aredn/patches/719-disable-ipv6.patch


--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -160,7 +160,7 @@
Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
config IPV6
- def_bool y
+ def_bool n
comment "Stripping options"
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -325,7 +325,7 @@
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_QUOTA, $(P_XT)nft_quota),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REDIR, $(P_XT)nft_redir),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4 $(P_V6)nft_reject_ipv6),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT, $(P_XT)nft_reject $(P_V4)nft_reject_ipv4),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_REJECT_INET, $(P_XT)nft_reject_inet),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_BRIDGE,CONFIG_NFT_BRIDGE_META, $(P_EBT)nft_meta_bridge),))
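Review bot: The `$(P_V6)nft_reject_ipv6` entry on the CONFIG_NFT_REJECT line is deleted outright rather than tied to the IPV6 option that this patch only flips to `def_bool n`, so if IPV6 is ever turned back on the NFT_CORE module list would silently lack the IPv6 reject module. If the option is meant to remain meaningful, keep the word behind it, for instance `$(if $(CONFIG_IPV6),$(P_V6)nft_reject_ipv6)` in place of the removed entry (assuming CONFIG_IPV6 is visible where this file is included). Otherwise add a one-line comment above the line stating that IPv6 modules are dropped on purpose, so the next rebase does not restore them. The same applies to the two nft-offload hunks in package/kernel/linux/modules/netfilter.mk, where `@IPV6` and `nf_flow_table_ipv6` are removed unconditionally.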
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -1153,7 +1153,7 @@
define KernelPackage/nft-offload
SUBMENU:=$(NF_MENU)
TITLE:=Netfilter nf_tables routing/NAT offload support
- DEPENDS:=@IPV6 +kmod-nf-flow +kmod-nft-nat
+ DEPENDS:=+kmod-nf-flow +kmod-nft-nat
KCONFIG:= \
CONFIG_NF_FLOW_TABLE_INET \
CONFIG_NF_FLOW_TABLE_IPV4 \
@@ -1162,9 +1162,8 @@
FILES:= \
$(LINUX_DIR)/net/netfilter/nf_flow_table_inet.ko \
$(LINUX_DIR)/net/ipv4/netfilter/nf_flow_table_ipv4.ko \
- $(LINUX_DIR)/net/ipv6/netfilter/nf_flow_table_ipv6.ko \
$(LINUX_DIR)/net/netfilter/nft_flow_offload.ko
- AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nf_flow_table_ipv6 nft_flow_offload)
+ AUTOLOAD:=$(call AutoProbe,nf_flow_table_inet nf_flow_table_ipv4 nft_flow_offload)
endef
$(eval $(call KernelPackage,nft-offload))
--- /dev/null
+++ b/package/network/config/firewall4/patches/001-disable-ipv6.patch
@@ -0,0 +1,139 @@
+--- a/root/usr/share/firewall4/main.uc
++++ b/root/usr/share/firewall4/main.uc
+@@ -33,14 +33,14 @@ function reload_sets() {
+ let first = true;
+ let printer = (entry) => {
+ if (first) {
+- print(`add element inet fw4 ${set.name} {\n`);
++ print(`add element ip fw4 ${set.name} {\n`);
+ first = false;
+ }
+
+ print(` ${join(" . ", entry)},\n`);
+ };
+
+- print(`flush set inet fw4 ${set.name}\n`);
++ print(`flush set ip fw4 ${set.name}\n`);
+
+ map(set.entries, printer);
+
+--- a/root/usr/share/firewall4/templates/redirect.uc
++++ b/root/usr/share/firewall4/templates/redirect.uc
+@@ -1,5 +1,5 @@
+ {%+ if (redirect.family && !redirect.has_addrs): -%}
+- meta nfproto {{ fw4.nfproto(redirect.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (!redirect.proto.any && !redirect.has_ports): -%}
+ meta l4proto {{
+ (redirect.proto.name == 'icmp' && redirect.family == 6) ? 'ipv6-icmp' : redirect.proto.name
+--- a/root/usr/share/firewall4/templates/rule.uc
++++ b/root/usr/share/firewall4/templates/rule.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family && !rule.has_addrs): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%}
+ meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%}
+ {%+ if (rule.iifnames): -%}
+--- a/root/usr/share/firewall4/templates/ruleset.uc
++++ b/root/usr/share/firewall4/templates/ruleset.uc
+@@ -4,14 +4,14 @@
+ let defined_ipsets = fw4.ipsets();
+ -%}
+
+-table inet fw4
+-flush table inet fw4
++table ip fw4
++flush table ip fw4
+ {% if (fw4.check_flowtable()): %}
+-delete flowtable inet fw4 ft
++delete flowtable ip fw4 ft
+ {% endif %}
+ {% fw4.includes('ruleset-prepend') %}
+
+-table inet fw4 {
++table ip fw4 {
+ {% if (length(flowtable_devices) > 0): %}
+ #
+ # Flowtable
+@@ -187,12 +187,12 @@ table inet fw4 {
+ chain handle_reject {
+ meta l4proto tcp reject with {{
+ (fw4.default_option("tcp_reject_code") != "tcp-reset")
+- ? `icmpx type ${fw4.default_option("tcp_reject_code")}`
++ ? `icmp type ${fw4.default_option("tcp_reject_code")}`
+ : "tcp reset"
+ }} comment "!fw4: Reject TCP traffic"
+ reject with {{
+ (fw4.default_option("any_reject_code") != "tcp-reset")
+- ? `icmpx type ${fw4.default_option("any_reject_code")}`
++ ? `icmp type ${fw4.default_option("any_reject_code")}`
+ : "tcp reset"
+ }} comment "!fw4: Reject any other traffic"
+ }
+--- a/root/usr/share/firewall4/templates/zone-jump.uc
++++ b/root/usr/share/firewall4/templates/zone-jump.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress: (direction in ["output", "srcnat"]), rule }) -%}
+ jump {{ direction }}_{{ zone.name }} comment "!fw4: Handle {{ zone.name }} {{
+ fw4.nfproto(rule.family, true)
+--- a/root/usr/share/firewall4/templates/zone-masq.uc
++++ b/root/usr/share/firewall4/templates/zone-masq.uc
+@@ -1,4 +1,4 @@
+-meta nfproto {{ fw4.nfproto(family) }} {%+ if (saddrs && saddrs[0]): -%}
++{%+ if (saddrs && saddrs[0]): -%}
+ {{ fw4.ipproto(family) }} saddr {{ fw4.set(map(saddrs[0], fw4.cidr)) }} {%+ endif -%}
+ {%+ if (saddrs && saddrs[1]): -%}
+ {{ fw4.ipproto(family) }} saddr != {{ fw4.set(map(saddrs[1], fw4.cidr)) }} {%+ endif -%}
+--- a/root/usr/share/firewall4/templates/zone-mssfix.uc
++++ b/root/usr/share/firewall4/templates/zone-mssfix.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress, rule }) -%}
+ tcp flags syn tcp option maxseg size set rt mtu {%+ if (zone.log & 2): -%}
+ log prefix "MSSFIX {{ zone.name }} out: " {%+ endif -%}
+--- a/root/usr/share/firewall4/templates/zone-notrack.uc
++++ b/root/usr/share/firewall4/templates/zone-notrack.uc
+@@ -7,7 +7,7 @@
+ return;
+ -%}
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (length(devs)): -%}
+ iifname {{ fw4.set(devs) }} {%+ endif -%}
+ {%+ if (rule.devices_neg): -%}
+--- a/root/usr/share/firewall4/templates/zone-verdict.uc
++++ b/root/usr/share/firewall4/templates/zone-verdict.uc
+@@ -1,5 +1,5 @@
+ {%+ if (rule.family): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress, rule }) -%}
+ {%+ if (zone.counter): -%}
+ counter {%+ endif -%}
+--- a/root/usr/share/firewall4/templates/mangle-rule.uc
+--- a/root/usr/share/firewall4/templates/mangle-rule.uc
+@@ -1,7 +1,7 @@
+ {%+ for (let src_devices in rule.src?.zone) }
+
+ {%+ if (rule.family && !rule.has_addrs): -%}
+- meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%}
+ meta l4proto {{
+ (rule.proto.name == 'icmp' && rule.family == 6) ? 'ipv6-icmp' : rule.proto.name
+--- a/root/usr/share/firewall4/templates/zone-drop-invalid.uc
++++ a/root/usr/share/firewall4/templates/zone-drop-invalid.uc
+@@ -1,5 +1,5 @@
+ {%+ if (zone.masq ^ zone.masq6): -%}
+- meta nfproto {{ fw4.nfproto(zone.masq ? 4 : 6) }} {%+ endif -%}
++ {%+ endif -%}
+ {%+ include("zone-match.uc", { egress: true, rule }) -%}
+ ct state invalid {%+ if (zone.counter): -%}
+ counter {%+ endif -%}
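Review bot: Deleting the `meta nfproto {{ fw4.nfproto(rule.family) }}` match in rule.uc, redirect.uc, mangle-rule.uc and the zone-*.uc templates removes the only family guard on rules that carry no addresses, so a rule configured with family 6 (an ICMPv6 or DHCPv6 accept, for example) would presumably be rendered into `table ip fw4` and either match IPv4 traffic or make the whole ruleset fail to load. The patch leaves the `if (rule.family ...)` blocks empty instead of skipping such rules; unless IPv6-only rules are filtered out before the templates run, which is not visible here, rendering should be skipped when the family is 6 rather than only dropping the match. Separately, the mangle-rule.uc section repeats the `--- a/...` line where `+++ b/root/usr/share/firewall4/templates/mangle-rule.uc` belongs, and zone-drop-invalid.uc uses `+++ a/`; confirm at build time that both sections actually apply. The change from `icmpx type` to `icmp type` in handle_reject also narrows the accepted reject codes, so a configured `tcp_reject_code` or `any_reject_code` that is valid only for `icmpx` would break the ruleset load and should be validated or mapped.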