From 0b4340b5a6edce137433c794370e1509c4244c0c Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Fri, 13 Apr 2018 12:09:40 +0200
Subject: [PATCH] Backport patches for improved sysctl handling
---
...e-etc-uci-defaults-11_migrate-sysctl.patch | 31 ++++
...-etc-sysctl.d-before-etc-sysctl.conf.patch | 35 ++++
...ults-to-etc-sysctl.d-10-default.conf.patch | 89 +++++++++
...l-defaults-to-specific-kmod-packages.patch | 98 ++++++++++
...s-remove-etc-sysctl.d-from-conffiles.patch | 32 ++++
...-kernel-disable-accept_ra-by-default.patch | 170 ++++++++++++++++++
6 files changed, 455 insertions(+)
create mode 100644 patches/lede/0068-base-files-remove-etc-uci-defaults-11_migrate-sysctl.patch
create mode 100644 patches/lede/0069-base-files-evaluate-etc-sysctl.d-before-etc-sysctl.conf.patch
create mode 100644 patches/lede/0070-base-files-move-sysctl-defaults-to-etc-sysctl.d-10-default.conf.patch
create mode 100644 patches/lede/0071-base-files-move-netfilter-sysctl-defaults-to-specific-kmod-packages.patch
create mode 100644 patches/lede/0072-base-files-remove-etc-sysctl.d-from-conffiles.patch
create mode 100644 patches/lede/0073-kernel-disable-accept_ra-by-default.patch
diff --git a/patches/lede/0068-base-files-remove-etc-uci-defaults-11_migrate-sysctl.patch b/patches/lede/0068-base-files-remove-etc-uci-defaults-11_migrate-sysctl.patch
new file mode 100644
index 00000000..404f24ee
--- /dev/null
+++ b/patches/lede/0068-base-files-remove-etc-uci-defaults-11_migrate-sysctl.patch
@@ -0,0 +1,31 @@
+From: Matthias Schiffer
+Date: Thu, 12 Apr 2018 17:30:16 +0200
+Subject: base-files: remove /etc/uci-defaults/11_migrate-sysctl
+
+11_migrate-sysctl has not been updated with new file hashes since 2012.
+Let's get rid of it.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/base-files/files/etc/uci-defaults/11_migrate-sysctl b/package/base-files/files/etc/uci-defaults/11_migrate-sysctl
+deleted file mode 100644
+index 464e275779ceec1d99a7323b6cbf7901aaa9fbb4..0000000000000000000000000000000000000000
+--- a/package/base-files/files/etc/uci-defaults/11_migrate-sysctl
++++ /dev/null
+@@ -1,16 +0,0 @@
+-#!/bin/sh
+-
+-if [ ! -f "/rom/etc/sysctl.conf" ] || cmp -s "/rom/etc/sysctl.conf" "/etc/sysctl.conf"; then
+- exit 0
+-fi
+-
+-fingerprint="$(md5sum /etc/sysctl.conf)"
+-fingerprint="${fingerprint%% *}"
+-
+-if [ "$fingerprint" = "1b05ebb41f72cb84e5510573cd4aca26" ] || \
+- [ "$fingerprint" = "62deb895be1a7f496040187b7c930e4e" ]; then
+- logger -t migrate-sysctl "Updating sysctl.conf to use current defaults"
+- cp "/rom/etc/sysctl.conf" "/etc/sysctl.conf"
+-fi
+-
+-exit 0
diff --git a/patches/lede/0069-base-files-evaluate-etc-sysctl.d-before-etc-sysctl.conf.patch b/patches/lede/0069-base-files-evaluate-etc-sysctl.d-before-etc-sysctl.conf.patch
new file mode 100644
index 00000000..54fd291f
--- /dev/null
+++ b/patches/lede/0069-base-files-evaluate-etc-sysctl.d-before-etc-sysctl.conf.patch
@@ -0,0 +1,35 @@
+From: Matthias Schiffer
+Date: Thu, 12 Apr 2018 17:33:51 +0200
+Subject: base-files: evaluate /etc/sysctl.d/* before /etc/sysctl.conf
+
+We can use /etc/sysctl.d/* for package-supplied sysctl snippets, giving
+admins the option to use /etc/sysctl.conf to override settings.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/base-files/files/etc/hotplug.d/net/00-sysctl b/package/base-files/files/etc/hotplug.d/net/00-sysctl
+index 7a71652c44f8bd1fb9f2e5643e7baa5d5d76c369..8abe7f8bbd698dc58716b770fe8bc7f8bd475b58 100644
+--- a/package/base-files/files/etc/hotplug.d/net/00-sysctl
++++ b/package/base-files/files/etc/hotplug.d/net/00-sysctl
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+
+ if [ "$ACTION" = add ]; then
+- for CONF in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
++ for CONF in /etc/sysctl.d/*.conf /etc/sysctl.conf; do
+ [ ! -f "$CONF" ] && continue;
+ sed -ne "/^[[:space:]]*net\..*\.$DEVICENAME\./p" "$CONF" | \
+ sysctl -e -p - | logger -t sysctl
+diff --git a/package/base-files/files/etc/init.d/sysctl b/package/base-files/files/etc/init.d/sysctl
+index 65e6aa99250d09a3ccd9d023cb8f8205be86eee8..8722126a6612d67a3f615166a7fbec146207e97f 100755
+--- a/package/base-files/files/etc/init.d/sysctl
++++ b/package/base-files/files/etc/init.d/sysctl
+@@ -30,7 +30,7 @@ apply_defaults() {
+
+ start() {
+ apply_defaults
+- for CONF in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
++ for CONF in /etc/sysctl.d/*.conf /etc/sysctl.conf; do
+ [ -f "$CONF" ] && sysctl -p "$CONF" -e >&-
+ done
+ }
diff --git a/patches/lede/0070-base-files-move-sysctl-defaults-to-etc-sysctl.d-10-default.conf.patch b/patches/lede/0070-base-files-move-sysctl-defaults-to-etc-sysctl.d-10-default.conf.patch
new file mode 100644
index 00000000..545528cb
--- /dev/null
+++ b/patches/lede/0070-base-files-move-sysctl-defaults-to-etc-sysctl.d-10-default.conf.patch
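Review bot: The precedence this reordering establishes — package snippets in `/etc/sysctl.d/*.conf` first, then `/etc/sysctl.conf` so the admin's file wins — is stated only in the commit message; in both `00-sysctl` and `init.d/sysctl` the `for CONF in` line now reads as an arbitrary file list and is one tidy-up away from being swapped back. A comment above each loop would pin it, e.g. `# /etc/sysctl.d/*.conf (package defaults, applied in glob order) first, /etc/sysctl.conf last so admin settings override`. Glob order also means the numeric prefix of a snippet decides precedence between packages, which is worth saying in the same comment. The `start()` function and the hotplug `if` block both continue past the hunk.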
@@ -0,0 +1,89 @@
+From: Matthias Schiffer
+Date: Thu, 12 Apr 2018 17:37:29 +0200
+Subject: base-files: move sysctl defaults to /etc/sysctl.d/10-default.conf
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf
+index 91a3ac9a02d4344cf8c4c8f93a36193120fc4b95..ae04212f420b185ce525dae444b563128ddf0e11 100644
+--- a/package/base-files/files/etc/sysctl.conf
++++ b/package/base-files/files/etc/sysctl.conf
+@@ -1,30 +1 @@
+-kernel.panic=3
+-kernel.core_pattern=/tmp/%e.%t.%p.%s.core
+-
+-net.ipv4.conf.default.arp_ignore=1
+-net.ipv4.conf.all.arp_ignore=1
+-net.ipv4.ip_forward=1
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-net.ipv4.igmp_max_memberships=100
+-net.ipv4.tcp_fin_timeout=30
+-net.ipv4.tcp_keepalive_time=120
+-net.ipv4.tcp_syncookies=1
+-net.ipv4.tcp_timestamps=1
+-net.ipv4.tcp_sack=1
+-net.ipv4.tcp_dsack=1
+-
+-net.ipv6.conf.default.forwarding=1
+-net.ipv6.conf.all.forwarding=1
+-
+-net.netfilter.nf_conntrack_acct=1
+-net.netfilter.nf_conntrack_checksum=0
+-net.netfilter.nf_conntrack_max=16384
+-net.netfilter.nf_conntrack_tcp_timeout_established=7440
+-net.netfilter.nf_conntrack_udp_timeout=60
+-net.netfilter.nf_conntrack_udp_timeout_stream=180
+-
+-# disable bridge firewalling by default
+-net.bridge.bridge-nf-call-arptables=0
+-net.bridge.bridge-nf-call-ip6tables=0
+-net.bridge.bridge-nf-call-iptables=0
++# Defaults are configured in /etc/sysctl.d/* and can be customized in this file
+diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf b/package/base-files/files/etc/sysctl.d/10-default.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..7c3344dba339514c023c3b13c592e9ce9ca1ff55
+--- /dev/null
++++ b/package/base-files/files/etc/sysctl.d/10-default.conf
+@@ -0,0 +1,34 @@
++# Do not edit, changes to this file will be lost on upgrades
++# /etc/sysctl.conf can be used to customize sysctl settings
++
++kernel.panic=3
++kernel.core_pattern=/tmp/%e.%t.%p.%s.core
++fs.suid_dumpable=2
++
++net.ipv4.conf.default.arp_ignore=1
++net.ipv4.conf.all.arp_ignore=1
++net.ipv4.ip_forward=1
++net.ipv4.icmp_echo_ignore_broadcasts=1
++net.ipv4.icmp_ignore_bogus_error_responses=1
++net.ipv4.igmp_max_memberships=100
++net.ipv4.tcp_fin_timeout=30
++net.ipv4.tcp_keepalive_time=120
++net.ipv4.tcp_syncookies=1
++net.ipv4.tcp_timestamps=1
++net.ipv4.tcp_sack=1
++net.ipv4.tcp_dsack=1
++
++net.ipv6.conf.default.forwarding=1
++net.ipv6.conf.all.forwarding=1
++
++net.netfilter.nf_conntrack_acct=1
++net.netfilter.nf_conntrack_checksum=0
++net.netfilter.nf_conntrack_max=16384
++net.netfilter.nf_conntrack_tcp_timeout_established=7440
++net.netfilter.nf_conntrack_udp_timeout=60
++net.netfilter.nf_conntrack_udp_timeout_stream=180
++
++# disable bridge firewalling by default
++net.bridge.bridge-nf-call-arptables=0
++net.bridge.bridge-nf-call-ip6tables=0
++net.bridge.bridge-nf-call-iptables=0
+diff --git a/package/base-files/files/etc/sysctl.d/local.conf b/package/base-files/files/etc/sysctl.d/local.conf
+deleted file mode 100644
+index 891da73df8d61e0c47069d4c6c8cc090f693c0b2..0000000000000000000000000000000000000000
+--- a/package/base-files/files/etc/sysctl.d/local.conf
++++ /dev/null
+@@ -1 +0,0 @@
+-# local sysctl settings can be stored in this directory
diff --git a/patches/lede/0071-base-files-move-netfilter-sysctl-defaults-to-specific-kmod-packages.patch b/patches/lede/0071-base-files-move-netfilter-sysctl-defaults-to-specific-kmod-packages.patch
new file mode 100644
index 00000000..d75be503
--- /dev/null
+++ b/patches/lede/0071-base-files-move-netfilter-sysctl-defaults-to-specific-kmod-packages.patch
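Review bot: `fs.suid_dumpable=2` in the new 10-default.conf is not part of the move — it is absent from the 30 lines removed from /etc/sysctl.conf — and it is a security-relevant default that the commit message ("move sysctl defaults") does not mention. Mode 2 makes processes that changed privileges (setuid binaries, daemons that dropped root) core-dumpable, so together with `kernel.core_pattern=/tmp/%e.%t.%p.%s.core` a crash of such a process writes its memory image, which may hold keys or credentials, under /tmp; the kernel should create those dumps root-owned and mode 0600, which limits but does not remove the exposure, and is worth confirming for the 3.18/4.4 kernels this tree ships. It belongs in its own commit with a rationale, or at least behind a comment in the file, e.g. `# 2 = also dump processes that changed privileges (root-only files under core_pattern); set to 0 to disable`.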
@@ -0,0 +1,98 @@
+From: Matthias Schiffer
+Date: Thu, 12 Apr 2018 17:57:44 +0200
+Subject: base-files: move netfilter sysctl defaults to specific kmod packages
+
+Avoid warnings when applying settings for uninstalled kmods. See also
+FS#1073.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/base-files/Makefile b/package/base-files/Makefile
+index 685e3c4061528e2b28054cce53258889b48c05b2..6ae4b9262e369f5e93f59133d1c0b61a0d6c2224 100644
+--- a/package/base-files/Makefile
++++ b/package/base-files/Makefile
+@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
+ include $(INCLUDE_DIR)/version.mk
+
+ PKG_NAME:=base-files
+-PKG_RELEASE:=173.5
++PKG_RELEASE:=173.5.1
+ PKG_FLAGS:=nonshared
+
+ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
+diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf b/package/base-files/files/etc/sysctl.d/10-default.conf
+index 7c3344dba339514c023c3b13c592e9ce9ca1ff55..98867b7c7ba1d1ce181f721cdfd17517069fcdf2 100644
+--- a/package/base-files/files/etc/sysctl.d/10-default.conf
++++ b/package/base-files/files/etc/sysctl.d/10-default.conf
+@@ -20,15 +20,3 @@ net.ipv4.tcp_dsack=1
+
+ net.ipv6.conf.default.forwarding=1
+ net.ipv6.conf.all.forwarding=1
+-
+-net.netfilter.nf_conntrack_acct=1
+-net.netfilter.nf_conntrack_checksum=0
+-net.netfilter.nf_conntrack_max=16384
+-net.netfilter.nf_conntrack_tcp_timeout_established=7440
+-net.netfilter.nf_conntrack_udp_timeout=60
+-net.netfilter.nf_conntrack_udp_timeout_stream=180
+-
+-# disable bridge firewalling by default
+-net.bridge.bridge-nf-call-arptables=0
+-net.bridge.bridge-nf-call-ip6tables=0
+-net.bridge.bridge-nf-call-iptables=0
+diff --git a/package/kernel/linux/files/sysctl-br-netfilter.conf b/package/kernel/linux/files/sysctl-br-netfilter.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..b10ddc0874b6d393458e646e396716bd67b6b381
+--- /dev/null
++++ b/package/kernel/linux/files/sysctl-br-netfilter.conf
+@@ -0,0 +1,7 @@
++# Do not edit, changes to this file will be lost on upgrades
++# /etc/sysctl.conf can be used to customize sysctl settings
++
++# disable bridge firewalling by default
++net.bridge.bridge-nf-call-arptables=0
++net.bridge.bridge-nf-call-ip6tables=0
++net.bridge.bridge-nf-call-iptables=0
+diff --git a/package/kernel/linux/files/sysctl-nf-conntrack.conf b/package/kernel/linux/files/sysctl-nf-conntrack.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..37baf5fd6ff9d99d37554f5e38bf1d749a7f21e2
+--- /dev/null
++++ b/package/kernel/linux/files/sysctl-nf-conntrack.conf
+@@ -0,0 +1,9 @@
++# Do not edit, changes to this file will be lost on upgrades
++# /etc/sysctl.conf can be used to customize sysctl settings
++
++net.netfilter.nf_conntrack_acct=1
++net.netfilter.nf_conntrack_checksum=0
++net.netfilter.nf_conntrack_max=16384
++net.netfilter.nf_conntrack_tcp_timeout_established=7440
++net.netfilter.nf_conntrack_udp_timeout=60
++net.netfilter.nf_conntrack_udp_timeout_stream=180
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 3b26ad1fbf3e261d84ae18216c51c87c53579c06..bb882363f3df4df733424ca6bba72badc96f06f8 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -74,6 +74,11 @@ define KernelPackage/nf-conntrack
+ AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m)))
+ endef
+
++define KernelPackage/nf-conntrack/install
++ $(INSTALL_DIR) $(1)/etc/sysctl.d
++ $(INSTALL_DATA) ./files/sysctl-nf-conntrack.conf $(1)/etc/sysctl.d/11-nf-conntrack.conf
++endef
++
+ $(eval $(call KernelPackage,nf-conntrack))
+
+
+@@ -674,6 +679,11 @@ define KernelPackage/br-netfilter
+ AUTOLOAD:=$(call AutoProbe,br_netfilter)
+ endef
+
++define KernelPackage/br-netfilter/install
++ $(INSTALL_DIR) $(1)/etc/sysctl.d
++ $(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
++endef
++
+ $(eval $(call KernelPackage,br-netfilter))
+
+
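Review bot: The two new snippets are installed under names that differ from their source files (`sysctl-nf-conntrack.conf` becomes `/etc/sysctl.d/11-nf-conntrack.conf`, `sysctl-br-netfilter.conf` becomes `/etc/sysctl.d/11-br-netfilter.conf`), and the copied "Do not edit" header does not say which package owns them, so an admin who finds the file on a device cannot trace it back without grepping the tree. A header line such as `# Installed by kmod-nf-conntrack; /etc/sysctl.conf is applied later and overrides these values` in each file would fix that. The `net.netfilter.*` and `net.bridge.*` keys only exist while the respective module is loaded, and the `sysctl -e` in init.d/sysctl silences the error when they are not; if module autoloading runs before the sysctl init script, as the AUTOLOAD lines suggest, that is fine, but the header could state that dependency too.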
diff --git a/patches/lede/0072-base-files-remove-etc-sysctl.d-from-conffiles.patch b/patches/lede/0072-base-files-remove-etc-sysctl.d-from-conffiles.patch
new file mode 100644
index 00000000..c88ce368
--- /dev/null
+++ b/patches/lede/0072-base-files-remove-etc-sysctl.d-from-conffiles.patch
@@ -0,0 +1,32 @@
+From: Matthias Schiffer
+Date: Fri, 13 Apr 2018 14:36:43 +0200
+Subject: base-files: remove /etc/sysctl.d/ from conffiles
+
+Let's use /etc/sysctl.d for package-provided snippets and leave
+/etc/sysctl.conf to the admin. Don't backup /etc/sysctl.d on upgrades, so
+old defaults get replaced properly.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/base-files/Makefile b/package/base-files/Makefile
+index 6ae4b9262e369f5e93f59133d1c0b61a0d6c2224..339528d3ba8a5ab40c2d8fa246c937d61fb4856d 100644
+--- a/package/base-files/Makefile
++++ b/package/base-files/Makefile
+@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
+ include $(INCLUDE_DIR)/version.mk
+
+ PKG_NAME:=base-files
+-PKG_RELEASE:=173.5.1
++PKG_RELEASE:=173.5.2
+ PKG_FLAGS:=nonshared
+
+ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
+@@ -59,8 +59,6 @@ define Package/base-files/conffiles
+ /etc/shadow
+ /etc/shells
+ /etc/sysctl.conf
+-/etc/sysctl.d/
+-/etc/sysctl.d/local.conf
+ /etc/sysupgrade.conf
+ $(call $(TARGET)/conffiles)
+ endef
diff --git a/patches/lede/0073-kernel-disable-accept_ra-by-default.patch b/patches/lede/0073-kernel-disable-accept_ra-by-default.patch
new file mode 100644
index 00000000..fd0c3090
--- /dev/null
+++ b/patches/lede/0073-kernel-disable-accept_ra-by-default.patch
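Review bot: Dropping `/etc/sysctl.d/` from conffiles fixes the package side, but `/etc/sysctl.conf` stays a conffile and, after 0069, is applied last, so a device whose overlay still carries the pre-0070 full default list — including the `net.netfilter.*` and `net.bridge.*` keys that 0071 moved into the kmods — will keep re-applying those stale values after the package snippets on every upgrade, shadowing future changes to 10-default.conf and reproducing the uninstalled-kmod warnings 0071 is meant to avoid. With 11_migrate-sysctl removed in 0068 nothing refreshes such a file any more. Unless sysupgrade already discards unmodified conffiles (not visible here), a uci-defaults step that replaces an /etc/sysctl.conf matching a known old default with the new one-line version would close the gap; at minimum the commit message should say that an existing /etc/sysctl.conf is kept verbatim and now takes precedence over /etc/sysctl.d.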
@@ -0,0 +1,170 @@
+From: Matthias Schiffer
+Date: Thu, 12 Apr 2018 22:14:56 +0200
+Subject: kernel: disable accept_ra by default
+
+Our script setting accept_ra to 0 on all interfaces got lost in the
+transition to procd. This remained unnoticed for a long time, as was also
+enable forwarding on all interfaces, which prevents RA handling by default.
+
+Providing a way to ensure net.ipv6.conf.default.accept_ra is set early
+enough is a nicer solution than fixing up interfaces in a script (given the
+patch is accepted upstream).
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/target/linux/generic/config-3.18 b/target/linux/generic/config-3.18
+index 4c3215b594cea9f3d001f8a9f73bbdf78e30ceff..bf13cefde0c5dc45788da9dea57aca5def9b152b 100644
+--- a/target/linux/generic/config-3.18
++++ b/target/linux/generic/config-3.18
+@@ -1604,6 +1604,7 @@ CONFIG_IOSCHED_NOOP=y
+ # CONFIG_IPC_NS is not set
+ # CONFIG_IPMI_HANDLER is not set
+ # CONFIG_IPV6 is not set
++# CONFIG_IPV6_ACCEPT_RA_DEFAULT is not set
+ # CONFIG_IPV6_MIP6 is not set
+ # CONFIG_IPV6_MROUTE is not set
+ # CONFIG_IPV6_MROUTE_MULTIPLE_TABLES is not set
+diff --git a/target/linux/generic/config-4.4 b/target/linux/generic/config-4.4
+index a8fd15d1a4a40681d80da06ad7a826966287d8d8..e2d69426370a3e50703c48fb60c5b1b3aa601ef3 100644
+--- a/target/linux/generic/config-4.4
++++ b/target/linux/generic/config-4.4
+@@ -1671,6 +1671,7 @@ CONFIG_IOSCHED_NOOP=y
+ # CONFIG_IPC_NS is not set
+ # CONFIG_IPMI_HANDLER is not set
+ # CONFIG_IPV6 is not set
++# CONFIG_IPV6_ACCEPT_RA_DEFAULT is not set
+ # CONFIG_IPV6_ILA is not set
+ # CONFIG_IPV6_MIP6 is not set
+ # CONFIG_IPV6_MROUTE is not set
+diff --git a/target/linux/generic/patches-3.18/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch b/target/linux/generic/patches-3.18/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..6067be31830f6cc788708632dba36f338eb67d39
+--- /dev/null
++++ b/target/linux/generic/patches-3.18/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+@@ -0,0 +1,60 @@
++From 782710d7f18a2c9999410cb7cfc92955463897d8 Mon Sep 17 00:00:00 2001
++Message-Id: <782710d7f18a2c9999410cb7cfc92955463897d8.1523559442.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer
++Date: Thu, 12 Apr 2018 20:08:05 +0200
++Subject: [PATCH net-next] ipv6: provide Kconfig switch to disable accept_ra by
++ default
++
++Many distributions and users prefer to handle router advertisements in
++userspace; one example is OpenWrt, which includes a combined RA and DHCPv6
++client. For such configurations, accept_ra should not be enabled by
++default.
++
++As setting net.ipv6.conf.default.accept_ra via sysctl.conf or similar
++facilities may be too late to catch all interfaces and common sysctl.conf
++tools do not allow setting an option for all existing interfaces, this
++patch provides a Kconfig option to control the default value of
++default.accept_ra.
++
++Using default.accept_ra is preferable to all.accept_ra for our usecase,
++as disabling all.accept_ra would preclude users from explicitly enabling
++accept_ra on individual interfaces.
++
++Signed-off-by: Matthias Schiffer
++---
++ net/ipv6/Kconfig | 12 ++++++++++++
++ net/ipv6/addrconf.c | 2 +-
++ 2 files changed, 13 insertions(+), 1 deletion(-)
++
++--- a/net/ipv6/Kconfig
+++++ b/net/ipv6/Kconfig
++@@ -21,6 +21,18 @@ menuconfig IPV6
++
++ if IPV6
++
+++config IPV6_ACCEPT_RA_DEFAULT
+++ bool "IPv6: Accept router advertisements by default"
+++ default y
+++ help
+++ The kernel can internally handle IPv6 router advertisements for
+++ stateless address autoconfiguration (SLAAC) and route configuration,
+++ which can be configured in detail and per-interface using a number of
+++ sysctl options. This option controls the default value of
+++ net.ipv6.conf.default.accept_ra.
+++
+++ If unsure, say Y.
+++
++ config IPV6_ROUTER_PREF
++ bool "IPv6: Router Preference (RFC 4191) support"
++ ---help---
++--- a/net/ipv6/addrconf.c
+++++ b/net/ipv6/addrconf.c
++@@ -207,7 +207,7 @@ static struct ipv6_devconf ipv6_devconf_
++ .forwarding = 0,
++ .hop_limit = IPV6_DEFAULT_HOPLIMIT,
++ .mtu6 = IPV6_MIN_MTU,
++- .accept_ra = 1,
+++ .accept_ra = IS_ENABLED(CONFIG_IPV6_ACCEPT_RA_DEFAULT),
++ .accept_redirects = 1,
++ .autoconf = 1,
++ .force_mld_version = 0,
+diff --git a/target/linux/generic/patches-4.4/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch b/target/linux/generic/patches-4.4/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..8184a27705348c609d09c39a6d90b810d28fdead
+--- /dev/null
++++ b/target/linux/generic/patches-4.4/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+@@ -0,0 +1,60 @@
++From 782710d7f18a2c9999410cb7cfc92955463897d8 Mon Sep 17 00:00:00 2001
++Message-Id: <782710d7f18a2c9999410cb7cfc92955463897d8.1523559442.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer
++Date: Thu, 12 Apr 2018 20:08:05 +0200
++Subject: [PATCH net-next] ipv6: provide Kconfig switch to disable accept_ra by
++ default
++
++Many distributions and users prefer to handle router advertisements in
++userspace; one example is OpenWrt, which includes a combined RA and DHCPv6
++client. For such configurations, accept_ra should not be enabled by
++default.
++
++As setting net.ipv6.conf.default.accept_ra via sysctl.conf or similar
++facilities may be too late to catch all interfaces and common sysctl.conf
++tools do not allow setting an option for all existing interfaces, this
++patch provides a Kconfig option to control the default value of
++default.accept_ra.
++
++Using default.accept_ra is preferable to all.accept_ra for our usecase,
++as disabling all.accept_ra would preclude users from explicitly enabling
++accept_ra on individual interfaces.
++
++Signed-off-by: Matthias Schiffer
++---
++ net/ipv6/Kconfig | 12 ++++++++++++
++ net/ipv6/addrconf.c | 2 +-
++ 2 files changed, 13 insertions(+), 1 deletion(-)
++
++--- a/net/ipv6/Kconfig
+++++ b/net/ipv6/Kconfig
++@@ -20,6 +20,18 @@ menuconfig IPV6
++
++ if IPV6
++
+++config IPV6_ACCEPT_RA_DEFAULT
+++ bool "IPv6: Accept router advertisements by default"
+++ default y
+++ help
+++ The kernel can internally handle IPv6 router advertisements for
+++ stateless address autoconfiguration (SLAAC) and route configuration,
+++ which can be configured in detail and per-interface using a number of
+++ sysctl options. This option controls the default value of
+++ net.ipv6.conf.default.accept_ra.
+++
+++ If unsure, say Y.
+++
++ config IPV6_ROUTER_PREF
++ bool "IPv6: Router Preference (RFC 4191) support"
++ ---help---
++--- a/net/ipv6/addrconf.c
+++++ b/net/ipv6/addrconf.c
++@@ -222,7 +222,7 @@ static struct ipv6_devconf ipv6_devconf_
++ .forwarding = 0,
++ .hop_limit = IPV6_DEFAULT_HOPLIMIT,
++ .mtu6 = IPV6_MIN_MTU,
++- .accept_ra = 1,
+++ .accept_ra = IS_ENABLED(CONFIG_IPV6_ACCEPT_RA_DEFAULT),
++ .accept_redirects = 1,
++ .autoconf = 1,
++ .force_mld_version = 0,
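Review bot: The addrconf.c hunks in both the 3.18 and 4.4 patches carry only the truncated context `static struct ipv6_devconf ipv6_devconf_`, and addrconf.c has two such initialisers with `.accept_ra = 1` — `ipv6_devconf` (backing `conf.all`) and `ipv6_devconf_dflt` (backing `conf.default`) — while the commit message and the Kconfig help both promise `net.ipv6.conf.default.accept_ra`; please confirm the patch lands on `ipv6_devconf_dflt` (the offsets 207/222 suggest it does, but the hunk does not show it). The Kconfig help also says nothing about the interaction with forwarding: with the `net.ipv6.conf.all.forwarding=1` shipped in 10-default.conf, RAs are ignored anyway unless accept_ra is 2, which is the situation the commit message alludes to, so a sentence like `Router advertisements are only processed on interfaces with forwarding disabled unless accept_ra is set to 2.` would spare the next reader the lookup. Both config-3.18 and config-4.4 set the option off, making accept_ra=0 the build default here while upstream keeps `default y`; that intent could be stated in the help text rather than left implicit.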