Merge branch 'openwrt:master' into master

2022-12-11 20:09:19 +04:00 · 2022-12-11 20:09:19 +04:00 · ec23d95e9d
commit ec23d95e9d
parent d92b71214b fd7da3333e
84 changed files with 3997 additions and 3752 deletions
--- a/.github/workflows/check-autorelease-deprecation.yml
+++ b/.github/workflows/check-autorelease-deprecation.yml
@ -28,6 +28,8 @@ jobs:
      - name: Determine changed packages
        run: |
          RET=0
          # only detect packages with changes
          PKG_ROOTS=$(find . -name Makefile | \
            grep -v ".*/src/Makefile" | \
@ -46,14 +48,13 @@ jobs:
          done
          if [ -n "$CONTAINS_AUTORELEASE" ]; then
            RET=1
            cat > "$GITHUB_WORKSPACE/pr_comment.md" << EOF
          Please do no longer set *PKG_RELEASE* to *AUTORELEASE* as the
          feature is deprecated. Please use an integer instead. Below is a
          list of affected packages including correct *PKG_RELEASE*:
          EOF
          else
            echo "No usage of *AUTORELEASE* found in changes" > "$GITHUB_WORKSPACE/pr_comment.md"
          fi
          for ROOT in $CONTAINS_AUTORELEASE; do
@ -70,8 +71,11 @@ jobs:
            echo >> "$GITHUB_WORKSPACE/pr_comment.md"
          done
          exit $RET
      - name: Find Comment
        uses: peter-evans/find-comment@v2
        if: ${{ failure() }}
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
@ -79,6 +83,7 @@ jobs:
      - name: Create or update comment
        uses: peter-evans/create-or-update-comment@v2
        if: ${{ failure() }}
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/entrypoint.sh
+++ b/.github/workflows/entrypoint.sh
@ -1,10 +1,14 @@
 #!/bin/sh
 # not enabling `errtrace` and `pipefail` since those are bash specific
 set -o errexit # failing commands causes script to fail
 set -o nounset # undefined variables causes script to fail 
 mkdir -p /var/lock/
 opkg update
-[ -n "$CI_HELPER" ] || CI_HELPER="/ci/.github/workflows/ci_helpers.sh"
+[ -n "${CI_HELPER:=''}" ] || CI_HELPER="/ci/.github/workflows/ci_helpers.sh"
 for PKG in /ci/*.ipk; do
 	tar -xzOf "$PKG" ./control.tar.gz | tar xzf - ./control 
--- a/lang/golang/golang/Makefile
+++ b/lang/golang/golang/Makefile
@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 GO_VERSION_MAJOR_MINOR:=1.19
-GO_VERSION_PATCH:=3
+GO_VERSION_PATCH:=4
 PKG_NAME:=golang
 PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \
 PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
 PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=18ac263e39210bcf68d85f4370e97fb1734166995a1f63fb38b4f6e07d90d212
+PKG_HASH:=eda74db4ac494800a3e66ee784e495bfbb9b8e535df924a8b01b1a8028b7f368
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
--- a/lang/python/django/Makefile
+++ b/lang/python/django/Makefile
@ -8,11 +8,11 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=django
-PKG_VERSION:=4.1.1
+PKG_VERSION:=4.1.3
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PYPI_NAME:=Django
-PKG_HASH:=a153ffd5143bf26a877bfae2f4ec736ebd8924a46600ca089ad96b54a1d4e28e
+PKG_HASH:=678bbfc8604eb246ed54e2063f0765f13b321a50526bdc8cb1f943eda7fa31f1
 PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
 PKG_LICENSE:=BSD-3-Clause
--- a/libs/libmbim/Makefile
+++ b/libs/libmbim/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libmbim
-PKG_SOURCE_VERSION:=1.26.4
+PKG_SOURCE_VERSION:=1.28.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git
-PKG_MIRROR_HASH:=4963f9135f8ad26165d969d0b2028b00d68243201113c94a2ebe22c4227058a4
+PKG_MIRROR_HASH:=0b0b46016738fc22355d5a58c8a2d1b2f04906c49c51a50b57a09640d13b00b7
 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
--- a/libs/libqmi/Makefile
+++ b/libs/libqmi/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libqmi
-PKG_SOURCE_VERSION:=1.30.8
+PKG_SOURCE_VERSION:=1.32.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git
-PKG_MIRROR_HASH:=a0fa33a89011bdb593f66fd0b674f2a7c31f87e43ffd7f3e9a515b00864c4a91
+PKG_MIRROR_HASH:=711d16d75a6a9afaefcf2be1bc845a4a6181dff786dfbd079e41e91279a0be91
 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
--- a/libs/libqrtr-glib/Makefile
+++ b/libs/libqrtr-glib/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=libqrtr-glib
 PKG_VERSION:=1.2.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=3
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqrtr-glib.git
--- a/multimedia/tvheadend/Config.in
+++ b/multimedia/tvheadend/Config.in
@ -3,10 +3,10 @@ comment "Generic options"
 config TVHEADEND_OPTIMIZE_SPEED
  bool "Optimize for speed"
-  depends on PACKAGE_tvheadend
+  depends on PACKAGE_tvheadend && (arm || aarch64 || x86_64)
  default n
  help
-    Optimize tvheadend for speed instead of size. This option adds -O2 and LTO (Link Time Optimization).
+    Optimize tvheadend for speed instead of size. This option adds -O3 and LTO (Link Time Optimization).
    Note: No benchmarks were performed when this option was added. Speed improvements (if any) are not known.
 config TVHEADEND_TRACE
--- a/multimedia/tvheadend/Makefile
+++ b/multimedia/tvheadend/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=tvheadend
 PKG_VERSION:=2022-11-20
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=3
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/tvheadend/tvheadend.git
--- a/net/bpfcountd/Makefile
+++ b/net/bpfcountd/Makefile
@ -0,0 +1,42 @@
 # SPDX-License-Identifier: MIT
 # Copyright (C) 2022 Linus Lüssing <linus.luessing@c0d3.blue>
 include $(TOPDIR)/rules.mk
 PKG_NAME:=bpfcountd
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2021-06-26
 PKG_SOURCE_URL=https://github.com/lemoer/bpfcountd.git
 PKG_SOURCE_VERSION:=8b1aeb18d686815f93e2bfe976e536c5699d6371
 PKG_MIRROR_HASH:=e6e7adcc11c0fd33c6d3ac31423d3288812270944c2f31d9610ac8c3173a8c5f
 PKG_MAINTAINER:=Linus Lüssing <linus.luessing@c0d3.blue>
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
 include $(INCLUDE_DIR)/package.mk
 define Package/bpfcountd
  SECTION:=net
  CATEGORY:=Network
  TITLE:=Berkeley Packet Filter Counting Daemon
  DEPENDS:=+libpcap
 endef
 define Package/bpfcountd/description
  bpfcountd was created to obtain packet statistics in larger networks
  without stressing the cpu resources. bpfcountd will count the amount
  of packages and bytes over time (for each defined rule). The rules
  are defined using the tcpdump filter syntax (bpf). The collected
  data is provided on a unix socket in plaintext.
 endef
 define Package/bpfcountd/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/bpfcountd $(1)/usr/sbin/
 	$(CP) ./files/* $(1)/
 endef
 $(eval $(call BuildPackage,bpfcountd))
--- a/net/bpfcountd/files/etc/bpfcountd.filters
+++ b/net/bpfcountd/files/etc/bpfcountd.filters
@ -0,0 +1,2 @@
 arp;arp
 icmp6;icmp6
--- a/net/bpfcountd/files/etc/config/bpfcountd
+++ b/net/bpfcountd/files/etc/config/bpfcountd
@ -0,0 +1,13 @@
 config bpfcountd 'eth0_in'
 	option ifname 'eth0'
 	option prefilter 'inbound'
 	option filterfile '/etc/bpfcountd.filters'
 	option buffersize '2097152'
 	option disabled '1'
 config bpfcountd 'eth0_out'
 	option ifname 'eth0'
 	option prefilter 'outbound'
 	option filterfile '/etc/bpfcountd.filters'
 	option buffersize '2097152'
 	option disabled '1'
--- a/net/bpfcountd/files/etc/init.d/bpfcountd
+++ b/net/bpfcountd/files/etc/init.d/bpfcountd
@ -0,0 +1,92 @@
 #!/bin/sh /etc/rc.common
 # SPDX-License-Identifier: MIT
 # Copyright (C) 2022 Linus Lüssing <linus.luessing@c0d3.blue>
 USE_PROCD=1
 START=20
 STOP=90
 UNIXSOCKDIR=/var/run/bpfcountd
 bpfcountd_start() {
 	local cfg="$1"
 	local disabled
 	local ifname
 	local prefilter
 	local filterfile
 	local buffersize
 	config_get_bool disabled "$cfg" disabled 0
 	[ "$disabled" -gt 0 ] && return 0
 	mkdir -p "$UNIXSOCKDIR"
 	config_get ifname "$cfg" "ifname"
 	config_get prefilter "$cfg" "prefilter"
 	config_get filterfile "$cfg" "filterfile"
 	config_get buffersize "$cfg" "buffersize"
 	[ -z "$ifname" ] && {
 		echo "Error: no ifname specified for $cfg" >&2
 		return 0
 	}
 	[ -z "$filterfile" ] && {
 		echo "Error: no filterfile specified for $cfg" >&2
 		return 0
 	}
 	procd_open_instance "$cfg"
 	procd_set_param command /usr/sbin/bpfcountd
 	procd_append_param command -i "$ifname"
 	procd_append_param command -f "$filterfile"
 	procd_append_param command -u $UNIXSOCKDIR/"$cfg".sock
 	[ -n "$prefilter" ] && procd_append_param command -F "$prefilter"
 	[ -n "$buffersize" ] && procd_append_param command -b "$buffersize"
 	procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
 	procd_set_param stderr 1
 	procd_close_instance
 }
 start_service() {
 	local cfg="$1"
 	local instance_found=0
 	. /lib/functions/network.sh
 	config_cb() {
 		local type="$1"
 		local name="$2"
 		if [ "$type" = "bpfcountd" ]; then
 			if [ -n "$cfg" -a "$cfg" = "$name" ]; then
 				instance_found=1
 			fi
 		fi
 	}
 	config_load bpfcountd
 	if [ -n "$cfg" ]; then
 		[ "$instance_found" -gt 0 ] || return
 		bpfcountd_start "$cfg"
 	else
 		config_foreach bpfcountd_start bpfcountd
 	fi
 }
 stop_service() {
 	local cfg="$1"
 	if [ -n "$cfg" ]; then
 		rm $UNIXSOCKDIR/$cfg.sock
 	else
 		rm $UNIXSOCKDIR/*.sock
 	fi
 }
 service_triggers() {
 	procd_add_reload_trigger bpfcountd
 }
--- a/net/cloudflared/Makefile
+++ b/net/cloudflared/Makefile
@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=cloudflared
-PKG_VERSION:=2022.11.0
+PKG_VERSION:=2022.11.1
 PKG_RELEASE:=$(AUTORELEASE)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=01478108dc4a4a74b2a9eecda35b1b7cc69ce33f45fe0c94edf598b90154fda0
+PKG_HASH:=d4b1133057a721087a0a5387ea6d4d1ebf3b1f5135396da25a1e88e873cd5203
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
--- a/net/ddns-scripts/Makefile
+++ b/net/ddns-scripts/Makefile
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ddns-scripts
 PKG_VERSION:=2.8.2
-PKG_RELEASE:=29
+PKG_RELEASE:=30
 PKG_LICENSE:=GPL-2.0
@ -70,6 +70,17 @@ define Package/ddns-scripts-cloudflare/description
 endef
 define Package/ddns-scripts-gcp
  $(call Package/ddns-scripts/Default)
  TITLE:=Extension for Google Cloud DNS API v1
  DEPENDS:=ddns-scripts +curl +openssl-util
 endef
 define Package/ddns-scripts-gcp/description
  Dynamic DNS Client scripts extension for Google Cloud DNS API v1 (requires curl)
 endef
 define Package/ddns-scripts-freedns
  $(call Package/ddns-scripts/Default)
  TITLE:=Extension for freedns.42.pl
@ -323,6 +334,7 @@ define Package/ddns-scripts-services/install
 	# Remove special services
 	rm $(1)/usr/share/ddns/default/cloudflare.com-v4.json
 	rm $(1)/usr/share/ddns/default/cloud.google.com-v1.json
 	rm $(1)/usr/share/ddns/default/freedns.42.pl.json
 	rm $(1)/usr/share/ddns/default/godaddy.com-v1.json
 	rm $(1)/usr/share/ddns/default/digitalocean.com-v2.json
@ -358,6 +370,25 @@ exit 0
 endef
 define Package/ddns-scripts-gcp/install
 	$(INSTALL_DIR) $(1)/usr/lib/ddns
 	$(INSTALL_BIN) ./files/usr/lib/ddns/update_gcp_v1.sh \
 		$(1)/usr/lib/ddns
 	$(INSTALL_DIR) $(1)/usr/share/ddns/default
 	$(INSTALL_DATA) ./files/usr/share/ddns/default/cloud.google.com-v1.json \
 		$(1)/usr/share/ddns/default/
 endef
 define Package/ddns-scripts-gcp/prerm
 #!/bin/sh
 if [ -z "$${IPKG_INSTROOT}" ]; then
 	/etc/init.d/ddns stop
 fi
 exit 0
 endef
 define Package/ddns-scripts-freedns/install
 	$(INSTALL_DIR) $(1)/usr/lib/ddns
 	$(INSTALL_BIN) ./files/usr/lib/ddns/update_freedns_42_pl.sh \
@ -608,6 +639,7 @@ endef
 $(eval $(call BuildPackage,ddns-scripts))
 $(eval $(call BuildPackage,ddns-scripts-services))
 $(eval $(call BuildPackage,ddns-scripts-cloudflare))
 $(eval $(call BuildPackage,ddns-scripts-gcp))
 $(eval $(call BuildPackage,ddns-scripts-freedns))
 $(eval $(call BuildPackage,ddns-scripts-godaddy))
 $(eval $(call BuildPackage,ddns-scripts-digitalocean))
--- a/net/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh
+++ b/net/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh
@ -0,0 +1,272 @@
 #!/bin/sh
 #
 #.Distributed under the terms of the GNU General Public License (GPL) version 2.0
 #.2022 Chris Barrick <chrisbarrick@google.com>
 #
 # This script sends DDNS updates using the Google Cloud DNS REST API.
 # See: https://cloud.google.com/dns/docs/reference/v1
 #
 # This script uses a GCP service account. The user is responsible for creating
 # the service account, ensuring it has permission to update DNS records, and
 # for generating a service account key to be used by this script. The records
 # to be updated must already exist.
 #
 # Arguments:
 #
 # - $username: The service account name.
 #   Example: ddns-service-account@my-dns-project.iam.gserviceaccount.com
 #
 # - $password: The service account key. You can paste the key directly into the
 #   "password" field or upload the key file to the router and set the field
 #   equal to the file path. This script supports JSON keys or the raw private
 #   key as a PEM file. P12 keys are not supported. File names must end with
 #   `*.json` or `*.pem`.
 #
 # - $domain: The domain to update.
 #
 # - $param_enc: The additional required arguments, as form-urlencoded data,
 #   i.e. `key1=value1&key2=value2&...`. The required arguments are:
 #   - project: The name of the GCP project that owns the DNS records.
 #   - zone: The DNS zone in the GCP API.
 #   - Example: `project=my-dns-project&zone=my-dns-zone`
 #
 # - $param_opt: Optional TTL for the records, in seconds. Defaults to 3600 (1h).
 #
 # Dependencies:
 # - ddns-scripts  (for the base functionality)
 # - openssl-util  (for the authentication flow)
 # - curl          (for the GCP REST API)
 . /usr/share/libubox/jshn.sh
 # Authentication
 # ---------------------------------------------------------------------------
 # The authentication flow works like this:
 #
 #   1. Construct a JWT claim for access to the DNS readwrite scope.
 #   2. Sign the JWT with the service accout key, proving we have access.
 #   3. Exchange the JWT for an access token, valid for 5m.
 #   4. Use the access token for API calls.
 #
 # See https://developers.google.com/identity/protocols/oauth2/service-account
 # A URL-safe variant of base64 encoding, used by JWTs.
 base64_urlencode() {
 	openssl base64 | tr '/+' '_-' | tr -d '=\n'
 }
 # Prints the service account private key in PEM format.
 get_service_account_key() {
 	# The "password" field provides us with the service account key.
 	# We allow the user to provide it to us in a few different formats.
 	#
 	# 1. If $password is a string ending in `*.json`, it is a file path,
 	#    pointing to a JSON service account key as downloaded from GCP.
 	#
 	# 2. If $password is a string ending with `*.pem`, it is a PEM private
 	#    key, extracted from the JSON service account key.
 	#
 	# 3. If $password starts with `{`, then the JSON service account key
 	#    was pasted directly into the password field.
 	#
 	# 4. If $password starts with `---`, then the PEM private key was pasted
 	#    directly into the password field.
 	#
 	# We do not support P12 service account keys.
 	case "${password}" in
 	(*".json")
 		jsonfilter -i "${password}" -e @.private_key
 	;;
 	(*".pem")
 		cat "${password}"
 	;;
 	("{"*)
 		jsonfilter -s "${password}" -e @.private_key
 	;;
 	("---"*)
 		printf "%s" "${password}"
 	;;
 	(*)
 		write_log 14 "Could not parse the service account key."
 	;;
 	esac
 }
 # Sign stdin using the service account key. Prints the signature.
 # The input is the JWT header-payload. Used to construct a signed JWT.
 sign() {
 	# Dump the private key to a tmp file so openssl can get to it.
 	local tmp_keyfile="$(mktemp -t gcp_dns_sak.pem.XXXXXX)"
 	chmod 600 ${tmp_keyfile}
 	get_service_account_key > ${tmp_keyfile}
 	openssl dgst -binary -sha256 -sign ${tmp_keyfile}
 	rm ${tmp_keyfile}
 }
 # Print the JWT header in JSON format.
 # Currently, Google only supports RS256.
 jwt_header() {
 	json_init
 	json_add_string "alg" "RS256"
 	json_add_string "typ" "JWT"
 	json_dump
 }
 # Prints the JWT claim-set in JSON format.
 # The claim is for 5m of readwrite access to the Cloud DNS API.
 jwt_claim_set() {
 	local iat=$(date -u +%s)  # Current UNIX time, UTC.
 	local exp=$(( iat + 300 ))  # Expiration is 5m in the future.
 	json_init
 	json_add_string "iss" "${username}"
 	json_add_string "scope" "https://www.googleapis.com/auth/ndev.clouddns.readwrite"
 	json_add_string "aud" "https://oauth2.googleapis.com/token"
 	json_add_string "iat" "${iat}"
 	json_add_string "exp" "${exp}"
 	json_dump
 }
 # Generate a JWT signed by the service account key, which can be exchanged for
 # a Google Cloud access token, authorized for Cloud DNS.
 get_jwt() {
 	local header=$(jwt_header | base64_urlencode)
 	local payload=$(jwt_claim_set | base64_urlencode)
 	local header_payload="${header}.${payload}"
 	local signature=$(printf "%s" ${header_payload} | sign | base64_urlencode)
 	echo "${header_payload}.${signature}"
 }
 # Request an access token for the Google Cloud service account.
 get_access_token_raw() {
 	local grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer"
 	local assertion=$(get_jwt)
 	${CURL} -v https://oauth2.googleapis.com/token \
 		--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
 		--data-urlencode "assertion=${assertion}" \
 		| jsonfilter -e @.access_token
 }
 # Get the access token, stripping the trailing dots.
 get_access_token() {
 	# Since tokens may contain internal dots, we only trim the suffix if it
 	# starts with at least 8 dots. (The access token has *many* trailing dots.)
 	local access_token="$(get_access_token_raw)"
 	echo "${access_token%%........*}"
 }
 # Google Cloud DNS API
 # ---------------------------------------------------------------------------
 # Cloud DNS offers a straight forward RESTful API.
 #
 # - The main class is a ResourceRecordSet. It's a collection of DNS records
 #   that share the same domain, type, TTL, etc. Within a record set, the only
 #   difference between the records are their values.
 #
 # - The record sets live under a ManagedZone, which in turn lives under a
 #   Project. All we need to know about these are their names.
 #
 # - This implementation only makes PATCH requests to update existing record
 #   sets. The user must have already created at least one A or AAAA record for
 #   the domain they are updating. It's fine to start with a dummy, like 0.0.0.0.
 #
 # - The API requires SSL, and this implementation uses curl.
 # Prints a ResourceRecordSet in JSON format.
 format_record_set() {
 	local domain="$1"
 	local record_type="$2"
 	local ttl="$3"
 	shift 3 # The remaining arguments are the IP addresses for this record set.
 	json_init
 	json_add_string "kind" "dns#resourceRecordSet"
 	json_add_string "name" "${domain}."  # trailing dot on the domain
 	json_add_string "type" "${record_type}"
 	json_add_string "ttl" "${ttl}"
 	json_add_array "rrdatas"
 	for value in $@; do
 		json_add_string "" "${value}"
 	done
 	json_close_array
 	json_dump
 }
 # Makes an HTTP PATCH request to the Cloud DNS API.
 patch_record_set() {
 	local access_token="$1"
 	local project="$2"
 	local zone="$3"
 	local domain="$4"
 	local record_type="$5"
 	local ttl="$6"
 	shift 6 # The remaining arguments are the IP addresses for this record set.
 	# Note the trailing dot after the domain name. It's fully qualified.
 	local url="https://dns.googleapis.com/dns/v1/projects/${project}/managedZones/${zone}/rrsets/${domain}./${record_type}"
 	local record_set=$(format_record_set ${domain} ${record_type} ${ttl} $@)
 	${CURL} -v ${url} \
 		-X PATCH \
 		-H "Content-Type: application/json" \
 		-H "Authorization: Bearer ${access_token}" \
 		-d "${record_set}"
 }
 # Main entrypoint
 # ---------------------------------------------------------------------------
 # Parse the $param_enc into project and zone variables.
 # The arguments are the names for those variables.
 parse_project_zone() {
 	local project_var=$1
 	local zone_var=$2
 	IFS='&'
 	for entry in $param_enc
 	do
 		case "${entry}" in
 		('project='*)
 			local project_val=$(echo "${entry}" | cut -d'=' -f2)
 			eval "${project_var}=${project_val}"
 		;;
 		('zone='*)
 			local zone_val=$(echo "${entry}" | cut -d'=' -f2)
 			eval "${zone_var}=${zone_val}"
 		;;
 		esac
 	done
 	unset IFS
 }
 main() {
 	local access_token project zone ttl record_type
 	# Dependency checking
 	[ -z "${CURL_SSL}" ] && write_log 14 "Google Cloud DNS requires cURL with SSL support"
 	[ -z "$(openssl version)" ] && write_log 14 "Google Cloud DNS update requires openssl-utils"
 	# Argument parsing
 	[ -z ${param_opt} ] && ttl=3600 || ttl="${param_opt}"
 	[ $use_ipv6 -ne 0 ] && record_type="AAAA" || record_type="A"
 	parse_project_zone project zone
 	# Sanity checks
 	[ -z "${username}" ] && write_log 14 "Config is missing 'username' (service account name)"
 	[ -z "${password}" ] && write_log 14 "Config is missing 'password' (service account key)"
 	[ -z "${domain}" ] && write_log 14 "Config is missing 'domain'"
 	[ -z "${project}" ] && write_log 14 "Could not parse project name from 'param_enc'"
 	[ -z "${zone}" ] && write_log 14 "Could not parse zone name from 'param_enc'"
 	[ -z "${ttl}" ] && write_log 14 "Could not parse TTL from 'param_opt'"
 	[ -z "${record_type}" ] && write_log 14 "Could not determine the record type"
 	# Push the record!
 	access_token="$(get_access_token)"
 	patch_record_set "${access_token}" "${project}" "${zone}" "${domain}" "${record_type}" "${ttl}" "${__IP}"
 }
 main $@
--- a/net/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json
+++ b/net/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json
@ -0,0 +1,10 @@
 {
 	"name": "cloud.google.com-v1",
 	"ipv4": {
 		"url": "update_gcp_v1.sh"
 	},
 	"ipv6": {
 		"url": "update_gcp_v1.sh"
 	}
 }
--- a/net/dnsproxy/Makefile
+++ b/net/dnsproxy/Makefile
@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=dnsproxy
-PKG_VERSION:=0.46.2
+PKG_VERSION:=0.46.4
 PKG_RELEASE:=$(AUTORELEASE)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=8ce720f258747b0ff74b9889c93c616efe3b7267d04283a1338d2ff1e24d661e
+PKG_HASH:=5c959bd2f08b2304306b8f0b933b20d31a3a3d1ebeb0f349740799e5089fd4ae
 PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
 PKG_LICENSE:=Apache-2.0
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@ -7,16 +7,16 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=frr
-PKG_VERSION:=8.3.1
+PKG_VERSION:=8.4.1
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
-PKG_SOURCE_DATE:=2022-10-14
+PKG_SOURCE_DATE:=2022-11-29
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_DATE).tar.gz
-PKG_SOURCE_VERSION:=b9cb689f3c4b78fb047216ed41d8c79424b1774f
+PKG_SOURCE_VERSION:=7d7b33a0281b233757606bb1fa4e9c056c57084f
 PKG_SOURCE_URL:=https://codeload.github.com/FRRouting/frr/tar.gz/$(PKG_SOURCE_VERSION)?
-PKG_HASH:=bc4aa020f3725c499093ea3c98f9c21160fc1ae06439a698f39f6a9c55c2825a
+PKG_HASH:=9899f2c6ecb6cce5bf7d56ddb9fc137dd8388f7201a52595c93d33572092fcaf
 PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION)
--- a/net/frr/patches/997-reverse_python_test.patch
+++ b/net/frr/patches/997-reverse_python_test.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -833,7 +833,6 @@ fi
+@@ -835,7 +835,6 @@ fi
 #
 AS_IF([test "$host" = "$build"], [
--- a/net/frr/patches/999-thread_reverse.patch
+++ b/net/frr/patches/999-thread_reverse.patch
@ -1,6 +1,6 @@
 --- a/lib/thread.c
 +++ b/lib/thread.c
-@@ -867,13 +867,9 @@ static void thread_free(struct thread_ma
+@@ -870,13 +870,9 @@ static void thread_free(struct thread_ma
 	XFREE(MTYPE_THREAD, thread);
 }
@ -16,7 +16,7 @@
 	/*
 	 * If timer_wait is null here, that means poll() should block
 	 * indefinitely, unless the thread_master has overridden it by setting
-@@ -904,58 +900,15 @@ static int fd_poll(struct thread_master
+@@ -907,58 +903,15 @@ static int fd_poll(struct thread_master
 	rcu_assert_read_unlocked();
 	/* add poll pipe poker */
@ -82,7 +82,7 @@
 		while (read(m->io_pipe[0], &trash, sizeof(trash)) > 0)
 			;
-@@ -1762,7 +1715,7 @@ struct thread *thread_fetch(struct threa
+@@ -1768,7 +1721,7 @@ struct thread *thread_fetch(struct threa
 	struct timeval zerotime = {0, 0};
 	struct timeval tv;
 	struct timeval *tw = NULL;
@ -91,7 +91,7 @@
 	int num = 0;
 	do {
-@@ -1838,14 +1791,14 @@ struct thread *thread_fetch(struct threa
+@@ -1844,14 +1797,14 @@ struct thread *thread_fetch(struct threa
 		pthread_mutex_unlock(&m->mtx);
 		{
--- a/net/https-dns-proxy/Makefile
+++ b/net/https-dns-proxy/Makefile
@ -2,11 +2,11 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=https-dns-proxy
 PKG_VERSION:=2022-10-15
-PKG_RELEASE:=8
+PKG_RELEASE:=10
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
-PKG_SOURCE_DATE:=2022-10-15
+PKG_SOURCE_DATE:=$(PKG_VERSION)
 PKG_SOURCE_VERSION:=f52a85f3edabecfbab41d9244c63a1c6b8aaf49b
 PKG_MIRROR_HASH:=dd8a55255e8859a462fcfd736577fec40731b39a4783325640518745009b0dee
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
--- a/net/https-dns-proxy/files/https-dns-proxy.init
+++ b/net/https-dns-proxy/files/https-dns-proxy.init
@ -153,6 +153,7 @@ start_instance() {
 	procd_set_param stdout 1
 	procd_set_param respawn
 	procd_open_data
 	procd_add_mdns_service "$packageName" 'udp' "$port" "DNS over HTTPS proxy"
 	json_add_string url "$url"
 	if [ "$force_dns" -ne 0 ]; then
 		json_add_array firewall
@ -279,7 +280,7 @@ service_triggers() {
 service_started() { procd_set_config_changed firewall; }
 service_stopped() { procd_set_config_changed firewall; }
-restart() { procd_send_signal "$packageName"; }
+restart() { procd_send_signal "$packageName"; rc_procd start_service; }
 dnsmasq_doh_server() {
 	local cfg="$1" param="$2" address="${3:-127.0.0.1}" port="$4" i
--- a/net/modemmanager/Makefile
+++ b/net/modemmanager/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=modemmanager
-PKG_SOURCE_VERSION:=1.18.12
+PKG_SOURCE_VERSION:=1.20.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git
-PKG_MIRROR_HASH:=5a32f90fc58345e2136f4196166a7a2b95a804a6b92adf1bfb5b7a1173a5b1a0
+PKG_MIRROR_HASH:=f138effc693456c5040ec22e17c0a8b41143c3b17b62437462995c297a9150dc
 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
 PKG_LICENSE:=GPL-2.0-or-later
@ -56,6 +56,7 @@ endef
 MESON_ARGS += \
 	-Dudev=false \
 	-Dudevdir=/lib/udev \
 	-Dtests=false \
 	-Dsystemdsystemunitdir=no \
 	-Dsystemd_suspend_resume=false \
 	-Dsystemd_journal=false \
--- a/net/natmap/Makefile
+++ b/net/natmap/Makefile
@ -0,0 +1,40 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=natmap
 PKG_VERSION:=20221203
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/heiher/natmap/releases/download/$(PKG_VERSION)
 PKG_HASH:=c7aa0bb1f3e057bf1fa987ad6166ba7c2e80510a89593e04f4fe0f36f1873338
 PKG_MAINTAINER:=Richard Yu <yurichard3839@gmail.com>
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=License
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 include $(INCLUDE_DIR)/package.mk
 define Package/natmap
  SECTION:=net
  CATEGORY:=Network
  TITLE:=TCP/UDP port mapping tool for full cone NAT
  URL:=https://github.com/heiher/natmap
 endef
 MAKE_FLAGS += REV_ID="$(PKG_VERSION)"
 define Package/natmap/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/bin/natmap $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/usr/lib/natmap/
 	$(INSTALL_BIN) ./files/natmap-update.sh $(1)/usr/lib/natmap/update.sh
 	$(INSTALL_DIR) $(1)/etc/config/
 	$(INSTALL_CONF) ./files/natmap.config $(1)/etc/config/natmap
 	$(INSTALL_DIR) $(1)/etc/init.d/
 	$(INSTALL_BIN) ./files/natmap.init $(1)/etc/init.d/natmap
 endef
 $(eval $(call BuildPackage,natmap))
--- a/net/natmap/files/natmap-update.sh
+++ b/net/natmap/files/natmap-update.sh
@ -0,0 +1,17 @@
 #!/bin/sh
 . /usr/share/libubox/jshn.sh
 (
 	json_init
 	json_add_string ip "$1"
 	json_add_int port "$2"
 	json_add_int inner_port "$4"
 	json_add_string protocol "$5"
 	json_dump > /var/run/natmap/$PPID.json
 )
 [ -n "${NOTIFY_SCRIPT}" ] && {
 	export -n NOTIFY_SCRIPT
 	exec "${NOTIFY_SCRIPT}" "$@"
 }
--- a/net/natmap/files/natmap.config
+++ b/net/natmap/files/natmap.config
@ -0,0 +1,12 @@
 config natmap
 	option enable '0'
 	option family ''
 	option udp_mode '1'
 	option interface ''
 	option interval ''
 	option stun_server 'stun.stunprotocol.org'
 	option http_server 'example.com'
 	option port '8080'
 	option forward_target ''
 	option notify_script ''
--- a/net/natmap/files/natmap.init
+++ b/net/natmap/files/natmap.init
@ -0,0 +1,112 @@
 #!/bin/sh /etc/rc.common
 START=99
 USE_PROCD=1
 NAME=natmap
 PROG=/usr/bin/$NAME
 STATUS_PATH=/var/run/natmap
 load_interfaces() {
 	config_get interface "$1" interface
 	config_get enable "$1" enable 1
 	[ "${enable}" = "1" ] && interfaces=" ${interface} ${interfaces}"
 }
 validate_section_natmap() {
 	uci_load_validate "${NAME}" natmap "$1" "$2" \
 		'enable:bool:1' \
 		'family:string' \
 		'udp_mode:bool:0' \
 		'interface:string' \
 		'interval:uinteger' \
 		'stun_server:host' \
 		'http_server:host' \
 		'port:port' \
 		'forward_target:host' \
 		'notify_script:file'
 }
 natmap_instance() {
 	[ "$2" = 0 ] || {
 		echo "validation failed"
 		return 1
 	}
 	[ "${enable}" = 0 ] && return 1
 	procd_open_instance "$1"
 	procd_set_param command "$PROG" \
 		${interval:+-k $interval} \
 		${stun_server:+-s "$stun_server"} \
 		${http_server:+-h "$http_server"}
 	[ "${family}" = ipv4 ] && procd_append_param command -4
 	[ "${family}" = ipv6 ] && procd_append_param command -6
 	[ "${udp_mode}" = 1 ] && procd_append_param command -u
 	[ -n "$interface" ] && {
 		local ifname
 		network_get_device ifname "$interface" || ifname="$interface"
 		procd_append_param command -i "$ifname"
 		procd_append_param netdev "$ifname"
 	}
 	if [ -n "$forward_target" ]; then
 		procd_append_param command -t "$forward_target" -p $port
 	else
 		procd_append_param command -b $port
 	fi
 	[ -n "${notify_script}" ] && procd_set_param env "NOTIFY_SCRIPT=${notify_script}"
 	procd_append_param command -e /usr/lib/natmap/update.sh
 	procd_set_param respawn
 	procd_set_param stdout 1
 	procd_set_param stderr 1
 	procd_close_instance
 }
 clear_status_files() {
 	find "${STATUS_PATH}" -type f -print0 | xargs -0 rm -f --
 }
 service_triggers() {
 	local interfaces
 	procd_add_reload_trigger "${NAME}"
 	config_load "${NAME}"
 	config_foreach load_interfaces natmap
 	[ -n "${interfaces}" ] && {
 		for n in $interfaces ; do
 			procd_add_reload_interface_trigger $n
 		done
 	}
 	procd_add_validation validate_section_natmap
 }
 start_service() {
 	. /lib/functions/network.sh
 	mkdir -p "${STATUS_PATH}"
 	clear_status_files
 	config_load "${NAME}"
 	config_foreach validate_section_natmap natmap natmap_instance
 }
 reload_service() {
 	stop
 	start
 }
 service_stopped() {
 	clear_status_files
 }
--- a/net/natmap/test.sh
+++ b/net/natmap/test.sh
@ -0,0 +1,3 @@
 #!/bin/sh
 "$1" 2>&1 | grep "$2"
--- a/net/pbr/Makefile
+++ b/net/pbr/Makefile
@ -0,0 +1,201 @@
 # Copyright 2017-2022 Stan Grishin (stangri@melmac.ca)
 # This is free software, licensed under the GNU General Public License v3.
 include $(TOPDIR)/rules.mk
 PKG_NAME:=pbr
 PKG_VERSION:=1.0.0
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 include $(INCLUDE_DIR)/package.mk
 define Package/pbr/default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=VPN
  PROVIDES:=pbr
  TITLE:=Policy Based Routing Service
  URL:=https://docs.openwrt.melmac.net/pbr/
  DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
  CONFLICTS:=vpnbypass vpn-policy-routing
  PROVIDES:=vpnbypass vpn-policy-routing
  PKGARCH:=all
 endef
 define Package/pbr
 $(call Package/pbr/default)
 	TITLE+= with nft/nft set support
 	DEPENDS+=+firewall4 +kmod-nft-core +kmod-nft-nat +nftables-json
 endef
 define Package/pbr-iptables
 $(call Package/pbr/default)
 	TITLE+= with iptables/ipset support
 	DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt
 endef
 define Package/pbr-netifd
 $(call Package/pbr/default)
 	TITLE+= with netifd support
 endef
 define Package/pbr/description
 This service enables policy-based routing for WAN interfaces and various VPN tunnels.
 This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
 endef
 define Package/pbr-iptables/description
 This service enables policy-based routing for WAN interfaces and various VPN tunnels.
 This version supports OpenWrt with fw3/ipset/iptables.
 endef
 define Package/pbr-netifd/description
 This service enables policy-based routing for WAN interfaces and various VPN tunnels.
 This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
 This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
 endef
 define Package/pbr/conffiles
 /etc/config/pbr
 endef
 Package/pbr-iptables/conffiles = $(Package/pbr/conffiles)
 Package/pbr-netifd/conffiles = $(Package/pbr/conffiles)
 define Build/Configure
 endef
 define Build/Compile
 endef
 define Package/pbr/default/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr
 	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
 	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN)  ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
 endef
 define Package/pbr/install
 $(call Package/pbr/default/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/usr/share/nftables.d
 	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
 endef
 define Package/pbr-iptables/install
 $(call Package/pbr/default/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
 endef
 define Package/pbr-netifd/install
 $(call Package/pbr/default/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN)  ./files/etc/uci-defaults/91-pbr $(1)/etc/uci-defaults/91-pbr
 endef
 define Package/pbr/postinst
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		chmod -x /etc/init.d/pbr || true
 		fw4 -q reload || true
 		chmod +x /etc/init.d/pbr || true
 		echo -n "Installing rc.d symlink for pbr... "
 		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
 	fi
 	exit 0
 endef
 define Package/pbr/prerm
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
 		echo "Stopping pbr service... "
 		/etc/init.d/pbr stop || true
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
 	fi
 	exit 0
 endef
 define Package/pbr/postrm
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		fw4 -q reload || true
 	fi
 	exit 0
 endef
 define Package/pbr-iptables/postinst
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		echo -n "Installing rc.d symlink for pbr... "
 		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
 	fi
 	exit 0
 endef
 define Package/pbr-iptables/prerm
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
 		echo "Stopping pbr service... "
 		/etc/init.d/pbr stop || true
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
 	fi
 	exit 0
 endef
 define Package/pbr-netifd/postinst
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		echo -n "Installing rc.d symlink for pbr... "
 		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
 	#	echo -n "Installing netifd support for pbr... "
 	#	/etc/init.d/pbr netifd install && echo "OK" || echo "FAIL"
 	#	echo -n "Restarting network... "
 	#	/etc/init.d/network restart && echo "OK" || echo "FAIL"
 	fi
 	exit 0
 endef
 define Package/pbr-netifd/prerm
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
 		echo "Stopping pbr service... "
 		/etc/init.d/pbr stop || true
 	#	echo -n "Removing netifd support for pbr... "
 	#	/etc/init.d/pbr netifd remove && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
 	#	echo -n "Restarting network... "
 	#	/etc/init.d/network restart && echo "OK" || echo "FAIL"
 	fi
 	exit 0
 endef
 $(eval $(call BuildPackage,pbr))
 $(eval $(call BuildPackage,pbr-iptables))
 #$(eval $(call BuildPackage,pbr-netifd))
--- a/net/pbr/files/README.md
+++ b/net/pbr/files/README.md
@ -0,0 +1,3 @@
 # README
 README is available at [https://docs.openwrt.melmac.net/pbr/](https://docs.openwrt.melmac.net/pbr/).
--- a/net/pbr/files/etc/config/pbr
+++ b/net/pbr/files/etc/config/pbr
@ -0,0 +1,45 @@
 config pbr 'config'
 	option enabled '0'
 	option verbosity '2'
 	option strict_enforcement '1'
 	option resolver_set 'none'
 	option ipv6_enabled '0'
 	list ignored_interface 'vpnserver'
 	list ignored_interface 'wgserver'
 	option boot_timeout '30'
 	option rule_create_option 'add'
 	option procd_reload_delay '1'
 	option webui_show_ignore_target '0'
 	list webui_supported_protocol 'all'
 	list webui_supported_protocol 'tcp'
 	list webui_supported_protocol 'udp'
 	list webui_supported_protocol 'tcp udp'
 	list webui_supported_protocol 'icmp'
 config include
 	option path '/usr/share/pbr/pbr.user.aws'
 	option enabled 0
 config include
 	option path '/usr/share/pbr/pbr.user.netflix'
 	option enabled 0
 config policy
 	option name 'Plex/Emby Local Server'
 	option interface 'wan'
 	option src_port '8096 8920 32400'
 	option enabled '0'
 config policy
 	option name 'Plex/Emby Remote Servers'
 	option interface 'wan'
 	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
 	option enabled '0'
 config policy
 	option name 'WireGuard Server'
 	option interface 'wan'
 	option src_port '51820'
 	option chain 'OUTPUT'
 	option proto 'udp'
 	option enabled '0'
--- a/net/pbr/files/etc/config/pbr.iptables
+++ b/net/pbr/files/etc/config/pbr.iptables
@ -0,0 +1,45 @@
 config pbr 'config'
 	option enabled '0'
 	option verbosity '2'
 	option strict_enforcement '1'
 	option resolver_set 'dnsmasq.ipset'
 	option ipv6_enabled '0'
 	list ignored_interface 'vpnserver'
 	list ignored_interface 'wgserver'
 	option boot_timeout '30'
 	option rule_create_option 'add'
 	option procd_reload_delay '1'
 	option webui_show_ignore_target '0'
 	list webui_supported_protocol 'all'
 	list webui_supported_protocol 'tcp'
 	list webui_supported_protocol 'udp'
 	list webui_supported_protocol 'tcp udp'
 	list webui_supported_protocol 'icmp'
 config include
 	option path '/usr/share/pbr/pbr.user.aws'
 	option enabled 0
 config include
 	option path '/usr/share/pbr/pbr.user.netflix'
 	option enabled 0
 config policy
 	option name 'Plex/Emby Local Server'
 	option interface 'wan'
 	option src_port '8096 8920 32400'
 	option enabled '0'
 config policy
 	option name 'Plex/Emby Remote Servers'
 	option interface 'wan'
 	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
 	option enabled '0'
 config policy
 	option name 'WireGuard Server'
 	option interface 'wan'
 	option src_port '51820'
 	option chain 'OUTPUT'
 	option proto 'udp'
 	option enabled '0'
--- a/net/pbr/files/etc/hotplug.d/firewall/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/firewall/70-pbr
@ -0,0 +1,6 @@
 #!/bin/sh
 [ "$ACTION" = "reload" ] ||[ "$ACTION" = "restart" ] || exit 0
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
 	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
 	/etc/init.d/pbr reload
 fi
--- a/net/pbr/files/etc/hotplug.d/iface/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/iface/70-pbr
@ -0,0 +1,8 @@
 #!/bin/sh
 # shellcheck disable=SC1091,SC3060
 [ -s /etc/openwrt_release ] && . /etc/openwrt_release
 [ "${DISTRIB_RELEASE//19.07}" = "$DISTRIB_RELEASE" ] && exit 0
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
 	logger -t pbr "Reloading pbr $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)"
 	/etc/init.d/pbr reload_interface "$INTERFACE"
 fi
--- a/net/pbr/files/etc/init.d/pbr.init
+++ b/net/pbr/files/etc/init.d/pbr.init
--- a/net/pbr/files/etc/uci-defaults/90-pbr
+++ b/net/pbr/files/etc/uci-defaults/90-pbr
@ -0,0 +1,34 @@
 #!/bin/sh
 # shellcheck disable=SC1091,SC3037,SC3043
 readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
 # Transition from vpn-policy-routing
 if [ -s '/etc/config/vpn-policy-routing' ] && [ ! -s '/etc/config/pbr-opkg' ]; then
 	echo "Migrating vpn-policy-routing config file."
 	mv '/etc/config/pbr' '/etc/config/pbr-opkg'
 	sed 's/vpn-policy-routing/pbr/g' /etc/config/vpn-policy-routing > /etc/config/pbr
 	uci set vpn-policy-routing.config.enabled=0; uci commit vpn-policy-routing;
 fi
 # Transition from older versions of pbr
 sed -i 's/resolver_ipset/resolver_set/g' /etc/config/pbr
 sed -i 's/iptables_rule_option/rule_create_option/g' /etc/config/pbr
 sed -i "s/'FORWARD'/'forward'/g" /etc/config/pbr
 sed -i "s/'INPUT'/'input'/g" /etc/config/pbr
 sed -i "s/'OUTPUT'/'output'/g" /etc/config/pbr
 sed -i "s/'PREROUTING'/'prerouting'/g" /etc/config/pbr
 sed -i "s/'POSTROUTING'/'postrouting'/g" /etc/config/pbr
 sed -i "s/option fw_mask '0x\(.*\)'/option fw_mask '\1'/g" /etc/config/pbr
 sed -i "s/option wan_mark '0x\(.*\)'/option wan_mark '\1'/g" /etc/config/pbr
 uci -q batch <<-EOT
 	delete firewall.pbr
 	set firewall.pbr='include'
 	set firewall.pbr.fw4_compatible='1'
 	set firewall.pbr.type='script'
 	set firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
 	commit firewall
 EOT
 exit 0
--- a/net/pbr/files/etc/uci-defaults/91-pbr
+++ b/net/pbr/files/etc/uci-defaults/91-pbr
@ -0,0 +1,58 @@
 #!/bin/sh
 # shellcheck disable=SC1091,SC3037,SC3043
 readonly packageName='pbr'
 readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
 pbr_iface_setup() {
 	local iface="${1}"
 	local proto
 	config_get proto "${iface}" proto
 	case "${iface}" in
 		(lan|loopback) return 0 ;;
 	esac
 	case "${proto}" in
 		(gre*|nebula|relay|vti*|vxlan|xfrm) return 0 ;;
 		(none)
 			uci -q set "network.${iface}_rt=route"
 			uci -q set "network.${iface}_rt.interface=${iface}"
 			uci -q set "network.${iface}_rt.target=0.0.0.0/0"
 			uci -q set "network.${iface}_rt6=route6"
 			uci -q set "network.${iface}_rt6.interface=${iface}"
 			uci -q set "network.${iface}_rt6.target=::/0"
 		;;
 	esac
 	echo -en "Setting up ${packageName} routing tables for ${iface}... "
 	uci -q set "network.${iface}.ip4table=${packageName}_${iface%6}"
 	uci -q set "network.${iface}.ip6table=${packageName}_${iface%6}"
 	if ! grep -q -E -e "^[0-9]+\s+${packageName}_${iface%6}$" /etc/iproute2/rt_tables; then
 		sed -i -e "\$a $(($(sort -r -n /etc/iproute2/rt_tables | grep -o -E -m 1 "^[0-9]+")+1))\t${packageName}_${iface%6}" \
 			/etc/iproute2/rt_tables
 	fi
 	echo -e "${__OK__}"
 }
 . /lib/functions.sh
 . /lib/functions/network.sh
 config_load network
 config_foreach pbr_iface_setup interface
 network_flush_cache
 network_find_wan iface
 network_find_wan6 iface6
 # shellcheck disable=SC2154
 [ -n "$iface" ] && uci -q batch << EOF
 set network.default='rule'
 set network.default.lookup='${packageName}_${iface%6}'
 set network.default.priority='80000'
 EOF
 [ -n "$iface6" ] && uci -q batch << EOF
 set network.default6='rule6'
 set network.default6.lookup='${packageName}_${iface6%6}'
 set network.default6.priority='80000'
 EOF
 uci commit network
 echo -en "Restarting network... "
 /etc/init.d/network restart
 echo -e "${__OK__}"
 exit 0
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft
@ -0,0 +1 @@
 jump pbr_forward comment "Jump into pbr forward chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft
@ -0,0 +1 @@
 jump pbr_input comment "Jump into pbr input chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft
@ -0,0 +1 @@
 jump pbr_output comment "Jump into pbr output chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft
@ -0,0 +1 @@
 jump pbr_postrouting comment "Jump into pbr postrouting chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft
@ -0,0 +1 @@
 jump pbr_prerouting comment "Jump into pbr prerouting chain";
--- a/net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft
@ -0,0 +1,5 @@
 chain pbr_forward {}
 chain pbr_input {}
 chain pbr_output {}
 chain pbr_prerouting {}
 chain pbr_postrouting {}
--- a/net/pbr/files/usr/share/pbr/pbr.firewall.include
+++ b/net/pbr/files/usr/share/pbr/pbr.firewall.include
@ -0,0 +1,5 @@
 #!/bin/sh
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
 	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
 	/etc/init.d/pbr on_firewall_reload "$ACTION"
 fi
--- a/net/pbr/files/usr/share/pbr/pbr.user.aws
+++ b/net/pbr/files/usr/share/pbr/pbr.user.aws
@ -0,0 +1,33 @@
 #!/bin/sh
 # This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
 TARGET_SET='pbr_wan_4_dst_ip_user'
 TARGET_IPSET='pbr_wan_4_dst_net_user'
 TARGET_TABLE='inet fw4'
 TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
 TARGET_DL_FILE="/var/pbr_tmp_aws_ip_ranges"
 TARGET_NFT_FILE="/var/pbr_tmp_aws_ip_ranges.nft"
 [ -z "$nft" ] && nft="$(command -v nft)"
 _ret=1
 if [ ! -s "$TARGET_DL_FILE" ]; then
 	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE"
 fi
 if [ -s "$TARGET_DL_FILE" ]; then
 	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
 		if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
 			_ret=0
 		fi
 	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
 		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
 		awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
 		printf " } " >> "$TARGET_NFT_FILE"
 		if "$nft" -f "$TARGET_NFT_FILE"; then
 			rm -f "$TARGET_NFT_FILE"
 			_ret=0
 		fi
 	fi
 fi
 return $_ret
--- a/net/pbr/files/usr/share/pbr/pbr.user.netflix
+++ b/net/pbr/files/usr/share/pbr/pbr.user.netflix
@ -0,0 +1,49 @@
 #!/bin/sh
 # This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
 # Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
 # Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
 TARGET_SET='pbr_wan_4_dst_ip_user'
 TARGET_IPSET='pbr_wan_4_dst_net_user'
 TARGET_TABLE='inet fw4'
 TARGET_ASN='2906'
 TARGET_DL_FILE="/var/pbr_tmp_AS${TARGET_ASN}"
 TARGET_NFT_FILE="/var/pbr_tmp_AS${TARGET_ASN}.nft"
 #DB_SOURCE='ipinfo.io'
 #DB_SOURCE='api.hackertarget.com'
 DB_SOURCE='api.bgpview.io'
 [ -z "$nft" ] && nft="$(command -v nft)"
 _ret=1
 if [ ! -s "$TARGET_DL_FILE" ]; then
 	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
 		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
 		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_DL_FILE"
 	fi
 	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
 		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
 		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_DL_FILE"
 	fi
 	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
 		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
 		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE"
 	fi
 fi
 if [ -s "$TARGET_DL_FILE" ]; then
 	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
 			if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
 				_ret=0
 			fi
 	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
 		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
 		awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
 		printf " } " >> "$TARGET_NFT_FILE"
 		if "$nft" -f "$TARGET_NFT_FILE"; then
 			rm -f "$TARGET_NFT_FILE"
 			_ret=0
 		fi
 	fi
 fi
 return $_ret
--- a/net/vpn-policy-routing/test.sh
+++ b/net/vpn-policy-routing/test.sh
--- a/net/simple-adblock/Makefile
+++ b/net/simple-adblock/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=simple-adblock
 PKG_VERSION:=1.9.3
-PKG_RELEASE:=2
+PKG_RELEASE:=4
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 PKG_LICENSE:=GPL-3.0-or-later
--- a/net/simple-adblock/files/simple-adblock.init
+++ b/net/simple-adblock/files/simple-adblock.init
@ -62,7 +62,7 @@ readonly sharedMemoryError="/dev/shm/$packageName-error"
 readonly sharedMemoryOutput="/dev/shm/$packageName-output"
 readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
 readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
-readonly dnsmasqAddressFilter='\|^address=/[[:alnum:]_.-].*/#|!d'
+readonly dnsmasqOISDFilter='\|^server=/[[:alnum:]_.-].*/|!d'
 readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
 readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
 readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
@ -100,49 +100,60 @@ uci_changes() {
 ipset() { "$ipset" "$@" >/dev/null 2>&1; }
 nft() { "$nft" "$@" >/dev/null 2>&1; }
-get_status_text() {
+get_text() {
-	local _ret
+	local r
 	case "$1" in
-		statusNoInstall) _ret="$serviceName is not installed or not found";;
+		errorConfigValidationFail) r="$packageName config validation failed";;
-		statusStopped) _ret="Stopped";;
+		errorServiceDisabled) r="$packageName is currently disabled";;
-		statusStarting) _ret="Starting";;
+		errorNoDnsmasqIpset) 
-		statusRestarting) _ret="Restarting";;
+			r="dnsmasq ipset support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support ipset";;
-		statusForceReloading) _ret="Force Reloading";;
+		errorNoIpset) 
-		statusDownloading) _ret="Downloading";;
+			r="dnsmasq ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type";;
-		statusProcessing) _ret="Processing";;
+		errorNoDnsmasqNftset) 
-		statusError) _ret="Error";;
+			r="dnsmasq nft set support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft set";;
-		statusWarning) _ret="Warning";;
+		errorNoNft) r="dnsmasq nft sets support is enabled in $packageName, but nft is not installed";;
-		statusFail) _ret="Fail";;
+		errorMkdirFail) r="Unable to create directory for";;
-		statusSuccess) _ret="Success";;
+		errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";;
 		errorOutputDirCreate) r="failed to create directory for %s file";;
 		errorOutputFileCreate) r="failed to create $outputFile file";;
 		errorFailDNSReload) r="failed to restart/reload DNS resolver";;
 		errorSharedMemory) r="failed to access shared memory";;
 		errorSorting) r="failed to sort data file";;
 		errorOptimization) r="failed to optimize data file";;
 		errorAllowListProcessing) r="failed to process allow-list";;
 		errorDataFileFormatting) r="failed to format data file";;
 		errorMovingDataFile) r="failed to move data file '${A_TMP}' to '${outputFile}'";;
 		errorCreatingCompressedCache) r="failed to create compressed cache";;
 		errorRemovingTempFiles) r="failed to remove temporary files";;
 		errorRestoreCompressedCache) r="failed to unpack compressed cache";;
 		errorRestoreCache) r="failed to move '$outputCache' to '$outputFile'";;
 		errorOhSnap) r="failed to create block-list or restart DNS resolver";;
 		errorStopping) r="failed to stop $serviceName";;
 		errorDNSReload) r="failed to reload/restart DNS resolver";;
 		errorDownloadingConfigUpdate) r="failed to download Config Update file";;
 		errorDownloadingList) r="failed to download";;
 		errorParsingConfigUpdate) r="failed to parse Config Update file";;
 		errorParsingList) r="failed to parse";;
 		errorNoSSLSupport) r="no HTTPS/SSL support on device";;
 		errorCreatingDirectory) r="failed to create output/cache/gzip file directory";;
 		statusNoInstall) r="$serviceName is not installed or not found";;
 		statusStopped) r="Stopped";;
 		statusStarting) r="Starting";;
 		statusRestarting) r="Restarting";;
 		statusForceReloading) r="Force Reloading";;
 		statusDownloading) r="Downloading";;
 		statusProcessing) r="Processing";;
 		statusError) r="Error";;
 		statusWarning) r="Warning";;
 		statusFail) r="Fail";;
 		statusSuccess) r="Success";;
 		warningExternalDnsmasqConfig)
 			r="use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'";;
 		warningMissingRecommendedPackages) r="Some recommended packages are missing";;
 	esac
-	printf "%b" "$_ret"
+	echo "$r"
 }
 get_error_text() {
 	local _ret
 	case "$1" in
 		errorOutputFileCreate) _ret="failed to create $outputFile file";;
 		errorFailDNSReload) _ret="failed to restart/reload DNS resolver";;
 		errorSharedMemory) _ret="failed to access shared memory";;
 		errorSorting) _ret="failed to sort data file";;
 		errorOptimization) _ret="failed to optimize data file";;
 		errorAllowListProcessing) _ret="failed to process allow-list";;
 		errorDataFileFormatting) _ret="failed to format data file";;
 		errorMovingDataFile) _ret="failed to move data file '${A_TMP}' to '${outputFile}'";;
 		errorCreatingCompressedCache) _ret="failed to create compressed cache";;
 		errorRemovingTempFiles) _ret="failed to remove temporary files";;
 		errorRestoreCompressedCache) _ret="failed to unpack compressed cache";;
 		errorRestoreCache) _ret="failed to move '$outputCache' to '$outputFile'";;
 		errorOhSnap) _ret="failed to create block-list or restart DNS resolver";;
 		errorStopping) _ret="failed to stop $serviceName";;
 		errorDNSReload) _ret="failed to reload/restart DNS resolver";;
 		errorDownloadingConfigUpdate) _ret="failed to download Config Update file";;
 		errorDownloadingList) _ret="failed to download";;
 		errorParsingConfigUpdate) _ret="failed to parse Config Update file";;
 		errorParsingList) _ret="failed to parse";;
 		errorNoSSLSupport) _ret="no HTTPS/SSL support on device";;
 		errorCreatingDirectory) _ret="failed to create output/cache/gzip file directory";;
 	esac
 	printf "%b" "$_ret"
 }
 output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; }
@ -187,13 +198,15 @@ load_environment() {
 	local validation_result="$1" quiet="$2"
 	if [ "$validation_result" != '0' ]; then
-		output "${_ERROR_}: $packageName config validation failed!\\n"
+		json add error "errorConfigValidationFail"
 		output "${_ERROR_}: $(get_text 'errorConfigValidationFail')!\\n"
 		output "Please check if the '$packageConfigFile' contains correct values for config options.\\n"
 		return 1
 	fi
 	if [ "$enabled" -eq 0 ]; then
-		output "$packageName is currently disabled.\\n"
+		json add error "errorServiceDisabled"
 		output "${_ERROR_}: $(get_text 'errorServiceDisabled')!\\n"
 		output "Run the following commands before starting service again:\\n"
 		output "uci set ${packageName}.config.enabled='1'; uci commit $packageName;\\n"
 		return 1
@ -210,7 +223,8 @@ load_environment() {
 			dnsmasq.conf) :;;
 			*)
 				if [ -z "$quiet" ]; then
-					output "$_WARNING_: use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'!\\n"
+					json add warning "warningExternalDnsmasqConfig"
 					output "${_WARNING_}: $(get_text 'warningExternalDnsmasqConfig')!\\n"
 				fi
 			;;
 		esac
@ -230,13 +244,15 @@ load_environment() {
 		dnsmasq.ipset)
 			if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq ipset support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support ipset!\\n"
+					json add error "errorNoDnsmasqIpset"
 					output "${_ERROR_}: $(get_text 'errorNoDnsmasqIpset')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
 			if ! ipset help hash:net; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type!\\n"
+					json add error "errorNoIpset"
 					output "${_ERROR_}: $(get_text 'errorNoIpset')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
@ -244,13 +260,15 @@ load_environment() {
 		dnsmasq.nftset)
 			if dnsmasq -v 2>/dev/null | grep -q 'no-nftset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'nftset'; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq nft sets support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft sets!\\n"
+					json add error "errorNoDnsmasqNftset"
 					output "${_ERROR_}: $(get_text 'errorNoDnsmasqNftset')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
 			if [ -z "$nft" ]; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq nft sets support is enabled in $packageName, but nft is not installed!\\n"
+					json add error "errorNoNft"
 					output "${_ERROR_}: $(get_text 'errorNoNft')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
@ -335,8 +353,8 @@ load_environment() {
 	for i in "$outputFile" "$outputCache" "$outputGzip"; do
 		if ! mkdir -p "$(dirname "$i")"; then
-			output "$_ERROR_: Unable to create directory for $i!\\n"
+			json add error "errorOutputDirCreate" "$i"
-			json add error "errorOutputFileCreate"
+			output "${_ERROR_}: $(get_text 'errorMkdirFail' "$i")!\\n"
 		fi
 	done
@ -352,7 +370,8 @@ load_environment() {
 			is_present '/usr/libexec/sed-gnu' || s="$s sed"
 			is_present '/usr/libexec/sort-coreutils' || s="$s coreutils-sort"
 			if [ -z "$quiet" ]; then
-				output "$_WARNING_: Some recommended packages are missing, install them by running:\\n"
+				json add warning "errorOutputFileCreate" "${i}"
 				output "${_WARNING_}: $(get_text 'warningMissingRecommendedPackages'), install them by running:\\n"
 				output "$s;\\n"
 			fi
 	fi
@ -390,7 +409,8 @@ load_environment() {
 	cache 'test_gzip' && return 0
 	network_flush_cache; network_find_wan wan_if; network_get_gateway wan_gw "$wan_if";
 	[ -n "$wan_gw" ] && return 0
-	output "$_ERROR_: $serviceName failed to discover WAN gateway.\\n"; return 1;
+	json add error "errorNoWanGateway"
 	output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1;
 }
 resolver() {
@ -424,7 +444,7 @@ dns() {
 			if [ ! -s "$outputFile" ]; then
 				json set status "statusFail"
 				json add error "errorOutputFileCreate"
-				output "$_ERROR_: $(get_error_text 'errorOutputFileCreate')!\\n"
+				output "${_ERROR_}: $(get_text 'errorOutputFileCreate')!\\n"
 				return 1
 			fi
@ -473,7 +493,7 @@ dns() {
 				output_fail
 				json set status "statusFail"
 				json add error "errorDNSReload"
-				output "$_ERROR_: $(get_error_text 'errorDNSReload')!\\n"
+				output "${_ERROR_}: $(get_text 'errorDNSReload')!\\n"
 				return 1
 			fi
 		;;
@ -518,6 +538,9 @@ dns() {
 json() {
 # shellcheck disable=SC2034
 	local action="$1" param="$2" value="$3"
 	shift 3
 # shellcheck disable=SC2124
 	local extras="$@" line
 	local status message error stats
 	local reload restart curReload curRestart ret i
 	if [ -s "$jsonFile" ]; then
@ -549,10 +572,8 @@ json() {
 			esac
 		;;
 		add)
-			if [ -n "$(eval echo "\$$param")" ]; then
+			line="$(eval echo "\$$param")"
-				value="$(eval echo "\$$param") ${value}"
+			eval "$param"='${line:+$line }${value}${extras:+|$extras}'
 			fi
 				eval "$param"='${value}'
 		;;
 		del)
 			case "$param" in
@ -573,7 +594,7 @@ json() {
 					restart="$compressed_cache $force_dns $led $force_dns_port"
 				;;
 				*)
-					eval "$param"='$value';;
+					eval "$param"='${value}${extras:+|$extras}';;
 			esac
 		;;
 	esac
@ -637,7 +658,7 @@ process_url() {
 	if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then return 1; fi
 	label="${1##*//}"; label="${label%%/*}";
 	case "$2" in
-		dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqAddressFilter";;
+		dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqOISDFilter";;
 		domains) label="Domains: $label"; filter="$domainsFilter";;
 		hosts) label="Hosts:   $label"; filter="$hostsFilter";;
 	esac
@ -678,7 +699,7 @@ process_url() {
 download_dnsmasq_file() {
 	local hf allow_filter j=0 R_TMP
-	json set message "$(get_status_text "statusDownloading")..."
+	json set message "$(get_text "statusDownloading")..."
 	json set status "statusDownloading"
 	rm -f "$A_TMP" "$B_TMP" "$outputFile" "$outputCache" "$outputGzip"
@ -714,7 +735,7 @@ download_dnsmasq_file() {
 download_lists() {
 	local hf allow_filter j=0 R_TMP
-	json set message "$(get_status_text "statusDownloading")..."
+	json set message "$(get_text "statusDownloading")..."
 	json set status "statusDownloading"
 	rm -f "$A_TMP" "$B_TMP" "$outputFile" "$outputCache" "$outputGzip"
@ -775,7 +796,8 @@ $(cat $A_TMP)"
 	output 1 'Processing downloads '
 	output 2 'Sorting combined list '
-	json set message "$(get_status_text "statusProcessing"): sorting combined list"
+	json set status "statusProcessing"
 	json set message "$(get_text "statusProcessing"): sorting combined list"
 	if [ "$allow_non_ascii" -gt 0 ]; then
 		if sort -u "$B_TMP" > "$A_TMP"; then
 			output_ok
@ -799,7 +821,7 @@ $(cat $A_TMP)"
 		 [ "$dns" = 'unbound.adb_list' ]; then
 		# TLD optimization written by Dirk Brenken (dev@brenken.org)
 		output 2 'Optimizing combined list '
-		json set message "$(get_status_text "statusProcessing"): optimizing combined list"
+		json set message "$(get_text "statusProcessing"): optimizing combined list"
 # 	sed -E 'G;:t;s/(.*)(\.)(.*)(\n)(.*)/\1\4\5\2\3/;tt;s/(.*)\n(\.)(.*)/\3\2\1/' is actually slower than command below
 		if $awk -F "." '{for(f=NF;f>1;f--)printf "%s.",$f;print $1}' "$A_TMP" > "$B_TMP"; then
 			if sort "$B_TMP" > "$A_TMP"; then
@ -835,7 +857,7 @@ $(cat $A_TMP)"
 	fi
 	output 2 'Allowing domains '
-	json set message "$(get_status_text "statusProcessing"): allowing domains"
+	json set message "$(get_text "statusProcessing"): allowing domains"
 	if sed -i -E "$allow_filter" "$B_TMP"; then
 		output_ok
 	else
@ -844,7 +866,7 @@ $(cat $A_TMP)"
 	fi
 	output 2 'Formatting merged file '
-	json set message "$(get_status_text "statusProcessing"): formatting merged file"
+	json set message "$(get_text "statusProcessing"): formatting merged file"
 	if [ -z "$outputFilterIPv6" ]; then
 		if sed "$outputFilter" "$B_TMP" > "$A_TMP"; then
 			output_ok
@ -869,27 +891,27 @@ $(cat $A_TMP)"
 	case "$dns" in
 		dnsmasq.addnhosts)
 			output 2 'Creating dnsmasq addnhosts file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq addnhosts file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq addnhosts file"
 		;;
 		dnsmasq.conf)
 			output 2 'Creating dnsmasq config file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq config file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq config file"
 		;;
 		dnsmasq.ipset)
 			output 2 'Creating dnsmasq ipset file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq ipset file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq ipset file"
 		;;
 		dnsmasq.nftset)
 			output 2 'Creating dnsmasq nft set file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq nft set file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq nft set file"
 		;;
 		dnsmasq.servers)
 			output 2 'Creating dnsmasq servers file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq servers file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq servers file"
 		;;
 		unbound.adb_list)
 			output 2 'Creating Unbound adb_list file '
-			json set message "$(get_status_text "statusProcessing"): creating Unbound adb_list file"
+			json set message "$(get_text "statusProcessing"): creating Unbound adb_list file"
 		;;
 	esac
@ -901,7 +923,7 @@ $(cat $A_TMP)"
 	fi
 	if [ "$compressed_cache" -gt 0 ]; then
 		output 2 'Creating compressed cache '
-		json set message "$(get_status_text "statusProcessing"): creating compressed cache"
+		json set message "$(get_text "statusProcessing"): creating compressed cache"
 		if cache 'create_gzip'; then
 			output_ok
 		else
@ -912,7 +934,7 @@ $(cat $A_TMP)"
 		rm -f "$outputGzip"
 	fi
 	output 2 'Removing temporary files '
-	json set message "$(get_status_text "statusProcessing"): removing temporary files"
+	json set message "$(get_text "statusProcessing"): removing temporary files"
 	rm -f "/tmp/${packageName}_tmp.*" "$A_TMP" "$B_TMP" "$outputCache" || j=1
 	if [ $j -eq 0 ]; then
 		output_ok
@ -1183,7 +1205,7 @@ adb_start() {
 			else
 				output_failn
 				json add error "errorRestoreCompressedCache"
-				output "$_ERROR_: $(get_error_text 'errorRestoreCompressedCache')!\\n"
+				output "${_ERROR_}: $(get_text 'errorRestoreCompressedCache')!\\n"
 				action='download'
 			fi
 		fi
@ -1196,7 +1218,7 @@ adb_start() {
 			else
 				output_failn
 				json add error "errorRestoreCache"
-				output "$_ERROR_: $(get_error_text 'errorRestoreCache')!\\n"
+				output "${_ERROR_}: $(get_text 'errorRestoreCache')!\\n"
 				action='download'
 			fi
 		fi
@ -1342,7 +1364,7 @@ adb_status() {
 	if [ "$status" = "statusSuccess" ]; then
 		output "$stats "; output_okn;
 	else
-		[ -n "$status" ] && status="$(get_status_text "$status")"
+		[ -n "$status" ] && status="$(get_text "$status")"
 		if [ -n "$status" ] && [ -n "$message" ]; then 
 			status="${status}: $message"
 		fi
@ -1354,9 +1376,9 @@ adb_status() {
 			c="${c%|*}"
 			case "$c" in
 				errorDownloadingList|errorParsingList)
-					output "$_ERROR_: $(get_error_text "$c") $url!\\n";;
+					output "${_ERROR_}: $(get_text "$c") $url!\\n";;
 				*)
-					output "$_ERROR_: $(get_error_text "$c")!\\n";;
+					output "${_ERROR_}: $(get_text "$c")!\\n";;
 			esac
 			n=$((n+1))
 		done
@ -1382,7 +1404,7 @@ adb_stop() {
 			output 0 "$__FAIL__\\n"; output_fail;
 			json set status "statusFail"
 			json add error "errorStopping"
-			output "$_ERROR_: $(get_error_text 'errorStopping')!\\n"
+			output "${_ERROR_}: $(get_text 'errorStopping')!\\n"
 		fi
 	fi
 }
--- a/net/snort3/Makefile
+++ b/net/snort3/Makefile
@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=snort3
-PKG_VERSION:=3.1.47.0
+PKG_VERSION:=3.1.48.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
-PKG_HASH:=7565411db11b453a98f8bd88eeef0fa9f2e85416a8f595e710aa19c430228b8c
+PKG_HASH:=65df088a8cac11e59f0b71a7f98fc9d21eeb0e31d35280c470c985172947ebfe
 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
 PKG_LICENSE:=GPL-2.0-only
@ -90,7 +90,8 @@ define Package/snort3/install
 		$(PKG_INSTALL_DIR)/usr/include/snort/lua/snort_plugin.lua \
 		$(1)/usr/share/lua/
-	$(INSTALL_DIR) $(1)/etc/snort
+	$(INSTALL_DIR) $(1)/etc/snort/{rules,lists,builtin_rules,so_rules}
 	$(INSTALL_CONF) \
 		$(PKG_INSTALL_DIR)/usr/etc/snort/*.lua \
 		$(1)/etc/snort
@ -107,6 +108,25 @@ define Package/snort3/install
 	$(INSTALL_CONF) \
 		./files/snort.config \
 		$(1)/etc/config/snort
 	$(INSTALL_CONF) \
 		./files/local.lua \
 		$(1)/etc/snort
 	$(INSTALL_CONF) \
 		./files/homenet.lua \
 		$(1)/etc/snort
 	sed \
 		-i -e "/^EXTERNAL_NET\\s\\+=/ a include 'homenet.lua'" \
 		-e "/^HOME_NET\\s\\+=/ i -- we set HOME_NET and EXTERNAL_NET here or via an included file" \
 		-e 's/^\(HOME_NET\s\+=\)/--\1/g' \
 		-e 's/^\(EXTERNAL_NET\s\+=\)/--\1/g' \
 		$(1)/etc/snort/snort.lua
 	sed \
 		-i -e "s/^\\(RULE_PATH\\s\\+=\\).*/\\1 'rules'/g" \
 		-e "s/^\\(BUILTIN_RULE_PATH\\s\\+=\\).*/\\1 'builtin_rules'/g" \
 		-e "s/^\\(PLUGIN_RULE_PATH\\s\\+=\\).*/\\1 'so_rules'/g" \
 		-e "s/^\\(WHITE_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
 		-e "s/^\\(BLACK_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
 		$(1)/etc/snort/snort_defaults.lua
 endef
 $(eval $(call BuildPackage,snort3))
--- a/net/snort3/files/homenet.lua
+++ b/net/snort3/files/homenet.lua
@ -0,0 +1,3 @@
 -- setup HOME_NET below with your IP range/ranges to protect
 HOME_NET = [[ 192.168.1.0/24 10.1.0.1/24 ]]
 EXTERNAL_NET = "!$HOME_NET"
--- a/net/snort3/files/local.lua
+++ b/net/snort3/files/local.lua
@ -0,0 +1,52 @@
 -- use ths file to customize any functions defined in /etc/snort/snort.lua
 -- switch tap to inline in ips and uncomment the below to run snort in inline mode
 --snort = {}
 --snort["-Q"] = ''
 ips = {
  mode = tap,
  -- mode = inline,
  variables = default_variables,
  -- uncomment and change the below to reflect rules or symlinks to rules on your filesystem
  -- include = RULE_PATH .. '/snort.rules',
 }
 daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  modules = {
    {
      name = 'afpacket',
      mode = 'inline',
    }
  }
 }
 alert_syslog = {
  level = 'info',
 }
 -- To log to a file, uncomment the below and manually create the dir defined in output.logdir
 --output.logdir = '/var/log/snort'
 --alert_fast = {
 --  file = true,
 --  packet = false,
 --}
 normalizer = {
  tcp = {
    ips = true,
  }
 }
 file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
 }
--- a/net/snort3/files/snort.config
+++ b/net/snort3/files/snort.config
@ -1,4 +1,3 @@
 config snort 'snort'
 	option config_dir '/etc/snort/'
 	option alert_module 'alert_syslog'
 	option interface 'eth0'
--- a/net/snort3/files/snort.init
+++ b/net/snort3/files/snort.init
@ -9,7 +9,6 @@ PROG=/usr/bin/snort
 validate_snort_section() {
 	uci_validate_section snort snort "${1}" \
 		'config_dir:string' \
 		'alert_module:string' \
 		'interface:string'
 }
@ -22,7 +21,7 @@ start_service() {
 	}
 	procd_open_instance
-	procd_set_param command $PROG -q --daq-dir /usr/lib/daq/ -i "$interface" -c "$config_dir/snort.lua" -A "$alert_module"
+	procd_set_param command $PROG -q -i "$interface" -c "${config_dir%/}/snort.lua" --tweaks local
 	procd_set_param env SNORT_LUA_PATH="$config_dir"
 	procd_set_param file $CONFIGFILE
 	procd_set_param respawn
--- a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch
+++ b/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch
@ -0,0 +1,16 @@
 --- a/cmake/FindFlexLexer.cmake
 +++ b/cmake/FindFlexLexer.cmake
@@ -16,11 +16,11 @@ macro(FLEX NAME LEXER_IN LEXER_OUT)
         COMPILE_FLAGS ${FLEX_FLAGS}
     )
 -    # we use '+' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT
 +    # we use '|' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT
     add_custom_command(
         OUTPUT ${LEXER_OUT}
         COMMAND sed -e
 -            "s+void yyFlexLexer::LexerError+yynoreturn void yyFlexLexer::LexerError+;s+${LEXER_OUT}.tmp+${LEXER_OUT}+"
 +            "s|void yyFlexLexer::LexerError|yynoreturn void yyFlexLexer::LexerError|;s|${LEXER_OUT}.tmp|${LEXER_OUT}|"
             ${FLEX_${NAME}_OUTPUTS} > ${LEXER_OUT}
         DEPENDS ${FLEX_${NAME}_OUTPUTS}
         VERBATIM
--- a/net/snowflake/Makefile
+++ b/net/snowflake/Makefile
@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=snowflake
-PKG_VERSION:=2.3.1
+PKG_VERSION:=2.4.1
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
-PKG_MIRROR_HASH:=f83d48ebdbb3966856fdd1016a2ff4e57e63598182ad5e53ab5c31a7100ce6ee
+PKG_MIRROR_HASH:=91f32c3f56718ae35641c734aa061be138eb7c0d1bc88596b42e731e30aaa27a
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/net/stubby/Makefile
+++ b/net/stubby/Makefile
@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=stubby
-PKG_VERSION:=0.4.0
+PKG_VERSION:=0.4.2
-PKG_RELEASE:=6
+PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME)
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
-PKG_MIRROR_HASH:=bc5f604da1b70287a6c3d89eac2e13ce8bca52840e7b72ab098a3deeb9935082
+PKG_MIRROR_HASH:=0a40e3eec2ef86a83977b69f03bc63f232fe52ca15703273a0d097e64fa3bf05
 PKG_MAINTAINER:=
 PKG_LICENSE:=BSD-3-Clause
--- a/net/tailscale/Makefile
+++ b/net/tailscale/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=tailscale
-PKG_VERSION:=1.24.2
+PKG_VERSION:=1.32.3
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=f1fe7770b4e372ace47c5b0ac4cbe21af95c3a6fb1828ee4f407fcfe35b7958f
+PKG_HASH:=4cf88a1d754240ce71b29d3a65ca480091ad9c614ac99c541cef6fdaf0585dd4
 PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
@ -77,6 +77,7 @@ endef
 define Package/tailscaled/conffiles
 /etc/config/tailscale
 /etc/tailscale/tailscaled.state
 endef
 $(eval $(call BuildPackage,tailscale))
--- a/net/vallumd/Makefile
+++ b/net/vallumd/Makefile
@ -8,12 +8,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=vallumd
-PKG_VERSION:=0.2.0
+PKG_VERSION:=0.2.2
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/stintel/vallumd/tar.gz/$(PKG_VERSION)?
+PKG_SOURCE_URL:=https://codeberg.org/stintel/vallumd/archive/$(PKG_VERSION).tar.gz?
-PKG_HASH:=7c1baffa3f7889c9c6f2795aac134c50a309ef201764d5ce6bbbce5d657416c0
+PKG_HASH:=f88cafce41cc118862869268b5e6c9b315a6f084aa8a498d4484e9dac49c575c
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 PKG_MAINTAINER:=Stijn Tintel <stijn@linux-ipv6.be>
 PKG_LICENSE:=GPL-3.0
--- a/net/vallumd/patches/001-CMake-skip-git-magic-if-no-.git-dir-exists.patch
+++ b/net/vallumd/patches/001-CMake-skip-git-magic-if-no-.git-dir-exists.patch
@ -0,0 +1,78 @@
 From b70137d0cc62be7f43816a3ba33b7c3e6a2fbd4e Mon Sep 17 00:00:00 2001
 From: Stijn Tintel <stijn@linux-ipv6.be>
 Date: Fri, 18 Nov 2022 09:19:02 +0200
 Subject: [PATCH] CMake: skip git magic if no .git dir exists
 The checks to fail CMake if git describe isn't working break build when
 building from source tarballs.
 Test if there is a git directory, and completely skip the git magic if
 not.
 Fixes: f42e7beec46e ("CI: add explicit clone to fetch tags")
 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
 ---
 CMakeLists.txt | 51 +++++++++++++++++++++++++-------------------------
 1 file changed, 26 insertions(+), 25 deletions(-)
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
@@ -9,35 +9,36 @@ set (VERSION_MAJOR 0)
 set (VERSION_MINOR 2)
 set (VERSION_PATCH 2)
 -execute_process(COMMAND git describe --tags --dirty
 -		OUTPUT_VARIABLE GIT_DESCRIBE
 -		OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
 -execute_process(COMMAND git describe --abbrev=0
 -                OUTPUT_VARIABLE GIT_LAST_TAG
 -                OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
 +if (EXISTS .git/)
 +    execute_process(COMMAND git describe --tags --dirty
 +            OUTPUT_VARIABLE GIT_DESCRIBE
 +            OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
 +    execute_process(COMMAND git describe --abbrev=0
 +                    OUTPUT_VARIABLE GIT_LAST_TAG
 +                    OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
 -string(LENGTH "${GIT_DESCRIBE}" GIT_DESCRIBE_LEN)
 -string(LENGTH "${GIT_LAST_TAG}" GIT_LAST_TAG_LEN)
 +    string(LENGTH "${GIT_DESCRIBE}" GIT_DESCRIBE_LEN)
 +    string(LENGTH "${GIT_LAST_TAG}" GIT_LAST_TAG_LEN)
 -if (GIT_DESCRIBE_LEN EQUAL 0 OR GIT_LAST_TAG_LEN EQUAL 0)
 -    message(FATAL_ERROR "git describe output empty")
 -endif ()
 +    if (GIT_DESCRIBE_LEN EQUAL 0 OR GIT_LAST_TAG_LEN EQUAL 0)
 +        message(FATAL_ERROR "git describe output empty")
 +    endif ()
 -string(REGEX REPLACE "^${GIT_LAST_TAG}-" "" GIT_DESCRIBE_NOTAG "${GIT_DESCRIBE}")
 +    string(REGEX REPLACE "^${GIT_LAST_TAG}-" "" GIT_DESCRIBE_NOTAG "${GIT_DESCRIBE}")
 -if (NOT "${GIT_DESCRIBE}" STREQUAL "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
 -    if ("${GIT_LAST_TAG}" VERSION_LESS
 -        "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
 -        string(REGEX REPLACE "^${GIT_LAST_TAG}-"
 -                "" VERSION_TWEAK "0-pre-${GIT_DESCRIBE_NOTAG}")
 -    else ()
 -	string(REGEX REPLACE
 -		"^${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-"
 -		"" VERSION_TWEAK "${GIT_DESCRIBE}")
 +    if (NOT "${GIT_DESCRIBE}" STREQUAL "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
 +        if ("${GIT_LAST_TAG}" VERSION_LESS
 +            "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
 +            string(REGEX REPLACE "^${GIT_LAST_TAG}-"
 +                    "" VERSION_TWEAK "0-pre-${GIT_DESCRIBE_NOTAG}")
 +        else ()
 +        string(REGEX REPLACE
 +            "^${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-"
 +            "" VERSION_TWEAK "${GIT_DESCRIBE}")
 +        endif ()
     endif ()
 endif ()
 -
 configure_file (
   "${PROJECT_SOURCE_DIR}/src/config.h.in"
   "${PROJECT_BINARY_DIR}/config.h"
--- a/net/vpn-policy-routing/Makefile
+++ b/net/vpn-policy-routing/Makefile
@ -1,68 +0,0 @@
 # Copyright 2017-2018 Stan Grishin (stangri@melmac.net)
 # This is free software, licensed under the GNU General Public License v3.
 include $(TOPDIR)/rules.mk
 PKG_NAME:=vpn-policy-routing
 PKG_VERSION:=0.3.4
 PKG_RELEASE:=8
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
 include $(INCLUDE_DIR)/package.mk
 define Package/vpn-policy-routing
 	SECTION:=net
 	CATEGORY:=Network
 	TITLE:=VPN Policy-Based Routing Service
 	URL:=https://docs.openwrt.melmac.net/vpn-policy-routing/
 	DEPENDS:=+jshn +ipset +iptables +resolveip +kmod-ipt-ipset +iptables-mod-ipopt +ip-full
 	PKGARCH:=all
 endef
 define Package/vpn-policy-routing/description
 This service allows policy-based routing for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels and WAN interface.
 Policies can specify domains, local IPs/subnets and ports, as well as remote IPs/subnets and ports.
 endef
 define Package/vpn-policy-routing/conffiles
 /etc/config/vpn-policy-routing
 endef
 define Build/Configure
 endef
 define Build/Compile
 endef
 define Package/vpn-policy-routing/install
 	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall $(1)/etc/
 	$(INSTALL_BIN) ./files/vpn-policy-routing.init $(1)/etc/init.d/vpn-policy-routing
 	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpn-policy-routing
 	$(INSTALL_CONF) ./files/vpn-policy-routing.config $(1)/etc/config/vpn-policy-routing
 	$(INSTALL_DATA) ./files/vpn-policy-routing.firewall.hotplug $(1)/etc/hotplug.d/firewall/70-vpn-policy-routing
 	$(INSTALL_DATA) ./files/vpn-policy-routing.aws.user $(1)/etc/vpn-policy-routing.aws.user
 	$(INSTALL_DATA) ./files/vpn-policy-routing.netflix.user $(1)/etc/vpn-policy-routing.netflix.user
 endef
 define Package/vpn-policy-routing/postinst
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		/etc/init.d/vpn-policy-routing enable
 	fi
 	exit 0
 endef
 define Package/vpn-policy-routing/prerm
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		echo "Stopping service and removing rc.d symlink for vpn-policy-routing"
 		/etc/init.d/vpn-policy-routing stop || true
 		/etc/init.d/vpn-policy-routing disable || true
 	fi
 	exit 0
 endef
 $(eval $(call BuildPackage,vpn-policy-routing))
--- a/net/vpn-policy-routing/files/README.md
+++ b/net/vpn-policy-routing/files/README.md
@ -1,3 +0,0 @@
 # README
 README has been moved to [https://docs.openwrt.melmac.net/vpn-policy-routing/](https://docs.openwrt.melmac.net/vpn-policy-routing/).
--- a/net/vpn-policy-routing/files/vpn-policy-routing.aws.user
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.aws.user
@ -1,19 +0,0 @@
 #!/bin/sh
 # This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
 TARGET_IPSET='wan'
 TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
 TARGET_FNAME="/var/vpn-policy-routing_tmp_aws_ip_ranges"
 _ret=1
 if [ ! -s "$TARGET_FNAME" ]; then
 	curl "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_FNAME"
 fi
 if [ -s "$TARGET_FNAME" ]; then
 	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
 fi
 rm -f "$TARGET_FNAME"
 return $_ret
--- a/net/vpn-policy-routing/files/vpn-policy-routing.config
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.config
@ -1,30 +0,0 @@
 config vpn-policy-routing 'config'
 	option enabled '0'
 	option verbosity '2'
 	option strict_enforcement '1'
 	option src_ipset '0'
 	option dest_ipset '0'
 	option resolver_ipset 'dnsmasq.ipset'
 	option ipv6_enabled '0'
 	list ignored_interface 'vpnserver wgserver'
 	option boot_timeout '30'
 	option iptables_rule_option 'append'
 	option procd_reload_delay '1'
 	option webui_enable_column '0'
 	option webui_protocol_column '0'
 	option webui_chain_column '0'
 	option webui_show_ignore_target '0'
 	option webui_sorting '1'
 	list webui_supported_protocol 'tcp'
 	list webui_supported_protocol 'udp'
 	list webui_supported_protocol 'tcp udp'
 	list webui_supported_protocol 'icmp'
 	list webui_supported_protocol 'all'
 config include
 	option path '/etc/vpn-policy-routing.netflix.user'
 	option enabled 0
 config include
 	option path '/etc/vpn-policy-routing.aws.user'
 	option enabled 0
--- a/net/vpn-policy-routing/files/vpn-policy-routing.firewall.hotplug
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.firewall.hotplug
@ -1,6 +0,0 @@
 #!/bin/sh
 [ "$ACTION" = "reload" ] || exit 0
 logger -t "vpn-policy-routing" "Reloading vpn-policy-routing due to $ACTION of firewall"
 /etc/init.d/vpn-policy-routing reload
--- a/net/vpn-policy-routing/files/vpn-policy-routing.init
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.init
--- a/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user
@ -1,37 +0,0 @@
 #!/bin/sh
 # This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
 # Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
 # Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
 TARGET_IPSET='wan'
 TARGET_ASN='2906'
 TARGET_FNAME="/var/vpn-policy-routing_tmp_AS${TARGET_ASN}"
 #DB_SOURCE='ipinfo.io'
 #DB_SOURCE='api.hackertarget.com'
 DB_SOURCE='api.bgpview.io'
 _ret=1
 if [ ! -s "$TARGET_FNAME" ]; then
 	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
 		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
 		curl "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_FNAME"
 	fi
 	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
 		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
 		curl "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_FNAME"
 	fi
 	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
 		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
 		curl -s "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME"
 	fi
 fi
 if [ -s "$TARGET_FNAME" ]; then
 	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
 fi
 rm -f "$TARGET_FNAME"
 return $_ret
--- a/net/vpnbypass/Makefile
+++ b/net/vpnbypass/Makefile
@ -1,69 +0,0 @@
 # Copyright 2017-2018 Stan Grishin (stangri@melmac.net)
 # This is free software, licensed under the GNU General Public License v3.
 include $(TOPDIR)/rules.mk
 PKG_NAME:=vpnbypass
 PKG_VERSION:=1.3.2
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
 include $(INCLUDE_DIR)/package.mk
 define Package/vpnbypass
 	SECTION:=net
 	CATEGORY:=Network
 	TITLE:=VPN Bypass Service
 	URL:=https://docs.openwrt.melmac.net/vpnbypass/
 	DEPENDS:=+ipset +iptables
 	PKGARCH:=all
 endef
 define Package/vpnbypass/description
 This service can be used to enable simple VPN split tunnelling.
 Supports accessing domains, IP ranges outside of your VPN tunnel.
 Also supports dedicating local ports/IP ranges for direct
 internet access (outside of your VPN tunnel).
 Please see the README for further information.
 endef
 define Package/vpnbypass/conffiles
 /etc/config/vpnbypass
 endef
 define Build/Configure
 endef
 define Build/Compile
 endef
 define Package/vpnbypass/install
 	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall
 	$(INSTALL_BIN) ./files/vpnbypass.init $(1)/etc/init.d/vpnbypass
 	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpnbypass
 	$(INSTALL_CONF) ./files/vpnbypass.config $(1)/etc/config/vpnbypass
 	$(INSTALL_DATA) ./files/vpnbypass.hotplug $(1)/etc/hotplug.d/firewall/94-vpnbypass
 endef
 define Package/vpnbypass/postinst
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		/etc/init.d/vpnbypass enable
 	fi
 	exit 0
 endef
 define Package/vpnbypass/prerm
 	#!/bin/sh
 	# check if we are on real system
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		echo "Stopping service and removing rc.d symlink for vpnbypass"
 		/etc/init.d/vpnbypass stop || true
 		/etc/init.d/vpnbypass disable || true
 	fi
 	exit 0
 endef
 $(eval $(call BuildPackage,vpnbypass))
--- a/net/vpnbypass/files/README.md
+++ b/net/vpnbypass/files/README.md
@ -1,3 +0,0 @@
 # README
 README has been moved to [https://docs.openwrt.melmac.net/vpnbypass/](https://docs.openwrt.melmac.net/vpnbypass/).
--- a/net/vpnbypass/files/vpnbypass.config
+++ b/net/vpnbypass/files/vpnbypass.config
@ -1,5 +0,0 @@
 config vpnbypass 'config'
 	option enabled		'0'
 	list localport		'32400'
 	list localsubnet	'192.168.1.81/29'
 	list remotesubnet	'25.0.0.0/8'
--- a/net/vpnbypass/files/vpnbypass.hotplug
+++ b/net/vpnbypass/files/vpnbypass.hotplug
@ -1,2 +0,0 @@
 #!/bin/sh
 [ "$ACTION" = "reload" ] && /etc/init.d/vpnbypass reload
--- a/net/vpnbypass/files/vpnbypass.init
+++ b/net/vpnbypass/files/vpnbypass.init
@ -1,146 +0,0 @@
 #!/bin/sh /etc/rc.common
 # Copyright 2017-2020 Stan Grishin (stangri@melmac.net)
 # shellcheck disable=SC2039,SC1091,SC2086,SC3043,SC3057,SC3060
 PKG_VERSION='dev-test'
 # shellcheck disable=SC2034
 START=94
 # shellcheck disable=SC2034
 USE_PROCD=1
 if type extra_command 1>/dev/null 2>&1; then
 	extra_command 'version' 'Show version information'
 else
 # shellcheck disable=SC2034
 	EXTRA_COMMANDS='version'
 fi
 version() { echo "$PKG_VERSION"; }
 readonly __ERROR__='\033[0;31mERROR\033[0m'
 # shellcheck disable=SC2034
 serviceEnabled=0
 verbosity=2
 TID='200'
 IPSET='vpnbypass'
 FW_MARK='0x010000'
 FW_MASK='0xff0000'
 wan_if4=''
 wan_gw=''
 readonly packageName='vpnbypass'
 readonly serviceName="$packageName $PKG_VERSION"
 readonly sharedMemoryOutput="/dev/shm/$packageName-output"
 output() {
 # Can take a single parameter (text) to be output at any verbosity
 # Or target verbosity level and text to be output at specifc verbosity
 	local msg memmsg logmsg
 	if [ $# -ne 1 ]; then
 		if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
 	fi
 	[ -t 1 ] && printf "%b" "$1"
 	msg="${1//$serviceName /service }";
 	if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
 		[ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
 		logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
 		logger -t "${packageName:-service} [$$]" "$(printf "%b" "$logmsg")"
 		rm -f "$sharedMemoryOutput"
 	else
 		printf "%b" "$msg" >> "$sharedMemoryOutput"
 	fi
 }
 load_package_config() {
 	config_load "$packageName"
 	config_get_bool serviceEnabled 'config' 'enabled' 1
 	config_get verbosity           'config' 'verbosity' '2'
 	if [ -z "${verbosity##*[!0-9]*}" ] || [ "$verbosity" -lt 0 ] || [ "$verbosity" -gt 2 ]; then
 		verbosity=1
 	fi
 	. /lib/functions/network.sh
 }
 is_enabled() {
 	local sleepCount=1
 	load_package_config
 	while : ; do
 		network_find_wan wan_if4
 		[ "$serviceEnabled" -gt 0 ] || return 1
 		[ -n "$wan_if4" ] && network_get_gateway wan_gw "$wan_if4"
 		if [ $sleepCount -ge 25 ] || [ -n "$wan_gw" ]; then break; fi
 		output "$serviceName waiting for wan gateway...\\n"
 		sleep 2; network_flush_cache; sleepCount=$((sleepCount+1));
 	done
 	[ -n "$wan_gw" ] && return 0
 	output "$__ERROR__: $serviceName failed to discover WAN gateway.\\n"; return 1;
 }
 is_ovpn() { local dev i; for i in ifname device; do [ -z "$dev" ] && dev="$(uci -q get "network.${1}.${i}")"; done; if [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; then return 0; else return 1; fi; }
 is_wan() { if [ -n "$wan_if4" ] && [ "$1" = "$wan_if4" ]; then return 0; else return 1; fi; }
 is_supported_interface() { if is_wan "$1" || is_ovpn "$1"; then return 0; else return 1; fi; }
 ipt() {
 	local d; 
 	d="${*//-A/-D}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
 	d="${*//-I/-D}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
 	d="${*//-N/-F}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
 	d="${*//-N/-X}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
 	d="$*"; iptables $d >/dev/null 2>&1 || output "\\n$__ERROR__: iptables $d\\n"
 }
 start_service() {
 	local ll lports rports routes ranges
 	is_enabled || return 1
 	config_get lports   'config' 'localport'
 	config_get rports   'config' 'remoteport'
 	config_get routes   'config' 'remotesubnet'
 	config_get ranges   'config' 'localsubnet'
 	procd_open_instance "main"
 	procd_set_param command /bin/true
 	procd_set_param stdout 1
 	procd_set_param stderr 1
 	procd_close_instance
 	ip rule del fwmark "$FW_MARK" table "$TID" >/dev/null 2>&1; 
 	ipset -q flush "$IPSET"; ipset -q destroy "$IPSET";
 	ip route flush table "$TID"; ip route flush cache;
 	ip route add default via "$wan_gw" table "$TID"; ip route flush cache;
 	ip rule add fwmark "$FW_MARK" table "$TID"
 	ipset -q -exist create "$IPSET" hash:ip; ipset -q flush "$IPSET"
 	{ modprobe xt_set; modprobe ip_set; modprobe ip_set_hash_ip; } >/dev/null 2>&1
 	ipt -t mangle -D PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS >/dev/null 2>&1
 	{ ipt -t mangle -N VPNBYPASS; ipt -t mangle -A PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS; } >/dev/null 2>&1
 	ipt -t mangle -A VPNBYPASS -m set --match-set $IPSET dst -j MARK --set-mark ${FW_MARK}/${FW_MASK} >/dev/null 2>&1
 	for ll in ${ranges}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -s "$ll"; done
 	for ll in ${lports}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -p tcp -m multiport --sport "${ll//-/:}"; done
 	for ll in ${routes}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -d "$ll"; done
 	for ll in ${rports}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -p tcp -m multiport --dport "${ll//-/:}"; done
 	output "$serviceName started with TID: $TID; FW_MARK: $FW_MARK\\n"
 }
 stop_service() {
 	load_package_config
 	ip rule del fwmark "$FW_MARK" table "$TID" >/dev/null 2>&1; 
 	ipset -q flush "$IPSET"; ipset -q destroy "$IPSET";
 	ip route flush table "$TID"; ip route flush cache;
 	ipt -t mangle -D PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS >/dev/null 2>&1
 	{ ipt -t mangle -F VPNBYPASS; ipt -t mangle -X VPNBYPASS; } >/dev/null 2>&1
 	output "$serviceName stopped\\n"
 }
 service_triggers_load_interface() { is_supported_interface "$1" && ifaces="${ifaces}${1} "; }
 service_triggers() {
 	local ifaces n
 	config_load network; config_foreach service_triggers_load_interface 'interface';
 	procd_open_trigger
 		procd_add_reload_trigger 'openvpn'
 		if type procd_add_service_trigger 1>/dev/null 2>&1; then
 			procd_add_service_trigger "service.restart" "firewall" /etc/init.d/${packageName} reload
 		fi
 		procd_add_config_trigger "config.change" "${packageName}" /etc/init.d/${packageName} reload
 		for n in $ifaces; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/vpnbypass reload; done;
 		output "$serviceName monitoring interfaces: $ifaces\\n"
 	procd_close_trigger
 }
--- a/net/vpnbypass/test.sh
+++ b/net/vpnbypass/test.sh
@ -1,3 +0,0 @@
 #!/bin/sh
 /etc/init.d/"$1" version 2>&1 | grep "$2"
--- a/net/wget/Makefile
+++ b/net/wget/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=wget
 PKG_VERSION:=1.21.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
--- a/net/wget/patches/001-fix-nettle-ntml.patch
+++ b/net/wget/patches/001-fix-nettle-ntml.patch
@ -1,18 +0,0 @@
 --- a/configure.ac
 +++ b/configure.ac
@@ -630,6 +630,7 @@ then
     AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
   fi
 else
 + if test x"$ENABLE_NTLM" != xno; then
   PKG_CHECK_MODULES([NETTLE], nettle, [
     HAVE_NETTLE=yes
     LIBS="$NETTLE_LIBS $LIBS"
@@ -651,6 +652,7 @@ else
     ENABLE_NTLM=yes
     AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
   fi
 + fi
 fi
 dnl **********************************************************************
--- a/net/wget/patches/001-upstream-fix-disable-ntlm-1.patch
+++ b/net/wget/patches/001-upstream-fix-disable-ntlm-1.patch
@ -0,0 +1,25 @@
 From 485217d0ff8d0d17ea3815244b2bc2b747451e15 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
 Date: Sat, 10 Dec 2022 16:43:38 +0100
 Subject: [PATCH] * configure.ac: Allow disabling NTLM if nettle present (Savannah #63431)
 ---
 configure.ac | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 --- a/configure.ac
 +++ b/configure.ac
@@ -648,8 +648,11 @@ else
   if test x"$HAVE_NETTLE" = xyes; then
     AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
 -    ENABLE_NTLM=yes
 -    AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
 +    if test x"$ENABLE_NTLM" != xno
 +    then
 +      ENABLE_NTLM=yes
 +      AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
 +    fi
   fi
 fi
--- a/net/wget/patches/002-upstream-fix-disable-ntlm-2.patch
+++ b/net/wget/patches/002-upstream-fix-disable-ntlm-2.patch
@ -0,0 +1,65 @@
 From c69030a904f8ab25b9ca2704c8a6dd03554e9503 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
 Date: Sun, 11 Dec 2022 13:31:38 +0100
 Subject: [PATCH] * configure.ac: Disable nettle if NTLM is explicitly disabled
 ---
 configure.ac | 41 +++++++++++++++++++----------------------
 1 file changed, 19 insertions(+), 22 deletions(-)
 --- a/configure.ac
 +++ b/configure.ac
@@ -622,34 +622,31 @@ AS_IF([test x"$with_ssl" = xopenssl], [
 ]) # endif: --with-ssl == openssl?
 dnl Enable NTLM if requested and if SSL is available.
 -if test x"$LIBSSL" != x || test "$ac_cv_lib_ssl32_SSL_connect" = yes
 +if test x"$ENABLE_NTLM" != xno
 then
 -  if test x"$ENABLE_NTLM" != xno
 +  if test x"$LIBSSL" != x || test "$ac_cv_lib_ssl32_SSL_connect" = yes
   then
     ENABLE_NTLM=yes
     AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
 -  fi
 -else
 -  PKG_CHECK_MODULES([NETTLE], nettle, [
 -    HAVE_NETTLE=yes
 -    LIBS="$NETTLE_LIBS $LIBS"
 -    CFLAGS="$NETTLE_CFLAGS $CFLAGS"
 -  ], [
 -    AC_CHECK_LIB(nettle, nettle_md4_init, [HAVE_NETTLE=yes], [HAVE_NETTLE=no; AC_MSG_WARN(*** libnettle was not found. You will not be able to use NTLM)])
 -    if test x"$HAVE_NETTLE" != xyes; then
 -      if  test x"$ENABLE_NTLM" = xyes; then
 -        AC_MSG_ERROR([NTLM authorization requested and SSL not enabled; aborting])
 -      fi
 -    else
 -      AC_SUBST(NETTLE_LIBS, "-lnettle")
 +  else
 +    PKG_CHECK_MODULES([NETTLE], nettle, [
 +      HAVE_NETTLE=yes
       LIBS="$NETTLE_LIBS $LIBS"
 -    fi
 -  ])
 +      CFLAGS="$NETTLE_CFLAGS $CFLAGS"
 +    ], [
 +      AC_CHECK_LIB(nettle, nettle_md4_init, [HAVE_NETTLE=yes], [HAVE_NETTLE=no; AC_MSG_WARN(*** libnettle was not found. You will not be able to use NTLM)])
 +      if test x"$HAVE_NETTLE" != xyes; then
 +        if  test x"$ENABLE_NTLM" = xyes; then
 +          AC_MSG_ERROR([NTLM authorization requested and SSL not enabled; aborting])
 +        fi
 +      else
 +        AC_SUBST(NETTLE_LIBS, "-lnettle")
 +        LIBS="$NETTLE_LIBS $LIBS"
 +      fi
 +    ])
 -  if test x"$HAVE_NETTLE" = xyes; then
 -    AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
 -    if test x"$ENABLE_NTLM" != xno
 -    then
 +    if test x"$HAVE_NETTLE" = xyes; then
 +      AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
       ENABLE_NTLM=yes
       AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
     fi
--- a/utils/docker-compose/Makefile
+++ b/utils/docker-compose/Makefile
@ -1,14 +1,14 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=compose
-PKG_VERSION:=2.12.2
+PKG_VERSION:=2.14.0
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_SOURCE:=v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/docker/compose/tar.gz/v${PKG_VERSION}?
-PKG_HASH:=311131c5d930fdb1f5e86de19ea2ad1705d23e5745b780c0b10b2eb3f964fc69
+PKG_HASH:=003efb3139298aa4795f7a9fa4723ef43c12b401c235fe0c93dd23cc2c6b5f2e
 PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>
--- a/utils/swig/Makefile
+++ b/utils/swig/Makefile
@ -7,12 +7,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=swig
-PKG_VERSION:=4.0.2
+PKG_VERSION:=4.1.1
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=d53be9730d8d58a16bf0cbd1f8ac0c0c3e1090573168bfa151b01eb47fa906fc
+PKG_HASH:=2af08aced8fcd65cdb5cc62426768914bedc735b1c250325203716f78e39ac9b
 PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>, Hirokazu MORIKAWA <morikw2@gmail.com>
 PKG_LICENSE:=GPL-3.0-or-later
--- a/utils/swig/patches/000-support_v12.patch
+++ b/utils/swig/patches/000-support_v12.patch
--- a/utils/xz/Makefile
+++ b/utils/xz/Makefile
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=xz
-PKG_VERSION:=5.2.7
+PKG_VERSION:=5.2.9
 PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/lzmautils
-PKG_HASH:=8712e9acb0b6b49a97d443458a3067dc5c08a025e02dc5f773176c51dd7cfc69
+PKG_HASH:=b194507fba3a462a753c553149ccdaa168337bcb7deefddd067ba987c83dfce6
 PKG_MAINTAINER:=
 PKG_LICENSE:=Public-Domain LGPL-2.1-or-later GPL-2.0-or-later GPL-3.0-or-later
--- a/utils/zoneinfo/Makefile
+++ b/utils/zoneinfo/Makefile
@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=zoneinfo
-PKG_VERSION:=2022f
+PKG_VERSION:=2022g
 PKG_RELEASE:=1
 #As i couldn't find real license used "Public Domain"
@ -19,14 +19,14 @@ PKG_LICENSE:=Public Domain
 PKG_SOURCE:=tzdata$(PKG_VERSION).tar.gz
 PKG_SOURCE_CODE:=tzcode$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.iana.org/time-zones/repository/releases
-PKG_HASH:=9990d71f675d212567b931fe8aae1cab7027f89fefb8a79d808a6933a67af000
+PKG_HASH:=4491db8281ae94a84d939e427bdd83dc389f26764d27d9a5c52d782c16764478
 include $(INCLUDE_DIR)/package.mk
 define Download/tzcode
   FILE=$(PKG_SOURCE_CODE)
   URL=$(PKG_SOURCE_URL)
-   HASH:=e4543e90f84f91fa82809ea98930052fdbc13880c8a623ee3a4eaa42f8a64c15
+   HASH:=9610bb0b9656ff404c361a41f3286da53064b5469d84f00c9cb2314c8614da74
 endef
 $(eval $(call Download,tzcode))
		`@ -0,0 +1,3 @@`
							`# README`

							`README is available at [https://docs.openwrt.melmac.net/pbr/](https://docs.openwrt.melmac.net/pbr/).`
		`@ -0,0 +1 @@`
							`jump pbr_forward comment "Jump into pbr forward chain";`
		`@ -0,0 +1 @@`
							`jump pbr_input comment "Jump into pbr input chain";`
		`@ -0,0 +1 @@`
							`jump pbr_output comment "Jump into pbr output chain";`
		`@ -0,0 +1 @@`
							`jump pbr_postrouting comment "Jump into pbr postrouting chain";`
		`@ -0,0 +1 @@`
							`jump pbr_prerouting comment "Jump into pbr prerouting chain";`
		`@ -1,3 +0,0 @@`
			`# README`

			`README has been moved to [https://docs.openwrt.melmac.net/vpn-policy-routing/](https://docs.openwrt.melmac.net/vpn-policy-routing/).`
		`@ -1,2 +0,0 @@`
			`#!/bin/sh`
			`[ "$ACTION" = "reload" ] && /etc/init.d/vpnbypass reload`
		`@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`/etc/init.d/"$1" version 2>&1 \| grep "$2"`