Commit Graph

1177 Commits

Author SHA1 Message Date
Thomas Bernard 9239cf28c1
Fix the cleanup of PREROUTING mangle chain
it was changed iby mistake to FORWARD by 82ec7bc3df

see discussion in PR #530
2021-02-26 15:15:09 +01:00
Thomas Bernard 3b6b0ba1e3
INSTALL: update 2021-02-26 15:14:03 +01:00
Thomas Bernard 207d1849e4 miniupnpd.c: typo and ip -> IP 2021-01-15 19:33:29 +01:00
Pali Rohár e6bf74a691 Add check that miniupnpd is not going to listen on WAN interface with public IP address
Option listen= is used for LAN interface/address and option ext_addr= is
used for public IP address. If users by mistake swap WAN and LAN interface
or public and private IP addresses then miniupnpd obviously would not work
and instead of hacking miniupnpd code users should rather check their
miniupnpd configuration or local firewall settings.

So add checks and hints which prevents security issues like swapping LAN
and WAN interfaces/addresses and therefore prevent exposing port forwarding
and firewall configuration on public Internet.
2020-12-30 11:23:29 +01:00
Pali Rohár 304ff79dc5 Update and extend description from STUN output
People sometimes do not understand where is the problem, so include also
hints what they needs to check, change and re-configure.
2020-12-30 11:22:12 +01:00
Thomas Bernard 9ef311d235
miniupnpd: version 2.2.1 2020-12-20 19:12:47 +01:00
Tim Gates 341d0f51a2
docs: fix simple typo, decription -> description
There is a small typo in miniupnpd/commonrdr.h, miniupnpd/ipf/ipfrdr.c, miniupnpd/pf/obsdrdr.c.

Should read `description` rather than `decription`.
2020-12-10 05:26:04 +11:00
Thomas Bernard 22c1386351
protocol[] can be "UDPLITE"
fixes #5034
2020-11-12 08:59:47 +01:00
Thomas Bernard f50f00b5ea
errno.h not sys/errno.h 2020-11-11 13:24:48 +01:00
Thomas Bernard ab544c3a0e
asyncsendto.c: use named enum.
see #502
2020-11-11 13:16:14 +01:00
Thomas Bernard 30c27967ae
fix error message for IPV6. 2020 2020-11-05 21:59:25 +01:00
Thomas Bernard 97fd716bd0
2020 2020-11-04 22:32:14 +01:00
Thomas Bernard 057368701e
fix warning 2020-11-04 22:31:47 +01:00
Thomas Bernard 32164d27d2
fix a couple of warnings 2020-11-02 00:26:13 +01:00
Thomas Bernard c41094c2af
exact same declaration for random_url[]
see #498
2020-11-01 23:29:08 +01:00
Thomas Bernard 29797cf607 2019 => 2020 2020-10-31 11:36:06 +01:00
Thomas Bernard 01d686078e
use tag as GITREF if available 2020-10-31 10:56:02 +01:00
Thomas Bernard 56c66b5472
miniupnpd version 2.2.0 2020-10-31 10:23:44 +01:00
Thomas Bernard 1331b42410
fix dd99f0eb75 2020-10-31 10:05:50 +01:00
Thomas Bernard dd99f0eb75
sysctl is not always in /sbin 2020-10-30 23:11:44 +01:00
Thomas Bernard 72ec9e1943
update changelog / comments 2020-10-30 22:44:02 +01:00
Thomas Bernard c9939cc01e
fix portinuse.c for OpenBSD 5.5+
all CIRCLEQ have been replaced by TAILQ
fixes #496
2020-10-30 22:14:45 +01:00
Thomas Bernard 1008ed1117 Merge branch 'issue-465' into master 2020-10-28 19:38:52 +01:00
Thomas Bernard 90259ae803
Fix undefined behaviour: shifting signed int by 31 place
see #465

     #0 0x555719469ec5 in AddAnyPortMapping.cfi /home/ryutaroh/miniupnpd-1018/miniupnp/miniupnpd/upnpsoap.c:703:42
     #1 0x5557194705a7 in ExecuteSoapAction /home/ryutaroh/miniupnpd-1018/miniupnp/miniupnpd/upnpsoap.c:2335:5
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior upnpsoap.c:703:42 in
2020-10-26 08:46:37 +01:00
Thomas Bernard 85f8123504 Merge branch 'issue-495' into master 2020-10-24 15:23:26 +02:00
Thomas Bernard 946f6c19bb
fix Makefile.bsd
fixes #495
2020-10-24 15:17:59 +02:00
Thomas Bernard 92ff8a6a7e
in_addr_t instead of struct in_addr 2020-10-22 23:20:50 +02:00
Thomas Bernard 6b2070c6e9
fix 18a6ab0201 2020-10-22 23:19:59 +02:00
Thomas Bernard 5e7f8b5183 netfilter_nft/nftnlrdr_misc.h: comment 2020-10-22 21:39:41 +02:00
Thomas Bernard 1b5cab1e87
update Changelog.txt 2020-10-22 21:27:04 +02:00
Thomas Bernard 68cc35156e
fix nftables shutdown_redirect()
see #481
2020-10-22 21:19:37 +02:00
Thomas Bernard 04e245258e
For FreeBSD ports
see #495
2020-10-22 20:45:15 +02:00
Thomas Bernard 18a6ab0201
AddAnyPortMapping(): Only try allowed ports
build an array of all allowed ports.
should fix #465
2020-10-18 00:20:24 +02:00
Thomas Bernard 3a17dea056 pass rule type to the private arg of mnl_cb_run() callback
should fix #481
2020-10-17 23:20:29 +02:00
Thomas Bernard a3522723ae fix .gitignore 2020-10-17 22:55:12 +02:00
Thomas Bernard 2595275eb5 netfilter_nft: build testing 2020-10-17 22:52:34 +02:00
Thomas Bernard 992565201b fix testnftnlrdr.c 2020-09-29 01:00:29 +02:00
BERNARD Thomas 91ff44c9d2 netfilter_nft: fix test stuff 2020-09-29 00:43:55 +02:00
Thomas Bernard 11dec5b25c fix log 2020-09-29 00:17:58 +02:00
Thomas Bernard f9908a788b Move chain name variables to netfilter/* 2020-09-28 22:44:24 +02:00
Thomas Bernard 61d4aecb6e fix warning 2020-09-28 21:58:08 +02:00
Thomas Bernard 7db8ef0921 fix c9f6ddd 2020-09-28 21:57:50 +02:00
Thomas Bernard c9f6ddd102
miniupnpd/netfilter_nft: more logs in set_rdr_name()
see #481
2020-09-26 17:42:26 +02:00
Pali Rohár dbb821a7c9 getifaddr.c: Fix mask for RFC7534 Direct Delegation AS112 Service 2020-07-12 13:45:30 +02:00
Thomas Bernard d7b40010d5
nftnlrdr_misc.c: add log in case of send_batch() failure
useful for #481
2020-07-09 11:16:47 +02:00
Chen Minqiang b44e5e7a83 fix update_portmapping() missing target when update filter table 2020-06-27 11:31:08 +08:00
Thomas Bernard 24df04fc1b update 2020-06-20 17:49:19 +02:00
Thomas Bernard 7a9452fca9
miniupnpd: make sure "runtime_vars" are initialized 2020-06-20 17:02:19 +02:00
Thomas Bernard 5bbcc0bb65
miniupnpd --help shows usage 2020-06-20 17:01:01 +02:00
Thomas Bernard 417b496617
miniupnpd: add -v/-vv command line argument to enable more logs
fixes #477
2020-06-20 17:00:10 +02:00
Thomas Bernard 686b41fc52
AddAnyPortMapping(): support wildcard in NewExternalPort
supported wildcard is either 0 or *
2020-06-20 16:38:14 +02:00
Thomas Bernard de71eef493
miniupnpd: AddAnyPortMapping() tries port above and below requested port
fixes #465
if the requested port is n, it will tries successively :
n, n+1, n-1, n+2, n-2, n+3, n-3, etc.
2020-06-20 16:38:14 +02:00
Thomas BERNARD 1e7fb305b6
Merge pull request #475 from miniupnp/issue-474
improve netfilter_nft code
2020-06-11 14:53:38 +02:00
Renato Botelho 1baa95277d Fix manpage installation on BSD
Respect MANPREFIX when it's set, when not, use PREFIX
2020-06-10 14:38:23 -03:00
Thomas Bernard 86b6aad797
ido not use depreacted nftnl_rule_set() and nftnl_chain_set()
now uses nftnl_rule_set_str() and nftnl_chain_set_str()
fixes #476
2020-06-10 11:55:42 +02:00
Thomas Bernard acbb9f09d7 update Changelog.txt 2.2.0-RC1 2020-06-08 12:10:17 +02:00
Thomas Bernard 92ec4d05ab
nftnlrdr_misc.c: fix a memory leak in table_cb() 2020-06-08 10:08:44 +02:00
Thomas Bernard 5f66d1852d
rewrite send_batch() for clarity 2020-06-07 21:43:03 +02:00
Thomas Bernard f23c3e68aa fix previous commit 2020-06-07 21:30:12 +02:00
Thomas Bernard 8ad596d846
fix previous commit
fixes a7eeb5938f
2020-06-07 21:02:51 +02:00
Thomas Bernard a7eeb5938f
improved error handling in parse_rule_nat() 2020-06-07 20:58:25 +02:00
Thomas Bernard d41aceffb5
improve table_cb() to remove memory leak 2020-06-07 20:12:12 +02:00
Thomas Bernard a64d4f937b
rewrite table_cb() to better handle errors 2020-06-07 20:00:52 +02:00
Thomas Bernard 70b9526834
remove unecessary if in flush_nft_cache() 2020-06-07 19:58:48 +02:00
Thomas Bernard 7245a68e5c improve error handling in nft_mnl_connect() 2020-06-07 19:57:29 +02:00
Thomas Bernard ed48113355
refresh_nft_cache() return error status
fixes 037639c07a
2020-06-07 19:56:03 +02:00
Thomas Bernard 037639c07a
improve error handling in refresh_nft_cache() and send_batch()
to help debug #474
2020-06-07 19:29:22 +02:00
Thomas Bernard 61ce33a51b
Changelog.txt: pf symetric nat implementation 2020-06-06 19:39:49 +02:00
Thomas Bernard 563576878c Merge branch 'pf-nat-rules' 2020-06-06 19:39:08 +02:00
Thomas Bernard 0af141d9c5
miniupnpd: fix processing of v4 M-SEARCH received on v6 socket
So we don't answer with the v6 LOCATION to v4 clients anymore !

should fix #467
see #461
2020-06-05 22:39:59 +02:00
Thomas Bernard 409ba9c0f2
nftpinhole.c: fix get_pinhole_info()
this whole file should be reviewed carefully

fixes #459
2020-06-05 10:36:17 +02:00
Thomas Bernard 3716381308
improve syslog in PinholeVerification() 2020-06-05 10:19:15 +02:00
Thomas Bernard d5ba9c368e
fix memroy leak in PinholeVerification()
see #459
2020-06-05 10:13:13 +02:00
Thomas Bernard f151cc1dd4
minor checks on PCPSendUnsolicitedAnnounce() 2020-06-04 00:56:16 +02:00
Thomas Bernard 45191081f1
fix 9b32a523bf 2020-06-04 00:46:41 +02:00
Thomas Bernard 9b32a523bf
improve get_redirect_rule_count() for netfilter_nft too 2020-06-04 00:37:17 +02:00
Thomas Bernard 95d611e7a0
fix 67465c3cc0 2020-06-04 00:30:01 +02:00
Thomas Bernard 26c46e5a49
improve upnp_get_portmapping_number_of_entries() 2020-06-04 00:27:49 +02:00
Thomas Bernard ddf328845a
keep memory of ./configure parameters 2020-06-03 23:54:24 +02:00
Thomas Bernard 8a665a1c8e
configure --disable-fork to disable going to background
fixes #468
2020-06-03 23:43:58 +02:00
Thomas Bernard eaf23f0d10
fix bug introduced in d458f1a222
dev is also used in  pfpinhole.c and should be global
2020-06-03 23:15:28 +02:00
Thomas Bernard 67465c3cc0
OpenBSD: Disable pledge()
see #455
2020-06-03 23:11:15 +02:00
Thomas Bernard e1f3478519
miniupnpd/netfilter_nft: fix get_redirect_rule_by_index()
should fix #462
2020-06-03 00:30:14 +02:00
Thomas Bernard c8cbf9f6ce
miniupnpd/netfilter_nft: replace calls to inet_ntoa by inet_ntop() 2020-06-03 00:30:09 +02:00
Thomas Bernard bc645c108d
same fix as 827fc6f04 for SendSSDPGoodbye()
see #459
2020-06-02 09:08:59 +02:00
Thomas Bernard b8c8cec26b
fix bug introduced in c3d71b97ab
see #459
2020-06-02 09:02:45 +02:00
Thomas Bernard fb63cf3455
miniupnpd/netfilter_nft: properly store timestamps
should fix #466
2020-06-02 01:00:04 +02:00
Thomas Bernard c0ea7926c0
upnpdescgen.c: error message when memory alloc fails 2020-06-02 00:24:15 +02:00
Thomas Bernard 7b9489fb84
the buffer passed to mnl_nlmsg_batch_start() must be double of MNL_SOCKET_BUFFER_SIZE
see https://www.netfilter.org/projects/libmnl/doxygen/html/group__batch.html
http://www.lt.netfilter.org/projects/libmnl/doxygen/group__batch.html#ga28488fc4dee4c3e9eda5918f049db2af
2020-06-02 00:07:39 +02:00
Thomas Bernard 5dbdc50aa7 check return value of nftnl_expr_get() 2020-06-01 20:20:29 +02:00
Thomas Bernard 1e37a9f7b5
improve parse_rule_cmp()
see #459
2020-06-01 20:14:20 +02:00
Thomas Bernard c09f485482
nftnlrdr.c: fix writing to iaddr instead of rhost
fixes #462
https://github.com/miniupnp/miniupnp/issues/462
https://github.com/miniupnp/miniupnp/issues/459#issuecomment-636402954
2020-06-01 17:56:38 +02:00
Thomas Bernard c3d71b97ab nftnlrdr_misc.c: malloc/memcpy instead of strndup()
see #466
2020-06-01 17:35:26 +02:00
Thomas Bernard 3b20182c86
miniupnpd/upnpdescgen.c: check string length before memcmp() in genServiceDesc()
see https://github.com/miniupnp/miniupnp/issues/459
2020-05-30 11:06:24 +02:00
Thomas Bernard a711165e6e
miniupnpd: improve AddAnyPortMapping()
try with next port when  -3 permission check failed

see #465
2020-05-30 10:29:24 +02:00
Thomas Bernard a30e3de4ba
miniupnpd/netfilter_nft: add debug messages about lease timestamps/duration
in order to debug issue #466
2020-05-30 10:09:22 +02:00
Thomas Bernard f97367c87d
miniupnpd/p: delete_nat_rule()
also clear_nat_rules()
2020-05-30 00:32:29 +02:00
Thomas Bernard 6cd5ca6e9a
call nftnl_rule_is_set(NFTNL_RULE_USERDATA) before nftnl_rule_get_data(NFTNL_RULE_USERDATA)
see #459 and #461
2020-05-29 18:10:30 +02:00
Thomas Bernard 827fc6f041
miniupnpd: prevent buffer overread of known_devices_types
should fix #459
2020-05-29 18:01:39 +02:00
Thomas Bernard 7be0b48022
fix GetExternalIPAddress()
a bug was introduced by cce19781e6

may fix #460
2020-05-29 08:55:44 +02:00
Thomas Bernard e3395f12fc miniupnpd/pf: minor changes 2020-05-21 02:24:59 +02:00
Thomas Bernard 2cf50c57fa
miniupnpd/pf: add_nat_rule() 2020-05-21 02:24:39 +02:00
Thomas Bernard abefb6c6d0 miniupnpd/pf: fix test 2020-05-21 02:21:49 +02:00
Thomas Bernard d458f1a222
minor stuff 2020-05-17 23:16:45 +02:00
Thomas Bernard e823722b5d
some cp implementations do not support the -v option 2020-05-11 23:31:53 +02:00
Thomas Bernard 02e41f7346
miniupnpd: BSD: allow to build from another directory
$ cd miniupnpd
$ mkdir build
$ cd build
$ ../configure && make
2020-05-11 23:30:19 +02:00
Thomas Bernard 384f6592a8
miniupnpd: update Changelog 2020-05-10 20:01:30 +02:00
Thomas Bernard f9002bfaa7
https://miniupnp.tuxfamily.org/ 2020-05-10 20:01:24 +02:00
Thomas Bernard a04d6d405d miniupnpd/Makefile.linux_nft: update CFLAGS / LDFLAGS 2020-05-10 20:00:50 +02:00
Thomas Bernard e166f541e8 => 2020 2020-05-10 20:00:37 +02:00
Thomas Bernard 194566a5bd
support for libcap-ng
fixes #405
2020-05-10 15:34:45 +02:00
Thomas Bernard 5abb714d34
drop linux capabilities 2020-05-10 15:34:44 +02:00
Pali Rohár 9e41cad6a8 upnpstun.c: TEST: Require root user
New version of /sbin/iptables binary prints nonsense error message when is
called by ordinary non-root user:

  iptables v1.8.2 (nf_tables): unknown option "--dport"

Under root user it works correctly and understands --dport argument.

/sbin/iptables binary obviously does not work without root user, so rather
print error message as debugging why /sbin/iptables printed that nonsense
error message about unknown option.
2020-05-08 16:32:16 +02:00
Pali Rohár 0cad5296c6 upnpstun.c: TEST: Redirect syslog() call to printf()
When compiling Testing Linux application, replace syslog() call by
printf(). openlog() does not honor LOG_CONS flag, it works only when
application cannot connect to syslog (which is rare). There is way to force
syslog() call to print to stdout, so replace openlog() and syslog() calls
by normal printf() call via preprocessor macro when compiling Testing Linux
application.
2020-05-08 16:29:31 +02:00
Pali Rohár d7f60e3fdf upnpstun.c: Show more debug information 2020-05-08 16:26:39 +02:00
Pali Rohár 92a1ee9a7d upnpstun.c: Parse more fields from STUN packet
These fields are sent by e.g. stun.ekiga.net
2020-05-08 16:25:43 +02:00
Pali Rohár 420cfaf208 upnpstun.c: Do not stop processing STUN packet when XOR-MAPPED-ADDRESS is found 2020-05-08 16:23:58 +02:00
Thomas Bernard 388d93d678 minipnpd: move check target to check.mk 2020-05-07 01:02:48 +02:00
Thomas Bernard 2b4d9f5ee5
miniupnpd: fix build for nftables 2020-05-07 00:47:26 +02:00
Thomas Bernard 44c30b0a4e miniupnpd: fix build for nftables 2020-05-07 00:41:59 +02:00
Thomas Bernard 1cdc352788
miniupnpd/testupnppermissions.sh: do not require bash or ksh anymore 2020-05-07 00:34:44 +02:00
Thomas Bernard ea90d39892
miniupnpd: update linux makefiles 2020-05-07 00:34:44 +02:00
Thomas Bernard 4f67061e08
miniupnpd: allow to build in another directory. use .d for depends 2020-05-07 00:34:40 +02:00
Thomas Bernard 9ffc336b5c linux: detect libcap-ng or libcap 2020-05-04 00:09:42 +02:00
Thomas Bernard ca0a3b30ba miniupnpd: update Changelog.txt 2020-05-04 00:08:50 +02:00
Thomas Bernard 55d2535a6f
miniupnpd: move many scripts from Makefile.linux to configure 2020-05-02 18:28:05 +02:00
Thomas Bernard 1833a538ef
miniupnpd/Makefile.linux: move some compile config to configure script 2020-05-02 18:28:00 +02:00
Thomas Bernard 125030132e
genconfig.sh -> configure 2020-05-02 18:26:45 +02:00
Thomas Bernard 69137442fb
Makefile => Makefile.bsd
copy the right Makefile to "Makefile"

TODO : rename genconfig.sh to configure
2020-05-02 18:26:36 +02:00
Thomas Bernard 2a8368a2de
gitrev.mk: CFLAGS => CPPFLAGS 2020-05-02 18:25:48 +02:00
Thomas Bernard 7800de9429
miniupnpd: fix for bridges
you now can setup :
listening_ip=igb1 bridge0 xxx0 xxx1 ...

miniupnpd will use igd1 address, but will not complain when receiving
packets from either igb1, bridge0, xxx0 or xxx1

fixes #379
see also #408
2020-04-29 00:03:54 +02:00
Thomas Bernard a965520085
fix warning (int promotion)
also add (c) Thomas Bernard
2020-04-29 00:01:44 +02:00
Thomas Bernard fcac8b9690
upnpstun.c: support for more attributes types
0x0009: /* ERROR-CODE */
 0x0020: /* XOR-MAPPED-ADDRESS (RFC 5389) */
 0x802b: /* RESPONSE-ORIGIN (RFC 5780) */
 0x802c: /* OTHER-ADDRESS (RFC 5780) */
2020-04-21 23:25:17 +02:00
Thomas Bernard 78956a97df
upnpstun.c: improve error and debug log 2020-04-21 23:24:58 +02:00
Thomas Bernard 38c3419ea5 miniupnpd/Changelog.txt: update about e49d44f700 2020-04-21 18:38:09 +02:00
Chen Minqiang e49d44f700 miniupnpd: set SNAT to support bidirectional mapping
we cannot expect that iport == eport on all the case in firewall.

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2020-04-21 07:41:58 +08:00
Thomas Bernard db82286683
genconfig.sh: allow --firewall option on BSD's too 2020-04-21 00:24:11 +02:00
Thomas Bernard 89e63507ac
Remove FW API detecting code from Makefile (BSD)
generate bsdmake.inc
2020-04-21 00:24:07 +02:00
Thomas Bernard 07abee862c miniupnpd: Fix "IGD2 Port Triggering" in update_portmapping() 2020-04-20 23:37:24 +02:00
Chen Minqiang 7662088603 miniupnpd: fix typo
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2020-04-20 15:05:13 +08:00
Chen Minqiang 93c89c209c miniupnpd: update snat rules on update_portmapping
We forget to update the snat rule when update the
portmapping.

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2020-04-20 15:05:00 +08:00
Thomas Bernard c51c5b7d58
miniupnpd: be more explicit about usage of ext_ip= in double nat setups 2020-04-12 19:44:27 +02:00
Thomas Bernard 3f04f7992c
miniupnpd/pf: disabled setting dst address in rule by default
see #433
was introduced by 53e8185725 to fix #231
2020-04-12 19:30:37 +02:00
Thomas Bernard a774830fe0
miniupnpd: Option to disable IPv6 at runtime : -4 / ipv6_disable=yes 2020-04-09 21:12:20 +02:00
Thomas Bernard 040fbc40f8 miniupnpd/Makefile: fix FreeBSD firewall detection
see 5e11ef3245
fixes #431
2020-04-06 12:00:09 +02:00
Thomas Bernard c3fab25f86 update Changelog.txt 2020-03-29 11:08:15 +02:00
Thomas Bernard 5e11ef3245
miniupnpd: fix FreeBSD Firewall detection
fixes #431
2020-03-29 10:54:26 +02:00
Blink 05e09f9e6d
fix build for macos 2020-03-21 17:38:46 +08:00
HanJong Jang 5eaf3ec0fe Correct typo 2020-03-05 22:46:01 +09:00
Thomas Bernard 927e2f3666 miniupnpd/Changelog.txt: update 2019-12-24 01:38:55 +01:00