Add IPv6 UPnP Support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-05-31 15:05:39 +02:00 · 2017-03-24 09:54:36 -07:00 · 2017-03-24 09:54:36 -07:00 · d2392c3a9b
commit d2392c3a9b
parent 0763b27b0b
9 changed files with 71 additions and 38 deletions
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@ -1213,7 +1213,6 @@ sub add_common_rules ( $ ) {
 	}
    }

-    if ( $family == F_IPV4 ) {
    my $announced = 0;

    $list = find_interfaces_by_option 'upnp';
@ -1264,7 +1263,6 @@ sub add_common_rules ( $ ) {
 	    }
 	}
    }
-    }

    setup_syn_flood_chains;

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -407,6 +407,8 @@ sub initialize( $$ ) {
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
+				    upnp        => SIMPLE_IF_OPTION,
+				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -189,6 +189,8 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@ -27,6 +27,7 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
+forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
             state=INVALID
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -1555,6 +1555,28 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
        role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis