merge remote-tracking branch 'pali/master' into master

Thomas Bernard 2021-01-12 01:12:42 +01:00
commit 4540d160d9
3 changed files with 26 additions and 7 deletions


@ -953,6 +953,13 @@ parselanaddr(struct lan_addr_s * lan_addr, const char * str)
if(!inet_aton(lan_addr->str, &lan_addr->addr)) if(!inet_aton(lan_addr->str, &lan_addr->addr))
goto parselan_error; goto parselan_error;
} }
if(!addr_is_reserved(&lan_addr->addr)) {
fprintf(stderr, "Error: LAN address contains public ip address : %s\n", lan_addr->str);
fprintf(stderr, "Public ip address can be configured via ext_ip= option\n");
fprintf(stderr, "LAN address should contain private address, e.g. from 192.168. block\n");
fprintf(stderr, "Listening on public ip address is a security issue\n");
return -1;
}
if(*p == '/') if(*p == '/')
{ {
const char * q = ++p; const char * q = ++p;
@ -1090,11 +1097,20 @@ int update_ext_ip_addr_from_stun(int init)
if ((init || disable_port_forwarding) && !restrictive_nat) { if ((init || disable_port_forwarding) && !restrictive_nat) {
if (addr_is_reserved(&if_addr)) if (addr_is_reserved(&if_addr))
syslog(LOG_INFO, "STUN: ext interface %s with IP address %s is now behind unrestricted NAT 1:1 with public IP address %s: Port forwarding is now enabled", ext_if_name, if_addr_str, ext_addr_str); syslog(LOG_INFO, "STUN: ext interface %s with IP address %s is now behind unrestricted full-cone NAT 1:1 with public IP address %s and firewall does not block incoming connections set by miniunnpd", ext_if_name, if_addr_str, ext_addr_str);
else else
syslog(LOG_INFO, "STUN: ext interface %s has now public IP address %s: Port forwarding is now enabled", ext_if_name, if_addr_str); syslog(LOG_INFO, "STUN: ext interface %s has now public IP address %s and firewall does not blocks incoming connections set by miniunnpd", ext_if_name, if_addr_str);
syslog(LOG_INFO, "Port forwarding is now enabled");
} else if ((init || !disable_port_forwarding) && restrictive_nat) { } else if ((init || !disable_port_forwarding) && restrictive_nat) {
syslog(LOG_WARNING, "STUN: ext interface %s with IP address %s is now behind restrictive NAT with public IP address %s: Port forwarding is now impossible", ext_if_name, if_addr_str, ext_addr_str); if (addr_is_reserved(&if_addr)) {
syslog(LOG_WARNING, "STUN: ext interface %s with private IP address %s is now behind restrictive or symmetric NAT with public IP address %s which does not support port forwarding", ext_if_name, if_addr_str, ext_addr_str);
syslog(LOG_WARNING, "NAT on upstream router blocks incoming connections set by miniupnpd");
syslog(LOG_WARNING, "Turn off NAT on upstream router or change it to full-cone NAT 1:1 type");
} else {
syslog(LOG_WARNING, "STUN: ext interface %s has now public IP address %s but firewall filters incoming connections set by miniunnpd", ext_if_name, if_addr_str);
syslog(LOG_WARNING, "Check configuration of firewall on local machine and also on upstream router");
}
syslog(LOG_WARNING, "Port forwarding is now disabled");
} else { } else {
syslog(LOG_INFO, "STUN: ... done"); syslog(LOG_INFO, "STUN: ... done");
} }
@ -2178,6 +2194,7 @@ main(int argc, char * * argv)
syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name); syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address"); syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address"); syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
disable_port_forwarding = 1; disable_port_forwarding = 1;
} }
} }
@ -2449,6 +2466,8 @@ main(int argc, char * * argv)
} else if (!disable_port_forwarding && reserved) { } else if (!disable_port_forwarding && reserved) {
syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name); syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address"); syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
} }
disable_port_forwarding = reserved; disable_port_forwarding = reserved;
} }
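Review bot: In the parselanaddr hunk the new public-address rejection exits with a bare `return -1;` while the inet_aton failure two lines above it goes through `goto parselan_error`; if that label prints the standard parse error or releases anything the caller does not own, the new branch skips it, so ending the block with `goto parselan_error;` instead of `return -1;` would keep a single error exit (the label's body is outside the hunk, as is the start of parselanaddr). The check is also unconditional, so a deployment that legitimately numbers its LAN with routable addresses can no longer start, and the hint about ext_ip= points at the external-address setting rather than the LAN one; a one-line comment above the check such as `/* refuse to serve UPnP on a routable LAN address: anyone who can reach it could add port mappings */` would record why the hard failure is intended. The update_ext_ip_addr_from_stun hunk in this file spells the daemon name `miniunnpd` in three new log strings and has `does not blocks` in one; e.g. `"... and firewall does not block incoming connections set by miniupnpd"`.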


@ -11,7 +11,7 @@
#ext_ip= #ext_ip=
# WAN interface must have public IP address. Otherwise it is behind NAT # WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be # and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and # behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
# routed to WAN interfaces without any filtering. In this cases miniupnpd # routed to WAN interfaces without any filtering. In this cases miniupnpd
# needs to know public IP address and it can be learnt by asking external # needs to know public IP address and it can be learnt by asking external
# server via STUN protocol. Following option enable retrieving external # server via STUN protocol. Following option enable retrieving external


@ -393,9 +393,9 @@ static int parse_stun_response(unsigned char *buffer, size_t len, struct sockadd
} }
/* Perform main STUN operation, return external IP address and check /* Perform main STUN operation, return external IP address and check
* if host is behind restrictive NAT. * if host is behind restrictive, symmetric NAT or behind firewall.
* Restrictive NAT means any NAT which do some filtering and * Restrictive NAT means any NAT which do some filtering and
* which is not static 1:1, basically NAT which is not usable * which is not static full-cone NAT 1:1, basically NAT which is not usable
* for port forwarding */ * for port forwarding */
int perform_stun(const char *if_name, const char *if_addr, const char *stun_host, unsigned short stun_port, struct in_addr *ext_addr, int *restrictive_nat) int perform_stun(const char *if_name, const char *if_addr, const char *stun_host, unsigned short stun_port, struct in_addr *ext_addr, int *restrictive_nat)
{ {
@ -524,7 +524,7 @@ int perform_stun(const char *if_name, const char *if_addr, const char *stun_host
} }
} }
/* Otherwise we are either directly connected or behind unrestricted NAT 1:1 */ /* Otherwise we are either directly connected or behind unrestricted full-cone NAT 1:1 without filtering */
/* There is no filtering, so port forwarding would work fine */ /* There is no filtering, so port forwarding would work fine */
return 0; return 0;
} }