You know, you're right. I've spent the past couple of days sniffing MSN traffic and watching what it does. Of course I'm new to kernel programming, so it's taking me a little while to understand this. My thinking was that even if UPnP was implemented on Linux, we'd still have to hook into netfilter, and that's why I was looking to create a conntrack, NAT, and helper module for it. I know this is just a hack to get Messenger working, but I admit it is just a hack.
A UPnP daemon with netfilter hooks (and whatever else it needs to hook into) is the proper way to do this, and we should go on with it. In the spirit of hating Microsoft, some people may abandon this idea. But it is becoming widely accepted. And let's face it, I administer some 60 Windows machines and they are all connecting at multiple locations through Linux. I'm sure many people are in the same boat. I say we go for it. Is the guy who did the one for 2.2 responding to emails? Let's take a look at his code and see what we can do. Questions? Comments?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Wirt
Sent: Saturday, April 06, 2002 2:32 PM
To: [EMAIL PROTECTED]
Subject: [UPnP-SDK-discuss] UPNP Server/Application Gateway for Linux

I have been on the lookout for a UPnP Internet Gateway for Linux for some time, and am glad to see that the discussion seems to have begun in earnest. I have been researching implementing a UPnP gateway that works with netfilter for several months now, and wanted to throw out some more information regarding UPnP, MSN Messenger, etc. I see that there have been a couple of threads regarding this stuff in the last couple of days, so some of this may have already been covered.

> My overall impression is that UPnP is something that Microsoft designed and
> is trying to push through any standards body that will listen. It doesn't
> look like something that was designed by the IETF. Knowing how much the
> IETF hates NAT in general, and who is implementing UPnP apps, this makes
> perfect sense. ;-)

While you are accurate in your assumption that UPnP is really Microsoft's baby, it appears to have been widely accepted by other vendors. Intel has also been a driving force, and Linksys, D-Link, Netgear etc. have not only committed to making their internet gateway devices UPnP compatible, but at least several of them already have it available. Several of the Linksys NAT gateways already support UPnP.
Voice, video, and file transfers for MSN Messenger work fine from behind them.

> George sent me a private email pointing me to http://www.upnp.org
> Not surprisingly, that domain is registered by Microsoft. They have some
> useful information on the site, including an SDK and some drafts that they
> submitted to the IETF. I didn't study the drafts well enough to see exactly
> how this UPnP thing is supposed to work for traversing firewalls.

Here is an extremely general overview of how a UPnP gateway allows traversal of the firewall:

1) Each UPnP device on the network sends a "Discovery" message to find out what other UPnP devices are around when it is first connected to the network. In the case of Windows XP / MSN Messenger, when it (either Messenger or XP, I don't know which) is first loaded, it sends a Discovery message to see if there are any other UPnP devices on its subnet. The gateway is supposed to respond by saying that it supports UPnP, and register the client as one of the devices it is supporting. From that point forward, XP / Messenger will know that it can make use of the UPnP functions of the gateway.

2) When a program needs traversal through the firewall, it will ask the gateway for X number of ports to specifically be opened and forwarded to the inside machine. The gateway will report to the calling program (Messenger) which ports it has opened/forwarded, and the calling program takes it from there. When the program is done with the ports it is supposed to ask the gateway to close them.

It is (of course) actually a little more complicated than above. The three main sources of technical information I've found are the UPnP forum, Microsoft's site, and the Intel UPnP site. Intel's main UPnP website is at: http://www.intel.com/labs/connectivity/upnp/tech.htm. They have several whitepapers with more specific information on device discovery and NAT traversal.
The upnp.org site also appears to have a very detailed description of the actual messages/etc. that a UPnP gateway is supposed to handle at http://www.upnp.org/resources/standards.asp

The UPnP messaging between UPnP devices appears to work primarily through SOAP and XML, and Intel has written an open source Linux SDK that can be used to handle the messaging, device registration, discovery, etc. (http://upnp.sourceforge.net)

I think the proper solution is to write a "UPnP Internet Gateway Device" daemon based on the Intel SDK that handles the messaging, and make sure netfilter has the proper hooks to open/forward/close the ports as necessary. This seems like a much cleaner solution than trying to write conntrack modules for Microsoft's mutilated SIP, RDP, etc. It will also allow the newer online games (and any other UPnP enabled software) to work through NAT.

There is a partial implementation of this for the 2.2 kernels and IPChains available at: http://pseudoicsd.sourceforge.net/

This person took the Intel SDK and turned it into a daemon that listens for UPnP messages, and then patched hooks into IPChains to allow the port opening/forwarding/closing. He has not implemented all of the UPnP messages, but it is functional enough that it allows MSN Messenger voice/video/file transfers to work properly through IPChains. It may be a good starting place. I suspect that the daemon could be cleaned up and the IPChains hooks could be converted to ones that work on netfilter in a short period of time.

Please let me know if there is any way I can help. I have limited time, but would like to help in any way I can.

Thanks.

Eric Wirt
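As an added illustration of the gateway-side handling Eric describes in step 2 (not code from this thread, the Intel SDK, or pseudoicsd), here is a Python model of what an IGD daemon does with an AddPortMapping request: parse the SOAP action, validate it before touching the firewall, and produce the netfilter rules to open (and later close) the forward. The service name and argument names are the real WANIPConnection ones; the sample request, LAN addresses and interface name are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"  # real IGD service id
# Constructed sample: a LAN client asking the gateway to forward TCP 6891 to itself.
SAMPLE_ADD = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
<u:AddPortMapping xmlns:u="{SVC_NS}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>6891</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>6891</NewInternalPort>
<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>msnmsgr</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""

def parse_action(xml_text):
    """Return (action name, {argument: value}) from a WANIPConnection SOAP request."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    action = body[0]  # the single action element inside the SOAP body
    return action.tag.split("}")[1], {c.tag: (c.text or "").strip() for c in action}

def validate_mapping(args, requester, lan_net):
    """Checks the daemon should make before touching netfilter; empty list = acceptable."""
    problems = []
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        problems.append("protocol must be TCP or UDP")
    for key in ("NewExternalPort", "NewInternalPort"):
        if not args.get(key, "").isdigit() or not 1 <= int(args[key]) <= 65535:
            problems.append(f"{key} out of range")
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
        if client not in ipaddress.ip_network(lan_net):
            problems.append("internal client is not on the LAN")
        if str(client) != requester:  # a host may only open ports that land on itself
            problems.append("internal client differs from requesting host")
    except ValueError:
        problems.append("invalid NewInternalClient address")
    return problems

def netfilter_rules(args, wan_if, remove=False):
    """Validated mapping -> iptables commands (returned, not run); -D uses the same match as -A."""
    op = "-D" if remove else "-A"
    proto, ext = args["NewProtocol"].lower(), args["NewExternalPort"]
    dst = f"{args['NewInternalClient']}:{args['NewInternalPort']}"
    dnat = f"iptables -t nat {op} PREROUTING -i {wan_if} -p {proto} --dport {ext} -j DNAT --to-destination {dst}"
    fwd = f"iptables {op} FORWARD -i {wan_if} -p {proto} -d {args['NewInternalClient']} --dport {args['NewInternalPort']} -j ACCEPT"
    return [dnat, fwd]
```

The daemon would keep the parsed arguments per (external port, protocol) so that a later DeletePortMapping, which carries only those fields, can replay the same rules with remove=True.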