Backport patches for improved sysctl handling

0b4340b5 · Matthias Schiffer · 46c5effa · 0b4340b5 · 0b4340b5 · 0b4340b5
Unverified Commit 0b4340b5 authored 6 years ago by Matthias Schiffer
--- a/patches/lede/0068-base-files-remove-etc-uci-defaults-11_migrate-sysctl.patch
+++ b/patches/lede/0068-base-files-remove-etc-uci-defaults-11_migrate-sysctl.patch
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 17:30:16 +0200
+Subject: base-files: remove /etc/uci-defaults/11_migrate-sysctl
+11_migrate-sysctl has not been updated with new file hashes since 2012.
+Let's get rid of it.
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+diff --git a/package/base-files/files/etc/uci-defaults/11_migrate-sysctl b/package/base-files/files/etc/uci-defaults/11_migrate-sysctl
+deleted file mode 100644
+index 464e275779ceec1d99a7323b6cbf7901aaa9fbb4..0000000000000000000000000000000000000000
+--- a/package/base-files/files/etc/uci-defaults/11_migrate-sysctl
+++ /dev/null
+@@ -1,16 +0,0 @@
+-#!/bin/sh
+-
+-if [ ! -f "/rom/etc/sysctl.conf" ] || cmp -s "/rom/etc/sysctl.conf" "/etc/sysctl.conf"; then
+-	exit 0
+-fi
+-
+-fingerprint="$(md5sum /etc/sysctl.conf)"
+-fingerprint="${fingerprint%% *}"
+-
+-if [ "$fingerprint" = "1b05ebb41f72cb84e5510573cd4aca26" ] || \
+-   [ "$fingerprint" = "62deb895be1a7f496040187b7c930e4e" ]; then
+-	logger -t migrate-sysctl "Updating sysctl.conf to use current defaults"
+-	cp "/rom/etc/sysctl.conf" "/etc/sysctl.conf"
+-fi
+-
+-exit 0
--- a/patches/lede/0069-base-files-evaluate-etc-sysctl.d-before-etc-sysctl.conf.patch
+++ b/patches/lede/0069-base-files-evaluate-etc-sysctl.d-before-etc-sysctl.conf.patch
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 17:33:51 +0200
+Subject: base-files: evaluate /etc/sysctl.d/* before /etc/sysctl.conf
+We can use /etc/sysctl.d/* for package-supplied sysctl snippets, giving
+admins the option to use /etc/sysctl.conf to override settings.
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+diff --git a/package/base-files/files/etc/hotplug.d/net/00-sysctl b/package/base-files/files/etc/hotplug.d/net/00-sysctl
+index 7a71652c44f8bd1fb9f2e5643e7baa5d5d76c369..8abe7f8bbd698dc58716b770fe8bc7f8bd475b58 100644
+--- a/package/base-files/files/etc/hotplug.d/net/00-sysctl
+++ b/package/base-files/files/etc/hotplug.d/net/00-sysctl
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ if [ "$ACTION" = add ]; then
+-	for CONF in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
+	for CONF in /etc/sysctl.d/*.conf /etc/sysctl.conf; do
+ 		[ ! -f "$CONF" ] && continue;
+ 		sed -ne "/^[[:space:]]*net\..*\.$DEVICENAME\./p" "$CONF" | \
+ 			sysctl -e -p - | logger -t sysctl
+diff --git a/package/base-files/files/etc/init.d/sysctl b/package/base-files/files/etc/init.d/sysctl
+index 65e6aa99250d09a3ccd9d023cb8f8205be86eee8..8722126a6612d67a3f615166a7fbec146207e97f 100755
+--- a/package/base-files/files/etc/init.d/sysctl
+++ b/package/base-files/files/etc/init.d/sysctl
+@@ -30,7 +30,7 @@ apply_defaults() {
+ start() {
+ 	apply_defaults
+-	for CONF in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
+	for CONF in /etc/sysctl.d/*.conf /etc/sysctl.conf; do
+ 		[ -f "$CONF" ] && sysctl -p "$CONF" -e >&-
+ 	done
+ }
--- a/patches/lede/0070-base-files-move-sysctl-defaults-to-etc-sysctl.d-10-default.conf.patch
+++ b/patches/lede/0070-base-files-move-sysctl-defaults-to-etc-sysctl.d-10-default.conf.patch
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 17:37:29 +0200
+Subject: base-files: move sysctl defaults to /etc/sysctl.d/10-default.conf
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf
+index 91a3ac9a02d4344cf8c4c8f93a36193120fc4b95..ae04212f420b185ce525dae444b563128ddf0e11 100644
+--- a/package/base-files/files/etc/sysctl.conf
+++ b/package/base-files/files/etc/sysctl.conf
+@@ -1,30 +1 @@
+-kernel.panic=3
+-kernel.core_pattern=/tmp/%e.%t.%p.%s.core
+-
+-net.ipv4.conf.default.arp_ignore=1
+-net.ipv4.conf.all.arp_ignore=1
+-net.ipv4.ip_forward=1
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-net.ipv4.igmp_max_memberships=100
+-net.ipv4.tcp_fin_timeout=30
+-net.ipv4.tcp_keepalive_time=120
+-net.ipv4.tcp_syncookies=1
+-net.ipv4.tcp_timestamps=1
+-net.ipv4.tcp_sack=1
+-net.ipv4.tcp_dsack=1
+-
+-net.ipv6.conf.default.forwarding=1
+-net.ipv6.conf.all.forwarding=1
+-
+-net.netfilter.nf_conntrack_acct=1
+-net.netfilter.nf_conntrack_checksum=0
+-net.netfilter.nf_conntrack_max=16384
+-net.netfilter.nf_conntrack_tcp_timeout_established=7440
+-net.netfilter.nf_conntrack_udp_timeout=60
+-net.netfilter.nf_conntrack_udp_timeout_stream=180
+-
+-# disable bridge firewalling by default
+-net.bridge.bridge-nf-call-arptables=0
+-net.bridge.bridge-nf-call-ip6tables=0
+-net.bridge.bridge-nf-call-iptables=0
+# Defaults are configured in /etc/sysctl.d/* and can be customized in this file
+diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf b/package/base-files/files/etc/sysctl.d/10-default.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..7c3344dba339514c023c3b13c592e9ce9ca1ff55
+--- /dev/null
+++ b/package/base-files/files/etc/sysctl.d/10-default.conf
+@@ -0,0 +1,34 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+kernel.panic=3
+kernel.core_pattern=/tmp/%e.%t.%p.%s.core
+fs.suid_dumpable=2
+
+net.ipv4.conf.default.arp_ignore=1
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.ip_forward=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.igmp_max_memberships=100
+net.ipv4.tcp_fin_timeout=30
+net.ipv4.tcp_keepalive_time=120
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_timestamps=1
+net.ipv4.tcp_sack=1
+net.ipv4.tcp_dsack=1
+
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.all.forwarding=1
+
+net.netfilter.nf_conntrack_acct=1
+net.netfilter.nf_conntrack_checksum=0
+net.netfilter.nf_conntrack_max=16384
+net.netfilter.nf_conntrack_tcp_timeout_established=7440
+net.netfilter.nf_conntrack_udp_timeout=60
+net.netfilter.nf_conntrack_udp_timeout_stream=180
+
+# disable bridge firewalling by default
+net.bridge.bridge-nf-call-arptables=0
+net.bridge.bridge-nf-call-ip6tables=0
+net.bridge.bridge-nf-call-iptables=0
+diff --git a/package/base-files/files/etc/sysctl.d/local.conf b/package/base-files/files/etc/sysctl.d/local.conf
+deleted file mode 100644
+index 891da73df8d61e0c47069d4c6c8cc090f693c0b2..0000000000000000000000000000000000000000
+--- a/package/base-files/files/etc/sysctl.d/local.conf
+++ /dev/null
+@@ -1 +0,0 @@
+-# local sysctl settings can be stored in this directory
--- a/patches/lede/0071-base-files-move-netfilter-sysctl-defaults-to-specific-kmod-packages.patch
+++ b/patches/lede/0071-base-files-move-netfilter-sysctl-defaults-to-specific-kmod-packages.patch
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 17:57:44 +0200
+Subject: base-files: move netfilter sysctl defaults to specific kmod packages
+Avoid warnings when applying settings for uninstalled kmods. See also
+FS#1073.
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+diff --git a/package/base-files/Makefile b/package/base-files/Makefile
+index 685e3c4061528e2b28054cce53258889b48c05b2..6ae4b9262e369f5e93f59133d1c0b61a0d6c2224 100644
+--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
+@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
+ include $(INCLUDE_DIR)/version.mk
+ PKG_NAME:=base-files
+-PKG_RELEASE:=173.5
+PKG_RELEASE:=173.5.1
+ PKG_FLAGS:=nonshared
+ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
+diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf b/package/base-files/files/etc/sysctl.d/10-default.conf
+index 7c3344dba339514c023c3b13c592e9ce9ca1ff55..98867b7c7ba1d1ce181f721cdfd17517069fcdf2 100644
+--- a/package/base-files/files/etc/sysctl.d/10-default.conf
+++ b/package/base-files/files/etc/sysctl.d/10-default.conf
+@@ -20,15 +20,3 @@ net.ipv4.tcp_dsack=1
+ net.ipv6.conf.default.forwarding=1
+ net.ipv6.conf.all.forwarding=1
+-
+-net.netfilter.nf_conntrack_acct=1
+-net.netfilter.nf_conntrack_checksum=0
+-net.netfilter.nf_conntrack_max=16384
+-net.netfilter.nf_conntrack_tcp_timeout_established=7440
+-net.netfilter.nf_conntrack_udp_timeout=60
+-net.netfilter.nf_conntrack_udp_timeout_stream=180
+-
+-# disable bridge firewalling by default
+-net.bridge.bridge-nf-call-arptables=0
+-net.bridge.bridge-nf-call-ip6tables=0
+-net.bridge.bridge-nf-call-iptables=0
+diff --git a/package/kernel/linux/files/sysctl-br-netfilter.conf b/package/kernel/linux/files/sysctl-br-netfilter.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..b10ddc0874b6d393458e646e396716bd67b6b381
+--- /dev/null
+++ b/package/kernel/linux/files/sysctl-br-netfilter.conf
+@@ -0,0 +1,7 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+# disable bridge firewalling by default
+net.bridge.bridge-nf-call-arptables=0
+net.bridge.bridge-nf-call-ip6tables=0
+net.bridge.bridge-nf-call-iptables=0
+diff --git a/package/kernel/linux/files/sysctl-nf-conntrack.conf b/package/kernel/linux/files/sysctl-nf-conntrack.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..37baf5fd6ff9d99d37554f5e38bf1d749a7f21e2
+--- /dev/null
+++ b/package/kernel/linux/files/sysctl-nf-conntrack.conf
+@@ -0,0 +1,9 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+net.netfilter.nf_conntrack_acct=1
+net.netfilter.nf_conntrack_checksum=0
+net.netfilter.nf_conntrack_max=16384
+net.netfilter.nf_conntrack_tcp_timeout_established=7440
+net.netfilter.nf_conntrack_udp_timeout=60
+net.netfilter.nf_conntrack_udp_timeout_stream=180
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 3b26ad1fbf3e261d84ae18216c51c87c53579c06..bb882363f3df4df733424ca6bba72badc96f06f8 100644
+--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
+@@ -74,6 +74,11 @@ define KernelPackage/nf-conntrack
+   AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m)))
+ endef
+define KernelPackage/nf-conntrack/install
+	$(INSTALL_DIR) $(1)/etc/sysctl.d
+	$(INSTALL_DATA) ./files/sysctl-nf-conntrack.conf $(1)/etc/sysctl.d/11-nf-conntrack.conf
+endef
+
+ $(eval $(call KernelPackage,nf-conntrack))
+@@ -674,6 +679,11 @@ define KernelPackage/br-netfilter
+   AUTOLOAD:=$(call AutoProbe,br_netfilter)
+ endef
+define KernelPackage/br-netfilter/install
+	$(INSTALL_DIR) $(1)/etc/sysctl.d
+	$(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
+endef
+
+ $(eval $(call KernelPackage,br-netfilter))
--- a/patches/lede/0072-base-files-remove-etc-sysctl.d-from-conffiles.patch
+++ b/patches/lede/0072-base-files-remove-etc-sysctl.d-from-conffiles.patch
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Fri, 13 Apr 2018 14:36:43 +0200
+Subject: base-files: remove /etc/sysctl.d/ from conffiles
+Let's use /etc/sysctl.d for package-provided snippets and leave
+/etc/sysctl.conf to the admin. Don't backup /etc/sysctl.d on upgrades, so
+old defaults get replaced properly.
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+diff --git a/package/base-files/Makefile b/package/base-files/Makefile
+index 6ae4b9262e369f5e93f59133d1c0b61a0d6c2224..339528d3ba8a5ab40c2d8fa246c937d61fb4856d 100644
+--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
+@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
+ include $(INCLUDE_DIR)/version.mk
+ PKG_NAME:=base-files
+-PKG_RELEASE:=173.5.1
+PKG_RELEASE:=173.5.2
+ PKG_FLAGS:=nonshared
+ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
+@@ -59,8 +59,6 @@ define Package/base-files/conffiles
+ /etc/shadow
+ /etc/shells
+ /etc/sysctl.conf
+-/etc/sysctl.d/
+-/etc/sysctl.d/local.conf
+ /etc/sysupgrade.conf
+ $(call $(TARGET)/conffiles)
+ endef
--- a/patches/lede/0073-kernel-disable-accept_ra-by-default.patch
+++ b/patches/lede/0073-kernel-disable-accept_ra-by-default.patch
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 22:14:56 +0200
+Subject: kernel: disable accept_ra by default
+Our script setting accept_ra to 0 on all interfaces got lost in the
+transition to procd. This remained unnoticed for a long time, as was also
+enable forwarding on all interfaces, which prevents RA handling by default.
+Providing a way to ensure net.ipv6.conf.default.accept_ra is set early
+enough is a nicer solution than fixing up interfaces in a script (given the
+patch is accepted upstream).
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+diff --git a/target/linux/generic/config-3.18 b/target/linux/generic/config-3.18
+index 4c3215b594cea9f3d001f8a9f73bbdf78e30ceff..bf13cefde0c5dc45788da9dea57aca5def9b152b 100644
+--- a/target/linux/generic/config-3.18
+++ b/target/linux/generic/config-3.18
+@@ -1604,6 +1604,7 @@ CONFIG_IOSCHED_NOOP=y
+ # CONFIG_IPC_NS is not set
+ # CONFIG_IPMI_HANDLER is not set
+ # CONFIG_IPV6 is not set
+# CONFIG_IPV6_ACCEPT_RA_DEFAULT is not set
+ # CONFIG_IPV6_MIP6 is not set
+ # CONFIG_IPV6_MROUTE is not set
+ # CONFIG_IPV6_MROUTE_MULTIPLE_TABLES is not set
+diff --git a/target/linux/generic/config-4.4 b/target/linux/generic/config-4.4
+index a8fd15d1a4a40681d80da06ad7a826966287d8d8..e2d69426370a3e50703c48fb60c5b1b3aa601ef3 100644
+--- a/target/linux/generic/config-4.4
+++ b/target/linux/generic/config-4.4
+@@ -1671,6 +1671,7 @@ CONFIG_IOSCHED_NOOP=y
+ # CONFIG_IPC_NS is not set
+ # CONFIG_IPMI_HANDLER is not set
+ # CONFIG_IPV6 is not set
+# CONFIG_IPV6_ACCEPT_RA_DEFAULT is not set
+ # CONFIG_IPV6_ILA is not set
+ # CONFIG_IPV6_MIP6 is not set
+ # CONFIG_IPV6_MROUTE is not set
+diff --git a/target/linux/generic/patches-3.18/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch b/target/linux/generic/patches-3.18/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..6067be31830f6cc788708632dba36f338eb67d39
+--- /dev/null
+++ b/target/linux/generic/patches-3.18/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+@@ -0,0 +1,60 @@
+From 782710d7f18a2c9999410cb7cfc92955463897d8 Mon Sep 17 00:00:00 2001
+Message-Id: <782710d7f18a2c9999410cb7cfc92955463897d8.1523559442.git.mschiffer@universe-factory.net>
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 20:08:05 +0200
+Subject: [PATCH net-next] ipv6: provide Kconfig switch to disable accept_ra by
+ default
+
+Many distributions and users prefer to handle router advertisements in
+userspace; one example is OpenWrt, which includes a combined RA and DHCPv6
+client. For such configurations, accept_ra should not be enabled by
+default.
+
+As setting net.ipv6.conf.default.accept_ra via sysctl.conf or similar
+facilities may be too late to catch all interfaces and common sysctl.conf
+tools do not allow setting an option for all existing interfaces, this
+patch provides a Kconfig option to control the default value of
+default.accept_ra.
+
+Using default.accept_ra is preferable to all.accept_ra for our usecase,
+as disabling all.accept_ra would preclude users from explicitly enabling
+accept_ra on individual interfaces.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+---
+ net/ipv6/Kconfig    | 12 ++++++++++++
+ net/ipv6/addrconf.c |  2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -21,6 +21,18 @@ menuconfig IPV6
+ 
+ if IPV6
+ 
++config IPV6_ACCEPT_RA_DEFAULT
++	bool "IPv6: Accept router advertisements by default"
++	default y
++	help
++	  The kernel can internally handle IPv6 router advertisements for
++	  stateless address autoconfiguration (SLAAC) and route configuration,
++	  which can be configured in detail and per-interface using a number of
++	  sysctl options. This option controls the default value of
++	  net.ipv6.conf.default.accept_ra.
++
++	  If unsure, say Y.
++
+ config IPV6_ROUTER_PREF
+ 	bool "IPv6: Router Preference (RFC 4191) support"
+ 	---help---
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -207,7 +207,7 @@ static struct ipv6_devconf ipv6_devconf_
+ 	.forwarding		= 0,
+ 	.hop_limit		= IPV6_DEFAULT_HOPLIMIT,
+ 	.mtu6			= IPV6_MIN_MTU,
+-	.accept_ra		= 1,
++	.accept_ra		= IS_ENABLED(CONFIG_IPV6_ACCEPT_RA_DEFAULT),
+ 	.accept_redirects	= 1,
+ 	.autoconf		= 1,
+ 	.force_mld_version	= 0,
+diff --git a/target/linux/generic/patches-4.4/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch b/target/linux/generic/patches-4.4/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..8184a27705348c609d09c39a6d90b810d28fdead
+--- /dev/null
+++ b/target/linux/generic/patches-4.4/690-ipv6-provide-Kconfig-switch-to-disable-accept_ra-by-.patch
+@@ -0,0 +1,60 @@
+From 782710d7f18a2c9999410cb7cfc92955463897d8 Mon Sep 17 00:00:00 2001
+Message-Id: <782710d7f18a2c9999410cb7cfc92955463897d8.1523559442.git.mschiffer@universe-factory.net>
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 12 Apr 2018 20:08:05 +0200
+Subject: [PATCH net-next] ipv6: provide Kconfig switch to disable accept_ra by
+ default
+
+Many distributions and users prefer to handle router advertisements in
+userspace; one example is OpenWrt, which includes a combined RA and DHCPv6
+client. For such configurations, accept_ra should not be enabled by
+default.
+
+As setting net.ipv6.conf.default.accept_ra via sysctl.conf or similar
+facilities may be too late to catch all interfaces and common sysctl.conf
+tools do not allow setting an option for all existing interfaces, this
+patch provides a Kconfig option to control the default value of
+default.accept_ra.
+
+Using default.accept_ra is preferable to all.accept_ra for our usecase,
+as disabling all.accept_ra would preclude users from explicitly enabling
+accept_ra on individual interfaces.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+---
+ net/ipv6/Kconfig    | 12 ++++++++++++
+ net/ipv6/addrconf.c |  2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -20,6 +20,18 @@ menuconfig IPV6
+ 
+ if IPV6
+ 
++config IPV6_ACCEPT_RA_DEFAULT
++	bool "IPv6: Accept router advertisements by default"
++	default y
++	help
++	  The kernel can internally handle IPv6 router advertisements for
++	  stateless address autoconfiguration (SLAAC) and route configuration,
++	  which can be configured in detail and per-interface using a number of
++	  sysctl options. This option controls the default value of
++	  net.ipv6.conf.default.accept_ra.
++
++	  If unsure, say Y.
++
+ config IPV6_ROUTER_PREF
+ 	bool "IPv6: Router Preference (RFC 4191) support"
+ 	---help---
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -222,7 +222,7 @@ static struct ipv6_devconf ipv6_devconf_
+ 	.forwarding		= 0,
+ 	.hop_limit		= IPV6_DEFAULT_HOPLIMIT,
+ 	.mtu6			= IPV6_MIN_MTU,
+-	.accept_ra		= 1,
++	.accept_ra		= IS_ENABLED(CONFIG_IPV6_ACCEPT_RA_DEFAULT),
+ 	.accept_redirects	= 1,
+ 	.autoconf		= 1,
+ 	.force_mld_version	= 0,