I've done a small patch which, before allowing a new or altered port forwarding, checks that the control point's IP address matches the internal IP for the forward. It's enabled by a new option in upnpd.conf called "paranoid" :-)
Please don't use this patch yet: Adam Cécile found a bug which causes segfaults. Sourceforge isn't allowing me to delete the patch but I'll update it when fixed.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Logged In: YES
user_id=46394
Originator: YES
Adam Cécile found a bug. Will re-upload patch when we've confirmed that it is fixed.
Logged In: YES
user_id=46394
Originator: YES
Please don't use this patch yet: Adam Cécile found a bug which causes segfaults. Sourceforge isn't allowing me to delete the patch but I'll update it when fixed.
06-paranoid-port-forwarding.patch: segfault now fixed
Logged In: YES
user_id=46394
Originator: YES
File Added: 06-paranoid-port-forwarding.patch
Logged In: YES
user_id=46394
Originator: YES
Patch now fixed and tested in use !
Logged In: YES
user_id=1857856
Originator: NO
This patch works if there are some aliases into the interface, for example, LAN is eth0, but I have assigned to it:
eth0:1 192.168.1.2
eth0:2 192.168.3.1
eth0:3 172.18.3.1
....
(I don't reviewed the patch)