1 files changed, 15 insertions, 36 deletions
diff --git a/main/firewall.c b/main/firewall.c
index f349ab1..8d535b4 100644
--- a/main/firewall.c
+++ b/main/firewall.c
@@ -6,13 +6,13 @@
 #include "lwip/lwip_napt.h"
 #include "lwip/etharp.h"
 #include "lwip/netif.h"
+#include "lwip/prot/ip4.h"
 #include <string.h>
 #define MAX_CLIENTS 10
 static const char *TAG = "firewall";
 static esp_ip4_addr_t s_ap_ip;
-static bool s_nat_enabled = false;
 typedef struct {
    uint32_t ip;
@@ -22,11 +22,6 @@ typedef struct {
 static fw_client_t s_clients[MAX_CLIENTS];
 static int s_client_count = 0;
-static struct netif *get_ap_netif(void)
-{
-    return netif_get_by_index(NETIF_NO_INDEX);
-}
 esp_err_t firewall_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size)
 {
    wifi_sta_list_t sta_list;
@@ -66,38 +61,25 @@ esp_err_t firewall_init(esp_ip4_addr_t ap_ip)
    s_ap_ip = ap_ip;
    memset(s_clients, 0, sizeof(s_clients));
    s_client_count = 0;
-    ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR, IP2STR(&s_ap_ip));
+    ip_napt_enable(s_ap_ip.addr, 1);
+    ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR " (NAT always on, per-client filter)", IP2STR(&s_ap_ip));
    return ESP_OK;
 }
-static void update_nat(void)
+int tollgate_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder)
 {
-    bool should_enable = (s_client_count > 0);
+    (void)dest_addr_hostorder;
-    if (should_enable && !s_nat_enabled) {
+    if (p->len < IP_HLEN) return -1;
-        ip_napt_enable(s_ap_ip.addr, 1);
+    struct ip_hdr *iphdr = (struct ip_hdr *)p->payload;
-        s_nat_enabled = true;
+    uint32_t src_ip_h = lwip_ntohl(iphdr->src.addr);
-        ESP_LOGI(TAG, "NAT enabled (client authenticated)");
+    uint32_t ap_subnet = lwip_ntohl(s_ap_ip.addr) & 0xFFFFFF00;
-    } else if (!should_enable && s_nat_enabled) {
+    if ((src_ip_h & 0xFFFFFF00) != ap_subnet) {
-        ip_napt_enable(s_ap_ip.addr, 0);
+        return 1;
-        s_nat_enabled = false;
-        ESP_LOGI(TAG, "NAT disabled (no authenticated clients)");
    }
-}
+    if (firewall_is_client_allowed(iphdr->src.addr)) {
+        return 1;
-void firewall_enable_nat(void)
+    }
-{
+    return 0;
-    if (s_nat_enabled) return;
-    ip_napt_enable(s_ap_ip.addr, 1);
-    s_nat_enabled = true;
-    ESP_LOGI(TAG, "NAT enabled");
-}
-void firewall_disable_nat(void)
-{
-    if (!s_nat_enabled) return;
-    ip_napt_enable(s_ap_ip.addr, 0);
-    s_nat_enabled = false;
-    ESP_LOGI(TAG, "NAT disabled");
 }
 static fw_client_t *find_client_by_ip(uint32_t client_ip)
@@ -137,7 +119,6 @@ void firewall_grant_access(uint32_t client_ip)
    s_client_count++;
    dns_server_set_client_authenticated(client_ip, true);
-    update_nat();
    esp_ip4_addr_t ip_addr = { .addr = client_ip };
    ESP_LOGI(TAG, "Access granted to " IPSTR " mac=%s", IP2STR(&ip_addr),
@@ -154,7 +135,6 @@ void firewall_revoke_access(uint32_t client_ip)
            s_clients[i] = s_clients[s_client_count - 1];
            s_client_count--;
            dns_server_set_client_authenticated(client_ip, false);
-            update_nat();
            return;
        }
    }
@@ -166,7 +146,6 @@ void firewall_revoke_all(void)
        dns_server_set_client_authenticated(s_clients[i].ip, false);
    }
    s_client_count = 0;
-    update_nat();
    ESP_LOGI(TAG, "All client access revoked");
 }

diff --git a/main/firewall.c b/main/firewall.c index f349ab1..8d535b4 100644 --- a/main/firewall.c +++ b/main/firewall.c
@@ -6,13 +6,13 @@
6	#include "lwip/lwip_napt.h"	6	#include "lwip/lwip_napt.h"
7	#include "lwip/etharp.h"	7	#include "lwip/etharp.h"
8	#include "lwip/netif.h"	8	#include "lwip/netif.h"
		9	#include "lwip/prot/ip4.h"
9	#include <string.h>	10	#include <string.h>
10		11
11	#define MAX_CLIENTS 10	12	#define MAX_CLIENTS 10
12		13
13	static const char *TAG = "firewall";	14	static const char *TAG = "firewall";
14	static esp_ip4_addr_t s_ap_ip;	15	static esp_ip4_addr_t s_ap_ip;
15	static bool s_nat_enabled = false;
16		16
17	typedef struct {	17	typedef struct {
18	uint32_t ip;	18	uint32_t ip;
@@ -22,11 +22,6 @@ typedef struct {
22	static fw_client_t s_clients[MAX_CLIENTS];	22	static fw_client_t s_clients[MAX_CLIENTS];
23	static int s_client_count = 0;	23	static int s_client_count = 0;
24		24
25	static struct netif *get_ap_netif(void)
26	{
27	return netif_get_by_index(NETIF_NO_INDEX);
28	}
29
30	esp_err_t firewall_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size)	25	esp_err_t firewall_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size)
31	{	26	{
32	wifi_sta_list_t sta_list;	27	wifi_sta_list_t sta_list;
@@ -66,38 +61,25 @@ esp_err_t firewall_init(esp_ip4_addr_t ap_ip)
66	s_ap_ip = ap_ip;	61	s_ap_ip = ap_ip;
67	memset(s_clients, 0, sizeof(s_clients));	62	memset(s_clients, 0, sizeof(s_clients));
68	s_client_count = 0;	63	s_client_count = 0;
69	ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR, IP2STR(&s_ap_ip));	64	ip_napt_enable(s_ap_ip.addr, 1);
		65	ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR " (NAT always on, per-client filter)", IP2STR(&s_ap_ip));
70	return ESP_OK;	66	return ESP_OK;
71	}	67	}
72		68
73	static void update_nat(void)	69	int tollgate_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder)
74	{	70	{
75	bool should_enable = (s_client_count > 0);	71	(void)dest_addr_hostorder;
76	if (should_enable && !s_nat_enabled) {	72	if (p->len < IP_HLEN) return -1;
77	ip_napt_enable(s_ap_ip.addr, 1);	73	struct ip_hdr iphdr = (struct ip_hdr )p->payload;
78	s_nat_enabled = true;	74	uint32_t src_ip_h = lwip_ntohl(iphdr->src.addr);
79	ESP_LOGI(TAG, "NAT enabled (client authenticated)");	75	uint32_t ap_subnet = lwip_ntohl(s_ap_ip.addr) & 0xFFFFFF00;
80	} else if (!should_enable && s_nat_enabled) {	76	if ((src_ip_h & 0xFFFFFF00) != ap_subnet) {
81	ip_napt_enable(s_ap_ip.addr, 0);	77	return 1;
82	s_nat_enabled = false;
83	ESP_LOGI(TAG, "NAT disabled (no authenticated clients)");
84	}	78	}
85	}	79	if (firewall_is_client_allowed(iphdr->src.addr)) {
86		80	return 1;
87	void firewall_enable_nat(void)	81	}
88	{	82	return 0;
89	if (s_nat_enabled) return;
90	ip_napt_enable(s_ap_ip.addr, 1);
91	s_nat_enabled = true;
92	ESP_LOGI(TAG, "NAT enabled");
93	}
94
95	void firewall_disable_nat(void)
96	{
97	if (!s_nat_enabled) return;
98	ip_napt_enable(s_ap_ip.addr, 0);
99	s_nat_enabled = false;
100	ESP_LOGI(TAG, "NAT disabled");
101	}	83	}
102		84
103	static fw_client_t *find_client_by_ip(uint32_t client_ip)	85	static fw_client_t *find_client_by_ip(uint32_t client_ip)
@@ -137,7 +119,6 @@ void firewall_grant_access(uint32_t client_ip)
137	s_client_count++;	119	s_client_count++;
138		120
139	dns_server_set_client_authenticated(client_ip, true);	121	dns_server_set_client_authenticated(client_ip, true);
140	update_nat();
141		122
142	esp_ip4_addr_t ip_addr = { .addr = client_ip };	123	esp_ip4_addr_t ip_addr = { .addr = client_ip };
143	ESP_LOGI(TAG, "Access granted to " IPSTR " mac=%s", IP2STR(&ip_addr),	124	ESP_LOGI(TAG, "Access granted to " IPSTR " mac=%s", IP2STR(&ip_addr),
@@ -154,7 +135,6 @@ void firewall_revoke_access(uint32_t client_ip)
154	s_clients[i] = s_clients[s_client_count - 1];	135	s_clients[i] = s_clients[s_client_count - 1];
155	s_client_count--;	136	s_client_count--;
156	dns_server_set_client_authenticated(client_ip, false);	137	dns_server_set_client_authenticated(client_ip, false);
157	update_nat();
158	return;	138	return;
159	}	139	}
160	}	140	}
@@ -166,7 +146,6 @@ void firewall_revoke_all(void)
166	dns_server_set_client_authenticated(s_clients[i].ip, false);	146	dns_server_set_client_authenticated(s_clients[i].ip, false);
167	}	147	}
168	s_client_count = 0;	148	s_client_count = 0;
169	update_nat();
170	ESP_LOGI(TAG, "All client access revoked");	149	ESP_LOGI(TAG, "All client access revoked");
171	}	150	}
172		151