From: Andy Chiang Date: Mon, 27 Oct 2025 01:34:13 +0000 (+0700) Subject: firewall: config: add dest addr restrictions for DHCPv6 rules X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=4ad22d03429d45f9f5769af58c4521b3ff26815a;p=openwrt%2Fstaging%2Fblocktrron.git firewall: config: add dest addr restrictions for DHCPv6 rules Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10). Therefore, adding a dest addr restriction improves security. See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10 Signed-off-by: Andy Chiang Link: https://github.com/openwrt/openwrt/pull/20562 Signed-off-by: Robert Marko --- diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile index 0e8091efcc..7e62de5bf4 100644 --- a/package/network/config/firewall/Makefile +++ b/package/network/config/firewall/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=firewall -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config index 4c7ef8a96e..6829e58ec1 100644 --- a/package/network/config/firewall/files/firewall.config +++ b/package/network/config/firewall/files/firewall.config @@ -59,6 +59,7 @@ config rule option name Allow-DHCPv6 option src wan option proto udp + option dest_ip fe80::/10 option dest_port 546 option family ipv6 option target ACCEPT
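Review bot: the added `option dest_ip fe80::/10` line in the Allow-DHCPv6 rule of firewall.config has no accompanying comment, so the reason the destination is pinned to link-local while the source stays unrestricted lives only in the commit message. Consider a short comment above the rule in firewall.config noting that some ISPs send the DHCPv6 response from a GUA or other non-LLA source but always to the client's link-local address, so that someone editing the file later does not drop the restriction or add a link-local `src_ip` match that would break those ISPs. The commit message also does not say whether already-deployed configurations are expected to pick up this change or only new installs of the default file; stating that would help anyone auditing an existing Allow-DHCPv6 rule.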