
Wed, May 15

Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

I guess the fate of upnp has already been decided https://vyos.dev/rVYOSONEX7c438caa2c21101cbefc2eec21935ab55af19c46
RIP

Wed, May 15, 8:17 AM

Tue, May 14

Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

If you are really that curious, I can attach a screenshot.

Tue, May 14, 4:04 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

A bunch to unpack here.
[...]

Tue, May 14, 3:41 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

Created a poll for maintainers on this topic, and we will go with the decision made.

Tue, May 14, 3:36 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

Go learn how cheap cameras open firewalls via UPnP and make them available on the internet without people being aware of that

or how malware exfiltrates data via port 443 because enterprises can't reliably block outbound traffic on that port.

Tue, May 14, 2:48 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

If you know how to test it, it will be great to test it. If no one needs it even for tests, what are we talking about?

Tue, May 14, 2:29 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.
In T5835#187933, @simplysoft wrote:

A firewall is doing exactly this all the time when using NAT, autonomously opening ports via call from internal networks (aka internal originated traffic) to allow responses to reach the originator. Enterprises might have some strict outbound rules. For UPnP it is exactly the same: an enterprise would have strict rules for which services are allowed to open ports.

Not if it's not configured to do so.

Tue, May 14, 2:20 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

I'm not sure if that summary from you @Viacheslav is fully reflecting the current state.
I'm also not sure if the original implementation never worked; it might very well have been broken while refactoring some VyOS internals of how the firewall is structured, but I guess you should have a better understanding of (the history of) your product. Otherwise I would be very surprised if a broken feature got into your product without ever working / being tested.

Tue, May 14, 2:03 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

Does it work now?

Tue, May 14, 11:04 AM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

One reason it is rarely seen is that most are not aware of it being used undercover, and when it is not present, nothing necessarily breaks (due to fallback to other mechanisms). For some home routers we saw this was an undocumented "feature" that you did not have any control over; more recent and reasonable implementations we have seen allow you to enable or disable it (but nothing much more, like fine-grained permissions).

Tue, May 14, 10:36 AM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

@aidan-gibson the main use case is typically games, which is not a priority for us

Tue, May 14, 9:17 AM

Dec 18 2023

Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

The mentioned file that is missing is located upstream in https://github.com/miniupnp/miniupnp/tree/miniupnpd_2_3_1/miniupnpd/netfilter_nft/scripts
and the upstream configuration options that we think are missing to match VyOS chains are at https://github.com/miniupnp/miniupnp/blob/miniupnpd_2_3_1/miniupnpd/miniupnpd.conf#L77

Dec 18 2023, 4:49 PM
Unknown Object (User) created T5835: UPnP port mapping / rule installation fails.
Dec 18 2023, 2:10 PM