IGD2 Port triggering

miniupnp (Site Admin)
Posted: Thu Jan 28, 2016 5:45 pm

@AndyF Thank you for your tests, I'm happy it seems to work :)
I think the current code may have issues with how the rules are deleted, I'll have to check that.
(If the xboxes properly call DeletePortMapping, please have a look at your iptables rules after you have shut them down...)

Also I think the "-o ppp0" should be removed (it is already in the rule which jumped to MINIUPNPD-POSTROUTING chain)
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/

AndyF
Posted: Thu Jan 28, 2016 6:20 pm

I've never seen xbox or xbox one or the game try to delete on my old setup :(

IIRC I once tested a PS3 and that did delete its port on shutdown, which makes me think the xboxes really don't try.

I am a bit stumped about the right thing to do here - Just insert rather than append I guess would be easy and is what I did.

I wonder if the specs say anything about this situation.

FWIW I have/can make more tcpdumps easily - it's not too pretty trying to read the ascii in the packets, but is possible!

Slightly unrelated I do wonder what the xbox does with DHCP and whether it behaves differently with different servers.

Mine by luck rather than explicit configuration seem to get the same IPs and it's almost like they test on startup.

For example here's the daemon log of the two being started for the first time after I installed miniupnpd.

Code:

Jan 28 12:37:36 asr miniupnpd[11055]: HTTP listening on port 45798
Jan 28 12:53:11 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:dc:93 via eth0
Jan 28 12:53:12 asr dhcpd: DHCPOFFER on 192.168.0.220 to b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:12 asr dhcpd: Wrote 10 leases to leases file.
Jan 28 12:53:12 asr dhcpd: DHCPREQUEST for 192.168.0.220 (192.168.0.1) from b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:12 asr dhcpd: DHCPACK on 192.168.0.220 to b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:15 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Jan 28 12:53:18 asr dhcpd: DHCPINFORM from 192.168.0.220 via eth0
Jan 28 12:53:18 asr dhcpd: DHCPACK to 192.168.0.220 (b4:ae:2b:67:dc:93) via eth0
Jan 28 12:53:26 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:53:26 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:dc:93 (XboxOne) via eth0
Jan 28 12:53:26 asr dhcpd: DHCPOFFER on 192.168.0.220 to b4:ae:2b:67:dc:93 via eth0
Jan 28 12:53:26 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:53:26 asr dhcpd: DHCPREQUEST for 192.168.0.220 (192.168.0.1) from b4:ae:2b:67:dc:93 via eth0
Jan 28 12:53:26 asr dhcpd: DHCPACK on 192.168.0.220 to b4:ae:2b:67:dc:93 via eth0
Jan 28 12:55:16 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Jan 28 12:58:10 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:be:45 via eth0
Jan 28 12:58:11 asr dhcpd: DHCPOFFER on 192.168.0.221 to b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:12 asr dhcpd: DHCPREQUEST for 192.168.0.221 (192.168.0.1) from b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:12 asr dhcpd: DHCPACK on 192.168.0.221 to b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:17 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Jan 28 12:58:20 asr dhcpd: DHCPINFORM from 192.168.0.221 via eth0
Jan 28 12:58:20 asr dhcpd: DHCPACK to 192.168.0.221 (b4:ae:2b:67:be:45) via eth0
Jan 28 12:58:25 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:58:25 asr dhcpd: DHCPDISCOVER from b4:ae:2b:67:be:45 (XboxOne) via eth0
Jan 28 12:58:25 asr dhcpd: DHCPOFFER on 192.168.0.221 to b4:ae:2b:67:be:45 via eth0
Jan 28 12:58:25 asr dhcpd: reuse_lease: lease age 14 (secs) under 25% threshold, reply with unaltered, existing lease
Jan 28 12:58:25 asr dhcpd: DHCPREQUEST for 192.168.0.221 (192.168.0.1) from b4:ae:2b:67:be:45 via eth0
Jan 28 12:58:25 asr dhcpd: DHCPACK on 192.168.0.221 to b4:ae:2b:67:be:45 via eth0
Jan 28 13:01:11 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0

AndyF
Posted: Mon Feb 08, 2016 7:36 pm

It seems that deleting rules where 0 for infinite lease is requested has some issues.

AIUI 7 days should be used - after 7 days I started looking to see if the oldest rules started getting deleted, but they didn't.

A day later a whole batch of rules got deleted including some that were active at the time. The active ones were those where the xbox ones request the same port as last time - so it seems that the 0 lease is not extended when this happens.

There was a PC game that requested a 6 hour lease and this got cleared correctly.

After the batch delete of rules -

Feb 5 21:17:26 asr miniupnpd[11055]: removed 19 unused rules

One xbox later connected resulting in logging as below. When I examined the rules that were left it seems this xbox did not get its port. I have since updated miniupnpd and set logging to INFO - so maybe more of what happens will be shown.

Code:

Feb  5 21:55:59 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 21:56:48 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 21:57:25 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 21:59:13 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:01:05 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:03:34 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:06:12 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:09:23 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:12:22 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:15:44 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:19:01 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:22:08 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:25:27 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:28:22 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:32:02 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:35:44 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:38:58 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:42:11 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:45:44 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:48:48 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0
Feb  5 22:52:26 asr miniupnpd[11055]: add_redirect_rule2(): addmasqueraderule returned 0

miniupnp (Site Admin)
Posted: Mon Feb 08, 2016 10:56 pm

I fixed that bogus log:
https://github.com/miniupnp/miniupnp/commit/3284d113c7b61762540d53ab16c65ee8c28c4929

AndyF
Posted: Mon Feb 08, 2016 11:10 pm

OK - I am running updated now.

The thing about those messages was they were after the delete and didn't result in anything happening iptables wise.

Before the delete a message like that was "real" in that a rule was created.

AndyF
Posted: Wed Feb 10, 2016 11:48 pm

So after looking at the code a bit I understand a bit what happened.

I am not using IGD2 so don't get the 7-day timeout for 0 leases. Even if I did I think there would be an issue with the lease time not getting reset when the client re-requests the same port.

So what happened above is I hit the cleaning threshold, but it seems the algorithm is a bit over aggressive and deleted ports that were in use.

It seems to look at DNAT usage counters (I am unsure on time period), but it would be quite normal for there to be low/no traffic seen as DNAT only counts connections not traffic.

From other threads it seems that xbox one has issues with IGD2 - I haven't tried yet, but even if it did work there is another possible issue with appended postrouting rules.

As things stand the game that needs these works by luck, but I think it would be better to insert the masq rules rather than append.

1. It seems illogical not to use the mapping just requested over an old one by the same host. It's not like opening ports inbound where multiple can map to one - there can AFAICT only ever be one outbound mapping when remote host is wildcard for the same internal port.

2. Though appending and so using older existing mappings works by luck for my test case, it could be broken by lease timeout (assuming IGD2) - it may be deleted while in use, inserting would avoid this.
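
The ordering argument in the post above, as an added C model (not miniupnpd or libiptc code): a first-match chain in which the same host and internal port are mapped twice, evaluated before and after the older rule is removed. The struct and function names and the port numbers are hypothetical; only the LAN address is taken from the log earlier in the thread.

```c
#include <stdio.h>
#include <string.h>
#define MAX_RULES 8

/* Model: traffic leaving from iaddr:iport gets external source port eport. */
struct masq { const char *iaddr; unsigned iport, eport; };
struct chain { struct masq r[MAX_RULES]; int n; };

/* Put m at position pos; pos 0 is the head, pos == n is an append. */
static int chain_insert(struct chain *c, struct masq m, int pos) {
    if (c->n >= MAX_RULES || pos < 0 || pos > c->n) return -1;
    memmove(&c->r[pos + 1], &c->r[pos], (size_t)(c->n - pos) * sizeof m);
    c->r[pos] = m; c->n++;
    return 0;
}

/* Remove every rule that carries external port eport (lease ran out). */
static void chain_delete(struct chain *c, unsigned eport) {
    int kept = 0;
    for (int i = 0; i < c->n; i++)
        if (c->r[i].eport != eport) c->r[kept++] = c->r[i];
    c->n = kept;
}

/* First match wins: source port used for iaddr:iport, 0 if no rule matches. */
static unsigned chain_lookup(const struct chain *c, const char *iaddr, unsigned iport) {
    for (int i = 0; i < c->n; i++)
        if (c->r[i].iport == iport && strcmp(c->r[i].iaddr, iaddr) == 0)
            return c->r[i].eport;
    return 0;
}

/* Same host and internal port mapped twice: stale rule (40001), then the new
 * one (40002). Reports the source port before and after the stale rule goes. */
static void run(int insert_new, unsigned *before, unsigned *after) {
    const char *host = "192.168.0.220";
    struct chain c = { .n = 0 };
    chain_insert(&c, (struct masq){ host, 30000, 40001 }, c.n);
    chain_insert(&c, (struct masq){ host, 30000, 40002 }, insert_new ? 0 : c.n);
    *before = chain_lookup(&c, host, 30000);
    chain_delete(&c, 40001);
    *after = chain_lookup(&c, host, 30000);
}

int main(void) {
    unsigned b, a;
    run(0, &b, &a); printf("append: before=%u after=%u\n", b, a);
    run(1, &b, &a); printf("insert: before=%u after=%u\n", b, a);
    return 0;
}
```

With append the source port in use changes when the stale rule is removed; with insert at position 0 it stays the same.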

miniupnp (Site Admin)
Posted: Thu Feb 11, 2016 9:17 am

The "Unused rules cleaning" works by comparing byte and packet count for the "nat redirect rule" (DNAT)
The interval (seconds) is set in miniupnpd.conf
Code:
clean_ruleset_interval=600

10 minutes is maybe too low for you
You should add syslog() in upnpredirect.c/remove_unused_rules() to check if the counter values are relevant.


Indeed miniupnpd doesn't check that 2 port mappings don't redirect to the same LAN host:port, as it isn't relevant for inbound connections.
I will have a look at what the UPnP specs say about it.

Inserting / appending is only changing the order of priority of the rules. This should not matter as rules should not collide...
You can try to change it in netfilter/iptcrdr.c on line 1080 : iptc_append_entry() => iptc_insert_entry()
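
A C model of the counter comparison described in the post above, showing why a mapping that carries one long-lived session looks idle to the cleaner. It is an added illustration, not miniupnpd source: the struct, the function names and the ports are hypothetical, and the one behaviour assumed is that nat-table counters advance once per new connection.

```c
#include <stdio.h>
#include <stdint.h>

/* Model only (hypothetical names): a redirect rule plus its last snapshot. */
struct rule {
    unsigned short eport;              /* external port (constructed) */
    uint64_t packets, bytes;           /* nat-table counters */
    uint64_t last_packets, last_bytes; /* values seen at the previous pass */
    int live;                          /* open sessions, unseen by cleaner */
    int present;
};

/* Only the first packet of a connection traverses the nat table, so a
 * session bumps the counters once, however long it then stays up. */
static void new_connection(struct rule *r, unsigned len) {
    r->packets++; r->bytes += len; r->live++;
}

/* One pass per clean_ruleset_interval: drop rules whose counters did not
 * move since the last pass, re-snapshot the rest. Returns rules removed. */
static int clean_pass(struct rule *rules, int n) {
    int removed = 0;
    for (int i = 0; i < n; i++) {
        struct rule *r = &rules[i];
        if (!r->present) continue;
        int idle = r->packets == r->last_packets && r->bytes == r->last_bytes;
        if (idle) { r->present = 0; removed++; }
        r->last_packets = r->packets; r->last_bytes = r->bytes;
    }
    return removed;
}

/* Rule 0: one long game session. Rule 1: a new connection every interval.
 * Rule 2: leftover mapping nobody uses. Returns bitmask of survivors. */
static int scenario(struct rule *r) {
    for (int i = 0; i < 3; i++)
        r[i] = (struct rule){ .eport = (unsigned short)(40001 + i), .present = 1 };
    new_connection(&r[0], 60); new_connection(&r[1], 60);
    clean_pass(r, 3);              /* removes rule 2 only */
    new_connection(&r[1], 60);
    clean_pass(r, 3);              /* removes rule 0 although live == 1 */
    return r[0].present | (r[1].present << 1) | (r[2].present << 2);
}

int main(void) {
    struct rule r[3];
    int left = scenario(r);
    printf("survivors mask=%d, rule 0 live sessions=%d\n", left, r[0].live);
    return 0;
}
```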

AndyF
Posted: Thu Feb 11, 2016 9:04 pm

miniupnp wrote:
The "Unused rules cleaning" works by comparing byte and packet count for the "nat redirect rule" (DNAT)
The interval (seconds) is set in miniupnpd.conf
Code:
clean_ruleset_interval=600

10 minutes is maybe too low for you
You should add syslog() in upnpredirect.c/remove_unused_rules() to check if the counter values are relevant.


OK, thanks, yea given the counters are for connections and not traffic then 10 minutes will be the reason.

miniupnp wrote:
Indeed miniupnpd doesn't check that 2 port mappings don't redirect to the same LAN host:port, as it isn't relevant for inbound connections.
I will have a look at what the UPnP specs say about it.

Inserting / appending is only changing the order of priority of the rules. This should not matter as rules should not collide...


Yea, but I don't see any other way WRT backward compatibility. I mean an IGD1 client may be allowed to ask for 2 external ports to be redirected to one internal. Checking for collisions because of IGD2 behavior shouldn't break this.

In fact even for IGD2 I don't think disallowing collisions would work for my test case - not that I tested, or know what "disallowing collisions" would look like.

The game in question doesn't bother to clean up its own mappings and requests new, apparently random mappings each run. Inserting the masq rules does seem like the best way to easily solve without hurting old clients.

miniupnp wrote:
You can try to change it in netfilter/iptcrdr.c on line 1080 : iptc_append_entry() => iptc_insert_entry()


Thanks, I'll try this.

In addition, I may try to use IGD2 timeout rather than relying on cleaning - Looks like this will need some work WRT renewing lease for the xbox ones themselves - as they reuse their ports.

In fact when I get time I'll see if they'll work with IGD2 "proper" - I see this didn't work out for some.

AndyF
Posted: Sun Feb 21, 2016 12:52 am

I tried with IGD2 enabled and the xbox ones don't open any ports with that enabled.

Looking back over some tcpdumps that I did with Linux IGD2 I can see that was working in "compatibility for broken clients" mode and the xboxes were getting the 1 version of things.

The recent updates that reset the lease expire times for existing mappings are working OK for me. Tested by forcing any requested zero leases to be one day - which is probably how I'll leave it for my use case to avoid other cleaning - I know that it should really be a week to be compliant with IGD2.

Inserting libiptc rules is also working OK. I had to use 0 for the position - some docs say 1 but that didn't work for me starting with empty chains.

So thanks for all your work on this.
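
The lease behaviour discussed in this post, as an added C model that is not miniupnpd code: a requested lease of 0 becomes a configurable duration (a week for IGD2 as the thread states, or 0 to keep it permanent), and a repeat request for the same mapping either resets the expiry or does not. The table layout, the function names and the ports are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MAP 8
#define DAY  86400UL
#define WEEK (7 * DAY)   /* 604800 s, the IGD2 value named in the thread */
/* Hypothetical table entry; expires == 0 means the mapping has no timeout. */
struct mapping { int used; unsigned eport, iport; char iaddr[16]; unsigned long expires; };

/* AddPortMapping model. zero_lease is what a requested lease of 0 becomes
 * (0 = permanent); renew says whether a repeat request resets the expiry. */
static int add_mapping(struct mapping *t, unsigned long now, unsigned eport, const char *iaddr,
                       unsigned iport, unsigned long lease, unsigned long zero_lease, int renew) {
    unsigned long d = lease ? lease : zero_lease, expires = d ? now + d : 0;
    struct mapping *m = NULL;
    for (int i = 0; i < MAX_MAP; i++) {
        if (t[i].used && t[i].eport == eport) { m = &t[i]; break; }
        if (!t[i].used && !m) m = &t[i];
    }
    if (!m) return -1;                        /* table full */
    if (m->used && (m->iport != iport || strcmp(m->iaddr, iaddr) != 0))
        return -1;                            /* port held by another client */
    if (m->used) { if (renew) m->expires = expires; return 0; }
    *m = (struct mapping){ .used = 1, .eport = eport, .iport = iport, .expires = expires };
    snprintf(m->iaddr, sizeof m->iaddr, "%s", iaddr);
    return 0;
}

/* Lease timer: drop mappings whose expiry has passed. Returns count removed. */
static int expire(struct mapping *t, unsigned long now) {
    int n = 0;
    for (int i = 0; i < MAX_MAP; i++)
        if (t[i].used && t[i].expires && t[i].expires <= now) { t[i].used = 0; n++; }
    return n;
}

/* Constructed timeline: lease 0 requested on day 0, same mapping requested
 * again on day 6, timer runs on day 8. Returns 1 if the mapping is still up. */
static int survives_day8(unsigned long zero_lease, int renew) {
    struct mapping t[MAX_MAP] = {0};
    add_mapping(t, 0, 40001, "192.168.0.220", 30000, 0, zero_lease, renew);
    add_mapping(t, 6 * DAY, 40001, "192.168.0.220", 30000, 0, zero_lease, renew);
    expire(t, 8 * DAY);
    return t[0].used;
}

int main(void) {
    printf("week, no renew=%d  week, renew=%d  permanent=%d\n",
           survives_day8(WEEK, 0), survives_day8(WEEK, 1), survives_day8(0, 0));
    return 0;
}
```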

miniupnp (Site Admin)
Posted: Tue Mar 08, 2016 9:08 am

see https://github.com/miniupnp/miniupnp/issues/193

All times are GMT
© 2007 Thomas Bernard, author of MiniUPNP.