aredn/patches/719-disable-ipv6.patch


Update AREDN to OpenWRT 22.3.2 (Major Upgrade) (#574)

* Update to Openwrt 21.02 and add support for the CPE710 v1 Update scripts to change references to ifname to device due to a change in Openwrt naming reverse-wpad-basic-wolfssl and disable SSL on Curl NOTE: The compile host must have python3-distutils installed for gpsd to build
* aredn: initial working upgrade to openwrt 21.02.1
* aredn: update 1 to working upgrade to openwrt 21.02.1
* aredn: add cpe710v1 to build config
* Andrew's patches
* Remove duplicates + display perl
* Temp disable wifi extension patch
* ifname/ports support
* Add spectrum patch back in
* Generic function to extra interfaces
* New api to get wifi ifname
* Disables jails
* Style link
* aredn: partial upgrade to openwrt 22.0.3.0 added AC device images and partial migration to 22.0.3.0 firewall upgrade pending
* aredn: update mesh-release and revert config.mk
* Unused
* NFT firewall rewrite
* Common-isze configs
* Fix network layout for hap2
* Use local packages dev (new firewall rules)
* Add HAP2
* Add pause after network restart to let bridge reinitialize
* Various lua fixes for new lua version
* Tweak config
* Re-fix networking (lost patch change)
* Add new radio names
* Tolerate missing wifi
* Fix hap-lite switch setup
* More devices
* New radio id
* Build Rocket 5AC lite
* Remove need for luci.sys
* Remove need for luci.sys
* Explicitly name wlan interfaces
* Handle different compatibility versioning
* Update networking for switches
* ipref version bump
* Extra flag for curl
* Better compat_version fix
* Remove wolfssl
* Fix dns server
* Fix device name
* Unused
* Remove things we don't need
* Remove unused packages
* Generic macaddr overrides
* Fix uci commit
* Fix luci.template.parser to avoid luci.http loading the real thing
* Rocket-M build
* Add search-domain dhcp option
* Turn off ipv6
* No IPV6 in dnsmasq
* Override mac addresses if devices all the same
* Working from master (for now)
* Put back hostap
* Disable old ethmac fixup
* Tweak configs
* Move back to v22.03.2 Leave ipq4019 builds to master
* Need IPV6 to compile nft firewall
* Rocket-M fixes
* Before we start
* WIP
* Working snapshot
* Cleaned patches
* Merged patch
* Single patch to support HAP2
* Fix typo
* Add nanostation-m
* 5/10Mhz patch
* 5+10MHz patch for ath10k-ct driver
* Extend 2Ghz channel check to include -4 to -1
* Add chanbw setup for ath10k (like ath9k)
* Added TP-Link CPE710 v1
* Override firmwares
* Missing patch
* Dropbear config like 3.22.8.0
* Add Ubiquiti Rocket 5AC Lite
* Fix c6
* Update
* Need more scan channels
* Remove IPV6
* Improve mac fixups
* Put back missing nft app
* IPv6 removed so don't have to disable it
* Fix rocket-m flash bug
* Fix nanostation-m
* Nanobridge is tiny
* Fix wifi order for ar750
* Rocket M5 XW support
* New rates
* Fix firewall4 so we don't need IPv6
* Allow channel width to be restricted
* Move channel list into library
* Fix naming
* Mechanism to block specific channels on specific radios
* Refresh buttons
* routerboard-sxt-5nd
* CPE605 v1.0
* Improve rocket m xw
* tpink
* Update patch
* Update to remove disable
* Remove BW restrictions on cpe710
* Restrict to what has been tested
* Remove test BW restrictions
* sxtsq-5-ac
* Update
* Update
* powerbeam-m5-300 support
* Fix
* Fix hap2
* Tidy unused patches
* Remove limit
* Add ubnt_bullet-m-ar7241
* Added ubnt_nanobeam-ac-gen2
* Fix typo
* Tolerate missing dtd ip
* Explicitly fix hap2 mac addresses
* Fix some broken patches
* Hap2 won't work at 5MHz
* Ubiquiti LiteBeam 5AC Gen2
* Fix compat_version for sxt 5ac
* Update patch
* Unused
* Fix lan configuration for some devices
* Rolling average of noise level
* Unused
* Split out the ath10k rssi monitor (it's very simple at the moment)
* Ignore .DS_Store
* Reboot if ethernet doesn't come up (but only once!)
* reboot returns - add exit
* Add some logging info
* Fix ]
* Check all possibly ethernet bridges
* Improve mac fixing
* Remove HostAP on small memory devices
* Reduce dropbear footprint
* Add setsid
* Kill hostap when upgrading to save memory
* Different way to detect hostapd unavailable
* New build steps
* Improve manager logging
* Fix name conflict for the two monitors
* Try to improve test mesh name resolve problem
* Migrate tiny to generic (tiny doesn't work properly)
* Typo
* Another attempt to fix macs for Mikrotik
* Protect against missing trackers
* Fix wpad for ipq40xx
* Remove old tunnel check code
* Enable ZRAM swap to aid low memory devices
* ath10k noise can something be out of range - protect against that
* Updated with current devices and status
* Update firmware which has been tested
* Updated with more builds
* More binary/README
* Fix css error
* Start noise at sensible base level
* Unfix the css so it looks how it used to.
* Save as much memory as we can on lowmem nodes
* Hide some options on low memory devices
* Add "eol" to 32MB devices
* Restart network rather than reboot node if it seems to be broken
* Fixes
* Revert network reset
* Fix ar750 networking
* Continue to trim tiny configs
* More devices
* Dump IW output messages
* Fix Rocket 5AC intermittent ethernet issue
* Ethernet fix for PowerBeam 5AC 500
* More tiny size reduction
* More support data
* Fixed POE and USB power features
* Add Ubiquiti NanoBeam AC (gen1)
* NanoStation (not NanoBeam)
* Add mii-tool package
* Device updates
* Bump update time to 5 minutes
* Fix ethernet negotiation for rocker-5ac and nanobeam
* Fix iplookup
* Config changes based on call feedback
* Radio listing fixes
* Update with more untested builds
* Fallback TxMbps extracted from iw station dump
* Fix tunnel detection for low memory nodes
* Remove unused feed packages
* snapshot build
* Update stability info
* Add powerbeam-5ac-500
* Typo
* Add missing 3.22.1.0
* Add MikroTik LHG 5 AC
* Fix permissions
* Fix permissions
* AirGrid's take Bullet builds
* Mikrotik AC3
* Improve supportdata structure a little to make it easier to find things
* Restore WAN VLAN overrides
* Fix vlan regex for hap2 and hap3
* Support old and new style poe controls
* hap-ac3 is version 1.1
* Handle typo in some openwrt config files
* Fix HAP AC3 install
* Update hap ac3 status
* Support user overrides for network ports (non-swconfig devices)
* LHG 5AC support
* Remove -nand
* Remove non-working platform.sh change
* tunnel weight override
* Omit LinkQualityMult when value is 1
* Add mANTBox 19s and 15s
* Support ath79 mikrotik devices which require ath10k in the initramfs

Co-authored-by: apcameron <apcameron@softhome.net>
Co-authored-by: Joe AE6XE <ae6xe@arrl.net>
Co-authored-by: Joe Ayers <joe@arrl.net>
2022-12-22 13:22:49 -07:00
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -156,7 +156,7 @@
config IPV6
bool
prompt "Enable IPv6 support in packages"
- default y
+ default n
help
Enables IPv6 support in kernel (builtin) and packages.
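Review bot: changing `default y` to `default n` leaves the `prompt` line in place, so IPV6 can still be turned on from menuconfig or a carried-over .config, while the netfilter.mk hunks in this same patch remove the IPv6 modules unconditionally. That combination gives a tree that accepts IPV6=y but cannot build a consistent module set for it. Either drop the prompt so the option cannot be enabled here, or extend the help text to say this tree does not support building with it enabled.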
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -325,7 +325,7 @@
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_QUOTA, $(P_XT)nft_quota),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REDIR, $(P_XT)nft_redir),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4 $(P_V6)nft_reject_ipv6),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT_INET, $(P_XT)nft_reject_inet),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_BRIDGE,CONFIG_NFT_BRIDGE_META, $(P_EBT)nft_meta_bridge),))
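Review bot: on the CONFIG_NFT_REJECT line, `$(P_V6)nft_reject_ipv6` is deleted outright instead of being made conditional on the IPV6 option, which makes this local patch harder to rebase and removes the module for every configuration. A conditional entry, for example `$(if $(CONFIG_IPV6),$(P_V6)nft_reject_ipv6)`, would keep the upstream line shape. The CONFIG_NFT_REJECT_INET line directly below is untouched, so please confirm nft_reject_inet still builds and loads without its IPv6 counterpart.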
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -1153,7 +1153,7 @@
define KernelPackage/nft-offload
SUBMENU:=$(NF_MENU)
TITLE:=Netfilter nf_tables routing/NAT offload support
- DEPENDS:=@IPV6 +kmod-nf-flow +kmod-nft-nat
+ DEPENDS:=+kmod-nf-flow +kmod-nft-nat
KCONFIG:= \
CONFIG_NF_FLOW_TABLE_INET \
CONFIG_NF_FLOW_TABLE_IPV4 \
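Review bot: `@IPV6` is removed from DEPENDS, but the KCONFIG list underneath is cut off by the hunk boundary after CONFIG_NF_FLOW_TABLE_IPV4, so the patch does not show whether an IPv6 flow-table symbol is still requested on the lines between the two hunks. If one remains, it is inconsistent with the FILES and AUTOLOAD changes that follow and should be removed in the same patch.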
@@ -1162,9 +1162,8 @@
FILES:= \
$(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \
$(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \
- $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \
$(LINUX_DIR)/net/netfilter/nft_flow_offload.ko
- AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload)
+ AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nft_flow_offload)
endef
$(eval $(call KernelPackage,nft-offload))
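Review bot: FILES and AUTOLOAD drop nf_flow_table_ipv6 but keep nf_flow_table_inet, although the firewall4 templates added later in this patch declare everything, including the flowtable, in `table ip fw4`. If nothing else on the node uses an inet-family flowtable, nf_flow_table_inet.ko can go as well, which is worth having on the low-memory devices the commit message mentions; if it is kept on purpose, a short comment saying why would help the next rebase.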
--- /dev/null
+++ b/package/network/config/firewall4/patches/001-disable-ipv6.patch
@@ -0,0 +1,119 @@
+--- a/root/usr/share/firewall4/main.uc
++++ b/root/usr/share/firewall4/main.uc
+@@ -33,14 +33,14 @@ function reload_sets() {
+ let first = true;
+ let printer = (entry) => {
+ if (first) {
+- print(`add element inet fw4 ${set.name} {\n`);
++ print(`add element ip fw4 ${set.name} {\n`);
+ first = false;
+ }
+
+ print(` ${join(" . ", entry)},\n`);
+ };
+
+- print(`flush set inet fw4 ${set.name}\n`);
++ print(`flush set ip fw4 ${set.name}\n`);
+
+ map(set.entries, printer);
+
+--- a/root/usr/share/firewall4/templates/redirect.uc
++++ b/root/usr/share/firewall4/templates/redirect.uc
+@@ -1,5 +1,5 @@
+ {%+ if (redirect.family && !redirect.has_addrs): -%}
+- meta nfproto {{ fw4.nfproto(redirect.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (!redirect.proto.any && !redirect.has_ports): -%}
+ meta l4proto {{
+ (redirect.proto.name == 'icmp' && redirect.family == 6) ? 'ipv6-icmp' : redirect.proto.name
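Review bot: the first two lines are now an `if (redirect.family && !redirect.has_addrs)` block with an empty body; remove the `if`/`endif` pair rather than leaving a conditional that emits nothing. The unchanged `redirect.family == 6 ? 'ipv6-icmp'` branch below shows that an IPv6 redirect can still reach this template, and it is now rendered into the IPv4 table instead of being skipped, so such redirects should be filtered out before rendering.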
+--- a/root/usr/share/firewall4/templates/rule.uc
++++ b/root/usr/share/firewall4/templates/rule.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family && !rule.has_addrs): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%}
+ meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%}
+ {%+ if (rule.iifnames): -%}
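Review bot: for a rule whose only family restriction was the `meta nfproto` match (family set, no addresses), deleting that match changes what the rule matches: inside an `ip` table it now applies to IPv4 traffic. An accept rule that was written for an IPv6-only service therefore opens the same protocol and port on IPv4. Rules configured with the IPv6 family should be dropped before this template runs, not rendered without the qualifier.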
+--- a/root/usr/share/firewall4/templates/ruleset.uc
++++ b/root/usr/share/firewall4/templates/ruleset.uc
+@@ -4,14 +4,14 @@
+ let defined_ipsets = fw4.ipsets();
+ -%}
+
+-table inet fw4
+-flush table inet fw4
++table ip fw4
++flush table ip fw4
+ {% if (fw4.check_flowtable()): %}
+-delete flowtable inet fw4 ft
++delete flowtable ip fw4 ft
+ {% endif %}
+ {% fw4.includes('ruleset-prepend') %}
+
+-table inet fw4 {
++table ip fw4 {
+ {% if (length(flowtable_devices) > 0): %}
+ #
+ # Flowtable
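Review bot: with every `inet fw4` reference changed to `ip fw4`, IPv6 packets pass through no fw4 chain, so protection against IPv6 traffic depends entirely on the kernel having no IPv6 support. Nothing in this template checks that assumption; a startup check that refuses to load, or at least logs loudly, when the running kernel exposes IPv6 would make the dependency explicit. Also note that `flush table ip fw4` does not remove an `inet fw4` table left loaded by an unpatched firewall4, so a live reload across the change would leave the old table active next to the new one.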
+@@ -187,12 +187,12 @@ table inet fw4 {
+ chain handle_reject {
+ meta l4proto tcp reject with {{
+ (fw4.default_option("tcp_reject_code") != "tcp-reset")
+- ? `icmpx type ${fw4.default_option("tcp_reject_code")}`
++ ? `icmp type ${fw4.default_option("tcp_reject_code")}`
+ : "tcp reset"
+ }} comment "!fw4: Reject TCP traffic"
+ reject with {{
+ (fw4.default_option("any_reject_code") != "tcp-reset")
+- ? `icmpx type ${fw4.default_option("any_reject_code")}`
++ ? `icmp type ${fw4.default_option("any_reject_code")}`
+ : "tcp reset"
+ }} comment "!fw4: Reject any other traffic"
+ }
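Review bot: `icmpx type` becomes `icmp type` in both reject statements, but the code is still interpolated unchanged from `tcp_reject_code` and `any_reject_code`. The two keywords do not accept the same code names (`no-route`, for example, is valid for icmpx but is not an IPv4 ICMP code), so a configured value that loaded before this change can make nft reject the whole ruleset. Validate or map the option against the IPv4 names before rendering it.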
+--- a/root/usr/share/firewall4/templates/zone-jump.uc
++++ b/root/usr/share/firewall4/templates/zone-jump.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress: (direction in ["output", "srcnat"]), rule }) -%}
+ jump {{ direction }}_{{ zone.name }} comment "!fw4: Handle {{ zone.name }} {{
+ fw4.nfproto(rule.family, true)
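Review bot: the match is removed, but the rule comment on the `jump` line still interpolates `fw4.nfproto(rule.family, true)`, so the loaded ruleset labels the jump with a family it no longer tests. That comment is what an operator reads when auditing `nft list ruleset`, so drop the family from it or print it only when it matches the table family. The leftover empty `if (rule.family)` block can be removed at the same time.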
+--- a/root/usr/share/firewall4/templates/zone-masq.uc
++++ b/root/usr/share/firewall4/templates/zone-masq.uc
+@@ -1,4 +1,4 @@
+-meta nfproto {{ fw4.nfproto(family) }} {%+ if (saddrs && saddrs[0]): -%}
++{%+ if (saddrs && saddrs[0]): -%}
+ {{ fw4.ipproto(family) }} saddr {{ fw4.set(map(saddrs[0], fw4.cidr)) }} {%+ endif -%}
+ {%+ if (saddrs && saddrs[1]): -%}
+ {{ fw4.ipproto(family) }} saddr != {{ fw4.set(map(saddrs[1], fw4.cidr)) }} {%+ endif -%}
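Review bot: the leading `meta nfproto` is removed, yet the following lines still build the address match from `fw4.ipproto(family)`, so the template remains parameterised by family. If the caller can still pass the IPv6 family, the output is an IPv6 address match inside `table ip fw4`; skip the template for that family instead of relying on the qualifier being absent.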
+--- a/root/usr/share/firewall4/templates/zone-mssfix.uc
++++ b/root/usr/share/firewall4/templates/zone-mssfix.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress, rule }) -%}
+ tcp flags syn tcp option maxseg size set rt mtu {%+ if (zone.log & 2): -%}
+ log prefix "MSSFIX {{ zone.name }} out: " {%+ endif -%}
+--- a/root/usr/share/firewall4/templates/zone-notrack.uc
++++ b/root/usr/share/firewall4/templates/zone-notrack.uc
+@@ -7,7 +7,7 @@
+ return;
+ -%}
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (length(devs)): -%}
+ iifname {{ fw4.set(devs) }} {%+ endif -%}
+ {%+ if (rule.devices_neg): -%}
+--- a/root/usr/share/firewall4/templates/zone-verdict.uc
++++ b/root/usr/share/firewall4/templates/zone-verdict.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress, rule }) -%}
+ {%+ if (zone.counter): -%}
+ counter {%+ endif -%}