OpenWrt Forum Archive

Topic: new UPNPd for White Russian - miniupnpd

The content of this topic has been archived on 30 Mar 2018. Unfortunately there are posts – most likely complete pages – missing.

It seems like the MINIUPNPD chains have not been created in netfilter.
Have you executed the iptables_init.sh shell script?
What is displayed by the following commands?

iptables -v -n -t nat -L MINIUPNPD
iptables -v -n -t filter -L MINIUPNPD

Executing iptables_init.sh worked. But I checked the homepage for miniupnpd, and there was no mention of that?

norm360 wrote:

Executing iptables_init.sh worked. But I checked the homepage for miniupnpd, and there was no mention of that?

Sorry for the lack of documentation on the website. This information is included in the README file.

Here is my experience so far with miniupnp using White Russian with X-Wrt:

1. The miniupnp chain is created when the settings are saved from the X-Wrt interface. However, if any changes are made to the firewall settings in X-Wrt, the miniupnp chain is lost.
What this means is every time you modify the firewall settings, for example to add a port forward, you have to re-add the miniupnp chain.

2. This one is a bit more serious. After some time UPnP simply stops working. The netfilter rules are there, but it just isn't working. Port forwards still work. This issue also applies to linux-igd.

Linux-igd example:

Chain FORWARD (policy DROP 12 packets, 3540 bytes) 
num pkts bytes target prot opt in out source destination options 
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.11.10 tcp dpt:60116 

Chain PREROUTING (policy ACCEPT 205K packets, 14M bytes) 
num pkts bytes target prot opt in out source destination options 
1 7741 578K NEW all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 
2 7741 578K prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0  
3 3679 251K prerouting_wan all -- vlan1 * 0.0.0.0/0 0.0.0.0/0  
4 439 23212 DNAT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:60116 to:192.168.11.10:60116-0

I have added a fix for my system to restart miniupnpd whenever the firewall rules are updated.

To do this I modified the /usr/lib/webif/apply.sh script to restart miniupnpd whenever the firewall is updated.

If someone wants to try this, then do the following:

vi /usr/lib/webif/apply.sh

Page down until you reach the reload_firewall() function. Edit it such that it looks like the following:

reload_firewall() {
        echo_applying_settings "@TR<<apply_firewall#firewall>>"
        /etc/init.d/S??firewall
        reload_upnpd
        echo_action_done
}

Maybe reloading the entire miniupnp daemon isn't necessary? Would just inserting the iptables_init.sh in that function work? Hope this helps someone out!

-Will

(Last edited by mevatron on 26 Feb 2008, 21:47)

thx for miniupnpd, works fine, but I had to correct the sequence in the iptables filter FORWARD chain: MINIUPNPD was just appended, and the forward dropped everything just before MINIUPNPD. Happened in a standard(?) build of Kamikaze revision 13021.
(http://forum.openwrt.org/viewtopic.php?id=17475)

After

iptables -D FORWARD 6
iptables -I FORWARD 5 -p all -s 0/0 -d 0/0 -j MINIUPNPD

everything worked fine:

root@OpenWrt:~# iptables --line-numbers -t filter -L FORWARD
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere            state INVALID
2    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    forwarding_rule  all  --  anywhere             anywhere
5    MINIUPNPD  all  --  anywhere             anywhere
6    forward    all  --  anywhere             anywhere
7    ACCEPT     all  --  anywhere             anywhere
8    ACCEPT     all  --  anywhere             anywhere

Thx for this rxgknpbo,

so I didn't have to search too long in the netfilter chains for the source of the error.
I just wonder why this appending of the miniupnpd chain is still erroneous in Kamikaze R13627?

Maybe, one should point this out in some bugtracker?

Cheers
Kanne

FYI, I solved it now by changing /usr/bin/iptables_init.sh directly:

#adding the rule to MINIUPNPD
LINE="`iptables --line-numbers -t filter -v -L FORWARD | grep "forward " | awk -F' ' '{print $1}'`"
$IPTABLES -t filter -I FORWARD $LINE -i $EXTIF -o ! $EXTIF -j MINIUPNPD
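
Added example, not part of the original thread or of miniupnpd: a POSIX shell check for the rule-order problem discussed above. It reads an `iptables --line-numbers -L FORWARD` listing (with or without `-v`) and reports whether the MINIUPNPD jump comes before the jump to another chain. The function names, the default chain name `forward` and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables --line-numbers -L FORWARD` output (with or
# without -v) and checks that the MINIUPNPD jump precedes another chain's jump.

# Print the rule number of the first rule whose target is $1 (listing on stdin).
rule_line() {
    awk -v t="$1" '
        # Header row: locate the "target" column (2 without -v, 4 with -v).
        $1 == "num" { for (i = 1; i <= NF; i++) if ($i == "target") col = i; next }
        col && $1 ~ /^[0-9]+$/ && $col == t { print $1; exit }
    '
}

# check_upnp_order LISTING [CHAIN]
# Returns 0 = ordered, 1 = MINIUPNPD after CHAIN, 2 = a jump is missing.
check_upnp_order() {
    _ref_chain=${2:-forward}   # assumption: "forward" as in the Kamikaze listing
    _upnp=$(printf '%s\n' "$1" | rule_line MINIUPNPD)
    _ref=$(printf '%s\n' "$1" | rule_line "$_ref_chain")
    if [ -z "$_upnp" ] || [ -z "$_ref" ]; then
        echo "missing: MINIUPNPD='$_upnp' $_ref_chain='$_ref'"
        return 2
    fi
    if [ "$_upnp" -lt "$_ref" ]; then
        echo "ok: MINIUPNPD is rule $_upnp, $_ref_chain is rule $_ref"
        return 0
    fi
    echo "misordered: MINIUPNPD is rule $_upnp, after $_ref_chain at rule $_ref"
    # Printed only, never executed: same delete-then-insert as in the post.
    echo "suggest: iptables -D FORWARD $_upnp && iptables -I FORWARD $_ref -j MINIUPNPD"
    return 1
}

# Constructed sample: MINIUPNPD appended after the jump to "forward".
SAMPLE_BAD='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere            state INVALID
2    forwarding_rule  all  --  anywhere             anywhere
3    forward    all  --  anywhere             anywhere
4    MINIUPNPD  all  --  anywhere             anywhere'

# Constructed sample in -v layout, already in the corrected order.
SAMPLE_OK_V='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

check_upnp_order "$SAMPLE_BAD" || echo "(exit status $?)"
check_upnp_order "$SAMPLE_OK_V"
```

Because the target column is compared for an exact match, a rule jumping to `forwarding_rule` is not mistaken for the `forward` chain.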

The discussion might have continued from here.