HerrSpace/blog-luci-raw-diff.patch Secret

## blog-luci-raw-diff.patch
diff --git a/config/firewall b/config/firewall
index 7be01d2..c14a034 100644
--- a/config/firewall
+++ b/config/firewall
@@ -1,195 +1,139 @@
+
 config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT
-	option forward		REJECT
-# Uncomment this line to disable ipv6 rules
-#	option disable_ipv6	1
+	option syn_flood '1'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'REJECT'

 config zone
-	option name		lan
-	list   network		'lan'
-	option input		ACCEPT
-	option output		ACCEPT
-	option forward		ACCEPT
+	option name 'lan'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'ACCEPT'
+	option network 'lan'

 config zone
-	option name		wan
-	list   network		'wan'
-	list   network		'wan6'
-	option input		REJECT
-	option output		ACCEPT
-	option forward		REJECT
-	option masq		1
-	option mtu_fix		1
+	option name 'wan'
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+	option masq '1'
+	option mtu_fix '1'
+	option network 'wan wan6'

 config forwarding
-	option src		lan
-	option dest		wan
+	option src 'lan'
+	option dest 'wan'

-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
 config rule
-	option name		Allow-DHCP-Renew
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-	option family		ipv4
-
-# Allow IPv4 ping
+	option name 'Allow-DHCP-Renew'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '68'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
 config rule
-	option name		Allow-Ping
-	option src		wan
-	option proto		icmp
-	option icmp_type	echo-request
-	option family		ipv4
-	option target		ACCEPT
+	option name 'Allow-Ping'
+	option src 'wan'
+	option proto 'icmp'
+	option icmp_type 'echo-request'
+	option family 'ipv4'
+	option target 'ACCEPT'

 config rule
-	option name		Allow-IGMP
-	option src		wan
-	option proto		igmp
-	option family		ipv4
-	option target		ACCEPT
-
-# Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
+	option name 'Allow-IGMP'
+	option src 'wan'
+	option proto 'igmp'
+	option family 'ipv4'
+	option target 'ACCEPT'
+
 config rule
-	option name		Allow-DHCPv6
-	option src		wan
-	option proto		udp
-	option src_ip		fe80::/10
-	option src_port		547
-	option dest_ip		fe80::/10
-	option dest_port	546
-	option family		ipv6
-	option target		ACCEPT
+	option name 'Allow-DHCPv6'
+	option src 'wan'
+	option proto 'udp'
+	option src_ip 'fe80::/10'
+	option src_port '547'
+	option dest_ip 'fe80::/10'
+	option dest_port '546'
+	option family 'ipv6'
+	option target 'ACCEPT'

 config rule
-	option name		Allow-MLD
-	option src		wan
-	option proto		icmp
-	option src_ip		fe80::/10
-	list icmp_type		'130/0'
-	list icmp_type		'131/0'
-	list icmp_type		'132/0'
-	list icmp_type		'143/0'
-	option family		ipv6
-	option target		ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
+	option name 'Allow-MLD'
+	option src 'wan'
+	option proto 'icmp'
+	option src_ip 'fe80::/10'
+	list icmp_type '130/0'
+	list icmp_type '131/0'
+	list icmp_type '132/0'
+	list icmp_type '143/0'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
 config rule
-	option name		Allow-ICMPv6-Input
-	option src		wan
-	option proto	icmp
-	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	list icmp_type		router-solicitation
-	list icmp_type		neighbour-solicitation
-	list icmp_type		router-advertisement
-	list icmp_type		neighbour-advertisement
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
+	option name 'Allow-ICMPv6-Input'
+	option src 'wan'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	list icmp_type 'router-solicitation'
+	list icmp_type 'neighbour-solicitation'
+	list icmp_type 'router-advertisement'
+	list icmp_type 'neighbour-advertisement'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
 config rule
-	option name		Allow-ICMPv6-Forward
-	option src		wan
-	option dest		*
-	option proto		icmp
-	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
-
-# include a file with users custom iptables rules
+	option name 'Allow-ICMPv6-Forward'
+	option src 'wan'
+	option dest '*'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
 config include
-	option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option dest		wan
-#	option proto	tcp
-#	option target	REJECT
-
-# block a specific mac on wan
-#config rule
-#	option dest		wan
-#	option src_mac	00:11:22:33:44:66
-#	option target	REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-#	option src		lan
-#	option proto	ICMP
-#	option target	DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#	option src			wan
-#	option src_dport	80
-#	option dest			lan
-#	option dest_ip		192.168.16.235
-#	option dest_port	80
-#	option proto		tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-#	option src		wan
-#	option src_dport	22001
-#	option dest		lan
-#	option dest_port	22
-#	option proto		tcp
-
-# allow IPsec/ESP and ISAKMP passthrough
+	option path '/etc/firewall.user'
+
+config rule
+	option src 'wan'
+	option dest 'lan'
+	option proto 'esp'
+	option target 'ACCEPT'
+
 config rule
-	option src		wan
-	option dest		lan
-	option proto		esp
-	option target		ACCEPT
+	option src 'wan'
+	option dest 'lan'
+	option dest_port '500'
+	option proto 'udp'
+	option target 'ACCEPT'
+
+config zone
+	option name 'limited'
+	option input 'ACCEPT'
+	option forward 'REJECT'
+	option output 'ACCEPT'
+	option network 'limited_lan'

 config rule
-	option src		wan
-	option dest		lan
-	option dest_port	500
-	option proto		udp
-	option target		ACCEPT
-
-### FULL CONFIG SECTIONS
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port	80
-#	option dest		wan
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
-#	option target	REJECT
-
-#config redirect
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port		1024
-#	option src_dport	80
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
+	option target 'ACCEPT'
+	option src 'limited'
+	option dest 'wan'
+	option name 'berlin-ccc-dns'
+	option proto 'all'
+	option dest_ip '213.73.91.35'
+
diff --git a/config/network b/config/network
index e15871a..c9c5e4f 100644
--- a/config/network
+++ b/config/network
@@ -6,7 +6,7 @@ config interface 'loopback'
 	option netmask '255.0.0.0'

 config globals 'globals'
-	option ula_prefix 'fd45:46bf:26e1::/48'
+	option ula_prefix 'fd46:0848:2ff5::/48'

 config interface 'lan'
 	option ifname 'eth0.1'
@@ -29,14 +29,28 @@ config switch
 	option name 'switch0'
 	option reset '1'
 	option enable_vlan '1'
+	option mirror_source_port '0'
+	option mirror_monitor_port '0'
+	option enable_vlan4k '1'

 config switch_vlan
 	option device 'switch0'
 	option vlan '1'
-	option ports '1 2 3 4 5t'
+	option ports '1 2 3 5t'

 config switch_vlan
 	option device 'switch0'
 	option vlan '2'
 	option ports '0 5t'

+config switch_vlan
+	option device 'switch0'
+	option ports '4 5t'
+	option vlan '42'
+
+config interface 'limited_lan'
+	option proto 'static'
+	option ifname 'eth0.42'
+	option ipaddr '10.23.42.1'
+	option netmask '255.255.255.0'
+
	diff --git a/config/firewall b/config/firewall
	index 7be01d2..c14a034 100644
	--- a/config/firewall
	+++ b/config/firewall
	@@ -1,195 +1,139 @@
	+
	config defaults
	- option syn_flood 1
	- option input ACCEPT
	- option output ACCEPT
	- option forward REJECT
	-# Uncomment this line to disable ipv6 rules
	-# option disable_ipv6 1
	+ option syn_flood '1'
	+ option input 'ACCEPT'
	+ option output 'ACCEPT'
	+ option forward 'REJECT'

	config zone
	- option name lan
	- list network 'lan'
	- option input ACCEPT
	- option output ACCEPT
	- option forward ACCEPT
	+ option name 'lan'
	+ option input 'ACCEPT'
	+ option output 'ACCEPT'
	+ option forward 'ACCEPT'
	+ option network 'lan'

	config zone
	- option name wan
	- list network 'wan'
	- list network 'wan6'
	- option input REJECT
	- option output ACCEPT
	- option forward REJECT
	- option masq 1
	- option mtu_fix 1
	+ option name 'wan'
	+ option input 'REJECT'
	+ option output 'ACCEPT'
	+ option forward 'REJECT'
	+ option masq '1'
	+ option mtu_fix '1'
	+ option network 'wan wan6'

	config forwarding
	- option src lan
	- option dest wan
	+ option src 'lan'
	+ option dest 'wan'

	-# We need to accept udp packets on port 68,
	-# see https://dev.openwrt.org/ticket/4108
	config rule
	- option name Allow-DHCP-Renew
	- option src wan
	- option proto udp
	- option dest_port 68
	- option target ACCEPT
	- option family ipv4
	-
	-# Allow IPv4 ping
	+ option name 'Allow-DHCP-Renew'
	+ option src 'wan'
	+ option proto 'udp'
	+ option dest_port '68'
	+ option target 'ACCEPT'
	+ option family 'ipv4'
	+
	config rule
	- option name Allow-Ping
	- option src wan
	- option proto icmp
	- option icmp_type echo-request
	- option family ipv4
	- option target ACCEPT
	+ option name 'Allow-Ping'
	+ option src 'wan'
	+ option proto 'icmp'
	+ option icmp_type 'echo-request'
	+ option family 'ipv4'
	+ option target 'ACCEPT'

	config rule
	- option name Allow-IGMP
	- option src wan
	- option proto igmp
	- option family ipv4
	- option target ACCEPT
	-
	-# Allow DHCPv6 replies
	-# see https://dev.openwrt.org/ticket/10381
	+ option name 'Allow-IGMP'
	+ option src 'wan'
	+ option proto 'igmp'
	+ option family 'ipv4'
	+ option target 'ACCEPT'
	+
	config rule
	- option name Allow-DHCPv6
	- option src wan
	- option proto udp
	- option src_ip fe80::/10
	- option src_port 547
	- option dest_ip fe80::/10
	- option dest_port 546
	- option family ipv6
	- option target ACCEPT
	+ option name 'Allow-DHCPv6'
	+ option src 'wan'
	+ option proto 'udp'
	+ option src_ip 'fe80::/10'
	+ option src_port '547'
	+ option dest_ip 'fe80::/10'
	+ option dest_port '546'
	+ option family 'ipv6'
	+ option target 'ACCEPT'

	config rule
	- option name Allow-MLD
	- option src wan
	- option proto icmp
	- option src_ip fe80::/10
	- list icmp_type '130/0'
	- list icmp_type '131/0'
	- list icmp_type '132/0'
	- list icmp_type '143/0'
	- option family ipv6
	- option target ACCEPT
	-
	-# Allow essential incoming IPv6 ICMP traffic
	+ option name 'Allow-MLD'
	+ option src 'wan'
	+ option proto 'icmp'
	+ option src_ip 'fe80::/10'
	+ list icmp_type '130/0'
	+ list icmp_type '131/0'
	+ list icmp_type '132/0'
	+ list icmp_type '143/0'
	+ option family 'ipv6'
	+ option target 'ACCEPT'
	+
	config rule
	- option name Allow-ICMPv6-Input
	- option src wan
	- option proto icmp
	- list icmp_type echo-request
	- list icmp_type echo-reply
	- list icmp_type destination-unreachable
	- list icmp_type packet-too-big
	- list icmp_type time-exceeded
	- list icmp_type bad-header
	- list icmp_type unknown-header-type
	- list icmp_type router-solicitation
	- list icmp_type neighbour-solicitation
	- list icmp_type router-advertisement
	- list icmp_type neighbour-advertisement
	- option limit 1000/sec
	- option family ipv6
	- option target ACCEPT
	-
	-# Allow essential forwarded IPv6 ICMP traffic
	+ option name 'Allow-ICMPv6-Input'
	+ option src 'wan'
	+ option proto 'icmp'
	+ list icmp_type 'echo-request'
	+ list icmp_type 'echo-reply'
	+ list icmp_type 'destination-unreachable'
	+ list icmp_type 'packet-too-big'
	+ list icmp_type 'time-exceeded'
	+ list icmp_type 'bad-header'
	+ list icmp_type 'unknown-header-type'
	+ list icmp_type 'router-solicitation'
	+ list icmp_type 'neighbour-solicitation'
	+ list icmp_type 'router-advertisement'
	+ list icmp_type 'neighbour-advertisement'
	+ option limit '1000/sec'
	+ option family 'ipv6'
	+ option target 'ACCEPT'
	+
	config rule
	- option name Allow-ICMPv6-Forward
	- option src wan
	- option dest *
	- option proto icmp
	- list icmp_type echo-request
	- list icmp_type echo-reply
	- list icmp_type destination-unreachable
	- list icmp_type packet-too-big
	- list icmp_type time-exceeded
	- list icmp_type bad-header
	- list icmp_type unknown-header-type
	- option limit 1000/sec
	- option family ipv6
	- option target ACCEPT
	-
	-# include a file with users custom iptables rules
	+ option name 'Allow-ICMPv6-Forward'
	+ option src 'wan'
	+ option dest '*'
	+ option proto 'icmp'
	+ list icmp_type 'echo-request'
	+ list icmp_type 'echo-reply'
	+ list icmp_type 'destination-unreachable'
	+ list icmp_type 'packet-too-big'
	+ list icmp_type 'time-exceeded'
	+ list icmp_type 'bad-header'
	+ list icmp_type 'unknown-header-type'
	+ option limit '1000/sec'
	+ option family 'ipv6'
	+ option target 'ACCEPT'
	+
	config include
	- option path /etc/firewall.user
	-
	-
	-### EXAMPLE CONFIG SECTIONS
	-# do not allow a specific ip to access wan
	-#config rule
	-# option src lan
	-# option src_ip 192.168.45.2
	-# option dest wan
	-# option proto tcp
	-# option target REJECT
	-
	-# block a specific mac on wan
	-#config rule
	-# option dest wan
	-# option src_mac 00:11:22:33:44:66
	-# option target REJECT
	-
	-# block incoming ICMP traffic on a zone
	-#config rule
	-# option src lan
	-# option proto ICMP
	-# option target DROP
	-
	-# port redirect port coming in on wan to lan
	-#config redirect
	-# option src wan
	-# option src_dport 80
	-# option dest lan
	-# option dest_ip 192.168.16.235
	-# option dest_port 80
	-# option proto tcp
	-
	-# port redirect of remapped ssh port (22001) on wan
	-#config redirect
	-# option src wan
	-# option src_dport 22001
	-# option dest lan
	-# option dest_port 22
	-# option proto tcp
	-
	-# allow IPsec/ESP and ISAKMP passthrough
	+ option path '/etc/firewall.user'
	+
	+config rule
	+ option src 'wan'
	+ option dest 'lan'
	+ option proto 'esp'
	+ option target 'ACCEPT'
	+
	config rule
	- option src wan
	- option dest lan
	- option proto esp
	- option target ACCEPT
	+ option src 'wan'
	+ option dest 'lan'
	+ option dest_port '500'
	+ option proto 'udp'
	+ option target 'ACCEPT'
	+
	+config zone
	+ option name 'limited'
	+ option input 'ACCEPT'
	+ option forward 'REJECT'
	+ option output 'ACCEPT'
	+ option network 'limited_lan'

	config rule
	- option src wan
	- option dest lan
	- option dest_port 500
	- option proto udp
	- option target ACCEPT
	-
	-### FULL CONFIG SECTIONS
	-#config rule
	-# option src lan
	-# option src_ip 192.168.45.2
	-# option src_mac 00:11:22:33:44:55
	-# option src_port 80
	-# option dest wan
	-# option dest_ip 194.25.2.129
	-# option dest_port 120
	-# option proto tcp
	-# option target REJECT
	-
	-#config redirect
	-# option src lan
	-# option src_ip 192.168.45.2
	-# option src_mac 00:11:22:33:44:55
	-# option src_port 1024
	-# option src_dport 80
	-# option dest_ip 194.25.2.129
	-# option dest_port 120
	-# option proto tcp
	+ option target 'ACCEPT'
	+ option src 'limited'
	+ option dest 'wan'
	+ option name 'berlin-ccc-dns'
	+ option proto 'all'
	+ option dest_ip '213.73.91.35'
	+
	diff --git a/config/network b/config/network
	index e15871a..c9c5e4f 100644
	--- a/config/network
	+++ b/config/network
	@@ -6,7 +6,7 @@ config interface 'loopback'
	option netmask '255.0.0.0'

	config globals 'globals'
	- option ula_prefix 'fd45:46bf:26e1::/48'
	+ option ula_prefix 'fd46:0848:2ff5::/48'

	config interface 'lan'
	option ifname 'eth0.1'
	@@ -29,14 +29,28 @@ config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	+ option mirror_source_port '0'
	+ option mirror_monitor_port '0'
	+ option enable_vlan4k '1'

	config switch_vlan
	option device 'switch0'
	option vlan '1'
	- option ports '1 2 3 4 5t'
	+ option ports '1 2 3 5t'

	config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

	+config switch_vlan
	+ option device 'switch0'
	+ option ports '4 5t'
	+ option vlan '42'
	+
	+config interface 'limited_lan'
	+ option proto 'static'
	+ option ifname 'eth0.42'
	+ option ipaddr '10.23.42.1'
	+ option netmask '255.255.255.0'
	+