Regression #15470
closed
Forwards created by miniupnpd do not expire
Description
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
UPnP & NAT-PMP Rules
WAN tcp any any personal-agent 172.21.16.8 5555 Test
WAN tcp any any 5554 172.21.16.8 5554 Test
WAN tcp any any 5553 172.21.16.8 5553 Test
15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
miniupnpd rules/nat contents:
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
Updated by Wyatt Childers 11 days ago
Steve Wheeler wrote:
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
[...]15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
[...]
I'm seeing this problem as well and this may be related: https://github.com/miniupnp/miniupnp/issues/715
Similar to the GitHub issue, I'm seeing issues with UPnP and NAT-PMP on pfSense 24.03 with many log entries reading:
ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
and others reading:
Failed to add NAT-PMP 22493 udp->192.168.7.156:22475 'NAT-PMP 22493 udp'
The GitHub issue would suggest that this affects pfSense releases based on FreeBSD 14 and FreeBSD 15 though I've only recently become aware of the issue following an investigation of issues with a ZeroTier deployment.
Updated by Kristof Provost 10 days ago
- Status changed from New to Feedback
- Assignee set to Kristof Provost
I've updated miniupnpd to the latest version and adjusted the libpfctl patch in https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/6e7d96166c051915155356546474a1c6e68cf2aa
That fixes the lack of expiring entries.