Securifi Community Forum
Securifi Products => Almond+ => Topic started by: habeatgenmoint on April 21, 2015, 03:16:02 pm
-
My Almond+ stopped accepting new UPnP entries a few days ago, so I did a bit of troubleshooting. Turns out there is a huge number of duplicate ipfilter entries created by MINIUPNPD. The list is so huge I didn't manage to find out how long it is, but the number is more than 30000 (yes, 30000.) The Almond+ has been up for 19 days.
It goes like this:
Chain MINIUPNPD (1 references)
target prot opt source destination
ACCEPT udp -- anywhere 192.168.1.234 udp dpt:12345
ACCEPT udp -- anywhere 192.168.1.234 udp dpt:12345
....
ACCEPT udp -- anywhere 192.168.1.234 udp dpt:12345
Apparently, the UPnP daemon never checks for duplicate entries when adding new ones into the IP table. Please fix this :'(
Edit: I'm on R072.
-
Thanks for the heads up, I've reported it to the software team.
-
Just in case anyone finds this useful, I'm now running a dirty script periodically to work around this bug at the moment:
# Snapshot the rules with adjacent duplicates collapsed, then rebuild the MINIUPNPD chain
# in both tables from the snapshot (the ":MINIUPNPD - [0:0]" lines make iptables-restore
# --noflush empty each existing chain before re-adding the de-duplicated rules).
iptables-save | uniq > /tmp/iptables.rules && \
iptables --flush MINIUPNPD && \
( echo '*nat'; echo ':MINIUPNPD - [0:0]'; grep -- '-A MINIUPNPD' /tmp/iptables.rules | grep DNAT | sort -u; echo COMMIT;
  echo '*filter'; echo ':MINIUPNPD - [0:0]'; grep -- '-A MINIUPNPD' /tmp/iptables.rules | grep ACCEPT | sort -u; echo COMMIT ) | iptables-restore --noflush && \
rm /tmp/iptables.rules
It seems to me that simply using "iptables -C" when adding new entries from miniupnpd would fix most of the problem though.
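Added example, not from the thread or from Securifi: the same clean-up as the workaround above, but keyed on the *table headers of the iptables-save dump instead of grepping for DNAT/ACCEPT, so it works for any chain and never mixes nat rules into the filter table. The dump, chain name and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Rebuild iptables-restore input for one user chain from an iptables-save dump,
# keeping each rule once per table. Added example; not the poster's script.

# Constructed sample dump resembling the duplicated MINIUPNPD chain (made-up host/port).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
-A PREROUTING -i eth0 -j MINIUPNPD
-A MINIUPNPD -p udp --dport 12345 -j DNAT --to-destination 192.168.1.234:12345
-A MINIUPNPD -p udp --dport 12345 -j DNAT --to-destination 192.168.1.234:12345
-A MINIUPNPD -p udp --dport 12345 -j DNAT --to-destination 192.168.1.234:12345
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:MINIUPNPD - [0:0]
-A FORWARD -i eth0 -j MINIUPNPD
-A MINIUPNPD -p udp -d 192.168.1.234 --dport 12345 -j ACCEPT
-A MINIUPNPD -p udp -d 192.168.1.234 --dport 12345 -j ACCEPT
-A MINIUPNPD -p tcp -d 192.168.1.234 --dport 12346 -j ACCEPT
COMMIT'

# dedupe_chain CHAIN < dump
# Emits a restore stream that re-declares CHAIN in every table it appears in
# (":CHAIN - [0:0]" makes iptables-restore --noflush empty the existing chain)
# followed by each distinct "-A CHAIN ..." rule of that table, in original order.
dedupe_chain() {
    awk -v chain="$1" '
        /^\*/ { table = $0; next }                  # "*nat", "*filter", ...
        $1 == "-A" && $2 == chain {
            if (!(table in opened)) { print table; print ":" chain " - [0:0]"; opened[table] = 1 }
            if (!seen[table, $0]++) print $0    # first sighting in this table only
            next
        }
        /^COMMIT/ { if (table in opened) print "COMMIT" }
    '
}

# count_rules CHAIN < stream: number of "-A CHAIN" lines, for a before/after check.
count_rules() {
    grep -c "^-A $1 "
}

# On the router the pipeline would be:
#   iptables-save | dedupe_chain MINIUPNPD | iptables-restore --noflush
# Here it runs over the constructed dump: 6 rule lines in, 3 distinct rules out.
printf '%s\n' "$SAMPLE_DUMP" | dedupe_chain MINIUPNPD
```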