miniupnp/miniupnpd/netfilter_nft
Sven Auhagen 2c9a645b10 NFTables: Add backwards compatibility for IPv4 NAT
NFtables uses the INET table for NAT which combines IPv4 and IPv6.
Older systems might not have this option and use the ip table instead.

This adds a flag to fall back to the ip table style.

Signed-Off-By: Sven Auhagen <sven.auhagen@voleatech.de>
2024-03-04 06:18:41 +01:00
scripts Quote paths in nft scripts to prevent word splitting. 2023-08-07 05:30:41 +08:00
Makefile netfilter_nft: build testing 2020-10-17 22:52:34 +02:00
README.md NFTables: Add backwards compatibility for IPv4 NAT 2024-03-04 06:18:41 +01:00
nfct_get.c Initial commit to support nftables. 2015-04-28 17:13:06 +09:00
nftnlrdr.c NFTables: Add backwards compatibility for IPv4 NAT 2024-03-04 06:18:41 +01:00
nftnlrdr.h Move print_rule to the file it's used in. 2019-10-06 21:47:50 +02:00
nftnlrdr_misc.c NFTables: Add backwards compatibility for IPv4 NAT 2024-03-04 06:18:41 +01:00
nftnlrdr_misc.h NFTables: Add backwards compatibility for IPv4 NAT 2024-03-04 06:18:41 +01:00
nftpinhole.c NFTables: Add backwards compatibility for IPv4 NAT 2024-03-04 06:18:41 +01:00
nftpinhole.h This commit fixes IPv4 and adds IPv6 pinhole to nftables. 2019-06-12 23:09:20 +02:00
test_nfct_get.c test_nfct_get.c: openlog() 2019-06-30 21:50:55 +02:00
testnftnlrdr.c netfilter_nft: build testing 2020-10-17 22:52:34 +02:00
testnftpinhole.c netfilter_nft: build testing 2020-10-17 22:52:34 +02:00
tiny_nf_nat.h This commit fixes IPv4 and adds IPv6 pinhole to nftables. 2019-06-12 23:09:20 +02:00

README.md

Miniupnpd nftables support by Tomofumi Hayashi (s1061123@gmail.com).

Supported Features

  • IPv4 NAT/Filter add/del.

How to build miniupnpd with nftables:

Run the 'configure' command with '--firewall=nftables':

./configure --firewall=nftables && make

How to Run

Please run 'netfilter_nft/scripts/nft_init.sh' to add the miniupnpd chain.

sudo ./netfilter_nft/scripts/nft_init.sh

FAQ

I will add this section when I get questions. Comments and questions are welcome ;)

Custom Chains

NFTables is very flexible, but that flexibility comes with some restrictions. If there is a second filter chain on the same hook, all packets that were already accepted by the miniupnpd chain are evaluated again by it. This also means that if that second chain has a drop policy, you lose the packets. In that case you really want to use a custom chain and jump to it from your filter chain; miniupnpd keeps all of its accept rules in that custom chain. For NAT it is the same: a second chain evaluates the packets again, so a second SNAT or DNAT may be performed.

The following table setup is the one used by miniupnpd, but it can be customized:

table inet filter {
    chain forward {
        type filter hook forward priority 0;
        policy drop;

        # miniupnpd
        jump miniupnpd

        # Add other rules here
    }

    # miniupnpd
    chain miniupnpd {
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;

        # miniupnpd
        jump prerouting_miniupnpd

        # Add other rules here
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        policy accept;

        # miniupnpd
        jump postrouting_miniupnpd

        # Add other rules here
    }

    chain prerouting_miniupnpd {
    }

    chain postrouting_miniupnpd {
    }
}

The following config settings can be used to change the table and chain names:

upnp_table_name=filter
upnp_nat_table_name=filter
upnp_forward_chain=miniupnpd
upnp_nat_chain=prerouting_miniupnpd
upnp_nat_postrouting_chain=postrouting_miniupnpd

If you need the old IPv4-only NAT family style (the ip table instead of inet), set upnp_nftables_family_split to yes. The default is the INET family, which combines IPv4 and IPv6.
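Added example, not code from miniupnpd: a POSIX shell script that reads a captured `nft list ruleset` dump and checks that the chains named by upnp_table_name, upnp_nat_table_name, upnp_forward_chain, upnp_nat_chain and upnp_nat_postrouting_chain are declared, and that the forward, prerouting and postrouting hook chains actually jump to them, which is the layout the Custom Chains section above requires. The two sample dumps are constructed; the function names, and the use of `ip` as the family argument for the upnp_nftables_family_split=yes case, are assumptions (the README does not state which table names miniupnpd uses in that mode).

```shell
#!/bin/sh
# Added example (not part of miniupnpd): check a captured `nft list ruleset`
# dump for the chain layout the README describes. Parsing only; the ruleset
# is never modified.

# Constructed sample dump in the README's layout: every hook chain jumps to
# the matching miniupnpd chain, so the custom chains hold the accept/NAT rules.
GOOD_RULESET='table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump miniupnpd
    }
    chain miniupnpd {
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        jump prerouting_miniupnpd
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        jump postrouting_miniupnpd
    }
    chain prerouting_miniupnpd {
    }
    chain postrouting_miniupnpd {
    }
}'

# Constructed broken dump: the drop-policy forward chain never jumps to the
# custom chain, so miniupnpd's accept rules would never be reached, and the
# NAT chains are missing entirely.
BROKEN_RULESET='table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
    chain miniupnpd {
    }
}'

# ruleset_has_chain DUMP FAMILY TABLE CHAIN : true if CHAIN is declared in that table
ruleset_has_chain() {
    printf '%s\n' "$1" | awk -v fam="$2" -v tab="$3" -v ch="$4" '
        /^table / { intab = ($2 == fam && $3 == tab) }
        intab && $1 == "chain" && $2 == ch { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# hook_chain_jumps DUMP FAMILY TABLE HOOK TARGET : true if some chain in the
# table bound to HOOK ("type ... hook HOOK") contains a "jump TARGET" rule
hook_chain_jumps() {
    printf '%s\n' "$1" | awk -v fam="$2" -v tab="$3" -v hook="$4" -v tgt="$5" '
        /^table / { intab = ($2 == fam && $3 == tab) }
        intab && $1 == "chain" { hooked = 0; jumps = 0; next }
        intab && $1 == "type" && $3 == "hook" && $4 == hook { hooked = 1 }
        intab { for (i = 1; i < NF; i++) if ($i == "jump" && $(i + 1) == tgt) jumps = 1 }
        intab && $1 == "}" { if (hooked && jumps) found = 1; hooked = 0; jumps = 0 }
        END { exit (found ? 0 : 1) }'
}

# check_miniupnpd_layout DUMP [FAMILY] [TABLE] [NAT_TABLE] [FWD] [NAT] [POST]
# Defaults are the README's config values. FAMILY is "inet" by default; "ip"
# is assumed for the upnp_nftables_family_split=yes layout.
check_miniupnpd_layout() {
    dump=$1; fam=${2:-inet}; tab=${3:-filter}; nattab=${4:-filter}
    fwd=${5:-miniupnpd}; nat=${6:-prerouting_miniupnpd}; post=${7:-postrouting_miniupnpd}
    rc=0
    for spec in "$tab forward $fwd" "$nattab prerouting $nat" "$nattab postrouting $post"; do
        set -- $spec   # $1 = table, $2 = hook, $3 = miniupnpd chain
        if ! ruleset_has_chain "$dump" "$fam" "$1" "$3"; then
            echo "missing chain $3 in table $fam $1" >&2; rc=1
        elif ! hook_chain_jumps "$dump" "$fam" "$1" "$2" "$3"; then
            echo "no $2 hook chain in table $fam $1 jumps to $3" >&2; rc=1
        fi
    done
    return $rc
}

if check_miniupnpd_layout "$GOOD_RULESET"; then
    echo "chain layout matches the README setup"
fi
check_miniupnpd_layout "$BROKEN_RULESET" || echo "broken layout detected as expected"
```

On a live system, replace the constructed dumps with `nft list ruleset` output and pass the values from your miniupnpd.conf as the optional arguments; a non-zero exit means the hook chain would evaluate (or drop) traffic without ever reaching the chain miniupnpd writes its rules into.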