Regression #15470
closed
Forwards created by miniupnpd do not expire
0%
Description
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
UPnP & NAT-PMP Rules WAN tcp any any personal-agent 172.21.16.8 5555 Test WAN tcp any any 5554 172.21.16.8 5554 Test WAN tcp any any 5553 172.21.16.8 5553 Test
15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
miniupnpd rules/nat contents: rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555 rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554 rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
Updated by Wyatt Childers about 2 months ago
Steve Wheeler wrote:
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
[...]15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
[...]
I'm seeing this problem as well and this may be related: https://github.com/miniupnp/miniupnp/issues/715
Similar to the GitHub issue I'm seeing issues with UnPnP and NAT-PMP on pfSense 24.03 with many log entries reading:
ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File existsand others reading:
Failed to add NAT-PMP 22493 udp->192.168.7.156:22475 'NAT-PMP 22493 udp'The GitHub issue would suggest that this affects pfSense releases based on FreeBSD 14 and FreeBSD 15 though I've only recently become aware of the issue following an investigation of issues with a ZeroTier deployment.
Updated by Kristof Provost about 2 months ago
- Status changed from New to Feedback
- Assignee set to Kristof Provost
I've updated miniupnpd to the latest version and adjusted the libpfctl patch in https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/6e7d96166c051915155356546474a1c6e68cf2aa
That fixes the lack of expiring entries.
Updated by Marcos M about 2 months ago
- Status changed from Feedback to Resolved
With the fix, port mappings correctly automatically expire and can be removed on client request.
Updated by Bob Dig about 1 month ago
Marcos M wrote in #note-3:
With the fix, port mappings correctly automatically expire and can be removed on client request.
May I ask for a Patch for this? Would be nice to have it early.
Updated by Steve Wheeler about 1 month ago
It's not something that can be patched at runtime but an updated pkg is available in 24.03:
[24.03-RELEASE][admin@4200.stevew.lan]/root: pkg upgrade miniupnpd
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
miniupnpd: 2.3.3_2,1 -> 2.3.6,1 [pfSense]
Number of packages to be upgraded: 1
73 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching miniupnpd-2.3.6,1.pkg: 100% 73 KiB 75.1kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Upgrading miniupnpd from 2.3.3_2,1 to 2.3.6,1...
[1/1] Extracting miniupnpd-2.3.6,1: 100%
Updated by Bob Dig about 1 month ago
Steve Wheeler wrote in #note-5:
It's not something that can be patched at runtime but an updated pkg is available in 24.03:
[...]
Thank you. Open Ports will be closed again right after closing the p2p-app.
Updated by Jim Pingle about 1 month ago
- Plus Target Version changed from 24.07 to 24.08