
Merge branch 'master' of git+ssh://openadk.org/git/openadk

Waldemar Brodkorb 15 years ago
parent
commit
38910b0bc0

+ 0 - 5
BUGS

@@ -1,8 +1,3 @@
 - openssh on amd64 does not work, ssh-keygen endless loop
 - uclibc on lemote mips64 target does not work (only uclibc-trunk with patches)
-<<<<<<< HEAD
 - qemu-mips64* targets does not boot, kernel problem?
-- (cross-)compile from debian amd64 to f.e. qemu-x86_64 or shuttle with
-  either glibc or eglibc is broken, have sth. todo with target == host
-=======
->>>>>>> 4d569ed1a3305c7b7abe8fa4273cea3b559cc85a

+ 2 - 0
TODO

@@ -1,3 +1,5 @@
+- php update
+- openssh update
 - macos x build
 - test on OpenSuSE
 - test on Fedora Core

+ 61 - 0
mk/modules.mk

@@ -509,6 +509,67 @@ $(eval $(call KMOD_template,IP_NF_TARGET_TTL,ip-nf-target-ttl,\
 	$(MODULES_DIR)/kernel/net/ipv4/netfilter/ipt_TTL \
 ,65))
 
+#
+# IPv6: Netfilter
+#
+$(eval $(call KMOD_template,NF_CONNTRACK_IPV6,nf-conntrack-ipv6,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/nf_conntrack_ipv6 \
+,50))
+
+$(eval $(call KMOD_template,IP6_NF_IPTABLES,ip6-nf-iptables,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6_tables \
+,50))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_AH,ip6-nf-match-AH,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_ah \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_EUI64,ip6-nf-match-eui64,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_eui64 \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_FRAG,ip6-nf-match-frag,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_frag \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_OPTS,ip6-nf-match-opts,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_hbh \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_IPV6HEADER,ip6-nf-match-ipv6header,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_ipv6header \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_MH,ip6-nf-match-mh,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_mh \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_MATCH_RT,ip6-nf-match-rt,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_rt \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_TARGET_LOG,ip6-nf-target-log,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_LOG \
+,55))
+
+#
+# IPv6: Filtering
+#
+$(eval $(call KMOD_template,IP6_NF_FILTER,ip6-nf-filter,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6table_filter \
+,55))
+
+$(eval $(call KMOD_template,IP6_NF_TARGET_REJECT,ip6-nf-target-reject,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6t_REJECT \
+,60))
+
+#
+# IPv6: Mangle
+#
+$(eval $(call KMOD_template,IP6_NF_MANGLE,ip6-nf-mangle,\
+	$(MODULES_DIR)/kernel/net/ipv6/netfilter/ip6table_mangle \
+,60))
+
 #
 # IPVS
 #
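Review bot: The package name `ip6-nf-match-AH` on the IP6_NF_MATCH_AH line is the only mixed-case name in this block; every other entry visible here, and the `kmod-ip6-nf-*` names that `package/iptables/Makefile` depends on in this commit, are lower-case. If package names are compared case-sensitively, a later dependency written as `kmod-ip6-nf-match-ah` would not resolve, so `ip6-nf-match-ah` is the safer spelling. The final numeric argument (presumably a load order) is 55 for both `ip6table_filter` and the `ip6t_*` match modules; a one-line comment on what that number orders would help whoever adds the next module.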

+ 4 - 0
mk/package.mk

@@ -43,6 +43,10 @@ else
 CONFIGURE_ARGS+=	--disable-debug
 endif
 
+ifeq ($(ADK_ENABLE_IPV6),y)
+CONFIGURE_ARGS+=	--enable-ipv6
+endif
+
 CONFIGURE_ENV+=		CONFIG_SHELL='$(strip ${SHELL})' \
 			CFLAGS='$(strip ${TCFLAGS})' \
 			CXXFLAGS='$(strip ${TCXXFLAGS})' \
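Review bot: When `ADK_ENABLE_IPV6` is not `y`, nothing is passed to configure, so packages whose configure scripts auto-detect IPv6 can still be built with it. The block that ends just above the addition passes `--disable-debug` in its `else` branch, and this one should mirror it with `else` followed by `CONFIGURE_ARGS+= --disable-ipv6`. Without that, turning the global option off does not reliably remove IPv6 support from the image, which matters to anyone who disables it because they run no IPv6 filter. Packages whose configure scripts do not know the option would need checking before this goes in.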

+ 13 - 0
package/Config.in

@@ -3,6 +3,18 @@
 
 menu "Package selection"
 
+config ADK_ENABLE_IPV6
+	prompt "enable IPv6 globally"
+	boolean
+	default y
+	# FIXME: selecting stuff here is ugly, better fix package flavours to
+	#        support a symbol-value-based default (i.e., "default y if IPV6")
+	select ADK_PACKAGE_NFS_UTILS_WITH_TIRPC if ADK_PACKAGE_NFS_UTILS != n
+	help
+	  This enables IPv6 support in all related applications. Basically this
+	  just means passing --enable-ipv6 to the configure script, but the
+	  exception proves the rule. ;)
+
 menu "Basesystem"
 source "package/adkinstall/Config.in"
 source "package/base-files/Config.in"
@@ -97,6 +109,7 @@ menu "Firewall / Routing / Bridging"
 source "package/arpd/Config.in"
 source "package/bridge-utils/Config.in"
 source "package/linux-atm/Config.in"
+source "package/conntrack-tools/Config.in"
 source "package/cutter/Config.in"
 source "package/ebtables/Config.in"
 source "package/ether-wake/Config.in"
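Review bot: `ADK_ENABLE_IPV6` defaults to `y` in the first hunk, but its help text does not say that the IPv4 firewall rules give no protection to IPv6 traffic. In this same commit the IPv6 firewall is registered as `firewall6 NO` and the shipped `firewall6.conf` exits until it has been edited, so a default build gets IPv6-enabled services with no IPv6 filtering. I would add a sentence to the help along the lines of `IPv6 traffic is not covered by /etc/firewall.conf; configure /etc/firewall6.conf and enable firewall6.`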

+ 3 - 1
package/asterisk/Makefile

@@ -26,13 +26,15 @@ PKG_DESCR_CHAN_MGCP:=	Media Gateway Control Protocol implementation
 PKG_DESCR_CHAN_SKINNY:=	Skinny Client Control Protocol implementation
 PKG_DESCR_CHAN_IAX2:=	Support for the Inter Asterisk Protocol
 PKG_DESCR_CODEC_SPEEX:=	Speex/PCM16 Codec Translator
+PKG_DESCR_SOUNDS:=	Various soundfiles in GSM format
+PKG_DEPENDS_SOUNDS:=	${PKG_DEPENDS} asterisk-codec-gsm
 
 include $(TOPDIR)/mk/package.mk
 
 $(eval $(call PKG_template,ASTERISK,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_PGSQL,asterisk-pgsql,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_VOICEMAIL,asterisk-voicemail,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
-$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_SOUNDS},${PKG_DESCR_SOUNDS},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_MGCP,asterisk-chan-mgcp,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_MGCP},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_SKINNY,asterisk-chan-skinny,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_SKINNY},${PKG_SECTION}))
 $(eval $(call PKG_template,ASTERISK_CHAN_IAX2,asterisk-chan-iax2,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_IAX2},${PKG_SECTION}))

+ 0 - 1
package/asterisk/files/asterisk.conffiles

@@ -13,7 +13,6 @@
 /etc/asterisk/modules.conf
 /etc/asterisk/musiconhold.conf
 /etc/asterisk/osp.conf
-/etc/asterisk/privacy.conf
 /etc/asterisk/queues.conf
 /etc/asterisk/rtp.conf
 /etc/asterisk/sip.conf

+ 1 - 1
package/base-files/src/etc/init.d/boot

@@ -8,7 +8,7 @@ mkdir -p /var/log
 mkdir -p /var/run
 touch /var/log/lastlog
 touch /var/log/wtmp
-ln -s /var/tmp /tmp
+ln -s /tmp /var/tmp
 
 echo 0 > /proc/sys/kernel/printk
 

+ 1 - 0
package/base-files/src/etc/sysctl.conf

@@ -4,6 +4,7 @@
 #kernel.panic = 3
 # Enable packet forwarding
 #net.ipv4.ip_forward = 1
+#net.ipv6.conf.all.forwarding = 1
 # Disables IP dynaddr
 #net.ipv4.ip_dynaddr = 0
 # Disable ECN
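Review bot: The new `#net.ipv6.conf.all.forwarding = 1` line sits under the generic `# Enable packet forwarding` comment with no hint of its side effects. On Linux, turning IPv6 forwarding on makes the host act as a router, which by default stops it accepting router advertisements on its own interfaces. Forwarded IPv6 packets are then filtered only if the ip6tables FORWARD rules have been loaded. A comment above the line such as `# IPv6 forwarding: enable firewall6 first; the box stops autoconfiguring from RAs` would save a surprise.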

+ 1 - 1
package/bc/Makefile

@@ -8,7 +8,7 @@ PKG_VERSION:=		1.06
 PKG_RELEASE:=		1
 PKG_MD5SUM:=		d44b5dddebd8a7a7309aea6c36fda117
 PKG_DESCR:=		An arbitrary precision calculator language
-PKG_SECTION:=		util
+PKG_SECTION:=		utils
 PKG_URL:=		http://www.gnu.org/software/bc
 PKG_SITES:=		http://ftp.gnu.org/pub/gnu/bc/
 

+ 3 - 0
package/busybox/Config.in.manual

@@ -17,3 +17,6 @@ menu "Busybox Configuration"
 source "package/busybox/config/Config.in"
 endmenu
 
+config ADK_PACKAGE_UDHCPD
+	boolean
+	default BUSYBOX_APP_UDHCPD

+ 8 - 0
package/busybox/Makefile

@@ -12,9 +12,13 @@ PKG_SECTION:=		base
 PKG_URL:=		http://www.busybox.net
 PKG_SITES:=		http://www.busybox.net/downloads/
 
+PKG_DESCR_UDHCPD:=	uDHCPD meta package
+PKG_SECTION_UDHCPD:=	net
+
 include $(TOPDIR)/mk/package.mk
 
 $(eval $(call PKG_template,BUSYBOX,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,UDHCPD,udhcpd,${PKG_VERSION}-${PKG_RELEASE},busybox,${PKG_DESCR_UDHCPD},${PKG_SECTION_UDHCPD}))
 
 CONFIG_STYLE:=		manual
 BUILD_STYLE:=		manual
@@ -63,6 +67,10 @@ ifeq ($(ADK_DEBUG),y)
 	${INSTALL_BIN} $(WRKBUILD)/busybox_unstripped \
 		$(IDIR_BUSYBOX)/bin/busybox
 endif
+ifeq ($(ADK_PACKAGE_UDHCPD),y)
+	${INSTALL_DIR} ${IDIR_UDHCPD}/etc/
+	${INSTALL_DATA} ./files/udhcpd.conf ${IDIR_UDHCPD}/etc/
+endif
 
 fake:	$(TOPDIR)/.busyboxcfg do-configure do-install
 

+ 28 - 0
package/busybox/files/udhcpd.conf

@@ -0,0 +1,28 @@
+# interface to bind to
+interface eth0
+
+# iprange to choose from
+start	192.168.1.100
+end	192.168.1.200
+
+# max number of leases
+#max_leases	100
+
+# period of auto lease file updates (in seconds)
+auto_time 7200
+
+# some timeouts
+#decline_time 3600
+#conflict_time 3600
+#offer_time 60
+#min_lease 60
+
+# do not change the path here
+leases_file /var/udhcpd.leases
+
+# call this script upon lease file write
+# (dumpleases may be useful for debugging)
+#notify_file dumpleases
+
+# static leases
+#static_lease 00:fe:ed:ba:be:00 192.168.1.2

+ 1 - 0
package/busybox/files/udhcpd.conffiles

@@ -0,0 +1 @@
+/etc/udhcpd.conf

+ 28 - 0
package/busybox/files/udhcpd.init

@@ -0,0 +1,28 @@
+#!/bin/sh
+#PKG udhcpd
+#INIT 50
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+	[[ $udhcpd = NO ]] && exit 0
+	exec sh $0 start
+	;;
+start)
+	touch /var/udhcp.leases
+	udhcpd -S
+	;;
+stop)
+	pkill udhcpd
+	;;
+restart)
+	sh $0 stop
+	sh $0 start
+	;;
+*)
+	echo "Usage: $0 {start | stop | restart}"
+	exit 1
+	;;
+esac
+exit $?
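Review bot: `start)` touches `/var/udhcp.leases`, but the `udhcpd.conf` added in this commit sets `leases_file /var/udhcpd.leases`, so the file prepared here is not the one the daemon is configured to use; the line should read `touch /var/udhcpd.leases`. The `autostart)` test uses `[[ $udhcpd = NO ]]` under `#!/bin/sh`, which depends on the shell providing `[[`. The form used in `firewall6.init` in this commit, `test x"${firewall6:-NO}" = x"NO"`, is portable and also treats an unset variable as NO, so the DHCP server does not start by accident when rc.conf lacks the entry.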

+ 3 - 0
package/busybox/files/udhcpd.postinst

@@ -0,0 +1,3 @@
+#!/bin/sh
+. $IPKG_INSTROOT/etc/functions.sh
+add_rcconf udhcpd udhcpd 'NO'

+ 26 - 0
package/conntrack-tools/Makefile

@@ -0,0 +1,26 @@
+# This file is part of the OpenADK project. OpenADK is copyrighted
+# material, please see the LICENCE file in the top-level directory.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=		conntrack-tools
+PKG_VERSION:=		0.9.9
+PKG_RELEASE:=		1
+PKG_MD5SUM:=		35b0ab9cde069b4ec8a493daae82d67b
+PKG_DESCR:=		Connection tracking userspace tools
+PKG_SECTION:=		firewall
+PKG_DEPENDS:=		libnetfilter_conntrack
+PKG_BUILDDEP+=		libnetfilter_conntrack
+PKG_URL:=		http://conntrack-tools.netfilter.org
+PKG_SITES:=		http://www.netfilter.org/projects/conntrack-tools/files/
+DISTFILES:=		${PKG_NAME}-${PKG_VERSION}.tar.bz2
+
+include $(TOPDIR)/mk/package.mk
+
+$(eval $(call PKG_template,CONNTRACK_TOOLS,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+
+post-install:
+	$(INSTALL_DIR) $(IDIR_CONNTRACK_TOOLS)/usr/sbin
+	$(INSTALL_BIN) $(WRKINST)/usr/sbin/conntrack{,d} $(IDIR_CONNTRACK_TOOLS)/usr/sbin/
+
+include ${TOPDIR}/mk/pkg-bottom.mk
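Review bot: The `post-install` recipe relies on shell brace expansion in `conntrack{,d}`, which a POSIX `/bin/sh` passes through literally, so the install fails unless the build forces `SHELL` to a shell that expands braces. The same applies to `${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}` in the `package/iptables/Makefile` hunk. Writing the names out, `$(WRKINST)/usr/sbin/conntrack $(WRKINST)/usr/sbin/conntrackd`, removes the dependency. Separately, the tarball is fetched over plain `http` and checked only against `PKG_MD5SUM`; if the package framework supports a stronger digest, or an https mirror exists, a new package is a good place to start using it.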

+ 2 - 2
package/dropbear/Makefile

@@ -5,14 +5,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=		dropbear
 PKG_VERSION:=		0.52
-PKG_RELEASE:=		1
+PKG_RELEASE:=		2
 PKG_MD5SUM:=		1c69ec674481d7745452f68f2ea5597e
 PKG_DESCR:=		SSH 2 server/client designed for embedded systems 
 PKG_SECTION:=		net
 PKG_URL:=		http://matt.ucc.asn.au/dropbear
 PKG_SITES:=		http://matt.ucc.asn.au/dropbear/releases/
 
-PKG_DESCR_UTIL:=	Utility for converting SSH keys
+PKG_DESCR_UTIL:=	Utility for converting SSH private keys
 
 include $(TOPDIR)/mk/package.mk
 

+ 8 - 0
package/dropbear/files/dropbear.init

@@ -27,6 +27,14 @@ start)
 		test $rv = 0 || exit 1
 		test -f /etc/dropbear/dropbear_rsa_host_key || exit 1
 	fi
+	if test ! -f /etc/dropbear/dropbear_dss_host_key; then
+		# take it easy here, since above already catched the worst cases
+		if test -x /usr/bin/dropbearkey; then
+			bothlog "dropbear: generating SSH private key (DSS)"
+			/usr/bin/dropbearkey -f /etc/dropbear/dropbear_dss_host_key -t dss
+			bothlog dropbear: key generation exited with code $?
+		fi
+	fi
 	/usr/sbin/dropbear $dropbear_flags
 	;;
 stop)
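Review bot: The new DSS branch only logs the exit code of `dropbearkey` and then starts the daemon, whereas the RSA branch above it stops on failure (`test $rv = 0 || exit 1`). If generation is interrupted and leaves a partial `dropbear_dss_host_key`, the `test ! -f` guard will never regenerate it. I would save the status with `rv=$?`, log `$rv`, and add `test $rv = 0 || rm -f /etc/dropbear/dropbear_dss_host_key` so the next boot can retry. A comment is also warranted: ssh-dss host keys are 1024-bit DSA, and DSA signing depends heavily on good randomness, which a freshly booted embedded target may not have yet, so the RSA key should stay the primary one. The `start)` branch begins outside this hunk.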

+ 1 - 10
package/dropbear/patches/patch-options_h

@@ -1,6 +1,6 @@
 $Id: update-patches 24 2008-08-31 14:56:13Z wbx $
 --- dropbear-0.52.orig/options.h	2008-11-11 15:13:50.000000000 +0100
-+++ dropbear-0.52/options.h	2010-01-22 17:55:09.000000000 +0100
++++ dropbear-0.52/options.h	2010-03-14 23:30:26.277667006 +0100
 @@ -10,6 +10,11 @@
   * parts are to allow for commandline -DDROPBEAR_XXX options etc.
   ******************************************************************/
@@ -13,15 +13,6 @@ $Id: update-patches 24 2008-08-31 14:56:13Z wbx $
  #ifndef DROPBEAR_DEFPORT
  #define DROPBEAR_DEFPORT "22"
  #endif
-@@ -115,7 +120,7 @@ etc) slower (perhaps by 50%). Recommende
-  * Removing either of these won't save very much space.
-  * SSH2 RFC Draft requires dss, recommends rsa */
- #define DROPBEAR_RSA
--#define DROPBEAR_DSS
-+/* #define DROPBEAR_DSS */
- 
- /* RSA can be vulnerable to timing attacks which use the time required for
-  * signing to guess the private key. Blinding avoids this attack, though makes
 @@ -129,7 +134,7 @@ etc) slower (perhaps by 50%). Recommende
  /* #define DSS_PROTOK */
  

+ 5 - 3
package/iptables/Makefile

@@ -14,6 +14,8 @@ PKG_DEPENDS+=		kmod-nf-conntrack-ipv4 kmod-nf-nat
 PKG_DEPENDS+=		kmod-ip-nf-target-masquerade kmod-ip-nf-target-reject
 PKG_DEPENDS+=		kmod-ip-nf-filter kmod-ip-nf-match-state 
 PKG_DEPENDS+=		kmod-netfilter-xt-target-tcpmss
+PKG_DEPENDS6:=		kmod-ip6-nf-iptables kmod-nf-conntrack-ipv6
+PKG_DEPENDS6+=		kmod-ip6-nf-filter kmod-ip6-nf-target-reject
 PKG_URL:=		http://www.netfilter.org
 PKG_SITES:=		http://www.netfilter.org/projects/iptables/files/ \
 			ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
@@ -29,7 +31,7 @@ include ${TOPDIR}/mk/package.mk
 #include ${LINUX_DIR}/.config
 
 $(eval $(call PKG_template,IPTABLES,iptables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
-$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS6},${PKG_DESCR},${PKG_SECTION}))
 
 CONFIGURE_ARGS+=	--enable-devel
 
@@ -44,8 +46,8 @@ post-install: ${SUB_INSTALL-m} ${SUB_INSTALL-y}
 	${CP} ${WRKINST}/usr/lib/libxtables.so* ${IDIR_IPTABLES}/usr/lib
 
 ip6tables-install:
-	${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/lib
-	${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/sbin
+	${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}
+	${INSTALL_DATA} ./files/firewall6.conf ${IDIR_IP6TABLES}/etc
 	${INSTALL_BIN} ${WRKINST}/usr/sbin/ip6tables ${IDIR_IP6TABLES}/usr/sbin/
 	${CP} ${WRKINST}/usr/lib/libip6tc.so* ${IDIR_IP6TABLES}/usr/lib
 

+ 6 - 3
package/iptables/files/firewall.conf

@@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule
 ### Default policy
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
 
 ### INPUT
 ###  (connections with the router as destination)
@@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
 ###  (connections with the router as source)
 
 # base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
 
 ### FORWARD
 ###  (connections routed through the router)
 
 # base case
 iptables -A FORWARD -m state --state INVALID -j DROP
-iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
+# fix for broken ISPs blocking ICMP "fragmentation needed" packets
+#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
 # custom rules
 iptables -A FORWARD -j forwarding_rule
 iptables -t nat -A PREROUTING -j prerouting_rule
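Review bot: With `iptables -P OUTPUT DROP` added but the only OUTPUT rules accepting `RELATED,ESTABLISHED,NEW` and all ICMP, the policy drops nothing except packets conntrack classifies as INVALID, so the file now reads as if it filters egress when it does not. A comment above the rule, e.g. `# OUTPUT is effectively open; the DROP policy only catches INVALID packets`, would make that explicit. An `output_rule` chain alongside `forwarding_rule` would give users a place to restrict it. In the second hunk the MSS clamp is no longer applied by default, and the commented replacement uses `-t mangle`, so it is worth stating next to it that the mangle table must be available before the line is re-enabled.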

+ 98 - 0
package/iptables/files/firewall6.conf

@@ -0,0 +1,98 @@
+#!/bin/sh
+echo "configure /etc/firewall6.conf first."
+exit 1
+
+### Interfaces
+WAN=sixxs
+LAN=br0
+WLAN=wlan0
+
+######################################################################
+### Default ruleset
+######################################################################
+
+### Create chains
+ip6tables -N input_rule
+ip6tables -N forwarding_rule
+
+### Default policy
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+### INPUT
+###  (connections with the router as destination)
+
+# base case
+ip6tables -A INPUT -m state --state INVALID -j DROP
+ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
+
+# custom rules
+ip6tables -A INPUT -j input_rule
+
+# allow access from anything but WAN
+ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
+# allow icmp messages
+ip6tables -A INPUT -p icmp6 -j ACCEPT
+
+# reject
+ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+### OUTPUT
+###  (connections with the router as source)
+
+# base case
+ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+ip6tables -A OUTPUT -p icmp6 -j ACCEPT
+
+### FORWARD
+###  (connections routed through the router)
+
+# base case
+ip6tables -A FORWARD -m state --state INVALID -j DROP
+ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# fix for broken ISPs blocking ICMPv6 "packet too big" packets
+#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# custom rules
+ip6tables -A FORWARD -j forwarding_rule
+
+# allow LAN
+ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+######################################################################
+### Default ruleset end
+######################################################################
+
+###
+### Connections to the router
+###
+
+# ssh
+#ip6tables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
+
+# IPSec
+#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
+
+# OpenVPN
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
+
+# PPTP
+#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
+
+###
+###  VPN traffic
+###
+
+# IPSec
+#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
+#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT
+
+# OpenVPN
+#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
+#ip6tables -A forwarding_rule -i tun+ -j ACCEPT
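Review bot: The INPUT rule `ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT` fails open: if `WAN` is empty it becomes an unconditional ACCEPT, and if `WAN` names the wrong interface (the default `sixxs` fits one specific tunnel setup) the real uplink is treated as inside. Because IPv6 hosts are normally globally addressable, I would list the trusted interfaces instead: `ip6tables -A INPUT -i lo -j ACCEPT`, `ip6tables -A INPUT -i $LAN -j ACCEPT`, `ip6tables -A INPUT -i $WLAN -j ACCEPT`. `WLAN` is otherwise defined but never used, and the FORWARD section admits only `$LAN`, which deserves a comment if intended. The commented examples use an `a.b.c.d` source placeholder, which is IPv4 notation; an IPv6 address or prefix placeholder would avoid confusion.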

+ 31 - 0
package/iptables/files/firewall6.init

@@ -0,0 +1,31 @@
+#!/bin/sh
+#PKG iptables
+#INIT 45
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+	test x"${firewall6:-NO}" = x"NO" && exit 0
+	exec sh $0 start
+	;;
+start)
+	. /etc/firewall6.conf
+	;;
+stop)
+	### Clear tables
+	ip6tables -F
+	ip6tables -X
+	ip6tables -P INPUT ACCEPT
+	ip6tables -P FORWARD ACCEPT
+	ip6tables -P OUTPUT ACCEPT
+	;;
+restart)
+	sh $0 stop
+	sh $0 start
+	;;
+*)
+	echo "Usage: $0 {start | stop | restart}"
+	;;
+esac
+exit $?
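Review bot: The script is tagged `#PKG iptables` and its rc.conf entry is added in `iptables.postinst`, but `/etc/firewall6.conf` is installed into `IDIR_IP6TABLES` by the `ip6tables-install` target. Assuming `#PKG` selects the owning package, a system with iptables but without the ip6tables package would have `start` source a file that does not exist. Either tag the script for the ip6tables package or guard the line with something like `test -f /etc/firewall6.conf || exit 1`. The usage branch also lacks the `exit 1` that `udhcpd.init` has, so an unknown argument returns success and a mistyped `start` looks as if the firewall was loaded.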

+ 1 - 0
package/iptables/files/iptables.postinst

@@ -2,3 +2,4 @@
 . $IPKG_INSTROOT/etc/functions.sh
 
 add_rcconf iptables firewall NO
+add_rcconf iptables firewall6 NO

+ 1 - 1
package/ntfs-3g/Makefile

@@ -8,7 +8,7 @@ PKG_VERSION=		2010.1.16
 PKG_RELEASE=		1
 PKG_MD5SUM=		e104c914e8d7d29ee83e63d46afbba25
 PKG_DESCR:=		ntfs filesystem driver with read and write support
-PKG_SECTION:=		sys
+PKG_SECTION:=		kernel
 PKG_DEPENDS:=		kmod-fuse-fs
 PKG_URL:=		http://tuxera.com
 PKG_SITES=		http://tuxera.com/opensource/

+ 2 - 2
package/openssh/Makefile

@@ -4,9 +4,9 @@
 include ${TOPDIR}/rules.mk
 
 PKG_NAME:=		openssh
-PKG_VERSION:=		5.4p1
+PKG_VERSION:=		5.5p1
 PKG_RELEASE:=		1
-PKG_MD5SUM:=		da10af8a789fa2e83e3635f3a1b76f5e
+PKG_MD5SUM:=		88633408f4cb1eb11ec7e2ec58b519eb
 PKG_DESCR:=		OpenSSH server
 PKG_SECTION:=		net
 PKG_DEPENDS:=		zlib libopenssl libpthread

+ 11 - 0
package/openssh/patches/patch-openbsd-compat_port-tun_c

@@ -0,0 +1,11 @@
+--- openssh-5.5p1.orig/openbsd-compat/port-tun.c	2008-05-19 07:28:36.000000000 +0200
++++ openssh-5.5p1/openbsd-compat/port-tun.c	2010-04-21 20:14:00.000000000 +0200
+@@ -213,7 +213,7 @@ sys_tun_infilter(struct Channel *c, char
+ 	if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
+ 		return (-1);
+ 	ptr = (char *)&rbuf[0];
+-	bcopy(buf, ptr + sizeof(u_int32_t), len);
++	memcpy(ptr + sizeof(u_int32_t), buf, len);
+ 	len += sizeof(u_int32_t);
+ 	af = (u_int32_t *)ptr;
+ 
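Review bot: This patch file has no description line saying why `bcopy` is replaced or whether the change has gone upstream, unlike the pdnsd patch added in the same commit, which opens with a one-line rationale. For a locally carried change to OpenSSH that is worth recording, with a first line such as `replace bcopy with memcpy (reason, upstream status)`, so it can be dropped or re-checked at the next version bump. The argument order is swapped correctly for `memcpy`, and the copy length is bounded by the `len > (int)(sizeof(rbuf) - sizeof(*af))` check in the context above. `sys_tun_infilter` continues outside the hunk.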

+ 23 - 17
package/pdnsd/files/pdnsd.conf

@@ -1,7 +1,8 @@
 global {
-	perm_cache=1024;
-	cache_dir="/var/cache/pdnsd";  # do not change this!
-	run_as="nobody";
+	perm_cache = 1024;
+	cache_dir = "/var/cache/pdnsd";  # do not change this!
+	run_as = "nobody";
+	strict_setuid = on;
 	server_ip = 127.0.0.1;  # Use eth0 here if you want to allow other
 				# machines on your network to query pdnsd.
 	status_ctl = on;
@@ -11,20 +12,25 @@ global {
 	min_ttl=15m;       # Retain cached entries at least 15 minutes.
 	max_ttl=1w;        # One week.
 	timeout=10;        # Global timeout option (10 seconds).
+	proc_limit = 20;
 }
 
-server {
-	label= "myisp";
-	ip = 192.168.0.1;  # Put your ISP's DNS-server address(es) here.
-#	proxy_only=on;     # Do not query any name servers beside your ISP's.
-	                   # This may be necessary if you are behind some
-	                   # kind of firewall and cannot receive replies
-	                   # from outside name servers.
-	timeout=4;         # Server timeout; this may be much shorter
-			   # that the global timeout option.
-	uptest=if;         # Test if the network interface is active.
-	interface=eth0;    # The name of the interface to check.
-	interval=10m;      # Check every 10 minutes.
-	purge_cache=off;   # Keep stale cache entries in case the ISP's
-			   # DNS servers go offline.
+# serve local host definitions
+source {
+	owner = "localhost";
+	serve_aliases = off; # skip everything after the first host for an IP
+	file = "/etc/hosts";
 }
+
+# for dns servers via dhcp
+#server {
+#	label = "dhcp";
+#	file = "/var/resolv.conf";
+#	exclude = ".lan";
+#	policy = fqdn_only;
+#	timeout = 4;
+#	uptest = if;
+#	interface = "eth0";
+#	interval = 60;
+#}
+
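Review bot: After this change no `server` section is active, since the only one is commented out, so as shipped the daemon appears to have no upstream to forward to and would answer only from `/etc/hosts`. If that is intended, a comment above the commented block saying that a `server` section must be enabled before use would help. The commented example reads its servers from `/var/resolv.conf`, and it is worth noting there that whatever writes that file decides where all queries are sent.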

+ 4 - 1
package/pdnsd/files/pdnsd.init

@@ -13,7 +13,10 @@ autostart)
 start)
 	[ -f /etc/pdnsd.conf ] || exit
 	mkdir -p /var/cache/pdnsd
-	pdnsd -s -t -d
+	touch /var/cache/pdnsd/pdnsd.cache
+	# this allows for strict_setuid
+	chown -R nobody:nogroup /var/cache/pdnsd
+	pdnsd -d
 	;;
 stop)
 	pkill pdnsd
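Review bot: `chown -R nobody:nogroup /var/cache/pdnsd` runs as root on every start over a directory that the unprivileged `nobody` account can write to, so root acts on whatever entries that account has left there. On chown implementations that dereference symlinks by default, this can change the ownership of files outside the cache directory. Changing only the two known paths without following links, `chown -h nobody:nogroup /var/cache/pdnsd /var/cache/pdnsd/pdnsd.cache`, is enough for `strict_setuid`. The `touch` just above has the same exposure if `pdnsd.cache` already exists as a link, so it is safer to create and chown the file only when the directory is first made.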

+ 12 - 0
package/pdnsd/patches/patch-src_dns_query_c

@@ -0,0 +1,12 @@
+use the temporary port, not always the global one over and over again
+--- pdnsd-1.2.7.orig/src/dns_query.c	2008-09-01 15:56:51.000000000 +0200
++++ pdnsd-1.2.7/src/dns_query.c	2010-03-19 21:44:38.837858828 +0100
+@@ -650,7 +650,7 @@ static int bind_socket(int s)
+ 				ELSE_IPV6 {
+ 					memset(&sin.sin6,0,sizeof(struct sockaddr_in6));
+ 					sin.sin6.sin6_family=AF_INET6;
+-					sin.sin6.sin6_port=htons(global.port);
++					sin.sin6.sin6_port=htons(prt);
+ 					sin.sin6.sin6_flowinfo=IPV6_FLOWINFO;
+ 					SET_SOCKA_LEN6(sin.sin6);
+ 					sinl=sizeof(struct sockaddr_in6);

+ 1 - 1
package/tcsh/Makefile

@@ -8,7 +8,7 @@ PKG_VERSION:=		6.17.00
 PKG_RELEASE:=		1
 PKG_MD5SUM:=		c47de903e3d52f6824c8dd0c91eeb477
 PKG_DESCR:=		alternative csh
-PKG_SECTION:=		shell
+PKG_SECTION:=		shells
 PKG_DEPENDS:=		libncurses
 PKG_BUILDDEP+=		ncurses
 PKG_URL:=		http://www.tcsh.org/Welcome

+ 2 - 0
rules.mk

@@ -31,8 +31,10 @@ ADK_TARGET_SUFFIX:=	$(strip $(subst ",, $(ADK_TARGET_SUFFIX)))
 ADK_COMPRESSION_TOOL:=	$(strip $(subst ",, $(ADK_COMPRESSION_TOOL)))
 
 ifeq ($(strip ${ADK_HAVE_DOT_CONFIG}),y)
+ifneq ($(strip $(wildcard $(TOPDIR)/target/$(ADK_TARGET)/target.mk)),)
 include $(TOPDIR)/target/$(ADK_TARGET)/target.mk
 endif
+endif
 
 include $(TOPDIR)/mk/vars.mk
 

+ 5 - 244
target/linux/config/Config.in.netfilter

@@ -197,251 +197,12 @@ config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_TCPMSS
 endmenu
 
 menu "IP: Netfilter Configuration"
+source target/linux/config/Config.in.netfilter.ip4
+endmenu
 
-config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4
-	bool 'IPv4 connection tracking support (required for NAT)'
-	select ADK_KPACKAGE_KMOD_NF_CONNTRACK
-	help
-	  Connection tracking keeps a record of what packets have passed
-	  through your machine, in order to figure out how they are related
-	  into connections.
-
-config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT
-	bool 'Connection tracking flow accounting'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  If this option is enabled, the connection tracking code will
-	  keep per-flow packet and byte counters.
-
-	  Those counters can be used for flow-based accounting or the
-	  `connbytes' match.
-
-config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK
-	bool 'Connection mark tracking support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	select ADK_KERNEL_IP_NF_MATCH_CONNMARK
-	help
-	  This option enables support for connection marks, used by the
-	  `CONNMARK' target and `connmark' match. Similar to the mark value
-	  of packets, but this mark value is kept in the conntrack session
-	  instead of the individual packets.
-
-config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK
-	bool 'Connection tracking security mark support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	#FIXME select NETWORK_SECMARK
-	help
-	  This option enables security markings to be applied to
-	  connections.  Typically they are copied to connections from
-	  packets using the CONNSECMARK target and copied back from
-	  connections to packets with the same target, with the packets
-	  being originally labeled via SECMARK.
-
-config ADK_KPACKAGE_KMOD_IP_NF_FTP
-	tristate 'FTP protocol support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  Tracking FTP connections is problematic: special helpers are
-	  required for tracking them, and doing masquerading and other forms
-	  of Network Address Translation on them.
-
-config ADK_KPACKAGE_KMOD_IP_NF_IRC
-	tristate 'IRC protocol support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  There is a commonly-used extension to IRC called
-	  Direct Client-to-Client Protocol (DCC).  This enables users to send
-	  files to each other, and also chat to each other without the need
-	  of a server.  DCC Sending is used anywhere you send files over IRC,
-	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
-	  using NAT, this extension will enable you to send files and initiate
-	  chats.  Note that you do NOT need this extension to get files or
-	  have others initiate chats, or everything else in IRC.
-
-config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS
-	tristate 'NetBIOS name service protocol support (EXPERIMENTAL)'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  NetBIOS name service requests are sent as broadcast messages from an
-	  unprivileged port and responded to with unicast messages to the
-	  same port. This make them hard to firewall properly because connection
-	  tracking doesn't deal with broadcasts. This helper tracks locally
-	  originating NetBIOS name service requests and the corresponding
-	  responses. It relies on correct IP address configuration, specifically
-	  netmask and broadcast address. When properly configured, the output
-	  of "ip address show" should look similar to this:
-
-	  $ ip -4 address show eth0
-	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
-	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
-
-config ADK_KPACKAGE_KMOD_IP_NF_TFTP
-	tristate 'TFTP protocol support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  TFTP connection tracking helper, this is required depending
-	  on how restrictive your ruleset is.
-	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
-	  you will need this.
-
-config ADK_KPACKAGE_KMOD_IP_NF_AMANDA
-	tristate 'Amanda backup protocol support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	#FIXME TEXTSEARCH && TEXTSEARCH_KMP
-	help
-	  If you are running the Amanda backup package <http://www.amanda.org/>
-	  on this machine or machines that will be MASQUERADED through this
-	  machine, then you may want to enable this feature.  This allows the
-	  connection tracking and natting code to allow the sub-channels that
-	  Amanda requires for communication of the backup data, messages and
-	  index.
-
-config ADK_KPACKAGE_KMOD_IP_NF_PPTP
-	tristate 'PPTP protocol support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  This module adds support for PPTP (Point to Point Tunnelling
-	  Protocol, RFC2637) connection tracking and NAT. 
-	
-	  If you are running PPTP sessions over a stateful firewall or NAT
-	  box, you may want to enable this feature.  
-	
-	  Please note that not all PPTP modes of operation are supported yet.
-	  For more info, read top of the file
-	  net/ipv4/netfilter/ip_conntrack_pptp.c
-
-config ADK_KPACKAGE_KMOD_IP_NF_H323
-	tristate 'H.323 protocol support (EXPERIMENTAL)'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
-	  important VoIP protocols, it is widely used by voice hardware and
-	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
-	  Gnomemeeting, etc.
-
-	  With this module you can support H.323 on a connection tracking/NAT
-	  firewall.
-
-	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
-	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
-	  whiteboard, file transfer, etc. For more information, please
-	  visit http://nath323.sourceforge.net/.
-
-config ADK_KPACKAGE_KMOD_IP_NF_SIP
-	tristate 'SIP protocol support (EXPERIMENTAL)'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
-	help
-	  SIP is an application-layer control protocol that can establish,
-	  modify, and terminate multimedia sessions (conferences) such as
-	  Internet telephony calls. With the ip_conntrack_sip and
-	  the ip_nat_sip modules you can support the protocol on a connection
-	  tracking/NATing firewall.
-
-
-config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
-	tristate 'IP tables support (required for filtering/masq/NAT)'
-	select ADK_KERNEL_NETFILTER_XTABLES
-	help
-	  iptables is a general, extensible packet identification framework.
-	  The packet filtering and full NAT (masquerading, port forwarding,
-	  etc) subsystems now use this: say `Y' or `M' here if you want to use
-	  either of those.
-
-config ADK_KPACKAGE_KMOD_IP_NF_FILTER
-	tristate 'Packet Filtering'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
-	help
-	  Packet filtering defines a table `filter', which has a series of
-	  rules for simple packet filtering at local input, forwarding and
-	  local output.  See the man page for iptables(8).
-
-config ADK_KPACKAGE_KMOD_NF_NAT
-	tristate 'Full NAT'
-	depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES
-	help
-	  The Full NAT option allows masquerading, port forwarding and other
-	  forms of full Network Address Port Translation.  It is controlled by
-	  the `nat' table in iptables: see the man page for iptables(8).
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE
-	tristate 'MASQUERADE target support'
-	depends on ADK_KPACKAGE_KMOD_NF_NAT
-	help
-	  Masquerading is a special case of NAT: all outgoing connections are
-	  changed to seem to come from a particular interface's address, and
-	  if the interface goes down, those connections are lost.  This is
-	  only useful for dialup accounts with dynamic IP address (ie. your IP
-	  address will be different on next dialup).
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT
-	tristate 'REJECT target support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
-	help
-	  The REJECT target allows a filtering rule to specify that an ICMP
-	  error should be issued in response to an incoming packet, rather
-	  than silently being dropped.
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG
-	tristate 'LOG target support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
-	help
-	  This option adds a `LOG' target, which allows you to create rules in
-	  any iptables table which records the packet header to the syslog.
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
-	tristate 'ULOG target support (ipv4 only)'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
-	help
-	  This option enables the old IPv4-only "ipt_ULOG" implementation
-	  which has been obsoleted by the new "nfnetlink_log" code (see
-	  CONFIG_NETFILTER_NETLINK_LOG).
-
-	  This option adds a `ULOG' target, which allows you to create rules in
-	  any iptables table. The packet is passed to a userspace logging
-	  daemon using netlink multicast sockets; unlike the LOG target
-	  which can only be viewed through syslog.
-
-	  The appropriate userspace logging daemon (ulogd) may be obtained from
-	  <http://www.gnumonks.org/projects/ulogd/>
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
-	tristate 'REDIRECT target support'
-	depends on ADK_KPACKAGE_KMOD_NF_NAT
-	help
-	  REDIRECT is a special case of NAT: all incoming connections are
-	  mapped onto the incoming interface's address, causing the packets to
-	  come to the local machine instead of passing through.  This is
-	  useful for transparent proxies.
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
-	tristate 'NETMAP target support'
-	depends on ADK_KPACKAGE_KMOD_NF_NAT
-	help
-	  NETMAP is an implementation of static 1:1 NAT mapping of network
-	  addresses. It maps the network address part, while keeping the host
-	  address part intact. It is similar to Fast NAT, except that
-	  Netfilter's connection tracking doesn't work well with Fast NAT.
-
-config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
-	tristate 'Packet mangling'
-	depends on ADK_KPACKAGE_KMOD_NF_NAT
-	help
-	  This option adds a `mangle' table to iptables: see the man page for
-	  iptables(8).  This table is used for various packet alterations
-	  which can effect how the packet is routed.
-
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
-	tristate 'ECN target support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE
-	help
-	  This option adds a `ECN' target, which can be used in the iptables mangle
-	  table.  
-
-	  You can use this target to remove the ECN bits from the IPv4 header of
-	  an IP packet.  This is particularly useful, if you need to work around
-	  existing ECN blackholes on the internet, but don't want to disable
-	  ECN support in general.
-
+menu "IPv6: Netfilter Configuration"
+	depends on ADK_ENABLE_IPV6
+source target/linux/config/Config.in.netfilter.ip6
 endmenu
 
 menu "Ethernet bridge firewalling"

+ 244 - 0
target/linux/config/Config.in.netfilter.ip4

@@ -0,0 +1,244 @@
+config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4
+	bool 'IPv4 connection tracking support (required for NAT)'
+	select ADK_KPACKAGE_KMOD_NF_CONNTRACK
+	help
+	  Connection tracking keeps a record of what packets have passed
+	  through your machine, in order to figure out how they are related
+	  into connections.
+
+config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT
+	bool 'Connection tracking flow accounting'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  If this option is enabled, the connection tracking code will
+	  keep per-flow packet and byte counters.
+
+	  Those counters can be used for flow-based accounting or the
+	  `connbytes' match.
+
+config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK
+	bool 'Connection mark tracking support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	select ADK_KERNEL_IP_NF_MATCH_CONNMARK
+	help
+	  This option enables support for connection marks, used by the
+	  `CONNMARK' target and `connmark' match. Similar to the mark value
+	  of packets, but this mark value is kept in the conntrack session
+	  instead of the individual packets.
+
+config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK
+	bool 'Connection tracking security mark support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	#FIXME select NETWORK_SECMARK
+	help
+	  This option enables security markings to be applied to
+	  connections.  Typically they are copied to connections from
+	  packets using the CONNSECMARK target and copied back from
+	  connections to packets with the same target, with the packets
+	  being originally labeled via SECMARK.
+
+config ADK_KPACKAGE_KMOD_IP_NF_FTP
+	tristate 'FTP protocol support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  Tracking FTP connections is problematic: special helpers are
+	  required for tracking them, and doing masquerading and other forms
+	  of Network Address Translation on them.
+
+config ADK_KPACKAGE_KMOD_IP_NF_IRC
+	tristate 'IRC protocol support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  There is a commonly-used extension to IRC called
+	  Direct Client-to-Client Protocol (DCC).  This enables users to send
+	  files to each other, and also chat to each other without the need
+	  of a server.  DCC Sending is used anywhere you send files over IRC,
+	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
+	  using NAT, this extension will enable you to send files and initiate
+	  chats.  Note that you do NOT need this extension to get files or
+	  have others initiate chats, or everything else in IRC.
+
+config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS
+	tristate 'NetBIOS name service protocol support (EXPERIMENTAL)'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  NetBIOS name service requests are sent as broadcast messages from an
+	  unprivileged port and responded to with unicast messages to the
+	  same port. This make them hard to firewall properly because connection
+	  tracking doesn't deal with broadcasts. This helper tracks locally
+	  originating NetBIOS name service requests and the corresponding
+	  responses. It relies on correct IP address configuration, specifically
+	  netmask and broadcast address. When properly configured, the output
+	  of "ip address show" should look similar to this:
+
+	  $ ip -4 address show eth0
+	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
+	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
+
+config ADK_KPACKAGE_KMOD_IP_NF_TFTP
+	tristate 'TFTP protocol support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  TFTP connection tracking helper, this is required depending
+	  on how restrictive your ruleset is.
+	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
+	  you will need this.
+
+config ADK_KPACKAGE_KMOD_IP_NF_AMANDA
+	tristate 'Amanda backup protocol support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	#FIXME TEXTSEARCH && TEXTSEARCH_KMP
+	help
+	  If you are running the Amanda backup package <http://www.amanda.org/>
+	  on this machine or machines that will be MASQUERADED through this
+	  machine, then you may want to enable this feature.  This allows the
+	  connection tracking and natting code to allow the sub-channels that
+	  Amanda requires for communication of the backup data, messages and
+	  index.
+
+config ADK_KPACKAGE_KMOD_IP_NF_PPTP
+	tristate 'PPTP protocol support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  This module adds support for PPTP (Point to Point Tunnelling
+	  Protocol, RFC2637) connection tracking and NAT. 
+	
+	  If you are running PPTP sessions over a stateful firewall or NAT
+	  box, you may want to enable this feature.  
+	
+	  Please note that not all PPTP modes of operation are supported yet.
+	  For more info, read top of the file
+	  net/ipv4/netfilter/ip_conntrack_pptp.c
+
+config ADK_KPACKAGE_KMOD_IP_NF_H323
+	tristate 'H.323 protocol support (EXPERIMENTAL)'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
+	  important VoIP protocols, it is widely used by voice hardware and
+	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
+	  Gnomemeeting, etc.
+
+	  With this module you can support H.323 on a connection tracking/NAT
+	  firewall.
+
+	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
+	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
+	  whiteboard, file transfer, etc. For more information, please
+	  visit http://nath323.sourceforge.net/.
+
+config ADK_KPACKAGE_KMOD_IP_NF_SIP
+	tristate 'SIP protocol support (EXPERIMENTAL)'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+	help
+	  SIP is an application-layer control protocol that can establish,
+	  modify, and terminate multimedia sessions (conferences) such as
+	  Internet telephony calls. With the ip_conntrack_sip and
+	  the ip_nat_sip modules you can support the protocol on a connection
+	  tracking/NATing firewall.
+
+
+config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
+	tristate 'IP tables support (required for filtering/masq/NAT)'
+	select ADK_KERNEL_NETFILTER_XTABLES
+	help
+	  iptables is a general, extensible packet identification framework.
+	  The packet filtering and full NAT (masquerading, port forwarding,
+	  etc) subsystems now use this: say `Y' or `M' here if you want to use
+	  either of those.
+
+config ADK_KPACKAGE_KMOD_IP_NF_FILTER
+	tristate 'Packet Filtering'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
+	help
+	  Packet filtering defines a table `filter', which has a series of
+	  rules for simple packet filtering at local input, forwarding and
+	  local output.  See the man page for iptables(8).
+
+config ADK_KPACKAGE_KMOD_NF_NAT
+	tristate 'Full NAT'
+	depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES
+	help
+	  The Full NAT option allows masquerading, port forwarding and other
+	  forms of full Network Address Port Translation.  It is controlled by
+	  the `nat' table in iptables: see the man page for iptables(8).
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE
+	tristate 'MASQUERADE target support'
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
+	help
+	  Masquerading is a special case of NAT: all outgoing connections are
+	  changed to seem to come from a particular interface's address, and
+	  if the interface goes down, those connections are lost.  This is
+	  only useful for dialup accounts with dynamic IP address (ie. your IP
+	  address will be different on next dialup).
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT
+	tristate 'REJECT target support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
+	help
+	  The REJECT target allows a filtering rule to specify that an ICMP
+	  error should be issued in response to an incoming packet, rather
+	  than silently being dropped.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG
+	tristate 'LOG target support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
+	help
+	  This option adds a `LOG' target, which allows you to create rules in
+	  any iptables table which records the packet header to the syslog.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
+	tristate 'ULOG target support (ipv4 only)'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
+	help
+	  This option enables the old IPv4-only "ipt_ULOG" implementation
+	  which has been obsoleted by the new "nfnetlink_log" code (see
+	  CONFIG_NETFILTER_NETLINK_LOG).
+
+	  This option adds a `ULOG' target, which allows you to create rules in
+	  any iptables table. The packet is passed to a userspace logging
+	  daemon using netlink multicast sockets; unlike the LOG target
+	  which can only be viewed through syslog.
+
+	  The appropriate userspace logging daemon (ulogd) may be obtained from
+	  <http://www.gnumonks.org/projects/ulogd/>
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
+	tristate 'REDIRECT target support'
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
+	help
+	  REDIRECT is a special case of NAT: all incoming connections are
+	  mapped onto the incoming interface's address, causing the packets to
+	  come to the local machine instead of passing through.  This is
+	  useful for transparent proxies.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
+	tristate 'NETMAP target support'
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
+	help
+	  NETMAP is an implementation of static 1:1 NAT mapping of network
+	  addresses. It maps the network address part, while keeping the host
+	  address part intact. It is similar to Fast NAT, except that
+	  Netfilter's connection tracking doesn't work well with Fast NAT.
+
+config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
+	tristate 'Packet mangling'
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
+	help
+	  This option adds a `mangle' table to iptables: see the man page for
+	  iptables(8).  This table is used for various packet alterations
+	  which can effect how the packet is routed.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
+	tristate 'ECN target support'
+	depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE
+	help
+	  This option adds a `ECN' target, which can be used in the iptables mangle
+	  table.  
+
+	  You can use this target to remove the ECN bits from the IPv4 header of
+	  an IP packet.  This is particularly useful, if you need to work around
+	  existing ECN blackholes on the internet, but don't want to disable
+	  ECN support in general.
+
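Review bot: `ADK_KPACKAGE_KMOD_NF_NAT` carries `depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES`, but the symbol this file defines is `ADK_KPACKAGE_KMOD_IP_NF_IPTABLES`. Unless the `NF_IP_` spelling is defined somewhere outside this commit, Full NAT and everything that depends on it (MASQUERADE, REDIRECT, NETMAP, the mangle table, ECN) can never be selected; the line should read `depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES`. The conntrack options and helpers (CT_ACCT through SIP) likewise depend on `ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK`, while the entry at the top of the file is named `ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4`; that dependency is not defined in the visible part of the commit and probably should be the new name. Kconfig normally treats an undefined symbol as `n` without complaint, so a firewall image would be built without these modules and the gap would only show when rules fail to load on the target.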

+ 131 - 0
target/linux/config/Config.in.netfilter.ip6

@@ -0,0 +1,131 @@
+config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV6
+	tristate "IPv6 connection tracking support"
+	select ADK_KPACKAGE_KMOD_NF_CONNTRACK
+	---help---
+	  Connection tracking keeps a record of what packets have passed
+	  through your machine, in order to figure out how they are related
+	  into connections.
+
+	  This is IPv6 support on Layer 3 independent connection tracking.
+	  Layer 3 independent connection tracking is experimental scheme
+	  which generalize ip_conntrack to support other layer 3 protocols.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
+	tristate "IP6 tables support (required for filtering)"
+	select ADK_KERNEL_NETFILTER_XTABLES
+	help
+	  ip6tables is a general, extensible packet identification framework.
+	  Currently only the packet filtering and packet mangling subsystem
+	  for IPv6 use this, but connection tracking is going to follow.
+	  Say 'Y' or 'M' here if you want to use either of those.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+if ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
+
+# The simple matches.
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_AH
+	tristate '"ah" match support'
+	help
+	  This module allows one to match AH packets.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_EUI64
+	tristate '"eui64" address check'
+	help
+	  This module performs checking on the IPv6 source address
+	  Compares the last 64 bits with the EUI64 (delivered
+	  from the MAC address) address
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_FRAG
+	tristate '"frag" Fragmentation header match support'
+	help
+	  frag matching allows you to match packets based on the fragmentation
+	  header of the packet.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_OPTS
+	tristate '"hbh" hop-by-hop and "dst" opts header match support'
+	help
+	  This allows one to match packets based on the hop-by-hop
+	  and destination options headers of a packet.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_IPV6HEADER
+	tristate '"ipv6header" IPv6 Extension Headers Match'
+	help
+	  This module allows one to match packets based upon
+	  the ipv6 extension headers.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_MH
+	tristate '"mh" match support'
+	help
+	  This module allows one to match MH packets.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MATCH_RT
+	tristate '"rt" Routing header match support'
+	help
+	  rt matching allows you to match packets based on the routing
+	  header of the packet.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+# The targets
+config ADK_KPACKAGE_KMOD_IP6_NF_TARGET_LOG
+	tristate "LOG target support"
+	help
+	  This option adds a `LOG' target, which allows you to create rules in
+	  any iptables table which records the packet header to the syslog.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_FILTER
+	tristate "Packet filtering"
+	help
+	  Packet filtering defines a table `filter', which has a series of
+	  rules for simple packet filtering at local input, forwarding and
+	  local output.  See the man page for iptables(8).
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_TARGET_REJECT
+	tristate "REJECT target support"
+	depends on ADK_KPACKAGE_KMOD_IP6_NF_FILTER
+	help
+	  The REJECT target allows a filtering rule to specify that an ICMPv6
+	  error should be issued in response to an incoming packet, rather
+	  than silently being dropped.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_MANGLE
+	tristate "Packet mangling"
+	help
+	  This option adds a `mangle' table to iptables: see the man page for
+	  iptables(8).  This table is used for various packet alterations
+	  which can effect how the packet is routed.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_IP6_NF_RAW
+	tristate  'raw table support (required for TRACE)'
+	help
+	  This option adds a `raw' table to ip6tables. This table is the very
+	  first in the netfilter framework and hooks in at the PREROUTING
+	  and OUTPUT chains.
+
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
+
+endif # ADK_KPACKAGE_KMOD_IP6_NF_IPTABLES
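Review bot: The help texts for `ADK_KPACKAGE_KMOD_IP6_NF_FILTER` and `ADK_KPACKAGE_KMOD_IP6_NF_MANGLE` still point at `iptables(8)` and "a `mangle' table to iptables", although these entries build the ip6tables tables. I would change both references to `ip6tables(8)` and add one sentence to the filter entry such as `IPv4 iptables rules do not apply to IPv6 traffic; without this table IPv6 packets are not filtered.`, since the new menu only depends on `ADK_ENABLE_IPV6` and nothing selects a filter table when IPv6 is enabled. The first entry uses `---help---` while the rest use `help`; one form throughout would be more consistent. The "If unsure, say N" and `Documentation/kbuild/modules.txt` sentences are copied from the kernel tree and refer to a file that is not part of this project, so they could be dropped.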

+ 6 - 2
toolchain/uClibc/Makefile

@@ -8,6 +8,10 @@ include ../rules.mk
 include Makefile.inc
 include ${TOPDIR}/mk/buildhlp.mk
 
+ifeq (${ADK_MAKE_PARALLEL},y)
+UCLIBC_MAKEOPTS+=	-j${ADK_MAKE_JOBS}
+endif
+
 $(WRKBUILD)/.headers:
 	$(SED) 's,^CROSS=.*,CROSS=$(TARGET_CROSS),g' $(WRKBUILD)/Rules.mak
 	sed -e 's^KERNEL_HEADERS.*$$KERNEL_HEADERS=\"${TOOLCHAIN_SYSROOT}/usr/include\"' \
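Review bot: `UCLIBC_MAKEOPTS+= -j${ADK_MAKE_JOBS}` expands to a bare `-j` when `ADK_MAKE_PARALLEL` is `y` but `ADK_MAKE_JOBS` is empty or unset, and GNU make reads a bare `-j` as "no limit on jobs". Whether the config guarantees a value is not visible here, so I would guard it, for example `UCLIBC_MAKEOPTS+= -j$(if $(strip ${ADK_MAKE_JOBS}),${ADK_MAKE_JOBS},1)`. The two later hunks pass `${UCLIBC_MAKEOPTS}` to `$(MAKE) -C $(WRKBUILD)` in the `.headers` and `.compiled` recipes, so both inherit the same value. A short comment above the `ifeq` saying that an explicit `-jN` on a sub-make takes it out of the parent's jobserver would also help the next reader.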
@@ -15,7 +19,7 @@ $(WRKBUILD)/.headers:
 ifneq ($(ADK_DEBUG),)
 	$(SED) 's,DOSTRIP,DODEBUG,' ${WRKBUILD}/.config
 endif
-	$(MAKE) -C $(WRKBUILD) \
+	$(MAKE) ${UCLIBC_MAKEOPTS} -C $(WRKBUILD) \
 		PREFIX=$(TOOLCHAIN_SYSROOT) \
 		DEVEL_PREFIX=/usr/ \
 		RUNTIME_PREFIX=$(TOOLCHAIN_SYSROOT) \
@@ -26,7 +30,7 @@ endif
 	touch $@
 
 $(WRKBUILD)/.compiled:
-	$(MAKE) -C $(WRKBUILD) \
+	$(MAKE) ${UCLIBC_MAKEOPTS} -C $(WRKBUILD) \
 		PREFIX= \
 		DEVEL_PREFIX=/ \
 		RUNTIME_PREFIX=/ \