diff --git a/net/miniupnpd/Makefile b/net/miniupnpd/Makefile
index 4eebdd825..5d4c2a08c 100644
--- a/net/miniupnpd/Makefile
+++ b/net/miniupnpd/Makefile
@@ -11,11 +11,13 @@ PKG_NAME:=miniupnpd
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git
-PKG_SOURCE_DATE:=2022-08-06
-PKG_SOURCE_VERSION:=fa42d8f9316bf9c1ca14317e5a6e0d4a21365629
-PKG_MIRROR_HASH:=06662c7cf8f553f625cd968d12ea732db4193706510ed0db6e8bdd1c6b935c50
+PKG_SOURCE_DATE:=2022-08-31
+PKG_SOURCE_VERSION:=68c8ec508a421f4f4af67a63e3eb6f497d2531e1
+PKG_MIRROR_HASH:=68a3170ec73149c4cf4855b1ce6e031557cc12bff85a58421bb94785daaf225d
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd
+PKG_RELEASE:=1
+
 PKG_MAINTAINER:=
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -113,6 +115,12 @@ endef
 define Package/miniupnpd-nftables/install
 $(call Package/miniupnpd/install/Default,$1)
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_DIR) $(1)/usr/share/miniupnpd
+ $(INSTALL_BIN) ./files/miniupnpd.defaults.nftables $(1)/etc/uci-defaults/99-miniupnpd
+ $(INSTALL_DATA) ./files/firewall4.include $(1)/usr/share/miniupnpd/firewall.include
+ $(INSTALL_DIR) $(1)/usr/share/nftables.d
+ $(CP) ./files/nftables.d/* $(1)/usr/share/nftables.d/
 endef
 $(eval $(call BuildPackage,miniupnpd-iptables))
diff --git a/net/miniupnpd/files/firewall4.include b/net/miniupnpd/files/firewall4.include
new file mode 100644
index 000000000..ee5be1f1b
--- /dev/null
+++ b/net/miniupnpd/files/firewall4.include
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+/etc/init.d/miniupnpd enabled && /etc/init.d/miniupnpd restart
+exit 0
diff --git a/net/miniupnpd/files/miniupnpd.defaults.nftables b/net/miniupnpd/files/miniupnpd.defaults.nftables
new file mode 100644
index 000000000..d3e3d8720
--- /dev/null
+++ b/net/miniupnpd/files/miniupnpd.defaults.nftables
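Review bot: The firewall4.include hunk restarts miniupnpd whenever `/etc/init.d/miniupnpd enabled` holds, while the init script's fw4 start path (the `@@ -186,20 +186,17 @@` hunk) runs `fw4 reload` when the `upnp_forward` chain is missing; if the chain still does not exist after that reload — for instance when the nftables.d snippets are not picked up by the installed fw4 — start and reload invoke each other without bound. Testing the running state rather than the boot-enable flag breaks that cycle from the include's side, because at the moment of the nested reload the instance has not yet been handed to procd: `/etc/init.d/miniupnpd running && /etc/init.d/miniupnpd restart`. It also stops the include from resurrecting a daemon an administrator stopped by hand but left enabled. A one-line comment on why a restart is needed at all (presumably because a fw4 reload replaces the whole `inet fw4` table and with it the dynamic `upnp_*` rules, as the removed init comment implied) would spare the next reader the archaeology.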
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOT
+ delete firewall.miniupnpd
+ set firewall.miniupnpd=include
+ set firewall.miniupnpd.type=script
+ set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
+ commit firewall
+EOT
+
+exit 0
diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init
index 1caa03d84..de3504529 100644
--- a/net/miniupnpd/files/miniupnpd.init
+++ b/net/miniupnpd/files/miniupnpd.init
@@ -172,13 +172,13 @@ upnpd() {
 config_foreach conf_rule_add perm_rule
- if [ "Z$FW" = "Zfw4" ]; then
+ if [ "$FW" = "fw4" ]; then
 #When using nftables configure miniupnpd to use its own table and chains
- echo "upnp_table_name=miniupnpd"
- echo "upnp_nat_table_name=miniupnpd"
- echo "upnp_forward_chain=forward"
- echo "upnp_nat_chain=prerouting"
- echo "upnp_nat_postrouting_chain=postrouting"
+ echo "upnp_table_name=fw4"
+ echo "upnp_nat_table_name=fw4"
+ echo "upnp_forward_chain=upnp_forward"
+ echo "upnp_nat_chain=upnp_prerouting"
+ echo "upnp_nat_postrouting_chain=upnp_postrouting"
 fi
 } > "$tmpconf"
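Review bot: The context comment kept in the init hunk, `#When using nftables configure miniupnpd to use its own table and chains`, no longer describes the lines directly below it, which now point the daemon at the `fw4` table and the `upnp_forward`/`upnp_prerouting`/`upnp_postrouting` chains instead of a table of its own; the commit changes the values but leaves the stale explanation. Suggest `# With fw4, emit rules into the firewall's own inet table, in the dedicated upnp_* chains created by the nftables.d snippets` so nobody goes looking for a miniupnpd table. The upnpd() function this block belongs to starts outside the hunk.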
@@ -186,20 +186,17 @@ upnpd() {
 if [ -n "$ifname" ]; then
 # start firewall
- if [ "Z$FW" = "Zfw4" ]; then
- #Add a miniupnpd table so that when fw4 reloads port-forwadings aren't lost, also give it priority so that port-forwards are considered before standard firewall rules
- nft add table inet miniupnpd
- nft add chain inet miniupnpd forward { type filter hook forward priority -20 \; policy accept \; comment \"Miniupnpd forwarding table\" \; }
- nft add chain inet miniupnpd prerouting { type nat hook prerouting priority dstnat -20 \; policy accept \; comment \"Miniupnpd prerouting table\" \; }
- nft add chain inet miniupnpd postrouting { type nat hook postrouting priority srcnat -20 \; policy accept \; comment \"Miniupnpd postrouting table\" \; }
+ if [ "$FW" = "fw4" ]; then
+ nft -s -t -n list chain inet fw4 upnp_forward >/dev/null 2>&1 || fw4 reload
 else
- iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
+ iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
 fi
 else
 logger -t "upnp daemon" "external interface not found, not starting"
 fi
 procd_open_instance
+ procd_set_param file "$conf" "/etc/config/firewall"
 procd_set_param command "$PROG"
 procd_append_param command -f "$conf"
 [ "$log_output" = "1" ] && procd_append_param command -d
@@ -207,14 +204,15 @@ upnpd() {
 }
 stop_service() {
- if [ "Z$FW" = "Zfw3" ]; then
+ if [ "$FW" = "fw3" ]; then
 iptables -t nat -F MINIUPNPD 2>/dev/null
 iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
 iptables -t filter -F MINIUPNPD 2>/dev/null
 [ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
 else
- #delete the table removing port-forwardings when exiting
- nft delete table inet miniupnpd
+ nft flush chain inet fw4 upnp_forward 2>/dev/null
+ nft flush chain inet fw4 upnp_prerouting 2>/dev/null
+ nft flush chain inet fw4 upnp_postrouting 2>/dev/null
 fi
 }
@@ -225,4 +223,4 @@ start_service() {
 service_triggers() {
 procd_add_reload_trigger "upnpd"
-}
\ No newline at end of file
+}
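Review bot: The start path in the first hunk decides whether to `fw4 reload` by probing only `upnp_forward`, yet the generated config also names `upnp_prerouting` and `upnp_postrouting` and the stop_service hunk flushes all three; a ruleset where only the forward chain is present (a partially applied or hand-edited nftables.d layout) passes the probe and the daemon would then presumably fail when it tries to insert its NAT rules. Probing all three keeps the check consistent with what the daemon needs: `for c in upnp_forward upnp_prerouting upnp_postrouting; do nft list chain inet fw4 "$c" >/dev/null 2>&1 || { fw4 reload; break; }; done`. A short comment above that line saying the chains come from the package's table-post snippet and that a missing one means fw4 has not loaded it would make the reload's purpose clear. upnpd() begins outside the hunk.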
diff --git a/net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft
new file mode 100644
index 000000000..2b3c627aa
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft
@@ -0,0 +1 @@
+jump upnp_prerouting comment "Hook into miniupnpd prerouting chain";
diff --git a/net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft
new file mode 100644
index 000000000..b8c29fb89
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft
@@ -0,0 +1 @@
+jump upnp_forward comment "Hook into miniupnpd forwarding chain";
diff --git a/net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft
new file mode 100644
index 000000000..2d0051e20
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft
@@ -0,0 +1 @@
+jump upnp_postrouting comment "Hook into miniupnpd postrouting chain";
diff --git a/net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft
new file mode 100644
index 000000000..7d914e5c8
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft
@@ -0,0 +1,3 @@
+chain upnp_forward {}
+chain upnp_prerouting {}
+chain upnp_postrouting {}
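Review bot: The three chain-post snippets (this dstnat one and the forward and srcnat ones that follow) presumably append their jumps at the end of fw4's dstnat, forward and srcnat chains, so miniupnpd's rules are now evaluated after the firewall's zone and user rules, whereas the code removed from the init script hooked a separate table at priority -20 precisely so that UPnP forwards were considered before the standard rules. If that reversal is intended — an explicit administrator rule winning over a UPnP-requested opening is the safer default — the snippet comments are the place to record it, e.g. `jump upnp_forward comment "Hook into miniupnpd forwarding chain (after zone rules)";`. Whether fw4 emits chain-post includes before or after its terminal reject handling in the forward chain is not visible here and is worth confirming, since a jump placed after an unconditional reject is never reached.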