author | Waldemar Brodkorb <wbx@openadk.org> | 2010-04-21 20:46:46 +0200 |
---|---|---|
committer | Waldemar Brodkorb <wbx@openadk.org> | 2010-04-21 20:46:46 +0200 |
commit | 38910b0bc0393c60da90e1b2540e3d4c5858dae9 (patch) | |
tree | b2e2fcc845098bfb35ec584906fafe587ba45331 /package | |
parent | b803209ad0f1f198072695109b30a726e0411084 (diff) | |
parent | 0e0d27dc9662ffd759912233ddd71ccb99b9b681 (diff) |
Merge branch 'master' of git+ssh://openadk.org/git/openadk
Diffstat (limited to 'package')
28 files changed, 322 insertions, 44 deletions
diff --git a/package/Config.in b/package/Config.in index 0537a7646..37f1e4e92 100644 --- a/package/Config.in +++ b/package/Config.in @@ -3,6 +3,18 @@ menu "Package selection" +config ADK_ENABLE_IPV6 + prompt "enable IPv6 globally" + boolean + default y + # FIXME: selecting stuff here is ugly, better fix package flavours to + # support a symbol-value-based default (i.e., "default y if IPV6") + select ADK_PACKAGE_NFS_UTILS_WITH_TIRPC if ADK_PACKAGE_NFS_UTILS != n + help + This enables IPv6 support in all related applications. Basically this + just means passing --enable-ipv6 to the configure script, but the + exception proves the rule. ;) + menu "Basesystem" source "package/adkinstall/Config.in" source "package/base-files/Config.in" @@ -97,6 +109,7 @@ menu "Firewall / Routing / Bridging" source "package/arpd/Config.in" source "package/bridge-utils/Config.in" source "package/linux-atm/Config.in" +source "package/conntrack-tools/Config.in" source "package/cutter/Config.in" source "package/ebtables/Config.in" source "package/ether-wake/Config.in" diff --git a/package/asterisk/Makefile b/package/asterisk/Makefile index 595bae027..425683f24 100644 --- a/package/asterisk/Makefile +++ b/package/asterisk/Makefile 
@@ -26,13 +26,15 @@ PKG_DESCR_CHAN_MGCP:= Media Gateway Control Protocol implementation PKG_DESCR_CHAN_SKINNY:= Skinny Client Control Protocol implementation PKG_DESCR_CHAN_IAX2:= Support for the Inter Asterisk Protocol PKG_DESCR_CODEC_SPEEX:= Speex/PCM16 Codec Translator +PKG_DESCR_SOUNDS:= Various soundfiles in GSM format +PKG_DEPENDS_SOUNDS:= ${PKG_DEPENDS} asterisk-codec-gsm include $(TOPDIR)/mk/package.mk $(eval $(call PKG_template,ASTERISK,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) $(eval $(call PKG_template,ASTERISK_PGSQL,asterisk-pgsql,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) $(eval $(call PKG_template,ASTERISK_VOICEMAIL,asterisk-voicemail,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) -$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) +$(eval $(call PKG_template,ASTERISK_SOUNDS,asterisk-sounds,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_SOUNDS},${PKG_DESCR_SOUNDS},${PKG_SECTION})) $(eval $(call PKG_template,ASTERISK_CHAN_MGCP,asterisk-chan-mgcp,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_MGCP},${PKG_SECTION})) $(eval $(call PKG_template,ASTERISK_CHAN_SKINNY,asterisk-chan-skinny,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_SKINNY},${PKG_SECTION})) $(eval $(call PKG_template,ASTERISK_CHAN_IAX2,asterisk-chan-iax2,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS_MAIN},${PKG_DESCR_CHAN_IAX2},${PKG_SECTION})) diff --git a/package/asterisk/files/asterisk.conffiles b/package/asterisk/files/asterisk.conffiles index 2cb705f9c..55949fde7 100644 --- a/package/asterisk/files/asterisk.conffiles +++ b/package/asterisk/files/asterisk.conffiles @@ -13,7 +13,6 @@ /etc/asterisk/modules.conf /etc/asterisk/musiconhold.conf /etc/asterisk/osp.conf -/etc/asterisk/privacy.conf /etc/asterisk/queues.conf /etc/asterisk/rtp.conf /etc/asterisk/sip.conf 
diff --git a/package/base-files/src/etc/init.d/boot b/package/base-files/src/etc/init.d/boot index 2ef6538e0..ed55ccc88 100644 --- a/package/base-files/src/etc/init.d/boot +++ b/package/base-files/src/etc/init.d/boot @@ -8,7 +8,7 @@ mkdir -p /var/log mkdir -p /var/run touch /var/log/lastlog touch /var/log/wtmp -ln -s /var/tmp /tmp +ln -s /tmp /var/tmp echo 0 > /proc/sys/kernel/printk diff --git a/package/base-files/src/etc/sysctl.conf b/package/base-files/src/etc/sysctl.conf index 73260cf9d..f45e98632 100644 --- a/package/base-files/src/etc/sysctl.conf +++ b/package/base-files/src/etc/sysctl.conf @@ -4,6 +4,7 @@ #kernel.panic = 3 # Enable packet forwarding #net.ipv4.ip_forward = 1 +#net.ipv6.conf.all.forwarding = 1 # Disables IP dynaddr #net.ipv4.ip_dynaddr = 0 # Disable ECN diff --git a/package/bc/Makefile b/package/bc/Makefile index dbe613550..8912693c0 100644 --- a/package/bc/Makefile +++ b/package/bc/Makefile @@ -8,7 +8,7 @@ PKG_VERSION:= 1.06 PKG_RELEASE:= 1 PKG_MD5SUM:= d44b5dddebd8a7a7309aea6c36fda117 PKG_DESCR:= An arbitrary precision calculator language -PKG_SECTION:= util +PKG_SECTION:= utils PKG_URL:= http://www.gnu.org/software/bc PKG_SITES:= http://ftp.gnu.org/pub/gnu/bc/ diff --git a/package/busybox/Config.in.manual b/package/busybox/Config.in.manual index 84c1bde40..4e7251520 100644 --- a/package/busybox/Config.in.manual +++ b/package/busybox/Config.in.manual @@ -17,3 +17,6 @@ menu "Busybox Configuration" source "package/busybox/config/Config.in" endmenu +config ADK_PACKAGE_UDHCPD + boolean + default BUSYBOX_APP_UDHCPD diff --git a/package/busybox/Makefile b/package/busybox/Makefile index 400be01e6..5d6826986 100644 --- a/package/busybox/Makefile +++ b/package/busybox/Makefile 
@@ -12,9 +12,13 @@ PKG_SECTION:= base PKG_URL:= http://www.busybox.net PKG_SITES:= http://www.busybox.net/downloads/ +PKG_DESCR_UDHCPD:= uDHCPD meta package +PKG_SECTION_UDHCPD:= net + include $(TOPDIR)/mk/package.mk $(eval $(call PKG_template,BUSYBOX,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) +$(eval $(call PKG_template,UDHCPD,udhcpd,${PKG_VERSION}-${PKG_RELEASE},busybox,${PKG_DESCR_UDHCPD},${PKG_SECTION_UDHCPD})) CONFIG_STYLE:= manual BUILD_STYLE:= manual @@ -63,6 +67,10 @@ ifeq ($(ADK_DEBUG),y) ${INSTALL_BIN} $(WRKBUILD)/busybox_unstripped \ $(IDIR_BUSYBOX)/bin/busybox endif +ifeq ($(ADK_PACKAGE_UDHCPD),y) + ${INSTALL_DIR} ${IDIR_UDHCPD}/etc/ + ${INSTALL_DATA} ./files/udhcpd.conf ${IDIR_UDHCPD}/etc/ +endif fake: $(TOPDIR)/.busyboxcfg do-configure do-install diff --git a/package/busybox/files/udhcpd.conf b/package/busybox/files/udhcpd.conf new file mode 100644 index 000000000..6c8104dfa --- /dev/null +++ b/package/busybox/files/udhcpd.conf @@ -0,0 +1,28 @@ +# interface to bind to +interface eth0 + +# iprange to choose from +start 192.168.1.100 +end 192.168.1.200 + +# max number of leases +#max_leases 100 + +# period of auto lease file updates (in seconds) +auto_time 7200 + +# some timeouts +#decline_time 3600 +#conflict_time 3600 +#offer_time 60 +#min_lease 60 + +# do not change the path here +leases_file /var/udhcpd.leases + +# call this script upon lease file write +# (dumpleases may be useful for debugging) +#notify_file dumpleases + +# static leases +#static_lease 00:fe:ed:ba:be:00 192.168.1.2 diff --git a/package/busybox/files/udhcpd.conffiles b/package/busybox/files/udhcpd.conffiles new file mode 100644 index 000000000..c0b2aeea6 --- /dev/null +++ b/package/busybox/files/udhcpd.conffiles @@ -0,0 +1 @@ +/etc/udhcpd.conf diff --git a/package/busybox/files/udhcpd.init b/package/busybox/files/udhcpd.init new file mode 100644 index 000000000..d9627aa9d --- /dev/null +++ b/package/busybox/files/udhcpd.init 
@@ -0,0 +1,28 @@
+#!/bin/sh
+#PKG udhcpd
+#INIT 50
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+ [[ $udhcpd = NO ]] && exit 0
+ exec sh $0 start
+ ;;
+start)
+ touch /var/udhcp.leases
+ udhcpd -S
+ ;;
+stop)
+ pkill udhcpd
+ ;;
+restart)
+ sh $0 stop
+ sh $0 start
+ ;;
+*)
+ echo "Usage: $0 {start | stop | restart}"
+ exit 1
+ ;;
+esac
+exit $?
diff --git a/package/busybox/files/udhcpd.postinst b/package/busybox/files/udhcpd.postinst
new file mode 100644
index 000000000..f90718c58
--- /dev/null
+++ b/package/busybox/files/udhcpd.postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+. $IPKG_INSTROOT/etc/functions.sh
+add_rcconf udhcpd udhcpd 'NO'
diff --git a/package/conntrack-tools/Makefile b/package/conntrack-tools/Makefile
new file mode 100644
index 000000000..d4d53b8be
--- /dev/null
+++ b/package/conntrack-tools/Makefile
@@ -0,0 +1,26 @@
+# This file is part of the OpenADK project. OpenADK is copyrighted
+# material, please see the LICENCE file in the top-level directory.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:= conntrack-tools
+PKG_VERSION:= 0.9.9
+PKG_RELEASE:= 1
+PKG_MD5SUM:= 35b0ab9cde069b4ec8a493daae82d67b
+PKG_DESCR:= Connection tracking userspace tools
+PKG_SECTION:= firewall
+PKG_DEPENDS:= libnetfilter_conntrack
+PKG_BUILDDEP+= libnetfilter_conntrack
+PKG_URL:= http://conntrack-tools.netfilter.org
+PKG_SITES:= http://www.netfilter.org/projects/conntrack-tools/files/
+DISTFILES:= ${PKG_NAME}-${PKG_VERSION}.tar.bz2
+
+include $(TOPDIR)/mk/package.mk
+
+$(eval $(call PKG_template,CONNTRACK_TOOLS,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+
+post-install:
+ $(INSTALL_DIR) $(IDIR_CONNTRACK_TOOLS)/usr/sbin
+ $(INSTALL_BIN) $(WRKINST)/usr/sbin/conntrack{,d} $(IDIR_CONNTRACK_TOOLS)/usr/sbin/
+
+include ${TOPDIR}/mk/pkg-bottom.mk
diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile
index 6625cb21c..2ab254cd2 100644
--- a/package/dropbear/Makefile
+++ b/package/dropbear/Makefile
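Review bot: The `start)` branch of udhcpd.init touches `/var/udhcp.leases`, but the udhcpd.conf added in the same commit sets `leases_file /var/udhcpd.leases`, so the file the daemon is configured to use is never pre-created. Change the line to `touch /var/udhcpd.leases` so both files name the same path. Separately, `[[ $udhcpd = NO ]]` under `#!/bin/sh` relies on the shell providing `[[` and treats an unset variable as enabled; the form used by firewall6.init in this commit, `test x"${firewall6:-NO}" = x"NO"`, avoids both and would keep a freshly installed DHCP server off until it is explicitly enabled.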
@@ -5,14 +5,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:= dropbear PKG_VERSION:= 0.52 -PKG_RELEASE:= 1 +PKG_RELEASE:= 2 PKG_MD5SUM:= 1c69ec674481d7745452f68f2ea5597e PKG_DESCR:= SSH 2 server/client designed for embedded systems PKG_SECTION:= net PKG_URL:= http://matt.ucc.asn.au/dropbear PKG_SITES:= http://matt.ucc.asn.au/dropbear/releases/ -PKG_DESCR_UTIL:= Utility for converting SSH keys +PKG_DESCR_UTIL:= Utility for converting SSH private keys include $(TOPDIR)/mk/package.mk diff --git a/package/dropbear/files/dropbear.init b/package/dropbear/files/dropbear.init index 4a7d7a875..9983e943c 100644 --- a/package/dropbear/files/dropbear.init +++ b/package/dropbear/files/dropbear.init @@ -27,6 +27,14 @@ start) test $rv = 0 || exit 1 test -f /etc/dropbear/dropbear_rsa_host_key || exit 1 fi + if test ! -f /etc/dropbear/dropbear_dss_host_key; then + # take it easy here, since above already catched the worst cases + if test -x /usr/bin/dropbearkey; then + bothlog "dropbear: generating SSH private key (DSS)" + /usr/bin/dropbearkey -f /etc/dropbear/dropbear_dss_host_key -t dss + bothlog dropbear: key generation exited with code $? + fi + fi /usr/sbin/dropbear $dropbear_flags ;; stop) diff --git a/package/dropbear/patches/patch-options_h b/package/dropbear/patches/patch-options_h index b0903f45d..00914dda2 100644 --- a/package/dropbear/patches/patch-options_h +++ b/package/dropbear/patches/patch-options_h @@ -1,6 +1,6 @@ $Id: update-patches 24 2008-08-31 14:56:13Z wbx $ --- dropbear-0.52.orig/options.h 2008-11-11 15:13:50.000000000 +0100 -+++ dropbear-0.52/options.h 2010-01-22 17:55:09.000000000 +0100 ++++ dropbear-0.52/options.h 2010-03-14 23:30:26.277667006 +0100 @@ -10,6 +10,11 @@ * parts are to allow for commandline -DDROPBEAR_XXX options etc. ******************************************************************/ 
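Review bot: The new DSS branch in dropbear.init only logs the exit status of `dropbearkey` and then starts the daemon, whereas the context lines just above it (`test $rv = 0 || exit 1`) abort on failure. Because the guard is `test ! -f`, a failed or interrupted run that leaves a truncated `/etc/dropbear/dropbear_dss_host_key` is never repaired on later boots; consider guarding with `test ! -s` and appending `|| rm -f /etc/dropbear/dropbear_dss_host_key` to the generation line. Host keys created on the first boot of an embedded device depend on the kernel entropy pool already being seeded, and DSS signing is particularly sensitive to weak randomness, so a comment stating that assumption would help. The second `bothlog` call passes its message unquoted, unlike the first. The enclosing `start)` branch begins outside the hunk.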
@@ -13,15 +13,6 @@ $Id: update-patches 24 2008-08-31 14:56:13Z wbx $ #ifndef DROPBEAR_DEFPORT #define DROPBEAR_DEFPORT "22" #endif -@@ -115,7 +120,7 @@ etc) slower (perhaps by 50%). Recommende - * Removing either of these won't save very much space. - * SSH2 RFC Draft requires dss, recommends rsa */ - #define DROPBEAR_RSA --#define DROPBEAR_DSS -+/* #define DROPBEAR_DSS */ - - /* RSA can be vulnerable to timing attacks which use the time required for - * signing to guess the private key. Blinding avoids this attack, though makes @@ -129,7 +134,7 @@ etc) slower (perhaps by 50%). Recommende /* #define DSS_PROTOK */ diff --git a/package/iptables/Makefile b/package/iptables/Makefile index f07604877..4aa2d58bf 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -14,6 +14,8 @@ PKG_DEPENDS+= kmod-nf-conntrack-ipv4 kmod-nf-nat PKG_DEPENDS+= kmod-ip-nf-target-masquerade kmod-ip-nf-target-reject PKG_DEPENDS+= kmod-ip-nf-filter kmod-ip-nf-match-state PKG_DEPENDS+= kmod-netfilter-xt-target-tcpmss +PKG_DEPENDS6:= kmod-ip6-nf-iptables kmod-nf-conntrack-ipv6 +PKG_DEPENDS6+= kmod-ip6-nf-filter kmod-ip6-nf-target-reject PKG_URL:= http://www.netfilter.org PKG_SITES:= http://www.netfilter.org/projects/iptables/files/ \ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ @@ -29,7 +31,7 @@ include ${TOPDIR}/mk/package.mk #include ${LINUX_DIR}/.config $(eval $(call PKG_template,IPTABLES,iptables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) -$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION})) +$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS6},${PKG_DESCR},${PKG_SECTION})) CONFIGURE_ARGS+= --enable-devel 
@@ -44,8 +46,8 @@ post-install: ${SUB_INSTALL-m} ${SUB_INSTALL-y} ${CP} ${WRKINST}/usr/lib/libxtables.so* ${IDIR_IPTABLES}/usr/lib ip6tables-install: - ${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/lib - ${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/sbin + ${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin} + ${INSTALL_DATA} ./files/firewall6.conf ${IDIR_IP6TABLES}/etc ${INSTALL_BIN} ${WRKINST}/usr/sbin/ip6tables ${IDIR_IP6TABLES}/usr/sbin/ ${CP} ${WRKINST}/usr/lib/libip6tc.so* ${IDIR_IP6TABLES}/usr/lib diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf index 2c8faaa34..15794dece 100644 --- a/package/iptables/files/firewall.conf +++ b/package/iptables/files/firewall.conf @@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule ### Default policy iptables -P INPUT DROP iptables -P FORWARD DROP +iptables -P OUTPUT DROP ### INPUT ### (connections with the router as destination) @@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable ### (connections with the router as source) # base case -iptables -A OUTPUT -m state --state INVALID -j DROP -iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT ### FORWARD ### (connections routed through the router) # base case iptables -A FORWARD -m state --state INVALID -j DROP -iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +# fix for broken ISPs blocking ICMP "fragmentation needed" packets +#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + # custom rules iptables -A FORWARD -j forwarding_rule iptables -t nat -A PREROUTING -j prerouting_rule diff --git a/package/iptables/files/firewall6.conf b/package/iptables/files/firewall6.conf new file mode 100644 index 000000000..2e86138b2 --- /dev/null 
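Review bot: `iptables -P OUTPUT DROP` in firewall.conf changes the chain policy, but no matching change to the IPv4 firewall init script is visible in this part of the diff, while the new firewall6.init explicitly resets `ip6tables -P OUTPUT ACCEPT` on stop. If the existing IPv4 stop branch only resets INPUT and FORWARD, stopping the firewall flushes the OUTPUT rules and leaves the DROP policy in place, cutting all traffic that originates on the router; add `iptables -P OUTPUT ACCEPT` there if it is missing. The second hunk also turns the TCPMSS clamp from an active rule into a commented-out one, so it is no longer applied by default, and the comment should say when it has to be enabled. The removed `--state INVALID -j DROP` on OUTPUT is now covered only by the DROP policy (and not at all for ICMP, which the new `-p icmp -j ACCEPT` passes regardless of state); a one-line comment recording that would keep a later policy change from silently reopening it.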
+++ b/package/iptables/files/firewall6.conf 
@@ -0,0 +1,98 @@ +#!/bin/sh +echo "configure /etc/firewall6.conf first." +exit 1 + +### Interfaces +WAN=sixxs +LAN=br0 +WLAN=wlan0 + +###################################################################### +### Default ruleset +###################################################################### + +### Create chains +ip6tables -N input_rule +ip6tables -N forwarding_rule + +### Default policy +ip6tables -P INPUT DROP +ip6tables -P FORWARD DROP +ip6tables -P OUTPUT DROP + +### INPUT +### (connections with the router as destination) + +# base case +ip6tables -A INPUT -m state --state INVALID -j DROP +ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP + +# custom rules +ip6tables -A INPUT -j input_rule + +# allow access from anything but WAN +ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT +# allow icmp messages +ip6tables -A INPUT -p icmp6 -j ACCEPT + +# reject +ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset +ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable + +### OUTPUT +### (connections with the router as source) + +# base case +ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT +ip6tables -A OUTPUT -p icmp6 -j ACCEPT + +### FORWARD +### (connections routed through the router) + +# base case +ip6tables -A FORWARD -m state --state INVALID -j DROP +ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + +# fix for broken ISPs blocking ICMPv6 "packet too big" packets +#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + +# custom rules +ip6tables -A FORWARD -j forwarding_rule + +# allow LAN +ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT + +###################################################################### +### Default ruleset end +###################################################################### + +### +### Connections to the router +### + +# ssh +#ip6tables 
-A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT + +# IPSec +#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT +#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT + +# OpenVPN +#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT + +# PPTP +#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT +#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT + +### +### VPN traffic +### + +# IPSec +#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT +#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT + +# OpenVPN +#ip6tables -A forwarding_rule -o tun+ -j ACCEPT +#ip6tables -A forwarding_rule -i tun+ -j ACCEPT diff --git a/package/iptables/files/firewall6.init b/package/iptables/files/firewall6.init new file mode 100755 index 000000000..bedb639a9 --- /dev/null +++ b/package/iptables/files/firewall6.init @@ -0,0 +1,31 @@ +#!/bin/sh +#PKG iptables +#INIT 45 +. /etc/rc.conf + +case $1 in +autostop) ;; +autostart) + test x"${firewall6:-NO}" = x"NO" && exit 0 + exec sh $0 start + ;; +start) + . /etc/firewall6.conf + ;; +stop) + ### Clear tables + ip6tables -F + ip6tables -X + ip6tables -P INPUT ACCEPT + ip6tables -P FORWARD ACCEPT + ip6tables -P OUTPUT ACCEPT + ;; +restart) + sh $0 stop + sh $0 start + ;; +*) + echo "Usage: $0 {start | stop | restart}" + ;; +esac +exit $? diff --git a/package/iptables/files/iptables.postinst b/package/iptables/files/iptables.postinst index 89b0af164..b418e73f9 100644 --- a/package/iptables/files/iptables.postinst +++ b/package/iptables/files/iptables.postinst @@ -2,3 +2,4 @@ . $IPKG_INSTROOT/etc/functions.sh add_rcconf iptables firewall NO +add_rcconf iptables firewall6 NO diff --git a/package/ntfs-3g/Makefile b/package/ntfs-3g/Makefile index 72d418e56..265a09d8d 100644 --- a/package/ntfs-3g/Makefile +++ b/package/ntfs-3g/Makefile 
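Review bot: In the INPUT section of firewall6.conf, `--state INVALID -j DROP` runs before `-p icmp6 -j ACCEPT`, and the ICMPv6 rule is also placed after the interface rule. Depending on the kernel, neighbour-discovery messages may not be tracked by conntrack and can be classified INVALID, in which case they are dropped before the accept rule is reached and IPv6 on the WAN link stops working; moving the ICMPv6 accept above the state rules avoids that. Please also confirm that the shipped ip6tables resolves the protocol name `icmp6`; the names it is known to accept are `icmpv6` and `ipv6-icmp`. The commented examples still carry the IPv4-style placeholder `-s <a.b.c.d>`, and `WLAN` is assigned but never used in the ruleset.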
@@ -8,7 +8,7 @@ PKG_VERSION= 2010.1.16 PKG_RELEASE= 1 PKG_MD5SUM= e104c914e8d7d29ee83e63d46afbba25 PKG_DESCR:= ntfs filesystem driver with read and write support -PKG_SECTION:= sys +PKG_SECTION:= kernel PKG_DEPENDS:= kmod-fuse-fs PKG_URL:= http://tuxera.com PKG_SITES= http://tuxera.com/opensource/ diff --git a/package/openssh/Makefile b/package/openssh/Makefile index 27bc8dab8..1eb72097a 100644 --- a/package/openssh/Makefile +++ b/package/openssh/Makefile @@ -4,9 +4,9 @@ include ${TOPDIR}/rules.mk PKG_NAME:= openssh -PKG_VERSION:= 5.4p1 +PKG_VERSION:= 5.5p1 PKG_RELEASE:= 1 -PKG_MD5SUM:= da10af8a789fa2e83e3635f3a1b76f5e +PKG_MD5SUM:= 88633408f4cb1eb11ec7e2ec58b519eb PKG_DESCR:= OpenSSH server PKG_SECTION:= net PKG_DEPENDS:= zlib libopenssl libpthread diff --git a/package/openssh/patches/patch-openbsd-compat_port-tun_c b/package/openssh/patches/patch-openbsd-compat_port-tun_c new file mode 100644 index 000000000..a9ed6434b --- /dev/null +++ b/package/openssh/patches/patch-openbsd-compat_port-tun_c @@ -0,0 +1,11 @@ +--- openssh-5.5p1.orig/openbsd-compat/port-tun.c 2008-05-19 07:28:36.000000000 +0200 ++++ openssh-5.5p1/openbsd-compat/port-tun.c 2010-04-21 20:14:00.000000000 +0200 +@@ -213,7 +213,7 @@ sys_tun_infilter(struct Channel *c, char + if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af))) + return (-1); + ptr = (char *)&rbuf[0]; +- bcopy(buf, ptr + sizeof(u_int32_t), len); ++ memcpy(ptr + sizeof(u_int32_t), buf, len); + len += sizeof(u_int32_t); + af = (u_int32_t *)ptr; + diff --git a/package/pdnsd/files/pdnsd.conf b/package/pdnsd/files/pdnsd.conf index 00b548117..73690524a 100644 --- a/package/pdnsd/files/pdnsd.conf +++ b/package/pdnsd/files/pdnsd.conf 
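Review bot: The new openssh patch replaces `bcopy(buf, ptr + sizeof(u_int32_t), len)` with `memcpy`, but `bcopy` is defined for overlapping regions and `memcpy` is not. From the hunk, `buf` is a parameter and `ptr` points into `rbuf`, so the two presumably never overlap, but that is not established by the visible lines; `memmove(ptr + sizeof(u_int32_t), buf, len);` is the exact drop-in equivalent if there is any doubt. The patch file also has no description line, unlike the pdnsd patch added in this commit; a first line such as `replace legacy bcopy() with memcpy(); buf and rbuf are distinct buffers` would record why it exists. sys_tun_infilter's body starts and ends outside the hunk.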
@@ -1,7 +1,8 @@ global { - perm_cache=1024; - cache_dir="/var/cache/pdnsd"; # do not change this! - run_as="nobody"; + perm_cache = 1024; + cache_dir = "/var/cache/pdnsd"; # do not change this! + run_as = "nobody"; + strict_setuid = on; server_ip = 127.0.0.1; # Use eth0 here if you want to allow other # machines on your network to query pdnsd. status_ctl = on; @@ -11,20 +12,25 @@ global { min_ttl=15m; # Retain cached entries at least 15 minutes. max_ttl=1w; # One week. timeout=10; # Global timeout option (10 seconds). + proc_limit = 20; } -server { - label= "myisp"; - ip = 192.168.0.1; # Put your ISP's DNS-server address(es) here. -# proxy_only=on; # Do not query any name servers beside your ISP's. - # This may be necessary if you are behind some - # kind of firewall and cannot receive replies - # from outside name servers. - timeout=4; # Server timeout; this may be much shorter - # that the global timeout option. - uptest=if; # Test if the network interface is active. - interface=eth0; # The name of the interface to check. - interval=10m; # Check every 10 minutes. - purge_cache=off; # Keep stale cache entries in case the ISP's - # DNS servers go offline. +# serve local host definitions +source { + owner = "localhost"; + serve_aliases = off; # skip everything after the first host for an IP + file = "/etc/hosts"; } + +# for dns servers via dhcp +#server { +# label = "dhcp"; +# file = "/var/resolv.conf"; +# exclude = ".lan"; +# policy = fqdn_only; +# timeout = 4; +# uptest = if; +# interface = "eth0"; +# interval = 60; +#} + diff --git a/package/pdnsd/files/pdnsd.init b/package/pdnsd/files/pdnsd.init index 0da77186d..b67696469 100644 --- a/package/pdnsd/files/pdnsd.init +++ b/package/pdnsd/files/pdnsd.init @@ -13,7 +13,10 @@ autostart) start) [ -f /etc/pdnsd.conf ] || exit mkdir -p /var/cache/pdnsd - pdnsd -s -t -d + touch /var/cache/pdnsd/pdnsd.cache + # this allows for strict_setuid + chown -R nobody:nogroup /var/cache/pdnsd + pdnsd -d ;; stop) pkill pdnsd 
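Review bot: In pdnsd.init, `chown -R nobody:nogroup /var/cache/pdnsd` runs as root on every start over a directory that is writable by `nobody` once the first start has completed. `nobody` is typically shared by several daemons, and whether a recursive chown acts on a link or on its target depends on the chown implementation, so root may end up changing ownership of files outside the cache directory. Chown only what the script itself created, non-recursively, e.g. `chown nobody:nogroup /var/cache/pdnsd /var/cache/pdnsd/pdnsd.cache`, adding `-h` if the installed chown supports it. A dedicated account for `run_as` in pdnsd.conf would narrow this further. The `start)` branch begins outside the hunk.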
diff --git a/package/pdnsd/patches/patch-src_dns_query_c b/package/pdnsd/patches/patch-src_dns_query_c new file mode 100644 index 000000000..f16c3d497 --- /dev/null +++ b/package/pdnsd/patches/patch-src_dns_query_c @@ -0,0 +1,12 @@ +use the temporary port, not always the global one over and over again +--- pdnsd-1.2.7.orig/src/dns_query.c 2008-09-01 15:56:51.000000000 +0200 ++++ pdnsd-1.2.7/src/dns_query.c 2010-03-19 21:44:38.837858828 +0100 +@@ -650,7 +650,7 @@ static int bind_socket(int s) + ELSE_IPV6 { + memset(&sin.sin6,0,sizeof(struct sockaddr_in6)); + sin.sin6.sin6_family=AF_INET6; +- sin.sin6.sin6_port=htons(global.port); ++ sin.sin6.sin6_port=htons(prt); + sin.sin6.sin6_flowinfo=IPV6_FLOWINFO; + SET_SOCKA_LEN6(sin.sin6); + sinl=sizeof(struct sockaddr_in6); diff --git a/package/tcsh/Makefile b/package/tcsh/Makefile index ac8424831..b0e85a79a 100644 --- a/package/tcsh/Makefile +++ b/package/tcsh/Makefile @@ -8,7 +8,7 @@ PKG_VERSION:= 6.17.00 PKG_RELEASE:= 1 PKG_MD5SUM:= c47de903e3d52f6824c8dd0c91eeb477 PKG_DESCR:= alternative csh -PKG_SECTION:= shell +PKG_SECTION:= shells PKG_DEPENDS:= libncurses PKG_BUILDDEP+= ncurses PKG_URL:= http://www.tcsh.org/Welcome |
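Review bot: The one-line description of patch-src_dns_query_c does not say what `prt` is or why binding to `global.port` was wrong, and since `prt` is declared outside the hunk a reader cannot tell from the patch that it is the per-attempt port. If, as the description implies, this restores a varying source port for IPv6 queries, say so explicitly, because a fixed query source port makes spoofed DNS answers easier to get accepted. A header such as `IPv6 branch of bind_socket() bound every query socket to global.port instead of the per-attempt port prt` would do. No pdnsd Makefile change is visible in this part of the diff, so check that PKG_RELEASE is bumped the way dropbear's is; otherwise installed systems will not pick up the fix. bind_socket's body continues outside the hunk.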