authorJo-Philipp Wich <jo@mein.io>2022-09-07 19:53:28 +0200
committerGitHub <noreply@github.com>2022-09-07 19:53:28 +0200
commit8c7a48957b1f13eb6aa8627f8096a1b0995cc3f8 (patch)
treec5033f0986b06fd6c953d9b2e72489f26afc6ce9
parent3d5264c8a4be75e26d72122d7a71333d0c6aabbd (diff)
parentf1c69d0e6cea3dc33e3cc86e22812afb8ecb1032 (diff)
Merge pull request #19320 from jow-/miniupnpd-rework
miniupnpd: rework firewall4 integration
-rw-r--r--net/miniupnpd/Makefile14
-rw-r--r--net/miniupnpd/files/firewall4.include4
-rw-r--r--net/miniupnpd/files/miniupnpd.defaults.nftables11
-rw-r--r--net/miniupnpd/files/miniupnpd.init32
-rw-r--r--net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft1
-rw-r--r--net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft1
-rw-r--r--net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft1
-rw-r--r--net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft3
8 files changed, 47 insertions, 20 deletions
diff --git a/net/miniupnpd/Makefile b/net/miniupnpd/Makefile
index 4eebdd825..5d4c2a08c 100644
--- a/net/miniupnpd/Makefile
+++ b/net/miniupnpd/Makefile
@@ -11,11 +11,13 @@ PKG_NAME:=miniupnpd
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git
-PKG_SOURCE_DATE:=2022-08-06
-PKG_SOURCE_VERSION:=fa42d8f9316bf9c1ca14317e5a6e0d4a21365629
-PKG_MIRROR_HASH:=06662c7cf8f553f625cd968d12ea732db4193706510ed0db6e8bdd1c6b935c50
+PKG_SOURCE_DATE:=2022-08-31
+PKG_SOURCE_VERSION:=68c8ec508a421f4f4af67a63e3eb6f497d2531e1
+PKG_MIRROR_HASH:=68a3170ec73149c4cf4855b1ce6e031557cc12bff85a58421bb94785daaf225d
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd
+PKG_RELEASE:=1
+
PKG_MAINTAINER:=
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
@@ -113,6 +115,12 @@ endef
define Package/miniupnpd-nftables/install
$(call Package/miniupnpd/install/Default,$1)
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_DIR) $(1)/usr/share/miniupnpd
+ $(INSTALL_BIN) ./files/miniupnpd.defaults.nftables $(1)/etc/uci-defaults/99-miniupnpd
+ $(INSTALL_DATA) ./files/firewall4.include $(1)/usr/share/miniupnpd/firewall.include
+ $(INSTALL_DIR) $(1)/usr/share/nftables.d
+ $(CP) ./files/nftables.d/* $(1)/usr/share/nftables.d/
endef
$(eval $(call BuildPackage,miniupnpd-iptables))
diff --git a/net/miniupnpd/files/firewall4.include b/net/miniupnpd/files/firewall4.include
new file mode 100644
index 000000000..ee5be1f1b
--- /dev/null
+++ b/net/miniupnpd/files/firewall4.include
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+/etc/init.d/miniupnpd enabled && /etc/init.d/miniupnpd restart
+exit 0
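Review bot: The restart on the third line is gated on `enabled`, which tests the boot-time symlink rather than whether the daemon is currently running, so a service the user stopped by hand is started again on every firewall reload while a manually started but boot-disabled one is never refreshed; `/etc/init.d/miniupnpd running && /etc/init.d/miniupnpd restart` matches what the include is presumably for, assuming rc.common's `running` command is available in the targeted release. The unconditional `exit 0` also hides a failed restart from fw4's output. A one-line comment explaining why the restart is needed at all would help, e.g. `# fw4 reload replaces the inet fw4 table and empties the upnp_* chains; restart so miniupnpd re-installs its active mappings` — that is what the table-post/chain-post snippets in this commit imply, assuming fw4 runs script includes after the ruleset has been applied.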
diff --git a/net/miniupnpd/files/miniupnpd.defaults.nftables b/net/miniupnpd/files/miniupnpd.defaults.nftables
new file mode 100644
index 000000000..d3e3d8720
--- /dev/null
+++ b/net/miniupnpd/files/miniupnpd.defaults.nftables
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOT
+ delete firewall.miniupnpd
+ set firewall.miniupnpd=include
+ set firewall.miniupnpd.type=script
+ set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
+ commit firewall
+EOT
+
+exit 0
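Review bot: The uci batch at the delete/set lines registers a `type=script` include without marking it fw4-compatible; as far as I recall firewall4 skips legacy script includes with a warning unless `option fw4_compatible '1'` is set, in which case this include would never run and the restart-on-reload behaviour would be silently missing. If that applies to the firewall4 version being targeted, add `set firewall.miniupnpd.fw4_compatible=1` before the `commit firewall` line. Either way a short header comment such as `# register the fw4 script include that restarts miniupnpd after each firewall reload` would document what the batch is for.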
diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init
index 1caa03d84..de3504529 100644
--- a/net/miniupnpd/files/miniupnpd.init
+++ b/net/miniupnpd/files/miniupnpd.init
@@ -172,13 +172,13 @@ upnpd() {
config_foreach conf_rule_add perm_rule
- if [ "Z$FW" = "Zfw4" ]; then
+ if [ "$FW" = "fw4" ]; then
#When using nftables configure miniupnpd to use its own table and chains
- echo "upnp_table_name=miniupnpd"
- echo "upnp_nat_table_name=miniupnpd"
- echo "upnp_forward_chain=forward"
- echo "upnp_nat_chain=prerouting"
- echo "upnp_nat_postrouting_chain=postrouting"
+ echo "upnp_table_name=fw4"
+ echo "upnp_nat_table_name=fw4"
+ echo "upnp_forward_chain=upnp_forward"
+ echo "upnp_nat_chain=upnp_prerouting"
+ echo "upnp_nat_postrouting_chain=upnp_postrouting"
fi
} > "$tmpconf"
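Review bot: The comment on the line after the `fw4` test is now wrong: the new values point miniupnpd at the shared `fw4` table and the `upnp_*` chains declared by the nftables.d snippets, not at "its own table and chains". Replace it with something like `# With fw4, use the fw4 table and the upnp_* chains provided by the /usr/share/nftables.d snippets`. The enclosing upnpd() function starts before this hunk.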
@@ -186,20 +186,17 @@ upnpd() {
if [ -n "$ifname" ]; then
# start firewall
- if [ "Z$FW" = "Zfw4" ]; then
- #Add a miniupnpd table so that when fw4 reloads port-forwadings aren't lost, also give it priority so that port-forwards are considered before standard firewall rules
- nft add table inet miniupnpd
- nft add chain inet miniupnpd forward { type filter hook forward priority -20 \; policy accept \; comment \"Miniupnpd forwarding table\" \; }
- nft add chain inet miniupnpd prerouting { type nat hook prerouting priority dstnat -20 \; policy accept \; comment \"Miniupnpd prerouting table\" \; }
- nft add chain inet miniupnpd postrouting { type nat hook postrouting priority srcnat -20 \; policy accept \; comment \"Miniupnpd postrouting table\" \; }
+ if [ "$FW" = "fw4" ]; then
+ nft -s -t -n list chain inet fw4 upnp_forward >/dev/null 2>&1 || fw4 reload
else
- iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
+ iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
fi
else
logger -t "upnp daemon" "external interface not found, not starting"
fi
procd_open_instance
+ procd_set_param file "$conf" "/etc/config/firewall"
procd_set_param command "$PROG"
procd_append_param command -f "$conf"
[ "$log_output" = "1" ] && procd_append_param command -d
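Review bot: The `|| fw4 reload` fallback on the `nft ... list chain` line can re-enter this init script: if this package's firewall include runs during that reload and the service is enabled, it calls `/etc/init.d/miniupnpd restart` while start_service is still preparing the procd instance, so the daemon may be started twice or the restart may race the instance being opened. Whether that happens depends on when fw4 runs script includes relative to applying the ruleset, which is not visible here, so it is worth verifying before merging. The check also inspects only `upnp_forward`; when the table-post snippet is not installed, `fw4 reload` will not create the chains and miniupnpd is started against them anyway, so repeating the check after the reload and logging via `logger -t "upnp daemon"` on failure would make that visible. upnpd() continues on both sides of this hunk.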
@@ -207,14 +204,15 @@ upnpd() {
}
stop_service() {
- if [ "Z$FW" = "Zfw3" ]; then
+ if [ "$FW" = "fw3" ]; then
iptables -t nat -F MINIUPNPD 2>/dev/null
iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
iptables -t filter -F MINIUPNPD 2>/dev/null
[ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
else
- #delete the table removing port-forwardings when exiting
- nft delete table inet miniupnpd
+ nft flush chain inet fw4 upnp_forward 2>/dev/null
+ nft flush chain inet fw4 upnp_prerouting 2>/dev/null
+ nft flush chain inet fw4 upnp_postrouting 2>/dev/null
fi
}
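Review bot: The explanatory comment removed with the old `nft delete table` line is not replaced, so the three flush lines do not say why the chains are flushed rather than deleted. Add `# flush only: the upnp_* chains are owned by the fw4 table and re-created by fw4 reload` above the first flush. Note also that the `else` branch runs for any `$FW` value other than fw3, including an empty one; that is pre-existing behaviour, but a guard such as `elif [ "$FW" = "fw4" ]; then` would avoid calling nft on systems where `$FW` is unset, if that can occur.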
@@ -225,4 +223,4 @@ start_service() {
service_triggers() {
procd_add_reload_trigger "upnpd"
-} \ No newline at end of file
+}
diff --git a/net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft
new file mode 100644
index 000000000..2b3c627aa
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/chain-post/dstnat/20-miniupnpd.nft
@@ -0,0 +1 @@
+jump upnp_prerouting comment "Hook into miniupnpd prerouting chain";
diff --git a/net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft
new file mode 100644
index 000000000..b8c29fb89
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/chain-post/forward/20-miniupnpd.nft
@@ -0,0 +1 @@
+jump upnp_forward comment "Hook into miniupnpd forwarding chain";
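Review bot: The jump is appended to fw4's `forward` chain through a chain-post snippet, i.e. after the per-zone dispatch rules; if the zone forward chains terminate wan-originated traffic with the zone's reject/drop policy before control returns, packets never reach `upnp_forward` and the mappings miniupnpd installs are silently ineffective. The implementation this commit removes ran its own table at priority -20 precisely so that its rules were evaluated before fw4's; the equivalent here would be a chain-pre placement (`nftables.d/chain-pre/forward/20-miniupnpd.nft`), assuming firewall4's template offers that hook. The same question applies to the dstnat and srcnat snippets in the neighbouring hunks, though those chains have no terminal policy of their own so ordering matters less there. Worth confirming against the fw4 ruleset template and with a mapping exercised from a wan client before merging.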
diff --git a/net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft
new file mode 100644
index 000000000..2d0051e20
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/chain-post/srcnat/20-miniupnpd.nft
@@ -0,0 +1 @@
+jump upnp_postrouting comment "Hook into miniupnpd postrouting chain";
diff --git a/net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft b/net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft
new file mode 100644
index 000000000..7d914e5c8
--- /dev/null
+++ b/net/miniupnpd/files/nftables.d/table-post/20-miniupnpd.nft
@@ -0,0 +1,3 @@
+chain upnp_forward {}
+chain upnp_prerouting {}
+chain upnp_postrouting {}
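Review bot: The three chains are declared without type/hook, i.e. as regular chains that are only reached through the chain-post jumps, and nothing in the file says so or that miniupnpd fills them at runtime. A header comment would make the split in ownership clear, e.g. `# Regular chains reached via the chain-post jumps in fw4's dstnat/forward/srcnat chains; miniupnpd adds its per-mapping rules here at runtime and the init script flushes them on stop.`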