update

kiddin9 · Dec 24, 2024 · bbfd72a · bbfd72a
1 parent cbc8a3b
commit bbfd72a
Show file tree

Hide file tree

Showing 79 changed files with 8,484 additions and 850 deletions.
diff --git a/.github/workflows/Openwrt-AutoBuild.yml b/.github/workflows/Openwrt-AutoBuild.yml
@@ -147,12 +147,13 @@ jobs:
 
     - name: Clone source code
       run: |
+        set -x
         TAG_INFO="$(curl -gs -H 'Content-Type: application/json' \
            -H "Authorization: Bearer ${{ secrets.TOKEN_KIDDIN9 }}" \
            -X POST -d '{ "query": "query {repository(owner: \"openwrt\", name: \"openwrt\") {refs(refPrefix: \"refs/tags/\", first: 4, orderBy: {field: TAG_COMMIT_DATE, direction: DESC}) {nodes {name target { ... on Tag {tagger {date}}}}}}}"}' https://api.github.com/graphql)"
-        TAG_DATE="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[] | select(.name | startswith("v23")) | .target.tagger.date' | head -n 1)"
+        TAG_DATE="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[] | select(.name | startswith("v24")) | .target.tagger.date' | head -n 1)"
         if [[ $(( ($(date +%s) - $(date -d "$TAG_DATE" +%s)) / 86400 )) -lt 30 ]]; then
-        REPO_BRANCH="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[].name' | grep v23 | head -n 1)"
+        REPO_BRANCH="$( echo ${TAG_INFO} | jq -r '.data.repository.refs.nodes[].name' | grep v24 | head -n 1)"
         else
         REPO_BRANCH="openwrt-24.10"
         fi

diff --git a/devices/amlogic_meson8b/patches/BRCMFMAC_SDIO.patch b/devices/amlogic_meson8b/patches/BRCMFMAC_SDIO.patch
@@ -1,10 +1,10 @@
 --- a/package/kernel/mac80211/broadcom.mk
 +++ b/package/kernel/mac80211/broadcom.mk
-@@ -437,6 +437,7 @@ define KernelPackage/brcmfmac/config
- 		default y if TARGET_starfive
- 		default y if TARGET_rockchip
- 		default y if TARGET_sunxi
+@@ -432,6 +432,7 @@ define KernelPackage/brcmfmac/config
+
+ 	config BRCMFMAC_SDIO
+ 		bool "Enable SDIO bus interface support"
 +		default y if TARGET_amlogic
- 		default n
- 		help
- 		  Enable support for cards attached to an SDIO bus.
+ 		default y if TARGET_bcm27xx
+ 		default y if TARGET_imx_cortexa7
+ 		default y if TARGET_starfive
diff --git a/devices/common/.config b/devices/common/.config
@@ -8,13 +8,18 @@ CONFIG_LUCI_CSSTIDY=n
 CONFIG_SIGNED_PACKAGES=n
 CONFIG_SIGNATURE_CHECK=n
 
+CONFIG_TARGET_MULTI_PROFILE=y
+CONFIG_TARGET_ALL_PROFILES=y
+
 # 设置固件大小:
 CONFIG_TARGET_ROOTFS_PARTSIZE=1004
 
 CONFIG_ALL_NONSHARED=y
 
 CONFIG_USE_APK=n
 
+CONFIG_BUILD_PATENTED=y
+
 CONFIG_IB=y
 CONFIG_IB_STANDALONE=y
 CONFIG_JSON_OVERVIEW_IMAGE_INFO=y
@@ -33,6 +38,7 @@ CONFIG_IPV6=y
 
 CONFIG_PACKAGE_luci-theme-bootstrap=y
 
+CONFIG_PACKAGE_procd-seccomp=n
 
 # 其他需要安装的软件包:
 

diff --git a/devices/common/diy.sh b/devices/common/diy.sh
@@ -13,17 +13,29 @@ sed -i '/	refresh_config();/d' scripts/feeds
 ./scripts/feeds install -a -p kiddin9 -f
 ./scripts/feeds install -a
 
-rm -rf package/base-files
-mv -f feeds/kiddin9/base-files package/
+sed -i "/DISTRIB_DESCRIPTION/c\DISTRIB_DESCRIPTION=\"%D %C by Kiddin'\"" package/base-files/files/etc/openwrt_release
+sed -i -e '$a /etc/bench.log' \
+        -e '/\/etc\/profile/d' \
+        -e '/\/etc\/shinit/d' \
+        package/base-files/files/lib/upgrade/keep.d/base-files-essential
+sed -i -e '/^\/etc\/profile/d' \
+        -e '/^\/etc\/shinit/d' \
+        package/base-files/Makefile
+sed -i "s/192.168.1/10.0.0/" package/base-files/files/bin/config_generate
+
+wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/network/utils/nftables/patches/002-nftables-add-fullcone-expression-support.patch -P package/network/utils/nftables/patches/
+wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/network/utils/nftables/patches/001-drop-useless-file.patch -P package/network/utils/nftables/patches/
+wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/system/fstools/patches/100-fstools-support-extroot-for-non-MTD-rootfs_data.patch -P package/system/fstools/patches/
+wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/libs/libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch -P package/libs/libnftnl/patches/
+wget -N https://github.com/immortalwrt/immortalwrt/raw/refs/heads/openwrt-24.10/package/firmware/wireless-regdb/patches/600-custom-change-txpower-and-dfs.patch -P package/firmware/wireless-regdb/patches/
 
 echo "$(date +"%s")" >version.date
 sed -i '/$(curdir)\/compile:/c\$(curdir)/compile: package/opkg/host/compile' package/Makefile
 sed -i "s/DEFAULT_PACKAGES:=/DEFAULT_PACKAGES:=luci-app-advancedplus luci-app-firewall luci-app-package-manager luci-app-upnp luci-app-syscontrol \
 luci-app-wizard luci-base luci-compat luci-lib-ipkg luci-lib-fs \
-coremark wget-ssl curl autocore htop nano zram-swap kmod-lib-zstd kmod-tcp-bbr bash openssh-sftp-server block-mount resolveip ds-lite swconfig luci-app-fan luci-app-fileassistant /" include/target.mk
+coremark wget-ssl curl autocore htop nano zram-swap kmod-lib-zstd kmod-tcp-bbr bash openssh-sftp-server block-mount resolveip ds-lite swconfig luci-app-fan luci-app-filemanager /" include/target.mk
 
 sed -i "s/procd-ujail//" include/target.mk
-sed -i "s/procd-seccomp//" include/target.mk
 
 sed -i "s/^.*vermagic$/\techo '1' > \$(LINUX_DIR)\/.vermagic/" include/kernel-defaults.mk
 
@@ -39,18 +51,15 @@ mv -f feeds/kiddin9/r81* tmp/
 
 wget -N https://raw.githubusercontent.com/openwrt/packages/master/lang/golang/golang/Makefile -P feeds/packages/lang/golang/golang/
 
-sed -i "s/192.168.1/10.0.0/" package/base-files/files/bin/config_generate
-
 #sed -i "/call Build\/check-size,\$\$(KERNEL_SIZE)/d" include/image.mk
 
-wget -N https://github.com/openwrt/openwrt/raw/refs/heads/main/package/kernel/linux/modules/video.mk -P package/kernel/linux/modules/
-
 git_clone_path master https://github.com/coolsnowwolf/lede mv target/linux/generic/hack-6.6
 rm -rf target/linux/generic/hack-6.6/929-Revert-genetlink*
 wget -N https://raw.githubusercontent.com/coolsnowwolf/lede/master/target/linux/generic/pending-6.6/613-netfilter_optional_tcp_window_check.patch -P target/linux/generic/pending-6.6/
 
+wget -N https://patch-diff.githubusercontent.com/raw/openwrt/openwrt/pull/16414.patch -P devices/common/patches/
+
 sed -i "/mediaurlbase/d" package/feeds/*/luci-theme*/root/etc/uci-defaults/*
-sed -i 's/=bbr/=cubic/' package/kernel/linux/files/sysctl-tcp-bbr.conf
 
 # find target/linux/x86 -name "config*" -exec bash -c 'cat kernel.conf >> "{}"' \;
 sed -i 's/max_requests 3/max_requests 20/g' package/network/services/uhttpd/files/uhttpd.config

diff --git a/devices/common/diy/package/base-files/files/etc/banner b/devices/common/diy/package/base-files/files/etc/banner
@@ -0,0 +1,6 @@
+
+                       |\__/,|   (`\
+                     _.|o o  |_   ) )
+       -------------(((---(((-------------------
+              %D %C by Kiddin'
+       -----------------------------------------
diff --git a/devices/common/diy/package/network/config/firewall/files/firewall.exwan b/devices/common/diy/package/network/config/firewall/files/firewall.exwan
@@ -0,0 +1,183 @@
+#!/bin/sh
+
+# UCI 配置操作函数
+config_get() { uci -q get "$1"; }
+config_set() { uci set "$1=$2"; }
+config_add_list() { uci add_list "$1=$2"; }
+config_delete() { uci -q delete "$1"; }
+config_commit() { uci commit "$1"; }
+
+# 检查列表是否包含元素
+list_contains() {
+    local value="$1"; shift
+    echo "$@" | grep -q -w "$value"
+}
+
+# 从列表中移除元素
+list_remove() {
+    local value="$1"
+    local list="$2"
+    echo "$list" | sed "s/\<$value\>//g" | xargs
+}
+
+# 更新 SSH 和 TTYD 配置
+update_ssh_ttyd() {
+    if [ "$(config_get "firewall.@defaults[0].ex_ssh")" = "1" ]; then
+        if [ -n "$(config_get "dropbear.@dropbear[0].GatewayPorts")" ]; then
+            config_set "dropbear.@dropbear[0].GatewayPorts" "on"
+            config_commit "dropbear"
+            service dropbear reload &
+        fi
+        if command -v ttyd >/dev/null 2>&1; then
+            [ "$(config_get "ttyd.@ttyd[0].interface")" != "@lan" ] && config_set "ttyd.@ttyd[0].interface" "@lan"
+            if [ "$(config_get "firewall.@defaults[0].family")" = "ipv4" ]; then
+                config_set "ttyd.@ttyd[0].ipv6" "0"
+            else
+                config_set "ttyd.@ttyd[0].ipv6" "1"
+            fi
+            config_commit "ttyd"
+            service ttyd reload &
+        fi
+    fi
+}
+
+# 更新防火墙规则
+update_firewall_rule() {
+    local port="$1"
+    local is_backend_port="$2"
+    local rule="firewall.ex_$port"
+    local family=$(config_get "firewall.@defaults[0].family")
+    local proto=$(config_get "firewall.@defaults[0].proto")
+
+    config_set "$rule" "rule"
+    config_set "$rule.name" "ex_$port"
+    config_set "$rule.src" "wan"
+    config_set "$rule.dest_port" "$port"
+    config_set "$rule.target" "ACCEPT"
+
+    [ "$family" = "ipv4" ] && config_set "$rule.family" "ipv4" || config_set "$rule.family" "ipv6"
+
+    if [ "$is_backend_port" = "1" ]; then
+        config_add_list "$rule.proto" "tcp"
+    else
+        case "$proto" in
+            udp) config_add_list "$rule.proto" "udp" ;;
+            tudp)
+                config_add_list "$rule.proto" "tcp"
+                config_add_list "$rule.proto" "udp"
+                ;;
+            *)  config_add_list "$rule.proto" "tcp" ;;
+        esac
+    fi
+}
+
+# 删除所有以前生成的 config rule
+remove_all_ex_rules() {
+    local rules=$(uci show firewall | grep "\.name='ex_" | cut -d. -f2)
+    for rule in $rules; do
+        config_delete "firewall.$rule"
+    done
+}
+
+# 更新 export 配置
+update_export() {
+    local export=$(config_get "firewall.@defaults[0].export")
+    local ex_ssh=$(config_get "firewall.@defaults[0].ex_ssh")
+    local sshport=$(config_get "dropbear.@dropbear[0].Port")
+
+    # 处理 SSH 端口
+    if [ "$ex_ssh" = "1" ]; then
+        if ! list_contains "$sshport" $export; then
+            export="$export $sshport"
+        fi
+    else
+        export=$(list_remove "$sshport" "$export")
+    fi
+
+    config_set "firewall.@defaults[0].export" "$export"
+
+    remove_all_ex_rules
+
+    # 添加新的规则
+    for port in $export; do
+        update_firewall_rule "$port" "0"
+    done
+}
+
+# 更新 uhttpd 配置
+update_uhttpd() {
+    local backend_port="$1"
+    local old_backend_port="$2"
+    local use_https=$(config_get "uhttpd.main.redirect_https")
+
+    uci -q del_list uhttpd.main.listen_http="0.0.0.0:$old_backend_port"
+    uci -q del_list uhttpd.main.listen_http="[::]:$old_backend_port"
+    uci -q del_list uhttpd.main.listen_https="0.0.0.0:$old_backend_port"
+    uci -q del_list uhttpd.main.listen_https="[::]:$old_backend_port"
+
+    if [ -n "$backend_port" ]; then
+        if [ "$use_https" = "1" ]; then
+            config_add_list "uhttpd.main.listen_https" "0.0.0.0:$backend_port"
+            config_add_list "uhttpd.main.listen_https" "[::]:$backend_port"
+        else
+            config_add_list "uhttpd.main.listen_http" "0.0.0.0:$backend_port"
+            config_add_list "uhttpd.main.listen_http" "[::]:$backend_port"
+        fi
+    fi
+    config_commit "uhttpd"
+}
+
+# 更新 nginx 配置
+update_nginx() {
+    local backend_port="$1"
+    local old_backend_port="$2"
+    local use_https=$(uci show nginx | grep -q "_redirect2ssl" && echo "1" || echo "0")
+
+    config_delete "nginx.ex_$old_backend_port"
+
+    if [ -n "$backend_port" ]; then
+        config_set "nginx.ex_$backend_port" "server"
+        config_set "nginx.ex_$backend_port.server_name" "ex_$backend_port"
+        config_add_list "nginx.ex_$backend_port.include" "conf.d/*.locations"
+        config_set "nginx.ex_$backend_port.access_log" "off"
+        if [ "$use_https" = "1" ]; then
+            config_add_list "nginx.ex_$backend_port.listen" "$backend_port ssl"
+            config_add_list "nginx.ex_$backend_port.listen" "[::]:$backend_port ssl"
+            if [ ! "$(config_get "nginx.ex_$backend_port.ssl_certificate")" ]; then
+                config_set "nginx.ex_$backend_port.ssl_certificate" "/etc/nginx/conf.d/_lan.crt"
+                config_set "nginx.ex_$backend_port.ssl_certificate_key" "/etc/nginx/conf.d/_lan.key"
+            fi
+        else
+            config_add_list "nginx.ex_$backend_port.listen" "$backend_port"
+            config_add_list "nginx.ex_$backend_port.listen" "[::]:$backend_port"
+        fi
+    fi
+
+    config_commit "nginx"
+}
+
+# 主逻辑
+main() {
+    local backend_port=$(config_get "firewall.@defaults[0].backend_port")
+    local old_backend_port=$(config_get "firewall.@defaults[0].old_backend_port")
+
+    update_ssh_ttyd
+    update_export
+
+    if [ "$backend_port" != "$old_backend_port" ]; then
+        if pgrep nginx >/dev/null; then
+            update_nginx "$backend_port" "$old_backend_port"
+            /etc/init.d/nginx reload &
+        elif pgrep uhttpd >/dev/null; then
+            update_uhttpd "$backend_port" "$old_backend_port"
+            /etc/init.d/uhttpd reload &
+        fi
+        config_set "firewall.@defaults[0].old_backend_port" "$backend_port"
+    fi
+
+    [ -n "$backend_port" ] && update_firewall_rule "$backend_port" "1"
+
+    config_commit "firewall"
+}
+
+main
diff --git a/devices/common/diy/package/network/config/firewall/patches/fullconenat.patch b/devices/common/diy/package/network/config/firewall/patches/fullconenat.patch
@@ -0,0 +1,63 @@
+index 85a3750..9fac9b1 100644
+--- a/defaults.c
++++ b/defaults.c
+@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
+ 	FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
+ 	FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
+ 	FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
+-
++	
++	FW3_OPT("fullcone",           bool,     defaults, fullcone),
++	
+ 	FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
+ 	FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
+ 	FW3_OPT("tcp_window_scaling",  bool,     defaults, tcp_window_scaling),
+diff --git a/options.h b/options.h
+index 6edd174..c02eb97 100644
+--- a/options.h
++++ b/options.h
+@@ -267,6 +267,7 @@ struct fw3_defaults
+ 	bool drop_invalid;
+
+ 	bool syn_flood;
++	bool fullcone;
+ 	struct fw3_limit syn_flood_rate;
+
+ 	bool tcp_syncookies;
+diff --git a/zones.c b/zones.c
+index 2aa7473..57eead0 100644
+--- a/zones.c
++++ b/zones.c
+@@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 	struct fw3_address *msrc;
+ 	struct fw3_address *mdest;
+ 	struct fw3_ipt_rule *r;
++	struct fw3_defaults *defs = &state->defaults;
+
+ 	if (!fw3_is_family(zone, handle->family))
+ 		return;
+@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 				{
+ 					r = fw3_ipt_rule_new(handle);
+ 					fw3_ipt_rule_src_dest(r, msrc, mdest);
+-					fw3_ipt_rule_target(r, "MASQUERADE");
+-					fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++					/*FIXME: Workaround for FULLCONE-NAT*/
++					if(defs->fullcone)
++					{
++						warn("%s will enable FULLCONE-NAT", zone->name);
++						fw3_ipt_rule_target(r, "FULLCONENAT");
++						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++						r = fw3_ipt_rule_new(handle);
++						fw3_ipt_rule_src_dest(r, msrc, mdest);
++						fw3_ipt_rule_target(r, "FULLCONENAT");
++						fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
++					}
++					else
++					{
++						fw3_ipt_rule_target(r, "MASQUERADE");
++						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++					}
+ 				}
+ 			}
+ 		}