miniupnpd: Better document and reformat default upnpd UCI config file

Self-Hosting-Group · Self-Hosting-Group · commit 8aa97026e8c4 · 2024-10-01T00:00:00.000Z
and add (template) ACL entry for low ports (&lt;1024) denied by default,
current behaviour

Signed-off-by: Self Hosting Group &lt;selfhostinggroup-git+openwrt@shost.ing&gt;
diff --git a/net/miniupnpd/files/upnpd.config b/net/miniupnpd/files/upnpd.config
@@ -1,28 +1,40 @@
-config upnpd config
-	option enabled		0
-	option enable_pcp_pmp	1
-	option enable_upnp	1
+# UPnP IGD & PCP/NAT-PMP service configuration
+
+config upnpd 'config'
+	option enabled					0
+	option enable_upnp				1
+	option enable_pcp_pmp			1
+# UPnP IGD compatibility mode is IGDv1 by default due to still existing client issues
+	option upnp_igd_compat			igdv1
+	option download_kbps			100000
+	option upload_kbps				50000
+# The allow_third_party_maps option behaves in the opposite way to the previous secure_mode UCI option
 	option allow_third_party_maps	0
-	option log_output	0
-	option download_kbps		100000
-	option upload_kbps		50000
-#by default, looked up dynamically from ubus
-#	option external_iface	wan
-	option internal_iface	lan
-	option port		5000
-	option upnp_lease_file	/var/run/miniupnpd.leases
-	option upnp_igd_compat		igdv1
+# By default, looked up dynamically from ubus
+#	option external_iface			wan
+	option internal_iface			lan
+	option log_output				0
+	option upnp_lease_file			/var/run/miniupnpd.leases
+
+# Service access control list configuration (IPv6 always allowed)
+
+config perm_rule
+	option action					allow
+	option ext_ports				1024-65535
+	option int_addr					0.0.0.0/0
+	option int_ports				1024-65535
+	option comment					'Allow high ports'
 
 config perm_rule
-	option action		allow
-	option ext_ports	1024-65535
-	option int_addr		0.0.0.0/0	# Does not override secure_mode
-	option int_ports	1024-65535
-	option comment		"Allow high ports"
+	option action					deny
+	option ext_ports				1-1023
+	option int_addr					0.0.0.0/0
+	option int_ports				1-1023
+	option comment					'Low ports'
 
 config perm_rule
-	option action		deny
-	option ext_ports	0-65535
-	option int_addr		0.0.0.0/0
-	option int_ports	0-65535
-	option comment		"Default deny"
+	option action					deny
+	option ext_ports				1-65535
+	option int_addr					0.0.0.0/0
+	option int_ports				1-65535
+	option comment					'Deny by default'
