From ea8cade28c5197401aeb4e9654ec0df0341860fe Mon Sep 17 00:00:00 2001
From: Tim Niemeyer
Date: Sun, 3 Feb 2013 20:40:17 +0100
Subject: [PATCH] Fix the use os sysctls to prevent router_ads

Signed-off-by: Tim Niemeyer
---
 bsp/default/root_file_system/etc/sysctl.conf | 17 +++++++++++++++--
 .../invoke_sysctl_before_network.patch | 15 +++++++++++++++
 buildscript | 3 +++
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 build_patches/invoke_sysctl_before_network.patch

diff --git a/bsp/default/root_file_system/etc/sysctl.conf b/bsp/default/root_file_system/etc/sysctl.conf
index 37466de..9072a86 100644
--- a/bsp/default/root_file_system/etc/sysctl.conf
+++ b/bsp/default/root_file_system/etc/sysctl.conf
@@ -22,6 +22,8 @@ net.ipv4.conf.default.rp_filter=1
 #Do not accept source routing
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.default.accept_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
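Review bot: The two added `default.` lines sit under the single comment `#Do not accept source routing`, which now heads four settings, two of them about ICMP redirects, and nothing tells a reader why each key is listed under both `all` and `default`. Suggest replacing that comment with one that covers the block, e.g. `# Reject source-routed packets and ICMP redirects; all.* covers interfaces that already exist, default.* those created later, so both are needed`. The same all/default mirroring is done in the IPv6 hunk of this file and would benefit from the same explanation there.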
@@ -32,27 +34,38 @@ net.bridge.bridge-nf-call-arptables=0
 net.bridge.bridge-nf-call-ip6tables=0
 net.bridge.bridge-nf-call-iptables=0
+net.ipv6.conf.default.accept_dad=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.default.accept_redirects=0
 net.ipv6.conf.all.accept_dad=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.all.accept_redirects=0
+
 # Number of Router Solicitations to send until assuming no routers are present.
 # This is host and not router
 net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.all.router_solicitations = 0
 # Accept Router Preference in RA?
 net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.all.accept_ra_rtr_pref = 0
 # Learn Prefix Information in Router Advertisement
 net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.all.accept_ra_pinfo = 0
 # Setting controls whether the system will accept Hop Limit settings from a router advertisement
 net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.all.accept_ra_defrtr = 0
 #router advertisements can cause the system to assign a global unicast address to an interface
 net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.all.autoconf = 0
 #how many neighbor solicitations to send out per address?
-net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.dad_transmits = 3
+net.ipv6.conf.all.dad_transmits = 3
 # How many global unicast IPv6 addresses can be assigned to each interface?
-net.ipv6.conf.default.max_addresses = 1
+net.ipv6.conf.default.max_addresses = 0
+net.ipv6.conf.all.max_addresses = 0
diff --git a/build_patches/invoke_sysctl_before_network.patch b/build_patches/invoke_sysctl_before_network.patch
new file mode 100644
index 0000000..24731db
--- /dev/null
+++ b/build_patches/invoke_sysctl_before_network.patch
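Review bot: `net.ipv6.conf.default.max_addresses = 0` and the new `all.` line at the end of the hunk do the opposite of what the comment above them suggests: in the kernel's ip-sysctl documentation a value of 0 for `max_addresses` disables the per-interface limit on autoconfigured addresses rather than forbidding them, so this replaces the previous cap of 1 with no cap at all. Since `autoconf = 0` already stops RA-derived addresses, restore the cap with `net.ipv6.conf.default.max_addresses = 1` and `net.ipv6.conf.all.max_addresses = 1`, or at least correct the comment to say that 0 means unlimited. The change of `dad_transmits` from 0 to 3 while `accept_dad=0` is kept looks inert to me, as DAD is not run when accept_dad is 0; a one-line comment on why 3 was chosen would avoid the question on the next review. Note also that not every `net.ipv6.conf.all.*` key is pushed to already-existing interfaces on every kernel, so the `default.` entries plus the early sysctl load added in the netifd patch are what actually cover the interfaces netifd brings up, which is worth a sentence at the top of the IPv6 section.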
@@ -0,0 +1,15 @@
+Index: package/netifd/files/etc/init.d/network
+===================================================================
+--- package/netifd/files/etc/init.d/network (Revision 35298)
++++ package/netifd/files/etc/init.d/network (Arbeitskopie)
+@@ -12,6 +12,10 @@
+ ulimit -c unlimited
+ echo '/tmp/%e.%p.%s.%t.core' > /proc/sys/kernel/core_pattern
+ }
++
++ # some RAs come to early otherwise:
++ [ -f /etc/sysctl.conf ] && sysctl -p -e >&-
++
+ service_start /sbin/netifd
+ 
+ setup_switch() { return 0; }
diff --git a/buildscript b/buildscript
index 40ab9d7..bd4db3e 100755
--- a/buildscript
+++ b/buildscript
@@ -19,6 +19,9 @@ prepare() {
 # This changes the default behavior of sysupgrade to not save the config
 cat build_patches/sysupgrade_no_config_save.patch | patch -p0 -d $target
+ # This adds the sysctl load just before the network comes up
+ cat build_patches/invoke_sysctl_before_network.patch | patch -p0 -d $target
+
 board_prepare
 }
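Review bot: The added `sysctl -p -e >&-` closes stdout instead of discarding it, so any write sysctl attempts on fd 1 fails with EBADF and is reported on stderr rather than being silently dropped; `[ -f /etc/sysctl.conf ] && sysctl -p -e >/dev/null` is the robust form. `-e` also makes misspelled keys in /etc/sysctl.conf pass without notice, which for a file whose purpose is to disable RA processing means a typo silently leaves the protection off, so I would keep stderr visible in the boot log and not add `2>&1` later. The comment should read `# some RAs come too early otherwise:`, and since the patch is pinned to `Revision 35298` of the netifd init script, that should be stated in the build_patches file header. The function this inner hunk modifies starts above line 12 and is outside the hunk.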
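Review bot: The new `cat build_patches/invoke_sysctl_before_network.patch | patch -p0 -d $target` line ignores patch's exit status, so when the netifd init script drifts from the revision the patch was made against, the build carries on and the image ships with sysctl applied only by the later sysctl init script, which is exactly the RA timing problem this commit fixes, and nothing tells the builder. Unless the script runs under `set -e` (not visible here), change it to `patch -p0 -d "$target" < build_patches/invoke_sysctl_before_network.patch || exit 1` and quote `$target`; the existing sysupgrade line above it has the same weakness. prepare() starts before this hunk.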