firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)

author Jo-Philipp Wich <jow@openwrt.org>

Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)

committer Jo-Philipp Wich <jow@openwrt.org>

Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
author Jo-Philipp Wich <jow@openwrt.org>
Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
committer Jo-Philipp Wich <jow@openwrt.org>
Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
diff --git a/package/firewall/Makefile b/package/firewall/Makefile

index cdb8dc6224ca5185eda990e353c4673cc79dae9a..b192ad330e1f1b18805b2abe492da7bbb327b18f 100644 (file)
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
  PKG_NAME:=firewall
  
  PKG_VERSION:=2
-PKG_RELEASE:=33
+PKG_RELEASE:=34
  
  include $(INCLUDE_DIR)/package.mk
  
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config

index b47823fe2d12e628c3a8b18263a16eb5f60d8a1c..5a5dfd018672a04042826956e8d84cda577ee661 100644 (file)
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -44,6 +44,22 @@ config rule
         option target           ACCEPT
  
  # Allow essential incoming IPv6 ICMP traffic
+config rule
+       option src              wan
+       option proto    icmp
+       list icmp_type          echo-request
+       list icmp_type          destination-unreachable
+       list icmp_type          packet-too-big
+       list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
+       list icmp_type          router-solicitation
+       list icmp_type          neighbour-solicitation
+       option limit            1000/sec
+       option family           ipv6
+       option target           ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
  config rule                                   
         option src              wan
         option dest             *
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug

index 15e350082a1230084565d2d8bbc3e9b0b09d556b..1feb21075afcb0aa30ef86032ff43764ae424257 100644 (file)
--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -102,7 +102,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
                                 local p
                                 for p in ${proto:-tcp udp}; do
                                         case "$p" in
-                                               tcp|udp)
+                                               tcp|udp|6|17)
                                                         iptables -t nat -A nat_reflection_in \
                                                                 -s $lanip/$lanmk -d $exthost \
                                                                 -p $p $extport \
author	Jo-Philipp Wich <jow@openwrt.org>
	Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
committer	Jo-Philipp Wich <jow@openwrt.org>
	Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
package/firewall/Makefile		patch \| blob \| history
package/firewall/files/firewall.config		patch \| blob \| history
package/firewall/files/reflection.hotplug		patch \| blob \| history