From 0440f0b8a74c6c47ae2b16893b148ac7b5c3a519 Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Thu, 26 Apr 2012 16:08:39 +0200 Subject: [PATCH] Started to implement add_pinhole() for netfilter (linux) --- miniupnpd/Changelog.txt | 9 +- miniupnpd/Makefile.linux | 6 +- miniupnpd/netfilter/Makefile | 15 +- miniupnpd/netfilter/ip6tables_display.sh | 8 + miniupnpd/netfilter/ip6tables_flush.sh | 7 + miniupnpd/netfilter/ip6tables_init.sh | 12 ++ .../netfilter/ip6tables_init_and_clean.sh | 22 +++ miniupnpd/netfilter/ip6tables_removeall.sh | 13 ++ miniupnpd/netfilter/iptcrdr.c | 2 +- miniupnpd/netfilter/iptcrdr.h | 2 +- miniupnpd/netfilter/iptpinhole.c | 172 ++++++++++++++++++ miniupnpd/netfilter/iptpinhole.h | 17 ++ miniupnpd/netfilter/testiptcrdr.c | 17 +- miniupnpd/netfilter/testiptpinhole.c | 27 +++ miniupnpd/upnpglobalvars.c | 6 +- miniupnpd/upnpglobalvars.h | 5 +- miniupnpd/upnpredirect.c | 6 +- 17 files changed, 329 insertions(+), 17 deletions(-) create mode 100755 miniupnpd/netfilter/ip6tables_display.sh create mode 100755 miniupnpd/netfilter/ip6tables_flush.sh create mode 100755 miniupnpd/netfilter/ip6tables_init.sh create mode 100755 miniupnpd/netfilter/ip6tables_init_and_clean.sh create mode 100755 miniupnpd/netfilter/ip6tables_removeall.sh create mode 100644 miniupnpd/netfilter/iptpinhole.c create mode 100644 miniupnpd/netfilter/iptpinhole.h create mode 100644 miniupnpd/netfilter/testiptpinhole.c diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt index b1b6304..db3ecf0 100644 --- a/miniupnpd/Changelog.txt +++ b/miniupnpd/Changelog.txt @@ -1,9 +1,16 @@ -$Id: Changelog.txt,v 1.274 2012/04/25 22:26:03 nanard Exp $ +$Id: Changelog.txt,v 1.275 2012/04/26 14:01:15 nanard Exp $ + +2012/04/26: + Started to implement add_pinhole() for netfilter (linux) 2012/04/25: Fixed a bug in upnphttp that happened when POST is received in several recv() calls and realloc() is called so the buffer used is moved. +2012/04/23: + Implement CheckPinholeWorking GetPinholePackets. WANIPv6FirewallControl + UpdatePinhole still to be done. And also netfilter/ipf/ipfw versions + 2012/04/20: Enough WANIPv6FirewallControl is implemented on pf so that AddPinhole() and DeletePinhole() works ! diff --git a/miniupnpd/Makefile.linux b/miniupnpd/Makefile.linux index e9160e7..2393397 100644 --- a/miniupnpd/Makefile.linux +++ b/miniupnpd/Makefile.linux @@ -1,4 +1,4 @@ -# $Id: Makefile.linux,v 1.64 2012/04/20 12:54:01 nanard Exp $ +# $Id: Makefile.linux,v 1.65 2012/04/24 22:41:52 nanard Exp $ # MiniUPnP project # (c) 2006-2012 Thomas Bernard # http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ @@ -40,7 +40,7 @@ BASEOBJS = miniupnpd.o upnphttp.o upnpdescgen.o upnpsoap.o \ upnpevents.o upnputils.o getconnstatus.o LNXOBJS = linux/getifstats.o linux/ifacewatcher.o -NETFILTEROBJS = netfilter/iptcrdr.o +NETFILTEROBJS = netfilter/iptcrdr.o netfilter/iptpinhole.o ALLOBJS = $(BASEOBJS) $(LNXOBJS) $(NETFILTEROBJS) @@ -129,6 +129,8 @@ install: miniupnpd genuuid $(INSTALL) -d $(ETCINSTALLDIR) $(INSTALL) netfilter/iptables_init.sh $(ETCINSTALLDIR) $(INSTALL) netfilter/iptables_removeall.sh $(ETCINSTALLDIR) + $(INSTALL) netfilter/ip6tables_init.sh $(ETCINSTALLDIR) + $(INSTALL) netfilter/ip6tables_removeall.sh $(ETCINSTALLDIR) $(INSTALL) --mode=0644 -b miniupnpd.conf $(ETCINSTALLDIR) $(INSTALL) -d $(PREFIX)/etc/init.d $(INSTALL) linux/miniupnpd.init.d.script $(PREFIX)/etc/init.d/miniupnpd diff --git a/miniupnpd/netfilter/Makefile b/miniupnpd/netfilter/Makefile index de7d56c..8a16f4a 100644 --- a/miniupnpd/netfilter/Makefile +++ b/miniupnpd/netfilter/Makefile @@ -1,5 +1,5 @@ -# $Id: Makefile,v 1.3 2011/03/02 16:04:23 nanard Exp $ -CFLAGS?=-Wall -g -DDEBUG +# $Id: Makefile,v 1.6 2012/04/26 13:50:48 nanard Exp $ +CFLAGS?=-Wall -g -D_GNU_SOURCE -DDEBUG -Wstrict-prototypes -Wdeclaration-after-statement -ansi CC = gcc #LIBS = -liptc @@ -26,7 +26,8 @@ LIBS = $(IPTABLESPATH)/libiptc/libiptc.a endif else # check for system-wide iptables files. Test if iptables version >= 1.4.3 -TEST := $(shell test -f /usr/include/iptables/internal.h && grep -q "\#define IPTABLES_VERSION" /usr/include/iptables/internal.h && echo 1) +#TEST := $(shell test -f /usr/include/iptables/internal.h && grep -q "\#define IPTABLES_VERSION" /usr/include/iptables/internal.h && echo 1) +TEST := $(shell test -f /usr/include/xtables.h && grep -q "XTABLES_VERSION_CODE" /usr/include/xtables.h && echo 1) ifeq ($(TEST), 1) CFLAGS := $(CFLAGS) -DIPTABLES_143 LIBS = -liptc @@ -37,15 +38,19 @@ endif endif endif -all: iptcrdr.o testiptcrdr +all: iptcrdr.o testiptcrdr iptpinhole.o testiptpinhole clean: - $(RM) *.o testiptcrdr + $(RM) *.o testiptcrdr testiptpinhole testiptcrdr: testiptcrdr.o iptcrdr.o upnpglobalvars.o $(LIBS) +testiptpinhole: testiptpinhole.o iptpinhole.o upnpglobalvars.o $(LIBS) + iptcrdr.o: iptcrdr.c iptcrdr.h +iptpinhole.o: iptpinhole.c iptpinhole.h + upnpglobalvars.o: ../upnpglobalvars.c ../upnpglobalvars.h $(CC) -c -o $@ $< diff --git a/miniupnpd/netfilter/ip6tables_display.sh b/miniupnpd/netfilter/ip6tables_display.sh new file mode 100755 index 0000000..922eb2d --- /dev/null +++ b/miniupnpd/netfilter/ip6tables_display.sh @@ -0,0 +1,8 @@ +#! /bin/sh +# $Id: ip6tables_display.sh,v 1.1 2012/04/24 22:13:41 nanard Exp $ +IPTABLES=/sbin/ip6tables + +#display all chains relative to miniupnpd +$IPTABLES -v -n -t filter -L FORWARD +$IPTABLES -v -n -t filter -L MINIUPNPD + diff --git a/miniupnpd/netfilter/ip6tables_flush.sh b/miniupnpd/netfilter/ip6tables_flush.sh new file mode 100755 index 0000000..b9c68d9 --- /dev/null +++ b/miniupnpd/netfilter/ip6tables_flush.sh @@ -0,0 +1,7 @@ +#! /bin/sh +# $Id: ip6tables_flush.sh,v 1.1 2012/04/24 22:13:41 nanard Exp $ +IPTABLES=/sbin/ip6tables + +#flush all rules owned by miniupnpd +$IPTABLES -t filter -F MINIUPNPD + diff --git a/miniupnpd/netfilter/ip6tables_init.sh b/miniupnpd/netfilter/ip6tables_init.sh new file mode 100755 index 0000000..288b980 --- /dev/null +++ b/miniupnpd/netfilter/ip6tables_init.sh @@ -0,0 +1,12 @@ +#! /bin/sh +# $Id: ip6tables_init.sh,v 1.1 2012/04/24 22:13:41 nanard Exp $ +IPTABLES=/sbin/ip6tables + +#change this parameters : +EXTIF=eth0 + +#adding the MINIUPNPD chain for filter +$IPTABLES -t filter -N MINIUPNPD +#adding the rule to MINIUPNPD +$IPTABLES -t filter -A FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD + diff --git a/miniupnpd/netfilter/ip6tables_init_and_clean.sh b/miniupnpd/netfilter/ip6tables_init_and_clean.sh new file mode 100755 index 0000000..38e2a57 --- /dev/null +++ b/miniupnpd/netfilter/ip6tables_init_and_clean.sh @@ -0,0 +1,22 @@ +#! /bin/sh +# $Id: ip6tables_init_and_clean.sh,v 1.1 2012/04/24 22:13:41 nanard Exp $ +# Improved Miniupnpd iptables init script. +# Checks for state of filter before doing anything.. + +EXTIF=eth0 +IPTABLES=/sbin/ip6tables +FDIRTY="`LC_ALL=C /sbin/ip6tables -t filter -L -n | grep 'MINIUPNPD' | awk '{printf $1}'`" + +if [[ $FDIRTY = "MINIUPNPDChain" ]]; then + echo "Filter table dirty; Cleaning..." + $IPTABLES -t filter -F MINIUPNPD +elif [[ $FDIRTY = "Chain" ]]; then + echo "Dirty filter chain but no reference..? Fixsted." + $IPTABLES -t filter -I FORWARD 4 -i $EXTIF ! -o $EXTIF -j MINIUPNPD + $IPTABLES -t filter -F MINIUPNPD +else + echo "Filter table clean..initalizing.." + $IPTABLES -t filter -N MINIUPNPD + $IPTABLES -t filter -I FORWARD 4 -i $EXTIF ! -o $EXTIF -j MINIUPNPD +fi + diff --git a/miniupnpd/netfilter/ip6tables_removeall.sh b/miniupnpd/netfilter/ip6tables_removeall.sh new file mode 100755 index 0000000..56ffb8e --- /dev/null +++ b/miniupnpd/netfilter/ip6tables_removeall.sh @@ -0,0 +1,13 @@ +#! /bin/sh +# $Id: ip6tables_removeall.sh,v 1.1 2012/04/24 22:13:41 nanard Exp $ +IPTABLES=/sbin/ip6tables + +#change this parameters : +EXTIF=eth0 + +#removing the MINIUPNPD chain for filter +$IPTABLES -t filter -F MINIUPNPD +#adding the rule to MINIUPNPD +$IPTABLES -t filter -D FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD +$IPTABLES -t filter -X MINIUPNPD + diff --git a/miniupnpd/netfilter/iptcrdr.c b/miniupnpd/netfilter/iptcrdr.c index 6807707..e2a6d49 100644 --- a/miniupnpd/netfilter/iptcrdr.c +++ b/miniupnpd/netfilter/iptcrdr.c @@ -1,4 +1,4 @@ -/* $Id: iptcrdr.c,v 1.47 2012/02/04 23:34:41 nanard Exp $ */ +/* $Id: iptcrdr.c,v 1.48 2012/03/05 20:36:19 nanard Exp $ */ /* MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * (c) 2006-2011 Thomas Bernard diff --git a/miniupnpd/netfilter/iptcrdr.h b/miniupnpd/netfilter/iptcrdr.h index 5225426..f26bbc5 100644 --- a/miniupnpd/netfilter/iptcrdr.h +++ b/miniupnpd/netfilter/iptcrdr.h @@ -1,4 +1,4 @@ -/* $Id: iptcrdr.h,v 1.17 2011/06/04 15:44:58 nanard Exp $ */ +/* $Id: iptcrdr.h,v 1.18 2012/03/05 20:36:20 nanard Exp $ */ /* MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * (c) 2006-2011 Thomas Bernard diff --git a/miniupnpd/netfilter/iptpinhole.c b/miniupnpd/netfilter/iptpinhole.c new file mode 100644 index 0000000..88530db --- /dev/null +++ b/miniupnpd/netfilter/iptpinhole.c @@ -0,0 +1,172 @@ +/* $Id: iptpinhole.c,v 1.2 2012/04/26 14:01:17 nanard Exp $ */ +/* MiniUPnP project + * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ + * (c) 2012 Thomas Bernard + * This software is subject to the conditions detailed + * in the LICENCE file provided within the distribution */ + +#include +#include +#include +#include +#include + +#include "../config.h" +#include "iptpinhole.h" +#include "../upnpglobalvars.h" + +#ifdef ENABLE_6FC_SERVICE + +#include +#include +#include "tiny_nf_nat.h" + +#define IP6TC_HANDLE struct ip6tc_handle * + +static int next_uid = 1; + +static struct ip6t_entry_match * +new_match(int proto, unsigned short sport, unsigned short dport) +{ + struct ip6t_entry_match *match; + struct ip6t_tcp *info; + size_t size; + const char * name; + size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + + XT_ALIGN(sizeof(struct ip6t_tcp)); + match = calloc(1, size); + match->u.user.match_size = size; + switch(proto) { + case IPPROTO_TCP: + name = "tcp"; + break; + case IPPROTO_UDP: + name = "udp"; + break; + case IPPROTO_UDPLITE: + name = "udplite"; + break; + default: + name = NULL; + } + if(name) + strncpy(match->u.user.name, name, sizeof(match->u.user.name)); + else + syslog(LOG_WARNING, "no name for protocol %d", proto); + info = (struct ip6t_tcp *)match->data; + if(sport) { + info->spts[0] = sport; /* specified source port */ + info->spts[1] = sport; + } else { + info->spts[0] = 0; /* all source ports */ + info->spts[1] = 0xFFFF; + } + info->dpts[0] = dport; /* specified destination port */ + info->dpts[1] = dport; + return match; +} + +static struct ip6t_entry_target * +get_accept_target(void) +{ + struct ip6t_entry_target * target = NULL; + size_t size; + size = XT_ALIGN(sizeof(struct ip6t_entry_target)) + + XT_ALIGN(sizeof(int)); + target = calloc(1, size); + target->u.user.target_size = size; + strncpy(target->u.user.name, "ACCEPT", sizeof(target->u.user.name)); + return target; +} + +static int +ip6tc_init_verify_append(const char * table, + const char * chain, + struct ip6t_entry * e) +{ + IP6TC_HANDLE h; + + h = ip6tc_init(table); + if(!h) { + syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno)); + return -1; + } + if(!ip6tc_is_chain(chain, h)) { + syslog(LOG_ERR, "chain %s not found", chain); + goto error; + } + if(!ip6tc_append_entry(chain, e, h)) { + syslog(LOG_ERR, "ip6tc_append_entry() error : %s", ip6tc_strerror(errno)); + goto error; + } + if(!ip6tc_commit(h)) { + syslog(LOG_ERR, "ip6tc_commit() error : %s", ip6tc_strerror(errno)); + goto error; + } + return 0; /* ok */ +error: + ip6tc_free(h); + return -1; +} + +/* +ip6tables -I %s %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j ACCEPT +ip6tables -I %s %d -p %s -i %s --sport %hu -d %s --dport %hu -j ACCEPT + +miniupnpd_forward_chain, line_number, proto, ext_if_name, raddr, rport, iaddr, iport + +ip6tables -t raw -I PREROUTING %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j TRACE +ip6tables -t raw -I PREROUTING %d -p %s -i %s --sport %hu -d %s --dport %hu -j TRACE +*/ +int add_pinhole(const char * ifname, + const char * rem_host, unsigned short rem_port, + const char * int_client, unsigned short int_port, + int proto) +{ + int uid; + struct ip6t_entry * e; + struct ip6t_entry_match *match = NULL; + struct ip6t_entry_target *target = NULL; + + e = calloc(1, sizeof(struct ip6t_entry)); + e->ipv6.proto = proto; + + if(ifname) + strncpy(e->ipv6.iniface, ifname, IFNAMSIZ); + if(rem_host) { + inet_pton(AF_INET6, rem_host, &e->ipv6.src); + memset(&e->ipv6.smsk, 0xff, sizeof(e->ipv6.smsk)); + } + inet_pton(AF_INET6, int_client, &e->ipv6.dst); + memset(&e->ipv6.dmsk, 0xff, sizeof(e->ipv6.dmsk)); + + /*e->nfcache = NFC_IP_DST_PT;*/ + /*e->nfcache |= NFC_UNKNOWN;*/ + + match = new_match(proto, rem_port, int_port); + target = get_accept_target(); + e = realloc(e, sizeof(struct ip6t_entry) + + match->u.match_size + + target->u.target_size); + memcpy(e->elems, match, match->u.match_size); + memcpy(e->elems + match->u.match_size, target, target->u.target_size); + e->target_offset = sizeof(struct ip6t_entry) + + match->u.match_size; + e->next_offset = sizeof(struct ip6t_entry) + + match->u.match_size + + target->u.target_size; + free(match); + free(target); + + if(ip6tc_init_verify_append("filter", miniupnpd_v6_filter_chain, e) < 0) { + free(e); + return -1; + } + free(e); + uid = next_uid; + next_uid++; + return uid; +} + +#endif + diff --git a/miniupnpd/netfilter/iptpinhole.h b/miniupnpd/netfilter/iptpinhole.h new file mode 100644 index 0000000..f358a80 --- /dev/null +++ b/miniupnpd/netfilter/iptpinhole.h @@ -0,0 +1,17 @@ +/* $Id: iptpinhole.h,v 1.2 2012/04/26 14:01:17 nanard Exp $ */ +/* MiniUPnP project + * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ + * (c) 2012 Thomas Bernard + * This software is subject to the conditions detailed + * in the LICENCE file provided within the distribution */ +#ifndef __IPTPINHOLE_H__ +#define __IPTPINHOLE_H__ + +#ifdef ENABLE_6FC_SERVICE +int add_pinhole(const char * ifname, + const char * rem_host, unsigned short rem_port, + const char * int_client, unsigned short int_port, + int proto); +#endif + +#endif diff --git a/miniupnpd/netfilter/testiptcrdr.c b/miniupnpd/netfilter/testiptcrdr.c index 7fa697f..a4c5c3b 100644 --- a/miniupnpd/netfilter/testiptcrdr.c +++ b/miniupnpd/netfilter/testiptcrdr.c @@ -1,7 +1,7 @@ -/* $Id: testiptcrdr.c,v 1.16 2011/03/02 16:04:23 nanard Exp $ */ +/* $Id: testiptcrdr.c,v 1.18 2012/04/24 22:41:53 nanard Exp $ */ /* MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ - * (c) 2006-2011 Thomas Bernard + * (c) 2006-2012 Thomas Bernard * This software is subject to the conditions detailed * in the LICENCE file provided within the distribution */ @@ -11,6 +11,7 @@ #include #include "iptcrdr.h" +#include "../commonrdr.h" #ifndef PRIu64 #define PRIu64 "llu" @@ -29,21 +30,29 @@ main(int argc, char ** argv) eport = (unsigned short)atoi(argv[1]); iaddr = argv[2]; iport = (unsigned short)atoi(argv[3]); +#if 0 printf("trying to redirect port %hu to %s:%hu\n", eport, iaddr, iport); if(addnatrule(IPPROTO_TCP, eport, iaddr, iport) < 0) return -1; if(add_filter_rule(IPPROTO_TCP, iaddr, iport) < 0) return -1; +#endif /* test */ { unsigned short p1, p2; char addr[16]; int proto2; char desc[256]; + char rhost[256]; + unsigned int timestamp; u_int64_t packets, bytes; + desc[0] = '\0'; - if(get_redirect_rule_by_index(0, "", &p1, addr, sizeof(addr), - &p2, &proto2, desc, sizeof(desc), + if(get_redirect_rule_by_index(0, "", &p1, + addr, sizeof(addr), &p2, + &proto2, desc, sizeof(desc), + rhost, sizeof(rhost), + ×tamp, &packets, &bytes) < 0) { printf("rule not found\n"); diff --git a/miniupnpd/netfilter/testiptpinhole.c b/miniupnpd/netfilter/testiptpinhole.c new file mode 100644 index 0000000..caa3832 --- /dev/null +++ b/miniupnpd/netfilter/testiptpinhole.c @@ -0,0 +1,27 @@ +/* $Id: testiptpinhole.c,v 1.1 2012/04/26 13:50:48 nanard Exp $ */ +/* MiniUPnP project + * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ + * (c) 2012 Thomas Bernard + * This software is subject to the conditions detailed + * in the LICENCE file provided within the distribution */ + +#include +#include +#include +#include + +#include "../config.h" +#include "iptpinhole.h" +#include "../commonrdr.h" + + +int main(int argc, char * * argv) +{ + int uid; + + openlog("testiptpinhole", LOG_PERROR|LOG_CONS, LOG_LOCAL0); + + uid = add_pinhole("eth0", NULL, 0, "ff::123", 54321, IPPROTO_TCP); + return 0; +} + diff --git a/miniupnpd/upnpglobalvars.c b/miniupnpd/upnpglobalvars.c index 5c79af3..18efbee 100644 --- a/miniupnpd/upnpglobalvars.c +++ b/miniupnpd/upnpglobalvars.c @@ -1,4 +1,4 @@ -/* $Id: upnpglobalvars.c,v 1.27 2012/02/04 23:05:21 nanard Exp $ */ +/* $Id: upnpglobalvars.c,v 1.29 2012/04/26 14:01:16 nanard Exp $ */ /* MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * (c) 2006-2012 Thomas Bernard @@ -75,6 +75,10 @@ const char * tag = 0; * and the filter table */ const char * miniupnpd_nat_chain = "MINIUPNPD"; const char * miniupnpd_forward_chain = "MINIUPNPD"; +#ifdef ENABLE_6FC_SERVICE +const char * miniupnpd_v6_filter_chain = "MINIUPNPD"; +#endif + #endif #ifdef ENABLE_NFQUEUE int nfqueue = -1; diff --git a/miniupnpd/upnpglobalvars.h b/miniupnpd/upnpglobalvars.h index f7cd47f..8caf66b 100644 --- a/miniupnpd/upnpglobalvars.h +++ b/miniupnpd/upnpglobalvars.h @@ -1,4 +1,4 @@ -/* $Id: upnpglobalvars.h,v 1.31 2012/02/04 23:05:21 nanard Exp $ */ +/* $Id: upnpglobalvars.h,v 1.33 2012/04/26 14:01:16 nanard Exp $ */ /* MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * (c) 2006-2012 Thomas Bernard @@ -94,6 +94,9 @@ extern const char * tag; #ifdef USE_NETFILTER extern const char * miniupnpd_nat_chain; extern const char * miniupnpd_forward_chain; +#ifdef ENABLE_6FC_SERVICE +extern const char * miniupnpd_v6_filter_chain; +#endif #endif #ifdef ENABLE_NFQUEUE diff --git a/miniupnpd/upnpredirect.c b/miniupnpd/upnpredirect.c index afe5665..7c50c11 100644 --- a/miniupnpd/upnpredirect.c +++ b/miniupnpd/upnpredirect.c @@ -1,4 +1,4 @@ -/* $Id: upnpredirect.c,v 1.75 2012/04/23 22:36:57 nanard Exp $ */ +/* $Id: upnpredirect.c,v 1.76 2012/04/26 14:01:16 nanard Exp $ */ /* MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * (c) 2006-2012 Thomas Bernard @@ -24,6 +24,7 @@ #include "upnpevents.h" #if defined(USE_NETFILTER) #include "netfilter/iptcrdr.h" +#include "netfilter/iptpinhole.h" #endif #if defined(USE_PF) #include "pf/obsdrdr.h" @@ -667,6 +668,9 @@ upnp_add_inboundpinhole(const char * raddr, #ifdef USE_PF *uid = add_pinhole (0/*ext_if_name*/, raddr, rport, iaddr, iport, proto, timestamp); return 1; +#elif USE_NETFILTER + *uid = add_pinhole (0/*ext_if_name*/, raddr, rport, iaddr, iport, proto); + return 1; #else return -42; /* not implemented */ #endif