The forum about miniupnp and libnatpmp

nftables woes (Debian 11, various miniupnpd versions...)

vom513



Joined: 13 Sep 2018
Posts: 10
Location: Ohio, USA

Posted: Mon Jan 24, 2022 8:58 am    Post subject: nftables woes (Debian 11, various miniupnpd versions...)

Hello,

So previously I was running Debian 9 as my firewall. Still running iptables. I had compiled miniupnpd from git at the time. Everything was working well.

This weekend I made the decision to wipe the firewall and go with Debian 11 Bullseye. As part of this - I started to run into issues running iptables. Namely - miniupnpd from github wouldn't compile with the iptables config.

So I bit the bullet - converted all my iptables rules to nftables. That's the inevitable future anyway, right? So now my firewall runs nftables, so far so good.

I tried Debian's package of miniupnpd. It seems to nuke my nat table, and thereby kill my ipv4 internet access. (PS: this is a *really* good way to find out which sites are ipv6 reachable when you are googling around for help.)

So I removed this, and pulled from github. Compiled and edited config.h the way I want it. Did a make install (PS: why is there no 'uninstall' in the Makefile? I had to hunt the files down by hand and remove them). One thing I noticed is that even though I just built and installed the nftables flavor of miniupnpd - the init script that got installed says it's from 2007 - and more importantly - it's trying to run iptables scripts - not nftables. I tried to edit this to run the nft_init.sh etc. but this didn't work either. On that note - I had to manually copy the miniupnpd_functions script into /etc/miniupnpd. Seems make install didn't bring this over.

EDIT: With the github version - my nat table doesn't get nuked, but something in the priorities and packet processing makes my masquerade rule not get hit. I'm guessing it's the one deny policy in nft_init.sh? Again - this kills my ipv4 access.

So my ultimate question - does anyone have miniupnpd running successfully with nftables?

I also saw a few threads / issues such as:

https://github.com/miniupnp/miniupnp/issues/397

Seems like some of what I experienced, but unfortunately nothing in there helped me.

Thanks.
u308d3



Joined: 24 Jan 2022
Posts: 1

Posted: Mon Jan 24, 2022 8:16 pm

I saw the latest version 2.3 claimed to support nftables, but after trying it today it does not look ready for use. I'm on Fedora 35 x86_64 using nftables, and I went through the hand compile/install process.

I also saw I had to manually copy missing scripts that were not installed by 'make install', and had to edit them. After I got the daemon to successfully start, it killed my NAT access.

I was hoping to find more details on what the daemon is trying to do, and perhaps customise the rules that get added to my pre-existing nftables ruleset, so it does not destroy my existing connection & nftables ruleset, but there seems to be no accommodation or documentation for any of this.

I'll check here out of curiosity to see if this ever works, but in the meantime I am looking at just reverting to iptables so I can have upnp on my NAT router. I am mystified at how much harder setting up a Linux NAT router is in 2022 than it was around 2002. Relevant docs are hard to find, and miniupnpd seemed like the best bet to get an expected service like upnp working, but it does not work. I'm finding it hard to face the idea that perhaps the only way to get upnp working without a headache is to install some questionable router appliance distro.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Sat May 07, 2022 8:52 am

the support for installing nft init scripts was added in February:
https://github.com/miniupnp/miniupnp/commit/c8476e6f16f8c000aa5e882562994c8129257154

you can test with the updated sources
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
vom513



Joined: 13 Sep 2018
Posts: 10
Location: Ohio, USA

Posted: Sat May 07, 2022 7:18 pm

miniupnp wrote:
the support for installing nft init scripts was added in February:
https://github.com/miniupnp/miniupnp/commit/c8476e6f16f8c000aa5e882562994c8129257154

you can test with the updated sources


That is good news.

The bad news is the out of the box policy and chains that get built still completely kill my internet access.

Out of curiosity, in /etc/miniupnpd/nft_init.sh, near the top, I changed the default policy from drop to accept:

#policy drop;
policy accept;

With this change, my internet access is no longer killed. I also tested some forwarding to make sure I didn't open a hole. I have explicit drops for "new" traffic already, so it seems I'm good here.

However, the port forwarding still doesn't work. I see the rules get built (testing with upnpc) - but it seems like my packets never get there. I feel like I need some kind of jump or something in my existing rules to go to miniupnpd chains and come back?

I'd love to help troubleshoot this, but I'd need some guidance. I don't pretend to be an nftables expert, but I know my way around okay.
vom513



Joined: 13 Sep 2018
Posts: 10
Location: Ohio, USA

Posted: Sat May 07, 2022 7:58 pm

I might have made the tiniest bit of progress. It seems that I (and seemingly other folks) have separate ip and ip6 tables in play. In the nftables world, there is the magical inet table which processes both v4 + v6 packets. miniupnpd's scripts are doing all their work in the inet table.

Out of curiosity - I made a version of my rules with everything in inet (no more ip, ip6). I had to tweak a few things - but it was working.

However, as soon as I started miniupnpd - my forward chain was flushed and replaced by miniupnpd's.

So it seems there are a couple of things that might have to happen to remedy all this:

- Users need to be told to run all their existing rules in inet and not separate
- The miniupnpd .sh scripts need to do things differently to account for existing rules. This is where I get shaky on what actually should be done...
vom513



Joined: 13 Sep 2018
Posts: 10
Location: Ohio, USA

Posted: Sat May 07, 2022 10:34 pm

Well against all odds I think I got this working. Here's a rundown of the things I did:

- In my rules my forward chain was FORWARD (all caps) - miniupnpd was trying to put things in forward (lowercase). I changed my chain to forward.

- The nft_init.sh script will exit if the table is already there. So my nftables script (systemd) was fighting the miniupnpd ones and having race conditions / flushing. So my solution was to take the chains that miniupnpd creates - and pre-create them in my ruleset.

- This isn't really related to nftables - but miniupnpd would get jammed up with systemd timing and try to start before IPs are assigned (this is my home firewall - so the WAN has to get DHCP from the ISP of course). My solution (very ugly and old school) was to put a sleep 30 in the init script and call this from rc.local. There's probably a more elegant solution for this - but I'll tackle that some other time.

I just tested upnpc using both v4 and v6 and was able to forward/pinhole on both.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Sat May 14, 2022 10:19 am

thank you for sharing your experience.
Can you share your improvements to miniupnpd init scripts?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
vom513



Joined: 13 Sep 2018
Posts: 10
Location: Ohio, USA

Posted: Mon May 16, 2022 11:18 pm

miniupnp wrote:
thank you for sharing your experience.
Can you share your improvements to miniupnpd init scripts?


Yeah - I'll give it a shot. To be clear - I didn't really edit the scripts when all is said and done. It was more understanding what the scripts were trying to do vs. my pre-existing rules.

So what started me down this path - was that on my most recent attempt to get miniupnpd going from source, I had issues with it configured for iptables. I decided to take the plunge and convert to nftables. When I did this, I had both iptables and ip6tables. The conversion put these into ip and ip6 tables (nf) respectively. The way the scripts that come with miniupnpd work is they do everything in the inet (mixed v4/v6) table. So at that point I had 3 tables in action (ip, ip6, and inet). It never seemed that packets made it to the inet table (I would assume that by default in nftables-land - ip and ip6 have priority (first) before inet (more specific match at a protocol level)). Again, I have to admit I'm an nftables newbie.

So I bit the next bullet and put all my rules into inet. Had to do some tweaks here and there of course, but once it was done - I like the elegance of having everything in one table type. After this though, I was fighting race conditions with nftables starting on boot vs. miniupnpd, restarting my rules if I make a change etc. Also, if miniupnpd was creating the tables (nft_init.sh) - it was setting some policies to "drop". In my ruleset, I have everything accept and have explicit "clean up" rules at the end of every possible flow (input, forward, etc).

So finally the state I arrived at which works, is that I manually put the rules that miniupnpd would have created into my rules. This way - the logic in nft_init.sh sees that the table already exists and exits. To realize this though - you have to ensure miniupnpd starts AFTER the nftables script. Since miniupnpd ships with sysv init scripts, and most distros are systemd now, there is some asynchronous startup action and possible race conditions. My ugly solution was to add a sleep 30 into the top of the miniupnpd init script as well as to manually call it from rc.local.

This also allows me to keep my accept default policy in place. With the drop policy, my ipv4 NAT was dead in the water every time.

So as for a solution for the package going forward, I guess maybe a more detailed documentation section on nftables? I.e. telling the user that everything will be in inet and to plan accordingly (can you even jump from a top level table to another in nftables?). I don't think the scripts are "broken" per se, I think they only work in a very specific setup (i.e. not mine).

Hope this info helps. I'm happy to try things and help troubleshoot more going forward now that I have a known good config. Thanks.
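A preflight check for the setup vom513 describes in the two posts above (everything in the inet family, the forward-hook chain spelled "forward", the miniupnpd tables pre-created so nft_init.sh finds them and exits). This is an added example, not part of miniupnpd or of this thread: it parses the JSON that "nft -j list ruleset" prints, the sample ruleset is constructed, and the behaviour attributed to nft_init.sh (exiting when the table exists, otherwise creating its own with a drop policy) is taken from the posts rather than from the script itself.

```python
import json
import sys

# Constructed sample of `nft -j list ruleset` output for a ruleset converted
# from iptables/ip6tables: separate ip and ip6 tables, uppercase FORWARD chains.
SAMPLE_RULESET_JSON = json.dumps({"nftables": [
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "FORWARD", "handle": 1,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"table": {"family": "ip6", "name": "filter", "handle": 2}},
    {"chain": {"family": "ip6", "table": "filter", "name": "FORWARD", "handle": 1,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"table": {"family": "ip", "name": "nat", "handle": 3}},
    {"chain": {"family": "ip", "table": "nat", "name": "POSTROUTING", "handle": 1,
               "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept"}},
]})


def check_ruleset(ruleset_json):
    """Return findings as strings; empty means the ruleset matches what the thread
    found the miniupnpd nft scripts expect, so nft_init.sh should reuse it."""
    objs = json.loads(ruleset_json)["nftables"]
    tables = [o["table"] for o in objs if "table" in o]
    chains = [o["chain"] for o in objs if "chain" in o]
    findings = []
    # 1. The scripts work in the inet family; packets handled by ip/ip6 tables
    #    are not seen by the inet chains miniupnpd adds rules to.
    other = sorted({t["family"] for t in tables} - {"inet"})
    if other:
        findings.append("rules in %s tables; miniupnpd works in inet" % "/".join(other))
    # 2. The inet forward-hook base chain must be spelled `forward` (lowercase).
    inet_fwd = [c for c in chains if c["family"] == "inet" and c.get("hook") == "forward"]
    if not inet_fwd:
        findings.append("no inet forward base chain; nft_init.sh will create its own table")
    for c in inet_fwd:
        if c["name"] != "forward":
            findings.append("inet %s: chain %r should be named 'forward'" % (c["table"], c["name"]))
    # 3. Report drop policies so the admin can confirm explicit accepts exist;
    #    the working setup in the thread keeps accept as the default policy.
    for c in chains:
        if c.get("policy") == "drop":
            findings.append("%s %s %s has policy drop" % (c["family"], c["table"], c["name"]))
    return findings


if __name__ == "__main__":
    # Usage: nft -j list ruleset | python3 check_nft_for_miniupnpd.py (sample if no pipe)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET_JSON
    for line in check_ruleset(data) or ["ruleset looks compatible"]:
        print(line)
```

Run it before starting miniupnpd; an empty report means nft_init.sh should find the existing inet table and leave the default accept policy alone.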
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Wed May 18, 2022 5:48 am

yes, the documentation should be improved anyway.
About the systemd starting thing, it must be configurable so that miniupnpd depends on the nftables init being finished.

in the miniupnpd.service we should add nftables or something in After=

Code:
[Unit]
Description=MiniUPnPD
After=network.target

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Wed May 18, 2022 5:51 am

maybe
Code:
After=network.target nftables.target
?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
© 2007 Thomas Bernard, author of MiniUPNP.