Commit Graph

1239 Commits

Author SHA1 Message Date
Sergey Ponomarev 1479881003 minixml.c sync sources
In the commit a0573e2518
was fixed a buffer overflow in the minixml.c but it wasn't copied to upnpc-async.
To make comparison simpler the header was also synced
2022-01-27 11:29:16 +02:00
Thomas Bernard 9df2f43e08 miniupnpd: VERSION 2.3.0 2022-01-23 01:25:49 +01:00
Thomas Bernard 6576eb611b version 2.3.0 2022-01-23 01:19:01 +01:00
Thomas Bernard 545d2b421c 2022 2022-01-23 01:18:49 +01:00
Brian John 87776e8345 Split "NAT" and "TABLE" for consistency 2022-01-01 16:58:55 -06:00
Brian John 8d061ecf65 Fix typo: should check for `$NAT_TABLE` 2022-01-01 16:17:31 -06:00
Brian John 69f01ffcc8 Spelling fix: routeing --> routing 2022-01-01 16:15:54 -06:00
Thomas Bernard 78823d762e
README.md: updated. fix titles 2021-12-16 00:29:39 +01:00
Thomas Bernard 2bfed34e8c
README.md: reformat chain/tables setup
fix 3129683cb3
2021-12-16 00:27:57 +01:00
Thomas Bernard 1a5cdc0a13 remove space before eol 2021-12-02 00:35:51 +01:00
Thomas Bernard af0ee582d9
commonrdr.h: 2021 2021-12-02 00:06:24 +01:00
Thomas Bernard 97aa00f076
miniupnpd/Changelog.txt: update regarding #584 / 3129683c 2021-12-02 00:06:24 +01:00
Thomas Bernard 46ecef1365
miniupnpd.conf: default table name changed with #584 / 3129683c 2021-12-02 00:06:23 +01:00
Sven Auhagen 3129683cb3 NFTables use scripts to create tables and chains
To hardcode table and chain creation and deletion makes it impossible
for existing firewall infrastructures to integrate miniupnpd.
NFTables will either reevaluate packets through miniupnpd or
it will delete existing tables when there are already custom chains in it.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2021-11-28 08:08:37 +01:00
Thomas Bernard d4849fa08e
miniupnpd.conf: comments about netfilter table/chain names 2021-11-27 21:49:25 +01:00
Sven Auhagen 0b3f3e4029
NFTables make tables name configurable
Right now the table names are hardcoded and do not integrate with an overall
firewall strategy.
NFTables has restrictions on how packets are evaluated against chains.
For example if multiple forward chains are evaluated with different prioity,
all packets that pass the first one will be reevaluated again in the second chain.
To have an overall firewall concept with miniupnpd it is necessary to use existing
tables and hence to configure them in miniupnpd.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2021-11-27 21:49:21 +01:00
Thomas Bernard 9eb826a7eb
miniupnpd/Changelog.txt: update regarding merge of #562
see https://github.com/miniupnp/miniupnp/pull/562
2021-11-17 12:37:02 +01:00
Thomas BERNARD 9a5215c54a
Merge pull request #562 from svenauhagen/feature/nftablesnat
NFTables use nat chain for inet (instead of specific IPv4 chain)
2021-11-17 12:36:19 +01:00
Stijn Tintel 51a422407b miniupnpd/configure: don't hardcode iptables
The OpenWrt Makefile that builds miniupnpd passes the firewall argument
to the configure script, so this is not needed and it is blocking us
from using nftables instead, which will be the default backend for
firewall4 to be used in the next OpenWrt stable release.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-07 20:24:29 +02:00
Stijn Tintel 2b00c461fb treewide: s/OpenWRT/OpenWrt/
The correct spelling is OpenWrt.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-07 20:21:25 +02:00
Thomas Bernard 7634920f3c
Makefile.linux_nft: fix DEPFLAGS and make install 2021-09-30 23:20:52 +02:00
Thomas Bernard a933c76be4
Makefile.linux: fix install dependencies 2021-09-30 23:20:25 +02:00
Thomas Bernard 881ba06bc1
configure: warning when no libiptc pkg-config found 2021-09-30 01:49:30 +02:00
Thomas Bernard d2f558f659
configure: use 'command -v' instead of 'which' 2021-09-30 01:49:30 +02:00
Thomas Bernard 6e16650bc2
miniupnpd/configure: fix comparaison
[ "$IPTABLES_143" -eq 1 ]
doesn't work if $ITABLES_143 is empty
using instead :
 [ "$IPTABLES_143" = "1" ]
2021-09-30 01:49:30 +02:00
Thomas Bernard c88178650e
replace 'which' with 'command -v' 2021-09-30 01:49:30 +02:00
Thomas Bernard 5d315359aa
gitrev.mk: use gitlab-ci predefined variables 2021-09-30 01:49:29 +02:00
Thomas Bernard 50950a3520
iptcrdr.c: fix a potential double iptc_free(h)
closes #566
2021-09-28 22:47:05 +02:00
Pali Rohár 200d6c2509 miniupnpd: Add some missing checks when update_ext_ip_addr_from_stun() or getifaddr() fails
There is missing corner case check when these functions return failure.
Network in this case does not work, so disable port forwarding to prevent
returning incorrect response about port forwarding state.

Also explicitly set disable_port_forwarding to 0 on success to make code
more readable.
2021-08-31 21:34:27 +02:00
Michał Górny 2087e14b8e testgetifaddr.sh: Always use the first IP addr from 'ip -4 addr'
Terminate the awk after getting the first interface name and IP address
from 'ip -4 addr' output.  Otherwise, the test fails if the interface
in question has multiple IP addresses, as the test program returns
the first address, while awk prints all.
2021-08-22 09:53:31 +02:00
Michał Górny 8c1e5f9500 testgetifaddr.sh: Implement EXTIF fallback to 'ip -4 addr'
Fall back to getting the interface name from 'ip -4 addr' when there
is no default route.  In this case, the test simply uses the interface
providing the IP address for 'ip -4 addr' (since the command is
implicitly called with no interface argument).
2021-08-22 09:50:25 +02:00
Thomas Bernard df0fbf08b8 miniupnpd version 2.2.3 2021-08-21 11:17:30 +02:00
Thomas Bernard 92cf5c2f95 nftnlrdr_misc.c: 2021 2021-08-21 10:26:31 +02:00
Thomas Bernard 23edb7e5eb options.c: 2021 2021-08-21 10:24:22 +02:00
Thomas Bernard fec7d87f00 pcplearndscp.h: "new" website 2021-08-21 10:22:26 +02:00
Thomas Bernard 9dbee950ad
upnppinhole.c/.h: 2021 2021-08-21 10:14:28 +02:00
Thomas BERNARD 2115b8f8f0
Merge pull request #553 from ncopa/musl-libc-fix
miniupnpd: don't check for glibc version with musl
2021-08-21 09:52:06 +02:00
Sven Auhagen acc3bcb0a3 NFTables use inet nat chain
NFTables supports inet in the nat chain as well.
Use it instead of IPv4 chain so it is consistent with the filter chain.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2021-08-18 16:58:50 +01:00
Thomas Bernard 5d5a06c206
Changelog.txt: lease file for IPv6 pinholes
closes #18
2021-08-18 12:38:04 +02:00
Sven Auhagen 74dbad5ab0 IPv6 pinholes lease file
This patch adds a lease file for IPv6 pinholes.
The leases are maintained and readded when miniupnpd restarts.
Currently all IPv6 leases are lost on restart.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
2021-08-18 11:06:12 +01:00
Thomas Bernard 46fedcbc32
update Changelog.txt
see #539
2021-08-12 23:19:14 +02:00
Thomas Bernard 32f1d4cd1a
upnpdescgen.c: rootDesc.xml skip DeviceProtection and WANIPv6FirewallControl when force_igd1
see #539
2021-08-12 23:19:14 +02:00
Thomas Bernard 4d4121bf40
upnpdescgen.c: move a variable declaration 2021-08-12 23:19:14 +02:00
Thomas Bernard 2f2685af97
upnphttp.c: detecting MS client and forcing IGD v1
should fix #539
2021-08-12 23:19:14 +02:00
Thomas Bernard d8e5659c7b
upnpdescgen.c: add force_igd1 param to XML description generation functions 2021-08-12 23:19:13 +02:00
Thomas Bernard 7c112e2b39 Merge commit '7ee554d31b47a7227ab85aa919792597ce78c81e' 2021-08-11 14:49:06 +02:00
Thomas Bernard f1388717af
miniupnpd.c: fix 1aa46b5a2c 2021-08-11 12:19:30 +02:00
Pali Rohár 7ee554d31b miniupnpd: Disable port forwarding when upstream interface is down
Obviously port forwarding cannot work when upstream interface is down. So
correctly report status code for port forwarding requests to clients in
this case.
2021-08-06 16:13:25 +02:00
Natanael Copa ebaa69b313 miniupnpd: don't check for glibc version with musl
Test that ldd is from GLIBC before exctracting the GLIBC_VERSION. This
is not needed with musl libc.
2021-07-21 10:38:35 +02:00
Natanael Copa 1aa46b5a2c miniupnpd: improve error message for bad config
Improve error message so users don't need read the source to figure out
why miniupnpd refuses to start even if the usage is correct.
2021-07-15 12:23:26 +02:00
Thomas Bernard 6f848ae082
2021 2021-06-18 00:37:27 +02:00
Thomas Bernard 7fcbcd35b9
fix commit 5567e7c7e0 2021-06-18 00:31:27 +02:00
Thomas Bernard 5567e7c7e0
miniupnpd: improves error handling during init.
- Fails on config parsing and init errors.
- print errors during init to both syslog and stderr.

fixes #551
2021-06-18 00:21:16 +02:00
Thomas Bernard 97b7ec1ad2
normalize use of __STDC_VERSION__ 2021-06-17 09:25:26 +02:00
Thomas Bernard 7783ac1545
upnphttp.c: Code factorization : use SendResp_upnphttp() in SendRespAndClose_upnphttp() 2021-05-22 23:54:32 +02:00
Thomas Bernard acca60a365
miniupnpd: Better comment snprintf() used to build HTTP headers 2021-05-22 23:30:05 +02:00
Thomas Bernard 08ae9e9e71
miniupnpd: dynamically retrieve `uname -r`
fixes #547
2021-05-22 00:16:40 +02:00
Thomas Bernard 982f47a8b6
miniupnpd: version 2.2.2 2021-05-13 13:33:02 +02:00
SeaEagle1 1713f4b9b4
Add SO_REUSEPORT option for SSDP
fixes #541
2021-05-12 00:15:02 +02:00
Thomas Bernard 57e9a52b95
miniupnpd/Changelog.txt: update 2021-05-11 23:58:35 +02:00
Thomas Bernard 3a87be33e7
upnpsoap.c: comment and improve GetExternalIPAddress()
GetExternalIPAddress returns empty string when the External IP address can
not be retrieved.
2021-03-31 09:43:28 +02:00
Pali Rohár 79ca440f73 miniupnpd: When ExternalIPAddress is unknown returns empty string in GetExternalIPAddress
IGD v2.0 specification for WANIPConnection:2 says:

  When the external IP address could not be retrieved by the gateway (for
  example, because the interface is down or because there was a failure in
  the last connection setup attempt), then the ExternalIPAddress MUST be
  equal to the empty string.

So instead of Error 501 "Action Failed" returns empty string to be
compliant with IGD v2.0 specification.
2021-03-28 17:20:34 +02:00
Thomas Bernard 9239cf28c1
Fix the cleanup of PREROUTING mangle chain
it was changed iby mistake to FORWARD by 82ec7bc3df

see discussion in PR #530
2021-02-26 15:15:09 +01:00
Thomas Bernard 3b6b0ba1e3
INSTALL: update 2021-02-26 15:14:03 +01:00
Thomas Bernard 207d1849e4 miniupnpd.c: typo and ip -> IP 2021-01-15 19:33:29 +01:00
Pali Rohár e6bf74a691 Add check that miniupnpd is not going to listen on WAN interface with public IP address
Option listen= is used for LAN interface/address and option ext_addr= is
used for public IP address. If users by mistake swap WAN and LAN interface
or public and private IP addresses then miniupnpd obviously would not work
and instead of hacking miniupnpd code users should rather check their
miniupnpd configuration or local firewall settings.

So add checks and hints which prevents security issues like swapping LAN
and WAN interfaces/addresses and therefore prevent exposing port forwarding
and firewall configuration on public Internet.
2020-12-30 11:23:29 +01:00
Pali Rohár 304ff79dc5 Update and extend description from STUN output
People sometimes do not understand where is the problem, so include also
hints what they needs to check, change and re-configure.
2020-12-30 11:22:12 +01:00
Thomas Bernard 9ef311d235
miniupnpd: version 2.2.1 2020-12-20 19:12:47 +01:00
Tim Gates 341d0f51a2
docs: fix simple typo, decription -> description
There is a small typo in miniupnpd/commonrdr.h, miniupnpd/ipf/ipfrdr.c, miniupnpd/pf/obsdrdr.c.

Should read `description` rather than `decription`.
2020-12-10 05:26:04 +11:00
Thomas Bernard 22c1386351
protocol[] can be "UDPLITE"
fixes #5034
2020-11-12 08:59:47 +01:00
Thomas Bernard f50f00b5ea
errno.h not sys/errno.h 2020-11-11 13:24:48 +01:00
Thomas Bernard ab544c3a0e
asyncsendto.c: use named enum.
see #502
2020-11-11 13:16:14 +01:00
Thomas Bernard 30c27967ae
fix error message for IPV6. 2020 2020-11-05 21:59:25 +01:00
Thomas Bernard 97fd716bd0
2020 2020-11-04 22:32:14 +01:00
Thomas Bernard 057368701e
fix warning 2020-11-04 22:31:47 +01:00
Thomas Bernard 32164d27d2
fix a couple of warnings 2020-11-02 00:26:13 +01:00
Thomas Bernard c41094c2af
exact same declaration for random_url[]
see #498
2020-11-01 23:29:08 +01:00
Thomas Bernard 29797cf607 2019 => 2020 2020-10-31 11:36:06 +01:00
Thomas Bernard 01d686078e
use tag as GITREF if available 2020-10-31 10:56:02 +01:00
Thomas Bernard 56c66b5472
miniupnpd version 2.2.0 2020-10-31 10:23:44 +01:00
Thomas Bernard 1331b42410
fix dd99f0eb75 2020-10-31 10:05:50 +01:00
Thomas Bernard dd99f0eb75
sysctl is not always in /sbin 2020-10-30 23:11:44 +01:00
Thomas Bernard 72ec9e1943
update changelog / comments 2020-10-30 22:44:02 +01:00
Thomas Bernard c9939cc01e
fix portinuse.c for OpenBSD 5.5+
all CIRCLEQ have been replaced by TAILQ
fixes #496
2020-10-30 22:14:45 +01:00
Thomas Bernard 1008ed1117 Merge branch 'issue-465' into master 2020-10-28 19:38:52 +01:00
Thomas Bernard 90259ae803
Fix undefined behaviour: shifting signed int by 31 place
see #465

     #0 0x555719469ec5 in AddAnyPortMapping.cfi /home/ryutaroh/miniupnpd-1018/miniupnp/miniupnpd/upnpsoap.c:703:42
     #1 0x5557194705a7 in ExecuteSoapAction /home/ryutaroh/miniupnpd-1018/miniupnp/miniupnpd/upnpsoap.c:2335:5
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior upnpsoap.c:703:42 in
2020-10-26 08:46:37 +01:00
Thomas Bernard 85f8123504 Merge branch 'issue-495' into master 2020-10-24 15:23:26 +02:00
Thomas Bernard 946f6c19bb
fix Makefile.bsd
fixes #495
2020-10-24 15:17:59 +02:00
Thomas Bernard 92ff8a6a7e
in_addr_t instead of struct in_addr 2020-10-22 23:20:50 +02:00
Thomas Bernard 6b2070c6e9
fix 18a6ab0201 2020-10-22 23:19:59 +02:00
Thomas Bernard 5e7f8b5183 netfilter_nft/nftnlrdr_misc.h: comment 2020-10-22 21:39:41 +02:00
Thomas Bernard 1b5cab1e87
update Changelog.txt 2020-10-22 21:27:04 +02:00
Thomas Bernard 68cc35156e
fix nftables shutdown_redirect()
see #481
2020-10-22 21:19:37 +02:00
Thomas Bernard 04e245258e
For FreeBSD ports
see #495
2020-10-22 20:45:15 +02:00
Thomas Bernard 18a6ab0201
AddAnyPortMapping(): Only try allowed ports
build an array of all allowed ports.
should fix #465
2020-10-18 00:20:24 +02:00
Thomas Bernard 3a17dea056 pass rule type to the private arg of mnl_cb_run() callback
should fix #481
2020-10-17 23:20:29 +02:00
Thomas Bernard a3522723ae fix .gitignore 2020-10-17 22:55:12 +02:00
Thomas Bernard 2595275eb5 netfilter_nft: build testing 2020-10-17 22:52:34 +02:00
Thomas Bernard 992565201b fix testnftnlrdr.c 2020-09-29 01:00:29 +02:00
BERNARD Thomas 91ff44c9d2 netfilter_nft: fix test stuff 2020-09-29 00:43:55 +02:00
Thomas Bernard 11dec5b25c fix log 2020-09-29 00:17:58 +02:00
Thomas Bernard f9908a788b Move chain name variables to netfilter/* 2020-09-28 22:44:24 +02:00
Thomas Bernard 61d4aecb6e fix warning 2020-09-28 21:58:08 +02:00
Thomas Bernard 7db8ef0921 fix c9f6ddd 2020-09-28 21:57:50 +02:00
Thomas Bernard c9f6ddd102
miniupnpd/netfilter_nft: more logs in set_rdr_name()
see #481
2020-09-26 17:42:26 +02:00
Pali Rohár dbb821a7c9 getifaddr.c: Fix mask for RFC7534 Direct Delegation AS112 Service 2020-07-12 13:45:30 +02:00
Thomas Bernard d7b40010d5
nftnlrdr_misc.c: add log in case of send_batch() failure
useful for #481
2020-07-09 11:16:47 +02:00
Chen Minqiang b44e5e7a83 fix update_portmapping() missing target when update filter table 2020-06-27 11:31:08 +08:00
Thomas Bernard 24df04fc1b update 2020-06-20 17:49:19 +02:00
Thomas Bernard 7a9452fca9
miniupnpd: make sure "runtime_vars" are initialized 2020-06-20 17:02:19 +02:00
Thomas Bernard 5bbcc0bb65
miniupnpd --help shows usage 2020-06-20 17:01:01 +02:00
Thomas Bernard 417b496617
miniupnpd: add -v/-vv command line argument to enable more logs
fixes #477
2020-06-20 17:00:10 +02:00
Thomas Bernard 686b41fc52
AddAnyPortMapping(): support wildcard in NewExternalPort
supported wildcard is either 0 or *
2020-06-20 16:38:14 +02:00
Thomas Bernard de71eef493
miniupnpd: AddAnyPortMapping() tries port above and below requested port
fixes #465
if the requested port is n, it will tries successively :
n, n+1, n-1, n+2, n-2, n+3, n-3, etc.
2020-06-20 16:38:14 +02:00
Thomas BERNARD 1e7fb305b6
Merge pull request #475 from miniupnp/issue-474
improve netfilter_nft code
2020-06-11 14:53:38 +02:00
Renato Botelho 1baa95277d Fix manpage installation on BSD
Respect MANPREFIX when it's set, when not, use PREFIX
2020-06-10 14:38:23 -03:00
Thomas Bernard 86b6aad797
ido not use depreacted nftnl_rule_set() and nftnl_chain_set()
now uses nftnl_rule_set_str() and nftnl_chain_set_str()
fixes #476
2020-06-10 11:55:42 +02:00
Thomas Bernard acbb9f09d7 update Changelog.txt 2.2.0-RC1 2020-06-08 12:10:17 +02:00
Thomas Bernard 92ec4d05ab
nftnlrdr_misc.c: fix a memory leak in table_cb() 2020-06-08 10:08:44 +02:00
Thomas Bernard 5f66d1852d
rewrite send_batch() for clarity 2020-06-07 21:43:03 +02:00
Thomas Bernard f23c3e68aa fix previous commit 2020-06-07 21:30:12 +02:00
Thomas Bernard 8ad596d846
fix previous commit
fixes a7eeb5938f
2020-06-07 21:02:51 +02:00
Thomas Bernard a7eeb5938f
improved error handling in parse_rule_nat() 2020-06-07 20:58:25 +02:00
Thomas Bernard d41aceffb5
improve table_cb() to remove memory leak 2020-06-07 20:12:12 +02:00
Thomas Bernard a64d4f937b
rewrite table_cb() to better handle errors 2020-06-07 20:00:52 +02:00
Thomas Bernard 70b9526834
remove unecessary if in flush_nft_cache() 2020-06-07 19:58:48 +02:00
Thomas Bernard 7245a68e5c improve error handling in nft_mnl_connect() 2020-06-07 19:57:29 +02:00
Thomas Bernard ed48113355
refresh_nft_cache() return error status
fixes 037639c07a
2020-06-07 19:56:03 +02:00
Thomas Bernard 037639c07a
improve error handling in refresh_nft_cache() and send_batch()
to help debug #474
2020-06-07 19:29:22 +02:00
Thomas Bernard 61ce33a51b
Changelog.txt: pf symetric nat implementation 2020-06-06 19:39:49 +02:00
Thomas Bernard 563576878c Merge branch 'pf-nat-rules' 2020-06-06 19:39:08 +02:00
Thomas Bernard 0af141d9c5
miniupnpd: fix processing of v4 M-SEARCH received on v6 socket
So we don't answer with the v6 LOCATION to v4 clients anymore !

should fix #467
see #461
2020-06-05 22:39:59 +02:00
Thomas Bernard 409ba9c0f2
nftpinhole.c: fix get_pinhole_info()
this whole file should be reviewed carefully

fixes #459
2020-06-05 10:36:17 +02:00
Thomas Bernard 3716381308
improve syslog in PinholeVerification() 2020-06-05 10:19:15 +02:00
Thomas Bernard d5ba9c368e
fix memroy leak in PinholeVerification()
see #459
2020-06-05 10:13:13 +02:00
Thomas Bernard f151cc1dd4
minor checks on PCPSendUnsolicitedAnnounce() 2020-06-04 00:56:16 +02:00
Thomas Bernard 45191081f1
fix 9b32a523bf 2020-06-04 00:46:41 +02:00
Thomas Bernard 9b32a523bf
improve get_redirect_rule_count() for netfilter_nft too 2020-06-04 00:37:17 +02:00
Thomas Bernard 95d611e7a0
fix 67465c3cc0 2020-06-04 00:30:01 +02:00
Thomas Bernard 26c46e5a49
improve upnp_get_portmapping_number_of_entries() 2020-06-04 00:27:49 +02:00
Thomas Bernard ddf328845a
keep memory of ./configure parameters 2020-06-03 23:54:24 +02:00
Thomas Bernard 8a665a1c8e
configure --disable-fork to disable going to background
fixes #468
2020-06-03 23:43:58 +02:00
Thomas Bernard eaf23f0d10
fix bug introduced in d458f1a222
dev is also used in  pfpinhole.c and should be global
2020-06-03 23:15:28 +02:00
Thomas Bernard 67465c3cc0
OpenBSD: Disable pledge()
see #455
2020-06-03 23:11:15 +02:00
Thomas Bernard e1f3478519
miniupnpd/netfilter_nft: fix get_redirect_rule_by_index()
should fix #462
2020-06-03 00:30:14 +02:00
Thomas Bernard c8cbf9f6ce
miniupnpd/netfilter_nft: replace calls to inet_ntoa by inet_ntop() 2020-06-03 00:30:09 +02:00
Thomas Bernard bc645c108d
same fix as 827fc6f04 for SendSSDPGoodbye()
see #459
2020-06-02 09:08:59 +02:00
Thomas Bernard b8c8cec26b
fix bug introduced in c3d71b97ab
see #459
2020-06-02 09:02:45 +02:00
Thomas Bernard fb63cf3455
miniupnpd/netfilter_nft: properly store timestamps
should fix #466
2020-06-02 01:00:04 +02:00
Thomas Bernard c0ea7926c0
upnpdescgen.c: error message when memory alloc fails 2020-06-02 00:24:15 +02:00