miniupnp.tuxfamily.org Forum Index
The forum about miniupnp and libnatpmp

ipfilter broken in miniupnpd-1.6.20120305

 
metalliqaz

Joined: 13 Mar 2012
Posts: 6

Posted: Tue Mar 13, 2012 2:06 am    Post subject: ipfilter broken in miniupnpd-1.6.20120305

Is ipf supported in recent versions of miniupnpd? I am trying to compile the latest version and the ipf code seems out of date compared to ipfw and pf.

-d
metalliqaz

Joined: 13 Mar 2012
Posts: 6

Posted: Tue Mar 13, 2012 3:29 am

Okay, did some looking myself. I will email Darren Reed to see if he is still interested in maintaining the code.

In the meantime, here are the diffs that show what I had to do to get it to compile on NetBSD 6 with ipfilter.

First, the ipfilter code. The function prototypes for the redirects changed. It needs to implement the rhost and timestamp. Also, it is missing the get_portmappings_in_range function.

EDIT: See next post for a new diff.

Here is the header that goes with it.
Code:
--- ipfrdr.h.orig       2012-03-05 15:37:13.000000000 -0500
+++ ipfrdr.h    2012-03-12 23:23:46.000000000 -0400
@@ -10,12 +10,12 @@
 #include "../commonrdr.h"

 int
-add_redirect_rule2(const char * ifname, unsigned short eport,
+add_redirect_rule2(const char * ifname, const char * rhost, unsigned short eport,
                    const char * iaddr, unsigned short iport, int proto,
-                                  const char * desc);
+                                  const char * desc, unsigned int timestamp);

 int
-add_filter_rule2(const char * ifname, const char * iaddr,
+add_filter_rule2(const char * ifname, const char * rhost, const char * iaddr,
                  unsigned short eport, unsigned short iport,
                                 int proto, const char * desc);
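Review bot: The new rhost and timestamp parameters on add_redirect_rule2() and the new rhost parameter on add_filter_rule2() are undocumented in this header. A short comment above each prototype should say that rhost may be NULL, empty or "*" to mean any remote host (that is how the ipfrdr.c patch treats it) and what unit timestamp is in, since callers cannot tell from the types alone. The argument order also differs between the two functions (rhost, eport, iaddr, iport in one; rhost, iaddr, eport, iport in the other), which is easy to get wrong at call sites because eport and iport are both unsigned short; worth calling out in the same comment.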



On netbsd6, route.h contains the "inline" keyword, which is not ansi C, so I removed the -ansi flag for gcc. This is something I can fix with the pkgsrc framework, so I don't care if this is "fixed" in miniupnpd.

Code:
--- Makefile.orig       2012-03-05 15:37:13.000000000 -0500
+++ Makefile    2012-03-12 23:24:16.000000000 -0400
@@ -38,6 +38,7 @@
 .endif

 .if $(OSNAME) == "NetBSD"
+CFLAGS = -pipe -Wall -Os
 FWNAME != . /etc/rc.subr; . /etc/rc.conf; \
           if checkyesno ipfilter; then \
           echo "ipf"; else echo "pf"; fi
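Review bot: The added `CFLAGS = -pipe -Wall -Os` line in the NetBSD block replaces CFLAGS outright with a plain assignment, so any flags set earlier in the Makefile or supplied through the environment are dropped for NetBSD builds, not just -ansi. If the goal is only to get past the inline keyword in route.h, filter out the one flag instead, for example `CFLAGS := ${CFLAGS:N-ansi}`, so everything else the build or the packaging framework asked for is kept.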


Last edited by metalliqaz on Tue Mar 13, 2012 3:38 pm; edited 1 time in total
metalliqaz

Joined: 13 Mar 2012
Posts: 6

Posted: Tue Mar 13, 2012 3:18 pm

Here I am again... I couldn't let it rest, I suppose.

Even though I don't fully grok ipfilter, I implemented the missing functions using mostly copy-paste.

EDIT: added timestamp support

Code:
--- ipfrdr.c.orig   2012-03-05 15:37:13.000000000 -0500
+++ ipfrdr.c   2012-03-13 16:40:40.000000000 -0400
@@ -131,6 +131,7 @@
    struct rdr_desc * next;
    unsigned short eport;
    int proto;
+   unsigned int timestamp;
    char str[];
 };
 
@@ -138,7 +139,8 @@
 static struct rdr_desc * rdr_desc_list;
 
 static void
-add_redirect_desc(unsigned short eport, int proto, const char * desc)
+add_redirect_desc(unsigned short eport, int proto,
+                  unsigned int timestamp, const char * desc)
 {
    struct rdr_desc * p;
    size_t l;
@@ -150,6 +152,7 @@
          p->next = rdr_desc_list;
          p->eport = eport;
          p->proto = proto;
+         p->timestamp = timestamp;
          memcpy(p->str, desc, l);
          rdr_desc_list = p;
       }
@@ -174,20 +177,25 @@
    }
 }
 
-static void
+/* Okay, so this is a little awkward, but looking at how this function is used,
+   returning a timestamp right now is better than doing another linear search
+   for the same rule.    //DAH
+*/
+static unsigned int
 get_redirect_desc(unsigned short eport, int proto, char * desc, int desclen)
 {
    struct rdr_desc * p;
 
    if (desc == NULL || desclen == 0)
-      return;
+      return 0;
    for (p = rdr_desc_list; p; p = p->next) {
       if (p->eport == eport && p->proto == proto)
       {
          strncpy(desc, p->str, desclen);
-         return;
+         return p->timestamp;
       }
    }
+   return 0;
 }
 
 int init_redirect(void)
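Review bot: get_redirect_desc() now returns 0 in three different situations: desc is NULL or desclen is 0, no matching entry exists, and a matching entry whose stored timestamp really is 0. Callers cannot tell these apart, so consider returning the timestamp through an `unsigned int *` out-parameter and keeping a found/not-found return code. While touching this function, the `strncpy(desc, p->str, desclen);` context line leaves desc unterminated when the stored string is desclen bytes or longer; terminate it explicitly with `desc[desclen-1] = '\0';`.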
@@ -221,9 +229,9 @@
 }
 
 int
-add_redirect_rule2(const char * ifname, unsigned short eport,
-    const char * iaddr, unsigned short iport, int proto,
-    const char * desc)
+add_redirect_rule2(const char * ifname, const char * rhost,
+    unsigned short eport, const char * iaddr, unsigned short iport,
+    int proto, const char * desc, unsigned int timestamp)
 {
    struct ipnat ipnat;
    struct ipfobj obj;
@@ -257,6 +265,12 @@
    }
 #endif
 
+   if(rhost && rhost[0] != '\0' && rhost[0] != '*')
+   {
+      inet_pton(AF_INET, rhost, &ipnat.in_src[0].in4);
+      ipnat.in_src[1].in4.s_addr = 0xffffffff;
+   }
+
    inet_pton(AF_INET, iaddr, &ipnat.in_in[0].in4);
    ipnat.in_in[1].in4.s_addr = 0xffffffff;
 
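Review bot: The return value of `inet_pton(AF_INET, rhost, &ipnat.in_src[0].in4)` in the new rhost block is not checked. If rhost is anything other than a valid dotted-quad IPv4 string, inet_pton() does not return 1 and in_src[0] keeps whatever it held, yet the mask is still set to 0xffffffff and the rule goes on to be installed with a source restriction nobody asked for. Return an error before the ioctl when inet_pton() != 1. The same applies to the existing iaddr conversion just below it.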
@@ -269,7 +283,7 @@
    if (r == -1)
       syslog(LOG_ERR, "ioctl(SIOCADNAT): %m");
    else
-      add_redirect_desc(eport, proto, desc);
+      add_redirect_desc(eport, proto, timestamp, desc);
    return r;
 }
 
@@ -280,12 +294,15 @@
 get_redirect_rule(const char * ifname, unsigned short eport, int proto,
     char * iaddr, int iaddrlen, unsigned short * iport,
     char * desc, int desclen,
+    char * rhost, int rhostlen,
+    unsigned int * timestamp,
     u_int64_t * packets, u_int64_t * bytes)
 {
    ipfgeniter_t iter;
    ipfobj_t obj;
    ipnat_t ipn;
    int r;
+   unsigned int temp_timestamp;
 
    memset(&obj, 0, sizeof(obj));
    obj.ipfo_rev = IPFILTER_VERSION;
@@ -323,7 +340,11 @@
          if (iport != NULL)
             *iport = ntohs(ipn.in_pnext);
          if (desc != NULL)
-            get_redirect_desc(eport, proto, desc, desclen);
+            temp_timestamp = get_redirect_desc(eport, proto, desc, desclen);
+         if ((timestamp != NULL) && (temp_timestamp != 0))
+            *timestamp = temp_timestamp;
+         if ((rhost != NULL) && (rhostlen > 0))
+            inet_ntop(AF_INET, &ipn.in_src[0].in4, rhost, rhostlen);
          inet_ntop(AF_INET, &ipn.in_in[0].in4, iaddr, iaddrlen);
          r = 0;
       }
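Review bot: temp_timestamp is read uninitialized in `if ((timestamp != NULL) && (temp_timestamp != 0))` whenever desc is NULL, because it is declared without an initializer and only assigned inside `if (desc != NULL)`. That can store a garbage value in *timestamp. Initialize it to 0 at its declaration, or restructure so the lookup runs whenever either desc or timestamp is requested (get_redirect_desc() currently returns early on a NULL desc, so it would need to accept that). Also, when the stored timestamp is 0, *timestamp is never written and the caller sees whatever it passed in; assigning unconditionally would be more predictable.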
@@ -337,12 +358,15 @@
     char * ifname, unsigned short * eport,
     char * iaddr, int iaddrlen, unsigned short * iport,
     int * proto, char * desc, int desclen,
+    char * rhost, int rhostlen,
+    unsigned int * timestamp,
     u_int64_t * packets, u_int64_t * bytes)
 {
    ipfgeniter_t iter;
    ipfobj_t obj;
    ipnat_t ipn;
    int n, r;
+   unsigned int temp_timestamp;
 
    if (index < 0)
       return -1;
@@ -388,7 +412,11 @@
          if (bytes != NULL)
             *bytes = 0;
          if (desc != NULL)
-            get_redirect_desc(*eport, *proto, desc, desclen);
+            temp_timestamp = get_redirect_desc(*eport, *proto, desc, desclen);
+         if ((timestamp != NULL) && (temp_timestamp != 0))
+            *timestamp = temp_timestamp;
+         if ((rhost != NULL) && (rhostlen > 0))
+            inet_ntop(AF_INET, &ipn.in_src[0].in4, rhost, rhostlen);
          inet_ntop(AF_INET, &ipn.in_in[0].in4, iaddr, iaddrlen);
          r = 0;
       }
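Review bot: Same uninitialized read as in the get_redirect_rule() hunk above: here `temp_timestamp` is only assigned when desc != NULL but is tested on the next line regardless. Write the declaration added by the previous hunk as `unsigned int temp_timestamp = 0;`. The return value of the new `inet_ntop(AF_INET, &ipn.in_src[0].in4, rhost, rhostlen)` call is also ignored, so a too-small rhostlen leaves rhost unset without the caller knowing; check for NULL and fail the lookup or clear rhost[0].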
@@ -464,8 +492,8 @@
 
 /* thanks to Seth Mos for this function */
 int
-add_filter_rule2(const char * ifname, const char * iaddr,
-    unsigned short eport, unsigned short iport,
+add_filter_rule2(const char * ifname, const char * rhost,
+    const char * iaddr, unsigned short eport, unsigned short iport,
     int proto, const char * desc)
 {
    ipfobj_t obj;
@@ -507,6 +535,12 @@
       fr.fr_tcpfm = TH_SYN|TH_ACK|TH_RST|TH_FIN|TH_URG|TH_PUSH;
    }
 
+   if(rhost && rhost[0] != '\0' && rhost[0] != '*')
+   {
+      inet_pton(AF_INET, rhost, &fr.fr_saddr);
+      fr.fr_smask = 0xffffffff;
+   }
+
    inet_pton(AF_INET, iaddr, &fr.fr_daddr);
    fr.fr_dmask = 0xffffffff;
 
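Review bot: As in add_redirect_rule2(), `inet_pton(AF_INET, rhost, &fr.fr_saddr)` is unchecked in the new rhost block, so a malformed rhost still leads to a filter rule being built with fr_smask forced to 0xffffffff over an fr_saddr that was never filled in. Fail the call when inet_pton() != 1 so that no filter rule is added for a remote host that could not be parsed.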
@@ -600,3 +634,72 @@
    return r;
 }
 
+unsigned short *
+get_portmappings_in_range(unsigned short startport, unsigned short endport,
+                          int proto, unsigned int * number)
+{
+   unsigned short * array;
+   unsigned int capacity;
+   unsigned short eport;
+   ipfgeniter_t iter;
+   ipfobj_t obj;
+   ipnat_t ipn;
+
+   *number = 0;
+   if (dev < 0) {
+      syslog(LOG_ERR, "%s not open", IPNAT_NAME);
+      return NULL;
+   }
+   capacity = 128;
+   array = calloc(capacity, sizeof(unsigned short));
+   if(!array)
+   {
+      syslog(LOG_ERR, "get_portmappings_in_range() : calloc error");
+      return NULL;
+   }
+   
+   memset(&obj, 0, sizeof(obj));
+   obj.ipfo_rev = IPFILTER_VERSION;
+   obj.ipfo_ptr = &iter;
+   obj.ipfo_size = sizeof(iter);
+   obj.ipfo_type = IPFOBJ_GENITER;
+
+   iter.igi_type = IPFGENITER_IPNAT;
+#if IPFILTER_VERSION > 4011300
+   iter.igi_nitems = 1;
+#endif
+   iter.igi_data = &ipn;
+
+   do {
+      if (ioctl(dev, SIOCGENITER, &obj) == -1) {
+         syslog(LOG_ERR, "%s:ioctl(SIOCGENITER): %m",
+             "get_portmappings_in_range");
+         break;
+      }
+      
+      if (strcmp(ipn.in_tag.ipt_tag, group_name) != 0)
+         continue;
+      
+      eport = ntohs(ipn.in_pmin);
+      if( (eport == ntohs(ipn.in_pmax))
+        && (ipn.in_p == proto)
+        && (startport <= eport) && (eport <= endport) )
+      {
+         if(*number >= capacity)
+         {
+            /* need to increase the capacity of the array */
+            capacity += 128;
+            array = realloc(array, sizeof(unsigned short)*capacity);
+            if(!array)
+            {
+               syslog(LOG_ERR, "get_portmappings_in_range() : realloc(%lu) error", sizeof(unsigned short)*capacity);
+               *number = 0;
+               return NULL;
+            }
+         }
+         array[*number] = eport;
+         (*number)++;
+      }
+   } while (ipn.in_next != NULL);
+   return array;
+}
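Review bot: In get_portmappings_in_range(), `array = realloc(array, sizeof(unsigned short)*capacity);` overwrites the only pointer to the old block, so when realloc() fails the original array is leaked on the `return NULL` path. Assign the result to a temporary, free(array) on failure, and only then replace array. The syslog() call on that path passes a size_t expression to `%lu`; cast it to unsigned long. Finally, the function returns a non-NULL allocation even when *number is 0 and when the ioctl fails part-way through the iteration, which should be stated in a comment so callers know they must always free() the result.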


Last edited by metalliqaz on Tue Mar 13, 2012 7:56 pm; edited 1 time in total
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1518

Posted: Tue Mar 13, 2012 5:18 pm

Thank you for the patch.
I indeed do not maintain the ipfilter code. That's a shame but I have no feedback about it... except you? :)

If you are a git user, see https://github.com/miniupnp/miniupnp, it's easier for patches!
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/


Last edited by miniupnp on Wed Mar 14, 2012 10:00 pm; edited 1 time in total
metalliqaz

Joined: 13 Mar 2012
Posts: 6

Posted: Tue Mar 13, 2012 6:07 pm

Okay. The ipfilter section really needs a lot of work. I got it to compile but it's still broken. I'll work it and submit something through git.
thanks,
-d
evil_spider

Joined: 17 Nov 2012
Posts: 1

Posted: Sat Nov 17, 2012 7:45 pm

I just set up a router with NetBSD 6 with, among other things, the intention of having miniupnpd handle UPnP for my PS3.

When I try starting miniupnpd, I get:
Nov 17 20:03:01 aria miniupnpd[15197]: pf is disabled
Nov 17 20:03:01 aria miniupnpd[15197]: Failed to init redirection engine. EXITING

I'm slightly surprised to see it complain about pf, since I told pkgsrc:
PKG_OPTIONS.miniupnpd = ipfilter

What am I missing? And, to be explicitly on-topic, how (in)complete is the ipfilter-support? Does it need more work? Anyone still working on it?

Edit: Ah.. I build my packages in a pkg_comp chroot, therefore I have neither ipfilter=YES nor pf=YES in /etc/rc.conf, and it defaulted to pf. The autodetection is neat, but it should probably handle the case where neither pf nor ipfilter is in rc.conf.
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1518

Posted: Mon Nov 19, 2012 10:19 am

I'm sorry, ipfilter support is not maintained...
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
All times are GMT
© 2007 Thomas Bernard, author of MiniUPNP.