Some reports that a certain app is abusing UPnP for exploiting upload
bandwidth. This commit adds support to restrict UPnP rules to a regex.
By matching requester's description string against rule's regex, this
will make some obstacles for that app.
When iterating interface addresses obtained via `getifaddrs()`, don't
stop at the first found IPv4 address but continue checking all IPv4
addresses and prefer to use a non-reserved one in case an interface
has both reserved (private) and non-reserved (public) addresses
assigned.
After this fix, miniupnpd on OpenWrt is able to properly detect the
external IP address of an external interface with both a private
RFC1918 and a public IP assigned regardless of whether `getifaddrs()`
happens to return the private or the public IPv4 address first.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The miniupnpd sources contain a working getifaddrs() based implementation
to fetch the IP address of an interface but that implementation is guarded
by a USE_GETIFADDRS define which can only be passed manually via CFLAGS.
Introduce a new `--getifaddrs` option to the configure script which can be
used to explicitly enable `getifaddrs()` usage.
Also extend the OpenWrt configuration case to enable `getifaddrs()` since
OpenWrt ships with a working implementation of it since several years
already.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In the commit a0573e2518
was fixed a buffer overflow in the minixml.c but it wasn't copied to upnpc-async.
To make comparison simpler the header was also synced
To hardcode table and chain creation and deletion makes it impossible
for existing firewall infrastructures to integrate miniupnpd.
NFTables will either reevaluate packets through miniupnpd or
it will delete existing tables when there are already custom chains in it.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
The OpenWrt Makefile that builds miniupnpd passes the firewall argument
to the configure script, so this is not needed and it is blocking us
from using nftables instead, which will be the default backend for
firewall4 to be used in the next OpenWrt stable release.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
There is missing corner case check when these functions return failure.
Network in this case does not work, so disable port forwarding to prevent
returning incorrect response about port forwarding state.
Also explicitly set disable_port_forwarding to 0 on success to make code
more readable.
Terminate the awk after getting the first interface name and IP address
from 'ip -4 addr' output. Otherwise, the test fails if the interface
in question has multiple IP addresses, as the test program returns
the first address, while awk prints all.
Fall back to getting the interface name from 'ip -4 addr' when there
is no default route. In this case, the test simply uses the interface
providing the IP address for 'ip -4 addr' (since the command is
implicitly called with no interface argument).
NFTables supports inet in the nat chain as well.
Use it instead of IPv4 chain so it is consistent with the filter chain.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
This patch adds a lease file for IPv6 pinholes.
The leases are maintained and readded when miniupnpd restarts.
Currently all IPv6 leases are lost on restart.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Obviously port forwarding cannot work when upstream interface is down. So
correctly report status code for port forwarding requests to clients in
this case.
IGD v2.0 specification for WANIPConnection:2 says:
When the external IP address could not be retrieved by the gateway (for
example, because the interface is down or because there was a failure in
the last connection setup attempt), then the ExternalIPAddress MUST be
equal to the empty string.
So instead of Error 501 "Action Failed" returns empty string to be
compliant with IGD v2.0 specification.