Merge 5e27e2cc5d into 4628b6bd43

Closes #23774

Signed-off-by: Paul Donald <newtwen+github@gmail.com>

libs/libpfring/Makefile

@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=libpfring
-PKG_VERSION:=8.4.0
-PKG_RELEASE:=2
+PKG_VERSION:=8.6.1
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/ntop/PF_RING/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=2756a45ab250da11850160beb62aa879075aedfb49bf8f323b404f02b0c36670
+PKG_HASH:=c3b3233a59bb642457e60596d2e5b58b4207cccd713f3fe7b0ce5c9ea1a4a131
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/PF_RING-$(PKG_VERSION)
 
 PKG_MAINTAINER:=Banglang Huang <banglang.huang@foxmail.com>

libs/libpfring/patches/0001-fix-cross-compiling.patch

@@ -1,6 +1,6 @@
 --- a/userland/configure
 +++ b/userland/configure
-@@ -3868,12 +3868,6 @@ $as_echo "no" >&6; }
+@@ -3873,12 +3873,6 @@ $as_echo "no" >&6; }
          if test "$IS_FREEBSD" != "1" && test "$cross_compiling" != "yes" ; then
        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if r/w locks are supported" >&5
  $as_echo_n "checking if r/w locks are supported... " >&6; }
@@ -13,7 +13,7 @@
    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
  
-@@ -3886,7 +3880,7 @@ else
+@@ -3891,7 +3885,7 @@ else
  
  
  _ACEOF
@@ -22,7 +22,7 @@
     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
  $as_echo "yes" >&6; }
  cat >>confdefs.h <<_ACEOF
-@@ -3900,7 +3894,6 @@ $as_echo "no" >&6; }
+@@ -3905,7 +3899,6 @@ $as_echo "no" >&6; }
  fi
  rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
    conftest.$ac_objext conftest.beam conftest.$ac_ext

libs/libpfring/patches/002-implement-probabilistic-sampling.patch

@@ -1,89 +0,0 @@
-From 405caa1424358032574230ec5479e64834869298 Mon Sep 17 00:00:00 2001
-From: Alfredo Cardigliano <cardigliano@ntop.org>
-Date: Thu, 13 Apr 2023 13:03:28 +0200
-Subject: [PATCH] Implement probabilistic sampling
-
----
- kernel/linux/pf_ring.h |  4 +++-
- kernel/pf_ring.c       | 34 ++++++++++++++++++++++++----------
- 2 files changed, 27 insertions(+), 11 deletions(-)
-
---- a/kernel/linux/pf_ring.h
-+++ b/kernel/linux/pf_ring.h
-@@ -1310,7 +1310,9 @@ struct pf_ring_socket {
-   u_char *ring_slots;       /* Points to ring_memory+sizeof(FlowSlotInfo) */
- 
-   /* Packet Sampling */
--  u_int32_t pktToSample, sample_rate;
-+  u_int32_t sample_rate;
-+  u_int32_t pkts_to_sample;
-+  u_int32_t sample_rnd_shift;
- 
-   /* Virtual Filtering Device */
-   virtual_filtering_device_element *v_filtering_dev;
---- a/kernel/pf_ring.c
-+++ b/kernel/pf_ring.c
-@@ -3695,6 +3695,26 @@ int bpf_filter_skb(struct sk_buff *skb,
- 
- /* ********************************** */
- 
-+int sample_packet(struct pf_ring_socket *pfr) {
-+  if(pfr->pkts_to_sample <= 1) {
-+    u_int32_t rnd = 0;
-+
-+    get_random_bytes(&rnd, sizeof(u_int32_t));
-+    rnd = rnd % pfr->sample_rate;
-+
-+    pfr->pkts_to_sample = pfr->sample_rate - pfr->sample_rnd_shift + rnd;
-+
-+    pfr->sample_rnd_shift = rnd;
-+
-+    return 1; /* Pass packet */
-+  } else {
-+    pfr->pkts_to_sample--;
-+    return 0; /* Discard packet */
-+  }
-+}
-+
-+/* ********************************** */
-+
- u_int32_t default_rehash_rss_func(struct sk_buff *skb, struct pfring_pkthdr *hdr)
- {
-   return hash_pkt_header(hdr, 0);
-@@ -3805,12 +3825,9 @@ static int add_skb_to_ring(struct sk_buf
-     if(pfr->sample_rate > 1) {
-       spin_lock_bh(&pfr->ring_index_lock);
- 
--      if(pfr->pktToSample <= 1) {
--	pfr->pktToSample = pfr->sample_rate;
--      } else {
-+      if(!sample_packet(pfr)) {
-+        /* Discard packet */
-         pfr->slots_info->tot_pkts++;
--	pfr->pktToSample--;
--
- 	spin_unlock_bh(&pfr->ring_index_lock);
- 	atomic_dec(&pfr->num_ring_users);
- 	return(-1);
-@@ -4161,11 +4178,8 @@ int pf_ring_skb_ring_handler(struct sk_b
- 
-         if(pfr->sample_rate > 1) {
-           spin_lock_bh(&pfr->ring_index_lock);
--          if(pfr->pktToSample <= 1) {
--            pfr->pktToSample = pfr->sample_rate;
--          } else {
-+          if (!sample_packet(pfr)) {
-             pfr->slots_info->tot_pkts++;
--            pfr->pktToSample--;
-             rc = 0;
-           }
-           spin_unlock_bh(&pfr->ring_index_lock);
-@@ -7957,7 +7971,7 @@ static int ring_getsockopt(struct socket
- 	if(copy_to_user(optval, lowest_if_mac, ETH_ALEN))
- 	  return(-EFAULT);
-       } else {
--        char *dev_addr = pfr->ring_dev->dev->dev_addr;
-+        const char *dev_addr = pfr->ring_dev->dev->dev_addr;
- 
-         if (dev_addr == NULL) /* e.g. 'any' device */
-           dev_addr = empty_mac;

libs/libpfring/patches/100-fix-compilation-warning.patch

@@ -1,6 +1,6 @@
 --- a/kernel/pf_ring.c
 +++ b/kernel/pf_ring.c
-@@ -3902,7 +3902,7 @@ static int hash_pkt_cluster(ring_cluster
+@@ -3903,7 +3903,7 @@ static int hash_pkt_cluster(ring_cluster
        break;
      }
      /* else, fall through, because it's like 2-tuple for non-TCP packets */

libs/libpfring/patches/101-kernel-pf_ring-better-define-sa_data-size.patch

@@ -1,72 +0,0 @@
-From fae2437c2af80d3ea64f5bc9678a5b697772295b Mon Sep 17 00:00:00 2001
-From: Christian Marangi <ansuelsmth@gmail.com>
-Date: Mon, 18 Mar 2024 10:03:43 +0100
-Subject: [PATCH] kernel: pf_ring: better define sa_data size
-
-pfring_mod_bind() needs to specify the interface
-name using struct sockaddr that is defined as
-
-struct sockaddr { ushort sa_family; char sa_data[14]; };
-
-so the total interface name length is 13 chars (plus \0 trailer).
-
-Since sa_data size is arbitrary, define a more precise size for
-PF_RING socket use.
-
-This fix some compilation error with fortify string and makes the array
-handling more deterministic.
-
-Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
----
- kernel/pf_ring.c | 22 ++++++++++++++++++----
- 1 file changed, 18 insertions(+), 4 deletions(-)
-
---- a/kernel/pf_ring.c
-+++ b/kernel/pf_ring.c
-@@ -155,6 +155,18 @@
- #endif
- #endif
- 
-+/*
-+  pfring_mod_bind() needs to specify the interface
-+	name using struct sockaddr that is defined as
-+
-+  struct sockaddr { ushort sa_family; char sa_data[14]; };
-+
-+  so the total interface name length is 13 chars (plus \0 trailer).
-+  Since sa_data size is arbitrary, define a more precise size for
-+  PF_RING socket use.
-+*/
-+#define RING_SA_DATA_LEN 14
-+
- /* ************************************************* */
- 
- #if(LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0))
-@@ -1029,7 +1041,7 @@ pf_ring_device *pf_ring_device_name_look
- 	  so the total interface name length is 13 chars (plus \0 trailer).
- 	  The check below is to trap this case.
- 	 */
--	|| ((l >= 13) && (strncmp(dev_ptr->device_name, name, 13) == 0)))
-+	|| ((l >= RING_SA_DATA_LEN - 1) && (strncmp(dev_ptr->device_name, name, RING_SA_DATA_LEN - 1) == 0)))
-        && device_net_eq(dev_ptr, net))
-       return dev_ptr;
-   }
-@@ -5571,15 +5583,15 @@ static int ring_bind(struct socket *sock
-    * Check legality
-    */
-   if (addr_len == sizeof(struct sockaddr)) {
--    char name[sizeof(sa->sa_data)+1];
-+    char name[RING_SA_DATA_LEN];
- 
-     if (sa->sa_family != PF_RING)
-       return(-EINVAL);
- 
--    memcpy(name, sa->sa_data, sizeof(sa->sa_data));
-+    memcpy(name, sa->sa_data, RING_SA_DATA_LEN - 1);
- 
-     /* Add trailing zero if missing */
--    name[sizeof(name)-1] = '\0';
-+    name[RING_SA_DATA_LEN-1] = '\0';
- 
-     debug_printk(2, "searching device %s\n", name);
- 

net/banip/Makefile

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=0.9.5
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 

net/banip/files/README.md

@@ -15,7 +15,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | adguard             | adguard IPs                    |         |         |    x    | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists)        |
 | adguardtrackers     | adguardtracker IPs             |         |         |    x    | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists)        |
 | antipopads          | antipopads IPs                 |         |         |    x    | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists)        |
-| asn                 | ASN segments                   |         |         |    x    | tcp: 80, 443 | [Link](https://asn.ipinfo.app)                               |
+| asn                 | ASN segments                   |    x    |    x    |    x    |              | [Link](https://asn.ipinfo.app)                               |
 | backscatterer       | backscatterer IPs              |    x    |    x    |         |              | [Link](https://www.uceprotect.net/en/index.php)              |
 | becyber             | malicious attacker IPs         |    x    |    x    |         |              | [Link](https://github.com/duggytuxy/malicious_ip_addresses)  |
 | binarydefense       | binary defense banlist         |    x    |    x    |         |              | [Link](https://iplists.firehol.org/?ipset=bds_atif)          |
@@ -114,7 +114,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
 * If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
 * Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
-* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
+* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below
 
 ## banIP CLI interface
 * All important banIP functions are accessible via CLI.
@@ -428,12 +428,12 @@ A valid JSON source object contains the following information, e.g.:
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
 		"descr": "tor exit nodes",
-		"flag": "tcp 80-89 443"
+		"flag": "gz tcp 80-88 udp 50000"
 	},
 	[...]
 ```
 Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.  
-Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.  
+Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.  
 
 ## Support
 Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>

net/banip/files/banip-functions.sh

@@ -595,24 +595,30 @@ f_etag() {
 # build initial nft file with base table, chains and rules
 #
 f_nftinit() {
-	local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}"
+	local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}"
 
 	wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 	[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 	[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 
 	for flag in ${ban_allowflag}; do
-		if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
-			allow_proto="${flag}"
-		elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
-			if [ -z "${allow_dport}" ]; then
-				allow_dport="${flag}"
-			else
-				allow_dport="${allow_dport}, ${flag}"
+		if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
+			if [ -z "${tmp_proto}" ]; then
+				tmp_proto="${flag}"
+			elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_proto="${tmp_proto}, ${flag}"
+			fi
+		elif [ -n "${flag//[![:digit]-]/}" ]; then
+			if [ -z "${tmp_port}" ]; then
+				tmp_port="${flag}"
+			elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_port="${tmp_port}, ${flag}"
 			fi
 		fi
 	done
-	[ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }"
+	if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
+		allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
+	fi
 
 	if [ "${ban_logprerouting}" = "1" ]; then
 		log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
@@ -697,7 +703,7 @@ f_nftinit() {
 #
 f_down() {
 	local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
-	local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target
+	local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag
 	local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
 
 	start_ts="$(date +%s)"
@@ -756,19 +762,25 @@ f_down() {
 	# prepare feed flags
 	#
 	for flag in ${feed_flag}; do
-		if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
+		if [ "${flag}" = "gz" ]; then
 			feed_comp="${flag}"
-		elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
-			feed_proto="${flag}"
-		elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
-			if [ -z "${feed_dport}" ]; then
-				feed_dport="${flag}"
-			else
-				feed_dport="${feed_dport}, ${flag}"
+		elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
+			if [ -z "${tmp_proto}" ]; then
+				tmp_proto="${flag}"
+			elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_proto="${tmp_proto}, ${flag}"
+			fi
+		elif [ -n "${flag//[![:digit]-]/}" ]; then
+			if [ -z "${tmp_port}" ]; then
+				tmp_port="${flag}"
+			elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_port="${tmp_port}, ${flag}"
 			fi
 		fi
 	done
-	[ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }"
+	if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
+		feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
+	fi
 
 	# chain/rule maintenance
 	#

net/banip/files/banip.feeds

@@ -36,8 +36,7 @@
 		"url_6": "https://asn.ipinfo.app/api/text/list/",
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
-		"descr": "ASN IP segments",
-		"flag": "tcp 80 443"
+		"descr": "ASN IP segments"
 	},
 	"backscatterer":{
 		"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",

net/p910nd/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=p910nd
 PKG_VERSION:=0.97
-PKG_RELEASE:=13
+PKG_RELEASE:=14
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/p910nd

net/p910nd/files/p910nd.hotplug

@@ -281,8 +281,7 @@ get_and_store_printer_info() {
 		[ "$DEBUG" ] && echo ${MFG:+MFG=$MFG} ${MDL:+MDL=$MDL} ${CMD:+CMD=$CMD} ${CLS:+CLS=$CLS} ${DES:+DES=$DES} ${SN:+SN=$SN}
 
 		[ "$DEBUG" ] && echo 'uci set' for UCI_DEV_CFG_NUMBER: $UCI_DEV_CFG_NUMBER
-		# Take the USB info as fact: set bidir regardless. It seems to be a source of confusion.
-		eval "$uqsddu_cmd.bidirectional='$BIDIR'"
+		[ -z "$(eval "$uqgddu_cmd".bidirectional)" ] && eval "$uqsddu_cmd.bidirectional='$BIDIR'"
 		[ -z "$(eval "$uqgddu_cmd".port)" ] && eval "$uqsddu_cmd.port='0'"
 		[ -z "$(eval "$uqgddu_cmd".enabled)" ] && eval "$uqsddu_cmd.enabled='1'"
 		[ -z "$(eval "$uqgddu_cmd".usbvidpid)" ] && [ -n "$THIS_USB_VIDPID" ] && eval "$uqsddu_cmd.usbvidpid='$THIS_USB_VIDPID'"