I have been on the lookout for a UPnP Internet Gateway for Linux for some time, and am glad to see that the discussion seems to have begun in earnest. I have been researching implementing a UPnP gateway that works with netfilter for several months now, and wanted to throw out some more information regarding UPnP, MSN Messenger, etc. I see that there have been a couple threads regarding this stuff in the last couple days, so some of this may have already been covered.
> My overall impression is that UPnP is something that Microsoft designed and
> is trying to push through any standards body that will listen. It doesn't
> look like something that was designed by the IETF. Knowing how much the
> IETF hates NAT in general, and who is implementing UPnP apps, this makes
> perfect sense. ;-)

While you are accurate in your assumption that UPnP is really Microsoft's baby, it appears to have been widely accepted by other vendors. Intel has also been a driving force, and Linksys, D-Link, Netgear etc. have not only committed to making their internet gateway devices UPnP compatible, but at least several of them already have it available. Several of the Linksys NAT gateways already support UPnP. Voice, video, and file transfers for MSN Messenger work fine from behind them.

> George sent me a private email pointing me to http://www.upnp.org
> Not surprisingly, that domain is registered by Microsoft. They have some
> useful information on the site, including an SDK and some drafts that they
> submitted to the IETF. I didn't study the drafts well enough to see exactly
> how this UPnP thing is supposed to work for traversing firewalls.

Here is an extremely general overview of how a UPnP gateway allows traversal of the firewall:

1) Each UPnP device on the network sends a "Discovery" message to find out what other UPnP devices are around when it is first connected to the network. In the case of Windows XP / MSN Messenger, when it (either Messenger or XP, I don't know which) is first loaded, it sends a Discovery message to see if there are any other UPnP devices on its subnet. The gateway is supposed to respond by saying that it supports UPnP, and register the client as one of the devices it is supporting. From that point forward, XP / Messenger will know that it can make use of the UPnP functions of the gateway.

2) When a program needs traversal through the firewall, it will ask the gateway for X number of ports to specifically be opened and forwarded to the inside machine. The gateway will report to the calling program (Messenger) which ports it has opened/forwarded, and the calling program takes it from there. When the program is done with the ports it is supposed to ask the gateway to close them.

It is (of course) actually a little more complicated than above. The three main sources of technical information I've found are the UPnP forum, Microsoft's site, and the Intel UPnP site. Intel's main UPnP website is at: http://www.intel.com/labs/connectivity/upnp/tech.htm. They have several whitepapers with more specific information on device discovery and NAT traversal. The upnp.org site also appears to have a very detailed description of the actual messages/etc that a UPnP gateway is supposed to handle at http://www.upnp.org/resources/standards.asp

The UPnP messaging between UPnP devices appears to work primarily through SOAP and XML, and Intel has written an open source Linux SDK that can be used to handle the messaging, device registration, discovery, etc. (http://upnp.sourceforge.net)

I think the proper solution is to write a "UPnP Internet Gateway Device" daemon based on the Intel SDK that handles the messaging, and make sure netfilter has the proper hooks to open/forward/close the ports as necessary. This seems like a much cleaner solution than trying to write conntrack modules for Microsoft's mutilated SIP, RDP, etc. It will also allow the newer online games (and any other UPnP enabled software) to work through NAT.

There is a partial implementation of this for the 2.2 kernels and IPChains available at: http://pseudoicsd.sourceforge.net/

This person took the Intel SDK and turned it into a daemon that listens for UPnP messages, and then patched hooks into IPChains to allow the port opening/forwarding/closing. He has not implemented all of the UPnP messages, but it is functional enough that it allows MSN Messenger voice/video/file transfers to work properly through IPChains. It may be a good starting place. I suspect that the daemon could be cleaned up and the ipchains hooks could be converted to ones that work on netfilter in a short period of time.

Please let me know if there is any way I can help. I have limited time, but would like to help in any way I can.

Thanks.

Eric Wirt
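Added example (not part of the post above, nor of the pseudoicsd or Intel SDK code it mentions): the policy check a gateway daemon of the kind described in step 2 would want to run before it opens a port. It parses the SOAP "open and forward this port" request and accepts it only if the LAN host asking for the hole is the host that will receive it, the ports and lease are within policy, and then emits the matching netfilter DNAT rule. The argument names follow the IGD WANIPConnection AddPortMapping action; the sample request, the address ranges and the interface name are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample: the SOAP body a Messenger-style client sends when it
# asks the gateway to open external port 6891 and forward it to itself.
SAMPLE_REQUEST = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}">
 <s:Body>
  <u:AddPortMapping xmlns:u="{WANIP_NS}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>6891</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>6891</NewInternalPort>
   <NewInternalClient>192.168.1.20</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>constructed example</NewPortMappingDescription>
   <NewLeaseDuration>3600</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text):
    """Return the AddPortMapping arguments as a dict, or raise if absent."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "").strip() for child in action}


def build_forward_rule(xml_text, requester_ip, lan_net="192.168.1.0/24",
                       wan_if="eth0", ext_range=(1024, 65535), max_lease=86400):
    """Validate a request from requester_ip; return the iptables DNAT rule."""
    args = parse_add_port_mapping(xml_text)
    proto = args["NewProtocol"].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be TCP or UDP")
    ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
    if not (ext_range[0] <= ext <= ext_range[1] and 1 <= internal <= 65535):
        raise ValueError("port outside policy range")
    client = ipaddress.ip_address(args["NewInternalClient"])
    # The host asking for the hole must be the host that receives it; otherwise
    # one LAN machine could expose another (or the gateway itself) to the outside.
    if client != ipaddress.ip_address(requester_ip) or client not in ipaddress.ip_network(lan_net):
        raise ValueError("internal client must be the requesting LAN host")
    lease = int(args["NewLeaseDuration"] or 0)
    # Policy assumption: no permanent (0) leases, so a crashed client's hole still closes.
    if lease == 0 or lease > max_lease:
        raise ValueError("lease must be finite and within policy")
    return (f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {ext} "
            f"-j DNAT --to-destination {client}:{internal}")
```

The daemon would run the returned command on accept and schedule the matching `-D` at lease expiry, so the close step in 2) happens even if the client never asks.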