miniupnpd: Improve configuration generation and deny ACL by default

Signed-off-by: Self Hosting Group <[email protected]>
openwrt · Jan 6, 2025 · 8c9bbfe · 8c9bbfe
1 parent 05d611d
commit 8c9bbfe
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 22 deletions.
diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init
@@ -31,14 +31,11 @@ conf_rule_add() {
 	local ext_start ext_end int_start int_end comment
 
 	config_get action "$cfg" action "deny"                # allow or deny
-	upnpd_get_port_range "ext" "$cfg" ext_ports "0-65535" # external ports: x, x-y, x:y
+	upnpd_get_port_range "ext" "$cfg" ext_ports "1-65535" # external ports: x, x-y, x:y
 	config_get int_addr "$cfg" int_addr "0.0.0.0/0"       # ip or network and subnet mask (internal)
-	upnpd_get_port_range "int" "$cfg" int_ports "0-65535" # internal ports: x, x-y, x:y or range
+	upnpd_get_port_range "int" "$cfg" int_ports "1-65535" # internal ports: x, x-y, x:y or range
 	config_get comment "$cfg" comment "ACL"		      # comment
 
-	# Make a single IP IP/32 so that miniupnpd.conf can use it.
-	[ "${int_addr%/*}" = "$int_addr" ] && int_addr="$int_addr/32"
-
 	echo "$action $ext_start${ext_end:+-}$ext_end $int_addr $int_start${int_end:+-}$int_end #$comment"
 }
 
@@ -175,8 +172,6 @@ upnpd() {
 
 		[ "$uuid" = "nocli" ] || echo "uuid=$uuid"
 
-		config_foreach conf_rule_add perm_rule
-
 		if [ "$FW" = "fw4" ]; then
 			#When using nftables configure miniupnpd to use its own table and chains
 			echo "upnp_table_name=fw4"
@@ -186,6 +181,9 @@ upnpd() {
 			echo "upnp_nat_postrouting_chain=upnp_postrouting"
 		fi
 
+		config_foreach conf_rule_add perm_rule
+		echo "deny 1-65535 0.0.0.0/0 1-65535"
+
 		} > "$tmpconf"
 	fi
 

diff --git a/net/miniupnpd/files/upnpd-migration.uci-defaults b/net/miniupnpd/files/upnpd-migration.uci-defaults
@@ -95,13 +95,6 @@ if [ "$(uci get upnpd.@perm_rule[0].action)" = "allow" ] &&
 		set upnpd.@perm_rule[1].int_addr='0.0.0.0/0'
 		set upnpd.@perm_rule[1].int_ports='1-1023'
 		set upnpd.@perm_rule[1].comment='Low ports'
-		add upnpd perm_rule
-		set upnpd.@perm_rule[2]=perm_rule
-		set upnpd.@perm_rule[2].action='deny'
-		set upnpd.@perm_rule[2].ext_ports='1-65535'
-		set upnpd.@perm_rule[2].int_addr='0.0.0.0/0'
-		set upnpd.@perm_rule[2].int_ports='1-65535'
-		set upnpd.@perm_rule[2].comment='Deny by default'
 		commit upnpd
 	EOF
 fi

diff --git a/net/miniupnpd/files/upnpd.config b/net/miniupnpd/files/upnpd.config
@@ -15,7 +15,7 @@ config upnpd 'config'
 	#option external_iface             wan
 	option upnp_lease_file            /var/run/miniupnpd.leases
 
-# Service access control list configuration, IPv6 always allowed
+# Service access control list configuration, IPv6 always allowed. Deny by default.
 
 config perm_rule
 	option action                     allow
@@ -30,10 +30,3 @@ config perm_rule
 	option int_addr                   0.0.0.0/0
 	option int_ports                  1-1023
 	option comment                    'Low ports'
-
-config perm_rule
-	option action                     deny
-	option ext_ports                  1-65535
-	option int_addr                   0.0.0.0/0
-	option int_ports                  1-65535
-	option comment                    'Deny by default'