Page 5 of 13 FirstFirst ... 34567 ... LastLast
Results 61 to 75 of 187

Thread: IPv6 Support

  1. #61
    Quote Originally Posted by lly View Post
    May be kamil can consult us?
    Hope so

    Quote Originally Posted by lly View Post
    Moreover, I really aware moments below from Changelog:
    Note: this could break deployments with some very old kernels, see more info at:
    i.e. we should spend hours to find all such places due to our 2.4 kernel
    Don't be afraid, we have the very fresh kernel. openwrt 2.4 uses it already, and there is notice about in changelog.
    moreover i had to make same almost the changes for traceroute6 recently

  2. #62
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    I tried your file lly, but there isn't any sixtun coming up
    maybe I should try make menuconf...

  3. #63
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    I tried your file lly, but there isn't any sixtun coming up
    Updated: seems to be my mistake - too hard week Right sequence for compile should be:
    • cd src/gateway
    • vi .config
    • make oldconfig
    • make
    • make install


    Updated2 13:26: More problems discovered:
    1. ip6tables-save/ip6tables-restore missing - fixed in r802
    2. "state" match missed in kernel for ipv6 - I need extra time to fix this

    I'm going to hardcode following ipv6 firewall rules into rc:
    Code:
    # Disable processing of any RH0 packet
    ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    
    
    ip6tables -A INPUT   -t filter -i lo -j ACCEPT
    ip6tables -A OUTPUT  -t filter -o lo -j ACCEPT
    ip6tables -A FORWARD -t filter -o lo -j ACCEPT
    
    ip6tables -A OUTPUT -o sixtun -j ACCEPT
    
    ip6tables -A OUTPUT -o br0 -j ACCEPT
    ip6tables -A INPUT  -i br0 -j ACCEPT
    
    # Allow ICMP (conditional?)
    ip6tables -A INPUT   -p icmpv6 -j ACCEPT
    ip6tables -A OUTPUT  -p icmpv6 -j ACCEPT
    ip6tables -A FORWARD -p icmpv6 -j ACCEPT
    
    # Allow Link-Local addresses
    ip6tables -A INPUT  -s fe80::/10 -j ACCEPT
    ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
     
    # Allow multicast
    ip6tables -A INPUT  -s ff00::/8 -j ACCEPT
    ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
    kamil - is it OK for the first step?
    Last edited by lly; 14-11-2009 at 12:09.

  4. #64
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by lly View Post
    I'm going to hardcode following ipv6 firewall rules into rc:
    Code:
    # Disable processing of any RH0 packet
    ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    
    
    ip6tables -A INPUT   -t filter -i lo -j ACCEPT
    ip6tables -A OUTPUT  -t filter -o lo -j ACCEPT
    ip6tables -A FORWARD -t filter -o lo -j ACCEPT
    
    ip6tables -A OUTPUT -o sixtun -j ACCEPT
    
    ip6tables -A OUTPUT -o br0 -j ACCEPT
    ip6tables -A INPUT  -i br0 -j ACCEPT
    
    # Allow ICMP (conditional?)
    ip6tables -A INPUT   -p icmpv6 -j ACCEPT
    ip6tables -A OUTPUT  -p icmpv6 -j ACCEPT
    ip6tables -A FORWARD -p icmpv6 -j ACCEPT
    
    # Allow Link-Local addresses
    ip6tables -A INPUT  -s fe80::/10 -j ACCEPT
    ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
     
    # Allow multicast
    ip6tables -A INPUT  -s ff00::/8 -j ACCEPT
    ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
    kamil - is it OK for the first step?
    yes, but i not see default policy

    ps: scripts i'm tested in VirtualBox and iso rescuecd - http://rescuecd.pld-linux.org/downlo...RCDx86_297.iso
    http://kamilm.net/
    irc: kamil@IRCNet kamil@LinuxStorm
    jid: kamil@pld-users.org
    WL-500gpv1-1.9.2.7-10
    WL-500gpv2-1.9.2.7-10

  5. #65
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by theMIROn View Post
    btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
    http://cvs.litech.org/viewcvs/radvd/CHANGES?view=markup
    size comparsion:
    radvd-0.7.3 58Kb, ~20Kb inside FW
    radvd-1.5 91Kb, ~28Kb inside FW
    Is it worth to?
    radvd-0.7.x great works on my ASUS wl500g, but...
    0.7.x - 2005
    1.5.x - 2009
    4 year
    http://kamilm.net/
    irc: kamil@IRCNet kamil@LinuxStorm
    jid: kamil@pld-users.org
    WL-500gpv1-1.9.2.7-10
    WL-500gpv2-1.9.2.7-10

  6. #66
    Quote Originally Posted by kamil View Post
    radvd-0.7.x great works on my ASUS wl500g, but...
    0.7.x - 2005
    1.5.x - 2009
    4 year
    I'm afraid that build date shouldn't be the main reason to update

  7. #67
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by kamil View Post
    yes, but i not see default policy
    default policy will be ACCEPT, for tests period at least. As I can understand - your sample firewall script not from Oleg's 1.9.2.7-10 (which based on 2.4 kernel too), isn't it?

    Bad news - kernel 2.4.X don't support ipv6 connection tracking(ip6_conntrack) at all. And nobody done backport from 2.6 line

    Also, I can't find ipv6 TCPMSS module for 2.4 ...

    About radvd - many software developers increase versions too rapid, without real core functionality change, especially commercial software. So, I don't want to repair new bugs in new version due to incompatibility with our obsolete 2.4 kernel.
    Last edited by lly; 14-11-2009 at 14:17.

  8. #68
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by kamil View Post
    yes, but i not see default policy
    default policy is always accept

    or lly can add something like this into the beginning:
    POLICY="DROP"
    ip6tables -P OUTPUT $POLICY
    ip6tables -P INPUT $POLICY
    ip6tables -P FORWARD $POLICY
    I'm not sure how drop will work out, I always had bad luck with it, meaning that the tunnel was blocked

  9. #69
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    Bad news - kernel 2.4.X don't support ipv6 connection tracking(ip6_conntrack) at all. And nobody done backport from 2.6 line
    http://www.linux-ipv6.org/ml/usagi-users/msg02587.html
    But ip6_conntrack is highly independent, so I think it isn't difficult
    to port it to Linux 2.4. Please try below.
    maybe when there is more time we can give it a shot?

  10. #70
    Quote Originally Posted by lly View Post
    "state" match missed in kernel for ipv6 - I need extra time to fix this
    the onlly way is to backport it from 2.6. btw, we could even merge ipv4 and ipv6 modules/extensions to save space, like it was done in mainstream

  11. #71
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    http://www.linux-ipv6.org/ml/usagi-users/msg02587.html
    maybe when there is more time we can give it a shot?
    I found this link. It is real task, but since nobody done it, seems to be it is not so easy.
    Unfortunately, I haven't enough time to do this backport. We will be happy if someone send us patches against 2.4.3x.

    What your opinion about significance of TCPMSS for ipv6?
    Last edited by lly; 14-11-2009 at 14:56.

  12. #72
    Just set up ipv6 tunnel via http://tunnelbroker.net, works fine


    btw, do we need following (for the first approach without detailed ifs names)?

    iptables -I FORWARD -p ipv6 (-i/o sixtun/br0) - j ACCEPT
    iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE
    Last edited by theMIROn; 15-11-2009 at 22:16.

  13. #73
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by lly View Post
    default policy will be ACCEPT, for tests period at least. As I can understand - your sample firewall script not from Oleg's 1.9.2.7-10 (which based on 2.4 kernel too), isn't it?
    ...
    Oleg's 1.9.2.7-10 don't have ip6tables

    My scripts write in other routers where base system is linux with kernel 2.6.x

    Oleg's soft is poor support ipv6 (no mtr6, traceroute6, ip6tables)... but basic support have (ping6, firmaware 1.9.2.7-10 compiled with ipv6)... - i can't create scripts where base system not full support ipv6 (Oleg's firmware)
    Last edited by kamil; 14-11-2009 at 19:22.
    http://kamilm.net/
    irc: kamil@IRCNet kamil@LinuxStorm
    jid: kamil@pld-users.org
    WL-500gpv1-1.9.2.7-10
    WL-500gpv2-1.9.2.7-10

  14. #74
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by theMIROn View Post
    btw, do we need following (for the first approach without detailed ifs names)?

    iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE
    nat is absent for IPv6

    Quote Originally Posted by kamil View Post
    My scripts write in other routers where base system is linux with kernel 2.6.x
    You are happy man
    One more question - have you ever use TCPMSS for IPv6?

  15. #75
    Quote Originally Posted by lly View Post
    nat is absent for IPv6
    yep, it's abs useless for that, in case or routed ipv6 range

Page 5 of 13 FirstFirst ... 34567 ... LastLast

Similar Threads

  1. New oleg firmware version
    By Lesiuk in forum WL-500gP Firmware Discussion
    Replies: 713
    Last Post: 13-05-2016, 05:55
  2. Broadcom 63xx SOCs support in linux-mips and OpenWrt
    By goundoulf in forum WL-600g Firmware Discussion
    Replies: 0
    Last Post: 22-10-2008, 18:48
  3. About to remove IPv6 support from the firmware
    By Oleg in forum WL-500g Firmware Releases
    Replies: 7
    Last Post: 25-04-2008, 19:51
  4. HOWTO use your WL-500g as IPv6 router
    By phedny in forum WL-500g/WL-500gx Tutorials
    Replies: 8
    Last Post: 17-02-2008, 08:19

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •