From 98bd0b6f63fd27331dab998c3549cf246dbc905b Mon Sep 17 00:00:00 2001
From: MDMCK10
Date: Sat, 30 Mar 2024 12:56:27 -0400
Subject: [PATCH] Fix patch

---
 nftables.patch | 48 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 7 deletions(-)

diff --git a/nftables.patch b/nftables.patch
index b6099b6..e0ef5b6 100644
--- a/nftables.patch
+++ b/nftables.patch
@@ -1,5 +1,5 @@
---- nftables.conf 2023-06-09 19:16:58.000000000 -0400
-+++ nftables.conf.2 2024-02-12 12:35:17.175626420 -0500
+--- nftables.conf 2023-06-10 01:16:58.000000000 +0200
++++ nftables.conf.2 2024-03-30 17:53:25.967805988 +0100
 @@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
 flush ruleset
 
@@ -19,12 +19,46 @@
 chain forward {
 type filter hook forward priority filter; policy drop;
-@@ -34,6 +40,8 @@
+@@ -32,12 +38,16 @@
+ # Accept LAN<->WAN traffic
+ meta iifname $LAN meta oifname $WAN accept
 meta iifname $WAN meta oifname $LAN accept
- udp dport 80 log prefix "Dropped (UDP/80): " drop
- udp dport 443 log prefix "Dropped (UDP/443): " drop
-+ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
-+ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+- udp dport 80 log prefix "Dropped (UDP/80): " drop
+- udp dport 443 log prefix "Dropped (UDP/443): " drop
 ct state related,established accept
 log prefix "Packet discarded by policy: "
 }
+ chain noforward {
++ udp dport 80 log prefix "Dropped (UDP/80): " drop
++ udp dport 443 log prefix "Dropped (UDP/443): " drop
++ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
++ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
++
++
+ # Block all DNS resolvers beside the router
+ th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
+ # Block access to the SLiRP gateway
+@@ -48,6 +58,13 @@
+ }
+
+ table inet nat {
++ set blocklist {
++ type ipv4_addr
++ flags interval
++ elements = { $blocklist }
++ }
++
++
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
+@@ -55,7 +72,7 @@
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ # Uncomment for E2Guardian
+- # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
+- # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
++ iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 80 redirect to :8080
++ iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 443 redirect to :8443
+ }
+ }
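Review bot: The `# Uncomment for E2Guardian` comment in the prerouting chain is now stale, because the two redirect rules beneath it are activated in this hunk; replace it with `# Transparent redirect to E2Guardian (80->8080, 443->8443); blocklisted destinations are excluded so the forward-side drop still applies`. The blocklist drops moved into `noforward` only take effect if that chain is evaluated before the `meta iifname $LAN meta oifname $WAN accept` rule in `forward`; the `type`/`hook`/`priority` line of `noforward` is outside this hunk, so that ordering should be confirmed rather than assumed. The set is `type ipv4_addr` and the rules match only `ip daddr`/`ip saddr`, so if the router also forwards IPv6, those destinations bypass both the drop and the redirect exclusion; either an `ip6` counterpart or a comment stating the blocklist is IPv4-only would make that explicit. The set is now declared once per table (sets are table-scoped in nftables), and both copies are fed from `$blocklist`, which is worth a one-line comment above the nat-table copy so a future edit does not drop one of them. The enclosing filter and nat table blocks of the patched configuration start and end outside this hunk.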