Miniupnpd nftables support by Tomofumi Hayashi (s1061123@gmail.com).

Supported Features

  • IPv4 NAT/Filter add/del.

How to build miniupnpd with nftables:

Run the 'configure' command with '--firewall=nftables':

./configure --firewall=nftables && make

How to Run

Please run 'netfilter_nft/scripts/nft_init.sh' to add the miniupnpd chains:

sudo ./netfilter_nft/scripts/nft_init.sh

FAQ

I will add this section when I get questions. Comments and questions are welcome ;)

Custom Chains

NFTables is very flexible, but that flexibility comes with some restrictions. If there is a second filter chain, then all packets that were already accepted by the miniupnpd chain will be re-evaluated by it. This also means that if that second chain has a drop policy, you lose the packets. In that case you really want to use a custom (regular, non-base) chain and jump to it from your filter chain; miniupnpd saves all of its accept rules in that custom chain. For NAT it is the same: a second chain will also evaluate the packets again, and therefore it is possible that a second SNAT or DNAT is performed.

The following is the table setup used by miniupnpd, but it can be customized:

table inet filter {
    chain forward {
        type filter hook forward priority 0;
        policy drop;

        # miniupnpd
        jump miniupnpd

        # Add other rules here
    }

    # miniupnpd
    chain miniupnpd {
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;

        # miniupnpd
        jump prerouting_miniupnpd

        # Add other rules here
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        policy accept;

        # miniupnpd
        jump postrouting_miniupnpd

        # Add other rules here
    }

    chain prerouting_miniupnpd {
    }

    chain postrouting_miniupnpd {
    }
}

and the following config settings can be used to change the tables and chains:

upnp_table_name=filter
upnp_nat_table_name=filter
upnp_forward_chain=miniupnpd
upnp_nat_chain=prerouting_miniupnpd
upnp_nat_postrouting_chain=postrouting_miniupnpd

If you need the old IPv4-only NAT family style, set upnp_nftables_family_split to yes. The default is the INET family, which combines IPv4 and IPv6 in one table.
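The table setup, the upnp_* config settings and the family-split flag above have to agree with each other: the chains named in miniupnpd.conf must exist in the table miniupnpd expects, and the base chains must jump to them. The following is an added example (not part of miniupnpd or its scripts) that reads those upnp_* keys from miniupnpd.conf text, renders the README's table layout with the configured names, and checks a ruleset for two mistakes the "Custom Chains" section warns about: a `jump` to a chain that is not defined in that table, and a jump target that is itself a base chain (one with a hook), which would re-evaluate packets instead of holding miniupnpd's rules. It assumes that with upnp_nftables_family_split=yes the tables are plain `ip` (IPv4-only) tables; the `inet` default is what the README shows.

```python
"""Render and sanity-check the nftables skeleton miniupnpd expects.

Added example, not miniupnpd code. Defaults and layout come from the
README; the 'ip' family for the split mode is an assumption.
"""
import re

# Defaults exactly as listed in the README.
DEFAULTS = {
    "upnp_table_name": "filter",
    "upnp_nat_table_name": "filter",
    "upnp_forward_chain": "miniupnpd",
    "upnp_nat_chain": "prerouting_miniupnpd",
    "upnp_nat_postrouting_chain": "postrouting_miniupnpd",
    "upnp_nftables_family_split": "no",
}


def parse_conf(text):
    """Return the upnp_* settings from miniupnpd.conf text, with README defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in conf:
            conf[key] = value
    return conf


def render_ruleset(conf):
    """Emit nft text: base chains that jump into the empty chains miniupnpd fills."""
    # Assumption: family split means IPv4-only 'ip' tables instead of 'inet'.
    family = "ip" if conf["upnp_nftables_family_split"].lower() == "yes" else "inet"
    fwd, pre, post = (conf["upnp_forward_chain"], conf["upnp_nat_chain"],
                      conf["upnp_nat_postrouting_chain"])
    tables = {}  # table name -> chain blocks; same name merges filter and nat
    tables.setdefault(conf["upnp_table_name"], []).extend([
        "    chain forward {\n        type filter hook forward priority 0; policy drop;\n"
        f"        jump {fwd}\n    }}",
        f"    chain {fwd} {{\n    }}",
    ])
    tables.setdefault(conf["upnp_nat_table_name"], []).extend([
        "    chain prerouting {\n        type nat hook prerouting priority -100; policy accept;\n"
        f"        jump {pre}\n    }}",
        "    chain postrouting {\n        type nat hook postrouting priority 100; policy accept;\n"
        f"        jump {post}\n    }}",
        f"    chain {pre} {{\n    }}",
        f"    chain {post} {{\n    }}",
    ])
    out = []
    for name, chains in tables.items():
        out.append(f"table {family} {name} {{")
        out.extend(chains)
        out.append("}")
    return "\n".join(out) + "\n"


TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{\n(.*?)^\}", re.M | re.S)
CHAIN_RE = re.compile(r"^    chain\s+(\S+)\s*\{\n(.*?)^    \}", re.M | re.S)
JUMP_RE = re.compile(r"^\s*jump\s+(\S+)", re.M)
HOOK_RE = re.compile(r"^\s*type\s+\S+\s+hook", re.M)


def check_ruleset(text):
    """Return problems found in nft text laid out like the README (4-space indent)."""
    problems = []
    for family, name, body in TABLE_RE.findall(text):
        chains = dict(CHAIN_RE.findall(body))
        for cname, cbody in chains.items():
            for target in JUMP_RE.findall(cbody):
                if target not in chains:
                    problems.append(f"{family} {name}: chain {cname} jumps to undefined chain {target}")
                elif HOOK_RE.search(chains[target]):
                    problems.append(f"{family} {name}: jump target {target} is a base chain, "
                                    "use a regular chain so packets are not re-evaluated")
    return problems


# Constructed ruleset: the conf renamed the forward chain but the init script
# still jumps to the old name, so miniupnpd's rules would land in a chain
# nothing reaches.
BAD_RULESET = """table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump miniupnpd
    }
    chain upnp_fwd {
    }
}
"""

if __name__ == "__main__":
    conf = parse_conf("upnp_forward_chain=upnp_fwd\n")   # constructed conf fragment
    print(render_ruleset(conf))
    for p in check_ruleset(BAD_RULESET):
        print("problem:", p)
```

With an empty conf the renderer reproduces the single `table inet filter` layout from this README (minus comments); giving upnp_nat_table_name a different value yields a second table, and the split flag switches both to the `ip` family. Feed `nft list ruleset` output with the same indentation to check_ruleset to catch a jump whose target chain was renamed in miniupnpd.conf but not in the init script.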