Indefinitely duplicated ip/port in os-upnp #3831

Closed
roylaprattep opened this issue Feb 16, 2024 · 25 comments
Labels
upstream Third party issue


@roylaprattep

roylaprattep commented Feb 16, 2024


Describe the bug

My last bug report was deleted. Can you please solve, give me a workaround or a direction I can go before closing... Instead of manual port forward.

There is a serious bug with os-upnp since latest version fresh install. The status list is deduplicating same entries again and again which means that the status log is growing indefinitely.

Everything was working perfectly fine on 23.7 and associated version.

Thank you very much guys.

To Reproduce

1. Go to "Services"
2. Click on "Universal Plug and Play"
3. Then click "Status"
4. See bug

Expected behavior

One entry per port/IP.


Environment

- OPNsense 24.1.1-amd64
- FreeBSD 13.2-RELEASE-p9
- OpenSSL 3.0.13
- os-upnp 1.5_6
- Intel(R) Core(TM) i5-3450 CPU @ 3.10GHz (4 cores, 4 threads)
- Intel X520-DA2 E10G42BTDA PCI-E Dual Port 10G SFP+ NIC Server Adapter (Configured with LAG/LACP)

@roylaprattep roylaprattep changed the title os-upnp duplicating entries in status tab os-upnp duplicate ip/port indefinitely Feb 17, 2024
@roylaprattep roylaprattep changed the title os-upnp duplicate ip/port indefinitely Indefinitely duplicated ip/port in os-upnp Feb 17, 2024
@fichtner
Member

It's probably a kernel bug due to pfctl fiddling or the new miniupnpd pfctl patching in FreeBSD ports. If you want to take it to the appropriate authority go to https://bugs.freebsd.org/bugzilla/ and give them the raw command line output of the respective FreeBSD commands saying the problem is on stable/13.

Cheers,
Franco

@fichtner fichtner added the upstream Third party issue label Feb 17, 2024
@roylaprattep
Author

Hi @fichtner,

OPNsense team can't do anything? When I was on last 23.7.11, someone gave me a command to use the upnp package from 23.7.10 (while still on 23.7.11). Is there a way to achieve the same thing on 24.1.1?

Otherwise, I don't know what to send to FreeBSD bug report.

Thank you for your reply.

@fichtner
Member

fichtner commented Feb 17, 2024

Well we can help mitigate but it’s a Saturday and I have a rather large tree to deal with at the moment. 😉

@roylaprattep
Author

@fichtner

Haha, ok. I can wait, no worries.

Thank you.

@roylaprattep
Author

Anyone would like to mitigate this issue please? Any good Samaritans? :P

Would be greatly appreciated, I'll pay next beer.

Thank you.

@fichtner fichtner transferred this issue from opnsense/core Feb 20, 2024
@fichtner
Member

@roylaprattep does this bring it back?

# pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/MINT/23.7.10/latest/All/miniupnpd-2.3.3_1,1.pkg

Cheers,
Franco

@CrazyCoder

CrazyCoder commented Feb 22, 2024

Looks exactly like my issue described at https://forum.opnsense.org/index.php?topic=38732.0.

UPnP clients get corrupted mappings from OPNsense miniupnpd server :(

> does this bring it back?

@fichtner not in my case. I had the same issue on 23.7 (don't remember when exactly it started, but I'm new to OPNsense and have been using it only for ~2 months), and 24.1 cannot install this package because of:

pkg: Missing dependency 'openssl111'
Failed to install the following 1 package(s): https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/MINT/23.7.10/latest/All/miniupnpd-2.3.3_1,1.pkg

@fichtner
Member

Ok, bummer. Please report to https://bugs.freebsd.org

Cheers,
Franco

@CrazyCoder

Reported https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277226.

Not sure what other information they will need.

@roylaprattep
Author

@fichtner

Unfortunately not. :/

@roylaprattep
Author

This issue has been resolved upstream: miniupnp/miniupnp#719

Please update this FreeBSD port to the latest version in order to resolve this issue.

@fichtner
Member

That leaves the complication that FreeBSD ports has custom patch glue that no longer applies to 2.3.6.

Still, the whole timing issue here is off so I wouldn't bet on this horse just yet.

Cheers,
Franco

@roylaprattep
Author

Just to know it's gonna be taken care of sooner or later, is nice. As for the "when", I don't think there is a hurry here... If, and when it is done, just let us know brother.

Thanks Franco.

@MorningLightMountain713

> Just to know it's gonna be taken care of sooner or later, is nice. As for the "when", I don't think there is a hurry here... If, and when it is done, just let us know brother.
>
> Thanks Franco.

If you're desperate (like I was :P) you can go to the miniupnpd website, and download the source, and compile. I can confirm this issue is resolved on the new version. (2.3.6)

@denverpilot

Tempted to do that too @MorningLightMountain713 but leery because of @roylaprattep's comment that ports has glue... wonder what the glue is for... if your compiled version is behaving fine... hahaha...yuck...

@Sjors

Sjors commented May 28, 2024

@MorningLightMountain713 when you built from source, did you do (more than) this?

Delete lines with MAN from Makefile.bsd

./configure --ipv6 --firewall=pf
make
make install

See also https://cgit.freebsd.org/ports/tree/net/miniupnpd/Makefile

@fichtner
Member

fichtner commented May 28, 2024

FreeBSD complications with libpfctl use are problematic. I don't know the impact of building without it. A patch is available here now... https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277226

@fichtner
Member

A snapshot with the update has been published:

# opnsense-revert -z miniupnpd

Feedback welcome.

Cheers,
Franco

@CrazyCoder

CrazyCoder commented May 29, 2024

@fichtner

Hmm, I just updated to 24.1.8 and the command above doesn't seem to install the right version?

root@gw:~ # opnsense-revert -z miniupnpd
Fetching miniupnpd.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
miniupnpd-2.3.3_3,1: already unlocked
Installing miniupnpd-2.3.3_3,1...
package miniupnpd is already installed, forced install
Extracting miniupnpd-2.3.3_3,1: 100%
=====
Message from miniupnpd-2.3.3_3,1:

--
*** !!WARNING!! !!WARNING!! !!WARNING!! ***
This port allows machines within your network to create holes in your
firewall.  Please ensure this is really what you want!
*** !!WARNING!! !!WARNING!! !!WARNING!! ***

For this daemon to work, you must modify your pf rules to add an anchor
in both the NAT and rules section.  Both must be called 'miniupnpd'.
Example:

# NAT section
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# Rules section
# uPnPd rule anchor
anchor "miniupnpd"

@fichtner
Member

@CrazyCoder not the main mirror then. still syncing on this one you have set up

@CrazyCoder

@fichtner Thanks, indeed, switched to the default mirror (https://pkg.opnsense.org/FreeBSD:13:amd64/24.1) and it worked:

Installing miniupnpd-2.3.6,1...
package miniupnpd is already installed, forced install
Extracting miniupnpd-2.3.6,1: 100%

@fichtner
Member

@CrazyCoder update worked or the fix too? ;)

@CrazyCoder

@fichtner The update and the fix. I did a quick test with https://github.com/kaklakariada/portmapper. Adding/removing mappings works, and there are no more duplicates or corrupted records.

@denverpilot

@fichtner working properly now here also, when testing the updated miniupnpd. No duplicate ports. Thank you for your work.

@fichtner
Member

Ok I'll close then! Thanks all :)
