Merge Official Source

Signed-off-by: Tianling Shen <[email protected]>

Author: 1715173329

libs/libfmt/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libfmt
-PKG_VERSION:=11.1.2
+PKG_VERSION:=11.1.3
 PKG_RELEASE:=1
 
 PKG_SOURCE_NAME:=fmt
 PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/fmtlib/$(PKG_SOURCE_NAME)/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=d8773cf062cc806d4dd4df658111f15ba7a2c9c65db5084d2491696828b1eb97
+PKG_HASH:=67cd23ea86ccc359693e2ce1ba8d1bab533c02d743c09b15f3131102d0c2fc1c
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION)
 
 PKG_MAINTAINER:=Othmar Truniger <[email protected]>

libs/srt/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=srt
-PKG_VERSION:=1.5.3
+PKG_VERSION:=1.5.4
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/haivision/srt/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=befaeb16f628c46387b898df02bc6fba84868e86a6f6d8294755375b9932d777
+PKG_HASH:=d0a8b600fe1b4eaaf6277530e3cfc8f15b8ce4035f16af4a5eb5d4b123640cdd
 PKG_MAINTAINER:=Koen Vandeputte <[email protected]>
 
 PKG_LICENSE:=MPL-2.0

net/adblock/Makefile

@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=adblock
 PKG_VERSION:=4.2.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <[email protected]>
 
@@ -22,7 +22,7 @@ define Package/adblock
 endef
 
 define Package/adblock/description
-Powerful adblock solution to block ad/abuse domains via dnsmasq, unbound, named or kresd.
+Powerful adblock solution to block ad/abuse domains via dnsmasq, unbound, named, smartdns or kresd.
 The script supports many domain blacklist sites plus manual black- and whitelist overrides.
 Please see https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md for further information.
 

net/adblock/files/adblock.sh

@@ -133,8 +133,11 @@ f_load() {
 			if [ -z "${adb_repiface}" ]; then
 				network_get_device iface "lan"
 				[ -z "${iface}" ] && network_get_physdev iface "lan"
-				[ -n "${iface}" ] && adb_repiface="${iface}"
-				[ -n "${adb_repiface}" ] && { uci_set adblock global adb_repiface "${adb_repiface}"; f_uci "adblock"; }
+				if [ -n "${iface}" ]; then
+					adb_repiface="${iface}"
+					uci_set adblock global adb_repiface "${adb_repiface}"
+					f_uci "adblock"
+				fi
 			fi
 
 			if [ -n "${adb_repiface}" ] && [ -d "${adb_reportdir}" ]; then
@@ -342,7 +345,7 @@ f_dns() {
 			adb_dnsdeny="${adb_dnsdeny:-"${adb_awkcmd} '{print \"address /\"\$0\"/#\"}'"}"
 			adb_dnsallow="${adb_dnsallow:-"${adb_awkcmd} '{print \"address /\"\$0\"/-\"}'"}"
 			adb_dnssafesearch="${adb_dnssafesearch:-"${adb_awkcmd} -v item=\"\$item\" '{print \"cname /\"\$0\"/\"item\"\"}'"}"
-			adb_dnsstop="${adb_dnsstop:-"0"}"
+			adb_dnsstop="${adb_dnsstop:-"address #"}"
 			;;
 		"raw")
 			adb_dnscachecmd="-"
@@ -461,25 +464,21 @@ f_rmdns() {
 # commit uci changes
 #
 f_uci() {
-	local change config="${1}"
+	local config="${1}"
 
 	if [ -n "${config}" ]; then
-		change="$(uci -q changes "${config}" | "${adb_awkcmd}" '{ORS=" "; print $0}')"
-		if [ -n "${change}" ]; then
-			uci_commit "${config}"
-			case "${config}" in
-				"firewall")
-					"/etc/init.d/firewall" reload >/dev/null 2>&1
-					;;
-				"resolver")
-					printf "%b" "${adb_dnsheader}" >"${adb_dnsdir}/${adb_dnsfile}"
-					f_count
-					f_jsnup "running"
-					"/etc/init.d/${adb_dns}" reload >/dev/null 2>&1
-					;;
-			esac
-		fi
-		f_log "debug" "f_uci    ::: config: ${config}, change: ${change}"
+		uci_commit "${config}"
+		case "${config}" in
+			"firewall")
+				"/etc/init.d/firewall" reload >/dev/null 2>&1
+				;;
+			"resolver")
+				printf "%b" "${adb_dnsheader}" >"${adb_dnsdir}/${adb_dnsfile}"
+				f_count
+				f_jsnup "running"
+				"/etc/init.d/${adb_dns}" reload >/dev/null 2>&1
+				;;
+		esac
 	fi
 }
 
@@ -550,16 +549,28 @@ f_extconf() {
 		for zone in ${adb_zonelist}; do
 			for port in ${adb_portlist}; do
 				if ! printf "%s" "${fwcfg}" | "${adb_grepcmd}" -q "adblock_${zone}${port}[ |\$]"; then
-					uci -q batch <<-EOC
-						set firewall."adblock_${zone}${port}"="redirect"
-						set firewall."adblock_${zone}${port}".name="Adblock DNS (${zone}, ${port})"
-						set firewall."adblock_${zone}${port}".src="${zone}"
-						set firewall."adblock_${zone}${port}".proto="tcp udp"
-						set firewall."adblock_${zone}${port}".src_dport="${port}"
-						set firewall."adblock_${zone}${port}".dest_port="${port}"
-						set firewall."adblock_${zone}${port}".target="DNAT"
-						set firewall."adblock_${zone}${port}".family="any"
-					EOC
+					if [ "${port}" = "53" ]; then
+						uci -q batch <<-EOC
+							set firewall."adblock_${zone}${port}"="redirect"
+							set firewall."adblock_${zone}${port}".name="Adblock DNS (${zone}, ${port})"
+							set firewall."adblock_${zone}${port}".src="${zone}"
+							set firewall."adblock_${zone}${port}".proto="tcp udp"
+							set firewall."adblock_${zone}${port}".src_dport="${port}"
+							set firewall."adblock_${zone}${port}".dest_port="${port}"
+							set firewall."adblock_${zone}${port}".target="DNAT"
+							set firewall."adblock_${zone}${port}".family="any"
+						EOC
+					else
+						uci -q batch <<-EOC
+							set firewall."adblock_${zone}${port}"="rule"
+							set firewall."adblock_${zone}${port}".name="Adblock DNS (${zone}, ${port})"
+							set firewall."adblock_${zone}${port}".src="${zone}"
+							set firewall."adblock_${zone}${port}".proto="tcp udp"
+							set firewall."adblock_${zone}${port}".dest_port="${port}"
+							set firewall."adblock_${zone}${port}".target="REJECT"
+							set firewall."adblock_${zone}${port}".dest="*"
+						EOC
+					fi
 				fi
 				fwcfg="${fwcfg/adblock_${zone}${port}[ |\$]/}"
 			done
@@ -1058,8 +1069,8 @@ f_log() {
 	local class="${1}" log_msg="${2}"
 
 	if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${adb_debug}" = "1" ]; }; then
-		[ -x "${adb_loggercmd}" ] && "${adb_loggercmd}" -p "${class}" -t "adblock-${adb_ver}[${$}]" "${log_msg}" || \
-			printf "%s %s %s\n" "${class}" "adblock-${adb_ver}[${$}]" "${log_msg}"
+		[ -x "${adb_loggercmd}" ] && "${adb_loggercmd}" -p "${class}" -t "adblock-${adb_ver}[${$}]" "${log_msg::256}" || \
+			printf "%s %s %s\n" "${class}" "adblock-${adb_ver}[${$}]" "${log_msg::256}"
 		if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then
 			[ "${adb_action}" != "mail" ] && f_rmdns
 			f_jsnup "error"

net/banip/Makefile

@@ -5,8 +5,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=1.5.0
-PKG_RELEASE:=6
+PKG_VERSION:=1.5.1
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <[email protected]>
 

net/banip/files/README.md

@@ -86,7 +86,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
 * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
-* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
+* Supports an 'allowlist only' mode, this option restricts the internet access only to specific, explicitly allowed IP segments
 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
 * Optionally always allow certain protocols/destination ports in the inbound chain
 * Deduplicate IPs accross all Sets (single IPs only, no intervals)
@@ -174,7 +174,7 @@ Available commands:
 | ban_autoblocklist       | option | 1                             | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets)      |
 | ban_autoblocksubnet     | option | 0                             | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP               |
 | ban_autoallowuplink     | option | subnet                        | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all                                     |
-| ban_allowlistonly       | option | 0                             | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments             |
+| ban_allowlistonly       | option | 0                             | restrict the internet access only to specific, explicitly allowed IP segments                                     |
 | ban_allowflag           | option | -                             | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445'          |
 | ban_allowurl            | list   | -                             | external allowlist feed URLs, one or more references to simple remote IP lists                                    |
 | ban_basedir             | option | /tmp                          | base working directory while banIP processing                                                                     |
@@ -370,7 +370,7 @@ Furthermore, you can reference external Allowlist URLs with additional IPv4 and
 Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
 
 **Allowlist-only mode**  
-banIP supports an "allowlist only" mode. This option skips all blocklists and restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.  
+banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.  
 
 **MAC/IP-binding**
 banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments or to free connected clients from outbound blocking.  

net/banip/files/banip-functions.sh

@@ -99,14 +99,13 @@ ban_debug="0"
 f_system() {
 	local cpu core
 
-	if [ -z "${ban_dev}" ]; then
-		ban_debug="$(uci_get banip global ban_debug "0")"
-		ban_cores="$(uci_get banip global ban_cores)"
-	fi
+	ban_debug="$(uci_get banip global ban_debug "0")"
+	ban_cores="$(uci_get banip global ban_cores)"
 	ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
 	ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
 	ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' |
 		"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')"
+
 	if [ -z "${ban_cores}" ]; then
 		cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
 		core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)"
@@ -608,17 +607,17 @@ f_etag() {
 # load file in nftset
 #
 f_nftload() {
-	local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" load_log="" file="${1}" errmsg="${2}"
+	local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" file="${1}" errmsg="${2}"
 
 	while [ "${load_rc}" != "0" ]; do
-		load_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
+		"${ban_nftcmd}" -f "${file}" >/dev/null 2>&1
 		load_rc="${?}"
 		if [ "${load_rc}" = "0" ]; then
 			break
 		elif [ "${cnt}" = "${max_cnt}" ]; then
 			[ ! -d "${ban_errordir}" ] && f_mkdir "${ban_errordir}"
 			"${ban_catcmd}" "${file}" 2>/dev/null >"${ban_errordir}/err.${file##*/}"
-			f_log "info" "${errmsg}, ${load_log::256}"
+			f_log "info" "${errmsg}"
 			break
 		fi
 		cnt="$((cnt + 1))"
@@ -677,7 +676,7 @@ f_nftinit() {
 		printf "%s\n" "add table inet banIP"
 		# base chains
 		#
-		printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -199; policy accept; }"
+		printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -175; policy accept; }"
 		printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
 		printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
 		printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
@@ -1737,7 +1736,12 @@ f_survey() {
 		printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
 		return
 	fi
-	set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
+
+	if [ "$(uci_get banip global ban_nftcount)" = "1" ]; then
+		set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*].elem.val')"
+	else
+		set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
+	fi
 	printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
 	printf "    %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
 	printf "    %s\n" "---"
@@ -1866,7 +1870,6 @@ fi
 #
 ban_awkcmd="$(f_cmd gawk awk)"
 ban_catcmd="$(f_cmd cat)"
-ban_fw4cmd="$(f_cmd fw4)"
 ban_grepcmd="$(f_cmd grep)"
 ban_jsoncmd="$(f_cmd jsonfilter)"
 ban_logcmd="$(f_cmd logger)"

net/banip/files/banip-service.sh

@@ -29,10 +29,8 @@ f_rmdir "${ban_errordir}"
 
 # firewall/fw4 pre-check
 #
-if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
-	f_log "err" "firewall/fw4 not found"
-elif ! /etc/init.d/firewall status >/dev/null 2>&1; then
-	f_log "info" "firewall/fw4 is not running"
+if ! /etc/init.d/firewall status >/dev/null 2>&1; then
+	f_log "info" "the main firewall is not running"
 fi
 
 # init banIP nftables namespace
@@ -41,16 +39,14 @@ if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" list chain inet banIP pr
 	f_nftinit "${ban_tmpfile}".init.nft
 fi
 
-# handle downloads
+# start banIP processing
 #
 f_log "info" "start banIP download processes"
-if [ "${ban_allowlistonly}" = "1" ]; then
-	ban_feed=""
-else
-	f_getfeed
-fi
+f_getfeed
 [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
 
+# handle downloads
+#
 cnt="1"
 for feed in allowlist ${ban_feed} blocklist; do
 	# local feeds (sequential processing)

net/banip/files/banip.feeds

@@ -275,10 +275,12 @@
 		"descr": "tor exit nodes"
 	},
 	"turris":{
-		"url_4":"https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
-		"rule_4":"BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
+		"url_4": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
+		"url_6": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
+		"rule_4": "BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
+		"rule_6": "BEGIN{FS=\",\"}/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)/{printf \"%s,\\n\",$1}",
 		"chain": "in",
-		"descr":"turris sentinel blocklist"
+		"descr": "turris sentinel blocklist"
 	},
 	"uceprotect1":{
 		"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",

net/banip/files/banip.init

@@ -20,13 +20,24 @@ ban_funlib="/usr/lib/banip-functions.sh"
 ban_pidfile="/var/run/banip.pid"
 ban_lock="/var/run/banip.lock"
 
-[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
-{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
-[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
-[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
-{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
+if [ -z "${IPKG_INSTROOT}" ]; then
+	if [ "${action}" = "boot" ] && "${ban_init}" running; then
+		exit 0
+	elif { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] ||
+		[ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running; then
+		exit 0
+	fi
+	if [ ! -d "${ban_lock}" ] &&
+		{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
+		[ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
+		mkdir -p "${ban_lock}"	
+	elif [ -d "${ban_lock}" ] &&
+		{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
+		[ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
+		exit 1
+	fi
+	. "${ban_funlib}"
+fi
 
 boot() {
 	: >"${ban_pidfile}"