pbr: update to 1.1.7-21

* switch to dstnat chain from dstnat_lan chain for dns & tor policies (thanks @egc112)
* re-introduce procd_lan_interface for better LAN detection
* improve is_domain function
* introduce health-check for requried fw4 chains
* bugfix: avoid double counters for dns policies
* bugfix: remove faulty counters for tor policies
* rename interface_process to process_interface for better code readability
* overhaul pbr.user.aws script for a much better performance and more compact
  (gzipped) storage of the ranges json locally (thanks @bigsmile74)

Signed-off-by: Stan Grishin <stangri@melmac.ca>

net/pbr/files/usr/share/nftables.d/chain-post/dstnat/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_dstnat comment "Jump into pbr dstnat chain";

net/pbr/files/usr/share/nftables.d/chain-post/dstnat_lan/30-pbr.nft

@@ -1 +0,0 @@
-jump pbr_dstnat_lan comment "Jump into pbr dstnat_lan chain";

net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft

@@ -1,4 +1,4 @@
-chain pbr_dstnat_lan {}
+chain pbr_dstnat {}
 chain pbr_forward {}
 chain pbr_input {}
 chain pbr_output {}

net/pbr/files/usr/share/pbr/pbr.user.aws

@@ -1,34 +1,29 @@
 #!/bin/sh
-# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
-
-TARGET_INTERFACE='wan'
-TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
-TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
+# shellcheck disable=SC2015,SC3003,SC3060
+TARGET_URL='https://ip-ranges.amazonaws.com/ip-ranges.json'
+TARGET_DL_FILE='/var/pbr_tmp_aws_ip_ranges.gz'
 TARGET_TABLE='inet fw4'
-TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
-TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4"
-# Uncomment the following line if you enabled ipv6 for pbr and want IPv6 entries added to the IPv6 set
-# TARGET_DL_FILE_6="/var/pbr_tmp_aws_ip_ranges.ipv6"
-_ret=0
+TARGET_INTERFACE='wan'
 
-if [ ! -s "$TARGET_DL_FILE_4" ]; then
-	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4"
-fi
+_ret=1
 
-if [ -s "$TARGET_DL_FILE_4" ]; then
-	params=
-	while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_4"
-	[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
-fi
+mkdir -p "${TARGET_DL_FILE%/*}"
 
-if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
-	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6"
-fi
+[ -s "$TARGET_DL_FILE" ] || \
+	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" | \
+		gzip > "$TARGET_DL_FILE"
 
-if [ -s "$TARGET_DL_FILE_6" ]; then
-	params=
-	while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_6"
-	[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
-fi
+[ "$(uci get pbr.config.ipv6_enabled)" = "1" ] && vers="4 6" || vers="4"
+
+for ver in $vers;do
+	case "$ver" in
+		4) search='@.prefixes[*].ip_prefix';;
+		6) search='@.ipv6_prefixes[*].ipv6_prefix';;
+	esac
+	params="$(zcat "$TARGET_DL_FILE" | jsonfilter -e "$search")"
+	[ -n "$params" ] && _ret=0 || continue
+	nftset="pbr_${TARGET_INTERFACE}_${ver}_dst_ip_user"
+	nft "add element $TARGET_TABLE $nftset { ${params//$'\n'/, } }" || _ret=1
+done
 
 return $_ret