git.99rst.org Git - openwrt-packages.git/log

bsbf-bonding: add

bsbf-bonding configures the system for the BondingShouldBeFree bonding
solution client.

Signed-off-by: Chester A. Unal <redacted>

bsbf-usb-netdev-autodhcp: add

bsbf-usb-netdev-autodhcp creates a network with a DHCP client using a newly
created network interface. It uses metric values from 1 to 8.

Signed-off-by: Chester A. Unal <redacted>

bsbf-resources: add

bsbf-resources contains the resources for the BondingShouldBeFree bonding
solution client.

Signed-off-by: Chester A. Unal <redacted>

tcp-in-udp: add

TCP-in-UDP is a lightweight TCP in UDP tunnel utilising eBPF.

Signed-off-by: Chester A. Unal <redacted>

mstflint: update to 4.35.0-1

This commit updates the mstflint package
to the latest 4.35.0-1 release.

It also includes a patch to fix a build error
that has been merged into their development branch [1]
but is not inside the current release version.

Additionally, the new Python script mstgenerate_pgcb_commands
introduced in 4.35.0 has been added to the package.

Release notes:
https://github.com/Mellanox/mstflint/releases/tag/v4.35.0-1

[1] https://github.com/Mellanox/mstflint/pull/1568

Signed-off-by: Til Kaiser <redacted>

adblock: release 4.5.2‑1

* added a new firewall feature: the DNS‑Bridge.
  This temporary DNS bridge ensures that an external fallback DNS server
  is automatically used during local DNS restarts, providing Zero‑Downtime DNS resolution.
* The debug mode now captures internal error output in a dedicated log file,
  located by default in the adblock base directory as /tmp/adb_error.log.
* LuCI: exposed the previously missing adb_cores option (auto‑detected by default).
* LuCI: added support for the new DNS‑Bridge options (Zero‑Downtime during DNS restarts).

Signed-off-by: Dirk Brenken <redacted>

qbee-agent: bump version to 2026.10

Bump version to 2026.10

Signed-off-by: Jon Henrik Bjørnstad <redacted>

lxc: update to 6.0.6

6.0.5 is a bug fix release, see:
https://discuss.linuxcontainers.org/t/lxc-6-0-6-lts-has-been-released/26294

Full changelog: https://github.com/lxc/lxc/compare/v6.0.5...v6.0.6

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150 based box)

Signed-off-by: John Audia <redacted>

pbr: update to 1.2.2-r6

Update pbr from 1.2.1-r87 to 1.2.2-r6. This release
adds mwan4 (Multi-WAN) integration, a diagnostic
`support` command, IPv6 lease-to-nftset handling,
improved split-uplink detection, stricter UCI
validation, shell variable quoting fixes across 30+
locations, and a comprehensive 126-case test suite
with a full mock OpenWrt sysroot.

Signed-off-by: Stan Grishin <redacted>
---

- **31 files changed**, +1,745 / -227 lines
  (net +1,518)
- **1 commit**: `61c8923` —
  `pbr: update to 1.2.2-r6`

---

- Version bumped from `1.2.1-r87` to `1.2.2-r6`
- URL updated from `github.com/stangri/pbr/` to
  `github.com/mossdef-org/pbr/`
- No dependency changes

---

Three options changed from scalar to list type:

| Option              | Old Type | New Type |
|---------------------|----------|----------|
| `ignored_interface` | `option` | `list`   |
| `lan_device`        | `option` | `list`   |
| `resolver_instance` | `option` | `list`   |

Options reordered: scalars first, then lists,
matching UCI convention. No values changed.

---

The init script (`/etc/init.d/pbr`) received
significant additions and fixes across ~660 lines
(+443/-218).

Bumped from `24` to `25`.

**mwan4 (Multi-WAN) Integration (8 new functions):**
- `mwan4_is_installed()` — Detect mwan4 package
- `mwan4_is_running()` — Check service status
- `mwan4_get_iface_list()` — Get enabled interfaces
- `mwan4_get_strategy_list()` — Get strategies
- `mwan4_get_iface_mark_chain()` — Get nft mark
  chain for interface
- `mwan4_get_iface_nft_sets()` — Get nftset names
- `mwan4_get_strategy_chain()` — Get strategy chain
- `mwan4_get_mmx_mask()` — Get Multi-WAN mark mask

Enables PBR to coordinate with mwan4 for combined
policy routing and multi-WAN failover.

**Diagnostic `support` Command:**
- New `support()` function generates masked
  diagnostic output for troubleshooting
- `print_config_masked()` redacts sensitive data
  (passwords, keys, tokens, PSKs, endpoints)
  while preserving IP addresses and structure

**IPv6 Lease Handling:**
- New `ipv6_leases_to_nftset()` parses DHCPv6
  leases from `/tmp/hosts/odhcpd`
- Complements existing `ipv4_leases_to_nftset()`

**Split Uplink Detection (3 new functions):**
- `is_uplink4()` — Check IPv4 uplink interface
- `is_uplink6()` — Check IPv6 uplink interface
- `is_uplink()` — Unified check (v4 or v6)
- New `ipv6_default_lookup` variable for split
  IPv4/IPv6 uplink routing table assignment

**ubus Integration:**
- New `ubus_get_interface()` queries PBR gateway
  data via ubus

**Shell Variable Quoting (30+ locations):**
Systematic conversion of bare variable references
to brace-quoted syntax throughout the script:
- `$2` to `${2}` in string replacements
- `$_ret` to `${_ret}` in conditional expansions
- `$_mark` to `${_mark}` in nft rule generation
- `$nftset6` to `${nftset6}` in dnsmasq rules
- `$nft_set_timeout` to `${nft_set_timeout}`
- `$xrayIfacePrefix` to `${xrayIfacePrefix}`
- And many more across rule generation, output
  strings, and conditional expressions

**Specific Fixes:**
- `pbr_get_gateway6()`: Changed `is_wan` to
  `is_uplink4` for correct IPv4 uplink detection
- `is_netifd_interface()`: Now checks both
  `ip4table` and `ip6table` (was IPv4 only)
- `load_environment()`: Fixed inverted flag check
  (`-z` changed to `-n` for `loadEnvironmentFlag`)
- Dnsmasq instance detection: Fixed UCI section
  lookup with proper variable handling
- Help text URL: `#WarningMessagesDetails` changed
  to `#warning-messages-details` (kebab-case)

- `uplink_ip_rules_priority`: Changed from
  `uinteger` to `range(99,32765)` to enforce
  valid Linux routing policy DB bounds

Three options now use `config_get_list` instead of
`config_get` to support multiple values:
- `ignored_interface`
- `lan_device`
- `resolver_instance`

**Rule Cleanup Refactored:**
- Replaced complex awk-based rule parsing with
  priority-range approach
- Calculates `prio_min = priority - max_ifaces`
  and `prio_max = priority`, iterates and deletes
  rules within range
- Skips netifd-managed fwmark rules
- Added legacy rule cleanup for
  `suppress_prefixlength` entries

**Firewall Sync:**
- Added `fw4 -q reload` after successful nft file
  installation to ensure fw4 state synchronizes
  with PBR's nftables changes

**Resolver Instance Handling:**
- Added robustness checks in
  `_dnsmasq_instance_config()`: file existence
  check and instance validity check
- Better section name resolution with UCI query
- Added missing `setup` parameter in resolver
  instance setup calls

- `uci_get_device()` — Replaced with inline call
- `uci_get_protocol()` — Replaced with inline call

---

In `70-pbr`, fixed shell variable quoting:
```sh
${DEVICE:+ ($DEVICE)}
${DEVICE:+ (${DEVICE})}
```

---

In `pbr.user.netflix`, fixed two instances of
bare variable expansion in parameter substitution:
```sh
params="${params:+$params, }${p}"
params="${params:+${params}, }${p}"
```

---

A full test suite is added in `net/pbr/tests/`
(21 new files, ~1,300 lines) using the shunit2
framework with a complete mock OpenWrt sysroot.

**Runner (`run_tests.sh`):**
- Discovers test files via glob pattern
- Supports pattern-based filtering via CLI arg
- Executes each test in isolated bash subprocess
- Captures output, reports pass/fail with color
- Accumulates stats and lists failures at end
- Requires `shunit2` package

**Setup (`lib/setup.sh`):**
- Creates temporary mock sysroot (`$MOCK_ROOT`)
- Sets `IPKG_INSTROOT` for OpenWrt path resolution
- Installs mock libraries, configs, and binaries
- Stubs `rc.common`, procd, logger, resolveip,
  jsonfilter, pidof, sync
- Sources pbr init script with `readonly` keyword
  stripped (allows test overrides)
- Redirects all file paths to temp directories

**UCI Config API (`lib/mocks/functions.sh`):**
- Full `config_load` parser for UCI syntax
- `config_get`, `config_get_bool`,
  `config_get_list`, `config_foreach`,
  `config_list_foreach`
- `uci_set`, `uci_get`, `uci_add_list`,
  `uci_remove`, `uci_remove_list`, `uci_commit`
- Stores state in associative arrays

**Network API (`lib/mocks/network.sh`):**
- `network_get_device`, `network_get_physdev`,
  `network_get_gateway`, `network_get_gateway6`,
  `network_get_protocol`, `network_get_ipaddr`,
  `network_get_ip6addr`, `network_get_dnsserver`,
  `network_flush_cache`
- Backed by `MOCK_NET_*` variables that tests
  override to simulate different network states
- Pre-configured: wan (eth0/dhcp/192.168.1.1),
  wan6 (eth0/dhcpv6/fd00::1), wg0 (wireguard),
  lan (br-lan/static), loopback (lo/static)

**JSON Shell (`lib/mocks/jshn.sh`):**
- Minimal JSON-in-shell implementation
- `json_init`, `json_add_string/boolean/int`,
  `json_add_object/array`, `json_close_*`,
  `json_select`, `json_get_var`, `json_get_keys`,
  `json_dump`, `json_load`
- Associative array backend with path tracking

**Mock Binaries:**
- `nft` — Returns fw4 table structure with
  standard chains (input, forward, output,
  dstnat, mangle_*); passes syntax checks
- `dnsmasq` — Reports version with nftset support
- `readlink` — Returns `/usr/libexec/ip-full`
  for `*/sbin/ip` (simulates ip-full installed)

**Mock UCI Configs:**
- `pbr` — Full config: enabled, policies
  (vpn_all, vpn_gaming, disabled_policy),
  dns_policy, nft settings, interface lists
- `network` — Interfaces: loopback, lan, wan,
  wan6, wg0 (wireguard)
- `firewall` — Zones: lan (accept all),
  wan (reject input/forward)
- `dhcp` — DHCP server stub
- `system` — Hostname and timezone

**01_validation — Input Validation (67 cases):**

`01_ipv4_validation` (13 cases):
- Valid IPs: 192.168.1.1, 10.0.0.1, 172.16.0.1
- Valid CIDR: /8, /24, /32, /0
- Invalid: octets >255, wrong octet count,
  CIDR >32, IPv6 addresses, domain names

`02_ipv6_validation` (21 cases):
- Valid: ::1, fe80::1, 2001:db8::1, fd00::1,
  full addresses, ::/0
- Invalid: IPv4 addrs, plain strings, MACs
- Scope detection: global (2001:db8::/32),
  link-local (fe80::/10), ULA (fd00::/8)

`03_domain_validation` (8 cases):
- Host: single labels (router, host123)
- Hostname: multi-label (example.com,
  sub.example.com, deep.sub.example.com)
- Domain: FQDN or single-label
- Invalid: IPs, empty strings, MAC notation

`04_misc_validators` (25 cases):
- MAC addresses (colon notation, case variants)
- Integer validation (positive, not negative)
- Negation marker (! prefix detection)
- URL schemes (http, https, ftp, file://)
- Version comparison (is_greater,
  is_greater_or_equal)
- Family mismatch (IPv4/IPv6 mixing detection)

**02_string_utils — String Functions (8 cases):**

`01_str_functions`:
- `str_contains` — Substring search
- `str_contains_word` — Word-boundary search
- `str_to_lower` / `str_to_upper` — Case convert
- `str_first_word` — Token extraction
- `str_replace` — String substitution
- `str_extras_to_underscore` — Normalize delims
- `str_extras_to_space` — Expand delimiters

**03_wan_detection — Interface Detection
  (13 cases):**

`01_wan_types`:
- `is_wan4` — Detects wan/wanX, not wan6/lan/wg0
- `is_wan6` — Detects wan6/mwan6 (IPv6-aware)
- `is_wan6_disabled` — Disabled when ipv6 off
- `is_wan` — Unified v4+v6 detection
- `is_uplink4` / `is_uplink6` — Uplink detection
- `is_tor` — Case-insensitive tor detection
- `is_ignore_target` — Ignore target detection
- `is_list` — Comma/space list vs single value

**04_config — Configuration Loading (13 cases):**

`01_load_config` (7 cases):
- Default values from UCI config
- Hex value parsing (fw_mask, uplink_mark)
- XOR calculation (fw_maskXor = ~fw_mask)
- List parsing (ignored_interface, resolver)
- nft parameters (auto-merge, flags)
- Config-loaded flag tracking

`02_disabled_service` (2 cases):
- Disabled: enabled option becomes unset
- Enabled: enabled option is set

`03_config_ipv6` (4 cases):
- IPv6 enabled: config and uplink interface set
- IPv6 disabled: both unset
- Reload behavior verification

**05_nft — nftables Integration (14 cases):**

`01_nft_file_operations` (8 cases):
- File creation with nft shebang
- Chain creation (dstnat, forward, output,
  prerouting)
- Jump rules and guard rules
- File append, content search, file deletion

`02_nft_check_element` (6 cases):
- fw4 table existence
- Chain existence (input, forward, output,
  dstnat, mangle_*)
- Non-existent chain detection

**06_network — Network Functions (11 cases):**

`01_gateway_discovery` (4 cases):
- IPv4 gateway from mock (192.168.1.1)
- IPv4 gateway fallback (ip addr parsing)
- IPv6 gateway from mock (fd00::1)
- Interface finding for uplinks

`02_supported_interfaces` (7 cases):
- Ignored: loopback in ignored list
- LAN detection vs non-LAN
- Uplink support (wan is supported)
- LAN/loopback not supported
- Wireguard supported (wg0)
- Explicit custom interface support

---

```sh
cd net/pbr/tests && sh run_tests.sh
```

Requires: `bash`, `shunit2`.
Optional filter: `sh run_tests.sh 01_validation`

Signed-off-by: Stan Grishin <redacted>

adblock-fast: update to 1.2.2-r6

Update adblock-fast from 1.2.1-r7 to 1.2.2-r6. This is a major
architectural rewrite that ports the core business logic from a ~2,700-line
monolithic shell script (`/etc/init.d/adblock-fast`) to a ~2,850-line ucode
module (`/lib/adblock-fast/adblock-fast.uc`), reducing the init script to a
thin ~130-line procd wrapper. The rewrite also introduces a comprehensive
test suite and adds the AGPL-3.0-or-later LICENSE file.

---

- **36 files changed**, +5,787 / -2,836 lines (net +2,951)
- **1 commit**: `0263b2b` — `adblock-fast: update to 1.2.2-r6`

---

The previous implementation embedded all business logic (download pipeline,
domain processing, resolver configuration, status reporting, caching)
inside the init.d script as a ~2,700-line POSIX shell script. This made the
code difficult to test, maintain, and extend. Shell limitations (no native
data structures, reliance on subshell `eval`, global namespace pollution)
also introduced fragility and performance overhead from repeated subprocess
spawning for UCI/ubus operations.

```
/etc/init.d/adblock-fast          (131 lines) — Thin procd wrapper
/lib/adblock-fast/adblock-fast.uc (2849 lines) — Core logic (ucode)
/lib/adblock-fast/cli.uc          (95 lines)  — CLI action dispatcher
```

The init script now delegates all operations to the ucode module via:
```sh
readonly _ucode="ucode -S -L /lib/${packageName} /lib/${packageName}/cli.uc --"
```

The CLI dispatcher (`cli.uc`) maps init script actions (start, stop,
status, allow, check, pause, etc.) to the module's exported functions.
The init script retains only procd lifecycle glue (`start_service`,
`stop_service`, `service_triggers`, `service_data`) and UCI validation
schemas.

1. **Native UCI/ubus bindings** — Direct `cursor()` and `connect()` calls
   replace subprocess-heavy `uci get/set` and `jsonfilter` pipelines
2. **Proper data structures** — Objects and arrays for config, status
   tracking, DNS mode definitions; no more string-concatenation state
   management
3. **Streaming I/O** — 64KB chunked file reads for blocklist processing
   instead of loading entire files into memory via pipes
4. **Memoized environment detection** — Platform capabilities (installed
   resolvers, ipset/nftset support, downloader detection) cached on first
   call
5. **Centralized trigger logic** — Config diff comparison
   (`adb_config_cache()`) determines download/restart/skip in one place
6. **Testable** — Module exports enable direct unit testing without mocking
   an entire init system

---

- `+ucode` — ucode interpreter runtime
- `+ucode-mod-fs` — Filesystem operations (readfile, writefile, popen,
  stat, etc.)
- `+ucode-mod-uci` — Native UCI cursor API
- `+ucode-mod-ubus` — Native ubus RPC API

- `+jshn` — No longer needed (was used for JSON parsing in shell)

- URL updated from `github.com/stangri/adblock-fast/` to
  `github.com/mossdef-org/adblock-fast/`
- Install target now installs `/lib/adblock-fast/adblock-fast.uc` and
  `/lib/adblock-fast/cli.uc` alongside the init script
- Version stamp now patches the ucode module
  (`version:` field) instead of init script (`PKG_VERSION` variable)
- `postinst` script removed (service enable handled elsewhere)
- `prerm` script simplified: only purges cache, no longer
  stops service or removes rc.d symlinks (handled by procd)

---

The module supports all existing DNS resolver integrations through a
unified `dns_modes{}` configuration map. Each mode defines output file
paths, gzip cache names, sed format/parse filters, and grep patterns:

| Mode                 | Output Format                                    |
|----------------------|--------------------------------------------------|
| `dnsmasq.addnhosts`  | `127.0.0.1 domain` (+ `:: domain` with IPv6)    |
| `dnsmasq.conf`       | `local=/domain/`                                 |
| `dnsmasq.ipset`      | `ipset=/domain/adb`                              |
| `dnsmasq.nftset`     | `nftset=/domain/4#inet#fw4#adb4[,6#...]`         |
| `dnsmasq.servers`    | `server=/domain/` (block) / `server=/domain/#` (allow) |
| `smartdns.domainset` | Raw domain (with smartdns conf wrapper)          |
| `smartdns.ipset`     | Raw domain (with smartdns ipset conf)            |
| `smartdns.nftset`    | Raw domain (with smartdns nftset conf)           |
| `unbound.adb_list`   | `local-zone: "domain." always_nxdomain`          |

The download pipeline auto-detects blocklist format from content:

| Format       | Detection                           | Example                    |
|--------------|-------------------------------------|----------------------------|
| AdBlock Plus | `[Adblock Plus]` header / `^||`     | `\|\|example.com^`         |
| dnsmasq      | `^server=`                          | `server=/example.com/`     |
| dnsmasq2     | `^local=`                           | `local=/example.com/`      |
| dnsmasq3     | `^address=`                         | `address=/example.com/0.0.0.0` |
| hosts        | `^0.0.0.0\s` or `^127.0.0.1\s`     | `0.0.0.0 example.com`     |
| domains      | (fallback — plain domain list)      | `example.com`              |

```
For each file_url UCI section:
  → Download URL (curl with retries, timeout, optional max-file-size)
  → Auto-detect format → Apply format-specific sed filter → Extract domains
  → Append to accumulator (blocked or allowed)

Merge phase:
  → sort -u (deduplicate)
  → Subdomain optimization (awk label-reverse → sort → dedup → reverse)
  → Remove allowed domains (sed -f generated_script)
  → Inject canary domains (iCloud Private Relay, Mozilla DoH)
  → Inject manually blocked_domain entries from config
  → Format for target DNS resolver
  → Optional validity check (remove malformed entries)
  → Atomic rename to output file

Resolver phase:
  → Update resolver config (UCI: addnhosts, conf-dir, server files)
  → Sanity check (dnsmasq --test)
  → Restart resolver service
  → Heartbeat probe (resolve canary domain to verify blocking)
  → Revert on failure
```

| Function              | Purpose                                              |
|-----------------------|------------------------------------------------------|
| `start(args)`         | Main lifecycle: download, restore from cache, or restart |
| `stop()`              | Disable blocking, flush kernel state, cleanup        |
| `status_service()`    | Report status to syslog/ubus                         |
| `allow(domain)`       | Whitelist domain in live blocklist + UCI config       |
| `check(pattern)`      | Search current blocklist for domain                  |
| `check_tld()`         | Detect TLD entries (sanity check)                    |
| `check_leading_dot()` | Detect leading-dot errors                            |
| `check_lists(domain)` | Search upstream list URLs for domain                 |
| `dl()`                | Force re-download all lists                          |
| `killcache()`         | Purge all cached files                               |
| `pause(seconds)`      | Temporarily disable blocking                         |
| `show_blocklist()`    | Output parsed blocklist to stdout                    |
| `sizes()`             | Fetch/display configured blocklist file sizes        |
| `get_init_status()`   | Full service state for UI/RPC clients                |
| `get_init_list()`     | Enabled/disabled status                              |
| `get_platform_support()` | Detect installed resolvers and features           |
| `get_file_url_filesizes()` | Return cached/live URL metadata                |

- 40+ localized message codes (e.g., `errorDownloadingList`,
  `errorConfigValidationFail`, `warningSanityCheckTLD`)
- Errors/warnings accumulated in `status_data{}` arrays
- Synced atomically to ubus service data for UI consumption
- Status states: `statusSuccess`, `statusFail`, `statusDownloading`,
  `statusProcessing`, `statusRestarting`, `statusPaused`

---

The init script (`/etc/init.d/adblock-fast`) is reduced from ~2,700 to ~130
lines. It now serves exclusively as a procd service wrapper:

- **procd lifecycle**: `start_service()` calls ucode `start`, captures
  shell output for `service_data()`; `stop_service()` calls ucode `stop`
- **Service triggers**: WAN interface triggers, config change triggers, UCI
  validation (unchanged from previous version)
- **Extra commands**: `allow`, `check`, `check_tld`, `check_leading_dot`,
  `check_lists`, `dl`, `killcache`, `pause`, `show_blocklist`, `sizes`,
  `version` — all delegate directly to ucode CLI dispatcher
- **procd data bridge**: `emit_procd_shell()` in ucode generates shell
  statements that the init script `eval`s for `service_data()` and
  `service_stopped()`/`service_started()` hooks (firewall restart flag)

---

The `90-adblock-fast` uci-defaults script is simplified from 181 to 65
lines:

- **Removed**: Entire `simple-adblock` migration path (config, cache files,
  URL lists). This migration was for the initial transition from
  simple-adblock to adblock-fast and is no longer needed.
- **Retained**: List name migration (adds `name` option to `file_url`
  sections that lack one, using pristine default config as reference),
  config key renames (`debug` → `debug_init_script`, `proc_debug` →
  `debug_performance`, `sanity_check` → `dnsmasq_sanity_check`)
- **Simplified**: Uses direct `uci` commands instead of sourcing the init
  script for `uci_get`/`uci_set` helpers. Pristine config lookup now
  supports both apk (`.apk-new`) and opkg (`-opkg`) package manager
  conventions.

---

A full test suite is added in `net/adblock-fast/tests/` (16 new files,
~1,800 lines) mock-and-expect pattern.

- **Module patching**: Converts ES6 imports to CommonJS requires, redirects
  hardcoded system paths to temp directories for isolation
- **Resolver stubs**: Mock binaries for dnsmasq (v2.89), smartdns, unbound,
  ipset, nft, resolveip
- **Test case format**: Markup-based (`-- Testcase --`,
  `-- Environment --`, `-- Expect stdout --`, `-- File path --`) with
  support for inline test data and per-test environment overrides
- **Assertion model**: Compares stdout, stderr, and exit code against
  expected values using `diff -u`
- **Shell validation**: Syntax-checks init.d and uci-defaults scripts via
  `sh -n`
- **Automatic cleanup**: Trap-based temp directory removal

**UCI Mock** (`tests/lib/mocklib/uci.uc`):
- Full `cursor()` interface: `load`, `get`, `get_all`, `foreach`, `set`,
  `delete`, `list_add`, `list_remove`, `commit`, `changes`
- Loads JSON fixtures from `tests/mocks/uci/` (adblock-fast, dhcp, network,
  smartdns, unbound configs)
- Supports `@type[index]` extended section addressing

**ubus Mock** (`tests/lib/mocklib/ubus.uc`):
- `connect()` → `call(object, method, args)` with signature-based fixture
  lookup
- Fixtures in `tests/mocks/ubus/` (system info, network interface
  dump/status, dnsmasq service list)

**System Call Interception** (`tests/lib/mocklib.uc`):
- Blocks service operations: `/etc/init.d/*`, `logger`, `sleep`,
  `dnsmasq --test`
- Passes through data processing: `sed`, `sort`, `grep`, `awk`
- Fixed timestamp (`1615382640`) for reproducible output
- Null `getenv()` for environment isolation

**01_pipeline** — Data processing pipeline (9 tests):
1. `01_all_dns_modes` — Verifies all 9 DNS output modes produce valid,
   deduplicated output (~162-165 domains from 2 input lists)
2. `02_input_format_detection` — Validates auto-detection of domains,
   hosts, AdBlock Plus, and dnsmasq input formats
3. `03_subdomain_dedup` — Confirms parent domains retained, child
   subdomains removed (e.g., blocks `example.com`, skips `sub.example.com`)
4. `04_allowed_domains` — Verifies `allowed_domain` config removes domains
   from output while preserving others
5. `05_canary_domains` — Confirms iCloud Private Relay and Mozilla DoH
   canary domain injection when enabled
6. `06_servers_mode_allow` — Validates dnsmasq.servers mode prepends
   explicit allow entries (`server=/domain/#` format)
7. `07_ipv6_addnhosts` — Verifies dual-stack output (both `127.0.0.1` and
   `::` entries) in addnhosts mode with IPv6 enabled
8. `08_ipv6_nftset` — Confirms nftset mode includes IPv6 set references
   (`4#inet#fw4#adb4,6#inet#fw4#adb6`) when IPv6 enabled
9. `09_unbound_header` — Validates `server:` header line prepended in
   unbound output mode

**02_config** — Configuration handling (1 test):
1. `01_blocked_domain_injection` — Verifies `blocked_domain` config entries
   appear in output

**03_functional** — CLI command tests (2 tests):
1. `01_check_domain` — Tests `check()` correctly identifies blocked vs.
   unblocked domains with appropriate output messages
2. `02_show_blocklist` — Tests `show_blocklist()` outputs parsed domain
   list (162 domains, correct format)

5 curated test data files with ~160+ unique test domains across multiple
formats (plain domains, hosts, AdBlock Plus, dnsmasq), including:
- Valid tracking/ad domains for positive matching
- Overlapping domains across files for deduplication testing
- Parent/child domain pairs for subdomain optimization testing
- Invalid entries (IPs, malformed, special chars) for filter robustness
- Mock UCI/ubus fixtures simulating a standard OpenWrt environment
  (512MB RAM, WAN interface up, dnsmasq running)

---

Adds the full AGPL-3.0-or-later license text (661 lines), matching the
`PKG_LICENSE` field already declared in the Makefile.

---

- Package compat bumped from `11` to `13` (in the ucode module's
  `pkg.compat` constant), reflecting the architectural change
- All existing UCI configuration options preserved (same validation schema)
- All existing extra_commands preserved (same CLI interface)
- All existing DNS resolver modes preserved (same output formats)
- procd service triggers and config triggers unchanged
- `simple-adblock` migration path removed from uci-defaults (obsolete)

---

```sh
cd net/adblock-fast/tests && sh run_tests.sh
```

Requires: `ucode`, `ucode-mod-fs`, `ucode-mod-uci`, `ucode-mod-ubus`,
`sed`, `sort`, `grep`, `awk` (standard OpenWrt buildroot tools).

Signed-off-by: Stan Grishin <redacted>

radicale3: bump to 3.6.1

Update to radicale3 to latest release

Signed-off-by: Daniel F. Dickinson <redacted>

net/sqm-scripts: bump to v1.7.2

This versions changes the default value of use_mq to off, as a
cautionary measure.

Signed-off-by: Toke Høiland-Jørgensen <redacted>

sing-box: update to 1.12.22

changelog: https://github.com/SagerNet/sing-box/releases/tag/v1.12.22

Signed-off-by: xiao bo <redacted>

telegraf: update to 1.37.3
- Update Telegraf to v1.37.3

Signed-off-by: Niklas Thorild <redacted>

clixon: update to 7.7.0

Dropped a size_t patch that was upstreamed.

Signed-off-by: Philip Prindeville <redacted>

cligen: update to 7.7.0

No significant changes.

Signed-off-by: Philip Prindeville <redacted>

adblock: update 4.5.1-4

* fix/stabilize the f_list "merge" function

Signed-off-by: Dirk Brenken <redacted>

net/sqm-scripts: bump to v1.7.1

Contains a bugfix for cake_mq. Also add 'ip' as a dependency to be able
to create multi-queue ifb devices.

Signed-off-by: Toke Høiland-Jørgensen <redacted>

python-gmpy2: update to 2.2.2

Fixes compilation.

Signed-off-by: Rosen Penev <redacted>

nextdns: update to version 1.47.1

Update nextdns package to upstream version 1.47.1

Signed-off-by: Olivier Poitrey <redacted>

openvpn: drop unused eurephia

This plugin has not seen updates to keep it synchronised
with recent openvpn, nor any updates in the last several
years. It relies on the SHA1 algo which is deprecated,
and iptables. ovpn has its own management interface.

Signed-off-by: Paul Donald <redacted>
https://github.com/openwrt/packages/pull/28533

openvpn: enable management interface

This eases management of live servers via its socket
interface.

Signed-off-by: Paul Donald <redacted>
https://github.com/openwrt/packages/pull/28533

openvpn: disable compression in builds

If you need the security risks of using compression,
make a custom build.

Signed-off-by: Paul Donald <redacted>
https://github.com/openwrt/packages/pull/28533

openvpn: introduce ucode proto handler

In preparation for netifd support for ucode
proto handlers.

Signed-off-by: Paul Donald <redacted>
https://github.com/openwrt/packages/pull/28533

openvpn: introduce proto handler

openvpn needs a proto handler. Here it is.

Removed all of the up/down scripts from the init handler
and made those entirely optional (with some ucode examples).

The config options have been updated to reflect v 2.6/2.7,
with a 'd' flag to denote deprecated. Deprecated flags are
gated behind an 'allow_deprecated' config flag, which must
be on to use them. Some flags will cease to work in the next
version.

Users should not be using compression. Openvpn has enough
security holes and pitfalls already without using
compression.

Updated the example configs (left in place as legacy
documentation) and removed older cryptos which do not exist
in ovpn any longer.

A migration script is included -x. /etc/config/openvpn
entries become interface entries in /etc/config/network
with proto='openvpn'. The source config is retained.

Signed-off-by: Paul Donald <redacted>
https://github.com/openwrt/packages/pull/28533

libutp: deactivate -Werror

With fortify sources libutp fails to compile because the fortify sources
for musl use the GNU extension include_next. Do not fail when the
compiler issues a warning.

Fixes the following compile error:
```
In file included from libutp-2023.02.14~c95738b1/utp_utils.cpp:23:
/include/fortify/stdlib.h:22:2: error: #include_next is a GCC extension [-Werror]
22 | #include_next <stdlib.h>
| ^~~~~~~~~~~~
```

Signed-off-by: Hauke Mehrtens <redacted>

tayga: update to Git HEAD (2026-01-27)

The big endian patch was replace upstream.
This drops the last downstream patch and should serve as a test version

Signed-off-by: Goetz Goerisch <redacted>

lxc-auto: add optional dnsmasq dep wait on startup

Add opt-in support for waiting for dnsmasq to be fully initialized
before starting LXC containers. This addresses issues where containers
that depend on DNS resolution (e.g., AdGuardHome) start before dnsmasq
has loaded its DHCP lease table, resulting in hostnames not being
resolved to IP addresses.

The feature is controlled by two new optional UCI config options in
/etc/config/lxc-auto whose usage is commented therein.

No new depends are introduced with this change.

Signed-off-by: John Audia <redacted>

btop: patch to move the log file to tmpfs

The log file path is hardcoded as $HOME/.local/state/btop.log, i.e. to the router’s flash storage rather than to tmpfs. This patch sets the log file path to /tmp/log/btop.log

Signed-off-by: XCas13 <redacted>

micro: update to 2.0.15

Release note: https://github.com/micro-editor/micro/releases/tag/v2.0.15

Signed-off-by: Gregory Gullin <redacted>

socat: update to 1.8.1.1

- update the package
- make SOCAT_SSL select OPENSSL_WITH_DEPRECATED

Signed-off-by: Maxim Storchak <redacted>

banip: update 1.8.0-3

* support the new possible nft expiry options in the backend as well

Signed-off-by: Dirk Brenken <redacted>

adblock: update 4.5.1-3

* added IPFire DBL: a comprehensive, community-maintained domain blocklist
divided in 12 categories
* LuCI: eslint fixes
* LuCI: added IPFire feed/category selection

Signed-off-by: Dirk Brenken <redacted>

mptcpd: update to 0.14

- libmptcpd breaking changes: new deny_join_id0 parameter in connection interfaces
- subflow_closed interface has new error parameter
- add support for new 'laminar' in-kernel PM endpoint
- mptcpize now appends LD_PRELOAD instead of overriding
- mptcpize sets GODEBUG=multipathtcp=1 for Go applications
- add musl libc compatibility
-> allows removal of most downstream patches
- support ELL 0.72 API changes
- security: added recommendation against world-writeable plugin directories

Link: https://github.com/intel/mptcpd/releases/tag/v0.14
Signed-off-by: Daniel Golle <redacted>

ell: update to 0.82

Embedded Linux Library update.

Link: https://git.kernel.org/pub/scm/libs/ell/ell.git/log/?h=0.82
Signed-off-by: Daniel Golle <redacted>

travelmate: update 2.4.0-2

* fixed a busybox awk problem in the new scan function
* minor cleanups
* LuCI: more eslint fixes

Signed-off-by: Dirk Brenken <redacted>

hdparm: fix license

Ref: https://spdx.org/licenses/hdparm.html

Signed-off-by: Wei-Ting Yang <redacted>

tor: update to 0.4.9.5 stable

First stable release of the 0.4.9.x series, see the changelog [1] for what's
new.

Patch automatically refreshed.

[1] https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.9.5/ChangeLog

Signed-off-by: Rui Salvaterra <redacted>

adguardhome: bump to 0.107.72

Changes: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.72
Signed-off-by: George Sapkin <redacted>

adguardhome: fix procd

Move START and STOP to be within the first 10 lines so they can be
properly detected by procd.

Signed-off-by: George Sapkin <redacted>

adguardhome: respawn on crash

Respawn service on crash.

Signed-off-by: George Sapkin <redacted>

openthread-br: create state dir before starting

If the directory is missing, otbr-agent will fail to start, and it's not
immediately clear from the logs why:

netifd: Interface 'thread' is setting up now
: [NOTE]-AGENT---: Backbone interface: br-iot
otbr-agent[5682]: [NOTE]-AGENT---: Running 0.3.0
otbr-agent[5682]: [NOTE]-AGENT---: Thread version: 1.4.0
otbr-agent[5682]: [NOTE]-AGENT---: Thread interface: wpan0
otbr-agent[5682]: [NOTE]-AGENT---: Radio URL: spinel+hdlc_uart:///dev/ttyS1?uart-baudrate=921600
otbr-agent[5682]: [NOTE]-AGENT---: Radio URL: trel://br-iot
otbr-agent[5682]: [NOTE]-ILS-----: Infra link selected: br-iot
otbr-agent[5682]: [INFO]-RCP_HOS-: OpenThread log level changed to 4
otbr-agent[5682]: 49d.17:03:10.822 [I] P-SpinelDrive-: co-processor reset: RESET_POWER_ON
otbr-agent[5682]: 49d.17:03:10.822 [C] P-SpinelDrive-: Software reset co-processor successfully
otbr-agent[5682]: 49d.17:03:10.825 [C] Platform------: Init() at settings_file.cpp:65: No such file or directory
netifd: thread (5684): Command failed: Not found
netifd: Interface 'thread' is now down

Signed-off-by: Stijn Tintel <redacted>

treewide: fix licenses

Fix licenses.

Signed-off-by: Wei-Ting Yang <redacted>

inadyn: remove package

This software is no longer maintained, and upstream
repo has been archived.
No package depends on this.

Signed-off-by: Yanase Yuki <redacted>

borgbackup: update to 1.4.3

This update fixes incompatibility with python-msgpack 1.1.2.
Add missing dependency on python3-openssl and drop the optional
dependency on python-pyfuse3, which doesn't work with the current
version.

Signed-off-by: Miroslav Lichvar <redacted>

travelmate: release 2.4.0-1

* rework wlan scanning
- drop iw/ip - use ubus/iwinfo calls instead
- build a new, central wlan scan function (used in LuCI and during
* simplify uci config parsing

Signed-off-by: Dirk Brenken <redacted>

modbus: update to 3.1.12

Update modbus to version 3.1.12

https://github.com/stephane/libmodbus/releases/tag/v3.1.12
Fix FD_SET overflow when socket fd >= FD_SETSIZE.
Check dest pointer not null and nb in read functions.
NULL check for src and nb < 1 validation in write functions.
modbus_reply: don't compute address for FC 0x07/0x11.
Use O_NONBLOCK instead of deprecated O_NDELAY.
Explicit cast for Coverity CID 416366.
Document required buffer size of modbus_receive.
Document macros for error codes corresponding to Modbus exceptions.
Fix example of modbus_rtu_set_serial_mode.
Test filesystem provides symlink in autogen.sh.
Sync API signatures with the documentation.
Many documentation fixes and typo corrections.
Add coverage target and helper script.

Signed-off-by: Hannu Nyman <redacted>

mstflint: update to 4.34.1-4

This commit updates the mstflint package
to the latest 4.34.1-4 release.

Release notes:
https://github.com/Mellanox/mstflint/releases/tag/v4.34.1-4

Signed-off-by: Til Kaiser <redacted>

liburing: update to v2.14

- Updated download URL and hash
- Switched to GitHub mirror
- Adapted configure parameters to fix build errors
- See changes: https://github.com/axboe/liburing/releases/tag/liburing-2.14

Signed-off-by: Christian Lachner <redacted>

nginx: fix module depends on nginx

Closes #28587
nginx: many module recursive dependencies

The solution turns out to be pretty trivial.
Replace the +nginx in the module DEPENDS.

This means the modules do not 'select' nginx, but the do 'depend on'
nginx. So nginx is required to install the modules.

This is the same approach taken with PHP8 and #28585 for Zabbix.

Signed-off-by: Daniel F. Dickinson <redacted>

ddns-scripts: add API-based registered IP verification for Cloudflare proxied
records

Problem:
When using Cloudflare with proxy enabled (orange cloud), DNS lookups
return Cloudflare's edge IP instead of the actual origin IP registered
in the dashboard. This causes ddns-scripts to incorrectly detect IP
mismatches, triggering unnecessary updates and potential rate limiting.

Solution:
Add an optional 'use_api_check' configuration option that enables
provider scripts to fetch the registered IP directly via their API,
bypassing DNS lookups.

Changes:
- dynamic_dns_functions.sh: Add API check block to get_registered_ip()
  (~25 lines). When use_api_check is enabled, sources the provider
  script with GET_REGISTERED_IP=1 flag. Falls back to DNS lookup if
  API check is disabled, unsupported, or fails.

- update_cloudflare_com_v4.sh: Add handler for GET_REGISTERED_IP mode
  (~15 lines). Reuses existing cURL setup and authentication to query
  Cloudflare API for actual record content.

- etc/config/ddns: Document use_api_check option

Behavior:
- use_api_check=0 or unset: DNS lookup (existing behavior, no changes)
- use_api_check=1 with API support: API query for registered IP
- use_api_check=1 without API support: Falls back to DNS lookup
- API failure: Gracefully falls back to DNS lookup

Testing:
- Cloudflare (proxied): Correctly retrieves origin IP via API
- Cloudflare (non-proxied): Works correctly
- No-IP: DNS lookup works (no regression)
- IPv4 and IPv6 records tested
- API failure gracefully falls back to DNS

Signed-off-by: Wayne King 244781262+bdk38@users.noreply.github.com

vim: bump to 9.2.0

Update URLs.

Remove inactive maintainer.

Changes: https://www.vim.org/vim-9.2-released.php
Signed-off-by: George Sapkin <redacted>

haproxy: update config (maxconn, nbthread, ssl)

Configuration changes:

- max connections adjusted
- ulimit-n disabled
- nbprocs removed
- nbthread added
- ssl params added

Signed-off-by: Andrey Zotikov <redacted>

jool: update to 4.1.15

Changelog: https://github.com/NICMx/Jool/releases/tag/v4.1.15
- Add support for kernels 6.15-6.18
- Add support for RHEL 9.6, 9.7

Drops 200-fix-compilation-in-v6.18.patch as upstream accepted

Signed-off-by: Goetz Goerisch <redacted>

bluld: bump to version 1.1.3

Release notes:
https://github.com/ktgeek/bluld/releases/tag/v1.1.3

Signed-off-by: Keith T. Garner <redacted>

telegraf: update to 1.37.2
- Update Telegraf to v1.37.2

Signed-off-by: Niklas Thorild <redacted>

telegraf: replace prometheus plugin with http plugin

- Replace inputs.prometheus with inputs.http

Signed-off-by: Niklas Thorild <redacted>

tor: update to 0.4.8.22 stable

Minor release, see the changelog [1] for what's new.

[1] https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.22/ChangeLog

Signed-off-by: Rui Salvaterra <redacted>

libmodbus: update hash for v3.1.11 tarball

Upstream modified the tarball and re-uploaded, so the hash changed.
See: https://github.com/stephane/libmodbus/issues/829#issuecomment-3898494353

Signed-off-by: Michael Heimpold <redacted>

haproxy: update to v3.2.12

- Fixes CVE-2026-26080 and CVE-2026-26081
https://www.haproxy.com/blog/cves-2026-quic-denial-of-service
- Updated haproxy PKG_VERSION and PKG_HASH
- See changes: http://git.haproxy.org/?p=haproxy-3.2.git;a=shortlog

Signed-off-by: Christian Lachner <redacted>

natmap: update to 20260214

Upstream changelog:
https://github.com/heiher/natmap/releases/tag/20260214

Signed-off-by: Ray Wang <redacted>

python-gevent: use LF for Makefile

Done with all other Makefiles.

Signed-off-by: Rosen Penev <redacted>

python-gevent: update to 25.9.1

Fixes compilation.

Signed-off-by: Rosen Penev <redacted>

bluez: update to 5.86

Refreshed patches.

Signed-off-by: Rosen Penev <redacted>

sqm-scripts: bump to v1.7.0

- Add nat to the default [IN|E]GRESS_CAKE_OPTS in defaults.sh
- Add support for cake_mq

Signed-off-by: Rany Hany <redacted>

zabbix: fix unnecessary virtual provides

We aren't using packages with the same name as the provides, so don't
use an virtual (@) provides for providing zabbix-get

Signed-off-by: Daniel F. Dickinson <redacted>

zabbix: set PKGARCH all for non-binary packages

For non-compiled package that are architecture independant, set
PKGARCH:=all.

Signed-off-by: Daniel F. Dickinson <redacted>

rtpmidid: update to 26.01

See release notes at
https://github.com/davidmoreno/rtpmidid/releases/tag/v26.01

Signed-off-by: Daniel Golle <redacted>

isc-dhcp: don't die when a network restart happens

Our triggering code was using the logical network name and
not the ifname as required.

Signed-off-by: Philip Prindeville <redacted>

golang: replace 1.25 with to 1.26.0

Replace golang1.25 with golang1.26 with version 1.26.0.

Update OS/arch combinations.

Bump bootstrap to 1.24.13.

Link: https://go.dev/doc/go1.26
Link: https://github.com/openwrt/packages/pull/28552
Signed-off-by: George Sapkin <redacted>

modemmanager: fix netifd proto sim path

Use specific SIM path instead of 'any' when unlocking with PIN
code. This fixes PIN unlock issues on devices with multiple modems
where 'any' could select the wrong modem.

Bump modemmanager PKG_RELEASE

Signed-off-by: micpf <redacted>

ddns-script: update namesilo.com

switch xml parser to xmllint because xmlstarlet is not available

Signed-off-by: Lin Fan <redacted>

lf: update to r41

https://github.com/gokcehan/lf/releases/tag/r41

Signed-off-by: Nate Robinson <redacted>

conserver: update to version 8.3.0

version 8.3.0 (February 2, 2026):
        - Don't use `true` variable (Stanisław Pitucha <redacted>)
        - Add VPATH to Makefile.in (saproj <redacted>)
        - FileUnopen: always return a valid file descriptor (Jeff Moyer <redacted>)
        - fix SEGFAULT on early exit with IPv6 enabled (Bjørn Mork <redacted>)
        - In AddrsMatch, keep copies of addrinfos to free. (Darren Tucker <redacted>)
        - Increase buffer size for GSSAPI exchanges (Alexander Bokovoy <redacted>)
        - Show "(inactive)" rather than an invalid pty device name for ondemand consoles that
          are closed. Show "(inactive)" rather than "(null)" for ondemand consoles that have
          never been opened. (Greg Becker <redacted>)
        - Prevent spy-mode clients from being promoted to the attached/writable state. (Greg Becker <redacted>)
        - autoconf upgrade (Jörg Sommer <redacted>)
        - reinitcheck allows time units (Jacek Tomasiak <redacted>)
        - reduce level of string alloc management debug messages (Greg A. Woods <redacted>)
        - fix bug with parser and "#" lines, fix debug output in ParseFile()
        - Fix clobbering of breaklist and replstring (Anton Lundin <redacted>)
        - Use strcmp() rather than strcasecmp() to compare console names when reading the config
          file and creating the list of consoles. (Greg Becker <redacted>)
        - Added passwordfile config option (Jason Ni <redacted>)

Drop upstreamed patches:
  002-addrsmatch-freeaddrinfo.patch
  002-fix-SEGFAULT-on-early-exit-with-IPv6-enabled.patch

Signed-off-by: Bjørn Mork <redacted>

mjpg-streamer: drop package

Based on the discussion in the previous PR, drop the package. Main source
has not been updated in 8 years and the fork in 5.

Link: https://github.com/openwrt/packages/pull/27878
Signed-off-by: George Sapkin <redacted>

kea: make building with Openssl deprecated APIs off

Some of the X.509 API got retired in 3.0.0 so we should check
against the backward compatibility not being enabled.

Signed-off-by: Philip Prindeville <redacted>

rp-pppoe: fix pppoe-server init script

There were 2 missing "$" when options "maxsessions" and "optionsfile"
are checked for some content.

Also the local declaration of "optionsfile" was incorrect.

Signed-off-by: Martin Schiller <redacted>

ddns-scripts: remove postinst and prerm script call

For reasons that have not been investigated in detail, the package blocks
during 'postinst' with the new 'apk' backend when the package is installed
on the target.

After much back and forth, it turned out that the '/etc/init.d/ddns start'
command is responsible for this. The call is blocking.

The command '/etc/init.d/ddns enabled' in the 'postinst' also makes no sense
here, as it only checks whether the ddns service is enabled. The return value
is not checked at all. And the 'prerm' script is also not needed, as the
calls made there are implicitly called during package deinstallation.

Therefore, this commit removes the entire and not needed 'postinst' and
'prerm' script call.

Signed-off-by: Florian Eckert <redacted>

wget: use explicit API version levels

Per Doug Freed's review comments.

Signed-off-by: Philip Prindeville <redacted>

owut: activate by default in buildbot

This will activate owut in buildbot builds for targets with large flash
by default. This will integrate it into most images by default.

The buildbots already build LuCI with luci-app-attendedsysupgrade. This
adds ucode-mod-uclient and owut to the image.

These are the package sizes for mips_24kc:
29270 bin/packages/mips_24kc/packages/owut-2026.01.13~2526d84b-r1.apk
5449 bin/packages/mips_24kc/base/ucode-mod-uclient-2026.01.31~931bbfeb-r1.apk

Signed-off-by: Hauke Mehrtens <redacted>

nano: update to 8.7.1

Update nano editor to version 8.7.1.

Signed-off-by: Hannu Nyman <redacted>

wget: build against Openssl w/o deprecated API

If you're building against 3.0.0 or later and you've defined
OPENSSL_NO_DEPRECATED, this breaks.

Signed-off-by: Philip Prindeville <redacted>

wget: don't build http-ntml as it's deprecated

NTML uses DES and MD4, both of which are retired.

Signed-off-by: Philip Prindeville <redacted>

adblock: update 4.5.1-2

* make sure to only return exactly one MAC address in the cgi

Signed-off-by: Dirk Brenken <redacted>

adblock: release 4.5.1

* Remote DNS Allow: this additional firewall feature lets selected client devices
temporarily bypass local DNS blocking and use an external, unfiltered DNS resolver.
* LuCI: new Firewall options for remote Access
* readme update

Signed-off-by: Dirk Brenken <redacted>

v2raya: Update to 2.2.7.5

Release note: https://github.com/v2rayA/v2rayA/releases/tag/v2.2.7.5

Signed-off-by: Tianling Shen <redacted>

openlist: Update to 4.1.10

Release note: https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10

Signed-off-by: Tianling Shen <redacted>

cloudflared: Update to 2026.1.2

Release note: https://github.com/cloudflare/cloudflared/releases/tag/2026.1.2

Signed-off-by: Tianling Shen <redacted>

yq: Update to 4.52.2

Release note: https://github.com/mikefarah/yq/releases/tag/v4.52.2

Signed-off-by: Tianling Shen <redacted>

rclone: Update to 1.73.0

Release note: https://github.com/rclone/rclone/releases/tag/v1.73.0

Signed-off-by: Tianling Shen <redacted>

xray-core: Update to 26.2.4

Release note: https://github.com/XTLS/Xray-core/releases/tag/v26.2.4

Signed-off-by: Tianling Shen <redacted>

v2ray-geodata: Update to latest version

Update all geodata.

Signed-off-by: Tianling Shen <redacted>

dos2unix: Update to 7.5.4

2026-01-30: Version 7.5.4
  * Don't return an error code if a binary file is skipped.
    Reverting change in 7.5.3.
  * Refactored code.

Signed-off-by: Tianling Shen <redacted>

ustreamer: update to 6.52

fix a build error when compiled with WITH_SETPROCTITLE=1
undefined reference to setproctitle_init

[1] https://github.com/openwrt/packages/pull/28472#issuecomment-3863583824

Signed-off-by: Georgi Valkov <redacted>

transmission: update to 4.1.0

See release notes for more info on this new major release

https://github.com/transmission/transmission/releases/tag/4.1.0

Signed-off-by: Daniel Golle <redacted>

libutp: update to 2024-11-16

transmission/libutp@490874c Merge pull request #17 from tearfur/malformed-logs
transmission/libutp@2d29ce9 Merge pull request #18 from tearfur/ftbfs-log
transmission/libutp@6c7ee3f Merge pull request #16 from brad0/openbsd_monotonic
transmission/libutp@1e7e6c6 fix: FTBFS when `UTP_DEBUG_LOGGING` is defined
transmission/libutp@eedd8b9 fix: malformed logs produced by `struct_utp_context::log()`
transmission/libutp@14d6f57 Use monotonic clock on OpenBSD
transmission/libutp@52645d6 chore: remove invalid assertion
transmission/libutp@4ed4d43 refactor: use std::unordered_map instead of bespoke utpHashTable
transmission/libutp@13545a9 fixup! chore: savepoint
transmission/libutp@d0f70e6 chore: add code comments for new code that needs it
transmission/libutp@b109597 chore: remove extra include string.h
transmission/libutp@13b5cb4 chore: remove unnecessary #include utp_hash.h
transmission/libutp@958758b copyediting: tab damage, constify
transmission/libutp@165a316 refactor: replace UTPSocketHT method with one more narrowly-scoped
transmission/libutp@9bbf6b3 perf: do not rebuild UTPSocketKey in LookupAdjacent
transmission/libutp@a271636 chore: savepoint
transmission/libutp@d339167 feat: make UTPSocketKey std::hash-friendly
transmission/libutp@1354618 refactor: use std::min(), std::max() instead of bespoke
transmission/libutp@7480820 chore: remove redundant explicit types when invoking std::min, std::max
transmission/libutp@3189aba chore: restore undefs
transmission/libutp@1849bd1 chore: make vsc happy
transmission/libutp@24c967b refactor: make explicit type for std::min, std::max
transmission/libutp@1862df0 refactor: make explicit type for std::min, std::max
transmission/libutp@8080115 refactor: use std::min(), std::max() instead of bespoke
transmission/libutp@2589200 refactor: use std::vector instead of bespoke Array class
transmission/libutp@09ef1be Fix build on *BSD (#10)
transmission/libutp@4d4a3ce fixup! refactor: use std::vector instead of bespoke Array class
transmission/libutp@1320d78 Merge branch 'post-3.4-transmission' into refactor/replace-bespoke-to-std-pt-1
transmission/libutp@8bdf5e8 Try to reduce the number of CI builds
transmission/libutp@4ec3c96 Merge branch 'post-3.4-transmission' into refactor/replace-bespoke-to-std-pt-1
transmission/libutp@5820d8e Bump minimum CMake version to 3.12 to match Transmission (#9)
transmission/libutp@d9d3754 refactor: use std::vector instead of bespoke Array class
transmission/libutp@9cb9f9c build: Require C11 (#5)

Signed-off-by: Daniel Golle <redacted>

libdht: update to 2023-03-18

jech/dht@0bbb8f4 Full declaration of dht_uninit

Signed-off-by: Daniel Golle <redacted>

libdeflate: update to 1.25

ebiggers/libdeflate@c8c56a2 (tag: v1.25) v1.25
ebiggers/libdeflate@095bcab cmake: make installed package relocatable
ebiggers/libdeflate@7b9232c ci.yml: Use windows-latest for windows-visualstudio-build-and-test
ebiggers/libdeflate@d65d5db Add link to SwiftDeflate wrapper
ebiggers/libdeflate@6bb4936 lib/x86: drop any mention of `evex512`
ebiggers/libdeflate@2a3762c lib/x86/cpu_features.h: drop evex512 on gcc-16

Signed-off-by: Daniel Golle <redacted>

nfs-kernel-server: update to 2.8.5

Changelog: https://www.kernel.org/pub/linux/utils/nfs-utils/2.8.5/2.8.5-Changelog

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <redacted>

expat: update to 2.7.4

Changelog:
https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes

Fixes: CVE-2026-24515 CVE-2026-25210
Signed-off-by: Nick Hainke <redacted>