miniupnpd: update and fix nftables variant
Update the package to a commit that fixes an issue with removing PCP mappings from nftables. This also allows us to fix the nftables miniupnpd implementation on openwrt. In this new implementation, a table is created at the start of miniupnpd and it is dedicated to miniupnpd with a priority above the firewall4 table. This allows miniupnpd to go ahead of the drop rules of firewall4 and forward traffic as needed. There was the possibility of adding a chain inside the firewall4 table, but this would raise an issue where if firewall4 was reloaded the port forwardings would be lost and miniupnpd could be out of sync. When miniupnpd is stopped the table is deleted, taking the port forwardings with it. Some of this commit is based of msylgj's work, mainly the logic of the init/hotplug scripts and the makefile build parameters. Signed-off-by: ZiMing Mo <msylgj@immortalwrt.org> Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
This commit is contained in:
Tiago Gaspar
Rosen Penev
parent
1d795f2c1e
commit
651a578cac
|
|
@ -8,12 +8,13 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=miniupnpd
|
||||
PKG_VERSION:=2.2.3
|
||||
PKG_RELEASE:=$(AUTORELEASE)
|
||||
|
||||
PKG_SOURCE_URL:=https://miniupnp.tuxfamily.org/files
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_HASH:=f89c310ce9575183af3fec61af65e548f85114133df8caaaa9e204c13b7a9da5
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git
|
||||
PKG_SOURCE_DATE:=2022-08-06
|
||||
PKG_SOURCE_VERSION:=fa42d8f9316bf9c1ca14317e5a6e0d4a21365629
|
||||
PKG_MIRROR_HASH:=06662c7cf8f553f625cd968d12ea732db4193706510ed0db6e8bdd1c6b935c50
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd
|
||||
|
||||
PKG_MAINTAINER:=
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
|
|
@ -26,6 +27,9 @@ PKG_BUILD_PARALLEL:=1
|
|||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(INCLUDE_DIR)/version.mk
|
||||
|
||||
TAR_OPTIONS+= --strip-components 1
|
||||
TAR_CMD=$(HOST_TAR) -C $(1)/.. $(TAR_OPTIONS)
|
||||
|
||||
define Package/miniupnpd/Default
|
||||
SECTION:=net
|
||||
CATEGORY:=Network
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ tmpconf="/var/etc/miniupnpd.conf"
|
|||
external_iface=$(uci -q get upnpd.config.external_iface)
|
||||
external_iface6=$(uci -q get upnpd.config.external_iface6)
|
||||
external_zone=$(uci -q get upnpd.config.external_zone)
|
||||
[ -x "$(command -v nft)" ] && FW="fw4" || FW="fw3"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
|
|
@ -20,7 +21,7 @@ if [ -n "$external_iface" ] ; then
|
|||
network_get_device ifname "$external_iface"
|
||||
else
|
||||
if [ -n "$external_zone" ] ; then
|
||||
ifname=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
ifname=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
else
|
||||
network_find_wan external_iface && \
|
||||
network_get_device ifname "$external_iface"
|
||||
|
|
@ -30,7 +31,7 @@ if [ -n "$external_iface6" ] ; then
|
|||
network_get_device ifname6 "$external_iface6"
|
||||
else
|
||||
if [ -n "$external_zone" ] ; then
|
||||
ifname6=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
ifname6=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
else
|
||||
network_find_wan6 external_iface6 && \
|
||||
network_get_device ifname6 "$external_iface6"
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ START=94
|
|||
STOP=15
|
||||
USE_PROCD=1
|
||||
PROG=/usr/sbin/miniupnpd
|
||||
[ -x "$(command -v nft)" ] && FW="fw4" || FW="fw3"
|
||||
|
||||
upnpd_get_port_range() {
|
||||
local var="$1"; shift
|
||||
|
|
@ -98,7 +99,7 @@ upnpd() {
|
|||
network_get_device ifname "$external_iface"
|
||||
else
|
||||
if [ -n "$external_zone" ] ; then
|
||||
ifname=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
ifname=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
else
|
||||
network_find_wan external_iface && \
|
||||
network_get_device ifname "$external_iface"
|
||||
|
|
@ -108,7 +109,7 @@ upnpd() {
|
|||
network_get_device ifname6 "$external_iface6"
|
||||
else
|
||||
if [ -n "$external_zone" ] ; then
|
||||
ifname6=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
ifname6=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
|
||||
else
|
||||
network_find_wan6 external_iface6 && \
|
||||
network_get_device ifname6 "$external_iface6"
|
||||
|
|
@ -171,12 +172,29 @@ upnpd() {
|
|||
|
||||
config_foreach conf_rule_add perm_rule
|
||||
|
||||
if [ "Z$FW" = "Zfw4" ]; then
|
||||
#When using nftables configure miniupnpd to use its own table and chains
|
||||
echo "upnp_table_name=miniupnpd"
|
||||
echo "upnp_nat_table_name=miniupnpd"
|
||||
echo "upnp_forward_chain=forward"
|
||||
echo "upnp_nat_chain=prerouting"
|
||||
echo "upnp_nat_postrouting_chain=postrouting"
|
||||
fi
|
||||
|
||||
} > "$tmpconf"
|
||||
fi
|
||||
|
||||
if [ -n "$ifname" ]; then
|
||||
# start firewall
|
||||
iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
|
||||
if [ "Z$FW" = "Zfw4" ]; then
|
||||
#Add a miniupnpd table so that when fw4 reloads port-forwadings aren't lost, also give it priority so that port-forwards are considered before standard firewall rules
|
||||
nft add table inet miniupnpd
|
||||
nft add chain inet miniupnpd forward { type filter hook forward priority -20 \; policy accept \; comment \"Miniupnpd forwarding table\" \; }
|
||||
nft add chain inet miniupnpd prerouting { type nat hook prerouting priority dstnat -20 \; policy accept \; comment \"Miniupnpd prerouting table\" \; }
|
||||
nft add chain inet miniupnpd postrouting { type nat hook postrouting priority srcnat -20 \; policy accept \; comment \"Miniupnpd postrouting table\" \; }
|
||||
else
|
||||
iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
|
||||
fi
|
||||
else
|
||||
logger -t "upnp daemon" "external interface not found, not starting"
|
||||
fi
|
||||
|
|
@ -189,11 +207,15 @@ upnpd() {
|
|||
}
|
||||
|
||||
stop_service() {
|
||||
iptables -t nat -F MINIUPNPD 2>/dev/null
|
||||
iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
|
||||
iptables -t filter -F MINIUPNPD 2>/dev/null
|
||||
|
||||
[ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
|
||||
if [ "Z$FW" = "Zfw3" ]; then
|
||||
iptables -t nat -F MINIUPNPD 2>/dev/null
|
||||
iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
|
||||
iptables -t filter -F MINIUPNPD 2>/dev/null
|
||||
[ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
|
||||
else
|
||||
#delete the table removing port-forwardings when exiting
|
||||
nft delete table inet miniupnpd
|
||||
fi
|
||||
}
|
||||
|
||||
start_service() {
|
||||
|
|
@ -203,4 +225,4 @@ start_service() {
|
|||
|
||||
service_triggers() {
|
||||
procd_add_reload_trigger "upnpd"
|
||||
}
|
||||
}
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
From 51a422407b22f0cb7188ea4bfb3867b2bbfcfe68 Mon Sep 17 00:00:00 2001
|
||||
From: Stijn Tintel <stijn@linux-ipv6.be>
|
||||
Date: Sun, 7 Nov 2021 20:24:29 +0200
|
||||
Subject: [PATCH] miniupnpd/configure: don't hardcode iptables
|
||||
|
||||
The OpenWrt Makefile that builds miniupnpd passes the firewall argument
|
||||
to the configure script, so this is not needed and it is blocking us
|
||||
from using nftables instead, which will be the default backend for
|
||||
firewall4 to be used in the next OpenWrt stable release.
|
||||
|
||||
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
||||
---
|
||||
configure | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -387,7 +387,6 @@ case $OS_NAME in
|
||||
OpenWRT)
|
||||
OS_URL=http://www.openwrt.org/
|
||||
echo "#define USE_IFACEWATCHER 1" >> ${CONFIGFILE}
|
||||
- FW=iptables
|
||||
;;
|
||||
OpenEmbedded)
|
||||
OS_URL=http://www.openembedded.org/
|
||||
Loading…
Reference in New Issue