Skip to content

Commit

Permalink
update
Browse files Browse the repository at this point in the history
  • Loading branch information
kiddin9 committed Dec 24, 2024
1 parent cbc8a3b commit 169343f
Show file tree
Hide file tree
Showing 79 changed files with 8,476 additions and 850 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/Openwrt-AutoBuild.yml
Original file line number Diff line number Diff line change
Expand Up @@ -147,12 +147,13 @@ jobs:
- name: Clone source code
run: |
set -x
TAG_INFO="$(curl -gs -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${{ secrets.TOKEN_KIDDIN9 }}" \
-X POST -d '{ "query": "query {repository(owner: \"openwrt\", name: \"openwrt\") {refs(refPrefix: \"refs/tags/\", first: 4, orderBy: {field: TAG_COMMIT_DATE, direction: DESC}) {nodes {name target { ... on Tag {tagger {date}}}}}}}"}' https://api.github.com/graphql)"
TAG_DATE="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[] | select(.name | startswith("v23")) | .target.tagger.date' | head -n 1)"
TAG_DATE="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[] | select(.name | startswith("v24")) | .target.tagger.date' | head -n 1)"
if [[ $(( ($(date +%s) - $(date -d "$TAG_DATE" +%s)) / 86400 )) -lt 30 ]]; then
REPO_BRANCH="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[].name' | grep v23 | head -n 1)"
REPO_BRANCH="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[].name' | grep v24 | head -n 1)"
else
REPO_BRANCH="openwrt-24.10"
fi
Expand Down
14 changes: 7 additions & 7 deletions devices/amlogic_meson8b/patches/BRCMFMAC_SDIO.patch
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
--- a/package/kernel/mac80211/broadcom.mk
+++ b/package/kernel/mac80211/broadcom.mk
@@ -437,6 +437,7 @@ define KernelPackage/brcmfmac/config
default y if TARGET_starfive
default y if TARGET_rockchip
default y if TARGET_sunxi
@@ -432,6 +432,7 @@ define KernelPackage/brcmfmac/config

config BRCMFMAC_SDIO
bool "Enable SDIO bus interface support"
+ default y if TARGET_amlogic
default n
help
Enable support for cards attached to an SDIO bus.
default y if TARGET_bcm27xx
default y if TARGET_imx_cortexa7
default y if TARGET_starfive
6 changes: 6 additions & 0 deletions devices/common/.config
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,18 @@ CONFIG_LUCI_CSSTIDY=n
CONFIG_SIGNED_PACKAGES=n
CONFIG_SIGNATURE_CHECK=n

CONFIG_TARGET_MULTI_PROFILE=y
CONFIG_TARGET_ALL_PROFILES=y

# 设置固件大小:
CONFIG_TARGET_ROOTFS_PARTSIZE=1004

CONFIG_ALL_NONSHARED=y

CONFIG_USE_APK=n

CONFIG_BUILD_PATENTED=y

CONFIG_IB=y
CONFIG_IB_STANDALONE=y
CONFIG_JSON_OVERVIEW_IMAGE_INFO=y
Expand All @@ -33,6 +38,7 @@ CONFIG_IPV6=y

CONFIG_PACKAGE_luci-theme-bootstrap=y

CONFIG_PACKAGE_procd-seccomp=n

# 其他需要安装的软件包:

Expand Down
27 changes: 18 additions & 9 deletions devices/common/diy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -13,17 +13,29 @@ sed -i '/ refresh_config();/d' scripts/feeds
./scripts/feeds install -a -p kiddin9 -f
./scripts/feeds install -a

rm -rf package/base-files
mv -f feeds/kiddin9/base-files package/
sed -i "/DISTRIB_DESCRIPTION/c\DISTRIB_DESCRIPTION=\"%D %C by Kiddin'\"" package/base-files/files/etc/openwrt_release
sed -i -e '$a /etc/bench.log' \
-e '/\/etc\/profile/d' \
-e '/\/etc\/shinit/d' \
package/base-files/files/lib/upgrade/keep.d/base-files-essential
sed -i -e '/^\/etc\/profile/d' \
-e '/^\/etc\/shinit/d' \
package/base-files/Makefile
sed -i "s/192.168.1/10.0.0/" package/base-files/files/bin/config_generate

wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/network/utils/nftables/patches/002-nftables-add-fullcone-expression-support.patch -P package/network/utils/nftables/patches/
wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/network/utils/nftables/patches/001-drop-useless-file.patch -P package/network/utils/nftables/patches/
wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/system/fstools/patches/100-fstools-support-extroot-for-non-MTD-rootfs_data.patch -P package/system/fstools/patches/
wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/libs/libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch -P package/libs/libnftnl/patches/
wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/firmware/wireless-regdb/patches/600-custom-change-txpower-and-dfs.patch -P package/firmware/wireless-regdb/patches/

echo "$(date +"%s")" >version.date
sed -i '/$(curdir)\/compile:/c\$(curdir)/compile: package/opkg/host/compile' package/Makefile
sed -i "s/DEFAULT_PACKAGES:=/DEFAULT_PACKAGES:=luci-app-advancedplus luci-app-firewall luci-app-package-manager luci-app-upnp luci-app-syscontrol \
luci-app-wizard luci-base luci-compat luci-lib-ipkg luci-lib-fs \
coremark wget-ssl curl autocore htop nano zram-swap kmod-lib-zstd kmod-tcp-bbr bash openssh-sftp-server block-mount resolveip ds-lite swconfig luci-app-fan luci-app-fileassistant /" include/target.mk
coremark wget-ssl curl autocore htop nano zram-swap kmod-lib-zstd kmod-tcp-bbr bash openssh-sftp-server block-mount resolveip ds-lite swconfig luci-app-fan luci-app-filemanager /" include/target.mk

sed -i "s/procd-ujail//" include/target.mk
sed -i "s/procd-seccomp//" include/target.mk

sed -i "s/^.*vermagic$/\techo '1' > \$(LINUX_DIR)\/.vermagic/" include/kernel-defaults.mk

Expand All @@ -39,18 +51,15 @@ mv -f feeds/kiddin9/r81* tmp/

wget -N https://raw.githubusercontent.com/openwrt/packages/master/lang/golang/golang/Makefile -P feeds/packages/lang/golang/golang/

sed -i "s/192.168.1/10.0.0/" package/base-files/files/bin/config_generate

#sed -i "/call Build\/check-size,\$\$(KERNEL_SIZE)/d" include/image.mk

wget -N https://github.com/openwrt/openwrt/raw/refs/heads/main/package/kernel/linux/modules/video.mk -P package/kernel/linux/modules/

git_clone_path master https://github.com/coolsnowwolf/lede mv target/linux/generic/hack-6.6
rm -rf target/linux/generic/hack-6.6/929-Revert-genetlink*
wget -N https://raw.githubusercontent.com/coolsnowwolf/lede/master/target/linux/generic/pending-6.6/613-netfilter_optional_tcp_window_check.patch -P target/linux/generic/pending-6.6/

wget -N https://patch-diff.githubusercontent.com/raw/openwrt/openwrt/pull/16414.patch -P devices/common/patches/

sed -i "/mediaurlbase/d" package/feeds/*/luci-theme*/root/etc/uci-defaults/*
sed -i 's/=bbr/=cubic/' package/kernel/linux/files/sysctl-tcp-bbr.conf

# find target/linux/x86 -name "config*" -exec bash -c 'cat kernel.conf >> "{}"' \;
sed -i 's/max_requests 3/max_requests 20/g' package/network/services/uhttpd/files/uhttpd.config
Expand Down
6 changes: 6 additions & 0 deletions devices/common/diy/package/base-files/files/etc/banner
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@

|\__/,| (`\
_.|o o |_ ) )
-------------(((---(((-------------------
%D %C by Kiddin'
-----------------------------------------
Original file line number Diff line number Diff line change
@@ -0,0 +1,183 @@
#!/bin/sh

# UCI 配置操作函数
config_get() { uci -q get "$1"; }
config_set() { uci set "$1=$2"; }
config_add_list() { uci add_list "$1=$2"; }
config_delete() { uci -q delete "$1"; }
config_commit() { uci commit "$1"; }

# 检查列表是否包含元素
list_contains() {
local value="$1"; shift
echo "$@" | grep -q -w "$value"
}

# 从列表中移除元素
list_remove() {
local value="$1"
local list="$2"
echo "$list" | sed "s/\<$value\>//g" | xargs
}

# 更新 SSH 和 TTYD 配置
update_ssh_ttyd() {
if [ "$(config_get "firewall.@defaults[0].ex_ssh")" = "1" ]; then
if [ -n "$(config_get "dropbear.@dropbear[0].GatewayPorts")" ]; then
config_set "dropbear.@dropbear[0].GatewayPorts" "on"
config_commit "dropbear"
service dropbear reload &
fi
if command -v ttyd >/dev/null 2>&1; then
[ "$(config_get "ttyd.@ttyd[0].interface")" != "@lan" ] && config_set "ttyd.@ttyd[0].interface" "@lan"
if [ "$(config_get "firewall.@defaults[0].family")" = "ipv4" ]; then
config_set "ttyd.@ttyd[0].ipv6" "0"
else
config_set "ttyd.@ttyd[0].ipv6" "1"
fi
config_commit "ttyd"
service ttyd reload &
fi
fi
}

# 更新防火墙规则
update_firewall_rule() {
local port="$1"
local is_backend_port="$2"
local rule="firewall.ex_$port"
local family=$(config_get "firewall.@defaults[0].family")
local proto=$(config_get "firewall.@defaults[0].proto")

config_set "$rule" "rule"
config_set "$rule.name" "ex_$port"
config_set "$rule.src" "wan"
config_set "$rule.dest_port" "$port"
config_set "$rule.target" "ACCEPT"

[ "$family" = "ipv4" ] && config_set "$rule.family" "ipv4" || config_set "$rule.family" "ipv6"

if [ "$is_backend_port" = "1" ]; then
config_add_list "$rule.proto" "tcp"
else
case "$proto" in
udp) config_add_list "$rule.proto" "udp" ;;
tudp)
config_add_list "$rule.proto" "tcp"
config_add_list "$rule.proto" "udp"
;;
*) config_add_list "$rule.proto" "tcp" ;;
esac
fi
}

# 删除所有以前生成的 config rule
remove_all_ex_rules() {
local rules=$(uci show firewall | grep "\.name='ex_" | cut -d. -f2)
for rule in $rules; do
config_delete "firewall.$rule"
done
}

# 更新 export 配置
update_export() {
local export=$(config_get "firewall.@defaults[0].export")
local ex_ssh=$(config_get "firewall.@defaults[0].ex_ssh")
local sshport=$(config_get "dropbear.@dropbear[0].Port")

# 处理 SSH 端口
if [ "$ex_ssh" = "1" ]; then
if ! list_contains "$sshport" $export; then
export="$export $sshport"
fi
else
export=$(list_remove "$sshport" "$export")
fi

config_set "firewall.@defaults[0].export" "$export"

remove_all_ex_rules

# 添加新的规则
for port in $export; do
update_firewall_rule "$port" "0"
done
}

# 更新 uhttpd 配置
update_uhttpd() {
local backend_port="$1"
local old_backend_port="$2"
local use_https=$(config_get "uhttpd.main.redirect_https")

uci -q del_list uhttpd.main.listen_http="0.0.0.0:$old_backend_port"
uci -q del_list uhttpd.main.listen_http="[::]:$old_backend_port"
uci -q del_list uhttpd.main.listen_https="0.0.0.0:$old_backend_port"
uci -q del_list uhttpd.main.listen_https="[::]:$old_backend_port"

if [ -n "$backend_port" ]; then
if [ "$use_https" = "1" ]; then
config_add_list "uhttpd.main.listen_https" "0.0.0.0:$backend_port"
config_add_list "uhttpd.main.listen_https" "[::]:$backend_port"
else
config_add_list "uhttpd.main.listen_http" "0.0.0.0:$backend_port"
config_add_list "uhttpd.main.listen_http" "[::]:$backend_port"
fi
fi
config_commit "uhttpd"
}

# 更新 nginx 配置
update_nginx() {
local backend_port="$1"
local old_backend_port="$2"
local use_https=$(uci show nginx | grep -q "_redirect2ssl" && echo "1" || echo "0")

config_delete "nginx.ex_$old_backend_port"

if [ -n "$backend_port" ]; then
config_set "nginx.ex_$backend_port" "server"
config_set "nginx.ex_$backend_port.server_name" "ex_$backend_port"
config_add_list "nginx.ex_$backend_port.include" "conf.d/*.locations"
config_set "nginx.ex_$backend_port.access_log" "off"
if [ "$use_https" = "1" ]; then
config_add_list "nginx.ex_$backend_port.listen" "$backend_port ssl"
config_add_list "nginx.ex_$backend_port.listen" "[::]:$backend_port ssl"
if [ ! "$(config_get "nginx.ex_$backend_port.ssl_certificate")" ]; then
config_set "nginx.ex_$backend_port.ssl_certificate" "/etc/nginx/conf.d/_lan.crt"
config_set "nginx.ex_$backend_port.ssl_certificate_key" "/etc/nginx/conf.d/_lan.key"
fi
else
config_add_list "nginx.ex_$backend_port.listen" "$backend_port"
config_add_list "nginx.ex_$backend_port.listen" "[::]:$backend_port"
fi
fi

config_commit "nginx"
}

# 主逻辑
main() {
local backend_port=$(config_get "firewall.@defaults[0].backend_port")
local old_backend_port=$(config_get "firewall.@defaults[0].old_backend_port")

update_ssh_ttyd
update_export

if [ "$backend_port" != "$old_backend_port" ]; then
if pgrep nginx >/dev/null; then
update_nginx "$backend_port" "$old_backend_port"
/etc/init.d/nginx reload &
elif pgrep uhttpd >/dev/null; then
update_uhttpd "$backend_port" "$old_backend_port"
/etc/init.d/uhttpd reload &
fi
config_set "firewall.@defaults[0].old_backend_port" "$backend_port"
fi

[ -n "$backend_port" ] && update_firewall_rule "$backend_port" "1"

config_commit "firewall"
}

main
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
index 85a3750..9fac9b1 100644
--- a/defaults.c
+++ b/defaults.c
@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
FW3_OPT("synflood_protect", bool, defaults, syn_flood),
FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate),
FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
-
+
+ FW3_OPT("fullcone", bool, defaults, fullcone),
+
FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies),
FW3_OPT("tcp_ecn", int, defaults, tcp_ecn),
FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling),
diff --git a/options.h b/options.h
index 6edd174..c02eb97 100644
--- a/options.h
+++ b/options.h
@@ -267,6 +267,7 @@ struct fw3_defaults
bool drop_invalid;

bool syn_flood;
+ bool fullcone;
struct fw3_limit syn_flood_rate;

bool tcp_syncookies;
diff --git a/zones.c b/zones.c
index 2aa7473..57eead0 100644
--- a/zones.c
+++ b/zones.c
@@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h
struct fw3_address *msrc;
struct fw3_address *mdest;
struct fw3_ipt_rule *r;
+ struct fw3_defaults *defs = &state->defaults;

if (!fw3_is_family(zone, handle->family))
return;
@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h
{
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_src_dest(r, msrc, mdest);
- fw3_ipt_rule_target(r, "MASQUERADE");
- fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+ /*FIXME: Workaround for FULLCONE-NAT*/
+ if(defs->fullcone)
+ {
+ warn("%s will enable FULLCONE-NAT", zone->name);
+ fw3_ipt_rule_target(r, "FULLCONENAT");
+ fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_src_dest(r, msrc, mdest);
+ fw3_ipt_rule_target(r, "FULLCONENAT");
+ fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+ }
+ else
+ {
+ fw3_ipt_rule_target(r, "MASQUERADE");
+ fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+ }
}
}
}
Loading

0 comments on commit 169343f

Please sign in to comment.