cubixle/packages
1
0
Fork 0
mirror of https://github.com/novatiq/packages.git synced 2026-04-29 15:08:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

miniupnpd: Import release 20180422 to repo

Browse Source 
Import miniupnpd from routing repo and bump to 20180422.

Drop 102-ipv6-ext-port.patch as this looks upstreamed in the pinhole
code to me.
Consolidate all other patches & update with a view to sending upstream.

Add support for runtime IGDv1 mode switch (default to IGDv2)

(not extensively) Tested-on: ar71xx Archer C7 v2 in IGDv1 compatibility
mode.  A variety of devices/applications appear to be able to create
mappings.

Have an attempt at resolving https://github.com/openwrt-routing/packages/issues/286
TL;DR miniupnpd rules get processed before fw3 rules and thus can
override existing/intended redirects.  Ideally the miniupnpd rules would
be last in the relevant chains, unfortunately fw3 can sometimes use the
last rule as a REJECT.  Put miniupnpd rules as penultimate.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This commit is contained in:
Kevin Darbyshire-Bryant
2018-04-30 11:09:05 +01:00
parent 5e73184c2f
commit a2e2eeb409
7 changed files with 477 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/miniupnpd/files/firewall.include
+69
View File
@@ -0,0 +1,69 @@
#!/bin/sh
# miniupnpd integration for firewall3
IPTABLES=/usr/sbin/iptables
IP6TABLES=/usr/sbin/ip6tables
$IPTABLES -t filter -N MINIUPNPD 2>/dev/null
$IPTABLES -t nat -N MINIUPNPD 2>/dev/null
$IPTABLES -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null
[ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
. /lib/functions/network.sh
# helper to insert in chain as penultimate
iptables_prepend_rule() {
local iptables="$1"
local table="$2"
local chain="$3"
local target="$4"
$iptables -t "$table" -I "$chain" $($iptables -t "$table" --line-numbers -nL "$chain" | \
sed -ne '$s/[^0-9].*//p') -j "$target"
}
ADDED=0
add_extzone_rules() {
local ext_zone="$1"
[ -z "$ext_zone" ] && return
# IPv4 - due to NAT, need to add both to nat and filter table
# need to insert as penultimate rule for forward & postrouting since final rule might be a fw3 REJECT
iptables_prepend_rule "$IPTABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
$IPTABLES -t nat -A "zone_${ext_zone}_prerouting" -j MINIUPNPD
iptables_prepend_rule "$IPTABLES" nat "zone_${ext_zone}_postrouting" MINIUPNPD-POSTROUTING
# IPv6 if available - filter only
[ -x $IP6TABLES ] && {
iptables_prepend_rule "$IP6TABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
}
ADDED=$(($ADDED + 1))
}
# By default, user configuration is king.
for ext_iface in $(uci -q get upnpd.config.external_iface); do
add_extzone_rules $(fw3 -q network "$ext_iface")
done
add_extzone_rules $(uci -q get upnpd.config.external_zone)
[ "$ADDED" -ne 0 ] && exit 0
# If really nothing is available, resort to network_find_wan{,6} and
# assume external interfaces all have same firewall zone.
# (This heuristic may fail horribly, in case of e.g. multihoming, so
# please set external_zone in that case!)
network_find_wan wan_iface
network_find_wan6 wan6_iface
for ext_iface in $wan_iface $wan6_iface; do
# fw3 -q network fails on sub-interfaces => map to device first
network_get_device ext_device $ext_iface
add_extzone_rules $(fw3 -q device "$ext_device")
done