firewall: config: add dest addr restrictions for DHCPv6 rules

Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10).
Therefore, adding a dest addr restriction improves security.
See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10

Signed-off-by: Andy Chiang <[email protected]>
Link: https://github.com/openwrt/openwrt/pull/20562
Signed-off-by: Robert Marko <[email protected]>

diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 0e8091efccc3ec05ad4da527439bafd59199fcb8..7e62de5bf4902e9c3baf443d4913ced533751a89 100644 (file)
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git

diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 4c7ef8a96e0249535ec4c1b3837dff88432265e7..6829e58ec1978e2e9276a774e1e0dbc9b40db149 100644 (file)
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -59,6 +59,7 @@ config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
+       option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT