
Commit cfbf68e

miniupnpd: Better document and reformat default upnpd UCI config file
and add a (template) ACL entry for low ports (<1024), denied by default, matching the current behaviour. Signed-off-by: Self Hosting Group <[email protected]>
1 parent 0e5ec71 commit cfbf68e

2 files changed

+105
-1
lines changed


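--- a/net/miniupnpd/Makefile
+++ b/net/miniupnpd/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=miniupnpd
 PKG_VERSION:=2.3.7
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=https://miniupnp.tuxfamily.org/files
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
@@ -94,8 +94,10 @@ define Package/miniupnpd/install/Default
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+$(INSTALL_DIR) $(1)/etc/uci-defaults
 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/miniupnpd $(1)/usr/sbin/miniupnpd
 $(INSTALL_BIN) ./files/miniupnpd.init $(1)/etc/init.d/miniupnpd
+$(INSTALL_BIN) ./files/upnpd-migration.uci-defaults $(1)/etc/uci-defaults/98-miniupnpd
 $(INSTALL_CONF) ./files/upnpd.config $(1)/etc/config/upnpd
 $(INSTALL_DATA) ./files/miniupnpd.hotplug $(1)/etc/hotplug.d/iface/50-miniupnpd
 endef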
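--- /dev/null
+++ b/net/miniupnpd/files/upnpd-migration.uci-defaults
@@ -0,0 +1,102 @@
+#!/bin/sh
+
+# Remove clean_ruleset_interval and clean_ruleset_threshold as not working
+uci -q batch 2>/dev/null <<-EOF
+delete upnpd.config.clean_ruleset_interval
+delete upnpd.config.clean_ruleset_threshold
+commit upnpd
+EOF
+
+# Rename enable_natpmp to enable_pcp_pmp as upstream
+enable_pcp_pmp="$(uci get upnpd.config.enable_natpmp 2>/dev/null || echo 1)"
+uci -q batch 2>/dev/null <<-EOF
+set upnpd.config.enable_pcp_pmp="$enable_pcp_pmp"
+delete upnpd.config.enable_natpmp
+commit upnpd
+EOF
+
+# Convert download/upload to kbit/s and rename to download_kbps/upload_kbps and update defaults
+download="$(uci get upnpd.config.download 2>/dev/null || echo 1024)"
+upload="$(uci get upnpd.config.upload 2>/dev/null || echo 512)"
+if [ "$download" = "1024" ] && [ "$upload" = "512" ]; then
+download_kbps=100000
+upload_kbps=50000
+else
+download_kbps="$((download * 8 * 1000 / 1024))"
+upload_kbps="$((upload * 8 * 1000 / 1024))"
+fi
+uci -q batch 2>/dev/null <<-EOF
+set upnpd.config.download_kbps="$download_kbps"
+set upnpd.config.upload_kbps="$upload_kbps"
+delete upnpd.config.download
+delete upnpd.config.upload
+commit upnpd
+EOF
+
+# Convert igdv1 boolean to upnp_igd_compat string with value igdv1
+if [ "$(uci get upnpd.config.igdv1 2>/dev/null || echo 1)" = "1" ]; then
+upnp_igd_compat=igdv1
+else
+upnp_igd_compat=igdv2
+fi
+uci -q batch 2>/dev/null <<-EOF
+set upnpd.config.upnp_igd_compat="$upnp_igd_compat"
+delete upnpd.config.igdv1
+commit upnpd
+EOF
+
+# Rename and invert secure_mode to allow_third_party_mapping
+if [ "$(uci get upnpd.config.secure_mode 2>/dev/null)" = "0" ]; then
+allow_third_party_mapping=1
+else
+allow_third_party_mapping=0
+fi
+uci -q batch 2>/dev/null <<-EOF
+set upnpd.config.allow_third_party_mapping="$allow_third_party_mapping"
+delete upnpd.config.secure_mode
+commit upnpd
+EOF
+
+# Remove port if UCI default
+if [ "$(uci get upnpd.config.port 2>/dev/null)" = "5000" ]; then
+uci -q batch 2>/dev/null <<-EOF
+delete upnpd.config.port
+commit upnpd
+EOF
+fi
+
+# Update access control list defaults
+if [ "$(uci get upnpd.@perm_rule[0].action)" = "allow" ] &&
+[ "$(uci get upnpd.@perm_rule[0].ext_ports)" = "1024-65535" ] &&
+[ "$(uci get upnpd.@perm_rule[0].int_addr)" = "0.0.0.0/0" ] &&
+[ "$(uci get upnpd.@perm_rule[0].int_ports)" = "1024-65535" ] &&
+[ "$(uci get upnpd.@perm_rule[1].action)" = "deny" ] &&
+[ "$(uci get upnpd.@perm_rule[1].ext_ports)" = "0-65535" ] &&
+[ "$(uci get upnpd.@perm_rule[1].int_addr)" = "0.0.0.0/0" ] &&
+[ "$(uci get upnpd.@perm_rule[1].int_ports)" = "0-65535" ] &&
+[ "$(uci get upnpd.@perm_rule[2] 2>/dev/null)" != "perm_rule" ]; then
+uci -q batch 2>/dev/null <<-EOF
+set upnpd.@perm_rule[0]=perm_rule
+set upnpd.@perm_rule[0].action='allow'
+set upnpd.@perm_rule[0].ext_ports='1024-65535'
+set upnpd.@perm_rule[0].int_addr='0.0.0.0/0'
+set upnpd.@perm_rule[0].int_ports='1024-65535'
+set upnpd.@perm_rule[0].comment='Allow high ports'
+set upnpd.@perm_rule[1]=perm_rule
+set upnpd.@perm_rule[1].action='deny'
+set upnpd.@perm_rule[1].ext_ports='1-1023'
+set upnpd.@perm_rule[1].int_addr='0.0.0.0/0'
+set upnpd.@perm_rule[1].int_ports='1-1023'
+set upnpd.@perm_rule[1].comment='Low ports'
+add upnpd perm_rule
+set upnpd.@perm_rule[2]=perm_rule
+set upnpd.@perm_rule[2].action='deny'
+set upnpd.@perm_rule[2].ext_ports='1-65535'
+set upnpd.@perm_rule[2].int_addr='0.0.0.0/0'
+set upnpd.@perm_rule[2].int_ports='1-65535'
+set upnpd.@perm_rule[2].comment='Deny by default'
+commit upnpd
+EOF
+fi
+
+exit 0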
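Review bot: The final catch-all rule written as `set upnpd.@perm_rule[2].ext_ports='1-65535'` and `set upnpd.@perm_rule[2].int_ports='1-65535'` covers less than the rule it replaces, whose ranges were `0-65535` (the exact values the condition above matches on `@perm_rule[1]`). A mapping request for port 0 therefore no longer hits any explicit deny and falls through to whatever miniupnpd does when no permission rule matches — which, as far as I recall, is to allow — so the 'Deny by default' comment overstates what this rule guarantees. Keeping the replaced range, `set upnpd.@perm_rule[2].ext_ports='0-65535'` and `set upnpd.@perm_rule[2].int_ports='0-65535'`, preserves the "current behaviour" the commit message claims; the same consideration applies to the 'Low ports' rule if port 0 is meant to count as low. Separately, `download_kbps="$((download * 8 * 1000 / 1024))"` produces fewer kbit/s than `download * 8`; whether that is correct depends on whether the old option was KiB/s or kB/s, which this script does not show, so it is worth checking against the conversion the old init script applied.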
