--- a/config/Config-build.in +++ b/config/Config-build.in @@ -160,7 +160,7 @@ Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto config IPV6 - def_bool y + def_bool n comment "Stripping options" --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -325,7 +325,7 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_QUOTA, $(P_XT)nft_quota),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REDIR, $(P_XT)nft_redir),)) -$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4 $(P_V6)nft_reject_ipv6),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT_INET, $(P_XT)nft_reject_inet),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_BRIDGE,CONFIG_NFT_BRIDGE_META, $(P_EBT)nft_meta_bridge),)) --- a/package/kernel/linux/modules/netfilter.mk +++ b/package/kernel/linux/modules/netfilter.mk @@ -1153,7 +1153,7 @@ define KernelPackage/nft-offload SUBMENU:=$(NF_MENU) TITLE:=Netfilter nf_tables routing/NAT offload support - DEPENDS:=@IPV6 +kmod-nf-flow +kmod-nft-nat + DEPENDS:=+kmod-nf-flow +kmod-nft-nat KCONFIG:= \ CONFIG_NF_FLOW_TABLE_INET \ CONFIG_NF_FLOW_TABLE_IPV4 \ @@ -1162,9 +1162,8 @@ FILES:= \ $(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \ $(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \ - $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \ $(LINUX_DIR)/net/netfilter/nft_flow_offload.ko - AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload) + AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nft_flow_offload) endef $(eval $(call KernelPackage,nft-offload)) --- /dev/null +++ b/package/network/config/firewall4/patches/001-disable-ipv6.patch @@ -0,0 +1,139 @@ +--- a/root/usr/share/firewall4/main.uc ++++ b/root/usr/share/firewall4/main.uc +@@ -33,14 +33,14 @@ function reload_sets() { + let first = true; + let printer = (entry) => { + if (first) { +- print(`add element inet fw4 ${set.name} {\n`); ++ print(`add element ip fw4 ${set.name} {\n`); + first = false; + } + + print(` ${join(" . ", entry)},\n`); + }; + +- print(`flush set inet fw4 ${set.name}\n`); ++ print(`flush set ip fw4 ${set.name}\n`); + + map(set.entries, printer); + +--- a/root/usr/share/firewall4/templates/redirect.uc ++++ b/root/usr/share/firewall4/templates/redirect.uc +@@ -1,5 +1,5 @@ + {%+ if (redirect.family && !redirect.has_addrs): -%} +- meta nfproto {{ fw4.nfproto(redirect.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ if (!redirect.proto.any && !redirect.has_ports): -%} + meta l4proto {{ + (redirect.proto.name == 'icmp' && redirect.family == 6) ? 'ipv6-icmp' : redirect.proto.name +--- a/root/usr/share/firewall4/templates/rule.uc ++++ b/root/usr/share/firewall4/templates/rule.uc +@@ -1,5 +1,5 @@ + {%+ if (rule.family && !rule.has_addrs): -%} +- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%} + meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%} + {%+ if (rule.iifnames): -%} +--- a/root/usr/share/firewall4/templates/ruleset.uc ++++ b/root/usr/share/firewall4/templates/ruleset.uc +@@ -4,14 +4,14 @@ + let defined_ipsets = fw4.ipsets(); + -%} + +-table inet fw4 +-flush table inet fw4 ++table ip fw4 ++flush table ip fw4 + {% if (fw4.check_flowtable()): %} +-delete flowtable inet fw4 ft ++delete flowtable ip fw4 ft + {% endif %} + {% fw4.includes('ruleset-prepend') %} + +-table inet fw4 { ++table ip fw4 { + {% if (length(flowtable_devices) > 0): %} + # + # Flowtable +@@ -187,12 +187,12 @@ table inet fw4 { + chain handle_reject { + meta l4proto tcp reject with {{ + (fw4.default_option("tcp_reject_code") != "tcp-reset") +- ? `icmpx type ${fw4.default_option("tcp_reject_code")}` ++ ? `icmp type ${fw4.default_option("tcp_reject_code")}` + : "tcp reset" + }} comment "!fw4: Reject TCP traffic" + reject with {{ + (fw4.default_option("any_reject_code") != "tcp-reset") +- ? `icmpx type ${fw4.default_option("any_reject_code")}` ++ ? `icmp type ${fw4.default_option("any_reject_code")}` + : "tcp reset" + }} comment "!fw4: Reject any other traffic" + } +--- a/root/usr/share/firewall4/templates/zone-jump.uc ++++ b/root/usr/share/firewall4/templates/zone-jump.uc +@@ -1,5 +1,5 @@ + {%+ if (rule.family): -%} +- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ include("zone-match.uc", { egress: (direction in ["output", "srcnat"]), rule }) -%} + jump {{ direction }}_{{ zone.name }} comment "!fw4: Handle {{ zone.name }} {{ + fw4.nfproto(rule.family, true) +--- a/root/usr/share/firewall4/templates/zone-masq.uc ++++ b/root/usr/share/firewall4/templates/zone-masq.uc +@@ -1,4 +1,4 @@ +-meta nfproto {{ fw4.nfproto(family) }} {%+ if (saddrs && saddrs[0]): -%} ++{%+ if (saddrs && saddrs[0]): -%} + {{ fw4.ipproto(family) }} saddr {{ fw4.set(map(saddrs[0], fw4.cidr)) }} {%+ endif -%} + {%+ if (saddrs && saddrs[1]): -%} + {{ fw4.ipproto(family) }} saddr != {{ fw4.set(map(saddrs[1], fw4.cidr)) }} {%+ endif -%} +--- a/root/usr/share/firewall4/templates/zone-mssfix.uc ++++ b/root/usr/share/firewall4/templates/zone-mssfix.uc +@@ -1,5 +1,5 @@ + {%+ if (rule.family): -%} +- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ include("zone-match.uc", { egress, rule }) -%} + tcp flags syn tcp option maxseg size set rt mtu {%+ if (zone.log & 2): -%} + log prefix "MSSFIX {{ zone.name }} out: " {%+ endif -%} +--- a/root/usr/share/firewall4/templates/zone-notrack.uc ++++ b/root/usr/share/firewall4/templates/zone-notrack.uc +@@ -7,7 +7,7 @@ + return; + -%} + {%+ if (rule.family): -%} +- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ if (length(devs)): -%} + iifname {{ fw4.set(devs) }} {%+ endif -%} + {%+ if (rule.devices_neg): -%} +--- a/root/usr/share/firewall4/templates/zone-verdict.uc ++++ b/root/usr/share/firewall4/templates/zone-verdict.uc +@@ -1,5 +1,5 @@ + {%+ if (rule.family): -%} +- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ include("zone-match.uc", { egress, rule }) -%} + {%+ if (zone.counter): -%} + counter {%+ endif -%} +--- a/root/usr/share/firewall4/templates/mangle-rule.uc +--- a/root/usr/share/firewall4/templates/mangle-rule.uc +@@ -1,7 +1,7 @@ + {%+ for (let src_devices in rule.src?.zone) } + + {%+ if (rule.family && !rule.has_addrs): -%} +- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} ++ {%+ endif -%} + {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%} + meta l4proto {{ + (rule.proto.name == 'icmp' && rule.family == 6) ? 'ipv6-icmp' : rule.proto.name +--- a/root/usr/share/firewall4/templates/zone-drop-invalid.uc ++++ a/root/usr/share/firewall4/templates/zone-drop-invalid.uc +@@ -1,5 +1,5 @@ + {%+ if (zone.masq ^ zone.masq6): -%} +- meta nfproto {{ fw4.nfproto(zone.masq ? 4 : 6) }} {%+ endif -%} ++ {%+ endif -%} + {%+ include("zone-match.uc", { egress: true, rule }) -%} + ct state invalid {%+ if (zone.counter): -%} + counter {%+ endif -%}