Merge 40eda07e97 into 2c6d5adac0

* allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
* removed the default protocol/port limitation from asn feed

Signed-off-by: Dirk Brenken <dev@brenken.org>

.circleci/Dockerfile

@@ -1,93 +0,0 @@
-FROM debian:10
-
-
-# Configuration version history
-# v1.0   - Initial version by Etienne Champetier
-# v1.0.1 - Run as non-root, add unzip, xz-utils
-# v1.0.2 - Add bzr
-# v1.0.3 - Verify usign signatures
-# v1.0.4 - Add support for Python3
-# v1.0.5 - Add 19.07 public keys, verify keys
-# v1.0.6 - Add 21.02 public keys, update Debian image to version 10, add rsync
-# v1.0.7 - Add 22.03 public keys, 18.06 v2 gpg key, 18.06 usign key
-
-RUN apt update && apt install -y \
-build-essential \
-bzr \
-curl \
-jq \
-gawk \
-gettext \
-git \
-libncurses5-dev \
-libssl-dev \
-python \
-python3 \
-signify-openbsd \
-subversion \
-rsync \
-time \
-unzip \
-wget \
-xz-utils \
-zlib1g-dev \
-&& rm -rf /var/lib/apt/lists/*
-
-RUN useradd -c "OpenWrt Builder" -m -d /home/build -s /bin/bash build
-USER build
-ENV HOME /home/build
-
-# OpenWrt Build System (PGP key for unattended snapshot builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-snapshots@openwrt.org>' | grep '^fpr:::::::::54CC74307A2C6DC9CE618269CD84BCED626471F1:$' \
- && echo '54CC74307A2C6DC9CE618269CD84BCED626471F1:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 17.01 "Reboot" release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/D52BBB6B.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-17.01@openwrt.org>' | grep '^fpr:::::::::B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:$' \
- && echo 'B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:6:' | gpg --import-ownertrust
-
-# OpenWrt Release Builder (18.06 Signing Key)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/17E1CE16.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<openwrt-devel@lists.openwrt.org>' | grep '^fpr:::::::::6768C55E79B032D77A28DA5F0F20257417E1CE16:$' \
- && echo '6768C55E79B032D77A28DA5F0F20257417E1CE16:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 18.06 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/15807931.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-18.06@openwrt.org>' | grep '^fpr:::::::::AD0507363D2BCE9C9E36CEC4FBCB78F015807931:$' \
- && echo 'AD0507363D2BCE9C9E36CEC4FBCB78F015807931:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 19.07 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/2074BE7A.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-19.07@openwrt.org>' | grep '^fpr:::::::::D9C6901F45C9B86858687DFF28A39BC32074BE7A:$' \
- && echo 'D9C6901F45C9B86858687DFF28A39BC32074BE7A:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 21.02 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/88CA59E8.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-21.02@openwrt.org>' | grep '^fpr:::::::::667205E379BAF348863A5C6688CA59E88F681580:$' \
- && echo '667205E379BAF348863A5C6688CA59E88F681580:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (GnuPGP key for 22.03 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CD54E82DADB3684D.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-22.03@openwrt.org>' | grep '^fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:$' \
- && echo 'BF856781A01293C8409ABE72CD54E82DADB3684D:6:' | gpg --import-ownertrust
-
-# untrusted comment: Public usign key for unattended snapshot builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/b5043e70f9a75cde' --create-dirs -o /home/build/usign/b5043e70f9a75cde \
- && echo 'd7ac10f9ed1b38033855f3d27c9327d558444fca804c685b17d9dcfb0648228f */home/build/usign/b5043e70f9a75cde' | sha256sum --check
-
-# untrusted comment: Public usign key for 18.06 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/1035ac73cc4e59e3' --create-dirs -o /home/build/usign/1035ac73cc4e59e3 \
- && echo '8dc2e7f5c4e634437e6641f4df77a18bf59f0c8e9016c8ba4be5d4a0111e68c2 */home/build/usign/1035ac73cc4e59e3' | sha256sum --check
-
-# untrusted comment: Public usign key for 19.07 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/f94b9dd6febac963' --create-dirs -o /home/build/usign/f94b9dd6febac963 \
- && echo 'b1d09457cfbc36fccfe18382d65c54a2ade3e7fd3902da490a53aa517b512755 */home/build/usign/f94b9dd6febac963' | sha256sum --check
-
-# untrusted comment: Public usign key for 21.02 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/2f8b0b98e08306bf' --create-dirs -o /home/build/usign/2f8b0b98e08306bf \
- && echo 'd102bdd75421c62490b97f520f9db06aadb44ad408b244755d26e96ea5cd3b7f */home/build/usign/2f8b0b98e08306bf' | sha256sum --check
-
-# untrusted comment: Public usign key for 22.03 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/4d017e6f1ed5d616' --create-dirs -o /home/build/usign/4d017e6f1ed5d616 \
- && echo 'f3c5fdf447d7c2743442e68077d60acc7c3e91754849e1f4b6be837b4204b7e2 */home/build/usign/4d017e6f1ed5d616' | sha256sum --check

.circleci/README

@@ -1,6 +0,0 @@
-# Build/update the docker image
-
-docker pull debian:10
-docker build --rm -t docker.io/openwrtorg/packages-cci:latest .
-docker tag <IMAGE ID> docker.io/openwrtorg/packages-cci:<VERSION-TAG>
-docker push docker.io/openwrtorg/packages-cci

.circleci/config.yml

@@ -1,182 +0,0 @@
-version: 2.0
-jobs:
-  build:
-    docker:
-      - image: docker.io/openwrtorg/packages-cci:v1.0.7
-    environment:
-      - SDK_HOST: "downloads.openwrt.org"
-      - SDK_PATH: "snapshots/targets/ath79/generic"
-      - SDK_FILE: "openwrt-sdk-ath79-generic_*.Linux-x86_64.tar.xz"
-      - BRANCH: "master"
-    steps:
-      - checkout:
-          path: ~/openwrt_packages
-
-      - run:
-          name: Check changes / verify commits
-          working_directory: ~/openwrt_packages
-          command: |
-             cat >> $BASH_ENV <<EOF
-             echo_red()   { printf "\033[1;31m\$*\033[m\n"; }
-             echo_green() { printf "\033[1;32m\$*\033[m\n"; }
-             echo_blue()  { printf "\033[1;34m\$*\033[m\n"; }
-             EOF
-             source $BASH_ENV
-
-             RET=0
-             for commit in $(git rev-list HEAD ^origin/$BRANCH); do
-               echo_blue "=== Checking commit '$commit'"
-               if git show --format='%P' -s $commit | grep -qF ' '; then
-                 echo_red "Pull request should not include merge commits"
-                 RET=1
-               fi
-
-               author="$(git show -s --format=%aN $commit)"
-               if echo $author | grep -q '\S\+\s\+\S\+'; then
-                 echo_green "Author name ($author) seems ok"
-               else
-                 echo_red "Author name ($author) need to be your real name 'firstname lastname'"
-                 RET=1
-               fi
-
-               subject="$(git show -s --format=%s $commit)"
-               if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then
-                 echo_green "Commit subject line seems ok ($subject)"
-               else
-                 echo_red "Commit subject line MUST start with '<package name>: ' ($subject)"
-                 RET=1
-               fi
-
-               body="$(git show -s --format=%b $commit)"
-               sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
-               if echo "$body" | grep -qF "$sob"; then
-                 echo_green "Signed-off-by match author"
-               else
-                 echo_red "Signed-off-by is missing or doesn't match author (should be '$sob')"
-                 RET=1
-               fi
-             done
-
-             exit $RET
-
-      - run:
-          name: Download the SDK
-          working_directory: ~/sdk
-          command: |
-             curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
-             curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
-             curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
-             if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
-                 echo_red "Missing sha256sums signature files"
-                 exit 1
-             fi
-             [ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
-             if [ -f sha256sums.sig ]; then
-                 VERIFIED=
-                 for KEY in ~/usign/*; do
-                     echo "Trying $KEY..."
-                     if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
-                         echo "...verified"
-                         VERIFIED=1
-                         break
-                     fi
-                 done
-                 if [ -z "$VERIFIED" ]; then
-                     echo_red "Could not verify usign signature"
-                     exit 1
-                 fi
-             fi
-             rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
-             sha256sum -c --ignore-missing sha256sums
-
-      - run:
-          name: Prepare build_dir
-          working_directory: ~/build_dir
-          command: |
-             tar Jxf ~/sdk/$SDK_FILE --strip=1
-             touch .config
-             make prepare-tmpinfo scripts/config/conf
-             ./scripts/config/conf --defconfig=.config Config.in
-             make prereq
-             rm .config
-             cat > feeds.conf <<EOF
-             src-git base https://github.com/openwrt/openwrt.git;$BRANCH
-             src-link packages $HOME/openwrt_packages
-             src-git luci https://github.com/openwrt/luci.git;$BRANCH
-             EOF
-             cat feeds.conf
-             ./scripts/feeds update -a > /dev/null
-             make defconfig > /dev/null
-             # enable BUILD_LOG
-             sed -i 's/# CONFIG_BUILD_LOG is not set/CONFIG_BUILD_LOG=y/' .config
-
-      - run:
-          name: Install & download source, check package, compile
-          working_directory: ~/build_dir
-          command: |
-             set +o pipefail
-             PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/$BRANCH..." | grep 'Makefile$' | grep -Ev '/files/|/src/' | awk -F/ '{ print $(NF-1) }')
-             if [ -z "$PKGS" ] ; then
-                 echo_blue "WARNING: No new or modified packages found!"
-                 exit 0
-             fi
-
-             echo_blue "=== Found new/modified packages: $PKGS"
-             for PKG in $PKGS ; do
-                 echo_blue "===+ Install: $PKG"
-                 ./scripts/feeds install "$PKG"
-
-                 echo_blue "===+ Download: $PKG"
-                 make "package/$PKG/download" V=s
-
-                 echo_blue "===+ Check package: $PKG"
-                 make "package/$PKG/check" V=s 2>&1 | tee logtmp
-                 RET=${PIPESTATUS[0]}
-
-                 if [ $RET -ne 0 ]; then
-                     echo_red   "=> Package check failed: $RET)"
-                     exit $RET
-                 fi
-
-                 badhash_msg="HASH does not match "
-                 badhash_msg+="|HASH uses deprecated hash,"
-                 badhash_msg+="|HASH is missing,"
-                 if grep -qE "$badhash_msg" logtmp; then
-                     echo_red   "=> Package HASH check failed"
-                     exit 1
-                 fi
-                 echo_green "=> Package check OK"
-             done
-
-             make \
-                 -f .config \
-                 -f tmp/.packagedeps \
-                 -f <(echo '$(info $(sort $(package-y) $(package-m)))'; echo -en 'a:\n\t@:') \
-              | tr ' ' '\n' >enabled-package-subdirs.txt
-             for PKG in $PKGS ; do
-                 if ! grep -m1 -qE "(^|/)$PKG$" enabled-package-subdirs.txt; then
-                        echo_red "===+ Building: $PKG skipped. It cannot be enabled with $SDK_FILE"
-                        continue
-                 fi
-                 echo_blue "===+ Building: $PKG"
-                 make "package/$PKG/compile" -j3 V=s || {
-                        RET=$?
-                        echo_red "===+ Building: $PKG failed, rebuilding with -j1 for human readable error log"
-                        make "package/$PKG/compile" -j1 V=s; exit $RET
-                 }
-             done
-
-      - store_artifacts:
-          path: ~/build_dir/logs
-
-      - store_artifacts:
-          path: ~/build_dir/bin
-
-workflows:
-  version: 2
-  buildpr:
-    jobs:
-      - build:
-          filters:
-            branches:
-              ignore: master

admin/syslog-ng/Makefile

@@ -1,8 +1,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=syslog-ng
-PKG_VERSION:=4.6.0
-PKG_RELEASE:=2
+PKG_VERSION:=4.7.1
+PKG_RELEASE:=1
 
 PKG_MAINTAINER:=Josef Schlehofer <pepe.schlehofer@gmail.com>
 PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later
@@ -11,7 +11,7 @@ PKG_CPE_ID:=cpe:/a:balabit:syslog-ng
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/syslog-ng/syslog-ng/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
-PKG_HASH:=b69e3360dfb96a754a4e1cbead4daef37128b1152a23572356db4ab64a475d4f
+PKG_HASH:=5477189a2d12325aa4faebfcf59f5bdd9084234732f0c3ec16dd253847dacf1c
 
 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1

admin/syslog-ng/files/syslog-ng.conf

@@ -1,7 +1,7 @@
 # Collect all local logs into a single file /var/log/messages.
 # See https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition
 
-@version: 4.6
+@version: 4.7
 @include "scl.conf"
 
 options {

net/banip/Makefile

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=0.9.5
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 

net/banip/files/README.md

@@ -15,7 +15,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | adguard             | adguard IPs                    |         |         |    x    | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists)        |
 | adguardtrackers     | adguardtracker IPs             |         |         |    x    | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists)        |
 | antipopads          | antipopads IPs                 |         |         |    x    | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists)        |
-| asn                 | ASN segments                   |         |         |    x    | tcp: 80, 443 | [Link](https://asn.ipinfo.app)                               |
+| asn                 | ASN segments                   |    x    |    x    |    x    |              | [Link](https://asn.ipinfo.app)                               |
 | backscatterer       | backscatterer IPs              |    x    |    x    |         |              | [Link](https://www.uceprotect.net/en/index.php)              |
 | becyber             | malicious attacker IPs         |    x    |    x    |         |              | [Link](https://github.com/duggytuxy/malicious_ip_addresses)  |
 | binarydefense       | binary defense banlist         |    x    |    x    |         |              | [Link](https://iplists.firehol.org/?ipset=bds_atif)          |
@@ -114,7 +114,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
 * If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
 * Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
-* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
+* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below
 
 ## banIP CLI interface
 * All important banIP functions are accessible via CLI.
@@ -428,12 +428,12 @@ A valid JSON source object contains the following information, e.g.:
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
 		"descr": "tor exit nodes",
-		"flag": "tcp 80-89 443"
+		"flag": "gz tcp 80-88 udp 50000"
 	},
 	[...]
 ```
 Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.  
-Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.  
+Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.  
 
 ## Support
 Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>

net/banip/files/banip-functions.sh

@@ -595,24 +595,30 @@ f_etag() {
 # build initial nft file with base table, chains and rules
 #
 f_nftinit() {
-	local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}"
+	local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}"
 
 	wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 	[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 	[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 
 	for flag in ${ban_allowflag}; do
-		if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
-			allow_proto="${flag}"
-		elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
-			if [ -z "${allow_dport}" ]; then
-				allow_dport="${flag}"
-			else
-				allow_dport="${allow_dport}, ${flag}"
+		if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
+			if [ -z "${tmp_proto}" ]; then
+				tmp_proto="${flag}"
+			elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_proto="${tmp_proto}, ${flag}"
+			fi
+		elif [ -n "${flag//[![:digit]-]/}" ]; then
+			if [ -z "${tmp_port}" ]; then
+				tmp_port="${flag}"
+			elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_port="${tmp_port}, ${flag}"
 			fi
 		fi
 	done
-	[ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }"
+	if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
+		allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
+	fi
 
 	if [ "${ban_logprerouting}" = "1" ]; then
 		log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
@@ -697,7 +703,7 @@ f_nftinit() {
 #
 f_down() {
 	local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
-	local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target
+	local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag
 	local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
 
 	start_ts="$(date +%s)"
@@ -756,19 +762,25 @@ f_down() {
 	# prepare feed flags
 	#
 	for flag in ${feed_flag}; do
-		if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
+		if [ "${flag}" = "gz" ]; then
 			feed_comp="${flag}"
-		elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
-			feed_proto="${flag}"
-		elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
-			if [ -z "${feed_dport}" ]; then
-				feed_dport="${flag}"
-			else
-				feed_dport="${feed_dport}, ${flag}"
+		elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
+			if [ -z "${tmp_proto}" ]; then
+				tmp_proto="${flag}"
+			elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_proto="${tmp_proto}, ${flag}"
+			fi
+		elif [ -n "${flag//[![:digit]-]/}" ]; then
+			if [ -z "${tmp_port}" ]; then
+				tmp_port="${flag}"
+			elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
+				tmp_port="${tmp_port}, ${flag}"
 			fi
 		fi
 	done
-	[ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }"
+	if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
+		feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
+	fi
 
 	# chain/rule maintenance
 	#

net/banip/files/banip.feeds

@@ -36,8 +36,7 @@
 		"url_6": "https://asn.ipinfo.app/api/text/list/",
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
-		"descr": "ASN IP segments",
-		"flag": "tcp 80 443"
+		"descr": "ASN IP segments"
 	},
 	"backscatterer":{
 		"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",

net/jool/files/readme.md

@@ -1,28 +1,35 @@
-# [Jool](https://www.jool.mx)
+# [Jool](https://nicmx.github.io/Jool/en/index.html)
 
 ## Documentation
 
-[See here](https://www.jool.mx/en/documentation.html).
+[See here](https://nicmx.github.io/Jool/en/documentation.html).
 
-You might also want to see [contact info](https://www.jool.mx/en/contact.html).
+You might also want to see [contact info](https://nicmx.github.io/Jool/en/contact.html).
 
 ## Usage
 
 ### Start script
 
 This package includes a start script that will:
-    1. Read the configuration file `/etc/config/jool`
-    2. Determine what services are active
-    3. Run jool with procd
 
-For now this means that:
-    * The services will be disabled by default in the uci config `(/etc/config/jool)`
-    * The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
-    * There is no uci support and configuration will be saved at `/etc/jool/*
-    * Only one instance of jool(nat64) can run with the boot script
-    * Only one instance of jool(siit) can run with the boot script
-    * For now there is no way of overriding of the configuration file's paths
+  1. Read the configuration file `/etc/config/jool`
+  2. Determine what services are active
+  3. Run `jool` with procd
 
-The configuration files the startup script useses for each jool instance are:
-    * jool(nat64): `/etc/jool/jool-nat64.conf.json`
-    * jool(siit): `/etc/jool/jool-siit.conf.json`
+### For now this means that
+  
+- The services will be disabled by default in the uci config `(/etc/config/jool)`
+- The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
+- There is no uci support and configuration will be saved at `/etc/jool/`
+- Only one instance of jool(nat64) can run with the boot script
+- Only one instance of jool(siit) can run with the boot script
+- For now there is no way of overriding of the configuration file's paths
+
+The configuration files the startup script uses for each jool instance are:
+
+- jool(nat64): `/etc/jool/jool-nat64.conf.json`
+- jool(siit): `/etc/jool/jool-siit.conf.json`
+
+### OpenWrt tutorial
+
+For a more detailed tutorial refer to this [wiki page](https://openwrt.org/docs/guide-user/network/ipv6/nat64).

net/nut/Config.in

@@ -22,7 +22,7 @@
 		bool "Build with support for SNMP drivers"
 		help
 			If you have a UPS you can connect to via SNMP, select this.
-		default n
+		default y
 
 	config NUT_DRIVER_SERIAL
 		depends on PACKAGE_nut

net/nut/Makefile

@@ -97,9 +97,6 @@ define Package/nut-common
 	$(call Package/nut/Default)
 	TITLE+= (common)
 	DEPENDS:= nut \
-		+NUT_DRIVER_SNMP:libnetsnmp \
-		+NUT_DRIVER_USB:libusb-compat \
-		+NUT_DRIVER_NEON:libneon \
 		+NUT_SSL:libopenssl
 endef
 
@@ -368,10 +365,9 @@ define DriverPackage
 		$(call Package/nut/Default)
 		TITLE:=$(2) (NUT $(1) driver)
 		DEPENDS:=nut +nut-server
-		$(if $(filter $(1),snmp),DEPENDS+= @NUT_DRIVER_SNMP)
-		$(if $(filter $(1),usb),DEPENDS+= @NUT_DRIVER_USB)
-		$(if $(filter $(1),serial),DEPENDS+= @NUT_DRIVER_SERIAL)
-                $(if $(filter $(1),neon),DEPENDS+= @NUT_DRIVER_NEON)
+		$(if $(filter $(1),snmp),DEPENDS+= +libnetsnmp)
+		$(if $(filter $(1),usb),DEPENDS+= +libusb-compat)
+                $(if $(filter $(1),neon),DEPENDS+= +libneon)
         endef
 	# Deliberately empty description in order to trigger a build failure.
 	# It should be overridden by the list below, and when updating to a