Merge branch 'openwrt:master' into master

2023-03-07 19:24:59 +05:30 · 2023-03-07 19:24:59 +05:30 · abfb6331f7
commit abfb6331f7
parent e7661c9277 58fcaf8fc4
25 changed files with 388 additions and 251 deletions
--- a/libs/libb64/Makefile
+++ b/libs/libb64/Makefile
@ -0,0 +1,34 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libb64
+PKG_VERSION:=2.0.0
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/libb64/libb64/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=28c43c47674409fc50e7145d4c2d26dc1f3d200889c41205e7812c2b67f26382
+
+PKG_LICENSE:=PublicDomain
+PKG_LICENSE_FILES:=LICENSE.md
+
+PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
+
+include $(INCLUDE_DIR)/package.mk
+
+MAKE_FLAGS+=all_src
+
+define Package/libb64
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Base64 Encoding/Decoding Routines
+  URL:=https://github.com/libb64/libb64
+  BUILDONLY:=1
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/b64 $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/include/b64/*.h $(1)/usr/include/b64
+	$(CP) $(PKG_BUILD_DIR)/src/*.a $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libb64))
--- a/libs/libb64/patches/100-no-Werror.patch
+++ b/libs/libb64/patches/100-no-Werror.patch
@ -0,0 +1,11 @@
+--- a/src/Makefile
+++ b/src/Makefile
+@@ -15,7 +15,7 @@ TARGETS = $(LIBRARIES)
+ 
+ LINK.o = gcc
+ 
+-CFLAGS += -Werror -pedantic
+CFLAGS += -pedantic
+ CFLAGS += -I../include
+ 
+ vpath %.h ../include/b64
--- a/libs/libdeflate/Makefile
+++ b/libs/libdeflate/Makefile
@ -0,0 +1,38 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libdeflate
+PKG_VERSION:=1.17
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/ebiggers/libdeflate/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=fa4615af671513fa2a53dc2e7a89ff502792e2bdfc046869ef35160fcc373763
+
+PKG_LICENSE:=COPYING
+PKG_LICENSE_FILES:=MIT
+
+PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/libdeflate
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=library for fast, whole-buffer DEFLATE-based compression and decompression
+  URL:=https://github.com/ebiggers/libdeflate
+endef
+
+define Package/libdeflate/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libdeflate.so* $(1)/usr/lib/
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libdeflate.pc $(1)/usr/lib/pkgconfig/
+endef
+
+$(eval $(call BuildPackage,libdeflate))
--- a/libs/libdht/Makefile
+++ b/libs/libdht/Makefile
@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libdht
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/jech/dht
+PKG_SOURCE_DATE:=2022-04-27
+PKG_SOURCE_VERSION:=111230894416d400c9a1e038a033586bfeaafc93
+PKG_MIRROR_HASH:=71decd82023e0d3ec872604e9f0d709003906b38266990a8b1bb540907d1d3f0
+
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libdht
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Kademlia Distributed Hash Table (DHT) library
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/dht $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/dht.h $(1)/usr/include/dht
+	$(CP) $(PKG_BUILD_DIR)/libdht.so $(1)/usr/lib/
+endef
+
+define Package/libdht/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/libdht.so $(1)/usr/lib/
+endef
+
+define Build/Compile
+	$(TARGET_CC) $(FPIC) -Wall -c -o $(PKG_BUILD_DIR)/dht.o $(PKG_BUILD_DIR)/dht.c
+	$(TARGET_CC) -shared -lcrypt -o $(PKG_BUILD_DIR)/libdht.so $(PKG_BUILD_DIR)/dht.o
+endef
+
+$(eval $(call BuildPackage,libdht))
--- a/libs/libutp/Makefile
+++ b/libs/libutp/Makefile
@ -0,0 +1,46 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libutp
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/transmission/libutp
+PKG_SOURCE_DATE:=2023-02-14
+PKG_SOURCE_VERSION:=c95738b1a6644b919e5b64d3ea9736cfc5894e0b
+PKG_MIRROR_HASH:=5e466da0cb45119d58e8dd847da13951c94bfe9f20936f96b43f350d1e49c625
+
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/libutp
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=The uTorrent Transport Protocol library
+  DEPENDS:=+libstdcpp
+endef
+
+# MAKE_VARS+=OPT="-I$(PKG_BUILD_DIR)/include/libutp -I$(PKG_BUILD_DIR)/include"
+
+CMAKE_OPTIONS += \
+	-DLIBUTP_SHARED:BOOL=YES \
+	-DLIBUTP_ENABLE_INSTALL:BOOL=YES \
+	-DLIBUTP_ENABLE_WERROR:BOOL=YES \
+	-DLIBUTP_BUILD_PROGRAMS:BOOL=NO
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/libutp $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/libutp/*.h $(1)/usr/include/libutp
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libutp.so $(1)/usr/lib/
+endef
+
+define Package/libutp/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/libutp.so $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libutp))
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@ -1,5 +1,5 @@
 #
-# banIP - ban incoming and outgoing ip adresses/subnets via sets in nftables
+# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 #
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=banip
 PKG_VERSION:=0.8.1
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@ -55,48 +55,50 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | voip                | VoIP fraud blocklist           |    x    |    x    |         | [Link](https://voipbl.org)                                    |
 | yoyo                | yoyo IPs                       |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |

-* zero-conf like automatic installation & setup, usually no manual changes needed
-* all sets are handled in a separate nft table/namespace 'banIP'
-* full IPv4 and IPv6 support
-* supports nft atomic set loading
-* supports blocking by ASN numbers and by iso country codes
-* supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
-* auto-add the uplink subnet to the local allowlist
-* provides a small background log monitor to ban unsuccessful login attempts in real-time
-* auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
-* fast feed processing as they are handled in parallel as background jobs
-* per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
-* automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
-* automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
-* supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
-* deduplicate IPs accross all sets (single IPs only, no intervals)
-* provides comprehensive runtime information
-* provides a detailed set report
-* provides a set search engine for certain IPs
-* feed parsing by fast & flexible regex rulesets
-* minimal status & error logging to syslog, enable debug logging to receive more output
-* procd based init system support (start/stop/restart/reload/status/report/search)
-* procd network interface trigger support
-* ability to add new banIP feeds on your own
+* Zero-conf like automatic installation & setup, usually no manual changes needed
+* All sets are handled in a separate nft table/namespace 'banIP'
+* Full IPv4 and IPv6 support
+* Supports nft atomic set loading
+* Supports blocking by ASN numbers and by iso country codes
+* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
+* Auto-add the uplink subnet to the local allowlist
+* Provides a small background log monitor to ban unsuccessful login attempts in real-time
+* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
+* Fast feed processing as they are handled in parallel as background jobs
+* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
+* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
+* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
+* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
+* Deduplicate IPs accross all sets (single IPs only, no intervals)
+* Provides comprehensive runtime information
+* Provides a detailed set report
+* Provides a set search engine for certain IPs
+* Feed parsing by fast & flexible regex rulesets
+* Minimal status & error logging to syslog, enable debug logging to receive more output
+* Procd based init system support (start/stop/restart/reload/status/report/search/survey)
+* Procd network interface trigger support
+* Ability to add new banIP feeds on your own

 ## Prerequisites
-* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support  
-* a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
-* a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
-* for E-Mail notifications you need to install and setup the additional 'msmtp' package
+* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
+* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
+* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
+* For E-Mail notifications you need to install and setup the additional 'msmtp' package

 **Please note the following:**
 * Devices with less than 256Mb of RAM are **_not_** supported
 * Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)

 ## Installation & Usage
-* update your local opkg repository (_opkg update_)
-* install banIP (_opkg install banip_) - the banIP service is disabled by default
-* edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
-* start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
+* Update your local opkg repository (_opkg update_)
+* Install banIP (_opkg install banip_) - the banIP service is disabled by default
+* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
+* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
+* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
+* Start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'

 ## banIP CLI interface
-* All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course.
+* All important banIP functions are accessible via CLI.
 ```
 ~# /etc/init.d/banip
 Syntax: /etc/init.d/banip [command]
@ -135,6 +137,7 @@ Available commands:
 | ban_autoallowlist       | option | 1                             | add wan IPs/subnets automatically to the local allowlist                              |
 | ban_autoblocklist       | option | 1                             | add suspicious attacker IPs automatically to the local blocklist                      |
 | ban_allowlistonly       | option | 0                             | restrict the internet access from/to a small number of secure websites/IPs            |
+| ban_basedir             | option | /tmp                          | base working directory while banIP processing                                         |
 | ban_reportdir           | option | /tmp/banIP-report             | directory where banIP stores the report files                                         |
 | ban_backupdir           | option | /tmp/banIP-backup             | directory where banIP stores the compressed backup files                              |
 | ban_protov4             | option | - / autodetect                | enable IPv4 support                                                                   |
@ -216,19 +219,19 @@ Available commands:
 ```
 ~# /etc/init.d/banip status
 ::: banIP runtime information
-  + status            : active
-  + version           : 0.8.1-2
-  + element_count     : 206644
-  + active_feeds      : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6,
-                         adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack
-                        v6, stevenblackv4, yoyov6, yoyov4, antipopadsv4, urlhausv4, antipopadsv6, blocklistvMAC, blocklistv4, blocklistv6
+  + status            : active (nft: ✔, monitor: ✔)
+  + version           : 0.8.1-3
+  + element_count     : 180596
+  + active_feeds      : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, cinsscorev4, adguardv6, countryv6, countryv4, 
+                        deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv6, oisdsmallv4, urlvirv4, webclientv4, blocklistvMAC, blocklistv4,
+                         blocklistv6
  + active_devices    : eth2
  + active_interfaces : wan, wan6
-  + active_subnets    : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128
-  + run_info          : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_file: /etc/banip/banip.feeds
-  + run_flags         : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘
-  + last_run          : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55
-  + system_info       : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469
+  + active_subnets    : 91.64.168.218/24, 2a02:710c:0:80:e342:4b0c:725d:1d43/128
+  + run_info          : base: /tmp, backup: /mnt/data/banIP-backup, report: /mnt/data/banIP-report, feed: /etc/banip/banip.feeds
+  + run_flags         : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
+  + last_run          : action: restart, duration: 0m 58s, date: 2023-03-06 13:50:27
+  + system_info       : cores: 2, memory: 1831, device: Turris Omnia, OpenWrt SNAPSHOT r22151-1d82a47b49
 ```

 **banIP search information**  
@ -242,6 +245,32 @@ Available commands:
    IP found in set oisdbasicv4
 ```

+**banIP survey information**  
+```
+~# /etc/init.d/banip survey cinsscorev4
+:::
+::: banIP Survey
+:::
+    List the elements of set cinsscorev4 on 2023-03-06 14:07:58
+    ---
+1.10.187.179
+1.10.203.30
+1.10.255.58
+1.11.67.53
+1.11.114.211
+1.11.208.29
+1.12.75.87
+1.12.231.227
+1.12.247.134
+1.12.251.141
+1.14.96.156
+1.14.250.37
+1.15.40.79
+1.15.71.140
+1.15.77.237
+[...]
+```
+
 **allow-/blocklist handling**  
 banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.  
 Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.  
@ -257,7 +286,7 @@ banIP only supports logfile scanning via logread, so to monitor attacks on Aster
 **tweaks for low memory systems**  
 nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:  

-    * point 'ban_reportdir' and 'ban_backupdir' to an external usb drive
+    * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
    * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
    * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members

@ -265,7 +294,7 @@ nftables supports the atomic loading of rules/sets/members, which is cool but un
 By default banIP uses the following pre-configured download options:
 ```
    * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
-    * curl: --connect-timeout 20 --silent --show-error --location -o
+    * curl: --connect-timeout 20 --fail --silent --show-error --location -o
    * uclient-fetch: --timeout=20 -O
    * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
 ```
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@ -11,13 +11,15 @@ export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"

 ban_basedir="/tmp"
-ban_backupdir="${ban_basedir}/banIP-backup"
-ban_reportdir="${ban_basedir}/banIP-report"
+ban_backupdir="/tmp/banIP-backup"
+ban_reportdir="/tmp/banIP-report"
 ban_feedfile="/etc/banip/banip.feeds"
-ban_pidfile="/var/run/banip.pid"
-ban_lock="/var/run/banip.lock"
-ban_blocklist="/etc/banip/banip.blocklist"
 ban_allowlist="/etc/banip/banip.allowlist"
+ban_blocklist="/etc/banip/banip.blocklist"
+ban_mailtemplate="/etc/banip/banip.tpl"
+ban_pidfile="/var/run/banip.pid"
+ban_rtfile="/var/run/banip_runtime.json"
+ban_lock="/var/run/banip.lock"
 ban_fetchcmd=""
 ban_logreadcmd="$(command -v logread)"
 ban_logcmd="$(command -v logger)"
@ -32,7 +34,6 @@ ban_mailsender="no-reply@banIP"
 ban_mailreceiver=""
 ban_mailtopic="banIP notification"
 ban_mailprofile="ban_notify"
-ban_mailtemplate="/etc/banip/banip.tpl"
 ban_nftpriority="-200"
 ban_nftexpiry=""
 ban_loglevel="warn"
@ -49,7 +50,7 @@ ban_autoallowlist="1"
 ban_autoblocklist="1"
 ban_deduplicate="1"
 ban_splitsize="0"
-ban_autodetect=""
+ban_autodetect="1"
 ban_feed=""
 ban_blockinput=""
 ban_blockforwardwan=""
@ -281,6 +282,24 @@ f_rmpid() {
 	: >"${ban_pidfile}"
 }

+# get nft/monitor actuals
+#
+f_actual() {
+	local nft monitor
+
+	if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
+		nft="$(f_char "1")"
+	else
+		nft="$(f_char "0")"
+	fi
+	if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
+		monitor="$(f_char "1")"
+	else
+		monitor="$(f_char "0")"
+	fi
+	printf "%s" "nft: ${nft}, monitor: ${monitor}"
+}
+
 # get wan interfaces
 #
 f_getif() {
@ -387,7 +406,7 @@ f_nftinit() {
 		# nft header (tables and chains)
 		#
 		printf "%s\n\n" "#!/usr/sbin/nft -f"
-		if "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then
+		if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
 			printf "%s\n" "delete table inet banIP"
 		fi
 		printf "%s\n" "add table inet banIP"
@ -426,6 +445,8 @@ f_nftinit() {
 	return ${feed_rc}
 }

+# handle downloads
+#
 f_down() {
 	local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forwardwan_handles forwardlan_handles handle
 	local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
@ -763,7 +784,7 @@ f_rmset() {
 	local tmp_del table_sets input_handles forwardwan_handles forwardlan_handles handle sets feed feed_log feed_rc

 	tmp_del="${ban_tmpfile}.final.delete"
-	table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)"
+	table_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | jsonfilter -qe '@.nftables[*].set.name')"
 	input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
 	forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
 	forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
@ -797,7 +818,7 @@ f_rmset() {
 # generate status information
 #
 f_genstatus() {
-	local object duration nft_table nft_feeds cnt_elements="0" split="0" status="${1}"
+	local object duration nft_feeds cnt_elements="0" split="0" status="${1}"

 	[ -z "${ban_dev}" ] && f_conf
 	if [ "${status}" = "active" ]; then
@ -805,8 +826,7 @@ f_genstatus() {
 			ban_endtime="$(date "+%s")"
 			duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
 		fi
-		nft_table="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null)"
-		nft_feeds="$(f_trim "$(printf "%s\n" "${nft_table}" | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}')")"
+		nft_feeds="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | jsonfilter -qe '@.nftables[*].set.name')"
 		for object in ${nft_feeds}; do
 			cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
 		done
@ -815,9 +835,9 @@ f_genstatus() {
 	f_system
 	[ ${ban_splitsize:-"0"} -gt "0" ] && split="1"

-	: >"${ban_basedir}/ban_runtime.json"
+	: >"${ban_rtfile}"
 	json_init
-	json_load_file "${ban_basedir}/ban_runtime.json" >/dev/null 2>&1
+	json_load_file "${ban_rtfile}" >/dev/null 2>&1
 	json_add_string "status" "${status}"
 	json_add_string "version" "${ban_ver}"
 	json_add_string "element_count" "${cnt_elements}"
@ -874,24 +894,26 @@ f_genstatus() {
 	fi
 	json_close_array
 	json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}"
-	json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
+	json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
 	json_add_string "last_run" "${runtime:-"-"}"
 	json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
-	json_dump >"${ban_basedir}/ban_runtime.json"
+	json_dump >"${ban_rtfile}"
 }

 # get status information
 #
 f_getstatus() {
-	local key keylist type value index_value
+	local key keylist type value index_value actual="${1}"

 	[ -z "${ban_dev}" ] && f_conf
-	json_load_file "${ban_basedir}/ban_runtime.json" >/dev/null 2>&1
+	json_load_file "${ban_rtfile}" >/dev/null 2>&1
 	if json_get_keys keylist; then
 		printf "%s\n" "::: banIP runtime information"
 		for key in ${keylist}; do
 			json_get_var value "${key}" >/dev/null 2>&1
-			if [ "${key%_*}" = "active" ]; then
+			if [ "${key}" = "status" ]; then
+				value="${value} ($(f_actual))"
+			elif [ "${key%_*}" = "active" ]; then
 				json_select "${key}" >/dev/null 2>&1
 				index=1
 				while json_get_type type "${index}" && [ "${type}" = "object" ]; do
@ -905,10 +927,8 @@ f_getstatus() {
 				done
 				json_select ".."
 			fi
-			value="$(
-				printf "%s" "${value}" |
-					awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}'
-			)"
+			value="$(printf "%s" "${value}" |
+						awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
 			printf "  + %-17s : %s\n" "${key}" "${value:-"-"}"
 		done
 	else
@ -964,7 +984,7 @@ f_lookup() {
 	f_log "debug" "f_lookup  ::: name: ${feed}, cnt_domain: ${cnt_domain}, cnt_ip: ${cnt_ip}, duration: ${duration}"
 }

-# banIP table statistics
+# table statistics
 #
 f_report() {
 	local report_jsn report_txt set tmp_val nft_raw nft_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
@ -1070,8 +1090,8 @@ f_report() {
 				printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
 				printf "%s\n" "    Timestamp: ${timestamp}"
 				printf "%s\n" "    ------------------------------"
-				printf "%s\n" "    auto-added to allowlist: ${autoadd_allow}"
-				printf "%s\n\n" "    auto-added to blocklist: ${autoadd_block}"
+				printf "%s\n" "    auto-added to allowlist today: ${autoadd_allow}"
+				printf "%s\n\n" "    auto-added to blocklist today: ${autoadd_block}"
 				json_select "sets" >/dev/null 2>&1
 				json_get_keys nft_sets >/dev/null 2>&1
 				if [ -n "${nft_sets}" ]; then
@ -1121,14 +1141,13 @@ f_report() {
 	esac
 }

-# banIP set search
+# set search
 #
 f_search() {
 	local nft_sets ip proto run_search search="${1}"

 	f_system
 	run_search="/var/run/banIP.search"
-
 	if [ -n "${search}" ]; then
 		ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
 		[ -n "${ip}" ] && proto="v4"
@ -1166,6 +1185,29 @@ f_search() {
 	rm -f "${run_search}"
 }

+# set survey
+#
+f_survey() {
+	local set_survey set="${1}"
+
+	f_system
+	if [ -n "${set}" ]; then
+		if "${ban_nftcmd}" -jt list set inet banIP "${set}" >/dev/null 2>&1; then
+			set_survey="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
+		else
+			printf "%s\n%s\n%s\n" ":::" "::: unknown banIP set (single banIP set name)" ":::"
+			return
+		fi
+	else
+		printf "%s\n%s\n%s\n" ":::" "::: no valid survey input (single banIP set name)" ":::"
+		return
+	fi
+	printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
+	printf "%s\n" "    List the elements of set ${set} on $(date "+%Y-%m-%d %H:%M:%S")"
+	printf "%s\n" "    ---"
+	printf "%s\n" "${set_survey}"
+}
+
 # send status mails
 #
 f_mail() {
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@ -1,5 +1,5 @@
 #!/bin/sh
-# banIP main service script - ban incoming and outgoing ip adresses/subnets via sets in nftables
+# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.

--- a/net/banip/files/banip.conf
+++ b/net/banip/files/banip.conf
@ -6,4 +6,4 @@ config banip 'global'
 	list ban_logterm 'luci: failed login'
 	list ban_logterm 'error: maximum authentication attempts exceeded'
 	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
-	list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress='
+	list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
--- a/net/banip/files/banip.init
+++ b/net/banip/files/banip.init
@ -10,7 +10,8 @@ START=30
 USE_PROCD=1

 extra_command "report" "[text|json|mail] Print banIP related set statistics"
-extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets"
+extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set"
+extra_command "survey" "[<set name>] List all elements of a given banIP set"

 ban_init="/etc/init.d/banip"
 ban_service="/usr/bin/banip-service.sh"
@ -19,7 +20,7 @@ ban_pidfile="/var/run/banip.pid"
 ban_lock="/var/run/banip.lock"

 [ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0
-[ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "status" ]; } && exit 1
+[ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
 [ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1
 [ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}"

@ -71,8 +72,10 @@ status() {
 }

 status_service() {
+	local actual="${1}"
+
 	[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
-	f_getstatus
+	[ -n "${actual}" ] && f_actual || f_getstatus
 }

 report() {
@ -85,6 +88,11 @@ search() {
 	f_search "${1}"
 }

+survey() {
+	[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
+	f_survey "${1}"
+}
+
 service_triggers() {
 	local iface trigger delay

--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@ -10,12 +10,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=haproxy
-PKG_VERSION:=2.6.8
+PKG_VERSION:=2.6.9
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
-PKG_HASH:=a02ad64550dd30a94b25fd0e225ba699649d0c4037bca3b36b20e8e3235bb86f
+PKG_HASH:=f01a1c5f465dc1b5cd175d0b28b98beb4dfe82b5b5b63ddcc68d1df433641701

 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>, \
 		Christian Lachner <gladiac@gmail.com>
--- a/net/haproxy/get-latest-patches.sh
+++ b/net/haproxy/get-latest-patches.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git
-BASE_TAG=v2.6.8
+BASE_TAG=v2.6.9
 TMP_REPODIR=tmprepo
 PATCHESDIR=patches

--- a/net/netbird/Makefile
+++ b/net/netbird/Makefile
@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=netbird
-PKG_VERSION:=0.12.0
+PKG_VERSION:=0.14.2
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/netbirdio/netbird/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=c88b65bb9358e5a6f9c34882e77a3414b02d4c5ac13b76fb2e60b952af6a18d7
+PKG_HASH:=8ffef4569572b9eb93891e881cb7b3b9ba98b5596f3ffda3b433b32e364adb56

 PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
--- a/net/sing-box/Makefile
+++ b/net/sing-box/Makefile
@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=sing-box
-PKG_VERSION:=1.1.5
+PKG_VERSION:=1.1.6
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=a1e642362f41bd0e362cd9c8d2f0d29d2eca6a55a948677f6f03cfb81c4f0657
+PKG_HASH:=2fdf93fd49c9375cd14b2fe2e2163cbad4b65d0cfa422c592855e7810036ef56

 PKG_LICENSE:=GPL-3.0-or-later
 PKG_LICENSE_FILES:=LICENSE
@ -27,7 +27,7 @@ define Package/sing-box
  SECTION:=net
  CATEGORY:=Network
  URL:=https://sing-box.sagernet.org
-  DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +kmod-tun
+  DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +kmod-inet-diag +kmod-tun
  USERID:=sing-box=5566:sing-box=5566
 endef

@ -42,7 +42,6 @@ define Package/sing-box/config

 		config SINGBOX_WITH_ACME
 			bool "Build with ACME TLS certificate issuer support"
-			default n

 		config SINGBOX_WITH_CLASH_API
 			bool "Build with Clash API support"
@ -50,15 +49,12 @@ define Package/sing-box/config

 		config SINGBOX_WITH_ECH
 			bool "Build with TLS ECH extension support for TLS outbound"
-			default n

 		config SINGBOX_WITH_EMBEDDED_TOR
 			bool "Build with embedded Tor support"
-			default n

 		config SINGBOX_WITH_GRPC
 			bool "Build with standard gRPC support"
-			default n

 		config SINGBOX_WITH_GVISOR
 			bool "Build with gVisor support"
@ -66,7 +62,6 @@ define Package/sing-box/config

 		config SINGBOX_WITH_LWIP
 			bool "Build with LWIP Tun stack support"
-			default n

 		config SINGBOX_WITH_QUIC
 			bool "Build with QUIC support"
@ -74,7 +69,6 @@ define Package/sing-box/config

 		config SINGBOX_WITH_SHADOWSOCKSR
 			bool "Build with ShadowsocksR support"
-			default n

 		config SINGBOX_WITH_UTLS
 			bool "Build with uTLS support for TLS outbound"
@ -82,7 +76,6 @@ define Package/sing-box/config

 		config SINGBOX_WITH_V2RAY_API
 			bool "Build with V2Ray API support"
-			default n

 		config SINGBOX_WITH_WIREGUARD
 			bool "Build with WireGuard support"
--- a/net/transmission/Makefile
+++ b/net/transmission/Makefile
@ -8,20 +8,20 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=transmission
-PKG_VERSION:=3.00
-PKG_RELEASE:=19
+PKG_VERSION:=4.0.1
+PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=@GITHUB/transmission/transmission-releases/master
-PKG_HASH:=9144652fe742f7f7dd6657716e378da60b751aaeda8bef8344b3eefc4db255f2
+PKG_SOURCE_URL:=https://github.com/transmission/transmission/releases/download/$(PKG_VERSION)/
+PKG_HASH:=8fc5aef23638c983406f6a3ee9918369e4cdc84e3228bd2fb3d01dd55cdad900

 PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=COPYING
 PKG_CPE_ID:=cpe:/a:transmissionbt:transmission

-PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
+PKG_BUILD_DEPENDS:=libb64 node/host
 PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_LIBCURL_GNUTLS \
@ -31,6 +31,7 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_LIBCURL_NOSSL

 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
 include $(INCLUDE_DIR)/package-seccomp.mk

 define Package/transmission/template
@ -39,7 +40,10 @@ define Package/transmission/template
  CATEGORY:=Network
  TITLE:=BitTorrent client
  URL:=https://www.transmissionbt.com
-  DEPENDS:=+libcurl +libevent2 +libminiupnpc +libnatpmp +libpthread +librt +zlib +LIBCURL_NOSSL:libmbedtls +LIBCURL_GNUTLS:libmbedtls
+  DEPENDS:=+libatomic +libcurl +libdeflate +libdht +libevent2 \
+	   +libevent2-pthreads +libminiupnpc +libnatpmp +libpthread +libpsl \
+	   +librt +libutp +zlib +LIBCURL_NOSSL:libmbedtls \
+	   +LIBCURL_GNUTLS:libmbedtls
 endef

 define Package/transmission-daemon
@ -87,23 +91,40 @@ define Package/transmission-daemon/conffiles
 /etc/config/transmission
 endef

-TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
+TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto -DHAVE_SIZE_T -latomic
 TARGET_LDFLAGS += -Wl,--gc-sections -Wl,--as-needed

-CONFIGURE_ARGS += \
-	--enable-cli \
-	--enable-daemon \
-	--enable-external-natpmp \
-	--enable-largefile \
-	--enable-lightweight \
-	--without-gtk \
-	--without-kqueue \
-	--without-systemd-daemon \
-	$(if $(CONFIG_LIBCURL_NOSSL),--with-crypto=polarssl) \
-	$(if $(CONFIG_LIBCURL_GNUTLS),--with-crypto=polarssl) \
-	$(if $(CONFIG_LIBCURL_MBEDTLS),--with-crypto=polarssl) \
-	$(if $(CONFIG_LIBCURL_OPENSSL),--with-crypto=openssl) \
-	$(if $(CONFIG_LIBCURL_WOLFSSL),--with-crypto=cyassl)
+CMAKE_OPTIONS += \
+	-DENABLE_CLI:BOOL=YES \
+	-DENABLE_GTK:BOOL=NO \
+	-DENABLE_QT:BOOL=NO \
+	-DENABLE_MAC:BOOL=NO \
+	-DENABLE_TESTS:BOOL=NO \
+	-DENABLE_NLS:BOOL=NO \
+	-DENABLE_UTP:BOOL=YES \
+	-DRUN_CLANG_TIDY:BOOL=NO \
+	-DUSE_SYSTEM_EVENT2:BOOL=YES \
+	-DUSE_SYSTEM_DEFLATE:BOOL=YES \
+	-DUSE_SYSTEM_DHT:BOOL=YES \
+	-DUSE_SYSTEM_MINIUPNPC:BOOL=YES \
+	-DUSE_SYSTEM_NATPMP:BOOL=YES \
+	-DUSE_SYSTEM_UTP:BOOL=YES \
+	-DUSE_SYSTEM_B64:BOOL=YES \
+	-DUSE_SYSTEM_PSL:BOOL=YES \
+	-DWITH_INOTIFY:BOOL=YES \
+	-DWITH_KQUEUE:BOOL=NO \
+	-DWITH_SYSTEMD:BOOL=NO \
+	-DB64_INCLUDE_DIR=$(STAGING_DIR)/usr/include \
+	-DB64_LIBRARY=$(STAGING_DIR)/usr/lib/libb64.a \
+	-DDHT_INCLUDE_DIR=$(STAGING_DIR)/usr/include \
+	-DDHT_LIBRARY=$(STAGING_DIR)/usr/lib/libdht.so \
+	-DUTP_INCLUDE_DIR=$(STAGING_DIR)/usr/include \
+	-DUTP_LIBRARY=$(STAGING_DIR)/usr/lib/libutp.so \
+	$(if $(CONFIG_LIBCURL_NOSSL),-DWITH_CRYPTO=mbedtls) \
+	$(if $(CONFIG_LIBCURL_GNUTLS),-DWITH_CRYPTO=mbedtls) \
+	$(if $(CONFIG_LIBCURL_MBEDTLS),-DWITH_CRYPTO=mbedtls) \
+	$(if $(CONFIG_LIBCURL_OPENSSL),-DWITH_CRYPTO=openssl) \
+	$(if $(CONFIG_LIBCURL_WOLFSSL),-DWITH_CRYPTO=wolfssl)

 define Package/transmission-daemon/install
 	$(INSTALL_DIR) $(1)/usr/bin
@ -133,7 +154,7 @@ endef

 define Package/transmission-web/install
 	$(INSTALL_DIR) $(1)/usr/share/transmission
-	$(CP) $(PKG_INSTALL_DIR)/usr/share/transmission/web $(1)/usr/share/transmission/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/transmission/public_html $(1)/usr/share/transmission/
 endef

 $(eval $(call BuildPackage,transmission-daemon))
--- a/net/transmission/files/transmission-daemon.json
+++ b/net/transmission/files/transmission-daemon.json
@ -17,6 +17,7 @@
 				"epoll_create1",
 				"epoll_ctl",
 				"epoll_pwait",
+				"eventfd2",
 				"exit",
 				"exit_group",
 				"faccessat",
@ -87,6 +88,7 @@
 				"sendto",
 				"setsockopt",
 				"shutdown",
+				"signalfd4",
 				"sigreturn",
 				"socket",
 				"socketpair",
--- a/net/transmission/files/transmission.init
+++ b/net/transmission/files/transmission.init
@ -170,7 +170,7 @@ transmission() {
 	procd_add_jail_mount_rw "$download_dir"
 	[ "$incomplete_dir_enabled" = "1" ] && procd_add_jail_mount_rw "$incomplete_dir"
 	[ "$watch_dir_enabled" = "1" ] && procd_add_jail_mount_rw "$watch_dir"
-	web_home="${web_home:-/usr/share/transmission/web}"
+	web_home="${web_home:-/usr/share/transmission/public_html}"
 	[ -d "$web_home" ] && procd_add_jail_mount "$web_home"
 	[ -f "$ca_bundle_file" ] && procd_add_jail_mount "$ca_bundle_file"
 	procd_close_instance
--- a/net/transmission/patches/001-apply-dscp-to-udp-sockets.patch
+++ b/net/transmission/patches/001-apply-dscp-to-udp-sockets.patch
@ -1,68 +0,0 @@
-From 98da2afa58b7bdf5350de16fd99905ddb04e1b0d Mon Sep 17 00:00:00 2001
-From: Dan Walters <dan@walters.io>
-Date: Sun, 13 Oct 2019 10:08:36 -0500
-Subject: [PATCH] Apply the configured peer socket TOS to UDP sockets, not just
- TCP.
-
---
- libtransmission/session.c |  2 ++
- libtransmission/tr-udp.c  | 20 ++++++++++++++++++++
- libtransmission/tr-udp.h  |  1 +
- 3 files changed, 23 insertions(+)
-
--- a/libtransmission/session.c
-+++ b/libtransmission/session.c
-@@ -2274,6 +2274,8 @@ static void toggle_utp(void* data)
- 
-     tr_udpSetSocketBuffers(session);
- 
-+    tr_udpSetSocketTOS(session);
-+
-     /* But don't call tr_utpClose -- see reset_timer in tr-utp.c for an
-        explanation. */
- }
--- a/libtransmission/tr-udp.c
-+++ b/libtransmission/tr-udp.c
-@@ -125,6 +125,24 @@ void tr_udpSetSocketBuffers(tr_session*
-     }
- }
- 
-+void tr_udpSetSocketTOS(tr_session* session)
-+{
-+    if (session->peerSocketTOS == 0)
-+    {
-+        return;
-+    }
-+
-+    if (session->udp_socket != TR_BAD_SOCKET)
-+    {
-+        tr_netSetTOS(session->udp_socket, session->peerSocketTOS, TR_AF_INET);
-+    }
-+
-+    if (session->udp6_socket != TR_BAD_SOCKET)
-+    {
-+        tr_netSetTOS(session->udp6_socket, session->peerSocketTOS, TR_AF_INET6);
-+    }
-+}
-+
- /* BEP-32 has a rather nice explanation of why we need to bind to one
-    IPv6 address, if I may say so myself. */
- 
-@@ -363,6 +381,8 @@ ipv6:
- 
-     tr_udpSetSocketBuffers(ss);
- 
-+    tr_udpSetSocketTOS(ss);
-+
-     if (ss->isDHTEnabled)
-     {
-         tr_dhtInit(ss);
--- a/libtransmission/tr-udp.h
-+++ b/libtransmission/tr-udp.h
-@@ -30,5 +30,6 @@ THE SOFTWARE.
- void tr_udpInit(tr_session*);
- void tr_udpUninit(tr_session*);
- void tr_udpSetSocketBuffers(tr_session*);
-+void tr_udpSetSocketTOS(tr_session*);
- 
- bool tau_handle_message(tr_session* session, uint8_t const* msg, size_t msglen);
--- a/net/transmission/patches/010-no-intltool.patch
+++ b/net/transmission/patches/010-no-intltool.patch
@ -1,12 +0,0 @@
--- a/configure.ac
-+++ b/configure.ac
-@@ -555,9 +555,6 @@ dnl it should be safe to re-edit 0.40 ba
- use_nls=no
- if test "x$enable_nls" = "xyes" ; then
-     use_nls=yes
-    m4_ifdef([IT_PROG_INTLTOOL],
-             [IT_PROG_INTLTOOL([0.35.0],[no-xml])],
-             [AC_MSG_ERROR("--enable-nls requires intltool to be installed.")])
-     AC_CHECK_HEADERS([libintl.h])
-     GETTEXT_PACKAGE=transmission-gtk
-     AC_SUBST(GETTEXT_PACKAGE)
--- a/net/transmission/patches/020-mbedcrypto.patch
+++ b/net/transmission/patches/020-mbedcrypto.patch
@ -1,13 +0,0 @@
--- a/configure.ac
-+++ b/configure.ac
-@@ -152,8 +152,8 @@ AS_IF([test "x$want_crypto" = "xauto" -o
-     )
- ])
- AS_IF([test "x$want_crypto" = "xauto" -o "x$want_crypto" = "xpolarssl"], [
-    PKG_CHECK_MODULES(MBEDTLS, [mbedtls >= $POLARSSL_MINIMUM],
-        [want_crypto="polarssl"; CRYPTO_PKG="polarssl"; CRYPTO_CFLAGS="$MBEDTLS_CFLAGS"; CRYPTO_LIBS="$MBEDTLS_LIBS"; POLARSSL_IS_MBEDTLS=yes],
-+    AC_CHECK_LIB(mbedcrypto, mbedtls_strerror,
-+        [want_crypto="polarssl"; CRYPTO_PKG="polarssl"; CRYPTO_LIBS="-lmbedcrypto"; POLARSSL_IS_MBEDTLS=yes],
-         [AC_CHECK_HEADER([polarssl/version.h],
-             [AC_EGREP_CPP([version_ok], [#include <polarssl/version.h>
-                                          #if defined (POLARSSL_VERSION_NUMBER) && POLARSSL_VERSION_NUMBER >= $POLARSSL_MINIMUM
--- a/net/transmission/patches/030-wolfssl.patch
+++ b/net/transmission/patches/030-wolfssl.patch
@ -1,24 +0,0 @@
-From 82b5d4028885d75adba9b66d43aeb11592e64914 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Wed, 13 Oct 2021 18:16:55 -0700
-Subject: [PATCH] fix runtime with wolfSSL and fastmath
-
-wolfSSL's fastmath support requires options.h to be included before
-anything else. Otherwise bad codepaths get taken and a crash occurs
-during DH initialization.
-
-Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
- libtransmission/crypto-utils-cyassl.c | 1 +
- 1 file changed, 1 insertion(+)
-
--- a/libtransmission/crypto-utils-cyassl.c
-+++ b/libtransmission/crypto-utils-cyassl.c
-@@ -19,6 +19,7 @@
- #define API_VERSION_HEX LIBCYASSL_VERSION_HEX
- #endif
- 
-+#include API_HEADER(options.h)
- #include API_HEADER_CRYPT(arc4.h)
- #include API_HEADER_CRYPT(dh.h)
- #include API_HEADER_CRYPT(error-crypt.h)
--- a/net/transmission/patches/080-disable-webseeding.patch
+++ b/net/transmission/patches/080-disable-webseeding.patch
@ -1,11 +0,0 @@
--- a/libtransmission/webseed.c
-+++ b/libtransmission/webseed.c
-@@ -510,8 +510,6 @@ static void webseed_timer_func(evutil_so
-         ++w->retry_tickcount;
-     }
- 
-    on_idle(w);
-
-     tr_timerAddMsec(w->timer, TR_IDLE_TIMER_MSEC);
- }
- 
--- a/utils/conmon/Makefile
+++ b/utils/conmon/Makefile
@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=conmon
-PKG_VERSION:=2.1.6
+PKG_VERSION:=2.1.7
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/containers/$(PKG_NAME)/archive/v$(PKG_VERSION)
-PKG_HASH:=340453f7aac43e6a1f9a5efe31f24471f8a7a997a849ad6d1ff3fb530a9e2874
+PKG_HASH:=7d0f9a2f7cb8a76c51990128ac837aaf0cc89950b6ef9972e94417aa9cf901fe

 PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
 PKG_LICENSE:=Apache-2.0
--- a/utils/coremark/Makefile
+++ b/utils/coremark/Makefile
@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=coremark
-PKG_SOURCE_DATE:=2022-07-27
-PKG_SOURCE_VERSION:=eefc986ebd3452d6adde22eafaff3e5c859f29e4
+PKG_SOURCE_DATE:=2023-01-25
+PKG_SOURCE_VERSION:=d5fad6bd094899101a4e5fd53af7298160ced6ab
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_DATE).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/eembc/coremark/tar.gz/$(PKG_SOURCE_VERSION)?
-PKG_HASH:=a5964bf215786d65d08941b6f9a9a4f4e50524f5391fa3826db2994c47d5e7f3
+PKG_HASH:=76f3b98fc940d277521023dc6e106551ef4a2180fa4c3da8cd5bf933aa494ef2
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION)

 PKG_MAINTAINER:=Lim Guo Wei <limguowei@gmail.com> \