海运的博客 (Haiyun's blog)

dnsmasq: filtering/blocking IPv6 (AAAA) queries for a domain

Published: December 16, 2019 // Category: // 2 Comments

The latest dnsmasq release, 2.80, adds an option to return an empty answer for a specified domain, which can be used to filter IPv6 queries:

# block IPv6 (AAAA) queries for all com domains
server=/com/8.8.8.8
address=/com/::
# filter IPv6 (AAAA) queries for all domains
server=/#/8.8.8.8
address=/#/::
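To check what a pair of server=/address= lines will do before putting them on a resolver, the following added example (not dnsmasq's own code, and not from this post) models dnsmasq's documented domain matching: the most specific matching domain wins, "#" matches every name, and an address of :: or 0.0.0.0 means an empty (NODATA) reply for that address family while the other family still follows the server= rule. The CONFIG_MIXED rule for v6.example.com and the blocked.test rule are constructed to show specificity and the NXDOMAIN form.

```python
"""Model of dnsmasq's server=/address= domain matching.

Added example, not dnsmasq's own code: it re-implements the documented
suffix matching (the most specific matching domain wins, '#' matches
every name) for the 2.80 behaviour the post relies on, so the effect
of a config can be checked offline before it goes on a resolver.
"""
import ipaddress

# The two snippets from the post, plus one constructed extra rule.
CONFIG_COM = "server=/com/8.8.8.8\naddress=/com/::\n"
CONFIG_ALL = "server=/#/8.8.8.8\naddress=/#/::\n"
CONFIG_MIXED = CONFIG_COM + "address=/v6.example.com/2001:db8::1\n"


def parse_rules(config_text):
    """Return (kind, domain, value) triples from server= and address= lines."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, _, rest = line.partition('=')
        if key not in ('server', 'address') or not rest.startswith('/'):
            continue                      # plain 'server=1.1.1.1' has no domain part
        parts = rest.split('/')           # '/a/b/VALUE' -> ['', 'a', 'b', 'VALUE']
        value = parts[-1]
        for domain in parts[1:-1]:
            rules.append((key, domain.lower().rstrip('.'), value))
    return rules


def _matches(domain, qname):
    """Suffix match at label boundaries: 'com' matches 'com' and 'x.com', not 'xcom'."""
    return domain == '#' or qname == domain or qname.endswith('.' + domain)


def best_rule(rules, kind, qname):
    """Most specific rule of the given kind for qname, or None ('#' is least specific)."""
    qname = qname.lower().rstrip('.')
    cands = [r for r in rules if r[0] == kind and _matches(r[1], qname)]
    if not cands:
        return None
    return max(cands, key=lambda r: -1 if r[1] == '#' else len(r[1]))


def resolve_action(rules, qname, qtype):
    """Describe what dnsmasq does with an A/AAAA query under these rules.

    address=/d/:: answers AAAA locally with an empty (NODATA) reply and
    address=/d/0.0.0.0 does the same for A; any other address is returned
    as the answer; address=/d/ with no address yields NXDOMAIN. A query for
    the other address family is not answered by that rule and goes to the
    most specific server= rule instead.
    """
    family = {'A': ipaddress.IPv4Address, 'AAAA': ipaddress.IPv6Address}.get(qtype)
    addr = best_rule(rules, 'address', qname)
    if addr is not None and family is not None:
        if addr[2] == '':
            return 'NXDOMAIN'
        ip = ipaddress.ip_address(addr[2])
        if isinstance(ip, family):
            return 'NODATA' if ip.is_unspecified else 'answer %s' % ip
    srv = best_rule(rules, 'server', qname)
    if srv is None:
        return 'forward to default upstream'
    if srv[2] == '':
        return 'local only, not forwarded'
    return 'forward to %s' % srv[2]


if __name__ == '__main__':
    for cfg in (CONFIG_COM, CONFIG_ALL, CONFIG_MIXED):
        rules = parse_rules(cfg)
        for name in ('www.example.com', 'v6.example.com', 'example.org'):
            for qtype in ('A', 'AAAA'):
                print('%-20s %-5s -> %s' % (name, qtype, resolve_action(rules, name, qtype)))
        print()
```

The model is only as good as the rules you feed it; after deploying, confirm on the resolver itself that an AAAA query for a covered name comes back NOERROR with an empty answer section while the A query is still answered.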

dnsmasq 2.78 can use this patch to filter IPv6 AAAA queries:
https://github.com/flyinprogrammer/dnsmasq-alpine-docker
For filtering IPv6 with unbound, see:
https://www.haiyun.me/archives/1303.html

https://discourse.pi-hole.net/t/solved-disable-aaaa-response-for-a-given-domain/13143
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

Cross-compiling OpenSSL and smartdns for PandoraBox/潘多拉 on the K2P (mipsel) under Ubuntu

Published: December 16, 2019 // Category: // No Comments

Set up the cross-compilation environment using the SDK provided by PandoraBox:

apt install build-essential -y
wget https://downloads.pangubox.com/pandorabox/18.10/targets/ralink/mt7621/PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64.tar.xz
tar xf PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64.tar.xz 
mv PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64 PandoraBox
export STAGING_DIR=/root/PandoraBox/staging_dir/
export PKG_CONFIG_PATH=/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/pkgconfig/
export PATH=$PATH:/root/PandoraBox/staging_dir/toolchain-mipsel_1004kc+dsp_gcc-5.5.0_uClibc-1.0.x/bin/
export CC=mipsel-openwrt-linux-gcc
export RANLIB=mipsel-openwrt-linux-ranlib
export AR=mipsel-openwrt-linux-ar
export LD=mipsel-openwrt-linux-ld

The OpenSSL bundled with the PandoraBox SDK is 1.1.0; to get TLS 1.3, build and install the latest OpenSSL 1.1.1:

wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar zxvf openssl-1.1.1d.tar.gz
cd openssl-1.1.1d
./config no-asm shared --prefix=/usr/local/openssl-mipsel
sed -i 's/-m64//g' Makefile
make && make install

Build smartdns:

git clone https://github.com/pymumu/smartdns.git
cd smartdns/src/
CFLAGS=-I/usr/local/openssl-mipsel/include/ LDFLAGS=-L/usr/local/openssl-mipsel/lib/ make
# to skip installing OpenSSL separately and use the SDK's bundled OpenSSL instead:
#CFLAGS=-I/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/include/ LDFLAGS=-L/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/ make

To link OpenSSL statically into the binary, modify the Makefile:

ifeq ($(STATIC), yes)
LDFLAGS += -Wl,-dn -lssl -lcrypto -Wl,-dy -lpthread -ldl -lc -lgcc_eh
#LDFLAGS += -Wl,-dn -lssl -lcrypto -Wl,-dy,--whole-archive -lpthread -Wl,--no-whole-archive -ldl -lc -lgcc_eh
endif

Static build:

STATIC=yes CFLAGS=-I/usr/local/openssl-mipsel/include/ LDFLAGS=-L/usr/local/openssl-mipsel/lib/ make
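After a cross-build it is worth checking what actually came out before copying it to the router: that the ELF really targets 32-bit little-endian MIPS, and how it is linked. Note that the STATIC=yes rule above links only libssl/libcrypto statically (-Wl,-dn ... -Wl,-dy) while libc and libpthread stay dynamic, so the result still carries a PT_INTERP entry for the loader. The following added example (not part of the post or of smartdns) parses the ELF header and program headers with the Python standard library; the sample bytes it builds are constructed headers with no real code, only to make it runnable offline.

```python
"""Check what a cross-build actually produced: a 32-bit little-endian MIPS
ELF, and whether it still needs a dynamic loader.

Added example, not part of the post or of smartdns: it reads the ELF header
and program headers with the standard library only. The sample bytes are
constructed to look like the headers of a mipsel build (no real code).
"""
import struct

EM_MIPS, EM_X86_64 = 8, 62
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EF_MIPS_ABI_O32 = 0x1000


def inspect_elf(data):
    """Return a dict describing the ELF header and program-header types."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    is64 = data[4] == 2                          # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = '<' if data[5] == 1 else '>'        # EI_DATA: 1 = little, 2 = big
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    hdr_fmt = endian + ('HHIQQQIHHHHHH' if is64 else 'HHIIIIIHHHHHH')
    h = struct.unpack_from(hdr_fmt, data, 16)
    e_type, e_machine, e_phoff, e_flags, e_phentsize, e_phnum = h[0], h[1], h[4], h[6], h[8], h[9]
    ph_fmt = endian + ('IIQQQQQQ' if is64 else 'IIIIIIII')   # p_type is first in both
    ptypes = [struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    return {
        'bits': 64 if is64 else 32,
        'little_endian': endian == '<',
        'machine': e_machine,
        'mips': e_machine == EM_MIPS,
        'o32_abi': e_machine == EM_MIPS and bool(e_flags & EF_MIPS_ABI_O32),
        'pie': e_type == 3,                          # ET_DYN
        'needs_interpreter': PT_INTERP in ptypes,    # a dynamic loader is required
        'has_dynamic': PT_DYNAMIC in ptypes,
    }


def inspect_file(path):
    with open(path, 'rb') as f:
        return inspect_elf(f.read())


def verdict(info):
    """One-line summary a build script can print or check."""
    target = 'mipsel' if info['mips'] and info['little_endian'] and info['bits'] == 32 else 'other'
    linkage = 'static' if not info['needs_interpreter'] else 'dynamic (needs ld.so)'
    return '%s, %s' % (target, linkage)


def build_sample(machine=EM_MIPS, dynamic=True):
    """Constructed ELF32 LE header plus program headers only, for offline testing."""
    phdrs = [(PT_LOAD, 0, 0x400000, 0x400000, 0x1000, 0x1000, 5, 0x1000)]
    if dynamic:
        phdrs.insert(0, (PT_INTERP, 0x100, 0x400100, 0x400100, 0x10, 0x10, 4, 1))
        phdrs.append((PT_DYNAMIC, 0x200, 0x400200, 0x400200, 0x80, 0x80, 6, 4))
    ident = b'\x7fELF' + bytes([1, 1, 1, 0]) + b'\x00' * 8   # ELF32, LE, version 1
    flags = (0x70000000 | EF_MIPS_ABI_O32) if machine == EM_MIPS else 0  # mips32r2, o32
    hdr = struct.pack('<HHIIIIIHHHHHH', 2, machine, 1, 0x400000, 52, 0, flags,
                      52, 32, len(phdrs), 40, 0, 0)
    return ident + hdr + b''.join(struct.pack('<IIIIIIII', *p) for p in phdrs)


if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:
        print(path, verdict(inspect_file(path)))
    print('constructed sample:', verdict(inspect_elf(build_sample())))
```

Run it as "python3 elfcheck.py src/smartdns" against the real build output; a binary reported as "other" was linked with the host compiler (a common result when CC is not exported in the same shell), and one reported as "dynamic" will need the matching uClibc on the device.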

If smartdns runs as a non-root user and uses ping for speed testing, it needs cap_net_raw, otherwise it cannot send ICMP pings:

#setcap cap_net_raw+eip /usr/local/bin/smartdns 
# cap_net_bind_service lets a non-root process listen on port 53; ipset requires cap_net_admin
setcap cap_net_bind_service,cap_net_raw,cap_net_admin=+eip /usr/local/bin/smartdns

Or grant them directly in the systemd unit:

AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
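Both the setcap line and the systemd settings above grant the same three bits; what matters afterwards is whether the running process ends up with exactly those and nothing more. The following added example (not part of the post or of smartdns) decodes the Cap* hex masks from /proc/<pid>/status, reports which of the needed capabilities are missing and which extra ones are held, and derives the setcap argument from the same table. The capability bit numbers are the kernel's; the three status texts are constructed samples.

```python
"""Decode Linux capability masks and audit them against the least set
smartdns needs for the setup in the post.

Added example, not part of the post or of smartdns. Bit numbers are the
kernel's (linux/capability.h); the status texts below are constructed
samples in the format of /proc/<pid>/status.
"""

CAP_BITS = {
    'cap_chown': 0, 'cap_dac_override': 1, 'cap_kill': 5, 'cap_setgid': 6,
    'cap_setuid': 7, 'cap_net_bind_service': 10, 'cap_net_admin': 12,
    'cap_net_raw': 13, 'cap_sys_ptrace': 19, 'cap_sys_admin': 21,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

# What the post's setcap line grants, and why each bit is needed.
NEEDED = {
    'cap_net_bind_service': 'bind UDP/TCP port 53 without root',
    'cap_net_raw': 'open raw sockets for the ICMP ping speed test',
    'cap_net_admin': 'add results to ipset',
}


def mask_of(names):
    return sum(1 << CAP_BITS[n] for n in names)


def names_of(mask):
    """Known names for every set bit, 'cap_<n>' for bits not in the table."""
    return [BIT_NAMES.get(b, 'cap_%d' % b) for b in range(64) if mask >> b & 1]


def parse_status(text):
    """Pick the Cap* lines (hex masks) out of /proc/<pid>/status text."""
    caps = {}
    for line in text.splitlines():
        key, _, val = line.partition(':')
        if key in ('CapInh', 'CapPrm', 'CapEff', 'CapBnd', 'CapAmb'):
            caps[key] = int(val.strip(), 16)
    return caps


def audit(effective, needed=NEEDED):
    """Return (missing, excess): needed bits not held, and held bits not needed."""
    need = mask_of(needed)
    missing = sorted(names_of(need & ~effective))
    excess = sorted(names_of(effective & ~need))
    return missing, excess


def setcap_argument(names=NEEDED):
    """File-capability string equivalent to the post's setcap call (order by bit)."""
    return ','.join(sorted(names, key=lambda n: CAP_BITS[n])) + '=+eip'


# Constructed samples: CapEff after setcap, with cap_net_raw only, and as full root.
STATUS_SETCAP = "Name:\tsmartdns\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000003400\n"
STATUS_RAW_ONLY = "Name:\tsmartdns\nCapEff:\t0000000000002000\n"
STATUS_ROOT = "Name:\tsmartdns\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"

if __name__ == '__main__':
    for label, text in (('setcap', STATUS_SETCAP), ('raw only', STATUS_RAW_ONLY),
                        ('root', STATUS_ROOT)):
        missing, excess = audit(parse_status(text)['CapEff'])
        print('%-9s missing=%s excess=%d bit(s)' % (label, missing, len(excess)))
    print('setcap', setcap_argument(), '/usr/local/bin/smartdns')
```

To audit a live process, read /proc/$(pidof smartdns)/status and pass its CapEff value to audit(); a non-empty "missing" list explains a failing ping test or bind on port 53, and a long "excess" list means the service is still running with more than it needs.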

Because a static build with OpenSSL 1.1 produces a large file, if TLS 1.3 is not needed you can instead link dynamically against the SDK's bundled OpenSSL 1.0:

CFLAGS=-I/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/include/ LDFLAGS=-L/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/ make

References:
https://www.boris1993.com/linux/allow-non-root-process-to-bind-low-numbered-ports.html

This content is password protected

Published: December 15, 2019 // Category: // No Comments


Building the bbrplus kernel on Ubuntu/CentOS

Published: December 14, 2019 // Category: // 2 Comments

Install the build environment (CentOS):

yum install -y ncurses-devel make gcc bc bison flex elfutils-libelf-devel openssl-devel rpm-build
yum install -y dpkg-dev # needed to generate deb packages

On Ubuntu:

apt install build-essential libncurses-dev flex bison openssl libssl-dev dkms libelf-dev libudev-dev libpci-dev libiberty-dev autoconf

Download the 4.14 kernel:

wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.14.158.tar.xz
tar xf linux-4.14.158.tar.xz

Patch:

diff -urN aa/include/net/inet_connection_sock.h bb/include/net/inet_connection_sock.h
--- aa/include/net/inet_connection_sock.h       2019-12-14 17:07:48.190502969 +0800
+++ bb/include/net/inet_connection_sock.h       2019-12-14 17:08:06.373215456 +0800
@@ -136,8 +136,8 @@
        } icsk_mtup;
        u32                       icsk_user_timeout;
 
-       u64                       icsk_ca_priv[88 / sizeof(u64)];
-#define ICSK_CA_PRIV_SIZE      (11 * sizeof(u64))
+       u64                       icsk_ca_priv[112 / sizeof(u64)];
+#define ICSK_CA_PRIV_SIZE      (14 * sizeof(u64))
 };
 
 #define ICSK_TIME_RETRANS      1       /* Retransmit timer */
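Review bot: the array bound "112 / sizeof(u64)" on the icsk_ca_priv line and the "(14 * sizeof(u64))" in ICSK_CA_PRIV_SIZE are two separately edited constants that must stay equal (the original 88/11 pair had the same coupling); define one in terms of the other, for example "u64 icsk_ca_priv[ICSK_CA_PRIV_SIZE / sizeof(u64)];" with the macro placed above the struct, so the next resize cannot desynchronise them. The change also grows struct inet_connection_sock, so every module that embeds or indexes it, the in-tree congestion controls included, must be rebuilt from the same tree; the full binrpm-pkg/bindeb-pkg build below covers that, but a tcp_bbrplus.ko built out of tree against stock headers would not match.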
diff -urN aa/net/ipv4/Makefile bb/net/ipv4/Makefile
--- aa/net/ipv4/Makefile        2019-12-14 17:09:40.204731772 +0800
+++ bb/net/ipv4/Makefile        2019-12-14 17:09:47.147621995 +0800
@@ -44,7 +44,7 @@
 obj-$(CONFIG_INET_UDP_DIAG) += udp_diag.o
 obj-$(CONFIG_INET_RAW_DIAG) += raw_diag.o
 obj-$(CONFIG_NET_TCPPROBE) += tcp_probe.o
-obj-$(CONFIG_TCP_CONG_BBR) += tcp_bbr.o
+obj-$(CONFIG_TCP_CONG_BBR) += tcp_bbrplus.o
 obj-$(CONFIG_TCP_CONG_BIC) += tcp_bic.o
 obj-$(CONFIG_TCP_CONG_CDG) += tcp_cdg.o
 obj-$(CONFIG_TCP_CONG_CUBIC) += tcp_cubic.o
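Review bot: replacing tcp_bbr.o with tcp_bbrplus.o under the same CONFIG_TCP_CONG_BBR symbol removes the stock bbr module from the build rather than adding a second one, so net.ipv4.tcp_congestion_control=bbr stops being available and the Kconfig help text for TCP_CONG_BBR no longer describes what is built; a separate CONFIG_TCP_CONG_BBRPLUS entry in net/ipv4/Kconfig with "obj-$(CONFIG_TCP_CONG_BBRPLUS) += tcp_bbrplus.o" keeps both selectable and makes the new option visible in make menuconfig.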
diff -urN aa/net/ipv4/tcp_output.c bb/net/ipv4/tcp_output.c
--- aa/net/ipv4/tcp_output.c    2019-12-14 17:08:48.488549518 +0800
+++ bb/net/ipv4/tcp_output.c    2019-12-14 17:08:55.061445594 +0800
@@ -1834,6 +1834,7 @@
 
        return !after(end_seq, tcp_wnd_end(tp));
 }
+EXPORT_SYMBOL(tcp_snd_wnd_test);
 
 /* Trim TSO SKB to LEN bytes, put the remaining data into a new packet
  * which is put after SKB on the list.  It is very much like
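Review bot: EXPORT_SYMBOL(tcp_snd_wnd_test) on its own is not enough for a module to call the function: in 4.14 tcp_snd_wnd_test() is declared static in tcp_output.c, just above this hunk's context, and has no prototype in include/net/tcp.h, so the hunk should also drop the static qualifier and add a declaration to the header (or the out-of-tree tcp_bbrplus.c must carry its own prototype); a short comment naming the module that needs the export would help whoever rebases this onto a newer kernel.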

Download the tcp_bbrplus source:

wget -P net/ipv4/ https://raw.githubusercontent.com/cx9208/bbrplus/master/tcp_bbrplus.c

Open the build configuration and enable building BBR as a module:

make menuconfig

Disable module signing and debug info:

scripts/config --disable MODULE_SIG
scripts/config --disable DEBUG_INFO

Build the kernel into a CentOS rpm or Ubuntu deb package. Note that make rpm-pkg runs a clean before every build, so repeated builds are very slow!

make binrpm-pkg -j4
make bindeb-pkg -j4 

Enable bbrplus:

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbrplus" >> /etc/sysctl.conf
sysctl -p

Prevent Ubuntu from updating the kernel:

for pkg in $(dpkg -l | awk '/linux-(generic|headers|image|libc|modules)/{print $2}'); do
    echo $pkg
    apt-mark hold $pkg
done

Update 2021-01-02:
The 4.14 kernel is now very old and causes compatibility problems on newer systems, and BBR in newer kernels keeps being updated and optimized, so it is recommended to download and install the latest kernel instead.
How to install the latest kernel on CentOS: https://www.haiyun.me/archives/1139.html
How to install the latest kernel on Ubuntu: https://www.haiyun.me/archives/1344.html
Check the BBR update status for a given kernel version:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/net/ipv4/tcp_bbr.c?h=v5.10.4
Check the BBR update status in the Ubuntu kernel source:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/log/net/ipv4/tcp_bbr.c?h=Ubuntu-5.4.0-59.65
References:
https://github.com/cx9208/bbrplus
https://blog.csdn.net/dog250/article/details/80629551

Switching Ubuntu to a specific kernel version

Published: December 14, 2019 // Category: // No Comments

Choose the kernel version to download from https://kernel.ubuntu.com/~kernel-ppa/mainline/

cd /tmp
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.10.4/amd64/linux-headers-5.10.4-051004-generic_5.10.4-051004.202012301142_amd64.deb
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.10.4/amd64/linux-headers-5.10.4-051004_5.10.4-051004.202012301142_all.deb
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.10.4/amd64/linux-image-unsigned-5.10.4-051004-generic_5.10.4-051004.202012301142_amd64.deb
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.10.4/amd64/linux-modules-5.10.4-051004-generic_5.10.4-051004.202012301142_amd64.deb
apt install ./linux-*.deb
rm -rf ./linux-*.deb

Check the order of the kernel entries, counting from 0; if an entry sits inside a submenu, write the parent index followed by the child index, e.g. 1>5.

grep menuentry /boot/grub/grub.cfg

Change the default boot kernel in /etc/default/grub:

GRUB_DEFAULT="1>5"

Update grub:

update-grub
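Counting menuentry lines by hand gets error-prone once the advanced submenu holds several kernels and recovery entries, and the numeric index shifts every time a kernel package is added or removed. The following added example (not part of the post) walks a grub.cfg, tracks brace depth to know which entries are inside a submenu, and produces both the numeric "1>5" form used above and the menu-id form (the values after $menuentry_id_option joined by ">"), which GRUB also accepts for GRUB_DEFAULT and which does not move when the order changes. The grub.cfg excerpt is constructed in the layout grub-mkconfig produces; ROOTUUID stands in for the real filesystem UUID.

```python
"""Work out the GRUB_DEFAULT value ("1>5" style) for a kernel from grub.cfg.

Added example, not part of the post: it walks menuentry/submenu lines and
tracks brace depth, reproducing GRUB's numbering (0-based; entries inside a
submenu are written parent>child). The grub.cfg below is a constructed
excerpt in the layout Ubuntu's grub-mkconfig produces; ROOTUUID is a placeholder.
"""
import re

ENTRY_RE = re.compile(r"""^\s*(menuentry|submenu)\s+(?:'([^']*)'|"([^"]*)")""")
ID_RE = re.compile(r"""\$menuentry_id_option\s+(?:'([^']*)'|"([^"]*)")""")


def _first(match, a, b):
    return match.group(a) if match.group(a) is not None else match.group(b)


def index_entries(cfg_text):
    """Return [(numeric_path, title, id_path)] in menu order."""
    entries = []
    counters = [0]          # next index at each open menu level
    path, ids = [], []      # numeric indices / ids of the enclosing submenus
    open_depths = []        # brace depth at which each enclosing submenu was opened
    depth = 0
    for line in cfg_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kind, title = m.group(1), _first(m, 2, 3)
            idm = ID_RE.search(line)
            entry_id = _first(idm, 1, 2) if idm else ''
            idx = counters[-1]
            counters[-1] += 1
            entries.append(('>'.join(str(i) for i in path + [idx]), title,
                            '>'.join(ids + [entry_id])))
            if kind == 'submenu':
                open_depths.append(depth)
                path.append(idx)
                ids.append(entry_id)
                counters.append(0)
        depth += line.count('{') - line.count('}')
        while open_depths and depth <= open_depths[-1]:   # the submenu's '}' was reached
            open_depths.pop()
            path.pop()
            ids.pop()
            counters.pop()
    return entries


def grub_default_for(cfg_text, version, recovery=False, by_id=False):
    """GRUB_DEFAULT value for the first entry whose title names this kernel version."""
    for num_path, title, id_path in index_entries(cfg_text):
        if version in title and ('recovery' in title) == recovery:
            return id_path if by_id else num_path
    return None


SAMPLE_GRUB_CFG = """\
menuentry 'Ubuntu' --class ubuntu --class gnu-linux $menuentry_id_option 'gnulinux-simple-ROOTUUID' {
    recordfail
    linux /boot/vmlinuz-5.4.0-59-generic root=UUID=ROOTUUID ro quiet
    initrd /boot/initrd.img-5.4.0-59-generic
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-ROOTUUID' {
    menuentry 'Ubuntu, with Linux 5.10.4-051004-generic' $menuentry_id_option 'gnulinux-5.10.4-051004-generic-advanced-ROOTUUID' {
        linux /boot/vmlinuz-5.10.4-051004-generic root=UUID=ROOTUUID ro quiet
    }
    menuentry 'Ubuntu, with Linux 5.10.4-051004-generic (recovery mode)' $menuentry_id_option 'gnulinux-5.10.4-051004-generic-recovery-ROOTUUID' {
        linux /boot/vmlinuz-5.10.4-051004-generic root=UUID=ROOTUUID ro recovery nomodeset
    }
    menuentry 'Ubuntu, with Linux 5.4.0-59-generic' $menuentry_id_option 'gnulinux-5.4.0-59-generic-advanced-ROOTUUID' {
        linux /boot/vmlinuz-5.4.0-59-generic root=UUID=ROOTUUID ro quiet
    }
    menuentry 'Ubuntu, with Linux 5.4.0-59-generic (recovery mode)' $menuentry_id_option 'gnulinux-5.4.0-59-generic-recovery-ROOTUUID' {
        linux /boot/vmlinuz-5.4.0-59-generic root=UUID=ROOTUUID ro recovery nomodeset
    }
}
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
    fwsetup
}
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRUB_CFG
    for num_path, title, id_path in index_entries(text):
        print('%-6s %-55s %s' % (num_path, title, id_path))
    print('GRUB_DEFAULT="%s"' % grub_default_for(text, '5.10.4'))
```

Run it against /boot/grub/grub.cfg to get the value for /etc/default/grub; preferring the by_id form means the default survives later kernel package changes that renumber the menu, but either way re-run update-grub afterwards and verify with "uname -r" after the reboot.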