NFtables uses the INET table for NAT which combines IPv4 and IPv6.
Older systems might not have this option and use the ip table instead.
This adds a flag to fall back to the ip table style.
Signed-Off-By: Sven Auhagen <sven.auhagen@voleatech.de>
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
There is missing corner case check when these functions return failure.
Network in this case does not work, so disable port forwarding to prevent
returning incorrect response about port forwarding state.
Also explicitly set disable_port_forwarding to 0 on success to make code
more readable.
This patch adds a lease file for IPv6 pinholes.
The leases are maintained and readded when miniupnpd restarts.
Currently all IPv6 leases are lost on restart.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Obviously port forwarding cannot work when upstream interface is down. So
correctly report status code for port forwarding requests to clients in
this case.
Option listen= is used for LAN interface/address and option ext_addr= is
used for public IP address. If users by mistake swap WAN and LAN interface
or public and private IP addresses then miniupnpd obviously would not work
and instead of hacking miniupnpd code users should rather check their
miniupnpd configuration or local firewall settings.
So add checks and hints which prevents security issues like swapping LAN
and WAN interfaces/addresses and therefore prevent exposing port forwarding
and firewall configuration on public Internet.
you now can setup :
listening_ip=igb1 bridge0 xxx0 xxx1 ...
miniupnpd will use igd1 address, but will not complain when receiving
packets from either igb1, bridge0, xxx0 or xxx1
fixes#379
see also #408
In this case port forwarding is impossible, so rather return error code to the client instead of silently trying to do something and informing clients that port forwarding is enabled.
This ensures that all requests for getting public IP address (either via UPnP IGD or PCP/PMP) would contain correct public IP address or an error (instead of some invalid private/reserved IP address).