#!/bin/sh
# miniupnpd integration for firewall3
+# Note: Correct way to do this would be probably to use
+# /lib/functions/network.sh, and use network_find_wan{,6}, and then
+# network_get_device, then determine their zones using fw3 -q network
+# etc. However, network_find_wan* return only one device, and
+# frequently incorrect one if multiple ISPs are in use. So this
+# current ugly solution works, although perhaps makes holes where it
+# shouldn't (if so, do override it in e.g. firewall.user)
+
IP6TABLES=/usr/sbin/ip6tables
iptables -t filter -N MINIUPNPD 2>/dev/null
[ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
-. /lib/functions/network.sh
-
-add_extzone_rules() {
- local ext_zone=$1
+# IPv4 - due to NAT, need to add both to nat and filter table
+iptables -t filter -I delegate_forward 2 -j MINIUPNPD
+iptables -t nat -I delegate_prerouting 2 -j MINIUPNPD
- # IPv4 - due to NAT, need to add both to nat and filter table
- iptables -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
- iptables -t nat -I zone_${ext_zone}_prerouting -j MINIUPNPD
-
- # IPv6 if available - filter only
- [ -x $IP6TABLES ] && {
- $IP6TABLES -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
- }
+# IPv6 if available - filter only
+[ -x $IP6TABLES ] && {
+ $IP6TABLES -t filter -I delegate_forward 2 -j MINIUPNPD
}
-
-network_find_wan wan_iface
-network_get_device wan_device $wan_iface
-
-for ext_zone in $(fw3 -q device "$wan_device"); do
- add_extzone_rules $ext_zone
-done
-
-for ext_iface in $(uci -q get upnpd.config.external_iface); do
- for ext_zone in $(fw3 -q network "$ext_iface"); do
- add_extzone_rules $ext_zone
- done
-done
-
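Review bot: The new jumps in `delegate_forward` and `delegate_prerouting` are evaluated for traffic from every zone, whereas the removed `zone_${ext_zone}_*` inserts confined MINIUPNPD to the external zones; this is the widening the added header comment itself concedes ("makes holes where it shouldn't"). When `upnpd.config.external_iface` is set the external zone is known without `network_find_wan`, so the zone-scoped inserts could be kept for that case and the delegate chains used only as the fallback, as sketched below. The fixed position `2` presumably relies on the first rule of each delegate chain being one that must stay ahead of MINIUPNPD. A one-line comment naming that rule would help, because `-I … 2` fails on an empty chain and the exit status is not checked.

```shell
# … unchanged: IP6TABLES definition and MINIUPNPD chain creation …
ext_ifaces=$(uci -q get upnpd.config.external_iface)
if [ -n "$ext_ifaces" ]; then
	# Operator named the external interfaces: keep the jump scoped to their zones
	for ext_iface in $ext_ifaces; do
		for ext_zone in $(fw3 -q network "$ext_iface"); do
			iptables -t filter -I "zone_${ext_zone}_forward" -j MINIUPNPD
			iptables -t nat -I "zone_${ext_zone}_prerouting" -j MINIUPNPD
			[ -x "$IP6TABLES" ] &&
				"$IP6TABLES" -t filter -I "zone_${ext_zone}_forward" -j MINIUPNPD
		done
	done
else
	# … unchanged: delegate_forward / delegate_prerouting inserts as fallback …
fi
```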