miniupnpd: Better document and reformat default upnpd UCI config file

Self-Hosting-Group · Self-Hosting-Group · commit 2da9f2ba31eb · 2025-01-06T00:00:00.000Z
and add (template) ACL entry for low ports (&lt;1024) denied by default,
current behaviour

Signed-off-by: Self Hosting Group &lt;selfhostinggroup-git+openwrt@shost.ing&gt;
diff --git a/net/miniupnpd/files/upnpd.config b/net/miniupnpd/files/upnpd.config
@@ -1,28 +1,39 @@
-config upnpd config
-	option enabled		0
-	option enable_pcp_pmp	1
-	option enable_upnp	1
-	option allow_third_party_mapping	0
-	option log_output	0
-	option download_kbps		100000
-	option upload_kbps		50000
-#by default, looked up dynamically from ubus
-#	option external_iface	wan
-	option internal_iface	lan
-	option port		5000
-	option upnp_lease_file	/var/run/miniupnpd.leases
-	option upnp_igd_compat		igdv1
+# UPnP IGD & PCP/NAT-PMP service configuration
+
+config upnpd 'config'
+	option enabled                    0
+	option enable_upnp                1
+	option enable_pcp_pmp             1
+	option upnp_igd_compat            igdv1
+	option download_kbps              100000
+	option upload_kbps                50000
+	option allow_third_party_mapping  0
+	# Multiple LAN interfaces can be specified, separated by a space
+	option internal_iface             'lan'
+	# By default, looked up dynamically from ubus
+	#option external_iface             wan
+	option ipv6_disable               0
+	option upnp_lease_file            /var/run/miniupnpd.leases
+
+# Service access control list configuration (IPv6 always allowed)
+
+config perm_rule
+	option action                     allow
+	option ext_ports                  1024-65535
+	option int_addr                   0.0.0.0/0
+	option int_ports                  1024-65535
+	option comment                    'Allow high ports'
 
 config perm_rule
-	option action		allow
-	option ext_ports	1024-65535
-	option int_addr		0.0.0.0/0	# Does not override secure_mode
-	option int_ports	1024-65535
-	option comment		"Allow high ports"
+	option action                     deny
+	option ext_ports                  1-1023
+	option int_addr                   0.0.0.0/0
+	option int_ports                  1-1023
+	option comment                    'Low ports'
 
 config perm_rule
-	option action		deny
-	option ext_ports	0-65535
-	option int_addr		0.0.0.0/0
-	option int_ports	0-65535
-	option comment		"Default deny"
+	option action                     deny
+	option ext_ports                  1-65535
+	option int_addr                   0.0.0.0/0
+	option int_ports                  1-65535
+	option comment                    'Deny by default'
