[PATCH][netifd] vlandev: fix system_vlandev_add error triggered by multiple vlandev_set_up calls

2022-12-12 Thread Alin Nastac
vlan devices can be switched up more than once, in which case this error will
be traced:
  system_vlandev_add(1608): Error adding vlandev 'vlan_wan' over 'ptm0': -6
and interfaces that use this device will fail to start with error code
DEVICE_CLAIM_FAILED.

This change will prevent calling system_vlandev_add() when the vlan device
was already created, thus solving the root cause of the issue.

Signed-off-by: Alin Nastac 
---
 vlandev.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/vlandev.c b/vlandev.c
index 31b82b1..4780ca3 100644
--- a/vlandev.c
+++ b/vlandev.c
@@ -163,9 +163,14 @@ vlandev_set_up(struct vlandev_device *mvdev)
if (ret < 0)
return ret;
 
-   ret = system_vlandev_add(>dev, mvdev->parent.dev, 
>config);
-   if (ret < 0)
-   goto release;
+   if (mvdev->dev.ifindex && mvdev->dev.ifindex != 
system_if_resolve(>dev))
+   mvdev->dev.ifindex = 0; /* previous instance of this vlan 
device was destroyed */
+
+   if (!mvdev->dev.ifindex) {
+   ret = system_vlandev_add(>dev, mvdev->parent.dev, 
>config);
+   if (ret < 0)
+   goto release;
+   }
 
ret = mvdev->set_state(>dev, true);
if (ret)
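Review bot: the new `if (!mvdev->dev.ifindex)` guard skips system_vlandev_add() whenever the stored ifindex still resolves, so on a second vlandev_set_up() call a changed config argument (the one passed as third parameter to system_vlandev_add()) is never applied to the existing kernel device; if config changes are expected to reach the kernel, compare the stored config as well or tear the device down and recreate it. The reset branch also relies on system_if_resolve() returning something different from the stale ifindex once the device is gone (an error code or 0); state that contract in the comment, and put the wrapped `/* previous instance of this vlan device was destroyed */` comment on its own line above the assignment so the condition stays readable.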
-- 
2.34.1


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[PATCH] vlandev: fix system_vlandev_add error triggered by multiple vlandev_set_up calls

2022-12-12 Thread Alin Nastac
vlan devices can be switched up more than once, in which case this error will
be traced:
  system_vlandev_add(1608): Error adding vlandev 'vlan_wan' over 'ptm0': -6
and interfaces that use this device will fail to start with error code
DEVICE_CLAIM_FAILED.

This change will prevent calling system_vlandev_add() when the vlan device
was already created, thus solving the root cause of the issue.

Signed-off-by: Alin Nastac 
---
 vlandev.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/vlandev.c b/vlandev.c
index 31b82b1..4780ca3 100644
--- a/vlandev.c
+++ b/vlandev.c
@@ -163,9 +163,14 @@ vlandev_set_up(struct vlandev_device *mvdev)
if (ret < 0)
return ret;
 
-   ret = system_vlandev_add(>dev, mvdev->parent.dev, 
>config);
-   if (ret < 0)
-   goto release;
+   if (mvdev->dev.ifindex && mvdev->dev.ifindex != 
system_if_resolve(>dev))
+   mvdev->dev.ifindex = 0; /* previous instance of this vlan 
device was destroyed */
+
+   if (!mvdev->dev.ifindex) {
+   ret = system_vlandev_add(>dev, mvdev->parent.dev, 
>config);
+   if (ret < 0)
+   goto release;
+   }
 
ret = mvdev->set_state(>dev, true);
if (ret)
-- 
2.34.1




[PATCH][odhcp6c] odhcp6c_find_entry: exclude priority from the list of fields that must match

2020-10-15 Thread Alin Nastac
Priority of an entry can vary from one RA to another, but the entry
identity should be the same regardless of the priority declared in the
RA message handled in ra_process() at a time.

CDRouter, for instance, tests compliance of the device to requirement
G-5 of RFC 7084 by provisioning initially the CPE with a valid default
route that has a medium preference after which it sends a low preference
RA with lifetime 0 to check that CPE will start sending RAs with
lifetime 0 on the LAN side. Because odhcp6c didn't match the low
precedence default router entry with the odhcp6c_entry that was
previously stored with medium precedence, it will fail to remove the
existing STATE_RA_ROUTE default route, hence preventing odhcpd from
advertising RAs with lifetime 0 to LAN.

Signed-off-by: Alin Nastac 
---
 src/dhcpv6.c  | 4 ++--
 src/odhcp6c.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/dhcpv6.c b/src/dhcpv6.c
index 4cd1abc..65cc4e1 100644
--- a/src/dhcpv6.c
+++ b/src/dhcpv6.c
@@ -1233,8 +1233,8 @@ static unsigned int dhcpv6_parse_ia(void *opt, void *end)
 
// Update address IA
dhcpv6_for_each_option(_hdr[1], end, otype, olen, odata) {
-   struct odhcp6c_entry entry = {IN6ADDR_ANY_INIT, 0, 0, 0,
-   IN6ADDR_ANY_INIT, 0, 0, 0, 0, 0};
+   struct odhcp6c_entry entry = {IN6ADDR_ANY_INIT, 0, 0,
+   IN6ADDR_ANY_INIT, 0, 0, 0, 0, 0, 0};
 
entry.iaid = ia_hdr->iaid;
 
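Review bot: the positional initializer on the `+` lines is only correct while the field order of struct odhcp6c_entry matches it, and this hunk exists solely because `priority` moved. A designated initializer (`struct odhcp6c_entry entry = { .iaid = ia_hdr->iaid };`, since `iaid` is assigned right below anyway) or a plain `= {0}` zeroes every field, including the IN6ADDR_ANY members, and makes this line immune to the next reordering.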
diff --git a/src/odhcp6c.h b/src/odhcp6c.h
index 40ce098..14d0017 100644
--- a/src/odhcp6c.h
+++ b/src/odhcp6c.h
@@ -348,8 +348,8 @@ struct odhcp6c_entry {
struct in6_addr router;
uint8_t auxlen;
uint8_t length;
-   int16_t priority;
struct in6_addr target;
+   int16_t priority;
uint32_t valid;
uint32_t preferred;
uint32_t t1;
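Review bot: since the only change is moving `priority` below `target`, the identity comparison in odhcp6c_find_entry() presumably compares a leading byte range of the struct that ends at `target`; that dependency on field order is invisible in this hunk. Add a comment on the struct marking which fields form the entry identity (`router` through `target`) and which are per-RA attributes that may change (`priority`, the lifetimes), so the next person reordering fields does not silently change matching semantics, and check that any other positional initializer of odhcp6c_entry besides the one updated in dhcpv6.c is adjusted too.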
-- 
2.7.4




[PATCH][odhcp6c] ra: exit on RTM_DELLINK event

2020-10-14 Thread Alin Nastac
Also handle the netlink message correctly (the current code assumes
that the entire buffer returned by recv contains just one netlink
message).

This fixes a timing issue that occurs when wan interface proto is
pppoe, wan6 proto is dhcpv6 and PPP session is closed by the peer.

Because odhcp6c doesn't react to pppoe-wan device deletion, sometimes
netifd device created by the old pppd instance doesn't get released
before the new pppd instance executes the ppp-up script (pppoe-wan device
is referred to by the wan6 device alias), so device_claim() doesn't trigger
device_set_ifindex(). That will impede default route creation for wan
interface (pppoe-wan device will store the incorrect ifindex).

Signed-off-by: Alin Nastac 
---
 src/dhcpv6.c |  6 +-
 src/ra.c | 54 ++
 2 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/src/dhcpv6.c b/src/dhcpv6.c
index bd8a2dc..4cd1abc 100644
--- a/src/dhcpv6.c
+++ b/src/dhcpv6.c
@@ -560,7 +560,11 @@ int dhcpv6_request(enum dhcpv6_msg type)
struct timespec ts = {0, 0};
ts.tv_nsec = (dhcpv6_rand_delay((1 * DHCPV6_REQ_DELAY) / 2) 
+ (1000 * DHCPV6_REQ_DELAY) / 2) * 100;
 
-   while (nanosleep(, ) < 0 && errno == EINTR);
+   while (nanosleep(, ) < 0 && errno == EINTR) {
+   // Check for pending signal
+   if (odhcp6c_signal_process())
+   return -1;
+   }
}
 
if (type == DHCPV6_MSG_UNKNOWN)
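Review bot: the `return -1` inserted in the nanosleep() loop leaves dhcpv6_request() before any message is built or sent, which callers may not distinguish from a transmit failure that warrants a retry; make sure every caller treats -1 from this point as "aborted by a pending signal", and add a one-line comment saying which signal handling this honours (the RTM_DELLINK exit path added in ra.c in the same series).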
diff --git a/src/ra.c b/src/ra.c
index 337c0bd..9af48a2 100644
--- a/src/ra.c
+++ b/src/ra.c
@@ -16,6 +16,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -208,37 +209,42 @@ static int16_t pref_to_priority(uint8_t flags)
 bool ra_link_up(void)
 {
static bool firstcall = true;
-   struct {
-   struct nlmsghdr hdr;
-   struct ifinfomsg msg;
-   uint8_t pad[4000];
-   } resp;
+   char buf[4096];
bool ret = false;
ssize_t read;
 
-   do {
-   read = recv(rtnl, , sizeof(resp), MSG_DONTWAIT);
+   while ((read = recv(rtnl, , sizeof(buf), MSG_DONTWAIT)) > 0) {
+   for (struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
+   NLMSG_OK (nlh, read) && nlh->nlmsg_type != 
NLMSG_DONE;
+   nlh = NLMSG_NEXT(nlh, read)) {
+   if (nlh->nlmsg_type != RTM_NEWLINK && nlh->nlmsg_type 
!= RTM_DELLINK)
+   continue;
 
-   if (read < 0 || !NLMSG_OK(, (size_t)read) ||
-   resp.hdr.nlmsg_type != RTM_NEWLINK ||
-   resp.msg.ifi_index != if_index)
-   continue;
+   struct ifinfomsg *ifi = NLMSG_DATA(nlh);
+   if (ifi->ifi_index != if_index)
+   continue;
 
-   ssize_t alen = NLMSG_PAYLOAD(, sizeof(resp.msg));
-   for (struct rtattr *rta = (struct rtattr*)(resp.pad);
-   RTA_OK(rta, alen); rta = RTA_NEXT(rta, alen)) {
-   if (rta->rta_type == IFLA_ADDRESS &&
-   RTA_PAYLOAD(rta) >= 
sizeof(rs.lladdr.data))
-   memcpy(rs.lladdr.data, RTA_DATA(rta), 
sizeof(rs.lladdr.data));
-   }
+   if (nlh->nlmsg_type == RTM_DELLINK) {
+   syslog(LOG_ERR, "Interface %s has been deleted, 
exiting", if_name);
+   exit(1);
+   }
 
-   bool hascarrier = resp.msg.ifi_flags & IFF_LOWER_UP;
-   if (!firstcall && nocarrier != !hascarrier)
-   ret = true;
+   ssize_t alen = IFLA_PAYLOAD(nlh);
+   for (struct rtattr *rta = IFLA_RTA(nlh);
+   RTA_OK(rta, alen); rta = RTA_NEXT(rta, 
alen)) {
+   if (rta->rta_type == IFLA_ADDRESS &&
+   RTA_PAYLOAD(rta) >= 
sizeof(rs.lladdr.data))
+   memcpy(rs.lladdr.data, RTA_DATA(rta), 
sizeof(rs.lladdr.data));
+   }
+
+   bool hascarrier = ifi->ifi_flags & IFF_LOWER_UP;
+   if (!firstcall && nocarrier != !hascarrier)
+   ret = true;
 
-   nocarrier = !hascarrier;
-   firstcall = false;
-   } while (read > 0);
+   nocarrier = !hascarrier;
+   firstcall = false;
+   }
+   }
 
if (ret) {
syslog(LOG_NOTICE, "carrier => %i e
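Review bot: `char buf[4096]` is cast to `struct nlmsghdr *`; the removed `resp` struct began with a `struct nlmsghdr` and was therefore correctly aligned, while a plain char array has no such guarantee, and on strict-alignment targets among the boards OpenWrt runs on a misaligned header access is a fault. Declare the receive buffer as a union with a `struct nlmsghdr` (or give it an explicit aligned attribute). Two smaller points: NLMSG_OK() takes an unsigned length and `read` is ssize_t (the removed code cast it to size_t, the new code does not), and `exit(1)` on RTM_DELLINK terminates from inside a poll helper with no cleanup; returning a status to the main loop, which already has a signal path for shutting down, would be the cleaner route.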

[PATCH][netifd] system-linux: initialize ifreq struct before using it

2020-10-08 Thread Alin Nastac
Signed-off-by: Alin Nastac 
---
 system-linux.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/system-linux.c b/system-linux.c
index 6778b1d..9188899 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -904,6 +904,8 @@ failure:
 int system_if_resolve(struct device *dev)
 {
struct ifreq ifr;
+
+   memset(, 0, sizeof(ifr));
strncpy(ifr.ifr_name, dev->ifname, sizeof(ifr.ifr_name) - 1);
if (!ioctl(sock_ioctl, SIOCGIFINDEX, ))
return ifr.ifr_ifindex;
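Review bot: worth spelling out in the commit message why the memset matters: strncpy() with `sizeof(ifr.ifr_name) - 1` never writes the last byte of `ifr_name`, so for a 15-character ifname the kernel saw an unterminated name followed by whatever was on the stack, and the remainder of the uninitialised struct went to the kernel with every SIOCGIFINDEX call. `struct ifreq ifr = {0};` at the declaration is the shorter idiom and avoids the separate memset.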
-- 
2.7.4




[firewall3][PATCH] zones: limit masq_allow_invalid effect to ipv4 family

2020-07-01 Thread Alin Nastac
Preventing NAT leakage on ipv6 doesn't make sense, as
all other masq* options have effect only on ipv4.

Signed-off-by: Alin Nastac 
---
 zones.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zones.c b/zones.c
index 68b02ab..dbf23dc 100644
--- a/zones.c
+++ b/zones.c
@@ -501,7 +501,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct 
fw3_state *state,
 
if (has(zone->flags, handle->family, t))
{
-   if (t == FW3_FLAG_ACCEPT &&
+   if (t == FW3_FLAG_ACCEPT && handle->family == 
FW3_FAMILY_V4 &&
zone->masq && !zone->masq_allow_invalid)
{
r = fw3_ipt_rule_create(handle, NULL, 
NULL, dev, NULL, sub);
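Review bot: with the condition now requiring `handle->family == FW3_FAMILY_V4`, the rule that `masq_allow_invalid` suppresses is no longer emitted for IPv6 at all; say so explicitly in the option documentation (masq_allow_invalid is IPv4-only, like the other masq* options) so nobody expects the IPv6 side to still be covered. Splitting the three-way condition over separate lines would also make the family gate easier to spot than the current wrapped line.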
-- 
2.7.4




[OpenWrt-Devel] [firewall3][PATCH] redirects: fix segmentation fault

2020-05-07 Thread Alin Nastac
Fixes 9d7f49df47ad ("redurects: add support to define multiple zones for dnat 
reflection rules")

Signed-off-by: Alin Nastac 
---
 redirects.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/redirects.c b/redirects.c
index b928287..45a6cb1 100644
--- a/redirects.c
+++ b/redirects.c
@@ -708,9 +708,8 @@ expand_redirect(struct fw3_ipt_handle *handle, struct 
fw3_state *state,
return;
 
ext_addrs = fw3_resolve_zone_addresses(redir->_src, >ip_dest);
-
if (!ext_addrs)
-   goto out;
+   return;
 
list_for_each_entry(ext_addr, ext_addrs, list)
{
@@ -733,6 +732,9 @@ expand_redirect(struct fw3_ipt_handle *handle, struct 
fw3_state *state,
continue;
 
int_addrs = fw3_resolve_zone_addresses(zone, NULL);
+   if (!int_addrs)
+   continue;
+
list_for_each_entry(int_addr, int_addrs, list)
{
if (!fw3_is_family(int_addr, handle->family))
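Review bot: `continue` on a NULL `int_addrs` silently skips the reflection zone; a warn_elem()/debug message naming the zone would make a reflection_zone that resolves to no addresses visible in `fw3 -d` output instead of producing no rule and no trace.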
@@ -755,12 +757,12 @@ expand_redirect(struct fw3_ipt_handle *handle, struct 
fw3_state *state,
 _addr, int_addr, 
ext_addr, reflection_zone);
}
}
+
+   fw3_free_list(int_addrs);
}
}
 
-out:
fw3_free_list(ext_addrs);
-   fw3_free_list(int_addrs);
 }
 
 void
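Review bot: moving `fw3_free_list(int_addrs)` inside the loop fixes both the leak of every iteration but the last and the free of an uninitialised or stale pointer through the removed `out:` label. Check that every early exit from an iteration of the `list_for_each_entry(ext_addr, ...)` body happens before `int_addrs` is resolved (the `continue` just before fw3_resolve_zone_addresses(zone, NULL) does, so it is fine) and that no other `goto out` remains in the function now that the label is gone, otherwise the build breaks or a list leaks again.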
-- 
2.7.4




[OpenWrt-Devel] [firewall3][PATCH v3] redirect & nat: add IPv6 NAT support

2020-05-07 Thread Alin Nastac
1) Remove hardcoded restrictions that disable redirect support on IPv6.
2) Allow usage of IP address lists in redirect and snat uci sections.
This is needed for 2 scenarios:
  - use the interface address that matches the redirect & nat family
when dest_ip is set to an interface name
  - set redirect destination to a pair of IPv4/v6 addresses when DNAT
redirection is needed on both families
To be documented that, although redirect & nat IP addresses are now
technically lists, only the first address of the respective family
will be used in the correspondent ip(6)tables rule.

This new feature has been tested with the following redirect:
  config redirect
option name 'DNS-interception'
option src 'lan'
option dest 'lan'
option family 'any'
option proto 'tcpudp'
option src_dport '53'
option dest_ip 'lan'
option target 'DNAT'

It was also tested on a build that did not support IPv6 NAT (nat
was not present in /proc/net/ip6_tables_names), fw3 -d restart did
not signal any error.

Signed-off-by: Alin Nastac 
---
 defaults.c  |   4 +-
 options.h   |  12 ++---
 redirects.c | 157 ++--
 redirects.h |   2 +-
 snats.c |  78 +++---
 ubus.c  |  37 +-
 utils.c |  34 +
 utils.h |   6 +++
 zones.c |  11 +++--
 9 files changed, 243 insertions(+), 98 deletions(-)

diff --git a/defaults.c b/defaults.c
index 60a4c81..e5369eb 100644
--- a/defaults.c
+++ b/defaults.c
@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = {
C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
 
-   C(V4,  NAT,CUSTOM_CHAINS, "prerouting_rule"),
-   C(V4,  NAT,CUSTOM_CHAINS, "postrouting_rule"),
+   C(ANY, NAT,CUSTOM_CHAINS, "prerouting_rule"),
+   C(ANY, NAT,CUSTOM_CHAINS, "postrouting_rule"),
 
{ }
 };
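Review bot: declaring the prerouting_rule/postrouting_rule custom chains for ANY makes fw3 attempt to create them in the ip6tables nat table; the commit message says a build without IPv6 NAT (nat absent from /proc/net/ip6_tables_names) restarted without error, so chain creation must already be gated on table availability. Name that gate in the commit message, since a reader of this hunk cannot see it and the failure mode (a broken `fw3 restart` on kernels without nf_nat for IPv6) would be severe.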
diff --git a/options.h b/options.h
index e20c89b..d48db74 100644
--- a/options.h
+++ b/options.h
@@ -420,14 +420,14 @@ struct fw3_redirect
 
struct list_head proto;
 
-   struct fw3_address ip_src;
+   struct list_head ip_src;
struct list_head mac_src;
struct fw3_port port_src;
 
-   struct fw3_address ip_dest;
+   struct list_head ip_dest;
struct fw3_port port_dest;
 
-   struct fw3_address ip_redir;
+   struct list_head ip_redir;
struct fw3_port port_redir;
 
struct fw3_limit limit;
@@ -462,13 +462,13 @@ struct fw3_snat
 
struct list_head proto;
 
-   struct fw3_address ip_src;
+   struct list_head ip_src;
struct fw3_port port_src;
 
-   struct fw3_address ip_dest;
+   struct list_head ip_dest;
struct fw3_port port_dest;
 
-   struct fw3_address ip_snat;
+   struct list_head ip_snat;
struct fw3_port port_snat;
 
struct fw3_limit limit;
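Review bot: the switch from `struct fw3_address` to `struct list_head` changes how "no address configured" is represented: an empty list instead of `family == 0`. Every consumer that tested `.family` needs the same treatment (the check_families() hunk covers two of them); a grep for `ip_src.family`, `ip_dest.family`, `ip_redir.family` and `ip_snat.family` across redirects.c, snats.c and ubus.c before merging would confirm nothing was missed, because a leftover `.family` access on a list_head no longer compiles only if the member name happens to be absent.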
diff --git a/redirects.c b/redirects.c
index 45a6cb1..dea19f8 100644
--- a/redirects.c
+++ b/redirects.c
@@ -33,14 +33,14 @@ const struct fw3_option fw3_redirect_opts[] = {
 
FW3_LIST("proto",  protocol,  redirect, proto),
 
-   FW3_OPT("src_ip",  network,   redirect, ip_src),
+   FW3_LIST("src_ip", network,   redirect, ip_src),
FW3_LIST("src_mac",mac,   redirect, mac_src),
FW3_OPT("src_port",port,  redirect, port_src),
 
-   FW3_OPT("src_dip", network,   redirect, ip_dest),
+   FW3_LIST("src_dip",network,   redirect, ip_dest),
FW3_OPT("src_dport",   port,  redirect, port_dest),
 
-   FW3_OPT("dest_ip", network,   redirect, ip_redir),
+   FW3_LIST("dest_ip",network,   redirect, ip_redir),
FW3_OPT("dest_port",   port,  redirect, port_redir),
 
FW3_OPT("extra",   string,redirect, extra),
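Review bot: with `src_ip`, `src_dip` and `dest_ip` now parsed as lists, the rule stated in the commit message that only the first address of the matching family is used should be enforced or at least warned about at parse time: a config listing two IPv4 addresses would silently use one of them. The column alignment of the new FW3_LIST rows has also drifted from the surrounding FW3_OPT rows.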
@@ -68,7 +68,6 @@ const struct fw3_option fw3_redirect_opts[] = {
{ }
 };
 
-
 static bool
 check_families(struct uci_element *e, struct fw3_redirect *r)
 {
@@ -101,19 +100,19 @@ check_families(struct uci_element *e, struct fw3_redirect 
*r)
return false;
}
 
-   if (r->ip_src.family && r->ip_src.family != r->family)
+   if (!fw3_check_family_addr(>ip_src, r->family))
{
warn_elem(e, "uses source ip with different family");
return false;
}
 
-   if (r->ip_dest.family && r->ip_dest.family != r->family)
+   if (!fw3_check_family_addr(>ip_dest, r->family))
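Review bot: fw3_check_family_addr() replaces the explicit `family && family != r->family` test, but the hunk is cut off here so the helper's behaviour for a mixed-family list (one IPv4 and one IPv6 entry, which the commit message presents as the supported way to express dual-family DNAT) is not visible. The warning "uses source ip with different family" should fire only when no entry of the rule's family exists, not when an additional entry of the other family is present, otherwise the documented dual-family configuration is rejected.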
 

[OpenWrt-Devel] [firewall3][PATCH v2] redirect & nat: add IPv6 NAT support

2020-04-28 Thread Alin Nastac
From: Alin Nastac 

1) Remove hardcoded restrictions that disable redirect support on IPv6.
2) Allow usage of IP address lists in redirect and snat uci sections.
This is needed for 2 scenarios:
  - use the interface address that matches the redirect & nat family
when dest_ip is set to an interface name
  - set redirect destination to a pair of IPv4/v6 addresses when DNAT
redirection is needed on both families
To be documented that, although redirect & nat IP addresses are now
technically lists, only the first address of the respective family
will be used in the correspondent ip(6)tables rule.

This new feature has been tested with the following redirect:
  config redirect
option name 'DNS-interception'
option src 'lan'
option dest 'lan'
option family 'any'
option proto 'tcpudp'
option src_dport '53'
option dest_ip 'lan'
option target 'DNAT'

It was also tested on a build that did not support IPv6 NAT (nat
was not present in /proc/net/ip6_tables_names), fw3 -d restart did
not signal any error.

Signed-off-by: Alin Nastac 
---
 defaults.c  |   4 +-
 options.h   |  12 ++---
 redirects.c | 157 ++--
 redirects.h |   2 +-
 snats.c |  78 +++---
 ubus.c  |  37 +-
 utils.c |  34 +
 utils.h |   6 +++
 zones.c |  11 +++--
 9 files changed, 243 insertions(+), 98 deletions(-)

diff --git a/defaults.c b/defaults.c
index 60a4c81..e5369eb 100644
--- a/defaults.c
+++ b/defaults.c
@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = {
C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
 
-   C(V4,  NAT,CUSTOM_CHAINS, "prerouting_rule"),
-   C(V4,  NAT,CUSTOM_CHAINS, "postrouting_rule"),
+   C(ANY, NAT,CUSTOM_CHAINS, "prerouting_rule"),
+   C(ANY, NAT,CUSTOM_CHAINS, "postrouting_rule"),
 
{ }
 };
diff --git a/options.h b/options.h
index e20c89b..d48db74 100644
--- a/options.h
+++ b/options.h
@@ -420,14 +420,14 @@ struct fw3_redirect
 
struct list_head proto;
 
-   struct fw3_address ip_src;
+   struct list_head ip_src;
struct list_head mac_src;
struct fw3_port port_src;
 
-   struct fw3_address ip_dest;
+   struct list_head ip_dest;
struct fw3_port port_dest;
 
-   struct fw3_address ip_redir;
+   struct list_head ip_redir;
struct fw3_port port_redir;
 
struct fw3_limit limit;
@@ -462,13 +462,13 @@ struct fw3_snat
 
struct list_head proto;
 
-   struct fw3_address ip_src;
+   struct list_head ip_src;
struct fw3_port port_src;
 
-   struct fw3_address ip_dest;
+   struct list_head ip_dest;
struct fw3_port port_dest;
 
-   struct fw3_address ip_snat;
+   struct list_head ip_snat;
struct fw3_port port_snat;
 
struct fw3_limit limit;
diff --git a/redirects.c b/redirects.c
index b928287..1b7245b 100644
--- a/redirects.c
+++ b/redirects.c
@@ -33,14 +33,14 @@ const struct fw3_option fw3_redirect_opts[] = {
 
FW3_LIST("proto",  protocol,  redirect, proto),
 
-   FW3_OPT("src_ip",  network,   redirect, ip_src),
+   FW3_LIST("src_ip", network,   redirect, ip_src),
FW3_LIST("src_mac",mac,   redirect, mac_src),
FW3_OPT("src_port",port,  redirect, port_src),
 
-   FW3_OPT("src_dip", network,   redirect, ip_dest),
+   FW3_LIST("src_dip",network,   redirect, ip_dest),
FW3_OPT("src_dport",   port,  redirect, port_dest),
 
-   FW3_OPT("dest_ip", network,   redirect, ip_redir),
+   FW3_LIST("dest_ip",network,   redirect, ip_redir),
FW3_OPT("dest_port",   port,  redirect, port_redir),
 
FW3_OPT("extra",   string,redirect, extra),
@@ -68,7 +68,6 @@ const struct fw3_option fw3_redirect_opts[] = {
{ }
 };
 
-
 static bool
 check_families(struct uci_element *e, struct fw3_redirect *r)
 {
@@ -101,19 +100,19 @@ check_families(struct uci_element *e, struct fw3_redirect 
*r)
return false;
}
 
-   if (r->ip_src.family && r->ip_src.family != r->family)
+   if (!fw3_check_family_addr(>ip_src, r->family))
{
warn_elem(e, "uses source ip with different family");
return false;
}
 
-   if (r->ip_dest.family && r->ip_dest.family != r->family)
+   if (!fw3_check_family_addr(>ip_dest, r->family))
 

[OpenWrt-Devel] [PATCH][uci] file: preserve original file mode after commit

2020-04-24 Thread Alin Nastac
Because mkstemp() creates a file with mode 0600, only the user doing
the commit (typically root) will be allowed to inspect the content
of the file after uci commit.

Signed-off-by: Alin Nastac 
---
 file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/file.c b/file.c
index 3ac49c6..6486de9 100644
--- a/file.c
+++ b/file.c
@@ -724,6 +724,7 @@ static void uci_file_commit(struct uci_context *ctx, struct 
uci_package **packag
char *volatile name = NULL;
char *volatile path = NULL;
char *filename = NULL;
+   struct stat statbuf;
volatile bool do_rename = false;
int fd;
 
@@ -801,7 +802,7 @@ done:
uci_close_stream(f1);
if (do_rename) {
path = realpath(p->path, NULL);
-   if (!path || rename(filename, path)) {
+   if (!path || stat(path, ) || chmod(filename, 
statbuf.st_mode) || rename(filename, path)) {
unlink(filename);
UCI_THROW(ctx, UCI_ERR_IO);
}
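Review bot: chmod() by name on the temp file races with the stat() on the target and carries over only the mode; the owner and group of the original file are not preserved, so a config owned by another uid/gid comes back owned by whoever ran the commit. Prefer fstat()/fchmod()/fchown() on the temp file descriptor `fd` declared in this function, stat() the original once, and split the four-call `||` chain so a failed chmod is not reported as a generic UCI_ERR_IO indistinguishable from a failed rename.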
-- 
2.7.4




[OpenWrt-Devel] [PATCH] system-linux: fix PATH_MAX undeclared compilation error

2020-03-27 Thread Alin Nastac
From: Alin Nastac 

Issue was introduced in commit 1321c1bd8fe921986c4eb39c3783ddd827b79543.

Signed-off-by: Alin Nastac 
---
 system-linux.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/system-linux.c b/system-linux.c
index d36d287..775b448 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -26,6 +26,7 @@
 #include 
 #include 
 
+#include 
 #include 
 #include 
 #include 
-- 
2.7.4




[OpenWrt-Devel] [firewall3][PATCH] redirect & nat: add IPv6 NAT support

2020-03-24 Thread Alin Nastac
From: Alin Nastac 

1) Remove hardcoded restrictions that disable redirect support on IPv6.
2) Allow usage of IP address lists in redirect and snat uci sections.
This is needed for 2 scenarios:
  - use the interface address that matches the redirect & nat family
when dest_ip is set to an interface name
  - set redirect destination to a pair of IPv4/v6 addresses when DNAT
redirection is needed on both families
To be documented that, although redirect & nat IP addresses are now
technically lists, only the first address of the respective family
will be used in the correspondent ip(6)tables rule.

This new feature has been tested with the following redirect:
  config redirect
option name 'DNS-interception'
option src 'lan'
option dest 'lan'
option family 'any'
option proto 'tcpudp'
option src_dport '53'
option dest_ip 'lan'
option target 'DNAT'

It was also tested on a build that did not support IPv6 NAT (nat
was not present in /proc/net/ip6_tables_names), fw3 -d restart did
not signal any error.

Signed-off-by: Alin Nastac 
---
 defaults.c  |   4 +-
 options.h   |  12 ++---
 redirects.c | 155 ++--
 redirects.h |   2 +-
 snats.c |  78 +++---
 ubus.c  |  37 ++-
 utils.c |  34 +
 utils.h |   6 +++
 zones.c |  11 +++--
 9 files changed, 242 insertions(+), 97 deletions(-)

diff --git a/defaults.c b/defaults.c
index 60a4c81..e5369eb 100644
--- a/defaults.c
+++ b/defaults.c
@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = {
C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
 
-   C(V4,  NAT,CUSTOM_CHAINS, "prerouting_rule"),
-   C(V4,  NAT,CUSTOM_CHAINS, "postrouting_rule"),
+   C(ANY, NAT,CUSTOM_CHAINS, "prerouting_rule"),
+   C(ANY, NAT,CUSTOM_CHAINS, "postrouting_rule"),
 
{ }
 };
diff --git a/options.h b/options.h
index e20c89b..d48db74 100644
--- a/options.h
+++ b/options.h
@@ -420,14 +420,14 @@ struct fw3_redirect
 
struct list_head proto;
 
-   struct fw3_address ip_src;
+   struct list_head ip_src;
struct list_head mac_src;
struct fw3_port port_src;
 
-   struct fw3_address ip_dest;
+   struct list_head ip_dest;
struct fw3_port port_dest;
 
-   struct fw3_address ip_redir;
+   struct list_head ip_redir;
struct fw3_port port_redir;
 
struct fw3_limit limit;
@@ -462,13 +462,13 @@ struct fw3_snat
 
struct list_head proto;
 
-   struct fw3_address ip_src;
+   struct list_head ip_src;
struct fw3_port port_src;
 
-   struct fw3_address ip_dest;
+   struct list_head ip_dest;
struct fw3_port port_dest;
 
-   struct fw3_address ip_snat;
+   struct list_head ip_snat;
struct fw3_port port_snat;
 
struct fw3_limit limit;
diff --git a/redirects.c b/redirects.c
index b928287..a557679 100644
--- a/redirects.c
+++ b/redirects.c
@@ -33,14 +33,14 @@ const struct fw3_option fw3_redirect_opts[] = {
 
FW3_LIST("proto",  protocol,  redirect, proto),
 
-   FW3_OPT("src_ip",  network,   redirect, ip_src),
+   FW3_LIST("src_ip", network,   redirect, ip_src),
FW3_LIST("src_mac",mac,   redirect, mac_src),
FW3_OPT("src_port",port,  redirect, port_src),
 
-   FW3_OPT("src_dip", network,   redirect, ip_dest),
+   FW3_LIST("src_dip",network,   redirect, ip_dest),
FW3_OPT("src_dport",   port,  redirect, port_dest),
 
-   FW3_OPT("dest_ip", network,   redirect, ip_redir),
+   FW3_LIST("dest_ip",network,   redirect, ip_redir),
FW3_OPT("dest_port",   port,  redirect, port_redir),
 
FW3_OPT("extra",   string,redirect, extra),
@@ -68,7 +68,6 @@ const struct fw3_option fw3_redirect_opts[] = {
{ }
 };
 
-
 static bool
 check_families(struct uci_element *e, struct fw3_redirect *r)
 {
@@ -101,19 +100,19 @@ check_families(struct uci_element *e, struct fw3_redirect 
*r)
return false;
}
 
-   if (r->ip_src.family && r->ip_src.family != r->family)
+   if (!fw3_check_family_addr(>ip_src, r->family))
{
warn_elem(e, "uses source ip with different family");
return false;
}
 
-   if (r->ip_dest.family && r->ip_dest.family != r->family)
+   if (!fw3_check_family_addr(>ip_dest, r->family))
 

[OpenWrt-Devel] [netifd][PATCH] interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel

2020-02-05 Thread Alin Nastac
From: Alin Nastac 

When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.

Signed-off-by: Alin Nastac 
---
 interface-ip.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/interface-ip.c b/interface-ip.c
index 91c305b..ff8f219 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -913,7 +913,7 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
 
addr.addr.in6 = assignment->addr;
addr.mask = assignment->length;
-   addr.flags = DEVADDR_INET6 | DEVADDR_OFFLINK;
+   addr.flags = DEVADDR_INET6;
addr.preferred_until = prefix->preferred_until;
addr.valid_until = prefix->valid_until;
 
@@ -960,6 +960,7 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
route.addr = addr.addr;
}
 
+   addr.flags |= DEVADDR_OFFLINK;
if (system_add_address(l3_downlink, ))
return;
 
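Review bot: after this pair of hunks the two system_add_address() calls in the function differ: the add in the deprecation branch higher up now goes without DEVADDR_OFFLINK (so the kernel keeps its own prefix route for the deprecated address, which is the L-14 fix), while this later add restores the flag just before the call. A one-line comment at `addr.flags |= DEVADDR_OFFLINK;` saying that only the deprecated re-add hands the prefix route to the kernel would stop someone from folding the flag back into the initialiser and silently undoing the fix.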
-- 
2.7.4




[OpenWrt-Devel] [netifd][PATCH] interface-ip: transfer prefix route ownership to kernel when IPv6 address becomes deprecated

2020-02-03 Thread Alin Nastac
From: Alin Nastac 

When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.

Signed-off-by: Alin Nastac 
---
 interface-ip.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/interface-ip.c b/interface-ip.c
index 91c305b..ff8f219 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -913,7 +913,7 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
 
addr.addr.in6 = assignment->addr;
addr.mask = assignment->length;
-   addr.flags = DEVADDR_INET6 | DEVADDR_OFFLINK;
+   addr.flags = DEVADDR_INET6;
addr.preferred_until = prefix->preferred_until;
addr.valid_until = prefix->valid_until;
 
@@ -960,6 +960,7 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
route.addr = addr.addr;
}
 
+   addr.flags |= DEVADDR_OFFLINK;
if (system_add_address(l3_downlink, ))
return;
 
-- 
2.7.4




[OpenWrt-Devel] [PATCH] ubus: lua binding does not allow a reply with 64 bit numbers

2020-02-03 Thread Alin Nastac
Numbers originating from lua bindings get explicitly truncated to 32 bit.

Signed-off-by: Alin Nastac 
---
 lua/ubus.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lua/ubus.c b/lua/ubus.c
index 86dcc50..aa01ac9 100644
--- a/lua/ubus.c
+++ b/lua/ubus.c
@@ -196,7 +196,11 @@ ubus_lua_format_blob(lua_State *L, struct blob_buf *b, 
bool table)
case LUA_TINT:
 #endif
case LUA_TNUMBER:
-   blobmsg_add_u32(b, key, (uint32_t)lua_tointeger(L, -1));
+   if((uint64_t)lua_tonumber(L, -1) > INT_MAX) {
+   blobmsg_add_u64(b, key, (uint64_t)lua_tonumber(L, -1));
+   } else {
+   blobmsg_add_u32(b, key, (uint32_t)lua_tointeger(L, -1));
+   }
break;
 
case LUA_TSTRING:
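Review bot: `(uint64_t)lua_tonumber(L, -1) > INT_MAX` misbehaves at both ends: converting a negative Lua number to uint64_t is undefined behaviour in C and in practice produces a huge value, so a reply of -1 goes out as a 64-bit number near 2^64; and the threshold is INT_MAX rather than UINT32_MAX, so values in 2^31..2^32-1 are now sent as u64 although they fit the u32 that existing callers expect. Test the double against the ranges explicitly (negative or above UINT32_MAX goes to blobmsg_add_u64, everything else to blobmsg_add_u32), call lua_tonumber() once into a local, and note that fractional values are truncated silently. There is also a missing space after `if`.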
-- 
2.7.4




[OpenWrt-Devel] [PATCH] interface: add IPv6 addresses without IFA_F_NOPREFIXROUTE

2019-12-18 Thread Alin Nastac
When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.

Signed-off-by: Alin Nastac 
---
 interface-ip.c | 18 +-
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/interface-ip.c b/interface-ip.c
index c159e09..0958fcb 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -905,20 +905,14 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
struct device *l3_downlink = iface->l3_dev.dev;
 
struct device_addr addr;
-   struct device_route route;
memset(, 0, sizeof(addr));
-   memset(, 0, sizeof(route));
 
addr.addr.in6 = assignment->addr;
addr.mask = assignment->length;
-   addr.flags = DEVADDR_INET6 | DEVADDR_OFFLINK;
+   addr.flags = DEVADDR_INET6;
addr.preferred_until = prefix->preferred_until;
addr.valid_until = prefix->valid_until;
 
-   route.flags = DEVADDR_INET6;
-   route.mask = addr.mask < 64 ? 64 : addr.mask;
-   route.addr = addr.addr;
-
if (!add && assignment->enabled) {
time_t now = system_get_rtime();
 
@@ -939,10 +933,6 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
addr.mask, 0, iface, 
"unreachable", true);
}
 
-   clear_if_addr(, route.mask);
-   interface_set_route_info(iface, );
-
-   system_del_route(l3_downlink, );
system_add_address(l3_downlink, );
 
assignment->addr = in6addr_any;
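Review bot: dropping system_del_route() here is the actual behaviour change (the deprecated prefix's route survives until the address goes away), while the rest of the patch is cleanup of the now-unused `route`; the commit message gives only the motivation, so spell out that the kernel-managed prefix route now lives as long as the address's valid lifetime and that it coexists with the `unreachable` route for the whole prefix added just above.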
@@ -955,7 +945,6 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
return;
 
assignment->addr = addr.addr.in6;
-   route.addr = addr.addr;
}
 
if (system_add_address(l3_downlink, ))
@@ -976,11 +965,6 @@ interface_set_prefix_address(struct 
device_prefix_assignment *assignment,
}
}
 
-   clear_if_addr(, route.mask);
-   interface_set_route_info(iface, );
-
-   system_add_route(l3_downlink, );
-
if (uplink && uplink->l3_dev.dev && 
!(l3_downlink->settings.flags & DEV_OPT_MTU6)) {
int mtu = system_update_ipv6_mtu(uplink->l3_dev.dev, 0);
int mtu_old = system_update_ipv6_mtu(l3_downlink, 0);
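Review bot: with netifd's own `route` removed, the prefix route exists only as the kernel's automatic one created when the address is added, so it no longer passes through interface_set_route_info() and will not show up in netifd's route table or ubus interface status; anything that listed it there (LuCI, hotplug scripts) sees a visible change, which deserves a line in the commit message. Consider also a comment at the remaining system_add_address() call stating that the kernel now owns the prefix route by design.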
-- 
2.7.4




[OpenWrt-Devel] [PATCH v2] fstools: add a hook before mounting the overlay

2019-10-11 Thread Alin Nastac
From: Alin Nastac 

Scripts located in the directory /etc/mount_root.d will be executed
before mounting the overlay. It can be used to implement
configuration merges between old & new setup after doing sysupgrade.

Signed-off-by: Alin Nastac 
---
 libfstools/overlay.c | 46 +-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/libfstools/overlay.c b/libfstools/overlay.c
index 14214a3..46c87c9 100644
--- a/libfstools/overlay.c
+++ b/libfstools/overlay.c
@@ -14,6 +14,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -400,6 +401,49 @@ int fs_state_set(const char *dir, enum fs_state state)
return symlink(valstr, path);
 }
 
+static inline int hook_execute(const char *path)
+{
+   DIR *dir;
+   struct dirent *dent;
+   char script[256];
+   pid_t pid;
+
+   ULOG_INFO("executing scripts in %s\n", path);
+
+   if ((dir = opendir(path)) == NULL) {
+   ULOG_INFO("cannot open %s (%s)\n", path, strerror(errno));
+   return 0;
+   }
+
+   while ((dent = readdir(dir)) != NULL) {
+   struct stat st;
+   int wstatus;
+
+   snprintf(script, sizeof(script), "%s/%s", path, dent->d_name);
+   if (stat(script, ))
+   continue;
+   if (!S_ISREG(st.st_mode))
+   continue;
+   ULOG_INFO("%s\n", script);
+   pid = fork();
+   if (!pid) {
+   char *cmd[] = {script, NULL};
+
+   execvp(cmd[0], cmd);
+   ULOG_ERR("Failed to execute %s\n", script);
+   exit(-1);
+   }
+   if (pid <= 0) {
+   ULOG_INFO("Failed to fork() for %s\n", script);
+   continue;
+   }
+   waitpid(pid, , 0);
+   }
+
+   closedir(dir);
+
+   return 0;
+}
 
 int mount_overlay(struct volume *v)
 {
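Review bot: hook_execute() runs every regular file in readdir() order and discards each script's exit status, so execution order depends on the filesystem and a failing merge script goes unnoticed: use scandir(path, &list, NULL, alphasort) (the run-parts convention, so scripts can be ordered with numeric prefixes) and at least log WEXITSTATUS(wstatus), which waitpid() collects and the loop then drops. Smaller points in the same hunk: the child should call _exit() instead of exit(-1) after a failed execvp(), so it does not flush the parent's stdio buffers a second time (and -1 becomes exit status 255); `if (pid <= 0)` after the `!pid` branch is really `pid < 0`; and `snprintf(script, sizeof(script), "%s/%s", ...)` into a 256-byte buffer truncates silently, so check its return value rather than executing a truncated path. Since the hook runs before fopivot(), /etc/mount_root.d is read from the rom rather than from the persistent overlay, which is the property that keeps the overlay from injecting scripts that run as root at boot; that deserves a comment here.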
@@ -439,7 +483,7 @@ int mount_overlay(struct volume *v)
 
fs_name = overlay_fs_name(volume_identify(v));
ULOG_INFO("switching to %s overlay\n", fs_name);
-   if (mount_move("/tmp", "", "/overlay") || fopivot("/overlay", "/rom")) {
+   if (mount_move("/tmp", "", "/overlay") || 
hook_execute("/etc/mount_root.d") || fopivot("/overlay", "/rom")) {
ULOG_ERR("switching to %s failed - fallback to ramoverlay\n", 
fs_name);
return ramoverlay();
}
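Review bot: hook_execute() always returns 0, so its position in the `||` chain can never take the ramoverlay fallback; if that is deliberate (a failing merge script must not cost the persistent overlay), say so in a comment, because a reader of this condition will assume a non-zero return aborts the switch. The scripts run with the rom as / and the overlay already mounted at /overlay (after mount_move(), before fopivot()); that contract, which the "configuration merges" use case depends on, belongs in the commit message.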
-- 
2.7.4




[OpenWrt-Devel] [PATCH] firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

2019-09-10 Thread Alin Nastac
From: Alin Nastac 

The problem can be reproduced with a rule like this:
   option src 'wan'
   option family 'ipv6'
   option proto 'icmp'
   option icmp_type '128'
   option target 'DROP'
The resulting rule will set --icmpv6-type to 128/255.

Signed-off-by: Alin Nastac 
---
 options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/options.c b/options.c
index c763d9e..7870143 100644
--- a/options.c
+++ b/options.c
@@ -568,7 +568,7 @@ fw3_parse_icmptype(void *ptr, const char *val, bool is_list)
}
 
icmp.type6 = icmp.type;
-   icmp.code6_min = icmp.code_max;
+   icmp.code6_min = icmp.code_min;
icmp.code6_max = icmp.code_max;
 
v4 = true;
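Review bot: The one-character fix is right (code6_min mirrored code_max instead of code_min, which is what turned `icmp_type '128'` into `--icmpv6-type 128/255`), but nothing stops it coming back: a test that parses the numeric-type rule from the commit message and checks the generated ICMPv6 match would. It is also worth checking that the named-type path of fw3_parse_icmptype(), outside this hunk, fills code6_min/code6_max the same way.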
-- 
2.7.4




[OpenWrt-Devel] [PATCH] iproute2: add libcap support, enabled in ip-full

2019-07-01 Thread Alin Nastac
Preserve the optionality of libcap by having the configure script follow the
HAVE_CAP environment variable, used similarly to the HAVE_ELF variable.

Signed-off-by: Alin Nastac 
---
 package/network/utils/iproute2/Makefile| 18 ++
 .../iproute2/patches/150-keep_libcap_optional.patch| 12 
 2 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 
package/network/utils/iproute2/patches/150-keep_libcap_optional.patch

diff --git a/package/network/utils/iproute2/Makefile 
b/package/network/utils/iproute2/Makefile
index 0f09b79..8792eb9 100644
--- a/package/network/utils/iproute2/Makefile
+++ b/package/network/utils/iproute2/Makefile
@@ -49,7 +49,7 @@ $(call Package/iproute2/Default)
  VARIANT:=full
  PROVIDES:=ip
  ALTERNATIVES:=300:/sbin/ip:/usr/libexec/ip-full
- DEPENDS:=+libnl-tiny +libelf +(PACKAGE_devlink||PACKAGE_rdma):libmnl
+ DEPENDS:=+libnl-tiny +libelf +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libcap
 endef
 
 define Package/tc
@@ -57,43 +57,43 @@ $(call Package/iproute2/Default)
   TITLE:=Traffic control utility
   VARIANT:=tc
   PROVIDES:=tc
-  DEPENDS:=+kmod-sched-core +libxtables +libelf 
+(PACKAGE_devlink||PACKAGE_rdma):libmnl
+  DEPENDS:=+kmod-sched-core +libxtables +libelf 
+(PACKAGE_devlink||PACKAGE_rdma):libmnl +PACKAGE_ip-full:libcap
 endef
 
 define Package/genl
 $(call Package/iproute2/Default)
   TITLE:=General netlink utility frontend
-  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf
+  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf +PACKAGE_ip-full:libcap
 endef
 
 define Package/ip-bridge
 $(call Package/iproute2/Default)
   TITLE:=Bridge configuration utility from iproute2
-  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf
+  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf +PACKAGE_ip-full:libcap
 endef
 
 define Package/ss
 $(call Package/iproute2/Default)
   TITLE:=Socket statistics utility
-  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf
+  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf +PACKAGE_ip-full:libcap
 endef
 
 define Package/nstat
 $(call Package/iproute2/Default)
   TITLE:=Network statistics utility
-  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf
+  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl 
+(PACKAGE_tc||PACKAGE_ip-full):libelf +PACKAGE_ip-full:libcap
 endef
 
 define Package/devlink
 $(call Package/iproute2/Default)
   TITLE:=Network devlink utility
-  DEPENDS:=+libmnl +(PACKAGE_tc||PACKAGE_ip-full):libelf
+  DEPENDS:=+libmnl +(PACKAGE_tc||PACKAGE_ip-full):libelf 
+PACKAGE_ip-full:libcap
 endef
 
 define Package/rdma
 $(call Package/iproute2/Default)
   TITLE:=Network rdma utility
-  DEPENDS:=+libmnl +(PACKAGE_tc||PACKAGE_ip-full):libelf
+  DEPENDS:=+libmnl +(PACKAGE_tc||PACKAGE_ip-full):libelf 
+PACKAGE_ip-full:libcap
 endef
 
 ifeq ($(BUILD_VARIANT),tiny)
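Review bot: Every non-full package in this hunk (tc, genl, ip-bridge, ss, nstat, devlink, rdma) gains `+PACKAGE_ip-full:libcap`, yet HAVE_CAP is only set for the full variant in the hunk below, so tc or ss built in their own variants should not link libcap at all. If the conditional mirrors the existing libelf pattern because the variants are not built in isolation, say so in the commit message; if they are independent, these dependencies pull libcap onto images that only install tc. The commit message should also state what ip-full gains from libcap, so the extra library on the image is justified.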
@@ -102,6 +102,7 @@ endif
 
 ifeq ($(BUILD_VARIANT),full)
   HAVE_ELF:=y
+  HAVE_CAP:=y
 endif
 
 ifeq ($(BUILD_VARIANT),tc)
@@ -132,6 +133,7 @@ MAKE_FLAGS += \
IP_CONFIG_TINY=$(IP_CONFIG_TINY) \
HAVE_ELF=$(HAVE_ELF) \
HAVE_MNL=$(HAVE_MNL) \
+   HAVE_CAP=$(HAVE_CAP) \
IPT_LIB_DIR=/usr/lib/iptables \
XT_LIB_DIR=/usr/lib/iptables \
FPIC="$(FPIC)"
diff --git 
a/package/network/utils/iproute2/patches/150-keep_libcap_optional.patch 
b/package/network/utils/iproute2/patches/150-keep_libcap_optional.patch
new file mode 100644
index 000..8fe23ae
--- /dev/null
+++ b/package/network/utils/iproute2/patches/150-keep_libcap_optional.patch
@@ -0,0 +1,12 @@
+diff -Nru a/configure b/configure
+--- a/configure2019-07-01 10:35:39.142807973 +0200
 b/configure2019-07-01 10:46:40.518832990 +0200
+@@ -307,7 +307,7 @@
+ 
+ check_cap()
+ {
+-  if ${PKG_CONFIG} libcap --exists; then
++  if [ "${HAVE_CAP}" = "y" ] && ${PKG_CONFIG} libcap --exists; then
+   echo "HAVE_CAP:=y" >>$CONFIG
+   echo "yes"
+ 
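Review bot: The new patch file uses `diff -Nru` headers with timestamps (`--- a/configure2019-07-01 ...`); OpenWrt carries patches in git style (`--- a/configure` / `+++ b/configure`, no dates), refreshed with the package's quilt refresh target. Functionally, `[ "${HAVE_CAP}" = "y" ] && ${PKG_CONFIG} libcap --exists` means a HAVE_CAP passed from MAKE_FLAGS as an empty string disables libcap even when pkg-config finds it, which is the intent; note that in the patch header so the next person refreshing it does not "fix" the missing pkg-config fallback.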
-- 
2.7.4




[OpenWrt-Devel] [PATCH] ipset: add support for hash(ip,mac)

2019-02-07 Thread Alin Nastac
Signed-off-by: Alin Nastac 
---
 package/kernel/linux/modules/netfilter.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/kernel/linux/modules/netfilter.mk 
b/package/kernel/linux/modules/netfilter.mk
index 25715be..ef17524 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -334,6 +334,7 @@ define KernelPackage/ipt-ipset
CONFIG_IP_SET_HASH_IPPORT \
CONFIG_IP_SET_HASH_IPPORTIP \
CONFIG_IP_SET_HASH_IPPORTNET \
+   CONFIG_IP_SET_HASH_IPMAC \
CONFIG_IP_SET_HASH_MAC \
CONFIG_IP_SET_HASH_NET \
CONFIG_IP_SET_HASH_NETNET \
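Review bot: The new KCONFIG line is out of order: CONFIG_IP_SET_HASH_IPMAC sorts before CONFIG_IP_SET_HASH_IPPORT in this otherwise alphabetical list, so it belongs right after CONFIG_IP_SET_HASH_IP. A KCONFIG entry alone ships nothing: check that the module list of KernelPackage/ipt-ipset (outside this hunk) also gets the matching ip_set_hash_ipmac entry, otherwise the set type is built but never installed. The commit message is empty apart from the sign-off; it should say which kernel introduced the hash:ip,mac set type, since kernel branches that predate it will fail this config symbol.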
-- 
2.7.4




[OpenWrt-Devel] [PATCH] system-linux: handle hotplug event socket ENOBUFS errors

2019-01-31 Thread Alin Nastac
Hotplug events are no longer handled after the socket RX queue is
overrun. The issue has been fixed by:
  - setting SO_RCVBUF initially to 65535
  - doubling SO_RCVBUF value each time RX queue gets overrun

Signed-off-by: Alin Nastac 
---
 system-linux.c | 53 +++--
 1 file changed, 47 insertions(+), 6 deletions(-)

diff --git a/system-linux.c b/system-linux.c
index ea16ed5..82e9928 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -182,6 +182,21 @@ create_event_socket(struct event_socket *ev, int protocol,
 }
 
 static bool
+create_hotplug_event_socket(struct event_socket *ev, int protocol,
+   void (*cb)(struct uloop_fd *u, unsigned int events))
+{
+   if (!create_raw_event_socket(ev, protocol, 1, cb, ULOOP_ERROR_CB))
+   return false;
+
+   /* Increase rx buffer size to 65K on event sockets */
+   ev->bufsize = 65535;
+   if (nl_socket_set_buffer_size(ev->sock, ev->bufsize, 0))
+   return false;
+
+   return true;
+}
+
+static bool
 system_rtn_aton(const char *src, unsigned int *dst)
 {
char *e;
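Review bot: `ev->bufsize` starts at 65535 here and is doubled on every overrun in the handler hunk below with no upper bound, and nothing records what the kernel actually granted: setsockopt(SO_RCVBUF) silently clamps to net.core.rmem_max, so once that cap is reached each further ENOBUFS doubles an int the socket no longer follows, and after enough overruns the value wraps. Read the effective size back (getsockopt(nl_socket_get_fd(ev->sock), SOL_SOCKET, SO_RCVBUF, ...)) and stop doubling once it no longer grows, or clamp to a fixed maximum, and log the new size so an event storm is visible in the logs. On the error path, returning false after create_raw_event_socket() succeeded leaks that socket; harmless because system_init() then fails, but a comment saying so helps.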
@@ -249,8 +264,8 @@ int system_init(void)
if (!create_event_socket(_event, NETLINK_ROUTE, cb_rtnl_event))
return -1;
 
-   if (!create_raw_event_socket(_event, NETLINK_KOBJECT_UEVENT, 1,
-   handle_hotplug_event, 0))
+   if (!create_hotplug_event_socket(_event, NETLINK_KOBJECT_UEVENT,
+handle_hotplug_event))
return -1;
 
/* Receive network link events form kernel */
@@ -660,13 +675,39 @@ handle_hotplug_event(struct uloop_fd *u, unsigned int 
events)
struct sockaddr_nl nla;
unsigned char *buf = NULL;
int size;
+   int err;
+   socklen_t errlen = sizeof(err);
+
+   if (!u->error) {
+   while ((size = nl_recv(ev->sock, , , NULL)) > 0) {
+   if (nla.nl_pid == 0)
+   handle_hotplug_msg((char *) buf, size);
+
+   free(buf);
+   }
+   return;
+   }
 
-   while ((size = nl_recv(ev->sock, , , NULL)) > 0) {
-   if (nla.nl_pid == 0)
-   handle_hotplug_msg((char *) buf, size);
+   if (getsockopt(u->fd, SOL_SOCKET, SO_ERROR, (void *), ))
+   goto abort;
 
-   free(buf);
+   switch(err) {
+   case ENOBUFS:
+   /* Increase rx buffer size on netlink socket */
+   ev->bufsize *= 2;
+   if (nl_socket_set_buffer_size(ev->sock, ev->bufsize, 0))
+   goto abort;
+   break;
+
+   default:
+   goto abort;
}
+   u->error = false;
+   return;
+
+abort:
+   uloop_fd_delete(>uloop);
+   return;
 }
 
 static int system_rtnl_call(struct nl_msg *msg)
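Review bot: In the ENOBUFS branch the overrun itself is silent: the kernel has already dropped uevents, so a device may have appeared or vanished without netifd noticing, and the only trace is the larger buffer. Log at least a warning with the new size, and consider resyncing device state rather than just resuming. Two smaller points: `abort` removes the fd from uloop but never closes or frees ev->sock, after which hotplug handling is dead for the life of the process with no log line; and the `nla.nl_pid == 0` filter carried over from the old loop is what rejects uevents unicast from other userspace netlink sockets, so keep it next to the new error handling when this is refactored.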
-- 
2.7.4




[OpenWrt-Devel] [PATCH] firewall3: link zone_loopback_helper chain through an OUTPUT rule

2018-12-06 Thread Alin Nastac
From: Alin Nastac 

Locally generated packets pass through the OUTPUT chain, not
PREROUTING.

Signed-off-by: Alin Nastac 
---
 zones.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/zones.c b/zones.c
index 505ab20..8c3daef 100644
--- a/zones.c
+++ b/zones.c
@@ -557,22 +557,24 @@ print_interface_rule(struct fw3_ipt_handle *handle, 
struct fw3_state *state,
}
else if (handle->table == FW3_TABLE_RAW)
{
+   bool loopback_dev = (dev != NULL && !dev->any && !dev->invert 
&& strcmp(dev->name, "lo") == 0);
+
if (has(zone->flags, handle->family, FW3_FLAG_HELPER))
{
-   r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, 
NULL);
+   r = fw3_ipt_rule_create(handle, NULL, loopback_dev ? 
NULL : dev, NULL, sub, NULL);
fw3_ipt_rule_comment(r, "%s CT helper assignment", 
zone->name);
fw3_ipt_rule_target(r, "zone_%s_helper", zone->name);
fw3_ipt_rule_extra(r, zone->extra_src);
-   fw3_ipt_rule_replace(r, "PREROUTING");
+   fw3_ipt_rule_replace(r, loopback_dev ? "OUTPUT" : 
"PREROUTING");
}
 
if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK))
{
-   r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, 
NULL);
+   r = fw3_ipt_rule_create(handle, NULL, loopback_dev ? 
NULL : dev, NULL, sub, NULL);
fw3_ipt_rule_comment(r, "%s CT bypass", zone->name);
fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
fw3_ipt_rule_extra(r, zone->extra_src);
-   fw3_ipt_rule_replace(r, "PREROUTING");
+   fw3_ipt_rule_replace(r, loopback_dev ? "OUTPUT" : 
"PREROUTING");
}
}
 }
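Review bot: When loopback_dev is true the device match is dropped entirely (`loopback_dev ? NULL : dev`), so the OUTPUT rule sends every locally generated packet through the zone's CT helper / notrack chain, not only traffic leaving lo; unless zone->extra_src narrows it, a wan-bound packet now traverses the loopback zone's helper chain too. fw3_ipt_rule_create() takes the input device as its third argument and the output device as its fourth, so in the OUTPUT case pass dev as the output device (`-o lo`) instead of NULL. Detection is also by literal name: a zone that covers loopback via `subnet 127.0.0.0/8` or through a device not named lo still lands in PREROUTING, so at minimum document that only a device named lo is handled.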
-- 
2.7.4




[OpenWrt-Devel] [PATCH v2] firewall3: make reject types selectable by user

2018-07-12 Thread Alin Nastac
From: Alin Nastac 

RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).

Signed-off-by: Alin Nastac 
---
 defaults.c | 34 --
 options.c  | 13 +
 options.h  | 12 
 3 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/defaults.c b/defaults.c
index 11fbf0d..f42eed6 100644
--- a/defaults.c
+++ b/defaults.c
@@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
FW3_OPT("output",  target,   defaults, policy_output),
 
FW3_OPT("drop_invalid",bool, defaults, drop_invalid),
+   FW3_OPT("tcp_reject_code", reject_code, defaults, tcp_reject_code),
+   FW3_OPT("any_reject_code", reject_code, defaults, any_reject_code),
 
FW3_OPT("syn_flood",   bool, defaults, syn_flood),
FW3_OPT("synflood_protect",bool, defaults, syn_flood),
@@ -102,6 +104,30 @@ check_offloading(struct uci_element *e, bool *offloading)
*offloading = false;
 }
 
+static void
+check_any_reject_code(struct uci_element *e, enum fw3_reject_code 
*any_reject_code)
+{
+   if (*any_reject_code == FW3_REJECT_CODE_TCP_RESET) {
+   warn_elem(e, "tcp-reset not valid for any_reject_code, 
defaulting to port-unreach");
+   *any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
+   }
+}
+
+static const char*
+get_reject_code(enum fw3_family family, enum fw3_reject_code reject_code)
+{
+   switch (reject_code) {
+   case FW3_REJECT_CODE_TCP_RESET:
+   return "tcp-reset";
+   case FW3_REJECT_CODE_PORT_UNREACH:
+   return "port-unreach";
+   case FW3_REJECT_CODE_ADM_PROHIBITED:
+   return family == FW3_FAMILY_V6 ? "adm-prohibited": 
"admin-prohib";
+   default:
+   return "unknown";
+   }
+}
+
 void
 fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 {
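Review bot: get_reject_code() returns the literal "unknown" for values outside the enum, which would be handed to `--reject-with` and make iptables reject the whole ruleset; return port-unreach as a safe fallback instead, since fw3_parse_reject_code() already bounds the value. The accepted UCI spellings (tcp-reset, port-unreach, adm-prohibited, from fw3_reject_code_names) are the same for both families, with the IPv4 alias admin-prohib substituted here, so list them in the commit message or the option documentation. check_any_reject_code() handles tcp-reset correctly, but the RFC 6092 recommendation that motivates the patch is IPv6-specific while both new options apply to both families, so a user who wants adm-prohibited only on v6 cannot express it; a per-family option, or a note that this is intentional, would settle that.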
@@ -111,6 +137,8 @@ fw3_load_defaults(struct fw3_state *state, struct 
uci_package *p)
 
bool seen = false;
 
+   defs->tcp_reject_code  = FW3_REJECT_CODE_TCP_RESET;
+   defs->any_reject_code  = FW3_REJECT_CODE_PORT_UNREACH;
defs->syn_flood_rate.rate  = 25;
defs->syn_flood_rate.burst = 50;
defs->tcp_syncookies   = true;
@@ -138,6 +166,8 @@ fw3_load_defaults(struct fw3_state *state, struct 
uci_package *p)
check_policy(e, >policy_output, "output");
check_policy(e, >policy_forward, "forward");
 
+   check_any_reject_code(e, >any_reject_code);
+
check_offloading(e, >flow_offloading);
}
 }
@@ -278,12 +308,12 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
*handle,
 
r = fw3_ipt_rule_create(handle, , NULL, NULL, NULL, NULL);
fw3_ipt_rule_target(r, "REJECT");
-   fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+   fw3_ipt_rule_addarg(r, false, "--reject-with", 
get_reject_code(handle->family, defs->tcp_reject_code));
fw3_ipt_rule_append(r, "reject");
 
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_target(r, "REJECT");
-   fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+   fw3_ipt_rule_addarg(r, false, "--reject-with", 
get_reject_code(handle->family, defs->any_reject_code));
fw3_ipt_rule_append(r, "reject");
 
break;
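Review bot: Both REJECT rules now take `--reject-with` from the defaults, so when tcp_reject_code equals any_reject_code the first rule (the TCP-only one) is redundant; either skip it in that case or leave a comment that the duplication is accepted. Since this chain is generated for both families via handle->family, verify the output with iptables-save and ip6tables-save for each value; for IPv4, adm-prohibited maps to admin-prohib, which the REJECT target accepts as the short alias of icmp-admin-prohibited.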
diff --git a/options.c b/options.c
index 087aa63..c85bafd 100644
--- a/options.c
+++ b/options.c
@@ -86,6 +86,12 @@ const char *fw3_flag_names[__FW3_FLAG_MAX] = {
"DROP",
 };
 
+const char *fw3_reject_code_names[__FW3_REJECT_CODE_MAX] = {
+   "tcp-reset",
+   "port-unreach",
+   "adm-prohibited",
+};
+
 const char *fw3_limit_units[__FW3_LIMIT_UNIT_MAX] = {
"second",
"minute",
@@ -170,6 +176,13 @@ fw3_parse_target(void *ptr, const char *val, bool is_list)
 }
 
 bool
+fw3_parse_reject_code(void *ptr, const char *val, bool is_list)
+{
+   return parse_enum(ptr, val, 
_reject_code_names[FW3_REJECT_CODE_TCP_RESET],
+ FW3_REJECT_CODE_TCP_RESET, 
FW3_REJECT_CODE_ADM_PROHIBITED);
+}
+
+bool
 fw3_parse_limit(void *ptr, const char *val, bool is_list)
 {
struct fw3_limit *limit = ptr;
diff --git a/options.h b/options.h
index 08fecf6..0b73a84 100644
--- a/options.h
+++ b/options.h
@@ -88,6 +88,15 @@ enum fw3_flag
__FW3_FLAG_MAX
 };
 
+enum fw3_reject_code
+{
+ 

[OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user

2018-07-02 Thread Alin Nastac
From: Alin Nastac 

RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).

Signed-off-by: Alin Nastac 
---
 defaults.c | 21 -
 options.h  |  2 ++
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/defaults.c b/defaults.c
index 11fbf0d..6565ca2 100644
--- a/defaults.c
+++ b/defaults.c
@@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
FW3_OPT("output",  target,   defaults, policy_output),
 
FW3_OPT("drop_invalid",bool, defaults, drop_invalid),
+   FW3_OPT("tcp_reset_rejects",   bool, defaults, tcp_reset_rejects),
+   FW3_OPT("admin_prohib_rejects",bool, defaults, 
admin_prohib_rejects),
 
FW3_OPT("syn_flood",   bool, defaults, syn_flood),
FW3_OPT("synflood_protect",bool, defaults, syn_flood),
@@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct 
uci_package *p)
 
defs->syn_flood_rate.rate  = 25;
defs->syn_flood_rate.burst = 50;
+   defs->tcp_reset_rejects= true;
defs->tcp_syncookies   = true;
defs->tcp_window_scaling   = true;
defs->custom_chains= true;
@@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
*handle,
fw3_ipt_rule_append(r, "INPUT");
}
 
-   r = fw3_ipt_rule_create(handle, , NULL, NULL, NULL, NULL);
-   fw3_ipt_rule_target(r, "REJECT");
-   fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
-   fw3_ipt_rule_append(r, "reject");
+   if (defs->tcp_reset_rejects)
+   {
+   r = fw3_ipt_rule_create(handle, , NULL, NULL, NULL, 
NULL);
+   fw3_ipt_rule_target(r, "REJECT");
+   fw3_ipt_rule_addarg(r, false, "--reject-with", 
"tcp-reset");
+   fw3_ipt_rule_append(r, "reject");
+   }
 
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_target(r, "REJECT");
-   fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+   fw3_ipt_rule_addarg(r, false, "--reject-with",
+   defs->admin_prohib_rejects ?
+   (handle->family == FW3_FAMILY_V6 ?
+   "adm-prohibited" :
+   "admin-prohib") :
+   "port-unreach");
fw3_ipt_rule_append(r, "reject");
 
break;
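Review bot: admin_prohib_rejects has no default in fw3_load_defaults() (it relies on zeroed memory) while tcp_reset_rejects is set explicitly in the hunk above; set both. This version is superseded by the v2 of 2018-07-12 above, which replaces the two booleans with one enum-valued option per rule, and the remaining comments apply there.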
diff --git a/options.h b/options.h
index 08fecf6..e3ba99c 100644
--- a/options.h
+++ b/options.h
@@ -276,6 +276,8 @@ struct fw3_defaults
enum fw3_flag policy_forward;
 
bool drop_invalid;
+   bool tcp_reset_rejects;
+   bool admin_prohib_rejects;
 
bool syn_flood;
struct fw3_limit syn_flood_rate;
-- 
2.7.4




[OpenWrt-Devel] [PATCH] netfilter: add bpf match support

2018-06-21 Thread Alin Nastac
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.

Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.

Signed-off-by: Alin Nastac 
---
 include/netfilter.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/netfilter.mk b/include/netfilter.mk
index 5d532ce..510aa18 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -106,6 +106,7 @@ $(eval $(call 
nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_ph
 # filter
 
 $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, 
$(P_XT)xt_string))
+$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_BPF, $(P_XT)xt_bpf))
 
 
 # ipopt
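Review bot: Adding xt_bpf to the IPT_FILTER group means every image that installs kmod-ipt-filter (for xt_string) now also builds and ships xt_bpf and its libxt_bpf match; a dedicated kmod-ipt-bpf / iptables-mod-bpf pair, as this file does for other single-purpose groups, would let users pull it in only when needed. Worth adding to the commit message that newer kernels also accept pinned eBPF programs through this match, not only the decimal cBPF output of nfbpf_compile described here, and that installing rules with it still needs CAP_NET_ADMIN, so it does not change the privilege model.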
-- 
2.7.4




[OpenWrt-Devel] [PATCH] procd: service gets deleted when its last instance is freed

2017-02-27 Thread Alin Nastac
This fixes the following regression introduced in commit
961dc692aff7457f874bce61f8e766514edcf794:
 1) reboot using the following configuration
root@OpenWrt:~# uci show system.ntp
system.ntp=timeserver
system.ntp.enable_server='0'
system.ntp.use_dhcp='1'
system.ntp.dhcp_interface='wan'
root@OpenWrt:~# uci show network.wan
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth4'
network.wan.reqopts='1 3 6 15 33 42 51 121 249'
 2) if the obtained DHCP lease has an option 42, the sysntpd service will have
 an instance
 3) run "ifup wan"
 4) although the same DHCP lease was obtained, sysntpd would be stopped

Because the sysntpd service is deleted when its last instance is freed, its
triggers are also released. Without these triggers in place, sysntpd will not
be reloaded when a new DHCP lease containing option 42 is received.

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 service/service.c | 5 -
 service/service.h | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/service/service.c b/service/service.c
index 0584ee0..9675ba2 100644
--- a/service/service.c
+++ b/service/service.c
@@ -140,6 +140,8 @@ service_update(struct service *s, struct blob_attr **tb, 
bool add)
vlist_flush(>instances);
}
 
+   s->deleted = false;
+
rc(s->name, "running");
 
return 0;
@@ -149,6 +151,7 @@ static void
 service_delete(struct service *s)
 {
vlist_flush_all(>instances);
+   s->deleted = true;
service_stopped(s);
 }
 
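Review bot: Set `s->deleted = true` before `vlist_flush_all(&s->instances)` rather than after, so that any service_stopped() reached synchronously from the flush already sees the flag; as ordered, deletion only happens because of the explicit service_stopped(s) call that follows, and if instance teardown is asynchronous that call finds the tree non-empty and the real removal happens later from the instance exit path.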
@@ -602,7 +605,7 @@ service_start_early(char *name, char *cmdline)
 
 void service_stopped(struct service *s)
 {
-   if (avl_is_empty(>instances.avl)) {
+   if (s->deleted && avl_is_empty(>instances.avl)) {
service_event("service.stop", s->name, NULL);
avl_delete(, >avl);
trigger_del(s);
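Review bot: With `s->deleted &&` added to the condition, a service that is never explicitly deleted but whose last instance exits now stays in the services tree indefinitely, and the `service.stop` ubus event below is no longer emitted for it. Keeping the triggers is the goal, but subscribers of `service.stop` will see fewer events and the service remains listed, so the commit message should state this behaviour change.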
diff --git a/service/service.h b/service/service.h
index d4f0a83..cc629b1 100644
--- a/service/service.h
+++ b/service/service.h
@@ -40,6 +40,7 @@ struct validate {
 struct service {
struct avl_node avl;
const char *name;
+   bool deleted;
 
struct blob_attr *trigger;
struct vlist_tree instances;
-- 
1.7.12.4


[OpenWrt-Devel] [PATCH] procd: service gets deleted when its last instance is freed

2017-02-24 Thread Alin Nastac
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 service/service.c | 5 -
 service/service.h | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/service/service.c b/service/service.c
index 0584ee0..9675ba2 100644
--- a/service/service.c
+++ b/service/service.c
@@ -140,6 +140,8 @@ service_update(struct service *s, struct blob_attr **tb, 
bool add)
vlist_flush(>instances);
}
 
+   s->deleted = false;
+
rc(s->name, "running");
 
return 0;
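Review bot: The commit message carries only the sign-off; the resend of 2017-02-27 above has the reproduction steps and names the commit being fixed, and that text belongs in the message of this patch. The diff itself is identical to the resend, so the comments given there apply here.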
@@ -149,6 +151,7 @@ static void
 service_delete(struct service *s)
 {
vlist_flush_all(>instances);
+   s->deleted = true;
service_stopped(s);
 }
 
@@ -602,7 +605,7 @@ service_start_early(char *name, char *cmdline)
 
 void service_stopped(struct service *s)
 {
-   if (avl_is_empty(>instances.avl)) {
+   if (s->deleted && avl_is_empty(>instances.avl)) {
service_event("service.stop", s->name, NULL);
avl_delete(, >avl);
trigger_del(s);
diff --git a/service/service.h b/service/service.h
index d4f0a83..cc629b1 100644
--- a/service/service.h
+++ b/service/service.h
@@ -40,6 +40,7 @@ struct validate {
 struct service {
struct avl_node avl;
const char *name;
+   bool deleted;
 
struct blob_attr *trigger;
struct vlist_tree instances;
-- 
1.7.12.4


[OpenWrt-Devel] [PATCH] procd: stop service using SIGKILL if SIGTERM failed to do so

2017-02-09 Thread Alin Nastac
SIGKILL is sent if the instance process is still running after
 seconds after SIGTERM has been sent. To prevent
another daemon process from being launched before the old process dies,
the instance is kept until SIGCHLD confirms that the service has
been stopped.

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 service/instance.c | 44 +---
 service/instance.h |  1 +
 service/service.c  | 26 --
 service/service.h  |  3 +++
 4 files changed, 57 insertions(+), 17 deletions(-)

diff --git a/service/instance.c b/service/instance.c
index 018db3c..4d340fd 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -55,6 +55,7 @@ enum {
INSTANCE_ATTR_SECCOMP,
INSTANCE_ATTR_PIDFILE,
INSTANCE_ATTR_RELOADSIG,
+   INSTANCE_ATTR_TERMTIMEOUT,
__INSTANCE_ATTR_MAX
 };
 
@@ -79,6 +80,7 @@ static const struct blobmsg_policy 
instance_attr[__INSTANCE_ATTR_MAX] = {
[INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
[INSTANCE_ATTR_PIDFILE] = { "pidfile", BLOBMSG_TYPE_STRING },
[INSTANCE_ATTR_RELOADSIG] = { "reload_signal", BLOBMSG_TYPE_INT32 },
+   [INSTANCE_ATTR_TERMTIMEOUT] = { "term_timeout", BLOBMSG_TYPE_INT32 },
 };
 
 enum {
@@ -389,8 +391,16 @@ instance_start(struct service_instance *in)
return;
}
 
-   if (in->proc.pending || !in->command)
+   if (!in->command) {
+   LOG("Not starting instance %s::%s, command not set\n", 
in->srv->name, in->name);
return;
+   }
+
+   if (in->proc.pending) {
+   if (in->halt)
+   in->restart = true;
+   return;
+   }
 
instance_free_stdio(in);
if (in->_stdout.fd.fd > -2) {
@@ -408,7 +418,7 @@ instance_start(struct service_instance *in)
}
 
in->restart = false;
-   in->halt = !in->respawn;
+   in->halt = false;
 
if (!in->valid)
return;
@@ -494,7 +504,11 @@ instance_timeout(struct uloop_timeout *t)
 
in = container_of(t, struct service_instance, timeout);
 
-   if (!in->halt && (in->restart || in->respawn))
+   if (in->halt) {
+   LOG("Instance %s::%s pid %d not stopped on SIGTERM, sending 
SIGKILL instead\n",
+   in->srv->name, in->name, in->proc.pid);
+   kill(in->proc.pid, SIGKILL);
+   } else if (in->restart || in->respawn)
instance_start(in);
 }
 
@@ -515,8 +529,19 @@ instance_exit(struct uloop_process *p, int ret)
return;
 
uloop_timeout_cancel(>timeout);
+   service_event("instance.stop", in->srv->name, in->name);
+
if (in->halt) {
instance_removepid(in);
+   if (in->restart)
+   instance_start(in);
+   else {
+   struct service *s = in->srv;
+
+   avl_delete(>instances.avl, >node.avl);
+   instance_free(in);
+   service_stopped(s);
+   }
} else if (in->restart) {
instance_start(in);
} else if (in->respawn) {
@@ -535,7 +560,6 @@ instance_exit(struct uloop_process *p, int ret)
uloop_timeout_set(>timeout, in->respawn_timeout * 
1000);
}
}
-   service_event("instance.stop", in->srv->name, in->name);
 }
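Review bot: In the halt-and-not-restart branch the instance is removed with `avl_delete(&s->instances.avl, &in->node.avl)` directly on the vlist's AVL tree and then freed; vlist_delete() is the usual way, and if the vlist later flushes the same node (service_delete() calls vlist_flush_all()) this becomes a double removal. The service.c part of this patch is cut off here and may already guarantee the node is out of the vlist's reach, but that invariant should be stated in a comment at this spot. Moving `service_event("instance.stop", ...)` ahead of the branches is necessary, since instance_free() in the halt branch would otherwise leave the old call at the bottom using a freed instance.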
 
 void
@@ -546,6 +570,7 @@ instance_stop(struct service_instance *in)
in->halt = true;
in->restart = in->respawn = false;
kill(in->proc.pid, SIGTERM);
+   uloop_timeout_set(>timeout, in->term_timeout * 1000);
 }
 
 static void
@@ -559,10 +584,10 @@ instance_restart(struct service_instance *in)
return;
}
 
-   in->halt = false;
+   in->halt = true;
in->restart = true;
kill(in->proc.pid, SIGTERM);
-   instance_removepid(in);
+   uloop_timeout_set(>timeout, in->term_timeout * 1000);
 }
 
 static bool
@@ -796,6 +821,8 @@ instance_config_parse(struct service_instance *in)
if (!instance_config_parse_command(in, tb))
return false;
 
+   if (tb[INSTANCE_ATTR_TERMTIMEOUT])
+   in->term_timeout = 
blobmsg_get_u32(tb[INSTANCE_ATTR_TERMTIMEOUT]);
if (tb[INSTANCE_ATTR_RESPAWN]) {
int i = 0;
uint32_t vals[3] = { 3600, 5, 5};
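Review bot: term_timeout is only assigned when tb[INSTANCE_ATTR_TERMTIMEOUT] is present and none of the visible hunks gives it a default, so for every existing service the field stays 0 and `uloop_timeout_set(&in->timeout, in->term_timeout * 1000)` in instance_stop()/instance_restart() fires on the next loop iteration: SIGKILL follows SIGTERM almost immediately, which defeats the graceful shutdown the patch is adding. Assign a default of a few seconds in the else branch here (or at instance allocation), and either reject 0 or document it as "kill at once".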
@@ -933,8 +960,9 @@ instance_update(struct service_instance *in, struct 
service_instance *in_new)
 {
bool changed = instance_config_changed(in, in_new);
bool running = in->proc.pending;
+   bool stopping = in->halt;
 
-   if (!running) {
+   if (!running || 

[OpenWrt-Devel] [PATCH] netifd: Add option to configure locktime for each device

2017-01-17 Thread Alin Nastac
The UCI parameter neighlocktime allows control of the hardware
address to IP mapping lock time in the IPv4 neighbour table.

The IPv6 lock time was not set because it is not used at all in any
kernel version, the hardware address override being controlled in this case
by the override flag present in the NA packet.

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 device.c   | 10 ++
 device.h   |  3 +++
 system-linux.c | 20 
 3 files changed, 33 insertions(+)

diff --git a/device.c b/device.c
index 43881e5..306496c 100644
--- a/device.c
+++ b/device.c
@@ -59,6 +59,7 @@ static const struct blobmsg_policy dev_attrs[__DEV_ATTR_MAX] 
= {
[DEV_ATTR_LEARNING] = { .name ="learning", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_UNICAST_FLOOD] = { .name ="unicast_flood", .type = 
BLOBMSG_TYPE_BOOL },
[DEV_ATTR_SENDREDIRECTS] = { .name = "sendredirects", .type = 
BLOBMSG_TYPE_BOOL },
+   [DEV_ATTR_NEIGHLOCKTIME] = { .name = "neighlocktime", .type = 
BLOBMSG_TYPE_INT32 },
 };
 
 const struct uci_blob_param_list device_attr_list = {
@@ -217,6 +218,8 @@ device_merge_settings(struct device *dev, struct 
device_settings *n)
s->neigh4gcstaletime : os->neigh4gcstaletime;
n->neigh6gcstaletime = s->flags & DEV_OPT_NEIGHGCSTALETIME ?
s->neigh6gcstaletime : os->neigh6gcstaletime;
+   n->neigh4locktime = s->flags & DEV_OPT_NEIGHLOCKTIME ?
+   s->neigh4locktime : os->neigh4locktime;
n->dadtransmits = s->flags & DEV_OPT_DADTRANSMITS ?
s->dadtransmits : os->dadtransmits;
n->multicast = s->flags & DEV_OPT_MULTICAST ?
@@ -314,6 +317,11 @@ device_init_settings(struct device *dev, struct blob_attr 
**tb)
s->flags |= DEV_OPT_NEIGHGCSTALETIME;
}
 
+   if ((cur = tb[DEV_ATTR_NEIGHLOCKTIME])) {
+   s->neigh4locktime = blobmsg_get_u32(cur);
+   s->flags |= DEV_OPT_NEIGHLOCKTIME;
+   }
+
if ((cur = tb[DEV_ATTR_RPS])) {
s->rps = blobmsg_get_bool(cur);
s->flags |= DEV_OPT_RPS;
@@ -1044,6 +1052,8 @@ device_dump_status(struct blob_buf *b, struct device *dev)
blobmsg_add_u32(b, "neigh4gcstaletime", 
st.neigh4gcstaletime);
blobmsg_add_u32(b, "neigh6gcstaletime", 
st.neigh6gcstaletime);
}
+   if (st.flags & DEV_OPT_NEIGHLOCKTIME)
+   blobmsg_add_u32(b, "neigh4locktime", st.neigh4locktime);
if (st.flags & DEV_OPT_DADTRANSMITS)
blobmsg_add_u32(b, "dadtransmits", st.dadtransmits);
if (st.flags & DEV_OPT_MULTICAST_TO_UNICAST)
diff --git a/device.h b/device.h
index 87236d4..feb865f 100644
--- a/device.h
+++ b/device.h
@@ -51,6 +51,7 @@ enum {
DEV_ATTR_UNICAST_FLOOD,
DEV_ATTR_NEIGHGCSTALETIME,
DEV_ATTR_SENDREDIRECTS,
+   DEV_ATTR_NEIGHLOCKTIME,
__DEV_ATTR_MAX,
 };
 
@@ -103,6 +104,7 @@ enum {
DEV_OPT_NEIGHGCSTALETIME= (1 << 19),
DEV_OPT_MULTICAST_FAST_LEAVE= (1 << 20),
DEV_OPT_SENDREDIRECTS   = (1 << 21),
+   DEV_OPT_NEIGHLOCKTIME   = (1 << 22),
 };
 
 /* events broadcasted to all users of a device */
@@ -160,6 +162,7 @@ struct device_settings {
unsigned int neigh6reachabletime;
unsigned int neigh4gcstaletime;
unsigned int neigh6gcstaletime;
+   unsigned int neigh4locktime;
bool rps;
bool xps;
unsigned int dadtransmits;
diff --git a/system-linux.c b/system-linux.c
index 2f15bf1..a77ff5f 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -316,6 +316,11 @@ static void system_set_neigh6gcstaletime(struct device 
*dev, const char *val)
system_set_dev_sysctl("/proc/sys/net/ipv6/neigh/%s/gc_stale_time", 
dev->ifname, val);
 }
 
+static void system_set_neigh4locktime(struct device *dev, const char *val)
+{
+   system_set_dev_sysctl("/proc/sys/net/ipv4/neigh/%s/locktime", 
dev->ifname, val);
+}
+
 static void system_set_dadtransmits(struct device *dev, const char *val)
 {
system_set_dev_sysctl("/proc/sys/net/ipv6/conf/%s/dad_transmits", 
dev->ifname, val);
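Review bot: /proc/sys/net/ipv4/neigh/<dev>/locktime is read and written in USER_HZ ticks (hundredths of a second; the kernel default 100 means one second), whereas the neighbouring neighreachabletime/neighgcstaletime options are in milliseconds and seconds, so `neighlocktime` needs its unit stated in the option description and the commit message, otherwise a user who writes 1 meaning one second gets 10 ms. The code follows the existing getter/setter pattern; a one-line comment on why there is no IPv6 counterpart (the commit message explains it, the code does not) would save the next reader the search.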
@@ -484,6 +489,12 @@ static int system_get_neigh6gcstaletime(struct device 
*dev, char *buf, const siz
dev->ifname, buf, buf_sz);
 }
 
+static int system_get_neigh4locktime(struct device *dev, char *buf, const 
size_t buf_sz)
+{
+   return system_get_dev_sysctl("/proc/sys/net/ipv4/neigh/%s/locktime",
+   dev->ifname, buf, buf_sz);
+}
+
 static int system_get_dadtransmits(struct device *dev, char *buf, const size_t 
buf_sz)
 {
return system_get_dev

[OpenWrt-Devel] [PATCH] libnetfilter_queue: fix checksum computation

2016-06-24 Thread Alin Nastac
There are 2 issues fixed by this patch:
  - the UDP checksum is computed incorrectly: the pseudo IP header used
contains transport protocol 6 instead of 17
  - on big-endian arches the UDP/TCP checksum is incorrectly
computed when the payload length is odd

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 .../patches/100-checksum_computation.patch | 117 +
 1 file changed, 117 insertions(+)
 create mode 100644 
package/libs/libnetfilter-queue/patches/100-checksum_computation.patch

diff --git 
a/package/libs/libnetfilter-queue/patches/100-checksum_computation.patch 
b/package/libs/libnetfilter-queue/patches/100-checksum_computation.patch
new file mode 100644
index 000..5d170f3
--- /dev/null
+++ b/package/libs/libnetfilter-queue/patches/100-checksum_computation.patch
@@ -0,0 +1,117 @@
+diff -Nru libnetfilter_queue-1.0.2.orig/src/extra/checksum.c 
libnetfilter_queue-1.0.2/src/extra/checksum.c
+--- libnetfilter_queue-1.0.2.orig/src/extra/checksum.c 2012-08-06 
14:50:10.596973900 +0200
 libnetfilter_queue-1.0.2/src/extra/checksum.c  2016-06-23 
17:06:50.266905883 +0200
+@@ -11,6 +11,7 @@
+ 
+ #include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
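Review bot: the header name on the added `++#include` line has been lost in this archive copy, so the patch should be checked against the original before applying; the `__BYTE_ORDER` / `__BIG_ENDIAN` macros tested in the next hunk come from `<endian.h>` on glibc and musl, and this include is what guarantees they are defined before the `#if` is evaluated, which the commit message should say.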
+@@ -26,8 +27,13 @@
+   sum += *buf++;
+   size -= sizeof(uint16_t);
+   }
+-  if (size)
+-  sum += *(uint8_t *)buf;
++  if (size) {
++#if __BYTE_ORDER == __BIG_ENDIAN
++  sum += (uint16_t)*(uint8_t *)buf << 8;
++#else
++  sum += (uint16_t)*(uint8_t *)buf;
++#endif
++  }
+ 
+   sum = (sum >> 16) + (sum & 0x);
+   sum += (sum >>16);
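Review bot: the odd-length handling is right in itself (on a big-endian host the trailing byte belongs in the high half of the last 16-bit word), but `#if __BYTE_ORDER == __BIG_ENDIAN` is fragile: if neither macro is defined the preprocessor evaluates both as 0, the comparison is true, and a little-endian build that somehow misses the endian header silently takes the big-endian branch and emits wrong checksums. Add `#if !defined(__BYTE_ORDER) || !defined(__BIG_ENDIAN)` with an `#error` ahead of the test, or use the compiler-provided `__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__`, which GCC defines without any header.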
+@@ -35,7 +41,7 @@
+   return (uint16_t)(~sum);
+ }
+ 
+-uint16_t checksum_tcpudp_ipv4(struct iphdr *iph)
++uint16_t checksum_tcpudp_ipv4(struct iphdr *iph, uint16_t protocol_id)
+ {
+   uint32_t sum = 0;
+   uint32_t iph_len = iph->ihl*4;
+@@ -46,13 +52,13 @@
+   sum += (iph->saddr) & 0x;
+   sum += (iph->daddr >> 16) & 0x;
+   sum += (iph->daddr) & 0x;
+-  sum += htons(IPPROTO_TCP);
++  sum += htons(protocol_id);
+   sum += htons(len);
+ 
+   return checksum(sum, (uint16_t *)payload, len);
+ }
+ 
+-uint16_t checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr)
++uint16_t checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr, 
uint16_t protocol_id)
+ {
+   uint32_t sum = 0;
+   uint32_t hdr_len = (uint32_t *)transport_hdr - (uint32_t *)ip6h;
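Review bot: passing the protocol explicitly is the right fix for the UDP pseudo-header (6 versus 17), but the last context line of this hunk, `hdr_len = (uint32_t *)transport_hdr - (uint32_t *)ip6h;`, is a pointer difference in 4-byte units, not bytes; how it is used as an offset is outside the hunk, so it is worth confirming while this function is being touched. Likewise confirm, in the lines not shown, that `len` is bounded by the captured buffer length before `checksum(sum, (uint16_t *)payload, len)` walks it, since the IP length fields it derives from come straight from the packet.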
+@@ -68,7 +74,7 @@
+   sum += (ip6h->ip6_dst.s6_addr16[i] >> 16) & 0x;
+   sum += (ip6h->ip6_dst.s6_addr16[i]) & 0x;
+   }
+-  sum += htons(IPPROTO_TCP);
++  sum += htons(protocol_id);
+   sum += htons(ip6h->ip6_plen);
+ 
+   return checksum(sum, (uint16_t *)payload, len);
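Review bot: the protocol fix is correct, but two context lines deserve attention while here: the `(ip6h->ip6_dst.s6_addr16[i] >> 16)` terms are always zero for a 16-bit element (the plain `s6_addr16[i]` terms already cover all 16 bytes, so the result is right but those lines are dead), and `sum += htons(ip6h->ip6_plen)` applies htons to a field that is already in network byte order, unlike `htons(len)` in the IPv4 variant where `len` is a host-order value. Please verify against a captured IPv6 UDP packet on a little-endian target that the computed value matches the wire checksum.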
+diff -Nru libnetfilter_queue-1.0.2.orig/src/extra/tcp.c 
libnetfilter_queue-1.0.2/src/extra/tcp.c
+--- libnetfilter_queue-1.0.2.orig/src/extra/tcp.c  2012-08-20 
19:36:17.985866277 +0200
 libnetfilter_queue-1.0.2/src/extra/tcp.c   2016-06-23 17:04:52.911859011 
+0200
+@@ -91,7 +91,7 @@
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   tcph->check = 0;
+-  tcph->check = checksum_tcpudp_ipv4(iph);
++  tcph->check = checksum_tcpudp_ipv4(iph, IPPROTO_TCP);
+ }
+ EXPORT_SYMBOL(nfq_tcp_compute_checksum_ipv4);
+ 
+@@ -105,7 +105,7 @@
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   tcph->check = 0;
+-  tcph->check = checksum_tcpudp_ipv6(ip6h, tcph);
++  tcph->check = checksum_tcpudp_ipv6(ip6h, tcph, IPPROTO_TCP);
+ }
+ EXPORT_SYMBOL(nfq_tcp_compute_checksum_ipv6);
+ 
+diff -Nru libnetfilter_queue-1.0.2.orig/src/extra/udp.c 
libnetfilter_queue-1.0.2/src/extra/udp.c
+--- libnetfilter_queue-1.0.2.orig/src/extra/udp.c  2012-08-20 
19:36:17.985866277 +0200
 libnetfilter_queue-1.0.2/src/extra/udp.c   2016-06-23 17:04:52.922859297 
+0200
+@@ -91,7 +91,7 @@
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   udph->check = 0;
+-  udph->check = checksum_tcpudp_ipv4(iph);
++  udph->check = checksum_tcpudp_ipv4(iph, IPPROTO_UDP);
+ }
+ EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv4);
+ 
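Review bot: `udph->check = checksum_tcpudp_ipv4(iph, IPPROTO_UDP)` stores the one's-complement result unchanged; for UDP over IPv4 a transmitted checksum of 0 means "no checksum" (RFC 768), so a computed 0x0000 must be written as 0xFFFF, otherwise receivers skip verification on exactly those packets. The TCP callers do not need this, but both UDP callers should map 0 to 0xFFFF after the call.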
+@@ -110,7 +110,7 @@
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   udph->check = 0;
+-  udph->check = checksum_tcpudp_ipv6(ip6h, udph);
++  udph->check = checksum_tcpudp_ipv6(ip6h, udph, IPPROTO_UDP);
+ }
+ EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv6);
+ 
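Review bot: the same 0 to 0xFFFF mapping is needed here and matters more for IPv6, where a zero UDP checksum is not permitted (RFC 2460, now RFC 8200, requires receivers to discard such packets), so a computed 0x0000 left in `udph->check` produces a packet the peer will drop.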
+diff -Nru libnetfilter_queue-1.0.2.orig/src/internal.h 
libnetfilter_queue-1.0.2/src/internal.h
+--- libnetfilter_queue-1.0.2.orig/src/internal.h   2012-08-06 
14:50:10.596973900 +0200
 libnetfilter_queue-1.0.2/src/internal.h2016-06-23 17:04:52.930859505 
+0200
+@@ -13,8 +13,8 @@
+ struct ip6_hdr;
+ 
+ uint16_t checksum(uint32_t sum,

[OpenWrt-Devel] [PATCH] [NG-57971] libnetfilter_queue: fix UDP checksum computation

2016-06-17 Thread Alin Nastac
This patch was copied from
http://www.spinics.net/lists/netfilter/msg56704.html .

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 .../patches/100-udp_checksum_computation.patch | 95 ++
 1 file changed, 95 insertions(+)
 create mode 100644 
package/libs/libnetfilter-queue/patches/100-udp_checksum_computation.patch

diff --git 
a/package/libs/libnetfilter-queue/patches/100-udp_checksum_computation.patch 
b/package/libs/libnetfilter-queue/patches/100-udp_checksum_computation.patch
new file mode 100644
index 000..9939b83
--- /dev/null
+++ b/package/libs/libnetfilter-queue/patches/100-udp_checksum_computation.patch
@@ -0,0 +1,95 @@
+--- libnetfilter_queue-1.0.2.orig/src/extra/checksum.c
 libnetfilter_queue-1.0.2/src/extra/checksum.c
+@@ -35,7 +35,7 @@ uint16_t checksum(uint32_t sum, uint16_t
+   return (uint16_t)(~sum);
+ }
+ 
+-uint16_t checksum_tcpudp_ipv4(struct iphdr *iph)
++uint16_t checksum_tcpudp_ipv4(struct iphdr *iph, uint16_t protocol_id)
+ {
+   uint32_t sum = 0;
+   uint32_t iph_len = iph->ihl*4;
+@@ -46,13 +46,13 @@ uint16_t checksum_tcpudp_ipv4(struct iph
+   sum += (iph->saddr) & 0x;
+   sum += (iph->daddr >> 16) & 0x;
+   sum += (iph->daddr) & 0x;
+-  sum += htons(IPPROTO_TCP);
++  sum += htons(protocol_id);
+   sum += htons(len);
+ 
+   return checksum(sum, (uint16_t *)payload, len);
+ }
+ 
+-uint16_t checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr)
++uint16_t checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr, 
uint16_t protocol_id)
+ {
+   uint32_t sum = 0;
+   uint32_t hdr_len = (uint32_t *)transport_hdr - (uint32_t *)ip6h;
+@@ -68,7 +68,7 @@ uint16_t checksum_tcpudp_ipv6(struct ip6
+   sum += (ip6h->ip6_dst.s6_addr16[i] >> 16) & 0x;
+   sum += (ip6h->ip6_dst.s6_addr16[i]) & 0x;
+   }
+-  sum += htons(IPPROTO_TCP);
++  sum += htons(protocol_id);
+   sum += htons(ip6h->ip6_plen);
+ 
+   return checksum(sum, (uint16_t *)payload, len);
+Index: libnetfilter_queue-1.0.2/src/extra/tcp.c
+===
+--- libnetfilter_queue-1.0.2.orig/src/extra/tcp.c
 libnetfilter_queue-1.0.2/src/extra/tcp.c
+@@ -91,7 +91,7 @@ nfq_tcp_compute_checksum_ipv4(struct tcp
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   tcph->check = 0;
+-  tcph->check = checksum_tcpudp_ipv4(iph);
++  tcph->check = checksum_tcpudp_ipv4(iph, IPPROTO_TCP);
+ }
+ EXPORT_SYMBOL(nfq_tcp_compute_checksum_ipv4);
+ 
+@@ -105,7 +105,7 @@ nfq_tcp_compute_checksum_ipv6(struct tcp
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   tcph->check = 0;
+-  tcph->check = checksum_tcpudp_ipv6(ip6h, tcph);
++  tcph->check = checksum_tcpudp_ipv6(ip6h, tcph, IPPROTO_TCP);
+ }
+ EXPORT_SYMBOL(nfq_tcp_compute_checksum_ipv6);
+ 
+Index: libnetfilter_queue-1.0.2/src/extra/udp.c
+===
+--- libnetfilter_queue-1.0.2.orig/src/extra/udp.c
 libnetfilter_queue-1.0.2/src/extra/udp.c
+@@ -91,7 +91,7 @@ nfq_udp_compute_checksum_ipv4(struct udp
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   udph->check = 0;
+-  udph->check = checksum_tcpudp_ipv4(iph);
++  udph->check = checksum_tcpudp_ipv4(iph, IPPROTO_UDP);
+ }
+ EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv4);
+ 
+@@ -110,7 +110,7 @@ nfq_udp_compute_checksum_ipv6(struct udp
+ {
+   /* checksum field in header needs to be zero for calculation. */
+   udph->check = 0;
+-  udph->check = checksum_tcpudp_ipv6(ip6h, udph);
++  udph->check = checksum_tcpudp_ipv6(ip6h, udph, IPPROTO_UDP);
+ }
+ EXPORT_SYMBOL(nfq_udp_compute_checksum_ipv6);
+ 
+Index: libnetfilter_queue-1.0.2/src/internal.h
+===
+--- libnetfilter_queue-1.0.2.orig/src/internal.h
 libnetfilter_queue-1.0.2/src/internal.h
+@@ -13,8 +13,8 @@ struct iphdr;
+ struct ip6_hdr;
+ 
+ uint16_t checksum(uint32_t sum, uint16_t *buf, int size);
+-uint16_t checksum_tcpudp_ipv4(struct iphdr *iph);
+-uint16_t checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr);
++uint16_t checksum_tcpudp_ipv4(struct iphdr *iph, uint16_t protocol_id);
++uint16_t checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr, 
uint16_t protocol_id);
+ 
+ struct pkt_buff {
+   uint8_t *mac_header;
-- 
1.7.12.4
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH] netifd: Add option to configure gc_stale_time for each device

2016-05-24 Thread Alin Nastac
The UCI parameter neighgcstaletime allows controlling how long STALE
entries are kept in the neighbour table for both IPv4 and IPv6.

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 device.c   | 14 ++
 device.h   |  4 
 system-linux.c | 38 ++
 3 files changed, 56 insertions(+)

diff --git a/device.c b/device.c
index 7004bfd..3e182f3 100644
--- a/device.c
+++ b/device.c
@@ -45,6 +45,7 @@ static const struct blobmsg_policy dev_attrs[__DEV_ATTR_MAX] 
= {
[DEV_ATTR_IGMPVERSION] = { .name = "igmpversion", .type = 
BLOBMSG_TYPE_INT32 },
[DEV_ATTR_MLDVERSION] = { .name = "mldversion", .type = 
BLOBMSG_TYPE_INT32 },
[DEV_ATTR_NEIGHREACHABLETIME] = { .name = "neighreachabletime", .type = 
BLOBMSG_TYPE_INT32 },
+   [DEV_ATTR_NEIGHGCSTALETIME] = { .name = "neighgcstaletime", .type = 
BLOBMSG_TYPE_INT32 },
[DEV_ATTR_RPS] = { .name = "rps", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_XPS] = { .name = "xps", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_DADTRANSMITS] = { .name = "dadtransmits", .type = 
BLOBMSG_TYPE_INT32 },
@@ -171,6 +172,10 @@ device_merge_settings(struct device *dev, struct 
device_settings *n)
s->neigh4reachabletime : os->neigh4reachabletime;
n->neigh6reachabletime = s->flags & DEV_OPT_NEIGHREACHABLETIME ?
s->neigh6reachabletime : os->neigh6reachabletime;
+   n->neigh4gcstaletime = s->flags & DEV_OPT_NEIGHGCSTALETIME ?
+   s->neigh4gcstaletime : os->neigh4gcstaletime;
+   n->neigh6gcstaletime = s->flags & DEV_OPT_NEIGHGCSTALETIME ?
+   s->neigh6gcstaletime : os->neigh6gcstaletime;
n->dadtransmits = s->flags & DEV_OPT_DADTRANSMITS ?
s->dadtransmits : os->dadtransmits;
n->multicast = s->flags & DEV_OPT_MULTICAST ?
@@ -258,6 +263,11 @@ device_init_settings(struct device *dev, struct blob_attr 
**tb)
s->flags |= DEV_OPT_NEIGHREACHABLETIME;
}
 
+   if ((cur = tb[DEV_ATTR_NEIGHGCSTALETIME])) {
+   s->neigh6gcstaletime = s->neigh4gcstaletime = 
blobmsg_get_u32(cur);
+   s->flags |= DEV_OPT_NEIGHGCSTALETIME;
+   }
+
if ((cur = tb[DEV_ATTR_RPS])) {
s->rps = blobmsg_get_bool(cur);
s->flags |= DEV_OPT_RPS;
@@ -960,6 +970,10 @@ device_dump_status(struct blob_buf *b, struct device *dev)
blobmsg_add_u32(b, "neigh4reachabletime", 
st.neigh4reachabletime);
blobmsg_add_u32(b, "neigh6reachabletime", 
st.neigh6reachabletime);
}
+   if (st.flags & DEV_OPT_NEIGHGCSTALETIME) {
+   blobmsg_add_u32(b, "neigh4gcstaletime", 
st.neigh4gcstaletime);
+   blobmsg_add_u32(b, "neigh6gcstaletime", 
st.neigh6gcstaletime);
+   }
if (st.flags & DEV_OPT_DADTRANSMITS)
blobmsg_add_u32(b, "dadtransmits", st.dadtransmits);
if (st.flags & DEV_OPT_MULTICAST_TO_UNICAST)
diff --git a/device.h b/device.h
index 9c4b822..0b8cd6a 100644
--- a/device.h
+++ b/device.h
@@ -45,6 +45,7 @@ enum {
DEV_ATTR_MULTICAST_TO_UNICAST,
DEV_ATTR_MULTICAST_ROUTER,
DEV_ATTR_MULTICAST,
+   DEV_ATTR_NEIGHGCSTALETIME,
__DEV_ATTR_MAX,
 };
 
@@ -88,6 +89,7 @@ enum {
DEV_OPT_MULTICAST_TO_UNICAST= (1 << 14),
DEV_OPT_MULTICAST_ROUTER= (1 << 15),
DEV_OPT_MULTICAST   = (1 << 16),
+   DEV_OPT_NEIGHGCSTALETIME= (1 << 17),
 };
 
 /* events broadcasted to all users of a device */
@@ -143,6 +145,8 @@ struct device_settings {
unsigned int mldversion;
unsigned int neigh4reachabletime;
unsigned int neigh6reachabletime;
+   unsigned int neigh4gcstaletime;
+   unsigned int neigh6gcstaletime;
bool rps;
bool xps;
unsigned int dadtransmits;
diff --git a/system-linux.c b/system-linux.c
index f79625a..62c51b5 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -310,6 +310,16 @@ static void system_set_neigh6reachabletime(struct device 
*dev, const char *val)

system_set_dev_sysctl("/proc/sys/net/ipv6/neigh/%s/base_reachable_time_ms", 
dev->ifname, val);
 }
 
+static void system_set_neigh4gcstaletime(struct device *dev, const char *val)
+{
+   system_set_dev_sysctl("/proc/sys/net/ipv4/neigh/%s/gc_stale_time", 
dev->ifname, val);
+}
+
+static void system_set_neigh6gcstaletime(struct device *dev, const char *val)
+{
+   system_set_dev_sysctl("/proc/sys/net/ipv6/neigh/%s/gc_stale_time", 
dev->ifname, val);
+}
+
 static void system_set
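Review bot: the kernel's `gc_stale_time` is expressed in seconds, whereas the `base_reachable_time_ms` path in the context right above takes milliseconds, and the new setters pass the UCI value through unchanged; state the unit of `neighgcstaletime` in the commit message (and in the option documentation) so that nobody copies a millisecond-scale value over from `neighreachabletime`.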

[OpenWrt-Devel] [PATCH] libnet-1.2.x: enable HAVE_PACKET_SOCKET

2016-05-19 Thread Alin Nastac
There is already a CONFIGURE_VAR set in here that seems
to have the same purpose, but it doesn't do the trick
in my case (autoconf 2.69).
---
 libs/libnet-1.2.x/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libs/libnet-1.2.x/Makefile b/libs/libnet-1.2.x/Makefile
index a791163..062c7b6 100644
--- a/libs/libnet-1.2.x/Makefile
+++ b/libs/libnet-1.2.x/Makefile
@@ -39,6 +39,7 @@ CONFIGURE_ARGS += \
 CONFIGURE_VARS += \
ac_cv_libnet_endianess=$(ENDIANESS) \
ac_libnet_have_pf_packet=yes \
+   libnet_cv_have_packet_socket=yes \
LL_INT_TYPE=libnet_link_linux
 
 define Build/Configure
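Review bot: a misspelt autoconf cache variable is accepted silently, so `libnet_cv_have_packet_socket` should be checked against the cache id used by the `AC_CACHE_CHECK` in the configure script of the libnet 1.2.x version this Makefile builds; the commit message should also explain why `ac_libnet_have_pf_packet=yes`, kept on the line above, is no longer sufficient, so the two overrides can later be collapsed to the one that actually works.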
-- 
1.7.12.4


[OpenWrt-Devel] [PATCH] conntrack: enable support for netfilter conntrack zones

2016-05-19 Thread Alin Nastac
Storage of such zones is provided by a nf_ct_ext struct, hence conntrack
memory footprint will not be increased if zones are not used.
---
 package/kernel/linux/modules/netfilter.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/kernel/linux/modules/netfilter.mk 
b/package/kernel/linux/modules/netfilter.mk
index 3b623e4..4d9c116 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -68,6 +68,7 @@ define KernelPackage/nf-conntrack
   KCONFIG:= \
 CONFIG_NETFILTER=y \
 CONFIG_NETFILTER_ADVANCED=y \
+CONFIG_NF_CONNTRACK_ZONES=y \
$(KCONFIG_NF_CONNTRACK)
   FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
   AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m)))
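Review bot: the hunk only flips `CONFIG_NF_CONNTRACK_ZONES=y` in KCONFIG; the commit message's claim that the conntrack footprint does not grow when zones are unused rests on the zone living in a conntrack extension, which the hunk itself cannot show, so a pointer to the kernel code or a before/after `nf_conntrack` slab figure would make the justification verifiable for reviewers of memory-constrained targets.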
-- 
1.7.12.4


[OpenWrt-Devel] [PATCH] load running state after lock is acquired

2016-04-29 Thread Alin Nastac
When running "/etc/init.d/firewall reload & fw3 -q restart", the
fw3 instance that handles the reload might try to read the running
state after the firewall was stopped by the fw3 instance that does the
restarting. Since a NULL run_state will transform the reload operation into
a start operation, the resulting iptables chains will contain duplicate
sets of rules.
---
 main.c | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/main.c b/main.c
index b953020..241da62 100644
--- a/main.c
+++ b/main.c
@@ -546,7 +546,6 @@ int main(int argc, char **argv)
}
 
build_state(false);
-   build_state(true);
defs = _state->defaults;
 
if (optind >= argc)
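Review bot: dropping the early `build_state(true)` leaves the running state unloaded from here until a command branch takes the lock, so the lines between this hunk and the per-command blocks (the `optind >= argc` handling and what follows it) must not touch `run_state`; `defs`, taken from the config state on the line above, is unaffected. A short comment here saying that the running state is loaded only under the lock would keep someone from re-adding the call.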
@@ -577,12 +576,18 @@ int main(int argc, char **argv)
print_family = family;
fw3_pr_debug = true;
 
-   rv = start();
+   if (fw3_lock())
+   {
+   build_state(true);
+   rv = start();
+   fw3_unlock();
+   }
}
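Review bot: this block (the print path, `print_family = family; fw3_pr_debug = true;`) previously called `start()` without the lock and now runs it only when `fw3_lock()` succeeds; that is a behaviour change the commit message does not mention, and when the lock is not obtained `rv` keeps whatever value it had before, so either describe the change or make sure a failed lock yields a non-zero exit here as in the other commands.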
else if (!strcmp(argv[optind], "start"))
{
if (fw3_lock())
{
+   build_state(true);
rv = start();
fw3_unlock();
}
@@ -591,6 +596,7 @@ int main(int argc, char **argv)
{
if (fw3_lock())
{
+   build_state(true);
rv = stop(false);
fw3_unlock();
}
@@ -599,6 +605,7 @@ int main(int argc, char **argv)
{
if (fw3_lock())
{
+   build_state(true);
rv = stop(true);
fw3_unlock();
}
@@ -607,6 +614,7 @@ int main(int argc, char **argv)
{
if (fw3_lock())
{
+   build_state(true);
stop(true);
rv = start();
fw3_unlock();
@@ -616,6 +624,7 @@ int main(int argc, char **argv)
{
if (fw3_lock())
{
+   build_state(true);
rv = reload();
fw3_unlock();
}
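Review bot: `build_state(true)` is now repeated in six command branches directly after `fw3_lock()`; folding the call into a small helper that takes the lock and then loads the running state (or into the success path of `fw3_lock()`) would keep the invariant this fix establishes, that the running state is only ever read under the lock, in one place instead of relying on every future branch to remember it.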
-- 
1.7.12.4


[OpenWrt-Devel] [PATCH] [package] firewall: Redirect incoming WAN traffic only when destination IP address matches the IP address used for masquerading

2015-09-10 Thread Alin Nastac

(Resend of a previous patch affected by gmail's editor line wrapping)

This is a git patch for the firewall3 git repo at git://nbd.name/firewall3.git.

Basically it prevents zone_wan_prerouting rules from affecting traffic towards
IP addresses that are not used for masquerading the LAN private IP space, and
it does that by setting the destination IP address of the delegate_prerouting
rules for zones with masq enabled to whatever address(es) that particular
network interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
  - the usual 192.168.1.0/24 which is masqueraded by the public IP address
configured on the WAN interface
  - a public IP network prefix for those LAN devices that are supposed to be
excluded from NAT
Without this patch, port forwarding rules introduced for 192.168.1.x LAN
devices will also affect traffic towards the 2nd prefix.

From 56820e2e3e09f68e4f9a74e6aff832fbcf2c5729 Mon Sep 17 00:00:00 2001
From: Alin Nastac<alin.nas...@gmail.com>
Date: Fri, 4 Sep 2015 13:54:10 +0200
Subject: [PATCH] Redirect incoming WAN traffic only when
 destination IP address matches the IP address configured on the incoming 
interface

---
 zones.c | 36 
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, 
struct fw3_state *state,
{
if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
{
-   r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, 
NULL);
-   fw3_ipt_rule_target(r, "zone_%s_prerouting", 
zone->name);
-   fw3_ipt_rule_extra(r, zone->extra_src);
-   fw3_ipt_rule_replace(r, "delegate_prerouting");
+   struct list_head *addrs;
+   struct fw3_address *addr;
+
+   addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
+   if (addrs)
+   {
+   /* redirect only the traffic towards a locally 
configured address */
+   INIT_LIST_HEAD(addrs);
+   fw3_ubus_address(addrs, dev->network);
+
+   list_for_each_entry(addr, addrs, list)
+   {
+   if (!fw3_is_family(addr, 
handle->family))
+   continue;
+   /* reset mask to its maximum value */
+   memset(>mask.v6, 0xFF, 
sizeof(addr->mask.v6));
+
+   r = fw3_ipt_rule_create(handle, NULL, 
dev, NULL, sub, addr);
+   fw3_ipt_rule_target(r, 
"zone_%s_prerouting", zone->name);
+   fw3_ipt_rule_extra(r, zone->extra_src);
+   fw3_ipt_rule_replace(r, 
"delegate_prerouting");
+   }
+
+   fw3_free_list(addrs);
+   }
+   else
+   {
+   r = fw3_ipt_rule_create(handle, NULL, dev, 
NULL, sub, NULL);
+   fw3_ipt_rule_target(r, "zone_%s_prerouting", 
zone->name);
+   fw3_ipt_rule_extra(r, zone->extra_src);
+   fw3_ipt_rule_replace(r, "delegate_prerouting");
+   }
}

if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
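Review bot: when `zone->masq` is set but `fw3_ubus_address()` yields no address of the handle's family (WAN not yet configured at boot, or an IPv4-only uplink when the IPv6 handle runs), the loop emits no prerouting rule at all and the `else` branch is never reached, so DNAT for that zone is silently absent until the next reload; if that is intended it belongs in the commit message, otherwise fall back to the unrestricted rule when the list is empty. Two smaller points: a failed `calloc()` makes the code quietly take the unrestricted branch, which deserves a comment, and the `memset(..., 0xFF, sizeof(addr->mask.v6))` comment says "reset" where it actually forces a host mask (/32 or /128) so the rule matches the single address, and for an IPv4 entry this only works because the v4 and v6 mask members overlap in memory, which the comment should state.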
--
1.7.12.4