To hardcode table and chain creation and deletion makes it impossible
for existing firewall infrastructures to integrate miniupnpd.
NFTables will either reevaluate packets through miniupnpd or
it will delete existing tables when there are already custom chains in it.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
The OpenWrt Makefile that builds miniupnpd passes the firewall argument
to the configure script, so this is not needed and it is blocking us
from using nftables instead, which will be the default backend for
firewall4 to be used in the next OpenWrt stable release.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
There is missing corner case check when these functions return failure.
Network in this case does not work, so disable port forwarding to prevent
returning incorrect response about port forwarding state.
Also explicitly set disable_port_forwarding to 0 on success to make code
more readable.
Terminate the awk after getting the first interface name and IP address
from 'ip -4 addr' output. Otherwise, the test fails if the interface
in question has multiple IP addresses, as the test program returns
the first address, while awk prints all.
Fall back to getting the interface name from 'ip -4 addr' when there
is no default route. In this case, the test simply uses the interface
providing the IP address for 'ip -4 addr' (since the command is
implicitly called with no interface argument).
NFTables supports inet in the nat chain as well.
Use it instead of IPv4 chain so it is consistent with the filter chain.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
This patch adds a lease file for IPv6 pinholes.
The leases are maintained and readded when miniupnpd restarts.
Currently all IPv6 leases are lost on restart.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Obviously port forwarding cannot work when upstream interface is down. So
correctly report status code for port forwarding requests to clients in
this case.
Thomas Bernard
Brian John
Sven Auhagen
Stijn Tintel
Pali Rohár
Michał Górny
Natanael Copa