luci-app-upnp: revision and adapt to updated package options

The following settings UCI options been added or changed, and the
previous options are migrated on updating:

- Only display `Active Port Maps` if the service is enabled and `Access
  Control List` if it is used
- Enable protocols (`enable_protocols`): Combined UI option added
- Allow CGNAT/STUN (`allow_cgnat`): Allow new option for IPv4 CGNAT use
  (allow filtered), and updated help with newer wording of RFC 5780
- STUN server (`stun_host`): Allow port inclusion
- STUN port: Removed, as now accepted in STUN server
- Override external IPv4 (`external_ip`): UI option added for CGNAT use
- Allow third-party mapping (`allow_third_party_mapping`): Inverted from
  secure mode and optionally extended to PCP
- Log output level (`log_output`): Allow info log level, and reworded
- UPnP IGD compatibility (`upnp_igd_compat`): Reworded/extensible
- Download/upload speed (`download_kbps`/`upload_kbps`): In kbit/s and
  datatype set, now, interface link speed by default
- Router/friendly name (`friendly_name`): UI option added to set name
  displayed in Windows Explorer, model/serial number removed
- Enable Networks / Access Control (`internal_network`): Section added
  to select the enabled networks and their access control. By:
  - Internal network (`interface`): UI option added to select the
    local/internal (LAN) network interface to enable the service for
  - Access preset (`access_preset`): UI option added to select an access
    control preset for ports that all devices on this network can map
  - Accept extra ports (`accept_ports`): UI option added to accept these
    ports or port ranges on this network as well
  - Reject ports (`reject_ports`): UI option added to reject ports on
    this network; override other settings
  - Ignore ACL (`ignore_acl`): UI option added to define whether the ACL
    entries should not be checked before a preset; can extend/override a
    preset
- Slightly improve introduction text

More details on changed options can be found in the dependent package PR

Depends on: https://redirect.github.com/openwrt/packages/pull/24988

Signed-off-by: Self-Hosting-Group <[email protected]>

Author: Self-Hosting-Group

applications/luci-app-upnp/Makefile

@@ -6,7 +6,7 @@
 
 include $(TOPDIR)/rules.mk
 
-LUCI_TITLE:=UPnP IGD & PCP/NAT-PMP configuration module | Universal Plug and Play
+LUCI_TITLE:=LuCI support for UPnP IGD & PCP/NAT-PMP service | formerly: Universal Plug and Play
 LUCI_DEPENDS:=+luci-base +miniupnpd +rpcd-mod-ucode
 
 PKG_LICENSE:=Apache-2.0

applications/luci-app-upnp/htdocs/luci-static/resources/view/upnp/upnp.js

@@ -6,6 +6,7 @@
 'require ui';
 'require rpc';
 'require form';
+'require tools.widgets as widgets';
 
 const callInitAction = rpc.declare({
 	object: 'luci',
@@ -87,8 +88,8 @@ return view.extend({
 			'<a href="https://en.wikipedia.org/wiki/Port_Control_Protocol" target="_blank" rel="noreferrer"><abbr title="Port Control Protocol">PCP</abbr></a>',
 			'<a href="https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol" target="_blank" rel="noreferrer"><abbr title="NAT Port Mapping Protocol">NAT-PMP</abbr></a>');
 		m = new form.Map('upnpd', _('UPnP IGD & PCP/NAT-PMP Service'),
-			_('The %s protocols allow clients on the local network to configure port maps/forwards on the router autonomously.',
-				'The %s (%s = UPnP IGD & PCP/NAT-PMP) protocols allow clients on the local network to configure port maps/forwards on the router autonomously.')
+			_('The %s protocols/service enable permitted devices on local networks to autonomously set up port maps (forwards) on this router.',
+				'The %s (%s = UPnP IGD & PCP/NAT-PMP) protocols/service enable permitted devices on local networks to autonomously set up port maps (forwards) on this router.')
 			.format(protocols)
 		);
 		if (!uci.get('upnpd', 'config')) {
@@ -100,6 +101,7 @@ return view.extend({
 		}
 
 		s = m.section(form.GridSection, '_active_rules');
+		s.disable = uci.get('upnpd', 'config', 'enabled') == '0';
 
 		s.render = L.bind(function(view, section_id) {
 			const table = E('table', { 'class': 'table cbi-section-table', 'id': 'upnp_status_table' }, [
@@ -150,39 +152,49 @@ return view.extend({
 			_('Enable the autonomous port mapping service'));
 		o.rmempty = false;
 
-		o = s.taboption('setup', form.Flag, 'enable_upnp', _('Enable UPnP IGD protocol'));
-		o.default = '1';
-
-		o = s.taboption('setup', form.Flag, 'enable_natpmp', _('Enable PCP/NAT-PMP protocols'));
-		o.default = '1';
-
-		o = s.taboption('setup', form.Flag, 'igdv1', _('UPnP IGDv1 compatibility mode'),
-			_('Advertise as IGDv1 (IPv4 only) device instead of IGDv2'));
-		o.default = '1';
-		o.rmempty = false;
-		o.depends('enable_upnp', '1');
+		o = s.taboption('setup', form.ListValue, 'enable_protocols', _('Enable protocols'));
+		o.value('all', _('All protocols'));
+		o.value('upnp-igd', _('UPnP IGD'));
+		o.value('pcp+nat-pmp', _('PCP and NAT-PMP'));
+		o.default = 'all';
+		o.widget = 'radio';
+
+		o = s.taboption('setup', form.ListValue, 'upnp_igd_compat', _('UPnP IGD compatibility'),
+			_('Set compatibility mode (act as device) to workaround IGDv2-incompatible clients; %s only work with %s (or) <br>Emulate/report a specific/different device to workaround/support/handle/bypass/assist/mitigate... (alternative text welcome)').format('Sony PS / CoD', 'IGDv1'));
+		o.value('igdv1', _('IGDv1 (IPv4 only)'));
+		o.value('igdv2', _('IGDv2 (with workarounds)'));
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
 		o.retain = true;
 
-		s.taboption('advanced', form.Flag, 'use_stun', _('Use %s', 'Use %s (%s = STUN)')
-			.format('<a href="https://en.wikipedia.org/wiki/STUN" target="_blank" rel="noreferrer"><abbr title="Session Traversal Utilities for NAT">STUN</abbr></a>'),
-			_('To detect the public IPv4 address for unrestricted full-cone/one-to-one NATs'));
-
-		o = s.taboption('advanced', form.Value, 'stun_host', _('STUN host'));
-		o.datatype = 'host';
-		o.depends('use_stun', '1');
+		o = s.taboption('advanced', form.RichListValue, 'allow_cgnat', _('Allow %s/%s', 'Allow %s/%s (%s = CGNAT, %s = STUN)')
+			.format('<a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT" target="_blank" rel="noreferrer"><abbr title="Carrier-grade NAT">CGNAT</abbr></a>',
+				'<a href="https://en.wikipedia.org/wiki/STUN" target="_blank" rel="noreferrer"><abbr title="Session Traversal Utilities for NAT">STUN</abbr></a>'),
+			_('Allow use of unrestricted endpoint-independent (1:1) CGNATs and detect the public IPv4'));
+		o.value('', _('Disabled'), _('Manually override external IPv4 to allow a private IP'));
+		o.value('1', _('Enabled'), _('Filtering test currently requires an extra firewall rule'));
+		o.value('allow-filtered', _('Enabled') + ' (' + _('allow filtered') + ')', _('Allow filtered IPv4 CGNAT test result'));
+		o.optional = true;
+
+		o = s.taboption('advanced', form.Value, 'stun_host', _('STUN server'));
+		o.datatype = 'or(hostname,hostport,ip4addr("nomask"))';
+		o.placeholder = 'stun.nextcloud.com';
+		o.depends('allow_cgnat', '1');
+		o.depends('allow_cgnat', 'allow-filtered');
 		o.retain = true;
 
-		o = s.taboption('advanced', form.Value, 'stun_port', _('STUN port'));
-		o.datatype = 'port';
-		o.placeholder = '3478';
-		o.depends('use_stun', '1');
-		o.retain = true;
+		o = s.taboption('advanced', form.Value, 'external_ip', _('Override external IPv4'),
+			_('Report custom public/external (WAN) IPv4 address'));
+		o.datatype = 'ip4addr("nomask")';
+		o.placeholder = '(203.1.2.3)';
+		o.depends('allow_cgnat', '');
 
-		o = s.taboption('advanced', form.Flag, 'secure_mode', _('Enable secure mode'),
-			_('Allow adding port maps for requesting IP addresses only'));
-		o.default = '1';
-		o.depends('enable_upnp', '1');
-		o.retain = true;
+		o = s.taboption('advanced', form.ListValue, 'allow_third_party_mapping', _('Allow third-party mapping'),
+			_('Allow adding port maps for non-requesting IP addresses'));
+		o.value('', _('Disabled'));
+		o.value('1', _('Enabled'));
+		o.value('upnp-igd', _('Enabled') + ' (' + _('UPnP IGD only') + ')');
+		o.value('pcp', _('Enabled') + ' (' + _('PCP only') + ')');
 
 		s.taboption('advanced', form.Flag, 'ipv6_disable', _('Disable IPv6 mapping'));
 
@@ -191,46 +203,69 @@ return view.extend({
 		o.depends('to-disable-as-rarely-used', '1');
 		o.retain = true;
 
-		s.taboption('advanced', form.Flag, 'log_output', _('Enable additional logging'),
-			_('Puts extra debugging information into the system log'));
+		o = s.taboption('advanced', form.ListValue, 'log_output', _('Log output level'));
+		o.value('default', _('Default'));
+		o.value('info', _('Info'));
+		o.value('debug', _('Debug'));
+		o.default = 'default';
+		o.widget = 'radio';
 
-		o = s.taboption('advanced', form.Value, 'upnp_lease_file', _('Service lease file'));
+		o = s.taboption('advanced', form.Value, 'lease_file', _('Service lease file'));
 		o.depends('to-disable-as-rarely-used', '1');
 		o.retain = true;
 
-		o = s.taboption('igd', form.Value, 'download', _('Download speed'),
-			_('Report maximum download speed in kByte/s'));
-		o.depends('enable_upnp', '1');
+		o = s.taboption('igd', form.Value, 'download_kbps', _('Download speed'),
+			_('Report maximum connection speed in kbit/s'));
+		o.datatype = 'uinteger';
+		o.placeholder = _('Default interface link speed');
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
+		o.retain = true;
+
+		o = s.taboption('igd', form.Value, 'upload_kbps', _('Upload speed'),
+			_('Report maximum connection speed in kbit/s'));
+		o.datatype = 'uinteger';
+		o.placeholder = _('Default interface link speed');
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
 		o.retain = true;
 
-		o = s.taboption('igd', form.Value, 'upload', _('Upload speed'),
-			_('Report maximum upload speed in kByte/s'));
-		o.depends('enable_upnp', '1');
+		o = s.taboption('igd', form.Value, 'friendly_name', _('Router/friendly name'));
+		o.placeholder = 'OpenWrt UPnP IGD & PCP';
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
 		o.retain = true;
 
 		o = s.taboption('igd', form.Value, 'model_number', _('Announced model number'));
-		o.depends('enable_upnp', '1');
+		// o.depends('enable_protocols', 'upnp-igd');
+		// o.depends('enable_protocols', 'all');
+		o.depends('to-disable-as-rarely-used', '1');
 		o.retain = true;
 
 		o = s.taboption('igd', form.Value, 'serial_number', _('Announced serial number'));
-		o.depends('enable_upnp', '1');
+		// o.depends('enable_protocols', 'upnp-igd');
+		// o.depends('enable_protocols', 'all');
+		o.depends('to-disable-as-rarely-used', '1');
 		o.retain = true;
 
 		o = s.taboption('igd', form.Value, 'presentation_url', _('Router/presentation URL'),
 			_('Report custom router web interface URL'));
 		o.placeholder = 'http://192.168.1.1/';
-		o.depends('enable_upnp', '1');
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
 		o.retain = true;
 
 		o = s.taboption('igd', form.Value, 'uuid', _('Device UUID'));
-		// o.depends('enable_upnp', '1');
+		// o.depends('enable_protocols', 'upnp-igd');
+		// o.depends('enable_protocols', 'all');
 		o.depends('to-disable-as-rarely-used', '1');
 		o.retain = true;
 
-		o = s.taboption('igd', form.Value, 'port', _('SOAP/HTTP port'));
+		o = s.taboption('igd', form.Value, 'http_port', _('SOAP/HTTP port'));
 		o.datatype = 'port';
 		o.placeholder = '5000';
-		o.depends('enable_upnp', '1');
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
 		o.retain = true;
 
 		o = s.taboption('igd', form.Value, 'notify_interval', _('Notify interval'),
@@ -239,14 +274,81 @@ return view.extend({
 			.format('<abbr title="Simple Service Discovery Protocol">SSDP</abbr>', '<code>Cache-Control: max-age=1800</code>'));
 		o.datatype = 'min(900)';
 		o.placeholder = '900';
-		o.depends('enable_upnp', '1');
+		o.depends('enable_protocols', 'upnp-igd');
+		o.depends('enable_protocols', 'all');
+		o.retain = true;
+
+		s = m.section(form.GridSection, 'internal_network', '<h5>' + _('Enable Networks / Access Control') + '</h5>',
+			_('Select local/internal (LAN) network interfaces to enable the service for.') + ' ' +
+			_('Use an access control preset for ports that all devices on a network can map.') + ' ' +
+			_('Alternatively, add client-specific permissions using the access control list (ACL), which can also extend/override a preset.') + ' ' +
+			_('IPv6 is currently always accepted unless disabled. (alternative text welcome)'));
+		s.anonymous = true;
+		s.addremove = true;
+		s.cloneable = true;
+		s.sortable = true;
+		s.nodescriptions = true;
+		s.modaltitle = _('UPnP IGD & PCP') + ' - ' + _('Edit Network Access Control Settings');
+
+		o = s.option(widgets.NetworkSelect, 'interface', _('Internal network'),
+			_('Select the local/internal (LAN) network interface to enable the service for'));
+		o.exclude = 'wan'; // wan6 should also be excluded
+		o.nocreate = true;
+		o.editable = true;
+		o.retain = true;
+		o.validate = function(section_id, value) {
+			// Commented out, as it causes issues with cloning
+			//let netcount = 0;
+			//for (let ifnr = 0; uci.get('upnpd', `@internal_network[${ifnr}]`, 'interface'); ifnr++) {
+			//	if (uci.get('upnpd', `@internal_network[${ifnr}]`, 'interface') == value) netcount++;
+			//};
+			return (value == '' || value == 'wan' || value == 'wan6') ? '' : true;
+		};
+
+		o = s.option(form.ListValue, 'access_preset', _('Access preset'));
+		o.value('', _('None / accept extra ports only'));
+		o.value('accept-high-ports', _('Accept ports >= 1024'));
+		o.value('accept-web+high-ports', _('Accept HTTP/HTTPS + ports >= 1024'));
+		o.value('accept-web-ports', _('Accept HTTP/HTTPS ports only'));
+		o.value('accept-all-ports', _('Accept all ports'));
+		o.editable = true;
+		o.retain = true;
+
+		o = s.option(form.Value, 'accept_ports', _('Accept extra ports'));
+		o.retain = true;
+		o.validate = function(section_id, value) {
+			return value.search(/^[0-9 -]*$/) != -1 ? true : _('Expecting: %s').format(_('valid port or port range (port1-port2)'));
+		};
+
+		o = s.option(form.Value, 'reject_ports', _('Reject ports'),
+			_('Reject unsafe/insecure/risky FTP/Telnet/DCE/NetBIOS/SMB/RDP ports on this network by default; override other settings; use space for none'));
+		o.placeholder = '21 23 135 137-139 445 3389';
+		o.modalonly = true;
+		o.retain = true;
+		o.validate = function(section_id, value) {
+			return value.search(/^[0-9 -]*$/) != -1 ? true : _('Expecting: %s').format(_('valid port or port range (port1-port2)'));
+		};
+
+		o = s.option(form.Flag, 'ignore_acl', _('Ignore ACL'),
+			_('Whether the ACL entries should not be checked before a preset; can extend/override a preset') + '<br>' +
+			_('Sequence: 1. Reject ports, 2. ACL entries (if used), 3. Preset ports, 4. Accept extra ports'));
+		o.editable = true;
 		o.retain = true;
 
 		s = m.section(form.GridSection, 'perm_rule', _('Service Access Control List'),
 			_('ACL specify which client addresses and ports can be mapped, IPv6 always allowed.'));
 		s.anonymous = true;
 		s.addremove = true;
 		s.sortable = true;
+		// Preferably: ACL part of extra tab with depends for section as immediately, and network section part of service setup tab. Nice to have: Add button (+input) calls function and opens modal pre-filled
+		let acl_used = false;
+		for (let ifnr = 0; uci.get('upnpd', `@internal_network[${ifnr}]`, 'interface'); ifnr++) {
+			if (!uci.get('upnpd', `@internal_network[${ifnr}]`, 'ignore_acl') == '1') {
+				acl_used = true;
+				break;
+			}
+		}
+		s.disable = !acl_used;
 
 		s.option(form.Value, 'comment', _('Comment'));
 
@@ -267,11 +369,13 @@ return view.extend({
 		o.value('deny', _('Deny'));
 
 		return m.render().then(L.bind(function(m, nodes) {
-			poll.add(L.bind(function() {
-				return Promise.all([
-					callUpnpGetStatus()
-				]).then(L.bind(this.poll_status, this, nodes));
-			}, this), 5);
+			if (uci.get('upnpd', 'config', 'enabled') != '0') {
+				poll.add(L.bind(function() {
+					return Promise.all([
+						callUpnpGetStatus()
+					]).then(L.bind(this.poll_status, this, nodes));
+				}, this), 5);
+			}
 			return nodes;
 		}, this, m));
 	}

applications/luci-app-upnp/root/usr/share/rpcd/ucode/luci.upnp

@@ -10,7 +10,7 @@ import { connect } from 'ubus';
 import { cursor } from 'uci';
 
 const uci = cursor();
-const leasefilepath = uci.get('upnpd', 'config', 'upnp_lease_file') || '/run/miniupnpd.leases';
+const leasefilepath = uci.get('upnpd', 'config', 'lease_file') || '/run/miniupnpd.leases';
 
 const methods = {
 	get_status: {