* remove firewall4.include file as it is not needed and procuces a firewall
error on service miniupnpd restart
* remove the uci-defaults file as its sole purpose was to install the
firewall include file
* modify the Makefile to reflect the deleted files
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Bump to the latest Git version in order to increase the package version
for simpler opkg upgrade of the broken version
- (Re-)Introduce PKG_RELEASE into the package, omitting it may lead to
opkg segmentation faults under certain circumstances
- Utilize automatic include hooks to drop the isolated miniupnpd table
in favor to chains within the main inet fw4 table, otherwise PCP is
unreliable as the upnp table might accept traffic which is later
rejected by fw4
- Install a fw4 script hook to restart miniupnpd on fw4 restarts and
reloads in order to repopulate the upnp chains with forward rules
- Register the used miniupnpd configuration file and the firewall uci
configuration as change sources, otherwise `/etc/init.d/miniupnpd reload`
has no effect if the firewall or upnpd config was changed
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update the package to a commit that fixes an issue with removing PCP
mappings from nftables.
This also allows us to fix the nftables miniupnpd implementation on
openwrt.
In this new implementation, a table is created at the start of miniupnpd
and it is dedicated to miniupnpd with a priority above the firewall4
table. This allows miniupnpd to go ahead of the drop rules of firewall4
and forward traffic as needed. There was the possibility of adding a
chain inside the firewall4 table, but this would raise an issue where
if firewall4 was reloaded the port forwardings would be lost and
miniupnpd could be out of sync. When miniupnpd is stopped the table is
deleted, taking the port forwardings with it.
Some of this commit is based of msylgj's work, mainly the logic of the
init/hotplug scripts and the makefile build parameters.
Signed-off-by: ZiMing Mo <msylgj@immortalwrt.org>
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Declare the nftables variant as the DEFAULT_VARIANT
as nftables firewall4 is the now default in OpenWrt.
Additionally,
* toggle CONFLICTS placement to avoid circular dependency warning
* use AUTORELEASE
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The next OpenWrt stable release aims to use firewall4 by default. As
this uses nftables as backend, miniupnpd will no longer work. Create an
iptables and nftables variant of the miniupnpd package so that miniupnpd
can be used with either firewall variant.
See #16818 for more info.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Since version 2.2.3, miniupnpd will detect MS clients and force IGDv1.
This reverts commit 7f5534ac7a.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Fixes the build problem below.
Package miniupnpd is missing dependencies for the following libraries:
libmnl.so.0
libnetfilter_conntrack.so.3
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Occasionally, mostly at startup, miniupnpd reports "Another app is
currently holding the xtables lock. Perhaps you want to use the -w
option?"
Take iptables' advice and wait up to 1 second before giving up.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Microsoft Windows, Xbox and possibly other operating systems do not
support IGDv2. With IGDv2 enabled, they send a HTTP GET request for
rootDesc.xml and WANIPCn.xml, and then nothing happens. The Microsoft
implementation probably doesn't like the WANIPCn.xml response and
decides UPnP is not available. When miniupnpd is built without IGDv2
support, after the 2 HTTP GET requests, there is a HTTP POST request to
/ctl/IPConn, and miniupnpd configures the port forward as expected.
The runtime option force_igd_desc_v1=yes (UCI: igvd1) does not solve
this problem. It's possible this was enough in earlier miniupnpd
versions, but it does not fix the problem the current version.
Since we are a modern distro, we want to support the latest and
greatest, so we should default to IGDv2 enabled. Introducing a
menuconfig option to disable IGDv2 would only help people who build
their own images, so offer a separate package variant for IGDv1.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Unlike ipv4, this option is supposed to be an IP address, otherwise, an
error occurs on startup:
can't parse "br-lan" as valid IPv6 listening address
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
It seems even modern stuff doesn't support v2 correctly. The miniupnp
suite does but other stacks seem to lack support. Default to v1 to
avoid the headache.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Tidy up some minor patch fuzz with a refresh.
Also tweak the linux makefile to make it run on macosx and linux:
install only understand -m for filemode, not that the openwrt staging
dir understands file modes. Also glibc>2.17 so patch out the check that
otherwise barfs a number of errors from a missing 'ldd' command under
macos.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
As miniupnpd is running as root, libcap(-ng) can be used to limit its
capabilities.
libcap-ng is very small, so this isn't a problem.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Use the newly introduced configure script.
Use PKG_INSTALL for consistency between packages.
Use PKG_BUILD_PARALLEL for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If miniupnpd is installed but disabled or not running, the hotplug
script will query uci for keys that don't exist and grep a temporary
config file that doesn't exist, resulting in the following errors:
uci: Entry not found
grep: /var/etc/miniupnd.conf: No such file or directory
These would arise when an interface is brought up or down, and are
more confusing than helpful, especially when miniupnpd is disabled.
Suppress these errors.
Signed-off-by: David Ehrmann <ehrmann@gmail.com>
The existing interface selection/detection code was incomprehensible at
worst and convoluted at best. The uci config file suggested it
understood an external ipv6 interface but in reality the init script
took no notice. Re-work it so it is at least comprehendible and takes
notice of ipv6 interface details if specified.
Update the hotplug script to use the same interface selection/detection
code as the init script and take note of ipv6 interface selection, only
restarting miniupnpd on interface up events and only if that interface
isn't already known (for that ip class) by miniupnpd.
For me this has solved numerous 'flaky' startup problems, especially
with regard to ipv6.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
hotplug scripts are sourced not exec'd so #!/bin/sh /etc/rc.common
doesn't pull in the functions defined in /etc/rc.common thus since
'enabled' isn't defined the following sequence always fails:
enabled miniupnpd || exit 0
Unfortunately sourcing /etc/rc.common doesn't appear to work so come up
with some alternatives.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Refreshed patch.
Added PKG_LICENSE_FILES.
Added --as-needed linker flag for slightly smaller size.
Removed -O2 hack to get it to compile. As part of this, removed a bunch of
CFLAGS that are normally passed which potentially affect compilation with
Os.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Practicalities of life have intervened and I am no longer able to
dedicate the time required to look after this package.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Add -fPIC to TARGET_LD_FLAGS
ce9TpAS.ltrans0.ltrans.o: relocation R_MIPS16_26 against `syslog' can not
be used when making a shared object; recompile with -fPIC
cce9TpAS.ltrans0.ltrans.o: error adding symbols: Bad value
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Move default leasefile location from /var to /var/run.
Also rename from upnp.leases to miniupnpd.leases
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Building with --gc-sections & -flto drop ipk size from 72600 to 66345
on MIPS
No misbehaviour due to these optimisations observed.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Import miniupnpd from routing repo and bump to 20180422.
Drop 102-ipv6-ext-port.patch as this looks upstreamed in the pinhole
code to me.
Consolidate all other patches & update with a view to sending upstream.
Add support for runtime IGDv1 mode switch (default to IGDv2)
(not extensively) Tested-on: ar71xx Archer C7 v2 in IGDv1 compatibility
mode. A variety of devices/applications appear to be able to create
mappings.
Have an attempt at resolving https://github.com/openwrt-routing/packages/issues/286
TL;DR miniupnpd rules get processed before fw3 rules and thus can
override existing/intended redirects. Ideally the miniupnpd rules would
be last in the relevant chains, unfortunately fw3 can sometimes use the
last rule as a REJECT. Put miniupnpd rules as penultimate.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Stan Grishin