miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Several public IPs and generic redirecting engine
Goto page Previous  1, 2
 
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> NAT/UPnP
View previous topic :: View next topic  
Author Message
nuclight



Joined: 17 Jan 2008
Posts: 23

PostPosted: Thu May 01, 2008 5:09 pm    Post subject: Reply with quote

So, I haven't received answer to my previous post and decided to write my own daemon for my custom conditions. However, I planned to write it the way it's part will be suitable for use in minupnpd - that is, firewall/backend functions are absolutely compatible with miniupnpd in it's API, and you can cut-n-paste the block marked with comments "for miniupnpd" (I used the interface paramete for IP addr passing, but interface passing is still supported because of backward compatibility).

However, I didn't finish work on my daemon - I've written everything except of actual NAT-PMP handling part (and thus entire daemon is not tested). The reason is - my university bosses decided to take away my network from managing by me and my friend, the last several weeks we fighted for it, now I have no access to my router to do anything with it there. May be I'll regain it later, it is still unknown yet, but currently I have no NAT boxes under my control.

So I decided to make available that code which is already written (and slightly updated version of the protocol):

http://antigreen.org/vadim/freebsd/ng_nat/avtnatpmpd/

The part for miniupnpd is complete (just not tested) and you can use it, at least for case (1) from post before, without much patching the miniupnpd sources.

The backend script for ng_nat was not written, but it could be made from rc.conf/rc.d-style ng_nat.sh in http://antigreen.org/vadim/freebsd/ng_nat/ - I planned to do that.
_________________
WBR, Nuclear Lightning
Back to top
View user's profile Send private message Send e-mail
nuclight



Joined: 17 Jan 2008
Posts: 23

PostPosted: Sun Nov 09, 2008 6:44 pm    Post subject: It now works! Reply with quote

Now I'm glad to say that I have regained access to my network with several NAT instances and finished writing my specific daemon. It is now tested and works correctly for two months.

So the updated source code, along with PFCFBP spec, is available here:

http://antigreen.org/vadim/freebsd/ng_nat/avtnatpmpd/
(and http://antigreen.org/vadim/freebsd/ng_nat/ for mentioned ng_nat scripts)

This is working solution written with miniupnpd in mind, so that the code is reusable, so,

To miniupnpd author: There is a section in avtnatpmp.c, marked in comments for copypaste to miniupnpd - please use it ;) just as any other firewall. I've already heard demands for FreeBSD-compatible UPnP engine capable to work with ipfw/ng_nat, so this feature in minupnpd will be useful. My daemon implement custom case for NAT-PMP of several ext IPs in one internal subnet, which is not worth for miniupnpd because not applicable to UPnP - but backend part is still useful.

BTW, some not related to firewalls itself questions - I've tried to keep compatibility in labeling descriptions as "NAT-PMP %s" with timestamp. But then I discovered that miniupnpd keeps relative timestamp, and if I restart daemon due to changed config or for debug, older entries become stale for a long time, increasing with each restart. So I changed this to keeping absolute UNIX timstamp of expiration time, so the system became resistant to daemon restarts. Is there any real reason in minupnpd to keep relative timestamps which I missed?

Another thing I've found is that miniupnpd doesn't fully (all-cases correct)ly implement NAT-PMP specification, so I wrote that myself from scratch.
_________________
WBR, Nuclear Lightning
Back to top
View user's profile Send private message Send e-mail
NoSFeRaTU



Joined: 13 Dec 2008
Posts: 4

PostPosted: Sat Dec 13, 2008 4:09 am    Post subject: Reply with quote

Nuclight, excellent work! I'm using your daemon & scripts on freebsd 6.3 about a month. All works great. It will be amazing if someone teachs miniupnp to work with generic-like engine.
Back to top
View user's profile Send private message
NoSFeRaTU



Joined: 13 Dec 2008
Posts: 4

PostPosted: Sat Dec 13, 2008 4:10 am    Post subject: Reply with quote

If someone interested I've added to avtnatpmpd port range deny support, very hacky & dirty patch (with hardcoded values) is here:
http://fghi.pp.ru/gpl/natpmp/avtnatpmp_hacky_rangedeny.patch
And wrote mapping utility based on libnatpmpc in which you can manually specify gateway, protocol, ports, lifetime:
http://fghi.pp.ru/gpl/natpmp/natpmpc-20081213-GaNJaNET.tar.gz
It can be useful for clients on tunnel protocols (pptp/l2tp/pppoe and so on). Because almost all natpmp client implemetations incorrectly detect gateway ip address and portmapping don't work in this case.

PS. Double posting because "at least one post required to post links" limit.
Back to top
View user's profile Send private message
NoSFeRaTU



Joined: 13 Dec 2008
Posts: 4

PostPosted: Thu Sep 17, 2009 8:11 pm    Post subject: Reply with quote

Is there any news about updating avtnatpmpd or integration with miniupnp?
Back to top
View user's profile Send private message
nuclight



Joined: 17 Jan 2008
Posts: 23

PostPosted: Mon Oct 12, 2009 9:14 am    Post subject: Reply with quote

Alas, don't heard anything, except http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=577

Also, I have downloaded the miniupnpd source from post at the link above and didn't find any mentioned ipfw_*.sh scripts. Moreover, the interface to ipfw used is undocumented, and the ABI is likely to change in the next major FreeBSD release.

Why not to integrate avtnatpmpd's code part specifically designed for miniupnpd? This generic engine would allow easy modifying of binary-interface-independent scripts - you are anyway using scripts, aren't you? So why to have several implementations (even in separate avtnatpmp daemon) when instead just one miniupnpd could be used for all?..
_________________
WBR, Nuclear Lightning
Back to top
View user's profile Send private message Send e-mail
NoSFeRaTU



Joined: 13 Dec 2008
Posts: 4

PostPosted: Fri Oct 16, 2009 10:16 pm    Post subject: Reply with quote

nuclight wrote:
Why not to integrate avtnatpmpd's code part specifically designed for miniupnpd? This generic engine would allow easy modifying of binary-interface-independent scripts - you are anyway using scripts, aren't you? So why to have several implementations (even in separate avtnatpmp daemon) when instead just one miniupnpd could be used for all?..

I'm agree with that, but it looks to me that author of miniupnpd just unintested in this functionality. So, the fork is the only solution...
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1442

PostPosted: Mon Oct 19, 2009 2:12 pm    Post subject: Reply with quote

Unfortunately I don't have any box on which I can test IPFW, So I'm not able to do the testing.
The current code you are talking about was contributed as a patch by a user.
I'm always ready to integrate patches coming from contributors.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
nuclight



Joined: 17 Jan 2008
Posts: 23

PostPosted: Fri Feb 05, 2010 6:50 pm    Post subject: Reply with quote

Hmm, so for this you do need ready-to-go patches or users to test them? I don't know exactly how this code should be arranged to source files or miniupnpd - the funcs are currently the part of the files between comments /* for miniupnpd */ and is currently tested by at least two users, while not in miniupnpd, though. I can call my friends etc. to test the functionality if it will be included into miniupnpd. That's just a generic backend, they can do it for everything...
_________________
WBR, Nuclear Lightning
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> NAT/UPnP All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP
© 2007 Thomas Bernard, author of MiniUPNP.