From 7cc0a0eabd7534d45decef2df3a29a0b33fe9b4d Mon Sep 17 00:00:00 2001 From: Tiago Gaspar Date: Tue, 16 Aug 2022 22:35:11 +0100 Subject: [PATCH] miniupnpd: update and fix nftables variant Update the package to a commit that fixes an issue with removing PCP mappings from nftables. This also allows us to fix the nftables miniupnpd implementation on openwrt. In this new implementation, a table is created at the start of miniupnpd and it is dedicated to miniupnpd with a priority above the firewall4 table. This allows miniupnpd to go ahead of the drop rules of firewall4 and forward traffic as needed. There was the possibility of adding a chain inside the firewall4 table, but this would raise an issue where if firewall4 was reloaded the port forwardings would be lost and miniupnpd could be out of sync. When miniupnpd is stopped the table is deleted, taking the port forwardings with it. Some of this commit is based of msylgj's work, mainly the logic of the init/hotplug scripts and the makefile build parameters. Signed-off-by: ZiMing Mo Signed-off-by: Tiago Gaspar (cherry picked from commit 651a578cac6168566cf727d6b82ce819e41bbbbe) --- net/miniupnpd/Makefile | 14 ++++--- net/miniupnpd/files/miniupnpd.hotplug | 5 ++- net/miniupnpd/files/miniupnpd.init | 40 ++++++++++++++----- ...pd-configure-don-t-hardcode-iptables.patch | 25 ------------ 4 files changed, 43 insertions(+), 41 deletions(-) delete mode 100644 net/miniupnpd/patches/100-miniupnpd-configure-don-t-hardcode-iptables.patch diff --git a/net/miniupnpd/Makefile b/net/miniupnpd/Makefile index 2a1372755..4eebdd825 100644 --- a/net/miniupnpd/Makefile +++ b/net/miniupnpd/Makefile @@ -8,12 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=miniupnpd -PKG_VERSION:=2.2.3 -PKG_RELEASE:=$(AUTORELEASE) -PKG_SOURCE_URL:=https://miniupnp.tuxfamily.org/files -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_HASH:=f89c310ce9575183af3fec61af65e548f85114133df8caaaa9e204c13b7a9da5 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git +PKG_SOURCE_DATE:=2022-08-06 +PKG_SOURCE_VERSION:=fa42d8f9316bf9c1ca14317e5a6e0d4a21365629 +PKG_MIRROR_HASH:=06662c7cf8f553f625cd968d12ea732db4193706510ed0db6e8bdd1c6b935c50 +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd PKG_MAINTAINER:= PKG_LICENSE:=BSD-3-Clause @@ -26,6 +27,9 @@ PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/version.mk +TAR_OPTIONS+= --strip-components 1 +TAR_CMD=$(HOST_TAR) -C $(1)/.. $(TAR_OPTIONS) + define Package/miniupnpd/Default SECTION:=net CATEGORY:=Network diff --git a/net/miniupnpd/files/miniupnpd.hotplug b/net/miniupnpd/files/miniupnpd.hotplug index 63d6114b6..607a32bdc 100644 --- a/net/miniupnpd/files/miniupnpd.hotplug +++ b/net/miniupnpd/files/miniupnpd.hotplug @@ -13,6 +13,7 @@ tmpconf="/var/etc/miniupnpd.conf" external_iface=$(uci -q get upnpd.config.external_iface) external_iface6=$(uci -q get upnpd.config.external_iface6) external_zone=$(uci -q get upnpd.config.external_zone) +[ -x "$(command -v nft)" ] && FW="fw4" || FW="fw3" . /lib/functions/network.sh @@ -20,7 +21,7 @@ if [ -n "$external_iface" ] ; then network_get_device ifname "$external_iface" else if [ -n "$external_zone" ] ; then - ifname=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1) + ifname=$($FW -q zone "$external_zone" 2>/dev/null | head -1) else network_find_wan external_iface && \ network_get_device ifname "$external_iface" @@ -30,7 +31,7 @@ if [ -n "$external_iface6" ] ; then network_get_device ifname6 "$external_iface6" else if [ -n "$external_zone" ] ; then - ifname6=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1) + ifname6=$($FW -q zone "$external_zone" 2>/dev/null | head -1) else network_find_wan6 external_iface6 && \ network_get_device ifname6 "$external_iface6" diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init index cc13e0440..1caa03d84 100644 --- a/net/miniupnpd/files/miniupnpd.init +++ b/net/miniupnpd/files/miniupnpd.init @@ -5,6 +5,7 @@ START=94 STOP=15 USE_PROCD=1 PROG=/usr/sbin/miniupnpd +[ -x "$(command -v nft)" ] && FW="fw4" || FW="fw3" upnpd_get_port_range() { local var="$1"; shift @@ -98,7 +99,7 @@ upnpd() { network_get_device ifname "$external_iface" else if [ -n "$external_zone" ] ; then - ifname=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1) + ifname=$($FW -q zone "$external_zone" 2>/dev/null | head -1) else network_find_wan external_iface && \ network_get_device ifname "$external_iface" @@ -108,7 +109,7 @@ upnpd() { network_get_device ifname6 "$external_iface6" else if [ -n "$external_zone" ] ; then - ifname6=$(fw3 -q zone "$external_zone" 2>/dev/null | head -1) + ifname6=$($FW -q zone "$external_zone" 2>/dev/null | head -1) else network_find_wan6 external_iface6 && \ network_get_device ifname6 "$external_iface6" @@ -171,12 +172,29 @@ upnpd() { config_foreach conf_rule_add perm_rule + if [ "Z$FW" = "Zfw4" ]; then + #When using nftables configure miniupnpd to use its own table and chains + echo "upnp_table_name=miniupnpd" + echo "upnp_nat_table_name=miniupnpd" + echo "upnp_forward_chain=forward" + echo "upnp_nat_chain=prerouting" + echo "upnp_nat_postrouting_chain=postrouting" + fi + } > "$tmpconf" fi if [ -n "$ifname" ]; then # start firewall - iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload + if [ "Z$FW" = "Zfw4" ]; then + #Add a miniupnpd table so that when fw4 reloads port-forwadings aren't lost, also give it priority so that port-forwards are considered before standard firewall rules + nft add table inet miniupnpd + nft add chain inet miniupnpd forward { type filter hook forward priority -20 \; policy accept \; comment \"Miniupnpd forwarding table\" \; } + nft add chain inet miniupnpd prerouting { type nat hook prerouting priority dstnat -20 \; policy accept \; comment \"Miniupnpd prerouting table\" \; } + nft add chain inet miniupnpd postrouting { type nat hook postrouting priority srcnat -20 \; policy accept \; comment \"Miniupnpd postrouting table\" \; } + else + iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload + fi else logger -t "upnp daemon" "external interface not found, not starting" fi @@ -189,11 +207,15 @@ upnpd() { } stop_service() { - iptables -t nat -F MINIUPNPD 2>/dev/null - iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null - iptables -t filter -F MINIUPNPD 2>/dev/null - - [ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null + if [ "Z$FW" = "Zfw3" ]; then + iptables -t nat -F MINIUPNPD 2>/dev/null + iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null + iptables -t filter -F MINIUPNPD 2>/dev/null + [ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null + else + #delete the table removing port-forwardings when exiting + nft delete table inet miniupnpd + fi } start_service() { @@ -203,4 +225,4 @@ start_service() { service_triggers() { procd_add_reload_trigger "upnpd" -} +} \ No newline at end of file diff --git a/net/miniupnpd/patches/100-miniupnpd-configure-don-t-hardcode-iptables.patch b/net/miniupnpd/patches/100-miniupnpd-configure-don-t-hardcode-iptables.patch deleted file mode 100644 index c6f24b282..000000000 --- a/net/miniupnpd/patches/100-miniupnpd-configure-don-t-hardcode-iptables.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 51a422407b22f0cb7188ea4bfb3867b2bbfcfe68 Mon Sep 17 00:00:00 2001 -From: Stijn Tintel -Date: Sun, 7 Nov 2021 20:24:29 +0200 -Subject: [PATCH] miniupnpd/configure: don't hardcode iptables - -The OpenWrt Makefile that builds miniupnpd passes the firewall argument -to the configure script, so this is not needed and it is blocking us -from using nftables instead, which will be the default backend for -firewall4 to be used in the next OpenWrt stable release. - -Signed-off-by: Stijn Tintel ---- - configure | 1 - - 1 file changed, 1 deletion(-) - ---- a/configure -+++ b/configure -@@ -387,7 +387,6 @@ case $OS_NAME in - OpenWRT) - OS_URL=http://www.openwrt.org/ - echo "#define USE_IFACEWATCHER 1" >> ${CONFIGFILE} -- FW=iptables - ;; - OpenEmbedded) - OS_URL=http://www.openembedded.org/