IPV6: V24-SP2 Eko Newd, Need Kernel 2.4.37 IPV6 Modules

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
flewid
DD-WRT Novice


Joined: 15 Nov 2009
Posts: 3

PostPosted: Sun Nov 15, 2009 9:05    Post subject: IPV6: V24-SP2 Eko Newd, Need Kernel 2.4.37 IPV6 Modules Reply with quote
Hello,

Been an avid reader for the past few days while struggling with this, haven't posted yet. So, hi!, and thanks for the great firmware, you've helped me reduce my network from 3 cisco appliances and a PBX to just 1 router and a usb harddrive - awesome!.

I've been struggling with getting IPV6 working for a week now and have come to the conclusion it is totally working, but I need to insert the kernel modules for NAT before it will "really work".

So, Does anyone have the modules, for IPV6 on this kernel?

I've tried all of the ones available in the openwrt repo's and none are compiled specifically for 2.4.37 only patch levels (.1,.2 etc). So, they fail to lose saying they are compiled for another kernel (I think I can force this somehow with insmod, but I don't think that's a very good idea).

I am so close to getting IPV6 working, all I need now is these modules. If there's a specific ip6tables for this kernel that'd be great too, but I've already gotten this working using an OPENWRT package.

I'd prefer not to have to reflash if I can avoid it as I have everything tweaked nicely and haven't had a chance to back it all up yet. Also don't really want to go about setting up a cross compiler environment since I figure a few of you guys already have this done and easy access to it.

Here's the setup info:


Router:
Asus WL-500W

Version:
DD-WRT v24-sp2 (09/30/09) big
(SVN revision 13000M NEWD Eko)

Kernel Version:
Linux thenerd 2.4.37 #4169 Wed Sep 30 10:23:24 CEST 2009 mips GNU/Linux

Modules Required:

ip6_queue.o
ip6_tables.o
ip6t_IMQ.o
ip6t_LOG.o
ip6t_REJECT.o
ip6t_eui64.o
ip6t_frag.o
ip6t_hbh.o
ip6t_ipv6header.o
ip6t_limit.o
ip6t_owner.o
ip6t_rt.o
ip6table_filter.o
ip6table_mangle.o

I just need the modules, but a proper .ipk would be cool too :)

Thanks in advance!
Sponsor
Masterman
DD-WRT Guru


Joined: 24 Aug 2009
Posts: 2070
Location: South Florida

PostPosted: Sun Nov 15, 2009 9:53    Post subject: Reply with quote
Look at Openwrt's kernel 2.6 firmware for that router. It will provide you with the necessary working drivers...

These newer routers have the capability for kernel 2.6, but the Dev's probably will not implement the builds due to fact that 90% of the users on here have older Linksys routers and other models that will not support 2.6..

From what I have hypothesized, they want a "universal" build library that works with most all routers..

_________________
Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
flewid
DD-WRT Novice


Joined: 15 Nov 2009
Posts: 3

PostPosted: Sun Nov 15, 2009 10:06    Post subject: Reply with quote
Masterman wrote:
Look at Openwrt's kernel 2.6 firmware for that router.


Hmm. I didn't really want to go to something without a GUI. I travel a lot and my roomate would be screwed if anything happened while I was away and I had to direct him through CLI commands :p

I just upgraded to the latest build of NEWD BIG but the modules still aren't in it, and the kernel is still at the same version so I can't just run with the modules from the openwrt repo :/
Masterman
DD-WRT Guru


Joined: 24 Aug 2009
Posts: 2070
Location: South Florida

PostPosted: Sun Nov 15, 2009 11:03    Post subject: Reply with quote
You can configure a GUI with Openwrt..it's a bitch though...

Better method:

http://www.dd-wrt.com/wiki/index.php/Development

_________________
Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
flewid
DD-WRT Novice


Joined: 15 Nov 2009
Posts: 3

PostPosted: Sun Nov 15, 2009 12:03    Post subject: Reply with quote
Masterman wrote:

Better method:

http://www.dd-wrt.com/wiki/index.php/Development


Cool, I have this setup already with ip6tables as an added package. I think it's broken though (read on..).

I've also tried forcing some modules for 2.4.37.5 that i found but I dont think they are working either.

Using the dev environment doesn't really give me what I need unless I go and build my own firmware - which I think is a little over kill? (judging from the instructions this seems super hard).

Basically I just need the modules package for ipv6, ip6tables, and ping6/tracert6 packages etc but built for 2.4.37 specifically. The closest I found in binary format was "kmod-ip6tables_2.4.37.5-1_brcm-2.4.ipk" but that doesn't work as it's .5 patchlevel.

I also notice that inserting the modules forcefully lets me run ip6tables, but then I get an error with it;

ip6tables v1.3.8: Unknown arg `--syn'

which then also gives me when removed

ip6tables v1.3.8: Couldn't load match `multiport':File not found


So I think some includes are messed up or something for the one I tried installing from openwrt - which isn't really a surprise, but I figured I should give it a shot anyway.

Is there a way to setup a super simple cross compiler environment so I can copy over this basic kernel config, add the IPV6 stuff I need along with ping6, tracert6, ip6tables et all and compile myself a firmware image? This still seems like a lot of work for probably 200k worth of binaries required.

I see there's lots of interest in ipv6, but not much in "how to make it work" properly amongst the various versions of dd-wrt so I suspect that it's pretty difficult to start creating your own firmware images - at least with what I expect from the community for this type of thing.
Diosbejgli
DD-WRT Novice


Joined: 23 Aug 2008
Posts: 30

PostPosted: Sat Mar 27, 2010 19:07    Post subject: Reply with quote
I'm also in need of an ip6_tables kernel module for version 2.4.37 (eko build 13577). I don't really want to download a complete SDK and source trees to compile just one module.

I found the following site: http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/packages/ but it only contains a module for kernel 2.4.35.4.
fastest963
DD-WRT Novice


Joined: 02 Mar 2008
Posts: 28

PostPosted: Mon Apr 05, 2010 0:20    Post subject: Reply with quote
Diosbejgli wrote:

I found the following site: http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/packages/ but it only contains a module for kernel 2.4.35.4.


Those modules have been tested and work fine on 2.4.37.
Diosbejgli
DD-WRT Novice


Joined: 23 Aug 2008
Posts: 30

PostPosted: Mon Apr 05, 2010 0:35    Post subject: Reply with quote
Thank you, I will check and test them.
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

PostPosted: Thu Jul 08, 2010 3:44    Post subject: Reply with quote
I'm using those modules but apparently nothing is getting filtered.

This should reject everything incomming to the LAN, right ?

ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -j REJECT --reject-with adm-prohibited


Because it is not rejecting anything Sad
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

PostPosted: Thu Jul 08, 2010 5:36    Post subject: Reply with quote
Ok... tried everything and it appears that the only way I can stop packets from going thru is to set de FORWARD policy to DROP or with a rule that drops everything comming in from ipv6.

Every time I try to use "-p tcp" it allows everything in.

Didn't try udp, but at least looks like "-p tcp" isn't filtering anything at all.

Any ideas?

Notes about my setup:
Quote:

DD-WRT v24-sp2 (06/09/10) std-nokaid-nohot-nostore
(SVN revision 14583M NEWD Eko)

ipkg stuff installed:

ip6tables_1.3.8-4.1_mipsel.ipk
kmod-ip6tables_2.4.35.4-brcm-2.4-1_mipsel.ipk
iputils-ping6_20071127-1_mipsel.ipk
iputils-traceroute6_20071127-1_mipsel.ipk
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

PostPosted: Sat Jul 10, 2010 8:31    Post subject: Reply with quote
I got it working!
Now it DOES filter the packets!
(tested from here http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php)

I compiled the modules from source for 2.4.37 and it works like a charm.
Didn't find the REJECT module but DROP works perfectly fine for me.

I compiled these modules:
ip6_queue.o
ip6table_filter.o
ip6table_mangle.o
ip6_tables.o
ip6t_ah.o
ip6t_dst.o
ip6t_esp.o
ip6t_eui64.o
ip6t_frag.o
ip6t_hbh.o
ip6t_hl.o
ip6t_IMQ.o
ip6t_ipv6header.o
ip6t_length.o
ip6t_limit.o
ip6t_LOG.o
ip6t_mac.o
ip6t_mark.o
ip6t_MARK.o
ip6t_multiport.o
ip6t_owner.o
ip6t_rt.o

and used the ip6tables_1.3.8-4.1_mipsel.ipk pakage from openwrt.

I'm attaching the compiled modules.

Enjoy a safer ipv6 experience!



kmod-ip6tables_2.4.37-brcm-2.4_mipsel.tar.gz
 Description:
ip6tables modules for 2.4.37

Download
 Filename:  kmod-ip6tables_2.4.37-brcm-2.4_mipsel.tar.gz
 Filesize:  31.42 KB
 Downloaded:  4559 Time(s)

fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

PostPosted: Sun Jul 11, 2010 7:01    Post subject: Reply with quote
It's been a day and it still works ok so I'll just share my setup.

DD-WRT v24-sp2 (06/09/10) std-nokaid-nohot-nostore
(SVN revision 14583M NEWD Eko) on a WRT54gL v1.0

Installed some ipkg packages:
ip6tables_1.3.8-4.1_mipsel.ipk
iputils-ping6_20071127-1_mipsel.ipk
iputils-traceroute6_20071127-1_mipsel.ipk

and my own ip6tables modules compiled from source.

I have a script (ip6t.sh) that is called by the other scripts to setup same common variables.
Some stuff isn't really needed but I was testing different modules versions and it was easier this way:

ip6t.sh:
Code:
#!/bin/sh
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
export IP6VER=2.4.37


Then I have 2 scripts that are called from rc_startup and rc_firewall and since I'm a bit paranoid the startup script actually calls the firewall script before enabling the ipv6 forwarding.
The "for" loop in the startup script loads all ip6tables modules. Most are probably not needed but since I'm not sure which ones I'm loading all of them:

ipv6_startup.sh:
Code:
#!/bin/sh

insmod ipv6
. /jffs/ip6t.sh

for i in `ls -1 /jffs/lib/modules/$IP6VER`
do
insmod /jffs/lib/modules/$IP6VER/$i
done

ip tunnel add he-ipv6 mode sit remote xxx.xxx.xxx.xxx local yyy.yyy.yyy.yyy ttl 64
ip link set he-ipv6 up
ip addr add 2001:470:zzzz:zzz::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip addr add 2001:470:wwww:www:200:00ff:fe00:0000/64 dev br0
/jffs/ipv6_firewall.sh
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
radvd -C /jffs/radvd.conf


The firewall script allows some ports I use for torrent and other stuff and then drop everything else:

ipv6_firewall.sh:
Code:
#!/bin/sh

. /jffs/ip6t.sh
# insmod already performed on startup
ip6tables -F
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -m multiport --dports aaaa,bbbb -j ACCEPT
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -j DROP
ip6tables -A FORWARD -p udp -i he-ipv6 -m multiport --dports aaaa,bbbb,domain,ntp -j ACCEPT
ip6tables -A FORWARD -p udp -i he-ipv6 -j DROP


and I almost forgot about the radvd.conf file:
Code:
interface br0 {
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvSendAdvert on;
        prefix 2001:470:wwww:www::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
};


and that's it. Even my cell phones can use ipv6 now Smile
surdules
DD-WRT Novice


Joined: 27 Feb 2008
Posts: 6

PostPosted: Thu Aug 19, 2010 20:49    Post subject: Reply with quote
OpenWRT has a newer version of {ip6tables, ping6, traceroute6}, in Backfire 10.03, at http://downloads.openwrt.org/backfire/10.03/brcm-2.4/packages/

kmod-ip6tables_2.4.37.9-1_brcm-2.4.ipk 06-Apr-2010 13:52 27904
ip6tables_1.4.6-2_brcm-2.4.ipk 01-Apr-2010 05:20 40390
iputils-ping6_20071127-1_brcm-2.4.ipk 24-Mar-2010 02:33 17900
iputils-traceroute6_20071127-1_brcm-2.4.ipk 24-Mar-2010 02:33 9508

Has anyone tried the latest kmod package? It targets kernel 2.4.37 (which is the same as the one in the EKO build), although it's at a different patch level (.9). The ip6table/iputils are newer too.

How much does the patch level matter?
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

PostPosted: Sun Aug 22, 2010 0:15    Post subject: Reply with quote
I've downloaded them and this is what I found.

I think ping6 and traceroute6 are the same versions that were available before.

ip6tables package is newer but has a lot less libs... maybe the others ain't needed but I'll keep using the old package.

kmod-ip6tables doesn't have all the modules I compiled so I'll keep using mine :)

These are the modules included on the new kmod-ip6tables OpenWRT package:

Code:
ip6t_LOG.o
ip6t_rt.o
ip6table_raw.o
ip6table_mangle.o
ip6t_hbh.o
ip6_tables.o
ip6t_IMQ.o
ip6table_filter.o
ip6t_ipv6header.o
ip6t_REJECT.o
ip6_queue.o
ip6t_eui64.o
ip6t_frag.o
ip6t_owner.o
ip6t_limit.o
surdules
DD-WRT Novice


Joined: 27 Feb 2008
Posts: 6

PostPosted: Mon Aug 23, 2010 17:14    Post subject: Reply with quote
I looked at the file history for the ipv6 kernel module (at http://www.linuxhq.com/kernel/file/net/ipv6/netfilter/index.html) and here's what I found:

1. The following modules appear to have been deleted in the newest version (the file pointers are there, but the latest diff deletes the contents):

ip6t_dst.o
ip6t_esp.o
ip6t_hl.o
ip6t_length.o
ip6t_mac.o
ip6t_mark.o
ip6t_MARK.o
ip6t_multiport.o

2. The following modules only appear in the new version of the package:

ip6table_raw.o - A port of the IPv4 raw table to IPv6
ip6t_REJECT.o - Packet rejection target for IPv6

3. The following module still exists in both the old and the new version, but is not compiled and included by default in the new version:

ip6t_ah.o - IPv6 IPsec-AH match

My impression is that the newest version of the IPV6 code underwent some big refactoring and the contents of many files were deleted and probably integrated in other files (along with bug fixes, maybe?)

I'm going to install the newest version of these packages sometime this week and write back on this thread with my findings.
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum