miniupnpd: Disable port forwarding when we are behind restrictive nat with reserved / private IP address

In this case port forwarding is impossible, so rather return error code to the client instead of silently trying to do something and informing clients that port forwarding is enabled.
2025-02-16 16:07:30 +00:00 · 2018-05-19 13:32:04 +02:00 · 2018-05-19 13:32:04 +02:00 · 8e10a1aeab
commit 8e10a1aeab
parent cce19781e6
4 changed files with 38 additions and 0 deletions
--- a/miniupnpd/miniupnpd.c
+++ b/miniupnpd/miniupnpd.c
@ -1941,6 +1941,20 @@ main(int argc, char * * argv)
 	       GETFLAG(ENABLEUPNPMASK) ? "UPnP-IGD " : "",
 	       ext_if_name, upnp_bootid);

+	if (!use_ext_ip_addr)
+	{
+		char if_addr[INET_ADDRSTRLEN];
+		struct in_addr addr;
+		if (getifaddr(ext_if_name, if_addr, INET_ADDRSTRLEN, &addr, NULL) < 0) {
+			syslog(LOG_ERR, "Cannot get IP address for ext interface %s. EXITING", ext_if_name);
+			return 1;
+		}
+		if (addr_is_reserved(&addr)) {
+			syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
+			disable_port_forwarding = 1;
+		}
+	}
+
 	if(GETFLAG(ENABLEUPNPMASK))
 	{
 		unsigned short listen_port;
@ -2132,6 +2146,20 @@ main(int argc, char * * argv)
 		if(should_send_public_address_change_notif)
 		{
 			syslog(LOG_INFO, "should send external iface address change notification(s)");
+			if (!use_ext_ip_addr)
+			{
+				char if_addr[INET_ADDRSTRLEN];
+				struct in_addr addr;
+				if (getifaddr(ext_if_name, if_addr, INET_ADDRSTRLEN, &addr, NULL) == 0) {
+					int reserved = addr_is_reserved(&addr);
+					if (disable_port_forwarding && !reserved) {
+						syslog(LOG_INFO, "Public IP address %s on ext interface %s: Port forwarding is enabled", if_addr, ext_if_name);
+					} else if (!disable_port_forwarding && reserved) {
+						syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
+					}
+					disable_port_forwarding = reserved;
+				}
+			}
 #ifdef ENABLE_NATPMP
 			if(GETFLAG(ENABLENATPMPMASK))
 				SendNATPMPPublicAddressChangeNotification(snatpmp, addr_count);
--- a/miniupnpd/upnpglobalvars.c
+++ b/miniupnpd/upnpglobalvars.c
@ -25,6 +25,10 @@ const char* lease_file = 0;
 * when NULL, getifaddr() is used */
 const char * use_ext_ip_addr = 0;

+/* disallow all port forwarding requests when
+ * we are behind restrictive nat */
+int disable_port_forwarding = 0;
+
 unsigned long downstream_bitrate = 0;
 unsigned long upstream_bitrate = 0;

--- a/miniupnpd/upnpglobalvars.h
+++ b/miniupnpd/upnpglobalvars.h
@ -26,6 +26,10 @@ extern const char * lease_file;
 * when NULL, getifaddr() is used */
 extern const char * use_ext_ip_addr;

+/* disallow all port forwarding requests when
+ * we are behind restrictive nat */
+extern int disable_port_forwarding;
+
 /* parameters to return to upnp client when asked */
 extern unsigned long downstream_bitrate;
 extern unsigned long upstream_bitrate;
--- a/miniupnpd/upnpredirect.c
+++ b/miniupnpd/upnpredirect.c
@ -440,6 +440,8 @@ upnp_redirect_internal(const char * rhost, unsigned short eport,
 {
 	/*syslog(LOG_INFO, "redirecting port %hu to %s:%hu protocol %s for: %s",
 		eport, iaddr, iport, protocol, desc);			*/
+	if(disable_port_forwarding)
+		return -1;
 	if(add_redirect_rule2(ext_if_name, rhost, eport, iaddr, iport, proto,
 	                      desc, timestamp) < 0) {
 		return -1;