From: Toke Høiland-Jørgensen
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] BCP38 implementation
Date: Thu, 20 Mar 2014 14:07:45 +0100
Message-ID: <87ior9ow66.fsf@toke.dk>
In-Reply-To: <87pplh9q09.fsf@toke.dk>
References: <87txataord.fsf@toke.dk> <87pplh9q09.fsf@toke.dk>

So, another new version that should now be relatively feature-complete.
It should be possible to just install these two packages:

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-9-tohojo/packages/bcp38_4-1_ar71xx.ipk
http://archive.tohojo.dk/cerowrt/wndr/3.10.32-9-tohojo/packages/luci-app-bcp38_2-1_all.ipk

and have everything enabled and working.

This version does away with the firewall rules in the config (so no need
to add them; if they exist it shouldn't hurt, I think, but might as well
just remove them) in favour of inserting a whole separate iptables chain
to do the matching on.

There's now also an auto-detection feature for the upstream network,
which should automatically whitelist it when the rules are set up. It
does this by looking at the routing table for the upstream interface,
and testing all 'scope link' routes against the configured ipset, adding
exceptions if they match. There's a config toggle to turn off this
behaviour, and manual exceptions can be added instead of (or in addition
to) the auto-detection.

Since this detection is done at every run time, it should also include
hotplugging; the firewall is reloaded every time an interface is
hotplugged, which also reloads the bcp38 configuration and re-does the
auto-detection.

Testing is very much appreciated; until some of you tell me different, I
believe this version is suitable for inclusion in cerowrt. At least all
the issues on my own previous lists have been fixed AFAIK. :)

-Toke
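
The upstream auto-detection described in this message, sketched as an added Python example (not the bcp38 package's own code, and not written by the message's author). It parses constructed IPv4 `ip route` output and models "matching the configured ipset" as prefix overlap with a hypothetical block list; the addresses, the block list and all function names are assumptions.

```python
import ipaddress

# Constructed sample of `ip -4 route show dev <upstream>` output; all
# addresses here are made up for the example.
SAMPLE_ROUTES = """\
default via 192.168.1.1 proto static
192.168.1.0/24 proto kernel scope link src 192.168.1.50
203.0.113.0/24 proto kernel scope link src 203.0.113.7
10.8.0.1 scope link
172.16.0.0/12 via 192.168.1.1
"""

# Hypothetical block set contents (assumption: private and link-local ranges).
BLOCKED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def scope_link_prefixes(route_text):
    """Yield the destination of every 'scope link' (directly attached) route."""
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        if ("scope", "link") in zip(fields, fields[1:]):
            # A bare address such as 10.8.0.1 becomes a /32 host prefix.
            yield ipaddress.ip_network(fields[0], strict=False)


def detect_exceptions(route_text, blocked=BLOCKED):
    """Return attached prefixes that overlap the block set, in route order."""
    blocked_nets = [ipaddress.ip_network(b) for b in blocked]
    found = []
    for net in scope_link_prefixes(route_text):
        if net not in found and any(net.overlaps(b) for b in blocked_nets):
            found.append(net)
    return [str(n) for n in found]


def build_exceptions(route_text, auto_detect=True, manual=()):
    """Combine manual exceptions with auto-detected ones (toggle-able)."""
    result = list(manual)
    if auto_detect:
        result += [n for n in detect_exceptions(route_text) if n not in result]
    return result


if __name__ == "__main__":
    # Re-running on fresh route output models the reload after a hotplug event.
    print(build_exceptions(SAMPLE_ROUTES))
```

Routes via a gateway (the `172.16.0.0/12 via ...` line) are deliberately not excepted: only directly attached prefixes are treated as the upstream network, so private source addresses from anywhere else still hit the block set.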