Merge branch 'openwrt:master' into master

2022-12-11 20:09:19 +04:00 · 2022-12-11 20:09:19 +04:00 · ec23d95e9d
commit ec23d95e9d
parent d92b71214b fd7da3333e
84 changed files with 3997 additions and 3752 deletions
--- a/.github/workflows/check-autorelease-deprecation.yml
+++ b/.github/workflows/check-autorelease-deprecation.yml
@ -28,6 +28,8 @@ jobs:

      - name: Determine changed packages
        run: |
+          RET=0
+
          # only detect packages with changes
          PKG_ROOTS=$(find . -name Makefile | \
            grep -v ".*/src/Makefile" | \
@ -46,14 +48,13 @@ jobs:
          done

          if [ -n "$CONTAINS_AUTORELEASE" ]; then
+            RET=1
            cat > "$GITHUB_WORKSPACE/pr_comment.md" << EOF
          Please do no longer set *PKG_RELEASE* to *AUTORELEASE* as the
          feature is deprecated. Please use an integer instead. Below is a
          list of affected packages including correct *PKG_RELEASE*:

          EOF
-          else
-            echo "No usage of *AUTORELEASE* found in changes" > "$GITHUB_WORKSPACE/pr_comment.md"
          fi

          for ROOT in $CONTAINS_AUTORELEASE; do
@ -70,8 +71,11 @@ jobs:
            echo >> "$GITHUB_WORKSPACE/pr_comment.md"
          done

+          exit $RET
+
      - name: Find Comment
        uses: peter-evans/find-comment@v2
+        if: ${{ failure() }}
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
@ -79,6 +83,7 @@ jobs:

      - name: Create or update comment
        uses: peter-evans/create-or-update-comment@v2
+        if: ${{ failure() }}
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/entrypoint.sh
+++ b/.github/workflows/entrypoint.sh
@ -1,10 +1,14 @@
 #!/bin/sh

+# not enabling `errtrace` and `pipefail` since those are bash specific
+set -o errexit # failing commands causes script to fail
+set -o nounset # undefined variables causes script to fail 
+
 mkdir -p /var/lock/

 opkg update

-[ -n "$CI_HELPER" ] || CI_HELPER="/ci/.github/workflows/ci_helpers.sh"
+[ -n "${CI_HELPER:=''}" ] || CI_HELPER="/ci/.github/workflows/ci_helpers.sh"

 for PKG in /ci/*.ipk; do
 	tar -xzOf "$PKG" ./control.tar.gz | tar xzf - ./control 
--- a/lang/golang/golang/Makefile
+++ b/lang/golang/golang/Makefile
@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk

 GO_VERSION_MAJOR_MINOR:=1.19
-GO_VERSION_PATCH:=3
+GO_VERSION_PATCH:=4

 PKG_NAME:=golang
 PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \

 PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
 PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=18ac263e39210bcf68d85f4370e97fb1734166995a1f63fb38b4f6e07d90d212
+PKG_HASH:=eda74db4ac494800a3e66ee784e495bfbb9b8e535df924a8b01b1a8028b7f368

 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
--- a/lang/python/django/Makefile
+++ b/lang/python/django/Makefile
@ -8,11 +8,11 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=django
-PKG_VERSION:=4.1.1
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=4.1.3
+PKG_RELEASE:=1

 PYPI_NAME:=Django
-PKG_HASH:=a153ffd5143bf26a877bfae2f4ec736ebd8924a46600ca089ad96b54a1d4e28e
+PKG_HASH:=678bbfc8604eb246ed54e2063f0765f13b321a50526bdc8cb1f943eda7fa31f1

 PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
 PKG_LICENSE:=BSD-3-Clause
--- a/libs/libmbim/Makefile
+++ b/libs/libmbim/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libmbim
-PKG_SOURCE_VERSION:=1.26.4
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_SOURCE_VERSION:=1.28.2
+PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git
-PKG_MIRROR_HASH:=4963f9135f8ad26165d969d0b2028b00d68243201113c94a2ebe22c4227058a4
+PKG_MIRROR_HASH:=0b0b46016738fc22355d5a58c8a2d1b2f04906c49c51a50b57a09640d13b00b7

 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>

--- a/libs/libqmi/Makefile
+++ b/libs/libqmi/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libqmi
-PKG_SOURCE_VERSION:=1.30.8
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_SOURCE_VERSION:=1.32.2
+PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git
-PKG_MIRROR_HASH:=a0fa33a89011bdb593f66fd0b674f2a7c31f87e43ffd7f3e9a515b00864c4a91
+PKG_MIRROR_HASH:=711d16d75a6a9afaefcf2be1bc845a4a6181dff786dfbd079e41e91279a0be91

 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>

--- a/libs/libqrtr-glib/Makefile
+++ b/libs/libqrtr-glib/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=libqrtr-glib
 PKG_VERSION:=1.2.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=3

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqrtr-glib.git
--- a/multimedia/tvheadend/Config.in
+++ b/multimedia/tvheadend/Config.in
@ -3,10 +3,10 @@ comment "Generic options"

 config TVHEADEND_OPTIMIZE_SPEED
  bool "Optimize for speed"
-  depends on PACKAGE_tvheadend
+  depends on PACKAGE_tvheadend && (arm || aarch64 || x86_64)
  default n
  help
-    Optimize tvheadend for speed instead of size. This option adds -O2 and LTO (Link Time Optimization).
+    Optimize tvheadend for speed instead of size. This option adds -O3 and LTO (Link Time Optimization).
    Note: No benchmarks were performed when this option was added. Speed improvements (if any) are not known.

 config TVHEADEND_TRACE
--- a/multimedia/tvheadend/Makefile
+++ b/multimedia/tvheadend/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=tvheadend
 PKG_VERSION:=2022-11-20
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=3

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/tvheadend/tvheadend.git
--- a/net/bpfcountd/Makefile
+++ b/net/bpfcountd/Makefile
@ -0,0 +1,42 @@
+# SPDX-License-Identifier: MIT
+# Copyright (C) 2022 Linus Lüssing <linus.luessing@c0d3.blue>
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=bpfcountd
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_DATE:=2021-06-26
+PKG_SOURCE_URL=https://github.com/lemoer/bpfcountd.git
+PKG_SOURCE_VERSION:=8b1aeb18d686815f93e2bfe976e536c5699d6371
+PKG_MIRROR_HASH:=e6e7adcc11c0fd33c6d3ac31423d3288812270944c2f31d9610ac8c3173a8c5f
+
+PKG_MAINTAINER:=Linus Lüssing <linus.luessing@c0d3.blue>
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/bpfcountd
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Berkeley Packet Filter Counting Daemon
+  DEPENDS:=+libpcap
+endef
+
+define Package/bpfcountd/description
+  bpfcountd was created to obtain packet statistics in larger networks
+  without stressing the cpu resources. bpfcountd will count the amount
+  of packages and bytes over time (for each defined rule). The rules
+  are defined using the tcpdump filter syntax (bpf). The collected
+  data is provided on a unix socket in plaintext.
+endef
+
+define Package/bpfcountd/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/bpfcountd $(1)/usr/sbin/
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,bpfcountd))
--- a/net/bpfcountd/files/etc/bpfcountd.filters
+++ b/net/bpfcountd/files/etc/bpfcountd.filters
@ -0,0 +1,2 @@
+arp;arp
+icmp6;icmp6
--- a/net/bpfcountd/files/etc/config/bpfcountd
+++ b/net/bpfcountd/files/etc/config/bpfcountd
@ -0,0 +1,13 @@
+config bpfcountd 'eth0_in'
+	option ifname 'eth0'
+	option prefilter 'inbound'
+	option filterfile '/etc/bpfcountd.filters'
+	option buffersize '2097152'
+	option disabled '1'
+
+config bpfcountd 'eth0_out'
+	option ifname 'eth0'
+	option prefilter 'outbound'
+	option filterfile '/etc/bpfcountd.filters'
+	option buffersize '2097152'
+	option disabled '1'
--- a/net/bpfcountd/files/etc/init.d/bpfcountd
+++ b/net/bpfcountd/files/etc/init.d/bpfcountd
@ -0,0 +1,92 @@
+#!/bin/sh /etc/rc.common
+# SPDX-License-Identifier: MIT
+# Copyright (C) 2022 Linus Lüssing <linus.luessing@c0d3.blue>
+
+USE_PROCD=1
+START=20
+STOP=90
+
+UNIXSOCKDIR=/var/run/bpfcountd
+
+bpfcountd_start() {
+	local cfg="$1"
+	local disabled
+
+	local ifname
+	local prefilter
+	local filterfile
+	local buffersize
+
+	config_get_bool disabled "$cfg" disabled 0
+	[ "$disabled" -gt 0 ] && return 0
+
+	mkdir -p "$UNIXSOCKDIR"
+
+	config_get ifname "$cfg" "ifname"
+	config_get prefilter "$cfg" "prefilter"
+	config_get filterfile "$cfg" "filterfile"
+	config_get buffersize "$cfg" "buffersize"
+
+	[ -z "$ifname" ] && {
+		echo "Error: no ifname specified for $cfg" >&2
+		return 0
+	}
+	[ -z "$filterfile" ] && {
+		echo "Error: no filterfile specified for $cfg" >&2
+		return 0
+	}
+
+	procd_open_instance "$cfg"
+
+	procd_set_param command /usr/sbin/bpfcountd
+	procd_append_param command -i "$ifname"
+	procd_append_param command -f "$filterfile"
+	procd_append_param command -u $UNIXSOCKDIR/"$cfg".sock
+	[ -n "$prefilter" ] && procd_append_param command -F "$prefilter"
+	[ -n "$buffersize" ] && procd_append_param command -b "$buffersize"
+
+	procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
+
+	procd_set_param stderr 1
+	procd_close_instance
+}
+
+start_service() {
+	local cfg="$1"
+	local instance_found=0
+
+	. /lib/functions/network.sh
+
+	config_cb() {
+		local type="$1"
+		local name="$2"
+		if [ "$type" = "bpfcountd" ]; then
+			if [ -n "$cfg" -a "$cfg" = "$name" ]; then
+				instance_found=1
+			fi
+		fi
+	}
+
+	config_load bpfcountd
+
+	if [ -n "$cfg" ]; then
+		[ "$instance_found" -gt 0 ] || return
+		bpfcountd_start "$cfg"
+	else
+		config_foreach bpfcountd_start bpfcountd
+	fi
+}
+
+stop_service() {
+	local cfg="$1"
+
+	if [ -n "$cfg" ]; then
+		rm $UNIXSOCKDIR/$cfg.sock
+	else
+		rm $UNIXSOCKDIR/*.sock
+	fi
+}
+
+service_triggers() {
+	procd_add_reload_trigger bpfcountd
+}
--- a/net/cloudflared/Makefile
+++ b/net/cloudflared/Makefile
@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=cloudflared
-PKG_VERSION:=2022.11.0
+PKG_VERSION:=2022.11.1
 PKG_RELEASE:=$(AUTORELEASE)

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=01478108dc4a4a74b2a9eecda35b1b7cc69ce33f45fe0c94edf598b90154fda0
+PKG_HASH:=d4b1133057a721087a0a5387ea6d4d1ebf3b1f5135396da25a1e88e873cd5203

 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
--- a/net/ddns-scripts/Makefile
+++ b/net/ddns-scripts/Makefile
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=ddns-scripts
 PKG_VERSION:=2.8.2
-PKG_RELEASE:=29
+PKG_RELEASE:=30

 PKG_LICENSE:=GPL-2.0

@ -70,6 +70,17 @@ define Package/ddns-scripts-cloudflare/description
 endef


+define Package/ddns-scripts-gcp
+  $(call Package/ddns-scripts/Default)
+  TITLE:=Extension for Google Cloud DNS API v1
+  DEPENDS:=ddns-scripts +curl +openssl-util
+endef
+
+define Package/ddns-scripts-gcp/description
+  Dynamic DNS Client scripts extension for Google Cloud DNS API v1 (requires curl)
+endef
+
+
 define Package/ddns-scripts-freedns
  $(call Package/ddns-scripts/Default)
  TITLE:=Extension for freedns.42.pl
@ -323,6 +334,7 @@ define Package/ddns-scripts-services/install

 	# Remove special services
 	rm $(1)/usr/share/ddns/default/cloudflare.com-v4.json
+	rm $(1)/usr/share/ddns/default/cloud.google.com-v1.json
 	rm $(1)/usr/share/ddns/default/freedns.42.pl.json
 	rm $(1)/usr/share/ddns/default/godaddy.com-v1.json
 	rm $(1)/usr/share/ddns/default/digitalocean.com-v2.json
@ -358,6 +370,25 @@ exit 0
 endef


+define Package/ddns-scripts-gcp/install
+	$(INSTALL_DIR) $(1)/usr/lib/ddns
+	$(INSTALL_BIN) ./files/usr/lib/ddns/update_gcp_v1.sh \
+		$(1)/usr/lib/ddns
+
+	$(INSTALL_DIR) $(1)/usr/share/ddns/default
+	$(INSTALL_DATA) ./files/usr/share/ddns/default/cloud.google.com-v1.json \
+		$(1)/usr/share/ddns/default/
+endef
+
+define Package/ddns-scripts-gcp/prerm
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+	/etc/init.d/ddns stop
+fi
+exit 0
+endef
+
+
 define Package/ddns-scripts-freedns/install
 	$(INSTALL_DIR) $(1)/usr/lib/ddns
 	$(INSTALL_BIN) ./files/usr/lib/ddns/update_freedns_42_pl.sh \
@ -608,6 +639,7 @@ endef
 $(eval $(call BuildPackage,ddns-scripts))
 $(eval $(call BuildPackage,ddns-scripts-services))
 $(eval $(call BuildPackage,ddns-scripts-cloudflare))
+$(eval $(call BuildPackage,ddns-scripts-gcp))
 $(eval $(call BuildPackage,ddns-scripts-freedns))
 $(eval $(call BuildPackage,ddns-scripts-godaddy))
 $(eval $(call BuildPackage,ddns-scripts-digitalocean))
--- a/net/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh
+++ b/net/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh
@ -0,0 +1,272 @@
+#!/bin/sh
+#
+#.Distributed under the terms of the GNU General Public License (GPL) version 2.0
+#.2022 Chris Barrick <chrisbarrick@google.com>
+#
+# This script sends DDNS updates using the Google Cloud DNS REST API.
+# See: https://cloud.google.com/dns/docs/reference/v1
+#
+# This script uses a GCP service account. The user is responsible for creating
+# the service account, ensuring it has permission to update DNS records, and
+# for generating a service account key to be used by this script. The records
+# to be updated must already exist.
+#
+# Arguments:
+#
+# - $username: The service account name.
+#   Example: ddns-service-account@my-dns-project.iam.gserviceaccount.com
+#
+# - $password: The service account key. You can paste the key directly into the
+#   "password" field or upload the key file to the router and set the field
+#   equal to the file path. This script supports JSON keys or the raw private
+#   key as a PEM file. P12 keys are not supported. File names must end with
+#   `*.json` or `*.pem`.
+#
+# - $domain: The domain to update.
+#
+# - $param_enc: The additional required arguments, as form-urlencoded data,
+#   i.e. `key1=value1&key2=value2&...`. The required arguments are:
+#   - project: The name of the GCP project that owns the DNS records.
+#   - zone: The DNS zone in the GCP API.
+#   - Example: `project=my-dns-project&zone=my-dns-zone`
+#
+# - $param_opt: Optional TTL for the records, in seconds. Defaults to 3600 (1h).
+#
+# Dependencies:
+# - ddns-scripts  (for the base functionality)
+# - openssl-util  (for the authentication flow)
+# - curl          (for the GCP REST API)
+
+. /usr/share/libubox/jshn.sh
+
+
+# Authentication
+# ---------------------------------------------------------------------------
+# The authentication flow works like this:
+#
+#   1. Construct a JWT claim for access to the DNS readwrite scope.
+#   2. Sign the JWT with the service accout key, proving we have access.
+#   3. Exchange the JWT for an access token, valid for 5m.
+#   4. Use the access token for API calls.
+#
+# See https://developers.google.com/identity/protocols/oauth2/service-account
+
+# A URL-safe variant of base64 encoding, used by JWTs.
+base64_urlencode() {
+	openssl base64 | tr '/+' '_-' | tr -d '=\n'
+}
+
+# Prints the service account private key in PEM format.
+get_service_account_key() {
+	# The "password" field provides us with the service account key.
+	# We allow the user to provide it to us in a few different formats.
+	#
+	# 1. If $password is a string ending in `*.json`, it is a file path,
+	#    pointing to a JSON service account key as downloaded from GCP.
+	#
+	# 2. If $password is a string ending with `*.pem`, it is a PEM private
+	#    key, extracted from the JSON service account key.
+	#
+	# 3. If $password starts with `{`, then the JSON service account key
+	#    was pasted directly into the password field.
+	#
+	# 4. If $password starts with `---`, then the PEM private key was pasted
+	#    directly into the password field.
+	#
+	# We do not support P12 service account keys.
+	case "${password}" in
+	(*".json")
+		jsonfilter -i "${password}" -e @.private_key
+	;;
+	(*".pem")
+		cat "${password}"
+	;;
+	("{"*)
+		jsonfilter -s "${password}" -e @.private_key
+	;;
+	("---"*)
+		printf "%s" "${password}"
+	;;
+	(*)
+		write_log 14 "Could not parse the service account key."
+	;;
+	esac
+}
+
+# Sign stdin using the service account key. Prints the signature.
+# The input is the JWT header-payload. Used to construct a signed JWT.
+sign() {
+	# Dump the private key to a tmp file so openssl can get to it.
+	local tmp_keyfile="$(mktemp -t gcp_dns_sak.pem.XXXXXX)"
+	chmod 600 ${tmp_keyfile}
+	get_service_account_key > ${tmp_keyfile}
+	openssl dgst -binary -sha256 -sign ${tmp_keyfile}
+	rm ${tmp_keyfile}
+}
+
+# Print the JWT header in JSON format.
+# Currently, Google only supports RS256.
+jwt_header() {
+	json_init
+	json_add_string "alg" "RS256"
+	json_add_string "typ" "JWT"
+	json_dump
+}
+
+# Prints the JWT claim-set in JSON format.
+# The claim is for 5m of readwrite access to the Cloud DNS API.
+jwt_claim_set() {
+	local iat=$(date -u +%s)  # Current UNIX time, UTC.
+	local exp=$(( iat + 300 ))  # Expiration is 5m in the future.
+
+	json_init
+	json_add_string "iss" "${username}"
+	json_add_string "scope" "https://www.googleapis.com/auth/ndev.clouddns.readwrite"
+	json_add_string "aud" "https://oauth2.googleapis.com/token"
+	json_add_string "iat" "${iat}"
+	json_add_string "exp" "${exp}"
+	json_dump
+}
+
+# Generate a JWT signed by the service account key, which can be exchanged for
+# a Google Cloud access token, authorized for Cloud DNS.
+get_jwt() {
+	local header=$(jwt_header | base64_urlencode)
+	local payload=$(jwt_claim_set | base64_urlencode)
+	local header_payload="${header}.${payload}"
+	local signature=$(printf "%s" ${header_payload} | sign | base64_urlencode)
+	echo "${header_payload}.${signature}"
+}
+
+# Request an access token for the Google Cloud service account.
+get_access_token_raw() {
+	local grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer"
+	local assertion=$(get_jwt)
+
+	${CURL} -v https://oauth2.googleapis.com/token \
+		--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
+		--data-urlencode "assertion=${assertion}" \
+		| jsonfilter -e @.access_token
+}
+
+# Get the access token, stripping the trailing dots.
+get_access_token() {
+	# Since tokens may contain internal dots, we only trim the suffix if it
+	# starts with at least 8 dots. (The access token has *many* trailing dots.)
+	local access_token="$(get_access_token_raw)"
+	echo "${access_token%%........*}"
+}
+
+
+# Google Cloud DNS API
+# ---------------------------------------------------------------------------
+# Cloud DNS offers a straight forward RESTful API.
+#
+# - The main class is a ResourceRecordSet. It's a collection of DNS records
+#   that share the same domain, type, TTL, etc. Within a record set, the only
+#   difference between the records are their values.
+#
+# - The record sets live under a ManagedZone, which in turn lives under a
+#   Project. All we need to know about these are their names.
+#
+# - This implementation only makes PATCH requests to update existing record
+#   sets. The user must have already created at least one A or AAAA record for
+#   the domain they are updating. It's fine to start with a dummy, like 0.0.0.0.
+#
+# - The API requires SSL, and this implementation uses curl.
+
+# Prints a ResourceRecordSet in JSON format.
+format_record_set() {
+	local domain="$1"
+	local record_type="$2"
+	local ttl="$3"
+	shift 3 # The remaining arguments are the IP addresses for this record set.
+
+	json_init
+	json_add_string "kind" "dns#resourceRecordSet"
+	json_add_string "name" "${domain}."  # trailing dot on the domain
+	json_add_string "type" "${record_type}"
+	json_add_string "ttl" "${ttl}"
+	json_add_array "rrdatas"
+	for value in $@; do
+		json_add_string "" "${value}"
+	done
+	json_close_array
+	json_dump
+}
+
+# Makes an HTTP PATCH request to the Cloud DNS API.
+patch_record_set() {
+	local access_token="$1"
+	local project="$2"
+	local zone="$3"
+	local domain="$4"
+	local record_type="$5"
+	local ttl="$6"
+	shift 6 # The remaining arguments are the IP addresses for this record set.
+
+	# Note the trailing dot after the domain name. It's fully qualified.
+	local url="https://dns.googleapis.com/dns/v1/projects/${project}/managedZones/${zone}/rrsets/${domain}./${record_type}"
+	local record_set=$(format_record_set ${domain} ${record_type} ${ttl} $@)
+
+	${CURL} -v ${url} \
+		-X PATCH \
+		-H "Content-Type: application/json" \
+		-H "Authorization: Bearer ${access_token}" \
+		-d "${record_set}"
+}
+
+
+# Main entrypoint
+# ---------------------------------------------------------------------------
+
+# Parse the $param_enc into project and zone variables.
+# The arguments are the names for those variables.
+parse_project_zone() {
+	local project_var=$1
+	local zone_var=$2
+
+	IFS='&'
+	for entry in $param_enc
+	do
+		case "${entry}" in
+		('project='*)
+			local project_val=$(echo "${entry}" | cut -d'=' -f2)
+			eval "${project_var}=${project_val}"
+		;;
+		('zone='*)
+			local zone_val=$(echo "${entry}" | cut -d'=' -f2)
+			eval "${zone_var}=${zone_val}"
+		;;
+		esac
+	done
+	unset IFS
+}
+
+main() {
+	local access_token project zone ttl record_type
+
+	# Dependency checking
+	[ -z "${CURL_SSL}" ] && write_log 14 "Google Cloud DNS requires cURL with SSL support"
+	[ -z "$(openssl version)" ] && write_log 14 "Google Cloud DNS update requires openssl-utils"
+
+	# Argument parsing
+	[ -z ${param_opt} ] && ttl=3600 || ttl="${param_opt}"
+	[ $use_ipv6 -ne 0 ] && record_type="AAAA" || record_type="A"
+	parse_project_zone project zone
+
+	# Sanity checks
+	[ -z "${username}" ] && write_log 14 "Config is missing 'username' (service account name)"
+	[ -z "${password}" ] && write_log 14 "Config is missing 'password' (service account key)"
+	[ -z "${domain}" ] && write_log 14 "Config is missing 'domain'"
+	[ -z "${project}" ] && write_log 14 "Could not parse project name from 'param_enc'"
+	[ -z "${zone}" ] && write_log 14 "Could not parse zone name from 'param_enc'"
+	[ -z "${ttl}" ] && write_log 14 "Could not parse TTL from 'param_opt'"
+	[ -z "${record_type}" ] && write_log 14 "Could not determine the record type"
+
+	# Push the record!
+	access_token="$(get_access_token)"
+	patch_record_set "${access_token}" "${project}" "${zone}" "${domain}" "${record_type}" "${ttl}" "${__IP}"
+}
+
+main $@
--- a/net/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json
+++ b/net/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json
@ -0,0 +1,10 @@
+{
+	"name": "cloud.google.com-v1",
+	"ipv4": {
+		"url": "update_gcp_v1.sh"
+	},
+	"ipv6": {
+		"url": "update_gcp_v1.sh"
+	}
+}
+
--- a/net/dnsproxy/Makefile
+++ b/net/dnsproxy/Makefile
@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dnsproxy
-PKG_VERSION:=0.46.2
+PKG_VERSION:=0.46.4
 PKG_RELEASE:=$(AUTORELEASE)

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=8ce720f258747b0ff74b9889c93c616efe3b7267d04283a1338d2ff1e24d661e
+PKG_HASH:=5c959bd2f08b2304306b8f0b933b20d31a3a3d1ebeb0f349740799e5089fd4ae

 PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
 PKG_LICENSE:=Apache-2.0
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@ -7,16 +7,16 @@

 include $(TOPDIR)/rules.mk
 PKG_NAME:=frr
-PKG_VERSION:=8.3.1
-PKG_RELEASE:=$(AUTORELEASE)
-PKG_SOURCE_DATE:=2022-10-14
+PKG_VERSION:=8.4.1
+PKG_RELEASE:=1
+PKG_SOURCE_DATE:=2022-11-29

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_DATE).tar.gz
-PKG_SOURCE_VERSION:=b9cb689f3c4b78fb047216ed41d8c79424b1774f
+PKG_SOURCE_VERSION:=7d7b33a0281b233757606bb1fa4e9c056c57084f
 PKG_SOURCE_URL:=https://codeload.github.com/FRRouting/frr/tar.gz/$(PKG_SOURCE_VERSION)?


-PKG_HASH:=bc4aa020f3725c499093ea3c98f9c21160fc1ae06439a698f39f6a9c55c2825a
+PKG_HASH:=9899f2c6ecb6cce5bf7d56ddb9fc137dd8388f7201a52595c93d33572092fcaf
 PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>

 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION)
--- a/net/frr/patches/997-reverse_python_test.patch
+++ b/net/frr/patches/997-reverse_python_test.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -833,7 +833,6 @@ fi
+@@ -835,7 +835,6 @@ fi
 #
 
 AS_IF([test "$host" = "$build"], [
--- a/net/frr/patches/999-thread_reverse.patch
+++ b/net/frr/patches/999-thread_reverse.patch
@ -1,6 +1,6 @@
 --- a/lib/thread.c
 +++ b/lib/thread.c
-@@ -867,13 +867,9 @@ static void thread_free(struct thread_ma
+@@ -870,13 +870,9 @@ static void thread_free(struct thread_ma
 	XFREE(MTYPE_THREAD, thread);
 }
 
@ -16,7 +16,7 @@
 	/*
 	 * If timer_wait is null here, that means poll() should block
 	 * indefinitely, unless the thread_master has overridden it by setting
-@@ -904,58 +900,15 @@ static int fd_poll(struct thread_master
+@@ -907,58 +903,15 @@ static int fd_poll(struct thread_master
 	rcu_assert_read_unlocked();
 
 	/* add poll pipe poker */
@ -82,7 +82,7 @@
 		while (read(m->io_pipe[0], &trash, sizeof(trash)) > 0)
 			;
 
-@@ -1762,7 +1715,7 @@ struct thread *thread_fetch(struct threa
+@@ -1768,7 +1721,7 @@ struct thread *thread_fetch(struct threa
 	struct timeval zerotime = {0, 0};
 	struct timeval tv;
 	struct timeval *tw = NULL;
@ -91,7 +91,7 @@
 	int num = 0;
 
 	do {
-@@ -1838,14 +1791,14 @@ struct thread *thread_fetch(struct threa
+@@ -1844,14 +1797,14 @@ struct thread *thread_fetch(struct threa
 
 		pthread_mutex_unlock(&m->mtx);
 		{
--- a/net/https-dns-proxy/Makefile
+++ b/net/https-dns-proxy/Makefile
@ -2,11 +2,11 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=https-dns-proxy
 PKG_VERSION:=2022-10-15
-PKG_RELEASE:=8
+PKG_RELEASE:=10

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
-PKG_SOURCE_DATE:=2022-10-15
+PKG_SOURCE_DATE:=$(PKG_VERSION)
 PKG_SOURCE_VERSION:=f52a85f3edabecfbab41d9244c63a1c6b8aaf49b
 PKG_MIRROR_HASH:=dd8a55255e8859a462fcfd736577fec40731b39a4783325640518745009b0dee
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
--- a/net/https-dns-proxy/files/https-dns-proxy.init
+++ b/net/https-dns-proxy/files/https-dns-proxy.init
@ -153,6 +153,7 @@ start_instance() {
 	procd_set_param stdout 1
 	procd_set_param respawn
 	procd_open_data
+	procd_add_mdns_service "$packageName" 'udp' "$port" "DNS over HTTPS proxy"
 	json_add_string url "$url"
 	if [ "$force_dns" -ne 0 ]; then
 		json_add_array firewall
@ -279,7 +280,7 @@ service_triggers() {

 service_started() { procd_set_config_changed firewall; }
 service_stopped() { procd_set_config_changed firewall; }
-restart() { procd_send_signal "$packageName"; }
+restart() { procd_send_signal "$packageName"; rc_procd start_service; }

 dnsmasq_doh_server() {
 	local cfg="$1" param="$2" address="${3:-127.0.0.1}" port="$4" i
--- a/net/modemmanager/Makefile
+++ b/net/modemmanager/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=modemmanager
-PKG_SOURCE_VERSION:=1.18.12
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_SOURCE_VERSION:=1.20.2
+PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git
-PKG_MIRROR_HASH:=5a32f90fc58345e2136f4196166a7a2b95a804a6b92adf1bfb5b7a1173a5b1a0
+PKG_MIRROR_HASH:=f138effc693456c5040ec22e17c0a8b41143c3b17b62437462995c297a9150dc

 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
 PKG_LICENSE:=GPL-2.0-or-later
@ -56,6 +56,7 @@ endef
 MESON_ARGS += \
 	-Dudev=false \
 	-Dudevdir=/lib/udev \
+	-Dtests=false \
 	-Dsystemdsystemunitdir=no \
 	-Dsystemd_suspend_resume=false \
 	-Dsystemd_journal=false \
--- a/net/natmap/Makefile
+++ b/net/natmap/Makefile
@ -0,0 +1,40 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=natmap
+PKG_VERSION:=20221203
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/heiher/natmap/releases/download/$(PKG_VERSION)
+PKG_HASH:=c7aa0bb1f3e057bf1fa987ad6166ba7c2e80510a89593e04f4fe0f36f1873338
+
+PKG_MAINTAINER:=Richard Yu <yurichard3839@gmail.com>
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=License
+
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/natmap
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=TCP/UDP port mapping tool for full cone NAT
+  URL:=https://github.com/heiher/natmap
+endef
+
+MAKE_FLAGS += REV_ID="$(PKG_VERSION)"
+
+define Package/natmap/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/bin/natmap $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/usr/lib/natmap/
+	$(INSTALL_BIN) ./files/natmap-update.sh $(1)/usr/lib/natmap/update.sh
+	$(INSTALL_DIR) $(1)/etc/config/
+	$(INSTALL_CONF) ./files/natmap.config $(1)/etc/config/natmap
+	$(INSTALL_DIR) $(1)/etc/init.d/
+	$(INSTALL_BIN) ./files/natmap.init $(1)/etc/init.d/natmap
+endef
+
+$(eval $(call BuildPackage,natmap))
--- a/net/natmap/files/natmap-update.sh
+++ b/net/natmap/files/natmap-update.sh
@ -0,0 +1,17 @@
+#!/bin/sh
+
+. /usr/share/libubox/jshn.sh
+
+(
+	json_init
+	json_add_string ip "$1"
+	json_add_int port "$2"
+	json_add_int inner_port "$4"
+	json_add_string protocol "$5"
+	json_dump > /var/run/natmap/$PPID.json
+)
+
+[ -n "${NOTIFY_SCRIPT}" ] && {
+	export -n NOTIFY_SCRIPT
+	exec "${NOTIFY_SCRIPT}" "$@"
+}
--- a/net/natmap/files/natmap.config
+++ b/net/natmap/files/natmap.config
@ -0,0 +1,12 @@
+config natmap
+	option enable '0'
+	option family ''
+	option udp_mode '1'
+	option interface ''
+	option interval ''
+	option stun_server 'stun.stunprotocol.org'
+	option http_server 'example.com'
+	option port '8080'
+	option forward_target ''
+	option notify_script ''
+
--- a/net/natmap/files/natmap.init
+++ b/net/natmap/files/natmap.init
@ -0,0 +1,112 @@
+#!/bin/sh /etc/rc.common
+
+START=99
+USE_PROCD=1
+
+NAME=natmap
+PROG=/usr/bin/$NAME
+
+STATUS_PATH=/var/run/natmap
+
+load_interfaces() {
+	config_get interface "$1" interface
+	config_get enable "$1" enable 1
+
+	[ "${enable}" = "1" ] && interfaces=" ${interface} ${interfaces}"
+}
+
+validate_section_natmap() {
+	uci_load_validate "${NAME}" natmap "$1" "$2" \
+		'enable:bool:1' \
+		'family:string' \
+		'udp_mode:bool:0' \
+		'interface:string' \
+		'interval:uinteger' \
+		'stun_server:host' \
+		'http_server:host' \
+		'port:port' \
+		'forward_target:host' \
+		'notify_script:file'
+}
+
+natmap_instance() {
+	[ "$2" = 0 ] || {
+		echo "validation failed"
+		return 1
+	}
+
+	[ "${enable}" = 0 ] && return 1
+
+	procd_open_instance "$1"
+	procd_set_param command "$PROG" \
+		${interval:+-k $interval} \
+		${stun_server:+-s "$stun_server"} \
+		${http_server:+-h "$http_server"}
+
+	[ "${family}" = ipv4 ] && procd_append_param command -4
+	[ "${family}" = ipv6 ] && procd_append_param command -6
+	[ "${udp_mode}" = 1 ] && procd_append_param command -u
+
+	[ -n "$interface" ] && {
+		local ifname
+
+		network_get_device ifname "$interface" || ifname="$interface"
+		procd_append_param command -i "$ifname"
+		procd_append_param netdev "$ifname"
+	}
+
+	if [ -n "$forward_target" ]; then
+		procd_append_param command -t "$forward_target" -p $port
+	else
+		procd_append_param command -b $port
+	fi
+
+	[ -n "${notify_script}" ] && procd_set_param env "NOTIFY_SCRIPT=${notify_script}"
+	procd_append_param command -e /usr/lib/natmap/update.sh
+
+	procd_set_param respawn
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+
+	procd_close_instance
+}
+
+clear_status_files() {
+	find "${STATUS_PATH}" -type f -print0 | xargs -0 rm -f --
+}
+
+service_triggers() {
+	local interfaces
+
+	procd_add_reload_trigger "${NAME}"
+
+	config_load "${NAME}"
+	config_foreach load_interfaces natmap
+
+	[ -n "${interfaces}" ] && {
+		for n in $interfaces ; do
+			procd_add_reload_interface_trigger $n
+		done
+	}
+
+	procd_add_validation validate_section_natmap
+}
+
+start_service() {
+	. /lib/functions/network.sh
+
+	mkdir -p "${STATUS_PATH}"
+	clear_status_files
+
+	config_load "${NAME}"
+	config_foreach validate_section_natmap natmap natmap_instance
+}
+
+reload_service() {
+	stop
+	start
+}
+
+service_stopped() {
+	clear_status_files
+}
--- a/net/natmap/test.sh
+++ b/net/natmap/test.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+"$1" 2>&1 | grep "$2"
--- a/net/pbr/Makefile
+++ b/net/pbr/Makefile
@ -0,0 +1,201 @@
+# Copyright 2017-2022 Stan Grishin (stangri@melmac.ca)
+# This is free software, licensed under the GNU General Public License v3.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=pbr
+PKG_VERSION:=1.0.0
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/pbr/default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=VPN
+  PROVIDES:=pbr
+  TITLE:=Policy Based Routing Service
+  URL:=https://docs.openwrt.melmac.net/pbr/
+  DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
+  CONFLICTS:=vpnbypass vpn-policy-routing
+  PROVIDES:=vpnbypass vpn-policy-routing
+  PKGARCH:=all
+endef
+
+define Package/pbr
+$(call Package/pbr/default)
+	TITLE+= with nft/nft set support
+	DEPENDS+=+firewall4 +kmod-nft-core +kmod-nft-nat +nftables-json
+endef
+
+define Package/pbr-iptables
+$(call Package/pbr/default)
+	TITLE+= with iptables/ipset support
+	DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt
+endef
+
+define Package/pbr-netifd
+$(call Package/pbr/default)
+	TITLE+= with netifd support
+endef
+
+define Package/pbr/description
+This service enables policy-based routing for WAN interfaces and various VPN tunnels.
+This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
+endef
+
+define Package/pbr-iptables/description
+This service enables policy-based routing for WAN interfaces and various VPN tunnels.
+This version supports OpenWrt with fw3/ipset/iptables.
+endef
+
+define Package/pbr-netifd/description
+This service enables policy-based routing for WAN interfaces and various VPN tunnels.
+This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
+This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
+endef
+
+define Package/pbr/conffiles
+/etc/config/pbr
+endef
+
+Package/pbr-iptables/conffiles = $(Package/pbr/conffiles)
+Package/pbr-netifd/conffiles = $(Package/pbr/conffiles)
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/pbr/default/install
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr
+	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN)  ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
+	$(INSTALL_DIR) $(1)/usr/share/pbr
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
+endef
+
+define Package/pbr/install
+$(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
+	$(INSTALL_DIR) $(1)/usr/share/nftables.d
+	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
+endef
+
+define Package/pbr-iptables/install
+$(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
+endef
+
+define Package/pbr-netifd/install
+$(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN)  ./files/etc/uci-defaults/91-pbr $(1)/etc/uci-defaults/91-pbr
+endef
+
+define Package/pbr/postinst
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		chmod -x /etc/init.d/pbr || true
+		fw4 -q reload || true
+		chmod +x /etc/init.d/pbr || true
+		echo -n "Installing rc.d symlink for pbr... "
+		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr/prerm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		uci -q delete firewall.pbr || true
+		echo "Stopping pbr service... "
+		/etc/init.d/pbr stop || true
+		echo -n "Removing rc.d symlink for pbr... "
+		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr/postrm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		fw4 -q reload || true
+	fi
+	exit 0
+endef
+
+define Package/pbr-iptables/postinst
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		echo -n "Installing rc.d symlink for pbr... "
+		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr-iptables/prerm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		uci -q delete firewall.pbr || true
+		echo "Stopping pbr service... "
+		/etc/init.d/pbr stop || true
+		echo -n "Removing rc.d symlink for pbr... "
+		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr-netifd/postinst
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		echo -n "Installing rc.d symlink for pbr... "
+		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
+	#	echo -n "Installing netifd support for pbr... "
+	#	/etc/init.d/pbr netifd install && echo "OK" || echo "FAIL"
+	#	echo -n "Restarting network... "
+	#	/etc/init.d/network restart && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr-netifd/prerm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		uci -q delete firewall.pbr || true
+		echo "Stopping pbr service... "
+		/etc/init.d/pbr stop || true
+	#	echo -n "Removing netifd support for pbr... "
+	#	/etc/init.d/pbr netifd remove && echo "OK" || echo "FAIL"
+		echo -n "Removing rc.d symlink for pbr... "
+		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+	#	echo -n "Restarting network... "
+	#	/etc/init.d/network restart && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+$(eval $(call BuildPackage,pbr))
+$(eval $(call BuildPackage,pbr-iptables))
+#$(eval $(call BuildPackage,pbr-netifd))
--- a/net/pbr/files/README.md
+++ b/net/pbr/files/README.md
@ -0,0 +1,3 @@
+# README
+
+README is available at [https://docs.openwrt.melmac.net/pbr/](https://docs.openwrt.melmac.net/pbr/).
--- a/net/pbr/files/etc/config/pbr
+++ b/net/pbr/files/etc/config/pbr
@ -0,0 +1,45 @@
+config pbr 'config'
+	option enabled '0'
+	option verbosity '2'
+	option strict_enforcement '1'
+	option resolver_set 'none'
+	option ipv6_enabled '0'
+	list ignored_interface 'vpnserver'
+	list ignored_interface 'wgserver'
+	option boot_timeout '30'
+	option rule_create_option 'add'
+	option procd_reload_delay '1'
+	option webui_show_ignore_target '0'
+	list webui_supported_protocol 'all'
+	list webui_supported_protocol 'tcp'
+	list webui_supported_protocol 'udp'
+	list webui_supported_protocol 'tcp udp'
+	list webui_supported_protocol 'icmp'
+
+config include
+	option path '/usr/share/pbr/pbr.user.aws'
+	option enabled 0
+
+config include
+	option path '/usr/share/pbr/pbr.user.netflix'
+	option enabled 0
+
+config policy
+	option name 'Plex/Emby Local Server'
+	option interface 'wan'
+	option src_port '8096 8920 32400'
+	option enabled '0'
+
+config policy
+	option name 'Plex/Emby Remote Servers'
+	option interface 'wan'
+	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
+	option enabled '0'
+
+config policy
+	option name 'WireGuard Server'
+	option interface 'wan'
+	option src_port '51820'
+	option chain 'OUTPUT'
+	option proto 'udp'
+	option enabled '0'
--- a/net/pbr/files/etc/config/pbr.iptables
+++ b/net/pbr/files/etc/config/pbr.iptables
@ -0,0 +1,45 @@
+config pbr 'config'
+	option enabled '0'
+	option verbosity '2'
+	option strict_enforcement '1'
+	option resolver_set 'dnsmasq.ipset'
+	option ipv6_enabled '0'
+	list ignored_interface 'vpnserver'
+	list ignored_interface 'wgserver'
+	option boot_timeout '30'
+	option rule_create_option 'add'
+	option procd_reload_delay '1'
+	option webui_show_ignore_target '0'
+	list webui_supported_protocol 'all'
+	list webui_supported_protocol 'tcp'
+	list webui_supported_protocol 'udp'
+	list webui_supported_protocol 'tcp udp'
+	list webui_supported_protocol 'icmp'
+
+config include
+	option path '/usr/share/pbr/pbr.user.aws'
+	option enabled 0
+
+config include
+	option path '/usr/share/pbr/pbr.user.netflix'
+	option enabled 0
+
+config policy
+	option name 'Plex/Emby Local Server'
+	option interface 'wan'
+	option src_port '8096 8920 32400'
+	option enabled '0'
+
+config policy
+	option name 'Plex/Emby Remote Servers'
+	option interface 'wan'
+	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
+	option enabled '0'
+
+config policy
+	option name 'WireGuard Server'
+	option interface 'wan'
+	option src_port '51820'
+	option chain 'OUTPUT'
+	option proto 'udp'
+	option enabled '0'
--- a/net/pbr/files/etc/hotplug.d/firewall/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/firewall/70-pbr
@ -0,0 +1,6 @@
+#!/bin/sh
+[ "$ACTION" = "reload" ] ||[ "$ACTION" = "restart" ] || exit 0
+if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
+	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
+	/etc/init.d/pbr reload
+fi
--- a/net/pbr/files/etc/hotplug.d/iface/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/iface/70-pbr
@ -0,0 +1,8 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3060
+[ -s /etc/openwrt_release ] && . /etc/openwrt_release
+[ "${DISTRIB_RELEASE//19.07}" = "$DISTRIB_RELEASE" ] && exit 0
+if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
+	logger -t pbr "Reloading pbr $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)"
+	/etc/init.d/pbr reload_interface "$INTERFACE"
+fi
--- a/net/pbr/files/etc/init.d/pbr.init
+++ b/net/pbr/files/etc/init.d/pbr.init
--- a/net/pbr/files/etc/uci-defaults/90-pbr
+++ b/net/pbr/files/etc/uci-defaults/90-pbr
@ -0,0 +1,34 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3037,SC3043
+
+readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
+
+# Transition from vpn-policy-routing
+if [ -s '/etc/config/vpn-policy-routing' ] && [ ! -s '/etc/config/pbr-opkg' ]; then
+	echo "Migrating vpn-policy-routing config file."
+	mv '/etc/config/pbr' '/etc/config/pbr-opkg'
+	sed 's/vpn-policy-routing/pbr/g' /etc/config/vpn-policy-routing > /etc/config/pbr
+	uci set vpn-policy-routing.config.enabled=0; uci commit vpn-policy-routing;
+fi
+
+# Transition from older versions of pbr
+sed -i 's/resolver_ipset/resolver_set/g' /etc/config/pbr
+sed -i 's/iptables_rule_option/rule_create_option/g' /etc/config/pbr
+sed -i "s/'FORWARD'/'forward'/g" /etc/config/pbr
+sed -i "s/'INPUT'/'input'/g" /etc/config/pbr
+sed -i "s/'OUTPUT'/'output'/g" /etc/config/pbr
+sed -i "s/'PREROUTING'/'prerouting'/g" /etc/config/pbr
+sed -i "s/'POSTROUTING'/'postrouting'/g" /etc/config/pbr
+sed -i "s/option fw_mask '0x\(.*\)'/option fw_mask '\1'/g" /etc/config/pbr
+sed -i "s/option wan_mark '0x\(.*\)'/option wan_mark '\1'/g" /etc/config/pbr
+
+uci -q batch <<-EOT
+	delete firewall.pbr
+	set firewall.pbr='include'
+	set firewall.pbr.fw4_compatible='1'
+	set firewall.pbr.type='script'
+	set firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
+	commit firewall
+EOT
+
+exit 0
--- a/net/pbr/files/etc/uci-defaults/91-pbr
+++ b/net/pbr/files/etc/uci-defaults/91-pbr
@ -0,0 +1,58 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3037,SC3043
+
+readonly packageName='pbr'
+readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
+
+pbr_iface_setup() {
+	local iface="${1}"
+	local proto
+	config_get proto "${iface}" proto
+	case "${iface}" in
+		(lan|loopback) return 0 ;;
+	esac
+	case "${proto}" in
+		(gre*|nebula|relay|vti*|vxlan|xfrm) return 0 ;;
+		(none)
+			uci -q set "network.${iface}_rt=route"
+			uci -q set "network.${iface}_rt.interface=${iface}"
+			uci -q set "network.${iface}_rt.target=0.0.0.0/0"
+			uci -q set "network.${iface}_rt6=route6"
+			uci -q set "network.${iface}_rt6.interface=${iface}"
+			uci -q set "network.${iface}_rt6.target=::/0"
+		;;
+	esac
+	echo -en "Setting up ${packageName} routing tables for ${iface}... "
+	uci -q set "network.${iface}.ip4table=${packageName}_${iface%6}"
+	uci -q set "network.${iface}.ip6table=${packageName}_${iface%6}"
+	if ! grep -q -E -e "^[0-9]+\s+${packageName}_${iface%6}$" /etc/iproute2/rt_tables; then
+		sed -i -e "\$a $(($(sort -r -n /etc/iproute2/rt_tables | grep -o -E -m 1 "^[0-9]+")+1))\t${packageName}_${iface%6}" \
+			/etc/iproute2/rt_tables
+	fi
+	echo -e "${__OK__}"
+}
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+config_load network
+config_foreach pbr_iface_setup interface
+network_flush_cache
+network_find_wan iface
+network_find_wan6 iface6
+# shellcheck disable=SC2154
+[ -n "$iface" ] && uci -q batch << EOF
+set network.default='rule'
+set network.default.lookup='${packageName}_${iface%6}'
+set network.default.priority='80000'
+EOF
+[ -n "$iface6" ] && uci -q batch << EOF
+set network.default6='rule6'
+set network.default6.lookup='${packageName}_${iface6%6}'
+set network.default6.priority='80000'
+EOF
+uci commit network
+echo -en "Restarting network... "
+/etc/init.d/network restart
+echo -e "${__OK__}"
+
+exit 0
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft
@ -0,0 +1 @@
+jump pbr_forward comment "Jump into pbr forward chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft
@ -0,0 +1 @@
+jump pbr_input comment "Jump into pbr input chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft
@ -0,0 +1 @@
+jump pbr_output comment "Jump into pbr output chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft
@ -0,0 +1 @@
+jump pbr_postrouting comment "Jump into pbr postrouting chain";
--- a/net/pbr/files/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft
@ -0,0 +1 @@
+jump pbr_prerouting comment "Jump into pbr prerouting chain";
--- a/net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft
+++ b/net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft
@ -0,0 +1,5 @@
+chain pbr_forward {}
+chain pbr_input {}
+chain pbr_output {}
+chain pbr_prerouting {}
+chain pbr_postrouting {}
--- a/net/pbr/files/usr/share/pbr/pbr.firewall.include
+++ b/net/pbr/files/usr/share/pbr/pbr.firewall.include
@ -0,0 +1,5 @@
+#!/bin/sh
+if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
+	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
+	/etc/init.d/pbr on_firewall_reload "$ACTION"
+fi
--- a/net/pbr/files/usr/share/pbr/pbr.user.aws
+++ b/net/pbr/files/usr/share/pbr/pbr.user.aws
@ -0,0 +1,33 @@
+#!/bin/sh
+# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
+
+TARGET_SET='pbr_wan_4_dst_ip_user'
+TARGET_IPSET='pbr_wan_4_dst_net_user'
+TARGET_TABLE='inet fw4'
+TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
+TARGET_DL_FILE="/var/pbr_tmp_aws_ip_ranges"
+TARGET_NFT_FILE="/var/pbr_tmp_aws_ip_ranges.nft"
+[ -z "$nft" ] && nft="$(command -v nft)"
+_ret=1
+
+if [ ! -s "$TARGET_DL_FILE" ]; then
+	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE"
+fi
+
+if [ -s "$TARGET_DL_FILE" ]; then
+	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
+		if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
+			_ret=0
+		fi
+	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
+		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
+		awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
+		printf " } " >> "$TARGET_NFT_FILE"
+		if "$nft" -f "$TARGET_NFT_FILE"; then
+			rm -f "$TARGET_NFT_FILE"
+			_ret=0
+		fi
+	fi
+fi
+
+return $_ret
--- a/net/pbr/files/usr/share/pbr/pbr.user.netflix
+++ b/net/pbr/files/usr/share/pbr/pbr.user.netflix
@ -0,0 +1,49 @@
+#!/bin/sh
+# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
+# Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
+# Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
+
+TARGET_SET='pbr_wan_4_dst_ip_user'
+TARGET_IPSET='pbr_wan_4_dst_net_user'
+TARGET_TABLE='inet fw4'
+TARGET_ASN='2906'
+TARGET_DL_FILE="/var/pbr_tmp_AS${TARGET_ASN}"
+TARGET_NFT_FILE="/var/pbr_tmp_AS${TARGET_ASN}.nft"
+#DB_SOURCE='ipinfo.io'
+#DB_SOURCE='api.hackertarget.com'
+DB_SOURCE='api.bgpview.io'
+[ -z "$nft" ] && nft="$(command -v nft)"
+_ret=1
+
+if [ ! -s "$TARGET_DL_FILE" ]; then
+	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
+		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_DL_FILE"
+	fi
+	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
+		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_DL_FILE"
+	fi
+	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
+		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE"
+	fi
+fi
+
+if [ -s "$TARGET_DL_FILE" ]; then
+	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
+			if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
+				_ret=0
+			fi
+	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
+		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
+		awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
+		printf " } " >> "$TARGET_NFT_FILE"
+		if "$nft" -f "$TARGET_NFT_FILE"; then
+			rm -f "$TARGET_NFT_FILE"
+			_ret=0
+		fi
+	fi
+fi
+
+return $_ret
--- a/net/vpn-policy-routing/test.sh
+++ b/net/vpn-policy-routing/test.sh
--- a/net/simple-adblock/Makefile
+++ b/net/simple-adblock/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=simple-adblock
 PKG_VERSION:=1.9.3
-PKG_RELEASE:=2
+PKG_RELEASE:=4
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 PKG_LICENSE:=GPL-3.0-or-later

--- a/net/simple-adblock/files/simple-adblock.init
+++ b/net/simple-adblock/files/simple-adblock.init
@ -62,7 +62,7 @@ readonly sharedMemoryError="/dev/shm/$packageName-error"
 readonly sharedMemoryOutput="/dev/shm/$packageName-output"
 readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
 readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
-readonly dnsmasqAddressFilter='\|^address=/[[:alnum:]_.-].*/#|!d'
+readonly dnsmasqOISDFilter='\|^server=/[[:alnum:]_.-].*/|!d'
 readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
 readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
 readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
@ -100,49 +100,60 @@ uci_changes() {
 ipset() { "$ipset" "$@" >/dev/null 2>&1; }
 nft() { "$nft" "$@" >/dev/null 2>&1; }

-get_status_text() {
-	local _ret
+get_text() {
+	local r
 	case "$1" in
-		statusNoInstall) _ret="$serviceName is not installed or not found";;
-		statusStopped) _ret="Stopped";;
-		statusStarting) _ret="Starting";;
-		statusRestarting) _ret="Restarting";;
-		statusForceReloading) _ret="Force Reloading";;
-		statusDownloading) _ret="Downloading";;
-		statusProcessing) _ret="Processing";;
-		statusError) _ret="Error";;
-		statusWarning) _ret="Warning";;
-		statusFail) _ret="Fail";;
-		statusSuccess) _ret="Success";;
+		errorConfigValidationFail) r="$packageName config validation failed";;
+		errorServiceDisabled) r="$packageName is currently disabled";;
+		errorNoDnsmasqIpset) 
+			r="dnsmasq ipset support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support ipset";;
+		errorNoIpset) 
+			r="dnsmasq ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type";;
+		errorNoDnsmasqNftset) 
+			r="dnsmasq nft set support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft set";;
+		errorNoNft) r="dnsmasq nft sets support is enabled in $packageName, but nft is not installed";;
+		errorMkdirFail) r="Unable to create directory for";;
+		errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";;
+		errorOutputDirCreate) r="failed to create directory for %s file";;
+		errorOutputFileCreate) r="failed to create $outputFile file";;
+		errorFailDNSReload) r="failed to restart/reload DNS resolver";;
+		errorSharedMemory) r="failed to access shared memory";;
+		errorSorting) r="failed to sort data file";;
+		errorOptimization) r="failed to optimize data file";;
+		errorAllowListProcessing) r="failed to process allow-list";;
+		errorDataFileFormatting) r="failed to format data file";;
+		errorMovingDataFile) r="failed to move data file '${A_TMP}' to '${outputFile}'";;
+		errorCreatingCompressedCache) r="failed to create compressed cache";;
+		errorRemovingTempFiles) r="failed to remove temporary files";;
+		errorRestoreCompressedCache) r="failed to unpack compressed cache";;
+		errorRestoreCache) r="failed to move '$outputCache' to '$outputFile'";;
+		errorOhSnap) r="failed to create block-list or restart DNS resolver";;
+		errorStopping) r="failed to stop $serviceName";;
+		errorDNSReload) r="failed to reload/restart DNS resolver";;
+		errorDownloadingConfigUpdate) r="failed to download Config Update file";;
+		errorDownloadingList) r="failed to download";;
+		errorParsingConfigUpdate) r="failed to parse Config Update file";;
+		errorParsingList) r="failed to parse";;
+		errorNoSSLSupport) r="no HTTPS/SSL support on device";;
+		errorCreatingDirectory) r="failed to create output/cache/gzip file directory";;
+
+		statusNoInstall) r="$serviceName is not installed or not found";;
+		statusStopped) r="Stopped";;
+		statusStarting) r="Starting";;
+		statusRestarting) r="Restarting";;
+		statusForceReloading) r="Force Reloading";;
+		statusDownloading) r="Downloading";;
+		statusProcessing) r="Processing";;
+		statusError) r="Error";;
+		statusWarning) r="Warning";;
+		statusFail) r="Fail";;
+		statusSuccess) r="Success";;
+
+		warningExternalDnsmasqConfig)
+			r="use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'";;
+		warningMissingRecommendedPackages) r="Some recommended packages are missing";;
 	esac
-	printf "%b" "$_ret"
-}
-get_error_text() {
-	local _ret
-	case "$1" in
-		errorOutputFileCreate) _ret="failed to create $outputFile file";;
-		errorFailDNSReload) _ret="failed to restart/reload DNS resolver";;
-		errorSharedMemory) _ret="failed to access shared memory";;
-		errorSorting) _ret="failed to sort data file";;
-		errorOptimization) _ret="failed to optimize data file";;
-		errorAllowListProcessing) _ret="failed to process allow-list";;
-		errorDataFileFormatting) _ret="failed to format data file";;
-		errorMovingDataFile) _ret="failed to move data file '${A_TMP}' to '${outputFile}'";;
-		errorCreatingCompressedCache) _ret="failed to create compressed cache";;
-		errorRemovingTempFiles) _ret="failed to remove temporary files";;
-		errorRestoreCompressedCache) _ret="failed to unpack compressed cache";;
-		errorRestoreCache) _ret="failed to move '$outputCache' to '$outputFile'";;
-		errorOhSnap) _ret="failed to create block-list or restart DNS resolver";;
-		errorStopping) _ret="failed to stop $serviceName";;
-		errorDNSReload) _ret="failed to reload/restart DNS resolver";;
-		errorDownloadingConfigUpdate) _ret="failed to download Config Update file";;
-		errorDownloadingList) _ret="failed to download";;
-		errorParsingConfigUpdate) _ret="failed to parse Config Update file";;
-		errorParsingList) _ret="failed to parse";;
-		errorNoSSLSupport) _ret="no HTTPS/SSL support on device";;
-		errorCreatingDirectory) _ret="failed to create output/cache/gzip file directory";;
-	esac
-	printf "%b" "$_ret"
+	echo "$r"
 }

 output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; }
@ -187,13 +198,15 @@ load_environment() {
 	local validation_result="$1" quiet="$2"

 	if [ "$validation_result" != '0' ]; then
-		output "${_ERROR_}: $packageName config validation failed!\\n"
+		json add error "errorConfigValidationFail"
+		output "${_ERROR_}: $(get_text 'errorConfigValidationFail')!\\n"
 		output "Please check if the '$packageConfigFile' contains correct values for config options.\\n"
 		return 1
 	fi

 	if [ "$enabled" -eq 0 ]; then
-		output "$packageName is currently disabled.\\n"
+		json add error "errorServiceDisabled"
+		output "${_ERROR_}: $(get_text 'errorServiceDisabled')!\\n"
 		output "Run the following commands before starting service again:\\n"
 		output "uci set ${packageName}.config.enabled='1'; uci commit $packageName;\\n"
 		return 1
@ -210,7 +223,8 @@ load_environment() {
 			dnsmasq.conf) :;;
 			*)
 				if [ -z "$quiet" ]; then
-					output "$_WARNING_: use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'!\\n"
+					json add warning "warningExternalDnsmasqConfig"
+					output "${_WARNING_}: $(get_text 'warningExternalDnsmasqConfig')!\\n"
 				fi
 			;;
 		esac
@ -230,13 +244,15 @@ load_environment() {
 		dnsmasq.ipset)
 			if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq ipset support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support ipset!\\n"
+					json add error "errorNoDnsmasqIpset"
+					output "${_ERROR_}: $(get_text 'errorNoDnsmasqIpset')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
 			if ! ipset help hash:net; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type!\\n"
+					json add error "errorNoIpset"
+					output "${_ERROR_}: $(get_text 'errorNoIpset')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
@ -244,13 +260,15 @@ load_environment() {
 		dnsmasq.nftset)
 			if dnsmasq -v 2>/dev/null | grep -q 'no-nftset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'nftset'; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq nft sets support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft sets!\\n"
+					json add error "errorNoDnsmasqNftset"
+					output "${_ERROR_}: $(get_text 'errorNoDnsmasqNftset')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
 			if [ -z "$nft" ]; then
 				if [ -z "$quiet" ]; then
-					output "$_ERROR_: dnsmasq nft sets support is enabled in $packageName, but nft is not installed!\\n"
+					json add error "errorNoNft"
+					output "${_ERROR_}: $(get_text 'errorNoNft')!\\n"
 				fi
 				dns='dnsmasq.servers'
 			fi
@ -335,8 +353,8 @@ load_environment() {

 	for i in "$outputFile" "$outputCache" "$outputGzip"; do
 		if ! mkdir -p "$(dirname "$i")"; then
-			output "$_ERROR_: Unable to create directory for $i!\\n"
-			json add error "errorOutputFileCreate"
+			json add error "errorOutputDirCreate" "$i"
+			output "${_ERROR_}: $(get_text 'errorMkdirFail' "$i")!\\n"
 		fi
 	done

@ -352,7 +370,8 @@ load_environment() {
 			is_present '/usr/libexec/sed-gnu' || s="$s sed"
 			is_present '/usr/libexec/sort-coreutils' || s="$s coreutils-sort"
 			if [ -z "$quiet" ]; then
-				output "$_WARNING_: Some recommended packages are missing, install them by running:\\n"
+				json add warning "errorOutputFileCreate" "${i}"
+				output "${_WARNING_}: $(get_text 'warningMissingRecommendedPackages'), install them by running:\\n"
 				output "$s;\\n"
 			fi
 	fi
@ -390,7 +409,8 @@ load_environment() {
 	cache 'test_gzip' && return 0
 	network_flush_cache; network_find_wan wan_if; network_get_gateway wan_gw "$wan_if";
 	[ -n "$wan_gw" ] && return 0
-	output "$_ERROR_: $serviceName failed to discover WAN gateway.\\n"; return 1;
+	json add error "errorNoWanGateway"
+	output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1;
 }

 resolver() {
@ -424,7 +444,7 @@ dns() {
 			if [ ! -s "$outputFile" ]; then
 				json set status "statusFail"
 				json add error "errorOutputFileCreate"
-				output "$_ERROR_: $(get_error_text 'errorOutputFileCreate')!\\n"
+				output "${_ERROR_}: $(get_text 'errorOutputFileCreate')!\\n"
 				return 1
 			fi

@ -473,7 +493,7 @@ dns() {
 				output_fail
 				json set status "statusFail"
 				json add error "errorDNSReload"
-				output "$_ERROR_: $(get_error_text 'errorDNSReload')!\\n"
+				output "${_ERROR_}: $(get_text 'errorDNSReload')!\\n"
 				return 1
 			fi
 		;;
@ -518,6 +538,9 @@ dns() {
 json() {
 # shellcheck disable=SC2034
 	local action="$1" param="$2" value="$3"
+	shift 3
+# shellcheck disable=SC2124
+	local extras="$@" line
 	local status message error stats
 	local reload restart curReload curRestart ret i
 	if [ -s "$jsonFile" ]; then
@ -549,10 +572,8 @@ json() {
 			esac
 		;;
 		add)
-			if [ -n "$(eval echo "\$$param")" ]; then
-				value="$(eval echo "\$$param") ${value}"
-			fi
-				eval "$param"='${value}'
+			line="$(eval echo "\$$param")"
+			eval "$param"='${line:+$line }${value}${extras:+|$extras}'
 		;;
 		del)
 			case "$param" in
@ -573,7 +594,7 @@ json() {
 					restart="$compressed_cache $force_dns $led $force_dns_port"
 				;;
 				*)
-					eval "$param"='$value';;
+					eval "$param"='${value}${extras:+|$extras}';;
 			esac
 		;;
 	esac
@ -637,7 +658,7 @@ process_url() {
 	if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then return 1; fi
 	label="${1##*//}"; label="${label%%/*}";
 	case "$2" in
-		dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqAddressFilter";;
+		dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqOISDFilter";;
 		domains) label="Domains: $label"; filter="$domainsFilter";;
 		hosts) label="Hosts:   $label"; filter="$hostsFilter";;
 	esac
@ -678,7 +699,7 @@ process_url() {
 download_dnsmasq_file() {
 	local hf allow_filter j=0 R_TMP

-	json set message "$(get_status_text "statusDownloading")..."
+	json set message "$(get_text "statusDownloading")..."
 	json set status "statusDownloading"

 	rm -f "$A_TMP" "$B_TMP" "$outputFile" "$outputCache" "$outputGzip"
@ -714,7 +735,7 @@ download_dnsmasq_file() {
 download_lists() {
 	local hf allow_filter j=0 R_TMP

-	json set message "$(get_status_text "statusDownloading")..."
+	json set message "$(get_text "statusDownloading")..."
 	json set status "statusDownloading"

 	rm -f "$A_TMP" "$B_TMP" "$outputFile" "$outputCache" "$outputGzip"
@ -775,7 +796,8 @@ $(cat $A_TMP)"

 	output 1 'Processing downloads '
 	output 2 'Sorting combined list '
-	json set message "$(get_status_text "statusProcessing"): sorting combined list"
+	json set status "statusProcessing"
+	json set message "$(get_text "statusProcessing"): sorting combined list"
 	if [ "$allow_non_ascii" -gt 0 ]; then
 		if sort -u "$B_TMP" > "$A_TMP"; then
 			output_ok
@ -799,7 +821,7 @@ $(cat $A_TMP)"
 		 [ "$dns" = 'unbound.adb_list' ]; then
 		# TLD optimization written by Dirk Brenken (dev@brenken.org)
 		output 2 'Optimizing combined list '
-		json set message "$(get_status_text "statusProcessing"): optimizing combined list"
+		json set message "$(get_text "statusProcessing"): optimizing combined list"
 # 	sed -E 'G;:t;s/(.*)(\.)(.*)(\n)(.*)/\1\4\5\2\3/;tt;s/(.*)\n(\.)(.*)/\3\2\1/' is actually slower than command below
 		if $awk -F "." '{for(f=NF;f>1;f--)printf "%s.",$f;print $1}' "$A_TMP" > "$B_TMP"; then
 			if sort "$B_TMP" > "$A_TMP"; then
@ -835,7 +857,7 @@ $(cat $A_TMP)"
 	fi

 	output 2 'Allowing domains '
-	json set message "$(get_status_text "statusProcessing"): allowing domains"
+	json set message "$(get_text "statusProcessing"): allowing domains"
 	if sed -i -E "$allow_filter" "$B_TMP"; then
 		output_ok
 	else
@ -844,7 +866,7 @@ $(cat $A_TMP)"
 	fi

 	output 2 'Formatting merged file '
-	json set message "$(get_status_text "statusProcessing"): formatting merged file"
+	json set message "$(get_text "statusProcessing"): formatting merged file"
 	if [ -z "$outputFilterIPv6" ]; then
 		if sed "$outputFilter" "$B_TMP" > "$A_TMP"; then
 			output_ok
@ -869,27 +891,27 @@ $(cat $A_TMP)"
 	case "$dns" in
 		dnsmasq.addnhosts)
 			output 2 'Creating dnsmasq addnhosts file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq addnhosts file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq addnhosts file"
 		;;
 		dnsmasq.conf)
 			output 2 'Creating dnsmasq config file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq config file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq config file"
 		;;
 		dnsmasq.ipset)
 			output 2 'Creating dnsmasq ipset file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq ipset file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq ipset file"
 		;;
 		dnsmasq.nftset)
 			output 2 'Creating dnsmasq nft set file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq nft set file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq nft set file"
 		;;
 		dnsmasq.servers)
 			output 2 'Creating dnsmasq servers file '
-			json set message "$(get_status_text "statusProcessing"): creating dnsmasq servers file"
+			json set message "$(get_text "statusProcessing"): creating dnsmasq servers file"
 		;;
 		unbound.adb_list)
 			output 2 'Creating Unbound adb_list file '
-			json set message "$(get_status_text "statusProcessing"): creating Unbound adb_list file"
+			json set message "$(get_text "statusProcessing"): creating Unbound adb_list file"
 		;;
 	esac

@ -901,7 +923,7 @@ $(cat $A_TMP)"
 	fi
 	if [ "$compressed_cache" -gt 0 ]; then
 		output 2 'Creating compressed cache '
-		json set message "$(get_status_text "statusProcessing"): creating compressed cache"
+		json set message "$(get_text "statusProcessing"): creating compressed cache"
 		if cache 'create_gzip'; then
 			output_ok
 		else
@ -912,7 +934,7 @@ $(cat $A_TMP)"
 		rm -f "$outputGzip"
 	fi
 	output 2 'Removing temporary files '
-	json set message "$(get_status_text "statusProcessing"): removing temporary files"
+	json set message "$(get_text "statusProcessing"): removing temporary files"
 	rm -f "/tmp/${packageName}_tmp.*" "$A_TMP" "$B_TMP" "$outputCache" || j=1
 	if [ $j -eq 0 ]; then
 		output_ok
@ -1183,7 +1205,7 @@ adb_start() {
 			else
 				output_failn
 				json add error "errorRestoreCompressedCache"
-				output "$_ERROR_: $(get_error_text 'errorRestoreCompressedCache')!\\n"
+				output "${_ERROR_}: $(get_text 'errorRestoreCompressedCache')!\\n"
 				action='download'
 			fi
 		fi
@ -1196,7 +1218,7 @@ adb_start() {
 			else
 				output_failn
 				json add error "errorRestoreCache"
-				output "$_ERROR_: $(get_error_text 'errorRestoreCache')!\\n"
+				output "${_ERROR_}: $(get_text 'errorRestoreCache')!\\n"
 				action='download'
 			fi
 		fi
@ -1342,7 +1364,7 @@ adb_status() {
 	if [ "$status" = "statusSuccess" ]; then
 		output "$stats "; output_okn;
 	else
-		[ -n "$status" ] && status="$(get_status_text "$status")"
+		[ -n "$status" ] && status="$(get_text "$status")"
 		if [ -n "$status" ] && [ -n "$message" ]; then 
 			status="${status}: $message"
 		fi
@ -1354,9 +1376,9 @@ adb_status() {
 			c="${c%|*}"
 			case "$c" in
 				errorDownloadingList|errorParsingList)
-					output "$_ERROR_: $(get_error_text "$c") $url!\\n";;
+					output "${_ERROR_}: $(get_text "$c") $url!\\n";;
 				*)
-					output "$_ERROR_: $(get_error_text "$c")!\\n";;
+					output "${_ERROR_}: $(get_text "$c")!\\n";;
 			esac
 			n=$((n+1))
 		done
@ -1382,7 +1404,7 @@ adb_stop() {
 			output 0 "$__FAIL__\\n"; output_fail;
 			json set status "statusFail"
 			json add error "errorStopping"
-			output "$_ERROR_: $(get_error_text 'errorStopping')!\\n"
+			output "${_ERROR_}: $(get_text 'errorStopping')!\\n"
 		fi
 	fi
 }
--- a/net/snort3/Makefile
+++ b/net/snort3/Makefile
@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=snort3
-PKG_VERSION:=3.1.47.0
-PKG_RELEASE:=1
+PKG_VERSION:=3.1.48.0
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
-PKG_HASH:=7565411db11b453a98f8bd88eeef0fa9f2e85416a8f595e710aa19c430228b8c
+PKG_HASH:=65df088a8cac11e59f0b71a7f98fc9d21eeb0e31d35280c470c985172947ebfe

 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
 PKG_LICENSE:=GPL-2.0-only
@ -90,7 +90,8 @@ define Package/snort3/install
 		$(PKG_INSTALL_DIR)/usr/include/snort/lua/snort_plugin.lua \
 		$(1)/usr/share/lua/

-	$(INSTALL_DIR) $(1)/etc/snort
+	$(INSTALL_DIR) $(1)/etc/snort/{rules,lists,builtin_rules,so_rules}
+
 	$(INSTALL_CONF) \
 		$(PKG_INSTALL_DIR)/usr/etc/snort/*.lua \
 		$(1)/etc/snort
@ -107,6 +108,25 @@ define Package/snort3/install
 	$(INSTALL_CONF) \
 		./files/snort.config \
 		$(1)/etc/config/snort
+	$(INSTALL_CONF) \
+		./files/local.lua \
+		$(1)/etc/snort
+	$(INSTALL_CONF) \
+		./files/homenet.lua \
+		$(1)/etc/snort
+	sed \
+		-i -e "/^EXTERNAL_NET\\s\\+=/ a include 'homenet.lua'" \
+		-e "/^HOME_NET\\s\\+=/ i -- we set HOME_NET and EXTERNAL_NET here or via an included file" \
+		-e 's/^\(HOME_NET\s\+=\)/--\1/g' \
+		-e 's/^\(EXTERNAL_NET\s\+=\)/--\1/g' \
+		$(1)/etc/snort/snort.lua
+	sed \
+		-i -e "s/^\\(RULE_PATH\\s\\+=\\).*/\\1 'rules'/g" \
+		-e "s/^\\(BUILTIN_RULE_PATH\\s\\+=\\).*/\\1 'builtin_rules'/g" \
+		-e "s/^\\(PLUGIN_RULE_PATH\\s\\+=\\).*/\\1 'so_rules'/g" \
+		-e "s/^\\(WHITE_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
+		-e "s/^\\(BLACK_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
+		$(1)/etc/snort/snort_defaults.lua
 endef

 $(eval $(call BuildPackage,snort3))
--- a/net/snort3/files/homenet.lua
+++ b/net/snort3/files/homenet.lua
@ -0,0 +1,3 @@
+-- setup HOME_NET below with your IP range/ranges to protect
+HOME_NET = [[ 192.168.1.0/24 10.1.0.1/24 ]]
+EXTERNAL_NET = "!$HOME_NET"
--- a/net/snort3/files/local.lua
+++ b/net/snort3/files/local.lua
@ -0,0 +1,52 @@
+-- use ths file to customize any functions defined in /etc/snort/snort.lua
+
+-- switch tap to inline in ips and uncomment the below to run snort in inline mode
+--snort = {}
+--snort["-Q"] = ''
+
+ips = {
+  mode = tap,
+  -- mode = inline,
+  variables = default_variables,
+  -- uncomment and change the below to reflect rules or symlinks to rules on your filesystem
+  -- include = RULE_PATH .. '/snort.rules',
+}
+
+daq = {
+  module_dirs = {
+    '/usr/lib/daq',
+  },
+  modules = {
+    {
+      name = 'afpacket',
+      mode = 'inline',
+    }
+  }
+}
+
+alert_syslog = {
+  level = 'info',
+}
+
+-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
+--output.logdir = '/var/log/snort'
+--alert_fast = {
+--  file = true,
+--  packet = false,
+--}
+
+normalizer = {
+  tcp = {
+    ips = true,
+  }
+}
+
+file_policy = {
+  enable_type = true,
+  enable_signature = true,
+  rules = {
+    use = {
+      verdict = 'log', enable_file_type = true, enable_file_signature = true
+    }
+  }
+}
--- a/net/snort3/files/snort.config
+++ b/net/snort3/files/snort.config
@ -1,4 +1,3 @@
 config snort 'snort'
 	option config_dir '/etc/snort/'
-	option alert_module 'alert_syslog'
 	option interface 'eth0'
--- a/net/snort3/files/snort.init
+++ b/net/snort3/files/snort.init
@ -9,7 +9,6 @@ PROG=/usr/bin/snort
 validate_snort_section() {
 	uci_validate_section snort snort "${1}" \
 		'config_dir:string' \
-		'alert_module:string' \
 		'interface:string'
 }

@ -22,7 +21,7 @@ start_service() {
 	}

 	procd_open_instance
-	procd_set_param command $PROG -q --daq-dir /usr/lib/daq/ -i "$interface" -c "$config_dir/snort.lua" -A "$alert_module"
+	procd_set_param command $PROG -q -i "$interface" -c "${config_dir%/}/snort.lua" --tweaks local
 	procd_set_param env SNORT_LUA_PATH="$config_dir"
 	procd_set_param file $CONFIGFILE
 	procd_set_param respawn
--- a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch
+++ b/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch
@ -0,0 +1,16 @@
+--- a/cmake/FindFlexLexer.cmake
+++ b/cmake/FindFlexLexer.cmake
+@@ -16,11 +16,11 @@ macro(FLEX NAME LEXER_IN LEXER_OUT)
+         COMPILE_FLAGS ${FLEX_FLAGS}
+     )
+ 
+-    # we use '+' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT
+    # we use '|' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT
+     add_custom_command(
+         OUTPUT ${LEXER_OUT}
+         COMMAND sed -e
+-            "s+void yyFlexLexer::LexerError+yynoreturn void yyFlexLexer::LexerError+;s+${LEXER_OUT}.tmp+${LEXER_OUT}+"
+            "s|void yyFlexLexer::LexerError|yynoreturn void yyFlexLexer::LexerError|;s|${LEXER_OUT}.tmp|${LEXER_OUT}|"
+             ${FLEX_${NAME}_OUTPUTS} > ${LEXER_OUT}
+         DEPENDS ${FLEX_${NAME}_OUTPUTS}
+         VERBATIM
--- a/net/snowflake/Makefile
+++ b/net/snowflake/Makefile
@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=snowflake
-PKG_VERSION:=2.3.1
+PKG_VERSION:=2.4.1
 PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
-PKG_MIRROR_HASH:=f83d48ebdbb3966856fdd1016a2ff4e57e63598182ad5e53ab5c31a7100ce6ee
+PKG_MIRROR_HASH:=91f32c3f56718ae35641c734aa061be138eb7c0d1bc88596b42e731e30aaa27a

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/net/stubby/Makefile
+++ b/net/stubby/Makefile
@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=stubby
-PKG_VERSION:=0.4.0
-PKG_RELEASE:=6
+PKG_VERSION:=0.4.2
+PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME)
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
-PKG_MIRROR_HASH:=bc5f604da1b70287a6c3d89eac2e13ce8bca52840e7b72ab098a3deeb9935082
+PKG_MIRROR_HASH:=0a40e3eec2ef86a83977b69f03bc63f232fe52ca15703273a0d097e64fa3bf05

 PKG_MAINTAINER:=
 PKG_LICENSE:=BSD-3-Clause
--- a/net/tailscale/Makefile
+++ b/net/tailscale/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=tailscale
-PKG_VERSION:=1.24.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=1.32.3
+PKG_RELEASE:=1

 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=f1fe7770b4e372ace47c5b0ac4cbe21af95c3a6fb1828ee4f407fcfe35b7958f
+PKG_HASH:=4cf88a1d754240ce71b29d3a65ca480091ad9c614ac99c541cef6fdaf0585dd4

 PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
@ -77,6 +77,7 @@ endef

 define Package/tailscaled/conffiles
 /etc/config/tailscale
+/etc/tailscale/tailscaled.state
 endef

 $(eval $(call BuildPackage,tailscale))
--- a/net/vallumd/Makefile
+++ b/net/vallumd/Makefile
@ -8,12 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=vallumd
-PKG_VERSION:=0.2.0
+PKG_VERSION:=0.2.2
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/stintel/vallumd/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=7c1baffa3f7889c9c6f2795aac134c50a309ef201764d5ce6bbbce5d657416c0
+PKG_SOURCE_URL:=https://codeberg.org/stintel/vallumd/archive/$(PKG_VERSION).tar.gz?
+PKG_HASH:=f88cafce41cc118862869268b5e6c9b315a6f084aa8a498d4484e9dac49c575c
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)

 PKG_MAINTAINER:=Stijn Tintel <stijn@linux-ipv6.be>
 PKG_LICENSE:=GPL-3.0
--- a/net/vallumd/patches/001-CMake-skip-git-magic-if-no-.git-dir-exists.patch
+++ b/net/vallumd/patches/001-CMake-skip-git-magic-if-no-.git-dir-exists.patch
@ -0,0 +1,78 @@
+From b70137d0cc62be7f43816a3ba33b7c3e6a2fbd4e Mon Sep 17 00:00:00 2001
+From: Stijn Tintel <stijn@linux-ipv6.be>
+Date: Fri, 18 Nov 2022 09:19:02 +0200
+Subject: [PATCH] CMake: skip git magic if no .git dir exists
+
+The checks to fail CMake if git describe isn't working break build when
+building from source tarballs.
+
+Test if there is a git directory, and completely skip the git magic if
+not.
+
+Fixes: f42e7beec46e ("CI: add explicit clone to fetch tags")
+Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
+---
+ CMakeLists.txt | 51 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -9,35 +9,36 @@ set (VERSION_MAJOR 0)
+ set (VERSION_MINOR 2)
+ set (VERSION_PATCH 2)
+ 
+-execute_process(COMMAND git describe --tags --dirty
+-		OUTPUT_VARIABLE GIT_DESCRIBE
+-		OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
+-execute_process(COMMAND git describe --abbrev=0
+-                OUTPUT_VARIABLE GIT_LAST_TAG
+-                OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
+if (EXISTS .git/)
+    execute_process(COMMAND git describe --tags --dirty
+            OUTPUT_VARIABLE GIT_DESCRIBE
+            OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
+    execute_process(COMMAND git describe --abbrev=0
+                    OUTPUT_VARIABLE GIT_LAST_TAG
+                    OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET)
+ 
+-string(LENGTH "${GIT_DESCRIBE}" GIT_DESCRIBE_LEN)
+-string(LENGTH "${GIT_LAST_TAG}" GIT_LAST_TAG_LEN)
+    string(LENGTH "${GIT_DESCRIBE}" GIT_DESCRIBE_LEN)
+    string(LENGTH "${GIT_LAST_TAG}" GIT_LAST_TAG_LEN)
+ 
+-if (GIT_DESCRIBE_LEN EQUAL 0 OR GIT_LAST_TAG_LEN EQUAL 0)
+-    message(FATAL_ERROR "git describe output empty")
+-endif ()
+    if (GIT_DESCRIBE_LEN EQUAL 0 OR GIT_LAST_TAG_LEN EQUAL 0)
+        message(FATAL_ERROR "git describe output empty")
+    endif ()
+ 
+-string(REGEX REPLACE "^${GIT_LAST_TAG}-" "" GIT_DESCRIBE_NOTAG "${GIT_DESCRIBE}")
+    string(REGEX REPLACE "^${GIT_LAST_TAG}-" "" GIT_DESCRIBE_NOTAG "${GIT_DESCRIBE}")
+ 
+-if (NOT "${GIT_DESCRIBE}" STREQUAL "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
+-    if ("${GIT_LAST_TAG}" VERSION_LESS
+-        "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
+-        string(REGEX REPLACE "^${GIT_LAST_TAG}-"
+-                "" VERSION_TWEAK "0-pre-${GIT_DESCRIBE_NOTAG}")
+-    else ()
+-	string(REGEX REPLACE
+-		"^${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-"
+-		"" VERSION_TWEAK "${GIT_DESCRIBE}")
+    if (NOT "${GIT_DESCRIBE}" STREQUAL "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
+        if ("${GIT_LAST_TAG}" VERSION_LESS
+            "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
+            string(REGEX REPLACE "^${GIT_LAST_TAG}-"
+                    "" VERSION_TWEAK "0-pre-${GIT_DESCRIBE_NOTAG}")
+        else ()
+        string(REGEX REPLACE
+            "^${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-"
+            "" VERSION_TWEAK "${GIT_DESCRIBE}")
+        endif ()
+     endif ()
+ endif ()
+ 
+-
+ configure_file (
+   "${PROJECT_SOURCE_DIR}/src/config.h.in"
+   "${PROJECT_BINARY_DIR}/config.h"
--- a/net/vpn-policy-routing/Makefile
+++ b/net/vpn-policy-routing/Makefile
@ -1,68 +0,0 @@
-# Copyright 2017-2018 Stan Grishin (stangri@melmac.net)
-# This is free software, licensed under the GNU General Public License v3.
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=vpn-policy-routing
-PKG_VERSION:=0.3.4
-PKG_RELEASE:=8
-PKG_LICENSE:=GPL-3.0-or-later
-PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/vpn-policy-routing
-	SECTION:=net
-	CATEGORY:=Network
-	TITLE:=VPN Policy-Based Routing Service
-	URL:=https://docs.openwrt.melmac.net/vpn-policy-routing/
-	DEPENDS:=+jshn +ipset +iptables +resolveip +kmod-ipt-ipset +iptables-mod-ipopt +ip-full
-	PKGARCH:=all
-endef
-
-define Package/vpn-policy-routing/description
-This service allows policy-based routing for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels and WAN interface.
-Policies can specify domains, local IPs/subnets and ports, as well as remote IPs/subnets and ports.
-endef
-
-define Package/vpn-policy-routing/conffiles
-/etc/config/vpn-policy-routing
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/vpn-policy-routing/install
-	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall $(1)/etc/
-	$(INSTALL_BIN) ./files/vpn-policy-routing.init $(1)/etc/init.d/vpn-policy-routing
-	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpn-policy-routing
-	$(INSTALL_CONF) ./files/vpn-policy-routing.config $(1)/etc/config/vpn-policy-routing
-	$(INSTALL_DATA) ./files/vpn-policy-routing.firewall.hotplug $(1)/etc/hotplug.d/firewall/70-vpn-policy-routing
-	$(INSTALL_DATA) ./files/vpn-policy-routing.aws.user $(1)/etc/vpn-policy-routing.aws.user
-	$(INSTALL_DATA) ./files/vpn-policy-routing.netflix.user $(1)/etc/vpn-policy-routing.netflix.user
-endef
-
-define Package/vpn-policy-routing/postinst
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		/etc/init.d/vpn-policy-routing enable
-	fi
-	exit 0
-endef
-
-define Package/vpn-policy-routing/prerm
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		echo "Stopping service and removing rc.d symlink for vpn-policy-routing"
-		/etc/init.d/vpn-policy-routing stop || true
-		/etc/init.d/vpn-policy-routing disable || true
-	fi
-	exit 0
-endef
-
-$(eval $(call BuildPackage,vpn-policy-routing))
--- a/net/vpn-policy-routing/files/README.md
+++ b/net/vpn-policy-routing/files/README.md
@ -1,3 +0,0 @@
-# README
-
-README has been moved to [https://docs.openwrt.melmac.net/vpn-policy-routing/](https://docs.openwrt.melmac.net/vpn-policy-routing/).
--- a/net/vpn-policy-routing/files/vpn-policy-routing.aws.user
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.aws.user
@ -1,19 +0,0 @@
-#!/bin/sh
-# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
-
-TARGET_IPSET='wan'
-
-TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
-TARGET_FNAME="/var/vpn-policy-routing_tmp_aws_ip_ranges"
-
-_ret=1
-
-if [ ! -s "$TARGET_FNAME" ]; then
-	curl "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_FNAME"
-fi
-if [ -s "$TARGET_FNAME" ]; then
-	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
-fi
-rm -f "$TARGET_FNAME"
-
-return $_ret
--- a/net/vpn-policy-routing/files/vpn-policy-routing.config
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.config
@ -1,30 +0,0 @@
-config vpn-policy-routing 'config'
-	option enabled '0'
-	option verbosity '2'
-	option strict_enforcement '1'
-	option src_ipset '0'
-	option dest_ipset '0'
-	option resolver_ipset 'dnsmasq.ipset'
-	option ipv6_enabled '0'
-	list ignored_interface 'vpnserver wgserver'
-	option boot_timeout '30'
-	option iptables_rule_option 'append'
-	option procd_reload_delay '1'
-	option webui_enable_column '0'
-	option webui_protocol_column '0'
-	option webui_chain_column '0'
-	option webui_show_ignore_target '0'
-	option webui_sorting '1'
-	list webui_supported_protocol 'tcp'
-	list webui_supported_protocol 'udp'
-	list webui_supported_protocol 'tcp udp'
-	list webui_supported_protocol 'icmp'
-	list webui_supported_protocol 'all'
-
-config include
-	option path '/etc/vpn-policy-routing.netflix.user'
-	option enabled 0
-
-config include
-	option path '/etc/vpn-policy-routing.aws.user'
-	option enabled 0
--- a/net/vpn-policy-routing/files/vpn-policy-routing.firewall.hotplug
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.firewall.hotplug
@ -1,6 +0,0 @@
-#!/bin/sh
-
-[ "$ACTION" = "reload" ] || exit 0
-
-logger -t "vpn-policy-routing" "Reloading vpn-policy-routing due to $ACTION of firewall"
-/etc/init.d/vpn-policy-routing reload
--- a/net/vpn-policy-routing/files/vpn-policy-routing.init
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.init
--- a/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user
+++ b/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user
@ -1,37 +0,0 @@
-#!/bin/sh
-# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
-# Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
-# Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
-
-TARGET_IPSET='wan'
-TARGET_ASN='2906'
-TARGET_FNAME="/var/vpn-policy-routing_tmp_AS${TARGET_ASN}"
-#DB_SOURCE='ipinfo.io'
-#DB_SOURCE='api.hackertarget.com'
-DB_SOURCE='api.bgpview.io'
-
-_ret=1
-
-if [ ! -s "$TARGET_FNAME" ]; then
-	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
-		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
-		curl "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_FNAME"
-	fi
-
-	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
-		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
-		curl "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_FNAME"
-	fi
-
-	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
-		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
-		curl -s "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME"
-	fi
-fi
-
-if [ -s "$TARGET_FNAME" ]; then
-	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
-fi
-rm -f "$TARGET_FNAME"
-
-return $_ret
--- a/net/vpnbypass/Makefile
+++ b/net/vpnbypass/Makefile
@ -1,69 +0,0 @@
-# Copyright 2017-2018 Stan Grishin (stangri@melmac.net)
-# This is free software, licensed under the GNU General Public License v3.
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=vpnbypass
-PKG_VERSION:=1.3.2
-PKG_RELEASE:=1
-PKG_LICENSE:=GPL-3.0-or-later
-PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/vpnbypass
-	SECTION:=net
-	CATEGORY:=Network
-	TITLE:=VPN Bypass Service
-	URL:=https://docs.openwrt.melmac.net/vpnbypass/
-	DEPENDS:=+ipset +iptables
-	PKGARCH:=all
-endef
-
-define Package/vpnbypass/description
-This service can be used to enable simple VPN split tunnelling.
-Supports accessing domains, IP ranges outside of your VPN tunnel.
-Also supports dedicating local ports/IP ranges for direct
-internet access (outside of your VPN tunnel).
-Please see the README for further information.
-endef
-
-define Package/vpnbypass/conffiles
-/etc/config/vpnbypass
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/vpnbypass/install
-	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall
-	$(INSTALL_BIN) ./files/vpnbypass.init $(1)/etc/init.d/vpnbypass
-	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpnbypass
-	$(INSTALL_CONF) ./files/vpnbypass.config $(1)/etc/config/vpnbypass
-	$(INSTALL_DATA) ./files/vpnbypass.hotplug $(1)/etc/hotplug.d/firewall/94-vpnbypass
-endef
-
-define Package/vpnbypass/postinst
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		/etc/init.d/vpnbypass enable
-	fi
-	exit 0
-endef
-
-define Package/vpnbypass/prerm
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		echo "Stopping service and removing rc.d symlink for vpnbypass"
-		/etc/init.d/vpnbypass stop || true
-		/etc/init.d/vpnbypass disable || true
-	fi
-	exit 0
-endef
-
-$(eval $(call BuildPackage,vpnbypass))
--- a/net/vpnbypass/files/README.md
+++ b/net/vpnbypass/files/README.md
@ -1,3 +0,0 @@
-# README
-
-README has been moved to [https://docs.openwrt.melmac.net/vpnbypass/](https://docs.openwrt.melmac.net/vpnbypass/).
--- a/net/vpnbypass/files/vpnbypass.config
+++ b/net/vpnbypass/files/vpnbypass.config
@ -1,5 +0,0 @@
-config vpnbypass 'config'
-	option enabled		'0'
-	list localport		'32400'
-	list localsubnet	'192.168.1.81/29'
-	list remotesubnet	'25.0.0.0/8'
--- a/net/vpnbypass/files/vpnbypass.hotplug
+++ b/net/vpnbypass/files/vpnbypass.hotplug
@ -1,2 +0,0 @@
-#!/bin/sh
-[ "$ACTION" = "reload" ] && /etc/init.d/vpnbypass reload
--- a/net/vpnbypass/files/vpnbypass.init
+++ b/net/vpnbypass/files/vpnbypass.init
@ -1,146 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright 2017-2020 Stan Grishin (stangri@melmac.net)
-# shellcheck disable=SC2039,SC1091,SC2086,SC3043,SC3057,SC3060
-PKG_VERSION='dev-test'
-
-# shellcheck disable=SC2034
-START=94
-# shellcheck disable=SC2034
-USE_PROCD=1
-
-if type extra_command 1>/dev/null 2>&1; then
-	extra_command 'version' 'Show version information'
-else
-# shellcheck disable=SC2034
-	EXTRA_COMMANDS='version'
-fi
-
-version() { echo "$PKG_VERSION"; }
-
-readonly __ERROR__='\033[0;31mERROR\033[0m'
-
-# shellcheck disable=SC2034
-serviceEnabled=0
-verbosity=2
-TID='200'
-IPSET='vpnbypass'
-FW_MARK='0x010000'
-FW_MASK='0xff0000'
-wan_if4=''
-wan_gw=''
-
-readonly packageName='vpnbypass'
-readonly serviceName="$packageName $PKG_VERSION"
-readonly sharedMemoryOutput="/dev/shm/$packageName-output"
-
-output() {
-# Can take a single parameter (text) to be output at any verbosity
-# Or target verbosity level and text to be output at specifc verbosity
-	local msg memmsg logmsg
-	if [ $# -ne 1 ]; then
-		if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
-	fi
-	[ -t 1 ] && printf "%b" "$1"
-	msg="${1//$serviceName /service }";
-	if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
-		[ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
-		logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
-		logger -t "${packageName:-service} [$$]" "$(printf "%b" "$logmsg")"
-		rm -f "$sharedMemoryOutput"
-	else
-		printf "%b" "$msg" >> "$sharedMemoryOutput"
-	fi
-}
-load_package_config() {
-	config_load "$packageName"
-	config_get_bool serviceEnabled 'config' 'enabled' 1
-	config_get verbosity           'config' 'verbosity' '2'
-	if [ -z "${verbosity##*[!0-9]*}" ] || [ "$verbosity" -lt 0 ] || [ "$verbosity" -gt 2 ]; then
-		verbosity=1
-	fi
-	. /lib/functions/network.sh
-}
-
-is_enabled() {
-	local sleepCount=1
-	load_package_config
-	while : ; do
-		network_find_wan wan_if4
-		[ "$serviceEnabled" -gt 0 ] || return 1
-		[ -n "$wan_if4" ] && network_get_gateway wan_gw "$wan_if4"
-		if [ $sleepCount -ge 25 ] || [ -n "$wan_gw" ]; then break; fi
-		output "$serviceName waiting for wan gateway...\\n"
-		sleep 2; network_flush_cache; sleepCount=$((sleepCount+1));
-	done
-	[ -n "$wan_gw" ] && return 0
-	output "$__ERROR__: $serviceName failed to discover WAN gateway.\\n"; return 1;
-}
-
-is_ovpn() { local dev i; for i in ifname device; do [ -z "$dev" ] && dev="$(uci -q get "network.${1}.${i}")"; done; if [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; then return 0; else return 1; fi; }
-is_wan() { if [ -n "$wan_if4" ] && [ "$1" = "$wan_if4" ]; then return 0; else return 1; fi; }
-is_supported_interface() { if is_wan "$1" || is_ovpn "$1"; then return 0; else return 1; fi; }
-
-ipt() {
-	local d; 
-	d="${*//-A/-D}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="${*//-I/-D}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="${*//-N/-F}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="${*//-N/-X}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="$*"; iptables $d >/dev/null 2>&1 || output "\\n$__ERROR__: iptables $d\\n"
-}
-
-start_service() {
-	local ll lports rports routes ranges
-	is_enabled || return 1
-	config_get lports   'config' 'localport'
-	config_get rports   'config' 'remoteport'
-	config_get routes   'config' 'remotesubnet'
-	config_get ranges   'config' 'localsubnet'
-
-	procd_open_instance "main"
-	procd_set_param command /bin/true
-	procd_set_param stdout 1
-	procd_set_param stderr 1
-	procd_close_instance
-
-	ip rule del fwmark "$FW_MARK" table "$TID" >/dev/null 2>&1; 
-	ipset -q flush "$IPSET"; ipset -q destroy "$IPSET";
-	ip route flush table "$TID"; ip route flush cache;
-	ip route add default via "$wan_gw" table "$TID"; ip route flush cache;
-	ip rule add fwmark "$FW_MARK" table "$TID"
-	ipset -q -exist create "$IPSET" hash:ip; ipset -q flush "$IPSET"
-	{ modprobe xt_set; modprobe ip_set; modprobe ip_set_hash_ip; } >/dev/null 2>&1
-	ipt -t mangle -D PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS >/dev/null 2>&1
-	{ ipt -t mangle -N VPNBYPASS; ipt -t mangle -A PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS; } >/dev/null 2>&1
-	ipt -t mangle -A VPNBYPASS -m set --match-set $IPSET dst -j MARK --set-mark ${FW_MARK}/${FW_MASK} >/dev/null 2>&1
-	for ll in ${ranges}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -s "$ll"; done
-	for ll in ${lports}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -p tcp -m multiport --sport "${ll//-/:}"; done
-	for ll in ${routes}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -d "$ll"; done
-	for ll in ${rports}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -p tcp -m multiport --dport "${ll//-/:}"; done
-	output "$serviceName started with TID: $TID; FW_MARK: $FW_MARK\\n"
-}
-
-stop_service() {
-	load_package_config
-	ip rule del fwmark "$FW_MARK" table "$TID" >/dev/null 2>&1; 
-	ipset -q flush "$IPSET"; ipset -q destroy "$IPSET";
-	ip route flush table "$TID"; ip route flush cache;
-	ipt -t mangle -D PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS >/dev/null 2>&1
-	{ ipt -t mangle -F VPNBYPASS; ipt -t mangle -X VPNBYPASS; } >/dev/null 2>&1
-	output "$serviceName stopped\\n"
-}
-
-service_triggers_load_interface() { is_supported_interface "$1" && ifaces="${ifaces}${1} "; }
-service_triggers() {
-	local ifaces n
-	config_load network; config_foreach service_triggers_load_interface 'interface';
-	procd_open_trigger
-		procd_add_reload_trigger 'openvpn'
-		if type procd_add_service_trigger 1>/dev/null 2>&1; then
-			procd_add_service_trigger "service.restart" "firewall" /etc/init.d/${packageName} reload
-		fi
-		procd_add_config_trigger "config.change" "${packageName}" /etc/init.d/${packageName} reload
-		for n in $ifaces; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/vpnbypass reload; done;
-		output "$serviceName monitoring interfaces: $ifaces\\n"
-	procd_close_trigger
-}
--- a/net/vpnbypass/test.sh
+++ b/net/vpnbypass/test.sh
@ -1,3 +0,0 @@
-#!/bin/sh
-
-/etc/init.d/"$1" version 2>&1 | grep "$2"
--- a/net/wget/Makefile
+++ b/net/wget/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=wget
 PKG_VERSION:=1.21.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
--- a/net/wget/patches/001-fix-nettle-ntml.patch
+++ b/net/wget/patches/001-fix-nettle-ntml.patch
@ -1,18 +0,0 @@
--- a/configure.ac
-+++ b/configure.ac
-@@ -630,6 +630,7 @@ then
-     AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
-   fi
- else
-+ if test x"$ENABLE_NTLM" != xno; then
-   PKG_CHECK_MODULES([NETTLE], nettle, [
-     HAVE_NETTLE=yes
-     LIBS="$NETTLE_LIBS $LIBS"
-@@ -651,6 +652,7 @@ else
-     ENABLE_NTLM=yes
-     AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
-   fi
-+ fi
- fi
- 
- dnl **********************************************************************
--- a/net/wget/patches/001-upstream-fix-disable-ntlm-1.patch
+++ b/net/wget/patches/001-upstream-fix-disable-ntlm-1.patch
@ -0,0 +1,25 @@
+From 485217d0ff8d0d17ea3815244b2bc2b747451e15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sat, 10 Dec 2022 16:43:38 +0100
+Subject: [PATCH] * configure.ac: Allow disabling NTLM if nettle present (Savannah #63431)
+
+---
+ configure.ac | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/configure.ac
+++ b/configure.ac
+@@ -648,8 +648,11 @@ else
+ 
+   if test x"$HAVE_NETTLE" = xyes; then
+     AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
+-    ENABLE_NTLM=yes
+-    AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
+    if test x"$ENABLE_NTLM" != xno
+    then
+      ENABLE_NTLM=yes
+      AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
+    fi
+   fi
+ fi
+ 
--- a/net/wget/patches/002-upstream-fix-disable-ntlm-2.patch
+++ b/net/wget/patches/002-upstream-fix-disable-ntlm-2.patch
@ -0,0 +1,65 @@
+From c69030a904f8ab25b9ca2704c8a6dd03554e9503 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 11 Dec 2022 13:31:38 +0100
+Subject: [PATCH] * configure.ac: Disable nettle if NTLM is explicitly disabled
+
+---
+ configure.ac | 41 +++++++++++++++++++----------------------
+ 1 file changed, 19 insertions(+), 22 deletions(-)
+
+--- a/configure.ac
+++ b/configure.ac
+@@ -622,34 +622,31 @@ AS_IF([test x"$with_ssl" = xopenssl], [
+ ]) # endif: --with-ssl == openssl?
+ 
+ dnl Enable NTLM if requested and if SSL is available.
+-if test x"$LIBSSL" != x || test "$ac_cv_lib_ssl32_SSL_connect" = yes
+if test x"$ENABLE_NTLM" != xno
+ then
+-  if test x"$ENABLE_NTLM" != xno
+  if test x"$LIBSSL" != x || test "$ac_cv_lib_ssl32_SSL_connect" = yes
+   then
+     ENABLE_NTLM=yes
+     AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
+-  fi
+-else
+-  PKG_CHECK_MODULES([NETTLE], nettle, [
+-    HAVE_NETTLE=yes
+-    LIBS="$NETTLE_LIBS $LIBS"
+-    CFLAGS="$NETTLE_CFLAGS $CFLAGS"
+-  ], [
+-    AC_CHECK_LIB(nettle, nettle_md4_init, [HAVE_NETTLE=yes], [HAVE_NETTLE=no; AC_MSG_WARN(*** libnettle was not found. You will not be able to use NTLM)])
+-    if test x"$HAVE_NETTLE" != xyes; then
+-      if  test x"$ENABLE_NTLM" = xyes; then
+-        AC_MSG_ERROR([NTLM authorization requested and SSL not enabled; aborting])
+-      fi
+-    else
+-      AC_SUBST(NETTLE_LIBS, "-lnettle")
+  else
+    PKG_CHECK_MODULES([NETTLE], nettle, [
+      HAVE_NETTLE=yes
+       LIBS="$NETTLE_LIBS $LIBS"
+-    fi
+-  ])
+      CFLAGS="$NETTLE_CFLAGS $CFLAGS"
+    ], [
+      AC_CHECK_LIB(nettle, nettle_md4_init, [HAVE_NETTLE=yes], [HAVE_NETTLE=no; AC_MSG_WARN(*** libnettle was not found. You will not be able to use NTLM)])
+      if test x"$HAVE_NETTLE" != xyes; then
+        if  test x"$ENABLE_NTLM" = xyes; then
+          AC_MSG_ERROR([NTLM authorization requested and SSL not enabled; aborting])
+        fi
+      else
+        AC_SUBST(NETTLE_LIBS, "-lnettle")
+        LIBS="$NETTLE_LIBS $LIBS"
+      fi
+    ])
+ 
+-  if test x"$HAVE_NETTLE" = xyes; then
+-    AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
+-    if test x"$ENABLE_NTLM" != xno
+-    then
+    if test x"$HAVE_NETTLE" = xyes; then
+      AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
+       ENABLE_NTLM=yes
+       AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization support compiled in.])
+     fi
--- a/utils/docker-compose/Makefile
+++ b/utils/docker-compose/Makefile
@ -1,14 +1,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=compose
-PKG_VERSION:=2.12.2
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=2.14.0
+PKG_RELEASE:=1
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE

 PKG_SOURCE:=v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/docker/compose/tar.gz/v${PKG_VERSION}?
-PKG_HASH:=311131c5d930fdb1f5e86de19ea2ad1705d23e5745b780c0b10b2eb3f964fc69
+PKG_HASH:=003efb3139298aa4795f7a9fa4723ef43c12b401c235fe0c93dd23cc2c6b5f2e

 PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>

--- a/utils/swig/Makefile
+++ b/utils/swig/Makefile
@ -7,12 +7,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=swig
-PKG_VERSION:=4.0.2
-PKG_RELEASE:=2
+PKG_VERSION:=4.1.1
+PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=d53be9730d8d58a16bf0cbd1f8ac0c0c3e1090573168bfa151b01eb47fa906fc
+PKG_HASH:=2af08aced8fcd65cdb5cc62426768914bedc735b1c250325203716f78e39ac9b

 PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>, Hirokazu MORIKAWA <morikw2@gmail.com>
 PKG_LICENSE:=GPL-3.0-or-later
--- a/utils/swig/patches/000-support_v12.patch
+++ b/utils/swig/patches/000-support_v12.patch
--- a/utils/xz/Makefile
+++ b/utils/xz/Makefile
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=xz
-PKG_VERSION:=5.2.7
+PKG_VERSION:=5.2.9
 PKG_RELEASE:=1

-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/lzmautils
-PKG_HASH:=8712e9acb0b6b49a97d443458a3067dc5c08a025e02dc5f773176c51dd7cfc69
+PKG_HASH:=b194507fba3a462a753c553149ccdaa168337bcb7deefddd067ba987c83dfce6

 PKG_MAINTAINER:=
 PKG_LICENSE:=Public-Domain LGPL-2.1-or-later GPL-2.0-or-later GPL-3.0-or-later
--- a/utils/zoneinfo/Makefile
+++ b/utils/zoneinfo/Makefile
@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=zoneinfo
-PKG_VERSION:=2022f
+PKG_VERSION:=2022g
 PKG_RELEASE:=1

 #As i couldn't find real license used "Public Domain"
@ -19,14 +19,14 @@ PKG_LICENSE:=Public Domain
 PKG_SOURCE:=tzdata$(PKG_VERSION).tar.gz
 PKG_SOURCE_CODE:=tzcode$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.iana.org/time-zones/repository/releases
-PKG_HASH:=9990d71f675d212567b931fe8aae1cab7027f89fefb8a79d808a6933a67af000
+PKG_HASH:=4491db8281ae94a84d939e427bdd83dc389f26764d27d9a5c52d782c16764478

 include $(INCLUDE_DIR)/package.mk

 define Download/tzcode
   FILE=$(PKG_SOURCE_CODE)
   URL=$(PKG_SOURCE_URL)
-   HASH:=e4543e90f84f91fa82809ea98930052fdbc13880c8a623ee3a4eaa42f8a64c15
+   HASH:=9610bb0b9656ff404c361a41f3286da53064b5469d84f00c9cb2314c8614da74
 endef

 $(eval $(call Download,tzcode))
				`@ -0,0 +1 @@`
				`jump pbr_forward comment "Jump into pbr forward chain";`
				`@ -0,0 +1 @@`
				`jump pbr_input comment "Jump into pbr input chain";`
				`@ -0,0 +1 @@`
				`jump pbr_output comment "Jump into pbr output chain";`
				`@ -0,0 +1 @@`
				`jump pbr_postrouting comment "Jump into pbr postrouting chain";`
				`@ -0,0 +1 @@`
				`jump pbr_prerouting comment "Jump into pbr prerouting chain";`