realtek: remove firewall and other core components? [Was: Re: [PATCH 1/2] realtek: Use firewall4]

Sander Vanheule sander at svanheule.net
Wed Mar 23 13:09:57 PDT 2022


Hi everyone,

On Thu, 2022-03-03 at 15:58 +0100, Petr Štetiar wrote:
> Daniel Golle <daniel at makrotopia.org> [2022-03-01 21:11:49]:
> 
> Hi,
> 
> > I fully agree, none of those packages make much sense on this class of
> > devices and all of them should be dropped from default installations.
> 
> I think that if you personally don't care about other valid use cases, you
> should at least try to consider current 21.02 users as some realtek targets
> are already supported and removing firewall package has security related
> implications.

Since 22.03 has now been branched, I think we should decide on where we want to go with
the default package selection for realtek (and other managed switches).

One extra argument in favour of keeping the firewall in the default config is that the
devices with more advanced stock FW also provide an ACL feature to filter out traffic
based on MAC, IP, ethernet frame contents, etc. However, this is offloaded to a hardware
engine in the switch, but I'm not up to date on how well this offloading currently works
(with nftables). So, providing a firewall would put OpenWrt on the same feature level as
more advanced vendor offerings.

> 
> > Obviously users may still install them if they really want their switch to
> > act as DHCP server and/or caching DNS resolver.
> 
> This topic is about firewall4, so are you suggesting to post-install firewall4
> package as well?

Dropping dnsmasq and odhcpd-ipv6only makes more sense to me, since these are not features
that are normally provided on a managed switch AFAIK.

Best,
Sander


