Bug-fix release. Fixes 20+ bugs and includes some performance
improvements. All users are encouraged to upgrade.
Highlights (all platforms):
* Fixed a 4.1.0 bug that failed to report some filesystem errors
to RPC clients querying free space.
* Fixed a 4.1.0 bug that kept a torrent's updated queue position
from being shown.
* Fixed a 4.1.0 bug that caused torrents' queuing order to
sometimes be lost between sessions.
* Hardened .torrent parsing by exiting sooner if 'pieces' has
an invalid size.
* Reverted a 4.1.0 RPC change that broke some 3rd party code by
returning floats rather than integers for speed limit fields.
* Fixed crash when pausing a torrent and editing its tracker
list at the same time.
* Fixed 4.1.0 crash on arm32 by switching crc32 libraries to
Mark Adler's crcany.
* Require UTF-8 filenames in .torrent files (per BitTorrent spec).
* Fixed crash when parsing a .torrent file with a bad 'pieces' key.
* Fixed potential fd leak when launching scripts on POSIX systems.
* Changed network traffic algorithm to spread bandwidth more
evenly amongst peers.
Link: https://github.com/transmission/transmission/releases/tag/4.1.1
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4216ad05af)

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, release 3
- update PKG_RELEASE to 3
files/etc/init.d/https-dns-proxy:
- refactor nftable rules to explicitly add and flush the table and
chains instead of block replacement
- make nftable `delete table` call silent in `notrack_nft remove`
- update `notrack_nft remove` to check for absence of nftable table
instead of just checking the file
- ensure `notrack_nft remove` sets _error=1 on failure
- ignore dnsmasq instances with port 0 in
`dnsmasq_instance_append_force_dns_port`
tests/run_tests.sh:
- add test case to ensure dnsmasq port 0 is ignored
- update `notrack_nft remove` test to confirm success when both file
and table are absent
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 4bac71e3cd)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
Fix nftables rule directory creation
- Bump PKG_RELEASE to 2.
files/etc/init.d/https-dns-proxy:
- Add 'mkdir -p' before writing nftables rules to ensure the parent
directory exists. This fixes an issue where the directory might not
exist on initial installation, causing errors.
tests/run_tests.sh:
- Add comprehensive regression tests for notrack_nft.
- Mock 'nft' to track invocations and control return codes for testing.
- Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
- Verify 'notrack_nft' correctly creates the parent directory if missing.
- Test content of generated nftables snippet, idempotence, and removal.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 3d9a73bd7e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

- update dependencies from perl to python
- support dropbear
Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
(cherry picked from commit b0a6a9147b)

Rsyncd only needs a subset of all capabilities so create
a dedicated user with these capabilities. This is better from both a
security and an isolation perspective than running as root.
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 2a7364534e)

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, improve nftables rules
- Update PKG_VERSION to 2026.03.18.
- Set PKG_RELEASE to 1.
- Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
- Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.
files/etc/init.d/https-dns-proxy:
- Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
table. A top-level `chain` outside any table is invalid nftables
syntax and is rejected on kernel 6.18+, breaking firewall load.
Fixes mossdef-org/https-dns-proxy#7.
- Syntax-check the generated snippet with `nft -c -f` after write
and report OK/FAIL on the start path.
- On remove, explicitly `nft delete table` in addition to removing
the snippet file, so the live ruleset is cleaned up immediately
rather than waiting for the next fw4 reload.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 0d5f7a16c1)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description: Add nftables notrack for localhost traffic
- Removed. License is now included in the main project.
net/https-dns-proxy/Makefile:
- Bumped PKG_RELEASE to 5.
net/https-dns-proxy/files/etc/config/https-dns-proxy:
- Added 'option notrack_dns '1'' to the default configuration.
net/https-dns-proxy/files/etc/init.d/https-dns-proxy:
- Defined NOTRACK_NFT_FILE constant.
- Added 'notrack_dns' and 'notrack_ports' variables.
- Implemented 'notrack_nft' function to manage nftables rules for notracking local DNS traffic.
- Enabled loading of 'notrack_dns' boolean from configuration.
- Modified start_instance to collect listen_port into notrack_ports if notrack_dns is enabled.
- Modified start_service to call notrack_nft update/remove based on notrack_dns and collected ports.
- Modified stop_service to call notrack_nft remove.
- Updated service_started and service_stopped to trigger firewall config changes when notrack_dns is enabled.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit fa4b35ad53)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

- Use GitHub for sources URL
- Remove autoreconf fixup (it works out-of-the-box)
- Remove squid-mod-cachemgr package since cachemgr.cgi was removed upstream
- Rename ac_cv_epoll_works to squid_cv_epoll_works to follow upstream
- Don't customize target CFLAGS and LDFLAGS (they work as is)
- Remove nettle configure patch - upstream handles it correctly now
- Remove dummy comment in config menu
Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
(cherry picked from commit 55404adb91)

* Switch Hagezi URL to a more compact higher-level only domains list as we
prefer it anyways and there's less processing (thanks @dave14305)
* When update_config_sizes is unset, save collected sizes to RAM to improve
luci app performance (thanks @sshaikh)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 5e0b94f2a4)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

fix: avoid unnecessary dnsmasq restarts (thanks @egc112)
fix: insert, not add dns policies to ensure higher priority than the DNS
hijack rules (thanks @egc112)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 727ca8a3a5)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

The RFC-1918 zones are automatically synthesized locally by bind
to avoid forwarding queries about them to root nameservers. As
a result, we can't easily replace them with rndc addzone on the
fly. We need this for DHCP integration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit 505ca0a0d4)

* add: ucode-mod-uloop dependency
* add: parallel downloads using uloop
* fix: explicit allow for domains from allow-lists
* fix: get environment information for getInitStatus RPCD call
* add: update tests
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 65ed2877ef)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* fix: ensure output in CLI in status and quick start commands
* fix: ensure relevant directories exist when using a (gzip) cache file on
first boot
* add: update functional tests
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit f4e6ada26d)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

- Fixes multiple security critical bugs with H3 handling. CVE submission is
pending.
- Updated haproxy PKG_VERSION and PKG_HASH
- Removed get-latest-patches.sh as it is not used anymore.
- See changes: http://git.haproxy.org/?p=haproxy-3.0.git;a=shortlog
Signed-off-by: Christian Lachner <gladiac@gmail.com>

Config:
* update pause_timeout default value to 60
* add config option rpcd_token
Init script:
* add validation for rpcd_token
Ucode script:
* fix: always reload config options on RPCD calls to prevent stale values
* fix: shell_quote curl params
* fix: do not reload is_tty on each call
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 139d73b583)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* fix: detect/support point-to-point interfaces in dynamic routing mode
* fix: avoid IPv4/IPv6 address collisions on Tor policies
* fix: do not set triggers on boot when service is disabled in config
* fix: more robust forward stop/enable
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit ba216150c0)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

Update the openvpn package to the latest version in
the 2.6.x branch while development of the 2.7.x branch
becomes stable enough to merge.
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
(cherry picked from commit e0ab7d0dfa)
Signed-off-by: Sander van Deijck <sander@vandeijck.com>

* add support for OpenVPN netifd detection (thanks @egc112)
* add support for disable LAN->WAN forwarding when `strict_enforcement` is
set on start and restart (thanks @egc112)
* fix: always create marking chains for interfaces
* fix: insert DSCP/ICMP-related nft rules after marking chains
* fix: shellcheck-related improvements
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit e799f47439)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* bugfix: always print errors/warnings on non-quiet start
* bugfix: return proper enabled status in RPCD
* bugfix: return stopped status in RPCD when procd data is empty
* bugfix: correctly process verbosity=0
* delete LICENSE file and only keep it upstream
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 0058dd1233)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* bugfix: support TMP and final block-list destination on different
partitions
* update pause-related code/defaults/validation
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 5ad634eac9)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* add explicit LICENSE file to the repository
* pretty up Makefile
* minor shell script styling improvements
* better parsing if individual dnsmasq instances are used in config
* functional test
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit eea712197e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* bugfix: don't mask RFC1918 in the support output
* bugfix: proper processing of downed interfaces
Thanks to everyone who reported/tested and @egc112 for collecting feedback.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit abff4ba825)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* switch from nslookup to resolveip and add dependency
* fix/use new OutputFormatFilter names for all resolvers
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit eacb797256)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

* add an option dnsmasq_validity_check to enable removal of invalid
domains from the final dnsmasq files
* renamed option sanity_check to dnsmasq_sanity_check
* better names for Format Filters and Parse Filters variables
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit e714c02b3e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

Fixes security issues:
- CVE-2025-13878: Malformed BRID and HHIT records could trigger an
assertion failure.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 11aee85513)