
"UPnP" not working with "deny" rules

Discussion in 'Tomato Firmware' started by kthaddock, Aug 28, 2013.

  1. kthaddock

    kthaddock Network Guru Member

    I have done some testing with upnp and I can't get "deny" rules to work.

    If I use "deny 0-65535 192.168.2.225/32 0-65535" to block one computer, it doesn't work.
    Uncheck the upnp "LAN" box and put the rules in the custom config box (must also have the LAN1 check box on).
    Put that computer outside dhcp range:
    First Usable IP Address = 192.168.2.193
    Last Usable IP Address = 192.168.2.222

    In the upnp config file the last row contains: deny 0-65535 0.0.0.0/0 0-65535

    Has someone struggled with this? Any tips?
     
  2. koitsu

    koitsu Network Guru Member

    1. Does miniupnp understand CIDR syntax? My /etc/upnp/config shows full netmasks, not CIDR, i.e. listening_ip=192.168.1.1/255.255.255.0 (not /24). The same goes for my allow and deny entries.

    2. Have you tried putting your deny line before the allow, i.e.:

    Code:
    deny 0-65535 192.168.2.225/255.255.255.224 0-65535
    allow 1024-65535 192.168.2.200/255.255.255.224 1024-65536
    
    Also note that for the netmask on the deny line, I'm not specifying /255.255.255.255 (i.e. /32, a single IP), I'm specifying the netmask of the entire network block. The reason for that has to do with broadcast packets; I get the impression the above lines are actually internally telling the daemon "the broadcast address is XYZ" (hence the need to specify the netmask). I could be wrong though -- it all depends on how the daemon behaves, and this is where documentation would be useful.

    3. I also have no idea what upnp_lan="1" does in upnp config syntax (see #4 below); in fact, none of the config entries have quotes around them, so maybe that should just be upnp_lan=1.

    4. I sure wish I could find documentation for the config format for this daemon. The site (in France) is just a dump of text, nothing really coherent, and their forum is equally as confusing. *shakes head*

    Otherwise, I strongly urge you to get on their forum and discuss this -- because this looks to be more of a problem relating to miniupnp and not Tomato. They have a bug reports board.

    P.S. -- This thread caused me to find that my miniupnp daemon had stopped running on my router (wasn't in the process list). Cute. :/ Linux has userland application segfault logging capability but I don't think in Tomato this is enabled (and IMO it damn well should be!).

    I can't be of any help past this point.
     
  3. mstombs

    mstombs Network Guru Member

    The best documentation for the miniupnpd conf file is the example miniupnpd.conf in the source code bundle, but I don't see "upnp_lan" in there.

    https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf

    For ip/mask it says

    Tomato does have code patches for extras to generate web gui outputs etc.

    The OP's problem could be a conflict with the default config (dynamically generated by rc code) which does have a default port range restriction controlled by tomato specific nvram vars - should check the actual resulting conf file on router.
     
    Last edited: Aug 28, 2013
  4. koitsu

    koitsu Network Guru Member

    Note this line:

    So what the heck are we doing using full netmasks (ex. /255.255.255.0) when the config file explicitly states it wants CIDR (ex. /24)? *shakes head* This makes me wonder if the documentation is wrong or if we (Tomato) are doing the wrong thing and those rules are being interpreted wrong. Grr. Into the source I go...

    Code is in options.c. allow/deny directives are handled here, which get passed off to read_permission_line().

    read_permission_line() is in upnppermissions.c. Netmask parsing code starts around line 94. Looking at the code, it clearly looks for . (dot) in the "mask" portion of the string, and near the end it's handling bitshifts (for CIDR) via n_bits and htonl().

    All this in English: allow/deny support octet-quad netmasks and CIDR. So, their example documentation via miniupnpd.conf is inaccurate/doesn't reflect what the code supports.

    @mstombs -- very, very possible, however the NVRAM variables are what get used to create /etc/upnp/conf on-the-fly (when clicking Save in the GUI, for example). /etc is a symlink to /tmp/etc thus is in RAM.

    It is possible to start miniupnpd with the -d flag, which enables debugging output (sets debug_flag=1), and the daemon begins emitting messages to stderr and does not daemonise (will run in foreground). That may actually come in handy here, as it might output something that indicates what's going on. Hard for me to say. If the OP wants to try that, go ahead, but there are other flags that are needed as well (ps | grep miniupnpd and see what the existing flags are, then just add -d to those).
     
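The allow/deny parsing and first-match ordering discussed in this post, as an added example that is not code from this thread or from miniupnpd itself: a small Python re-implementation of the permission line format that accepts both dotted-quad masks and CIDR prefixes, then evaluates a ruleset in order. The rulesets are constructed for illustration, and treating a request that matches no rule as allowed is an assumption about the daemon's default.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    allow: bool                      # True for "allow", False for "deny"
    eport: tuple                     # (low, high) external port range
    net: ipaddress.IPv4Network       # address block the rule applies to
    iport: tuple                     # (low, high) internal port range


def _port_range(text):
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def _network(text):
    addr, _, mask = text.partition("/")
    # ipaddress accepts either a dotted-quad mask (255.255.255.224)
    # or a CIDR prefix (27) after the slash; a bare address means /32.
    # strict=False masks off host bits, so 192.168.2.225/27 -> 192.168.2.224/27.
    return ipaddress.IPv4Network(f"{addr}/{mask or '32'}", strict=False)


def parse_permission(line):
    """Parse one 'allow|deny eport_range ip/mask iport_range' line."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"malformed permission line {line!r}")
    return Perm(parts[0] == "allow", _port_range(parts[1]),
                _network(parts[2]), _port_range(parts[3]))


def is_allowed(perms, eport, address, iport):
    """First matching rule decides; no match -> allowed (assumption)."""
    host = ipaddress.IPv4Address(address)
    for p in perms:
        if (p.eport[0] <= eport <= p.eport[1]
                and p.iport[0] <= iport <= p.iport[1]
                and host in p.net):
            return p.allow
    return True


# Constructed rulesets: a broad allow followed by the OP's deny, and the
# same two lines with the deny placed first.
DENY_LAST = [parse_permission(l) for l in (
    "allow 1024-65535 192.168.2.0/24 1024-65535",
    "deny 0-65535 192.168.2.225/32 0-65535")]
DENY_FIRST = list(reversed(DENY_LAST))
```

With the deny after the allow, a mapping request from 192.168.2.225 is still accepted because the allow matches first; moving the deny ahead of it blocks that host while 192.168.2.200 stays allowed.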
  5. kthaddock

    kthaddock Network Guru Member

    I have used /AA CIDR all the time ;) and "upnp_lan="1"" is to turn on upnpd on LAN.
    I have to do so because you can't only turn on upnpd on one bridge, then it protests.
    See picture.
     


  6. RMerlin

    RMerlin Network Guru Member

    CIDR vs full netmask was a pretty large debate sometime last year. I forgot what the final conclusion was, I think that the example file did not match the documentation or the code.
     
  7. mstombs

    mstombs Network Guru Member

    Last edited: Aug 29, 2013
