From 16389fda3c5313bffc83fb6594f5bb5872e37e5e Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Wed, 22 Oct 2014 10:54:07 +0200
Subject: [PATCH] miniupnpd: Discard NAT-PMP packets coming from the WAN

---
 miniupnpd/Changelog.txt | 3 +++
 miniupnpd/miniupnpd.c | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt
index b44f650..d9322a5 100644
--- a/miniupnpd/Changelog.txt
+++ b/miniupnpd/Changelog.txt
@@ -1,5 +1,8 @@
 $Id: Changelog.txt,v 1.379 2014/10/22 08:52:17 nanard Exp $
 
+2014/10/22:
+ Discard NAT-PMP packets coming from the WAN
+
 2014/10/21:
 small modifications to compile with exotic C libraries
 
diff --git a/miniupnpd/miniupnpd.c b/miniupnpd/miniupnpd.c
index b347b77..6468075 100644
--- a/miniupnpd/miniupnpd.c
+++ b/miniupnpd/miniupnpd.c
@@ -2133,6 +2133,20 @@ main(int argc, char * * argv)
 msg_buff, sizeof(msg_buff));
 if (len < 1)
 continue;
+ /* Check if the packet is coming from a LAN to enforce RFC6886 :
+ * The NAT gateway MUST NOT accept mapping requests destined to the NAT
+ * gateway's external IP address or received on its external network
+ * interface. Only packets received on the internal interface(s) with a
+ * destination address matching the internal address(es) of the NAT
+ * gateway should be allowed. */
+ lan_addr = get_lan_for_peer((struct sockaddr *)&senderaddr);
+ if(lan_addr == NULL) {
+ char sender_str[64];
+ sockaddr_to_string((struct sockaddr *)&senderaddr, sender_str, sizeof(sender_str));
+ syslog(LOG_WARNING, "NAT-PMP/PCP packet sender %s not from a LAN, ignoring",
+ sender_str);
+ continue;
+ }
 #ifdef ENABLE_PCP
 if (msg_buff[0]==0) { /* version equals to 0 -> means NAT-PMP */
 ProcessIncomingNATPMPPacket(snatpmp[i], msg_buff, len,
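Review bot: The guard added right after the `if (len < 1)` / `continue;` check enforces only half of the RFC 6886 requirement its own comment quotes: `get_lan_for_peer()` classifies the sender's source address, but nothing in the hunk verifies that the datagram arrived on an internal interface with an internal destination address, so a datagram carrying a LAN source address but delivered to a WAN-facing socket would still be accepted. If the `snatpmp[i]` sockets are bound to the LAN addresses (their setup is outside this hunk) that closes the gap and the comment should say so; otherwise the receiving interface or destination address (e.g. via `IP_PKTINFO` / `IPV6_RECVPKTINFO`) should be checked as well. The `syslog(LOG_WARNING, ...)` line fires once per rejected datagram from an unauthenticated sender, which lets remote traffic flood the log; `LOG_INFO` or a rate limit would be safer. `lan_addr` is assigned here but declared outside the hunk, and the enclosing `main()` receive loop extends beyond it.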