fixes#698
As advised in UDA:
Due to the unreliable nature of UDP, devices SHOULD send the entire set
of discovery messages more than once with some delay between sets e.g. a
few hundred milliseconds. To avoid network congestion discovery messages
SHOULD NOT be sent more than three times. In addition, the device MUST
re-send its advertisements periodically prior to expiration of the duration
specified in the CACHE-CONTROL header field; it is RECOMMENDED that such
refreshing of advertisements be done at a randomly-distributed interval
of less than one-half of the advertisement expiration time.
(CACHE-CONTROL value is minimum 1800 seconds, so the interval should be
less than 900s
fixes#697http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
p9:
1.2 Changes since WANIPConnection:1
Upon startup, UPnP IGD DCP MUST broadcast an ssdp:byebye before sending the initial
ssdp:alive onto the local network. Sending an ssdp:byebye as part of the normal start up process
for a UPnP device ensures that UPnP control points with information about the previous device
instance will safely discard state information about the previous device instance before
communicating with the new device instance.
NFtables uses the INET table for NAT which combines IPv4 and IPv6.
Older systems might not have this option and use the ip table instead.
This adds a flag to fall back to the ip table style.
Signed-Off-By: Sven Auhagen <sven.auhagen@voleatech.de>
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
There is missing corner case check when these functions return failure.
Network in this case does not work, so disable port forwarding to prevent
returning incorrect response about port forwarding state.
Also explicitly set disable_port_forwarding to 0 on success to make code
more readable.
This patch adds a lease file for IPv6 pinholes.
The leases are maintained and readded when miniupnpd restarts.
Currently all IPv6 leases are lost on restart.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Obviously port forwarding cannot work when upstream interface is down. So
correctly report status code for port forwarding requests to clients in
this case.
Option listen= is used for LAN interface/address and option ext_addr= is
used for public IP address. If users by mistake swap WAN and LAN interface
or public and private IP addresses then miniupnpd obviously would not work
and instead of hacking miniupnpd code users should rather check their
miniupnpd configuration or local firewall settings.
So add checks and hints which prevents security issues like swapping LAN
and WAN interfaces/addresses and therefore prevent exposing port forwarding
and firewall configuration on public Internet.
you now can setup :
listening_ip=igb1 bridge0 xxx0 xxx1 ...
miniupnpd will use igd1 address, but will not complain when receiving
packets from either igb1, bridge0, xxx0 or xxx1
fixes#379
see also #408
