OpenWrt Forum Archive

Topic: UPnP Support (linux-idg package)

The content of this topic has been archived on 3 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've compiled and packaged linux-idg and its associated libraries.

I tried compiling linux-igd statically, but the file I ended up with was ridiculously large (2.9M!!) and thus I'm sure I'm doing something wrong. If anyone around here wants to give it a shot or tell me what I was doing wrong, go ahead; I'm happy enough with the dynamic version myself.

Anyway the packages are all on my source site at http://openwrt.wojjie.net/packages/ and the source for my modifications porting it to openwrt are at http://openwrt.wojjie.net/src/.

You will need to configure your firewall appropriately, I'm not sure if it will work with the default openwrt firewall out of the box. I'm using Shorewall so http://www.fastflow.it/floppinux/bering/ was useful for me, although I'm still having problems with my firewall blocking it.

BTW if you want to change your router's UPnP name and other such stuff just look inside the /etc/linuxigd/ directory, in particular at /etc/linuxigd/gatedesc.xml.

At the moment linux-igd is using a webserver built into upnpsdk to share this directory on port 2869. To save memory and flash space we could probably get it to use the webserver already on openwrt...

I added a patch today that should support iptables configurations where the default policies don't match the requirements stated in the linux-igd docs, e.g. Shorewall, by adding a FORWARD entry in the filter table along with the standard PREROUTING entry in the nat table.

If anyone uses this package let me know how it goes, and BTW if you are a linux user like me and wondering why you'd want this, most of the latest bittorrent clients have support for UPnP and it can make a huge difference.

Is it true that UPnP can also help for SIP behind the router, or maybe it is MSN messenger?

I have read that UPnP is supposed to be a security breach, but I would assume if I just want to shield the outside and allow full control from inside, it is not a problem, right?

From what I understand the problems with UPnP w.r.t. security are that it lacks any authentication - for something that can change your firewall rules this is in general a bad thing.

First of all I would suggest using a stricter set of firewall rules than the default, e.g. something like shorewall (although it takes a bit of configuration to get UPnP working with shorewall; you have to create a new zone for the broadcast address, etc). UPnP really has to be restricted to trusted users somehow.

To quote from the linux-igd SECURITY file:

UPnP version 1.0, on which this program is based, is inherently flawed.  As
with most Microsoft supported software, there was a lot of theory put out
there, but no code.  Well what happened is they made an attempt to get this
concept of UPnP out there, and in the initial version they weren't concerned
with security or any advanced controls.  Simply all they wanted was
connectivity.  So we are stuck with this for now.  The UPnP server, by itself,
does no security checking.  If it receives a UPnP request to add a portmapping
for some ip address inside the firewall, it just does it.  This program will
attempt to verify the source ip contained in the UPnP request against the
source ip of the actual packet, but as always, these can be forged.  The
UPnP server makes no attempt to verify this connection with the caller, and
therefore it just assumes whoever asked is the person really wanting it.
Theoretically this could open up ports on some other box than the caller to
the outside world, and this is where intelligent decision making comes in.
If you restrict the ability of this to happen with iptables rules, then this
becomes a non-issue, and only the machines that iptables allows to have stuff
go to will be allowed.  But sure, everyone can come up with some way to get
around this so listen.

I think OpenWrt's philosophy is to give users the choice, and certainly one of the features a lot of users want is UPnP, as this is available on almost every other wireless router nowadays. As long as your firewall is reasonably set up this isn't much of an issue, but like all other things security, ignorance of how to use the daemon properly is the greatest risk.

I'm trying this with the default upnp binary from linksys firmware and shorewall.
I've tried it with the howto from http://www.fastflow.it/floppinux/bering/ but it isn't working..

upnp gives no errors if I start it with:

/usr/sbin/upnp -D -L $(nvram get lan_ifname) -W $(nvram get wan_ifname)

Maybe someone here has got upnp and shorewall working together.

Hi, I use shorewall with it :-).

How do you use Shorewall with current OpenWRT build? It doesn't include iptables-saverestore functionality and Shorewall takes forever to load without saverestore. I found iptables-saverestore in Yani's repository (thanks) but it doesn't work with current build.

Yani,

I note that the code you compiled doesn't make use of the patch that uses the /etc/upnpd.conf file.  Just wondering why that was, as it's a handy little way to make upnpd deal with the way your router might be customised.

Kaldek

Yani: I cannot seem to get your version to work on RC4, it wants to install libstdc++ which conflicts with libgcc_s from whiterussian. This leaves me with no UPNP support, since the linksys binary also doesn't work correctly on my openwrt.

There is documentation: http://wiki.openwrt.org/OpenWrtDocs/upnp. Besides the basics of UPnP, it tells you how to force installation of packages:

ipkg install -force-overwrite your_package_here

Enjoy!

Is overwriting the standard C++ library really that good of an idea? Also, why does this package need e2fs libraries?

I think I might want to build a new package with the SDK smile

Pi wrote:

Is overwriting the standard C++ library really that good of an idea?

So far I didn't see any problems.

Pi wrote:

I think I might want to build a new package with the SDK smile

It would be nice if you reduced the size of this bastard. wink

Pi wrote:

Is overwriting the standard C++ library really that good of an idea? Also, why does this package need e2fs libraries?

I'm probably well placed to answer this question since I'm the guy that put the linksys package together.  Basically this package is a collection of the pre-compiled binary upnp daemon as provided in the Linksys firmware image, because I liked its simplicity.  Unfortunately, it required its own version of some libraries (in particular the libshared.so library), so I just collected those from the Linksys firmware and put them in the package.

I have had this package running on RC2, RC3, and now RC4.  It has not caused me any problems to date; however, if I had half a brain I would take the Linksys source code and recompile it so that it didn't need to replace existing library files but instead created new ones.  Unfortunately, I'm not that good yet. smile

Kaldek

(Last edited by kaldek on 6 Jan 2006, 03:48)

kaldek wrote:
Pi wrote:

Is overwriting the standard C++ library really that good of an idea? Also, why does this package need e2fs libraries?

I'm probably well placed to answer this question since I'm the guy that put the linksys package together.

I'm not using the linksys package, though, I'm (trying to) use Yani's linux-igd.

kaldek wrote:

I have had this package running on RC2, RC3, and now RC4.  It has not caused me any problems to date; however, if I had half a brain I would take the Linksys source code and recompile it so that it didn't need to replace existing library files but instead created new ones.  Unfortunately, I'm not that good yet. smile

Kaldek

I might end up doing that, :3... the upnpsdk is turning out to be a total bitch to get compiled. Its makefile calls my /usr/bin/gcc, which (gee, I wonder) can't produce MIPS executables at all.

Well, I figured out what was going wrong with the linksys UPNP. After downloading the source code, I realised it was trying to set iptables entries with the contents of wan_ipaddr, which wasn't correct. I used /usr/sbin/nvram to set it to 0.0.0.0 and that made the iptables entries correct.

I use this, but in concert with the OpenWRT / Shorewall Package from http://sfl.homelinux.net/openwrt/shorew … mipsel.ipk , and it works like a peach!

I had to download and install libpthread because it was throwing an error upon start.  Works fine with Azureus UPnP!  Haven't tested it with anything else yet though!

I don't want to spoil anything, but the linux-igd package from sourceforge has serious security flaws. With a specially crafted UPnP packet it is possible to turn the router into a forwarder for an attacker by setting the parameter "NewInternalClient" to an external IP address. The Broadcom UPnP code (as used on the WRT54G and WRT54GS) suffers from a similar bug, which is trivial to abuse for anyone/anything on your LAN. Linksys released new code for the WRT54GS recently to address this problem.
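A defender-side check for the weaknesses discussed in this thread: the SECURITY file's point that the daemon should compare the requested internal client against the packet's source IP, and the last post's NewInternalClient-set-to-an-external-address problem. This is an added example, not code from linux-igd or the Broadcom daemon; the LAN subnet, router address and helper names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed LAN layout for the example (not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.1.1")


def build_add_port_mapping(client, ext_port=6881, int_port=6881, proto="TCP"):
    """Constructed WANIPConnection AddPortMapping SOAP body (sample input)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled><NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


def check_add_port_mapping(soap_xml, source_ip):
    """Return reasons to refuse the mapping; an empty list means acceptable.

    NewInternalClient must be a LAN host (never an external address, never
    the router itself) and must equal the address the request came from;
    ports and protocol must be well formed.
    """
    problems = []
    root = ET.fromstring(soap_xml)
    # The action element is namespaced; its argument children are not.
    action = next((e for e in root.iter() if e.tag.endswith("AddPortMapping")), None)
    if action is None:
        return ["not an AddPortMapping request"]
    try:
        client = ipaddress.ip_address(action.findtext("NewInternalClient", "").strip())
    except ValueError:
        return ["NewInternalClient is not a valid IP address"]
    if client not in LAN_NET:
        problems.append(f"NewInternalClient {client} is outside the LAN {LAN_NET}")
    if client == ROUTER_IP:
        problems.append("NewInternalClient is the router itself")
    if client != ipaddress.ip_address(source_ip):
        problems.append(f"NewInternalClient {client} differs from request source {source_ip}")
    for field in ("NewExternalPort", "NewInternalPort"):
        value = action.findtext(field, "")
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            problems.append(f"{field} {value!r} is not a valid port")
    if action.findtext("NewProtocol", "").upper() not in ("TCP", "UDP"):
        problems.append("NewProtocol must be TCP or UDP")
    return problems
```

The source-IP comparison only helps against hosts that cannot spoof the LAN address, which is the caveat the SECURITY file raises; the iptables FORWARD restrictions mentioned earlier in the thread remain the backstop.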

The discussion might have continued from here.