Merge branch 'openwrt:master' into master

admin/sudo/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sudo
-PKG_VERSION:=1.9.12p1
+PKG_VERSION:=1.9.12p2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.sudo.ws/dist
-PKG_HASH:=475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8
+PKG_HASH:=b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
 
 PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
 

lang/python/python-chardet/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-chardet
-PKG_VERSION:=5.0.0
+PKG_VERSION:=5.1.0
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PKG_LICENSE:=LGPL-2.1
 
 PYPI_NAME:=chardet
-PKG_HASH:=0368df2bfd78b5fc20572bb4e9bb7fb53e2c094f60ae9993339e8671d0afb8aa
+PKG_HASH:=0d62712b956bc154f85fb0a266e2a3c5913c2967e00348701b32411d6def31e5
 
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
@@ -26,7 +26,7 @@ define Package/python3-chardet
   MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
   URL:=https://github.com/chardet/chardet
   TITLE:=Universal encoding detector
-  DEPENDS:=+python3-light
+  DEPENDS:=+python3-light +python3-logging
 endef
 
 define Package/python3-chardet/description

lang/python/python-evdev/Makefile

@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=python-evdev
-PKG_VERSION:=1.6.0
+PKG_VERSION:=1.6.1
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_MAINTAINER:=Paulo Costa <me@paulo.costa.nom.br>, Alexandru Ardelean <ardeleanalex@gmail.com>
 
 PYPI_NAME:=evdev
-PKG_HASH:=ecfa01b5c84f7e8c6ced3367ac95288f43cd84efbfd7dd7d0cdbfc0d18c87a6a
+PKG_HASH:=299db8628cc73b237fc1cc57d3c2948faa0756e2a58b6194b5bf81dc2081f1e3
 
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk

net/bind/Config.in

@@ -33,4 +33,12 @@ config BIND_ENABLE_DOH
 		You can disable DoHTTPS if you do not need it or need
 		to avoid the additional library dependency.
 
+config BIND_ENABLE_GSSAPI
+	bool
+	default n
+	prompt "Include GSSPAI support in bind"
+	help
+		BIND 9 supports GSSAPI. This depends on libcomerr and krb5-libs.
+		Disable it by default as krb5-libs is rather large.
+
 endif

net/bind/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bind
 PKG_VERSION:=9.18.11
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 USERID:=bind=57:bind=57
 
 PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
@@ -34,7 +34,8 @@ PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS := \
 	CONFIG_BIND_LIBJSON \
 	CONFIG_BIND_LIBXML2 \
-	CONFIG_BIND_ENABLE_DOH
+	CONFIG_BIND_ENABLE_DOH \
+	CONFIG_BIND_ENABLE_GSSAPI
 
 PKG_BUILD_DEPENDS += BIND_LIBXML2:libxml2 BIND_LIBJSON:libjson-c
 
@@ -61,6 +62,8 @@ define Package/bind-libs
 	+libatomic \
 	+libuv \
 	+BIND_ENABLE_DOH:libnghttp2 \
+	+BIND_ENABLE_GSSAPI:krb5-libs \
+	+BIND_ENABLE_GSSAPI:libcomerr \
 	+BIND_LIBXML2:libxml2 \
 	+BIND_LIBJSON:libjson-c
   TITLE:=bind shared libraries
@@ -147,7 +150,6 @@ CONFIGURE_ARGS += \
 	--with-openssl="$(STAGING_DIR)/usr" \
 	--without-lmdb \
 	--enable-epoll \
-	--without-gssapi \
 	--without-readline \
 	--sysconfdir=/etc/bind
 
@@ -176,6 +178,14 @@ else
 		--disable-doh
 endif
 
+ifdef CONFIG_BIND_ENABLE_GSSAPI
+	CONFIGURE_ARGS += \
+		--with-gssapi
+else
+	CONFIGURE_ARGS += \
+		--without-gssapi
+endif
+
 CONFIGURE_VARS += \
 	BUILD_CC="$(TARGET_CC)" \
 

net/bind/files/named.init

@@ -73,7 +73,7 @@ start_service() {
     touch $conf_local_file
 
     local args=
-    [ no_ipv6 ] && args="-4"
+    no_ipv6 && args="-4"
 
     procd_open_instance
     procd_set_param command /usr/sbin/named -u bind -f $args -c $config_file

net/crowdsec-firewall-bouncer/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=crowdsec-firewall-bouncer
-PKG_VERSION:=0.0.21
+PKG_VERSION:=0.0.25
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=c92e02085c4c8481009a46ba80374329d102a45933fd0fd2164901954331923e
+PKG_HASH:=15ffaa38644215a4cf5e5d5d3a6fc6f0800057bc55d4bd25778d8e952679506e
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
@@ -47,8 +47,7 @@ endef
 
 define Package/crowdsec-firewall-bouncer
 $(call Package/crowdsec-firewall-bouncer/Default)
-  DEPENDS:=@(PACKAGE_iptables||PACKAGE_nftables) \
+  DEPENDS:=$(GO_ARCH_DEPENDS)
-	$(GO_ARCH_DEPENDS)
 endef
 
 define Package/golang-crowdsec-firewall-bouncer-dev
@@ -65,7 +64,7 @@ define Package/crowdsec-firewall-bouncer/Default/description
   crowdsec-firewall-bouncer will fetch new and old decisions
   from a CrowdSec API to add them in a blocklist used by supported firewalls.
 
-  You must install iptables+ipset or nftables.
+  You must install nftables.
 endef
 
 define Package/crowdsec-firewall-bouncer/description
@@ -83,29 +82,15 @@ endef
 define Package/crowdsec-firewall-bouncer/install
 	$(call GoPackage/Package/Install/Bin,$(1))
 
-	$(INSTALL_DIR) $(1)/etc/crowdsec/bouncers
+	$(INSTALL_DIR) $(1)/etc/config
-	$(INSTALL_DATA) \
+	$(INSTALL_CONF) ./files/crowdsec.config $(1)/etc/config/crowdsec
-		$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/crowdsec-firewall-bouncer.yaml \
-		$(1)/etc/crowdsec/bouncers
 
 	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) \
+	$(INSTALL_BIN) ./files/crowdsec-firewall-bouncer.initd $(1)/etc/init.d/crowdsec-firewall-bouncer
-		./files/crowdsec-firewall-bouncer.initd \
-		$(1)/etc/init.d/crowdsec-firewall-bouncer
-
-	$(INSTALL_DIR) $(1)/etc
-	$(INSTALL_BIN) \
-		./files/crowdsec-firewall-bouncer.firewall \
-		$(1)/etc/firewall.cs
-
-	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(INSTALL_BIN) \
-		./files/crowdsec-firewall-bouncer.defaults \
-		$(1)/etc/uci-defaults/99_crowdsec-firewall-bouncer
 endef
 
 define Package/crowdsec-firewall-bouncer/conffiles
-/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
+/etc/config/crowdsec
 endef
 
 $(eval $(call GoBinPackage,crowdsec-firewall-bouncer))

net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-CONFIG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-## Gen&ConfigApiKey
-if grep -q "{API_KEY}" "$CONFIG"; then
-	SUFFIX=`tr -dc A-Za-z0-9 </dev/urandom | head -c 8`
-	API_KEY=`/usr/bin/cscli bouncers add crowdsec-firewall-bouncer-${SUFFIX} -o raw`
-	sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$API_KEY," $CONFIG
-else
-	echo API key already registered...
-fi
-
-# unfortunately, UCI doesn't provide a nice way to add an anonymous section only if it doesn't already exist
-if ! uci show firewall | grep -q firewall.cs; then
-  name="$(uci add firewall include)"
-  uci set "firewall.${name}.path=/etc/firewall.cs"
-  uci set "firewall.${name}.enabled=1"
-  uci set "firewall.${name}.reload=1"
-  echo -e "Adding the following UCI config:\n $(uci changes)"
-  uci commit
-fi
-
-exit 0

net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.firewall

@@ -1,4 +0,0 @@
-#!/bin/sh
-/etc/init.d/crowdsec enabled && /etc/init.d/crowdsec restart
-/etc/init.d/crowdsec-firewall-bouncer enabled && /etc/init.d/crowdsec-firewall-bouncer restart
-exit 0

net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd

@@ -1,69 +1,231 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2021-2022 Gerald Kerma <gandalf@gk2.net>
+
+USE_PROCD=1
 
 START=99
-USE_PROCD=1
+
 NAME=crowdsec-firewall-bouncer
 PROG=/usr/bin/cs-firewall-bouncer
-CONFIG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-BACKEND=iptables
 VARCONFIGDIR=/var/etc/crowdsec/bouncers
 VARCONFIG=/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-FW_BACKEND="iptables"
+
+CONFIGURATION=crowdsec
+
+TABLE="crowdsec"
+TABLE6="crowdsec6"
 
 service_triggers() {
 	procd_add_reload_trigger crowdsec-firewall-bouncer
+	procd_add_config_trigger "config.change" "crowdsec" /etc/init.d/crowdsec-firewall-bouncer reload
 }
 
-init_config() {
+init_yaml() {
-	## CheckFirewall
-	iptables="true"
-	which iptables > /dev/null
-	FW_BACKEND=""
-	if [[ $? != 0 ]]; then
-	  echo "iptables is not present"
-	  iptables="false"
-	else
-	  FW_BACKEND="iptables"
-	  echo "iptables found"
-	fi
 
-	nftables="true"
+	local section="$1"
-	which nft > /dev/null
-	if [[ $? != 0 ]]; then
-	  echo "nftables is not present"
-	  nftables="false"
-	else
-	  FW_BACKEND="nftables"
-	  echo "nftables found"
-	fi
 
-	if [ "$nftables" = "true" -a "$iptables" = "true" ]; then
+	local update_frequency
-	  echo "Found nftables(default) and iptables..."
+	local log_level
-	fi
+	local api_url
+	local api_key
+	local ipv6
+	local deny_action
+	local deny_log
+	local log_prefix
+	local log_max_size
+	local log_max_backups
+	local log_max_age
+	local ipv4
+	local input_chain_name
+	local input6_chain_name
 
-	if [ "$FW_BACKEND" = "iptables" ]; then
+	config_get update_frequency $section update_frequency '10s'
-	  which ipset > /dev/null
+	config_get log_level $section log_level 'info'
-	  if [[ $? != 0 ]]; then
+	config_get api_url $section api_url "http://127.0.0.1:8080"
-	    echo "ipset not found, install it !"
+	config_get api_key $section api_key "API_KEY"
-	  fi
+	config_get_bool ipv6 $section ipv6 '1'
-	fi
+	config_get deny_action $section deny_action "drop"
-	BACKEND=$FW_BACKEND
+	config_get_bool deny_log $section deny_log '0'
+	config_get log_prefix $section log_prefix "crowdsec: "
+	config_get log_max_size $section log_max_size '100'
+	config_get log_max_backups $section log_max_backups '3'
+	config_get log_max_age $section log_max_age '30'
+	config_get_bool ipv4 $section ipv4 '1'
+	config_get input_chain_name $section input_chain_name "input"
+	config_get input6_chain_name $section input6_chain_name "input"
 
 	# Create tmp dir & permissions if needed
 	if [ ! -d "${VARCONFIGDIR}" ]; then
 		mkdir -m 0755 -p "${VARCONFIGDIR}"
 	fi;
 
-	cp $CONFIG $VARCONFIG
+	cat > $VARCONFIG <<-EOM
+	mode: nftables
+	pid_dir: /var/run/
+	update_frequency: $update_frequency
+	daemonize: true
+	log_mode: file
+	log_dir: /var/log/
+	log_level: $log_level
+	log_compression: true
+	log_max_size: $log_max_size
+	log_max_backups: $log_max_backups
+	log_max_age: $log_max_age
+	api_url: $api_url
+	api_key: $api_key
+	insecure_skip_verify: true
+	disable_ipv6: boolnot($ipv6)
+	deny_action: $deny_action
+	deny_log: bool($deny_log)
+	supported_decisions_type:
+	  - ban
+	#to change log prefix
+	deny_log_prefix: "$log_prefix"
+	#to change the blacklists name
+	blacklists_ipv4: crowdsec-blacklists
+	blacklists_ipv6: crowdsec6-blacklists
+	#type of ipset to use
+	ipset_type: nethash
+	#if present, insert rule in those chains
+	iptables_chains:
+	  - INPUT
+	#  - FORWARD
+	#  - DOCKER-USER
+	## nftables
+	nftables:
+	  ipv4:
+	    enabled: bool($ipv4)
+	    set-only: true
+	    table: $TABLE
+	    chain: $input_chain_name
+	  ipv6:
+	    enabled: bool($ipv6)
+	    set-only: true
+	    table: $TABLE6
+	    chain: $input6_chain_name
+	# packet filter
+	pf:
+	  # an empty disables the anchor
+	  anchor_name: ""
+	prometheus:
+	  enabled: false
+	  listen_addr: 127.0.0.1
+	  listen_port: 60601
+	EOM
 
-	sed -i "s,^\(\s*mode\s*:\s*\).*\$,\1$BACKEND," $VARCONFIG
+	sed -i "s/bool(1)/true/g" $VARCONFIG
+	sed -i "s/bool(0)/false/g" $VARCONFIG
+	sed -i "s/boolnot(1)/false/g" $VARCONFIG
+	sed -i "s/boolnot(0)/true/g" $VARCONFIG
+	sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG
+	sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG 	
 }
 
-start_service() {
+init_nftables() {
-	init_config
+
+	local section="$1"
+
+	local priority
+	local deny_action
+	local deny_log
+	local log_prefix
+	local ipv4
+	local ipv6
+	local filter_input
+	local filter_forward
+	local input_chain_name
+	local forward_chain_name
+	local input6_chain_name
+	local forward6_chain_name
+	local interface
+	local log_term=""
+
+	config_get priority $section priority "4"
+	config_get deny_action $section deny_action "drop"
+	config_get_bool deny_log $section deny_log '0'
+	config_get log_prefix $section log_prefix "crowdsec: "
+	config_get_bool ipv4 $section ipv4 '1'
+	config_get_bool ipv6 $section ipv6 '1'
+	config_get_bool filter_input $section filter_input '1'
+	config_get_bool filter_forward $section filter_forward '1'
+	config_get input_chain_name $section input_chain_name "input"
+	config_get forward_chain_name $section forward_chain_name "forward"
+	config_get input6_chain_name $section input6_chain_name "input"
+	config_get forward6_chain_name $section forward6_chain_name "forward"
+	config_get interface $section interface 'eth1'
+
+	if [ "$deny_log" -eq "1" ] ; then
+		local log_term="log prefix \"${log_prefix}\""
+	fi
+
+	local interface="${interface// /, }"
+
+	#as of kernel 3.18 we can delete a table without need to flush it
+	nft delete table ip crowdsec 2>/dev/null
+	nft delete table ip6 crowdsec6 2>/dev/null
+
+	if [ "$ipv4" -eq "1" ] ; then
+
+		nft add table ip crowdsec
+		nft add set ip crowdsec crowdsec-blacklists '{ type ipv4_addr; flags timeout; }'
+
+		if [ "$filter_input" -eq "1" ] ; then
+			nft add chain ip "$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }"
+			nft add rule ip "$TABLE" $input_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
+		fi
+		if [ "$filter_forward" -eq "1" ] ; then
+			nft add chain ip "$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }"
+			nft add rule ip "$TABLE" $forward_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
+		fi
+	fi
+
+	if [ "$ipv6" -eq "1" ] ; then
+
+		nft add table ip6 crowdsec6
+		nft add set ip6 crowdsec6 crowdsec6-blacklists '{ type ipv6_addr; flags timeout; }'
+
+		if [ "$filter_input" -eq "1" ] ; then
+			nft add chain ip6 "$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }"
+			nft add rule ip6 "$TABLE6" $input6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
+		fi
+		if [ "$filter_forward" -eq "1" ] ; then
+			nft add chain ip6 "$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }"
+			nft add rule ip6 "$TABLE6" $forward6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
+		fi
+	fi
+}
+
+run_bouncer() {
+
+	local section="$1"
+
+	local enabled
+	config_get_bool enabled $section enabled 0
+
+	if [ "$enabled" -eq "1" ] ; then
+
+		init_yaml "$section"
+		init_nftables "$section"
 
 		procd_open_instance
 		procd_set_param command "$PROG" -c "$VARCONFIG"
+		procd_set_param stdout 1
+		procd_set_param stderr 1
 		procd_close_instance
+	fi
 }
+
+start_service() {
+
+	config_load "${CONFIGURATION}"
+	config_foreach run_bouncer bouncer
+}
+
+service_stopped() {
+
+	rm $VARCONFIG
+
+	nft delete table ip crowdsec 2>/dev/null
+	nft delete table ip6 crowdsec6 2>/dev/null
+}
+
+

net/crowdsec-firewall-bouncer/files/crowdsec.config

@@ -0,0 +1,15 @@
+config bouncer
+	option enabled '0'
+	option ipv4 '1'
+	option ipv6 '1'
+	option api_url 'http://localhost:8080/'
+	option api_key ''
+	option update_frequency '10s'
+	option deny_action 'drop'
+	option deny_log '0'
+	option log_prefix 'crowdsec: '
+	option log_level 'info'
+	option filter_input '1'
+	option filter_forward '1'
+	list interface 'eth1'
+

net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch

@@ -1,9 +0,0 @@
---- a/config/crowdsec-firewall-bouncer.yaml
-+++ b/config/crowdsec-firewall-bouncer.yaml
-@@ -20,5 +20,5 @@ supported_decisions_types:
- #if present, insert rule in those chains
- iptables_chains:
-   - INPUT
--#  - FORWARD
-+  - FORWARD
- #  - DOCKER-USER

net/openssh/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
-PKG_VERSION:=9.1p1
+PKG_VERSION:=9.2p1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		https://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/
-PKG_HASH:=19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288
+PKG_HASH:=3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
 
 PKG_LICENSE:=BSD ISC
 PKG_LICENSE_FILES:=LICENCE
@@ -36,7 +36,6 @@ define Package/openssh/Default
 	MAINTAINER:=Peter Wagner <tripolar@gmx.at>
 	URL:=http://www.openssh.com/
 	SUBMENU:=SSH
-	VARIANT:=without-pam
 endef
 
 define Package/openssh-moduli
@@ -89,6 +88,7 @@ define Package/openssh-server
 	DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
 	TITLE+= server
 	USERID:=sshd=22:sshd=22
+	VARIANT:=without-pam
 endef
 
 define Package/openssh-server/config

net/pdns-recursor/Makefile

@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pdns-recursor
-PKG_VERSION:=4.8.1
+PKG_VERSION:=4.8.2
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/
-PKG_HASH:=d7b03447009257e512f01fcc46cbdb9c859b672a1c9b23faf382e870765b0f0d
+PKG_HASH:=4382d3e84f13401685772779dfede6cbc8157ecf6763fa7fdb1dd33ee3f79ac7
 
 PKG_MAINTAINER:=Peter van Dijk <peter.van.dijk@powerdns.com>
 PKG_LICENCE:=GPL-2.0-only

net/simple-adblock/Makefile

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=simple-adblock
 PKG_VERSION:=1.9.3
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 PKG_LICENSE:=GPL-3.0-or-later
 

net/simple-adblock/files/simple-adblock.conf

@@ -71,9 +71,9 @@ config simple-adblock 'config'
 # enabling this will disable processing of any other block/allow-lists
 #	option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/'
 
-# File size: 34.0M
+# File size: 19.0M
 # block-list too big for most routers
-#	list blocked_hosts_url 'https://hosts.oisd.nl/'
+#	list blocked_domains_url 'https://dbl.oisd.nl/'
 
 # site was down on last check
 #	list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt'

net/simple-adblock/files/simple-adblock.conf.update

@@ -4,7 +4,6 @@ s|blacklist_hosts_url|blocked_hosts_url|g
 s|blacklist_domains_url|blocked_domains_url|g
 s|blacklist_domain|blocked_domain|g
 s|ssl.bblck.me|cdn.jsdelivr.net/gh/paulgb/BarbBlock|g
-s|dbl.oisd.nl|hosts.oisd.nl|g
 s|raw.githubusercontent.com/StevenBlack/hosts/|cdn.jsdelivr.net/gh/StevenBlack/hosts@|g
 s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g
 s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g

net/simple-adblock/files/simple-adblock.init

@@ -1409,16 +1409,29 @@ adb_stop() {
 	fi
 }
 
+allow() { load_validate_config 'config' adb_allow "'$*'"; }
+boot() {
+	ubus -t 30 wait_for network.interface 2>/dev/null
+	rc_procd start_service 'on_boot'
+}
+check() { load_validate_config 'config' adb_check "'$*'"; }
+dl() { rc_procd start_service 'download'; }
+killcache() {
+	rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+	rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip"
+	rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+	rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+	rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip"
+	rm -f "$unboundCache" "$unboundGzip"
+	config_load 'dhcp'
+	config_foreach resolver 'dnsmasq' 'cleanup'
+	uci_commit 'dhcp'
+	return 0
+}
+reload_service() { rc_procd start_service 'restart'; }
+restart_service() { rc_procd start_service 'restart'; }
 service_started() { procd_set_config_changed firewall; }
 service_stopped() { procd_set_config_changed firewall; }
-restart_service() { rc_procd start_service 'restart'; }
-reload_service() { rc_procd start_service 'restart'; }
-start_service() { 
-	load_validate_config 'config' adb_config_update "'$*'"
-	load_validate_config 'config' adb_start "'$*'"
-}
-stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
-status_service() { load_validate_config 'config' adb_status "''"; }
 service_triggers() {
 	local wan wan6 i
 	local procd_trigger_wan6
@@ -1437,22 +1450,13 @@ service_triggers() {
 	done
 	procd_add_config_trigger "config.change" "$packageName" "/etc/init.d/${packageName}" reload
 }
-allow() { load_validate_config 'config' adb_allow "'$*'"; }
-check() { load_validate_config 'config' adb_check "'$*'"; }
-dl() { rc_procd start_service 'download'; }
-killcache() {
-	rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
-	rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip"
-	rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
-	rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
-	rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip"
-	rm -f "$unboundCache" "$unboundGzip"
-	config_load 'dhcp'
-	config_foreach resolver 'dnsmasq' 'cleanup'
-	uci_commit 'dhcp'
-	return 0
-}
 sizes() { load_validate_config 'config' adb_sizes "''"; }
+start_service() { 
+	load_validate_config 'config' adb_config_update "'$*'"
+	load_validate_config 'config' adb_start "'$*'"
+}
+status_service() { load_validate_config 'config' adb_status "''"; }
+stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
 version() { echo "$PKG_VERSION"; }
 
 load_validate_config() {

net/tailscale/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tailscale
-PKG_VERSION:=1.32.3
+PKG_VERSION:=1.36.0
 PKG_RELEASE:=1
 
 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=4cf88a1d754240ce71b29d3a65ca480091ad9c614ac99c541cef6fdaf0585dd4
+PKG_HASH:=25b293a7e65d7b962f0c56454d66fa56c89c3aa995467218f24efa335b924c76
 
 PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
@@ -61,24 +61,44 @@ endef
 
 Package/tailscaled/description:=$(Package/tailscale/description)
 
+define Package/tailscaled/conffiles
+/etc/config/tailscale
+/etc/tailscale/tailscaled.state
+endef
+
+GO_IPTABLES_VERSION:=0.6.0
+GO_IPTABLES_FILE:=$(PKG_NAME)-go-iptables-$(GO_IPTABLES_VERSION).tar.gz
+
+define Download/go-iptables
+  URL:=https://codeload.github.com/coreos/go-iptables/tar.gz/v$(GO_IPTABLES_VERSION)?
+  URL_FILE:=$(GO_IPTABLES_FILE)
+  FILE:=$(GO_IPTABLES_FILE)
+  HASH:=a784cc17fcb17879f073eae47bc4c2e899f59f6906dac5a0aa7a9cc9f95ea66d
+endef
+
+define Build/Prepare
+	$(PKG_UNPACK)
+	[ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
+	$(eval $(call Download,go-iptables))
+	( \
+		mkdir -p $(PKG_BUILD_DIR)/patched/ ; \
+		gzip -dc $(DL_DIR)/$(GO_IPTABLES_FILE) | $(HOST_TAR) -C $(PKG_BUILD_DIR)/patched $(TAR_OPTIONS) ; \
+		mv $(PKG_BUILD_DIR)/patched/go-iptables-$(GO_IPTABLES_VERSION) $(PKG_BUILD_DIR)/patched/go-iptables ; \
+	)
+	$(Build/Patch)
+endef
+
 define Package/tailscale/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscale $(1)/usr/sbin
 endef
 
 define Package/tailscaled/install
-	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d $(1)/etc/config
 	$(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscaled $(1)/usr/sbin
-	$(INSTALL_DIR) $(1)/etc/init.d/
 	$(INSTALL_BIN) ./files//tailscale.init $(1)/etc/init.d/tailscale
-	$(INSTALL_DIR) $(1)/etc/config/
 	$(INSTALL_DATA) ./files//tailscale.conf $(1)/etc/config/tailscale
 endef
 
-define Package/tailscaled/conffiles
-/etc/config/tailscale
-/etc/tailscale/tailscaled.state
-endef
-
 $(eval $(call BuildPackage,tailscale))
 $(eval $(call BuildPackage,tailscaled))

net/tailscale/README.md

@@ -25,4 +25,9 @@ Run command and finish device registration with the given URL.
 tailscale up
 ```
 
+If you are running with nftables, it is not supported by tailscale,
+so disable it and configure firewall by yourself and add argument
+--netfilter-mode off
+to tailscale up command to disable iptables use.
+
 After that, you should see your router in tailscale admin page.

net/tailscale/patches/010-fake_iptables.patch

@@ -0,0 +1,53 @@
+--- a/go.mod
++++ b/go.mod
+@@ -2,6 +2,8 @@ module tailscale.com
+ 
+ go 1.19
+ 
++replace github.com/coreos/go-iptables => ./patched/go-iptables
++
+ require (
+ 	filippo.io/mkcert v1.4.3
+ 	github.com/Microsoft/go-winio v0.6.0
+--- a/patched/go-iptables/iptables/iptables.go
++++ b/patched/go-iptables/iptables/iptables.go
+@@ -149,12 +149,39 @@ func New(opts ...option) (*IPTables, err
+ 	return ipt, nil
+ }
+ 
++func NewFake(opts ...option) (*IPTables, error) {
++
++	ipt := &IPTables{
++		path:		   "/bin/false",
++		proto:		   ProtocolIPv4,
++		hasCheck:	   false,
++		hasWait:	   false,
++		waitSupportSecond: false,
++		hasRandomFully:	   false,
++		v1:		   0,
++		v2:		   0,
++		v3:		   0,
++		mode:		   "legacy",
++		timeout:	   0,
++	}
++
++	for _, opt := range opts {
++		opt(ipt)
++	}
++
++	return ipt, nil
++}
++
+ // New creates a new IPTables for the given proto.
+ // The proto will determine which command is used, either "iptables" or "ip6tables".
+ func NewWithProtocol(proto Protocol) (*IPTables, error) {
+ 	return New(IPFamily(proto), Timeout(0))
+ }
+ 
++func NewFakeWithProtocol(proto Protocol) (*IPTables, error) {
++	return NewFake(IPFamily(proto), Timeout(0))
++}
++
+ // Proto returns the protocol used by this IPTables.
+ func (ipt *IPTables) Proto() Protocol {
+ 	return ipt.proto

net/tailscale/patches/020-tailscaled_fake_iptables.patch

@@ -0,0 +1,32 @@
+--- a/wgengine/router/router_linux.go
++++ b/wgengine/router/router_linux.go
+@@ -129,7 +129,7 @@ func newUserspaceRouter(logf logger.Logf
+ 
+ 	ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+ 	if err != nil {
+-		return nil, err
++		ipt4, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv4)
+ 	}
+ 
+ 	v6err := checkIPv6(logf)
+@@ -148,7 +148,7 @@ func newUserspaceRouter(logf logger.Logf
+ 		// if unavailable. We want that to be a non-fatal error.
+ 		ipt6, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+ 		if err != nil {
+-			return nil, err
++			ipt6, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv6)
+ 		}
+ 	}
+ 
+@@ -1635,11 +1635,6 @@ func checkIPv6(logf logger.Logf) error {
+ 		return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err)
+ 	}
+ 
+-	// Some distros ship ip6tables separately from iptables.
+-	if _, err := exec.LookPath("ip6tables"); err != nil {
+-		return err
+-	}
+-
+ 	return nil
+ }
+ 

net/tailscale/patches/030-default_to_netfilter_off.patch

@@ -0,0 +1,11 @@
+--- a/cmd/tailscale/cli/up.go
++++ b/cmd/tailscale/cli/up.go
+@@ -143,7 +143,7 @@ func defaultNetfilterMode() string {
+ 	if distro.Get() == distro.Synology {
+ 		return "off"
+ 	}
+-	return "on"
++	return "off"
+ }
+ 
+ type upArgsT struct {

net/tailscale/test.sh

@@ -1,8 +1,10 @@
 #!/bin/sh
-if command -v tailscale; then
-    tailscale version | grep "$2" || exit 1
-fi
 
-if command -v tailscaled; then
+case "$1" in
+	tailscale)
+		tailscale version | grep "$2"
+		;;
+	tailscaled)
 		tailscaled -version | grep "$2"
-fi
+		;;
+esac

net/xl2tpd/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=xl2tpd
-PKG_VERSION:=1.3.17
+PKG_VERSION:=1.3.18
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com>
 PKG_LICENSE:=GPL-2.0
@@ -19,7 +19,7 @@ PKG_SOURCE_URL:=https://github.com/xelerance/xl2tpd.git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MIRROR_HASH:=5fbc1fe5a01ebd5b0eb2929b85e68eb271e29cc2989320aa1ae2b32f0ac0e540
+PKG_MIRROR_HASH:=f4faa15357063a2ac11e427adbcac6b51c755cc294f1a26fe4eb0c008840df31
 
 PKG_INSTALL:=1