From: jow Date: Wed, 15 Sep 2010 02:57:50 +0000 (+0000) Subject: [packages] miniupnpd: rework firewall integration, should be much more robust now X-Git-Url: http://git.archive.openwrt.org/?a=commitdiff_plain;h=79db0b36c2cdb611dd99e4dfc0825b92e34cbf12;p=packages.git [packages] miniupnpd: rework firewall integration, should be much more robust now git-svn-id: svn://svn.openwrt.org/openwrt/packages@23065 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- diff --git a/net/miniupnpd/Makefile b/net/miniupnpd/Makefile index 586f39164..a82c65966 100644 --- a/net/miniupnpd/Makefile +++ b/net/miniupnpd/Makefile @@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=miniupnpd PKG_VERSION:=1.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MD5SUM:=ffa33d4ed8732c662bdb7d511e86db76 PKG_SOURCE_URL:=http://miniupnp.free.fr/files diff --git a/net/miniupnpd/files/miniupnpd.hotplug b/net/miniupnpd/files/miniupnpd.hotplug index dfd4e53e7..4dc56de4a 100644 --- a/net/miniupnpd/files/miniupnpd.hotplug +++ b/net/miniupnpd/files/miniupnpd.hotplug 
@@ -1,46 +1,50 @@ #!/bin/sh -/etc/init.d/miniupnpd enabled && { +miniupnpd_add_rules() { + local zone="$1" + local network="$2" + local iface="$3" - local state="${ZONE}_${INTERFACE}" - local extif initifs + miniupnpd_remove_rules - config_load upnpd - config_get extif config external_iface + logger -t miniupnpd "adding firewall rules for $iface to zone $zone" - if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "$extif" ]; then + iptables -t nat -N MINIUPNPD 2>/dev/null + iptables -t nat -A zone_${zone}_prerouting -i $iface -j MINIUPNPD + iptables -t filter -N MINIUPNPD 2>/dev/null + iptables -t filter -A zone_${zone}_forward -i $iface ! -o $iface -j MINIUPNPD - local active - config_get active "$state" ifname - - [ -z "$active" ] && { - local ipaddr - config_get ipaddr "$extif" ipaddr - - logger -t "upnp" "adding $INTERFACE ($DEVICE - $ipaddr) to firewall" - - iptables -t nat -N MINIUPNPD 2>/dev/null - iptables -t nat -A prerouting_rule -i $DEVICE -d $ipaddr -j MINIUPNPD - iptables -t filter -N MINIUPNPD 2>/dev/null - iptables -t filter -A forwarding_rule -i $DEVICE ! -o $DEVICE -j MINIUPNPD - - uci_set_state upnpd "$state" "" "firewall" - uci_set_state upnpd "$state" ifname "$DEVICE" - uci_set_state upnpd "$state" ipaddr "$ipaddr" - } - - elif [ "$ACTION" = "remove" ] && [ "$INTERFACE" = "$extif" ]; then - - local ifname ipaddr - config_get ifname "$state" ifname - config_get ipaddr "$state" ipaddr - - [ -n "$ifname" ] && [ -n "$ipaddr" ] && { - logger -t "upnp" "removing $INTERFACE ($ifname - $ipaddr) from firewall" - iptables -t nat -D prerouting_rule -i $ifname -d $ipaddr -j MINIUPNPD - iptables -t filter -D forwarding_rule -i $DEVICE ! 
-o $DEVICE -j MINIUPNPD - uci_revert_state upnpd "$state" - } - fi + uci_set_state upnpd state "" state + uci_set_state upnpd state zone "$zone" + uci_set_state upnpd state ifname "$iface" + uci_set_state upnpd state network "$network" } +miniupnpd_remove_rules() { + local zone="$(uci_get_state upnpd state zone)" + local iface="$(uci_get_state upnpd state ifname)" + + [ -n "$zone" ] && [ -n "$iface" ] && { + logger -t miniupnpd "removing firewall rules for $iface from zone $zone" + + while iptables -t nat -D zone_${zone}_prerouting \ + -i $iface -j MINIUPNPD 2>/dev/null; do :; done + + while iptables -t filter -D zone_${zone}_forward \ + -i $iface ! -o $iface -j MINIUPNPD 2>/dev/null; do :; done + } + + uci_revert_state upnpd +} + +/etc/init.d/miniupnpd enabled && [ -n "`pidof miniupnpd`" ] && { + + local extif="$(uci_get upnpd config external_iface)" + local curif="$(uci_get_state upnpd state network)" + + if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "$extif" ]; then + miniupnpd_add_rules "$ZONE" "$INTERFACE" "$DEVICE" + elif [ "$ACTION" = "remove" ] && [ "$INTERFACE" = "$curif" ]; then + miniupnpd_remove_rules + fi +} diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init index 4705fc8fc..5f176f40e 100644 --- a/net/miniupnpd/files/miniupnpd.init +++ b/net/miniupnpd/files/miniupnpd.init @@ -2,6 +2,9 @@ START=95 start() { + type miniupnpd_add_rules >/dev/null 2>/dev/null || \ + ACTION=- . /etc/hotplug.d/firewall/50-miniupnpd + config_load "upnpd" local extiface intiface upload download logging secure enabled 
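Review bot: The nat jump inserted by miniupnpd_add_rules, `iptables -t nat -A zone_${zone}_prerouting -i $iface -j MINIUPNPD`, no longer carries the `-d $ipaddr` match that the removed prerouting_rule line had, so every packet entering on the external device is run through the MINIUPNPD DNAT chain whatever its destination address. Whether that actually widens what gets redirected depends on the rules miniupnpd installs inside that chain, which are not visible here; if dropping the address match is deliberate (it does remove the dependency on a possibly stale ipaddr), a one-line comment above the rule saying so would stop the next reader from re-adding it. Separately, miniupnpd_remove_rules guards on `[ -n "$zone" ] && [ -n "$iface" ]` but miniupnpd_add_rules does not, and it records the upnpd state section even when an iptables call fails; a matching guard at the top of add, `[ -n "$zone" ] && [ -n "$iface" ] || return 1`, plus `|| return 1` on the two `-A` calls before the `uci_set_state` lines, keeps the stored state consistent with what was really inserted. The iptables arguments also expand `$iface` and `${zone}` unquoted; DEVICE and ZONE come from the hotplug environment, so quoting them as `"$iface"` and `"zone_${zone}_prerouting"` costs nothing.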
@@ -48,41 +51,23 @@ start() { config_load firewall config_get zone core "${extiface:-wan}_zone" [ -n "$zone" ] && \ - ACTION="add" ZONE="$zone" INTERFACE="${extiface:-wan}" DEVICE="$ifname" \ - . /etc/hotplug.d/firewall/50-miniupnpd + miniupnpd_add_rules "$zone" "${extiface:-wan}" "$ifname" else logger -t "upnp daemon" "external interface not found, not starting" fi } -clear_rule() { - local state="$1" - local ifname ipaddr - - config_get ifname "$state" ifname - config_get ipaddr "$state" ipaddr - - [ -n "$ifname" ] && [ -n "$ipaddr" ] && { - iptables -t nat -D prerouting_rule -i $ifname -d $ipaddr -j MINIUPNPD - iptables -t filter -D forwarding_rule -i $ifname ! -o $ifname -j MINIUPNPD - uci_revert_state upnpd "$state" - unset "CONFIG_${state}_ifname" - unset "CONFIG_${state}_ipaddr" - } -} - stop() { start-stop-daemon -K -q -x miniupnpd -p /var/run/miniupnpd.pid rm -f /var/run/miniupnpd.pid - logger -t "upnp" "removing firewall rules" + type miniupnpd_remove_rules >/dev/null 2>/dev/null || \ + ACTION=- . /etc/hotplug.d/firewall/50-miniupnpd - config_load upnpd - config_foreach clear_rule firewall + miniupnpd_remove_rules iptables -t nat -F MINIUPNPD 2>/dev/null iptables -t nat -X MINIUPNPD 2>/dev/null iptables -t filter -F MINIUPNPD 2>/dev/null iptables -t filter -X MINIUPNPD 2>/dev/null } -
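Review bot: In stop() the `iptables -t nat -X MINIUPNPD 2>/dev/null` and filter `-X` calls hide their result, yet they can only succeed once miniupnpd_remove_rules has deleted the zone-chain jumps, which it does only when the upnpd state section still names a zone and ifname; if that state is missing, the chain stays referenced, `-X` fails silently, and the next start() appends a second jump because the remove call inside miniupnpd_add_rules finds nothing to delete. Logging the failure makes this visible, e.g. `iptables -t nat -X MINIUPNPD 2>/dev/null || logger -t "upnp" "MINIUPNPD nat chain still referenced, not deleted"`, and the same for the filter chain. Note also that `start-stop-daemon -K` without a retry option normally returns once the signal is delivered rather than once the process has exited, so the daemon may still be running while its rules are flushed and its chain deleted; this is pre-existing, and waiting for the pid to disappear before miniupnpd_remove_rules would narrow that window. The body of start() before the `config_load firewall` line lies outside this hunk.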