From e377fe51369fb010b5434e0e723ed3b373f27e9c Mon Sep 17 00:00:00 2001
From: Markus Stenberg
Date: Tue, 3 Jun 2014 11:10:01 +0300
Subject: [PATCH] miniupnpd: Various IPv6 related fixes to scripts (IPv6-only, multi-uplink, ..)

---
 miniupnpd/files/firewall.include | 40 +++++++++++-------------------
 miniupnpd/files/miniupnpd.defaults | 2 +-
 miniupnpd/files/miniupnpd.hotplug | 38 +++++++++++++++++++---------
 miniupnpd/files/miniupnpd.init | 1 +
 4 files changed, 42 insertions(+), 39 deletions(-)

diff --git a/miniupnpd/files/firewall.include b/miniupnpd/files/firewall.include
index bc108d5..5294c45 100644
--- a/miniupnpd/files/firewall.include
+++ b/miniupnpd/files/firewall.include
@@ -1,6 +1,14 @@
 #!/bin/sh
 # miniupnpd integration for firewall3
 
+# Note: Correct way to do this would be probably to use
+# /lib/functions/network.sh, and use network_find_wan{,6}, and then
+# network_get_device, then determine their zones using fw3 -q network
+# etc. However, network_find_wan* return only one device, and
+# frequently incorrect one if multiple ISPs are in use. So this
+# current ugly solution works, although perhaps makes holes where it
+# shouldn't (if so, do override it in e.g. firewall.user)
+
 IP6TABLES=/usr/sbin/ip6tables
 
 iptables -t filter -N MINIUPNPD 2>/dev/null
@@ -8,31 +16,11 @@
 iptables -t nat -N MINIUPNPD 2>/dev/null
 [ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
 
-. /lib/functions/network.sh
-
-add_extzone_rules() {
- local ext_zone=$1
+# IPv4 - due to NAT, need to add both to nat and filter table
+iptables -t filter -I delegate_forward 2 -j MINIUPNPD
+iptables -t nat -I delegate_prerouting 2 -j MINIUPNPD
 
- # IPv4 - due to NAT, need to add both to nat and filter table
- iptables -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
- iptables -t nat -I zone_${ext_zone}_prerouting -j MINIUPNPD
-
- # IPv6 if available - filter only
- [ -x $IP6TABLES ] && {
- $IP6TABLES -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
- }
+# IPv6 if available - filter only
+[ -x $IP6TABLES ] && {
+ $IP6TABLES -t filter -I delegate_forward 2 -j MINIUPNPD
 }
-
-network_find_wan wan_iface
-network_get_device wan_device $wan_iface
-
-for ext_zone in $(fw3 -q device "$wan_device"); do
- add_extzone_rules $ext_zone
-done
-
-for ext_iface in $(uci -q get upnpd.config.external_iface); do
- for ext_zone in $(fw3 -q network "$ext_iface"); do
- add_extzone_rules $ext_zone
- done
-done
-
diff --git a/miniupnpd/files/miniupnpd.defaults b/miniupnpd/files/miniupnpd.defaults
index c6bc19a..7271389 100644
--- a/miniupnpd/files/miniupnpd.defaults
+++ b/miniupnpd/files/miniupnpd.defaults
@@ -5,7 +5,7 @@ uci -q batch <<-EOT
 set firewall.miniupnpd=include
 set firewall.miniupnpd.type=script
 set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
- set firewall.miniupnpd.family=IPv4
+ set firewall.miniupnpd.family=any
 set firewall.miniupnpd.reload=1
 commit firewall
 EOT
diff --git a/miniupnpd/files/miniupnpd.hotplug b/miniupnpd/files/miniupnpd.hotplug
index 71a7f45..7ff363a 100644
--- a/miniupnpd/files/miniupnpd.hotplug
+++ b/miniupnpd/files/miniupnpd.hotplug
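Review bot: On a router without ip6tables the include now ends with the failing test `[ -x $IP6TABLES ] && { ... }`, so the script's exit status is 1 where the previous version ended with the `for ... done` loops and exited cleanly; a trailing `exit 0` after the closing `}`, or rewriting the group as `if [ -x "$IP6TABLES" ]; then ...; fi`, fixes that. The new `-I delegate_forward 2` and `-I delegate_prerouting 2` jumps hard-code rule position 2 in fw3's chains, so where the MINIUPNPD jump lands relative to fw3's own rules depends on a chain layout this file does not control; a comment naming the rule that position 2 is meant to follow would make that assumption reviewable. Because the jumps are no longer scoped to the WAN zone's `zone_*_forward`/`zone_*_prerouting` chains, the MINIUPNPD chain is now consulted for traffic from every zone, and the only thing keeping non-WAN traffic out is whatever matches miniupnpd itself puts on the rules in that chain; that is worth stating plainly in the header comment added in the first hunk rather than as "perhaps makes holes".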
@@ -1,14 +1,28 @@
 #!/bin/sh
 
-/etc/init.d/miniupnpd enabled && [ "$ACTION" = "ifup" ] && {
- local iface
- local ext_iface
-
- . /lib/functions/network.sh
- network_find_wan ext_iface
-
- for iface in $ext_iface $(uci_get upnpd config internal_iface; uci_get upnpd config external_iface); do
- [ "$INTERFACE" = "$iface" ] && /etc/init.d/miniupnpd restart
- exit 0
- done
-}
+if [ ! /etc/init.d/miniupnpd enabled ]
+then
+ exit 0
+fi
+
+. /lib/functions/service.sh
+
+# If miniupnpd is not running:
+# - check on _any_ event (even updates may contribute to network_find_wan*)
+# If miniupnpd _is_ running:
+# - check only on ifup
+
+[ ! "$ACTION" = "ifup" ] && service_check /usr/sbin/miniupnpd && exit 0
+
+local iface
+local ext_iface
+local ext_iface6
+
+. /lib/functions/network.sh
+network_find_wan ext_iface
+network_find_wan6 ext_iface6
+
+for iface in $ext_iface $ext_iface6 $(uci_get upnpd config internal_iface; uci_get upnpd config external_iface); do
+ [ "$INTERFACE" = "$iface" ] && /etc/init.d/miniupnpd restart
+ exit 0
+done
diff --git a/miniupnpd/files/miniupnpd.init b/miniupnpd/files/miniupnpd.init
index caa69ad..a109244 100644
--- a/miniupnpd/files/miniupnpd.init
+++ b/miniupnpd/files/miniupnpd.init
@@ -94,6 +94,7 @@ start() {
 local ifname
 [ -n "$extiface" ] || network_find_wan extiface
+ [ -n "$extiface" ] || network_find_wan6 extiface
 network_get_device ifname ${extiface}
-- 
2.30.2
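Review bot: `if [ ! /etc/init.d/miniupnpd enabled ]` never runs the init script: inside `[ ]` the words `/etc/init.d/miniupnpd` and `enabled` are string operands to `test`, not a command, so the guard is either a test error or a constant and the rest of the hotplug script runs whether or not the service is enabled; the intended check is `/etc/init.d/miniupnpd enabled || exit 0`. The `exit 0` inside the new `for iface ...; do` loop is reached on the first iteration regardless of the comparison, so only the first candidate (`$ext_iface`) is ever compared with `$INTERFACE`; moving `exit 0` after `done`, or making it `&& exit 0` on the restart line, lets the remaining interfaces be checked. The old body had the same loop-exit behaviour, but the rewrite keeps it on the new side, so it is worth fixing here. The `local iface` / `local ext_iface` / `local ext_iface6` lines are now at file scope outside any function, which some POSIX shells (dash, busybox ash) may reject; plain assignments would be safe everywhere.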