miniupnp/miniupnpd/netfilter_nft
Thomas Bernard 6ce3b2eeda 2024 ;) 2024-03-20 00:37:33 +01:00
..
scripts Quote paths in nft scripts to prevent word splitting. 2023-08-07 05:30:41 +08:00
Makefile testnftpinhole: call init_redirect() / shutdown_redirect() 2024-03-13 00:12:52 +01:00
README.md NFTables: Add backwards compatibility for IPv4 NAT 2024-03-04 06:18:41 +01:00
nfct_get.c
nftnlrdr.c netfilter_nft: rule_t: have src/dst/nat addresses and ports 2024-03-13 00:14:20 +01:00
nftnlrdr.h Move print_rule to the file it's used in. 2019-10-06 21:47:50 +02:00
nftnlrdr_misc.c netfilter_nft: rule_t: have src/dst/nat addresses and ports 2024-03-13 00:14:20 +01:00
nftnlrdr_misc.h netfilter_nft: rule_t: have src/dst/nat addresses and ports 2024-03-13 00:14:20 +01:00
nftpinhole.c nftpinhole.c: fix get_pinhole_info() to return the description 2024-03-13 00:14:27 +01:00
nftpinhole.h This commit fixes IPv4 and adds IPv6 pinhole to nftables. 2019-06-12 23:09:20 +02:00
test_nfct_get.c test_nfct_get.c: openlog() 2019-06-30 21:50:55 +02:00
testnftnlrdr.c testnftnlrdr.c: comments + debug output 2024-03-13 00:14:27 +01:00
testnftpinhole.c 2024 ;) 2024-03-20 00:37:33 +01:00
tiny_nf_nat.h This commit fixes IPv4 and adds IPv6 pinhole to nftables. 2019-06-12 23:09:20 +02:00

README.md

Miniupnpd nftables support by Tomofumi Hayashi (s1061123@gmail.com).

Supported Features

  • IPv4 NAT/Filter add/del.

How to build miniupnpd with nftables:

Run 'configure' command with '--firewall=nftables',

./configure --firewall=nftables && make

How to Run

Please run 'netfilter_nft/scripts/nft_init.sh' to add miniupnpd chain.

sudo ./netfilter_nft/scripts/nft_init.sh

FAQ

I will add this section when I get question. Comments and Questions are welcome ;)

Custom Chains

NFTables is very flexible but it comes with some restrictions because of that. If there is a second filter chain than all packets that were passed before with the miniupnpd chain will be reevaluated. This also means that if the chain is a drop chain you loose the packets. In that case you really want to use a custom chain and jump to it in your filter chain. miniupnpd should save all accept rules in that custom chain. For NAT it is the same, a second chain will also evaluate the packets again and therefore it is possible that a second SNAT or DNAT is performed.

The following is used in miniupnpd for a table setup but it can be customized:

table inet filter {
    chain forward {
        type filter hook forward priority 0;
        policy drop;

        # miniupnpd
        jump miniupnpd

        # Add other rules here
    }

    # miniupnpd
    chain miniupnpd {
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;

        # miniupnpd
        jump prerouting_miniupnpd

        # Add other rules here
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        policy accept;

        # miniupnpd
        jump postrouting_miniupnpd

        # Add other rules here
    }

    chain prerouting_miniupnpd {
    }

    chain postrouting_miniupnpd {
    }
}

and the following config settings can be used to change the tables and chains :

upnp_table_name=filter
upnp_nat_table_name=filter
upnp_forward_chain=miniupnpd
upnp_nat_chain=prerouting_miniupnpd
upnp_nat_postrouting_chain=postrouting_miniupnpd

If you need to use the old ipv4 NAT family style set the flag upnp_nftables_family_split to yes. Default is to use INET family which combines IPv4 and IPv6.