From 0d531d50f0076045487ff32bbb8cedc10b90b75f Mon Sep 17 00:00:00 2001
From: Rob White
Date: Thu, 21 Aug 2025 16:30:09 +0100
Subject: [PATCH] Fix - Multiple changes to walled garden and blocklist sets
Signed-off-by: Rob White
---
 forward_authentication_service/libs/dnsconfig.sh | 10 ++++++++--
 forward_authentication_service/libs/libopennds.sh | 4 ++--
 src/auth.c | 8 ++------
 src/conf.c | 7 -------
 src/main.c | 7 +++++--
 5 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/forward_authentication_service/libs/dnsconfig.sh b/forward_authentication_service/libs/dnsconfig.sh
index 468f2ed..91d5a09 100755
--- a/forward_authentication_service/libs/dnsconfig.sh
+++ b/forward_authentication_service/libs/dnsconfig.sh
@@ -15,7 +15,13 @@ hosts="/etc/hosts"
 setconf="$1"
 uciconfig=$(uci show dhcp 2>/dev/null)
-ipset_to_nftset () {
+ipset_to_nftset() {
+ # Translate a legacy ipset to an nftset
+ # The legacy ipset might be dynamically updated eg by dnsmasq, so loop around for a set time
+ # Note: It loops after a sleep of one second so the call to this library function should probably always be forked into the background to prevent blocking
+ # (hint: use a trailing "&" when calling it)
+ # $ipsetname contains the name of the ipset
+ # $loopcount contains the number of loops to do
 local timeout=$loopcount
@@ -32,7 +38,7 @@ ipset_to_nftset () {
 elements=${elements:2}
 if [ ! -z "$elements" ] && [ "$elements" != "$last_elements" ]; then
- nft add element ip nds_filter "$ipsetname" {"$elements"}
+ nft add element inet nds_filter "$ipsetname" {"$elements"}
 fi
 last_elements="$elements"
diff --git a/forward_authentication_service/libs/libopennds.sh b/forward_authentication_service/libs/libopennds.sh
index 4c01511..1cb72fc 100755
--- a/forward_authentication_service/libs/libopennds.sh
+++ b/forward_authentication_service/libs/libopennds.sh
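Review bot: `last_elements="$elements"` after the `fi` is updated whether or not `nft add element inet nds_filter "$ipsetname" {"$elements"}` succeeded, so a failed add (the table not yet existing in the `inet` family, or the set being full — nft_set creates it with `size 128`) is never retried on later iterations as long as the ipset content stays the same, and the walled garden or blocklist silently stays empty. The loop and the function entry are outside this hunk. Suggest recording the elements only on success: `if nft add element inet nds_filter "$ipsetname" {"$elements"}; then` / `last_elements="$elements"` / `fi`, and dropping the unconditional assignment below the outer `fi`. The nft_set hunk in libopennds.sh already checks `$?` after `nft add set`; this path should log its failure the same way.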
@@ -1456,7 +1456,7 @@ nft_set () {
 if [ "$nftsetmode" = "add" ] || [ "$nftsetmode" = "insert" ]; then
 # Add the set, add/insert the rule and the Dnsmasq config
- nft add set ip nds_filter "$nftsetname" { type ipv4_addr\; size 128\; }
+ nft add set inet nds_filter "$nftsetname" { type ipv4_addr\; size 128\; }
 ret=$?
 if [ "$ret" -ne 0 ]; then
@@ -1545,7 +1545,7 @@ nft_set () {
 echo $ucicmd | uci -q batch
 ucicmd="set dhcp.nds_$nftsetname.table='nds_filter'"
 echo $ucicmd | uci -q batch
- ucicmd="set dhcp.nds_$nftsetname.table_family='ip'"
+ ucicmd="set dhcp.nds_$nftsetname.table_family='inet'"
 echo $ucicmd | uci -q batch
 domains=$fqdns
diff --git a/src/auth.c b/src/auth.c
index 3d43c5e..eaa39d7 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -585,17 +585,13 @@ fw_refresh_client_list(void)
 // If Walled Garden ipset exists, copy it to the nftset.
 dnscmd = safe_calloc(STATUS_BUF);
 safe_snprintf(dnscmd, STATUS_BUF, "/usr/lib/opennds/dnsconfig.sh \"ipset_to_nftset\" \"walledgarden\" %d &", config->checkinterval);
- if (system(dnscmd) != 0) {
- debug(LOG_DEBUG, "legacy ipset not defined: %s", dnscmd);
- }
+ system(dnscmd);
 free(dnscmd);
 // If Block List ipset exists, copy it to the nftset.
 dnscmd = safe_calloc(STATUS_BUF);
 safe_snprintf(dnscmd, STATUS_BUF, "/usr/lib/opennds/dnsconfig.sh \"ipset_to_nftset\" \"blocklist\" %d &", config->checkinterval);
- if (system(dnscmd) != 0) {
- debug(LOG_DEBUG, "legacy ipset not defined: %s", dnscmd);
- }
+ system(dnscmd);
 free(dnscmd);
 if (routercheck > 0) {
diff --git a/src/conf.c b/src/conf.c
index 3058f6a..a7be66c 100644
--- a/src/conf.c
+++ b/src/conf.c
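Review bot: `nft add set inet nds_filter "$nftsetname" ...` presumes that the `nds_filter` table already exists in the `inet` family, but nothing in this commit creates or migrates that table; if it is still created as `table ip nds_filter` elsewhere (the table creation is outside this hunk), this add fails on every call and the `$ret` check that follows fires each time. The dnsmasq side is switched in the second hunk (`table_family='inet'`), so the family needs the same treatment where the table is created and a comment here tying the three together, e.g. `# nds_filter must be an inet-family table: dnsmasq's nftset config and dnsconfig.sh assume the same family`. The set keeps `type ipv4_addr`, so the inet table does not by itself admit IPv6 members; if that is intended, the comment should say so.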
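Review bot: Dropping the check leaves `system(dnscmd)` unchecked on both new lines, and the removed check was never meaningful either: the command ends in `&`, so the shell returns 0 as soon as it has backgrounded dnsconfig.sh, and whether the ipset exists never reached this code. The one result `system()` can still report is -1 (no child process could be created), which should be logged rather than discarded. The two blocks differ only in the set name, so a small static helper removes the duplication and carries that check; fw_refresh_client_list starts and ends outside this hunk. The command format stays fixed in the helper, so nothing user-controlled reaches the shell.
```c
// Mirror a legacy ipset into the nftset by forking dnsconfig.sh into the background.
// Because the command ends in "&", system() only tells us whether /bin/sh could be
// started (-1 on failure); it says nothing about whether the ipset exists.
static void
run_ipset_to_nftset(const char *setname, int checkinterval)
{
	char *dnscmd = safe_calloc(STATUS_BUF);

	safe_snprintf(dnscmd, STATUS_BUF, "/usr/lib/opennds/dnsconfig.sh \"ipset_to_nftset\" \"%s\" %d &", setname, checkinterval);

	if (system(dnscmd) == -1) {
		debug(LOG_WARNING, "Failed to start: %s", dnscmd);
	}

	free(dnscmd);
}

/* … unchanged: fw_refresh_client_list up to the walled garden block … */
	// If the Walled Garden / Block List ipsets exist, copy them to the nftsets.
	run_ipset_to_nftset("walledgarden", config->checkinterval);
	run_ipset_to_nftset("blocklist", config->checkinterval);

	if (routercheck > 0) {
/* … unchanged: routercheck handling … */
```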
@@ -348,13 +348,6 @@ config_init(int argc, char **argv)
 debug(LOG_NOTICE, "Interface %s is at %s (%s)", config.gw_interface, config.gw_ip, config.gw_mac);
- // Make sure fas_remoteip is set. Note: This does not enable FAS.
- if (strcmp(config.fas_remoteip, "disabled") == 0) {
- config.fas_remoteip = safe_strdup(config.gw_ip);
- }
-
- debug(LOG_DEBUG, "FAS remote ip address is [ %s ]", config.fas_remoteip);
-
 // Generate a unique faskey if not set in config
 if (strcmp(config.fas_key, DEFAULT_FASKEY) == 0) {
 setupcmd = safe_calloc(STATUS_BUF);
diff --git a/src/main.c b/src/main.c
index fb0da21..ed8f570 100644
--- a/src/main.c
+++ b/src/main.c
@@ -600,13 +600,16 @@ setup_from_config(void)
 // If FAS is enabled then set it up
 if (config->fas_port) {
 debug(LOG_INFO, "fas_secure_enabled is set to level %d", config->fas_secure_enabled);
+ debug(LOG_INFO, "fasremoteip is %s, fasremotefqdn is %s", config->fas_remoteip, config->fas_remotefqdn);
 // Check the FAS remote IP address
- if ((strcmp(config->fas_remoteip, "disabled") == 0)) {
+ if ((strcmp(config->fas_remoteip, "disabled") == 0) && (strcmp(config->fas_remotefqdn, "disabled") == 0)) {
+ debug(LOG_DEBUG, "Setting undefined fas_remoteip");
 config->fas_remoteip = safe_strdup(config->gw_ip);
 }
- if (config->fas_remoteip) {
+ if (strcmp(config->fas_remoteip, "disabled") != 0) {
+ if (is_addr(config->fas_remoteip) == 1) {
 debug(LOG_INFO, "fasremoteip - %s - is a valid IPv4 address...", config->fas_remoteip);
 } else {