My patchset (NAT66, IPv6 PBR, PPTP client, etc.)


#1

Hi everyone,

I routinely maintain a number of patches to add features/fix issues in my routers, and thought maybe these patches could be useful to someone else. Please note that, as I run Kim’s wheezy-transit version exclusively, the patches are made for that version (and some of them, like the brctl path fix, don’t make sense elsewhere). The patches are available on my FTP, and each patch applies to the corresponding directory in build-iso/pkgs (because that’s the most convenient for my own use). Here’s what each patch provides, in alphabetical order:

iptables.patch:

  • Upgrade to 1.4.19.1 (required by the NAT66 patch below)

ndppd.patch:

  • Rebuild for VyOS. (This is software needed to do proxy NDP, the equivalent of proxy ARP for IPv6. The configuration templates are provided in the vyatta-cfg-quagga patch described below)

ppp.patch:

  • Add support for PPTP client interfaces
  • Enable IPv6 support

vyatta-cfg-firewall.patch:

  • Add support for PPTP client interfaces
  • Restore direction for policy route rulesets (this one warrants an explanation: the PBR setup in Vyatta works only for the INPUT chain, using the clamp-mss-to-mtu feature would then generate an error. This allows setting a policy route/mangle ruleset to the INPUT or OUTPUT chains)
  • Fix missing autogenerated chain for IPv6 policy routing.
  • Increase number of rules to 99999 for more comfortable edits. (I may be dense but I don’t see why they limited the rule numbering to 10000, especially considering there’s AFAIK no resequence command, I usually want to leave at least 100 free entries between each rule)
  • Fix ipset copy routine (workaround for ``hash is full’’ error). (This is a dirty kludge, basically the message pops up because something goes wrong with the ipset restore. Pruning all parameters from the ipset save-generated create command fixed the issue for me)

vyatta-cfg-op-pppoe.patch:

  • Add support for PPTP client interfaces (hrm. This one is a bit embarrassing. Back when I wrote that PPTP patch, I encountered issues with interface renames failing, and this was part of the fix. The thing is, for the life of me, I just can’t remember what the actual issue was. If anyone else tries the PPTP stuff and can confirm whether this is no longer needed, I would be quite happy)

vyatta-cfg-op-pptp-client.patch:

  • Rebuild for VyOS (this is the main PPTP client support patch. If you want to have a permanent connection to a PPTP VPN/modem from your VyOS router, this may be for you)
  • Integrate changes by the UBNT engineering team.
  • Remove connect-on-demand as it seems broken, reported by Stig Thormudsrud

vyatta-cfg-qos.patch:

  • Add support for PPTP client interfaces (yes, Vyatta routers use interface names in a lot of places, so adding another kind of interface results in being forced to rebuild a lot of packages, unfortunately)

vyatta-cfg-quagga.patch:

  • Add proxy NDP features (requires ndppd, mentioned above)
  • Do not allow invalid OSPFv3 areas (fixes an old Vyatta bug, Quagga only accepts dotted decimal OSPF3 areas)
  • Add support for PPTP client interfaces
  • Add kludge to setup IPv6 routes for policy routing.

vyatta-cfg-system.patch:

  • Remove requirement for listen-on, to work on dynamic interfaces (ppp+). (dnsmasq can be useful to serve names to RAVPN users, but for this it has to listen on any interfaces rather than a definite list)
  • Add advanced dnsmasq patch from Julian Pawlowski (this is an old third-party patch that was never picked up by Vyatta. It adds a number of features to the dnsmasq configuration templates, including all you need to create a local DNS zone and serve that to your client machines)
  • Fix handling of PTR records in the above patch.
  • Add support for PPTP client interfaces
  • Change location of brctl binary to match Debian Wheezy’s. (obviously, this is specific to wheezy-transit, don’t apply this to the versions based on squeeze)

vyatta-ipv6-rtradv.patch:

  • Add support for PPTP client interfaces

vyatta-keepalived.patch:

  • Don’t disable IPv6 support. (yes, it was actually explicitly disabled, which meant VRRPv6 didn’t work. Also fixes a dubious modprobe invocation)

vyatta-nat.patch:

  • Remove useless checks that make hairpin NAT rules harder to write. (this allows me to write only one rule to make hairpin work for each of my subnets)
  • Increase priority to start after network interfaces. (got errors when interfaces that weren’t created yet were referenced by NAT rules)
  • Add support for NAT66. (yes, I know it’s controversial, but it was useful for my specific use-case)

vyatta-op-firewall.patch:

  • Fix display for large packet counts

vyatta-op-qos.patch:

  • Add support for PPTP client interfaces

vyatta-op-quagga.patch:

  • Add support for IPv6 policy routing.

vyatta-quagga.patch:

  • Add policy routing support for IPv6. (which was in fact so trivial I was sure I had missed something but I use it and it seems to work)

vyatta-ravpn.patch:

  • Add IPv6 support for PPTP links (now if only PPP had a way to push routes to the clients sigh)
  • Add support for PPTP client interfaces
  • Apply patch for idle timeout and ESP lifetime options (not my work, just lifted it off someone else)

vyatta-vrrp.patch:

  • Fixes for native IPv6 by Stig Thormodsrud and Tomasz Wasniewski (even after the recent upload which enables v6, there are still a few remaining things to fix)

vyatta-wirelessmodem.patch:

  • Add support for PPTP client interfaces

Hope this is of interest to someone. BTW, if you see anything patently wrong in there, or have any suggestions, I would obviously be glad to hear from you :wink:


#2

Hi wsapplegate,

Looks cool! Could you please export those patches with “git format-patch” to preserve the original commit description and commiter email or fork the repos on github and make pull requests?
Also, combining several changes in one patch makes it harder to keep track of added features/fixes and rollback individual changes if any problems arise.


#3

OK, I have put up a new set, broken out by purpose (each directory in turn contains one or more component patches broken out by package, as I have no clue how to get git format-patch to output a patch spanning several submodules. Sorry about that).

You’re obviously right, I had been pretty lazy in the first place. Hope the new arrangement will be more suitable.


#4

Hello.
How to apply a patch file vyatta-cfg-op-pptp-client.patch on vyos 1.1.0