(not universal) PnP

So, I needed a way for some users on my network to forward ports from the outside world to local computers, but didn't want to use UPnP, since I want to control who can forward ports and which ports they can forward.

To do that, I created 4 scripts on the OpenWRT router, which use uci to add, list, remove, and auto-remove expired port forward rules. Then, on my home server, I created 3 suid programs to list, add, and remove rules, and restricted access to the suid programs to the trusted users. The suid programs switch to a system user and use ssh key-pair login to invoke the commands on the router. Without suid, it tries to ssh to the router as the current user, and can prompt for the router root password. The cleaner script is designed to run as a cron job, and will remove any expired rules.

The scripts are written in (Micro)Python, since I didn't want to try to use ash, and don't have a working MIPS C compiler. They're simple enough that someone familiar with ash could probably rewrite them easily enough. Anyway, I'm including them here. You're welcome to do whatever you want with them. If you spot any obvious problems with them, please let me know.

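A sketch of the checks a privileged wrapper like the one described above should make before anything is sent to the router over ssh, plus the expiry test a cleaner job could use. This is an added example, not the poster's scripts: the per-user policy, the LAN subnet, the lifetime limit and the convention of storing the expiry time in the uci section name are all assumptions.

```python
import ipaddress
import re

# Constructed policy (assumption): which external ports each user may forward.
POLICY = {"alice": range(20000, 20100), "bob": range(25565, 25566)}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
MAX_TTL = 24 * 3600                           # assumed maximum lifetime in seconds
SECTION_RE = re.compile(r"^pnp_([a-z0-9]+)_(tcp|udp)_(\d{1,5})_(\d{1,12})$")


def build_add_commands(user, proto, ext_port, dest_ip, dest_port, ttl, now):
    """Validate a request and return uci commands as strings safe to send over ssh."""
    if user not in POLICY:
        raise ValueError("user may not forward ports")
    if proto not in ("tcp", "udp"):
        raise ValueError("bad protocol")
    # Values are forced to int / ip_address, so no shell metacharacter can survive.
    ext_port, dest_port, ttl = int(ext_port), int(dest_port), int(ttl)
    if ext_port not in POLICY[user]:
        raise ValueError("external port not allowed for this user")
    if not 1 <= dest_port <= 65535:
        raise ValueError("bad destination port")
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("bad lifetime")
    ip = ipaddress.ip_address(dest_ip)
    if ip not in LAN:
        raise ValueError("destination is not on the LAN")
    # The expiry time is carried in the section name (an assumed convention).
    sec = "firewall.pnp_%s_%s_%d_%d" % (user, proto, ext_port, now + ttl)
    opts = [("src", "wan"), ("dest", "lan"), ("target", "DNAT"), ("proto", proto),
            ("src_dport", ext_port), ("dest_ip", ip), ("dest_port", dest_port)]
    return (["uci set %s=redirect" % sec]
            + ["uci set %s.%s=%s" % (sec, k, v) for k, v in opts]
            + ["uci commit firewall"])


def expired_sections(section_names, now):
    """Return the managed sections whose embedded expiry time has passed."""
    out = []
    for name in section_names:
        m = SECTION_RE.match(name)
        if m and int(m.group(4)) <= now:
            out.append(name)
    return out
```

Because ssh hands the remote side a single command string that the router's shell parses, every field is reduced to a whitelisted token, an integer or a parsed IP address before it is formatted into a command.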