system_vlandev_add() when vlan device
was already created, thus solving the root cause of the issue.
Signed-off-by: Alin Nastac
---
vlandev.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/vlandev.c b/vlandev.c
index 31b82b1..4780ca3 100644
--- a/vlandev.c
+++ b/vlandev.c
system_vlandev_add() when vlan device
was already created, thus solving the root cause of the issue.
Signed-off-by: Alin Nastac
---
vlandev.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/vlandev.c b/vlandev.c
index 31b82b1..4780ca3 100644
--- a/vlandev.c
+++ b/vlandev.c
that was
previously stored with medium precedence, it will fail to remove the
existing STATE_RA_ROUTE default route, hence preventing odhcpd from
advertising RAs with lifetime 0 to LAN.
Signed-off-by: Alin Nastac
---
src/dhcpv6.c | 4 ++--
src/odhcp6c.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions
default route creation for wan
interface (pppoe-wan device will store the incorrect ifindex).
Signed-off-by: Alin Nastac
---
src/dhcpv6.c | 6 +-
src/ra.c | 54 ++
2 files changed, 35 insertions(+), 25 deletions(-)
diff --git a/src/dhcpv6
Signed-off-by: Alin Nastac
---
system-linux.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/system-linux.c b/system-linux.c
index 6778b1d..9188899 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -904,6 +904,8 @@ failure:
int system_if_resolve(struct device *dev)
{
struct
Preventing NAT leakage on ipv6 doesn't make sense, as
all other masq* options have effect only on ipv4.
Signed-off-by: Alin Nastac
---
zones.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zones.c b/zones.c
index 68b02ab..dbf23dc 100644
--- a/zones.c
+++ b/zones.c
Fixes 9d7f49df47ad ("redurects: add support to define multiple zones for dnat
reflection rules")
Signed-off-by: Alin Nastac
---
redirects.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/redirects.c b/redirects.c
index b928287..45a6cb1 100644
--- a/r
n target 'DNAT'
It was also tested on a build that did not supported IPv6 NAT (nat
was not present in /proc/net/ip6_tables_names), fw3 -d restart did
not signaled any error.
Signed-off-by: Alin Nastac
---
defaults.c | 4 +-
options.h | 12 ++---
redirects
From: Alin Nastac
1) Remove hardcoded restrictions that disable redirect support on IPv6.
2) Allow usage of IP address lists in redirect and snat uci sections.
This is needed for 2 scenarios:
- use the interface address that matches the redirect & nat family
when dest_ip is
Because mkstemp() create a file with mode 0600, only user doing
the commit (typically root) will be allowed to inspect the content
of the file after uci commit.
Signed-off-by: Alin Nastac
---
file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/file.c b/file.c
index
From: Alin Nastac
Issue was introduced in commit 1321c1bd8fe921986c4eb39c3783ddd827b79543.
Signed-off-by: Alin Nastac
---
system-linux.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/system-linux.c b/system-linux.c
index d36d287..775b448 100644
--- a/system-linux.c
+++ b/system-linux.c
From: Alin Nastac
1) Remove hardcoded restrictions that disable redirect support on IPv6.
2) Allow usage of IP address lists in redirect and snat uci sections.
This is needed for 2 scenarios:
- use the interface address that matches the redirect & nat family
when dest_ip is
From: Alin Nastac
When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.
Signed
From: Alin Nastac
When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.
Signed
Numbers originated from lua bindings get explicitly truncated to 32 bit.
Signed-off-by: Alin Nastac
---
lua/ubus.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lua/ubus.c b/lua/ubus.c
index 86dcc50..aa01ac9 100644
--- a/lua/ubus.c
+++ b/lua/ubus.c
@@ -196,7 +196,11
When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.
Signed-off-by: Alin Nastac
From: Alin Nastac
Scripts located in the directory /etc/mount_root.d will be executed
before mounting the overlay. It can be used to implement
configuration merges between old & new setup after doing sysupgrade.
Signed-off-by: Alin Nastac
---
libfstools/overlay.c
From: Alin Nastac
Problem can be reproduced with a rule like this:
option src 'wan'
option family 'ipv6'
option proto 'icmp'
option icmp_type '128'
option target 'DROP'
The resulted rule will set --icmpv6-type to 128/255.
Signed-off-by: Alin Nastac
---
options.c | 2 +-
1 file
Preserve optionality of libcap by having configuration script follow the
HAVE_CAP environment variable, used similarly to the HAVE_ELF variable.
Signed-off-by: Alin Nastac
---
package/network/utils/iproute2/Makefile| 18 ++
.../iproute2/patches/150
Signed-off-by: Alin Nastac
---
package/kernel/linux/modules/netfilter.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/kernel/linux/modules/netfilter.mk
b/package/kernel/linux/modules/netfilter.mk
index 25715be..ef17524 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b
Hotplug events are no longer handled after socket RX queue is
overrun. The issue has been fixed by:
- setting SO_RCVBUF initially to 65535
- doubling SO_RCVBUF value each time RX queue gets overrun
Signed-off-by: Alin Nastac
---
system-linux.c | 53
From: Alin Nastac
Locally-generated packets are passing through OUTPUT chain, not
PREROUTING.
Signed-off-by: Alin Nastac
---
zones.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/zones.c b/zones.c
index 505ab20..8c3daef 100644
--- a/zones.c
+++ b/zones.c
From: Alin Nastac
RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).
Signed-off-by: Alin Nastac
---
defaults.c | 34
From: Alin Nastac
RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).
Signed-off-by: Alin Nastac
---
defaults.c | 21
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.
Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.
Signed-off-by: Alin Nastac
---
include/netfilter.mk | 1 +
1 file changed, 1 insertion(+)
diff --git
s obtained, sysntpd would be stopped
Because sysntpd service is deleted when last instance is freed, its triggers
will also be released. Without these triggers in place, sysntpd will not be
reloaded when a new DHCP lease containing option 42 will be received.
Signed-off-by: Alin Nastac <alin.nas
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
service/service.c | 5 -
service/service.h | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/service/service.c b/service/service.c
index 0584ee0..9675ba2 100644
--- a/service/service.c
+++ b/service/service.c
@@
SIGKILL is sent if instance process is still running after
seconds after SIGTERM has been sent. To prevent
another daemon process being launched before old process dies,
the instance is kept until SIGCHLD confirms that service has
been stopped.
Signed-off-by: Alin Nastac <alin.nas...@gmail.
in the NA packet.
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
device.c | 10 ++
device.h | 3 +++
system-linux.c | 20
3 files changed, 33 insertions(+)
diff --git a/device.c b/device.c
index 43881e5..306496c 100644
--- a/device.c
+++ b/de
There are 2 issues fixed by this patch:
- UDP checksum is computed incorrectly, the used pseudo IP header
contains transport protocol 6 iso 17
- on big endian arches the UDP/TCP checksum is incorrectly
computed when payload length is odd
Signed-off-by: Alin Nastac <alin.
This patch was copied from
http://www.spinics.net/lists/netfilter/msg56704.html .
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
.../patches/100-udp_checksum_computation.patch | 95 ++
1 file changed, 95 insertions(+)
create mode 100644
package/libs/libnet
This patch was copied from
http://www.spinics.net/lists/netfilter/msg56704.html .
---
.../patches/100-udp_checksum_computation.patch | 95 ++
1 file changed, 95 insertions(+)
create mode 100644
package/libs/libnetfilter-queue/patches/100-udp_checksum_computation.patch
The UCI parameter neighgcstaletime allows to control how much time will
STALE entries be kept in the neighbour table for both IPv4 and IPv6.
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
device.c | 14 ++
device.h | 4
system-linux.
There is already a CONFIGURE_VAR set in here that seem
to have the same purpose, but it doesn't do the trick
in my cause (autoconf 2.69).
---
libs/libnet-1.2.x/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/libs/libnet-1.2.x/Makefile b/libs/libnet-1.2.x/Makefile
index
Storage of such zones is provided by a nf_ct_ext struct, hence conntrack
memory foot print will not be increased if zones are not used.
---
package/kernel/linux/modules/netfilter.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/kernel/linux/modules/netfilter.mk
When running "/etc/init.d/firewall reload & fw3 -q restart", the
fw3 instance that handle the reload might try to read the running
state after firewall was stopped by the fw3 instance that does the
restarting. Since a NULL run_state will transform reload operation in
start operation, the resulted
56820e2e3e09f68e4f9a74e6aff832fbcf2c5729 Mon Sep 17 00:00:00 2001
From: Alin Nastac<alin.nas...@gmail.com>
Date: Fri, 4 Sep 2015 13:54:10 +0200
Subject: [PATCH] Redirect incoming WAN traffic only when
destination IP address matches the IP address configured on the incoming
interface
---
zones.
37 matches
Mail list logo
