update 2025-03-01 00:26:24

homebox/Makefile

@@ -5,11 +5,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=homebox
-PKG_VERSION:=0.1.0.20241126
+PKG_VERSION:=0.0.0.20241013
-PKG_REAL_VER:=0.1.0-dev.2024112600
+PKG_REAL_VER:=0.0.0-dev.2024101306
 PKG_RELEASE:=1
-PKG_FLAGS:=nonshared
-RSTRIP:=:
 
 ifeq ($(ARCH),aarch64)
 	H_ARCH:=arm64
@@ -37,7 +35,7 @@ define Package/$(PKG_NAME)
   CATEGORY:=Network
   TITLE:=A Toolbox for Home Local Networks Speed Test
   URL:=https://github.com/XGHeaven/homebox
-  DEPENDS:=@(i386||x86_64||arm||aarch64||mipsel||mips) +libstdcpp +libatomic +libpthread +libc
+  DEPENDS:=@(i386||x86_64||arm||aarch64||mipsel||mips) +libstdcpp
 endef
 
 define Package/$(PKG_NAME)/description
@@ -46,8 +44,8 @@ endef
 
 define Build/Prepare
 	mkdir -p $(PKG_BUILD_DIR)
-	[ ! -f $(PKG_BUILD_DIR)/homebox-linux-$(H_ARCH).tar.gz ] && wget https://github.com/XGHeaven/homebox/releases/download/v$(PKG_REAL_VER)/homebox-linux-$(H_ARCH).tar.gz -O $(PKG_BUILD_DIR)/homebox-linux-$(H_ARCH).tar.gz
+	[ ! -f $(PKG_BUILD_DIR)/server-linux-$(H_ARCH).tar.gz ] && wget https://github.com/XGHeaven/homebox/releases/download/v$(PKG_REAL_VER)/server-linux-$(H_ARCH).tar.gz -O $(PKG_BUILD_DIR)/server-linux-$(H_ARCH).tar.gz
-	tar -xzvf $(PKG_BUILD_DIR)/homebox-linux-$(H_ARCH).tar.gz -C $(PKG_BUILD_DIR)
+	tar -xzvf $(PKG_BUILD_DIR)/server-linux-$(H_ARCH).tar.gz -C $(PKG_BUILD_DIR)
 endef
 
 define Build/Compile
@@ -55,18 +53,7 @@ endef
 
 define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/homebox-linux-$(H_ARCH) $(1)/usr/bin/homebox
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/server-linux-$(H_ARCH) $(1)/usr/bin/homebox
-endef
-
-# 使用force-depends选项强制忽略依赖检查
-define Package/$(PKG_NAME)/preinst
-#!/bin/sh
-exit 0
-endef
-
-# 添加"force-depends=1"到包控制文件中
-define Package/$(PKG_NAME)/extra_provides
-echo "libc.so.6"; echo "libm.so.6"
 endef
 
 $(eval $(call BuildPackage,$(PKG_NAME)))

oaf/src/af_conntrack.c

@@ -68,6 +68,7 @@ af_conn_t *af_conn_add(u32 src_ip, u32 dst_ip, u16 src_port, u16 dst_port, u8 pr
     conn->protocol = protocol;
     conn->total_pkts = 0;
     conn->app_id = 0;
+	conn->client_hello = 0;
     conn->drop = 0;
     conn->state = AF_CONN_NEW;
     conn->last_jiffies = jiffies;

oaf/src/af_conntrack.h

@@ -22,6 +22,7 @@ typedef struct {
     u8  protocol;
     u32 total_pkts;
     u32 app_id;
+	u8 client_hello;
     u8  drop;
     af_conn_state_t state;      
     unsigned long last_jiffies;

oaf/src/af_log.c

@@ -12,6 +12,7 @@ int af_test_mode = 0;
 int g_oaf_filter_enable __read_mostly = 0;
 int g_oaf_record_enable __read_mostly = 0;
 int g_by_pass_accl = 1;
+int g_user_mode = 0;
 int af_work_mode = AF_MODE_GATEWAY;
 unsigned int af_lan_ip = 0;
 unsigned int af_lan_mask = 0;
@@ -86,6 +87,13 @@ static struct ctl_table oaf_table[] = {
 		.mode		= 0666,
 		.proc_handler	= proc_dointvec,
 	},
+	{
+		.procname	= "user_mode",
+		.data		= &g_user_mode,
+		.maxlen 	= sizeof(int),
+		.mode		= 0666,
+		.proc_handler	= proc_dointvec,
+	},
 	{
 		.procname	= "work_mode",
 		.data		= &af_work_mode,

oaf/src/af_log.h

@@ -9,6 +9,7 @@ extern int g_by_pass_accl;
 extern unsigned int af_lan_ip;
 extern unsigned int af_lan_mask;
 extern int g_feature_init;
+extern int g_user_mode;
 
 extern char g_lan_ifname[64];
 extern int g_tcp_rst;

oaf/src/app_filter.c

@@ -632,13 +632,18 @@ int dpi_https_proto(flow_info_t *flow)
 	{
 		return -1;
 	}
-	if (!(p[0] == 0x16 && p[1] == 0x03 && p[2] == 0x01))
+	if (!((p[0] == 0x16 && p[1] == 0x03 && p[2] == 0x01) || flow->client_hello))
 		return -1;
 
 	for (i = 0; i < data_len; i++)
 	{
 		if (i + HTTPS_URL_OFFSET >= data_len)
 		{
+			AF_LMT_INFO("match https host failed, data_len = %d, sport:%d, dport:%d\n", data_len, flow->sport,flow->dport);
+			if ((TEST_MODE())){
+ 				print_hex_ascii(flow->l4_data,  flow->l4_len);
+			}
+			flow->client_hello = 1;	
 			return -1;
 		}
 
@@ -660,6 +665,8 @@ int dpi_https_proto(flow_info_t *flow)
 				flow->https.match = AF_TRUE;
 				flow->https.url_pos = p + i + HTTPS_URL_OFFSET;
 				flow->https.url_len = ntohs(url_len);
+				AF_LMT_INFO("match https host ok, data_len = %d, client hello = %d\n", data_len, flow->client_hello);
+				flow->client_hello = 0;
 				return 0;
 			}
 		}
@@ -975,7 +982,7 @@ int match_feature(flow_info_t *flow)
 
 int match_app_filter_rule(int appid, af_client_info_t *client)
 {
-	if (is_user_match_enable() && !find_af_mac(client->mac))
+	if (g_user_mode && !find_af_mac(client->mac))
 	{
 		return AF_FALSE;
 	}
@@ -989,6 +996,8 @@ int match_app_filter_rule(int appid, af_client_info_t *client)
 
 
 #define NF_DROP_BIT 0x80000000
+#define NF_CLIENT_HELLO_BIT 0x40000000
+
 
 static int af_get_visit_index(af_client_info_t *node, int app_id)
 {
@@ -1163,13 +1172,16 @@ u_int32_t app_filter_hook_bypass_handle(struct sk_buff *skb, struct net_device *
 	}
 	#endif
 
+
 	if (skb_is_nonlinear(skb) && flow.l4_len < MAX_AF_SUPPORT_DATA_LEN)
 	{
 		flow.l4_data = read_skb(skb, flow.l4_data - skb->data, flow.l4_len);
 		if (!flow.l4_data)
 			return NF_ACCEPT;
+		AF_LMT_DEBUG("##match nonlinear skb, len = %d\n", flow.l4_len);
 		malloc_data = 1;
 	}
+	flow.client_hello = conn->client_hello;
 
 	if (conn->app_id != 0)
 	{
@@ -1177,8 +1189,8 @@ u_int32_t app_filter_hook_bypass_handle(struct sk_buff *skb, struct net_device *
 		flow.drop = conn->drop;
 	}
 	else{
-		if (0 != dpi_main(skb, &flow))
+		dpi_main(skb, &flow);
-			goto EXIT;
+		conn->client_hello = flow.client_hello;
 
 		if (!match_feature(&flow))
 			goto EXIT;
@@ -1266,10 +1278,10 @@ u_int32_t app_filter_hook_gateway_handle(struct sk_buff *skb, struct net_device
 
 	if (ct->mark != 0)
 	{
-		app_id = ct->mark & (~NF_DROP_BIT);
+		app_id = ct->mark & 0xffff;
 		if (app_id > 1000 && app_id < 9999)
 		{
-			if (g_oaf_filter_enable){
+			if (g_oaf_filter_enable) {
 				if (NF_DROP_BIT == (ct->mark & NF_DROP_BIT))
 					drop = 1; 
 			}
@@ -1284,6 +1296,13 @@ u_int32_t app_filter_hook_gateway_handle(struct sk_buff *skb, struct net_device
 				return NF_DROP;
 			}
 		}
+		else {
+			AF_LMT_DEBUG("ct->mark = %x\n", ct->mark);
+			if (ct->mark & NF_CLIENT_HELLO_BIT) {
+				AF_LMT_INFO("match ct client hello...\n");
+				flow.client_hello = 1;
+			}
+		}
 	}
 	acct = nf_conn_acct_find(ct);
 	if (!acct)
@@ -1300,8 +1319,14 @@ u_int32_t app_filter_hook_gateway_handle(struct sk_buff *skb, struct net_device
 			return NF_ACCEPT;
 		malloc_data = 1;
 	}
-	if (0 != dpi_main(skb, &flow))
+	dpi_main(skb, &flow);
-		goto EXIT;
+
+	if (flow.client_hello) {
+		ct->mark |= NF_CLIENT_HELLO_BIT;
+	}
+	else {
+		ct->mark &= ~NF_CLIENT_HELLO_BIT;
+	}
 
 	if (!match_feature(&flow))
 		goto EXIT;
@@ -1316,7 +1341,9 @@ u_int32_t app_filter_hook_gateway_handle(struct sk_buff *skb, struct net_device
 			}
 		}
 	}
-	ct->mark = flow.app_id;
+	ct->mark = (ct->mark & 0xFFFF0000) | (flow.app_id & 0xFFFF);
+
+	
 	if (g_oaf_filter_enable){
 		if (match_app_filter_rule(flow.app_id, client))
 		{

oaf/src/app_filter.h

@@ -166,6 +166,7 @@ typedef struct flow_info{
 	u_int8_t drop;
 	u_int8_t dir;
 	u_int16_t total_len;
+	u_int8_t client_hello;
 	af_feature_node_t *feature;
 }flow_info_t;
 

oaf/src/app_filter_config.c

@@ -1,4 +1,3 @@
-
 #include <linux/init.h>
 #include <linux/module.h>
 #include <net/tcp.h>
@@ -155,8 +154,7 @@ int hash_mac(unsigned char *mac)
 {
 	if (!mac)
 		return 0;
-	else
+	return ((mac[0] ^ mac[1]) + (mac[2] ^ mac[3]) + (mac[4] ^ mac[5])) % MAX_AF_MAC_HASH_SIZE;
-		return mac[5] & (MAX_AF_MAC_HASH_SIZE - 1);
 }
 
 af_mac_info_t *find_af_mac(unsigned char *mac)

open-app-filter/files/oaf_rule

@@ -81,7 +81,10 @@ reload_base_config(){
     config_load appfilter 
     config_get work_mode "global" "work_mode"
     config_get lan_ifname "global" "lan_ifname"
+    config_get user_mode "global" "user_mode"
+
     echo "$work_mode" >/proc/sys/oaf/work_mode
+    echo "$user_mode" >/proc/sys/oaf/user_mode
       
     if [ x"" != x"$lan_ifname" ];then
         echo "$lan_ifname" >/proc/sys/oaf/lan_ifname