Some reports that a certain app is abusing UPnP for exploiting upload
bandwidth. This commit adds support to restrict UPnP rules to a regex.
By matching requester's description string against rule's regex, this
will make some obstacles for that app.
When iterating interface addresses obtained via `getifaddrs()`, don't
stop at the first found IPv4 address but continue checking all IPv4
addresses and prefer to use a non-reserved one in case an interface
has both reserved (private) and non-reserved (public) addresses
assigned.
After this fix, miniupnpd on OpenWrt is able to properly detect the
external IP address of an external interface with both a private
RFC1918 and a public IP assigned regardless of whether `getifaddrs()`
happens to return the private or the public IPv4 address first.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The miniupnpd sources contain a working getifaddrs() based implementation
to fetch the IP address of an interface but that implementation is guarded
by a USE_GETIFADDRS define which can only be passed manually via CFLAGS.
Introduce a new `--getifaddrs` option to the configure script which can be
used to explicitly enable `getifaddrs()` usage.
Also extend the OpenWrt configuration case to enable `getifaddrs()` since
OpenWrt ships with a working implementation of it since several years
already.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In the commit a0573e2518
was fixed a buffer overflow in the minixml.c but it wasn't copied to upnpc-async.
To make comparison simpler the header was also synced
To hardcode table and chain creation and deletion makes it impossible
for existing firewall infrastructures to integrate miniupnpd.
NFTables will either reevaluate packets through miniupnpd or
it will delete existing tables when there are already custom chains in it.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
The OpenWrt Makefile that builds miniupnpd passes the firewall argument
to the configure script, so this is not needed and it is blocking us
from using nftables instead, which will be the default backend for
firewall4 to be used in the next OpenWrt stable release.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Thomas Bernard
yangfl
Sergey Ponomarev
Jo-Philipp Wich
Brian John
Sven Auhagen
Stijn Tintel