From d252d5110a0210425845b886d96d9fde5271b2ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Mon, 19 Apr 2021 19:01:31 +0200
Subject: [PATCH] fff-network: Add comments to set sysctls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

To make it clear why the set sysctls are necessary, add appropriate comments to them. Also reorder them for improved readability.

Signed-off-by: Fabian Bläse
Tested-by: Fabian Bläse
---
 src/packages/fff/fff-network/Makefile | 2 +-
 .../files/etc/sysctl.d/50-fff-network.conf | 25 +++++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index b3f8fe45..25cef9ee 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-network
-PKG_RELEASE:=44
+PKG_RELEASE:=45
 include $(INCLUDE_DIR)/package.mk
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index 3cfd81dd..d6b89df3 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -1,9 +1,24 @@
+# Disable IPv4 forwarding.
+# This has to be set first, because it resets some of the
+# net.ipv4.conf.* sysctls.
 net.ipv4.ip_forward=0
-net.ipv6.conf.default.accept_dad=0
-net.ipv6.conf.default.accept_ra=0
-net.ipv6.conf.all.accept_dad=0
-net.ipv6.conf.all.accept_ra=0
-
+# Enable IPv6 forwarding, otherwise the fc00::/7 route sometimes is
+# not used if a default route is available, which breaks fc00::/7
+# inside Freifunk.
+# To ensure no packets are routed to different interfaces, fff-firewall
+# sets appropriate iptables rules
 net.ipv6.conf.all.forwarding=1
 net.ipv6.conf.default.forwarding=0
+
+# Do not accept Router Advertisements, so no public
+# addresses are assigned to interfaces, where we don't
+# want them. OpenWrts netifd overwrites this option for the WAN
+# interface, so IPv6 WAN connectivity is still possible.
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.all.accept_ra=0
+
+# Disable DAD, so fdff::1 on br-client does not get erroneously disabled.
+# This should be done on a per-interface basis in the future.
+net.ipv6.conf.default.accept_dad=0
+net.ipv6.conf.all.accept_dad=0
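Review bot: The IPv6 forwarding pair has the same ordering dependency the new ip_forward comment documents, but the comment above `net.ipv6.conf.all.forwarding=1` does not say so: on Linux, writing `net.ipv6.conf.all.forwarding` also copies the value into `net.ipv6.conf.default.forwarding` and into every existing interface, so `default.forwarding=0` only takes effect because it comes after the `all` line. A line such as `# Keep all.forwarding before default.forwarding: writing "all" also overwrites "default".` would stop a future reorder from silently enabling forwarding on newly created interfaces. The accept_ra comment could also mention that, with forwarding enabled, the kernel only honours Router Advertisements for `accept_ra=2` (a value of 1 is ignored on a forwarding interface), which is what the per-interface override by netifd has to set for WAN connectivity to work; that interaction is what makes the "netifd overwrites this" remark correct and is worth stating explicitly. Finally, the comment that fff-firewall's iptables rules confine forwarded traffic makes the safety of `all.forwarding=1` depend on another package being installed and running; noting that dependency in the comment (or in the package's dependency list, which is outside this hunk) would make the assumption visible to anyone building a variant without fff-firewall.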