add from f1c69d0e6c

Makefile

@@ -0,0 +1,127 @@
+#
+# Copyright (C) 2006-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=miniupnpd
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/miniupnp/miniupnp.git
+PKG_SOURCE_DATE:=2022-08-31
+PKG_SOURCE_VERSION:=68c8ec508a421f4f4af67a63e3eb6f497d2531e1
+PKG_MIRROR_HASH:=68a3170ec73149c4cf4855b1ce6e031557cc12bff85a58421bb94785daaf225d
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)/miniupnpd
+
+PKG_RELEASE:=1
+
+PKG_MAINTAINER:=
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=LICENSE
+PKG_CPE_ID:=cpe:/a:miniupnp_project:miniupnpd
+
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/version.mk
+
+TAR_OPTIONS+= --strip-components 1
+TAR_CMD=$(HOST_TAR) -C $(1)/.. $(TAR_OPTIONS)
+
+define Package/miniupnpd/Default
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:= \
+	+libcap-ng \
+	+libmnl \
+	+libuuid
+  PROVIDES:=miniupnpd
+  TITLE:=Lightweight UPnP IGD, NAT-PMP & PCP daemon
+  SUBMENU:=Firewall
+  URL:=https://miniupnp.tuxfamily.org/
+endef
+
+define Package/miniupnpd-iptables
+  $(call Package/miniupnpd/Default)
+  DEPENDS+= \
+	+IPV6:ip6tables \
+	+IPV6:libip6tc \
+	+iptables \
+	+libip4tc \
+	+libnetfilter-conntrack
+  TITLE+= (iptables)
+  VARIANT:=iptables
+endef
+
+define Package/miniupnpd-nftables
+  $(call Package/miniupnpd/Default)
+  DEPENDS+= \
+	+libnftnl
+  TITLE+= (nftables)
+  VARIANT:=nftables
+  DEFAULT_VARIANT:=1
+  CONFLICTS:=miniupnpd-iptables
+endef
+
+define Package/miniupnpd/conffiles/Default
+/etc/config/upnpd
+endef
+
+Package/miniupnpd-iptables/conffiles = $(Package/miniupnpd/conffiles/Default)
+Package/miniupnpd-nftables/conffiles = $(Package/miniupnpd/conffiles/Default)
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	echo "$(VERSION_NUMBER)" | tr '() ' '_' >$(PKG_BUILD_DIR)/os.openwrt
+endef
+
+CONFIGURE_ARGS = \
+	$(if $(CONFIG_IPV6),--ipv6) \
+	--igd2 \
+	--leasefile \
+	--portinuse \
+	--firewall=$(BUILD_VARIANT) \
+	--disable-fork
+
+TARGET_CFLAGS += $(FPIC)
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
+
+ifeq ($(BUILD_VARIANT),iptables)
+	TARGET_CFLAGS += -flto
+endif
+
+define Package/miniupnpd/install/Default
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/miniupnpd $(1)/usr/sbin/miniupnpd
+	$(INSTALL_BIN) ./files/miniupnpd.init $(1)/etc/init.d/miniupnpd
+	$(INSTALL_CONF) ./files/upnpd.config $(1)/etc/config/upnpd
+	$(INSTALL_DATA) ./files/miniupnpd.hotplug $(1)/etc/hotplug.d/iface/50-miniupnpd
+endef
+
+define Package/miniupnpd-iptables/install
+	$(call Package/miniupnpd/install/Default,$1)
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/usr/share/miniupnpd
+	$(INSTALL_BIN) ./files/miniupnpd.defaults.iptables $(1)/etc/uci-defaults/99-miniupnpd
+	$(INSTALL_DATA) ./files/firewall3.include $(1)/usr/share/miniupnpd/firewall.include
+endef
+
+define Package/miniupnpd-nftables/install
+	$(call Package/miniupnpd/install/Default,$1)
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/usr/share/miniupnpd
+	$(INSTALL_BIN) ./files/miniupnpd.defaults.nftables $(1)/etc/uci-defaults/99-miniupnpd
+	$(INSTALL_DATA) ./files/firewall4.include $(1)/usr/share/miniupnpd/firewall.include
+	$(INSTALL_DIR) $(1)/usr/share/nftables.d
+	$(CP) ./files/nftables.d/* $(1)/usr/share/nftables.d/
+endef
+
+$(eval $(call BuildPackage,miniupnpd-iptables))
+$(eval $(call BuildPackage,miniupnpd-nftables))

files/firewall3.include

@@ -0,0 +1,72 @@
+#!/bin/sh
+# miniupnpd integration for firewall3
+
+IPTABLES="/usr/sbin/iptables"
+IP6TABLES="/usr/sbin/ip6tables"
+IPTARGS="-w 1"
+
+$IPTABLES -t filter -N MINIUPNPD 2>/dev/null
+$IPTABLES -t nat -N MINIUPNPD 2>/dev/null
+$IPTABLES -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null
+
+[ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
+
+. /lib/functions/network.sh
+
+# helper to insert in chain as penultimate
+iptables_prepend_rule() {
+	local iptables="$1"
+	local table="$2"
+	local chain="$3"
+	local target="$4"
+
+	$iptables "$IPTARGS" -t "$table" -I "$chain" $($iptables "$IPTARGS" -t "$table" --line-numbers -nL "$chain" | \
+		sed -ne '$s/[^0-9].*//p') -j "$target"
+}
+
+ADDED=0
+
+add_extzone_rules() {
+    local ext_zone="$1"
+
+    [ -z "$ext_zone" ] && return
+
+    # IPv4 - due to NAT, need to add both to nat and filter table
+    # need to insert as penultimate rule for input & forward & postrouting since final rule might be a fw3 REJECT
+    iptables_prepend_rule "$IPTABLES" filter "zone_${ext_zone}_input" MINIUPNPD
+    iptables_prepend_rule "$IPTABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
+    $IPTABLES -t nat -A "zone_${ext_zone}_prerouting"  -j MINIUPNPD
+    iptables_prepend_rule "$IPTABLES" nat "zone_${ext_zone}_postrouting" MINIUPNPD-POSTROUTING
+
+    # IPv6 if available - filter only
+    [ -x $IP6TABLES ] && {
+	iptables_prepend_rule "$IP6TABLES" filter "zone_${ext_zone}_input" MINIUPNPD
+	iptables_prepend_rule "$IP6TABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
+    }
+    ADDED=$(($ADDED + 1))
+}
+
+# By default, user configuration is king.
+
+for ext_iface in $(uci -q get upnpd.config.external_iface); do
+    add_extzone_rules $(fw3 -q network "$ext_iface")
+done
+
+add_extzone_rules $(uci -q get upnpd.config.external_zone)
+
+[ "$ADDED" -ne 0 ] && exit 0
+
+# If really nothing is available, resort to network_find_wan{,6} and
+# assume external interfaces all have same firewall zone.
+
+# (This heuristic may fail horribly, in case of e.g. multihoming, so
+# please set external_zone in that case!)
+
+network_find_wan wan_iface
+network_find_wan6 wan6_iface
+
+for ext_iface in $wan_iface $wan6_iface; do
+    # fw3 -q network fails on sub-interfaces => map to device first
+    network_get_device ext_device $ext_iface
+    add_extzone_rules $(fw3 -q device "$ext_device")
+done

files/firewall4.include

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+/etc/init.d/miniupnpd enabled && /etc/init.d/miniupnpd restart
+exit 0

files/miniupnpd.defaults.iptables

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+uci -q batch <<-EOT
+	delete firewall.miniupnpd
+	set firewall.miniupnpd=include
+	set firewall.miniupnpd.type=script
+	set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
+	set firewall.miniupnpd.family=any
+	set firewall.miniupnpd.reload=1
+	commit firewall
+EOT
+
+exit 0

files/miniupnpd.defaults.nftables

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOT
+	delete firewall.miniupnpd
+	set firewall.miniupnpd=include
+	set firewall.miniupnpd.type=script
+	set firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
+	commit firewall
+EOT
+
+exit 0

files/miniupnpd.hotplug

@@ -0,0 +1,45 @@
+/etc/init.d/miniupnpd enabled || exit 0
+
+# If miniupnpd is not running:
+# - check on _any_ event (event updates may contribute to network_find_wan*)
+
+# If miniupnpd _is_ running:
+# - check only on ifup (otherwise lease updates etc would cause
+#   miniupnpd state loss)
+
+[ "$ACTION" != "ifup" ] && /etc/init.d/miniupnpd running && exit 0
+
+tmpconf="/var/etc/miniupnpd.conf"
+external_iface=$(uci -q get upnpd.config.external_iface)
+external_iface6=$(uci -q get upnpd.config.external_iface6)
+external_zone=$(uci -q get upnpd.config.external_zone)
+[ -x "$(command -v nft)" ] && FW="fw4" || FW="fw3"
+
+. /lib/functions/network.sh
+
+if [ -n "$external_iface" ] ; then
+	network_get_device ifname "$external_iface"
+else
+	if [ -n "$external_zone" ] ; then
+		ifname=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
+	else
+		network_find_wan external_iface && \
+			network_get_device ifname "$external_iface"
+	fi
+fi
+if [ -n "$external_iface6" ] ; then
+	network_get_device ifname6 "$external_iface6"
+else
+	if [ -n "$external_zone" ] ; then
+		ifname6=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
+	else
+		network_find_wan6 external_iface6 && \
+			network_get_device ifname6 "$external_iface6"
+	fi
+fi
+
+[ "$DEVICE" != "$ifname" ] && [ "$DEVICE" != "$ifname6" ] && exit 0
+
+grep -qs "^ext_ifname=$ifname" "$tmpconf" && grep -qs "^ext_ifname6=$ifname6" "$tmpconf" && exit 0
+
+/etc/init.d/miniupnpd restart

files/miniupnpd.init

@@ -0,0 +1,226 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2014 OpenWrt.org
+
+START=94
+STOP=15
+USE_PROCD=1
+PROG=/usr/sbin/miniupnpd
+[ -x "$(command -v nft)" ] && FW="fw4" || FW="fw3"
+
+upnpd_get_port_range() {
+	local var="$1"; shift
+	local val
+
+	config_get val "$@"
+
+	case "$val" in
+		[0-9]*[:-][0-9]*)
+			export -n -- "${var}_start=${val%%[:-]*}"
+			export -n -- "${var}_end=${val##*[:-]}"
+		;;
+		[0-9]*)
+			export -n -- "${var}_start=$val"
+			export -n -- "${var}_end="
+		;;
+	esac
+}
+
+conf_rule_add() {
+	local cfg="$1"
+	local action int_addr
+	local ext_start ext_end int_start int_end comment
+
+	config_get action "$cfg" action "deny"                # allow or deny
+	upnpd_get_port_range "ext" "$cfg" ext_ports "0-65535" # external ports: x, x-y, x:y
+	config_get int_addr "$cfg" int_addr "0.0.0.0/0"       # ip or network and subnet mask (internal)
+	upnpd_get_port_range "int" "$cfg" int_ports "0-65535" # internal ports: x, x-y, x:y or range
+	config_get comment "$cfg" comment "ACL"		      # comment
+
+	# Make a single IP IP/32 so that miniupnpd.conf can use it.
+	[ "${int_addr%/*}" = "$int_addr" ] && int_addr="$int_addr/32"
+
+	echo "$action $ext_start${ext_end:+-}$ext_end $int_addr $int_start${int_end:+-}$int_end #$comment"
+}
+
+upnpd_write_bool() {
+	local opt="$1"
+	local def="${2:-0}"
+	local alt="${3:-$opt}"
+	local val
+
+	config_get_bool val config "$opt" "$def"
+	if [ "$val" -eq 0 ]; then
+		echo "$alt=no"
+	else
+		echo "$alt=yes"
+	fi
+}
+
+upnpd() {
+	config_load "upnpd"
+	local external_iface external_iface6 external_zone external_ip internal_iface
+	local upload download log_output port config_file serial_number model_number
+	local use_stun stun_host stun_port uuid notify_interval presentation_url
+	local upnp_lease_file clean_ruleset_threshold clean_ruleset_interval
+	local ipv6_disable
+
+	local enabled
+	config_get_bool enabled config enabled 1
+	[ "$enabled" -eq 0 ] && return 1
+
+	config_get external_iface config external_iface
+	config_get external_iface6 config external_iface6
+	config_get external_zone config external_zone
+	config_get external_ip config external_ip
+	config_get internal_iface config internal_iface
+	config_get port config port 5000
+	config_get upload config upload
+	config_get download config download
+	config_get_bool log_output config log_output 0
+	config_get config_file config config_file
+	config_get serial_number config serial_number
+	config_get model_number config model_number
+	config_get uuid config uuid
+	config_get use_stun config use_stun 0
+	config_get stun_host config stun_host
+	config_get stun_port config stun_port
+	config_get notify_interval config notify_interval
+	config_get presentation_url config presentation_url
+	config_get upnp_lease_file config upnp_lease_file
+	config_get clean_ruleset_threshold config clean_ruleset_threshold
+	config_get clean_ruleset_interval config clean_ruleset_interval
+	config_get ipv6_disable config ipv6_disable 0
+
+	local conf ifname ifname6
+
+	. /lib/functions/network.sh
+
+	if [ -n "$external_iface" ] ; then
+		network_get_device ifname "$external_iface"
+	else
+		if [ -n "$external_zone" ] ; then
+			ifname=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
+		else
+			network_find_wan external_iface && \
+				network_get_device ifname "$external_iface"
+		fi
+	fi
+	if [ -n "$external_iface6" ] ; then
+		network_get_device ifname6 "$external_iface6"
+	else
+		if [ -n "$external_zone" ] ; then
+			ifname6=$($FW -q zone "$external_zone" 2>/dev/null | head -1)
+		else
+			network_find_wan6 external_iface6 && \
+				network_get_device ifname6 "$external_iface6"
+		fi
+	fi
+
+	if [ -n "$config_file" ]; then
+		conf="$config_file"
+	else
+		local tmpconf="/var/etc/miniupnpd.conf"
+		conf="$tmpconf"
+		mkdir -p /var/etc
+
+		{
+		echo "ext_ifname=$ifname"
+		echo "ext_ifname6=$ifname6"
+		[ -n "$external_ip" ] && echo "ext_ip=$external_ip"
+
+		local iface
+		for iface in ${internal_iface:-lan}; do
+			local device
+			network_get_device device "$iface" && echo "listening_ip=$device"
+		done
+
+		config_load "upnpd"
+		upnpd_write_bool enable_natpmp 1
+		upnpd_write_bool enable_upnp 1
+		upnpd_write_bool secure_mode 1
+		upnpd_write_bool system_uptime 1
+		upnpd_write_bool igdv1 0 force_igd_desc_v1
+		upnpd_write_bool use_stun 0 ext_perform_stun
+		upnpd_write_bool ipv6_disable $ipv6_disable
+
+		[ "$use_stun" -eq 0 ] || {
+			[ -n "$stun_host" ] && echo "ext_stun_host=$stun_host"
+			[ -n "$stun_port" ] && echo "ext_stun_port=$stun_port"
+		}
+
+		[ -n "$upload" ] && [ -n "$download" ] && {
+			echo "bitrate_down=$((download * 1024 * 8))"
+			echo "bitrate_up=$((upload * 1024 * 8))"
+		}
+
+		[ -n "$upnp_lease_file" ] && touch "$upnp_lease_file" && echo "lease_file=$upnp_lease_file"
+		[ -n "$presentation_url" ] && echo "presentation_url=$presentation_url"
+		[ -n "$notify_interval" ] && echo "notify_interval=$notify_interval"
+		[ -n "$clean_ruleset_threshold" ] && echo "clean_ruleset_threshold=$clean_ruleset_threshold"
+		[ -n "$clean_ruleset_interval" ] && echo "clean_ruleset_interval=$clean_ruleset_interval"
+		[ -n "$serial_number" ] && echo "serial=$serial_number"
+		[ -n "$model_number" ] && echo "model_number=$model_number"
+		[ -n "$port" ] && echo "port=$port"
+
+		[ -z "$uuid" ] && {
+			uuid="$(cat /proc/sys/kernel/random/uuid)"
+			uci set upnpd.config.uuid="$uuid"
+			uci commit upnpd
+		}
+
+		[ "$uuid" = "nocli" ] || echo "uuid=$uuid"
+
+		config_foreach conf_rule_add perm_rule
+
+		if [ "$FW" = "fw4" ]; then
+			#When using nftables configure miniupnpd to use its own table and chains
+			echo "upnp_table_name=fw4"
+			echo "upnp_nat_table_name=fw4"
+			echo "upnp_forward_chain=upnp_forward"
+			echo "upnp_nat_chain=upnp_prerouting"
+			echo "upnp_nat_postrouting_chain=upnp_postrouting"
+		fi
+
+		} > "$tmpconf"
+	fi
+
+	if [ -n "$ifname" ]; then
+		# start firewall
+		if [ "$FW" = "fw4" ]; then
+			nft -s -t -n list chain inet fw4 upnp_forward >/dev/null 2>&1 || fw4 reload
+		else
+			iptables -L MINIUPNPD >/dev/null 2>&1 || fw3 reload
+		fi
+	else
+		logger -t "upnp daemon" "external interface not found, not starting"
+	fi
+
+	procd_open_instance
+	procd_set_param file "$conf" "/etc/config/firewall"
+	procd_set_param command "$PROG"
+	procd_append_param command -f "$conf"
+	[ "$log_output" = "1" ] && procd_append_param command -d
+	procd_close_instance
+}
+
+stop_service() {
+	if [ "$FW" = "fw3" ]; then
+		iptables -t nat -F MINIUPNPD 2>/dev/null
+		iptables -t nat -F MINIUPNPD-POSTROUTING 2>/dev/null
+		iptables -t filter -F MINIUPNPD 2>/dev/null
+		[ -x /usr/sbin/ip6tables ] && ip6tables -t filter -F MINIUPNPD 2>/dev/null
+	else
+		nft flush chain inet fw4 upnp_forward 2>/dev/null
+		nft flush chain inet fw4 upnp_prerouting 2>/dev/null
+		nft flush chain inet fw4 upnp_postrouting 2>/dev/null
+	fi
+}
+
+start_service() {
+	config_load "upnpd"
+	config_foreach upnpd "upnpd"
+}
+
+service_triggers() {
+	procd_add_reload_trigger "upnpd"
+}

files/nftables.d/chain-post/dstnat/20-miniupnpd.nft

@@ -0,0 +1 @@
+jump upnp_prerouting comment "Hook into miniupnpd prerouting chain";

files/nftables.d/chain-post/forward/20-miniupnpd.nft

@@ -0,0 +1 @@
+jump upnp_forward comment "Hook into miniupnpd forwarding chain";

files/nftables.d/chain-post/srcnat/20-miniupnpd.nft

@@ -0,0 +1 @@
+jump upnp_postrouting comment "Hook into miniupnpd postrouting chain";

files/nftables.d/table-post/20-miniupnpd.nft

@@ -0,0 +1,3 @@
+chain upnp_forward {}
+chain upnp_prerouting {}
+chain upnp_postrouting {}

files/upnpd.config

@@ -0,0 +1,28 @@
+config upnpd config
+	option enabled		0
+	option enable_natpmp	1
+	option enable_upnp	1
+	option secure_mode	1
+	option log_output	0
+	option download		1024
+	option upload		512
+#by default, looked up dynamically from ubus
+#	option external_iface	wan
+	option internal_iface	lan
+	option port		5000
+	option upnp_lease_file	/var/run/miniupnpd.leases
+	option igdv1		1
+
+config perm_rule
+	option action		allow
+	option ext_ports	1024-65535
+	option int_addr		0.0.0.0/0	# Does not override secure_mode
+	option int_ports	1024-65535
+	option comment		"Allow high ports"
+
+config perm_rule
+	option action		deny
+	option ext_ports	0-65535
+	option int_addr		0.0.0.0/0
+	option int_ports	0-65535
+	option comment		"Default deny"

patches/200-remove-default-cflags.patch

@@ -0,0 +1,24 @@
+--- a/Makefile.linux
++++ b/Makefile.linux
+@@ -25,16 +25,16 @@ CONFIG_OPTIONS ?= $(cat .configure.cache
+ CONFIG_OPTIONS += --firewall=iptables
+ #CFLAGS = -O -g -DDEBUG
+ CFLAGS ?= -Os
+-CFLAGS += -fno-strict-aliasing
+-CFLAGS += -fno-common
+-CFLAGS += -fstack-protector -fPIE
+-CFLAGS += -D_FORTIFY_SOURCE=2
++#CFLAGS += -fno-strict-aliasing
++#CFLAGS += -fno-common
++#CFLAGS += -fstack-protector -fPIE
++#CFLAGS += -D_FORTIFY_SOURCE=2
+ CPPFLAGS += -D_GNU_SOURCE
+ CFLAGS += -Wall
+ CFLAGS += -Wextra -Wstrict-prototypes -Wdeclaration-after-statement
+ #CFLAGS += -Wno-missing-field-initializers
+ #CFLAGS += -ansi	# iptables headers does use typeof which is a gcc extension
+-LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie
++LDFLAGS ?= -Wl,-z,now -Wl,-z,relro -pie
+ CC ?= gcc
+ RM = rm -f
+ INSTALL = install

patches/300-macos-compat.patch

@@ -0,0 +1,36 @@
+--- a/Makefile.linux
++++ b/Makefile.linux
+@@ -96,13 +96,13 @@ endif # ($(TEST),1)
+ endif # ($(TARGET_OPENWRT,)
+ 
+ ifneq ($(shell ldd --version | grep GLIBC),)
+-GLIBC_VERSION := $(shell ldd --version | head -n 1 | sed 's/^.* //')
+-GLIBC_VERSION_MAJOR = $(shell echo $(GLIBC_VERSION) | cut -f 1 -d . )
+-GLIBC_VERSION_MINOR = $(shell echo $(GLIBC_VERSION) | cut -f 2 -d . )
++#GLIBC_VERSION := $(shell ldd --version | head -n 1 | sed 's/^.* //')
++#GLIBC_VERSION_MAJOR = $(shell echo $(GLIBC_VERSION) | cut -f 1 -d . )
++#GLIBC_VERSION_MINOR = $(shell echo $(GLIBC_VERSION) | cut -f 2 -d . )
+ # clock_gettime() needs -lrt when glibc version < 2.17
+-LDLIBS += $(shell if [ $(GLIBC_VERSION_MAJOR) -lt 2 ] \
+-  || [ \( $(GLIBC_VERSION_MAJOR) -eq 2 \) -a \( $(GLIBC_VERSION_MINOR) -lt 17 \) ] ; \
+-  then echo "-lrt" ; fi )
++#LDLIBS += $(shell if [ $(GLIBC_VERSION_MAJOR) -lt 2 ] \
++#  || [ \( $(GLIBC_VERSION_MAJOR) -eq 2 \) -a \( $(GLIBC_VERSION_MINOR) -lt 17 \) ] ; \
++#  then echo "-lrt" ; fi )
+ endif
+ 
+ TESTUPNPDESCGENOBJS = testupnpdescgen.o upnpdescgen.o
+@@ -143,11 +143,11 @@ install:	miniupnpd $(SRCDIR)/miniupnpd.8
+ 	$(INSTALL) $(SRCDIR)/netfilter/ip6tables_init.sh $(DESTDIR)$(ETCINSTALLDIR)
+ 	$(INSTALL) $(SRCDIR)/netfilter/ip6tables_removeall.sh $(DESTDIR)$(ETCINSTALLDIR)
+ 	$(INSTALL) $(SRCDIR)/netfilter/miniupnpd_functions.sh $(DESTDIR)$(ETCINSTALLDIR)
+-	$(INSTALL) --mode=0644 -b $(SRCDIR)/miniupnpd.conf $(DESTDIR)$(ETCINSTALLDIR)
++	$(INSTALL) -m 0644 -b $(SRCDIR)/miniupnpd.conf $(DESTDIR)$(ETCINSTALLDIR)
+ 	$(INSTALL) -d $(DESTDIR)$(PREFIX)/etc/init.d
+ 	$(INSTALL) $(SRCDIR)/linux/miniupnpd.init.d.script $(DESTDIR)$(PREFIX)/etc/init.d/miniupnpd
+ 	$(INSTALL) -d $(DESTDIR)$(MANINSTALLDIR)
+-	$(INSTALL) --mode=0644 $(SRCDIR)/miniupnpd.8 $(DESTDIR)$(MANINSTALLDIR)
++	$(INSTALL) -m 0644 $(SRCDIR)/miniupnpd.8 $(DESTDIR)$(MANINSTALLDIR)
+ 	gzip -f $(DESTDIR)$(MANINSTALLDIR)/miniupnpd.8
+ 
+ # genuuid is using the uuidgen CLI tool which is part of libuuid