author | Waldemar Brodkorb <wbx@openadk.org> | 2010-04-21 20:46:46 +0200 |
---|---|---|
committer | Waldemar Brodkorb <wbx@openadk.org> | 2010-04-21 20:46:46 +0200 |
commit | 38910b0bc0393c60da90e1b2540e3d4c5858dae9 (patch) | |
tree | b2e2fcc845098bfb35ec584906fafe587ba45331 | |
parent | b803209ad0f1f198072695109b30a726e0411084 (diff) | |
parent | 0e0d27dc9662ffd759912233ddd71ccb99b9b681 (diff) |
Merge branch 'master' of git+ssh://openadk.org/git/openadk
37 files changed, 777 insertions, 295 deletions
@@ -1,8 +1,3 @@ - openssh on amd64 does not work, ssh-keygen endless loop - uclibc on lemote mips64 target does not work (only uclibc-trunk with patches) -<<<<<<< HEAD - qemu-mips64* targets does not boot, kernel problem? -- (cross-)compile from debian amd64 to f.e. qemu-x86_64 or shuttle with - either glibc or eglibc is broken, have sth. todo with target == host -======= ->>>>>>> 4d569ed1a3305c7b7abe8fa4273cea3b559cc85a @@ -1,3 +1,5 @@ +- php update +- openssh update - macos x build - test on OpenSuSE - test on Fedora Core diff --git a/mk/modules.mk b/mk/modules.mk index ab33f6863..90c26affc 100644 --- a/mk/modules.mk +++ b/mk/modules.mk 
@@ -510,6 +510,67 @@ $(eval $(call KMOD_template,IP_NF_TARGET_TTL,ip-nf-target-ttl,\
 ,65))
 #
+# IPv6: Netfilter
+#
+$(eval $(call KMOD_template,NF_CONNTRACK_IPV6,nf-conntrack-ipv6,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/nf_conntrack_ipv6 \
+,50))
+
+$(eval $(call KMOD_template,IP6_NF_IPTABLES,ip6-nf-iptables,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6_tables \
+,50))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_AH,ip6-nf-match-AH,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_ah \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_EUI64,ip6-nf-match-eui64,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_eui64 \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_FRAG,ip6-nf-match-frag,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_frag \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_OPTS,ip6-nf-match-opts,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_hbh \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_IPV6HEADER,ip6-nf-match-ipv6header,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_ipv6header \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_MH,ip6-nf-match-mh,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_mh \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_RT,ip6-nf-match-rt,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_rt \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_TARGET_LOG,ip6-nf-target-log,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_LOG \
+,55))
+
+#
+# IPv6: Filtering
+#
+$(eval $(call KMOD_template,IP6_NF_FILTER,ip6-nf-filter,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6table_filter \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_TARGET_REJECT,ip6-nf-target-reject,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_REJECT \
+,60))
+
+#
+# IPv6: Mangle
+#
+$(eval $(call KMOD_template,IP6_NF_MANGLE,ip6-nf-mangle,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6table_mangle \
+,60))
+
+#
 # IPVS
 #
diff --git a/mk/package.mk b/mk/package.mk
index 6c58d4d4e..b4b02d8a5 100644
--- a/mk/package.mk
+++ b/mk/package.mk
@@ -43,6 +43,10 @@ else
 CONFIGURE_ARGS+= --disable-debug
 endif
+ifeq ($(ADK_ENABLE_IPV6),y)
+CONFIGURE_ARGS+= --enable-ipv6
+endif
+
 CONFIGURE_ENV+= CONFIG_SHELL='$(strip ${SHELL})' \
 CFLAGS='$(strip ${TCFLAGS})' \
 CXXFLAGS='$(strip ${TCXXFLAGS})' \
diff --git a/package/Config.in b/package/Config.in
index 0537a7646..37f1e4e92 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -3,6 +3,18 @@ menu "Package selection"
+config ADK_ENABLE_IPV6
+ prompt "enable IPv6 globally"
+ boolean
+ default y
+ # FIXME: selecting stuff here is ugly, better fix package flavours to
+ # support a symbol-value-based default (i.e., "default y if IPV6")
+ select ADK_PACKAGE_NFS_UTILS_WITH_TIRPC if ADK_PACKAGE_NFS_UTILS != n
+ help
+ This enables IPv6 support in all related applications. Basically this
+ just means passing --enable-ipv6 to the configure script, but the
+ exception proves the rule. ;)
+
 menu "Basesystem"
 source "package/adkinstall/Config.in"
 source "package/base-files/Config.in"
@@ -97,6 +109,7 @@ menu "Firewall / Routing / Bridging"
 source "package/arpd/Config.in"
 source "package/bridge-utils/Config.in"
 source "package/linux-atm/Config.in"
+source "package/conntrack-tools/Config.in"
 source "package/cutter/Config.in"
 source "package/ebtables/Config.in"
 source "package/ether-wake/Config.in"
diff --git a/package/asterisk/Makefile b/package/asterisk/Makefile
index 595bae027..425683f24 100644
--- a/package/asterisk/Makefile
+++ b/package/asterisk/Makefile
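Review bot: The new `ifeq ($(ADK_ENABLE_IPV6),y)` block in mk/package.mk only ever adds `--enable-ipv6`; when the option is switched off nothing is passed, so packages whose configure scripts autodetect IPv6 still build it in, and the Config.in help text's claim that the symbol controls IPv6 "in all related applications" holds only for the enabled direction. An `else` branch, `CONFIGURE_ARGS+= --disable-ipv6`, would make the global switch real in both directions; packages with a hand-written configure that rejects unknown `--disable-*` flags would need checking first, which I cannot do from this hunk. The `select ADK_PACKAGE_NFS_UTILS_WITH_TIRPC if ADK_PACKAGE_NFS_UTILS != n` line in the Config.in hunk already carries a FIXME, so no further note there.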
@@ -26,13 +26,15 @@ PKG_DESCR_CHAN_MGCP:= Media Gateway Control Protocol implementation
 PKG_DESCR_CHAN_SKINNY:= Skinny Client Control Protocol implementation
 PKG_DESCR_CHAN_IAX2:= Support for the Inter Asterisk Protocol
 PKG_DESCR_CODEC_SPEEX:= Speex/PCM16 Codec Translator
+PKG_DESCR_SOUNDS:= Various soundfiles in GSM format
+PKG_DEPENDS_SOUNDS:= ${PKG_DEPENDS} asterisk-codec-gsm
 include $(TOPDIR)/mk/package.mk
 $(eval $(call PKG_template,ASTERISK,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_PGSQL,asterisk-pgsql,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_VOICEMAIL,asterisk-voicemail,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
-$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_SOUNDS},${PKG_DESCR_SOUNDS},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_MGCP,asterisk-chan-mgcp,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_MGCP},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_SKINNY,asterisk-chan-skinny,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_SKINNY},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_IAX2,asterisk-chan-iax2,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_IAX2},${PKG_SECTION}))
diff --git a/package/asterisk/files/asterisk.conffiles b/package/asterisk/files/asterisk.conffiles
index 2cb705f9c..55949fde7 100644
--- a/package/asterisk/files/asterisk.conffiles
+++ b/package/asterisk/files/asterisk.conffiles
@@ -13,7 +13,6 @@
 /etc/asterisk/modules.conf
 /etc/asterisk/musiconhold.conf
 /etc/asterisk/osp.conf
-/etc/asterisk/privacy.conf
 /etc/asterisk/queues.conf
 /etc/asterisk/rtp.conf
 /etc/asterisk/sip.conf
diff --git a/package/base-files/src/etc/init.d/boot b/package/base-files/src/etc/init.d/boot
index 2ef6538e0..ed55ccc88 100644
--- a/package/base-files/src/etc/init.d/boot
+++ b/package/base-files/src/etc/init.d/boot
@@ -8,7 +8,7 @@ mkdir -p /var/log
 mkdir -p /var/run
 touch /var/log/lastlog
 touch /var/log/wtmp
-ln -s /var/tmp /tmp
+ln -s /tmp /var/tmp
 echo 0 > /proc/sys/kernel/printk
diff --git a/package/base-files/src/etc/sysctl.conf b/package/base-files/src/etc/sysctl.conf
index 73260cf9d..f45e98632 100644
--- a/package/base-files/src/etc/sysctl.conf
+++ b/package/base-files/src/etc/sysctl.conf
@@ -4,6 +4,7 @@
 #kernel.panic = 3
 # Enable packet forwarding
 #net.ipv4.ip_forward = 1
+#net.ipv6.conf.all.forwarding = 1
 # Disables IP dynaddr
 #net.ipv4.ip_dynaddr = 0
 # Disable ECN
diff --git a/package/bc/Makefile b/package/bc/Makefile
index dbe613550..8912693c0 100644
--- a/package/bc/Makefile
+++ b/package/bc/Makefile
@@ -8,7 +8,7 @@ PKG_VERSION:= 1.06
 PKG_RELEASE:= 1
 PKG_MD5SUM:= d44b5dddebd8a7a7309aea6c36fda117
 PKG_DESCR:= An arbitrary precision calculator language
-PKG_SECTION:= util
+PKG_SECTION:= utils
 PKG_URL:= http://www.gnu.org/software/bc
 PKG_SITES:= http://ftp.gnu.org/pub/gnu/bc/
diff --git a/package/busybox/Config.in.manual b/package/busybox/Config.in.manual
index 84c1bde40..4e7251520 100644
--- a/package/busybox/Config.in.manual
+++ b/package/busybox/Config.in.manual
@@ -17,3 +17,6 @@ menu "Busybox Configuration"
 source "package/busybox/config/Config.in"
 endmenu
+config ADK_PACKAGE_UDHCPD
+ boolean
+ default BUSYBOX_APP_UDHCPD
diff --git a/package/busybox/Makefile b/package/busybox/Makefile
index 400be01e6..5d6826986 100644
--- a/package/busybox/Makefile
+++ b/package/busybox/Makefile
@@ -12,9 +12,13 @@ PKG_SECTION:= base
 PKG_URL:= http://www.busybox.net
 PKG_SITES:= http://www.busybox.net/downloads/
+PKG_DESCR_UDHCPD:= uDHCPD meta package
+PKG_SECTION_UDHCPD:= net
+
 include $(TOPDIR)/mk/package.mk
 $(eval $(call PKG_template,BUSYBOX,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,UDHCPD,udhcpd,${PKG_VERSION}-${PKG_RELEASE},busybox,${PKG_DESCR_UDHCPD},${PKG_SECTION_UDHCPD}))
 CONFIG_STYLE:= manual
 BUILD_STYLE:= manual
@@ -63,6 +67,10 @@ ifeq ($(ADK_DEBUG),y)
 ${INSTALL_BIN} $(WRKBUILD)/busybox_unstripped \
 $(IDIR_BUSYBOX)/bin/busybox
 endif
+ifeq ($(ADK_PACKAGE_UDHCPD),y)
+ ${INSTALL_DIR} ${IDIR_UDHCPD}/etc/
+ ${INSTALL_DATA} ./files/udhcpd.conf ${IDIR_UDHCPD}/etc/
+endif
 fake: $(TOPDIR)/.busyboxcfg do-configure do-install
diff --git a/package/busybox/files/udhcpd.conf b/package/busybox/files/udhcpd.conf
new file mode 100644
index 000000000..6c8104dfa
--- /dev/null
+++ b/package/busybox/files/udhcpd.conf
@@ -0,0 +1,28 @@
+# interface to bind to
+interface eth0
+
+# iprange to choose from
+start 192.168.1.100
+end 192.168.1.200
+
+# max number of leases
+#max_leases 100
+
+# period of auto lease file updates (in seconds)
+auto_time 7200
+
+# some timeouts
+#decline_time 3600
+#conflict_time 3600
+#offer_time 60
+#min_lease 60
+
+# do not change the path here
+leases_file /var/udhcpd.leases
+
+# call this script upon lease file write
+# (dumpleases may be useful for debugging)
+#notify_file dumpleases
+
+# static leases
+#static_lease 00:fe:ed:ba:be:00 192.168.1.2
diff --git a/package/busybox/files/udhcpd.conffiles b/package/busybox/files/udhcpd.conffiles
new file mode 100644
index 000000000..c0b2aeea6
--- /dev/null
+++ b/package/busybox/files/udhcpd.conffiles
@@ -0,0 +1 @@
+/etc/udhcpd.conf
diff --git a/package/busybox/files/udhcpd.init b/package/busybox/files/udhcpd.init
new file mode 100644
index 000000000..d9627aa9d
--- /dev/null
+++ b/package/busybox/files/udhcpd.init
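Review bot: The shipped udhcpd.conf binds the DHCP server to `interface eth0` with a 192.168.1.100-200 pool, and nothing in the file says this is a template that must point at the LAN interface before the service is enabled; on a router build where eth0 faces upstream, enabling it unedited would hand out leases on the wrong segment. Replacing the first comment with `# interface to bind to -- set this to your LAN interface before enabling udhcpd in /etc/rc.conf` makes that explicit. Exposure is limited by the postinst further down, which registers the service disabled (`add_rcconf udhcpd udhcpd 'NO'`), so this only bites after a deliberate enable.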
@@ -0,0 +1,28 @@
+#!/bin/sh
+#PKG udhcpd
+#INIT 50
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+ [[ $udhcpd = NO ]] && exit 0
+ exec sh $0 start
+ ;;
+start)
+ touch /var/udhcp.leases
+ udhcpd -S
+ ;;
+stop)
+ pkill udhcpd
+ ;;
+restart)
+ sh $0 stop
+ sh $0 start
+ ;;
+*)
+ echo "Usage: $0 {start | stop | restart}"
+ exit 1
+ ;;
+esac
+exit $?
diff --git a/package/busybox/files/udhcpd.postinst b/package/busybox/files/udhcpd.postinst
new file mode 100644
index 000000000..f90718c58
--- /dev/null
+++ b/package/busybox/files/udhcpd.postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+. $IPKG_INSTROOT/etc/functions.sh
+add_rcconf udhcpd udhcpd 'NO'
diff --git a/package/conntrack-tools/Makefile b/package/conntrack-tools/Makefile
new file mode 100644
index 000000000..d4d53b8be
--- /dev/null
+++ b/package/conntrack-tools/Makefile
@@ -0,0 +1,26 @@
+# This file is part of the OpenADK project. OpenADK is copyrighted
+# material, please see the LICENCE file in the top-level directory.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:= conntrack-tools
+PKG_VERSION:= 0.9.9
+PKG_RELEASE:= 1
+PKG_MD5SUM:= 35b0ab9cde069b4ec8a493daae82d67b
+PKG_DESCR:= Connection tracking userspace tools
+PKG_SECTION:= firewall
+PKG_DEPENDS:= libnetfilter_conntrack
+PKG_BUILDDEP+= libnetfilter_conntrack
+PKG_URL:= http://conntrack-tools.netfilter.org
+PKG_SITES:= http://www.netfilter.org/projects/conntrack-tools/files/
+DISTFILES:= ${PKG_NAME}-${PKG_VERSION}.tar.bz2
+
+include $(TOPDIR)/mk/package.mk
+
+$(eval $(call PKG_template,CONNTRACK_TOOLS,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+
+post-install:
+ $(INSTALL_DIR) $(IDIR_CONNTRACK_TOOLS)/usr/sbin
+ $(INSTALL_BIN) $(WRKINST)/usr/sbin/conntrack{,d} $(IDIR_CONNTRACK_TOOLS)/usr/sbin/
+
+include ${TOPDIR}/mk/pkg-bottom.mk
diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile
index 6625cb21c..2ab254cd2 100644
--- a/package/dropbear/Makefile
+++ b/package/dropbear/Makefile
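Review bot: The `start)` branch of udhcpd.init touches `/var/udhcp.leases`, but the udhcpd.conf shipped in the same commit sets `leases_file /var/udhcpd.leases` (and tells the user not to change that path), so the file being created is never the one the daemon reads; the line should be `touch /var/udhcpd.leases`. Separately, `[[ $udhcpd = NO ]]` is not POSIX `sh` syntax under a `#!/bin/sh` shebang (whether the target shell accepts it at all depends on how busybox is built), and when the variable is unset the test is false and the daemon is started; firewall6.init in this commit uses the safer form, and the equivalent here is `test x"${udhcpd:-NO}" = x"NO" && exit 0`.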
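Review bot: `$(WRKINST)/usr/sbin/conntrack{,d}` in the conntrack-tools post-install recipe relies on shell brace expansion, which POSIX `sh` does not provide; if the recipe shell in this tree is not bash, the literal path `conntrack{,d}` reaches install and the step fails. The same construct appears in the ip6tables-install hunk of package/iptables/Makefile further down (`${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}`), where a non-expanding shell would instead create a directory with braces in its name and then fail on the copies. I cannot see which SHELL mk/package.mk sets, so this may be fine here; spelling the two files out, `$(INSTALL_BIN) $(WRKINST)/usr/sbin/conntrack $(WRKINST)/usr/sbin/conntrackd $(IDIR_CONNTRACK_TOOLS)/usr/sbin/`, removes the dependency either way.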
@@ -5,14 +5,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:= dropbear
 PKG_VERSION:= 0.52
-PKG_RELEASE:= 1
+PKG_RELEASE:= 2
 PKG_MD5SUM:= 1c69ec674481d7745452f68f2ea5597e
 PKG_DESCR:= SSH 2 server/client designed for embedded systems
 PKG_SECTION:= net
 PKG_URL:= http://matt.ucc.asn.au/dropbear
 PKG_SITES:= http://matt.ucc.asn.au/dropbear/releases/
-PKG_DESCR_UTIL:= Utility for converting SSH keys
+PKG_DESCR_UTIL:= Utility for converting SSH private keys
 include $(TOPDIR)/mk/package.mk
diff --git a/package/dropbear/files/dropbear.init b/package/dropbear/files/dropbear.init
index 4a7d7a875..9983e943c 100644
--- a/package/dropbear/files/dropbear.init
+++ b/package/dropbear/files/dropbear.init
@@ -27,6 +27,14 @@ start)
 test $rv = 0 || exit 1
 test -f /etc/dropbear/dropbear_rsa_host_key || exit 1
 fi
+ if test ! -f /etc/dropbear/dropbear_dss_host_key; then
+ # take it easy here, since above already catched the worst cases
+ if test -x /usr/bin/dropbearkey; then
+ bothlog "dropbear: generating SSH private key (DSS)"
+ /usr/bin/dropbearkey -f /etc/dropbear/dropbear_dss_host_key -t dss
+ bothlog dropbear: key generation exited with code $?
+ fi
+ fi
 /usr/sbin/dropbear $dropbear_flags
 ;;
 stop)
diff --git a/package/dropbear/patches/patch-options_h b/package/dropbear/patches/patch-options_h
index b0903f45d..00914dda2 100644
--- a/package/dropbear/patches/patch-options_h
+++ b/package/dropbear/patches/patch-options_h
@@ -1,6 +1,6 @@
 $Id: update-patches 24 2008-08-31 14:56:13Z wbx $
 --- dropbear-0.52.orig/options.h 2008-11-11 15:13:50.000000000 +0100
-+++ dropbear-0.52/options.h 2010-01-22 17:55:09.000000000 +0100
++++ dropbear-0.52/options.h 2010-03-14 23:30:26.277667006 +0100
 @@ -10,6 +10,11 @@
 * parts are to allow for commandline -DDROPBEAR_XXX options etc.
 ******************************************************************/
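Review bot: The new DSS block in dropbear.init logs the `dropbearkey` exit code but, unlike the RSA block just above it (`test $rv = 0 || exit 1`), never acts on it, so a failed or partially written `dropbear_dss_host_key` is left behind and the `test ! -f` guard then skips regeneration on every later boot; the "take it easy" comment makes the best-effort intent clear, but a stale partial file defeats it. Capturing the status and clearing the file on failure, `rv=$?; test $rv = 0 || rm -f /etc/dropbear/dropbear_dss_host_key`, keeps dropbear starting on RSA alone while letting the next boot retry (and `catched` should read `caught`). This goes together with the patch-options_h hunk below, which drops the `/* #define DROPBEAR_DSS */` override and so re-enables ssh-dss host keys; a one-line comment on why DSS is wanted back (client compatibility, presumably) would help, since ssh-dss is limited to 1024-bit DSA and is the weaker of the two host-key types. The enclosing `start)` case begins outside the hunk.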
@@ -13,15 +13,6 @@ $Id: update-patches 24 2008-08-31 14:56:13Z wbx $
 #ifndef DROPBEAR_DEFPORT
 #define DROPBEAR_DEFPORT "22"
 #endif
-@@ -115,7 +120,7 @@ etc) slower (perhaps by 50%). Recommende
- * Removing either of these won't save very much space.
- * SSH2 RFC Draft requires dss, recommends rsa */
- #define DROPBEAR_RSA
--#define DROPBEAR_DSS
-+/* #define DROPBEAR_DSS */
-
- /* RSA can be vulnerable to timing attacks which use the time required for
- * signing to guess the private key. Blinding avoids this attack, though makes
 @@ -129,7 +134,7 @@ etc) slower (perhaps by 50%). Recommende
 /* #define DSS_PROTOK */
diff --git a/package/iptables/Makefile b/package/iptables/Makefile
index f07604877..4aa2d58bf 100644
--- a/package/iptables/Makefile
+++ b/package/iptables/Makefile
@@ -14,6 +14,8 @@ PKG_DEPENDS+= kmod-nf-conntrack-ipv4 kmod-nf-nat
 PKG_DEPENDS+= kmod-ip-nf-target-masquerade kmod-ip-nf-target-reject
 PKG_DEPENDS+= kmod-ip-nf-filter kmod-ip-nf-match-state
 PKG_DEPENDS+= kmod-netfilter-xt-target-tcpmss
+PKG_DEPENDS6:= kmod-ip6-nf-iptables kmod-nf-conntrack-ipv6
+PKG_DEPENDS6+= kmod-ip6-nf-filter kmod-ip6-nf-target-reject
 PKG_URL:= http://www.netfilter.org
 PKG_SITES:= http://www.netfilter.org/projects/iptables/files/ \
 ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
@@ -29,7 +31,7 @@ include ${TOPDIR}/mk/package.mk
 #include ${LINUX_DIR}/.config
 $(eval $(call PKG_template,IPTABLES,iptables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
-$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS6},${PKG_DESCR},${PKG_SECTION}))
 CONFIGURE_ARGS+= --enable-devel
@@ -44,8 +46,8 @@ post-install: ${SUB_INSTALL-m} ${SUB_INSTALL-y}
 ${CP} ${WRKINST}/usr/lib/libxtables.so* ${IDIR_IPTABLES}/usr/lib
 ip6tables-install:
- ${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/lib
- ${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/sbin
+ ${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}
+ ${INSTALL_DATA} ./files/firewall6.conf ${IDIR_IP6TABLES}/etc
 ${INSTALL_BIN} ${WRKINST}/usr/sbin/ip6tables ${IDIR_IP6TABLES}/usr/sbin/
 ${CP} ${WRKINST}/usr/lib/libip6tc.so* ${IDIR_IP6TABLES}/usr/lib
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
index 2c8faaa34..15794dece 100644
--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule
 ### Default policy
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
 ### INPUT
 ### (connections with the router as destination)
@@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
 ### (connections with the router as source)
 # base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
 ### FORWARD
 ### (connections routed through the router)
 # base case
 iptables -A FORWARD -m state --state INVALID -j DROP
-iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+# fix for broken ISPs blocking ICMP "fragmentation needed" packets
+#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
 # custom rules
 iptables -A FORWARD -j forwarding_rule
 iptables -t nat -A PREROUTING -j prerouting_rule
diff --git a/package/iptables/files/firewall6.conf b/package/iptables/files/firewall6.conf
new file mode 100644
index 000000000..2e86138b2
--- /dev/null
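Review bot: With the new `iptables -P OUTPUT DROP` policy and the OUTPUT rule widened to `RELATED,ESTABLISHED,NEW`, the only packets that still reach the policy are those conntrack classifies as INVALID (or untracked), so dropping the explicit `INVALID -j DROP` is equivalent, but the DROP policy now does far less than the line suggests; a comment such as `# OUTPUT policy DROP only catches INVALID/untracked packets; all locally originated, state-tracked traffic is allowed` would stop a reader from assuming egress filtering. The `-p icmp -j ACCEPT` line after it likewise only matters for ICMP that conntrack did not classify as NEW/RELATED/ESTABLISHED. The TCPMSS clamp is commented out in its new mangle-table form, so MSS clamping is off by default for everyone, while `kmod-netfilter-xt-target-tcpmss` stays in PKG_DEPENDS in the iptables Makefile hunk above; if the default is meant to be off, the dependency could follow it, and if not, the rule should stay active.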
+++ b/package/iptables/files/firewall6.conf 
@@ -0,0 +1,98 @@
+#!/bin/sh
+echo "configure /etc/firewall6.conf first."
+exit 1
+
+### Interfaces
+WAN=sixxs
+LAN=br0
+WLAN=wlan0
+
+######################################################################
+### Default ruleset
+######################################################################
+
+### Create chains
+ip6tables -N input_rule
+ip6tables -N forwarding_rule
+
+### Default policy
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+### INPUT
+### (connections with the router as destination)
+
+# base case
+ip6tables -A INPUT -m state --state INVALID -j DROP
+ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
+
+# custom rules
+ip6tables -A INPUT -j input_rule
+
+# allow access from anything but WAN
+ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
+# allow icmp messages
+ip6tables -A INPUT -p icmp6 -j ACCEPT
+
+# reject
+ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+# base case
+ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+ip6tables -A OUTPUT -p icmp6 -j ACCEPT
+
+### FORWARD
+### (connections routed through the router)
+
+# base case
+ip6tables -A FORWARD -m state --state INVALID -j DROP
+ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# fix for broken ISPs blocking ICMPv6 "packet too big" packets
+#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# custom rules
+ip6tables -A FORWARD -j forwarding_rule
+
+# allow LAN
+ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+######################################################################
+### Default ruleset end
+######################################################################
+
+###
+### Connections to the router
+###
+
+# ssh
+#ip6tables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
+
+# IPSec
+#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
+
+# OpenVPN
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
+
+# PPTP
+#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
+
+###
+### VPN traffic
+###
+
+# IPSec
+#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
+#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT
+
+# OpenVPN
+#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
+#ip6tables -A forwarding_rule -i tun+ -j ACCEPT
diff --git a/package/iptables/files/firewall6.init b/package/iptables/files/firewall6.init
new file mode 100755
index 000000000..bedb639a9
--- /dev/null
+++ b/package/iptables/files/firewall6.init
@@ -0,0 +1,31 @@
+#!/bin/sh
+#PKG iptables
+#INIT 45
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+ test x"${firewall6:-NO}" = x"NO" && exit 0
+ exec sh $0 start
+ ;;
+start)
+ . /etc/firewall6.conf
+ ;;
+stop)
+ ### Clear tables
+ ip6tables -F
+ ip6tables -X
+ ip6tables -P INPUT ACCEPT
+ ip6tables -P FORWARD ACCEPT
+ ip6tables -P OUTPUT ACCEPT
+ ;;
+restart)
+ sh $0 stop
+ sh $0 start
+ ;;
+*)
+ echo "Usage: $0 {start | stop | restart}"
+ ;;
+esac
+exit $?
diff --git a/package/iptables/files/iptables.postinst b/package/iptables/files/iptables.postinst
index 89b0af164..b418e73f9 100644
--- a/package/iptables/files/iptables.postinst
+++ b/package/iptables/files/iptables.postinst
@@ -2,3 +2,4 @@
 . $IPKG_INSTROOT/etc/functions.sh
 add_rcconf iptables firewall NO
+add_rcconf iptables firewall6 NO
diff --git a/package/ntfs-3g/Makefile b/package/ntfs-3g/Makefile
index 72d418e56..265a09d8d 100644
--- a/package/ntfs-3g/Makefile
+++ b/package/ntfs-3g/Makefile
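Review bot: `ip6tables -A INPUT -p icmp6 -j ACCEPT` in firewall6.conf admits every ICMPv6 type arriving on the WAN interface (non-WAN traffic was already accepted by the rule above it), and the file does not say why; neighbour discovery, router advertisements and packet-too-big are needed for IPv6 to work at all, so unrestricted ICMPv6 is a defensible default, but a comment like `# ICMPv6 is required for ND/RA/PMTU discovery; narrow with --icmpv6-type if you want to limit e.g. echo-request from WAN` would record that decision. `WLAN=wlan0` is defined but never referenced, so the WLAN segment gets no FORWARD rule and is only reached by the "anything but WAN" INPUT rule; either drop the variable or add the intended FORWARD rule, otherwise a reader may assume the WLAN is covered. The `exit 1` at the top means `. /etc/firewall6.conf` in firewall6.init aborts the whole init script before any rule is loaded until the file is edited, which is worth stating in the echo line itself.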
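Review bot: The `*)` branch of firewall6.init prints the usage line but has no `exit 1`, so the trailing `exit $?` returns the echo's status 0 for an unknown argument; udhcpd.init in this same commit does exit 1 there, and adding `exit 1` after the echo makes the two consistent. `stop)` flushes and resets only the filter table, which matches the shipped ruleset because the mangle rule in firewall6.conf is commented out; if that rule is ever enabled, `ip6tables -t mangle -F` would be needed as well, and a one-line comment on the `### Clear tables` line noting the filter-only scope would make that visible.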
@@ -8,7 +8,7 @@ PKG_VERSION= 2010.1.16
 PKG_RELEASE= 1
 PKG_MD5SUM= e104c914e8d7d29ee83e63d46afbba25
 PKG_DESCR:= ntfs filesystem driver with read and write support
-PKG_SECTION:= sys
+PKG_SECTION:= kernel
 PKG_DEPENDS:= kmod-fuse-fs
 PKG_URL:= http://tuxera.com
 PKG_SITES= http://tuxera.com/opensource/
diff --git a/package/openssh/Makefile b/package/openssh/Makefile
index 27bc8dab8..1eb72097a 100644
--- a/package/openssh/Makefile
+++ b/package/openssh/Makefile
@@ -4,9 +4,9 @@ include ${TOPDIR}/rules.mk
 PKG_NAME:= openssh
-PKG_VERSION:= 5.4p1
+PKG_VERSION:= 5.5p1
 PKG_RELEASE:= 1
-PKG_MD5SUM:= da10af8a789fa2e83e3635f3a1b76f5e
+PKG_MD5SUM:= 88633408f4cb1eb11ec7e2ec58b519eb
 PKG_DESCR:= OpenSSH server
 PKG_SECTION:= net
 PKG_DEPENDS:= zlib libopenssl libpthread
diff --git a/package/openssh/patches/patch-openbsd-compat_port-tun_c b/package/openssh/patches/patch-openbsd-compat_port-tun_c
new file mode 100644
index 000000000..a9ed6434b
--- /dev/null
+++ b/package/openssh/patches/patch-openbsd-compat_port-tun_c
@@ -0,0 +1,11 @@
+--- openssh-5.5p1.orig/openbsd-compat/port-tun.c 2008-05-19 07:28:36.000000000 +0200
++++ openssh-5.5p1/openbsd-compat/port-tun.c 2010-04-21 20:14:00.000000000 +0200
+@@ -213,7 +213,7 @@ sys_tun_infilter(struct Channel *c, char
+ if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
+ return (-1);
+ ptr = (char *)&rbuf[0];
+- bcopy(buf, ptr + sizeof(u_int32_t), len);
++ memcpy(ptr + sizeof(u_int32_t), buf, len);
+ len += sizeof(u_int32_t);
+ af = (u_int32_t *)ptr;
+
diff --git a/package/pdnsd/files/pdnsd.conf b/package/pdnsd/files/pdnsd.conf
index 00b548117..73690524a 100644
--- a/package/pdnsd/files/pdnsd.conf
+++ b/package/pdnsd/files/pdnsd.conf
@@ -1,7 +1,8 @@
 global {
- perm_cache=1024;
- cache_dir="/var/cache/pdnsd"; # do not change this!
- run_as="nobody";
+ perm_cache = 1024;
+ cache_dir = "/var/cache/pdnsd"; # do not change this!
+ run_as = "nobody";
+ strict_setuid = on;
 server_ip = 127.0.0.1; # Use eth0 here if you want to allow other
 # machines on your network to query pdnsd.
 status_ctl = on;
@@ -11,20 +12,25 @@ global {
 min_ttl=15m; # Retain cached entries at least 15 minutes.
 max_ttl=1w; # One week.
 timeout=10; # Global timeout option (10 seconds).
+ proc_limit = 20;
 }
-server {
- label= "myisp";
- ip = 192.168.0.1; # Put your ISP's DNS-server address(es) here.
-# proxy_only=on; # Do not query any name servers beside your ISP's.
- # This may be necessary if you are behind some
- # kind of firewall and cannot receive replies
- # from outside name servers.
- timeout=4; # Server timeout; this may be much shorter
- # that the global timeout option.
- uptest=if; # Test if the network interface is active.
- interface=eth0; # The name of the interface to check.
- interval=10m; # Check every 10 minutes.
- purge_cache=off; # Keep stale cache entries in case the ISP's
- # DNS servers go offline.
+# serve local host definitions
+source {
+ owner = "localhost";
+ serve_aliases = off; # skip everything after the first host for an IP
+ file = "/etc/hosts";
 }
+
+# for dns servers via dhcp
+#server {
+# label = "dhcp";
+# file = "/var/resolv.conf";
+# exclude = ".lan";
+# policy = fqdn_only;
+# timeout = 4;
+# uptest = if;
+# interface = "eth0";
+# interval = 60;
+#}
+
diff --git a/package/pdnsd/files/pdnsd.init b/package/pdnsd/files/pdnsd.init
index 0da77186d..b67696469 100644
--- a/package/pdnsd/files/pdnsd.init
+++ b/package/pdnsd/files/pdnsd.init
@@ -13,7 +13,10 @@ autostart)
 start)
 [ -f /etc/pdnsd.conf ] || exit
 mkdir -p /var/cache/pdnsd
- pdnsd -s -t -d
+ touch /var/cache/pdnsd/pdnsd.cache
+ # this allows for strict_setuid
+ chown -R nobody:nogroup /var/cache/pdnsd
+ pdnsd -d
 ;;
 stop)
 pkill pdnsd
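Review bot: The only active `server { ... }` block is removed and its replacement, the DHCP-fed one, is entirely commented out, so the shipped pdnsd.conf now has no upstream server and only the new `source { file = "/etc/hosts"; }` section; unless pdnsd falls back to a default I cannot see from here, a fresh install answers only names listed in /etc/hosts. If that is meant to force the administrator to configure a forwarder, a comment next to `#server {` such as `# no upstream is configured by default; uncomment and adapt this block` would keep it from being read as a packaging mistake. `strict_setuid = on` and the new `chown -R nobody:nogroup /var/cache/pdnsd` in the pdnsd.init hunk are the right pairing, but the ch­own runs on every start, so anything else placed under that directory is handed to `nobody` as well; the dropped `-t` flag also changes which transports pdnsd serves, which the commit does not mention.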
diff --git a/package/pdnsd/patches/patch-src_dns_query_c b/package/pdnsd/patches/patch-src_dns_query_c
new file mode 100644
index 000000000..f16c3d497
--- /dev/null
+++ b/package/pdnsd/patches/patch-src_dns_query_c
@@ -0,0 +1,12 @@
+use the temporary port, not always the global one over and over again
+--- pdnsd-1.2.7.orig/src/dns_query.c 2008-09-01 15:56:51.000000000 +0200
++++ pdnsd-1.2.7/src/dns_query.c 2010-03-19 21:44:38.837858828 +0100
+@@ -650,7 +650,7 @@ static int bind_socket(int s)
+ ELSE_IPV6 {
+ memset(&sin.sin6,0,sizeof(struct sockaddr_in6));
+ sin.sin6.sin6_family=AF_INET6;
+- sin.sin6.sin6_port=htons(global.port);
++ sin.sin6.sin6_port=htons(prt);
+ sin.sin6.sin6_flowinfo=IPV6_FLOWINFO;
+ SET_SOCKA_LEN6(sin.sin6);
+ sinl=sizeof(struct sockaddr_in6);
diff --git a/package/tcsh/Makefile b/package/tcsh/Makefile
index ac8424831..b0e85a79a 100644
--- a/package/tcsh/Makefile
+++ b/package/tcsh/Makefile
@@ -8,7 +8,7 @@ PKG_VERSION:= 6.17.00
 PKG_RELEASE:= 1
 PKG_MD5SUM:= c47de903e3d52f6824c8dd0c91eeb477
 PKG_DESCR:= alternative csh
-PKG_SECTION:= shell
+PKG_SECTION:= shells
 PKG_DEPENDS:= libncurses
 PKG_BUILDDEP+= ncurses
 PKG_URL:= http://www.tcsh.org/Welcome
@@ -31,8 +31,10 @@ ADK_TARGET_SUFFIX:= $(strip $(subst ",, $(ADK_TARGET_SUFFIX)))
 ADK_COMPRESSION_TOOL:= $(strip $(subst ",, $(ADK_COMPRESSION_TOOL)))
 ifeq ($(strip ${ADK_HAVE_DOT_CONFIG}),y)
+ifneq ($(strip $(wildcard $(TOPDIR)/target/$(ADK_TARGET)/target.mk)),)
 include $(TOPDIR)/target/$(ADK_TARGET)/target.mk
 endif
+endif
 include $(TOPDIR)/mk/vars.mk
diff --git a/target/linux/config/Config.in.netfilter b/target/linux/config/Config.in.netfilter
index 3cf61ed58..e831fd594 100644
--- a/target/linux/config/Config.in.netfilter
+++ b/target/linux/config/Config.in.netfilter
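Review bot: The one-line header "use the temporary port, not always the global one over and over again" does not say why the change matters: binding every IPv6 query socket to `global.port` means every outgoing query leaves from the same, predictable source port, whereas the per-query `prt` (presumably what the IPv4 branch of bind_socket already uses, which lies outside the hunk) gives each query its own port, and source-port variability is what makes cache poisoning of a resolver hard. Suggest extending the header to `use the per-query port (prt) for IPv6 sockets too; binding to the fixed global.port makes outgoing query source ports predictable`, so the security reason survives the next pdnsd update when this patch is re-based.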
@@ -197,251 +197,12 @@ config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_TCPMSS endmenu menu "IP: Netfilter Configuration" +source target/linux/config/Config.in.netfilter.ip4 +endmenu -config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4 - bool 'IPv4 connection tracking support (required for NAT)' - select ADK_KPACKAGE_KMOD_NF_CONNTRACK - help - Connection tracking keeps a record of what packets have passed - through your machine, in order to figure out how they are related - into connections. - -config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT - bool 'Connection tracking flow accounting' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - If this option is enabled, the connection tracking code will - keep per-flow packet and byte counters. - - Those counters can be used for flow-based accounting or the - `connbytes' match. - -config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK - bool 'Connection mark tracking support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - select ADK_KERNEL_IP_NF_MATCH_CONNMARK - help - This option enables support for connection marks, used by the - `CONNMARK' target and `connmark' match. Similar to the mark value - of packets, but this mark value is kept in the conntrack session - instead of the individual packets. - -config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK - bool 'Connection tracking security mark support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - #FIXME select NETWORK_SECMARK - help - This option enables security markings to be applied to - connections. Typically they are copied to connections from - packets using the CONNSECMARK target and copied back from - connections to packets with the same target, with the packets - being originally labeled via SECMARK. 
- -config ADK_KPACKAGE_KMOD_IP_NF_FTP - tristate 'FTP protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - Tracking FTP connections is problematic: special helpers are - required for tracking them, and doing masquerading and other forms - of Network Address Translation on them. - -config ADK_KPACKAGE_KMOD_IP_NF_IRC - tristate 'IRC protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - There is a commonly-used extension to IRC called - Direct Client-to-Client Protocol (DCC). This enables users to send - files to each other, and also chat to each other without the need - of a server. DCC Sending is used anywhere you send files over IRC, - and DCC Chat is most commonly used by Eggdrop bots. If you are - using NAT, this extension will enable you to send files and initiate - chats. Note that you do NOT need this extension to get files or - have others initiate chats, or everything else in IRC. - -config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS - tristate 'NetBIOS name service protocol support (EXPERIMENTAL)' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - NetBIOS name service requests are sent as broadcast messages from an - unprivileged port and responded to with unicast messages to the - same port. This make them hard to firewall properly because connection - tracking doesn't deal with broadcasts. This helper tracks locally - originating NetBIOS name service requests and the corresponding - responses. It relies on correct IP address configuration, specifically - netmask and broadcast address. 
When properly configured, the output - of "ip address show" should look similar to this: - - $ ip -4 address show eth0 - 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 - inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 - -config ADK_KPACKAGE_KMOD_IP_NF_TFTP - tristate 'TFTP protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - TFTP connection tracking helper, this is required depending - on how restrictive your ruleset is. - If you are using a tftp client behind -j SNAT or -j MASQUERADING - you will need this. - -config ADK_KPACKAGE_KMOD_IP_NF_AMANDA - tristate 'Amanda backup protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - #FIXME TEXTSEARCH && TEXTSEARCH_KMP - help - If you are running the Amanda backup package <http://www.amanda.org/> - on this machine or machines that will be MASQUERADED through this - machine, then you may want to enable this feature. This allows the - connection tracking and natting code to allow the sub-channels that - Amanda requires for communication of the backup data, messages and - index. - -config ADK_KPACKAGE_KMOD_IP_NF_PPTP - tristate 'PPTP protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - This module adds support for PPTP (Point to Point Tunnelling - Protocol, RFC2637) connection tracking and NAT. - - If you are running PPTP sessions over a stateful firewall or NAT - box, you may want to enable this feature. - - Please note that not all PPTP modes of operation are supported yet. - For more info, read top of the file - net/ipv4/netfilter/ip_conntrack_pptp.c - -config ADK_KPACKAGE_KMOD_IP_NF_H323 - tristate 'H.323 protocol support (EXPERIMENTAL)' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - H.323 is a VoIP signalling protocol from ITU-T. As one of the most - important VoIP protocols, it is widely used by voice hardware and - software including voice gateways, IP phones, Netmeeting, OpenPhone, - Gnomemeeting, etc. 
- - With this module you can support H.323 on a connection tracking/NAT - firewall. - - This module supports RAS, Fast Start, H.245 Tunnelling, Call - Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, - whiteboard, file transfer, etc. For more information, please - visit http://nath323.sourceforge.net/. - -config ADK_KPACKAGE_KMOD_IP_NF_SIP - tristate 'SIP protocol support (EXPERIMENTAL)' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - SIP is an application-layer control protocol that can establish, - modify, and terminate multimedia sessions (conferences) such as - Internet telephony calls. With the ip_conntrack_sip and - the ip_nat_sip modules you can support the protocol on a connection - tracking/NATing firewall. - - -config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES - tristate 'IP tables support (required for filtering/masq/NAT)' - select ADK_KERNEL_NETFILTER_XTABLES - help - iptables is a general, extensible packet identification framework. - The packet filtering and full NAT (masquerading, port forwarding, - etc) subsystems now use this: say `Y' or `M' here if you want to use - either of those. - -config ADK_KPACKAGE_KMOD_IP_NF_FILTER - tristate 'Packet Filtering' - depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES - help - Packet filtering defines a table `filter', which has a series of - rules for simple packet filtering at local input, forwarding and - local output. See the man page for iptables(8). - -config ADK_KPACKAGE_KMOD_NF_NAT - tristate 'Full NAT' - depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES - help - The Full NAT option allows masquerading, port forwarding and other - forms of full Network Address Port Translation. It is controlled by - the `nat' table in iptables: see the man page for iptables(8). 
- -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE - tristate 'MASQUERADE target support' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - Masquerading is a special case of NAT: all outgoing connections are - changed to seem to come from a particular interface's address, and - if the interface goes down, those connections are lost. This is - only useful for dialup accounts with dynamic IP address (ie. your IP - address will be different on next dialup). - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT - tristate 'REJECT target support' - depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER - help - The REJECT target allows a filtering rule to specify that an ICMP - error should be issued in response to an incoming packet, rather - than silently being dropped. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG - tristate 'LOG target support' - depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER - help - This option adds a `LOG' target, which allows you to create rules in - any iptables table which records the packet header to the syslog. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG - tristate 'ULOG target support (ipv4 only)' - depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER - help - This option enables the old IPv4-only "ipt_ULOG" implementation - which has been obsoleted by the new "nfnetlink_log" code (see - CONFIG_NETFILTER_NETLINK_LOG). - - This option adds a `ULOG' target, which allows you to create rules in - any iptables table. The packet is passed to a userspace logging - daemon using netlink multicast sockets; unlike the LOG target - which can only be viewed through syslog. 
- - The appropriate userspace logging daemon (ulogd) may be obtained from - <http://www.gnumonks.org/projects/ulogd/> - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT - tristate 'REDIRECT target support' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - REDIRECT is a special case of NAT: all incoming connections are - mapped onto the incoming interface's address, causing the packets to - come to the local machine instead of passing through. This is - useful for transparent proxies. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP - tristate 'NETMAP target support' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - NETMAP is an implementation of static 1:1 NAT mapping of network - addresses. It maps the network address part, while keeping the host - address part intact. It is similar to Fast NAT, except that - Netfilter's connection tracking doesn't work well with Fast NAT. - -config ADK_KPACKAGE_KMOD_IP_NF_MANGLE - tristate 'Packet mangling' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - This option adds a `mangle' table to iptables: see the man page for - iptables(8). This table is used for various packet alterations - which can effect how the packet is routed. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN - tristate 'ECN target support' - depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE - help - This option adds a `ECN' target, which can be used in the iptables mangle - table. - - You can use this target to remove the ECN bits from the IPv4 header of - an IP packet. This is particularly useful, if you need to work around - existing ECN blackholes on the internet, but don't want to disable - ECN support in general. - +menu "IPv6: Netfilter Configuration" + depends on ADK_ENABLE_IPV6 +source target/linux/config/Config.in.netfilter.ip6 endmenu menu "Ethernet bridge firewalling" diff --git a/target/linux/config/Config.in.netfilter.ip4 b/target/linux/config/Config.in.netfilter.ip4 new file mode 100644 index 000000000..34eb14449 --- /dev/null 
+++ b/target/linux/config/Config.in.netfilter.ip4 
@@ -0,0 +1,244 @@ +config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4 + bool 'IPv4 connection tracking support (required for NAT)' + select ADK_KPACKAGE_KMOD_NF_CONNTRACK + help + Connection tracking keeps a record of what packets have passed + through your machine, in order to figure out how they are related + into connections. + +config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT + bool 'Connection tracking flow accounting' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + If this option is enabled, the connection tracking code will + keep per-flow packet and byte counters. + + Those counters can be used for flow-based accounting or the + `connbytes' match. + +config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK + bool 'Connection mark tracking support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + select ADK_KERNEL_IP_NF_MATCH_CONNMARK + help + This option enables support for connection marks, used by the + `CONNMARK' target and `connmark' match. Similar to the mark value + of packets, but this mark value is kept in the conntrack session + instead of the individual packets. + +config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK + bool 'Connection tracking security mark support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + #FIXME select NETWORK_SECMARK + help + This option enables security markings to be applied to + connections. Typically they are copied to connections from + packets using the CONNSECMARK target and copied back from + connections to packets with the same target, with the packets + being originally labeled via SECMARK. + +config ADK_KPACKAGE_KMOD_IP_NF_FTP + tristate 'FTP protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + Tracking FTP connections is problematic: special helpers are + required for tracking them, and doing masquerading and other forms + of Network Address Translation on them. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_IRC + tristate 'IRC protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + There is a commonly-used extension to IRC called + Direct Client-to-Client Protocol (DCC). This enables users to send + files to each other, and also chat to each other without the need + of a server. DCC Sending is used anywhere you send files over IRC, + and DCC Chat is most commonly used by Eggdrop bots. If you are + using NAT, this extension will enable you to send files and initiate + chats. Note that you do NOT need this extension to get files or + have others initiate chats, or everything else in IRC. + +config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS + tristate 'NetBIOS name service protocol support (EXPERIMENTAL)' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + NetBIOS name service requests are sent as broadcast messages from an + unprivileged port and responded to with unicast messages to the + same port. This make them hard to firewall properly because connection + tracking doesn't deal with broadcasts. This helper tracks locally + originating NetBIOS name service requests and the corresponding + responses. It relies on correct IP address configuration, specifically + netmask and broadcast address. When properly configured, the output + of "ip address show" should look similar to this: + + $ ip -4 address show eth0 + 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 + inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 + +config ADK_KPACKAGE_KMOD_IP_NF_TFTP + tristate 'TFTP protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + TFTP connection tracking helper, this is required depending + on how restrictive your ruleset is. + If you are using a tftp client behind -j SNAT or -j MASQUERADING + you will need this. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_AMANDA + tristate 'Amanda backup protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + #FIXME TEXTSEARCH && TEXTSEARCH_KMP + help + If you are running the Amanda backup package <http://www.amanda.org/> + on this machine or machines that will be MASQUERADED through this + machine, then you may want to enable this feature. This allows the + connection tracking and natting code to allow the sub-channels that + Amanda requires for communication of the backup data, messages and + index. + +config ADK_KPACKAGE_KMOD_IP_NF_PPTP + tristate 'PPTP protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + This module adds support for PPTP (Point to Point Tunnelling + Protocol, RFC2637) connection tracking and NAT. + + If you are running PPTP sessions over a stateful firewall or NAT + box, you may want to enable this feature. + + Please note that not all PPTP modes of operation are supported yet. + For more info, read top of the file + net/ipv4/netfilter/ip_conntrack_pptp.c + +config ADK_KPACKAGE_KMOD_IP_NF_H323 + tristate 'H.323 protocol support (EXPERIMENTAL)' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + H.323 is a VoIP signalling protocol from ITU-T. As one of the most + important VoIP protocols, it is widely used by voice hardware and + software including voice gateways, IP phones, Netmeeting, OpenPhone, + Gnomemeeting, etc. + + With this module you can support H.323 on a connection tracking/NAT + firewall. + + This module supports RAS, Fast Start, H.245 Tunnelling, Call + Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, + whiteboard, file transfer, etc. For more information, please + visit http://nath323.sourceforge.net/. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_SIP + tristate 'SIP protocol support (EXPERIMENTAL)' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + SIP is an application-layer control protocol that can establish, + modify, and terminate multimedia sessions (conferences) such as + Internet telephony calls. With the ip_conntrack_sip and + the ip_nat_sip modules you can support the protocol on a connection + tracking/NATing firewall. + + +config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES + tristate 'IP tables support (required for filtering/masq/NAT)' + select ADK_KERNEL_NETFILTER_XTABLES + help + iptables is a general, extensible packet identification framework. + The packet filtering and full NAT (masquerading, port forwarding, + etc) subsystems now use this: say `Y' or `M' here if you want to use + either of those. + +config ADK_KPACKAGE_KMOD_IP_NF_FILTER + tristate 'Packet Filtering' + depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES + help + Packet filtering defines a table `filter', which has a series of + rules for simple packet filtering at local input, forwarding and + local output. See the man page for iptables(8). + +config ADK_KPACKAGE_KMOD_NF_NAT + tristate 'Full NAT' + depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES + help + The Full NAT option allows masquerading, port forwarding and other + forms of full Network Address Port Translation. It is controlled by + the `nat' table in iptables: see the man page for iptables(8). + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE + tristate 'MASQUERADE target support' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + Masquerading is a special case of NAT: all outgoing connections are + changed to seem to come from a particular interface's address, and + if the interface goes down, those connections are lost. This is + only useful for dialup accounts with dynamic IP address (ie. your IP + address will be different on next dialup). 
+ +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT + tristate 'REJECT target support' + depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER + help + The REJECT target allows a filtering rule to specify that an ICMP + error should be issued in response to an incoming packet, rather + than silently being dropped. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG + tristate 'LOG target support' + depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER + help + This option adds a `LOG' target, which allows you to create rules in + any iptables table which records the packet header to the syslog. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG + tristate 'ULOG target support (ipv4 only)' + depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER + help + This option enables the old IPv4-only "ipt_ULOG" implementation + which has been obsoleted by the new "nfnetlink_log" code (see + CONFIG_NETFILTER_NETLINK_LOG). + + This option adds a `ULOG' target, which allows you to create rules in + any iptables table. The packet is passed to a userspace logging + daemon using netlink multicast sockets; unlike the LOG target + which can only be viewed through syslog. + + The appropriate userspace logging daemon (ulogd) may be obtained from + <http://www.gnumonks.org/projects/ulogd/> + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT + tristate 'REDIRECT target support' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + REDIRECT is a special case of NAT: all incoming connections are + mapped onto the incoming interface's address, causing the packets to + come to the local machine instead of passing through. This is + useful for transparent proxies. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP + tristate 'NETMAP target support' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + NETMAP is an implementation of static 1:1 NAT mapping of network + addresses. It maps the network address part, while keeping the host + address part intact. It is similar to Fast NAT, except that + Netfilter's connection tracking doesn't work well with Fast NAT. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_MANGLE + tristate 'Packet mangling' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + This option adds a `mangle' table to iptables: see the man page for + iptables(8). This table is used for various packet alterations + which can effect how the packet is routed. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN + tristate 'ECN target support' + depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE + help + This option adds a `ECN' target, which can be used in the iptables mangle + table. + + You can use this target to remove the ECN bits from the IPv4 header of + an IP packet. This is particularly useful, if you need to work around + existing ECN blackholes on the internet, but don't want to disable + ECN support in general. + diff --git a/target/linux/config/Config.in.netfilter.ip6 b/target/linux/config/Config.in.netfilter.ip6 new file mode 100644 index 000000000..a0bb7beba --- /dev/null +++ b/target/linux/config/Config.in.netfilter.ip6 
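Review bot: The dependency symbols in this new file do not match the symbols it defines: `ADK_KPACKAGE_KMOD_NF_NAT` has `depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES` while the option defined above it is `ADK_KPACKAGE_KMOD_IP_NF_IPTABLES`, and the conntrack helpers (`IP_NF_CT_ACCT`, `IP_NF_CONNTRACK_MARK`, `IP_NF_CONNTRACK_SECMARK`, `IP_NF_FTP` through `IP_NF_SIP`) all `depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK` while the option defined at the top is `ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4`. Unless those two symbols are defined in a file not on this page, kconfig evaluates an undefined symbol as `n`, so `NF_NAT` and everything depending on it (MASQUERADE, REDIRECT, NETMAP, MANGLE, ECN) as well as every helper option would never be offered. The text is moved verbatim from Config.in.netfilter, so the mismatch is pre-existing, but the move is the natural moment to change them to `depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES` and `depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4`.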
@@ -0,0 +1,131 @@
+config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV6
+ tristate "IPv6 connection tracking support"
+ select ADK_KPACKAGE_KMOD_NF_CONNTRACK
+ ---help---
+ Connection tracking keeps a record of what packets have passed
+ through your machine, in order to figure out how they are related
+ into connections.
+
+ This is IPv6 support on Layer 3 independent connection tracking.
+ Layer 3 independent connection tracking is experimental scheme
+ which generalize ip_conntrack to support other layer 3 protocols.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
+ tristate "IP6 tables support (required for filtering)"
+ select ADK_KERNEL_NETFILTER_XTABLES
+ help
+ ip6tables is a general, extensible packet identification framework.
+ Currently only the packet filtering and packet mangling subsystem
+ for IPv6 use this, but connection tracking is going to follow.
+ Say 'Y' or 'M' here if you want to use either of those.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+if ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
+
+# The simple matches.
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_AH
+ tristate '"ah" match support'
+ help
+ This module allows one to match AH packets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_EUI64
+ tristate '"eui64" address check'
+ help
+ This module performs checking on the IPv6 source address
+ Compares the last 64 bits with the EUI64 (delivered
+ from the MAC address) address
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_FRAG
+ tristate '"frag" Fragmentation header match support'
+ help
+ frag matching allows you to match packets based on the fragmentation
+ header of the packet.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_OPTS
+ tristate '"hbh" hop-by-hop and "dst" opts header match support'
+ help
+ This allows one to match packets based on the hop-by-hop
+ and destination options headers of a packet.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_IPV6HEADER
+ tristate '"ipv6header" IPv6 Extension Headers Match'
+ help
+ This module allows one to match packets based upon
+ the ipv6 extension headers.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_MH
+ tristate '"mh" match support'
+ help
+ This module allows one to match MH packets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_RT
+ tristate '"rt" Routing header match support'
+ help
+ rt matching allows you to match packets based on the routing
+ header of the packet.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+# The targets
+config ADK_KPACKAGE_KMOD_IP6_NF_TARGET_LOG
+ tristate "LOG target support"
+ help
+ This option adds a `LOG' target, which allows you to create rules in
+ any iptables table which records the packet header to the syslog.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_FILTER
+ tristate "Packet filtering"
+ help
+ Packet filtering defines a table `filter', which has a series of
+ rules for simple packet filtering at local input, forwarding and
+ local output. See the man page for iptables(8).
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_TARGET_REJECT
+ tristate "REJECT target support"
+ depends on ADK_KPACKAGE_KMOD_IP6_NF_FILTER
+ help
+ The REJECT target allows a filtering rule to specify that an ICMPv6
+ error should be issued in response to an incoming packet, rather
+ than silently being dropped.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MANGLE
+ tristate "Packet mangling"
+ help
+ This option adds a `mangle' table to iptables: see the man page for
+ iptables(8). This table is used for various packet alterations
+ which can effect how the packet is routed.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_RAW
+ tristate 'raw table support (required for TRACE)'
+ help
+ This option adds a `raw' table to ip6tables. This table is the very
+ first in the netfilter framework and hooks in at the PREROUTING
+ and OUTPUT chains.
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+
+endif # ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
diff --git a/toolchain/uClibc/Makefile b/toolchain/uClibc/Makefile
index 8d956f4b1..ee64a4940 100644
--- a/toolchain/uClibc/Makefile
+++ b/toolchain/uClibc/Makefile
@@ -8,6 +8,10 @@ include ../rules.mk
 include Makefile.inc
 include ${TOPDIR}/mk/buildhlp.mk
+ifeq (${ADK_MAKE_PARALLEL},y)
+UCLIBC_MAKEOPTS+= -j${ADK_MAKE_JOBS}
+endif
+
 $(WRKBUILD)/.headers:
 $(SED) 's,^CROSS=.*,CROSS=$(TARGET_CROSS),g' $(WRKBUILD)/Rules.mak
 sed -e 's^KERNEL_HEADERS.*$$KERNEL_HEADERS=\"${TOOLCHAIN_SYSROOT}/usr/include\"' \
@@ -15,7 +19,7 @@ $(WRKBUILD)/.headers:
 ifneq ($(ADK_DEBUG),)
 $(SED) 's,DOSTRIP,DODEBUG,' ${WRKBUILD}/.config
 endif
- $(MAKE) -C $(WRKBUILD) \
+ $(MAKE) ${UCLIBC_MAKEOPTS} -C $(WRKBUILD) \
 PREFIX=$(TOOLCHAIN_SYSROOT) \
 DEVEL_PREFIX=/usr/ \
 RUNTIME_PREFIX=$(TOOLCHAIN_SYSROOT) \
@@ -26,7 +30,7 @@ endif
 touch $@
 $(WRKBUILD)/.compiled:
- $(MAKE) -C $(WRKBUILD) \
+ $(MAKE) ${UCLIBC_MAKEOPTS} -C $(WRKBUILD) \
 PREFIX= \
 DEVEL_PREFIX=/ \
 RUNTIME_PREFIX=/ \ |
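Review bot: `ADK_KPACKAGE_KMOD_IP6_NF_TARGET_LOG` in this file has no dependency at all, whereas its IPv4 counterpart in Config.in.netfilter.ip4 has `depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER` and the IPv6 REJECT target right below it has `depends on ADK_KPACKAGE_KMOD_IP6_NF_FILTER`; adding `depends on ADK_KPACKAGE_KMOD_IP6_NF_FILTER` to the LOG entry would keep the two files parallel and stop LOG from being selectable without the filter table it is used in. Two style points in the same file: the first entry uses `---help---` while every other entry uses `help`, and the help texts keep the kernel's "To compile it as a module, choose M here" trailer and, in `IP6_NF_RAW`, a `<file:Documentation/kbuild/modules.txt>` reference that points into the kernel tree rather than this one; for package options those lines are noise and could be dropped.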
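Review bot: `UCLIBC_MAKEOPTS+= -j${ADK_MAKE_JOBS}` in the first uClibc hunk expands to a bare `-j` when `ADK_MAKE_JOBS` is empty, and GNU make reads a bare `-j` as "no job limit", which can exhaust memory on the build host; guard it, e.g. `ifneq ($(strip ${ADK_MAKE_JOBS}),)` nested inside the `ADK_MAKE_PARALLEL` test, or give the variable a default with `ADK_MAKE_JOBS?= 1`. Separately, an explicit `-jN` on a `$(MAKE)` sub-invocation makes GNU make warn that jobserver mode is disabled for that child, so the uClibc build no longer shares the parent's job slots; when the top-level make already runs with `-j`, plain `$(MAKE)` gives the same parallelism under the shared limit. The recipes of `$(WRKBUILD)/.headers` and `$(WRKBUILD)/.compiled` continue outside the hunks.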