From c804cd3b8f021ece14e010380fb03c997204bf1e Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Thu, 24 Jun 2021 17:10:35 +0200
Subject: [PATCH 1/4] Update https-dns-proxy
---
 https-dns-proxy/Makefile | 10 +--
 https-dns-proxy/files/README.md | 96 +---------------------
 https-dns-proxy/files/https-dns-proxy.init | 51 ++++++++----
 https-dns-proxy/test.sh | 3 +
 4 files changed, 44 insertions(+), 116 deletions(-)
 create mode 100644 https-dns-proxy/test.sh
diff --git a/https-dns-proxy/Makefile b/https-dns-proxy/Makefile
index 331318402..73d0a07cf 100644
--- a/https-dns-proxy/Makefile
+++ b/https-dns-proxy/Makefile
@@ -1,14 +1,14 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=https-dns-proxy
-PKG_VERSION:=2021-01-17
-PKG_RELEASE=2
+PKG_VERSION:=2021-06-03
+PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy
-PKG_SOURCE_DATE:=2021-01-17
-PKG_SOURCE_VERSION:=37511cc08712d7548978a4f6f1cc457b7594fb96
-PKG_MIRROR_HASH:=4e6a7dcb69e350d1df9f17570439b589e031e249da7f91f2ec7600a955e0aaa3
+PKG_SOURCE_DATE:=2021-06-03
+PKG_SOURCE_VERSION:=5651b984f770a8bcecb14aeffc224703f8f82586
+PKG_MIRROR_HASH:=b65161936269aa3117debad0fcfce157024726b78d7e7da77c226f7aa8da5b4d
 PKG_MAINTAINER:=Stan Grishin
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
diff --git a/https-dns-proxy/files/README.md b/https-dns-proxy/files/README.md
index 87e548462..7ebf479e6 100644
--- a/https-dns-proxy/files/README.md
+++ b/https-dns-proxy/files/README.md
@@ -1,95 +1,3 @@ -# DNS Over HTTPS Proxy (https-dns-proxy) +# README -A lean RFC8484-compatible (no JSON API support) DNS-over-HTTPS (DoH) proxy service which supports DoH servers ran by AdGuard, CleanBrowsing, Cloudflare, Google, ODVR (nic.cz) and Quad9. Please see the [README](https://github.com/stangri/openwrt_packages/blob/master/https-dns-proxy/files/README.md) for further information. Based on [@aarond10](https://github.com/aarond10)'s [https-dns-proxy](https://github.com/aarond10/https_dns_proxy). - -## Features - -- [RFC8484](https://tools.ietf.org/html/rfc8484)-compatible DoH Proxy. -- Compact size. -- Web UI (```luci-app-https-dns-proxy```) available. -- (By default) automatically updates DNSMASQ settings to use DoH proxy when it's started and reverts to old DNSMASQ resolvers when DoH proxy is stopped. - -## Screenshots (luci-app-https-dns-proxy) - -![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/https-dns-proxy/screenshot01.png "https-dns-proxy screenshot") - -## Requirements - -This proxy requires the following packages to be installed on your router: ```libc```, ```libcares```, ```libcurl```, ```libev```, ```ca-bundle```. They will be automatically installed when you're installing ```https-dns-proxy```. - -## Unmet Dependencies - -If you are running a development (trunk/snapshot) build of OpenWrt/LEDE Project on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the [requirements](#requirements) you get errors), please flash either current LEDE release image or current development/snapshot image. 
- -## How To Install - -Install ```https-dns-proxy``` and ```luci-app-https-dns-proxy``` packages from Web UI or run the following in the command line: - -```sh -opkg update; opkg install https-dns-proxy luci-app-https-dns-proxy; -``` - -## Default Settings - -Default configuration has service enabled and starts the service with Google and Cloudflare DoH servers. In most configurations, you will keep the default ```DNSMASQ``` service installed to handle requests from devices in your local network and point ```DNSMASQ``` to use ```https-dns-proxy``` for name resolution. - -By default, the service will intelligently override existing ```DNSMASQ``` servers settings on start to use the DoH servers and restores original ```DNSMASQ``` servers on stop. See the [Configuration Settings](#configuration-settings) section below for more information and how to disable this behavior. - -## Configuration Settings - -Configuration contains the (named) "main" config section where you can configure which ```DNSMASQ``` settings the service will automatically affect and the typed (unnamed) https-dns-proxy instance settings. 
The original config file is included below: - -```text -config main 'config' - option update_dnsmasq_config '*' - -config https-dns-proxy - option bootstrap_dns '8.8.8.8,8.8.4.4' - option resolver_url 'https://dns.google/dns-query' - option listen_addr '127.0.0.1' - option listen_port '5053' - option user 'nobody' - option group 'nogroup' - -config https-dns-proxy - option bootstrap_dns '1.1.1.1,1.0.0.1' - option resolver_url 'https://cloudflare-dns.com/dns-query' - option listen_addr '127.0.0.1' - option listen_port '5054' - option user 'nobody' - option group 'nogroup' -``` - -The ```update_dnsmasq_config``` option can be set to dash (set to ```'-'``` to not change ```DNSMASQ``` server settings on start/stop), can be set to ```'*'``` to affect all ```DNSMASQ``` instance server settings or have a space-separated list of ```DNSMASQ``` instances to affect (like ```'0 4 5'```). If this option is omitted, the default setting is ```'*'```. - -Starting with ```https-dns-proxy``` version ```2019-12-03-3``` and higher, when the service is set to update the DNSMASQ servers setting on start/stop, it does not override entries which contain either ```#``` or ```/```, so the entries like listed below will be kept in use: - -```test - list server '/onion/127.0.0.1#65453' - list server '/openwrt.org/8.8.8.8' - list server '/pool.ntp.org/8.8.8.8' - list server '127.0.0.1#15353' - list server '127.0.0.1#55353' - list server '127.0.0.1#65353' -``` - -The https-dns-proxy instance settings are: - -|Parameter|Type|Default|Description| -| --- | --- | --- | --- | -|bootstrap_dns|IP Address||The non-encrypted DNS servers to be used to resolve the DoH server name on start.| -|edns_subnet|Subnet||EDNS Subnet address can be supplied to supported DoH servers to provide local resolution results.| -|listen_addr|IP Address|127.0.0.1|The local IP address to listen to requests.| -|listen_port|port|5053 and up|If this setting is omitted, the service will start the first https-dns-proxy instance on 
port 5053, second on 5054 and so on.|
-|logfile|Full filepath||Full filepath to the file to log the instance events to.|
-|resolver_url|URL||The https URL to the RFC8484-compatible resolver.|
-|proxy_server|URL||Local proxy server to use when accessing resolvers.|
-|user|String|nobody|Local user to run instance under.|
-|group|String|nogroup|Local group to run instance under.|
-|use_http1|Boolean|0|If set to 1, use HTTP/1 on installations with broken/outdated ```curl``` package. Included for posterity reasons, you will most likely not ever need it on OpenWrt.|
-|verbosity|Integer|0|logging verbosity level. fatal = 0, error = 1, warning = 2, info = 3, debug = 4|
-|use_ipv6_resolvers_only|Boolean|0|If set to 1, Forces IPv6 DNS resolvers instead of IPv4|
-
-## Thanks
-
-This OpenWrt package wouldn't have been possible without [@aarond10](https://github.com/aarond10)'s [https-dns-proxy](https://github.com/aarond10/https_dns_proxy) and his active participation in the OpenWrt package itself. Special thanks to [@jow-](https://github.com/jow-) for general package/luci guidance.
+README has been moved to [https://docs.openwrt.melmac.net/https-dns-proxy/](https://docs.openwrt.melmac.net/https-dns-proxy/).
diff --git a/https-dns-proxy/files/https-dns-proxy.init b/https-dns-proxy/files/https-dns-proxy.init
index 64bf7eccf..8b8680763 100755
--- a/https-dns-proxy/files/https-dns-proxy.init
+++ b/https-dns-proxy/files/https-dns-proxy.init
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 # Copyright 2019-2020 Stan Grishin (stangri@melmac.net)
-# shellcheck disable=SC2039
+# shellcheck disable=SC2039,SC3043,SC3060
 PKG_VERSION='dev-test'
 # shellcheck disable=SC2034
@@ -16,8 +16,7 @@ else
 fi
 readonly PROG=/usr/sbin/https-dns-proxy
-dnsmasqConfig=''
-forceDNS='1'
+dnsmasqConfig=''; forceDNS=''; forceDNSPorts='';
 version() { echo "$PKG_VERSION"; }
@@ -95,10 +94,11 @@ start_instance() {
 is_force_dns_active() { iptables-save | grep -q -w -- '--dport 53'; }
 start_service() {
- local p=5053
+ local p=5053 c
 config_load 'https-dns-proxy'
 config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*'
 config_get_bool forceDNS 'config' 'force_dns' '1'
+ config_get forceDNSPorts 'config' 'force_dns_port' '53 853'
 dhcp_backup 'create'
 config_load 'https-dns-proxy'
 config_foreach start_instance 'https-dns-proxy'
@@ -109,16 +109,28 @@ start_service() {
 procd_set_param stderr 1
 procd_open_data
 json_add_array firewall
- json_add_object ''
- json_add_string type redirect
- json_add_string name https_dns_proxy_dns_redirect
- json_add_string target DNAT
- json_add_string src lan
- json_add_string proto tcpudp
- json_add_string src_dport 53
- json_add_string dest_port 53
- json_add_string reflection 0
- json_close_object
+ for c in $forceDNSPorts; do
+ if netstat -tuln | grep 'LISTEN' | grep ":${c}" >/dev/null 2>&1 || [ "$c" = "53" ]; then
+ json_add_object ""
+ json_add_string type redirect
+ json_add_string target DNAT
+ json_add_string src lan
+ json_add_string proto "tcp udp"
+ json_add_string src_dport "$c"
+ json_add_string dest_port "$c"
+ json_add_boolean reflection 0
+ json_close_object
+ else
+ json_add_object ""
+ json_add_string type rule
+ json_add_string src lan
+ json_add_string dest "*"
+ json_add_string proto "tcp udp"
+ json_add_string dest_port "$c"
+ json_add_string target REJECT
+ json_close_object
+ fi
+ done
 json_close_array
 procd_close_data
 procd_close_instance
@@ -159,7 +171,7 @@ dnsmasq_add_doh_server() {
 dnsmasq_create_server_backup() {
 local cfg="$1"
 local i
- uci -q get "dhcp.${cfg}" >/dev/null || return 0
+ uci -q get "dhcp.${cfg}" >/dev/null || return 1
 if ! uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
 if [ -z "$(uci -q get "dhcp.${cfg}.noresolv")" ]; then
 uci -q set "dhcp.${cfg}.noresolv=1"
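Review bot: The listener probe in the added `for c in $forceDNSPorts` loop of start_service cannot see UDP sockets and matches ports by substring. `netstat -tuln` prints no state for UDP rows, so `grep 'LISTEN'` keeps only TCP, and `grep ":${c}"` for 853 also matches a listener on 8530, so the DNAT branch can be picked for a port that nothing on the router serves. Anchoring the match at the end of the local-address field is enough, e.g. `netstat -tuln | grep -q ":${c}[[:space:]]"`. The words read from `force_dns_port` also reach the grep pattern and the firewall rule unchecked; `case "$c" in ''|*[!0-9]*) continue;; esac` at the top of the loop would keep non-numeric entries out. start_service continues outside the hunk.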
@@ -170,13 +182,17 @@ dnsmasq_create_server_backup() {
 fi
 fi
 if ! uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
+ if [ -z "$(uci -q get "dhcp.${cfg}.server")" ]; then
+ uci -q add_list "dhcp.${cfg}.doh_backup_server="
+ fi
 for i in $(uci -q get "dhcp.${cfg}.server"); do
 uci -q add_list "dhcp.${cfg}.doh_backup_server=$i"
- if [ "$i" = "${i//127.0.0.1}" ] && [ "$i" = "$(echo "$i" | tr -d /)" ]; then
+ if [ "$i" = "$(echo "$i" | tr -d /\#)" ]; then
 uci -q del_list "dhcp.${cfg}.server=$i"
 fi
 done
 fi
+ return 0
 }
 dnsmasq_restore_server_backup() {
@@ -209,7 +225,8 @@ dhcp_backup() {
 config_foreach dnsmasq_create_server_backup 'dnsmasq'
 elif [ -n "$dnsmasqConfig" ]; then
 for i in $dnsmasqConfig; do
- dnsmasq_create_server_backup "@dnsmasq[${i}]"
+ dnsmasq_create_server_backup "@dnsmasq[${i}]" || \
+ dnsmasq_create_server_backup "$i"
 done
 fi
 ;;
diff --git a/https-dns-proxy/test.sh b/https-dns-proxy/test.sh
new file mode 100644
index 000000000..45469ed96
--- /dev/null
+++ b/https-dns-proxy/test.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/etc/init.d/"$1" version 2>&1 | grep "$2"
From 1afd6496522f517c4fa8f636d85f270f5cc05749 Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Thu, 24 Jun 2021 17:11:08 +0200
Subject: [PATCH 2/4] Add parameter to help with cache
---
 .../root/www/luci-static/resources/sysupgrade.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/luci-app-sysupgrade/root/www/luci-static/resources/sysupgrade.js b/luci-app-sysupgrade/root/www/luci-static/resources/sysupgrade.js
index 8cbbced97..5750ad0b5 100644
--- a/luci-app-sysupgrade/root/www/luci-static/resources/sysupgrade.js
+++ b/luci-app-sysupgrade/root/www/luci-static/resources/sysupgrade.js
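Review bot: When both lookups in the 'create' branch of dhcp_backup fail, the loop moves on without a trace, so an instance listed in `update_dnsmasq_config` that does not exist is silently left on its original upstream resolvers. A third alternative that reports it, e.g. `|| logger -t https-dns-proxy "dnsmasq instance '$i' not found"`, makes the misconfiguration visible. The matching restore path is not touched by this commit; if it still addresses instances only as `@dnsmasq[${i}]`, a named instance backed up through the new fallback would not be restored on stop, which is worth confirming. dhcp_backup starts and ends outside the hunk.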
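Review bot: `grep "$2"` in the new test.sh treats the expected version as a regular expression and as an option if it begins with a dash, so the check can pass on a version string that only resembles the expected one. `grep -F -- "$2"` compares it literally. A one-line comment stating the two arguments (init script name, expected version) would also help, since the script has no usage text.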
@@ -164,7 +164,7 @@ function upgrade_check() {
 hide("#status_box");
 hide("#server_div");
 set_status("info", _("Searching for upgrades"), true);
- fetch(data.url + "/api/versions")
+ fetch(data.url + "/api/versions?v=" + Date.now())
 .then(response => response.json())
 .then(response => {
 var branches = response["branches"]
@@ -348,7 +348,7 @@ function download_image() {
 }
 function server_request() {
- fetch(data.url + "/api/build", {
+ fetch(data.url + "/api/build?v=" + Date.now(), {
 method: 'POST',
 headers: {
 'Content-Type': 'application/json'
From 78334e33855f673b6f29173361065694862f4291 Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Thu, 24 Jun 2021 17:11:41 +0200
Subject: [PATCH 3/4] Fix shadowsocks dependencie
---
 shadowsocks-libev/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile
index 4f09cf2ba..00c12c7f5 100644
--- a/shadowsocks-libev/Makefile
+++ b/shadowsocks-libev/Makefile
@@ -57,7 +57,7 @@ define Package/shadowsocks-libev/Default
 SUBMENU:=Web Servers/Proxies
 TITLE:=shadowsocks-libev $(1)
 URL:=https://github.com/shadowsocks/shadowsocks-libev
- DEPENDS:=+libcares +libev +libmbedtls +libpcre +libpthread +libsodium +shadowsocks-libev-config +zlib +libpcap +libcap +libstdcpp +libelf1
+ DEPENDS:=+libcares +libev +libmbedtls +libpcre +libpthread +libsodium +shadowsocks-libev-config +zlib +libpcap +libcap +libstdcpp +libelf
 endef
 define Package/shadowsocks-libev-$(1)/install
From dd16ae03f596269851652a24ccc3a58545af6b39 Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Thu, 24 Jun 2021 17:12:12 +0200
Subject: [PATCH 4/4] Add iperf3 with patch to fix compilation issue
---
 iperf3/Makefile | 83 +++++++++++++++++++
 iperf3/patches/remove-in6_flowlabel_req.patch | 24 ++++++
 2 files changed, 107 insertions(+)
 create mode 100644 iperf3/Makefile
 create mode 100644 iperf3/patches/remove-in6_flowlabel_req.patch
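Review bot: The `"?v=" + Date.now()` suffix added to the fetch in upgrade_check, and again in server_request in the next hunk, defeats caching by changing the URL instead of saying so, and nothing in the code records why the parameter is there. The fetch option states the intent directly: `fetch(data.url + "/api/versions", { cache: "no-store" })`, and for server_request a `cache: 'no-store',` entry next to `method: 'POST',`. If the suffix is kept because an intermediate proxy ignores request cache directives, a comment such as `// unique query string: upstream proxy caches /api responses` would document that. Both functions continue outside their hunks.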
diff --git a/iperf3/Makefile b/iperf3/Makefile
new file mode 100644
index 000000000..1d0d891ef
--- /dev/null
+++ b/iperf3/Makefile
@@ -0,0 +1,83 @@
+#
+# Copyright (C) 2007-2010 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=iperf
+PKG_VERSION:=3.10.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://downloads.es.net/pub/iperf
+PKG_HASH:=03bc9760cc54a245191d46bfc8edaf8a4750f0e87abca6764486972044d6715a
+
+PKG_MAINTAINER:=Felix Fietkau
+PKG_LICENSE:=BSD-3-Clause
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+DISABLE_NLS:=
+
+define Package/iperf3/default
+ SECTION:=net
+ CATEGORY:=Network
+ TITLE:=Internet Protocol bandwidth measuring tool
+ URL:=https://github.com/esnet/iperf
+endef
+
+define Package/iperf3
+$(call Package/iperf3/default)
+ VARIANT:=nossl
+endef
+
+define Package/iperf3-ssl
+$(call Package/iperf3/default)
+ TITLE+= with iperf_auth support
+ VARIANT:=ssl
+ DEPENDS:= +libopenssl
+endef
+
+TARGET_CFLAGS += -D_GNU_SOURCE
+CONFIGURE_ARGS += --disable-shared
+
+ifeq ($(BUILD_VARIANT),ssl)
+ CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr"
+else
+ CONFIGURE_ARGS += --without-openssl
+endif
+
+MAKE_FLAGS += noinst_PROGRAMS=
+
+define Package/iperf3/description
+ Iperf is a modern alternative for measuring TCP and UDP bandwidth
+ performance, allowing the tuning of various parameters and
+ characteristics.
+endef
+
+# autoreconf fails if the README file isn't present
+define Build/Prepare
+ $(call Build/Prepare/Default)
+ touch $(PKG_BUILD_DIR)/README
+endef
+
+define Package/iperf3/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/
+endef
+
+define Package/iperf3-ssl/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/
+endef
+
+$(eval $(call BuildPackage,iperf3))
+$(eval $(call BuildPackage,iperf3-ssl))
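Review bot: `Package/iperf3/install` and `Package/iperf3-ssl/install` are identical and both place the binary at `$(1)/usr/bin/iperf3`, yet nothing in the file states that the two variants exclude each other. Aliasing the second recipe with `Package/iperf3-ssl/install = $(Package/iperf3/install)` removes the duplicate, and a `CONFLICTS:=iperf3` line in `Package/iperf3-ssl` would make the file clash explicit to the package manager. `DISABLE_NLS:=` is emptied without a comment; one line saying why would help the next maintainer.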
diff --git a/iperf3/patches/remove-in6_flowlabel_req.patch b/iperf3/patches/remove-in6_flowlabel_req.patch
new file mode 100644
index 000000000..3d2be694f
--- /dev/null
+++ b/iperf3/patches/remove-in6_flowlabel_req.patch
@@ -0,0 +1,24 @@
+--- a/src/flowlabel.h 2021-06-24 13:26:33.142463630 +0200
++++ b/src/flowlabel.h 2021-06-24 13:27:45.669235179 +0200
+@@ -37,21 +37,6 @@
+ conflicts with "netinet/in.h" .
+ */
+
+-#ifndef __ANDROID__
+-struct in6_flowlabel_req
+-{
+- struct in6_addr flr_dst;
+- __u32 flr_label;
+- __u8 flr_action;
+- __u8 flr_share;
+- __u16 flr_flags;
+- __u16 flr_expires;
+- __u16 flr_linger;
+- __u32 __flr_pad;
+- /* Options in format of IPV6_PKTOPTIONS */
+-};
+-#endif
+-
+ #define IPV6_FL_A_GET 0
+ #define IPV6_FL_A_PUT 1
+ #define IPV6_FL_A_RENEW 2
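Review bot: The new patch file deletes the local `struct in6_flowlabel_req` definition together with its `#ifndef __ANDROID__` guard but carries no description, so neither the reason nor the header now expected to provide the type is recorded. Presumably the toolchain headers already define the struct and the duplicate broke the build, as the commit subject suggests; a header in the .patch file should say so, along the lines of `Drop the local struct in6_flowlabel_req; it clashes with the definition in <HEADER> from <TOOLCHAIN/KERNEL HEADERS VERSION>`. The retained comment ending in `conflicts with "netinet/in.h"` may now describe code that is no longer below it and could be trimmed in the same patch. The change removes the definition unconditionally, so a toolchain whose headers lack the struct would fail to compile flowlabel users; whether that case exists for the supported targets cannot be told from this hunk.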