From 9c0dc2abe07c53802eb1afbc287dfea8fb74fa7d Mon Sep 17 00:00:00 2001 From: Waldemar Brodkorb Date: Mon, 12 Apr 2010 08:26:31 +0200 Subject: fix stupid merge errors, mentioned by phil --- BUGS | 5 ----- TODO | 2 ++ package/autoconf/Makefile | 6 ------ 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/BUGS b/BUGS index bbb5275a8..f08dabec5 100644 --- a/BUGS +++ b/BUGS @@ -1,8 +1,3 @@ - openssh on amd64 does not work, ssh-keygen endless loop - uclibc on lemote mips64 target does not work (only uclibc-trunk with patches) -<<<<<<< HEAD - qemu-mips64* targets does not boot, kernel problem? -- (cross-)compile from debian amd64 to f.e. qemu-x86_64 or shuttle with - either glibc or eglibc is broken, have sth. todo with target == host -======= ->>>>>>> 4d569ed1a3305c7b7abe8fa4273cea3b559cc85a diff --git a/TODO b/TODO index 8ab4f4aec..64a9ceca8 100644 --- a/TODO +++ b/TODO @@ -1,3 +1,5 @@ +- php update +- openssh update - macos x build - test on OpenSuSE - test on Fedora Core diff --git a/package/autoconf/Makefile b/package/autoconf/Makefile index b7517b3b3..3e40e7a15 100644 --- a/package/autoconf/Makefile +++ b/package/autoconf/Makefile @@ -4,15 +4,9 @@ include ${TOPDIR}/rules.mk PKG_NAME:= autoconf -<<<<<<< HEAD -PKG_VERSION:= 2.64 -PKG_RELEASE:= 2 -PKG_MD5SUM:= 30a198cef839471dd4926e92ab485361 -======= PKG_VERSION:= 2.65 PKG_RELEASE:= 1 PKG_MD5SUM:= 46cfb40e0babf4c64f8325f03da81c9b ->>>>>>> 4d569ed1a3305c7b7abe8fa4273cea3b559cc85a PKG_DESCR:= GNU autoconf PKG_SECTION:= utils PKG_URL:= http://www.gnu.org/software/autoconf/ -- cgit v1.2.3 From cf46c10bda39030e892589bb2a05289fd698cd2a Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Sun, 11 Apr 2010 23:37:30 +0200 Subject: rules.mk: a little more robustness --- rules.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules.mk b/rules.mk index 145ca7a62..0d8aeb99b 100644 --- a/rules.mk +++ b/rules.mk 
@@ -31,8 +31,10 @@ ADK_TARGET_SUFFIX:= $(strip $(subst ",, $(ADK_TARGET_SUFFIX)))
 ADK_COMPRESSION_TOOL:= $(strip $(subst ",, $(ADK_COMPRESSION_TOOL)))
 ifeq ($(strip ${ADK_HAVE_DOT_CONFIG}),y)
+ifneq ($(strip $(wildcard $(TOPDIR)/target/$(ADK_TARGET)/target.mk)),)
 include $(TOPDIR)/target/$(ADK_TARGET)/target.mk
 endif
+endif
 include $(TOPDIR)/mk/vars.mk
-- cgit v1.2.3
From 21ed9fa0c18c76a05136fb4b9964616b4fea7728 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:35 +0200
Subject: add proper infrastructure for udhcpd
This is a bit hacky, as it creates a meta-package with no prompt and boolean value of the busybox internal udhcpd config symbol. It's use is only to get the required files into the image. I guess there is probably a more elegant way of doing this.
---
 package/busybox/Config.in.manual | 3 +++
 package/busybox/Makefile | 8 ++++++++
 package/busybox/files/udhcpd.conf | 28 ++++++++++++++++++++++++++++
 package/busybox/files/udhcpd.conffiles | 1 +
 package/busybox/files/udhcpd.init | 28 ++++++++++++++++++++++++++++
 package/busybox/files/udhcpd.postinst | 3 +++
 6 files changed, 71 insertions(+)
 create mode 100644 package/busybox/files/udhcpd.conf
 create mode 100644 package/busybox/files/udhcpd.conffiles
 create mode 100644 package/busybox/files/udhcpd.init
 create mode 100644 package/busybox/files/udhcpd.postinst
diff --git a/package/busybox/Config.in.manual b/package/busybox/Config.in.manual
index 84c1bde40..4e7251520 100644
--- a/package/busybox/Config.in.manual
+++ b/package/busybox/Config.in.manual
@@ -17,3 +17,6 @@ menu "Busybox Configuration"
 source "package/busybox/config/Config.in"
 endmenu
+config ADK_PACKAGE_UDHCPD
+ boolean
+ default BUSYBOX_APP_UDHCPD
diff --git a/package/busybox/Makefile b/package/busybox/Makefile
index 400be01e6..5d6826986 100644
--- a/package/busybox/Makefile
+++ b/package/busybox/Makefile
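Review bot: The added `ifneq ($(strip $(wildcard $(TOPDIR)/target/$(ADK_TARGET)/target.mk)),)` guard silently skips the include when the file is absent, so a mistyped or empty ADK_TARGET now yields a build without any target settings instead of the former "No such file" error from `include`. If the intent is only to tolerate targets that legitimately have no target.mk, say so in a comment; otherwise add an `else` branch, `$(warning no target.mk found for ADK_TARGET '$(ADK_TARGET)')`, so the misconfiguration is still visible. The blank context lines of this hunk appear to have been lost in the collapsed rendering and are not reconstructed here.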
@@ -12,9 +12,13 @@ PKG_SECTION:= base
 PKG_URL:= http://www.busybox.net
 PKG_SITES:= http://www.busybox.net/downloads/
+PKG_DESCR_UDHCPD:= uDHCPD meta package
+PKG_SECTION_UDHCPD:= net
+
 include $(TOPDIR)/mk/package.mk
 $(eval $(call PKG_template,BUSYBOX,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,UDHCPD,udhcpd,${PKG_VERSION}-${PKG_RELEASE},busybox,${PKG_DESCR_UDHCPD},${PKG_SECTION_UDHCPD}))
 CONFIG_STYLE:= manual
 BUILD_STYLE:= manual
@@ -63,6 +67,10 @@ ifeq ($(ADK_DEBUG),y)
 ${INSTALL_BIN} $(WRKBUILD)/busybox_unstripped \
 $(IDIR_BUSYBOX)/bin/busybox
 endif
+ifeq ($(ADK_PACKAGE_UDHCPD),y)
+ ${INSTALL_DIR} ${IDIR_UDHCPD}/etc/
+ ${INSTALL_DATA} ./files/udhcpd.conf ${IDIR_UDHCPD}/etc/
+endif
 fake: $(TOPDIR)/.busyboxcfg do-configure do-install
diff --git a/package/busybox/files/udhcpd.conf b/package/busybox/files/udhcpd.conf
new file mode 100644
index 000000000..6c8104dfa
--- /dev/null
+++ b/package/busybox/files/udhcpd.conf
@@ -0,0 +1,28 @@
+# interface to bind to
+interface eth0
+
+# iprange to choose from
+start 192.168.1.100
+end 192.168.1.200
+
+# max number of leases
+#max_leases 100
+
+# period of auto lease file updates (in seconds)
+auto_time 7200
+
+# some timeouts
+#decline_time 3600
+#conflict_time 3600
+#offer_time 60
+#min_lease 60
+
+# do not change the path here
+leases_file /var/udhcpd.leases
+
+# call this script upon lease file write
+# (dumpleases may be useful for debugging)
+#notify_file dumpleases
+
+# static leases
+#static_lease 00:fe:ed:ba:be:00 192.168.1.2
diff --git a/package/busybox/files/udhcpd.conffiles b/package/busybox/files/udhcpd.conffiles
new file mode 100644
index 000000000..c0b2aeea6
--- /dev/null
+++ b/package/busybox/files/udhcpd.conffiles
@@ -0,0 +1 @@
+/etc/udhcpd.conf
diff --git a/package/busybox/files/udhcpd.init b/package/busybox/files/udhcpd.init
new file mode 100644
index 000000000..d9627aa9d
--- /dev/null
+++ b/package/busybox/files/udhcpd.init
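Review bot: The `ifeq ($(ADK_PACKAGE_UDHCPD),y)` block in the second hunk installs only `./files/udhcpd.conf`, while the `udhcpd.init`, `udhcpd.postinst` and `udhcpd.conffiles` files created by this commit are never referenced in the Makefile. Presumably `PKG_template` picks them up from `./files/` by the package name passed as its second argument; if so, a one-line comment above the block would save the next reader the search, e.g. `# udhcpd.{init,postinst,conffiles} are picked up from ./files/ by PKG_template`. If that is not the case, the init script and postinst are silently missing from the image and the install rule needs to copy them too.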
@@ -0,0 +1,28 @@
+#!/bin/sh
+#PKG udhcpd
+#INIT 50
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+ [[ $udhcpd = NO ]] && exit 0
+ exec sh $0 start
+ ;;
+start)
+ touch /var/udhcp.leases
+ udhcpd -S
+ ;;
+stop)
+ pkill udhcpd
+ ;;
+restart)
+ sh $0 stop
+ sh $0 start
+ ;;
+*)
+ echo "Usage: $0 {start | stop | restart}"
+ exit 1
+ ;;
+esac
+exit $?
diff --git a/package/busybox/files/udhcpd.postinst b/package/busybox/files/udhcpd.postinst
new file mode 100644
index 000000000..f90718c58
--- /dev/null
+++ b/package/busybox/files/udhcpd.postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+. $IPKG_INSTROOT/etc/functions.sh
+add_rcconf udhcpd udhcpd 'NO'
-- cgit v1.2.3
From 9b88e974d36bfb507623cbf5c8ef12d67d378240 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:36 +0200
Subject: add back in the good old "enable IPv6" option
We do Linux, so we do IPv6. Internet for everyone.
---
 mk/package.mk | 4 ++++
 package/Config.in | 9 +++++++++
 2 files changed, 13 insertions(+)
diff --git a/mk/package.mk b/mk/package.mk
index 6c58d4d4e..b4b02d8a5 100644
--- a/mk/package.mk
+++ b/mk/package.mk
@@ -43,6 +43,10 @@ else
 CONFIGURE_ARGS+= --disable-debug
 endif
+ifeq ($(ADK_ENABLE_IPV6),y)
+CONFIGURE_ARGS+= --enable-ipv6
+endif
+
 CONFIGURE_ENV+= CONFIG_SHELL='$(strip ${SHELL})' \
 CFLAGS='$(strip ${TCFLAGS})' \
 CXXFLAGS='$(strip ${TCXXFLAGS})' \
diff --git a/package/Config.in b/package/Config.in
index e5ffd2e07..a48b5b444 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -3,6 +3,15 @@ menu "Package selection"
+config ADK_ENABLE_IPV6
+ prompt "enable IPv6 globally"
+ boolean
+ default y
+ help
+ This enables IPv6 support in all related applications. Basically this
+ just means passing --enable-ipv6 to the configure script, but the
+ exception proves the rule. ;)
+
 menu "Basesystem"
 source "package/adkinstall/Config.in"
 source "package/base-files/Config.in"
-- cgit v1.2.3
From dcc208d1f0033508a937c50a6caba280c19ecda5 Mon Sep 17 00:00:00 2001
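Review bot: `touch /var/udhcp.leases` in the `start)` case creates a file the daemon never uses: udhcpd.conf from the same commit sets `leases_file /var/udhcpd.leases` (and even says "do not change the path here"), so the name here should be `touch /var/udhcpd.leases`. `[[ $udhcpd = NO ]]` is a bash/ksh construct under a `#!/bin/sh` shebang; busybox ash only accepts it when built with bash compatibility, whereas `[ "$udhcpd" = NO ] && exit 0` works everywhere and is also safe when the variable is unset. `pkill udhcpd` in `stop)` matches any process whose name contains that string, which is wider than needed; if the busybox build has it, `pkill -x udhcpd` limits the kill to the daemon itself.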
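Review bot: The new `ifeq ($(ADK_ENABLE_IPV6),y)` block has no `else` branch, so when the option is off nothing is passed and each package's configure script falls back to its own autodetection — IPv6 is only forced on, never forced off, which is not what "enable IPv6 globally" suggests. If the option is meant to control IPv6 in both directions, add `else` / `CONFIGURE_ARGS+= --disable-ipv6` (autoconf merely warns about an unrecognised --disable flag); if the asymmetry is intended, document it with `# only forces IPv6 on; when unset, configure scripts autodetect` above the block. The same hedge applies to the Config.in help text in this commit, which describes the option as passing --enable-ipv6 only.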
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:37 +0200
Subject: fix pdnsd for IPv6 queries
---
 package/pdnsd/patches/patch-src_dns_query_c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 package/pdnsd/patches/patch-src_dns_query_c
diff --git a/package/pdnsd/patches/patch-src_dns_query_c b/package/pdnsd/patches/patch-src_dns_query_c
new file mode 100644
index 000000000..f16c3d497
--- /dev/null
+++ b/package/pdnsd/patches/patch-src_dns_query_c
@@ -0,0 +1,12 @@
+use the temporary port, not always the global one over and over again
+--- pdnsd-1.2.7.orig/src/dns_query.c 2008-09-01 15:56:51.000000000 +0200
++++ pdnsd-1.2.7/src/dns_query.c 2010-03-19 21:44:38.837858828 +0100
+@@ -650,7 +650,7 @@ static int bind_socket(int s)
+ ELSE_IPV6 {
+ memset(&sin.sin6,0,sizeof(struct sockaddr_in6));
+ sin.sin6.sin6_family=AF_INET6;
+- sin.sin6.sin6_port=htons(global.port);
++ sin.sin6.sin6_port=htons(prt);
+ sin.sin6.sin6_flowinfo=IPV6_FLOWINFO;
+ SET_SOCKA_LEN6(sin.sin6);
+ sinl=sizeof(struct sockaddr_in6);
-- cgit v1.2.3
From 64e18613d6fa738e74f768f8c9f79010b886f924 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:38 +0200
Subject: base-files/sysctl.conf: add statement to enable IPv6 forwarding
---
 package/base-files/src/etc/sysctl.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/package/base-files/src/etc/sysctl.conf b/package/base-files/src/etc/sysctl.conf
index 73260cf9d..f45e98632 100644
--- a/package/base-files/src/etc/sysctl.conf
+++ b/package/base-files/src/etc/sysctl.conf
@@ -4,6 +4,7 @@
 #kernel.panic = 3
 # Enable packet forwarding
 #net.ipv4.ip_forward = 1
+#net.ipv6.conf.all.forwarding = 1
 # Disables IP dynaddr
 #net.ipv4.ip_dynaddr = 0
 # Disable ECN
-- cgit v1.2.3
From e09ba936612208368ca2fa254076e60147776518 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:39 +0200
Subject: pdnsd review: improve default config, fix init script
---
 package/pdnsd/files/pdnsd.conf | 40 +++++++++++++++++++++++-----------------
 package/pdnsd/files/pdnsd.init | 5 ++++-
 2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/package/pdnsd/files/pdnsd.conf b/package/pdnsd/files/pdnsd.conf
index 00b548117..73690524a 100644
--- a/package/pdnsd/files/pdnsd.conf
+++ b/package/pdnsd/files/pdnsd.conf
@@ -1,7 +1,8 @@
 global {
- perm_cache=1024;
- cache_dir="/var/cache/pdnsd"; # do not change this!
- run_as="nobody";
+ perm_cache = 1024;
+ cache_dir = "/var/cache/pdnsd"; # do not change this!
+ run_as = "nobody";
+ strict_setuid = on;
 server_ip = 127.0.0.1; # Use eth0 here if you want to allow other
 # machines on your network to query pdnsd.
 status_ctl = on;
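Review bot: The added `strict_setuid = on` together with `run_as = "nobody"` makes pdnsd refuse to start unless it can actually drop privileges, which in turn requires `/var/cache/pdnsd` to be writable by that user — the init script in this same commit is what creates and chowns the directory, but the config gives no hint of that coupling. The existing comment on `cache_dir` ("do not change this!") should say why: `cache_dir = "/var/cache/pdnsd"; # do not change this! the init script chowns it to nobody for strict_setuid`. Anyone who later relocates the cache or the run_as user then knows both files have to move together.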
@@ -11,20 +12,25 @@ global {
 min_ttl=15m; # Retain cached entries at least 15 minutes.
 max_ttl=1w; # One week.
 timeout=10; # Global timeout option (10 seconds).
+ proc_limit = 20;
 }
-server {
- label= "myisp";
- ip = 192.168.0.1; # Put your ISP's DNS-server address(es) here.
-# proxy_only=on; # Do not query any name servers beside your ISP's.
- # This may be necessary if you are behind some
- # kind of firewall and cannot receive replies
- # from outside name servers.
- timeout=4; # Server timeout; this may be much shorter
- # that the global timeout option.
- uptest=if; # Test if the network interface is active.
- interface=eth0; # The name of the interface to check.
- interval=10m; # Check every 10 minutes.
- purge_cache=off; # Keep stale cache entries in case the ISP's
- # DNS servers go offline.
+# serve local host definitions
+source {
+ owner = "localhost";
+ serve_aliases = off; # skip everything after the first host for an IP
+ file = "/etc/hosts";
 }
+
+# for dns servers via dhcp
+#server {
+# label = "dhcp";
+# file = "/var/resolv.conf";
+# exclude = ".lan";
+# policy = fqdn_only;
+# timeout = 4;
+# uptest = if;
+# interface = "eth0";
+# interval = 60;
+#}
+
diff --git a/package/pdnsd/files/pdnsd.init b/package/pdnsd/files/pdnsd.init
index 0da77186d..b67696469 100644
--- a/package/pdnsd/files/pdnsd.init
+++ b/package/pdnsd/files/pdnsd.init
@@ -13,7 +13,10 @@ autostart)
 start)
 [ -f /etc/pdnsd.conf ] || exit
 mkdir -p /var/cache/pdnsd
- pdnsd -s -t -d
+ touch /var/cache/pdnsd/pdnsd.cache
+ # this allows for strict_setuid
+ chown -R nobody:nogroup /var/cache/pdnsd
+ pdnsd -d
 ;;
 stop)
 pkill pdnsd
-- cgit v1.2.3
From d7ca8e4860e5b38c9f3cda2b6786b9fa89ac8bf5 Mon Sep 17 00:00:00 2001
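Review bot: After this hunk the shipped configuration has no active upstream at all: the old `server { … }` block is deleted and its replacement under "for dns servers via dhcp" is entirely commented out, so a default install answers only what `/etc/hosts` provides and forwards nothing. Either ship the dhcp `server` block enabled, or make the situation explicit above it: `# no upstream server is configured by default; uncomment and adapt this block (or add your own) to resolve anything beyond /etc/hosts`. `file = "/var/resolv.conf"` is also a non-standard path; a short comment naming which component writes it (presumably the DHCP client) would help whoever enables the block.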
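Review bot: Replacing `pdnsd -s -t -d` with `pdnsd -d` drops `-t` (the TCP server thread) along with `-s`; `status_ctl = on` in the new pdnsd.conf covers `-s`, but nothing in the config hunks sets `tcp_server = on`, so TCP queries — needed for answers too large for a UDP packet — would no longer be served. If that is intended it deserves a line in the commit message, otherwise keep `-t` here or add `tcp_server = on;` to the global section. `chown -R nobody:nogroup /var/cache/pdnsd` also recurses on every start over a tree the unprivileged daemon writes to; `chown nobody:nogroup /var/cache/pdnsd /var/cache/pdnsd/pdnsd.cache` covers exactly what strict_setuid needs without walking daemon-controlled content as root.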
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:40 +0200
Subject: fix nfs-utils for IPv6
FIXME: this is rather a workaround, the package flavour system should support conditional defaults (or we should select the flavour option conditionally from the main package symbol?).
---
 package/Config.in | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/package/Config.in b/package/Config.in
index a48b5b444..87a4066a7 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -7,6 +7,9 @@ config ADK_ENABLE_IPV6
 prompt "enable IPv6 globally"
 boolean
 default y
+ # FIXME: selecting stuff here is ugly, better fix package flavours to
+ # support a symbol-value-based default (i.e., "default y if IPV6")
+ select ADK_PACKAGE_NFS_UTILS_WITH_TIRPC if ADK_PACKAGE_NFS_UTILS != n
 help
 This enables IPv6 support in all related applications. Basically this
 just means passing --enable-ipv6 to the configure script, but the
-- cgit v1.2.3
From 4966edc2d201b4f728e0fe22b7bb5b0711e3583d Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:41 +0200
Subject: split IPv4 symbols from Config.in.netfilter, add IPv6 ones
Luckily, the vast majority of iptables modules now reside in netfilter core (i.e. they're layer3-independent), so there is not so much to keep in sync in between iptables and ip6tables.
---
 mk/modules.mk | 61 +++++++
 target/linux/config/Config.in.netfilter | 249 +---------------------
 target/linux/config/Config.in.netfilter.ip4 | 244 +++++++++++++++++++++++++++
 target/linux/config/Config.in.netfilter.ip6 | 131 +++++++++++++++
 4 files changed, 441 insertions(+), 244 deletions(-)
 create mode 100644 target/linux/config/Config.in.netfilter.ip4
 create mode 100644 target/linux/config/Config.in.netfilter.ip6
diff --git a/mk/modules.mk b/mk/modules.mk
index ab33f6863..90c26affc 100644
--- a/mk/modules.mk
+++ b/mk/modules.mk
@@ -509,6 +509,67 @@ $(eval $(call KMOD_template,IP_NF_TARGET_TTL,ip-nf-target-ttl,\
 $(MODULES_DIR)/kernel/net/ipv4/netfilter/ipt_TTL \
 ,65))
+#
+# IPv6: Netfilter
+#
+$(eval $(call KMOD_template,NF_CONNTRACK_IPV6,nf-conntrack-ipv6,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/nf_conntrack_ipv6 \
+,50))
+
+$(eval $(call KMOD_template,IP6_NF_IPTABLES,ip6-nf-iptables,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6_tables \
+,50))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_AH,ip6-nf-match-AH,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_ah \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_EUI64,ip6-nf-match-eui64,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_eui64 \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_FRAG,ip6-nf-match-frag,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_frag \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_OPTS,ip6-nf-match-opts,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_hbh \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_IPV6HEADER,ip6-nf-match-ipv6header,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_ipv6header \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_MH,ip6-nf-match-mh,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_mh \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_RT,ip6-nf-match-rt,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_rt \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_TARGET_LOG,ip6-nf-target-log,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_LOG \
+,55))
+
+#
+# IPv6: Filtering
+#
+$(eval $(call KMOD_template,IP6_NF_FILTER,ip6-nf-filter,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6table_filter \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_TARGET_REJECT,ip6-nf-target-reject,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_REJECT \
+,60))
+
+#
+# IPv6: Mangle
+#
+$(eval $(call KMOD_template,IP6_NF_MANGLE,ip6-nf-mangle,\
+ $(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6table_mangle \
+,60))
+
 #
 # IPVS
 #
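Review bot: `ip6-nf-match-AH` is the only package name in the new block with upper-case letters; every sibling (`ip6-nf-match-eui64`, `ip6-nf-match-frag`, `ip6-nf-target-log`, …) and the IPv4 entries above the hunk are all lower-case, and since the second KMOD_template argument becomes the package name this will stick out in package lists and file names. Renaming it to `ip6-nf-match-ah` keeps the convention; the first argument `IP6_NF_MATCH_AH` and the module path are fine as they are. The three new section headers could also mention that the numeric last argument is a load-order priority, if that is what it is — the template is not visible here, so the reader has to guess.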
diff --git a/target/linux/config/Config.in.netfilter b/target/linux/config/Config.in.netfilter
index 3cf61ed58..e831fd594 100644
--- a/target/linux/config/Config.in.netfilter
+++ b/target/linux/config/Config.in.netfilter
@@ -197,251 +197,12 @@ config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_TCPMSS endmenu menu "IP: Netfilter Configuration" +source target/linux/config/Config.in.netfilter.ip4 +endmenu -config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4 - bool 'IPv4 connection tracking support (required for NAT)' - select ADK_KPACKAGE_KMOD_NF_CONNTRACK - help - Connection tracking keeps a record of what packets have passed - through your machine, in order to figure out how they are related - into connections. - -config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT - bool 'Connection tracking flow accounting' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - If this option is enabled, the connection tracking code will - keep per-flow packet and byte counters. - - Those counters can be used for flow-based accounting or the - `connbytes' match. - -config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK - bool 'Connection mark tracking support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - select ADK_KERNEL_IP_NF_MATCH_CONNMARK - help - This option enables support for connection marks, used by the - `CONNMARK' target and `connmark' match. Similar to the mark value - of packets, but this mark value is kept in the conntrack session - instead of the individual packets. - -config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK - bool 'Connection tracking security mark support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - #FIXME select NETWORK_SECMARK - help - This option enables security markings to be applied to - connections. Typically they are copied to connections from - packets using the CONNSECMARK target and copied back from - connections to packets with the same target, with the packets - being originally labeled via SECMARK. 
- -config ADK_KPACKAGE_KMOD_IP_NF_FTP - tristate 'FTP protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - Tracking FTP connections is problematic: special helpers are - required for tracking them, and doing masquerading and other forms - of Network Address Translation on them. - -config ADK_KPACKAGE_KMOD_IP_NF_IRC - tristate 'IRC protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - There is a commonly-used extension to IRC called - Direct Client-to-Client Protocol (DCC). This enables users to send - files to each other, and also chat to each other without the need - of a server. DCC Sending is used anywhere you send files over IRC, - and DCC Chat is most commonly used by Eggdrop bots. If you are - using NAT, this extension will enable you to send files and initiate - chats. Note that you do NOT need this extension to get files or - have others initiate chats, or everything else in IRC. - -config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS - tristate 'NetBIOS name service protocol support (EXPERIMENTAL)' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - NetBIOS name service requests are sent as broadcast messages from an - unprivileged port and responded to with unicast messages to the - same port. This make them hard to firewall properly because connection - tracking doesn't deal with broadcasts. This helper tracks locally - originating NetBIOS name service requests and the corresponding - responses. It relies on correct IP address configuration, specifically - netmask and broadcast address. 
When properly configured, the output - of "ip address show" should look similar to this: - - $ ip -4 address show eth0 - 4: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 - inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 - -config ADK_KPACKAGE_KMOD_IP_NF_TFTP - tristate 'TFTP protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - TFTP connection tracking helper, this is required depending - on how restrictive your ruleset is. - If you are using a tftp client behind -j SNAT or -j MASQUERADING - you will need this. - -config ADK_KPACKAGE_KMOD_IP_NF_AMANDA - tristate 'Amanda backup protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - #FIXME TEXTSEARCH && TEXTSEARCH_KMP - help - If you are running the Amanda backup package - on this machine or machines that will be MASQUERADED through this - machine, then you may want to enable this feature. This allows the - connection tracking and natting code to allow the sub-channels that - Amanda requires for communication of the backup data, messages and - index. - -config ADK_KPACKAGE_KMOD_IP_NF_PPTP - tristate 'PPTP protocol support' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - This module adds support for PPTP (Point to Point Tunnelling - Protocol, RFC2637) connection tracking and NAT. - - If you are running PPTP sessions over a stateful firewall or NAT - box, you may want to enable this feature. - - Please note that not all PPTP modes of operation are supported yet. - For more info, read top of the file - net/ipv4/netfilter/ip_conntrack_pptp.c - -config ADK_KPACKAGE_KMOD_IP_NF_H323 - tristate 'H.323 protocol support (EXPERIMENTAL)' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - H.323 is a VoIP signalling protocol from ITU-T. As one of the most - important VoIP protocols, it is widely used by voice hardware and - software including voice gateways, IP phones, Netmeeting, OpenPhone, - Gnomemeeting, etc. 
- - With this module you can support H.323 on a connection tracking/NAT - firewall. - - This module supports RAS, Fast Start, H.245 Tunnelling, Call - Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, - whiteboard, file transfer, etc. For more information, please - visit http://nath323.sourceforge.net/. - -config ADK_KPACKAGE_KMOD_IP_NF_SIP - tristate 'SIP protocol support (EXPERIMENTAL)' - depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK - help - SIP is an application-layer control protocol that can establish, - modify, and terminate multimedia sessions (conferences) such as - Internet telephony calls. With the ip_conntrack_sip and - the ip_nat_sip modules you can support the protocol on a connection - tracking/NATing firewall. - - -config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES - tristate 'IP tables support (required for filtering/masq/NAT)' - select ADK_KERNEL_NETFILTER_XTABLES - help - iptables is a general, extensible packet identification framework. - The packet filtering and full NAT (masquerading, port forwarding, - etc) subsystems now use this: say `Y' or `M' here if you want to use - either of those. - -config ADK_KPACKAGE_KMOD_IP_NF_FILTER - tristate 'Packet Filtering' - depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES - help - Packet filtering defines a table `filter', which has a series of - rules for simple packet filtering at local input, forwarding and - local output. See the man page for iptables(8). - -config ADK_KPACKAGE_KMOD_NF_NAT - tristate 'Full NAT' - depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES - help - The Full NAT option allows masquerading, port forwarding and other - forms of full Network Address Port Translation. It is controlled by - the `nat' table in iptables: see the man page for iptables(8). 
- -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE - tristate 'MASQUERADE target support' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - Masquerading is a special case of NAT: all outgoing connections are - changed to seem to come from a particular interface's address, and - if the interface goes down, those connections are lost. This is - only useful for dialup accounts with dynamic IP address (ie. your IP - address will be different on next dialup). - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT - tristate 'REJECT target support' - depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER - help - The REJECT target allows a filtering rule to specify that an ICMP - error should be issued in response to an incoming packet, rather - than silently being dropped. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG - tristate 'LOG target support' - depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER - help - This option adds a `LOG' target, which allows you to create rules in - any iptables table which records the packet header to the syslog. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG - tristate 'ULOG target support (ipv4 only)' - depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER - help - This option enables the old IPv4-only "ipt_ULOG" implementation - which has been obsoleted by the new "nfnetlink_log" code (see - CONFIG_NETFILTER_NETLINK_LOG). - - This option adds a `ULOG' target, which allows you to create rules in - any iptables table. The packet is passed to a userspace logging - daemon using netlink multicast sockets; unlike the LOG target - which can only be viewed through syslog. - - The appropriate userspace logging daemon (ulogd) may be obtained from - - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT - tristate 'REDIRECT target support' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - REDIRECT is a special case of NAT: all incoming connections are - mapped onto the incoming interface's address, causing the packets to - come to the local machine instead of passing through. 
This is - useful for transparent proxies. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP - tristate 'NETMAP target support' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - NETMAP is an implementation of static 1:1 NAT mapping of network - addresses. It maps the network address part, while keeping the host - address part intact. It is similar to Fast NAT, except that - Netfilter's connection tracking doesn't work well with Fast NAT. - -config ADK_KPACKAGE_KMOD_IP_NF_MANGLE - tristate 'Packet mangling' - depends on ADK_KPACKAGE_KMOD_NF_NAT - help - This option adds a `mangle' table to iptables: see the man page for - iptables(8). This table is used for various packet alterations - which can effect how the packet is routed. - -config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN - tristate 'ECN target support' - depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE - help - This option adds a `ECN' target, which can be used in the iptables mangle - table. - - You can use this target to remove the ECN bits from the IPv4 header of - an IP packet. This is particularly useful, if you need to work around - existing ECN blackholes on the internet, but don't want to disable - ECN support in general. - +menu "IPv6: Netfilter Configuration" + depends on ADK_ENABLE_IPV6 +source target/linux/config/Config.in.netfilter.ip6 endmenu menu "Ethernet bridge firewalling" diff --git a/target/linux/config/Config.in.netfilter.ip4 b/target/linux/config/Config.in.netfilter.ip4 new file mode 100644 index 000000000..34eb14449 --- /dev/null +++ b/target/linux/config/Config.in.netfilter.ip4 
@@ -0,0 +1,244 @@ +config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4 + bool 'IPv4 connection tracking support (required for NAT)' + select ADK_KPACKAGE_KMOD_NF_CONNTRACK + help + Connection tracking keeps a record of what packets have passed + through your machine, in order to figure out how they are related + into connections. + +config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT + bool 'Connection tracking flow accounting' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + If this option is enabled, the connection tracking code will + keep per-flow packet and byte counters. + + Those counters can be used for flow-based accounting or the + `connbytes' match. + +config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK + bool 'Connection mark tracking support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + select ADK_KERNEL_IP_NF_MATCH_CONNMARK + help + This option enables support for connection marks, used by the + `CONNMARK' target and `connmark' match. Similar to the mark value + of packets, but this mark value is kept in the conntrack session + instead of the individual packets. + +config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK + bool 'Connection tracking security mark support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + #FIXME select NETWORK_SECMARK + help + This option enables security markings to be applied to + connections. Typically they are copied to connections from + packets using the CONNSECMARK target and copied back from + connections to packets with the same target, with the packets + being originally labeled via SECMARK. + +config ADK_KPACKAGE_KMOD_IP_NF_FTP + tristate 'FTP protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + Tracking FTP connections is problematic: special helpers are + required for tracking them, and doing masquerading and other forms + of Network Address Translation on them. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_IRC + tristate 'IRC protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + There is a commonly-used extension to IRC called + Direct Client-to-Client Protocol (DCC). This enables users to send + files to each other, and also chat to each other without the need + of a server. DCC Sending is used anywhere you send files over IRC, + and DCC Chat is most commonly used by Eggdrop bots. If you are + using NAT, this extension will enable you to send files and initiate + chats. Note that you do NOT need this extension to get files or + have others initiate chats, or everything else in IRC. + +config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS + tristate 'NetBIOS name service protocol support (EXPERIMENTAL)' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + NetBIOS name service requests are sent as broadcast messages from an + unprivileged port and responded to with unicast messages to the + same port. This make them hard to firewall properly because connection + tracking doesn't deal with broadcasts. This helper tracks locally + originating NetBIOS name service requests and the corresponding + responses. It relies on correct IP address configuration, specifically + netmask and broadcast address. When properly configured, the output + of "ip address show" should look similar to this: + + $ ip -4 address show eth0 + 4: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 + inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 + +config ADK_KPACKAGE_KMOD_IP_NF_TFTP + tristate 'TFTP protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + TFTP connection tracking helper, this is required depending + on how restrictive your ruleset is. + If you are using a tftp client behind -j SNAT or -j MASQUERADING + you will need this. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_AMANDA + tristate 'Amanda backup protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + #FIXME TEXTSEARCH && TEXTSEARCH_KMP + help + If you are running the Amanda backup package + on this machine or machines that will be MASQUERADED through this + machine, then you may want to enable this feature. This allows the + connection tracking and natting code to allow the sub-channels that + Amanda requires for communication of the backup data, messages and + index. + +config ADK_KPACKAGE_KMOD_IP_NF_PPTP + tristate 'PPTP protocol support' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + This module adds support for PPTP (Point to Point Tunnelling + Protocol, RFC2637) connection tracking and NAT. + + If you are running PPTP sessions over a stateful firewall or NAT + box, you may want to enable this feature. + + Please note that not all PPTP modes of operation are supported yet. + For more info, read top of the file + net/ipv4/netfilter/ip_conntrack_pptp.c + +config ADK_KPACKAGE_KMOD_IP_NF_H323 + tristate 'H.323 protocol support (EXPERIMENTAL)' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + H.323 is a VoIP signalling protocol from ITU-T. As one of the most + important VoIP protocols, it is widely used by voice hardware and + software including voice gateways, IP phones, Netmeeting, OpenPhone, + Gnomemeeting, etc. + + With this module you can support H.323 on a connection tracking/NAT + firewall. + + This module supports RAS, Fast Start, H.245 Tunnelling, Call + Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, + whiteboard, file transfer, etc. For more information, please + visit http://nath323.sourceforge.net/. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_SIP + tristate 'SIP protocol support (EXPERIMENTAL)' + depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK + help + SIP is an application-layer control protocol that can establish, + modify, and terminate multimedia sessions (conferences) such as + Internet telephony calls. With the ip_conntrack_sip and + the ip_nat_sip modules you can support the protocol on a connection + tracking/NATing firewall. + + +config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES + tristate 'IP tables support (required for filtering/masq/NAT)' + select ADK_KERNEL_NETFILTER_XTABLES + help + iptables is a general, extensible packet identification framework. + The packet filtering and full NAT (masquerading, port forwarding, + etc) subsystems now use this: say `Y' or `M' here if you want to use + either of those. + +config ADK_KPACKAGE_KMOD_IP_NF_FILTER + tristate 'Packet Filtering' + depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES + help + Packet filtering defines a table `filter', which has a series of + rules for simple packet filtering at local input, forwarding and + local output. See the man page for iptables(8). + +config ADK_KPACKAGE_KMOD_NF_NAT + tristate 'Full NAT' + depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES + help + The Full NAT option allows masquerading, port forwarding and other + forms of full Network Address Port Translation. It is controlled by + the `nat' table in iptables: see the man page for iptables(8). + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE + tristate 'MASQUERADE target support' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + Masquerading is a special case of NAT: all outgoing connections are + changed to seem to come from a particular interface's address, and + if the interface goes down, those connections are lost. This is + only useful for dialup accounts with dynamic IP address (ie. your IP + address will be different on next dialup). 
+ +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT + tristate 'REJECT target support' + depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER + help + The REJECT target allows a filtering rule to specify that an ICMP + error should be issued in response to an incoming packet, rather + than silently being dropped. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG + tristate 'LOG target support' + depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER + help + This option adds a `LOG' target, which allows you to create rules in + any iptables table which records the packet header to the syslog. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG + tristate 'ULOG target support (ipv4 only)' + depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER + help + This option enables the old IPv4-only "ipt_ULOG" implementation + which has been obsoleted by the new "nfnetlink_log" code (see + CONFIG_NETFILTER_NETLINK_LOG). + + This option adds a `ULOG' target, which allows you to create rules in + any iptables table. The packet is passed to a userspace logging + daemon using netlink multicast sockets; unlike the LOG target + which can only be viewed through syslog. + + The appropriate userspace logging daemon (ulogd) may be obtained from + + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT + tristate 'REDIRECT target support' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + REDIRECT is a special case of NAT: all incoming connections are + mapped onto the incoming interface's address, causing the packets to + come to the local machine instead of passing through. This is + useful for transparent proxies. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP + tristate 'NETMAP target support' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + NETMAP is an implementation of static 1:1 NAT mapping of network + addresses. It maps the network address part, while keeping the host + address part intact. It is similar to Fast NAT, except that + Netfilter's connection tracking doesn't work well with Fast NAT. 
+ +config ADK_KPACKAGE_KMOD_IP_NF_MANGLE + tristate 'Packet mangling' + depends on ADK_KPACKAGE_KMOD_NF_NAT + help + This option adds a `mangle' table to iptables: see the man page for + iptables(8). This table is used for various packet alterations + which can effect how the packet is routed. + +config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN + tristate 'ECN target support' + depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE + help + This option adds a `ECN' target, which can be used in the iptables mangle + table. + + You can use this target to remove the ECN bits from the IPv4 header of + an IP packet. This is particularly useful, if you need to work around + existing ECN blackholes on the internet, but don't want to disable + ECN support in general. + diff --git a/target/linux/config/Config.in.netfilter.ip6 b/target/linux/config/Config.in.netfilter.ip6 new file mode 100644 index 000000000..a0bb7beba --- /dev/null +++ b/target/linux/config/Config.in.netfilter.ip6 
@@ -0,0 +1,131 @@
+config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV6
+ tristate "IPv6 connection tracking support"
+ select ADK_KPACKAGE_KMOD_NF_CONNTRACK
+ ---help---
+ Connection tracking keeps a record of what packets have passed
+ through your machine, in order to figure out how they are related
+ into connections.
+
+ This is IPv6 support on Layer 3 independent connection tracking.
+ Layer 3 independent connection tracking is experimental scheme
+ which generalize ip_conntrack to support other layer 3 protocols.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
+ tristate "IP6 tables support (required for filtering)"
+ select ADK_KERNEL_NETFILTER_XTABLES
+ help
+ ip6tables is a general, extensible packet identification framework.
+ Currently only the packet filtering and packet mangling subsystem
+ for IPv6 use this, but connection tracking is going to follow.
+ Say 'Y' or 'M' here if you want to use either of those.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+if ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
+
+# The simple matches.
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_AH
+ tristate '"ah" match support'
+ help
+ This module allows one to match AH packets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_EUI64
+ tristate '"eui64" address check'
+ help
+ This module performs checking on the IPv6 source address
+ Compares the last 64 bits with the EUI64 (delivered
+ from the MAC address) address
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_FRAG
+ tristate '"frag" Fragmentation header match support'
+ help
+ frag matching allows you to match packets based on the fragmentation
+ header of the packet.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_OPTS
+ tristate '"hbh" hop-by-hop and "dst" opts header match support'
+ help
+ This allows one to match packets based on the hop-by-hop
+ and destination options headers of a packet.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_IPV6HEADER
+ tristate '"ipv6header" IPv6 Extension Headers Match'
+ help
+ This module allows one to match packets based upon
+ the ipv6 extension headers.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_MH
+ tristate '"mh" match support'
+ help
+ This module allows one to match MH packets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_RT
+ tristate '"rt" Routing header match support'
+ help
+ rt matching allows you to match packets based on the routing
+ header of the packet.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+# The targets
+config ADK_KPACKAGE_KMOD_IP6_NF_TARGET_LOG
+ tristate "LOG target support"
+ help
+ This option adds a `LOG' target, which allows you to create rules in
+ any iptables table which records the packet header to the syslog.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_FILTER
+ tristate "Packet filtering"
+ help
+ Packet filtering defines a table `filter', which has a series of
+ rules for simple packet filtering at local input, forwarding and
+ local output. See the man page for iptables(8).
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_TARGET_REJECT
+ tristate "REJECT target support"
+ depends on ADK_KPACKAGE_KMOD_IP6_NF_FILTER
+ help
+ The REJECT target allows a filtering rule to specify that an ICMPv6
+ error should be issued in response to an incoming packet, rather
+ than silently being dropped.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MANGLE
+ tristate "Packet mangling"
+ help
+ This option adds a `mangle' table to iptables: see the man page for
+ iptables(8). This table is used for various packet alterations
+ which can effect how the packet is routed.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_RAW
+ tristate 'raw table support (required for TRACE)'
+ help
+ This option adds a `raw' table to ip6tables. This table is the very
+ first in the netfilter framework and hooks in at the PREROUTING
+ and OUTPUT chains.
+
+ If you want to compile it as a module, say M here and read
+ . If unsure, say `N'.
+
+endif # ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
-- cgit v1.2.3
From 39d8800fe63c5bb69a9ecc088f59b59566c6e71e Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:42 +0200
Subject: firewall.conf: minor fixups
- Apply drop policy to the OUTPUT chain, too (the actual behaviour should not have changed, as all now unhandled packets were explicitly dropped before).
- The TCPMSS target is only valid in the mangle table, which is not enabled by default. So fix the statement and comment it out to leave it up to the user to decide whether he really needs it.
---
 package/iptables/files/firewall.conf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
index 2c8faaa34..15794dece 100644
--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule
 ### Default policy
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
 
 ### INPUT
 ### (connections with the router as destination)
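Review bot: The help text of ADK_KPACKAGE_KMOD_IP6_NF_FILTER and ADK_KPACKAGE_KMOD_IP6_NF_MANGLE was carried over from the IPv4 entries and still sends the reader to `iptables(8)` and speaks of "a `mangle' table to iptables"; in this file it should read `ip6tables(8)` / "to ip6tables", as the IP6_NF_RAW entry already does. That RAW entry's own help ends in `say M here and read .` — the document reference is gone, so either drop the clause or restore the file name it pointed at. The first symbol uses `---help---` while every other entry uses `help`; kconfig accepts both, but one spelling per file is easier on the eye.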
@@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
 ### (connections with the router as source)
 
 # base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
 
 ### FORWARD
 ### (connections routed through the router)
 
 # base case
 iptables -A FORWARD -m state --state INVALID -j DROP
-iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
+# fix for broken ISPs blocking ICMP "fragmentation needed" packets
+#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
 # custom rules
 iptables -A FORWARD -j forwarding_rule
 iptables -t nat -A PREROUTING -j prerouting_rule
-- cgit v1.2.3
From 6e4361587337535619fcfed0a46719184c1aacf1 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:43 +0200
Subject: ip6tables review
Init-script and config based on the IPv4-ones, but all NAT-related stuff dropped.
---
 package/iptables/Makefile | 8 ++-
 package/iptables/files/firewall6.conf | 98 ++++++++++++++++++++++++++++
 package/iptables/files/firewall6.init | 31 ++++++++++
 package/iptables/files/iptables.postinst | 1 +
 4 files changed, 135 insertions(+), 3 deletions(-)
 create mode 100644 package/iptables/files/firewall6.conf
 create mode 100755 package/iptables/files/firewall6.init
diff --git a/package/iptables/Makefile b/package/iptables/Makefile
index f07604877..4aa2d58bf 100644
--- a/package/iptables/Makefile
+++ b/package/iptables/Makefile
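Review bot: The new OUTPUT base case accepts `RELATED,ESTABLISHED,NEW` for every protocol, so the `-P OUTPUT DROP` policy added in the first hunk can only ever catch INVALID-state traffic — exactly what the removed `iptables -A OUTPUT -m state --state INVALID -j DROP` did explicitly — and the following `iptables -A OUTPUT -p icmp -j ACCEPT` can therefore only match INVALID ICMP, since everything else was accepted one rule earlier. That is a real behaviour change despite the commit message: ICMP that conntrack classifies INVALID (typically error messages for flows it does not know) now leaves the router where it was dropped before. If that is intended, a comment should say so, e.g. `# let ICMP errors for untracked flows out (conntrack marks them INVALID)`; if not, drop the icmp line. Keeping an explicit `--state INVALID -j DROP` ahead of the ACCEPT would also make the chain readable without knowing the policy.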
@@ -14,6 +14,8 @@ PKG_DEPENDS+= kmod-nf-conntrack-ipv4 kmod-nf-nat
 PKG_DEPENDS+= kmod-ip-nf-target-masquerade kmod-ip-nf-target-reject
 PKG_DEPENDS+= kmod-ip-nf-filter kmod-ip-nf-match-state
 PKG_DEPENDS+= kmod-netfilter-xt-target-tcpmss
+PKG_DEPENDS6:= kmod-ip6-nf-iptables kmod-nf-conntrack-ipv6
+PKG_DEPENDS6+= kmod-ip6-nf-filter kmod-ip6-nf-target-reject
 PKG_URL:= http://www.netfilter.org
 PKG_SITES:= http://www.netfilter.org/projects/iptables/files/ \
 ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
@@ -29,7 +31,7 @@ include ${TOPDIR}/mk/package.mk
 #include ${LINUX_DIR}/.config
 
 $(eval $(call PKG_template,IPTABLES,iptables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
-$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS6},${PKG_DESCR},${PKG_SECTION}))
 
 CONFIGURE_ARGS+= --enable-devel
 
@@ -44,8 +46,8 @@ post-install: ${SUB_INSTALL-m} ${SUB_INSTALL-y}
 ${CP} ${WRKINST}/usr/lib/libxtables.so* ${IDIR_IPTABLES}/usr/lib
 
 ip6tables-install:
- ${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/lib
- ${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/sbin
+ ${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}
+ ${INSTALL_DATA} ./files/firewall6.conf ${IDIR_IP6TABLES}/etc
 ${INSTALL_BIN} ${WRKINST}/usr/sbin/ip6tables ${IDIR_IP6TABLES}/usr/sbin/
 ${CP} ${WRKINST}/usr/lib/libip6tc.so* ${IDIR_IP6TABLES}/usr/lib
 
diff --git a/package/iptables/files/firewall6.conf b/package/iptables/files/firewall6.conf
new file mode 100644
index 000000000..2e86138b2
--- /dev/null
+++ b/package/iptables/files/firewall6.conf
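Review bot: PKG_DEPENDS6 lists the ip6 tables, conntrack, filter and REJECT kmods but no state-match module, although the IPv4 list three lines above carries `kmod-ip-nf-match-state` and the firewall6.conf this package installs uses `-m state` on almost every rule; unless xt_state is pulled in by something else, the ruleset fails to load on a box that has only the ip6tables package, so `PKG_DEPENDS6+= kmod-ip-nf-match-state` (or whatever the xtables state kmod is called in this tree) should be added. In the third hunk `${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}` relies on brace expansion, which POSIX sh does not perform — if rules.mk does not pin SHELL to bash, dash creates a directory literally named `{usr/lib,etc,usr/sbin}` and the two installs that follow fail; three plain `${INSTALL_DIR}` lines are safer. Note also that ip6tables-install copies firewall6.conf but not the new firewall6.init; its `#PKG iptables` tag suggests the init infrastructure ships it with the iptables package instead, which I cannot confirm from here, but as written ip6tables alone gets a config with no script to load it.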
@@ -0,0 +1,98 @@
+#!/bin/sh
+echo "configure /etc/firewall6.conf first."
+exit 1
+
+### Interfaces
+WAN=sixxs
+LAN=br0
+WLAN=wlan0
+
+######################################################################
+### Default ruleset
+######################################################################
+
+### Create chains
+ip6tables -N input_rule
+ip6tables -N forwarding_rule
+
+### Default policy
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+### INPUT
+### (connections with the router as destination)
+
+# base case
+ip6tables -A INPUT -m state --state INVALID -j DROP
+ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
+
+# custom rules
+ip6tables -A INPUT -j input_rule
+
+# allow access from anything but WAN
+ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
+# allow icmp messages
+ip6tables -A INPUT -p icmp6 -j ACCEPT
+
+# reject
+ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+# base case
+ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+ip6tables -A OUTPUT -p icmp6 -j ACCEPT
+
+### FORWARD
+### (connections routed through the router)
+
+# base case
+ip6tables -A FORWARD -m state --state INVALID -j DROP
+ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# fix for broken ISPs blocking ICMPv6 "packet too big" packets
+#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# custom rules
+ip6tables -A FORWARD -j forwarding_rule
+
+# allow LAN
+ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+######################################################################
+### Default ruleset end
+######################################################################
+
+###
+### Connections to the router
+###
+
+# ssh
+#ip6tables -A input_rule -i $WAN -p tcp -s --dport 22 -j ACCEPT
+
+# IPSec
+#ip6tables -A input_rule -i $WAN -p esp -s -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p udp -s --dport 500 -j ACCEPT
+
+# OpenVPN
+#ip6tables -A input_rule -i $WAN -p udp -s --dport 1194 -j ACCEPT
+
+# PPTP
+#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
+
+###
+### VPN traffic
+###
+
+# IPSec
+#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
+#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT
+
+# OpenVPN
+#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
+#ip6tables -A forwarding_rule -i tun+ -j ACCEPT
diff --git a/package/iptables/files/firewall6.init b/package/iptables/files/firewall6.init
new file mode 100755
index 000000000..bedb639a9
--- /dev/null
+++ b/package/iptables/files/firewall6.init
@@ -0,0 +1,31 @@
+#!/bin/sh
+#PKG iptables
+#INIT 45
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+ test x"${firewall6:-NO}" = x"NO" && exit 0
+ exec sh $0 start
+ ;;
+start)
+ . /etc/firewall6.conf
+ ;;
+stop)
+ ### Clear tables
+ ip6tables -F
+ ip6tables -X
+ ip6tables -P INPUT ACCEPT
+ ip6tables -P FORWARD ACCEPT
+ ip6tables -P OUTPUT ACCEPT
+ ;;
+restart)
+ sh $0 stop
+ sh $0 start
+ ;;
+*)
+ echo "Usage: $0 {start | stop | restart}"
+ ;;
+esac
+exit $?
diff --git a/package/iptables/files/iptables.postinst b/package/iptables/files/iptables.postinst
index 89b0af164..b418e73f9 100644
--- a/package/iptables/files/iptables.postinst
+++ b/package/iptables/files/iptables.postinst
@@ -2,3 +2,4 @@
 . $IPKG_INSTROOT/etc/functions.sh
 add_rcconf iptables firewall NO
+add_rcconf iptables firewall6 NO
-- cgit v1.2.3
From ef33aa27faa919cb13155e396f7f275cc51b1fe8 Mon Sep 17 00:00:00 2001
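Review bot: The INPUT base case drops `--state INVALID` before the `ip6tables -A INPUT -p icmp6 -j ACCEPT` rule is reached, and for IPv6 that ordering is not the harmless copy of the v4 file it looks like: whether nf_conntrack_ipv6 on the target kernel reports neighbour/router discovery and MLD as UNTRACKED or as INVALID I cannot tell from here, and on kernels where it is INVALID this kills NDP on every interface, LAN included. Exempting ICMPv6 from the INVALID drop is cheap insurance: `ip6tables -A INPUT ! -p icmp6 -m state --state INVALID -j DROP`. The icmp6 ACCEPT also admits every ICMPv6 type from $WAN, echo-request and node-information queries included; the RFC 4890 split (allow types 1–4, 128/129 and 133–137, drop the rest) deserves at least a `# TODO: restrict ICMPv6 types per RFC 4890` so the next editor knows this is the permissive choice, not an oversight.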
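Review bot: `stop` only flushes the default filter table, so if a user uncomments the mangle TCPMSS rule that firewall6.conf offers, `restart` appends it a second time on every run. Flushing the other tables is harmless when they are not loaded: `for t in filter mangle raw; do ip6tables -t $t -F 2>/dev/null; ip6tables -t $t -X 2>/dev/null; done`. The `*)` branch prints usage and then falls through to `exit $?`, which is the status of `echo`, i.e. success — an unknown action should `exit 1`. `autostop) ;;` deliberately leaves the rules in place on shutdown, which is fine, but a one-line comment such as `# rules die with the kernel; nothing to do` would spare the reader the question.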
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:44 +0200
Subject: new package conntrack-cools
---
 package/Config.in | 1 +
 package/conntrack-tools/Makefile | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 package/conntrack-tools/Makefile
diff --git a/package/Config.in b/package/Config.in
index 87a4066a7..e2a5effa6 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -109,6 +109,7 @@ menu "Firewall / Routing / Bridging"
 source "package/arpd/Config.in"
 source "package/bridge-utils/Config.in"
 source "package/linux-atm/Config.in"
+source "package/conntrack-tools/Config.in"
 source "package/cutter/Config.in"
 source "package/ebtables/Config.in"
 source "package/ether-wake/Config.in"
diff --git a/package/conntrack-tools/Makefile b/package/conntrack-tools/Makefile
new file mode 100644
index 000000000..d4d53b8be
--- /dev/null
+++ b/package/conntrack-tools/Makefile
@@ -0,0 +1,26 @@
+# This file is part of the OpenADK project. OpenADK is copyrighted
+# material, please see the LICENCE file in the top-level directory.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:= conntrack-tools
+PKG_VERSION:= 0.9.9
+PKG_RELEASE:= 1
+PKG_MD5SUM:= 35b0ab9cde069b4ec8a493daae82d67b
+PKG_DESCR:= Connection tracking userspace tools
+PKG_SECTION:= firewall
+PKG_DEPENDS:= libnetfilter_conntrack
+PKG_BUILDDEP+= libnetfilter_conntrack
+PKG_URL:= http://conntrack-tools.netfilter.org
+PKG_SITES:= http://www.netfilter.org/projects/conntrack-tools/files/
+DISTFILES:= ${PKG_NAME}-${PKG_VERSION}.tar.bz2
+
+include $(TOPDIR)/mk/package.mk
+
+$(eval $(call PKG_template,CONNTRACK_TOOLS,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+
+post-install:
+ $(INSTALL_DIR) $(IDIR_CONNTRACK_TOOLS)/usr/sbin
+ $(INSTALL_BIN) $(WRKINST)/usr/sbin/conntrack{,d} $(IDIR_CONNTRACK_TOOLS)/usr/sbin/
+
+include ${TOPDIR}/mk/pkg-bottom.mk
-- cgit v1.2.3
From 91653cd0c26a5dc3b33addc3d90f17300b0ed5d0 Mon Sep 17 00:00:00 2001
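Review bot: The added `source "package/conntrack-tools/Config.in"` points at a file this commit does not create — the diffstat lists only package/Config.in and package/conntrack-tools/Makefile — so the kconfig parse will fail unless that Config.in is generated from the Makefile by the build system, which I cannot see from here. If it is hand-written in this tree, as the neighbouring arpd, cutter and ebtables entries suggest, the Config.in declaring ADK_PACKAGE_CONNTRACK_TOOLS (the symbol the PKG_template below expects) has to be part of this commit.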
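Review bot: `$(INSTALL_BIN) $(WRKINST)/usr/sbin/conntrack{,d} ...` in post-install depends on brace expansion, a bash extension; under a POSIX `sh` recipe shell the argument is passed literally and the install fails, so unless rules.mk pins SHELL to bash the two files should be spelled out. PKG_DEPENDS names only libnetfilter_conntrack, but conntrack and conntrackd reach the kernel through the nfnetlink conntrack interface, which is its own kernel module (nf_conntrack_netlink) and is not among the firewall kmods elsewhere in this series; if ADK has a kmod package for it, it belongs in PKG_DEPENDS, otherwise a comment should state that the kernel option has to be enabled by hand. conntrackd also expects /etc/conntrackd/conntrackd.conf and is useless without one — shipping a commented example or noting its absence in PKG_DESCR would save users a confusing first start.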
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:31 +0200
Subject: enable parallel building for uclibc
---
 toolchain/uClibc/Makefile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/toolchain/uClibc/Makefile b/toolchain/uClibc/Makefile
index 8d956f4b1..ee64a4940 100644
--- a/toolchain/uClibc/Makefile
+++ b/toolchain/uClibc/Makefile
@@ -8,6 +8,10 @@ include ../rules.mk
 include Makefile.inc
 include ${TOPDIR}/mk/buildhlp.mk
 
+ifeq (${ADK_MAKE_PARALLEL},y)
+UCLIBC_MAKEOPTS+= -j${ADK_MAKE_JOBS}
+endif
+
 $(WRKBUILD)/.headers:
 $(SED) 's,^CROSS=.*,CROSS=$(TARGET_CROSS),g' $(WRKBUILD)/Rules.mak
 sed -e 's^KERNEL_HEADERS.*$$KERNEL_HEADERS=\"${TOOLCHAIN_SYSROOT}/usr/include\"' \
@@ -15,7 +19,7 @@ $(WRKBUILD)/.headers:
 ifneq ($(ADK_DEBUG),)
 $(SED) 's,DOSTRIP,DODEBUG,' ${WRKBUILD}/.config
 endif
- $(MAKE) -C $(WRKBUILD) \
+ $(MAKE) ${UCLIBC_MAKEOPTS} -C $(WRKBUILD) \
 PREFIX=$(TOOLCHAIN_SYSROOT) \
 DEVEL_PREFIX=/usr/ \
 RUNTIME_PREFIX=$(TOOLCHAIN_SYSROOT) \
@@ -26,7 +30,7 @@ endif
 touch $@
 
 $(WRKBUILD)/.compiled:
- $(MAKE) -C $(WRKBUILD) \
+ $(MAKE) ${UCLIBC_MAKEOPTS} -C $(WRKBUILD) \
 PREFIX= \
 DEVEL_PREFIX=/ \
 RUNTIME_PREFIX=/ \
-- cgit v1.2.3
From 94c77f2701f008c646cee8c3e0956cf707662211 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:45 +0200
Subject: ntfs-3g: set PKG_SECTION to kernel
---
 package/ntfs-3g/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/ntfs-3g/Makefile b/package/ntfs-3g/Makefile
index 72d418e56..265a09d8d 100644
--- a/package/ntfs-3g/Makefile
+++ b/package/ntfs-3g/Makefile
@@ -8,7 +8,7 @@ PKG_VERSION= 2010.1.16
 PKG_RELEASE= 1
 PKG_MD5SUM= e104c914e8d7d29ee83e63d46afbba25
 PKG_DESCR:= ntfs filesystem driver with read and write support
-PKG_SECTION:= sys
+PKG_SECTION:= kernel
 PKG_DEPENDS:= kmod-fuse-fs
 PKG_URL:= http://tuxera.com
 PKG_SITES= http://tuxera.com/opensource/
-- cgit v1.2.3
From 242b8f2386497be8183ad4ec3ee27b3f60f7de0f Mon Sep 17 00:00:00 2001
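Review bot: `UCLIBC_MAKEOPTS+= -j${ADK_MAKE_JOBS}` hands an explicit -j to a sub-make that is already invoked through `$(MAKE)`; when the top-level make runs with -j, GNU make answers with "warning: -jN forced in submake: disabling jobserver mode" and the uClibc build then competes with the rest of the tree for cores instead of sharing the jobserver, and if ADK_MAKE_JOBS is empty the option degenerates to a bare `-j`, i.e. unlimited parallelism. If the intent is to build uClibc in parallel even when the outer make is serial, guard the value — `ifneq (${ADK_MAKE_JOBS},)` inside the existing ifeq — otherwise drop UCLIBC_MAKEOPTS and let MAKEFLAGS inheritance do the work. Either way a one-line comment above the ifeq saying which of the two is meant would keep the next reader from re-deriving this; I cannot tell from here how ADK_MAKE_JOBS is constrained in the kconfig.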
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:46 +0200
Subject: bc, tcsh: fix obvious PKG_SECTION typos
---
 package/bc/Makefile | 2 +-
 package/tcsh/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/bc/Makefile b/package/bc/Makefile
index dbe613550..8912693c0 100644
--- a/package/bc/Makefile
+++ b/package/bc/Makefile
@@ -8,7 +8,7 @@ PKG_VERSION:= 1.06
 PKG_RELEASE:= 1
 PKG_MD5SUM:= d44b5dddebd8a7a7309aea6c36fda117
 PKG_DESCR:= An arbitrary precision calculator language
-PKG_SECTION:= util
+PKG_SECTION:= utils
 PKG_URL:= http://www.gnu.org/software/bc
 PKG_SITES:= http://ftp.gnu.org/pub/gnu/bc/
 
diff --git a/package/tcsh/Makefile b/package/tcsh/Makefile
index ac8424831..b0e85a79a 100644
--- a/package/tcsh/Makefile
+++ b/package/tcsh/Makefile
@@ -8,7 +8,7 @@ PKG_VERSION:= 6.17.00
 PKG_RELEASE:= 1
 PKG_MD5SUM:= c47de903e3d52f6824c8dd0c91eeb477
 PKG_DESCR:= alternative csh
-PKG_SECTION:= shell
+PKG_SECTION:= shells
 PKG_DEPENDS:= libncurses
 PKG_BUILDDEP+= ncurses
 PKG_URL:= http://www.tcsh.org/Welcome
-- cgit v1.2.3
From 520729e1dd86176f98282daf0519c1ed63d76085 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:47 +0200
Subject: asterisk: add dependency from sounds to gsm
Necessary because all sounds are in GSM format. While here, add a description to the sounds sub-package, too.
---
 package/asterisk/Makefile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/package/asterisk/Makefile b/package/asterisk/Makefile
index 595bae027..425683f24 100644
--- a/package/asterisk/Makefile
+++ b/package/asterisk/Makefile
@@ -26,13 +26,15 @@ PKG_DESCR_CHAN_MGCP:= Media Gateway Control Protocol implementation
 PKG_DESCR_CHAN_SKINNY:= Skinny Client Control Protocol implementation
 PKG_DESCR_CHAN_IAX2:= Support for the Inter Asterisk Protocol
 PKG_DESCR_CODEC_SPEEX:= Speex/PCM16 Codec Translator
+PKG_DESCR_SOUNDS:= Various soundfiles in GSM format
+PKG_DEPENDS_SOUNDS:= ${PKG_DEPENDS} asterisk-codec-gsm
 
 include $(TOPDIR)/mk/package.mk
 
 $(eval $(call PKG_template,ASTERISK,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_PGSQL,asterisk-pgsql,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_VOICEMAIL,asterisk-voicemail,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
-$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_SOUNDS},${PKG_DESCR_SOUNDS},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_MGCP,asterisk-chan-mgcp,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_MGCP},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_SKINNY,asterisk-chan-skinny,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_SKINNY},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_IAX2,asterisk-chan-iax2,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_IAX2},${PKG_SECTION}))
-- cgit v1.2.3
From a950c478f8dcebf33a8bb7b5938ac1b5199079f8 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:32 +0200
Subject: seems like asterisk has no privacy.conf anymore
---
 package/asterisk/files/asterisk.conffiles | 1 -
 1 file changed, 1 deletion(-)
diff --git a/package/asterisk/files/asterisk.conffiles b/package/asterisk/files/asterisk.conffiles
index 2cb705f9c..55949fde7 100644
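Review bot: `PKG_DEPENDS_SOUNDS:= ${PKG_DEPENDS} asterisk-codec-gsm` adds a runtime dependency on a sub-package that no PKG_template in this hunk declares — the visible templates are ASTERISK, PGSQL, VOICEMAIL, SOUNDS and the three CHAN_* ones, and there is a PKG_DESCR_CODEC_SPEEX but no CODEC_GSM counterpart — so unless ASTERISK_CODEC_GSM is defined further down the file, which I cannot see, the dependency is unresolvable at install time. The sibling CHAN_* sub-packages depend on `${PKG_DEPENDS_MAIN}` while sounds now inherits the whole `${PKG_DEPENDS}` of the main package; sounds are plain data files, so following the CHAN_* pattern, `PKG_DEPENDS_SOUNDS:= ${PKG_DEPENDS_MAIN} asterisk-codec-gsm`, looks like the intended shape. Because the assignment is `:=`, it also snapshots PKG_DEPENDS at this line — fine if nothing appends to PKG_DEPENDS later in the file, worth a glance otherwise.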
--- a/package/asterisk/files/asterisk.conffiles
+++ b/package/asterisk/files/asterisk.conffiles
@@ -13,7 +13,6 @@
 /etc/asterisk/modules.conf
 /etc/asterisk/musiconhold.conf
 /etc/asterisk/osp.conf
-/etc/asterisk/privacy.conf
 /etc/asterisk/queues.conf
 /etc/asterisk/rtp.conf
 /etc/asterisk/sip.conf
-- cgit v1.2.3
From 0422754bce96ada3b228333f1eb3db8cf11cd862 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:33 +0200
Subject: dropbear: reenable DSS algo support
Tragically, disabling DSS support in order to prevent an error message from showing up at startup (because of missing dss host key) also disables support for pubkey auth using DSS keys. And guess which type mine is. ;) To provide a usable compromise, make dropbear.init generate the formerly missing dss host key. So there won't be any error message, either. Probably this fixes for hosts not being able to authenticate using an RSS host key, too.
---
 package/dropbear/Makefile | 4 ++--
 package/dropbear/files/dropbear.init | 8 ++++++++
 package/dropbear/patches/patch-options_h | 11 +----------
 3 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile
index 6625cb21c..2ab254cd2 100644
--- a/package/dropbear/Makefile
+++ b/package/dropbear/Makefile
@@ -5,14 +5,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:= dropbear
 PKG_VERSION:= 0.52
-PKG_RELEASE:= 1
+PKG_RELEASE:= 2
 PKG_MD5SUM:= 1c69ec674481d7745452f68f2ea5597e
 PKG_DESCR:= SSH 2 server/client designed for embedded systems
 PKG_SECTION:= net
 PKG_URL:= http://matt.ucc.asn.au/dropbear
 PKG_SITES:= http://matt.ucc.asn.au/dropbear/releases/
 
-PKG_DESCR_UTIL:= Utility for converting SSH keys
+PKG_DESCR_UTIL:= Utility for converting SSH private keys
 
 include $(TOPDIR)/mk/package.mk
 
diff --git a/package/dropbear/files/dropbear.init b/package/dropbear/files/dropbear.init
index 4a7d7a875..9983e943c 100644
--- a/package/dropbear/files/dropbear.init
+++ b/package/dropbear/files/dropbear.init
@@ -27,6 +27,14 @@ start)
 test $rv = 0 || exit 1
 test -f /etc/dropbear/dropbear_rsa_host_key || exit 1
 fi
+ if test ! -f /etc/dropbear/dropbear_dss_host_key; then
+ # take it easy here, since above already catched the worst cases
+ if test -x /usr/bin/dropbearkey; then
+ bothlog "dropbear: generating SSH private key (DSS)"
+ /usr/bin/dropbearkey -f /etc/dropbear/dropbear_dss_host_key -t dss
+ bothlog dropbear: key generation exited with code $?
+ fi
+ fi
 /usr/sbin/dropbear $dropbear_flags
 ;;
 stop)
diff --git a/package/dropbear/patches/patch-options_h b/package/dropbear/patches/patch-options_h
index b0903f45d..00914dda2 100644
--- a/package/dropbear/patches/patch-options_h
+++ b/package/dropbear/patches/patch-options_h
@@ -1,6 +1,6 @@
 $Id: update-patches 24 2008-08-31 14:56:13Z wbx $
 --- dropbear-0.52.orig/options.h 2008-11-11 15:13:50.000000000 +0100
-+++ dropbear-0.52/options.h 2010-01-22 17:55:09.000000000 +0100
++++ dropbear-0.52/options.h 2010-03-14 23:30:26.277667006 +0100
 @@ -10,6 +10,11 @@
 * parts are to allow for commandline -DDROPBEAR_XXX options etc.
 ******************************************************************/
@@ -13,15 +13,6 @@ $Id: update-patches 24 2008-08-31 14:56:13Z wbx $
 #ifndef DROPBEAR_DEFPORT
 #define DROPBEAR_DEFPORT "22"
 #endif
-@@ -115,7 +120,7 @@ etc) slower (perhaps by 50%). Recommende
- * Removing either of these won't save very much space.
- * SSH2 RFC Draft requires dss, recommends rsa */
- #define DROPBEAR_RSA
--#define DROPBEAR_DSS
-+/* #define DROPBEAR_DSS */
- 
- /* RSA can be vulnerable to timing attacks which use the time required for
- * signing to guess the private key. Blinding avoids this attack, though makes
 @@ -129,7 +134,7 @@ etc) slower (perhaps by 50%). Recommende
 /* #define DSS_PROTOK */
 
-- cgit v1.2.3
From 4d3b0260219f6e7203b1b69ffec8a6c39b333bc9 Mon Sep 17 00:00:00 2001
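Review bot: The key this block generates is a 1024-bit DSA key — dropbearkey of this era accepts no other size for `-t dss` — so while it silences the startup error and brings DSS user-key auth back, it also offers clients that prefer DSS a weaker host identity than the existing RSA key; that trade-off belongs in a comment above the outer `if`, e.g. `# DSS host key is fixed at 1024-bit DSA; it exists so dropbear stops complaining, RSA stays the preferred host key`. Key generation at boot on an embedded board is also where entropy is scarcest; I cannot tell from here how this target seeds /dev/urandom, but if there is no persisted seed the RSA block just above has the same exposure and a note pointing at it is warranted. The log-only failure path (`bothlog dropbear: key generation exited with code $?`) is acceptable, since a missing DSS key only costs the error message this commit set out to remove; while touching the comment, `catched` should read `caught`.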
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:34 +0200
Subject: basefiles: fix cyclic /var/tmp -> /var/tmp symlink
---
 package/base-files/src/etc/init.d/boot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/base-files/src/etc/init.d/boot b/package/base-files/src/etc/init.d/boot
index 2ef6538e0..ed55ccc88 100644
--- a/package/base-files/src/etc/init.d/boot
+++ b/package/base-files/src/etc/init.d/boot
@@ -8,7 +8,7 @@ mkdir -p /var/log
 mkdir -p /var/run
 touch /var/log/lastlog
 touch /var/log/wtmp
-ln -s /var/tmp /tmp
+ln -s /tmp /var/tmp
 echo 0 > /proc/sys/kernel/printk
-- cgit v1.2.3
From 0e0d27dc9662ffd759912233ddd71ccb99b9b681 Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb
Date: Wed, 21 Apr 2010 20:43:57 +0200
Subject: update to latest upstream version
---
 package/openssh/Makefile | 4 ++--
 package/openssh/patches/patch-openbsd-compat_port-tun_c | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 package/openssh/patches/patch-openbsd-compat_port-tun_c
diff --git a/package/openssh/Makefile b/package/openssh/Makefile
index 27bc8dab8..1eb72097a 100644
--- a/package/openssh/Makefile
+++ b/package/openssh/Makefile
@@ -4,9 +4,9 @@ include ${TOPDIR}/rules.mk
 PKG_NAME:= openssh
-PKG_VERSION:= 5.4p1
+PKG_VERSION:= 5.5p1
 PKG_RELEASE:= 1
-PKG_MD5SUM:= da10af8a789fa2e83e3635f3a1b76f5e
+PKG_MD5SUM:= 88633408f4cb1eb11ec7e2ec58b519eb
 PKG_DESCR:= OpenSSH server
 PKG_SECTION:= net
 PKG_DEPENDS:= zlib libopenssl libpthread
diff --git a/package/openssh/patches/patch-openbsd-compat_port-tun_c b/package/openssh/patches/patch-openbsd-compat_port-tun_c
new file mode 100644
index 000000000..a9ed6434b
--- /dev/null
+++ b/package/openssh/patches/patch-openbsd-compat_port-tun_c
@@ -0,0 +1,11 @@
+--- openssh-5.5p1.orig/openbsd-compat/port-tun.c 2008-05-19 07:28:36.000000000 +0200
++++ openssh-5.5p1/openbsd-compat/port-tun.c 2010-04-21 20:14:00.000000000 +0200
+@@ -213,7 +213,7 @@ sys_tun_infilter(struct Channel *c, char
+ if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
+ return (-1);
+ ptr = (char *)&rbuf[0];
+- bcopy(buf, ptr + sizeof(u_int32_t), len);
++ memcpy(ptr + sizeof(u_int32_t), buf, len);
+ len += sizeof(u_int32_t);
+ af = (u_int32_t *)ptr;
+
-- cgit v1.2.3
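Review bot: The local patch swaps `bcopy` for `memcpy` in sys_tun_infilter without recording why; a patch file under package/openssh/patches has no place for a rationale other than its leading lines, so add the `$Id`-style header the dropbear patch carries plus one line naming the libc or configuration that lacks bcopy, or say it in the commit message — "update to latest upstream version" does not mention the new patch at all. The swap itself looks safe: `buf` appears to be the channel input and `rbuf` a separate local, so the regions cannot overlap and memcpy is equivalent to bcopy here, while the `len > (int)(sizeof(rbuf) - sizeof(*af))` check two lines earlier is what keeps the copy inside `rbuf`. sys_tun_infilter begins and ends outside the hunk.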