16ef7e4ec2
adblock-fast: update to 1.2.2-r10
...
* bugfix: always print errors/warnings on non-quiet start
* bugfix: return proper enabled status in RPCD
* bugfix: return stupped status in RPCD when procd data is empty
* bugfix: correctly process verbosity=0
* delete LICENSE file and only keep it upstream
Signed-off-by: Stan Grishin <stangri@melmac.ca >
(cherry picked from commit 0058dd1233stangri@melmac.ca >
2026-03-08 17:47:29 -07:00
ab3db05190
adblock: update 4.5.2‑3
...
* the suspend/resume function now uses the external
DNS bridge when this function is used
* refine the f_nftadd function
* more file debug logging
* LuCI: add unfiltered DNS-Server to the DNS bridge selection
* LuCI: minor fixes
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit 5a495b2240
2026-03-08 18:54:50 +01:00
f9c6661a75
adblock: update 4.5.2‑2
...
* fixed the debug errorfile handling
* fixed a typo in the nftadd function
* minor cornercase improvements
* LuCI: minor cleanups & fixes
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit 57ec85084c
2026-03-05 21:05:01 +01:00
c52a949ebc
acme-acme.sh: support --cert-profile option
...
acme 3.1.2 added a new --cert-profile option to request specific certificates.
This makes it possible to request shortlived six day certificates from Letsencrypt.
Signed-off-by: Norman Gehrsitz <openwrt@gehrsitz.eu >
2026-03-05 13:14:28 +01:00
8898f78be4
bsbf-resources: update to GIT HEAD of 2026-03-03
...
Update bsbf-resources to the GIT HEAD of 2026-03-03.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit 91e2ddb985
2026-03-05 10:11:12 +02:00
a63a350e16
bsbf-autoconf-cellular: add
...
bsbf-autoconf-cellular creates a network with MBIM or QMI protocol using a
newly created network interface. It uses metric values from 1 to 8.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit a6be73da21
2026-03-05 10:11:12 +02:00
96ae116ff3
bsbf-openwrt-resources: add
...
Designate bsbf-openwrt-resources as the package to contain the BSBF
packages without a remote source to fetch.
Move bsbf-bonding and bsbf-usb-netdev-autodhcp into bsbf-openwrt-resources.
Change bsbf-usb-netdev-autodhcp to bsbf-autoconf-dhcp along with the logic.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit 6037422f53
2026-03-05 10:11:12 +02:00
2f9538d9d2
adblock-fast: update to 1.2.2-r8
...
* bugfix: support TMP and final block-list destination on different
partitions
* update pause-related code/defaults/validation
Signed-off-by: Stan Grishin <stangri@melmac.ca >
(cherry picked from commit 5ad634eac9stangri@melmac.ca >
2026-03-04 12:22:23 -08:00
6f610724a9
bsbf-bonding: add
...
bsbf-bonding configures the system for the BondingShouldBeFree bonding
solution client.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit 292214e76a
2026-03-04 12:42:03 +02:00
d66d8f63fc
bsbf-usb-netdev-autodhcp: add
...
bsbf-usb-netdev-autodhcp creates a network with a DHCP client using a newly
created network interface. It uses metric values from 1 to 8.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit fea7b41d64
2026-03-04 12:42:03 +02:00
3590e61fa4
bsbf-resources: add
...
bsbf-resources contains the resources for the BondingShouldBeFree bonding
solution client.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit e69b0b24fa
2026-03-04 12:42:03 +02:00
3e2e9596ce
tcp-in-udp: add
...
TCP-in-UDP is a lightweight TCP in UDP tunnel utilising eBPF.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com >
(cherry picked from commit ea1ea71298
2026-03-04 12:42:03 +02:00
2b3a45c536
https-dns-proxy: update to 2025.12.29-4
...
* add explicit LICENSE file to the repository
* pretty up Makefile
* minor shell script styling improvements
* better parsing if individual dnsmasq instances are used in config
* functional test
Signed-off-by: Stan Grishin <stangri@melmac.ca >
(cherry picked from commit eea712197estangri@melmac.ca >
2026-03-03 17:43:28 -08:00
4d8e082d37
pbr: update to 1.2.2-r8
...
* bugfix: don't mask RFC1918 in the support output
* bugfix: proper processing of downed interfaces
Thanks to everyone who reported/tested and @egc112 for collecting feedback.
Signed-off-by: Stan Grishin <stangri@melmac.ca >
(cherry picked from commit abff4ba825stangri@melmac.ca >
2026-03-03 17:42:01 -08:00
506c37591d
adblock: release 4.5.2‑1
...
* added a new firewall feature: the DNS‑Bridge.
This temporary DNS bridge ensures that an external fallback DNS server
is automatically used during local DNS restarts, providing Zero‑Downtime DNS resolution.
* The debug mode now captures internal error output in a dedicated log file,
located by default in the adblock base directory as /tmp/adb_error.log.
* LuCI: exposed the previously missing adb_cores option (auto‑detected by default).
* LuCI: added support for the new DNS‑Bridge options (Zero‑Downtime during DNS restarts).
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit d4a62496f9
2026-03-01 06:54:44 +01:00
33e3f91968
pbr: update to 1.2.2-r6
...
Update pbr from 1.2.1-r87 to 1.2.2-r6. This release
adds mwan4 (Multi-WAN) integration, a diagnostic
`support` command, IPv6 lease-to-nftset handling,
improved split-uplink detection, stricter UCI
validation, shell variable quoting fixes across 30+
locations, and a comprehensive 126-case test suite
with a full mock OpenWrt sysroot.
Signed-off-by: Stan Grishin <stangri@melmac.ca >
---
- **31 files changed**, +1,745 / -227 lines
(net +1,518)
- **1 commit**: `61c8923` —
`pbr: update to 1.2.2-r6`
---
- Version bumped from `1.2.1-r87` to `1.2.2-r6`
- URL updated from `github.com/stangri/pbr/` to
`github.com/mossdef-org/pbr/`
- No dependency changes
---
Three options changed from scalar to list type:
| Option | Old Type | New Type |
|---------------------|----------|----------|
| `ignored_interface` | `option` | `list` |
| `lan_device` | `option` | `list` |
| `resolver_instance` | `option` | `list` |
Options reordered: scalars first, then lists,
matching UCI convention. No values changed.
---
The init script (`/etc/init.d/pbr`) received
significant additions and fixes across ~660 lines
(+443/-218).
Bumped from `24` to `25`.
**mwan4 (Multi-WAN) Integration (8 new functions):**
- `mwan4_is_installed()` — Detect mwan4 package
- `mwan4_is_running()` — Check service status
- `mwan4_get_iface_list()` — Get enabled interfaces
- `mwan4_get_strategy_list()` — Get strategies
- `mwan4_get_iface_mark_chain()` — Get nft mark
chain for interface
- `mwan4_get_iface_nft_sets()` — Get nftset names
- `mwan4_get_strategy_chain()` — Get strategy chain
- `mwan4_get_mmx_mask()` — Get Multi-WAN mark mask
Enables PBR to coordinate with mwan4 for combined
policy routing and multi-WAN failover.
**Diagnostic `support` Command:**
- New `support()` function generates masked
diagnostic output for troubleshooting
- `print_config_masked()` redacts sensitive data
(passwords, keys, tokens, PSKs, endpoints)
while preserving IP addresses and structure
**IPv6 Lease Handling:**
- New `ipv6_leases_to_nftset()` parses DHCPv6
leases from `/tmp/hosts/odhcpd`
- Complements existing `ipv4_leases_to_nftset()`
**Split Uplink Detection (3 new functions):**
- `is_uplink4()` — Check IPv4 uplink interface
- `is_uplink6()` — Check IPv6 uplink interface
- `is_uplink()` — Unified check (v4 or v6)
- New `ipv6_default_lookup` variable for split
IPv4/IPv6 uplink routing table assignment
**ubus Integration:**
- New `ubus_get_interface()` queries PBR gateway
data via ubus
**Shell Variable Quoting (30+ locations):**
Systematic conversion of bare variable references
to brace-quoted syntax throughout the script:
- `$2` to `${2}` in string replacements
- `$_ret` to `${_ret}` in conditional expansions
- `$_mark` to `${_mark}` in nft rule generation
- `$nftset6` to `${nftset6}` in dnsmasq rules
- `$nft_set_timeout` to `${nft_set_timeout}`
- `$xrayIfacePrefix` to `${xrayIfacePrefix}`
- And many more across rule generation, output
strings, and conditional expressions
**Specific Fixes:**
- `pbr_get_gateway6()`: Changed `is_wan` to
`is_uplink4` for correct IPv4 uplink detection
- `is_netifd_interface()`: Now checks both
`ip4table` and `ip6table` (was IPv4 only)
- `load_environment()`: Fixed inverted flag check
(`-z` changed to `-n` for `loadEnvironmentFlag`)
- Dnsmasq instance detection: Fixed UCI section
lookup with proper variable handling
- Help text URL: `#WarningMessagesDetails` changed
to `#warning-messages-details` (kebab-case)
- `uplink_ip_rules_priority`: Changed from
`uinteger` to `range(99,32765)` to enforce
valid Linux routing policy DB bounds
Three options now use `config_get_list` instead of
`config_get` to support multiple values:
- `ignored_interface`
- `lan_device`
- `resolver_instance`
**Rule Cleanup Refactored:**
- Replaced complex awk-based rule parsing with
priority-range approach
- Calculates `prio_min = priority - max_ifaces`
and `prio_max = priority`, iterates and deletes
rules within range
- Skips netifd-managed fwmark rules
- Added legacy rule cleanup for
`suppress_prefixlength` entries
**Firewall Sync:**
- Added `fw4 -q reload` after successful nft file
installation to ensure fw4 state synchronizes
with PBR's nftables changes
**Resolver Instance Handling:**
- Added robustness checks in
`_dnsmasq_instance_config()`: file existence
check and instance validity check
- Better section name resolution with UCI query
- Added missing `setup` parameter in resolver
instance setup calls
- `uci_get_device()` — Replaced with inline call
- `uci_get_protocol()` — Replaced with inline call
---
In `70-pbr`, fixed shell variable quoting:
```sh
${DEVICE:+ ($DEVICE)}
${DEVICE:+ (${DEVICE})}
```
---
In `pbr.user.netflix`, fixed two instances of
bare variable expansion in parameter substitution:
```sh
params="${params:+$params, }${p}"
params="${params:+${params}, }${p}"
```
---
A full test suite is added in `net/pbr/tests/`
(21 new files, ~1,300 lines) using the shunit2
framework with a complete mock OpenWrt sysroot.
**Runner (`run_tests.sh`):**
- Discovers test files via glob pattern
- Supports pattern-based filtering via CLI arg
- Executes each test in isolated bash subprocess
- Captures output, reports pass/fail with color
- Accumulates stats and lists failures at end
- Requires `shunit2` package
**Setup (`lib/setup.sh`):**
- Creates temporary mock sysroot (`$MOCK_ROOT`)
- Sets `IPKG_INSTROOT` for OpenWrt path resolution
- Installs mock libraries, configs, and binaries
- Stubs `rc.common`, procd, logger, resolveip,
jsonfilter, pidof, sync
- Sources pbr init script with `readonly` keyword
stripped (allows test overrides)
- Redirects all file paths to temp directories
**UCI Config API (`lib/mocks/functions.sh`):**
- Full `config_load` parser for UCI syntax
- `config_get`, `config_get_bool`,
`config_get_list`, `config_foreach`,
`config_list_foreach`
- `uci_set`, `uci_get`, `uci_add_list`,
`uci_remove`, `uci_remove_list`, `uci_commit`
- Stores state in associative arrays
**Network API (`lib/mocks/network.sh`):**
- `network_get_device`, `network_get_physdev`,
`network_get_gateway`, `network_get_gateway6`,
`network_get_protocol`, `network_get_ipaddr`,
`network_get_ip6addr`, `network_get_dnsserver`,
`network_flush_cache`
- Backed by `MOCK_NET_*` variables that tests
override to simulate different network states
- Pre-configured: wan (eth0/dhcp/192.168.1.1),
wan6 (eth0/dhcpv6/fd00::1), wg0 (wireguard),
lan (br-lan/static), loopback (lo/static)
**JSON Shell (`lib/mocks/jshn.sh`):**
- Minimal JSON-in-shell implementation
- `json_init`, `json_add_string/boolean/int`,
`json_add_object/array`, `json_close_*`,
`json_select`, `json_get_var`, `json_get_keys`,
`json_dump`, `json_load`
- Associative array backend with path tracking
**Mock Binaries:**
- `nft` — Returns fw4 table structure with
standard chains (input, forward, output,
dstnat, mangle_*); passes syntax checks
- `dnsmasq` — Reports version with nftset support
- `readlink` — Returns `/usr/libexec/ip-full`
for `*/sbin/ip` (simulates ip-full installed)
**Mock UCI Configs:**
- `pbr` — Full config: enabled, policies
(vpn_all, vpn_gaming, disabled_policy),
dns_policy, nft settings, interface lists
- `network` — Interfaces: loopback, lan, wan,
wan6, wg0 (wireguard)
- `firewall` — Zones: lan (accept all),
wan (reject input/forward)
- `dhcp` — DHCP server stub
- `system` — Hostname and timezone
**01_validation — Input Validation (67 cases):**
`01_ipv4_validation` (13 cases):
- Valid IPs: 192.168.1.1, 10.0.0.1, 172.16.0.1
- Valid CIDR: /8, /24, /32, /0
- Invalid: octets >255, wrong octet count,
CIDR >32, IPv6 addresses, domain names
`02_ipv6_validation` (21 cases):
- Valid: ::1, fe80::1, 2001:db8::1, fd00::1,
full addresses, ::/0
- Invalid: IPv4 addrs, plain strings, MACs
- Scope detection: global (2001:db8::/32),
link-local (fe80::/10), ULA (fd00::/8)
`03_domain_validation` (8 cases):
- Host: single labels (router, host123)
- Hostname: multi-label (example.com,
sub.example.com, deep.sub.example.com)
- Domain: FQDN or single-label
- Invalid: IPs, empty strings, MAC notation
`04_misc_validators` (25 cases):
- MAC addresses (colon notation, case variants)
- Integer validation (positive, not negative)
- Negation marker (! prefix detection)
- URL schemes (http, https, ftp, file://)
- Version comparison (is_greater,
is_greater_or_equal)
- Family mismatch (IPv4/IPv6 mixing detection)
**02_string_utils — String Functions (8 cases):**
`01_str_functions`:
- `str_contains` — Substring search
- `str_contains_word` — Word-boundary search
- `str_to_lower` / `str_to_upper` — Case convert
- `str_first_word` — Token extraction
- `str_replace` — String substitution
- `str_extras_to_underscore` — Normalize delims
- `str_extras_to_space` — Expand delimiters
**03_wan_detection — Interface Detection
(13 cases):**
`01_wan_types`:
- `is_wan4` — Detects wan/wanX, not wan6/lan/wg0
- `is_wan6` — Detects wan6/mwan6 (IPv6-aware)
- `is_wan6_disabled` — Disabled when ipv6 off
- `is_wan` — Unified v4+v6 detection
- `is_uplink4` / `is_uplink6` — Uplink detection
- `is_tor` — Case-insensitive tor detection
- `is_ignore_target` — Ignore target detection
- `is_list` — Comma/space list vs single value
**04_config — Configuration Loading (13 cases):**
`01_load_config` (7 cases):
- Default values from UCI config
- Hex value parsing (fw_mask, uplink_mark)
- XOR calculation (fw_maskXor = ~fw_mask)
- List parsing (ignored_interface, resolver)
- nft parameters (auto-merge, flags)
- Config-loaded flag tracking
`02_disabled_service` (2 cases):
- Disabled: enabled option becomes unset
- Enabled: enabled option is set
`03_config_ipv6` (4 cases):
- IPv6 enabled: config and uplink interface set
- IPv6 disabled: both unset
- Reload behavior verification
**05_nft — nftables Integration (14 cases):**
`01_nft_file_operations` (8 cases):
- File creation with nft shebang
- Chain creation (dstnat, forward, output,
prerouting)
- Jump rules and guard rules
- File append, content search, file deletion
`02_nft_check_element` (6 cases):
- fw4 table existence
- Chain existence (input, forward, output,
dstnat, mangle_*)
- Non-existent chain detection
**06_network — Network Functions (11 cases):**
`01_gateway_discovery` (4 cases):
- IPv4 gateway from mock (192.168.1.1)
- IPv4 gateway fallback (ip addr parsing)
- IPv6 gateway from mock (fd00::1)
- Interface finding for uplinks
`02_supported_interfaces` (7 cases):
- Ignored: loopback in ignored list
- LAN detection vs non-LAN
- Uplink support (wan is supported)
- LAN/loopback not supported
- Wireguard supported (wg0)
- Explicit custom interface support
---
```sh
cd net/pbr/tests && sh run_tests.sh
```
Requires: `bash`, `shunit2`.
Optional filter: `sh run_tests.sh 01_validation`
Signed-off-by: Stan Grishin <stangri@melmac.ca >
(cherry picked from commit cf1d2770edstangri@melmac.ca >
2026-02-26 17:01:07 -08:00
824b0e3a67
adblock-fast: update to 1.2.2-r6
...
Update adblock-fast from 1.2.1-r7 to 1.2.2-r6. This is a major
architectural rewrite that ports the core business logic from a ~2,700-line
monolithic shell script (`/etc/init.d/adblock-fast`) to a ~2,850-line ucode
module (`/lib/adblock-fast/adblock-fast.uc`), reducing the init script to a
thin ~130-line procd wrapper. The rewrite also introduces a comprehensive
test suite and adds the AGPL-3.0-or-later LICENSE file.
---
- **36 files changed**, +5,787 / -2,836 lines (net +2,951)
- **1 commit**: `0263b2b` — `adblock-fast: update to 1.2.2-r6`
---
The previous implementation embedded all business logic (download pipeline,
domain processing, resolver configuration, status reporting, caching)
inside the init.d script as a ~2,700-line POSIX shell script. This made the
code difficult to test, maintain, and extend. Shell limitations (no native
data structures, reliance on subshell `eval`, global namespace pollution)
also introduced fragility and performance overhead from repeated subprocess
spawning for UCI/ubus operations.
```
/etc/init.d/adblock-fast (131 lines) — Thin procd wrapper
/lib/adblock-fast/adblock-fast.uc (2849 lines) — Core logic (ucode)
/lib/adblock-fast/cli.uc (95 lines) — CLI action dispatcher
```
The init script now delegates all operations to the ucode module via:
```sh
readonly _ucode="ucode -S -L /lib/${packageName} /lib/${packageName}/cli.uc --"
```
The CLI dispatcher (`cli.uc`) maps init script actions (start, stop,
status, allow, check, pause, etc.) to the module's exported functions.
The init script retains only procd lifecycle glue (`start_service`,
`stop_service`, `service_triggers`, `service_data`) and UCI validation
schemas.
1. **Native UCI/ubus bindings** — Direct `cursor()` and `connect()` calls
replace subprocess-heavy `uci get/set` and `jsonfilter` pipelines
2. **Proper data structures** — Objects and arrays for config, status
tracking, DNS mode definitions; no more string-concatenation state
management
3. **Streaming I/O** — 64KB chunked file reads for blocklist processing
instead of loading entire files into memory via pipes
4. **Memoized environment detection** — Platform capabilities (installed
resolvers, ipset/nftset support, downloader detection) cached on first
call
5. **Centralized trigger logic** — Config diff comparison
(`adb_config_cache()`) determines download/restart/skip in one place
6. **Testable** — Module exports enable direct unit testing without mocking
an entire init system
---
- `+ucode` — ucode interpreter runtime
- `+ucode-mod-fs` — Filesystem operations (readfile, writefile, popen,
stat, etc.)
- `+ucode-mod-uci` — Native UCI cursor API
- `+ucode-mod-ubus` — Native ubus RPC API
- `+jshn` — No longer needed (was used for JSON parsing in shell)
- URL updated from `github.com/stangri/adblock-fast/` to
`github.com/mossdef-org/adblock-fast/`
- Install target now installs `/lib/adblock-fast/adblock-fast.uc` and
`/lib/adblock-fast/cli.uc` alongside the init script
- Version stamp now patches the ucode module
(`version:` field) instead of init script (`PKG_VERSION` variable)
- `postinst` script removed (service enable handled elsewhere)
- `prerm` script simplified: only purges cache, no longer
stops service or removes rc.d symlinks (handled by procd)
---
The module supports all existing DNS resolver integrations through a
unified `dns_modes{}` configuration map. Each mode defines output file
paths, gzip cache names, sed format/parse filters, and grep patterns:
| Mode | Output Format |
|----------------------|--------------------------------------------------|
| `dnsmasq.addnhosts` | `127.0.0.1 domain` (+ `:: domain` with IPv6) |
| `dnsmasq.conf` | `local=/domain/` |
| `dnsmasq.ipset` | `ipset=/domain/adb` |
| `dnsmasq.nftset` | `nftset=/domain/4#inet#fw4#adb4[,6#...]` |
| `dnsmasq.servers` | `server=/domain/` (block) / `server=/domain/#` (allow) |
| `smartdns.domainset` | Raw domain (with smartdns conf wrapper) |
| `smartdns.ipset` | Raw domain (with smartdns ipset conf) |
| `smartdns.nftset` | Raw domain (with smartdns nftset conf) |
| `unbound.adb_list` | `local-zone: "domain." always_nxdomain` |
The download pipeline auto-detects blocklist format from content:
| Format | Detection | Example |
|--------------|-------------------------------------|----------------------------|
| AdBlock Plus | `[Adblock Plus]` header / `^||` | `\|\|example.com^` |
| dnsmasq | `^server=` | `server=/example.com/` |
| dnsmasq2 | `^local=` | `local=/example.com/` |
| dnsmasq3 | `^address=` | `address=/example.com/0.0.0.0` |
| hosts | `^0.0.0.0\s` or `^127.0.0.1\s` | `0.0.0.0 example.com` |
| domains | (fallback — plain domain list) | `example.com` |
```
For each file_url UCI section:
→ Download URL (curl with retries, timeout, optional max-file-size)
→ Auto-detect format → Apply format-specific sed filter → Extract domains
→ Append to accumulator (blocked or allowed)
Merge phase:
→ sort -u (deduplicate)
→ Subdomain optimization (awk label-reverse → sort → dedup → reverse)
→ Remove allowed domains (sed -f generated_script)
→ Inject canary domains (iCloud Private Relay, Mozilla DoH)
→ Inject manually blocked_domain entries from config
→ Format for target DNS resolver
→ Optional validity check (remove malformed entries)
→ Atomic rename to output file
Resolver phase:
→ Update resolver config (UCI: addnhosts, conf-dir, server files)
→ Sanity check (dnsmasq --test)
→ Restart resolver service
→ Heartbeat probe (resolve canary domain to verify blocking)
→ Revert on failure
```
| Function | Purpose |
|-----------------------|------------------------------------------------------|
| `start(args)` | Main lifecycle: download, restore from cache, or restart |
| `stop()` | Disable blocking, flush kernel state, cleanup |
| `status_service()` | Report status to syslog/ubus |
| `allow(domain)` | Whitelist domain in live blocklist + UCI config |
| `check(pattern)` | Search current blocklist for domain |
| `check_tld()` | Detect TLD entries (sanity check) |
| `check_leading_dot()` | Detect leading-dot errors |
| `check_lists(domain)` | Search upstream list URLs for domain |
| `dl()` | Force re-download all lists |
| `killcache()` | Purge all cached files |
| `pause(seconds)` | Temporarily disable blocking |
| `show_blocklist()` | Output parsed blocklist to stdout |
| `sizes()` | Fetch/display configured blocklist file sizes |
| `get_init_status()` | Full service state for UI/RPC clients |
| `get_init_list()` | Enabled/disabled status |
| `get_platform_support()` | Detect installed resolvers and features |
| `get_file_url_filesizes()` | Return cached/live URL metadata |
- 40+ localized message codes (e.g., `errorDownloadingList`,
`errorConfigValidationFail`, `warningSanityCheckTLD`)
- Errors/warnings accumulated in `status_data{}` arrays
- Synced atomically to ubus service data for UI consumption
- Status states: `statusSuccess`, `statusFail`, `statusDownloading`,
`statusProcessing`, `statusRestarting`, `statusPaused`
---
The init script (`/etc/init.d/adblock-fast`) is reduced from ~2,700 to ~130
lines. It now serves exclusively as a procd service wrapper:
- **procd lifecycle**: `start_service()` calls ucode `start`, captures
shell output for `service_data()`; `stop_service()` calls ucode `stop`
- **Service triggers**: WAN interface triggers, config change triggers, UCI
validation (unchanged from previous version)
- **Extra commands**: `allow`, `check`, `check_tld`, `check_leading_dot`,
`check_lists`, `dl`, `killcache`, `pause`, `show_blocklist`, `sizes`,
`version` — all delegate directly to ucode CLI dispatcher
- **procd data bridge**: `emit_procd_shell()` in ucode generates shell
statements that the init script `eval`s for `service_data()` and
`service_stopped()`/`service_started()` hooks (firewall restart flag)
---
The `90-adblock-fast` uci-defaults script is simplified from 181 to 65
lines:
- **Removed**: Entire `simple-adblock` migration path (config, cache files,
URL lists). This migration was for the initial transition from
simple-adblock to adblock-fast and is no longer needed.
- **Retained**: List name migration (adds `name` option to `file_url`
sections that lack one, using pristine default config as reference),
config key renames (`debug` → `debug_init_script`, `proc_debug` →
`debug_performance`, `sanity_check` → `dnsmasq_sanity_check`)
- **Simplified**: Uses direct `uci` commands instead of sourcing the init
script for `uci_get`/`uci_set` helpers. Pristine config lookup now
supports both apk (`.apk-new`) and opkg (`-opkg`) package manager
conventions.
---
A full test suite is added in `net/adblock-fast/tests/` (16 new files,
~1,800 lines) mock-and-expect pattern.
- **Module patching**: Converts ES6 imports to CommonJS requires, redirects
hardcoded system paths to temp directories for isolation
- **Resolver stubs**: Mock binaries for dnsmasq (v2.89), smartdns, unbound,
ipset, nft, resolveip
- **Test case format**: Markup-based (`-- Testcase --`,
`-- Environment --`, `-- Expect stdout --`, `-- File path --`) with
support for inline test data and per-test environment overrides
- **Assertion model**: Compares stdout, stderr, and exit code against
expected values using `diff -u`
- **Shell validation**: Syntax-checks init.d and uci-defaults scripts via
`sh -n`
- **Automatic cleanup**: Trap-based temp directory removal
**UCI Mock** (`tests/lib/mocklib/uci.uc`):
- Full `cursor()` interface: `load`, `get`, `get_all`, `foreach`, `set`,
`delete`, `list_add`, `list_remove`, `commit`, `changes`
- Loads JSON fixtures from `tests/mocks/uci/` (adblock-fast, dhcp, network,
smartdns, unbound configs)
- Supports `@type[index]` extended section addressing
**ubus Mock** (`tests/lib/mocklib/ubus.uc`):
- `connect()` → `call(object, method, args)` with signature-based fixture
lookup
- Fixtures in `tests/mocks/ubus/` (system info, network interface
dump/status, dnsmasq service list)
**System Call Interception** (`tests/lib/mocklib.uc`):
- Blocks service operations: `/etc/init.d/*`, `logger`, `sleep`,
`dnsmasq --test`
- Passes through data processing: `sed`, `sort`, `grep`, `awk`
- Fixed timestamp (`1615382640`) for reproducible output
- Null `getenv()` for environment isolation
**01_pipeline** — Data processing pipeline (9 tests):
1. `01_all_dns_modes` — Verifies all 9 DNS output modes produce valid,
deduplicated output (~162-165 domains from 2 input lists)
2. `02_input_format_detection` — Validates auto-detection of domains,
hosts, AdBlock Plus, and dnsmasq input formats
3. `03_subdomain_dedup` — Confirms parent domains retained, child
subdomains removed (e.g., blocks `example.com`, skips `sub.example.com`)
4. `04_allowed_domains` — Verifies `allowed_domain` config removes domains
from output while preserving others
5. `05_canary_domains` — Confirms iCloud Private Relay and Mozilla DoH
canary domain injection when enabled
6. `06_servers_mode_allow` — Validates dnsmasq.servers mode prepends
explicit allow entries (`server=/domain/#` format)
7. `07_ipv6_addnhosts` — Verifies dual-stack output (both `127.0.0.1` and
`::` entries) in addnhosts mode with IPv6 enabled
8. `08_ipv6_nftset` — Confirms nftset mode includes IPv6 set references
(`4#inet#fw4#adb4,6#inet#fw4#adb6`) when IPv6 enabled
9. `09_unbound_header` — Validates `server:` header line prepended in
unbound output mode
**02_config** — Configuration handling (1 test):
1. `01_blocked_domain_injection` — Verifies `blocked_domain` config entries
appear in output
**03_functional** — CLI command tests (2 tests):
1. `01_check_domain` — Tests `check()` correctly identifies blocked vs.
unblocked domains with appropriate output messages
2. `02_show_blocklist` — Tests `show_blocklist()` outputs parsed domain
list (162 domains, correct format)
5 curated test data files with ~160+ unique test domains across multiple
formats (plain domains, hosts, AdBlock Plus, dnsmasq), including:
- Valid tracking/ad domains for positive matching
- Overlapping domains across files for deduplication testing
- Parent/child domain pairs for subdomain optimization testing
- Invalid entries (IPs, malformed, special chars) for filter robustness
- Mock UCI/ubus fixtures simulating a standard OpenWrt environment
(512MB RAM, WAN interface up, dnsmasq running)
---
Adds the full AGPL-3.0-or-later license text (661 lines), matching the
`PKG_LICENSE` field already declared in the Makefile.
---
- Package compat bumped from `11` to `13` (in the ucode module's
`pkg.compat` constant), reflecting the architectural change
- All existing UCI configuration options preserved (same validation schema)
- All existing extra_commands preserved (same CLI interface)
- All existing DNS resolver modes preserved (same output formats)
- procd service triggers and config triggers unchanged
- `simple-adblock` migration path removed from uci-defaults (obsolete)
---
```sh
cd net/adblock-fast/tests && sh run_tests.sh
```
Requires: `ucode`, `ucode-mod-fs`, `ucode-mod-uci`, `ucode-mod-ubus`,
`sed`, `sort`, `grep`, `awk` (standard OpenWrt buildroot tools).
Signed-off-by: Stan Grishin <stangri@melmac.ca >
(cherry picked from commit bb3625e94astangri@melmac.ca >
2026-02-26 17:00:14 -08:00
50ac74e3cc
net/sqm-scripts: bump to v1.7.2
...
This versions changes the default value of use_mq to off, as a
cautionary measure.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk >
2026-02-25 15:58:09 +01:00
2c5bfc048c
telegraf: update to 1.37.3
...
- Update Telegraf to v1.37.3
Signed-off-by: Niklas Thorild <niklas@thorild.se >
(cherry picked from commit 55f8be8cbe
2026-02-24 21:49:56 +02:00
d6f79bdfd0
adblock: update 4.5.1-4
...
* fix/stabilize the f_list "merge" function
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit 19f9f78614
2026-02-23 17:08:58 +01:00
5c7ae162b7
net/sqm-scripts: bump to v1.7.1
...
Contains a bugfix for cake_mq. Also add 'ip' as a dependency to be able
to create multi-queue ifb devices.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk >
2026-02-23 16:17:45 +01:00
9dfc2f3d5d
adguardhome: bump to 0.107.72
...
Changes: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.72
Signed-off-by: George Sapkin <george@sapk.in >
(cherry picked from commit 3bdbc94744
2026-02-22 15:29:40 +02:00
ce992a83bc
adguardhome: fix procd
...
Move START and STOP to be within the first 10 lines so they can be
properly detected by procd.
Signed-off-by: George Sapkin <george@sapk.in >
(cherry picked from commit 779b1ef2aa
2026-02-22 15:29:40 +02:00
b94ea571d1
adguardhome: respawn on crash
...
Respawn service on crash.
Signed-off-by: George Sapkin <george@sapk.in >
(cherry picked from commit d2617ca21f
2026-02-22 15:29:40 +02:00
011a130ece
btop: patch to move the log file to tmpfs
...
The log file path is hardcoded as $HOME/.local/state/btop.log, i.e. to the router’s flash storage rather than to tmpfs. This patch sets the log file path to /tmp/log/btop.log
Signed-off-by: XCas13 <xcas13@gmail.com >
2026-02-22 14:29:09 +02:00
7844f3ba86
libutp: deactivate -Werror
...
With fortify sources libutp fails to compile because the fortify sources
for musl use the GNU extension include_next. Do not fail when the
compiler issues a warning.
Fixes the following compile error:
```
In file included from libutp-2023.02.14~c95738b1/utp_utils.cpp:23:
/include/fortify/stdlib.h:22:2: error: #include_next is a GCC extension [-Werror]
22 | #include_next <stdlib.h>
| ^~~~~~~~~~~~
```
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de >
(cherry picked from commit 0814aba3b0
2026-02-22 14:28:17 +02:00
3ff01f4033
banip: update 1.8.0-3
...
* support the new possible nft expiry options in the backend as well
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit 091ba82c38
2026-02-21 11:49:17 +01:00
639ccbbeb8
inadyn: remove package
...
This software is no longer maintained, and upstream
repo has been archived.
No package depends on this.
Signed-off-by: Yanase Yuki <dev@zpc.st >
(cherry picked from commit 1d876b0894
2026-02-21 12:11:33 +02:00
c71c46060a
borgbackup: update to 1.4.3
...
This update fixces incompatibility with python-msgpack 1.1.2.
Add missing dependency on python3-openssl and drop the optional
dependency on python-pyfuse3, which doesn't work with the current
version.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com >
2026-02-21 12:11:07 +02:00
3143938c37
adblock: update 4.5.1-3
...
* added IPFire DBL: a comprehensive, community-maintained domain blocklist
divided in 12 categories
* LuCI: eslint fixes
* LuCI: added IPFire feed/category selection
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit cadf02496c
2026-02-20 20:23:18 +01:00
3552ee36b7
travelmate: update 2.4.0-2
...
* fixed a busybox awk problem in the new scan function
* minor cleanups
* LuCI: more eslint fixes
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit 559c6c7dec
2026-02-20 18:08:01 +01:00
f1aecb3433
travelmate: release 2.4.0-1
...
* rework wlan scanning
- drop iw/ip - use ubus/iwinfo calls instead
- build a new, central wlan scan function (used in LuCI and during
* simplify uci config parsing
Signed-off-by: Dirk Brenken <dev@brenken.org >
(cherry picked from commit 7431a315ba
2026-02-18 21:28:55 +01:00
bb66559be4
telegraf: update to 1.37.2
...
- Update Telegraf to v1.37.2
Signed-off-by: Niklas Thorild <niklas@thorild.se >
(cherry picked from commit e46fbad872
2026-02-18 20:56:14 +02:00
078ddaf826
telegraf: replace prometheus plugin with http plugin
...
- Replace inputs.prometheus with inputs.http
Signed-off-by: Niklas Thorild <niklas@thorild.se >
(cherry picked from commit 73aa31caca
2026-02-18 20:56:14 +02:00
56a452a9e7
jool: update to 4.1.15
...
Changelog: https://github.com/NICMx/Jool/releases/tag/v4.1.15
- Add support for kernels 6.15-6.18
- Add support for RHEL 9.6, 9.7
Drops 200-fix-compilation-in-v6.18.patch as upstream accepted
Signed-off-by: Goetz Goerisch <ggoerisch@gmail.com >
(cherry picked from commit 229cd0bfe5
2026-02-18 20:55:07 +02:00
35797006b7
django: bump to version 6.0.2
...
Release notes:
https://docs.djangoproject.com/en/dev/releases/6.0/
https://docs.djangoproject.com/en/dev/releases/6.0.1/
https://docs.djangoproject.com/en/dev/releases/6.0.2/
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com >
(cherry picked from commit b54cc9b69e
2026-02-18 13:33:34 +02:00
1a250e0c4a
vim: bump to 9.2.0
...
Update URLs.
Remove inactive maintainer.
Changes: https://www.vim.org/vim-9.2-released.php
Signed-off-by: George Sapkin <george@sapk.in >
(cherry picked from commit 9dd488df07
2026-02-18 10:16:46 +02:00
a480660bc7
zabbix: fix unnecessary virtual provides
...
We aren't using packages with the same name as the provides, so don't
use an virtual (@) provides for providing zabbix-get
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca >
(cherry picked from commit 696e549e9d
2026-02-16 20:58:48 +02:00
3e995d0f43
zabbix: set PKGARCH all for non-binary packages
...
For non-compiled package that are architecture independant, set
PKGARCH:=all.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca >
(cherry picked from commit 4635838819
2026-02-16 20:58:48 +02:00
e2147cefdc
zabbix: fix no-configure build variant
...
When selecting only a package of "no-configure" build variant, e.g.
CONFIG_PACKAGE_zabbix-frontend-server=y
but not any other zabbix package, then the build fails.
The sources are not extracted and the install fails finally with:
make[4]: Entering directory '/srv/openwrt/openwrt-2.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[4]: *** No rule to make target 'install'. Stop.
make[4]: Leaving directory '/srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[3]: *** [Makefile:522: /srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22/.built] Error 2
This PR fixes this by always running the standard Prepare stage,
but skip the Install one when nothing needs to be compiled.
Signed-off-by: Michael Heimpold <mhei@heimpold.de >
(cherry picked from commit 849db7361d
2026-02-16 20:58:48 +02:00
ea801cb3fb
zabbix: fix recursive depedency warning on build
...
The error in the #24828 patch series left Kconfig recursive depedency
error on zabbix-frontend-server. We fix this by update the database
depedencies on zabbix-frontend-server. Now, you must select the PHP8
database module you want _before_ zabbix-frontend-server will be
visible in menuconfig.
This is not a big problem, because zabbix-frontend-server already
depends on having php8 slected before the frontend can be built.
Closes : #28458
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca >
(cherry picked from commit ff7353dbbc
2026-02-16 20:58:48 +02:00
47273e2f32
zabbix: fix package rename missed database config
...
Due to package renaming the selection of database for the server and
proxy was missing from the Kconfig menu. This caused build failures for
proxy and server.
We now fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca >
(cherry picked from commit b032682381
2026-02-16 20:58:48 +02:00
c326ec74a4
zabbix: fix compile skipped due to line continuation
...
Using line continuation (\\) in GNU Make \$(foreach ...) and
\$(call ...) resulted in the install section for many of the packages
not being defined. This resulted in 'skipping [package-name] no install
section' messages and no new package being generated.
We remove the line continuation from the parts foreach and call, in
ordeer to restore compilation and creation of packages.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca >
(cherry picked from commit 8bc0c6c7cf
2026-02-16 20:58:48 +02:00
57e83b56ca
zabbix: deduplicate and reorganize package defines
...
In preparation for further changes, deduplicate package definitions,
and reorganize them. At the same time make use of provides to ensure
both existing names are preserved, and that it is possible to be
specific about the variant of the package one wants.
Also, condense the package conffiles, install, postinst, etc handling.
This is more maintainable (less copy and paste and less to modify).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca >
(cherry picked from commit 75146ea2be
2026-02-16 20:58:48 +02:00
94754edbe7
bluld: bump to version 1.1.3
...
Release notes:
https://github.com/ktgeek/bluld/releases/tag/v1.1.3
Signed-off-by: Keith T. Garner <kgarner@kgarner.com >
(cherry picked from commit 5ea0e44e79
2026-02-16 20:58:11 +02:00
f3267a4f59
mjpg-streamer: drop package
...
Based on the discussion in the previous PR, drop the package. Main source
has not been updated in 8 years and the fork in 5.
Link: https://github.com/openwrt/packages/pull/27878
Signed-off-by: George Sapkin <george@sapk.in >
(cherry picked from commit e058c0dac3
2026-02-16 10:16:08 +02:00
b7a5497cbf
sqm-scripts: bump to v1.7.0
...
- Add nat to the default [IN|E]GRESS_CAKE_OPTS in defaults.sh
- Add support for cake_mq
Signed-off-by: Rany Hany <rany_hany@riseup.net >
(cherry picked from commit 7f4a121db5
2026-02-15 10:47:35 +02:00
18f992e909
natmap: update to 20260214
...
Upstream changelog:
https://github.com/heiher/natmap/releases/tag/20260214
Signed-off-by: Ray Wang <git@hev.cc >
(cherry picked from commit 6ca009121c
2026-02-15 10:24:38 +02:00
8ab35c9323
haproxy: implement force_reload init option
...
- It will be used for acme-renew events
- Fixes issue #28038
Signed-off-by: Christian Lachner <gladiac@gmail.com >
2026-02-14 15:00:48 +02:00
892a99bc67
haproxy: update to v3.2.12
...
- Fixes CVE-2026-26080 and CVE-2026-26081
https://www.haproxy.com/blog/cves-2026-quic-denial-of-service
- Updated haproxy PKG_VERSION and PKG_HASH
- See changes: http://git.haproxy.org/?p=haproxy-3.2.git;a=shortlog
Signed-off-by: Christian Lachner <gladiac@gmail.com >
2026-02-14 15:00:48 +02:00
Stan Grishin
Dirk Brenken
Norman Gehrsitz
Chester A. Unal
Toke Høiland-Jørgensen
Niklas Thorild
George Sapkin
XCas13
Hauke Mehrtens
Yanase Yuki
Miroslav Lichvar
Goetz Goerisch
Wei-Ting Yang
Daniel F. Dickinson
Michael Heimpold
Keith T. Garner
Rany Hany
Ray Wang
Christian Lachner