luci-app-upnp: Revision, new network access control and UCI options…

[Self-Hosting-Group]

As this PR is extensive, the descriptions of the individual commits are collapsed here:

1. Improve existing UI

• Workaround daemon bug to fix listing of active port maps with iptables >= 1.8.8, and relax nftables parsing for upcoming releases
• Change Active Service Port Maps to Active Port Maps, use the same wording for the table headings and ACL as on the overview status page
• Change description field header to Added via / description, always include the protocol and clearer/less redundant protocol labels
• Disable IPv6 mapping (ipv6_disable): UI option added, UCI exists
• Don't clear dependent options if UPnP IGD/STUN temporarily disabled
• Set notify_interval minimum to 900 s (default), as recommended by UDA 1.1 (2x=1800 in the standard), because daemon/OpenWrt wrongly suggested 30x less in the past, and to reduce multicast traffic and power consumption in wireless networks, clearer help
• Report system instead of service uptime, UUID and service lease file: UI options removed (disabled, to keep translations) as rarely used
• Slightly improve some text strings
• Show hint if no suitable configuration found (missing related update), link to package manager, and show form as read-only to prevent changes
• Configure service lease file by default in rpcd ucode for full UI functionality without option set
• Refactoring by moving ubus connection as jow-/ucode@a58fe47 was merged
• Adapt to JavaScript ES6 and remove some line breaks and format files
• A commit has been prepared that manually adjusts the translations, without losing them

2. Add `UPnP IGD Adjustments` tab

And rearrange as many options

(to merge with prior)

3. Revision and adapt to new package

The following settings UCI options been added or changed, and the previous options are migrated on updating:

• Only display Active Port Maps if the service is enabled and Access Control List if it is used
• Enable protocols (enable_protocols): Combined UI option added
• Allow CGNAT/STUN (allow_cgnat): Accept new values for IPv4 CGNAT use (allow-* values), and update help with newer wording of RFC 5780
• STUN server (stun_host): Allow port inclusion
• STUN port: Removed, as now accepted in STUN server
• Override external IPv4 (external_ip): UI option added for CGNAT use
• Allow third-party mapping (allow_third_party_mapping): Inverted from secure mode and optionally extended to PCP
• Log level (log_output): Allow info log level, and reworded
• UPnP IGD compatibility (upnp_igd_compat): Reworded/extensible
• Download/upload speed (download_kbps/upload_kbps): In kbit/s and datatype set, now, interface link speed by default
• Router/friendly name (friendly_name): UI option added to set name displayed in Windows Explorer, model/serial number removed
• Enable Networks / Access Control (internal_network): Section added to select the enabled networks and their access control. By:
  • Internal network (interface): UI option added to select the local/internal (LAN) network interface to enable the service for
  • Access preset (access_preset): UI option added to select an access control preset for ports that all devices on the network can map
  • Accept extra ports (accept_ports): UI option added to accept these ports or port ranges on the network as well
  • Reject ports (reject_ports): UI option added to reject ports on this network; override other settings
  • Ignore ACL (ignore_acl): UI option added to not check ACL entries before a preset; can extend/override a preset
• Slightly improve introduction text

More details on changed options can be found in the dependent package PR

Depends on: openwrt/packages#24988

4. Rename UCI section to settings v2.0

Rename UCI section config (v1.0) -> settings (v2.0), helps on migration and to distinguish the updated config from the previous one

(to merge with prior)

5. Update ACL options, migrate section

• Ignorable and cloneable ACL entries, always translated Action
• Improve UI with direct editability, clearer help wording, and rename to Access Control List
• Note that the ACL is now rejected by default, with no preset and accepted extra ports. Add (ignored) ACL template entries on migration
• Migrate ACL entries to the new section name acl_entry
• The following ACL UCI options been added or changed, and the previous options are migrated on updating:

acl_entry UCI options	Change	Previous name
action	New/updated values (1)
int_port	Remove colon separator (2)	int_ports
ext_port	Remove colon separator (2)	ext_ports
descr_filter	New option (3)

1. Allow ignore, and update action option to use the nftables terms (allow/deny -> accept/reject). To avoid adding inverted actions when changing via LuCI, ensure any missing are set, as LuCI and UCI had not matching action defaults. Missing actions are now ignored/logged
2. Ensure that the hyphen (-) is only used as a port range separator by migration, as the colon (:) is not valid in LuCI
3. Add missing UCI option to set a regular expression to check for a UPnP IGD IPv4 port map description, and fix the current collision with the comment field which was not noticed due to a daemon bug miniupnpd: Update to 2.3.7 and enable regex filter packages#24495 miniupnpd: Rewrite permission line parser miniupnp/miniupnp#853

• Refactoring by adding a more universal usable is_port_or_range function instead of upnpd_get_port_range and check if it has a valid range, and removes a shellcheck warning
• Rename conf_rule_add function to upnpd_add_acl_entry

(to merge with prior)

(The italic commits are intended to be merged with the prior ones after review)

Screenshots

The new network-wide access control functionality… can best be described using the LuCI screenshots:

Enable Networks / Access Control (new)

Edit Network Access Control Settings (new)

Advanced Settings tab with new CGNAT functionality

UPnP IGD Adjustments tab (new)

LuCI notification if the related package is not updated

Full LuCI screenshot

Depends on packages PR: openwrt/packages#24988
The first two commits here have no dependencies and can be cherry-picked
Tested on: OpenWrt 24.10.5 and 25.12.0
Maintainer: @jow-

Wanted: Microsoft Xbox One/Series console users with OpenWrt to provide UPnP IGD logs as specified in openwrt/packages#24988 (comment) (updated package not necessary).

miniupnpd: Core functionality issues
https://github.com/Self-Hosting-Group/miniupnpd-issues

The Port Control Protocol (PCP) is the successor to NAT-PMP, shares similar protocol concepts and packet formats, but supports IPv6 port mapping and options/extensions. For more information, see:
Port Mapping Protocols Overview and Comparison 2026+: About UPnP IGD & PCP/NAT-PMP
https://github.com/Self-Hosting-Group/wiki/wiki/Port-Mapping-Protocols-Overview

[systemcrash]

Hi - please don't open PRs here until you've finished with the PR in the packages repo first.

[hnyman]

Reference to openwrt/packages#24988

[Neustradamus]

@Self-Hosting-Group: Thanks for this PR!

[Self-Hosting-Group]

Hello @1715173329

Thanks for merging the daemon package commit, it worked great ;-)

Can we also adopt the first two commits (merged) as a pre-update here (all the rest then through the PR)? This helps to ensure that active port maps are displayed in full and can be deleted after the daemon update/migration, but with a missing LuCI update. Also, a commit has been prepared that manually adapts message IDs to avoid losing translations. For consistency, I would then wait for the next Weblate update and add the translation adaptation commit for early merging. And so as not to translate all new strings at once.

Can we do it this way? And can you give me your opinion on this first commit message: Is it good, or too long? As a single commit including translation adaptation?

[1715173329]

Unfortunately I don't have access to this repo ;(
@ldir-EDB0 and @systemcrash may interested in this

[Neustradamus]

About all the warnings like here, I have already informed the problem with the author but no changes yet about:

• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)

🔶 Author name (Self-Hosting-Group) seems to be a nickname or an alias
🔶 Committer name (Self-Hosting-Group) seems to be a nickname or an alias

The problem is same for this PR:

• miniupnpd: Update, revision, new network access control and UCI options… packages#24988

[Neustradamus]

Attention: To add more informations, warnings specified in my previous comment are here, it is not from me (I have previously cited only the latest one):

• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)
• luci-app-upnp: Revision, new network access control and UCI options… #7822 (comment)

🔶 Author name (Self-Hosting-Group) seems to be a nickname or an alias
🔶 Committer name (Self-Hosting-Group) seems to be a nickname or an alias

Recall:

• @Self-Hosting-Group has been banned by miniupnp team.
• I have already informed the PR author about the needed changes (nothing must be merged before changes).

The OpenWrt "Submission Guidelines" is here and clear:

• https://openwrt.org/submitting-patches

It is specified:

• all commits must contain Signed-off-by: My Name <my@email.address> where you write your real name and real email address, in accordance with Section 11 of the Linux Kernel patches guide: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id=HEAD#n416
• GitHub web interface or GUI application for git: you must append the Signed-off-by: line manually in the commit description
• git command-line interface:
  git commit --signoff
• the Author field must match the Signed-off-by: line
• GitHub web interface: you must specify your real name in the Name field and the Primary email address to match the Signed-off-by: line
• git command-line interface:
  git config --global user.name "my name"
git config --global user.email "my@email.address"