Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #19320 from jow-/miniupnpd-rework

Browse source 
miniupnpd: rework firewall4 integration
This commit is contained in:
Jo-Philipp Wich 2022-09-07 19:53:28 +02:00 committed by GitHub
commit 8c7a48957b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 47 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
net/miniupnpd/Makefile
View file

@ -11,11 +11,13 @@ PKG_NAME:=miniupnpd
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git
PKG_SOURCE_DATE:=2022-08-06
PKG_SOURCE_VERSION:=fa42d8f9316bf9c1ca14317e5a6e0d4a21365629
PKG_MIRROR_HASH:=06662c7cf8f553f625cd968d12ea732db4193706510ed0db6e8bdd1c6b935c50
PKG_SOURCE_DATE:=2022-08-31
PKG_SOURCE_VERSION:=68c8ec508a421f4f4af67a63e3eb6f497d2531e1
PKG_MIRROR_HASH:=68a3170ec73149c4cf4855b1ce6e031557cc12bff85a58421bb94785daaf225d
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd
PKG_RELEASE:=1
PKG_MAINTAINER:=
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
@ -113,6 +115,12 @@ endef
define Package/miniupnpd-nftables/install
$(call Package/miniupnpd/install/Default,$1)
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_DIR) $(1)/usr/share/miniupnpd
$(INSTALL_BIN) ./files/miniupnpd.defaults.nftables $(1)/etc/uci-defaults/99-miniupnpd
$(INSTALL_DATA) ./files/firewall4.include $(1)/usr/share/miniupnpd/firewall.include
$(INSTALL_DIR) $(1)/usr/share/nftables.d
$(CP) ./files/nftables.d/* $(1)/usr/share/nftables.d/
endef
$(eval $(call BuildPackage,miniupnpd-iptables))

4
net/miniupnpd/files/firewall4.include Normal file
View file

@ -0,0 +1,4 @@
#!/bin/sh
/etc/init.d/miniupnpd enabled && /etc/init.d/miniupnpd restart
exit 0

11
net/miniupnpd/files/miniupnpd.defaults.nftables Normal file
View file

@ -0,0 +1,11 @@
#!/bin/sh
uci -q batch <<-EOT
delete firewall.miniupnpd
set firewall.miniupnpd=include
set firewall.miniupnpd.type=script
set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
commit firewall
EOT
exit 0

32
net/miniupnpd/files/miniupnpd.init
View file

@ -172,13 +172,13 @@ upnpd() {
config_foreach conf_rule_add perm_rule
if [ "Z$FW" = "Zfw4" ]; then
if [ "$FW" = "fw4" ]; then
#When using nftables configure miniupnpd to use its own table and chains
echo "upnp_table_name=miniupnpd"
echo "upnp_nat_table_name=miniupnpd"
echo "upnp_forward_chain=forward"
echo "upnp_nat_chain=prerouting"
echo "upnp_nat_postrouting_chain=postrouting"
echo "upnp_table_name=fw4"
echo "upnp_nat_table_name=fw4"
echo "upnp_forward_chain=upnp_forward"
echo "upnp_nat_chain=upnp_prerouting"
echo "upnp_nat_postrouting_chain=upnp_postrouting"
fi
} > "$tmpconf"
@ -186,20 +186,17 @@ upnpd() {
if [ -n "$ifname" ]; then
# start firewall
if [ "Z$FW" = "Zfw4" ]; then
#Add a miniupnpd table so that when fw4 reloads port-forwadings aren't lost, also give it priority so that port-forwards are considered before standard firewall rules
nft add table inet miniupnpd
nft add chain inet miniupnpd forward { type filter hook forward priority -20 \; policy accept \; comment \"Miniupnpd forwarding table\" \; }
nft add chain inet miniupnpd prerouting { type nat hook prerouting priority dstnat -20 \; policy accept \; comment \"Miniupnpd prerouting table\" \; }
nft add chain inet miniupnpd postrouting { type nat hook postrouting priority srcnat -20 \; policy accept \; comment \"Miniupnpd postrouting table\" \; }
if [ "$FW" = "fw4" ]; then
nft -s -t -n list chain inet fw4 upnp_forward >/dev/null 2>&1 || fw4 reload
else
iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
fi
else
logger -t "upnp daemon" "external interface not found, not starting"
fi
procd_open_instance
procd_set_param file "$conf" "/etc/config/firewall"
procd_set_param command "$PROG"
procd_append_param command -f "$conf"
[ "$log_output" = "1" ] && procd_append_param command -d
@ -207,14 +204,15 @@ upnpd() {
}
stop_service() {
if [ "Z$FW" = "Zfw3" ]; then
if [ "$FW" = "fw3" ]; then
iptables -t nat -F MINIUPNPD 2>/dev/null
iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
iptables -t filter -F MINIUPNPD 2>/dev/null
[ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
else
#delete the table removing port-forwardings when exiting
nft delete table inet miniupnpd
nft flush chain inet fw4 upnp_forward 2>/dev/null
nft flush chain inet fw4 upnp_prerouting 2>/dev/null
nft flush chain inet fw4 upnp_postrouting 2>/dev/null
fi
}
@ -225,4 +223,4 @@ start_service() {
service_triggers() {
procd_add_reload_trigger "upnpd"
}
}

1
net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft Normal file
View file

@ -0,0 +1 @@
jump upnp_prerouting comment "Hook into miniupnpd prerouting chain";

1
net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft Normal file
View file

@ -0,0 +1 @@
jump upnp_forward comment "Hook into miniupnpd forwarding chain";

1
net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft Normal file
View file

@ -0,0 +1 @@
jump upnp_postrouting comment "Hook into miniupnpd postrouting chain";

3
net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft Normal file
View file

@ -0,0 +1,3 @@
chain upnp_forward {}
chain upnp_prerouting {}
chain upnp_postrouting {}