update 2023-05-08 02:01:26

luci-app-serverchan/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-serverchan
-PKG_VERSION:=2.06.2
+PKG_VERSION:=2.07.0
 PKG_RELEASE:=10
 
 PKG_MAINTAINER:=tty228 <tty228@yeah.net>

luci-app-serverchan/luasrc/model/cbi/serverchan/setting.lua

@@ -335,6 +335,7 @@ a = s:taboption("ipset", Flag, "port_knocking", translate("端口敲门"))
 a.default = 0
 a.rmempty = true
 a.description = translate("登录成功后开放端口")
+a.description = translate("如在 防火墙 - 区域设置 中禁用了 LAN 口入站和转发，将不起作用<br/>写起来太鸡儿麻烦了，告辞")
 
 a = s:taboption("ipset", Value, "ip_port_white", "端口")
 a.default = ""

luci-app-serverchan/root/usr/share/serverchan/serverchan

@@ -59,14 +59,14 @@ function read_config(){
 # 初始化
 function serverchan_init(){
 	enable_detection
+	echo "---------------------------------------------------------------------------------------" >> ${logfile}
+	echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】start running..." >> ${logfile}
 	if [ -f "/usr/share/serverchan/errlog" ]; then
 		cat /usr/share/serverchan/errlog > ${logfile}
 		echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！！】载入上次重启前日志" >> ${logfile}
-		echo "--------------------------------------------------------" >> ${logfile}
 	fi
 	down_oui &
 	get_syslog
-	set_ip_black
 
 	rm -f ${dir}fd1 ${dir}sheep_usage ${dir}old_sheep_usage ${dir}client_usage_aliases ${dir}old_client_usage_aliases /usr/share/serverchan/errlog >/dev/null 2>&1
 	[ ! -f "/usr/sbin/wrtbwmon" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【info】未安装 wrtbwmon ，流量统计不可用" >> ${logfile}
@@ -74,6 +74,14 @@ function serverchan_init(){
 	[ -z "$cu_version" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！！】无法获取依赖项 curl 版本号，请确认插件是否正常运行" >> ${logfile}
 	[ -z "${sckey}${tg_token}${pushplus_token}${corpid}${wxpusher_apptoken}${wxpusher_uids}${wxpusher_topicIds}" -a "${jsonpath}" != "/usr/share/serverchan/api/diy.json" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！！】请填写正确的 key " >> ${logfile} && return 1
 	local interfacelist=`getinterfacelist` && [ -z "$interfacelist" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！！】无法获取接口在线时间等信息，可能存在多个接口或配置错误，请确认插件是否正常运行" >> ${logfile}
+	[ ! -z "$temperature_enable" ] && [ "$temperature_enable" -eq "1" ] && [ ! -z "$temperature" ] && local cpu_wendu=`soc_temp` || local cpu_wendu="null"
+	[ -z "$cpu_wendu" ] && echo "`date "+%Y-%m-%d %H:%M:%S"`  【！！！】无法读取设备温度，请检查命令" >> ${logfile}
+	[ ! -z "$cpuload_enable" ] && [ "$cpuload_enable" -eq "1" ] && [ ! -z "$cpuload" ] && local cpu_fuzai=`cat /proc/loadavg|awk '{print $1}'` 2>/dev/null || local cpu_fuzai="null"
+	[ -z "$cpu_fuzai" ] && echo "`date "+%Y-%m-%d %H:%M:%S"`  【！！！】无法读取设备负载，请检查命令" >> ${logfile}
+	
+	set_ip_black
+	[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] && init_ip_white "ipv4"
+	[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] && init_ip_white "ipv6"
 	return 0
 }
 
@@ -194,7 +202,7 @@ function getip(){
 # 获取接口信息
 function getinterfacelist(){
 	[ `ubus list|grep -w -i "network.interface.wan"|wc -l` -ge "1" ] && ubus call network.interface.wan status && return
-	local ubuslist=`ubus list|grep -i "network.interface."|grep -v "loopback"|grep -v -i "wan6"|grep -v -i "lan6"|grep -v -i "ipsec_server*"|grep -v -i "VPN*"|grep -v -i "DOCKER*"`
+	local ubuslist=`ubus list|grep -i "network.interface."|grep -v "loopback"|grep -v -i "wan6"|grep -v -i "lan6"|grep -v -i "ipsec.*"|grep -v -i "VPN.*"|grep -v -i "DOCKER.*"`
 	[ `echo "${ubuslist}" |wc -l` -eq "1" ] && ubus call ${ubuslist} status && return
 }
 
@@ -327,7 +335,7 @@ function soc_temp(){
 	[ "$soc_code" == "pve" ] && [ ! -z "$server_host" ] && [ -z "$soctemp" ] || [ "$soctemp" == "null" ] && local soctemp=`ssh -i /root/.ssh/id_rsa root@${server_host} -p ${server_port} sensors -j 2>/dev/null|jq '."zenpower-pci-00c3"."Tctl"."temp1_input"'`
 	# PVE 应该没啥特殊设备了，懒得写了
 	
-	[ ! -z "$soctemp" ] && echo "$soctemp" && return
+	[ ! -z "$soctemp" ] && echo "$soctemp" && return 0
 	[ ! -z "$soc_code" ] && eval `echo "$soc_code"` 2>/dev/null
 }
 
@@ -984,15 +992,14 @@ function cpu_load(){
 	if [ ! -z "$temperature_enable" ] && [ "$temperature_enable" -eq "1" ] && [ ! -z "$temperature" ]; then
 		[ -z "$temperature_time" ] && temperature_time=`date +%s`
 		local cpu_wendu=`soc_temp`;
-		[ -z "$cpu_wendu" ] && echo "`date "+%Y-%m-%d %H:%M:%S"`  【！！！】无法读取设备温度，请检查命令" >> ${logfile}
 
-		if [ `expr $cpu_wendu \> $temperature` -eq "1" ]; then
+		if [ ! -z "$cpu_wendu" ] && [ `expr $cpu_wendu \> $temperature` -eq "1" ]; then
 			echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！警报！！】 CPU 温度过高: ${cpu_wendu}" >> ${logfile}
 		else
 			temperature_time=`date +%s`
 		fi
 
-		if [ "$((`date +%s`-$temperature_time))" -ge "300" ] && [ -z "$temperaturecd_time" ]; then
+		if [ ! -z "$cpu_wendu" ] && [ "$((`date +%s`-$temperature_time))" -ge "300" ] && [ -z "$temperaturecd_time" ]; then
 			title="CPU 温度过高！"
 			temperaturecd_time=`date +%s`
 			echo "`date "+%Y-%m-%d %H:%M:%S"` ${disturb_text} CPU 温 度过高: ${cpu_wendu}" >> ${logfile}
@@ -1005,16 +1012,15 @@ function cpu_load(){
 	if [ ! -z "$cpuload_enable" ] && [ "$cpuload_enable" -eq "1" ] && [ ! -z "$cpuload" ]; then
 		[ -z "$cpuload_time" ] && cpuload_time=`date +%s`
 		local cpu_fuzai=`cat /proc/loadavg|awk '{print $1}'` 2>/dev/null
-		[ -z "$cpu_fuzai" ] && echo "`date "+%Y-%m-%d %H:%M:%S"`  【！！！】无法读取设备负载，请检查命令" >> ${logfile}
 
-		if [ `expr $cpu_fuzai \> $cpuload` -eq "1" ]; then
+		if [ ! -z "$cpu_fuzai" ] && [ `expr $cpu_fuzai \> $cpuload` -eq "1" ]; then
 			echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！警报！！】 CPU 负载过高: ${cpu_fuzai}" >> ${logfile}
 			cputop log
-		else
+		elif [ ! -z "$cpu_fuzai" ]; then
 			cpuload_time=`date +%s`
 		fi
 
-		if [ "$((`date +%s`-$cpuload_time))" -ge "300" ] && [ -z "$cpucd_time" ]; then
+		if [ ! -z "$cpu_fuzai" ] && [ "$((`date +%s`-$cpuload_time))" -ge "300" ] && [ -z "$cpucd_time" ]; then
 			unset getlogtop
 			if [ ! -z "$title" ] && ( echo "$title"|grep -q "过高" ); then
 				title="设备报警！"
@@ -1175,43 +1181,80 @@ function login_send(){
 	unset login_ip login_sum
 }
 
-# 添加白名单，懒得写删除项和信息显示了，感觉没啥必要
+# 添加白名单，懒得写删除项和信息显示了，纯粹就是懒
 function add_ip_white() {
-  local ip=$1
-  [ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] || return
-  # 检查 IP 版本
-  if ( echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ); then
-    local ipset_name="ip_whitelist"
-    local iptables_cmd="iptables"
-    local nat_table_cmd=""
-  elif ( echo "$ip" | grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$' ); then
-    local ipset_name="ip_whitelistv6"
-    local iptables_cmd="ip6tables"
-    local nat_table_cmd="family inet6"
-  else
-    echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】白名单添加失败，IP 格式错误" >> ${logfile} && return
-  fi
-  
-  ipset list $ipset_name >/dev/null 2>&1 || ipset create $ipset_name hash:ip timeout ${ip_white_timeout} >/dev/null 2>&1
-  # 端口放行
-  if [ ! -z $ip_port_white ]; then
-	$iptables_cmd -C INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1 || $iptables_cmd -I INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1
-  fi
-  # 端口转发
-  for port_forward in "$port_forward_list"; do
-	port_forward=`echo "$port_forward"|sed 's/,/ /g'` 2>/dev/null
-	[ `echo $port_forward| awk -F" " '{print NF}'` -ne "4" ] && continue
-    local src_ip=`echo ${port_forward}|awk '{print $1}'`
-    local src_port=`echo ${port_forward}|awk '{print $2}'`
-    local dst_ip=`echo ${port_forward}|awk '{print $3}'`
-    local dst_port=`echo ${port_forward}|awk '{print $4}'`
-    $iptables_cmd -t nat -C PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1 || $iptables_cmd -t nat -I PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1		
-    $iptables_cmd -t nat -C POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1 || $iptables_cmd -t nat -I POSTROUTING  -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1
-  done
-  unset port_forward
-  ipset -exist add $ipset_name $ip timeout $ip_white_timeout
+	[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] || return
+	# 检查 IP 版本
+	( echo "$1"|grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ) && local ipset_name="ip_whitelist"
+	( echo "$1"|grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$' ) && local ipset_name="ip_whitelistv6"
+	[ -z $ipset_name ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】白名单添加失败，IP 格式错误" >> ${logfile} && return
+
+	( opkg list-installed|grep -w -q ^firewall4 ) && nft list set inet fw4 $ipset_name >/dev/null 2>&1|grep $1 >/dev/null 2>&1 && nft delete element inet fw4 $ipset_name { $1 } >/dev/null 2>&1
+	( opkg list-installed|grep -w -q ^firewall4 ) && nft add element inet fw4 $ipset_name { $1 } && return #没找到刷新时间的命令，删除再添加
+	ipset -exist add $ipset_name $1 timeout $ip_white_timeout
 }
 
+# 初始化白名单
+function init_ip_white() {
+	[ -z $web_login_black ] && [ -z $port_knocking ] && return
+	# 设置 IP 版本变量
+	if [ $1=="ipv4" ]; then
+		local ipset_name="ip_whitelist"
+		local ip_version="ip"
+	elif [ $1=="ipv6" ]; then
+		local ipset_name="ip_whitelistv6"
+		local ip_version="ip6"
+		local nat_table_cmd="family inet6"
+	fi
+	
+	if ( opkg list-installed|grep -w -q ^firewall4 ); then
+		! nft list set inet fw4 $ipset_name >/dev/null 2>&1 && nft add set inet fw4 $ipset_name { type ${1}_addr\; flags timeout\; timeout ${ip_white_timeout}s\; }
+		nft add chain inet fw4 serverchan_dstnat { type nat hook prerouting priority -100 \; }
+		nft add chain inet fw4 serverchan_srcnat { type nat hook postrouting priority 100 \; }
+	else
+		! ipset list $ipset_name >/dev/null 2>&1 && ipset create $ipset_name hash:ip timeout $ip_white_timeout $nat_table_cmd >/dev/null 2>&1
+	fi
+
+	# 端口放行
+	if [ ! -z $ip_port_white ]; then
+		local ip_port_white=`echo "$ip_port_white"|sed 's/ //g'|sed 's/,/, /g'` 2>/dev/null
+		if ( opkg list-installed|grep -w -q ^firewall4 ); then
+			local count_accept_rules=`nft list ruleset | grep -c "tcp dport.* ${ip_port_white}.* $ip_version saddr @${ipset_name} counter packets .* accept comment \"!serverchan Accept rule\""`
+			if [ $count_accept_rules -eq 0 ]; then
+				nft insert rule inet fw4 input tcp dport { $ip_port_white } $ip_version saddr @$ipset_name counter accept comment "!serverchan Accept rule" >/dev/null 2>&1
+			elif [ $count_accept_rules -ne 1 ]; then
+				local i=0
+				local handles=`nft --handle list ruleset | grep "!serverchan Accept rule" | grep -v "tcp dport.* ${ip_port_white}.* $ip_version saddr @${ipset_name} counter packets .* accept comment \"!serverchan Accept rule\"" | awk '{print $NF}'`
+				for handle in $handles; do
+					[ $i -eq 0 ] && i=1 && continue
+					nft delete rule $handle
+				done
+			fi
+		else
+			${ip_version}tables -C INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1 || ${ip_version}tables -I INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1
+		fi
+	fi
+	unset handle
+	# 端口转发
+	for port_forward in `echo "$port_forward_list"`; do
+		port_forward=`echo "$port_forward"|sed 's/,/ /g'` 2>/dev/null
+		[ `echo $port_forward| awk -F" " '{print NF}'` -ne "4" ] && continue
+		local src_ip=`echo ${port_forward}|awk '{print $1}'`
+		local src_port=`echo ${port_forward}|awk '{print $2}'`
+		local dst_ip=`echo ${port_forward}|awk '{print $3}'`
+		local dst_port=`echo ${port_forward}|awk '{print $4}'`
+		if ( opkg list-installed|grep -w -q ^firewall4 ); then
+			! nft list ruleset|grep "$ip_version saddr @${ipset_name} tcp dport $src_port counter .* dnat $ip_version to $dst_ip:$dst_port comment \"!serverchan DNAT rule\"" >/dev/null 2>&1 && nft insert rule inet fw4 serverchan_dstnat meta nfproto $1 $ip_version saddr @${ipset_name} tcp dport $src_port counter dnat to "$dst_ip:$dst_port" comment \"!serverchan DNAT rule\" >/dev/null 2>&1
+			! nft list ruleset|grep "$ip_version saddr $dst_ip tcp dport $dst_port counter .* snat $ip_version to $src_ip comment \"!serverchan SNAT rule\"" >/dev/null 2>&1 && nft insert rule inet fw4 serverchan_srcnat $ip_version saddr $dst_ip tcp dport $dst_port counter snat to $src_ip comment \"!serverchan SNAT rule\" >/dev/null 2>&1
+		else
+			${ip_version}tables -t nat -C PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1 || ${ip_version}tables -t nat -I PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1		
+			${ip_version}tables -t nat -C POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1 || ${ip_version}tables -t nat -I POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1
+		fi
+	done
+	unset port_forward
+}
+
+# 封禁 iptables 暂时还可以使用，以后再说吧
 # 添加黑名单
 function add_ip_black(){
 	[ ! "$1" ] && return
@@ -1372,7 +1415,7 @@ fi
 
 # 载入在线设备
 serverchan_init;[ $? -eq 1 ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【！！！】读取设置出错，请检查设置项 " >> ${logfile} && exit
-echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】载入在线设备" >> ${logfile}
+echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】载入在线设备..." >> ${logfile}
 > ${dir}send_enable.lock && serverchan_first && deltemp
 echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】初始化完成" >> ${logfile}
 

smartdns/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=smartdns
-PKG_VERSION:=Release41
+PKG_VERSION:=Release42
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://www.github.com/pymumu/smartdns.git
-PKG_MIRROR_HASH:=6ee60c4cae37b1c60f678f51595c2bc2da3ca8a1fbdcd78b3e884ec4bb2b6f27
+PKG_MIRROR_HASH:=83bb3c588672dff7fe702223538d6e61a4d475e592643a57d1416aade0b363d0
 PKG_SOURCE_VERSION:=d792e5f7f71ce9320b341fe02135077e00fa3e21
 
 PKG_MAINTAINER:=Nick Peng <pymumu@gmail.com>