Merge pull request #19320 from jow-/miniupnpd-rework

miniupnpd: rework firewall4 integration

net/miniupnpd/Makefile

@@ -11,11 +11,13 @@ PKG_NAME:=miniupnpd
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git
-PKG_SOURCE_DATE:=2022-08-06
+PKG_SOURCE_DATE:=2022-08-31
-PKG_SOURCE_VERSION:=fa42d8f9316bf9c1ca14317e5a6e0d4a21365629
+PKG_SOURCE_VERSION:=68c8ec508a421f4f4af67a63e3eb6f497d2531e1
-PKG_MIRROR_HASH:=06662c7cf8f553f625cd968d12ea732db4193706510ed0db6e8bdd1c6b935c50
+PKG_MIRROR_HASH:=68a3170ec73149c4cf4855b1ce6e031557cc12bff85a58421bb94785daaf225d
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd
 
+PKG_RELEASE:=1
+
 PKG_MAINTAINER:=
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -113,6 +115,12 @@ endef
 
 define Package/miniupnpd-nftables/install
 	$(call Package/miniupnpd/install/Default,$1)
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/usr/share/miniupnpd
+	$(INSTALL_BIN) ./files/miniupnpd.defaults.nftables $(1)/etc/uci-defaults/99-miniupnpd
+	$(INSTALL_DATA) ./files/firewall4.include $(1)/usr/share/miniupnpd/firewall.include
+	$(INSTALL_DIR) $(1)/usr/share/nftables.d
+	$(CP) ./files/nftables.d/* $(1)/usr/share/nftables.d/
 endef
 
 $(eval $(call BuildPackage,miniupnpd-iptables))

net/miniupnpd/files/firewall4.include

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+/etc/init.d/miniupnpd enabled && /etc/init.d/miniupnpd restart
+exit 0

net/miniupnpd/files/miniupnpd.defaults.nftables

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOT
+	delete firewall.miniupnpd
+	set firewall.miniupnpd=include
+	set firewall.miniupnpd.type=script
+	set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
+	commit firewall
+EOT
+
+exit 0

net/miniupnpd/files/miniupnpd.init

@@ -172,13 +172,13 @@ upnpd() {
 
 		config_foreach conf_rule_add perm_rule
 
-		if [ "Z$FW" = "Zfw4" ]; then
+		if [ "$FW" = "fw4" ]; then
 			#When using nftables configure miniupnpd to use its own table and chains
-			echo "upnp_table_name=miniupnpd"
+			echo "upnp_table_name=fw4"
-			echo "upnp_nat_table_name=miniupnpd"
+			echo "upnp_nat_table_name=fw4"
-			echo "upnp_forward_chain=forward"
+			echo "upnp_forward_chain=upnp_forward"
-			echo "upnp_nat_chain=prerouting"
+			echo "upnp_nat_chain=upnp_prerouting"
-			echo "upnp_nat_postrouting_chain=postrouting"
+			echo "upnp_nat_postrouting_chain=upnp_postrouting"
 		fi
 
 		} > "$tmpconf"
@@ -186,20 +186,17 @@ upnpd() {
 
 	if [ -n "$ifname" ]; then
 		# start firewall
-		if [ "Z$FW" = "Zfw4" ]; then
+		if [ "$FW" = "fw4" ]; then
-			#Add a miniupnpd table so that when fw4 reloads port-forwadings aren't lost, also give it priority so that port-forwards are considered before standard firewall rules
+			nft -s -t -n list chain inet fw4 upnp_forward >/dev/null 2>&1 || fw4 reload
-			nft add table inet miniupnpd
-			nft add chain inet miniupnpd forward { type filter hook forward priority -20 \; policy accept \; comment \"Miniupnpd forwarding table\" \; }
-			nft add chain inet miniupnpd prerouting { type nat hook prerouting priority dstnat -20 \; policy accept \; comment \"Miniupnpd prerouting table\" \; }
-			nft add chain inet miniupnpd postrouting { type nat hook postrouting priority srcnat -20 \; policy accept \; comment \"Miniupnpd postrouting table\" \; }
 		else
-			iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload			
+			iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
 		fi
 	else
 		logger -t "upnp daemon" "external interface not found, not starting"
 	fi
 
 	procd_open_instance
+	procd_set_param file "$conf" "/etc/config/firewall"
 	procd_set_param command "$PROG"
 	procd_append_param command -f "$conf"
 	[ "$log_output" = "1" ] && procd_append_param command -d
@@ -207,14 +204,15 @@ upnpd() {
 }
 
 stop_service() {
-	if [ "Z$FW" = "Zfw3" ]; then
+	if [ "$FW" = "fw3" ]; then
 		iptables -t nat -F MINIUPNPD 2>/dev/null
 		iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
 		iptables -t filter -F MINIUPNPD 2>/dev/null
 		[ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
 	else
-		#delete the table removing port-forwardings when exiting
+		nft flush chain inet fw4 upnp_forward 2>/dev/null
-		nft delete table inet miniupnpd
+		nft flush chain inet fw4 upnp_prerouting 2>/dev/null
+		nft flush chain inet fw4 upnp_postrouting 2>/dev/null
 	fi
 }
 
@@ -225,4 +223,4 @@ start_service() {
 
 service_triggers() {
 	procd_add_reload_trigger "upnpd"
-}
+}

net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft

@@ -0,0 +1 @@
+jump upnp_prerouting comment "Hook into miniupnpd prerouting chain";

net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft

@@ -0,0 +1 @@
+jump upnp_forward comment "Hook into miniupnpd forwarding chain";

net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft

@@ -0,0 +1 @@
+jump upnp_postrouting comment "Hook into miniupnpd postrouting chain";

net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft

@@ -0,0 +1,3 @@
+chain upnp_forward {}
+chain upnp_prerouting {}
+chain upnp_postrouting {}