miniupnpd: Update, revision, new network access control and UCI options…

[Self-Hosting-Group]

Commits

As this PR is extensive, the descriptions of the individual commits are collapsed here:

0. Update to 2.3.9 to fix issues, refresh building (merged 70ce349 2025-12-24, in 24.10/25.12 packages 2025-12-30)

• Update daemon to 2.3.9 to fix removal of nftables rules in upnp_forward and return the correct internal port; also resulted in the excessive opening of new ports. Accept interface names starting with digits
• Build from GitHub releases to get a reliable HTTPS server, as the HTTP-only/HTTPS mirror were only available ~85%/77% over 3 months
  Project main download mirror miniupnp.free.fr was down for 20 days miniupnp/miniupnp#770
  https://stats.uptimerobot.com/DwGDxUB914
• Build daemon with --disable-pppconn to remove the old/IGDv1-only extra WANPPPConnection SSDP announcements workaround not included in other implementations since >15y
• Build daemon with --vendorcfg to allow customisation of the router/friendly name (+5 potential options) displayed in Windows Explorer, 384 bytes extra required on ARMv7 (binary)
• Remove old (iptables variant only) patches, as no longer needed
• Remove clean_ruleset_interval/threshold UCI config options as not standard/working since OpenWrt 22.03, as nftables not supported

Fixes: openwrt/openwrt#18011
Fixes: openwrt/luci#7759
Fixes: #26352

1. Patch for UPnP IGDv2 Microsoft/Apple compat

• Add workaround to list port maps with the Windows IGDv2-incompatible client by returning an infinite (0) lease duration. To fix listing and editing via GUI (Explorer/Network), if daemon was compiled with IGDv2
• Extend detection to older versions of Windows and add Xbox
• Detect Apple IGDv2-incompatible clients and apply existing workaround, that only caused problems if PCP/NAT-PMP (prioritised) was disabled

(to merge with prior)

Link: https://github.com/Self-Hosting-Group/miniupnp/tree/upnp-igdv2-compat

2. Patch to fix description filter option

To fix the non-working description regex filter option

(to merge with prior)

Link: miniupnp/miniupnp#853

3. Patch to improve startup banner and logging

(to be expanded, to merge with prior)

Link: https://github.com/Self-Hosting-Group/miniupnp/tree/improve-banner

4. Package revision and new/updated UCI options

The following settings UCI options been added or changed, and the previous options are migrated on updating:

upnpd.config UCI options	Change	Previous name
enabled	Match default (1)
enable_protocols=upnp-igd	Combined option	enable_upnp=1
enable_protocols=pcp+nat-pmp	Combined option	enable_natpmp=1
allow_cgnat	Allow allow-filtered (2)	use_stun
stun_host	Allow port inclusion (3)
stun_port	Removed, included in host
allow_third_party_mapping=0	Inverted/extended to PCP	secure_mode=1
log_output	Allow info log level
lease_file	Set by default + IPv6 (4)	upnp_lease_file
upnp_igd_compat=igdv1	Renamed/match default (1)	igdv1=1
download_kbps	In kbit/s and renamed (5)	download
upload_kbps	In kbit/s and renamed (5)	upload
friendly_name	New option, router name
http_port	Renamed, rem. if default	port
notify_interval	Removed if <900s, minimum
internal_iface	Migrated, new section

internal_network UCI options	Change	Previous name
interface	New option
access_preset	New option (6)
accept_ports	New option (6)
reject_ports	New option (7)
ignore_acl	New option (6)

Notes:

1. Init UCI default now matches LuCI and initial config file defaults for: enabled=0 and upnp_igd_compat=igdv1
2. Allow allow-filtered for IPv4 CGNAT use and migrate option from X-Wrt and only use STUN when necessary with a private/CGNAT external IPv4
3. Remove known incompatible STUN servers and set compatible by default
4. Configure undocumented daemon option lease_file6=${lease_file}-ipv6 so that active IPv6 port maps are not lost when service restarts, e.g. by deleting an active port map. Remove option if UCI default set
5. Gets converted, config file now defaults to interface link speed instead of 8/4 Mbit/s, which is removed on migration
6. New options added to select a preset for ports that all devices on a network can map and decide if the ACL should not be checked before a preset. Extra ports can also be defined. Presets: accept-high-ports accept-web+high-ports/accept-web-ports/accept-all-ports
7. Reject ports; override other settings. By default reject unsafe: 21 (FTP), 23 (Telnet), DCE/NetBIOS/SMB (135/137-139/445), RDP (3389)

Code refactoring:

• Add a function for logging and output to stderr, and extend logging
• Revise daemon init/config-gen slightly by declare all UCI options (incl. booleans) according to the same principle and remove upnpd_write_bool
• Document and reformat default /etc/config/upnpd UCI config file

Depends on: openwrt/luci#7822

Fixes: #17413

5. Group/rearrange config-gen and refactoring

• Group and rearrange UCI option declaration and config-gen by function/LuCI UI, and comment
• Encode required XML entities of text UPnP IGD config options until the daemon does so using the created function xml_encode
• Only generate UPnP IGD config if the protocol is enabled

(to merge with prior)

6. Rename UCI section name to `settings` (v2.0)

Inspired/address copilot's PR review for a clearer config by rename UCI section name config (v1.0) -> settings (v2.0), helps on migration and to distinguish the updated config from the previous one easily

(to merge with prior)

7. Add second CGNAT UCI option

Alternative option to STUN allow-filtered. As requested by AquanJSW, to test with Tailscale. Also adds the required daemon fix. No STUN public IPv4 detection; various issues, e.g. with PCP/NAT-PMP clients

(proposed for inclusion, to merge with prior)

8. Update ACL options, migrate section

• Note that the ACL is now rejected by default, with no preset and accepted extra ports. Add (ignored) ACL template entries on migration
• Migrate ACL entries to the new section name acl_entry
• The following ACL UCI options been added or changed, and the previous options are migrated on updating:

acl_entry UCI options	Change	Previous name
action	New/updated values (1)
int_port	Remove colon separator (2)	int_ports
ext_port	Remove colon separator (2)	ext_ports
descr_filter	New option (3)

1. Allow ignore, and update action option to use the nftables terms (allow/deny -> accept/reject). To avoid adding inverted actions when changing via LuCI, ensure any missing are set, as LuCI and UCI had not matching action defaults. Missing actions are now ignored/logged
2. Ensure that the hyphen (-) is only used as a port range separator by migration, as the colon (:) is not valid in LuCI
3. Add missing UCI option to set a regular expression to check for a UPnP IGD IPv4 port map description, and fix the current collision with the comment field which was not noticed due to a daemon bug
   miniupnpd: Update to 2.3.7 and enable regex filter #24495
   miniupnpd: Rewrite permission line parser miniupnp/miniupnp#853

• Refactoring by adding a more universal usable is_port_or_range function instead of upnpd_get_port_range and check if it has a valid range, and removes a shellcheck warning
• Rename conf_rule_add function to upnpd_add_acl_entry

(to merge with prior)

9. Separate service start and config-gen

• Remove config_foreach upnpd "upnpd" and replace it with regular function call, as init was not designed for a multi-instance setup, as the same tmpconf will be used/overwritten, and non-anonymous section
• Move code to make the custom vs. config file generation decision earlier, and only perform external interface detection with the second one, and rename function upnpd to upnpd_generate_config
• Replace unnecessary if cases with elif in init/hotplug
• Exit with 1 on errors to get an inactive service status
• Use procd_add_reload_trigger "firewall" instead of listening /etc/config/firewall

(to merge with prior)

10. Rearrange init and format `firewall3.include`

• Arrange start_service and main init functions first
• Format firewall3.include using shfmt

(to merge with prior)

(The italic commits are intended to be merged with the prior ones after review)

Screenshots

The new network-wide access control functionality… can best be described using the LuCI screenshots:

Enable Networks / Access Control (new)

Edit Network Access Control Settings (new)

Advanced Settings tab with new CGNAT functionality

UPnP IGD Adjustments tab (new)

LuCI notification if the related package is not updated (new)

Full LuCI screenshot

Depends on LuCI PR: openwrt/luci#7822
The first commit here has no dependencies and is intended for early cherry-picking
Tested on: OpenWrt 24.10.5 and 25.12.0-rc3

Wanted: Newer Microsoft Xbox (One/Series) console users with OpenWrt to provide UPnP IGD logs as specified in #24988 (comment) (updated package not necessary).

miniupnpd: Core functionality issues
https://github.com/Self-Hosting-Group/miniupnpd-issues

The Port Control Protocol (PCP) is the successor to NAT-PMP, shares similar protocol concepts and packet formats, but supports IPv6 port mapping and options/extensions. For more information, see:
Port Mapping Protocols Overview and Comparison 2026+: About UPnP IGD & PCP/NAT-PMP
https://github.com/Self-Hosting-Group/wiki/wiki/Port-Mapping-Protocols-Overview

[systemcrash]

A downgrade included in a patchset won't get accepted, since a downgrade may subtly reintroducing bugs for existing users, if we assume that point releases fix bugs only. Better to wait for a new release, and bump to that version.

Migrations are probably a more serious matter: those must be carried basically 'forever'. The best way is simply to avoid those. One might introduce a new setting, and deprecate the old one, and change the UI over to use the new one. Still a bit of a bumpy road.

I think personally this is minor in the grand scheme of things (rather unimportant settings), but other reviewers may take a much firmer stance on it since you are, after all, changing setting names.

[systemcrash]

What do you think about backporting the commit?

Acceptable. It just breaks compile at the next release bump when it no longer applies. Minor, I guess.

[systemcrash]

Every single test-build failed: Dirty patches detected, please refresh and review the diff

[Self-Hosting-Group]

I reported this to GitHub: https://github.com/openwrt/luci/pull/7822#issuecomment-3731725055

Update: New bloated comment: Is this an repeating/off-topic/abusing SPAM bot???? ;-(

Can we do something about that? E.g. @GeorgeSapkin. Could you help?
https://github.com/openwrt/luci/pull/7822#issuecomment-3731817179

[Self-Hosting-Group]

@GeorgeSapkin @BKPepe: I feel harassed by Neustradamus for the third time. I would like to have him blocked here (PRs) if possible, and LuCI. Otherwise, I cannot continue with this PR. Reason: Be nice to each other (formerly known as “Rule 12”)

[GeorgeSapkin]

@Self-Hosting-Group I pinged some people for assistance, but I don't have access to anything, so can't do much. Sorry.

[Self-Hosting-Group]

Thanks. I can also justify my request with examples. However, I do not want to draw any more attention to this cold wind if this is not necessary. I see someone here who is offended. And who is also spreading falsehoods (e.g. there's no miniupnp team, only single maintainer with repo privileges, and no ToS missuse...).

Note: We have 8 off-topic/abusive/zero-content comments from this user on this PR alone (+2 on LuCI, +2 new issues)
None of them refer to technical aspects or code improvements.

I do not want a mistake in OpenWrt source code.

?

[GeorgeSapkin]

@Neustradamus you are not contributing anything to this PR besides noise. In fact I don't see you contributing anything to OpenWrt in general. I would think your comments being marked as spam and hidden would be signal enough, but no. Please stop.

[1715173329]

I have enough with this, honestly.

Let's back to the code, any more changes needed before we merging this? LuCI changes?

@Self-Hosting-Group I hope you can still reply this thread ;)