mirror of https://github.com/aredn/aredn.git
169 lines
6.4 KiB
Diff
169 lines
6.4 KiB
Diff
|
--- a/config/Config-build.in
|
||
|
+++ b/config/Config-build.in
|
||
|
@@ -156,7 +156,7 @@
|
||
|
config IPV6
|
||
|
bool
|
||
|
prompt "Enable IPv6 support in packages"
|
||
|
- default y
|
||
|
+ default n
|
||
|
help
|
||
|
Enables IPv6 support in kernel (builtin) and packages.
|
||
|
|
||
|
--- a/include/netfilter.mk
|
||
|
+++ b/include/netfilter.mk
|
||
|
@@ -325,7 +325,7 @@
|
||
|
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),))
|
||
|
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_QUOTA, $(P_XT)nft_quota),))
|
||
|
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REDIR, $(P_XT)nft_redir),))
|
||
|
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4 $(P_V6)nft_reject_ipv6),))
|
||
|
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4),))
|
||
|
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT_INET, $(P_XT)nft_reject_inet),))
|
||
|
|
||
|
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_BRIDGE,CONFIG_NFT_BRIDGE_META, $(P_EBT)nft_meta_bridge),))
|
||
|
|
||
|
--- a/package/kernel/linux/modules/netfilter.mk
|
||
|
+++ b/package/kernel/linux/modules/netfilter.mk
|
||
|
@@ -1153,7 +1153,7 @@
|
||
|
define KernelPackage/nft-offload
|
||
|
SUBMENU:=$(NF_MENU)
|
||
|
TITLE:=Netfilter nf_tables routing/NAT offload support
|
||
|
- DEPENDS:=@IPV6 +kmod-nf-flow +kmod-nft-nat
|
||
|
+ DEPENDS:=+kmod-nf-flow +kmod-nft-nat
|
||
|
KCONFIG:= \
|
||
|
CONFIG_NF_FLOW_TABLE_INET \
|
||
|
CONFIG_NF_FLOW_TABLE_IPV4 \
|
||
|
@@ -1162,9 +1162,8 @@
|
||
|
FILES:= \
|
||
|
$(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \
|
||
|
$(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \
|
||
|
- $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \
|
||
|
$(LINUX_DIR)/net/netfilter/nft_flow_offload.ko
|
||
|
- AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload)
|
||
|
+ AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nft_flow_offload)
|
||
|
endef
|
||
|
|
||
|
$(eval $(call KernelPackage,nft-offload))
|
||
|
|
||
|
--- /dev/null
|
||
|
+++ b/package/network/config/firewall4/patches/001-disable-ipv6.patch
|
||
|
@@ -0,0 +1,119 @@
|
||
|
+--- a/root/usr/share/firewall4/main.uc
|
||
|
++++ b/root/usr/share/firewall4/main.uc
|
||
|
+@@ -33,14 +33,14 @@ function reload_sets() {
|
||
|
+ let first = true;
|
||
|
+ let printer = (entry) => {
|
||
|
+ if (first) {
|
||
|
+- print(`add element inet fw4 ${set.name} {\n`);
|
||
|
++ print(`add element ip fw4 ${set.name} {\n`);
|
||
|
+ first = false;
|
||
|
+ }
|
||
|
+
|
||
|
+ print(` ${join(" . ", entry)},\n`);
|
||
|
+ };
|
||
|
+
|
||
|
+- print(`flush set inet fw4 ${set.name}\n`);
|
||
|
++ print(`flush set ip fw4 ${set.name}\n`);
|
||
|
+
|
||
|
+ map(set.entries, printer);
|
||
|
+
|
||
|
+--- a/root/usr/share/firewall4/templates/redirect.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/redirect.uc
|
||
|
+@@ -1,5 +1,5 @@
|
||
|
+ {%+ if (redirect.family && !redirect.has_addrs): -%}
|
||
|
+- meta nfproto {{ fw4.nfproto(redirect.family) }} {%+ endif -%}
|
||
|
++ {%+ endif -%}
|
||
|
+ {%+ if (!redirect.proto.any && !redirect.has_ports): -%}
|
||
|
+ meta l4proto {{
|
||
|
+ (redirect.proto.name == 'icmp' && redirect.family == 6) ? 'ipv6-icmp' : redirect.proto.name
|
||
|
+--- a/root/usr/share/firewall4/templates/rule.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/rule.uc
|
||
|
+@@ -1,5 +1,5 @@
|
||
|
+ {%+ if (rule.family && !rule.has_addrs): -%}
|
||
|
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
|
||
|
++ {%+ endif -%}
|
||
|
+ {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%}
|
||
|
+ meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%}
|
||
|
+ {%+ if (rule.iifnames): -%}
|
||
|
+--- a/root/usr/share/firewall4/templates/ruleset.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/ruleset.uc
|
||
|
+@@ -4,14 +4,14 @@
|
||
|
+ let defined_ipsets = fw4.ipsets();
|
||
|
+ -%}
|
||
|
+
|
||
|
+-table inet fw4
|
||
|
+-flush table inet fw4
|
||
|
++table ip fw4
|
||
|
++flush table ip fw4
|
||
|
+ {% if (fw4.check_flowtable()): %}
|
||
|
+-delete flowtable inet fw4 ft
|
||
|
++delete flowtable ip fw4 ft
|
||
|
+ {% endif %}
|
||
|
+ {% fw4.includes('ruleset-prepend') %}
|
||
|
+
|
||
|
+-table inet fw4 {
|
||
|
++table ip fw4 {
|
||
|
+ {% if (length(flowtable_devices) > 0): %}
|
||
|
+ #
|
||
|
+ # Flowtable
|
||
|
+@@ -187,12 +187,12 @@ table inet fw4 {
|
||
|
+ chain handle_reject {
|
||
|
+ meta l4proto tcp reject with {{
|
||
|
+ (fw4.default_option("tcp_reject_code") != "tcp-reset")
|
||
|
+- ? `icmpx type ${fw4.default_option("tcp_reject_code")}`
|
||
|
++ ? `icmp type ${fw4.default_option("tcp_reject_code")}`
|
||
|
+ : "tcp reset"
|
||
|
+ }} comment "!fw4: Reject TCP traffic"
|
||
|
+ reject with {{
|
||
|
+ (fw4.default_option("any_reject_code") != "tcp-reset")
|
||
|
+- ? `icmpx type ${fw4.default_option("any_reject_code")}`
|
||
|
++ ? `icmp type ${fw4.default_option("any_reject_code")}`
|
||
|
+ : "tcp reset"
|
||
|
+ }} comment "!fw4: Reject any other traffic"
|
||
|
+ }
|
||
|
+--- a/root/usr/share/firewall4/templates/zone-jump.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/zone-jump.uc
|
||
|
+@@ -1,5 +1,5 @@
|
||
|
+ {%+ if (rule.family): -%}
|
||
|
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
|
||
|
++ {%+ endif -%}
|
||
|
+ {%+ include("zone-match.uc", { egress: (direction in ["output", "srcnat"]), rule }) -%}
|
||
|
+ jump {{ direction }}_{{ zone.name }} comment "!fw4: Handle {{ zone.name }} {{
|
||
|
+ fw4.nfproto(rule.family, true)
|
||
|
+--- a/root/usr/share/firewall4/templates/zone-masq.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/zone-masq.uc
|
||
|
+@@ -1,4 +1,4 @@
|
||
|
+-meta nfproto {{ fw4.nfproto(family) }} {%+ if (saddrs && saddrs[0]): -%}
|
||
|
++{%+ if (saddrs && saddrs[0]): -%}
|
||
|
+ {{ fw4.ipproto(family) }} saddr {{ fw4.set(map(saddrs[0], fw4.cidr)) }} {%+ endif -%}
|
||
|
+ {%+ if (saddrs && saddrs[1]): -%}
|
||
|
+ {{ fw4.ipproto(family) }} saddr != {{ fw4.set(map(saddrs[1], fw4.cidr)) }} {%+ endif -%}
|
||
|
+--- a/root/usr/share/firewall4/templates/zone-mssfix.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/zone-mssfix.uc
|
||
|
+@@ -1,5 +1,5 @@
|
||
|
+ {%+ if (rule.family): -%}
|
||
|
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
|
||
|
++ {%+ endif -%}
|
||
|
+ {%+ include("zone-match.uc", { egress, rule }) -%}
|
||
|
+ tcp flags syn tcp option maxseg size set rt mtu {%+ if (zone.log & 2): -%}
|
||
|
+ log prefix "MSSFIX {{ zone.name }} out: " {%+ endif -%}
|
||
|
+--- a/root/usr/share/firewall4/templates/zone-notrack.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/zone-notrack.uc
|
||
|
+@@ -7,7 +7,7 @@
|
||
|
+ return;
|
||
|
+ -%}
|
||
|
+ {%+ if (rule.family): -%}
|
||
|
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
|
||
|
++ {%+ endif -%}
|
||
|
+ {%+ if (length(devs)): -%}
|
||
|
+ iifname {{ fw4.set(devs) }} {%+ endif -%}
|
||
|
+ {%+ if (rule.devices_neg): -%}
|
||
|
+--- a/root/usr/share/firewall4/templates/zone-verdict.uc
|
||
|
++++ b/root/usr/share/firewall4/templates/zone-verdict.uc
|
||
|
+@@ -1,5 +1,5 @@
|
||
|
+ {%+ if (rule.family): -%}
|
||
|
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
|
||
|
++ {%+ endif -%}
|
||
|
+ {%+ include("zone-match.uc", { egress, rule }) -%}
|
||
|
+ {%+ if (zone.counter): -%}
|
||
|
+ counter {%+ endif -%}
|