From d0858015f121416a042ec847c01fefb733661bab Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Tue, 16 Aug 2022 16:05:23 +0000
Subject: UPnP: T4620: Fix Jinja2 template rules

---
 data/templates/firewall/upnpd.conf.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/templates/firewall/upnpd.conf.j2 b/data/templates/firewall/upnpd.conf.j2
index 27573cbf9..b993052b4 100644
--- a/data/templates/firewall/upnpd.conf.j2
+++ b/data/templates/firewall/upnpd.conf.j2
@@ -129,7 +129,7 @@ lease_file=/config/upnp.leases
 #serial=12345678
 #model_number=1
 
-{% if rules is vyos_defined %}
+{% if rule is vyos_defined %}
 # UPnP permission rules
 # (allow|deny) (external port range) IP/mask (internal port range)
 # A port range is - or if there is only
@@ -142,8 +142,8 @@ lease_file=/config/upnp.leases
 # modify the IP ranges to match their own internal networks, and
 # also consider implementing network-specific restrictions
 # CAUTION: failure to enforce any rules may permit insecure requests to be made!
-{% for rule, config in rules.items() %}
-{% if config.disable is vyos_defined %}
+{% for rule, config in rule.items() %}
+{% if config.disable is not vyos_defined %}
 {{ config.action }} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }}
 {% endif %}
 {% endfor %}
-- 
cgit v1.2.3


From 6940bcf8d650eea714075df74b47bf0c99642743 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Tue, 16 Aug 2022 16:19:02 +0000
Subject: UPnP: T4611: Rule must be as prefix instead of an address

From the doc miniupnpd IP/mask format must be nnn.nnn.nnn.nnn/nn
Comment out invalid option "anchor"

---
 data/templates/firewall/upnpd.conf.j2     | 9 ++++++---
 interface-definitions/service-upnp.xml.in | 7 ++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/data/templates/firewall/upnpd.conf.j2 b/data/templates/firewall/upnpd.conf.j2
index b993052b4..e964fc696 100644
--- a/data/templates/firewall/upnpd.conf.j2
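Review bot: The entire permission-rule section, including the `# CAUTION:` comment about enforcing no rules, is wrapped in `{% if rule is vyos_defined %}`, so a configuration with no rule defined renders a miniupnpd.conf that contains no `allow`/`deny` line at all and leaves the daemon's own default to decide whether redirects are permitted. Consider emitting an explicit catch-all `deny 0-65535 0.0.0.0/0 0-65535` after the loop and outside the conditional (the trailing form used in the miniupnpd sample configuration), so the rendered file is deny-by-default whether or not the operator has defined rules. The `{% endif %}` that closes this conditional is outside the hunk.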
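Review bot: In `{% for rule, config in rule.items() %}` the loop target reuses the name of the mapping it iterates, so inside the body `rule` is a single rule key rather than the rule dictionary; this presumably works only because the iterable is evaluated before the target is bound, and it will mislead any later reference to the mapping inside the loop. Rename the target, e.g. `{% for rule_name, config in rule.items() %}`. The `{% if config.disable is not vyos_defined %}` change on the next line is the real fix here: the previous form emitted exactly the rules that were disabled. The `{% endif %}` closing the outer conditional is outside the hunk.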
+++ b/data/templates/firewall/upnpd.conf.j2
@@ -71,7 +71,7 @@ min_lifetime={{ pcp_lifetime.min }}
 {% if friendly_name is vyos_defined %}
 # Name of this service, default is "`uname -s` router"
-friendly_name= {{ friendly_name }}
+friendly_name={{ friendly_name }}
 {% endif %}
 
 # Manufacturer name, default is "`uname -s`"
@@ -117,7 +117,10 @@ clean_ruleset_threshold=10
 clean_ruleset_interval=600
 
 # Anchor name in pf (default is miniupnpd)
-anchor=VyOS
+# Something wrong with this option "anchor", comment it out
+# vyos@r14# miniupnpd -vv -f /run/upnp/miniupnp.conf
+# invalid option in file /run/upnp/miniupnp.conf line 74 : anchor=VyOS
+#anchor=VyOS
 
 uuid={{ uuid }}
 
@@ -144,7 +147,7 @@ lease_file=/config/upnp.leases
 # CAUTION: failure to enforce any rules may permit insecure requests to be made!
 {% for rule, config in rule.items() %}
 {% if config.disable is not vyos_defined %}
-{{ config.action }} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }}
+{{ config.action }} {{ config.external_port_range }} {{ config.ip }}{{ '/32' if '/' not in config.ip else '' }} {{ config.internal_port_range }}
 {% endif %}
 {% endfor %}
 {% endif %}
diff --git a/interface-definitions/service-upnp.xml.in b/interface-definitions/service-upnp.xml.in
index a129b7260..50cb47f39 100644
--- a/interface-definitions/service-upnp.xml.in
+++ b/interface-definitions/service-upnp.xml.in
@@ -197,10 +197,15 @@ The IP to which this rule applies (REQUIRE) ipv4 + The IPv4 address to which this rule applies + + + ipv4net The IPv4 to which this rule applies - + +
-- 
cgit v1.2.3
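Review bot: The replacement comment at the `anchor` line records the symptom but not the cause: the context line above it already says this is an anchor name in pf, and a pf-only option is presumably what a netfilter build of miniupnpd reports as `invalid option`. Replace the three `# Something wrong ...`, `# vyos@r14# ...` and `# invalid option ...` lines with a single explanatory line such as `# "anchor" is a pf-only option; the netfilter build of miniupnpd rejects it as invalid (T4611)`, keeping the commented-out `#anchor=VyOS` below it, so the next maintainer does not try to re-enable it.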
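Review bot: The added `{{ '/32' if '/' not in config.ip else '' }}` is correct only if `config.ip` has already been validated as either a plain IPv4 address or an IPv4 prefix, which the service-upnp.xml.in hunk of this commit appears to add (its text is garbled on this page, so that is inferred from the diffstat and the `ipv4net` token rather than read). The address-plus-conditional-suffix form is harder to read than one expression: `{{ config.action }} {{ config.external_port_range }} {{ config.ip if '/' in config.ip else config.ip ~ '/32' }} {{ config.internal_port_range }}`. A one-line `{# miniupnpd requires IP/mask; bare addresses become host prefixes #}` above the rule line would also record why the suffix exists. The `{% endif %}` closing the outer conditional is the hunk's last context line.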