firewall: config: add dest addr restrictions for DHCPv6 rules

Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10).
Therefore, adding a dest addr restriction improves security.
See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10

Signed-off-by: Andy Chiang <AndyChiang_git@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/20562
Signed-off-by: Robert Marko <robimarko@gmail.com>
Andy Chiang 2025-10-27 08:34:13 +07:00 committed by Robert Marko
parent df338d67d4
commit 4ad22d0342
2 changed files with 2 additions and 1 deletions


@ -9,7 +9,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git


@ -59,6 +59,7 @@ config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
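
Review bot: the new `option dest_ip fe80::/10` line in the Allow-DHCPv6 rule carries no comment, so the reason the rule matches on destination rather than source exists only in the commit message. Suggest a one-line `#` comment above the rule saying that the source is deliberately left open because some ISPs reply from a GUA, and that the destination is limited to link-local, so a later edit does not re-add a source match that breaks those ISPs or drop the `dest_ip` line as redundant. The rule as shown still accepts UDP to port 546 from any source address on wan, which is the intended trade-off here, but it is worth stating in the config itself since that is where users will read it.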