Add UPnP support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2031 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/actions.std

@@ -12,6 +12,10 @@
 #                       #conntrack state.
 #    allowInvalid	#Accept packets that are in the INVALID
 #			#conntrack state.
+#    allowoutUPnP       #Allow traffic from local command 'upnpd'
+#    allowinUPnP        #Allow UPnP inbound (to firewall) traffic
+#    forwardUPnP	#Allow traffic that upnpd has redirected from
+#			#'upnp' interfaces.
 #
 #ACTION
 

Shorewall2/changelog.txt

@@ -1,3 +1,7 @@
+Changes in 2.2.4
+
+1) Added support for UPnP
+
 Changes in 2.2.3
 
 1) Added the 'continue' extension script.

Shorewall2/firewall

@@ -937,7 +937,7 @@ validate_interfaces_file() {
 
 	for option in $options; do
 	    case $option in
-		dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
+		dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
 		    ;;
 		detectnets)
 		    [ -n "$wildcard" ] && \
@@ -3473,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1() {
 	
-    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
+    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
+    
     USEDACTIONS=
 
     strip_file actions
@@ -3544,6 +3545,15 @@ process_actions1() {
 
 process_actions2() {
 
+    local interfaces="$(find_interfaces_by_option upnp)"
+
+    if [ -n "$interfaces" ]; then
+	if ! list_search forwardUPnP $USEDACTIONS; then
+	    error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
+	    USEDACTIONS="$USEDACTIONS forwardUPnP"
+	fi
+    fi
+
     progress_message "   Generating Transitive Closure of Used-action List..."
 
     changed=Yes
@@ -3695,6 +3705,26 @@ process_actions3() {
 		    run_iptables -A $xchain -m state --state INVALID -j ACCEPT
 		fi
 		;;
+	    forwardUPnP)
+		;;
+	    allowinUPnP)
+		if [ "$COMMAND" != check ]; then
+		    if [ -n "$xlevel" ]; then
+			log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
+			log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
+		    fi
+
+		    run_iptables -A $xchain -p udp --dport 1900  -j ACCEPT
+		    run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
+		fi
+		;;
+	    allowoutUPnP)
+		if [ "$COMMAND" != check ]; then
+		    [ -n "$xlevel" ] && \
+			log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
+		    run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
+		fi
+		;;
 	    *)
 		#
 		# Not a builtin
@@ -6290,6 +6320,20 @@ add_common_rules() {
 	    run_iptables -A OUTPUT -o $interface        -j $(dynamic_out $interface)
 	done
     fi
+    #
+    # UPnP
+    #
+    interfaces=$(find_interfaces_by_option upnp)
+
+    if [ -n "$interfaces" ]; then
+	echo "Setting up UPnP..."
+
+	createnatchain UPnP
+	
+	for interface in $interfaces; do
+	    run_iptables -t nat -A PREROUTING -i $interface -j UPnP
+	done
+    fi
 
     setup_forwarding
 }
@@ -6387,7 +6431,9 @@ activate_rules()
     # are inserted before jumps to one-to-one NAT chains.
     #
     addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
-    {
+    {    interfaces=$(find_interfaces_by_option upnp)
+
+
 	local sourcechain=$1 destchain=$2
 	shift
 	shift
@@ -6402,7 +6448,7 @@ activate_rules()
 
 	fi
     }    
-
+    
     #
     # Add jumps to early SNAT chains
     #
@@ -6697,6 +6743,7 @@ define_firewall() # $1 = Command (Start or Restart)
 
     echo "Initializing...";                    initialize_netfilter
     echo "Configuring Proxy ARP";              setup_proxy_arp
+
     echo "Setting up NAT...";                  setup_nat
     echo "Setting up NETMAP...";               setup_netmap
     echo "Adding Common Rules";                add_common_rules

Shorewall2/interfaces

@@ -167,6 +167,8 @@
 #			detectnets   - Automatically taylors the zone named
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
+#			upnp         - Incoming requests from this interface may
+#				       be remapped via UPNP (upnpd).
 #
 #		        WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 #			         INTERNET INTERFACE.

Shorewall2/releasenotes.txt

@@ -1,4 +1,67 @@
-Shorewall 2.2.3
+Shorewall 2.2.4
+
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.4
+
+None.
+
+-----------------------------------------------------------------------
+New Features in version 2.2.4
+
+1) Support has been added for UPnP using linux-igd
+   (http://linux-idg.sourceforge.net). UPnP is required by a number of
+   popular applications including MSN IM.
+
+   WARNING: From a security architecture viewpoint, UPnP is a
+	    disaster. It assumes that:
+
+	    a) All local systems and their users are complete
+	       trustworthy.
+
+	    b) No local system is infected with any worm or trojan.
+
+	    If either of these assumptions are not true then UPnP can
+	    be used to totally defeat you firewall and to allow
+	    incoming connections to arbitrary local systems on any port
+	    whatsoever. 
+
+	    In short: USE UPnP AT YOUR OWN RISK.
+
+   WARNING: Building and installing linux-igd is not for the faint of
+	    heart. You must download the source from the CVS and be
+	    prepared to do quite a bit of fiddling with the include
+	    files from libupnp (which is required to build and/or run
+	    linux-igd).
+
+   linux-idg Configuration:
+
+	     In /etc/upnpd.conf, you will want:
+
+		insert_forward_rules = yes
+		prerouting_chain_name = UPnP
+		forward_chain_name = forwardUPnP
+
+   Shorewall Configuration:
+
+	     In /etc/shorewall/interfaces, you need the 'upnp' option
+	     on your external interface.
+
+	     If your fw->loc policy is not ACCEPT then you need this
+	     rule:
+
+	     allowoutUPnP	fw	loc
+
+	     If your loc->fw policy is not ACCEPT then you need this
+	     rule:
+
+	     allowinUPnP	loc	fw
+
+	     You MUST have this rule:
+
+	     forwardUPnP	net	loc
+
+   You must also ensure that you have a route to 224.0.0.0/4 on your
+   internal (local) interface.
 
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.3