[openwrt/openwrt] firewall: config: add dest addr restrictions for DHCPv6 rules

LEDE Commits lede-commits at lists.infradead.org
Mon Nov 10 06:23:19 PST 2025


robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/4ad22d03429d45f9f5769af58c4521b3ff26815a

commit 4ad22d03429d45f9f5769af58c4521b3ff26815a
Author: Andy Chiang <AndyChiang_git at outlook.com>
AuthorDate: Mon Oct 27 08:34:13 2025 +0700

    firewall: config: add dest addr restrictions for DHCPv6 rules
    
    Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10).
    Therefore, adding a dest addr restriction improves security.
    See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10
    
    Signed-off-by: Andy Chiang <AndyChiang_git at outlook.com>
    Link: https://github.com/openwrt/openwrt/pull/20562
    Signed-off-by: Robert Marko <robimarko at gmail.com>
---
 package/network/config/firewall/Makefile              | 2 +-
 package/network/config/firewall/files/firewall.config | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 0e8091efcc..7e62de5bf4 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 4c7ef8a96e..6829e58ec1 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -59,6 +59,7 @@ config rule
 	option name		Allow-DHCPv6
 	option src		wan
 	option proto		udp
+	option dest_ip		fe80::/10
 	option dest_port	546
 	option family		ipv6
 	option target		ACCEPT
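Review bot: the added `option dest_ip fe80::/10` line in the Allow-DHCPv6 rule has no accompanying comment, so the reason the destination is pinned to link-local while the source is left open is recorded only in the commit message. A one-line comment above the option would help, saying that replies are addressed to the client's link-local address and that some ISPs send them from a GUA. That would keep a later editor from dropping this match or re-adding a source restriction. The visible rule still matches on `src wan`, `proto udp`, `dest_port 546` and `family ipv6` only, so it is worth stating in the commit message or the PR that the source side is intentionally unrestricted.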



