Resolved merge conflicts with upstream repo

2023-05-08 12:08:37 +05:30 · 2023-05-08 12:08:37 +05:30 · 251bb81d40
commit 251bb81d40
parent 31490d6a29 4e60a7f3fb
79 changed files with 1454 additions and 1319 deletions
--- a/.github/workflows/entrypoint.sh
+++ b/.github/workflows/entrypoint.sh
@ -26,10 +26,24 @@ for PKG in /ci/*.ipk; do
 	echo "Testing package $PKG_NAME in version $PKG_VERSION from $PKG_SOURCE"
 	opkg install "$PKG"
 	export PKG_NAME PKG_VERSION CI_HELPER
 	PRE_TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/pre-test.sh
 	if [ -f "$PRE_TEST_SCRIPT" ]; then
 		echo "Use package specific pre-test.sh"
 		if sh "$PRE_TEST_SCRIPT" "$PKG_NAME" "$PKG_VERSION"; then
 			echo "Pre-test successful"
 		else
 			echo "Pre-test failed"
 			exit 1
 		fi
 	else
 		echo "No pre-test.sh script available"
 	fi
 	opkg install "$PKG"
 	TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/test.sh
 	if [ -f "$TEST_SCRIPT" ]; then
--- a/.github/workflows/multi-arch-test-build.yml
+++ b/.github/workflows/multi-arch-test-build.yml
@ -17,7 +17,7 @@ jobs:
          - arch: mips_24kc
            target: ath79-generic
-            runtime_test: false
+            runtime_test: true
          - arch: mipsel_24kc
            target: mt7621
@ -162,7 +162,9 @@ jobs:
      - name: Register QEMU
        if: ${{ matrix.runtime_test }}
        run: |
-          sudo docker run --rm --privileged aptman/qus -s -- -p
+          sudo apt-get update
          sudo apt-get install -y qemu-user-static binfmt-support
          sudo update-binfmts --import
      - name: Build Docker container
        if: ${{ matrix.runtime_test }}
--- a/lang/python/python-calver/Makefile
+++ b/lang/python/python-calver/Makefile
@ -0,0 +1,48 @@
 #
 # Copyright (C) 2023 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=python-calver
 PKG_VERSION:=2022.6.26
 PKG_RELEASE:=1
 PYPI_NAME:=calver
 PKG_HASH:=e05493a3b17517ef1748fbe610da11f10485faa7c416b9d33fd4a52d74894f8b
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_HOST_ONLY:=1
 HOST_BUILD_DEPENDS:=python3/host python-build/host python-installer/host python-wheel/host
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/host-build.mk
 include ../python3-package.mk
 include ../python3-host-build.mk
 define Package/python3-calver
  SECTION:=lang
  CATEGORY:=Languages
  SUBMENU:=Python
  TITLE:=Setuptools extension for CalVer package versions
  URL:=https://github.com/di/calver
  DEPENDS:=+python3-light
  BUILDONLY:=1
 endef
 define Package/python3-calver/description
 The calver package is a setuptools extension for automatically defining
 your Python package version as a calendar version.
 endef
 $(eval $(call Py3Package,python3-calver))
 $(eval $(call BuildPackage,python3-calver))
 $(eval $(call BuildPackage,python3-calver-src))
 $(eval $(call HostBuild))
--- a/lang/python/python-eventlet/Makefile
+++ b/lang/python/python-eventlet/Makefile
@ -8,11 +8,11 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=python-eventlet
-PKG_VERSION:=0.30.2
+PKG_VERSION:=0.33.3
 PKG_RELEASE:=1
 PYPI_NAME:=eventlet
-PKG_HASH:=1811b122d9a45eb5bafba092d36911bca825f835cb648a862bbf984030acff9d
+PKG_HASH:=722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda
 PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
 PKG_LICENSE:=MIT
--- a/lang/python/python-hatchling/Makefile
+++ b/lang/python/python-hatchling/Makefile
@ -8,11 +8,11 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=python-hatchling
-PKG_VERSION:=1.13.0
+PKG_VERSION:=1.14.1
 PKG_RELEASE:=1
 PYPI_NAME:=hatchling
-PKG_HASH:=f8d275a2cc720735286b7c2e2bc35da05761e6d3695c2fa416550395f10c53c7
+PKG_HASH:=55fbc88cbd0d96c09c3e9392b51db513fd4cb4caf47615d65f935a5ef1756133
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE.txt
@ -27,7 +27,8 @@ HOST_BUILD_DEPENDS:= \
 	python-packaging/host \
 	python-pathspec/host \
 	python-pluggy/host \
-	python-tomli/host
+	python-tomli/host \
 	python-trove-classifiers/host
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
@ -48,7 +49,8 @@ define Package/python3-hatchling
      +python3-packaging \
      +python3-pathspec \
      +python3-pluggy \
-      +python3-tomli
+      +python3-tomli \
      +python3-trove-classifiers
  BUILDONLY:=1
 endef
--- a/lang/python/python-trove-classifiers/Makefile
+++ b/lang/python/python-trove-classifiers/Makefile
@ -0,0 +1,56 @@
 #
 # Copyright (C) 2023 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=python-trove-classifiers
 PKG_VERSION:=2023.3.9
 PKG_RELEASE:=1
 PYPI_NAME:=trove-classifiers
 PKG_HASH:=ee42f2f8c1d4bcfe35f746e472f07633570d485fab45407effc0379270a3bb03
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_HOST_ONLY:=1
 PKG_BUILD_DEPENDS:=python-calver/host
 HOST_BUILD_DEPENDS:= \
 	python3/host \
 	python-build/host \
 	python-installer/host \
 	python-wheel/host \
 	python-calver/host
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/host-build.mk
 include ../python3-package.mk
 include ../python3-host-build.mk
 define Package/python3-trove-classifiers
  SECTION:=lang
  CATEGORY:=Languages
  SUBMENU:=Python
  TITLE:=Canonical source for classifiers on PyPI (pypi.org).
  URL:=https://github.com/pypa/trove-classifiers
  DEPENDS:=+python3-light
  BUILDONLY:=1
 endef
 define Package/python3-trove-classifiers/description
 Canonical source for classifiers on PyPI.
 Classifiers categorize projects per PEP 301. Use this package to
 validate classifiers in packages for PyPI upload or download.
 endef
 $(eval $(call Py3Package,python3-trove-classifiers))
 $(eval $(call BuildPackage,python3-trove-classifiers))
 $(eval $(call BuildPackage,python3-trove-classifiers-src))
 $(eval $(call HostBuild))
--- a/libs/getdns/Makefile
+++ b/libs/getdns/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=getdns
 PKG_VERSION:=1.7.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/libs/getdns/patches/001-openssl-deprecated.patch
+++ b/libs/getdns/patches/001-openssl-deprecated.patch
@ -0,0 +1,20 @@
 --- a/src/openssl/tls.c
 +++ b/src/openssl/tls.c
@@ -872,7 +872,7 @@ _getdns_tls_x509* _getdns_tls_connection
 	if (!conn || !conn->ssl)
 		return NULL;
 -	return _getdns_tls_x509_new(mfs, SSL_get_peer_certificate(conn->ssl));
 +	return _getdns_tls_x509_new(mfs, SSL_get1_peer_certificate(conn->ssl));
 }
 getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
@@ -990,7 +990,7 @@ getdns_return_t _getdns_tls_connection_c
 #if defined(USE_DANESSL)
 	{
 		getdns_return_t res = GETDNS_RETURN_GOOD;
 -		X509* peer_cert = SSL_get_peer_certificate(conn->ssl);
 +		X509* peer_cert = SSL_get1_peer_certificate(conn->ssl);
 		if (peer_cert) {
 			if (conn->auth_name[0] &&
 			    X509_check_host(peer_cert,
--- a/libs/gnutls/Makefile
+++ b/libs/gnutls/Makefile
@ -6,13 +6,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=gnutls
-PKG_VERSION:=3.7.8
+PKG_VERSION:=3.8.0
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_BUILD_FLAGS:=no-mips16
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7
+PKG_SOURCE_URL:=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8
-PKG_HASH:=c58ad39af0670efe6a8aee5e3a8b2331a1200418b64b7c51977fb396d4617114
+PKG_HASH:=0ea0d11a1660a1e63f960f157b197abe6d0c8cb3255be24e1fb3815930b9bdc5
 PKG_MAINTAINER:=Nikos Mavrogiannopoulos <nmav@gnutls.org>
 PKG_LICENSE:=LGPL-2.1-or-later
--- a/libs/gnutls/patches/010-m4.patch
+++ b/libs/gnutls/patches/010-m4.patch
@ -62,12 +62,12 @@
     [AC_COMPILE_IFELSE(
 --- a/src/gl/m4/gnulib-comp.m4
 +++ b/src/gl/m4/gnulib-comp.m4
-@@ -1188,7 +1188,7 @@ changequote([, ])dnl
+@@ -1252,7 +1252,7 @@ changequote([, ])dnl
   gl_UNISTD_MODULE_INDICATOR([sleep])
   AC_CHECK_DECLS_ONCE([alarm])
   AC_REQUIRE([gt_TYPE_WCHAR_T])
 -  AC_REQUIRE([gt_TYPE_WINT_T])
 +  AC_REQUIRE([gt_TYPE_WINT_T_GNUTLS])
   gl_FUNC_STRERROR_R
-   if test $HAVE_DECL_STRERROR_R = 0 || test $REPLACE_STRERROR_R = 1; then
+   AS_IF([test $HAVE_DECL_STRERROR_R = 0 || test $REPLACE_STRERROR_R = 1], [
     AC_LIBOBJ([strerror_r])
--- a/libs/gnutls/patches/020-dont-install-m4-files.patch
+++ b/libs/gnutls/patches/020-dont-install-m4-files.patch
@ -14,7 +14,7 @@ Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -57,7 +57,7 @@ if ENABLE_DOC
+@@ -48,7 +48,7 @@ if ENABLE_DOC
 SUBDIRS += doc
 endif
--- a/libs/gperf/Makefile
+++ b/libs/gperf/Makefile
@ -1,47 +0,0 @@
 #
 # Copyright (C) 2006-2017 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=gperf
 PKG_VERSION:=3.1
 PKG_RELEASE:=1
 PKG_HASH:=588546b945bba4b70b6a3a616e80b4ab466e3f33024a352fc2198112cdbb3ae2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/gperf
 PKG_HOST_ONLY=1
 PKG_MAINTAINER:=Espen Jürgensen <espenjurgensen+openwrt@gmail.com>
 PKG_LICENSE:=GPL-3.0
 PKG_LICENSE_FILES:=COPYING
 include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/package.mk
 define Package/gperf
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=GNU gperf
  BUILDONLY:=1
  URL:=http://www.gnu.org/software/gperf
 endef
 define Package/gperf/description
 GNU gperf is a perfect hash function generator. For a given list of strings, it
 produces a hash function and hash table, in form of C or C++ code, for looking 
 up a value depending on the input string. The hash function is perfect, which 
 means that the hash table has no collisions, and the hash table lookup needs a
 single string comparison only.
 endef
 define Host/Install
 	$(MAKE) -C $(HOST_BUILD_DIR) install
 endef
 $(eval $(call HostBuild))
 $(eval $(call BuildPackage,gperf))
--- a/libs/gperf/patches/100-include_own_first.patch
+++ b/libs/gperf/patches/100-include_own_first.patch
@ -1,26 +0,0 @@
 diff --git a/lib/Makefile.in b/lib/Makefile.in
 index 29bbf92..cf2bf3c 100644
 --- a/lib/Makefile.in
 +++ b/lib/Makefile.in
@@ -61,7 +61,7 @@ SHELL = /bin/sh
 VPATH = $(srcdir)
 OBJECTS  = getopt.$(OBJEXT) getopt1.$(OBJEXT) getline.$(OBJEXT) hash.$(OBJEXT)
 -CPPFLAGS = @CPPFLAGS@ -I$(srcdir)
 +CPPFLAGS = -I$(srcdir) @CPPFLAGS@
 TARGETLIB = libgp.a
 diff --git a/src/Makefile.in b/src/Makefile.in
 index 6866ffd..bd4df14 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
@@ -64,7 +64,7 @@ VPATH = $(srcdir)
 OBJECTS  = version.$(OBJEXT) positions.$(OBJEXT) options.$(OBJEXT) keyword.$(OBJEXT) keyword-list.$(OBJEXT) \
            input.$(OBJEXT) bool-array.$(OBJEXT) hash-table.$(OBJEXT) search.$(OBJEXT) output.$(OBJEXT) main.$(OBJEXT)
 LIBS     = ../lib/libgp.a @GPERF_LIBM@
 -CPPFLAGS = @CPPFLAGS@ -I. -I$(srcdir)/../lib
 +CPPFLAGS = -I. -I$(srcdir)/../lib @CPPFLAGS@
 TARGETPROG = gperf$(EXEEXT)
--- a/libs/libxml2/Makefile
+++ b/libs/libxml2/Makefile
@ -1,214 +0,0 @@
 #
 # Copyright (C) 2006-2016 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libxml2
 PKG_VERSION:=2.10.3
 PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNOME/libxml2/$(basename $(PKG_VERSION))
 PKG_HASH:=5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c
 PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=COPYING
 PKG_CPE_ID:=cpe:/a:xmlsoft:libxml2
 include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 include $(INCLUDE_DIR)/nls.mk
 define Package/libxml2
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=Gnome XML library
  URL:=http://xmlsoft.org/
  DEPENDS:=+libpthread +zlib $(ICONV_DEPENDS)
 endef
 define Package/libxml2/description
  A library for manipulating XML and HTML resources.
 endef
 define Package/libxml2-dev
  SECTION:=devel
  CATEGORY:=Development
  SUBMENU:=Libraries
  TITLE:=Development files for libxml2
  URL:=http://xmlsoft.org/
  DEPENDS:=+libxml2
 endef
 define Package/libxml2-dev/description
  A library for manipulating XML and HTML resources.
  This package contains the headers and xml2-config binary.
 endef
 define Package/libxml2-utils
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=XML command line utilities (xmllint...)
  URL:=http://xmlsoft.org/
  DEPENDS:=+libxml2
 endef
 define Package/libxml2-utils/description
  This package contains the binaries xmllint and xmlcatalog
  from libxml2, a library for manipulating XML and HTML resources.
 endef
 CMAKE_HOST_OPTIONS += \
 	-DBUILD_SHARED_LIBS=OFF \
 	-DLIBXML2_WITH_C14N=ON \
 	-DLIBXML2_WITH_CATALOG=OFF \
 	-DLIBXML2_WITH_DEBUG=ON \
 	-DLIBXML2_WITH_FTP=OFF \
 	-DLIBXML2_WITH_HTML=ON \
 	-DLIBXML2_WITH_HTTP=OFF \
 	-DLIBXML2_WITH_ICONV=ON \
 	-DLIBXML2_WITH_ICU=OFF \
 	-DLIBXML2_WITH_ISO8859X=OFF \
 	-DLIBXML2_WITH_LEGACY=OFF \
 	-DLIBXML2_WITH_LZMA=OFF \
 	-DLIBXML2_WITH_MEM_DEBUG=OFF \
 	-DLIBXML2_WITH_MODULES=OFF \
 	-DLIBXML2_WITH_OUTPUT=ON \
 	-DLIBXML2_WITH_PATTERN=ON \
 	-DLIBXML2_WITH_PROGRAMS=OFF \
 	-DLIBXML2_WITH_PUSH=ON \
 	-DLIBXML2_WITH_PYTHON=OFF \
 	-DLIBXML2_WITH_READER=ON \
 	-DLIBXML2_WITH_REGEXPS=ON \
 	-DLIBXML2_WITH_RUN_DEBUG=OFF \
 	-DLIBXML2_WITH_SAX1=ON \
 	-DLIBXML2_WITH_SCHEMAS=ON \
 	-DLIBXML2_WITH_SCHEMATRON=OFF \
 	-DLIBXML2_WITH_TESTS=OFF \
 	-DLIBXML2_WITH_THREADS=ON \
 	-DLIBXML2_WITH_THREAD_ALLOC=OFF \
 	-DLIBXML2_WITH_TREE=ON \
 	-DLIBXML2_WITH_VALID=ON \
 	-DLIBXML2_WITH_WRITER=ON \
 	-DLIBXML2_WITH_XINCLUDE=ON \
 	-DLIBXML2_WITH_XPATH=ON \
 	-DLIBXML2_WITH_XPTR=ON \
 	-DLIBXML2_WITH_XPTR_LOCS=ON \
 	-DLIBXML2_WITH_ZLIB=ON
 CMAKE_OPTIONS += \
 	-DBUILD_SHARED_LIBS=ON \
 	-DLIBXML2_WITH_C14N=ON \
 	-DLIBXML2_WITH_CATALOG=OFF \
 	-DLIBXML2_WITH_DEBUG=ON \
 	-DLIBXML2_WITH_FTP=OFF \
 	-DLIBXML2_WITH_HTML=ON \
 	-DLIBXML2_WITH_HTTP=OFF \
 	-DLIBXML2_WITH_ICONV=ON \
 	-DLIBXML2_WITH_ICU=OFF \
 	-DLIBXML2_WITH_ISO8859X=OFF \
 	-DLIBXML2_WITH_LEGACY=OFF \
 	-DLIBXML2_WITH_LZMA=OFF \
 	-DLIBXML2_WITH_MEM_DEBUG=OFF \
 	-DLIBXML2_WITH_MODULES=OFF \
 	-DLIBXML2_WITH_OUTPUT=ON \
 	-DLIBXML2_WITH_PATTERN=ON \
 	-DLIBXML2_WITH_PROGRAMS=ON \
 	-DLIBXML2_WITH_PUSH=ON \
 	-DLIBXML2_WITH_PYTHON=OFF \
 	-DLIBXML2_WITH_READER=ON \
 	-DLIBXML2_WITH_REGEXPS=ON \
 	-DLIBXML2_WITH_RUN_DEBUG=OFF \
 	-DLIBXML2_WITH_SAX1=ON \
 	-DLIBXML2_WITH_SCHEMAS=ON \
 	-DLIBXML2_WITH_SCHEMATRON=OFF \
 	-DLIBXML2_WITH_TESTS=OFF \
 	-DLIBXML2_WITH_THREADS=ON \
 	-DLIBXML2_WITH_THREAD_ALLOC=OFF \
 	-DLIBXML2_WITH_TREE=ON \
 	-DLIBXML2_WITH_VALID=ON \
 	-DLIBXML2_WITH_WRITER=ON \
 	-DLIBXML2_WITH_XINCLUDE=ON \
 	-DLIBXML2_WITH_XPATH=ON \
 	-DLIBXML2_WITH_XPTR=ON \
 	-DLIBXML2_WITH_XPTR_LOCS=ON \
 	-DLIBXML2_WITH_ZLIB=ON \
 	-DHAVE_LIBHISTORY=OFF \
 	-DHAVE_LIBREADLINE=OFF
 define Build/InstallDev
 	$(INSTALL_DIR) $(2)/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/xml2-config \
 		$(2)/bin/$(GNU_TARGET_NAME)-xml2-config
 	$(SED) 's,^\(prefix\|exec_prefix\)=.*,\1=$(STAGING_DIR)/usr,g' \
 		$(2)/bin/$(GNU_TARGET_NAME)-xml2-config
 	$(LN) $(GNU_TARGET_NAME)-xml2-config $(2)/bin/xml2-config
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(CP) $(PKG_INSTALL_DIR)/usr/bin/xmlcatalog $(1)/usr/bin/
 	$(CP) $(PKG_INSTALL_DIR)/usr/bin/xmllint $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/usr/include
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/libxml2 $(1)/usr/include/
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so* $(1)/usr/lib/
 	$(INSTALL_DIR) $(1)/usr/lib/cmake/libxml2
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/cmake/libxml2-$(PKG_VERSION)/*.cmake \
 		$(1)/usr/lib/cmake/libxml2
 	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxml-2.0.pc $(1)/usr/lib/pkgconfig/
 	$(INSTALL_DIR) $(2)/share/aclocal/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/aclocal/* $(2)/share/aclocal
 endef
 define Host/Install
 	$(call Host/Install/Default)
 	mv $(1)/bin/xml2-config $(1)/bin/$(GNU_HOST_NAME)-xml2-config
 	$(LN) $(GNU_HOST_NAME)-xml2-config $(1)/bin/xml2-config
 endef
 define Package/libxml2/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so.* $(1)/usr/lib/
 endef
 define Package/libxml2-dev/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(CP) $(PKG_INSTALL_DIR)/usr/bin/xml2-config $(1)/usr/bin/
 	$(SED) "s,$(STAGING_DIR),,g" $(1)/usr/bin/xml2-config
 	$(INSTALL_DIR) $(1)/usr/include/
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so $(1)/usr/lib/
 	$(INSTALL_DIR) $(1)/usr/lib/{cmake,pkgconfig}
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/{cmake,pkgconfig} $(1)/usr/lib/
 	$(SED) "s,$(STAGING_DIR),,g" $(1)/usr/lib/pkgconfig/*.pc
 	$(INSTALL_DIR) $(1)/usr/share/aclocal
 	$(CP) $(PKG_INSTALL_DIR)/usr/share/aclocal/* $(1)/usr/share/aclocal
 endef
 define Package/libxml2-utils/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(CP) $(PKG_INSTALL_DIR)/usr/bin/xmllint $(1)/usr/bin/
 	$(CP) $(PKG_INSTALL_DIR)/usr/bin/xmlcatalog $(1)/usr/bin/
 endef
 $(eval $(call HostBuild))
 $(eval $(call BuildPackage,libxml2))
 $(eval $(call BuildPackage,libxml2-dev))
 $(eval $(call BuildPackage,libxml2-utils))
--- a/libs/libxml2/patches/010-iconv.patch
+++ b/libs/libxml2/patches/010-iconv.patch
@ -1,12 +0,0 @@
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
@@ -496,6 +496,9 @@ if(LIBXML2_WITH_PROGRAMS)
 		add_executable(LibXml2::${PROGRAM} ALIAS ${PROGRAM})
 		target_compile_definitions(${PROGRAM} PRIVATE SYSCONFDIR="${CMAKE_INSTALL_FULL_SYSCONFDIR}")
 		target_link_libraries(${PROGRAM} LibXml2)
 +		if(LIBXML2_WITH_ICONV AND NOT Iconv_IS_BUILT_IN)
 +			target_link_libraries(${PROGRAM} iconv)
 +		endif()
 		if(HAVE_LIBHISTORY)
 			target_link_libraries(${PROGRAM} history)
 		endif()
--- a/libs/sqlite3/Makefile
+++ b/libs/sqlite3/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=sqlite
-PKG_VERSION:=3410100
+PKG_VERSION:=3410200
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-autoconf-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.sqlite.org/2023/
-PKG_HASH:=4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33
+PKG_HASH:=e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499
 PKG_CPE_ID:=cpe:/a:sqlite:sqlite
 PKG_LICENSE:=PUBLICDOMAIN
--- a/net/acme-common/Makefile
+++ b/net/acme-common/Makefile
@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=acme-common
-PKG_VERSION:=1.0.2
+PKG_VERSION:=1.0.3
 PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
 PKG_LICENSE:=GPL-3.0-only
@ -48,19 +48,9 @@ define Package/acme-common/install
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/acme
 endef
 define Package/acme-common/postinst
 #!/bin/sh
 if [ -z "$$IPKG_INSTROOT" ]; then
 	grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null && exit 0
 	echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
 fi
 endef
 define Package/acme-common/prerm
 #!/bin/sh
 if [ -z "$$IPKG_INSTROOT" ]; then
 sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root
 fi
 endef
 define Build/Configure
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@ -1,13 +1,11 @@
-#
+# banIP - ban incoming and outgoing IPs via named nftables Sets
 # banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=0.8.4
+PKG_VERSION:=0.8.5
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -17,13 +15,13 @@ include $(INCLUDE_DIR)/package.mk
 define Package/banip
 	SECTION:=net
 	CATEGORY:=Network
-	TITLE:=banIP blocks IP addresses via named nftables sets
+	TITLE:=banIP blocks IPs via named nftables Sets
 	DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
 	PKGARCH:=all
 endef
 define Package/banip/description
-banIP blocks IP addresses via named nftables sets.
+banIP blocks IPs via named nftables Sets.
 banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
 Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@ -1,9 +1,9 @@
 <!-- markdownlint-disable -->
-# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
+# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
 ## Description
-IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.  
+IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.  
 ## Main Features
 * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).  
@ -57,12 +57,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | yoyo                | yoyo IPs                       |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
 * Zero-conf like automatic installation & setup, usually no manual changes needed
-* All sets are handled in a separate nft table/namespace 'banIP'
+* All Sets are handled in a separate nft table/namespace 'banIP'
 * Full IPv4 and IPv6 support
-* Supports nft atomic set loading
+* Supports nft atomic Set loading
 * Supports blocking by ASN numbers and by iso country codes
 * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
-* Auto-add the uplink subnet to the local allowlist
+* Auto-add the uplink subnet or uplink IP to the local allowlist
 * Provides a small background log monitor to ban unsuccessful login attempts in real-time
 * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
 * Fast feed processing as they are handled in parallel as background jobs
@ -70,15 +70,16 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
 * Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
-* Deduplicate IPs accross all sets (single IPs only, no intervals)
+* Deduplicate IPs accross all Sets (single IPs only, no intervals)
 * Provides comprehensive runtime information
-* Provides a detailed set report
+* Provides a detailed Set report
-* Provides a set search engine for certain IPs
+* Provides a Set search engine for certain IPs
 * Feed parsing by fast & flexible regex rulesets
 * Minimal status & error logging to syslog, enable debug logging to receive more output
 * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
 * Procd network interface trigger support
 * Add new or edit existing banIP feeds on your own with the integrated custom feed editor
 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
 ## Prerequisites
 * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
@ -112,9 +113,9 @@ Available commands:
 	enable          Enable service autostart
 	disable         Disable service autostart
 	enabled         Check if service is started on boot
-	report          [text|json|mail] Print banIP related set statistics
+	report          [text|json|mail] Print banIP related Set statistics
-	search          [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set
+	search          [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
-	survey          [<set name>] List all elements of a given banIP set
+	survey          [<Set name>] List all elements of a given banIP Set
 	lookup          Lookup the IPs of domain names in the local lists and update them
 	running         Check if service is running
 	status          Service status
@ -125,11 +126,11 @@ Available commands:
 ## banIP config options
 | Option                  | Type   | Default                       | Description                                                                                                  |
-| :---------------------- | :----- | :---------------------------- | :-------------------------------------------------------------------------------------------- |
+| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- |
 | ban_enabled             | option | 0                             | enable the banIP service                                                                                     |
 | ban_nicelimit           | option | 0                             | ulimit nice level of the banIP service (range 0-19)                                                          |
 | ban_filelimit           | option | 1024                          | ulimit max open/number of files (range 1024-4096)                                                            |
-| ban_loglimit            | option | 100                           | scan only the last n log entries permanently. Set it to '0' to disable the monitor            |
+| ban_loglimit            | option | 100                           | scan only the last n log entries permanently. A value of '0' disables the monitor                            |
 | ban_logcount            | option | 1                             | how many times the IP must appear in the log to be considered as suspicious                                  |
 | ban_logterm             | list   | regex                         | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk)                           |
 | ban_autodetect          | option | 1                             | auto-detect wan interfaces, devices and subnets                                                              |
@ -137,8 +138,9 @@ Available commands:
 | ban_loginput            | option | 1                             | log drops in the wan-input chain                                                                             |
 | ban_logforwardwan       | option | 1                             | log drops in the wan-forward chain                                                                           |
 | ban_logforwardlan       | option | 0                             | log rejects in the lan-forward chain                                                                         |
-| ban_autoallowlist       | option | 1                             | add wan IPs/subnets automatically to the local allowlist                                      |
+| ban_autoallowlist       | option | 1                             | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets)         |
-| ban_autoblocklist       | option | 1                             | add suspicious attacker IPs automatically to the local blocklist                              |
+| ban_autoblocklist       | option | 1                             | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
 | ban_autoallowuplink     | option | subnet                        | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all                                |
 | ban_allowlistonly       | option | 0                             | restrict the internet access from/to a small number of secure websites/IPs                                   |
 | ban_basedir             | option | /tmp                          | base working directory while banIP processing                                                                |
 | ban_reportdir           | option | /tmp/banIP-report             | directory where banIP stores the report files                                                                |
@ -151,12 +153,12 @@ Available commands:
 | ban_trigger             | list   | -                             | logical startup trigger interface(s), e.g. 'wan'                                                             |
 | ban_triggerdelay        | option | 10                            | trigger timeout before banIP processing begins                                                               |
 | ban_triggeraction       | option | start                         | trigger action on ifup events, e.g. start, restart or reload                                                 |
-| ban_deduplicate         | option | 1                             | deduplicate IP addresses across all active sets                                               |
+| ban_deduplicate         | option | 1                             | deduplicate IP addresses across all active Sets                                                              |
-| ban_splitsize           | option | 0                             | split ext. sets after every n lines/members (saves RAM)                                       |
+| ban_splitsize           | option | 0                             | split ext. Sets after every n lines/members (saves RAM)                                                      |
 | ban_cores               | option | - / autodetect                | limit the cpu cores used by banIP (saves RAM)                                                                |
 | ban_nftloglevel         | option | warn                          | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug                                     |
 | ban_nftpriority         | option | -200                          | nft priority for the banIP table (default is the prerouting table priority)                                  |
-| ban_nftpolicy           | option | memory                        | nft policy for banIP-related sets, values: memory, performance                                |
+| ban_nftpolicy           | option | memory                        | nft policy for banIP-related Sets, values: memory, performance                                               |
 | ban_nftexpiry           | option | -                             | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d'                                        |
 | ban_feed                | list   | -                             | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table)                           |
 | ban_asn                 | list   | -                             | ASNs for the 'asn' feed, e.g.'32934'                                                                         |
@ -167,13 +169,14 @@ Available commands:
 | ban_blockforwardlan     | list   | -                             | limit a feed to the lan-forward chain, e.g. 'doh'                                                            |
 | ban_fetchcmd            | option | - / autodetect                | 'uclient-fetch', 'wget', 'curl' or 'aria2c'                                                                  |
 | ban_fetchparm           | option | - / autodetect                | set the config options for the selected download utility                                                     |
 | ban_fetchretry          | option | 5                             | number of download attempts in case of an error (not supported by uclient-fetch)                             |
 | ban_fetchinsecure       | option | 0                             | don't check SSL server certificates during download                                                          |
 | ban_mailreceiver        | option | -                             | receiver address for banIP related notification E-Mails                                                      |
 | ban_mailsender          | option | no-reply@banIP                | sender address for banIP related notification E-Mails                                                        |
 | ban_mailtopic           | option | banIP notification            | topic for banIP related notification E-Mails                                                                 |
 | ban_mailprofile         | option | ban_notify                    | mail profile used in 'msmtp' for banIP related notification E-Mails                                          |
 | ban_mailnotification    | option | 0                             | receive E-Mail notifications with every banIP run                                                            |
-| ban_reportelements      | option | 1                             | list set elements in the report, disable this to speed up the report significantly            |
+| ban_reportelements      | option | 1                             | count Set elements in the report, disable this option to speed up the report significantly                   |
 | ban_resolver            | option | -                             | external resolver used for DNS lookups                                                                       |
 ## Examples
@ -229,11 +232,11 @@ Available commands:
 ~# /etc/init.d/banip status
 ::: banIP runtime information
  + status            : active (nft: ✔, monitor: ✔)
-  + version           : 0.8.3-1
+  + version           : 0.8.5-1
  + element_count     : 281161
  + active_feeds      : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6
  + active_devices    : br-wan ::: wan, wan6
-  + active_subnets    : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
+  + active_uplink     : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
  + nft_info          : priority: -200, policy: memory, loglevel: warn, expiry: -
  + run_info          : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
  + run_flags         : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
@ -258,7 +261,7 @@ Available commands:
 :::
 ::: banIP Survey
 :::
-    List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
+    List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
    ---
 1.10.187.179
 1.10.203.30
@ -288,9 +291,10 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
 **allow-/blocklist handling**  
 banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.  
-Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.  
+Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option.  
-Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option).  
+Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist.  
-Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').  
 Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
 **allowlist-only mode**  
 banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
@ -306,22 +310,22 @@ For a regular, automatic status mailing and update of the used lists on a daily
 ```
 **tweaks for low memory systems**  
-nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:  
+nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:  
    * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
    * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
-    * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
+    * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
-    * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
+    * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
 **tweak the download options**  
 By default banIP uses the following pre-configured download options:
 ```
-    * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
+    * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
-    * curl: --connect-timeout 20 --fail --silent --show-error --location -o
+    * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o
    * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O
    * uclient-fetch: --timeout=20 -O
    * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
 ```
-To override the default set 'ban_fetchparm' manually to your needs.
+To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
 **send E-Mail notifications via 'msmtp'**  
 To use the email notification you must install & configure the package 'msmtp'.  
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@ -1,4 +1,4 @@
-# banIP shared function library/include
+# banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
@ -29,6 +29,9 @@ ban_nftcmd="$(command -v nft)"
 ban_fw4cmd="$(command -v fw4)"
 ban_awkcmd="$(command -v awk)"
 ban_grepcmd="$(command -v grep)"
 ban_sedcmd="$(command -v sed)"
 ban_catcmd="$(command -v cat)"
 ban_zcatcmd="$(command -v zcat)"
 ban_lookupcmd="$(command -v nslookup)"
 ban_mailcmd="$(command -v msmtp)"
 ban_mailsender="no-reply@banIP"
@ -49,8 +52,10 @@ ban_asn=""
 ban_loginput="1"
 ban_logforwardwan="1"
 ban_logforwardlan="0"
 ban_allowurl=""
 ban_allowlistonly="0"
 ban_autoallowlist="1"
 ban_autoallowuplink="subnet"
 ban_autoblocklist="1"
 ban_deduplicate="1"
 ban_splitsize="0"
@ -65,8 +70,9 @@ ban_protov6="0"
 ban_ifv4=""
 ban_ifv6=""
 ban_dev=""
-ban_sub=""
+ban_uplink=""
 ban_fetchinsecure=""
 ban_fetchretry="5"
 ban_cores=""
 ban_memory=""
 ban_trigger=""
@ -105,7 +111,7 @@ f_mkdir() {
 	if [ ! -d "${dir}" ]; then
 		rm -f "${dir}"
 		mkdir -p "${dir}"
-		f_log "debug" "f_mkdir   ::: created directory: ${dir}"
+		f_log "debug" "f_mkdir     ::: directory: ${dir}"
 	fi
 }
@ -116,7 +122,7 @@ f_mkfile() {
 	if [ ! -f "${file}" ]; then
 		: >"${file}"
-		f_log "debug" "f_mkfile  ::: created file: ${file}"
+		f_log "debug" "f_mkfile    ::: file: ${file}"
 	fi
 }
@ -137,7 +143,7 @@ f_rmdir() {
 	if [ -d "${dir}" ]; then
 		rm -rf "${dir}"
-		f_log "debug" "f_rmdir   ::: deleted directory: ${dir}"
+		f_log "debug" "f_rmdir     ::: directory: ${dir}"
 	fi
 }
@ -195,7 +201,7 @@ f_log() {
 # load config
 #
 f_conf() {
-	unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
+	unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
 	config_cb() {
 		option_cb() {
 			local option="${1}"
@ -218,6 +224,9 @@ f_conf() {
 				"ban_feed")
 					eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \""
 					;;
 				"ban_allowurl")
 					eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \""
 					;;
 				"ban_blockinput")
 					eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \""
 					;;
@ -247,17 +256,17 @@ f_conf() {
 # prepare fetch utility
 #
 f_fetch() {
-	local ut utils packages insecure
+	local item utils packages insecure
-	if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then
+	if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then
-		packages="$(${ban_ubuscmd} -S call rpc-sys packagelist 2>/dev/null)"
+		packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
-		[ -z "${packages}" ] && f_log "err" "local opkg package repository is not available, please set the download utility 'ban_fetchcmd' manually"
+		[ -z "${packages}" ] && f_log "err" "no local package repository"
 		utils="aria2c curl wget uclient-fetch"
-		for ut in ${utils}; do
+		for item in ${utils}; do
-			if { [ "${ut}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
+			if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
-				{ [ "${ut}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } ||
+				{ [ "${item}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } ||
-				[ "${ut}" = "curl" ] || [ "${ut}" = "aria2c" ]; then
+				[ "${item}" = "curl" ] || [ "${item}" = "aria2c" ]; then
-				ban_fetchcmd="$(command -v "${ut}")"
+				ban_fetchcmd="$(command -v "${item}")"
 				if [ -x "${ban_fetchcmd}" ]; then
 					uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}"
 					uci_commit "banip"
@ -265,16 +274,18 @@ f_fetch() {
 				fi
 			fi
 		done
 	else
 		ban_fetchcmd="$(command -v "${ban_fetchcmd}")"
 	fi
-	[ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found"
+	[ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support"
 	case "${ban_fetchcmd##*/}" in
 		"aria2c")
 			[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
-			ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
+			ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
 			;;
 		"curl")
 			[ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure"
-			ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}"
+			ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}"
 			;;
 		"uclient-fetch")
 			[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
@ -282,11 +293,11 @@ f_fetch() {
 			;;
 		"wget")
 			[ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate"
-			ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
+			ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}"
 			;;
 	esac
-	f_log "debug" "f_fetch   ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
+	f_log "debug" "f_fetch     ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
 }
 # remove logservice
@ -294,7 +305,7 @@ f_fetch() {
 f_rmpid() {
 	local ppid pid pids
-	ppid="$(cat "${ban_pidfile}" 2>/dev/null)"
+	ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
 	[ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0
 	for pid in ${pids}; do
 		kill -INT "${pid}" >/dev/null 2>&1
@ -312,7 +323,7 @@ f_actual() {
 	else
 		nft="$(f_char "0")"
 	fi
-	if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
+	if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
 		monitor="$(f_char "1")"
 	else
 		monitor="$(f_char "0")"
@ -334,7 +345,7 @@ f_getif() {
 				ban_ifv4="${iface}"
 				uci_set banip global ban_protov4 "1"
 				uci_add_list banip global ban_ifv4 "${iface}"
-				f_log "info" "added IPv4 interface '${iface}' to config"
+				f_log "info" "add IPv4 interface '${iface}' to config"
 			fi
 		fi
 		if [ -z "${ban_ifv6}" ]; then
@ -345,7 +356,7 @@ f_getif() {
 				ban_ifv6="${iface}"
 				uci_set banip global ban_protov6 "1"
 				uci_add_list banip global ban_ifv6 "${iface}"
-				f_log "info" "added IPv6 interface '${iface}' to config"
+				f_log "info" "add IPv6 interface '${iface}' to config"
 			fi
 		fi
 	fi
@ -357,11 +368,11 @@ f_getif() {
 		ban_ifv6="${ban_ifv6%%?}"
 		for iface in ${ban_ifv4} ${ban_ifv6}; do
 			if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
-				f_log "err" "wan interface '${iface}' is not available, please check your configuration"
+				f_log "err" "no wan interface '${iface}'"
 			fi
 		done
 	fi
-	[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
+	[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "no wan interfaces"
 	f_log "debug" "f_getif     ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
 }
@ -383,7 +394,7 @@ f_getdev() {
 					if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
 						ban_dev="${ban_dev}${dev} "
 						uci_add_list banip global ban_dev "${dev}"
-						f_log "info" "added device '${dev}' to config"
+						f_log "info" "add device '${dev}' to config"
 					fi
 				fi
 			done
@ -396,39 +407,53 @@ f_getdev() {
 		uci_commit "banip"
 	fi
 	ban_dev="${ban_dev%%?}"
-	[ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
+	[ -z "${ban_dev}" ] && f_log "err" "no wan devices"
 	f_log "debug" "f_getdev    ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
 }
-# get local subnets
+# get local uplink
 #
-f_getsub() {
+f_getuplink() {
-	local sub iface ip update="0"
+	local uplink iface ip update="0"
-	if [ "${ban_autoallowlist}" = "1" ]; then
+	if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then
 		for iface in ${ban_ifv4} ${ban_ifv6}; do
 			network_flush_cache
-			network_get_subnet sub "${iface}"
+			if [ "${ban_autoallowuplink}" = "subnet" ]; then
-			if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
+				network_get_subnet uplink "${iface}"
-				ban_sub="${ban_sub}${sub} "
+			elif [ "${ban_autoallowuplink}" = "ip" ]; then
 				network_get_ipaddr uplink "${iface}"
 			fi
-			network_get_subnet6 sub "${iface}"
+			if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
-			if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
+				ban_uplink="${ban_uplink}${uplink} "
-				ban_sub="${ban_sub}${sub} "
+			fi
 			if [ "${ban_autoallowuplink}" = "subnet" ]; then
 				network_get_subnet6 uplink "${iface}"
 			elif [ "${ban_autoallowuplink}" = "ip" ]; then
 				network_get_ipaddr6 uplink "${iface}"
 			fi
 			if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
 				ban_uplink="${ban_uplink}${uplink} "
 			fi
 		done
-		for ip in ${ban_sub}; do
+		for ip in ${ban_uplink}; do
 			if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then
 				if [ "${update}" = "0" ]; then
 					"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"
 				fi
 				printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
 				f_log "info" "add uplink '${ip}' to local allowlist"
 				update="1"
 				printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
 				f_log "info" "added subnet '${ip}' to local allowlist"
 			fi
 		done
-		ban_sub="${ban_sub%%?}"
+		ban_uplink="${ban_uplink%%?}"
 	elif [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" = "disable" ]; then
 		"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"
 		update="1"
 	fi
-	f_log "debug" "f_getsub  ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}"
+	f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}"
 }
 # get feed information
@ -437,22 +462,22 @@ f_getfeed() {
 	json_init
 	if [ -s "${ban_customfeedfile}" ]; then
 		if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then
-			f_log "info" "banIP custom feed file can't be loaded"
+			f_log "info" "can't load banIP custom feed file"
 			if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
-				f_log "err" "banIP feed file can't be loaded"
+				f_log "err" "can't load banIP feed file"
 			fi
 		fi
 	elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
-		f_log "err" "banIP feed file can't be loaded"
+		f_log "err" "can't load banIP feed file"
 	fi
 }
-# get set elements
+# get Set elements
 #
 f_getelements() {
 	local file="${1}"
-	[ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}" 2>/dev/null) };"
+	[ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>/dev/null) };"
 }
 # build initial nft file with base table, chains and rules
@ -517,6 +542,7 @@ f_down() {
 	tmp_file="${ban_tmpfile}.${feed}.file"
 	tmp_flush="${ban_tmpfile}.${feed}.flush"
 	tmp_nft="${ban_tmpfile}.${feed}.nft"
 	tmp_allow="${ban_tmpfile}.${feed%v*}"
 	[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
 	[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
@ -576,18 +602,33 @@ f_down() {
 		feed_rc="${restore_rc}"
 	fi
-	# handle local lists
+	# prepare local allowlist
 	#
 	if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then
 		"${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}"
 		for feed_url in ${ban_allowurl}; do
 			feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)"
 			feed_rc="${?}"
 			if [ "${feed_rc}" = "0" ] && [ -s "${tmp_load}" ]; then
 				"${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}"
 			else
 				f_log "info" "download for feed '${feed%v*}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})"
 			fi
 		done
 	fi
 	# handle local feeds
 	#
 	if [ "${feed%v*}" = "allowlist" ]; then
 		{
 			printf "%s\n\n" "#!/usr/sbin/nft -f"
-			[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
+			[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
 			if [ "${proto}" = "MAC" ]; then
-				"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
+				"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${tmp_allow}" >"${tmp_file}"
 				printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
 				[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
 			elif [ "${proto}" = "4" ]; then
-				"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
+				"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}"
 				printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
 				if [ -z "${feed_direction##*input*}" ]; then
 					if [ "${ban_allowlistonly}" = "1" ]; then
@ -611,7 +652,7 @@ f_down() {
 					fi
 				fi
 			elif [ "${proto}" = "6" ]; then
-				"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
+				"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${tmp_allow}" |
 					"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
 				printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
 				if [ -z "${feed_direction##*input*}" ]; then
@ -641,7 +682,7 @@ f_down() {
 	elif [ "${feed%v*}" = "blocklist" ]; then
 		{
 			printf "%s\n\n" "#!/usr/sbin/nft -f"
-			[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
+			[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
 			if [ "${proto}" = "MAC" ]; then
 				"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
 				printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
@ -651,7 +692,7 @@ f_down() {
 					"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
 					"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
 					"${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
-					cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
+					"${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
 				else
 					"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
 				fi
@ -666,7 +707,7 @@ f_down() {
 						"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}"
 					"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
 					"${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
-					cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
+					"${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
 				else
 					"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
 						"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
@ -679,7 +720,8 @@ f_down() {
 			fi
 		} >"${tmp_nft}"
 		feed_rc="0"
-	# handle external downloads
+
 	# handle external feeds
 	#
 	elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then
 		# handle country downloads
@ -688,7 +730,7 @@ f_down() {
 			for country in ${ban_country}; do
 				feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)"
 				feed_rc="${?}"
-				[ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
+				[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
 			done
 			rm -f "${tmp_raw}"
@ -698,7 +740,7 @@ f_down() {
 			for asn in ${ban_asn}; do
 				feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)"
 				feed_rc="${?}"
-				[ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
+				[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
 			done
 			rm -f "${tmp_raw}"
@ -710,7 +752,7 @@ f_down() {
 					feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
 					feed_rc="${?}"
 					if [ "${feed_rc}" = "0" ]; then
-						zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}"
+						"${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
 						feed_rc="${?}"
 					fi
 					rm -f "${tmp_raw}"
@ -724,6 +766,7 @@ f_down() {
 			feed_rc="${?}"
 		fi
 	fi
 	[ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})"
 	# backup/restore
 	#
@ -735,10 +778,10 @@ f_down() {
 		feed_rc="${?}"
 	fi
-	# build nft file with set and rules for regular downloads
+	# build nft file with Sets and rules for regular downloads
 	#
 	if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then
-		# deduplicate sets
+		# deduplicate Sets
 		#
 		if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
 			"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
@ -747,13 +790,13 @@ f_down() {
 			"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
 		fi
 		feed_rc="${?}"
-		# split sets
+		# split Sets
 		#
 		if [ "${feed_rc}" = "0" ]; then
 			if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
 				if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
 					rm -f "${tmp_file}".*
-					f_log "info" "failed to split '${feed}' Set to size '${ban_splitsize//[![:digit]]/}'"
+					f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
 				fi
 			else
 				"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
@ -763,10 +806,10 @@ f_down() {
 		rm -f "${tmp_raw}" "${tmp_load}"
 		if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
 			{
-				# nft header (IPv4 set)
+				# nft header (IPv4 Set)
 				#
 				printf "%s\n\n" "#!/usr/sbin/nft -f"
-				[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
+				[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
 				printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
 				# input and forward rules
@ -777,10 +820,10 @@ f_down() {
 			} >"${tmp_nft}"
 		elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
 			{
-				# nft header (IPv6 set)
+				# nft header (IPv6 Set)
 				#
 				printf "%s\n\n" "#!/usr/sbin/nft -f"
-				[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
+				[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
 				printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
 				# input and forward rules
@ -799,6 +842,7 @@ f_down() {
 		if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
 			feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
 			feed_rc="${?}"
 			# load additional split files
 			#
 			if [ "${feed_rc}" = "0" ]; then
@ -808,8 +852,8 @@ f_down() {
 						rm -f "${split_file}"
 						continue
 					fi
-					if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then
+					if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then
-						f_log "info" "failed to add split file '${split_file##*.}' to '${feed}' Set"
+						f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
 					fi
 					rm -f "${split_file}"
 				done
@ -818,7 +862,7 @@ f_down() {
 				fi
 			fi
 		else
-			f_log "info" "empty feed '${feed}' will be skipped"
+			f_log "info" "skip empty feed '${feed}'"
 		fi
 	fi
 	rm -f "${tmp_split}" "${tmp_nft}"
@ -847,7 +891,7 @@ f_restore() {
 	[ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}"
 	[ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}"
 	if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then
-		zcat "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}"
+		"${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}"
 		restore_rc="${?}"
 	fi
@ -855,10 +899,10 @@ f_restore() {
 	return ${restore_rc}
 }
-# remove disabled feeds
+# remove disabled Sets
 #
 f_rmset() {
-	local feedlist tmp_del ruleset_raw table_sets handle set del_set feed_log feed_rc
+	local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc
 	f_getfeed
 	json_get_keys feedlist
@ -867,19 +911,19 @@ f_rmset() {
 	table_sets="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
 	{
 		printf "%s\n\n" "#!/usr/sbin/nft -f"
-		for set in ${table_sets}; do
+		for item in ${table_sets}; do
-			if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${set%v*}" ||
+			if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${item%v*}" ||
-				! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${set%v*}"; then
+				! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${item%v*}"; then
-				del_set="${del_set}${set}, "
+				del_set="${del_set}${item}, "
-				rm -f "${ban_backupdir}/banIP.${set}.gz"
+				rm -f "${ban_backupdir}/banIP.${item}.gz"
-				printf "%s\n" "flush set inet banIP ${set}"
+				printf "%s\n" "flush set inet banIP ${item}"
-				handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].handle")"
+				handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")"
 				[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
-				handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].handle")"
+				handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
 				[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
-				handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].handle")"
+				handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
 				[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
-				printf "%s\n\n" "delete set inet banIP ${set}"
+				printf "%s\n\n" "delete set inet banIP ${item}"
 			fi
 		done
 	} >"${tmp_del}"
@ -897,7 +941,7 @@ f_rmset() {
 # generate status information
 #
 f_genstatus() {
-	local object duration set table_sets cnt_elements="0" custom="0" split="0" status="${1}"
+	local object duration item table_sets cnt_elements="0" custom="0" split="0" status="${1}"
 	[ -z "${ban_dev}" ] && f_conf
 	if [ "${status}" = "active" ]; then
@ -907,8 +951,8 @@ f_genstatus() {
 		fi
 		table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
 		if [ "${ban_reportelements}" = "1" ]; then
-			for set in ${table_sets}; do
+			for item in ${table_sets}; do
-				cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
+				cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
 			done
 		fi
 		runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")"
@ -941,10 +985,10 @@ f_genstatus() {
 		json_close_object
 	done
 	json_close_array
-	json_add_array "active_subnets"
+	json_add_array "active_uplink"
-	for object in ${ban_sub:-"-"}; do
+	for object in ${ban_uplink:-"-"}; do
 		json_add_object
-		json_add_string "subnet" "${object}"
+		json_add_string "uplink" "${object}"
 		json_close_object
 	done
 	json_close_array
@ -1018,6 +1062,7 @@ f_getstatus() {
 f_lookup() {
 	local cnt list domain lookup ip elementsv4 elementsv6 start_time end_time duration cnt_domain="0" cnt_ip="0" feed="${1}"
 	[ -z "${ban_dev}" ] && f_conf
 	start_time="$(date "+%s")"
 	if [ "${feed}" = "allowlist" ]; then
 		list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>/dev/null)"
@ -1051,24 +1096,24 @@ f_lookup() {
 	done
 	if [ -n "${elementsv4}" ]; then
 		if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
-			f_log "info" "failed to add lookup file to '${feed}v4' Set"
+			f_log "info" "can't add lookup file to Set '${feed}v4'"
 		fi
 	fi
 	if [ -n "${elementsv6}" ]; then
 		if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
-			f_log "info" "failed to add lookup file to '${feed}v6' Set"
+			f_log "info" "can't add lookup file to Set '${feed}v6'"
 		fi
 	fi
 	end_time="$(date "+%s")"
 	duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s"
-	f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
+	f_log "debug" "f_lookup    ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
 }
 # table statistics
 #
 f_report() {
-	local report_jsn report_txt set tmp_val ruleset_raw table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
+	local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
 	local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
 	[ -z "${ban_dev}" ] && f_conf
@ -1093,12 +1138,12 @@ f_report() {
 	{
 		printf "%s\n" "{"
 		printf "\t%s\n" '"sets":{'
-		for set in ${table_sets}; do
+		for item in ${table_sets}; do
-			set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")"
+			set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
-			set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")"
+			set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
-			set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")"
+			set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
 			if [ "${ban_reportelements}" = "1" ]; then
-				set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
+				set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
 				sum_setelements="$((sum_setelements + set_cnt))"
 			else
 				set_cnt=""
@ -1129,7 +1174,7 @@ f_report() {
 				set_cntforwardlan=""
 			fi
 			[ "${sum_sets}" -gt "0" ] && printf "%s\n" ","
-			printf "\t\t%s\n" "\"${set}\": {"
+			printf "\t\t%s\n" "\"${item}\":{"
 			printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\","
 			printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\","
 			printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
@ -1183,9 +1228,9 @@ f_report() {
 				if [ -n "${table_sets}" ]; then
 					printf "%-25s%-15s%-24s%-24s%s\n" "    Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)"
 					printf "%s\n" "    ---------------------+--------------+-----------------------+-----------------------+------------------------"
-					for set in ${table_sets}; do
+					for item in ${table_sets}; do
-						printf "    %-21s" "${set}"
+						printf "    %-21s" "${item}"
-						json_select "${set}"
+						json_select "${item}"
 						json_get_keys set_details
 						for detail in ${set_details}; do
 							json_get_var jsnval "${detail}" >/dev/null 2>&1
@ -1216,10 +1261,10 @@ f_report() {
 	#
 	case "${output}" in
 		"text")
-			[ -s "${report_txt}" ] && cat "${report_txt}"
+			[ -s "${report_txt}" ] && "${ban_catcmd}" "${report_txt}"
 			;;
 		"json")
-			[ -s "${report_jsn}" ] && cat "${report_jsn}"
+			[ -s "${report_jsn}" ] && "${ban_catcmd}" "${report_jsn}"
 			;;
 		"mail")
 			[ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail
@ -1228,16 +1273,16 @@ f_report() {
 	rm -f "${report_txt}"
 }
-# set search
+# Set search
 #
 f_search() {
-	local set table_sets ip proto run_search hold cnt search="${1}"
+	local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
-	if [ -n "${search}" ]; then
+	if [ -n "${input}" ]; then
-		ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
+		ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
 		[ -n "${ip}" ] && proto="v4"
 		if [ -z "${proto}" ]; then
-			ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')"
+			ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')"
 			[ -n "${ip}" ] && proto="v6"
 		fi
 	fi
@ -1251,13 +1296,15 @@ f_search() {
 	printf "    %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
 	printf "    %s\n" "---"
 	cnt="1"
-	run_search="/var/run/banIP.search"
+	for item in ${table_sets}; do
-	for set in ${table_sets}; do
+		if [ -f "${result_flag}" ]; then
-		[ -f "${run_search}" ] && break
+			rm -f "${result_flag}"
 			return
 		fi
 		(
-			if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then
+			if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then
-				printf "    %s\n" "IP found in Set '${set}'"
+				printf "    %s\n" "IP found in Set '${item}'"
-				: >"${run_search}"
+				: >"${result_flag}"
 			fi
 		) &
 		hold="$((cnt % ban_cores))"
@ -1265,27 +1312,26 @@ f_search() {
 		cnt="$((cnt + 1))"
 	done
 	wait
-	[ ! -f "${run_search}" ] && printf "    %s\n" "IP not found"
+	printf "    %s\n" "IP not found"
 	rm -f "${run_search}"
 }
-# set survey
+# Set survey
 #
 f_survey() {
-	local set_elements set="${1}"
+	local set_elements input="${1}"
-	if [ -z "${set}" ]; then
+	if [ -z "${input}" ]; then
 		printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
 		return
 	fi
-	[ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
+	set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
 	printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
-	printf "    %s\n" "List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")"
+	printf "    %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
 	printf "    %s\n" "---"
-	[ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf "    %s\n" "empty set"
+	[ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf "    %s\n" "empty Set"
 }
-# send status mails
+# send status mail
 #
 f_mail() {
 	local msmtp_debug
@ -1295,19 +1341,16 @@ f_mail() {
 	if [ -r "${ban_mailtemplate}" ]; then
 		. "${ban_mailtemplate}"
 	else
-		f_log "info" "the mail template is missing"
+		f_log "info" "no mail template"
 	fi
-	[ -z "${mail_text}" ] && f_log "info" "the 'mail_text' template variable is empty"
+	[ -z "${mail_text}" ] && f_log "info" "no mail content"
 	[ "${ban_debug}" = "1" ] && msmtp_debug="--debug"
 	# send mail
 	#
 	ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
-	if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then
+	printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
-		f_log "info" "status mail was sent successfully"
+	f_log "info" "send status mail (${?})"
 	else
 		f_log "info" "failed to send status mail (${?})"
 	fi
 	f_log "debug" "f_mail      ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
 }
@ -1327,8 +1370,7 @@ fi
 #
 f_system
 if [ "${ban_action}" != "stop" ]; then
-	[ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package"
+	[ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory"
-	[ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package"
+	[ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config"
-	[ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package"
+	[ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled"
 	[ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
 fi
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@ -1,5 +1,5 @@
 #!/bin/sh
-# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables
+# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
@ -21,7 +21,7 @@ f_tmp
 f_fetch
 f_getif
 f_getdev
-f_getsub
+f_getuplink
 f_mkdir "${ban_backupdir}"
 f_mkfile "${ban_blocklist}"
 f_mkfile "${ban_allowlist}"
@ -36,10 +36,10 @@ if [ "${ban_action}" != "reload" ]; then
 			sleep 1
 		done
 		if ! /etc/init.d/firewall status >/dev/null 2>&1; then
-			f_log "err" "nft based firewall/fw4 not functional"
+			f_log "err" "error in nft based firewall/fw4"
 		fi
 	else
-		f_log "err" "nft based firewall/fw4 not found"
+		f_log "err" "no nft based firewall/fw4"
 	fi
 fi
@ -47,9 +47,9 @@ fi
 #
 if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
 	if f_nftinit "${ban_tmpfile}".init.nft; then
-		f_log "info" "nft namespace initialized"
+		f_log "info" "initialize nft namespace"
 	else
-		f_log "err" "nft namespace can't be initialized"
+		f_log "err" "can't initialize nft namespace"
 	fi
 fi
@ -83,7 +83,7 @@ for feed in allowlist ${ban_feed} blocklist; do
 	# external feeds
 	#
 	if ! json_select "${feed}" >/dev/null 2>&1; then
-		f_log "info" "unknown feed '${feed}' will be removed"
+		f_log "info" "remove unknown feed '${feed}'"
 		uci_remove_list banip global ban_feed "${feed}"
 		uci_commit "banip"
 		continue
@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do
 	if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } ||
 		{ { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } ||
 		{ [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then
-		f_log "info" "incomplete feed '${feed}' will be skipped"
+		f_log "info" "skip incomplete feed '${feed}'"
 		continue
 	fi
@ -138,7 +138,6 @@ wait
 f_rmset
 f_rmdir "${ban_tmpdir}"
 f_genstatus "active"
 f_log "info" "finished banIP download processes"
 # start domain lookup
 #
@ -191,15 +190,15 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimi
 				[ -n "${ip}" ] && proto="v6"
 			fi
 			if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
-				f_log "info" "suspicious IP${proto} found '${ip}'"
+				f_log "info" "suspicious IP${proto} '${ip}'"
 				log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
 				log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
 				if [ "${log_count}" -ge "${ban_logcount}" ]; then
 					if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
-						f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
+						f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
 						if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
 							printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
-							f_log "info" "added IP${proto} '${ip}' to local blocklist"
+							f_log "info" "add IP${proto} '${ip}' to local blocklist"
 						fi
 					fi
 				fi
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
@ -69,7 +69,7 @@
 		"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
-		"descr": "fail2ban IP blacklist"
+		"descr": "fail2ban IP blocklist"
 	},
 	"doh":{
 		"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
--- a/net/banip/files/banip.init
+++ b/net/banip/files/banip.init
@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
+# banIP init script - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
@ -9,9 +9,9 @@
 START=30
 USE_PROCD=1
-extra_command "report" "[text|json|mail] Print banIP related set statistics"
+extra_command "report" "[text|json|mail] Print banIP related Set statistics"
-extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set"
+extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
-extra_command "survey" "[<set name>] List all elements of a given banIP set"
+extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
 extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"
 ban_init="/etc/init.d/banip"
@ -45,7 +45,7 @@ start_service() {
 		procd_close_instance
 	else
 		[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
-		f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
+		f_log "err" "banIP service autostart is disabled"
 		rm -rf "${ban_lock}"
 	fi
 }
--- a/net/banip/files/banip.tpl
+++ b/net/banip/files/banip.tpl
@ -1,5 +1,5 @@
-# banIP mail template/include
+# banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets
-# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org)
+# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 # info preparation
--- a/net/cloudflared/Makefile
+++ b/net/cloudflared/Makefile
@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=cloudflared
-PKG_VERSION:=2023.4.0
+PKG_VERSION:=2023.5.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=bdb9dea9e5f9bb6b66878bbd1243d8a57fc565ca946c5f9790c2f120400ffa9e
+PKG_HASH:=38d72e35fbb894c43161ee7c6871c44d9771bc9a1f3bc54602baf66e69acefd3
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
--- a/net/crowdsec-firewall-bouncer/Makefile
+++ b/net/crowdsec-firewall-bouncer/Makefile
@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=crowdsec-firewall-bouncer
-PKG_VERSION:=0.0.25
+PKG_VERSION:=0.0.26
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=15ffaa38644215a4cf5e5d5d3a6fc6f0800057bc55d4bd25778d8e952679506e
+PKG_HASH:=2325df3f8d01e2c9b52db212a796b15b4992a135d5d278441277e97db353b2a7
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@ -10,12 +10,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
-PKG_VERSION:=2.6.12
+PKG_VERSION:=2.6.13
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
-PKG_HASH:=58f9edb26bf3288f4b502658399281cc5d6478468bd178eafe579c8f41895854
+PKG_HASH:=d69ff5233dbca657132ef280d111222ec1e33f5be1c1937d4e9ff516f63f5243
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>, \
 		Christian Lachner <gladiac@gmail.com>
--- a/net/haproxy/get-latest-patches.sh
+++ b/net/haproxy/get-latest-patches.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git
-BASE_TAG=v2.6.12
+BASE_TAG=v2.6.13
 TMP_REPODIR=tmprepo
 PATCHESDIR=patches
--- a/net/kea/Makefile
+++ b/net/kea/Makefile
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=kea
-PKG_VERSION:=2.0.3
+PKG_VERSION:=2.2.0
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.isc.org/isc/kea/$(PKG_VERSION)
-PKG_HASH:=d642907374d17480ebe4df805b363dc9e230a955475a9f3e04a076b52d5c43ec
+PKG_HASH:=da7d90ca62a772602dac6e77e507319038422895ad68eeb142f1487d67d531d2
 PKG_MAINTAINER:=BangLang Huang <banglang.huang@foxmail.com>, Rosy Song <rosysong@rosinson.com>
 PKG_LICENSE:=MPL-2.0
--- a/net/kea/files/kea.init
+++ b/net/kea/files/kea.init
@ -39,5 +39,5 @@ start_kea() {
 	procd_set_param file "$cnf"
 	procd_set_param stderr 1
 	procd_set_param stdout 1
-	procd_close_instance ctrl_agent
+	procd_close_instance
 }
--- a/net/kea/patches/003-no-test-compile.patch
+++ b/net/kea/patches/003-no-test-compile.patch
@ -158,14 +158,6 @@
 AM_CPPFLAGS = -I$(top_srcdir)/src/lib -I$(top_builddir)/src/lib
 AM_CPPFLAGS += $(BOOST_INCLUDES)
 --- a/src/lib/cql/Makefile.am
 +++ b/src/lib/cql/Makefile.am
@@ -1,4 +1,4 @@
 -SUBDIRS = . testutils tests
 +SUBDIRS = .
 AM_CPPFLAGS = -I$(top_srcdir)/src/lib -I$(top_builddir)/src/lib
 AM_CPPFLAGS += $(BOOST_INCLUDES) $(CQL_CPPFLAGS)
 --- a/src/lib/cryptolink/Makefile.am
 +++ b/src/lib/cryptolink/Makefile.am
@@ -1,4 +1,4 @@
@ -203,8 +195,8 @@
@@ -1,6 +1,6 @@
 AUTOMAKE_OPTIONS = subdir-objects
-SUBDIRS = . testutils tests benchmarks
+-SUBDIRS = . testutils tests
-+SUBDIRS = . benchmarks
+SUBDIRS = .
 # DATA_DIR is the directory where to put default CSV files and the DHCPv6
 # server ID file (i.e. the file where the server finds its DUID at startup).
--- a/net/kea/patches/004-replace-rev-with-awk.patch
+++ b/net/kea/patches/004-replace-rev-with-awk.patch
@ -1,6 +1,6 @@
 --- a/src/bin/keactrl/keactrl.in
 +++ b/src/bin/keactrl/keactrl.in
-@@ -117,7 +117,7 @@ get_pid_from_file() {
+@@ -115,7 +115,7 @@ get_pid_from_file() {
     # Extract the name portion (from last slash to last dot) of the config file name
     # File name and extension are documented in src/lib/util/filename.h
     local conf_name
--- a/net/kea/patches/010-openssl-deprecated.patch
+++ b/net/kea/patches/010-openssl-deprecated.patch
@ -1,6 +1,6 @@
 --- a/src/lib/cryptolink/openssl_link.cc
 +++ b/src/lib/cryptolink/openssl_link.cc
-@@ -79,7 +79,7 @@ CryptoLink::initialize() {
+@@ -77,7 +77,7 @@ CryptoLink::initialize(CryptoLink& c) {
 std::string
 CryptoLink::getVersion() {
--- a/net/libreswan/Makefile
+++ b/net/libreswan/Makefile
@ -7,12 +7,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libreswan
-PKG_VERSION:=4.9
+PKG_VERSION:=4.10
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.libreswan.org/
-PKG_HASH:=f642dcb635e909564ca8fd99ea44ab43f60723b4d76c158ed812978c45b398b9
+PKG_HASH:=5a9400c25a8edba07420426fb55dcbaafdaa3702e5b0f2c19205a6c567248a7b
 PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
 PKG_LICENSE:=GPL-2.0-or-later
--- a/net/lighttpd/Makefile
+++ b/net/lighttpd/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=lighttpd
 PKG_VERSION:=1.4.69
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 # release candidate ~rcX testing; remove for release
 #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
--- a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch
+++ b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch
@ -0,0 +1,34 @@
 From e91ad65e4aacde815679c06cb687931dd7beb9b3 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Thu, 20 Apr 2023 21:27:36 -0400
 Subject: [PATCH] [meson] check FORCE_{WOLFSSL,MBEDTLS}_CRYPTO
 ---
 src/meson.build | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 --- a/src/meson.build
 +++ b/src/meson.build
@@ -358,15 +358,19 @@ if get_option('with_mbedtls')
 	libmbedtls = [ compiler.find_library('mbedtls') ]
 	libmbedx509 = [ compiler.find_library('mbedx509') ]
 	libmbedcrypto = [ compiler.find_library('mbedcrypto') ]
 -	libcrypto = [ compiler.find_library('mbedcrypto') ]
 +	if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == ''
 +	  libcrypto = [ compiler.find_library('mbedcrypto') ]
 +	endif
 	conf_data.set('HAVE_LIBMBEDCRYPTO', true)
 endif
 if get_option('with_nettle')
 	# manual search:
 	# header: nettle/nettle-types.h
 	# function: nettle_md5_init (-lnettle)
 -	libcrypto = [ dependency('nettle') ]
 -	conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true)
 +	if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' and compiler.get_define('FORCE_MBEDTLS_CRYPTO') == ''
 +	  libcrypto = [ dependency('nettle') ]
 +	  conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true)
 +	endif
 endif
 if get_option('with_gnutls')
 	# manual search:
--- a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch
+++ b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch
@ -0,0 +1,23 @@
 From 37cbdacda78f9df4aba4c39e60472025d93bb7ba Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Fri, 28 Apr 2023 03:17:16 -0400
 Subject: [PATCH] [mod_mbedtls] check MBEDTLS_DEBUG_C for debug func
 ---
 src/mod_mbedtls.c | 2 ++
 1 file changed, 2 insertions(+)
 --- a/src/mod_mbedtls.c
 +++ b/src/mod_mbedtls.c
@@ -2357,9 +2357,11 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_a
      * overlap, and so this debug setting is not reset upon connection close.
      * Once enabled, debug hook will remain so for this mbedtls_ssl_config */
     if (hctx->conf.ssl_log_noise) {/* volume level for debug message callback */
 +      #ifdef MBEDTLS_DEBUG_C
       #if MBEDTLS_VERSION_NUMBER >= 0x02000000 /* mbedtls 2.0.0 */
         mbedtls_debug_set_threshold(hctx->conf.ssl_log_noise);
       #endif
 +      #endif
         mbedtls_ssl_conf_dbg(hctx->ssl_ctx, mod_mbedtls_debug_cb,
                              (void *)(intptr_t)hctx->conf.ssl_log_noise);
     }
--- a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch
+++ b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch
@ -0,0 +1,20 @@
 From 2fc157f37ea4644ba9ac776de1926b9e518ec42b Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Sat, 29 Apr 2023 00:43:55 -0400
 Subject: [PATCH] [meson] build fix for builtin_mods
 ---
 src/meson.build | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 --- a/src/meson.build
 +++ b/src/meson.build
@@ -656,7 +656,7 @@ executable('lighttpd-angel',
 )
 executable('lighttpd', configparser,
 -	sources: common_src + main_src,
 +	sources: common_src + main_src + builtin_mods,
 	dependencies: [ common_flags, lighttpd_flags
 		, libattr
 		, libcrypto
--- a/net/mwan3/Makefile
+++ b/net/mwan3/Makefile
@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=mwan3
-PKG_VERSION:=2.11.4
+PKG_VERSION:=2.11.6
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Florian Eckert <fe@dev.tdt.de>, \
 		Aaron Goodman <aaronjg@alumni.stanford.edu>
--- a/net/mwan3/files/lib/mwan3/mwan3.sh
+++ b/net/mwan3/files/lib/mwan3/mwan3.sh
@ -735,8 +735,8 @@ mwan3_set_policies_iptables()
 mwan3_set_sticky_iptables()
 {
-	local rule="${1}"
+	local interface="${1}"
-	local interface="${2}"
+	local rule="${2}"
 	local ipv="${3}"
 	local policy="${4}"
@ -879,7 +879,7 @@ mwan3_set_user_iptables_rule()
 		fi
 		mwan3_push_update -F "mwan3_rule_$1"
-		config_foreach mwan3_set_sticky_iptables interface $ipv "$policy"
+		config_foreach mwan3_set_sticky_iptables interface "$rule" "$ipv" "$policy"
 		mwan3_push_update -A "mwan3_rule_$1" \
--- a/net/mwan3/files/usr/sbin/mwan3rtmon
+++ b/net/mwan3/files/usr/sbin/mwan3rtmon
@ -75,7 +75,7 @@ mwan3_rtmon_route_handle()
 	if [ "$route_line" = "$1" ]; then
 		action="replace"
-		$IPS -! add mwan3_connected_${route_family##ip} ${route_line%% *}
+		$IPS -! add mwan3_connected_${route_family} ${route_line%% *}
 	else
 		action="del"
 		mwan3_set_connected_${route_family}
--- a/net/nginx-util/Makefile
+++ b/net/nginx-util/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=nginx-util
 PKG_VERSION:=1.6
-PKG_RELEASE:=15
+PKG_RELEASE:=16
 PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at>
 include $(INCLUDE_DIR)/package.mk
@ -67,6 +67,8 @@ define Package/nginx-ssl-util/install/default
 	$(INSTALL_CONF) ./files/restrict_locally $(1)/etc/nginx/
 	$(INSTALL_DIR) $(1)/etc/nginx/module.d/
 	$(INSTALL_DIR) $(1)/etc/config/
 	$(INSTALL_CONF) ./files/nginx.config $(1)/etc/config/nginx
--- a/net/nginx-util/files/uci.conf.template
+++ b/net/nginx-util/files/uci.conf.template
@ -6,6 +6,8 @@ worker_processes auto;
 user root;
 include module.d/*.module;
 events {}
 http {
--- a/net/nginx/Config_ssl.in
+++ b/net/nginx/Config_ssl.in
@ -15,21 +15,6 @@ config NGINX_DAV
 		Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.
 	default n
 config NGINX_DAV_EXT
 	bool
 	prompt "Enable WebDAV EXT module"
 	select NGINX_DAV
 	help
 		Enable the WebDAV methods PROPFIND, OPTIONS, LOCK, UNLOCK.
 	default n
 config NGINX_UBUS
 	bool
 	prompt "Enable UBUS module"
 	help
 		Enable UBUS api support directly from the server.
 	default y
 config NGINX_FLV
 	bool
 	prompt "Enable FLV module"
@ -195,16 +180,6 @@ config NGINX_PCRE
 	prompt "Enable PCRE library usage"
 	default y
 config NGINX_NAXSI
 	bool
 	prompt "Enable NAXSI module"
 	default y
 config NGINX_LUA
 	bool
 	prompt "Enable Lua module"
 	default n
 config NGINX_HTTP_REAL_IP
 	bool
 	prompt "Enable HTTP real ip module"
@ -220,56 +195,4 @@ config NGINX_HTTP_SUB
 	prompt "Enable HTTP sub module"
 	default n
 config NGINX_HEADERS_MORE
 	bool
 	prompt "Enable Headers_more module"
 	help
 		Set and clear input and output headers...more than "add"!
 	default y
 config NGINX_HTTP_BROTLI
 	bool
 	prompt "Enable Brotli compression module"
 	help
 		Add support for brotli compression module.
 	default n
 config NGINX_STREAM_CORE_MODULE
 	bool
 	prompt "Enable stream support"
 	help
 		Add support for NGINX request streaming.
 	default n
 config NGINX_STREAM_SSL_MODULE
 	bool
 	prompt "Enable stream support with SSL/TLS termination"
 	depends on NGINX_STREAM_CORE_MODULE
 	help
 		Add support for NGINX request streaming with SSL/TLS termination.
 	default n
 config NGINX_STREAM_SSL_PREREAD_MODULE
 	bool
 	prompt "Enable stream support with SSL/TLS pre-read"
 	depends on NGINX_STREAM_CORE_MODULE
 	help
 		Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS.
 	default n
 config NGINX_RTMP_MODULE
 	bool
 	prompt "Enable RTMP module"
 	help
 		Add support for NGINX-based Media Streaming Server module.
 		DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module
 	default n
 config NGINX_TS_MODULE
 	bool
 	prompt "Enable TS module"
 	help
 		Add support for MPEG-TS Live Module module.
 	default n
 endmenu
--- a/net/nginx/Makefile
+++ b/net/nginx/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=nginx
-PKG_VERSION:=1.21.3
+PKG_VERSION:=1.24.0
-PKG_RELEASE:=3
+PKG_RELEASE:=2
 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nginx.org/download/
-PKG_HASH:=14774aae0d151da350417efc4afda5cce5035056e71894836797e1f6e2d1175a
+PKG_HASH:=77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de> \
 				Ansuel Smith <ansuelsmth@gmail.com>
@ -27,9 +27,7 @@ PKG_BUILD_FLAGS:=gc-sections
 PKG_CONFIG_DEPENDS := \
 	CONFIG_NGINX_DAV \
 	CONFIG_NGINX_DAV_EXT \
 	CONFIG_NGINX_FLV \
 	CONFIG_NGINX_UBUS \
 	CONFIG_NGINX_STUB_STATUS \
 	CONFIG_NGINX_HTTP_CHARSET \
 	CONFIG_NGINX_HTTP_GZIP \
@ -62,17 +60,8 @@ PKG_CONFIG_DEPENDS := \
 	CONFIG_NGINX_HTTP_CACHE \
 	CONFIG_NGINX_HTTP_V2 \
 	CONFIG_NGINX_PCRE \
 	CONFIG_NGINX_NAXSI \
 	CONFIG_NGINX_LUA \
 	CONFIG_NGINX_HTTP_REAL_IP \
 	CONFIG_NGINX_HTTP_SECURE_LINK \
 	CONFIG_NGINX_HTTP_BROTLI \
 	CONFIG_NGINX_HEADERS_MORE \
 	CONFIG_NGINX_STREAM_CORE_MODULE \
 	CONFIG_NGINX_STREAM_SSL_MODULE \
 	CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE \
 	CONFIG_NGINX_RTMP_MODULE \
 	CONFIG_NGINX_TS_MODULE \
 	CONFIG_OPENSSL_ENGINE \
 	CONFIG_OPENSSL_WITH_NPN
@ -101,27 +90,28 @@ define Package/nginx-ssl
  VARIANT:=ssl
  DEPENDS+= +NGINX_PCRE:libpcre \
 	+NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \
-	+NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \
+	+NGINX_HTTP_GZIP:zlib +NGINX_DAV:libxml2
 	+NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c
  EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2)
-  CONFLICTS:=nginx-all-module
+  CONFLICTS:=nginx-full
 endef
 Package/nginx-ssl/description = $(Package/nginx/description) \
  This variant is compiled with SSL support enabled. To enable additional module \
  select them in the nginx default configuration menu.
-define Package/nginx-all-module
+define Package/nginx-full
  $(Package/nginx/default)
  TITLE += with ALL module selected
-  DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \
+  DEPENDS+=+libpcre +nginx-ssl-util +zlib +libxml2 \
-	+libblobmsg-json +libjson-c
+  +nginx-mod-ubus +nginx-mod-naxsi +nginx-mod-lua \
  +nginx-mod-dav-ext +nginx-mod-stream +nginx-mod-headers-more \
  +nginx-mod-brotli +nginx-mod-rtmp +nginx-mod-ts
  EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2)
  VARIANT:=all-module
  PROVIDES += nginx-ssl
 endef
-Package/nginx-all-module/description = $(Package/nginx/description) \
+Package/nginx-full/description = $(Package/nginx/description) \
  This variant is compiled with ALL module selected.
 define Package/nginx-ssl/config
@ -135,8 +125,7 @@ define Package/nginx/conffiles
 endef
 Package/nginx-ssl/conffiles = $(Package/nginx/conffiles)
-Package/nginx-all-module/conffiles = $(Package/nginx/conffiles)
+Package/nginx-full/conffiles = $(Package/nginx/conffiles)
 ADDITIONAL_MODULES:= --with-http_ssl_module
@ -233,12 +222,6 @@ ifneq ($(BUILD_VARIANT),all-module)
  ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y)
    ADDITIONAL_MODULES += --without-http_upstream_keepalive_module
  endif
  ifeq ($(CONFIG_NGINX_NAXSI),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src
  endif
  ifeq ($(CONFIG_NGINX_LUA),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/lua-nginx
  endif
  ifeq ($(CONFIG_IPV6),y)
    ADDITIONAL_MODULES += --with-ipv6
  endif
@ -251,12 +234,6 @@ ifneq ($(BUILD_VARIANT),all-module)
  ifeq ($(CONFIG_NGINX_DAV),y)
    ADDITIONAL_MODULES += --with-http_dav_module
  endif
  ifeq ($(CONFIG_NGINX_DAV_EXT),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module
  endif
  ifeq ($(CONFIG_NGINX_UBUS),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module
  endif
  ifeq ($(CONFIG_NGINX_HTTP_AUTH_REQUEST),y)
    ADDITIONAL_MODULES += --with-http_auth_request_module
  endif
@ -272,51 +249,45 @@ ifneq ($(BUILD_VARIANT),all-module)
  ifeq ($(CONFIG_NGINX_HTTP_SUB),y)
 	ADDITIONAL_MODULES += --with-http_sub_module
  endif
  ifeq ($(CONFIG_NGINX_STREAM_CORE_MODULE),y)
    ADDITIONAL_MODULES += --with-stream
  endif
  ifeq ($(CONFIG_NGINX_STREAM_SSL_MODULE),y)
    ADDITIONAL_MODULES += --with-stream_ssl_module
  endif
  ifeq ($(CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE),y)
    ADDITIONAL_MODULES += --with-stream_ssl_preread_module
  endif
  ifeq ($(CONFIG_NGINX_HEADERS_MORE),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-headers-more
  endif
  ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-brotli
  endif
  ifeq ($(CONFIG_NGINX_RTMP_MODULE),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-rtmp
  endif
  ifeq ($(CONFIG_NGINX_TS_MODULE),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ts
  endif
 else
  CONFIG_NGINX_HEADERS_MORE:=y
  CONFIG_NGINX_HTTP_BROTLI:=y
  CONFIG_NGINX_RTMP_MODULE:=y
  CONFIG_NGINX_TS_MODULE:=y
  CONFIG_NGINX_NAXSI:=y
  CONFIG_NGINX_LUA:=y
  CONFIG_NGINX_DAV:=y
  CONFIG_NGINX_DAV_EXT:=y
  CONFIG_NGINX_UBUS:=y
  ADDITIONAL_MODULES += --with-ipv6 --with-http_stub_status_module --with-http_flv_module \
 	--with-http_dav_module \
 	--with-http_auth_request_module --with-http_v2_module --with-http_realip_module \
 	--with-http_secure_link_module --with-http_sub_module \
 	--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
 	--add-module=$(PKG_BUILD_DIR)/nginx-headers-more \
 	--add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \
 	--add-module=$(PKG_BUILD_DIR)/lua-nginx \
 	--add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \
 	--add-module=$(PKG_BUILD_DIR)/nginx-brotli --add-module=$(PKG_BUILD_DIR)/nginx-rtmp \
 	--add-module=$(PKG_BUILD_DIR)/nginx-ts --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module
  config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/lua-nginx
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-dav-ext),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-stream),)
  ADDITIONAL_MODULES += --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ubus-module
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-headers-more
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-brotli
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-rtmp),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-rtmp
 endif
 ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),)
  ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ts
 endif
 ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y)
  ADDITIONAL_MODULES += --with-http_geoip_module=dynamic
 endif
 define Package/nginx-mod-luci
  TITLE:=Nginx on LuCI
  SECTION:=net
@ -324,7 +295,7 @@ define Package/nginx-mod-luci
  SUBMENU:=Web Servers/Proxies
  TITLE:=Support file for Nginx
  URL:=http://nginx.org/
-  DEPENDS:=+uwsgi +uwsgi-luci-support +nginx
+  DEPENDS:=+uwsgi +uwsgi-luci-support +nginx +nginx-mod-ubus
  # TODO: add PROVIDES when removing nginx-mod-luci-ssl
  # PROVIDES:=nginx-mod-luci-ssl
 endef
@ -333,12 +304,95 @@ define Package/nginx-mod-luci/description
 Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi.
 endef
 NGINX_MODULES :=
-TARGET_CFLAGS += -fvisibility=hidden -DNGX_LUA_NO_BY_LUA_BLOCK
+# $(1) module name
 # $(2) module additional dependency
 # $(3) module so name (stripped of the finaly _module.so)
 # $(4) module description
 define module
  define Package/nginx-mod-$(strip $(1))
 	$(call Package/nginx/default)
 	DEPENDS:=+nginx-ssl $(2)
 	TITLE:=Nginx $(1) module
  endef
-ifeq ($(CONFIG_NGINX_LUA),y)
+  define Package/nginx-mod-$(strip $(1))/description
-  CONFIGURE_VARS += LUA_INC=$(STAGING_DIR)/usr/include \
+   $(4)
-					LUA_LIB=$(STAGING_DIR)/usr/lib
+  endef
  define Package/nginx-mod-$(strip $(1))/install
 	$(INSTALL_DIR) $$(1)/usr/lib/nginx/modules
 	$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(3)_module.so $$(1)/usr/lib/nginx/modules
  endef
  NGINX_MODULES += nginx-mod-$(strip $(1))
 endef
 define brotli
  define Package/nginx-mod-brotli
 	$(call Package/nginx/default)
 	DEPENDS:=+nginx-ssl
 	TITLE:=Nginx Brotli module
  endef
  define Package/nginx-mod-brotli/description
   Add support for brotli compression module.
  endef
  define Package/nginx-mod-brotli/install
 	$(INSTALL_DIR) $$(1)/usr/lib/nginx/modules
 	$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_filter_module.so $$(1)/usr/lib/nginx/modules
 	$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_static_module.so $$(1)/usr/lib/nginx/modules
  endef
  NGINX_MODULES += nginx-mod-brotli
 endef
 define naxsi
  define Package/nginx-mod-naxsi
 	$(call Package/nginx/default)
 	DEPENDS:=+nginx-ssl
 	TITLE:=Nginx naxsi module
  endef
  define Package/nginx-mod-naxsi/description
   Enable NAXSI module.
  endef
  define Package/nginx-mod-naxsi/install
 	$(INSTALL_DIR) $$(1)/usr/lib/nginx/modules
 	$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_naxsi_module.so $$(1)/usr/lib/nginx/modules
 	$(INSTALL_DIR) $$(1)/etc/nginx
 	$(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx
 	chmod 0640 $$(1)/etc/nginx/naxsi_core.rules
 	$(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx
 	chmod 0640 $$(1)/etc/nginx/naxsi_core.rules
  endef
  NGINX_MODULES += nginx-mod-naxsi
 endef
 $(eval $(call module,lua, +luajit,ngx_http_lua, Enable Lua module))
 $(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, Add support for NGINX request streaming.))
 $(eval $(call module,ubus, +libubus +libjson-c +libblobmsg-json +@NGINX_UBUS,ngx_http_ubus, Enable UBUS api support directly from the server.))
 $(eval $(call module,dav-ext, +@NGINX_DAV +libxml2,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.))
 $(eval $(call module,headers-more,,ngx_http_headers_more_filter, Set and clear input and output headers...more than "add"!))
 $(eval $(call module,rtmp,,ngx_rtmp, Add support for NGINX-based Media Streaming Server module. \
 		DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module))
 $(eval $(call module, ts,,ngx_http_ts, Add support for MPEG-TS Live Module module.))
 $(eval $(call brotli))
 $(eval $(call naxsi))
 PKG_CONFIG_DEPENDS += $(patsubst %,CONFIG_PACKAGE_%,$(NGINX_MODULES))
 TARGET_CFLAGS += -DNGX_LUA_NO_BY_LUA_BLOCK
 ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),)
  CONFIGURE_VARS += LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-* \
 					LUAJIT_LIB=$(STAGING_DIR)/usr/lib
 endif
 CONFIGURE_VARS += CONFIG_BIG_ENDIAN=$(CONFIG_BIG_ENDIAN)
@ -347,6 +401,7 @@ CONFIGURE_ARGS += \
 			--crossbuild=Linux::$(ARCH) \
 			--prefix=/usr \
 			--conf-path=/etc/nginx/nginx.conf \
 			--modules-path=/usr/lib/nginx/modules \
 			$(ADDITIONAL_MODULES) \
 			--error-log-path=stderr \
 			--pid-path=/var/run/nginx.pid \
@ -358,7 +413,8 @@ CONFIGURE_ARGS += \
 			--with-cc="$(TARGET_CC)" \
 			--with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \
 			--with-ld-opt="$(TARGET_LDFLAGS)" \
-			--without-http_upstream_zone_module
+			--without-http_upstream_zone_module \
 			--without-pcre2
 define Package/nginx-mod-luci/install
 	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
@ -374,16 +430,9 @@ define Package/nginx-ssl/install
 	$(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx
 ifeq ($(CONFIG_NGINX_NAXSI),y)
 	$(INSTALL_DIR) $(1)/etc/nginx
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx
 	chmod 0640 $(1)/etc/nginx/naxsi_core.rules
 endif
 	$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
 	$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
 endef
-Package/nginx-all-module/install = $(Package/nginx-ssl/install)
+Package/nginx-full/install = $(Package/nginx-ssl/install)
 define Package/nginx-ssl/prerm
 #!/bin/sh
@ -396,14 +445,14 @@ rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")"
 exit 0
 endef
-Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm)
+Package/nginx-full/prerm = $(Package/nginx-ssl/prerm)
 define Download/nginx-headers-more
-  VERSION:=a9f7c7e86cc7441d04e2f11f01c2e3a9c4b0301d
+  VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0
  SUBDIR:=nginx-headers-more
  FILE:=headers-more-nginx-module-$$(VERSION).tar.xz
  URL:=https://github.com/openresty/headers-more-nginx-module.git
-  MIRROR_HASH:=ce0b9996ecb2cff790831644d6ab1adc087aa2771d77d3931c06246d11bc59fd
+  MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b
  PROTO:=git
 endef
@ -469,11 +518,11 @@ define Prepare/nginx-naxsi
 endef
 define Download/lua-nginx
-  VERSION:=e94f2e5d64daa45ff396e262d8dab8e56f5f10e0
+  VERSION:=68acad14e4a8f42e31d4a4bb5ed44d6f5b55fc1c
  SUBDIR:=lua-nginx
  FILE:=lua-nginx-module-$$(VERSION).tar.xz
  URL:=https://github.com/openresty/lua-nginx-module.git
-  MIRROR_HASH:=27729921964f066d97e99c263da153b34622a2f4b811114e4c3ee61c6fc71395
+  MIRROR_HASH:=366f24e1ba6221e34f6ba20ab29146438438f88c89fd71f9500d169b3f5aedf0
  PROTO:=git
 endef
@ -513,13 +562,13 @@ endef
 define Build/Patch
 	$(if $(QUILT),rm -rf $(PKG_BUILD_DIR)/patches; mkdir -p $(PKG_BUILD_DIR)/patches)
 	$(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/nginx,nginx/)
-ifneq "$(or $(CONFIG_NGINX_DAV_EXT),$(QUILT))" ""
+ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" ""
 	$(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/dav-nginx,dav-nginx/)
 endif
-ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" ""
+ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" ""
 	$(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/lua-nginx,lua-nginx/)
 endif
-ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" ""
+ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" ""
 	$(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/rtmp-nginx,rtmp-nginx/)
 endif
 	$(if $(QUILT),touch $(PKG_BUILD_DIR)/.quilt_used)
@ -537,42 +586,42 @@ define Build/Prepare
 	mkdir -p $(PKG_BUILD_DIR)
 	$(PKG_UNPACK)
-ifeq ($(CONFIG_NGINX_NAXSI),y)
+ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),)
  $(eval $(call Download,nginx-naxsi))
  $(Prepare/nginx-naxsi)
 endif
-ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" ""
+ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" ""
  $(eval $(call Download,lua-nginx))
  $(Prepare/lua-nginx)
 endif
-ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y)
+ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),)
  $(eval $(call Download,nginx-brotli))
  $(Prepare/nginx-brotli)
 endif
-ifeq ($(CONFIG_NGINX_HEADERS_MORE),y)
+ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),)
  $(eval $(call Download,nginx-headers-more))
  $(Prepare/nginx-headers-more)
 endif
-ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" ""
+ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" ""
  $(eval $(call Download,nginx-rtmp))
  $(Prepare/nginx-rtmp)
 endif
-ifeq ($(CONFIG_NGINX_TS_MODULE),y)
+ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),)
  $(eval $(call Download,nginx-ts))
  $(Prepare/nginx-ts)
 endif
-ifneq "$(or $(CONFIG_NGINX_DAV_EXT),$(QUILT))" ""
+ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" ""
  $(eval $(call Download,nginx-dav-ext-module))
  $(Prepare/nginx-dav-ext-module)
 endif
-ifeq ($(CONFIG_NGINX_UBUS),y)
+ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),)
  $(eval $(call Download,nginx-ubus-module))
  $(Prepare/nginx-ubus-module)
 endif
@ -581,9 +630,11 @@ endif
 endef
 $(eval $(call BuildPackage,nginx-ssl))
-$(eval $(call BuildPackage,nginx-all-module))
+$(eval $(call BuildPackage,nginx-full))
 $(eval $(call BuildPackage,nginx-mod-luci))
 $(foreach m,$(NGINX_MODULES),$(eval $(call BuildPackage,$(m))))
 # TODO: remove after a transition period (together with pkg nginx-util):
 # It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl
 # respectively nginx-mod-luci). Add above commented PROVIDES when removing.
--- a/net/nginx/files-luci-support/60_nginx-luci-support
+++ b/net/nginx/files-luci-support/60_nginx-luci-support
@ -1,6 +1,6 @@
 #!/bin/sh
-if nginx -V 2>&1 | grep -q ubus; then
+if nginx -V 2>&1 | grep -q ubus && [ -f /usr/lib/nginx/modules/ngx_http_ubus_module.so ]; then
 	if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then
 		cat <<EOT >> /etc/nginx/conf.d/luci.locations
@ -24,6 +24,12 @@ location ~ /netdata/(?<ndpath>.*) {
    proxy_pass http://\$server_addr:19999/\$ndpath\$is_args\$args;
 }
 EOT
 	fi
        if [ ! -f "/etc/nginx/module.d/luci.module" ]; then
 		cat <<EOT >> /etc/nginx/module.d/luci.module
 load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;
 EOT
 	fi
 fi
--- a/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch
+++ b/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch
@ -1,10 +1,9 @@
 --- a/lua-nginx/src/ngx_http_lua_module.c
 +++ b/lua-nginx/src/ngx_http_lua_module.c
-@@ -165,14 +165,14 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -207,12 +207,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_lua_loc_conf_t, log_socket_errors),
       NULL },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("init_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@ -12,16 +11,14 @@
       NGX_HTTP_MAIN_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_init_by_inline },
 -
 +#endif
     { ngx_string("init_by_lua"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
-       ngx_http_lua_init_by_lua,
+@@ -228,12 +230,14 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -186,14 +186,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_MAIN_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_init_by_file },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("init_worker_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@ -29,141 +26,157 @@
       NGX_HTTP_MAIN_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_init_worker_by_inline },
 -
 +#endif
     { ngx_string("init_worker_by_lua"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
-       ngx_http_lua_init_worker_by_lua,
+@@ -249,12 +253,14 @@ static ngx_command_t ngx_http_lua_cmds[]
-@@ -209,6 +209,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+       0,
       (void *) ngx_http_lua_init_worker_by_file },
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("exit_worker_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_exit_worker_by_lua_block,
       NGX_HTTP_MAIN_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_exit_worker_by_inline },
 +#endif
     { ngx_string("exit_worker_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
@@ -264,6 +270,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       (void *) ngx_http_lua_exit_worker_by_file },
 #if defined(NDK) && NDK
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
-     /* set_by_lua $res { inline Lua code } [$arg1 [$arg2 [...]]] */
+     /* set_by_lua_block $res { inline Lua code } */
     { ngx_string("set_by_lua_block"),
       NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-@@ -217,7 +218,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -272,6 +279,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_filter_set_by_lua_inline },
 -
 +#endif
     /* set_by_lua $res <inline script> [$arg1 [$arg2 [...]]] */
     { ngx_string("set_by_lua"),
-       NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
+@@ -292,6 +300,7 @@ static ngx_command_t ngx_http_lua_cmds[]
-@@ -245,7 +246,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+       (void *) ngx_http_lua_filter_set_by_lua_file },
-       NGX_HTTP_LOC_CONF_OFFSET,
+ #endif
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* server_rewrite_by_lua_block { <inline script> } */
     { ngx_string("server_rewrite_by_lua_block"),
         NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@@ -299,6 +308,7 @@ static ngx_command_t ngx_http_lua_cmds[]
         NGX_HTTP_SRV_CONF_OFFSET,
         0,
         (void *) ngx_http_lua_server_rewrite_handler_inline },
 +#endif
     /* server_rewrite_by_lua_file filename; */
     { ngx_string("server_rewrite_by_lua_file"),
@@ -317,6 +327,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       0,
       (void *) ngx_http_lua_rewrite_handler_inline },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* rewrite_by_lua_block { <inline script> } */
     { ngx_string("rewrite_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-@@ -254,7 +255,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -325,6 +336,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_rewrite_handler_inline },
 -
 +#endif
     /* access_by_lua "<inline script>" */
     { ngx_string("access_by_lua"),
-       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
+@@ -335,6 +347,7 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -263,7 +264,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_access_handler_inline },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* access_by_lua_block { <inline script> } */
     { ngx_string("access_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-@@ -272,7 +273,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -343,6 +356,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_access_handler_inline },
 -
 +#endif
     /* content_by_lua "<inline script>" */
     { ngx_string("content_by_lua"),
-       NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1,
+@@ -352,6 +366,7 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -280,7 +281,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_content_handler_inline },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* content_by_lua_block { <inline script> } */
     { ngx_string("content_by_lua_block"),
       NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
-@@ -288,7 +289,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -359,6 +374,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_content_handler_inline },
 -
 +#endif
     /* log_by_lua <inline script> */
     { ngx_string("log_by_lua"),
-       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
+@@ -369,6 +385,7 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -297,7 +298,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_log_handler_inline },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* log_by_lua_block { <inline script> } */
     { ngx_string("log_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-@@ -306,7 +307,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -377,6 +394,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_log_handler_inline },
 -
 +#endif
     { ngx_string("rewrite_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                         |NGX_CONF_TAKE1,
+@@ -433,6 +451,7 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -361,7 +362,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_header_filter_inline },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* header_filter_by_lua_block { <inline script> } */
     { ngx_string("header_filter_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-@@ -370,7 +371,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -441,6 +460,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_header_filter_inline },
 -
 +#endif
     { ngx_string("header_filter_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                         |NGX_CONF_TAKE1,
+@@ -458,6 +478,7 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -386,7 +387,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_body_filter_inline },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     /* body_filter_by_lua_block { <inline script> } */
     { ngx_string("body_filter_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-@@ -395,7 +396,7 @@ static ngx_command_t ngx_http_lua_cmds[]
+@@ -466,6 +487,7 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_body_filter_inline },
 -
 +#endif
     { ngx_string("body_filter_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                         |NGX_CONF_TAKE1,
+@@ -475,12 +497,14 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -403,14 +404,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_body_filter_file },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("balancer_by_lua_block"),
       NGX_HTTP_UPS_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@ -171,16 +184,29 @@
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_balancer_handler_inline },
 -
 +#endif
     { ngx_string("balancer_by_lua_file"),
       NGX_HTTP_UPS_CONF|NGX_CONF_TAKE1,
-       ngx_http_lua_balancer_by_lua,
+@@ -585,12 +609,14 @@ static ngx_command_t ngx_http_lua_cmds[]
@@ -517,14 +518,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
       NULL },
-
+ 
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("ssl_client_hello_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_ssl_client_hello_by_lua_block,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_client_hello_handler_inline },
 +#endif
     { ngx_string("ssl_client_hello_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
@@ -599,12 +625,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       0,
       (void *) ngx_http_lua_ssl_client_hello_handler_file },
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("ssl_certificate_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@ -188,8 +214,37 @@
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_cert_handler_inline },
 -
 +#endif
     { ngx_string("ssl_certificate_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
-       ngx_http_lua_ssl_cert_by_lua,
+@@ -613,12 +641,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       0,
       (void *) ngx_http_lua_ssl_cert_handler_file },
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("ssl_session_store_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_ssl_sess_store_by_lua_block,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_sess_store_handler_inline },
 +#endif
     { ngx_string("ssl_session_store_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
@@ -627,12 +657,14 @@ static ngx_command_t ngx_http_lua_cmds[]
       0,
       (void *) ngx_http_lua_ssl_sess_store_handler_file },
 +#ifndef NGX_LUA_NO_BY_LUA_BLOCK
     { ngx_string("ssl_session_fetch_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_ssl_sess_fetch_by_lua_block,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_sess_fetch_handler_inline },
 +#endif
     { ngx_string("ssl_session_fetch_by_lua_file"),
       NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
--- a/net/nginx/patches/nginx/201-ignore-invalid-options.patch
+++ b/net/nginx/patches/nginx/201-ignore-invalid-options.patch
@ -1,6 +1,6 @@
 --- a/auto/options
 +++ b/auto/options
-@@ -400,8 +400,7 @@ $0: warning: the \"--with-sha1-asm\" opt
+@@ -402,8 +402,7 @@ $0: warning: the \"--with-sha1-asm\" opt
         --test-build-solaris-sendfilev)  NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;;
         *)
--- a/net/openssh/files/sshd.init
+++ b/net/openssh/files/sshd.init
@ -27,9 +27,14 @@ start_service() {
 	procd_open_instance
 	procd_add_mdns "ssh" "tcp" "$lport"
 	procd_set_param command $PROG -D
 	procd_set_param respawn
 	procd_close_instance
 }
 reload_service() {
 	procd_send_signal sshd
 }
 shutdown() {
 	local pid
--- a/net/pbr/Makefile
+++ b/net/pbr/Makefile
@ -4,8 +4,8 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=pbr
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.1.1
-PKG_RELEASE:=16
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
@ -17,7 +17,7 @@ define Package/pbr/Default
  SUBMENU:=Routing and Redirection
  TITLE:=Policy Based Routing Service
  URL:=https://docs.openwrt.melmac.net/pbr/
-  DEPENDS:=+ip-full +jshn +jsonfilter +libubus +resolveip
+  DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
  CONFLICTS:=vpnbypass vpn-policy-routing
  PKGARCH:=all
 endef
@ -79,13 +79,11 @@ define Package/pbr/default/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr
 	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
 	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN)  ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
 endef
@ -94,12 +92,16 @@ define Package/pbr/install
 $(call Package/pbr/default/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include
 	$(INSTALL_DIR) $(1)/usr/share/nftables.d
 	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
 endef
 define Package/pbr-iptables/install
 $(call Package/pbr/default/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
 	$(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
 endef
@ -130,7 +132,7 @@ define Package/pbr/prerm
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
-		echo -n "Stopping pbr service... "
+		echo "Stopping pbr service... "
 		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
@ -162,7 +164,7 @@ define Package/pbr-iptables/prerm
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
-		echo -n "Stopping pbr-iptables service... "
+		echo "Stopping pbr-iptables service... "
 		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr-iptables... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
@ -185,7 +187,7 @@ define Package/pbr-netifd/prerm
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
-		echo -n "Stopping pbr-netifd service... "
+		echo "Stopping pbr-netifd service... "
 		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
--- a/net/pbr/files/etc/hotplug.d/firewall/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/firewall/70-pbr
@ -1,6 +1,6 @@
 #!/bin/sh
 [ "$ACTION" = "reload" ] || [ "$ACTION" = "restart" ] || exit 0
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
-	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
+	logger -t "pbr" "Reloading pbr due to firewall action: $ACTION"
 	/etc/init.d/pbr reload
 fi
--- a/net/pbr/files/etc/hotplug.d/iface/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/iface/70-pbr
@ -1,8 +1,6 @@
 #!/bin/sh
 # shellcheck disable=SC1091,SC3060
 [ -s /etc/openwrt_release ] && . /etc/openwrt_release
 [ "${DISTRIB_RELEASE//19.07}" = "$DISTRIB_RELEASE" ] && exit 0
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
-	logger -t pbr "Reloading pbr $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)"
+	logger -t pbr "Reloading pbr $INTERFACE interface routing due to $ACTION of $INTERFACE ($DEVICE)"
-	/etc/init.d/pbr reload_interface "$INTERFACE"
+	/etc/init.d/pbr on_interface_reload "$INTERFACE"
 fi
--- a/net/pbr/files/etc/init.d/pbr.init
+++ b/net/pbr/files/etc/init.d/pbr.init
@ -35,10 +35,10 @@ readonly packageName='pbr'
 readonly serviceName="$packageName $PKG_VERSION"
 readonly serviceTrapSignals='exit SIGHUP SIGQUIT SIGKILL'
 readonly packageConfigFile="/etc/config/${packageName}"
 readonly packageLockFile="/var/run/${packageName}.lock"
 readonly nftTempFile="/var/run/${packageName}.nft"
 #readonly nftPermFile="/etc/nftables.d/table-post/30-pbr.nft"
 readonly dnsmasqFile="/var/dnsmasq.d/${packageName}"
 readonly sharedMemoryOutput="/dev/shm/$packageName-output"
 readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
 readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
 readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
@ -46,6 +46,8 @@ readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m'
 readonly _ERROR_='\033[0;31mERROR\033[0m'
 readonly _WARNING_='\033[0;33mWARNING\033[0m'
 readonly ip_full='/usr/libexec/ip-full'
 # shellcheck disable=SC2155
 readonly ip_bin="$(command -v ip)"
 readonly ipTablePrefix='pbr'
 # shellcheck disable=SC2155
 readonly iptables="$(command -v iptables)"
@ -96,6 +98,7 @@ ifaceTableID=
 ifacePriority=
 ifacesAll=
 ifacesSupported=
 firewallWanZone=
 wanGW4=
 wanGW6=
 serviceStartTrigger=
@ -122,30 +125,32 @@ get_text() {
 		errorPolicyNoSrcDest) r="Policy '%s' has no source/destination parameters!";;
 		errorPolicyNoInterface) r="Policy '%s' has no assigned interface!";;
 		errorPolicyUnknownInterface) r="Policy '%s' has an unknown interface!";;
-		errorPolicyProcessCMD) r="%s";;
+		errorPolicyProcessCMD) r="'%s'!";;
 		errorFailedSetup) r="Failed to set up '%s'!";;
 		errorFailedReload) r="Failed to reload '%s'!";;
 		errorUserFileNotFound) r="Custom user file '%s' not found or empty!";;
-		ererrorUserFileSyntax) r="Syntax error in custom user file '%s'!";;
+		errorUserFileSyntax) r="Syntax error in custom user file '%s'!";;
 		errorUserFileRunning) r="Error running custom user file '%s'!";;
 		errorUserFileNoCurl) r="Use of 'curl' is detected in custom user file '%s', but 'curl' isn't installed!";;
 		errorNoGateways) r="Failed to set up any gateway!";;
-		errorResolver) r="Resolver %s";;
+		errorResolver) r="Resolver '%s'!";;
-		errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled";;
+		errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled!";;
-		errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'";;
+		errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'!";;
-		errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy %s";;
+		errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy '%s'!";;
-		errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy %s";;
+		errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy '%s'!";;
-		errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 and IPv6 for policy %s";;
+		errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 and IPv6 for policy '%s'!";;
-		errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy %s";;
+		errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";;
-		errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing";;
+		errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";;
-		errorFailedToResolve) r="Failed to resolve %s";;
+		errorFailedToResolve) r="Failed to resolve '%s'!";;
 		warningInvalidOVPNConfig) r="Invalid OpenVPN config for '%s' interface.";;
 		warningResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system.";;
-		warningAGHVersionTooLow) r="Installed AdGuardHome (%s) doesn't support 'ipset_file' option.";;
+		warningAGHVersionTooLow) r="Installed AdGuardHome ('%s') doesn't support 'ipset_file' option.";;
-		warningPolicyProcessCMD) r="%s";;
+		warningPolicyProcessCMD) r="'%s'";;
-		warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'";;
+		warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'.";;
-		warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'";;
+		warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'.";;
-		warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'";;
+		warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'.";;
-		warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'";;
+		warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'.";;
 		warningOutdatedWebUIApp) r="The WebUI application is outdated (version %s), please update it.";;
 	esac
 	echo "$r"
 }
@ -171,6 +176,7 @@ output() {
 # Can take a single parameter (text) to be output at any verbosity
 # Or target verbosity level and text to be output at specifc verbosity
 	local msg memmsg logmsg
 	local sharedMemoryOutput="/dev/shm/$packageName-output"
 	verbosity="${verbosity:-2}"
 	if [ "$#" -ne 1 ]; then
 		if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
@ -190,8 +196,9 @@ is_present() { command -v "$1" >/dev/null 2>&1; }
 is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; }
 is_variant_installed() { [ "$(echo /usr/lib/opkg/info/"${1}"*.control)" != "/usr/lib/opkg/info/${1}*.control" ]; }
 is_nft() { [ -x "$nft" ] && ! str_contains "$resolver_set" 'ipset' && "$nft" list chains inet | grep -q "${nftPrefix}_prerouting"; }
 _find_firewall_wan_zone() { [ "$(uci -q get "firewall.${1}.name")" = "wan" ] && firewallWanZone="$1"; }
 _build_ifaces_all() { ifacesAll="${ifacesAll}${1} "; }
-_build_ifaces_supported() { is_supported_interface "$1" && ifacesSupported="${ifacesSupported}${1} "; }
+_build_ifaces_supported() { is_supported_interface "$1" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; }
 pbr_find_iface() {
 	local iface i param="$2"
 	[ "$param" = 'wan6' ] || param='wan'
@ -209,7 +216,7 @@ pbr_get_gateway() {
 	network_get_gateway gw "$iface" true
 	if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then
 #		gw="$(ubus call "network.interface.${iface}" status | jsonfilter -e "@.route[0].nexthop")"
-		gw="$($ip_full -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')"
+		gw="$($ip_bin -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')"
 	fi
 	eval "$1"='$gw'
 }
@ -217,14 +224,16 @@ pbr_get_gateway6() {
 	local iface="$2" dev="$3" gw
 	network_get_gateway6 gw "$iface" true
 	if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then
-		gw="$($ip_full -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')"
+		gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')"
 	fi
 	eval "$1"='$gw'
 }
 is_dslite() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:6}" = "dslite" ]; }
 is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; }
 is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; }
-is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
+# is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
 is_ovpn() { local dev; dev="$(uci -q get "network.${1}.device")"; [ -z "$dev" ] && dev="$(uci -q get "network.${1}.dev")"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
 is_valid_ovpn() { local dev_net dev_ovpn; dev_net="$(uci -q get "network.${1}.device")"; [ -z "$dev_net" ] && dev_net="$(uci -q get "network.${1}.dev")"; dev_ovpn="$(uci -q get "openvpn.${1}.dev")"; [ -n "$dev_net" ] && [ -n "$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; }
 is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; }
 is_softether() { local dev; network_get_device dev "$1"; [ "${dev:0:4}" = "vpn_" ]; }
 is_tor() { [ "$(str_to_lower "$1")" = "tor" ]; }
@ -258,7 +267,7 @@ is_domain() { ! is_ipv6 "$1" && str_contains "$1" '[a-zA-Z]'; }
 is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; }
 dnsmasq_kill() { killall -q -s HUP dnsmasq; }
 dnsmasq_restart() { output 3 'Restarting dnsmasq '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; }
-is_default_dev() { [ "$1" = "$($ip_full -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; }
+is_default_dev() { [ "$1" = "$($ip_bin -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; }
 is_supported_iface_dev() { local n dev; for n in $ifacesSupported; do network_get_device dev "$n"; [ "$1" = "$dev" ] && return 0; done; return 1; }
 is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; }
 is_service_running_iptables() { [ -x "$iptables" ] && "$iptables" -t mangle -L | grep -q "${iptPrefix}_PREROUTING" >/dev/null 2>&1; }
@ -298,6 +307,7 @@ get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null
 is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; }
 ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; }
 ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; }
 opkg_get_version() { grep -m1 -A1 "$1" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; }
 load_package_config() {
 	config_load "$packageName"
@ -341,8 +351,8 @@ load_package_config() {
 load_environment() {
 	local param="$1" validation_result="$2"
 	load_package_config
-
+	case "$param" in
-	if [ "$param" = 'on_start' ]; then
+		on_start)
 			if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then
 				output "${_ERROR_}: The $packageName config validation failed!\\n"
 				output "Please check if the '$packageConfigFile' contains correct values for config options.\\n"
@ -353,7 +363,7 @@ load_environment() {
 				state add 'errorSummary' 'errorServiceDisabled'
 				return 1
 			fi
-		if [ ! -x "$ip_full" ]; then
+			if [ ! -x "$ip_bin" ]; then
 				state add 'errorSummary' 'errorNoIpFull'
 				return 1
 			fi
@ -363,16 +373,29 @@ load_environment() {
 					return 1
 				fi
 			fi
 			rm -f "$packageLockFile"
 			resolver 'check_support'
-	fi
+		;;
-
+		on_stop)
 			touch "$packageLockFile"
 		;;
 	esac
 	load_network "$param"
 }
 load_network() {
 	local i
 	config_load 'network'
 	[ -z "$ifacesAll" ] && config_foreach _build_ifaces_all 'interface'
-	[ -z "$ifacesSupported" ] && config_foreach _build_ifaces_supported 'interface'
+	if [ -z "$ifacesSupported" ]; then
 		config_load 'firewall'
 		config_foreach _find_firewall_wan_zone 'zone'
 		for i in $(uci -q get "firewall.${firewallWanZone}.network"); do
 			is_supported_interface "$i" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${i} "
 		done
 		config_load 'network'
 		config_foreach _build_ifaces_supported 'interface'
 	fi
 	pbr_find_iface wanIface4 'wan'
 	[ -n "$ipv6_enabled" ] && pbr_find_iface wanIface6 'wan6'
 	[ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4"
@ -724,6 +747,8 @@ state() {
 			eval "$param"='${line:+$line#}${value}${extras:+ $extras}'
 		;;
 		json)
 			json_init
 			json_add_object "$packageName"
 			case "$param" in
 				errorSummary)
 					json_add_array 'errors';;
@ -747,6 +772,8 @@ $(eval echo "\$$param" | tr \# \\n)
 EOF
 			fi
 			json_close_array
 			json_close_object
 			json_dump
 		;;
 		print)
 			[ -z "$(eval echo "\$$param")" ] && return 0
@ -816,7 +843,7 @@ resolver() {
 						return 1
 					fi
 					if [ -n "$agh" ] && [ -s "$aghConfigFile" ]; then
-						agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|')"
+						agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|' | sed 's|-.*||')"
 						if is_greater_or_equal "$agh_version" '0.107.13'; then
 							resolver_set_supported='true'
 							return 0
@ -1165,20 +1192,20 @@ policy_routing_iptables() {
 		return 1
 	fi
 	if [ -z "$proto" ]; then
 		if [ -n "$lport" ] || [ -n "$rport" ]; then 
 			proto='tcp udp'
 		else
 			proto='all'
 		fi
 	fi
 	if is_family_mismatch "$laddr" "$raddr"; then 
 		processPolicyError='true'
 		state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'"
 		return 1
 	fi
 	if [ -z "$proto" ]; then
 		if [ -n "${lport}${rport}" ]; then 
 			proto='tcp udp'
 		else
 			proto='all'
 		fi
 	fi
 	for i in $proto; do
 		if [ "$i" = 'all' ]; then
 			param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
@ -1322,25 +1349,25 @@ policy_routing_iptables() {
 			ipt6 "$param6" || ipv6_error='1'
 		fi
-# ipt6 returns true if IPv6 support is not enabled
+	if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
 	[ -z "$ipv6_enabled" ] && ipv6_error='1'
 	if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
 		if [ -n "$ipv6_enabled" ]; then
 		processPolicyError='true'
 		state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
 		state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4"
 		state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6"
-		else
+		logger -t "$packageName" "ERROR: iptables $param4"
 		logger -t "$packageName" "ERROR: iptables $param6"
 	elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then
 		processPolicyError='true'
 		state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name"
 		state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4"
-		fi
+		logger -t "$packageName" "ERROR: iptables $param4"
 	fi
 	done
 }
 policy_routing_nft() {
-	local mark param4 param6 i negation value dest nftInsertOption='add'
+	local mark i nftInsertOption='add'
 	local param4 param6 proto_i negation value dest
 	local ip4Flag='ip' ip6Flag='ip6'
 	local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9"
 	proto="$(str_to_lower "$7")"
@ -1370,9 +1397,22 @@ policy_routing_nft() {
 		return 1
 	fi
-	if [ -n "$proto" ] && ! is_supported_protocol "$proto"; then
+	if [ -z "$proto" ]; then
 		if [ -n "${src_port}${dest_port}" ]; then 
 			proto='tcp udp'
 		else
 			proto='all'
 		fi
 	fi
 	for proto_i in $proto; do
 		unset param4
 		unset param6
 		if [ "$proto_i" = 'all' ]; then
 			unset proto_i
 		elif ! is_supported_protocol "$proto_i"; then
 			processPolicyError='true'
-		state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$i'"
+			state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$proto_i'"
 			return 1
 		fi
@ -1450,18 +1490,14 @@ policy_routing_nft() {
 			fi
 		fi
 	if [ -n "${src_port}${dest_port}" ]; then
 		proto="${proto:-tcp}"
 	fi
 		if [ -n "$src_port" ]; then
 			if [ "${src_port:0:1}" = "!" ]; then
 				negation='!='; value="${src_port:1}"
 			else
 				unset negation; value="$src_port";
 			fi
-		param4="$param4 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}"
+			param4="$param4 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}"
-		param6="$param6 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}"
+			param6="$param6 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}"
 		fi
 		if [ -n "$dest_port" ]; then
@ -1470,8 +1506,8 @@ policy_routing_nft() {
 			else
 				unset negation; value="$dest_port";
 			fi
-		param4="$param4 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}"
+			param4="$param4 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}"
-		param6="$param6 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}"
+			param6="$param6 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}"
 		fi
 		param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\""
@ -1487,20 +1523,21 @@ policy_routing_nft() {
 			nftPrevParam6="$param6"
 		fi
-# nft6 returns true if IPv6 support is not enabled
+	if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
 	[ -z "$ipv6_enabled" ] && ipv6_error='1'
 	if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
 		if [ -n "$ipv6_enabled" ]; then
 		processPolicyError='true'
 		state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
-			state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param4'"
+		state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4"
-			state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param6'"
+		state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param6"
-		else
+		logger -t "$packageName" "ERROR: nft $param4"
 		logger -t "$packageName" "ERROR: nft $param6"
 	elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then
 		processPolicyError='true'
 		state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name"
-			state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param4'"
+		state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4"
-		fi
+		logger -t "$packageName" "ERROR: nft $param4"
 	fi
 	done
 }
 policy_process() {
@ -1582,8 +1619,8 @@ interface_process_tor_iptables() {
 		destroy)
 			for i in $chainsList; do
 				i="$(str_to_upper "$i")"
-				ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}"
+				ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
-				ipt -t nat -F "${nftPrefix}_${i}"; ipt -t nat -X "${nftPrefix}_${i}";
+				ipt -t nat -F "${iptPrefix}_${i}"; ipt -t nat -X "${iptPrefix}_${i}";
 			done
 			;;
 		create)
@ -1592,18 +1629,19 @@ interface_process_tor_iptables() {
 			trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
 			dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}"; 
 			for i in $chainsList; do
-				ipt -t nat -N "${nftPrefix}_${i}"
+				i="$(str_to_upper "$i")"
-				ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}"
+				ipt -t nat -N "${iptPrefix}_${i}"
 				ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
 			done
 			if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && ips 'flush' "$iface" 'dst' 'ip'; then
 				set_name4="${ipsPrefix}_${iface}_4_dst_ip"
 				for i in $chainsList; do
-					i="$(str_to_lower "$i")"
+					i="$(str_to_upper "$i")"
-					ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1
+					ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1
-					ipt -t nat -I "${nftPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1
+					ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1
-					ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1
+					ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1
-					ipt -t nat -I "${nftPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1
+					ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1
-					ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1
+					ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1
 				done
 			else
 				s=1
@ -1639,16 +1677,16 @@ interface_process_tor_nft() {
 			if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && nftset 'flush' "$iface" 'dst' 'ip'; then
 				set_name4="${nftPrefix}_${iface}_4_dst_ip"
 				set_name6="${nftPrefix}_${iface}_6_dst_ip"
-				nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1
+				nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1
-				nft meta nfproto ipv4 tcp daddr "@${set_name4}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1
+				nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1
-				nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv4" || s=1
+				nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv4" || s=1
-				nft meta nfproto ipv4 tcp daddr "@${set_name4}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1
+				nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1
-				nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1
+				nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1
-				nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1
+				nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1
-				nft6 meta nfproto ipv6 tcp daddr "@${set_name6}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1
+				nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1
-				nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1
+				nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1
-				nft6 meta nfproto ipv6 tcp daddr "@${set_name6}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1
+				nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1
-				nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1
+				nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1
 			else
 				s=1
 			fi
@ -1676,8 +1714,8 @@ interface_routing() {
 		create)
 			if is_netifd_table "$iface"; then
 				ipv4_error=0
-				$ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+				$ip_bin rule del table "$tid" >/dev/null 2>&1
-				$ip_full -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
+				$ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
 				if is_nft; then
 					nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 
 					nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
@ -1689,8 +1727,7 @@ interface_routing() {
 				fi
 				if [ -n "$ipv6_enabled" ]; then
 					ipv6_error=0
-					$ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+					$ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
 					$ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
 				fi
 			else
 				if ! grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then
@ -1699,14 +1736,14 @@ interface_routing() {
 					echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables'
 					sync
 				fi
-				$ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+				$ip_bin rule del table "$tid" >/dev/null 2>&1
-				$ip_full -4 route flush table "$tid" >/dev/null 2>&1
+				$ip_bin route flush table "$tid" >/dev/null 2>&1
 				if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
 					ipv4_error=0
 					if [ -z "$gw4" ]; then
-						$ip_full -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
+						$ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
 					else
-						$ip_full -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
+						$ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
 					fi
 # shellcheck disable=SC2086
 					while read -r i; do
@ -1714,12 +1751,12 @@ interface_routing() {
 						i="$(echo "$i" | sed 's/ onlink$//')"
 						idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')"
 						if ! is_supported_iface_dev "$idev"; then
-							$ip_full -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
+							$ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
 						fi
 					done << EOF
-					$($ip_full -4 route list table main)
+					$($ip_bin -4 route list table main)
 EOF
-					$ip_full -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
+					$ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
 					if is_nft; then
 						nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 
 						nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
@ -1732,25 +1769,23 @@ EOF
 				fi
 				if [ -n "$ipv6_enabled" ]; then
 					ipv6_error=0
 					$ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
 					$ip_full -6 route flush table "$tid" >/dev/null 2>&1
 					if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
 						if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
-							$ip_full -6 route add unreachable default table "$tid" || ipv6_error=1
+							$ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
-						elif $ip_full -6 route list table main | grep -q " dev $dev6 "; then
+						elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
 							while read -r i; do
 								i="$(echo "$i" | sed 's/ linkdown$//')"
 								i="$(echo "$i" | sed 's/ onlink$//')"
-								$ip_full -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+								$ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1
 							done << EOF
-							$($ip_full -6 route list table main | grep " dev $dev6 ")
+							$($ip_bin -6 route list table main | grep " dev $dev6 ")
 EOF
 						else
-							$ip_full -6 route add "$($ip_full -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+							$ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
-							$ip_full -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+							$ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
 						fi
 					fi
-					$ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
+					$ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
 				fi
 			fi
 			if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
@ -1790,9 +1825,9 @@ EOF
 			return "$s"
 		;;
 		delete|destroy)
-			$ip_full rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+			$ip_bin rule del table "$tid" >/dev/null 2>&1
 			if ! is_netifd_table "$iface"; then
-				$ip_full route flush table "$tid" >/dev/null 2>&1
+				$ip_bin route flush table "$tid" >/dev/null 2>&1
 				sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables'
 				sync
 			fi
@ -1801,35 +1836,35 @@ EOF
 		reload_interface)
 			is_netifd_table "$iface" && return 0;
 			ipv4_error=0
-			$ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+			$ip_bin rule del table "$tid" >/dev/null 2>&1
-			$ip_full -4 route flush table "$tid" >/dev/null 2>&1
+			if ! is_netifd_table "$iface"; then
 				$ip_bin route flush table "$tid" >/dev/null 2>&1
 			fi
 			if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
 				if [ -z "$gw4" ]; then
-					$ip_full -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
+					$ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
 				else
-					$ip_full -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
+					$ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
 				fi
-				$ip_full rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
+				$ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
 			fi
 			if [ -n "$ipv6_enabled" ]; then
 				ipv6_error=0
 				$ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
 				$ip_full -6 route flush table "$tid" >/dev/null 2>&1
 				if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
 					if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
-						$ip_full -6 route add unreachable default table "$tid" || ipv6_error=1
+						$ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
-					elif $ip_full -6 route list table main | grep -q " dev $dev6 "; then
+					elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
 						while read -r i; do
-							$ip_full -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+							$ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1
 						done << EOF
-						$($ip_full -6 route list table main | grep " dev $dev6 ")
+						$($ip_bin -6 route list table main | grep " dev $dev6 ")
 EOF
 					else
-						$ip_full -6 route add "$($ip_full -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+						$ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
-						$ip_full -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+						$ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
 					fi
 				fi
-				$ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
+				$ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
 			fi
 			if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
 				s=0
@ -1876,9 +1911,15 @@ interface_process() {
 	is_wan6 "$iface" && return 0
 	[ $((ifaceMark)) -gt $((fw_mask)) ] && return 1
 	if is_ovpn "$iface" && ! is_valid_ovpn "$iface"; then
 		: || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface"
 	fi
 	network_get_device dev "$iface"
 	[ -z "$dev" ] && network_get_physdev dev "$iface"
 	if is_wan "$iface" && [ -n "$wanIface6" ] && str_contains "$wanIface6" "$iface"; then
 		network_get_device dev6 "$wanIface6"
 		[ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6"
 	fi
 	[ -z "$dev6" ] && dev6="$dev"
@ -1952,7 +1993,7 @@ user_file_process() {
 		return 1
 	fi
 	if ! $shellBin -n "$path"; then
-		state add 'errorSummary' 'ererrorUserFileSyntax' "$path"
+		state add 'errorSummary' 'errorUserFileSyntax' "$path"
 		output_fail
 		return 1
 	fi
@ -1977,17 +2018,24 @@ boot() {
 }
 on_firewall_reload() { 
-	if [ -z "$(ubus_get_status 'gateways')" ]; then # service is not running, do not start it on firewall reload
+	if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on firewall reload
-		logger -t "$packageName" "Reload on firewall action aborted: service not running."
+		logger -t "$packageName" "Reload on firewall action aborted: service is stopped."
-		return 0;
+		return 0
 	else
 		rc_procd start_service 'on_firewall_reload' "$1"
 	fi
 }
-on_interface_reload() { rc_procd start_service 'on_interface_reload' "$1"; }
+on_interface_reload() { 
 	if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on interface change
 		logger -t "$packageName" "Reload on interface change aborted: service is stopped."
 		return 0
 	else
 		rc_procd start_service 'on_interface_reload' "$1"
 	fi
 }
 start_service() {
-	local resolverStoredHash resolverNewHash i reloadedIface param="$1"
+	local resolverStoredHash resolverNewHash i param="$1" reloadedIface
 	load_environment 'on_start' "$(load_validate_config)" || return 1
 	is_wan_up || return 1
@ -2001,8 +2049,14 @@ start_service() {
 			serviceStartTrigger='on_start'
 		;;
 		on_interface_reload)
 			serviceStartTrigger='on_interface_reload'
 			reloadedIface="$2"
 			if is_ovpn "$reloadedIface"; then
 				logger -t "$packageName" "Updated interface is an OpenVPN tunnel, restarting."
 				serviceStartTrigger='on_start'
 				unset reloadedIface
 			else
 				serviceStartTrigger='on_interface_reload'
 			fi
 		;;
 		on_reload)
 			serviceStartTrigger='on_reload'
@ -2238,8 +2292,8 @@ status_service_nft() {
 	fi
 	if [ -n "$wanIface6" ]; then
 		network_get_device dev6 "$wanIface6"
-		wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
+		wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
-		[ "$wanGW6" = "default" ] && wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
+		[ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
 	fi
 	while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done
 	[ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
@ -2255,17 +2309,17 @@ status_service_nft() {
 	echo "$_SEPARATOR_"
 	echo "$packageName chains - policies"
 	for i in forward input output prerouting postrouting; do
-		"$nft" list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p"
+		"$nft" -a list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p"
 	done
 	echo "$_SEPARATOR_"
 	echo "$packageName chains - marking"
 	for i in $(get_mark_nft_chains); do
-		"$nft" list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p"
+		"$nft" -a list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p"
 	done
 	echo "$_SEPARATOR_"
 	echo "$packageName nft sets"
 	for i in $(get_nft_sets); do
-		"$nft" list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p"
+		"$nft" -a list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p"
 	done
 	if [ -s "$dnsmasqFile" ]; then
 		echo "$_SEPARATOR_"
@ -2278,9 +2332,9 @@ status_service_nft() {
 	tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
 	wan_tid=$(($(get_rt_tables_next_id)-tableCount))
 	i=0; while [ $i -lt "$tableCount" ]; do 
-		echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)"
+		echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
 		echo "IPv4 table $((wan_tid + i)) rule(s):"
-		$ip_full -4 rule list table "$((wan_tid + i))"
+		$ip_bin -4 rule list table "$((wan_tid + i))"
 		i=$((i + 1))
 	done
 }
@ -2295,8 +2349,8 @@ status_service_iptables() {
 	fi
 	if [ -n "$wanIface6" ]; then
 		network_get_device dev6 "$wanIface6"
-		wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
+		wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
-		[ "$wanGW6" = "default" ] && wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
+		[ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
 	fi
 	while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done
 	[ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
@ -2322,15 +2376,15 @@ status_service_iptables() {
 		if [ -n "$set_d" ]; then ip rule list; fi
 		wan_tid=$(($(get_rt_tables_next_id)-tableCount))
 		i=0; while [ $i -lt "$tableCount" ]; do 
-			echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)"
+			echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
 			echo "IPv4 table $((wan_tid + i)) rule(s):"
-			$ip_full -4 rule list table "$((wan_tid + i))"
+			$ip_bin -4 rule list table "$((wan_tid + i))"
 			i=$((i + 1))
 		done
 		if [ -n "$ipv6_enabled" ]; then
 			i=0; while [ $i -lt "$tableCount" ]; do
-				$ip_full -6 route show table $((wan_tid + i)) | while read -r param; do
+				$ip_bin -6 route show table $((wan_tid + i)) | while read -r param; do
 					echo "IPv6 Table $((wan_tid + i)): $param"
 				done
 				i=$((i + 1))
@ -2422,9 +2476,9 @@ load_validate_config() {
 		'verbosity:range(0,2):1' \
 		"wan_mark:regex('0x[A-Fa-f0-9]{8}'):0x010000" \
 		"fw_mask:regex('0x[A-Fa-f0-9]{8}'):0xff0000" \
-		'icmp_interface:or("","ignore", uci("network", "@interface"))' \
+		'icmp_interface:or("", "tor", uci("network", "@interface"))' \
-		'ignored_interface:list(uci("network", "@interface"))' \
+		'ignored_interface:list(or("tor", uci("network", "@interface")))' \
-		'supported_interface:list(uci("network", "@interface"))' \
+		'supported_interface:list(or("tor", uci("network", "@interface")))' \
 		'boot_timeout:integer:30' \
 		'wan_ip_rules_priority:uinteger:30000' \
 		'rule_create_option:or("", "add", "insert"):add' \
@ -2448,7 +2502,7 @@ load_validate_policy() {
 	uci_load_validate "$packageName" 'policy' "$1" "${2}${3:+ $3}" \
 		'name:string:Untitled' \
 		'enabled:bool:1' \
-		'interface:or(uci("network", "@interface"),"ignore"):wan' \
+		'interface:or("ignore", "tor", uci("network", "@interface")):wan' \
 		'proto:or(string)' \
 		'chain:or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING"):prerouting' \
 		'src_addr:list(neg(or(host,network,macaddr,string)))' \
--- a/net/pbr/files/etc/uci-defaults/90-pbr
+++ b/net/pbr/files/etc/uci-defaults/90-pbr
@ -22,6 +22,7 @@ sed -i "s/'POSTROUTING'/'postrouting'/g" /etc/config/pbr
 sed -i "s/option fw_mask '0x\(.*\)'/option fw_mask '\1'/g" /etc/config/pbr
 sed -i "s/option wan_mark '0x\(.*\)'/option wan_mark '\1'/g" /etc/config/pbr
 if [ -s '/usr/share/pbr/pbr.firewall.include' ]; then
 uci -q batch <<-EOT
 	delete firewall.pbr
 	set firewall.pbr='include'
@ -30,5 +31,6 @@ uci -q batch <<-EOT
 	set firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
 	commit firewall
 EOT
 fi
 exit 0
--- a/net/pbr/files/etc/uci-defaults/91-pbr
+++ b/net/pbr/files/etc/uci-defaults/91-pbr
@ -4,6 +4,7 @@
 readonly packageName='pbr'
 readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
 # shellcheck disable=SC2317
 pbr_iface_setup() {
 	local iface="${1}"
 	local proto
--- a/net/pbr/files/usr/share/pbr/pbr.firewall.include
+++ b/net/pbr/files/usr/share/pbr/pbr.firewall.include
@ -1,5 +1,5 @@
 #!/bin/sh
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
-	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
+	logger -t "pbr" "Reloading pbr due to firewall action: $ACTION"
 	/etc/init.d/pbr on_firewall_reload "$ACTION"
 fi
--- a/net/samba4/Config.in
+++ b/net/samba4/Config.in
@ -31,12 +31,22 @@ config SAMBA4_SERVER_AVAHI
 		Announce Samba resources via DNS/DNS-SD using the Avahi daemon, for Linux/Mac clients.
 	default y
 config SAMBA4_SERVER_QUOTAS
 	bool "Quotas support"
 	depends on PACKAGE_samba4-server
 	select SAMBA4_SERVER_VFS
 	help
 		Enable VFS Quotas
 		installs:
 			modules: vfs_default_quota
 	default n
 config SAMBA4_SERVER_VFS
 	bool "Common VFS modules"
 	depends on PACKAGE_samba4-server
 	help
 		installs:
-			modules: (vfs_btrfs) vfs_fruit vfs_shadow_copy2 vfs_recycle vfs_fake_perms vfs_readonly vfs_cap vfs_offline vfs_crossrename vfs_catia vfs_streams_xattr vfs_default_quota
+			modules: (vfs_btrfs) vfs_fruit vfs_shadow_copy2 vfs_recycle vfs_fake_perms vfs_readonly vfs_cap vfs_offline vfs_crossrename vfs_catia vfs_streams_xattr
 		Commonly used VFS modules, vfs_btrfs requires kmod-fs-btrfs to be selected separately
 	default y
--- a/net/samba4/Makefile
+++ b/net/samba4/Makefile
@ -28,6 +28,7 @@ PKG_BUILD_DEPENDS:=samba4/host libtasn1/host perl/host
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_SAMBA4_SERVER_NETBIOS \
 	CONFIG_SAMBA4_SERVER_AVAHI \
 	CONFIG_SAMBA4_SERVER_QUOTAS \
 	CONFIG_SAMBA4_SERVER_VFS \
 	CONFIG_SAMBA4_SERVER_VFSX \
 	CONFIG_SAMBA4_SERVER_AD_DC \
@ -122,7 +123,7 @@ define Package/samba4-utils
 endef
 define Package/samba4-utils/description
-  installs: smbstatus smbtree mvxattr smbtar smbcquotas
+  installs: smbstatus smbtree mvxattr smbtar (smbcquotas)
  Utilities collection
 endef
@ -231,7 +232,7 @@ CONFIGURE_ARGS += \
 		--with-privatedir=/etc/samba
 # features
-ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y)
+ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y)
 	CONFIGURE_ARGS += --with-quotas
 else
 	CONFIGURE_ARGS += --without-quotas
@ -258,7 +259,10 @@ ifdef CONFIG_KERNEL_IO_URING
 	SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_io_uring,
 endif
 ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y)
-	SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_fruit,vfs_shadow_copy2,vfs_recycle,vfs_fake_perms,vfs_readonly,vfs_cap,vfs_offline,vfs_crossrename,vfs_catia,vfs_streams_xattr,vfs_xattr_tdb,vfs_default_quota,vfs_widelinks,
+	SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_fruit,vfs_shadow_copy2,vfs_recycle,vfs_fake_perms,vfs_readonly,vfs_cap,vfs_offline,vfs_crossrename,vfs_catia,vfs_streams_xattr,vfs_xattr_tdb,vfs_widelinks,
 ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y)
 	SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_default_quota,
 endif
 ifdef CONFIG_PACKAGE_kmod-fs-btrfs
 	SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_btrfs,
 endif
@ -407,7 +411,7 @@ endef
 define Package/samba4-utils/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{smbstatus,smbtree,mvxattr,smbtar} $(1)/usr/bin/
-ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y)
+ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y)
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/smbcquotas $(1)/usr/bin/
 endif
 endef
--- a/net/simple-adblock/Makefile
+++ b/net/simple-adblock/Makefile
@ -5,8 +5,8 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=simple-adblock
-PKG_VERSION:=1.9.4
+PKG_VERSION:=1.9.5
-PKG_RELEASE:=4
+PKG_RELEASE:=1
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 PKG_LICENSE:=GPL-3.0-or-later
--- a/net/simple-adblock/files/simple-adblock.conf
+++ b/net/simple-adblock/files/simple-adblock.conf
@ -5,9 +5,11 @@ config simple-adblock 'config'
 	option canary_domains_icloud '0'
 	option canary_domains_mozilla '0'
 	option compressed_cache '0'
 	option compressed_cache_dir '/etc'
 	option config_update_enabled '0'
 	option config_update_url 'https://cdn.jsdelivr.net/gh/openwrt/packages/net/simple-adblock/files/simple-adblock.conf.update'
-#	option curl_max_file_size '1000000'
+	option curl_additional_param ''
 	option curl_max_file_size '30000000'
 	option curl_retry '3'
 	option download_timeout '10'
 	option debug '0'
--- a/net/simple-adblock/files/simple-adblock.init
+++ b/net/simple-adblock/files/simple-adblock.init
@ -31,35 +31,34 @@ readonly serviceName="$packageName $PKG_VERSION"
 readonly packageConfigFile="/etc/config/${packageName}"
 readonly dnsmasqAddnhostsFile="/var/run/${packageName}/dnsmasq.addnhosts"
 readonly dnsmasqAddnhostsCache="/var/run/${packageName}/dnsmasq.addnhosts.cache"
-readonly dnsmasqAddnhostsGzip="/etc/${packageName}.dnsmasq.addnhosts.gz"
+readonly dnsmasqAddnhostsGzip="${packageName}.dnsmasq.addnhosts.gz"
 readonly dnsmasqAddnhostsFilter='s|^|127.0.0.1 |;s|$||'
 readonly dnsmasqAddnhostsFilterIPv6='s|^|:: |;s|$||'
 readonly dnsmasqConfFile="/tmp/dnsmasq.d/${packageName}"
 readonly dnsmasqConfCache="/var/run/${packageName}/dnsmasq.conf.cache"
-readonly dnsmasqConfGzip="/etc/${packageName}.dnsmasq.conf.gz"
+readonly dnsmasqConfGzip="${packageName}.dnsmasq.conf.gz"
 readonly dnsmasqConfFilter='s|^|local=/|;s|$|/|'
 readonly dnsmasqIpsetFile="/tmp/dnsmasq.d/${packageName}.ipset"
 readonly dnsmasqIpsetCache="/var/run/${packageName}/dnsmasq.ipset.cache"
-readonly dnsmasqIpsetGzip="/etc/${packageName}.dnsmasq.ipset.gz"
+readonly dnsmasqIpsetGzip="${packageName}.dnsmasq.ipset.gz"
 readonly dnsmasqIpsetFilter='s|^|ipset=/|;s|$|/adb|'
 readonly dnsmasqNftsetFile="/tmp/dnsmasq.d/${packageName}.nftset"
 readonly dnsmasqNftsetCache="/var/run/${packageName}/dnsmasq.nftset.cache"
-readonly dnsmasqNftsetGzip="/etc/${packageName}.dnsmasq.nftset.gz"
+readonly dnsmasqNftsetGzip="${packageName}.dnsmasq.nftset.gz"
 readonly dnsmasqNftsetFilter='s|^|nftset=/|;s|$|/4#inet#fw4#adb4|'
 readonly dnsmasqNftsetFilterIPv6='s|^|nftset=/|;s|$|/4#inet#fw4#adb4,6#inet#fw4#adb6|'
 readonly dnsmasqServersFile="/var/run/${packageName}/dnsmasq.servers"
 readonly dnsmasqServersCache="/var/run/${packageName}/dnsmasq.servers.cache"
-readonly dnsmasqServersGzip="/etc/${packageName}.dnsmasq.servers.gz"
+readonly dnsmasqServersGzip="${packageName}.dnsmasq.servers.gz"
 readonly dnsmasqServersFilter='s|^|server=/|;s|$|/|'
 readonly unboundFile="/var/lib/unbound/adb_list.${packageName}"
 readonly unboundCache="/var/run/${packageName}/unbound.cache"
-readonly unboundGzip="/etc/${packageName}.unbound.gz"
+readonly unboundGzip="${packageName}.unbound.gz"
 readonly unboundFilter='s|^|local-zone: "|;s|$|" static|'
 readonly A_TMP="/var/${packageName}.hosts.a.tmp"
 readonly B_TMP="/var/${packageName}.hosts.b.tmp"
 readonly jsonFile="/var/run/${packageName}/${packageName}.json"
 readonly sharedMemoryError="/dev/shm/$packageName-error"
 readonly sharedMemoryOutput="/dev/shm/$packageName-output"
 readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
 readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
 readonly adBlockPlusFilter='/^#/d;/^!/d;s/[[:space:]]*#.*$//;s/^||//;s/\^$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
@ -163,6 +162,7 @@ get_text() {
 		warningExternalDnsmasqConfig)
 			r="use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'";;
 		warningMissingRecommendedPackages) r="Some recommended packages are missing";;
 		warningInvalidCompressedCacheDir) r="invalid compressed cache directory '%s'";;
 	esac
 	echo "$r"
 }
@ -183,11 +183,13 @@ dnsmasq_kill() { killall -q -s KILL dnsmasq; }
 dnsmasq_restart() { /etc/init.d/dnsmasq restart >/dev/null 2>&1; }
 unbound_restart() { /etc/init.d/unbound restart >/dev/null 2>&1; }
 is_present() { command -v "$1" >/dev/null 2>&1; }
 sanitize_dir() { [ -d "$(readlink -fn "$1")" ] && readlink -fn "$1"; }
 output() {
 # Can take a single parameter (text) to be output at any verbosity
 # Or target verbosity level and text to be output at specifc verbosity
 	local msg memmsg logmsg
 	local sharedMemoryOutput="/dev/shm/$packageName-output"
 	verbosity="${verbosity:-2}"
 	if [ $# -ne 1 ]; then
 		if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
@ -330,41 +332,50 @@ load_environment() {
 		;;
 	esac
 	if [ "$(sanitize_dir "$compressed_cache_dir")" = '/' ]; then
 		compressed_cache_dir=''
 	elif [ -n "$(sanitize_dir "$compressed_cache_dir")" ]; then
 		compressed_cache_dir="$(sanitize_dir "$compressed_cache_dir")"
 	else
 		json add warning 'warningInvalidCompressedCacheDir' "$compressed_cache_dir"
 		compressed_cache_dir="/etc"
 	fi
 	case "$dns" in
 		dnsmasq.addnhosts)
 			outputFilter="$dnsmasqAddnhostsFilter"
 			outputFile="$dnsmasqAddnhostsFile"
 			outputCache="$dnsmasqAddnhostsCache"
-			outputGzip="$dnsmasqAddnhostsGzip"
+			outputGzip="${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
 			if [ "$ipv6_enabled" -ne 0 ]; then
 				outputFilterIPv6="$dnsmasqAddnhostsFilterIPv6"
 			fi
-			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip"
+			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}"
-			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}"
-			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}"
-			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip"
+			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}"
 			rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
 		;;
 		dnsmasq.conf)
 			outputFilter="$dnsmasqConfFilter"
 			outputFile="$dnsmasqConfFile"
 			outputCache="$dnsmasqConfCache"
-			outputGzip="$dnsmasqConfGzip"
+			outputGzip="${compressed_cache_dir}/${dnsmasqConfGzip}"
-			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
-			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}"
-			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}"
-			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip"
+			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}"
 			rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
 		;;
 		dnsmasq.ipset)
 			outputFilter="$dnsmasqIpsetFilter"
 			outputFile="$dnsmasqIpsetFile"
 			outputCache="$dnsmasqIpsetCache"
-			outputGzip="$dnsmasqIpsetGzip"
+			outputGzip="${compressed_cache_dir}/${dnsmasqIpsetGzip}"
-			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
-			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip"
+			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}"
-			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}"
-			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip"
+			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}"
 			rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
 		;;
 		dnsmasq.nftset)
@ -375,22 +386,22 @@ load_environment() {
 			fi
 			outputFile="$dnsmasqNftsetFile"
 			outputCache="$dnsmasqNftsetCache"
-			outputGzip="$dnsmasqNftsetGzip"
+			outputGzip="${compressed_cache_dir}/${dnsmasqNftsetGzip}"
-			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
-			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip"
+			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}"
-			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}"
-			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip"
+			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}"
 			rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
 		;;
 		dnsmasq.servers)
 			outputFilter="$dnsmasqServersFilter"
 			outputFile="$dnsmasqServersFile"
 			outputCache="$dnsmasqServersCache"
-			outputGzip="$dnsmasqServersGzip"
+			outputGzip="${compressed_cache_dir}/${dnsmasqServersGzip}"
-			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
-			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip"
+			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}"
-			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}"
-			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}"
 			rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
 		;;
 		unbound.adb_list)
@ -398,11 +409,11 @@ load_environment() {
 			outputFile="$unboundFile"
 			outputCache="$unboundCache"
 			outputGzip="$unboundGzip"
-			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+			rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
-			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip"
+			rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}"
-			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+			rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}"
-			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+			rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}"
-			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip"
+			rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}"
 		;;
 	esac
@ -432,6 +443,7 @@ load_environment() {
 	# Prefer curl because it supports the file:// scheme.
 	if is_present 'curl'; then
 		dl_command="curl --silent --insecure"
 		dl_command="${dl_command}${curl_additional_param:+ $curl_additional_param}"
 		dl_command="${dl_command}${curl_max_file_size:+ --max-filesize $curl_max_file_size}"
 		dl_command="${dl_command}${curl_retry:+ --retry $curl_retry}"
 		dl_command="${dl_command}${download_timeout:+ --connect-timeout $download_timeout}"
@ -613,8 +625,8 @@ json() {
 				triggers)
 					curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \
 						$blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
-						$dnsmasq_config_file_url $curl_max_file_size $curl_retry"
+						$dnsmasq_config_file_url $curl_additional_param $curl_max_file_size $curl_retry"
-					curRestart="$compressed_cache $force_dns $led $force_dns_port"
+					curRestart="$compressed_cache $compressed_cache_dir $force_dns $led $force_dns_port"
 					if [ ! -s "$jsonFile" ]; then
 						ret='on_boot'
 					elif [ "$curReload" != "$reload" ]; then
@ -647,8 +659,8 @@ json() {
 				triggers) 
 					reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \
 						$blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
-						$dnsmasq_config_file_url $curl_max_file_size $curl_retry"
+						$dnsmasq_config_file_url $curl_additional_param $curl_max_file_size $curl_retry"
-					restart="$compressed_cache $force_dns $led $force_dns_port"
+					restart="$compressed_cache $compressed_cache_dir $force_dns $led $force_dns_port"
 				;;
 				*)
 					eval "$param"='${value}${extras:+|$extras}';;
@ -1516,11 +1528,21 @@ boot() {
 check() { load_validate_config 'config' adb_check "'$*'"; }
 dl() { rc_procd start_service 'download'; }
 killcache() {
-	rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+	local compressed_cache_dir
-	rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip"
+	config_load "$packageName"
-	rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+	config_get compressed_cache_dir 'config' 'compressed_cache_dir' '/etc'
-	rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+	if [ "$(sanitize_dir "$compressed_cache_dir")" = '/' ]; then
-	rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip"
+		compressed_cache_dir=''
 	elif [ -n "$(sanitize_dir "$compressed_cache_dir")" ]; then
 		compressed_cache_dir="$(sanitize_dir "$compressed_cache_dir")"
 	else
 		compressed_cache_dir="/etc"
 	fi
 	rm -f "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}"
 	rm -f "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}"
 	rm -f "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}"
 	rm -f "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}"
 	rm -f "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}"
 	rm -f "$unboundCache" "$unboundGzip"
 	config_load 'dhcp'
 	config_foreach resolver 'dnsmasq' 'cleanup'
@ -1567,6 +1589,7 @@ load_validate_config() {
 	local parallel_downloads
 	local debug
 	local compressed_cache
 	local compressed_cache_dir
 	local ipv6_enabled
 	local allow_non_ascii
 	local canary_domains_icloud
@ -1574,6 +1597,7 @@ load_validate_config() {
 	local config_update_enabled
 	local config_update_url
 	local download_timeout
 	local curl_additional_param
 	local curl_max_file_size
 	local curl_retry
 	local verbosity
@ -1596,6 +1620,7 @@ load_validate_config() {
 		'parallel_downloads:bool:1' \
 		'debug:bool:0' \
 		'compressed_cache:bool:0' \
 		'compressed_cache_dir:directory:/etc' \
 		'ipv6_enabled:bool:0' \
 		'allow_non_ascii:bool:0' \
 		'canary_domains_icloud:bool:0' \
@ -1603,7 +1628,8 @@ load_validate_config() {
 		'config_update_enabled:bool:0' \
 		'config_update_url:string:https://cdn.jsdelivr.net/gh/openwrt/packages/net/simple-adblock/files/simple-adblock.conf.update' \
 		'download_timeout:range(1,60):20' \
-		'curl_max_file_size:uinteger' \
+		'curl_additional_param:or("", string)' \
 		'curl_max_file_size:or("", uinteger)' \
 		'curl_retry:range(0,30):3' \
 		'verbosity:range(0,2):2' \
 		'procd_trigger_wan6:bool:0' \
--- a/net/sing-box/Makefile
+++ b/net/sing-box/Makefile
@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=sing-box
-PKG_VERSION:=1.2.1
+PKG_VERSION:=1.2.6
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=0f304b75c2e9f61e3f7808f23fe8fbe08161553475d9bec0dea4a5acf4452d2d
+PKG_HASH:=8f7adf55ed9afe6ec0dd8b04ed64dd3a6243578ee779f909dfb3778fa2dbda10
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_LICENSE_FILES:=LICENSE
--- a/net/smartdns/Makefile
+++ b/net/smartdns/Makefile
@ -1,18 +1,18 @@
 #
-# Copyright (c) 2018-2022 Nick Peng (pymumu@gmail.com)
+# Copyright (c) 2018-2023 Nick Peng (pymumu@gmail.com)
 # This is free software, licensed under the GNU General Public License v3.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=smartdns
-PKG_VERSION:=1.2022.38.1
+PKG_VERSION:=1.2023.42
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://www.github.com/pymumu/smartdns.git
-PKG_SOURCE_VERSION:=9bc857f628299573c7eca0833229d9812b1c1de4
+PKG_SOURCE_VERSION:=ed102cda03c56e9c63040d33d4a391b56491493e
-PKG_MIRROR_HASH:=a202b765e6ce8355335c80214819add3ed72a82426b033d7d5adf1448b415063
+PKG_MIRROR_HASH:=366e98b92c3d22844ff5fc52c35f65c3b01e1b92fc9dc14c474823f0cc3ed11a
 PKG_MAINTAINER:=Nick Peng <pymumu@gmail.com>
 PKG_LICENSE:=GPL-3.0-or-later
@ -36,7 +36,7 @@ endef
 define Package/smartdns/description
 SmartDNS is a local DNS server which accepts DNS query requests from local network clients,
 gets DNS query results from multiple upstream DNS servers concurrently, and returns the fastest IP to clients.
-Unlike dnsmasq's all-servers, smartdns returns the fastest IP. 
+Unlike dnsmasq's all-servers, smartdns returns the fastest IP, and encrypt DNS queries with DoT or DoH. 
 endef
 define Package/smartdns/conffiles
@ -44,10 +44,13 @@ define Package/smartdns/conffiles
 /etc/smartdns/address.conf
 /etc/smartdns/blacklist-ip.conf
 /etc/smartdns/custom.conf
 /etc/smartdns/domain-block.list
 /etc/smartdns/domain-forwarding.list
 endef
 define Package/smartdns/install
-	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d $(1)/etc/smartdns
+	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d 
 	$(INSTALL_DIR) $(1)/etc/smartdns $(1)/etc/smartdns/domain-set $(1)/etc/smartdns/conf.d/
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/smartdns $(1)/usr/sbin/smartdns
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/package/openwrt/files/etc/init.d/smartdns $(1)/etc/init.d/smartdns
 	$(INSTALL_CONF) $(PKG_BUILD_DIR)/package/openwrt/address.conf $(1)/etc/smartdns/address.conf
--- a/net/snort3/Makefile
+++ b/net/snort3/Makefile
@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=snort3
-PKG_VERSION:=3.1.60.0
+PKG_VERSION:=3.1.61.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
-PKG_HASH:=295bbeea93ead7835379d9c9332b1f82f9ecdd3741aeed267caf85bb887126a1
+PKG_HASH:=207963ece2eddd3c85ad90c9e2dabe33dc67eaa485ba9576e2b244f7ac45fc5d
 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
 PKG_LICENSE:=GPL-2.0-only
--- a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch
+++ b/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch
@ -1,16 +0,0 @@
 --- a/cmake/FindFlexLexer.cmake
 +++ b/cmake/FindFlexLexer.cmake
@@ -16,11 +16,11 @@ macro(FLEX NAME LEXER_IN LEXER_OUT)
         COMPILE_FLAGS ${FLEX_FLAGS}
     )
 -    # we use '+' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT
 +    # we use '|' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT
     add_custom_command(
         OUTPUT ${LEXER_OUT}
         COMMAND sed -e
 -            "s+void yyFlexLexer::LexerError+yynoreturn void yyFlexLexer::LexerError+;s+${LEXER_OUT}.tmp+${LEXER_OUT}+"
 +            "s|void yyFlexLexer::LexerError|yynoreturn void yyFlexLexer::LexerError|;s|${LEXER_OUT}.tmp|${LEXER_OUT}|"
             ${FLEX_${NAME}_OUTPUTS} > ${LEXER_OUT}
         DEPENDS ${FLEX_${NAME}_OUTPUTS}
         VERBATIM
--- a/net/tailscale/Makefile
+++ b/net/tailscale/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=tailscale
-PKG_VERSION:=1.36.0
+PKG_VERSION:=1.40.0
 PKG_RELEASE:=1
 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=25b293a7e65d7b962f0c56454d66fa56c89c3aa995467218f24efa335b924c76
+PKG_HASH:=6964176889943e0e0b25d8d69e14226cfb1c1a9944a257b24cb2dd212f797141
 PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
@ -27,8 +27,8 @@ PKG_BUILD_FLAGS:=no-mips16
 GO_PKG:=\
 	tailscale.com/cmd/tailscale \
 	tailscale.com/cmd/tailscaled
-GO_PKG_LDFLAGS:=-X 'tailscale.com/version.Long=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)'
+GO_PKG_LDFLAGS:=-X 'tailscale.com/version.longStamp=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)'
-GO_PKG_LDFLAGS_X:=tailscale.com/version.Short=$(PKG_VERSION)
+GO_PKG_LDFLAGS_X:=tailscale.com/version.shortStamp=$(PKG_VERSION)
 include $(INCLUDE_DIR)/package.mk
 include ../../lang/golang/golang-package.mk
--- a/net/tailscale/patches/010-fake_iptables.patch
+++ b/net/tailscale/patches/010-fake_iptables.patch
@ -2,7 +2,7 @@
 +++ b/go.mod
@@ -2,6 +2,8 @@ module tailscale.com
- go 1.19
+ go 1.20
 +replace github.com/coreos/go-iptables => ./patched/go-iptables
 +
--- a/net/tailscale/patches/020-tailscaled_fake_iptables.patch
+++ b/net/tailscale/patches/020-tailscaled_fake_iptables.patch
@ -18,7 +18,7 @@
 		}
 	}
-@@ -1635,11 +1635,6 @@ func checkIPv6(logf logger.Logf) error {
+@@ -1676,11 +1676,6 @@ func checkIPv6(logf logger.Logf) error {
 		return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err)
 	}
--- a/net/tailscale/patches/030-default_to_netfilter_off.patch
+++ b/net/tailscale/patches/030-default_to_netfilter_off.patch
@ -1,6 +1,6 @@
 --- a/cmd/tailscale/cli/up.go
 +++ b/cmd/tailscale/cli/up.go
-@@ -143,7 +143,7 @@ func defaultNetfilterMode() string {
+@@ -147,7 +147,7 @@ func defaultNetfilterMode() string {
 	if distro.Get() == distro.Synology {
 		return "off"
 	}
--- a/net/uwsgi/Makefile
+++ b/net/uwsgi/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=uwsgi
 PKG_VERSION:=2.0.20
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PYPI_NAME:=uwsgi
 PKG_HASH:=88ab9867d8973d8ae84719cf233b7dafc54326fcaec89683c3f9f77c002cdff9
--- a/net/uwsgi/files-luci-support/luci-cgi_io.ini
+++ b/net/uwsgi/files-luci-support/luci-cgi_io.ini
@ -8,7 +8,7 @@ end-if =
 plugin = cgi
 cgi-mode = true
 cgi = /www/
-chdir = /usr/lib/lua/luci/
+chdir = /usr/lib/ucode/luci/
 buffer-size = 10000
 reload-mercy = 8
 max-requests = 2000
--- a/net/uwsgi/files-luci-support/luci-webui.ini
+++ b/net/uwsgi/files-luci-support/luci-webui.ini
@ -8,7 +8,7 @@ end-if =
 plugin = cgi
 cgi-mode = true
 cgi = /www/
-chdir = /usr/lib/lua/luci/
+chdir = /usr/lib/ucode/luci/
 buffer-size = 10000
 reload-mercy = 8
 max-requests = 2000
--- a/utils/cache-domains/Makefile
+++ b/utils/cache-domains/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=cache-domains
 PKG_VERSION:=2.3.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MAINTAINER:=Gerard Ryan <G.M0N3Y.2503@gmail.com>
--- a/utils/cache-domains/pre-test.sh
+++ b/utils/cache-domains/pre-test.sh
@ -0,0 +1,24 @@
 #! /bin/sh
 set -o errexit
 case "${PKG_NAME}" in
    cache-domains-openssl)
        LIBUSTREAM_DEPS="libustream-openssl libopenssl3"
        LIBUSTREAM_DEPS="${LIBUSTREAM_DEPS} libatomic1" # arm_cortex-a15_neon-vfpv4 extra dep
        ;;
    cache-domains-mbedtls)
        LIBUSTREAM_DEPS="libustream-mbedtls libmbedtls"
        ;;
    cache-domains-wolfssl)
        LIBUSTREAM_DEPS="libustream-wolfssl libwolfssl"
        ;;
 esac
 # Replace the current libustream with the one PKG_NAME depends on.
 # opkg depends on libustream for https so we need to download the
 # replacement first and replace it offline.
 opkg download ${LIBUSTREAM_DEPS}
 opkg remove 'libustream-*'
 opkg install --offline-root / ./*.ipk
 rm ./*.ipk
--- a/utils/open-plc-utils/Makefile
+++ b/utils/open-plc-utils/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=open-plc-utils
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/qca/open-plc-utils.git
-PKG_SOURCE_VERSION:=358dfcf78bdaf7b0b13dcdf91cb1aae1789f2770
+PKG_SOURCE_VERSION:=1ba7d5a042e4e8ff6858b08e113eec5dc4e89cf2
-PKG_MIRROR_HASH:=3b24033f3d2d9ac33778fb772837bc5e0a8891ac708bbe1f35336ff792baf9f8
+PKG_MIRROR_HASH:=67a8c23a10b6b9e3437badad9f215d5350a766b1d0021c58d0ae092609be2b34
 PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
--- a/utils/restic/Makefile
+++ b/utils/restic/Makefile
@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=restic
-PKG_VERSION:=0.15.1
+PKG_VERSION:=0.15.2
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/restic/restic/tar.gz/v${PKG_VERSION}?
-PKG_HASH:=fce382fdcdac0158a35daa640766d5e8a6e7b342ae2b0b84f2aacdff13990c52
+PKG_HASH:=52aca841486eaf4fe6422b059aa05bbf20db94b957de1d3fca019ed2af8192b7
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/utils/rtl_433/Makefile
+++ b/utils/rtl_433/Makefile
@ -7,12 +7,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=rtl_433
-PKG_VERSION:=21.12
+PKG_VERSION:=22.11
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/merbanan/rtl_433/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=b362ef3410adec64aee7ad8e6d4d74875f1b3d59ef6fb4856e96adc03876dc65
+PKG_HASH:=61a9163d69cc4b1da46aebbcaf969bd180a055a6b90f42ad281218cc4fbefb86
 PKG_MAINTAINER:=Jasper Scholte <NightNL@outlook.com>
 PKG_LICENSE:=GPL-2.0-or-later
--- a/utils/sedutil/Makefile
+++ b/utils/sedutil/Makefile
@ -0,0 +1,41 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=sedutil
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=https://github.com/Drive-Trust-Alliance/sedutil
 PKG_SOURCE_DATE:=2022-12-27
 PKG_SOURCE_VERSION:=7a0cda7f60cce346f72466e61ce006e5ea48fbc0
 PKG_MIRROR_HASH:=e11333bfa0760a46cbebcba35360e0f076e6219eb38ce1545179b8741476668a
 PKG_LICENSE_FILES:=README.md
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>
 PKG_FIXUP:=autoreconf
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_FLAGS:=lto
 include $(INCLUDE_DIR)/package.mk
 define Package/sedutil
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=The Drive Trust Alliance Self Encrypting Drive Utility
  URL:=https://github.com/Drive-Trust-Alliance/sedutil
  DEPENDS:=+libstdcpp
 endef
 define Package/sedutil/description
 This program and it's accompanying Pre-Boot Authorization image allow you to
 enable the locking in SED's that comply with the TCG OPAL 2.00 standard on bios
 machines.
 endef
 define Package/sedutil/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(CP) $(PKG_BUILD_DIR)/{linuxpba,sedutil-cli} $(1)/usr/bin
 endef
 $(eval $(call BuildPackage,sedutil))
--- a/utils/zoneinfo/Makefile
+++ b/utils/zoneinfo/Makefile
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=zoneinfo
 PKG_VERSION:=2023c
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 #As i couldn't find real license used "Public Domain"
 #as referense to http://www.iana.org/time-zones/repository/tz-link.html
@ -32,7 +32,7 @@ endef
 $(eval $(call Download,tzcode))
 define Package/zoneinfo/Default
-  SUBMENU:=Zoneinfo
+  SUBMENU:=Time Zone info
  TITLE:=Zone Information
  SECTION:=utils
  CATEGORY:=Utilities
@ -47,56 +47,63 @@ endef
 define Package/zoneinfo-simple
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (simple)
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-africa
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (Africa)
  DEPENDS+= +zoneinfo-core
 endef
-define Package/zoneinfo-northamerica
+define Package/zoneinfo-america
 $(call Package/zoneinfo/Default)
-  TITLE:=Zone Information (NorthAmerica)
+  TITLE:=Zone Information (America North/South)
-endef
+  PROVIDES:=zoneinfo-northamerica zoneinfo-southamerica
-
+  DEPENDS+= +zoneinfo-core
 define Package/zoneinfo-southamerica
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (SouthAmerica)
 endef
 define Package/zoneinfo-poles
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (Arctic, Antarctic)
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-asia
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (Asia)
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-atlantic
 $(call Package/zoneinfo/Default)
-  TITLE:=Zone Information (Atlantic)
+  TITLE:=Zone Information (Atlantic Ocean)
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-australia-nz
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (Australia-NZ)
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-pacific
 $(call Package/zoneinfo/Default)
-  TITLE:=Zone Information (Pacific)
+  TITLE:=Zone Information (Pacific Ocean)
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-europe
 $(call Package/zoneinfo/Default)
  TITLE:=Zone Information (Europe)
  DEPENDS+= +zoneinfo-core
 endef
-define Package/zoneinfo-india
+define Package/zoneinfo-indian
 $(call Package/zoneinfo/Default)
-  TITLE:=Zone Information (India)
+  TITLE:=Zone Information (Indian Ocean)
  PROVIDES:=zoneinfo-india
  DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-all
@ -105,15 +112,14 @@ $(call Package/zoneinfo/Default)
  DEPENDS:= \
 	+zoneinfo-core \
 	+zoneinfo-africa \
-	+zoneinfo-northamerica \
+	+zoneinfo-america \
 	+zoneinfo-southamerica \
 	+zoneinfo-poles \
 	+zoneinfo-asia \
 	+zoneinfo-atlantic \
 	+zoneinfo-australia-nz \
 	+zoneinfo-pacific \
 	+zoneinfo-europe \
-	+zoneinfo-india
+	+zoneinfo-indian
 endef
 define Build/Prepare
@ -136,7 +142,7 @@ endef
 define Package/zoneinfo-core/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo
 	for i in \
-		CET CST6CDT EET EST EST5EDT GB-Eire Eire \
+		CET CST6CDT EET EST EST5EDT GB-Eire \
 		GB    GMT   GMT+0 GMT-0 GMT0  Greenwich  \
 		HST   MET   MST   MST7MDT                \
 		PRC   PST8PDT ROC ROK     UCT   UTC      \
@ -167,29 +173,19 @@ define Package/zoneinfo-simple/install
 endef
 define Package/zoneinfo-africa/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo/Africa
 	$(CP) $(PKG_INSTALL_DIR)/zoneinfo/Africa/* \
 	      $(1)/usr/share/zoneinfo/Africa
 endef
 define Package/zoneinfo-northamerica/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo
-	for i in US America Canada Mexico Cuba Jamaica Navajo ; do \
+	for i in Africa Egypt Libya ; do \
 	  $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 	      $(1)/usr/share/zoneinfo ; \
 	done
 	rm  -rf $(1)/usr/share/zoneinfo/America/Argentina
 endef
-define Package/zoneinfo-southamerica/install
+define Package/zoneinfo-america/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo
-	for i in Brazil Chile ; do \
+	for i in America Brazil Canada Chile Cuba Jamaica Mexico Navajo US ; do \
 	  $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 	      $(1)/usr/share/zoneinfo ; \
 	done
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo/America/Argentina
 	$(CP) $(PKG_INSTALL_DIR)/zoneinfo/America/Argentina/* \
 	      $(1)/usr/share/zoneinfo/America/Argentina
 endef
 define Package/zoneinfo-poles/install
@ -202,7 +198,7 @@ endef
 define Package/zoneinfo-asia/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo
-	for i in Asia Japan Singapore Hongkong ; do \
+	for i in Asia Hongkong Iran Israel Japan Singapore ; do \
 	  $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 	      $(1)/usr/share/zoneinfo ; \
 	done
@ -234,13 +230,13 @@ endef
 define Package/zoneinfo-europe/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo
-	for i in Europe Portugal Poland ; do \
+	for i in Europe Eire Portugal Poland Turkey ; do \
 	  $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 	      $(1)/usr/share/zoneinfo ; \
 	done
 endef
-define Package/zoneinfo-india/install
+define Package/zoneinfo-indian/install
 	$(INSTALL_DIR) $(1)/usr/share/zoneinfo
 	for i in Indian ; do \
 	  $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
@ -251,13 +247,12 @@ endef
 $(eval $(call BuildPackage,zoneinfo-simple))
 $(eval $(call BuildPackage,zoneinfo-core))
 $(eval $(call BuildPackage,zoneinfo-africa))
-$(eval $(call BuildPackage,zoneinfo-northamerica))
+$(eval $(call BuildPackage,zoneinfo-america))
 $(eval $(call BuildPackage,zoneinfo-southamerica))
 $(eval $(call BuildPackage,zoneinfo-poles))
 $(eval $(call BuildPackage,zoneinfo-asia))
 $(eval $(call BuildPackage,zoneinfo-atlantic))
 $(eval $(call BuildPackage,zoneinfo-australia-nz))
 $(eval $(call BuildPackage,zoneinfo-pacific))
 $(eval $(call BuildPackage,zoneinfo-europe))
-$(eval $(call BuildPackage,zoneinfo-india))
+$(eval $(call BuildPackage,zoneinfo-indian))
 $(eval $(call BuildPackage,zoneinfo-all))