diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 1042a8921..b324e4990 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1213,55 +1213,53 @@ sub add_common_rules ( $ ) {
}
}
- if ( $family == F_IPV4 ) {
- my $announced = 0;
+ my $announced = 0;
- $list = find_interfaces_by_option 'upnp';
+ $list = find_interfaces_by_option 'upnp';
- if ( @$list ) {
- progress_message2 "$doing UPnP";
+ if ( @$list ) {
+ progress_message2 "$doing UPnP";
- $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+ $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
- add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+ add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
- my $chainref1;
+ my $chainref1;
- if ( $config{MINIUPNPD} ) {
- $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE );
- add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
- }
-
- $announced = 1;
-
- for $interface ( @$list ) {
- add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
- add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1;
- }
+ if ( $config{MINIUPNPD} ) {
+ $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE );
+ add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
}
- $list = find_interfaces_by_option 'upnpclient';
+ $announced = 1;
- if ( @$list ) {
- progress_message2 "$doing UPnP" unless $announced;
+ for $interface ( @$list ) {
+ add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+ add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1;
+ }
+ }
- for $interface ( @$list ) {
- my $chainref = $filter_table->{input_option_chain $interface};
- my $base = uc var_base get_physical $interface;
- my $optional = interface_is_optional( $interface );
- my $variable = get_interface_gateway( $interface, ! $optional );
- my $origin = get_interface_origin( $interface );
+ $list = find_interfaces_by_option 'upnpclient';
- if ( $optional ) {
- add_commands( $chainref,
- qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
- incr_cmd_level( $chainref );
- add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
- decr_cmd_level( $chainref );
- add_commands( $chainref, 'fi' );
- } else {
- add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
- }
+ if ( @$list ) {
+ progress_message2 "$doing UPnP" unless $announced;
+
+ for $interface ( @$list ) {
+ my $chainref = $filter_table->{input_option_chain $interface};
+ my $base = uc var_base get_physical $interface;
+ my $optional = interface_is_optional( $interface );
+ my $variable = get_interface_gateway( $interface, ! $optional );
+ my $origin = get_interface_origin( $interface );
+
+ if ( $optional ) {
+ add_commands( $chainref,
+ qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+ incr_cmd_level( $chainref );
+ add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'fi' );
+ } else {
+ add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
}
}
}
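Review bot: The `upnpclient` rule on the new side (`add_ijump_extended( $chainref, j => 'ACCEPT', ..., s => $variable, p => 'udp' )`) accepts every UDP packet whose source is the interface's gateway address, with no port or conntrack-state match, and dropping the `$family == F_IPV4` guard now applies it to IPv6 as well. A source address is all that separates this from an open UDP input path, so the breadth deserves an explicit comment above the loop, e.g. `# upnpclient: ACCEPT all UDP from the detected gateway (no port match); now emitted for both address families`. It is also worth confirming that `get_interface_gateway` returns an address usable in an `s =>` match for IPv6, which cannot be seen from this hunk. Separately, the test path `/${VARDIR}/.UPnP` carries a leading slash that the following `cat ${VARDIR}/.UPnP` does not, and the two should be spelled the same way. `add_common_rules` begins and ends outside the hunk.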
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 162fc1a93..990ebf0c8 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -407,6 +407,8 @@ sub initialize( $$ ) {
forward => BINARY_IF_OPTION,
physical => STRING_IF_OPTION + IF_OPTION_HOST,
unmanaged => SIMPLE_IF_OPTION,
+ upnp => SIMPLE_IF_OPTION,
+ upnpclient => SIMPLE_IF_OPTION,
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
);
%validhostoptions = (
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 76fe425ac..b4027d32f 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
+MINIUPNPD=No
+
MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 96734a606..c516344d2 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -189,6 +189,8 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
+MINIUPNPD=No
+
MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index a64c02fe6..e69cb0957 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
+MINIUPNPD=No
+
MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 47cfb021b..8c6682474 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
+MINIUPNPD=No
+
MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index e481fca77..69ea468da 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -27,6 +27,7 @@ DropDNSrep inline # Drops DNS replies
DropSmurfs noinline # Handles packets with a broadcast source address
Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED
+forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
state=INVALID
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 1cc72fcfd..b541bcb57 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
+MINIUPNPD=No
+
MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index aadbb886e..751e39f69 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1555,6 +1555,28 @@ LOG:info:,bar net fw
+
+ MINIUPNPD=[Yes|No]
+
+
+ Added in Shorewall 5.1.4. If set to Yes, Shorewall will create
+ a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+ jumps from POSTROUTING to that chain for each interface with the
+ option specified. Default is No.
+
+
+
+
+ MARK_IN_FORWARD_CHAIN=[Yes|No]
+
+
+
+
+
+
MODULE_SUFFIX=["extension ...