tqcq/small-package
0
0
Fork 0
mirror of https://github.com/kenzok8/small-package.git synced 2026-02-05 14:26:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

update 2023-02-24 21:16:12

Browse Source
This commit is contained in:
github-actions[bot]
2023-02-24 21:16:12 +08:00
parent bae12caa4d
commit fc30e01f5e
11 changed files with 1509 additions and 268 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
libnftnl/Makefile Normal file
View File

@@ -0,0 +1,76 @@
#
# Copyright (C) 2014 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=libnftnl
PKG_CPE_ID:=cpe:/a:netfilter:libnftnl
PKG_VERSION:=1.2.4
PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://netfilter.org/projects/$(PKG_NAME)/files
PKG_HASH:=c0fe233be4cdfd703e7d5977ef8eb63fcbf1d0052b6044e1b23d47ca3562477f
PKG_MAINTAINER:=Steven Barth <steven@midlink.org>
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=COPYING
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
include $(INCLUDE_DIR)/package.mk
DISABLE_NLS:=
define Package/libnftnl
SECTION:=libs
CATEGORY:=Libraries
DEPENDS:=+libmnl
TITLE:=Low-level netlink library for the nf_tables subsystem
URL:=http://www.netfilter.org/projects/libnftnl
ABI_VERSION:=11
endef
define Package/libnftnl/description
libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem.
endef
TARGET_CFLAGS += $(FPIC) -flto
TARGET_LDFLAGS += -flto
CONFIGURE_ARGS += \
--enable-static \
--enable-shared
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include/libnftnl
$(CP) \
$(PKG_INSTALL_DIR)/usr/include/libnftnl/*.h \
$(1)/usr/include/libnftnl/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/libnftnl.{so*,a,la} \
$(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnftnl.pc \
$(1)/usr/lib/pkgconfig/
endef
define Package/libnftnl/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/libnftnl.so.* \
$(1)/usr/lib/
endef
$(eval $(call BuildPackage,libnftnl))

264
libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch Normal file
View File

@@ -0,0 +1,264 @@
From 6c39f04febd7cfdbd474233379416babcd0fc341 Mon Sep 17 00:00:00 2001
From: Syrone Wong <wong.syrone@gmail.com>
Date: Fri, 8 Apr 2022 23:52:11 +0800
Subject: [PATCH] libnftnl: add fullcone expression support
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
---
include/libnftnl/expr.h | 6 +
include/linux/netfilter/nf_tables.h | 16 +++
src/Makefile.am | 1 +
src/expr/fullcone.c | 167 ++++++++++++++++++++++++++++
src/expr_ops.c | 2 +
5 files changed, 192 insertions(+)
create mode 100644 src/expr/fullcone.c
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 00c63ab..7dcf403 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -244,6 +244,12 @@ enum {
NFTNL_EXPR_MASQ_REG_PROTO_MAX,
};
+enum {
+ NFTNL_EXPR_FULLCONE_FLAGS = NFTNL_EXPR_BASE,
+ NFTNL_EXPR_FULLCONE_REG_PROTO_MIN,
+ NFTNL_EXPR_FULLCONE_REG_PROTO_MAX,
+};
+
enum {
NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE,
NFTNL_EXPR_REDIR_REG_PROTO_MAX,
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0ae9120..8b8ae38 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1433,6 +1433,22 @@ enum nft_masq_attributes {
};
#define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1)
+/**
+ * enum nft_fullcone_attributes - nf_tables fullcone expression attributes
+ *
+ * @NFTA_FULLCONE_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
+ * @NFTA_FULLCONE_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
+ * @NFTA_FULLCONE_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ */
+enum nft_fullcone_attributes {
+ NFTA_FULLCONE_UNSPEC,
+ NFTA_FULLCONE_FLAGS,
+ NFTA_FULLCONE_REG_PROTO_MIN,
+ NFTA_FULLCONE_REG_PROTO_MAX,
+ __NFTA_FULLCONE_MAX
+};
+#define NFTA_FULLCONE_MAX (__NFTA_FULLCONE_MAX - 1)
+
/**
* enum nft_redir_attributes - nf_tables redirect expression netlink attributes
*
diff --git a/src/Makefile.am b/src/Makefile.am
index c3b0ab9..2718218 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -54,6 +54,7 @@ libnftnl_la_SOURCES = utils.c \
expr/target.c \
expr/tunnel.c \
expr/masq.c \
+ expr/fullcone.c \
expr/redir.c \
expr/hash.c \
expr/socket.c \
diff --git a/src/expr/fullcone.c b/src/expr/fullcone.c
new file mode 100644
index 0000000..aaedd83
--- /dev/null
+++ b/src/expr/fullcone.c
@@ -0,0 +1,167 @@
+/*
+ * (C) 2022 wongsyrone
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <inttypes.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include "internal.h"
+#include <libmnl/libmnl.h>
+#include <libnftnl/expr.h>
+#include <libnftnl/rule.h>
+
+struct nftnl_expr_fullcone {
+ uint32_t flags;
+ enum nft_registers sreg_proto_min;
+ enum nft_registers sreg_proto_max;
+};
+
+static int
+nftnl_expr_fullcone_set(struct nftnl_expr *e, uint16_t type,
+ const void *data, uint32_t data_len)
+{
+ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e);
+
+ switch (type) {
+ case NFTNL_EXPR_FULLCONE_FLAGS:
+ memcpy(&fullcone->flags, data, sizeof(fullcone->flags));
+ break;
+ case NFTNL_EXPR_FULLCONE_REG_PROTO_MIN:
+ memcpy(&fullcone->sreg_proto_min, data, sizeof(fullcone->sreg_proto_min));
+ break;
+ case NFTNL_EXPR_FULLCONE_REG_PROTO_MAX:
+ memcpy(&fullcone->sreg_proto_max, data, sizeof(fullcone->sreg_proto_max));
+ break;
+ default:
+ return -1;
+ }
+ return 0;
+}
+
+static const void *
+nftnl_expr_fullcone_get(const struct nftnl_expr *e, uint16_t type,
+ uint32_t *data_len)
+{
+ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e);
+
+ switch (type) {
+ case NFTNL_EXPR_FULLCONE_FLAGS:
+ *data_len = sizeof(fullcone->flags);
+ return &fullcone->flags;
+ case NFTNL_EXPR_FULLCONE_REG_PROTO_MIN:
+ *data_len = sizeof(fullcone->sreg_proto_min);
+ return &fullcone->sreg_proto_min;
+ case NFTNL_EXPR_FULLCONE_REG_PROTO_MAX:
+ *data_len = sizeof(fullcone->sreg_proto_max);
+ return &fullcone->sreg_proto_max;
+ }
+ return NULL;
+}
+
+static int nftnl_expr_fullcone_cb(const struct nlattr *attr, void *data)
+{
+ const struct nlattr **tb = data;
+ int type = mnl_attr_get_type(attr);
+
+ if (mnl_attr_type_valid(attr, NFTA_FULLCONE_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch (type) {
+ case NFTA_FULLCONE_REG_PROTO_MIN:
+ case NFTA_FULLCONE_REG_PROTO_MAX:
+ case NFTA_FULLCONE_FLAGS:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
+ break;
+ }
+
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static void
+nftnl_expr_fullcone_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
+{
+ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e);
+
+ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_FLAGS))
+ mnl_attr_put_u32(nlh, NFTA_FULLCONE_FLAGS, htobe32(fullcone->flags));
+ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MIN))
+ mnl_attr_put_u32(nlh, NFTA_FULLCONE_REG_PROTO_MIN,
+ htobe32(fullcone->sreg_proto_min));
+ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MAX))
+ mnl_attr_put_u32(nlh, NFTA_FULLCONE_REG_PROTO_MAX,
+ htobe32(fullcone->sreg_proto_max));
+}
+
+static int
+nftnl_expr_fullcone_parse(struct nftnl_expr *e, struct nlattr *attr)
+{
+ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e);
+ struct nlattr *tb[NFTA_FULLCONE_MAX+1] = {};
+
+ if (mnl_attr_parse_nested(attr, nftnl_expr_fullcone_cb, tb) < 0)
+ return -1;
+
+ if (tb[NFTA_FULLCONE_FLAGS]) {
+ fullcone->flags = be32toh(mnl_attr_get_u32(tb[NFTA_FULLCONE_FLAGS]));
+ e->flags |= (1 << NFTNL_EXPR_FULLCONE_FLAGS);
+ }
+ if (tb[NFTA_FULLCONE_REG_PROTO_MIN]) {
+ fullcone->sreg_proto_min =
+ be32toh(mnl_attr_get_u32(tb[NFTA_FULLCONE_REG_PROTO_MIN]));
+ e->flags |= (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MIN);
+ }
+ if (tb[NFTA_FULLCONE_REG_PROTO_MAX]) {
+ fullcone->sreg_proto_max =
+ be32toh(mnl_attr_get_u32(tb[NFTA_FULLCONE_REG_PROTO_MAX]));
+ e->flags |= (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MAX);
+ }
+
+ return 0;
+}
+
+static int nftnl_expr_fullcone_snprintf(char *buf, size_t remain,
+ uint32_t flags, const struct nftnl_expr *e)
+{
+ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e);
+ int offset = 0, ret = 0;
+
+ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MIN)) {
+ ret = snprintf(buf + offset, remain, "proto_min reg %u ",
+ fullcone->sreg_proto_min);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MAX)) {
+ ret = snprintf(buf + offset, remain, "proto_max reg %u ",
+ fullcone->sreg_proto_max);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_FLAGS)) {
+ ret = snprintf(buf + offset, remain, "flags 0x%x ", fullcone->flags);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+
+ return offset;
+}
+
+struct expr_ops expr_ops_fullcone = {
+ .name = "fullcone",
+ .alloc_len = sizeof(struct nftnl_expr_fullcone),
+ .max_attr = NFTA_FULLCONE_MAX,
+ .set = nftnl_expr_fullcone_set,
+ .get = nftnl_expr_fullcone_get,
+ .parse = nftnl_expr_fullcone_parse,
+ .build = nftnl_expr_fullcone_build,
+ .output = nftnl_expr_fullcone_snprintf,
+};
diff --git a/src/expr_ops.c b/src/expr_ops.c
index 7248e4f..9dee9f8 100644
--- a/src/expr_ops.c
+++ b/src/expr_ops.c
@@ -19,6 +19,7 @@ extern struct expr_ops expr_ops_limit;
extern struct expr_ops expr_ops_log;
extern struct expr_ops expr_ops_lookup;
extern struct expr_ops expr_ops_masq;
+extern struct expr_ops expr_ops_fullcone;
extern struct expr_ops expr_ops_match;
extern struct expr_ops expr_ops_meta;
extern struct expr_ops expr_ops_ng;
@@ -63,6 +64,7 @@ static struct expr_ops *expr_ops[] = {
&expr_ops_log,
&expr_ops_lookup,
&expr_ops_masq,
+ &expr_ops_fullcone,
&expr_ops_match,
&expr_ops_meta,
&expr_ops_ng,

203
mbedtls/Config.in Normal file
View File

@@ -0,0 +1,203 @@
if PACKAGE_libmbedtls
comment "Option details in source code: include/mbedtls/mbedtls_config.h"
comment "Ciphers - unselect old or less-used ciphers to reduce binary size"
config MBEDTLS_AES_C
bool "MBEDTLS_AES_C"
default y
config MBEDTLS_CAMELLIA_C
bool "MBEDTLS_CAMELLIA_C"
default n
config MBEDTLS_CCM_C
bool "MBEDTLS_CCM_C"
default n
config MBEDTLS_CMAC_C
bool "MBEDTLS_CMAC_C (old but used by hostapd)"
default y
config MBEDTLS_DES_C
bool "MBEDTLS_DES_C (old but used by hostapd)"
default y
config MBEDTLS_GCM_C
bool "MBEDTLS_GCM_C"
default y
config MBEDTLS_NIST_KW_C
bool "MBEDTLS_NIST_KW_C (old but used by hostapd)"
default y
config MBEDTLS_RIPEMD160_C
bool "MBEDTLS_RIPEMD160_C"
default n
config MBEDTLS_XTEA_C
bool "MBEDTLS_XTEA_C"
default n
config MBEDTLS_RSA_NO_CRT
bool "MBEDTLS_RSA_NO_CRT"
default y
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED"
default n
comment "Curves - unselect old or less-used curves to reduce binary size"
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED"
default y
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED"
default y
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED"
default y
config MBEDTLS_ECP_DP_BP256R1_ENABLED
bool "MBEDTLS_ECP_DP_BP256R1_ENABLED"
default n
config MBEDTLS_ECP_DP_BP384R1_ENABLED
bool "MBEDTLS_ECP_DP_BP384R1_ENABLED"
default n
config MBEDTLS_ECP_DP_BP512R1_ENABLED
bool "MBEDTLS_ECP_DP_BP512R1_ENABLED"
default n
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED"
default y
config MBEDTLS_ECP_DP_CURVE448_ENABLED
bool "MBEDTLS_ECP_DP_CURVE448_ENABLED"
default n
comment "Build Options - unselect features to reduce binary size"
config MBEDTLS_ARMV8CE_AES_C
bool "MBEDTLS_ARMV8CE_AES_C"
default y
depends on aarch64 && !TARGET_bcm27xx
config MBEDTLS_CERTS_C
bool "MBEDTLS_CERTS_C"
default n
config MBEDTLS_CIPHER_MODE_OFB
bool "MBEDTLS_CIPHER_MODE_OFB"
default n
config MBEDTLS_CIPHER_MODE_XTS
bool "MBEDTLS_CIPHER_MODE_XTS"
default n
config MBEDTLS_DEBUG_C
bool "MBEDTLS_DEBUG_C"
default n
config MBEDTLS_HAVE_SSE2
bool "MBEDTLS_HAVE_SSE2"
default y
depends on TARGET_x86_generic || TARGET_x86_64
config MBEDTLS_HKDF_C
bool "MBEDTLS_HKDF_C"
default n
config MBEDTLS_PLATFORM_C
bool "MBEDTLS_PLATFORM_C"
default n
config MBEDTLS_SELF_TEST
bool "MBEDTLS_SELF_TEST"
default n
config MBEDTLS_SSL_TRUNCATED_HMAC
bool "MBEDTLS_SSL_TRUNCATED_HMAC"
default n
config MBEDTLS_VERSION_C
bool "MBEDTLS_VERSION_C"
default n
config MBEDTLS_VERSION_FEATURES
bool "MBEDTLS_VERSION_FEATURES"
default n
comment "Build Options"
config MBEDTLS_ENTROPY_FORCE_SHA256
bool "MBEDTLS_ENTROPY_FORCE_SHA256"
default y
config MBEDTLS_SSL_RENEGOTIATION
bool "MBEDTLS_SSL_RENEGOTIATION"
default n
endif

108
mbedtls/Makefile
View File

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=mbedtls PKG_NAME:=mbedtls
PKG_VERSION:=2.28.2 PKG_VERSION:=2.28.2
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_USE_MIPS16:=0 PKG_USE_MIPS16:=0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
@@ -20,9 +20,62 @@ PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=gpl-2.0.txt PKG_LICENSE_FILES:=gpl-2.0.txt
PKG_CPE_ID:=cpe:/a:arm:mbed_tls PKG_CPE_ID:=cpe:/a:arm:mbed_tls
PKG_CONFIG_DEPENDS := \ MBEDTLS_BUILD_OPTS_CURVES= \
CONFIG_LIBMBEDTLS_DEBUG_C \ CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \
CONFIG_LIBMBEDTLS_HKDF_C CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \
CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED
MBEDTLS_BUILD_OPTS_CIPHERS= \
CONFIG_MBEDTLS_AES_C \
CONFIG_MBEDTLS_CAMELLIA_C \
CONFIG_MBEDTLS_CCM_C \
CONFIG_MBEDTLS_CMAC_C \
CONFIG_MBEDTLS_DES_C \
CONFIG_MBEDTLS_GCM_C \
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
CONFIG_MBEDTLS_NIST_KW_C \
CONFIG_MBEDTLS_RIPEMD160_C \
CONFIG_MBEDTLS_RSA_NO_CRT \
CONFIG_MBEDTLS_XTEA_C
MBEDTLS_BUILD_OPTS= \
$(MBEDTLS_BUILD_OPTS_CURVES) \
$(MBEDTLS_BUILD_OPTS_CIPHERS) \
CONFIG_MBEDTLS_ARMV8CE_AES_C \
CONFIG_MBEDTLS_CERTS_C \
CONFIG_MBEDTLS_CIPHER_MODE_OFB \
CONFIG_MBEDTLS_CIPHER_MODE_XTS \
CONFIG_MBEDTLS_DEBUG_C \
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \
CONFIG_MBEDTLS_HAVE_SSE2 \
CONFIG_MBEDTLS_HKDF_C \
CONFIG_MBEDTLS_PLATFORM_C \
CONFIG_MBEDTLS_SELF_TEST \
CONFIG_MBEDTLS_SSL_RENEGOTIATION \
CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \
CONFIG_MBEDTLS_VERSION_C \
CONFIG_MBEDTLS_VERSION_FEATURES
PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk include $(INCLUDE_DIR)/cmake.mk
@@ -44,28 +97,11 @@ $(call Package/mbedtls/Default)
SUBMENU:=SSL SUBMENU:=SSL
TITLE+= (library) TITLE+= (library)
ABI_VERSION:=12 ABI_VERSION:=12
MENU:=1
endef endef
define Package/libmbedtls/config define Package/libmbedtls/config
config LIBMBEDTLS_DEBUG_C source "$(SOURCE)/Config.in"
depends on PACKAGE_libmbedtls
bool "Enable debug functions"
default n
help
This option enables mbedtls library's debug functions.
It increases the uncompressed libmbedtls binary size
by around 60 KiB (for an ARMv5 platform).
Usually, you don't need this, so don't select this if you're unsure.
config LIBMBEDTLS_HKDF_C
depends on PACKAGE_libmbedtls
bool "Enable the HKDF algorithm (RFC 5869)"
default n
help
This option adds support for the Hashed Message Authentication Code
(HMAC)-based key derivation function (HKDF).
endef endef
define Package/mbedtls-util define Package/mbedtls-util
@@ -89,28 +125,24 @@ endef
TARGET_CFLAGS += -ffunction-sections -fdata-sections TARGET_CFLAGS += -ffunction-sections -fdata-sections
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS))
ifneq ($(CONFIG_MBEDTLS_ARMV8CE_AES_C),)
TARGET_CFLAGS := $(filter-out -march=%,$(TARGET_CFLAGS)) -march=armv8-a+crypto
endif
CMAKE_OPTIONS += \ CMAKE_OPTIONS += \
-DCMAKE_POSITION_INDEPENDENT_CODE=ON \
-DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \ -DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \
-DENABLE_TESTING:Bool=OFF \ -DENABLE_TESTING:Bool=OFF \
-DENABLE_PROGRAMS:Bool=ON -DENABLE_PROGRAMS:Bool=ON
define Build/Configure define Build/Prepare
$(Build/Configure/Default) $(call Build/Prepare/Default)
awk 'BEGIN { rc = 1 } \ $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))),
/#define MBEDTLS_DEBUG_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_DEBUG_C),,// )#define MBEDTLS_DEBUG_C"; rc = 0 } \ $(foreach opt,$(MBEDTLS_BUILD_OPTS),
{ print } \ $(PKG_BUILD_DIR)/scripts/config.py \
END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \ -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \
>$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \ $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),)
mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h
awk 'BEGIN { rc = 1 } \
/#define MBEDTLS_HKDF_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_HKDF_C),,// )#define MBEDTLS_HKDF_C"; rc = 0 } \
{ print } \
END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \
>$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \
mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h
endef endef
define Build/InstallDev define Build/InstallDev

181
mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch Normal file
View File

@@ -0,0 +1,181 @@
From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 23 Oct 2022 19:48:18 -0400
Subject: [PATCH 1/4] x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
include/mbedtls/x509_crt.h | 2 +-
library/x509_crt.c | 115 +++++++++++++++++++++++++++++--------
2 files changed, 93 insertions(+), 24 deletions(-)
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char *
* \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its
- * Subject name. Currently only DNS names are supported. This
+ * Subject name. DNS names and IP addresses are supported. This
* may be \c NULL if the CN need not be verified.
* \param flags The address at which to store the result of the verification.
* If the verification couldn't be completed, the flag value is
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2986,6 +2986,54 @@ find_parent:
}
}
+#ifdef _WIN32
+/* ??? */
+#elif defined(__sun)
+/* Solaris requires -lsocket -lnsl for inet_pton() */
+#elif defined(__has_include)
+#if __has_include(<sys/socket.h>)
+#include <sys/socket.h>
+#endif
+#if __has_include(<arpa/inet.h>)
+#include <arpa/inet.h>
+#endif
+#endif
+
+/* Use whether or not AF_INET6 is defined to indicate whether or not to use
+ * the platform inet_pton() or a local implementation (below). The local
+ * implementation may be used even in cases where the platform provides
+ * inet_pton(), e.g. when there are different includes required and/or the
+ * platform implementation requires dependencies on additional libraries.
+ * Specifically, Windows requires custom includes and additional link
+ * dependencies, and Solaris requires additional link dependencies.
+ * Also, as a coarse heuristic, use the local implementation if the compiler
+ * does not support __has_include(), or if the definition of AF_INET6 is not
+ * provided by headers included (or not) via __has_include() above. */
+#ifndef AF_INET6
+
+#define x509_cn_inet_pton( cn, dst ) ( 0 )
+
+#else
+
+static int x509_inet_pton_ipv6( const char *src, void *dst )
+{
+ return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 );
+}
+
+static int x509_inet_pton_ipv4( const char *src, void *dst )
+{
+ return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 );
+}
+
+#endif /* AF_INET6 */
+
+static size_t x509_cn_inet_pton( const char *cn, void *dst )
+{
+ return( strchr( cn, ':' ) == NULL
+ ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0
+ : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 );
+}
+
/*
* Check for CN match
*/
@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed
return( -1 );
}
+static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len )
+{
+ uint32_t ip[4];
+ cn_len = x509_cn_inet_pton( cn, ip );
+ if( cn_len == 0 )
+ return( -1 );
+
+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
+ {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
+ cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 )
+ return( 0 );
+ }
+
+ return( -1 );
+}
+
/*
* Check for SAN match, see RFC 5280 Section 4.2.1.6
*/
-static int x509_crt_check_san( const mbedtls_x509_buf *name,
+static int x509_crt_check_san( const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len )
{
- const unsigned char san_type = (unsigned char) name->tag &
- MBEDTLS_ASN1_TAG_VALUE_MASK;
-
- /* dNSName */
- if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
- return( x509_crt_check_cn( name, cn, cn_len ) );
-
- /* (We may handle other types here later.) */
+ int san_ip = 0;
+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
+ {
+ switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK )
+ {
+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
+ if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
+ return( 0 );
+ break;
+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
+ san_ip = 1;
+ break;
+ /* (We may handle other types here later.) */
+ default: /* Unrecognized type */
+ break;
+ }
+ }
- /* Unrecognized type */
- return( -1 );
+ return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 );
}
/*
@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const
uint32_t *flags )
{
const mbedtls_x509_name *name;
- const mbedtls_x509_sequence *cur;
size_t cn_len = strlen( cn );
if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
{
- for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
- {
- if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
- break;
- }
-
- if( cur == NULL )
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+ if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 )
+ return;
}
else
{
@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const
if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
{
- break;
+ return;
}
}
- if( name == NULL )
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
}
+
+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
}
/*

390
mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch Normal file
View File

@@ -0,0 +1,390 @@
From dfb6015ca79a9fee28f7fcb0af7e350a83574b83 Mon Sep 17 00:00:00 2001
From: "Markku-Juhani O. Saarinen" <mjos@mjos.fi>
Date: Mon, 20 Nov 2017 14:58:41 +0000
Subject: Implements AES and GCM with ARMv8 Crypto Extensions
A compact patch that provides AES and GCM implementations that utilize the
ARMv8 Crypto Extensions. The config flag is MBEDTLS_ARMV8CE_AES_C, which
is disabled by default as we don't do runtime checking for the feature.
The new implementation lives in armv8ce_aes.c.
Provides similar functionality to https://github.com/ARMmbed/mbedtls/pull/432
Thanks to Barry O'Rourke and others for that contribtion.
Tested on a Cortex A53 device and QEMU. On a midrange phone the real AES-GCM
throughput increases about 4x, while raw AES speed is up to 10x faster.
When cross-compiling, you want to set something like:
export CC='aarch64-linux-gnu-gcc'
export CFLAGS='-Ofast -march=armv8-a+crypto'
scripts/config.pl set MBEDTLS_ARMV8CE_AES_C
QEMU seems to also need
export LDFLAGS='-static'
Then run normal make or cmake etc.
---
--- /dev/null
+++ b/ChangeLog.d/armv8_crypto_extensions.txt
@@ -0,0 +1,2 @@
+Features
+ * Support ARMv8 Cryptography Extensions for AES and GCM.
--- /dev/null
+++ b/include/mbedtls/armv8ce_aes.h
@@ -0,0 +1,63 @@
+/**
+ * \file armv8ce_aes.h
+ *
+ * \brief ARMv8 Cryptography Extensions -- Optimized code for AES and GCM
+ */
+
+/*
+ *
+ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ARMV8CE_AES_H
+#define MBEDTLS_ARMV8CE_AES_H
+
+#include "aes.h"
+
+/**
+ * \brief [ARMv8 Crypto Extensions] AES-ECB block en(de)cryption
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input 16-byte input block
+ * \param output 16-byte output block
+ *
+ * \return 0 on success (cannot fail)
+ */
+
+int mbedtls_armv8ce_aes_crypt_ecb( mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16] );
+
+/**
+ * \brief [ARMv8 Crypto Extensions] Multiply in GF(2^128) for GCM
+ *
+ * \param c Result
+ * \param a First operand
+ * \param b Second operand
+ *
+ * \note Both operands and result are bit strings interpreted as
+ * elements of GF(2^128) as per the GCM spec.
+ */
+
+void mbedtls_armv8ce_gcm_mult( unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16] );
+
+#endif /* MBEDTLS_ARMV8CE_AES_H */
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -72,6 +72,10 @@
#error "MBEDTLS_AESNI_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_ARMV8CE_AES_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_ARMV8CE_AES_C defined, but not all prerequisites"
+#endif
+
#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
#endif
@@ -956,3 +960,4 @@
typedef int mbedtls_iso_c_forbids_empty_translation_units;
#endif /* MBEDTLS_CHECK_CONFIG_H */
+
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -46,6 +46,7 @@
* Requires support for asm() in compiler.
*
* Used in:
+ * library/armv8ce_aes.c
* library/aria.c
* library/timing.c
* include/mbedtls/bn_mul.h
@@ -2331,6 +2332,21 @@
#define MBEDTLS_AESNI_C
/**
+ * \def MBEDTLS_ARMV8CE_AES_C
+ *
+ * Enable ARMv8 Crypto Extensions for AES and GCM
+ *
+ * Module: library/armv8ce_aes.c
+ * Caller: library/aes.c
+ * library/gcm.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This module adds support for Armv8 Cryptography Extensions for AES and GCM.
+ */
+//#define MBEDTLS_ARMV8CE_AES_C
+
+/**
* \def MBEDTLS_AES_C
*
* Enable the AES block cipher.
--- a/library/aes.c
+++ b/library/aes.c
@@ -39,7 +39,9 @@
#if defined(MBEDTLS_AESNI_C)
#include "mbedtls/aesni.h"
#endif
-
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+#include "mbedtls/armv8ce_aes.h"
+#endif
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_AES_ALT)
@@ -992,6 +994,11 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_c
return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
#endif
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+ // We don't do runtime checking for ARMv8 Crypto Extensions
+ return mbedtls_armv8ce_aes_crypt_ecb( ctx, mode, input, output );
+#endif
+
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
if( aes_padlock_ace )
{
--- /dev/null
+++ b/library/armv8ce_aes.c
@@ -0,0 +1,142 @@
+/*
+ * ARMv8 Cryptography Extensions -- Optimized code for AES and GCM
+ *
+ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+
+#include <arm_neon.h>
+#include "mbedtls/armv8ce_aes.h"
+
+#ifndef asm
+#define asm __asm
+#endif
+
+/*
+ * [Armv8 Cryptography Extensions] AES-ECB block en(de)cryption
+ */
+
+#if defined(MBEDTLS_AES_C)
+
+int mbedtls_armv8ce_aes_crypt_ecb( mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16] )
+{
+ unsigned int i;
+ const uint8_t *rk;
+ uint8x16_t x, k;
+
+ x = vld1q_u8( input ); /* input block */
+ rk = (const uint8_t *) ctx->rk; /* round keys */
+
+ if( mode == MBEDTLS_AES_ENCRYPT )
+ {
+ for( i = ctx->nr - 1; i != 0; i-- ) /* encryption loop */
+ {
+ k = vld1q_u8( rk );
+ rk += 16;
+ x = vaeseq_u8( x, k );
+ x = vaesmcq_u8( x );
+ }
+ k = vld1q_u8( rk );
+ rk += 16;
+ x = vaeseq_u8( x, k );
+ }
+ else
+ {
+ for( i = ctx->nr - 1; i != 0 ; i-- ) /* decryption loop */
+ {
+ k = vld1q_u8( rk );
+ rk += 16;
+ x = vaesdq_u8( x, k );
+ x = vaesimcq_u8( x );
+ }
+ k = vld1q_u8( rk );
+ rk += 16;
+ x = vaesdq_u8( x, k );
+ }
+
+ k = vld1q_u8( rk ); /* final key just XORed */
+ x = veorq_u8( x, k );
+ vst1q_u8( output, x ); /* write out */
+
+ return ( 0 );
+}
+
+#endif /* MBEDTLS_AES_C */
+
+
+/*
+ * [Armv8 Cryptography Extensions] Multiply in GF(2^128) for GCM
+ */
+
+#if defined(MBEDTLS_GCM_C)
+
+void mbedtls_armv8ce_gcm_mult( unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16] )
+{
+ /* GCM's GF(2^128) polynomial basis is x^128 + x^7 + x^2 + x + 1 */
+ const uint64x2_t base = { 0, 0x86 }; /* note missing LS bit */
+
+ register uint8x16_t vc asm( "v0" ); /* named registers */
+ register uint8x16_t va asm( "v1" ); /* (to avoid conflict) */
+ register uint8x16_t vb asm( "v2" );
+ register uint64x2_t vp asm( "v3" );
+
+ va = vld1q_u8( a ); /* load inputs */
+ vb = vld1q_u8( b );
+ vp = base;
+
+ asm (
+ "rbit %1.16b, %1.16b \n\t" /* reverse bit order */
+ "rbit %2.16b, %2.16b \n\t"
+ "pmull2 %0.1q, %1.2d, %2.2d \n\t" /* v0 = a.hi * b.hi */
+ "pmull2 v4.1q, %0.2d, %3.2d \n\t" /* mul v0 by x^64, reduce */
+ "ext %0.16b, %0.16b, %0.16b, #8 \n\t"
+ "eor %0.16b, %0.16b, v4.16b \n\t"
+ "ext v5.16b, %2.16b, %2.16b, #8 \n\t" /* (swap hi and lo in b) */
+ "pmull v4.1q, %1.1d, v5.1d \n\t" /* v0 ^= a.lo * b.hi */
+ "eor %0.16b, %0.16b, v4.16b \n\t"
+ "pmull2 v4.1q, %1.2d, v5.2d \n\t" /* v0 ^= a.hi * b.lo */
+ "eor %0.16b, %0.16b, v4.16b \n\t"
+ "pmull2 v4.1q, %0.2d, %3.2d \n\t" /* mul v0 by x^64, reduce */
+ "ext %0.16b, %0.16b, %0.16b, #8 \n\t"
+ "eor %0.16b, %0.16b, v4.16b \n\t"
+ "pmull v4.1q, %1.1d, %2.1d \n\t" /* v0 ^= a.lo * b.lo */
+ "eor %0.16b, %0.16b, v4.16b \n\t"
+ "rbit %0.16b, %0.16b \n\t" /* reverse bits for output */
+ : "=w" (vc) /* q0: output */
+ : "w" (va), "w" (vb), "w" (vp) /* q1, q2: input */
+ : "v4", "v5" /* q4, q5: clobbered */
+ );
+
+ vst1q_u8( c, vc ); /* write out */
+}
+
+#endif /* MBEDTLS_GCM_C */
+
+#endif /* MBEDTLS_ARMV8CE_AES_C */
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -15,6 +15,7 @@ set(src_crypto
aesni.c
arc4.c
aria.c
+ armv8ce_aes.c
asn1parse.c
asn1write.c
base64.c
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -42,6 +42,10 @@
#include "mbedtls/aesni.h"
#endif
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+#include "mbedtls/armv8ce_aes.h"
+#endif
+
#if !defined(MBEDTLS_GCM_ALT)
/* Parameter validation macros */
@@ -79,6 +83,12 @@ static int gcm_gen_table( mbedtls_gcm_co
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
return( ret );
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+ // we don't do feature testing with ARMv8 cryptography extensions
+ memcpy( ctx ->HL, h, 16 ); // put H at the beginning of buffer
+ return( 0 ); // that's all we need
+#endif
+
/* pack h as two 64-bits ints, big-endian */
hi = MBEDTLS_GET_UINT32_BE( h, 0 );
lo = MBEDTLS_GET_UINT32_BE( h, 4 );
@@ -188,6 +198,11 @@ static void gcm_mult( mbedtls_gcm_contex
unsigned char lo, hi, rem;
uint64_t zh, zl;
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+ mbedtls_armv8ce_gcm_mult( output, x, (const unsigned char *) ctx->HL );
+ return;
+#endif
+
#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
unsigned char h[16];
--- a/library/Makefile
+++ b/library/Makefile
@@ -74,6 +74,7 @@ OBJS_CRYPTO= \
aria.o \
asn1parse.o \
asn1write.o \
+ armv8ce_aes.o \
base64.o \
bignum.o \
blowfish.o \
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -624,6 +624,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_AESNI_C)
"MBEDTLS_AESNI_C",
#endif /* MBEDTLS_AESNI_C */
+#if defined(MBEDTLS_ARMV8CE_AES_C)
+ "MBEDTLS_ARMV8CE_AES_C",
+#endif /* MBEDTLS_ARMV8CE_AES_C */
#if defined(MBEDTLS_AES_C)
"MBEDTLS_AES_C",
#endif /* MBEDTLS_AES_C */

228
mbedtls/patches/200-config.patch
View File

@@ -1,228 +0,0 @@
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -670,14 +670,14 @@
*
* Enable Output Feedback mode (OFB) for symmetric ciphers.
*/
-#define MBEDTLS_CIPHER_MODE_OFB
+//#define MBEDTLS_CIPHER_MODE_OFB
/**
* \def MBEDTLS_CIPHER_MODE_XTS
*
* Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
*/
-#define MBEDTLS_CIPHER_MODE_XTS
+//#define MBEDTLS_CIPHER_MODE_XTS
/**
* \def MBEDTLS_CIPHER_NULL_CIPHER
@@ -795,20 +795,20 @@
* Comment macros to disable the curve and functions for it
*/
/* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#define MBEDTLS_ECP_DP_BP256R1_ENABLED
-#define MBEDTLS_ECP_DP_BP384R1_ENABLED
-#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+//#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+//#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+//#define MBEDTLS_ECP_DP_BP512R1_ENABLED
/* Montgomery curves (supporting ECP) */
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+//#define MBEDTLS_ECP_DP_CURVE448_ENABLED
/**
* \def MBEDTLS_ECP_NIST_OPTIM
@@ -961,7 +961,7 @@
* See dhm.h for more details.
*
*/
-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -981,7 +981,7 @@
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
*/
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -1006,7 +1006,7 @@
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
*/
-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
@@ -1140,7 +1140,7 @@
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
*/
-#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -1164,7 +1164,7 @@
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
*/
-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -1268,7 +1268,7 @@
* This option is only useful if both MBEDTLS_SHA256_C and
* MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
*/
-//#define MBEDTLS_ENTROPY_FORCE_SHA256
+#define MBEDTLS_ENTROPY_FORCE_SHA256
/**
* \def MBEDTLS_ENTROPY_NV_SEED
@@ -1483,14 +1483,14 @@
* Uncomment this macro to disable the use of CRT in RSA.
*
*/
-//#define MBEDTLS_RSA_NO_CRT
+#define MBEDTLS_RSA_NO_CRT
/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
*/
-#define MBEDTLS_SELF_TEST
+//#define MBEDTLS_SELF_TEST
/**
* \def MBEDTLS_SHA256_SMALLER
@@ -1761,7 +1761,7 @@
* configuration of this extension).
*
*/
-#define MBEDTLS_SSL_RENEGOTIATION
+//#define MBEDTLS_SSL_RENEGOTIATION
/**
* \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -2022,7 +2022,7 @@
*
* Comment this macro to disable support for truncated HMAC in SSL
*/
-#define MBEDTLS_SSL_TRUNCATED_HMAC
+//#define MBEDTLS_SSL_TRUNCATED_HMAC
/**
* \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
@@ -2201,7 +2201,7 @@
*
* Comment this to disable run-time checking and save ROM space
*/
-#define MBEDTLS_VERSION_FEATURES
+//#define MBEDTLS_VERSION_FEATURES
/**
* \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
@@ -2550,7 +2550,7 @@
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
*/
-#define MBEDTLS_CAMELLIA_C
+//#define MBEDTLS_CAMELLIA_C
/**
* \def MBEDTLS_ARIA_C
@@ -2616,7 +2616,7 @@
* This module enables the AES-CCM ciphersuites, if other requisites are
* enabled as well.
*/
-#define MBEDTLS_CCM_C
+//#define MBEDTLS_CCM_C
/**
* \def MBEDTLS_CERTS_C
@@ -2628,7 +2628,7 @@
*
* This module is used for testing (ssl_client/server).
*/
-#define MBEDTLS_CERTS_C
+//#define MBEDTLS_CERTS_C
/**
* \def MBEDTLS_CHACHA20_C
@@ -2741,7 +2741,7 @@
* \warning DES is considered a weak cipher and its use constitutes a
* security risk. We recommend considering stronger ciphers instead.
*/
-#define MBEDTLS_DES_C
+//#define MBEDTLS_DES_C
/**
* \def MBEDTLS_DHM_C
@@ -2906,7 +2906,7 @@
* This module adds support for the Hashed Message Authentication Code
* (HMAC)-based key derivation function (HKDF).
*/
-#define MBEDTLS_HKDF_C
+//#define MBEDTLS_HKDF_C
/**
* \def MBEDTLS_HMAC_DRBG_C
@@ -3219,7 +3219,7 @@
*
* This module enables abstraction of common (libc) functions.
*/
-#define MBEDTLS_PLATFORM_C
+//#define MBEDTLS_PLATFORM_C
/**
* \def MBEDTLS_POLY1305_C
@@ -3295,7 +3295,7 @@
* Caller: library/md.c
*
*/
-#define MBEDTLS_RIPEMD160_C
+//#define MBEDTLS_RIPEMD160_C
/**
* \def MBEDTLS_RSA_C
@@ -3506,7 +3506,7 @@
*
* This module provides run-time version information.
*/
-#define MBEDTLS_VERSION_C
+//#define MBEDTLS_VERSION_C
/**
* \def MBEDTLS_X509_USE_C
@@ -3616,7 +3616,7 @@
* Module: library/xtea.c
* Caller:
*/
-#define MBEDTLS_XTEA_C
+//#define MBEDTLS_XTEA_C
/** \} name SECTION: mbed TLS modules */

28
mhz/Makefile Normal file
View File

@@ -0,0 +1,28 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=mhz
PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=https://github.com/wtarreau/mhz.git
PKG_SOURCE_DATE:=2022-08-18
PKG_SOURCE_VERSION:=6ec38cbb1371d20078a7a5059dd9faa5b281b2d9
PKG_MIRROR_HASH:=37559cc8b5e08d23c09878d63cf81ea8d123be45408f3e76e1dc042766a746a7
PKG_MAINTAINER:=Robert Marko <robimarko@gmail.com>
include $(INCLUDE_DIR)/package.mk
define Package/mhz
SECTION:=utils
CATEGORY:=Utilities
TITLE:=CPU frequency measurement utility
URL:=https://github.com/wtarreau/mhz
endef
define Package/mhz/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mhz $(1)/usr/sbin/
endef
$(eval $(call BuildPackage,mhz))

86
nftables/Makefile Normal file
View File

@@ -0,0 +1,86 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2015 OpenWrt.org
#
include $(TOPDIR)/rules.mk
PKG_NAME:=nftables
PKG_VERSION:=1.0.6
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://netfilter.org/projects/$(PKG_NAME)/files
PKG_HASH:=2407430ddd82987670e48dc2fda9e280baa8307abec04ab18d609df3db005e4c
PKG_MAINTAINER:=
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
include $(INCLUDE_DIR)/package.mk
DISABLE_NLS:=
CONFIGURE_ARGS += \
--disable-debug \
--disable-man-doc \
--with-mini-gmp \
--without-cli \
--disable-python
define Package/nftables/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Firewall
TITLE:=nftables userspace utility
DEPENDS:=+kmod-nft-core +libnftnl
URL:=http://netfilter.org/projects/nftables/
PROVIDES:=nftables
endef
define Package/nftables-nojson
$(Package/nftables/Default)
TITLE+= no JSON support
VARIANT:=nojson
DEFAULT_VARIANT:=1
CONFLICTS:=nftables-json
endef
define Package/nftables-json
$(Package/nftables/Default)
TITLE+= with JSON support
VARIANT:=json
DEPENDS+=+jansson
endef
ifeq ($(BUILD_VARIANT),json)
CONFIGURE_ARGS += --with-json
endif
TARGET_CFLAGS += -flto
TARGET_LDFLAGS += -flto
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/lib $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/include/nftables $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnftables.pc \
$(1)/usr/lib/pkgconfig/
endef
define Package/nftables/install/Default
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/nft $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib/
endef
Package/nftables-nojson/install = $(Package/nftables/install/Default)
Package/nftables-json/install = $(Package/nftables/install/Default)
$(eval $(call BuildPackage,nftables-nojson))
$(eval $(call BuildPackage,nftables-json))

209
nftables/patches/002-nftables-add-fullcone-expression-support.patch Normal file
View File

@@ -0,0 +1,209 @@
From 58c89e8768711a959fdc6e953df3ea2254ff93c1 Mon Sep 17 00:00:00 2001
From: Syrone Wong <wong.syrone@gmail.com>
Date: Sat, 9 Apr 2022 00:38:51 +0800
Subject: [PATCH] nftables: add fullcone expression support
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
---
include/linux/netfilter/nf_tables.h | 16 ++++++++++
include/statement.h | 1 +
src/netlink_delinearize.c | 48 +++++++++++++++++++++++++++++
src/netlink_linearize.c | 7 +++++
src/parser_bison.y | 28 +++++++++++++++--
src/scanner.l | 1 +
src/statement.c | 1 +
7 files changed, 100 insertions(+), 2 deletions(-)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1436,6 +1436,22 @@ enum nft_masq_attributes {
#define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1)
/**
+ * enum nft_fullcone_attributes - nf_tables fullcone expression attributes
+ *
+ * @NFTA_FULLCONE_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
+ * @NFTA_FULLCONE_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
+ * @NFTA_FULLCONE_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ */
+enum nft_fullcone_attributes {
+ NFTA_FULLCONE_UNSPEC,
+ NFTA_FULLCONE_FLAGS,
+ NFTA_FULLCONE_REG_PROTO_MIN,
+ NFTA_FULLCONE_REG_PROTO_MAX,
+ __NFTA_FULLCONE_MAX
+};
+#define NFTA_FULLCONE_MAX (__NFTA_FULLCONE_MAX - 1)
+
+/**
* enum nft_redir_attributes - nf_tables redirect expression netlink attributes
*
* @NFTA_REDIR_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
--- a/include/statement.h
+++ b/include/statement.h
@@ -122,6 +122,7 @@ enum nft_nat_etypes {
__NFT_NAT_SNAT = NFT_NAT_SNAT,
__NFT_NAT_DNAT = NFT_NAT_DNAT,
NFT_NAT_MASQ,
+ NFT_NAT_FULLCONE,
NFT_NAT_REDIR,
};
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1370,6 +1370,53 @@ out_err:
stmt_free(stmt);
}
+static void netlink_parse_fullcone(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers reg1, reg2;
+ struct expr *proto;
+ struct stmt *stmt;
+ uint32_t flags = 0;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_FULLCONE_FLAGS))
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_FULLCONE_FLAGS);
+
+ stmt = nat_stmt_alloc(loc, NFT_NAT_FULLCONE);
+ stmt->nat.flags = flags;
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_FULLCONE_REG_PROTO_MIN);
+ if (reg1) {
+ proto = netlink_get_register(ctx, loc, reg1);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "fullcone statement has no proto expression");
+ goto out_err;
+ }
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ stmt->nat.proto = proto;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_FULLCONE_REG_PROTO_MAX);
+ if (reg2 && reg2 != reg1) {
+ proto = netlink_get_register(ctx, loc, reg2);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "fullcone statement has no proto expression");
+ goto out_err;
+ }
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+ stmt->nat.proto = proto;
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ stmt_free(stmt);
+}
+
static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
@@ -1796,6 +1843,7 @@ static const struct expr_handler netlink
{ .name = "tproxy", .parse = netlink_parse_tproxy },
{ .name = "notrack", .parse = netlink_parse_notrack },
{ .name = "masq", .parse = netlink_parse_masq },
+ { .name = "fullcone", .parse = netlink_parse_fullcone },
{ .name = "redir", .parse = netlink_parse_redir },
{ .name = "dup", .parse = netlink_parse_dup },
{ .name = "queue", .parse = netlink_parse_queue },
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1140,6 +1140,13 @@ static void netlink_gen_nat_stmt(struct
nftnl_reg_pmin = NFTNL_EXPR_MASQ_REG_PROTO_MIN;
nftnl_reg_pmax = NFTNL_EXPR_MASQ_REG_PROTO_MAX;
break;
+ case NFT_NAT_FULLCONE:
+ nle = alloc_nft_expr("fullcone");
+
+ nftnl_flag_attr = NFTNL_EXPR_FULLCONE_FLAGS;
+ nftnl_reg_pmin = NFTNL_EXPR_FULLCONE_REG_PROTO_MIN;
+ nftnl_reg_pmax = NFTNL_EXPR_FULLCONE_REG_PROTO_MAX;
+ break;
case NFT_NAT_REDIR:
nle = alloc_nft_expr("redir");
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -582,6 +582,7 @@ int nft_lex(void *, void *, void *);
%token SNAT "snat"
%token DNAT "dnat"
%token MASQUERADE "masquerade"
+%token FULLCONE "fullcone"
%token REDIRECT "redirect"
%token RANDOM "random"
%token FULLY_RANDOM "fully-random"
@@ -716,8 +717,8 @@ int nft_lex(void *, void *, void *);
%type <val> limit_burst_pkts limit_burst_bytes limit_mode limit_bytes time_unit quota_mode
%type <stmt> reject_stmt reject_stmt_alloc
%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
-%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
-%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
+%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc fullcone_stmt fullcone_stmt_alloc redir_stmt redir_stmt_alloc
+%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc fullcone_stmt fullcone_stmt_alloc redir_stmt redir_stmt_alloc
%type <val> nf_nat_flags nf_nat_flag offset_opt
%type <stmt> tproxy_stmt
%destructor { stmt_free($$); } tproxy_stmt
@@ -2877,6 +2878,7 @@ stmt : verdict_stmt
| queue_stmt
| ct_stmt
| masq_stmt close_scope_nat
+ | fullcone_stmt close_scope_nat
| redir_stmt close_scope_nat
| dup_stmt close_scope_dup
| fwd_stmt close_scope_fwd
@@ -3773,6 +3775,28 @@ masq_stmt_args : TO COLON stmt_expr
{
$<stmt>0->nat.proto = $3;
}
+ | TO COLON stmt_expr nf_nat_flags
+ {
+ $<stmt>0->nat.proto = $3;
+ $<stmt>0->nat.flags = $4;
+ }
+ | nf_nat_flags
+ {
+ $<stmt>0->nat.flags = $1;
+ }
+ ;
+
+fullcone_stmt : fullcone_stmt_alloc fullcone_stmt_args
+ | fullcone_stmt_alloc
+ ;
+
+fullcone_stmt_alloc : FULLCONE { $$ = nat_stmt_alloc(&@$, NFT_NAT_FULLCONE); }
+ ;
+
+fullcone_stmt_args : TO COLON stmt_expr
+ {
+ $<stmt>0->nat.proto = $3;
+ }
| TO COLON stmt_expr nf_nat_flags
{
$<stmt>0->nat.proto = $3;
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -449,6 +449,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr
"snat" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return SNAT; }
"dnat" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return DNAT; }
"masquerade" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return MASQUERADE; }
+"fullcone" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return FULLCONE; }
"redirect" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return REDIRECT; }
"random" { return RANDOM; }
<SCANSTATE_STMT_NAT>{
--- a/src/statement.c
+++ b/src/statement.c
@@ -650,6 +650,7 @@ const char *nat_etype2str(enum nft_nat_e
[NFT_NAT_SNAT] = "snat",
[NFT_NAT_DNAT] = "dnat",
[NFT_NAT_MASQ] = "masquerade",
+ [NFT_NAT_FULLCONE] = "fullcone",
[NFT_NAT_REDIR] = "redirect",
};

4
v2ray-geodata/Makefile
View File

@@ -21,13 +21,13 @@ define Download/geoip
HASH:=958b34017682aa28d2bf7f0368cdb62934c5623bf405d96ab12e54e320adfea0 HASH:=958b34017682aa28d2bf7f0368cdb62934c5623bf405d96ab12e54e320adfea0
endef endef
GEOSITE_VER:=20230223064004 GEOSITE_VER:=20230224040844
GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER) GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER)
define Download/geosite define Download/geosite
URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/ URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/
URL_FILE:=dlc.dat URL_FILE:=dlc.dat
FILE:=$(GEOSITE_FILE) FILE:=$(GEOSITE_FILE)
HASH:=40e34b30913798af6fc9fe0ed4d051f914de1c67d4e8f0d24522673c1759f1bc HASH:=f378ffb59ea2a97c47f897bec196b67de15066e84a182454630bceca2ef8d0b6
endef endef
define Package/v2ray-geodata/template define Package/v2ray-geodata/template