miniupnpd: update to 2.2.2

- refresh patches

release/src-rt-6.x.4708/router/miniupnpd/Changelog.txt

@@ -1,4 +1,17 @@
-$Id: Changelog.txt,v 1.472 2020/10/31 09:16:14 nanard Exp $
+$Id: Changelog.txt,v 1.476 2021/05/11 22:36:16 nanard Exp $
+
+2021/04/22:
+  Add SO_REUSEPORT option for SSDP receive sockets
+
+2021/03/31:
+  GetExternalIPAddress returns empty string when the External IP address can
+    not be retrieved.
+
+2021/02/26:
+  iptables_removeall.sh: fix the cleanup of PREROUTING mangle chain
+
+VERSION 2.2.1 : released on 2020/12/20
+ (only minor build corrections)
 
 VERSION 2.2.0 : released on 2020/10/31
 

release/src-rt-6.x.4708/router/miniupnpd/INSTALL

@@ -1,12 +1,12 @@
 MiniUPnP project.
-(c) 2006-2020 Thomas Bernard
+(c) 2006-2021 Thomas Bernard
 Homepage : http://miniupnp.free.fr/
 Mirror: https://miniupnp.tuxfamily.org/
 github: https://github.com/miniupnp/miniupnp
 
-miniupnpd is still under developpement. This documentation is
-likely to be a little outdated when you read it. So please go on the
-web forum https://miniupnp.tuxfamily.org/ if you need more information.
+If you find some outdated information in this documentation, please fix
+or report the issue on https://github.com/miniupnp/miniupnp or the web
+forum https://miniupnp.tuxfamily.org/
 
 ================================ *BSD/pf =================================
 To Build and Install :
@@ -114,15 +114,12 @@ How to get libiptc with its headers on debian :
 
 ======================== Linux/netfilter nftables =========================
 
-work is in progress.
 install the required development libraries. For debian :
  > apt-get install libnftnl-dev libmnl-dev
 
 To build :
  > ./configure --firewall=nftables
  > make
-(first clean any old config if you built the netfilter/iptables version
-previoulsy)
 
 see :
 https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=4370
@@ -215,4 +212,4 @@ SIGPIPE: Ignore
 
 There is code to detect change in network interfaces bsd/ifacewatcher.c and
 linux/ifacewatcher.c, but if that code doesn't work for you, you may want to
-send SIGUSR1 to miniupnpd if you public IP address changed.
+send SIGUSR1 to miniupnpd if your public IP address changed.

release/src-rt-6.x.4708/router/miniupnpd/VERSION

@@ -1 +1 @@
-2.2.1
+2.2.2

release/src-rt-6.x.4708/router/miniupnpd/minissdp.c

@@ -1,8 +1,8 @@
-/* $Id: minissdp.c,v 1.101 2020/06/06 17:56:17 nanard Exp $ */
+/* $Id: minissdp.c,v 1.102 2021/05/11 22:36:20 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
  * MiniUPnP project
  * http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
- * (c) 2006-2020 Thomas Bernard
+ * (c) 2006-2021 Thomas Bernard
  * This software is subject to the conditions detailed
  * in the LICENCE file provided within the distribution */
 
@@ -197,6 +197,10 @@ OpenAndConfSSDPReceiveSocket(int ipv6)
 	{
 		syslog(LOG_WARNING, "setsockopt(udp, SO_REUSEADDR): %m");
 	}
+	if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) < 0)
+	{
+		syslog(LOG_WARNING, "setsockopt(udp, SO_REUSEPORT): %m");
+	}
 #ifdef IP_RECVIF
 	/* BSD */
 	if(!ipv6) {

release/src-rt-6.x.4708/router/miniupnpd/miniupnpd.c

@@ -1,8 +1,8 @@
-/* $Id: miniupnpd.c,v 1.248 2020/10/30 21:31:08 nanard Exp $ */
+/* $Id: miniupnpd.c,v 1.249 2021/05/11 21:51:05 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
  * MiniUPnP project
  * http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
- * (c) 2006-2020 Thomas Bernard
+ * (c) 2006-2021 Thomas Bernard
  * This software is subject to the conditions detailed
  * in the LICENCE file provided within the distribution */
 
@@ -799,7 +799,7 @@ sigusr1(int sig)
 #if 0
 	/* calling syslog() is forbidden in signal handler according to
 	 * signal(3) */
-	syslog(LOG_INFO, "received signal %d, public ip address change", sig);
+	syslog(LOG_INFO, "received signal %d, public IP address change", sig);
 #endif
 
 	should_send_public_address_change_notif = 1;
@@ -905,7 +905,7 @@ struct runtime_vars {
 /* parselanaddr()
  * parse address with mask
  * ex: 192.168.1.1/24 or 192.168.1.1/255.255.255.0
- * When MULTIPLE_EXTERNAL_IP is enabled, the ip address of the
+ * When MULTIPLE_EXTERNAL_IP is enabled, the IP address of the
  * external interface associated with the lan subnet follows.
  * ex : 192.168.1.1/24 81.21.41.11
  *
@@ -953,6 +953,13 @@ parselanaddr(struct lan_addr_s * lan_addr, const char * str)
 		if(!inet_aton(lan_addr->str, &lan_addr->addr))
 			goto parselan_error;
 	}
+	if(!addr_is_reserved(&lan_addr->addr)) {
+		fprintf(stderr, "Error: LAN address contains public IP address : %s\n", lan_addr->str);
+		fprintf(stderr, "Public IP address can be configured via ext_ip= option\n");
+		fprintf(stderr, "LAN address should contain private address, e.g. from 192.168. block\n");
+		fprintf(stderr, "Listening on public IP address is a security issue\n");
+		return -1;
+	}
 	if(*p == '/')
 	{
 		const char * q = ++p;
@@ -990,7 +997,7 @@ parselanaddr(struct lan_addr_s * lan_addr, const char * str)
 	while(*p && isspace(*p))
 		p++;
 	if(*p) {
-		/* parse the exteral ip address to associate with this subnet */
+		/* parse the exteral IP address to associate with this subnet */
 		n = 0;
 		while(p[n] && !isspace(*p))
 			n++;
@@ -1090,11 +1097,20 @@ int update_ext_ip_addr_from_stun(int init)
 
 	if ((init || disable_port_forwarding) && !restrictive_nat) {
 		if (addr_is_reserved(&if_addr))
-			syslog(LOG_INFO, "STUN: ext interface %s with IP address %s is now behind unrestricted NAT 1:1 with public IP address %s: Port forwarding is now enabled", ext_if_name, if_addr_str, ext_addr_str);
+			syslog(LOG_INFO, "STUN: ext interface %s with IP address %s is now behind unrestricted full-cone NAT 1:1 with public IP address %s and firewall does not block incoming connections set by miniunnpd", ext_if_name, if_addr_str, ext_addr_str);
 		else
-			syslog(LOG_INFO, "STUN: ext interface %s has now public IP address %s: Port forwarding is now enabled", ext_if_name, if_addr_str);
+			syslog(LOG_INFO, "STUN: ext interface %s has now public IP address %s and firewall does not block incoming connections set by miniunnpd", ext_if_name, if_addr_str);
+		syslog(LOG_INFO, "Port forwarding is now enabled");
 	} else if ((init || !disable_port_forwarding) && restrictive_nat) {
-		syslog(LOG_WARNING, "STUN: ext interface %s with IP address %s is now behind restrictive NAT with public IP address %s: Port forwarding is now impossible", ext_if_name, if_addr_str, ext_addr_str);
+		if (addr_is_reserved(&if_addr)) {
+			syslog(LOG_WARNING, "STUN: ext interface %s with private IP address %s is now behind restrictive or symmetric NAT with public IP address %s which does not support port forwarding", ext_if_name, if_addr_str, ext_addr_str);
+			syslog(LOG_WARNING, "NAT on upstream router blocks incoming connections set by miniupnpd");
+			syslog(LOG_WARNING, "Turn off NAT on upstream router or change it to full-cone NAT 1:1 type");
+		} else {
+			syslog(LOG_WARNING, "STUN: ext interface %s has now public IP address %s but firewall filters incoming connections set by miniunnpd", ext_if_name, if_addr_str);
+			syslog(LOG_WARNING, "Check configuration of firewall on local machine and also on upstream router");
+		}
+		syslog(LOG_WARNING, "Port forwarding is now disabled");
 	} else {
 		syslog(LOG_INFO, "STUN: ... done");
 	}
@@ -2178,6 +2194,7 @@ main(int argc, char * * argv)
 			syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
 			syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
 			syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
+			syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
 			disable_port_forwarding = 1;
 		}
 	}
@@ -2449,6 +2466,8 @@ main(int argc, char * * argv)
 					} else if (!disable_port_forwarding && reserved) {
 						syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
 						syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
+						syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
+						syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
 					}
 					disable_port_forwarding = reserved;
 				}

release/src-rt-6.x.4708/router/miniupnpd/miniupnpd.conf

@@ -11,7 +11,7 @@
 #ext_ip=
 # WAN interface must have public IP address. Otherwise it is behind NAT
 # and port forwarding is impossible. In some cases WAN interface can be
-# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and
+# behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
 # routed to WAN interfaces without any filtering. In this cases miniupnpd
 # needs to know public IP address and it can be learnt by asking external
 # server via STUN protocol. Following option enable retrieving external

release/src-rt-6.x.4708/router/miniupnpd/netfilter/iptables_removeall.sh

@@ -1,5 +1,5 @@
 #! /bin/sh
-# $Id: iptables_removeall.sh,v 1.11 2018/04/06 10:17:09 nanard Exp $
+# $Id: iptables_removeall.sh,v 1.12 2021/05/11 21:55:36 nanard Exp $
 
 EXT=1
 . $(dirname "$0")/miniupnpd_functions.sh
@@ -18,7 +18,7 @@ fi
 #removing the MINIUPNPD chain for mangle
 if [ "$MDIRTY" = "${CHAIN}Chain" ]; then
 	$IPTABLES -t mangle -F $CHAIN
-	$IPTABLES -t mangle -D FORWARD -i $EXTIF -j $CHAIN
+	$IPTABLES -t mangle -D PREROUTING -i $EXTIF -j $CHAIN
 	$IPTABLES -t mangle -X $CHAIN
 elif [ "$MDIRTY" = "Chain" ]; then
 	$IPTABLES -t mangle -F $CHAIN

release/src-rt-6.x.4708/router/miniupnpd/upnpsoap.c

@@ -1,8 +1,8 @@
-/* $Id: upnpsoap.c,v 1.160 2020/10/30 21:37:33 nanard Exp $ */
+/* $Id: upnpsoap.c,v 1.161 2021/05/11 21:54:18 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
  * MiniUPnP project
  * http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
- * (c) 2006-2020 Thomas Bernard
+ * (c) 2006-2021 Thomas Bernard
  * This software is subject to the conditions detailed
  * in the LICENCE file provided within the distribution */
 
@@ -345,15 +345,15 @@ GetExternalIPAddress(struct upnphttp * h, const char * action, const char * ns)
 		{
 			syslog(LOG_ERR, "Failed to get ip address for interface %s",
 				ext_if_name);
-			strncpy(ext_ip_addr, "0.0.0.0", INET_ADDRSTRLEN);
+			ext_ip_addr[0] = '\0';
 		} else if (addr_is_reserved(&addr)) {
 			syslog(LOG_NOTICE, "private/reserved address %s is not suitable for external IP", ext_ip_addr);
-			strncpy(ext_ip_addr, "0.0.0.0", INET_ADDRSTRLEN);
+			ext_ip_addr[0] = '\0';
 		}
 	}
 #else
 	struct lan_addr_s * lan_addr;
-	strncpy(ext_ip_addr, "0.0.0.0", INET_ADDRSTRLEN);
+	ext_ip_addr[0] = '\0';
 	for(lan_addr = lan_addrs.lh_first; lan_addr != NULL; lan_addr = lan_addr->list.le_next)
 	{
 		if( (h->clientaddr.s_addr & lan_addr->mask.s_addr)
@@ -364,11 +364,17 @@ GetExternalIPAddress(struct upnphttp * h, const char * action, const char * ns)
 		}
 	}
 #endif
+	/* WANIPConnection:2 Service 2.3.13 :
+	 * When the external IP address could not be retrieved by the gateway
+	 * (for example, because the interface is down or because there was a
+	 * failure in the last connection setup attempt),
+	 * then the ExternalIPAddress MUST be equal to the empty string.
+	 *
+	 * There is no precise requirement on how theses cases must be handled
+	 * in IGDv1 specifications, but ExternalIPAddress default value is empty
+	 * string. */
 	if (strcmp(ext_ip_addr, "0.0.0.0") == 0)
-	{
-		SoapError(h, 501, "Action Failed");
-		return;
-	}
+		ext_ip_addr[0] = '\0';
 	bodylen = snprintf(body, sizeof(body), resp,
 	              action, ns, /*SERVICE_TYPE_WANIPC,*/
 				  ext_ip_addr, action);

release/src-rt-6.x.4708/router/miniupnpd/upnpstun.c

@@ -1,4 +1,4 @@
-/* $Id: upnpstun.c,v 1.7 2020/11/04 21:01:44 nanard Exp $ */
+/* $Id: upnpstun.c,v 1.8 2021/05/11 21:49:05 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
  * MiniUPnP project
  * http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
@@ -393,9 +393,9 @@ static int parse_stun_response(unsigned char *buffer, size_t len, struct sockadd
 }
 
 /* Perform main STUN operation, return external IP address and check
- * if host is behind restrictive NAT.
+ * if host is behind restrictive, symmetric NAT or behind firewall.
  * Restrictive NAT means any NAT which do some filtering and
- * which is not static 1:1, basically NAT which is not usable
+ * which is not static full-cone NAT 1:1, basically NAT which is not usable
  * for port forwarding */
 int perform_stun(const char *if_name, const char *if_addr, const char *stun_host, unsigned short stun_port, struct in_addr *ext_addr, int *restrictive_nat)
 {
@@ -524,7 +524,7 @@ int perform_stun(const char *if_name, const char *if_addr, const char *stun_host
 		}
 	}
 
-	/* Otherwise we are either directly connected or behind unrestricted NAT 1:1 */
+	/* Otherwise we are either directly connected or behind unrestricted full-cone NAT 1:1 without filtering */
 	/* There is no filtering, so port forwarding would work fine */
 	return 0;
 }

release/src-rt-6.x.4708/router/patches/miniupnpd/102-do-not-disable-port-forwarding-when-in-double-nat.patch

@@ -1,37 +1,59 @@
 --- miniupnpd/miniupnpd.c
 +++ miniupnpd/miniupnpd.c
-@@ -1094,7 +1094,7 @@ 
- 		else
- 			syslog(LOG_INFO, "STUN: ext interface %s has now public IP address %s: Port forwarding is now enabled", ext_if_name, if_addr_str);
+@@ -1102,15 +1102,15 @@ 
+ 			syslog(LOG_INFO, "STUN: ext interface %s has now public IP address %s and firewall does not block incoming connections set by miniunnpd", ext_if_name, if_addr_str);
+ 		syslog(LOG_INFO, "Port forwarding is now enabled");
  	} else if ((init || !disable_port_forwarding) && restrictive_nat) {
--		syslog(LOG_WARNING, "STUN: ext interface %s with IP address %s is now behind restrictive NAT with public IP address %s: Port forwarding is now impossible", ext_if_name, if_addr_str, ext_addr_str);
+-		if (addr_is_reserved(&if_addr)) {
+-			syslog(LOG_WARNING, "STUN: ext interface %s with private IP address %s is now behind restrictive or symmetric NAT with public IP address %s which does not support port forwarding", ext_if_name, if_addr_str, ext_addr_str);
+-			syslog(LOG_WARNING, "NAT on upstream router blocks incoming connections set by miniupnpd");
+-			syslog(LOG_WARNING, "Turn off NAT on upstream router or change it to full-cone NAT 1:1 type");
+-		} else {
+-			syslog(LOG_WARNING, "STUN: ext interface %s has now public IP address %s but firewall filters incoming connections set by miniunnpd", ext_if_name, if_addr_str);
+-			syslog(LOG_WARNING, "Check configuration of firewall on local machine and also on upstream router");
+-		}
+-		syslog(LOG_WARNING, "Port forwarding is now disabled");
++//		if (addr_is_reserved(&if_addr)) {
++//			syslog(LOG_WARNING, "STUN: ext interface %s with private IP address %s is now behind restrictive or symmetric NAT with public IP address %s which does not support port forwarding", ext_if_name, if_addr_str, ext_addr_str);
++//			syslog(LOG_WARNING, "NAT on upstream router blocks incoming connections set by miniupnpd");
++//			syslog(LOG_WARNING, "Turn off NAT on upstream router or change it to full-cone NAT 1:1 type");
++//		} else {
++//			syslog(LOG_WARNING, "STUN: ext interface %s has now public IP address %s but firewall filters incoming connections set by miniunnpd", ext_if_name, if_addr_str);
++//			syslog(LOG_WARNING, "Check configuration of firewall on local machine and also on upstream router");
++//		}
 +		syslog(LOG_WARNING, "STUN: ext interface %s with IP address %s is now behind restrictive NAT with public IP address %s: Port forwarding might not work properly", ext_if_name, if_addr_str, ext_addr_str);
  	} else {
  		syslog(LOG_INFO, "STUN: ... done");
  	}
-@@ -2175,10 +2175,10 @@ 
+@@ -2191,11 +2191,11 @@ 
  		if (getifaddr(ext_if_name, if_addr, INET_ADDRSTRLEN, &addr, NULL) < 0) {
  			syslog(LOG_WARNING, "Cannot get IP address for ext interface %s. Network is down", ext_if_name);
  		} else if (addr_is_reserved(&addr)) {
 -			syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
 -			syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
 -			syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
+-			syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
 -			disable_port_forwarding = 1;
 +//			syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
 +//			syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
 +//			syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
++//			syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
 +//			disable_port_forwarding = 1;
  		}
  	}
  
-@@ -2447,10 +2447,10 @@ 
+@@ -2464,12 +2464,12 @@ 
  					if (disable_port_forwarding && !reserved) {
  						syslog(LOG_INFO, "Public IP address %s on ext interface %s: Port forwarding is enabled", if_addr, ext_if_name);
  					} else if (!disable_port_forwarding && reserved) {
 -						syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
 -						syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
+-						syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
+-						syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
 +						syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding might not work properly", if_addr, ext_if_name);
 +//						syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
++//						syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
++//						syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
  					}
 -					disable_port_forwarding = reserved;
 +//					disable_port_forwarding = reserved;

release/src-rt-6.x.4708/router/patches/miniupnpd/103-revert-previous-upstream-changes-that-prevented.patch

@@ -1,6 +1,6 @@
 --- miniupnpd/miniupnpd.c
 +++ miniupnpd/miniupnpd.c
-@@ -1002,11 +1002,13 @@ 
+@@ -1009,11 +1009,13 @@ 
  				fprintf(stderr, "Error parsing address : %s\n", lan_addr->ext_ip_str);
  				return -1;
  			}
@@ -14,7 +14,7 @@
  		}
  	}
  #else
-@@ -1763,10 +1765,12 @@ 
+@@ -1779,10 +1781,12 @@ 
  			fprintf(stderr, "Error: option ext_ip contains invalid address %s\n", use_ext_ip_addr);
  			return 1;
  		}
@@ -57,11 +57,11 @@
 @@ -346,9 +346,11 @@ 
  			syslog(LOG_ERR, "Failed to get ip address for interface %s",
  				ext_if_name);
- 			strncpy(ext_ip_addr, "0.0.0.0", INET_ADDRSTRLEN);
+ 			ext_ip_addr[0] = '\0';
 +#if 0
  		} else if (addr_is_reserved(&addr)) {
  			syslog(LOG_NOTICE, "private/reserved address %s is not suitable for external IP", ext_ip_addr);
- 			strncpy(ext_ip_addr, "0.0.0.0", INET_ADDRSTRLEN);
+ 			ext_ip_addr[0] = '\0';
 +#endif
  		}
  	}