Add 'upnpclient' interface option

2024-11-08 00:34:04 +01:00 · 2009-06-15 13:34:35 -07:00 · 2009-06-15 13:34:35 -07:00 · abe07c9fae
commit abe07c9fae
parent b6410902a0
7 changed files with 48 additions and 3 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -770,7 +770,7 @@ sub use_input_chain($) {
    #
    # We must use the interfaces's chain if the interface is associated with multiple zone nets
    #    
-    return 1 if $nets > 1;
+    return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
    #
    # Don't need it if it isn't associated with any zone
    #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -605,6 +605,8 @@ sub add_common_rules() {
    }

    if ( $family == F_IPV4 ) {
+	my $announced = 0;
+
 	$list = find_interfaces_by_option 'upnp';

 	if ( @$list ) {
@ -612,10 +614,28 @@ sub add_common_rules() {

 	    new_nat_chain( 'UPnP' );

+	    $announced = 1;
+
 	    for $interface ( @$list ) {
 		add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
 	    }
 	}
+
+	$list = find_interfaces_by_option 'upnpclient';
+
+	if ( @$list ) {
+	    progress_message2 "$doing UPnP" unless $announced;
+
+	    for $interface ( @$list ) {
+		my $chainref = $filter_table->{input_chain $interface};
+		my $base     = uc chain_base $interface;
+		my $variable = get_interface_gateway $interface;
+
+		add_command $chainref, qq(if [ -n "\$${base}_IS_UP" -a -n "$variable" ]; then);
+		add_command $chainref, qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3);
+		add_command $chainref, qq(fi);
+	    }
+	}
    }

    setup_syn_flood_chains;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -210,6 +210,7 @@ sub initialize( $ ) {
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
+				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@ -821,7 +821,7 @@ detect_dynamic_gateway() { # $1 = interface
    fi

    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway; return 0; done)
+	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi

    [ -n "$gateway" ] && echo $gateway
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -12,6 +12,8 @@ Changes in Shorewall 4.4.0-Beta2

 4)  Delete the 'continue' file from the Shorewall package.

+5)  Add 'upnpclient' interface option.
+
 Changes in Shorewall 4.4.0-Beta1

 1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -130,7 +130,15 @@ None.
                N E W   F E A T U R E S   I N   4 . 4 . 0 Beta 2
 ----------------------------------------------------------------------------

-None.
+1)  A 'upnpclient' option has been added to
+    /etc/shorewall/interfaces. This option is intended for laptop users
+    who always run Shorewall on their system yet need to run
+    UPnP-enabled client apps such as Transmission (BitTorrent client).
+
+    The option causes Shorewall to detect the default gateway through
+    the interface and to accept UDP packets from that gateway. Note
+    that, like all aspects of UPnP, this is a security hole so use this
+    option at your own risk.

 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   IN   4 . 4
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@ -540,6 +540,20 @@ loc     eth2            -</programlisting>
                url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">upnpclient</emphasis></term>
+
+              <listitem>
+                <para>This option is intended for laptop users who always run
+                Shorewall on their system yet need to run UPnP-enabled client
+                apps such as Transmission (BitTorrent client). The option
+                causes Shorewall to detect the default gateway through the
+                interface and to accept UDP packets from that gateway. Note
+                that, like all aspects of UPnP, this is a security hole so use
+                this option at your own risk. </para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>