babut85
Joined: 07 Nov 2022 Posts: 6 Location: moon
|
Posted: Mon Nov 07, 2022 7:42 pm Post subject: obsd. yes, she's not dead yet -_- |
|
|
judging by the forum settings, you are clearly not the person who can help :\ but we'll try anyway |
babut85
Joined: 07 Nov 2022 Posts: 6 Location: moon
|
Posted: Mon Nov 07, 2022 7:43 pm Post subject: |
|
|
ext_ifname=pppoe0
ext_perform_stun=yes
ext_stun_host=stun.sipgate.net
listening_ip=vport0
enable_natpmp=yes
enable_upnp=yes
secure_mode=no
system_uptime=yes
notify_interval=60
clean_ruleset_interval=600
anchor=miniupnpd
uuid=00000000-0000-0000-0000-000000000000
allow 1024-65535 192.168.85.0/0 1024-65535
---------------------------------------------------
miniupnpd[31745]: version 2.3.0 starting NAT-PMP/PCP UPnP-IGD ext if pppoe0 BOOTID=1667848346
miniupnpd[31745]: STUN: Performing with host=stun.sipgate.net and port=0 ...
miniupnpd[31745]: resolve_stun_host: stun.sipgate.net:3478 => 217.10.68.145:3478
miniupnpd[31745]: perform_stun: local ports 3751 46253 4061 16242
miniupnpd[31745]: wait_for_stun_responses: waiting 3 secs and 0 usecs
miniupnpd[31745]: wait_for_stun_responses: received responses: 1
miniupnpd[31745]: wait_for_stun_responses: waiting 3 secs and 0 usecs
miniupnpd[31745]: wait_for_stun_responses: select(): no more responses
miniupnpd[31745]: wait_for_stun_responses: waiting 3 secs and 0 usecs
miniupnpd[31745]: wait_for_stun_responses: select(): no more responses
miniupnpd[31745]: wait_for_stun_responses: waiting 3 secs and 0 usecs
miniupnpd[31745]: wait_for_stun_responses: select(): no more responses
miniupnpd[31745]: parse_stun_response: Type 0x0101, Length 68, Magic Cookie 2112a442
miniupnpd[31745]: parse_stun_response: MAPPED-ADDRESS 109.106.141.221:64758
miniupnpd[31745]: parse_stun_response: SOURCE-ADDRESS 217.10.68.145:3478
miniupnpd[31745]: parse_stun_response: CHANGED-ADDRESS 217.116.122.143:3479
miniupnpd[31745]: parse_stun_response: XOR-MAPPED-ADDRESS 109.106.141.221:64758
miniupnpd[31745]: parse_stun_response: SOFTWARE Vovida.org 0.96
miniupnpd[31745]: perform_stun: 1 response out of 4 received
miniupnpd[31745]: perform_stun: #0 external address or port changed
miniupnpd[31745]: STUN: ext interface pppoe0 with private IP address 172.25.231.96 is now behind restrictive or symmetric NAT with public IP address 109.106.141.221 which does not support port forwarding
miniupnpd[31745]: NAT on upstream router blocks incoming connections set by miniupnpd
miniupnpd[31745]: Turn off NAT on upstream router or change it to full-cone NAT 1:1 type
miniupnpd[31745]: Port forwarding is now disabled
miniupnpd[31745]: HTTP listening on port 29442
miniupnpd[31745]: Listening for NAT-PMP/PCP traffic on port 5351
miniupnpd[31745]: HTTP REQUEST from 192.168.85.23:57638 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[31745]: Host: 192.168.85.1:29442
miniupnpd[31745]: 200 rt_msg : msglen=200 version=5 type=14
miniupnpd[31745]: RTM_IFINFO: addrs=10 flags=8b43 index=4
miniupnpd[31745]: 200 rt_msg : msglen=200 version=5 type=14
miniupnpd[31745]: RTM_IFINFO: addrs=10 flags=8b43 index=4
miniupnpd[31745]: level=0 type=30
miniupnpd[31745]: sdl_index = 10 vport0:0.0.0.0.0.1
miniupnpd[31745]: ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1 (ver=1)
miniupnpd[31745]: SSDP M-SEARCH from 192.168.85.23:58827 ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
miniupnpd[31745]: Single search found
miniupnpd[31745]: SendSSDPResponse(): 0 bytes to 192.168.85.23:58827 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1
EXT:
SERVER: OpenBSD/7.2 UPnP/1.1 MiniUPnPd/2.3.0
LOCATION: http://192.168.85.1:29442/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1667848346
BOOTID.UPNP.ORG: 1667848346
CONFIGID.UPNP.ORG: 1337
miniupnpd[31745]: HTTP REQUEST from 192.168.85.23:57640 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[31745]: Host: 192.168.85.1:29442
miniupnpd[31745]: HTTP REQUEST from 192.168.85.23:57641 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[31745]: Host: 192.168.85.1:29442
miniupnpd[31745]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd[31745]: HTTP REQUEST from 192.168.85.23:57642 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[31745]: Host: 192.168.85.1:29442
miniupnpd[31745]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd[31745]: HTTP REQUEST from 192.168.85.23:57643 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[31745]: Host: 192.168.85.1:29442
miniupnpd[31745]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd[31745]: HTTP REQUEST from 192.168.85.23:57644 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[31745]: Host: 192.168.85.1:29442
miniupnpd[31745]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[31745]: AddPortMapping: ext port 1111 to 192.168.85.23:1111 protocol UDP for: libminiupnpc leaseduration=0 rhost=
miniupnpd[31745]: UPnP permission rule 0 matched : port mapping accepted
miniupnpd[31745]: redirecting port 1111 to 192.168.85.23:1111 protocol UDP for: libminiupnpc
miniupnpd[31745]: Returning UPnPError 501: ActionFailed
---------------------------------------------------
upnpc-shared.exe -a 192.168.85.23 1111 1111 UDP
upnpc : miniupnpc library test client, version 2.2.3.
(c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.85.1:29442/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.85.1:29442/ctl/IPConn
Local LAN ip address : 192.168.85.23
ExternalIPAddress = 109.106.141.221
AddPortMapping(1111, 1111, 192.168.85.23) failed with code 501 (Action Failed)
---------------------------------------------------
and for some reason, everyone in the obsd community doesn't give a shit that the only upnp daemon has not worked for two versions, or even more. yes, i tried version 2.3.1 and earlier. i tried different build options, but i didn't find a working combination.
ps: no rules are created in the anchor |
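A check of the permission settings in the configuration posted above, as an added example that is not part of the original post or of miniupnpd: it parses the allow/deny lines and secure_mode and reports rules wider than the LAN. The intended LAN 192.168.85.0/24 is an assumption taken from the addresses in the log, and the sample text is constructed from the posted lines.

```python
import ipaddress

# Constructed sample: the permission-related lines of the posted configuration.
SAMPLE_CONF = """\
listening_ip=vport0
secure_mode=no
allow 1024-65535 192.168.85.0/0 1024-65535
"""

def parse_conf(text):
    """Split miniupnpd.conf text into key=value options and allow/deny rules."""
    options, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("allow", "deny") and len(fields) == 4:
            rules.append(tuple(fields))   # (action, ext ports, net, int ports)
        elif "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options, rules

def audit(text, lan="192.168.85.0/24"):
    """Return a list of findings; lan is the network the operator means to serve."""
    options, rules = parse_conf(text)
    lan_net = ipaddress.ip_network(lan)
    findings = []
    if options.get("secure_mode") != "yes":
        findings.append("secure_mode is not 'yes': clients may map ports to other hosts")
    for action, _ext_ports, net, _int_ports in rules:
        if action != "allow":
            continue
        # strict=False applies the mask as a matcher does: /0 keeps no address bits.
        covered = ipaddress.ip_network(net, strict=False)
        if not covered.subnet_of(lan_net):
            findings.append(f"allow rule '{net}' covers {covered}, wider than {lan}")
    if not rules or rules[-1][0] != "deny":
        findings.append("last rule is not a deny: unmatched requests are accepted by default")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```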
babut85
Joined: 07 Nov 2022 Posts: 6 Location: moon
|
Posted: Tue Nov 08, 2022 1:51 am Post subject: |
|
|
syslog(LOG_INFO, "Reserved / private IP address %s on ext interface %s: Port forwarding is impossible", if_addr, ext_if_name);
syslog(LOG_INFO, "You are probably behind NAT, enable option ext_perform_stun=yes to detect public IP address");
syslog(LOG_INFO, "Or use ext_ip= / -o option to declare public IP address");
syslog(LOG_INFO, "Public IP address is required by UPnP/PCP/PMP protocols and clients do not work without it");
disable_port_forwarding = 1;
-------
are you mad? you would also enter a political reason here. i immediately realized when i was still registering on the forum that something was wrong with you. all that is required of such a program is to open ports, and not to talk about the structure of the world. other programs specially created for this purpose think about the structure of the world  |
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1594
|
Posted: Sat Jan 21, 2023 11:25 am Post subject: |
|
|
Quote: | miniupnpd[31745]: STUN: ext interface pppoe0 with private IP address 172.25.231.96 is now behind restrictive or symmetric NAT with public IP address 109.106.141.221 which does not support port forwarding
miniupnpd[31745]: NAT on upstream router blocks incoming connections set by miniupnpd
miniupnpd[31745]: Turn off NAT on upstream router or change it to full-cone NAT 1:1 type
miniupnpd[31745]: Port forwarding is now disabled |
the messages are self explanatory...
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
babut85
Joined: 07 Nov 2022 Posts: 6 Location: moon
|
Posted: Tue May 02, 2023 1:54 am Post subject: |
|
|
every time i come across your program(no alternatives for obsd -_-) i want to kill!
okay, you think you know something about how people live and how their networks work. it's funny, but let it be. but not funny at all when you've fantasized something about it and tell people how to live(there was a similar dude in Germany in the 30s ;)) and build their networks. i'm talking about the case when you "determine"(haha, this is very funny. maybe you should use some stun-server for this? no? haha) external ip-address and if you don't like it(haha) then you prohibit port forwarding. but okay, i found a way to deceive you- it's enough to specify a fake address through the key "-d" that satisfies your aryan worldview(for example, in "-d 1.1.1.1"), so it's not so terrible.
it's much more terrible that you create rules in the anchor that cannot be controlled, but which let traffic through. when i look at several variants of the redirect creation function i feel sick. i'm trying to disable creation of "pass" rules, i'm trying to enable "match" and tag them so that i can do with these packets what i see fit. but every time i forget what i did before, and with each new version i need to reinvent the wheel again. but every year it becomes more and more difficult for me, because with age my mind does not become clearer :D it's not easy for me, because the last time i programmed was a quarter of a century ago(in assembler for Z80 %D).
therefore, i suggest you make a simpler version based on the rule "match in on <ext_if> .. rdr-to <int_if> .. tag <tag>". there is no need to create outgoing rules, since pf maintains the connection state(unless the opposite is explicitly stated) as soon as the first packet passes according to the rule. i.e. if the packet has passed through the redirect, then it will also pass back through all the interfaces involved(unless the opposite is explicitly stated) without any additional rule for this. and all that is needed for the packets to actually go according to these rules is just to specify "pass tagged <tag>" after the anchor. or some other processing that the user needs. do you understand? the user will have complete freedom to do whatever he wants with these packets. and also the number of rules will be reduced by half! |
babut85
Joined: 07 Nov 2022 Posts: 6 Location: moon
|
Posted: Tue May 02, 2023 2:02 am Post subject: |
|
|
p.s: the latest working version under openbsd is 2.3.1. newer ones fail with segmentation fault |
babut85
Joined: 07 Nov 2022 Posts: 6 Location: moon
|
Posted: Tue May 02, 2023 5:44 am Post subject: |
|
|
you know.. you'll give Denuvo a hundred points at start %D
you've set so many checks with addr_is_reserved, that after struggling with them overnight, i decided it was easier to go the other way, namely:
--- /@@@/miniupnpd-2.3.1/pf/obsdrdr.c.org Sun Oct 16 08:47:15 2022
+++ /@@@/miniupnpd-2.3.1/pf/obsdrdr.c Tue May 2 08:31:02 2023
@@ -585,7 +585,7 @@
#endif
#else
#ifndef PF_ENABLE_FILTER_RULES
- pcr.rule.action = PF_PASS;
+ pcr.rule.action = PF_MATCH;
#else
pcr.rule.action = PF_MATCH;
#endif
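Review bot: in the #ifndef PF_ENABLE_FILTER_RULES arm, replacing PF_PASS with PF_MATCH leaves both arms of the #ifndef/#else assigning the same value, so the conditional no longer selects anything, and a build without filter rules now installs a rule that passes no traffic by itself. If that is intended, drop the conditional and document that the main ruleset has to carry its own pass rule for the redirected packets (the post proposes "pass tagged <tag>" after the anchor); otherwise put the match behaviour behind a separate build or configuration option so the default stays PF_PASS.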
@@ -603,7 +603,7 @@
#ifdef PFRULE_HAS_ONRDOMAIN
pcr.rule.onrdomain = -1; /* first appeared in OpenBSD 5.0 */
#endif
- pcr.rule.quick = 1;
+ pcr.rule.quick = 0;
pcr.rule.keep_state = PF_STATE_NORMAL;
if(tag)
strlcpy(pcr.rule.tagname, tag, PF_TAG_NAME_SIZE);
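Review bot: pcr.rule.quick = 0 is set unconditionally here, unlike the action change, which sits under #ifndef PF_ENABLE_FILTER_RULES, so it also alters builds that define PF_ENABLE_FILTER_RULES. The tag is still copied only under if(tag): with a non-quick match rule and no tag configured, later rules have nothing to select these packets by, so consider requiring a tag (or refusing the mapping) when the rule is a match rule, and state that requirement in the option's documentation.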
---
and default sets in config.h, except that need to disable ENABLE_PORT_TRIGGERING. or deal with the case of "pass" rule creation for udp("Create a NAT rule for both inbound and outbound traffic"- what?! allah! these are the same idiots as those who came up with the ia_na mechanism in its current form for ipv6. they are infinitely far from reality).
and run miniupnpd with "-d 1.1.1.1" param.
and create miniupnpd's anchor as 'anchor "miniupnpd" to (self)' (by the way, "(self)"- this is a very convenient directive in pf, i suspect that you don't know about it, otherwise, instead of the monstrous "from any to any" construction, you would use the less monstrous "from any to (self)") |
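The difference between the stock anchor rule and the patched one, and the "pass tagged" proposal from the earlier post, as an added example that is not part of the original posts or of miniupnpd: a simplified Python model of pf evaluation (last matching rule decides, quick stops evaluation, match only applies the tag). The tag name UPNP, the addresses and the operator rules are constructed for illustration.

```python
def evaluate(ruleset, packet):
    """Return (verdict, tags) for a packet against an ordered list of rules."""
    verdict, tags = "pass", set()            # pf's implicit default is pass
    for rule in ruleset:
        if not rule["when"](packet, tags):
            continue
        if rule.get("tag"):
            tags.add(rule["tag"])            # tags stick to the packet
        if rule["action"] != "match":        # match rules never decide
            verdict = rule["action"]
            if rule.get("quick"):
                break                        # quick ends evaluation, anchor included
    return verdict, tags

def is_mapped_port(pkt, tags):
    return pkt["proto"] == "udp" and pkt["dport"] == 1111

# Anchor contents before the patch (the "-" lines): pass, quick.
ANCHOR_STOCK = [{"action": "pass", "quick": True, "when": is_mapped_port}]
# Anchor contents after the patch (the "+" lines): match, not quick, tagged.
ANCHOR_PATCHED = [{"action": "match", "quick": False, "tag": "UPNP",
                   "when": is_mapped_port}]

# Constructed operator policy placed after the anchor in the main ruleset.
BLOCK_BAD_SRC = {"action": "block", "quick": True,
                 "when": lambda p, t: p["src"] == "203.0.113.9"}
PASS_TAGGED = {"action": "pass", "when": lambda p, t: "UPNP" in t}

def verdict(anchor, policy, pkt):
    """Main ruleset: default block, then the anchor, then the operator's rules."""
    block_all = {"action": "block", "when": lambda p, t: True}
    return evaluate([block_all] + anchor + policy, pkt)[0]

BAD = {"src": "203.0.113.9", "proto": "udp", "dport": 1111}    # constructed
GOOD = {"src": "198.51.100.7", "proto": "udp", "dport": 1111}  # constructed

if __name__ == "__main__":
    policy = [BLOCK_BAD_SRC, PASS_TAGGED]
    print("stock, blocked source  :", verdict(ANCHOR_STOCK, policy, BAD))
    print("patched, blocked source:", verdict(ANCHOR_PATCHED, policy, BAD))
    print("patched, other source  :", verdict(ANCHOR_PATCHED, policy, GOOD))
    print("patched, no pass tagged:", verdict(ANCHOR_PATCHED, [], GOOD))
```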
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1594
|
Posted: Mon May 08, 2023 1:49 pm Post subject: |
|
|
babut85 wrote: |
therefore, i suggest you make a simpler version based on the rule "match in on <ext_if> .. rdr-to <int_if> .. tag <tag>". there is no need to create outgoing rules, since pf maintains the connection state(unless the opposite is explicitly stated) as soon as the first packet passes according to the rule. i.e. if the packet has passed through the redirect, then it will also pass back through all the interfaces involved(unless the opposite is explicitly stated) without any additional rule for this. and all that is needed for the packets to actually go according to these rules is just to specify "pass tagged <tag>" after the anchor. or some other processing that the user needs. do you understand? the user will have complete freedom to do whatever he wants with these packets. and also the number of rules will be reduced by half! |
Instead of insulting me, you should attack the UPNP Forum which defined the "NAT Port Triggering" mechanism (see UPnP-gw-WANIPConnection-v2-Service.pdf Section 2.5.16 figure 2.2 - page 49) and software (games) that rely on it
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
© 2007 Thomas Bernard, author of MiniUPNP.