Commit Graph

162 Commits

Author SHA1 Message Date
Sven Auhagen 2c9a645b10 NFTables: Add backwards compatibility for IPv4 NAT
NFtables uses the INET table for NAT which combines IPv4 and IPv6.
Older systems might not have this option and use the ip table instead.

This adds a flag to fall back to the ip table style.

Signed-Off-By: Sven Auhagen <sven.auhagen@voleatech.de>
2024-03-04 06:18:41 +01:00
Thomas Bernard 420bd685cf make it more clear that clean_ruleset_interval=0 disables the check
see #699
2024-01-31 05:24:57 +01:00
Thomas Bernard 1a49233fe7
fix typo 2024-01-27 00:35:56 +01:00
Thomas Bernard 4b0ff229d8
default to /etc/miniupnpd/miniupnpd.conf under linux
it is still /etc/miniupnpd.conf under BSD.

closes #695
2024-01-17 00:49:32 +01:00
Thomas Bernard b8d9f66890 miniupnpd.c: 2024 2024-01-15 00:59:33 +01:00
Thomas Bernard aefebb18cb
miniupnpd.c: fix enforcing min_lifetime minimum of 120secs 2024-01-08 00:24:07 +01:00
Thomas Bernard f91a32ff02
miniupnpd: enable secure mode by default 2023-05-27 18:42:18 +02:00
Thomas Bernard 19aa26df7e
miniupnpd: add a short list of build-time options in --version output 2023-05-27 11:56:19 +02:00
Thomas Bernard 37c29a3716 miniupnpd: mention PCP in usage 2023-05-27 11:26:45 +02:00
Thomas Bernard ab57f7ca3a
miniupnpd.c: improve comments about SETFLAG(ENABLENATPMPMASK) 2023-05-27 11:20:29 +02:00
Sven Auhagen 0b3f3e4029
NFTables make tables name configurable
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2021-11-27 21:49:21 +01:00
Pali Rohár 200d6c2509 miniupnpd: Add some missing checks when update_ext_ip_addr_from_stun() or getifaddr() fails
There is missing corner case check when these functions return failure.
Network in this case does not work, so disable port forwarding to prevent
returning incorrect response about port forwarding state.

Also explicitly set disable_port_forwarding to 0 on success to make code
more readable.
2021-08-31 21:34:27 +02:00
Sven Auhagen 74dbad5ab0 IPv6 pinholes lease file
This patch adds a lease file for IPv6 pinholes.
The leases are maintained and readded when miniupnpd restarts.
Currently all IPv6 leases are lost on restart.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2021-08-18 11:06:12 +01:00
Thomas Bernard 7c112e2b39 Merge commit '7ee554d31b47a7227ab85aa919792597ce78c81e' 2021-08-11 14:49:06 +02:00
Thomas Bernard f1388717af
miniupnpd.c: fix 1aa46b5a2c 2021-08-11 12:19:30 +02:00
Pali Rohár 7ee554d31b miniupnpd: Disable port forwarding when upstream interface is down
Obviously port forwarding cannot work when upstream interface is down. So
correctly report status code for port forwarding requests to clients in
this case.
2021-08-06 16:13:25 +02:00
Natanael Copa 1aa46b5a2c miniupnpd: improve error message for bad config
Improve error message so users don't need read the source to figure out
why miniupnpd refuses to start even if the usage is correct.
2021-07-15 12:23:26 +02:00
Thomas Bernard 5567e7c7e0
miniupnpd: improves error handling during init.
- Fails on config parsing and init errors.
- print errors during init to both syslog and stderr.

fixes #551
2021-06-18 00:21:16 +02:00
Thomas Bernard 08ae9e9e71
miniupnpd: dynamically retrieve `uname -r`
fixes #547
2021-05-22 00:16:40 +02:00
Thomas Bernard 207d1849e4 miniupnpd.c: typo and ip -> IP 2021-01-15 19:33:29 +01:00
Pali Rohár e6bf74a691 Add check that miniupnpd is not going to listen on WAN interface with public IP address
Option listen= is used for LAN interface/address and option ext_addr= is
used for public IP address. If users by mistake swap WAN and LAN interface
or public and private IP addresses then miniupnpd obviously would not work
and instead of hacking miniupnpd code users should rather check their
miniupnpd configuration or local firewall settings.

So add checks and hints which prevents security issues like swapping LAN
and WAN interfaces/addresses and therefore prevent exposing port forwarding
and firewall configuration on public Internet.
2020-12-30 11:23:29 +01:00
Pali Rohár 304ff79dc5 Update and extend description from STUN output
People sometimes do not understand where is the problem, so include also
hints what they needs to check, change and re-configure.
2020-12-30 11:22:12 +01:00
Thomas Bernard 68cc35156e
fix nftables shutdown_redirect()
see #481
2020-10-22 21:19:37 +02:00
Thomas Bernard f9908a788b Move chain name variables to netfilter/* 2020-09-28 22:44:24 +02:00
Thomas Bernard 7a9452fca9
miniupnpd: make sure "runtime_vars" are initialized 2020-06-20 17:02:19 +02:00
Thomas Bernard 5bbcc0bb65
miniupnpd --help shows usage 2020-06-20 17:01:01 +02:00
Thomas Bernard 417b496617
miniupnpd: add -v/-vv command line argument to enable more logs
fixes #477
2020-06-20 17:00:10 +02:00
Thomas Bernard 8a665a1c8e
configure --disable-fork to disable going to background
fixes #468
2020-06-03 23:43:58 +02:00
Thomas Bernard 194566a5bd
support for libcap-ng
fixes #405
2020-05-10 15:34:45 +02:00
Thomas Bernard 5abb714d34
drop linux capabilities 2020-05-10 15:34:44 +02:00
Thomas Bernard 7800de9429
miniupnpd: fix for bridges
you now can setup :
listening_ip=igb1 bridge0 xxx0 xxx1 ...

miniupnpd will use igd1 address, but will not complain when receiving
packets from either igb1, bridge0, xxx0 or xxx1

fixes #379
see also #408
2020-04-29 00:03:54 +02:00
Thomas Bernard c51c5b7d58
miniupnpd: be more explicit about usage of ext_ip= in double nat setups 2020-04-12 19:44:27 +02:00
Thomas Bernard a774830fe0
miniupnpd: Option to disable IPv6 at runtime : -4 / ipv6_disable=yes 2020-04-09 21:12:20 +02:00
Thomas Bernard aa08b09068 miniupnpd version prints backend 2019-10-22 20:11:02 +02:00
Thomas Bernard 49d3b57441
miniupnpd: Add --version commandline option
fixes #370
2019-10-05 22:44:31 +02:00
Thomas Bernard 22223da9a1 use OpenBSD pledge() to drop privileges
To be tested

see #405
2019-10-03 23:23:53 +02:00
Paul Chambers 7ea314412c make rdr_name_type enum values more unique 2019-10-02 23:42:15 +02:00
Paul Chambers 75bdb777cf rework nft-specific globals, create & destroy tables/chains at init & shutdown 2019-09-30 00:12:08 -07:00
Thomas Bernard a1ceec3dba
miniupnpd: Allow to use two different network interfaces for IPv4 and IPv6 internet
-i / -I
ext_ifname= / ext_ifname6=

see :
df906367be/
thanks to "sfstudio"
2019-05-21 10:42:40 +02:00
Thomas Bernard 510a6e9630
fix check of valid HTTPS socket 2019-01-23 09:25:10 +01:00
Thomas Bernard efe5d87103 LOG_WARNING if behind restrictive NAT 2018-07-06 14:41:04 +02:00
Pali Rohár e6011dc534 miniupnpd: Allow to specify also port number in -o STUN: option
Also update help for -o STUN: option, it can take stun hostname too.
2018-07-06 14:38:37 +02:00
Thomas Bernard 810cb665c2 Merge branch 'pr_307'
see #307
2018-07-06 13:40:18 +02:00
Thomas Bernard 15b6f3e9c2 fixes in update_ext_ip_addr_from_stun()
Signed-off-by: Thomas Bernard <miniupnp@free.fr>
2018-07-06 13:29:33 +02:00
Thomas Bernard 8bc6d6f556 PERFORMSTUN => PERFORMSTUNMASK. allow to specify stun using -o option 2018-07-06 13:23:22 +02:00
Thomas Bernard ef179a45e3 do not check empty string with strlen(s) == 0
see #292
2018-06-01 10:55:45 +02:00
Pali Rohár 8c97654d70 miniupnpd: When enabled perform STUN to learn external IP address and NAT type
Also enable port forwarding when direct (non-NAT) connection or unrestricted NAT 1:1 (without any filtering) is detected.
2018-05-19 13:32:42 +02:00
Pali Rohár 8e10a1aeab miniupnpd: Disable port forwarding when we are behind restrictive nat with reserved / private IP address
In this case port forwarding is impossible, so rather return error code to the client instead of silently trying to do something and informing clients that port forwarding is enabled.
2018-05-19 13:32:04 +02:00
Pali Rohár cce19781e6 miniupnpd: Add validation that public ip address is not reserved and is really public
This ensures that all requests for getting public IP address (either via UPnP IGD or PCP/PMP) would contain correct public IP address or an error (instead of some invalid private/reserved IP address).
2018-05-19 13:31:26 +02:00
Thomas Bernard e11bbf0bc0
miniupnpd/pcp: Send PCP announcment at startup
fixes #254
2018-05-08 23:06:19 +02:00