
miniupnpd: Discard NAT-PMP packets coming from the WAN

miniupnp committed Oct 22, 2014
1 parent f183e2b commit 16389fda3c5313bffc83fb6594f5bb5872e37e5e
Showing with 17 additions and 0 deletions.
  1. +3 −0 miniupnpd/Changelog.txt
  2. +14 −0 miniupnpd/miniupnpd.c
@@ -1,5 +1,8 @@
$Id: Changelog.txt,v 1.379 2014/10/22 08:52:17 nanard Exp $

2014/10/22:
Discard NAT-PMP packets coming from the WAN

2014/10/21:
small modifications to compile with exotic C libraries

@@ -2133,6 +2133,20 @@ main(int argc, char * * argv)
msg_buff, sizeof(msg_buff));
if (len < 1)
continue;
/* Check if the packet is coming from a LAN to enforce RFC6886 :
* The NAT gateway MUST NOT accept mapping requests destined to the NAT
* gateway's external IP address or received on its external network
* interface. Only packets received on the internal interface(s) with a
* destination address matching the internal address(es) of the NAT
* gateway should be allowed. */
lan_addr = get_lan_for_peer((struct sockaddr *)&senderaddr);
if(lan_addr == NULL) {
char sender_str[64];
sockaddr_to_string((struct sockaddr *)&senderaddr, sender_str, sizeof(sender_str));
syslog(LOG_WARNING, "NAT-PMP/PCP packet sender %s not from a LAN, ignoring",
sender_str);
continue;
}
#ifdef ENABLE_PCP
if (msg_buff[0]==0) { /* version equals to 0 -> means NAT-PMP */
ProcessIncomingNATPMPPacket(snatpmp[i], msg_buff, len,
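Review bot: The new check `lan_addr = get_lan_for_peer((struct sockaddr *)&senderaddr);` validates only the packet's source address, while the RFC 6886 text quoted in the comment just above it talks about the receiving interface and the destination address. A UDP source address is not authenticated, so this filter is only as strong as the anti-spoofing/ingress filtering on the external interface, unless the sockets in `snatpmp[]` are bound to the internal addresses (not visible in this hunk; `main` starts and ends outside it). I would state that limit in the comment, e.g. `/* NOTE: source-address check only; the receiving interface and destination address are not verified here */`, and consider verifying the receiving interface as a follow-up. The `syslog(LOG_WARNING, ...)` call also runs once per rejected packet, so WAN-side traffic can fill the log; a lower level or a rate limit would help.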
