Commit Graph

969 Commits

Author SHA1 Message Date
Thomas Bernard f200b1b7e8
netfilter_nft/nftpinhole.c: fix after function renames
nft_send_request() => nft_send_rule()
reflesh_nft_cache_filter() => refresh_nft_cache_filter()
2019-10-06 22:30:36 +02:00
Thomas Bernard 8ac3784fe2 Merge branch 'version' 2019-10-06 22:17:25 +02:00
Paul Chambers 913194cf75 Move print_rule to the file it's used in. 2019-10-06 21:47:50 +02:00
Paul Chambers 9d1680455e cleanup some formatting inconsistencies 2019-10-06 21:38:58 +02:00
Thomas Bernard 4ac428cbc9 netfilter_nft: remove dead code 2019-10-06 21:25:03 +02:00
Paul Chambers 35fa178ec8 encapsulate debug printing of rules. keeps stack layout the same between debug & non-debug builds. 2019-10-06 21:15:25 +02:00
Thomas Bernard a87011f933 fix checking of "~Man:" header"
bug introduced in 3571a41d1b
2019-10-06 00:17:52 +02:00
Thomas Bernard b747e222a8 miniupnpd/.gitignore: dox/ 2019-10-05 23:55:44 +02:00
Thomas Bernard 0a35f97db7
Makefile.linux: validate version 2019-10-05 22:44:36 +02:00
Thomas Bernard 49d3b57441
miniupnpd: Add --version commandline option
fixes #370
2019-10-05 22:44:31 +02:00
Thomas Bernard 700b86eeda
compatibility with OpenSSL 1.1.x
Use OpenSSL TLS_server_method() instead of TLSv1_server_method()
Also fix ERR_remove_state(0) call
2019-10-05 22:44:31 +02:00
Paul Chambers 123e589266 establish persistent mnl/netlink socket at init_redirect (needs elevated privileges) 2019-10-05 22:39:05 +02:00
Thomas Bernard 22223da9a1 use OpenBSD pledge() to drop privileges
To be tested

see #405
2019-10-03 23:23:53 +02:00
Thomas Bernard 174db857f8 fix end of file 2019-10-03 00:15:50 +02:00
Thomas Bernard 49a60028e7 2019 2019-10-03 00:15:32 +02:00
Thomas Bernard 6f4057ee82 update Changelog.txt 2019-10-03 00:15:13 +02:00
Thomas Bernard 57bc67f72a 2019 2019-10-02 23:42:55 +02:00
Paul Chambers 7ea314412c make rdr_name_type enum values more unique 2019-10-02 23:42:15 +02:00
Paul Chambers b36a6e94f8 NFT_RULE_USERDATA is sized, not null-terminated. Must use strndup() 2019-10-02 23:42:15 +02:00
Paul Chambers fda82bceef remove lingering debug stuff, add my name to file headers 2019-10-02 13:08:22 -07:00
Paul Chambers dcad93615f set the family attribute on the chain 2019-10-01 01:12:10 -07:00
Paul Chambers 2a496a1c1c Minimize attributes set if chain_op is not NFT_MSG_NEWCHAIN 2019-10-01 00:40:05 -07:00
Paul Chambers 6a53e6e765 use the same name for all three tables, like sshguard does 2019-09-30 11:20:16 -07:00
Paul Chambers 13b63da3fb bump the priority of miniupnpd's forward chain, so it processes packets before other filter chains 2019-09-30 09:40:40 -07:00
Paul Chambers 75bdb777cf rework nft-specific globals, create & destroy tables/chains at init & shutdown 2019-09-30 00:12:08 -07:00
Paul Chambers d5773600f9 add --firewall=<name> to genconfig.sh & tweak Makefiles to match 2019-09-28 22:17:51 -07:00
Paul Chambers 48f2339759 parse_rule_cmp: promote repeated code in cases outside the switch 2019-09-27 21:25:34 -07:00
Paul Chambers dbdaabd21e insert omitted break statements causing compiler warnings 2019-09-27 21:00:28 -07:00
Paul Chambers b5021ef57f suppress warnings for some intentional fallthrough cases in switch statements 2019-09-27 20:47:53 -07:00
Thomas Bernard 2c45b0793e fix genconfig.sh for OpenBSD
see 70a215d693
2019-09-26 23:46:24 +02:00
Thomas Bernard ace2250533
cast time_t to long long instead of long 2019-09-24 16:07:42 +02:00
Thomas Bernard 70a215d693 net.inet6.ip6.v6only has been removed in recent OpenBSD versions 2019-09-24 16:06:38 +02:00
Thomas Bernard 8c00d0747a
include <sys/select.h> for fd_set 2019-09-24 16:06:12 +02:00
Thomas Bernard 2917d99c58 2019 2019-09-24 16:05:44 +02:00
Thomas Bernard a6291ca391 update miniupnpd/Changelog.txt and README 2019-09-24 13:02:20 +02:00
Thomas Bernard 1976452125 handle both IP_PKTINFO and IP_RECVIF defined.
fixes #391
2019-09-24 12:26:57 +02:00
Thomas Bernard 8cb006c538 macros.h: add FALL_THROUGH macro 2019-09-24 12:04:40 +02:00
Paul Chambers ed9ef746a0 Distinguish between iptables and nftables in genconfig.sh, adding USE_IPTABLES or USE_NFTABLES defines. 2019-09-24 11:57:39 +02:00
Thomas Bernard 81e0d83403 build doc with Doxygen 2019-09-24 11:57:27 +02:00
Paul Chambers 8a56bb50cf add 'dox' make target for nftables, which generates docs using doxygen. Also modify the uuid in the installed copy of miniupnpd.conf, not the pristine local copy that is under revision control. 2019-09-17 18:22:11 -07:00
Thomas Bernard dec239d340
pfpinhole.c: fix includes 2019-09-02 02:03:41 +02:00
Thomas Bernard 5ab641e9e6
update Changelog 2019-09-02 01:01:43 +02:00
Thomas Bernard d1d7059e75 fix file modes for nft_display.sh (chmod +x) 2019-09-02 00:57:49 +02:00
Guilherme Senges 62d62e4f88 Applied patch to OpenWRT compatibility 2019-09-02 00:28:45 +02:00
Paul Chambers f24ca07640 Fix the error messages produced by nft_init.sh in normal operation. Simplify the script. 2019-08-31 23:22:30 -07:00
Paul Chambers 60b57a442a Rework nft_removeall.sh to preserve nftables structures miniupnpd didn't add. Important for firewalld and sshguard co-existance. 2019-08-31 20:47:11 -07:00
Thomas Bernard 6317e73342 iptpinhole.c: fix ressource leak in ip6tc_init_verify_append()
fixes #393
2019-08-24 10:55:33 +02:00
Thomas Bernard a77d1ff9d3
iptcrdr.c: memory allocation fix in get_portmappings_in_range()
fixes #394
2019-08-24 10:54:46 +02:00
Thomas Bernard 4f8a4abcd1
nftnlrdr: list_redirect_rule() only in DEBUG 2019-06-30 22:23:36 +02:00
Thomas Bernard 4e480a7c4e nftnlrdr_misc.c: use syslog() instead of perror()
do not exit()
2019-06-30 22:02:15 +02:00
Thomas Bernard 9402b49456
update headers 2019-06-30 21:51:15 +02:00
Thomas Bernard d8368f7651
test_nfct_get.c: openlog() 2019-06-30 21:50:55 +02:00
Thomas Bernard 9070e175d4 Merge remote-tracking branch 'svenauhagen/fixes/nftablesipv6' 2019-06-30 21:25:01 +02:00
Sven Auhagen b377305db0 This commits fixes an error setting the NFT Chain in DNAT instead of Filter 2019-06-30 19:46:35 +02:00
Sven Auhagen b581b5d8af pinhole fixes 2019-06-28 11:02:19 +02:00
Thomas Bernard 3cf6efa912
miniupnpd/Changelog.txt update 2019-06-25 23:30:12 +02:00
Sven Auhagen f67f6ae5f0 NFTables fixes and scripts
This commit fixes the list detection and uses the inet chain for ipv4.
The scripts got reworked as well and a display script was added.
2019-06-25 09:44:51 +02:00
sven ee84a3949d Update nftnlrdr_misc.h
Fix compiler warnings
2019-06-13 21:34:52 +02:00
Sven Auhagen 00ff23c428 This commit fixes IPv4 and adds IPv6 pinhole to nftables.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2019-06-12 23:09:20 +02:00
Thomas Bernard 765156b04a nftnlrdr.c: fix indent and spaces before eol 2019-06-04 23:02:52 +02:00
Thomas Bernard a1ceec3dba
miniupnpd: Allow to use two different network interfaces for IPv4 and IPv6 internet
-i / -I
ext_ifname= / ext_ifname6=

see :
df906367be/
thanks to "sfstudio"
2019-05-21 10:42:40 +02:00
Thomas Bernard f89d01d06a
silent warning in GCC 7 (switch/case fallthrough) 2019-05-20 21:59:41 +02:00
Thomas Bernard 585a1d64e2
getifaddr.c: properly use strncpy()
silent a gcc8 warning
2019-05-20 21:55:17 +02:00
Vladislav Grishenko 08b80d5abd miniupnpd: fix ssdp notify on unrelated interfaces
If several different interfaces share same ipv4 address on different
subnets (i.e. eth0 192.168.1.1/24 + eth1 192.168.1.1/16), miniupnpd
may pick any one of them, possibly wrong one w/o respecting exact
listening_ip interface.

syslog will contain something similar to:
    miniupnpd: sendto(udp_notify=6, 192.168.1.1): No such device
    miniupnpd: sendto(udp_notify=6, 192.168.1.1): No such device
    miniupnpd: try_sendto(sock=6, len=464, dest=239.255.255.250:1900): sendto: No such device
    miniupnpd: try_sendto(sock=6, len=464, dest=239.255.255.250:1900): sendto: No such device
    miniupnpd: try_sendto failed to send 11 packets

Fix that with specifying exact outgoing mcast interface for each
notify socket with help of IP_MULTICAST_IF/mreqn struct.
Since OpenAndConfSSDPNotifySocket() now takes lan_addr_s struct,
OpenAndConfSSDPNotifySocketIPv6() was similary changed for api
consistency.
2019-05-02 15:36:06 +05:00
Thomas Bernard 2ffc7afae9 minissdp.c: fix indentation 2019-05-02 12:09:28 +02:00
Thomas Bernard 1ef1deec01
upnpevents.c: properly handle urls in the form http://ip:port
Fix buffer over-read in upnpevents.c with urls in the form http://ip:port
(without path).
Assume / when the path is empty

fixes #361
2019-04-09 22:06:21 +02:00
Thomas Bernard 922372bff3 2019 2019-04-08 14:46:11 +02:00
Thomas Bernard 2f16cf7387
AddPortMapping supports error 606 in IGDv2
see #359
2019-04-07 23:01:51 +02:00
Thomas Bernard e1b4f25bba
upnpreplyparse.c: Fix memory leak
If there are multiple  NewPortListing tags,
there is a malloc() for each one.

fixes #357
2019-04-05 10:30:10 +02:00
Thomas Bernard a9a764cea9 update Changlogs. 2019-04-03 17:38:33 +02:00
Thomas Bernard 8f403ae8ae Makefile.linux: clean testminissdp.o and testssdppktgen.o 2019-03-22 15:36:58 +01:00
Thomas Bernard 2d873ce908 miniupnpd_functions.sh parsing fix.
both MINIUPNPD and MINIUPNPD-PREROUTING were matched by
/$CHAIN/.
2019-03-22 15:35:23 +01:00
Thomas Bernard 476974ab52 use iptables -I instead of -A to add rules
So the rules are added at the head of the chains, taking
priority over the preloaded rules.

should fix #354
2019-03-22 15:33:57 +01:00
Thomas Bernard c3f752db4a
miniupnpd/netfilter: fix iptables_init.sh for postrouting chain
should fix #334
2019-03-09 16:16:00 +01:00
Steven Mestdagh dedbee16b1 AddAnyPortMapping: check against NULL
this avoids a crash in strcasecmp by passing an empty protocol argument
2019-03-09 10:24:38 +01:00
Thomas Bernard a613992892 update Changelog 2019-03-07 23:37:11 +01:00
Rodrigo Osorio e0ddc97997 Update portinuse code to reflect changes made in FreeBSD 12.0
Structures xtcpcb and xinpcb returned by the kernel
hide now part of its members after r315662. The fix
was inspired by changes made in usr.bin/systat/netstat.c
tool.
2019-03-07 17:22:36 +01:00
Thomas Bernard e0b5b4efe6 linux/getifstats.c: use custom strtoul() implementation to roll over after 2^32-1
fixes #349

http://upnp.org/specs/gw/UPnP-gw-WANCommonInterfaceConfig-v1-Service.pdf
 2.2.9 2.2.10 2.2.11 2.2.12 :

    This variable represents the cumulative counter for total number
    of bytes sent upstream across all connection service instances on
    WANDevice. The count rolls over to 0 after it reaching the maximum
    value (2^32) –1
2019-02-12 15:10:49 +01:00
Thomas Bernard 08e955de40 Update Changelogs + 2019 2019-02-10 16:11:16 +01:00
Thomas Bernard 30a89be85e
update miniupnpd/minixml.h 2019-02-10 16:10:07 +01:00
Thomas Bernard e94a724ae5 Merge remote-tracking branch 'sorz/install-nft-script'
see pull request #345
2019-02-04 19:39:35 +01:00
Shachar Menashe 51b5e09e04 miniupnpd: add secure compilation flags for Linux 2019-02-04 17:23:42 +02:00
Thomas Bernard f7d65cdaad
miniupnpd/netfilter/ipctcrdr.c: conditionnaly use NFC_UNKNOWN as well
fix #346
2019-02-03 19:04:44 +01:00
Thomas Bernard 6106111972
miniupnpd/netfilter: build with linux kernel 5.0
should fix #346
2019-02-03 13:26:27 +01:00
Thomas Bernard 510a6e9630
fix check of valid HTTPS socket 2019-01-23 09:25:10 +01:00
sorz 031915f856
Install nftables scripts 2019-01-18 16:21:25 +08:00
Thomas Bernard 86030db849
fix error from commit 13585f15c7 2018-12-18 23:47:54 +01:00
Thomas Bernard cb8a02af7a
pcpserver.c: copyIPv6IfDifferent() check for NULL src argument 2018-12-18 23:04:14 +01:00
Thomas Bernard f321c2066b upnp_redirect(): accept NULL desc argument 2018-12-18 22:59:18 +01:00
Thomas Bernard 13585f15c7
GetOutboundPinholeTimeout: check args 2018-12-18 22:54:51 +01:00
Thomas Bernard bec6ccec63 upnp_event_prepare(): check the return value of snprintf() 2018-12-18 22:37:14 +01:00
Thomas Bernard 6b4e9bd855
upnpstun.c: fix generate_transaction_id() 2018-12-15 18:02:46 +01:00
Steven Mestdagh f6fc66ee41
avoid off-by-one buffer overread
similar to commit 9fcc0a72f0
2018-12-06 00:11:21 +01:00
Thomas Bernard e7fa40f60b
update INSTALL about running a NAT behind NAT setup.
also update 2017->2018
2018-10-31 18:33:56 +01:00
Thomas Bernard bde31cd4f1 update miniupnpd/Changelog.txt 2018-09-07 17:28:42 +02:00
Thomas Bernard 95d707a71f
pcpserver.c: properly fill the opcode field of response
fixes #327
2018-09-07 17:24:43 +02:00
Pali Rohár a2baa36312 Fix compilation with nftables
Fixes #324
2018-09-06 17:44:41 +02:00
Thomas Bernard 11785205f1 Merge remote-tracking branch 'Lochnair/fix_nftables' into travis-ci-nftables 2018-07-15 12:59:25 +02:00
Nils Andreas Svee 181428e843 miniupnpd: add update_portmappings functions for nft 2018-07-14 19:59:26 +02:00
Thomas Bernard ac796a4077 linux: add -lrt when building for glibc < 2.17 2018-07-14 14:23:13 +02:00