miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Jan 28, 2016 5:45 pm
@AndyF Thank you for your tests, I'm happy it seems to work.
I think the current code may have issues with how the rules are deleted, I'll have to check that.
(If the xbox's properly call DeletePortMapping, please have a look at your iptables rules after you have shut them down...)
Also I think the "-o ppp0" should be removed (it is already in the rule which jumps to the MINIUPNPD-POSTROUTING chain).
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Thu Jan 28, 2016 6:20 pm
I've never seen the xbox or xbox one or the game try to delete on my old setup.
IIRC I once tested a PS3 and that did delete its port on shutdown, which makes me think the xboxes really don't try.
I am a bit stumped about the right thing to do here - just inserting rather than appending I guess would be easy and is what I did.
I wonder if the specs say anything about this situation.
FWIW I have/can make more tcpdumps easily - it's not too pretty trying to read the ASCII in the packets, but it is possible!
Slightly unrelated, I do wonder what the xbox does with DHCP and whether it behaves differently with different servers.
Mine, by luck rather than explicit configuration, seem to get the same IPs and it's almost like they test on startup.
For example here's the daemon log of the two being started for the first time after I installed miniupnpd.
Code:
Jan 28 12:37:36 asr miniupnpd[11055]: HTTP listening on port 45798
Jan 28 12:53:11 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:dc:93 via eth0
Jan 28 12:53:12 asr dhcpd: DHCPOFFER on 192.168.0.220 to b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:12 asr dhcpd: Wrote 10 leases to leases file.
Jan 28 12:53:12 asr dhcpd: DHCPREQUEST for 192.168.0.220 (192.168.0.1) from b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:12 asr dhcpd: DHCPACK on 192.168.0.220 to b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:15 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Jan 28 12:53:18 asr dhcpd: DHCPINFORM from 192.168.0.220 via eth0
Jan 28 12:53:18 asr dhcpd: DHCPACK to 192.168.0.220 (b4:ae:2b:67:dc:93) via eth0
Jan 28 12:53:26 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:53:26 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:26 asr dhcpd: DHCPOFFER on 192.168.0.220 to b4:ae:2b:67:dc:93 via eth0
Jan 28 12:53:26 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:53:26 asr dhcpd: DHCPREQUEST for 192.168.0.220 (192.168.0.1) from b4:ae:2b:67:dc:93 via eth0
Jan 28 12:53:26 asr dhcpd: DHCPACK on 192.168.0.220 to b4:ae:2b:67:dc:93 via eth0
Jan 28 12:55:16 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Jan 28 12:58:10 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:be:45 via eth0
Jan 28 12:58:11 asr dhcpd: DHCPOFFER on 192.168.0.221 to b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:12 asr dhcpd: DHCPREQUEST for 192.168.0.221 (192.168.0.1) from b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:12 asr dhcpd: DHCPACK on 192.168.0.221 to b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:17 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Jan 28 12:58:20 asr dhcpd: DHCPINFORM from 192.168.0.221 via eth0
Jan 28 12:58:20 asr dhcpd: DHCPACK to 192.168.0.221 (b4:ae:2b:67:be:45) via eth0
Jan 28 12:58:25 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:58:25 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:25 asr dhcpd: DHCPOFFER on 192.168.0.221 to b4:ae:2b:67:be:45 via eth0
Jan 28 12:58:25 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:58:25 asr dhcpd: DHCPREQUEST for 192.168.0.221 (192.168.0.1) from b4:ae:2b:67:be:45 via eth0
Jan 28 12:58:25 asr dhcpd: DHCPACK on 192.168.0.221 to b4:ae:2b:67:be:45 via eth0
Jan 28 13:01:11 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Mon Feb 08, 2016 7:36 pm
It seems that deleting rules where 0 for infinite lease is requested has some issues.
AIUI 7 days should be used - after 7 days I started looking to see if the oldest rules started getting deleted, but they didn't.
A day later a whole batch of rules got deleted, including some that were active at the time. The active ones were those where the xbox ones request the same port as last time - so it seems that the 0 lease is not extended when this happens.
There was a PC game that requested a 6 hour lease and this got cleared correctly.
After the batch delete of rules -
Feb 5 21:17:26 asr miniupnpd[11055]: removed 19 unused rules
One xbox later connected, resulting in logging as below. When I examined the rules that were left it seems this xbox did not get its port. I have since updated miniupnpd and set logging to INFO - so maybe more of what happens will be shown.
Code:
Feb 5 21:55:59 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 21:56:48 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 21:57:25 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 21:59:13 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:01:05 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:03:34 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:06:12 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:09:23 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:12:22 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:15:44 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:19:01 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:22:08 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:25:27 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:28:22 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:32:02 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:35:44 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:38:58 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:42:11 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:45:44 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:48:48 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb 5 22:52:26 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Mon Feb 08, 2016 11:10 pm
OK - I am running updated now.
The thing about those messages was they were after the delete and didn't result in anything happening iptables-wise.
Before the delete a message like that was "real" in that a rule was created.
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Wed Feb 10, 2016 11:48 pm
So after looking at the code a bit I understand a bit of what happened.
I am not using IGD2 so don't get the 7-day timeout for 0 leases. Even if I did I think there would be an issue with the lease time not getting reset when the client re-requests the same port.
So what happened above is I hit the cleaning threshold, but it seems the algorithm is a bit over-aggressive and deleted ports that were in use.
It seems to look at DNAT usage counters (I am unsure on the time period), but it would be quite normal for there to be low/no traffic seen, as DNAT only counts connections, not traffic.
From other threads it seems that the xbox one has issues with IGD2 (I haven't tried yet), but even if it did work there is another possible issue with appended postrouting rules.
As things stand the game that needs these works by luck, but I think it would be better to insert the masq rules rather than append.
1. It seems illogical not to use the mapping just requested over an old one by the same host. It's not like opening ports inbound where multiple can map to one - there can AFAICT only ever be one outbound mapping when the remote host is wildcard for the same internal port.
2. Though appending and so using older existing mappings works by luck for my test case, it could be broken by lease timeout (assuming IGD2) - it may be deleted while in use; inserting would avoid this.
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Feb 11, 2016 9:17 am
The "Unused rules cleaning" works by comparing byte and packet count for the "nat redirect rule" (DNAT).
The interval (seconds) is set in miniupnpd.conf
Code:
clean_ruleset_interval=600
10 minutes is maybe too low for you.
You should add syslog() in upnpredirect.c/remove_unused_rules() to check if the counter values are relevant.
Indeed miniupnpd doesn't check that 2 port mappings don't redirect to the same LAN host:port, as it isn't relevant for inbound connections.
I will have a look at what the UPnP specs say about it.
Inserting / appending is only changing the order of priority of the rules. This should not matter as rules should not collide...
You can try to change it in netfilter/iptcrdr.c on line 1080 : iptc_append_entry() => iptc_insert_entry()
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Thu Feb 11, 2016 9:04 pm
miniupnp wrote:
    The "Unused rules cleaning" works by comparing byte and packet count for the "nat redirect rule" (DNAT).
    The interval (seconds) is set in miniupnpd.conf
    Code:
    clean_ruleset_interval=600
    10 minutes is maybe too low for you.
    You should add syslog() in upnpredirect.c/remove_unused_rules() to check if the counter values are relevant.
OK, thanks, yeah, given that the counters are for connections and not traffic then 10 minutes will be the reason.
miniupnp wrote:
    Indeed miniupnpd doesn't check that 2 port mappings don't redirect to the same LAN host:port, as it isn't relevant for inbound connections.
    I will have a look at what the UPnP specs say about it.
    Inserting / appending is only changing the order of priority of the rules. This should not matter as rules should not collide...
Yeah, but I don't see any other way WRT backward compatibility. I mean an IGD1 client may be allowed to ask for 2 external ports to be redirected to one internal. Checking for collisions because of IGD2 behavior shouldn't break this.
In fact even for IGD2 I don't think disallowing collisions would work for my test case - not that I tested, or know what "disallowing collisions" would look like.
The game in question doesn't bother to clean up its own mappings and requests new, apparently random mappings each run. Inserting the masq rules does seem like the best way to easily solve this without hurting old clients.
miniupnp wrote:
    You can try to change it in netfilter/iptcrdr.c on line 1080 : iptc_append_entry() => iptc_insert_entry()
Thanks, I'll try this.
In addition, I may try to use the IGD2 timeout rather than relying on cleaning - looks like this will need some work WRT renewing the lease for the xbox ones themselves, as they reuse their ports.
In fact when I get time I'll see if they'll work with IGD2 "proper" - I see this didn't work out for some.
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Sun Feb 21, 2016 12:52 am
I tried with IGD2 enabled and the xbox ones don't open any ports with that enabled.
Looking back over some tcpdumps that I did with Linux IGD2 I can see that was working in "compatibility for broken clients" mode and the xboxes were getting the version 1 of things.
The recent updates that reset the lease expiry times for existing mappings are working OK for me. Tested by forcing any requested zero leases to be one day - which is probably how I'll leave it for my use case to avoid other cleaning - I know that it should really be a week to be compliant with IGD2.
Inserting libiptc rules is also working OK. I had to use 0 for the position - some docs say 1 but that didn't work for me starting with empty chains.
So thanks for all your work on this.
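The three behaviours argued over in this thread (counter-based "unused rules cleaning" firing on a DNAT rule that only counts new connections, a zero lease mapped to a fixed term that is refreshed when the same client re-requests the same port, and the order of the masquerade rules deciding which external port outbound traffic gets) are easier to reason about on a small model. The block below is an added example, not code from this thread or from miniupnpd; `MappingTable`, its methods and the three scenario functions are invented for the illustration, the IP addresses and ports are constructed sample values, and the "first cleaning pass only records counters" rule is an assumption about how such a cleaner must behave, not a statement about miniupnpd's implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVEN_DAYS = 7 * 24 * 3600      # IGD2 term for a requested "0" (infinite) lease
Key = Tuple[str, int]           # (proto, external port)


@dataclass
class Mapping:
    ext_port: int
    proto: str
    int_host: str
    int_port: int
    expires: Optional[int]      # absolute seconds; None = never (IGD1 lease 0)
    # The nat table only sees the first packet of each connection; conntrack
    # handles the rest. So the DNAT rule counter counts new flows, not traffic.
    packets: int = 0
    packets_at_last_clean: int = 0
    seen_by_cleaner: bool = False


class MappingTable:
    """Toy model of a UPnP IGD port-mapping table (hypothetical, not miniupnpd's code)."""

    def __init__(self, igd2: bool, zero_lease: int = SEVEN_DAYS, insert: bool = False):
        self.igd2, self.zero_lease, self.insert = igd2, zero_lease, insert
        self.rules: Dict[Key, Mapping] = {}
        self.masq_order: List[Key] = []     # evaluation order of the masquerade rules

    def add(self, now: int, ext_port: int, proto: str, int_host: str,
            int_port: int, lease: int) -> Mapping:
        if lease:
            expires: Optional[int] = now + lease
        else:
            expires = now + self.zero_lease if self.igd2 else None
        key = (proto, ext_port)
        m = self.rules.get(key)
        if m and (m.int_host, m.int_port) == (int_host, int_port):
            m.expires = expires             # same client, same mapping: refresh the lease
            return m
        m = Mapping(ext_port, proto, int_host, int_port, expires)
        self.rules[key] = m
        if self.insert:                     # iptc_insert_entry() at position 0
            self.masq_order.insert(0, key)
        else:                               # iptc_append_entry()
            self.masq_order.append(key)
        return m

    def outbound_ext_port(self, int_host: str, int_port: int) -> Optional[int]:
        """First matching masquerade rule wins, as netfilter walks the chain."""
        for key in self.masq_order:
            m = self.rules[key]
            if (m.int_host, m.int_port) == (int_host, int_port):
                return m.ext_port
        return None

    def new_connection(self, proto: str, ext_port: int) -> None:
        self.rules[(proto, ext_port)].packets += 1

    def remove_unused(self) -> List[Key]:
        """Counter-based cleaning, run every clean_ruleset_interval seconds:
        a rule whose counters did not move since the previous pass is dropped."""
        removed = []
        for key, m in list(self.rules.items()):
            if m.seen_by_cleaner and m.packets == m.packets_at_last_clean:
                removed.append(key)
                self._drop(key)
            else:
                m.seen_by_cleaner, m.packets_at_last_clean = True, m.packets
        return removed

    def expire(self, now: int) -> List[Key]:
        removed = [k for k, m in self.rules.items() if m.expires is not None and m.expires <= now]
        for k in removed:
            self._drop(k)
        return removed

    def _drop(self, key: Key) -> None:
        del self.rules[key]
        self.masq_order.remove(key)


def counter_cleaning_scenario() -> Tuple[bool, bool]:
    """One long-lived session: a single connection, then steady traffic the
    DNAT counter never sees. Returns (kept after pass 1, kept after pass 2)."""
    t = MappingTable(igd2=False)
    t.add(0, 3074, "UDP", "192.168.0.220", 3074, 0)   # constructed console mapping
    t.new_connection("UDP", 3074)
    t.remove_unused()                   # t=600: counters recorded, nothing dropped
    kept1 = ("UDP", 3074) in t.rules
    t.remove_unused()                   # t=1200: no new flow, rule dropped while in use
    return kept1, ("UDP", 3074) in t.rules


def lease_renewal_scenario(term: int = 86400) -> Tuple[bool, bool]:
    """Zero lease mapped to a fixed term (one day here, as tested in the thread);
    re-requesting the same port before expiry resets the clock."""
    t = MappingTable(igd2=True, zero_lease=term)
    t.add(0, 3074, "UDP", "192.168.0.220", 3074, 0)
    t.add(term - 3600, 3074, "UDP", "192.168.0.220", 3074, 0)   # reboot, same port
    t.expire(term)                      # old expiry time: mapping must survive
    alive = ("UDP", 3074) in t.rules
    t.expire(2 * term - 3600)           # refreshed expiry time: now it goes
    return alive, ("UDP", 3074) not in t.rules


def masq_order_scenario(insert: bool) -> Optional[int]:
    """A game that never deletes its mappings and asks for a fresh external
    port each run; rule order decides which port outbound packets carry."""
    t = MappingTable(igd2=False, insert=insert)
    t.add(0, 50001, "UDP", "192.168.0.221", 3074, 0)      # yesterday's run
    t.add(100, 50002, "UDP", "192.168.0.221", 3074, 0)    # today's run
    return t.outbound_ext_port("192.168.0.221", 3074)
```

`counter_cleaning_scenario()` returns `(True, False)`: the mapping survives the first pass and is deleted on the second although the session is still active, which is the batch delete AndyF saw. `lease_renewal_scenario()` returns `(True, True)`, and `masq_order_scenario(False)` returns 50001 (the stale appended rule wins) while `masq_order_scenario(True)` returns 50002.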