Added chain rule to filter table so udp stun incoming connections rul… #13951

MarcoMartins86
Contributor

Maintainer: @neheb @ptpt52
Compile tested: (ath79, tplink_tl-wr941-v2, openwrt-19.07)
Run tested: (ath79, tplink_tl-wr941-v2, openwrt-19.07)
Added to /etc/config/upnpd
option use_stun '1'
option stun_host 'stun.stunprotocol.org'
option stun_port '3478'

Make sure that no UDP rule exists on the firewall to accept all connections and check miniupnpd system logs to see it was successful.

Description:

Fix this issue https://forum.openwrt.org/t/miniupnpd-in-trunk-stun-setup/18688

For the miniupnpd STUN protocol to work correctly to find out the external IP address dynamically, it opens rules in the table 'filter' to receive incoming UDP connections for the router IP, but there was no chain rule on the zone input referencing the MINIUPNPD table, and so it couldn't receive the expected connections.
The fix was to add a chain rule in the zone input to check the MINIUPNPD table before rejecting all connections.
Should I make another pull request for the master branch? I will not be able to test this on the new version.
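
The rule ordering described in this pull request can be checked against a saved ruleset. The script below is an added example, not code from the pull request or from the project's firewall.include; the chain name `zone_wan_input`, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the WAN zone's input chain consults MINIUPNPD
# before it rejects traffic. Chain names are assumptions about the ruleset.

# Reads `iptables-save` text on stdin.
# $1 = input chain of the WAN zone (assumed default: zone_wan_input)
# Returns 0: jump to MINIUPNPD precedes the first REJECT/DROP target
#         1: no jump to MINIUPNPD in that chain of the filter table
#         2: jump exists, but only after a REJECT/DROP target
check_miniupnpd_jump() {
    awk -v chain="${1:-zone_wan_input}" '
        /^\*/ { in_filter = ($0 == "*filter") }   # track the current table
        in_filter && $1 == "-A" && $2 == chain {
            n++                                   # rule position in chain
            target = ""
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "-g") target = $(i + 1)
            if (target == "MINIUPNPD" && !jump) jump = n
            # Simplification: any target ending in REJECT or DROP counts
            if (target ~ /(REJECT|DROP)$/ && !deny) deny = n
        }
        END {
            if (!jump) exit 1
            if (deny && deny < jump) exit 2
            exit 0
        }'
}

# Constructed sample: MINIUPNPD holds an ACCEPT rule but input never reaches it
sample_before() { cat <<'EOF'
*filter
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_input -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A MINIUPNPD -d 192.0.2.10/32 -p udp -m udp --dport 40000 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the jump is evaluated before the final reject
sample_after() { cat <<'EOF'
*filter
-A zone_wan_input -j MINIUPNPD
-A zone_wan_input -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A MINIUPNPD -d 192.0.2.10/32 -p udp -m udp --dport 40000 -j ACCEPT
COMMIT
EOF
}
```

On a router the same function can read live rules with `iptables-save | check_miniupnpd_jump`.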

@MarcoMartins86
Contributor Author

Not sure why @jjm2473's commit appears on my pull request; nevertheless, I only intended to change firewall.include. I don't know how to fix this in git, can someone help me with a hint?

@MarcoMartins86
Contributor Author

I think I was able to figure out what I needed to do from here: https://openwrt.org/docs/guide-developer/working-with-github-pr

@neheb
Contributor

neheb commented Nov 20, 2020

I added your patch to #13960. Please test.

@hnyman
Contributor

hnyman commented Nov 28, 2020

#13960 was merged to master.
Is this 19.07 PR still ok?

@neheb
Contributor

neheb commented Nov 29, 2020

Eh no. There's a whitespace issue with it: spaces vs tabs. I fixed that in the other PR.

Maybe that should be backported instead of this. miniupnpd under 19.07 has been getting backports judging by the history.

…ections rules works

Signed-off-by: Marco Martins <marcomartins86@gmail.com>
@MarcoMartins86
Contributor Author

I am sorry, only today I had the time to fix the space on the commit and test the #13960 on 19.07, and it seems to be working well.
Miniupnpd version 2.2.0 on the 19.07
Ports opened with STUN protocol enabled and with no extra firewall exceptions for UDP packages

@neheb
Contributor

neheb commented Nov 30, 2020

This was merged to 19.07 separately.

@neheb neheb closed this Nov 30, 2020
@MarcoMartins86 MarcoMartins86 deleted the openwrt-19.07-fix-miniupnpd-udp-stun-incoming-connections-filter branch December 2, 2020 17:09