<feed xmlns='http://www.w3.org/2005/Atom'>
<title>packages/net/pbr, branch master</title>
<subtitle>Mirror of packages feed</subtitle>
<id>https://git-03.infra.openwrt.org/feed/packages/atom?h=master</id>
<link rel='self' href='https://git-03.infra.openwrt.org/feed/packages/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/'/>
<updated>2026-03-17T18:58:22Z</updated>
<entry>
<title>pbr: update to 1.2.2-r12</title>
<updated>2026-03-17T18:58:22Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2026-03-09T23:58:08Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=a2f69280895b43f6328fb3481a0066dd77e96c28'/>
<id>urn:sha1:a2f69280895b43f6328fb3481a0066dd77e96c28</id>
<content type='text'>
* fix: detect/support point-to-point interfaces in dynamic routing mode
* fix: avoid IPv4/IPv6 address collisions on Tor policies
* fix: do not set triggers on boot when service is disabled in config
* fix: more robust forward stop/enable

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.2-r10</title>
<updated>2026-03-08T17:29:54Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2026-03-08T01:13:52Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=12530d57e14cfbd674fcf892203d3bef9671558b'/>
<id>urn:sha1:12530d57e14cfbd674fcf892203d3bef9671558b</id>
<content type='text'>
* add support for OpenVPN netifd detection (thanks @egc112)
* add support for disabling LAN-&gt;WAN forwarding when `strict_enforcement` is
  set on start and restart (thanks @egc112)
* fix: always create marking chains for interfaces
* fix: insert DSCP/ICMP-related nft rules after marking chains
* fix: shellcheck-related improvements

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.2-r8</title>
<updated>2026-03-04T01:41:55Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2026-03-02T20:29:26Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=38313ec4b42f99ab73ee9eba3d10c6a1a6671de7'/>
<id>urn:sha1:38313ec4b42f99ab73ee9eba3d10c6a1a6671de7</id>
<content type='text'>
* bugfix: don't mask RFC1918 in the support output
* bugfix: proper processing of downed interfaces

Thanks to everyone who reported/tested and @egc112 for collecting feedback.

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.2-r6</title>
<updated>2026-02-27T01:01:02Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2026-02-25T02:31:00Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=dde3a694f0a15ac00b07bb9982c1558acbf65437'/>
<id>urn:sha1:dde3a694f0a15ac00b07bb9982c1558acbf65437</id>
<content type='text'>
Update pbr from 1.2.1-r87 to 1.2.2-r6. This release
adds mwan4 (Multi-WAN) integration, a diagnostic
`support` command, IPv6 lease-to-nftset handling,
improved split-uplink detection, stricter UCI
validation, shell variable quoting fixes across 30+
locations, and a comprehensive 126-case test suite
with a full mock OpenWrt sysroot.

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;

---

- **31 files changed**, +1,745 / -227 lines
  (net +1,518)
- **1 commit**: `61c8923` —
  `pbr: update to 1.2.2-r6`

---

- Version bumped from `1.2.1-r87` to `1.2.2-r6`
- URL updated from `github.com/stangri/pbr/` to
  `github.com/mossdef-org/pbr/`
- No dependency changes

---

Three options changed from scalar to list type:

| Option              | Old Type | New Type |
|---------------------|----------|----------|
| `ignored_interface` | `option` | `list`   |
| `lan_device`        | `option` | `list`   |
| `resolver_instance` | `option` | `list`   |

Options reordered: scalars first, then lists,
matching UCI convention. No values changed.

---

The init script (`/etc/init.d/pbr`) received
significant additions and fixes across ~660 lines
(+443/-218).

Bumped from `24` to `25`.

**mwan4 (Multi-WAN) Integration (8 new functions):**
- `mwan4_is_installed()` — Detect mwan4 package
- `mwan4_is_running()` — Check service status
- `mwan4_get_iface_list()` — Get enabled interfaces
- `mwan4_get_strategy_list()` — Get strategies
- `mwan4_get_iface_mark_chain()` — Get nft mark
  chain for interface
- `mwan4_get_iface_nft_sets()` — Get nftset names
- `mwan4_get_strategy_chain()` — Get strategy chain
- `mwan4_get_mmx_mask()` — Get Multi-WAN mark mask

Enables PBR to coordinate with mwan4 for combined
policy routing and multi-WAN failover.

**Diagnostic `support` Command:**
- New `support()` function generates masked
  diagnostic output for troubleshooting
- `print_config_masked()` redacts sensitive data
  (passwords, keys, tokens, PSKs, endpoints)
  while preserving IP addresses and structure

**IPv6 Lease Handling:**
- New `ipv6_leases_to_nftset()` parses DHCPv6
  leases from `/tmp/hosts/odhcpd`
- Complements existing `ipv4_leases_to_nftset()`

**Split Uplink Detection (3 new functions):**
- `is_uplink4()` — Check IPv4 uplink interface
- `is_uplink6()` — Check IPv6 uplink interface
- `is_uplink()` — Unified check (v4 or v6)
- New `ipv6_default_lookup` variable for split
  IPv4/IPv6 uplink routing table assignment

**ubus Integration:**
- New `ubus_get_interface()` queries PBR gateway
  data via ubus

**Shell Variable Quoting (30+ locations):**
Systematic conversion of bare variable references
to brace-quoted syntax throughout the script:
- `$2` to `${2}` in string replacements
- `$_ret` to `${_ret}` in conditional expansions
- `$_mark` to `${_mark}` in nft rule generation
- `$nftset6` to `${nftset6}` in dnsmasq rules
- `$nft_set_timeout` to `${nft_set_timeout}`
- `$xrayIfacePrefix` to `${xrayIfacePrefix}`
- And many more across rule generation, output
  strings, and conditional expressions

**Specific Fixes:**
- `pbr_get_gateway6()`: Changed `is_wan` to
  `is_uplink4` for correct IPv4 uplink detection
- `is_netifd_interface()`: Now checks both
  `ip4table` and `ip6table` (was IPv4 only)
- `load_environment()`: Fixed inverted flag check
  (`-z` changed to `-n` for `loadEnvironmentFlag`)
- Dnsmasq instance detection: Fixed UCI section
  lookup with proper variable handling
- Help text URL: `#WarningMessagesDetails` changed
  to `#warning-messages-details` (kebab-case)

- `uplink_ip_rules_priority`: Changed from
  `uinteger` to `range(99,32765)` to enforce
  valid Linux routing policy DB bounds

Three options now use `config_get_list` instead of
`config_get` to support multiple values:
- `ignored_interface`
- `lan_device`
- `resolver_instance`

**Rule Cleanup Refactored:**
- Replaced complex awk-based rule parsing with
  priority-range approach
- Calculates `prio_min = priority - max_ifaces`
  and `prio_max = priority`, iterates and deletes
  rules within range
- Skips netifd-managed fwmark rules
- Added legacy rule cleanup for
  `suppress_prefixlength` entries

**Firewall Sync:**
- Added `fw4 -q reload` after successful nft file
  installation to ensure fw4 state synchronizes
  with PBR's nftables changes

**Resolver Instance Handling:**
- Added robustness checks in
  `_dnsmasq_instance_config()`: file existence
  check and instance validity check
- Better section name resolution with UCI query
- Added missing `setup` parameter in resolver
  instance setup calls

- `uci_get_device()` — Replaced with inline call
- `uci_get_protocol()` — Replaced with inline call

---

In `70-pbr`, fixed shell variable quoting:
```sh
${DEVICE:+ ($DEVICE)}
${DEVICE:+ (${DEVICE})}
```

---

In `pbr.user.netflix`, fixed two instances of
bare variable expansion in parameter substitution:
```sh
params="${params:+$params, }${p}"
params="${params:+${params}, }${p}"
```

---

A full test suite is added in `net/pbr/tests/`
(21 new files, ~1,300 lines) using the shunit2
framework with a complete mock OpenWrt sysroot.

**Runner (`run_tests.sh`):**
- Discovers test files via glob pattern
- Supports pattern-based filtering via CLI arg
- Executes each test in isolated bash subprocess
- Captures output, reports pass/fail with color
- Accumulates stats and lists failures at end
- Requires `shunit2` package

**Setup (`lib/setup.sh`):**
- Creates temporary mock sysroot (`$MOCK_ROOT`)
- Sets `IPKG_INSTROOT` for OpenWrt path resolution
- Installs mock libraries, configs, and binaries
- Stubs `rc.common`, procd, logger, resolveip,
  jsonfilter, pidof, sync
- Sources pbr init script with `readonly` keyword
  stripped (allows test overrides)
- Redirects all file paths to temp directories

**UCI Config API (`lib/mocks/functions.sh`):**
- Full `config_load` parser for UCI syntax
- `config_get`, `config_get_bool`,
  `config_get_list`, `config_foreach`,
  `config_list_foreach`
- `uci_set`, `uci_get`, `uci_add_list`,
  `uci_remove`, `uci_remove_list`, `uci_commit`
- Stores state in associative arrays

**Network API (`lib/mocks/network.sh`):**
- `network_get_device`, `network_get_physdev`,
  `network_get_gateway`, `network_get_gateway6`,
  `network_get_protocol`, `network_get_ipaddr`,
  `network_get_ip6addr`, `network_get_dnsserver`,
  `network_flush_cache`
- Backed by `MOCK_NET_*` variables that tests
  override to simulate different network states
- Pre-configured: wan (eth0/dhcp/192.168.1.1),
  wan6 (eth0/dhcpv6/fd00::1), wg0 (wireguard),
  lan (br-lan/static), loopback (lo/static)

**JSON Shell (`lib/mocks/jshn.sh`):**
- Minimal JSON-in-shell implementation
- `json_init`, `json_add_string/boolean/int`,
  `json_add_object/array`, `json_close_*`,
  `json_select`, `json_get_var`, `json_get_keys`,
  `json_dump`, `json_load`
- Associative array backend with path tracking

**Mock Binaries:**
- `nft` — Returns fw4 table structure with
  standard chains (input, forward, output,
  dstnat, mangle_*); passes syntax checks
- `dnsmasq` — Reports version with nftset support
- `readlink` — Returns `/usr/libexec/ip-full`
  for `*/sbin/ip` (simulates ip-full installed)

**Mock UCI Configs:**
- `pbr` — Full config: enabled, policies
  (vpn_all, vpn_gaming, disabled_policy),
  dns_policy, nft settings, interface lists
- `network` — Interfaces: loopback, lan, wan,
  wan6, wg0 (wireguard)
- `firewall` — Zones: lan (accept all),
  wan (reject input/forward)
- `dhcp` — DHCP server stub
- `system` — Hostname and timezone

**01_validation — Input Validation (67 cases):**

`01_ipv4_validation` (13 cases):
- Valid IPs: 192.168.1.1, 10.0.0.1, 172.16.0.1
- Valid CIDR: /8, /24, /32, /0
- Invalid: octets &gt;255, wrong octet count,
  CIDR &gt;32, IPv6 addresses, domain names

`02_ipv6_validation` (21 cases):
- Valid: ::1, fe80::1, 2001:db8::1, fd00::1,
  full addresses, ::/0
- Invalid: IPv4 addrs, plain strings, MACs
- Scope detection: global (2001:db8::/32),
  link-local (fe80::/10), ULA (fd00::/8)

`03_domain_validation` (8 cases):
- Host: single labels (router, host123)
- Hostname: multi-label (example.com,
  sub.example.com, deep.sub.example.com)
- Domain: FQDN or single-label
- Invalid: IPs, empty strings, MAC notation

`04_misc_validators` (25 cases):
- MAC addresses (colon notation, case variants)
- Integer validation (positive, not negative)
- Negation marker (! prefix detection)
- URL schemes (http, https, ftp, file://)
- Version comparison (is_greater,
  is_greater_or_equal)
- Family mismatch (IPv4/IPv6 mixing detection)

**02_string_utils — String Functions (8 cases):**

`01_str_functions`:
- `str_contains` — Substring search
- `str_contains_word` — Word-boundary search
- `str_to_lower` / `str_to_upper` — Case convert
- `str_first_word` — Token extraction
- `str_replace` — String substitution
- `str_extras_to_underscore` — Normalize delims
- `str_extras_to_space` — Expand delimiters

**03_wan_detection — Interface Detection
  (13 cases):**

`01_wan_types`:
- `is_wan4` — Detects wan/wanX, not wan6/lan/wg0
- `is_wan6` — Detects wan6/mwan6 (IPv6-aware)
- `is_wan6_disabled` — Disabled when ipv6 off
- `is_wan` — Unified v4+v6 detection
- `is_uplink4` / `is_uplink6` — Uplink detection
- `is_tor` — Case-insensitive tor detection
- `is_ignore_target` — Ignore target detection
- `is_list` — Comma/space list vs single value

**04_config — Configuration Loading (13 cases):**

`01_load_config` (7 cases):
- Default values from UCI config
- Hex value parsing (fw_mask, uplink_mark)
- XOR calculation (fw_maskXor = ~fw_mask)
- List parsing (ignored_interface, resolver)
- nft parameters (auto-merge, flags)
- Config-loaded flag tracking

`02_disabled_service` (2 cases):
- Disabled: enabled option becomes unset
- Enabled: enabled option is set

`03_config_ipv6` (4 cases):
- IPv6 enabled: config and uplink interface set
- IPv6 disabled: both unset
- Reload behavior verification

**05_nft — nftables Integration (14 cases):**

`01_nft_file_operations` (8 cases):
- File creation with nft shebang
- Chain creation (dstnat, forward, output,
  prerouting)
- Jump rules and guard rules
- File append, content search, file deletion

`02_nft_check_element` (6 cases):
- fw4 table existence
- Chain existence (input, forward, output,
  dstnat, mangle_*)
- Non-existent chain detection

**06_network — Network Functions (11 cases):**

`01_gateway_discovery` (4 cases):
- IPv4 gateway from mock (192.168.1.1)
- IPv4 gateway fallback (ip addr parsing)
- IPv6 gateway from mock (fd00::1)
- Interface finding for uplinks

`02_supported_interfaces` (7 cases):
- Ignored: loopback in ignored list
- LAN detection vs non-LAN
- Uplink support (wan is supported)
- LAN/loopback not supported
- Wireguard supported (wg0)
- Explicit custom interface support

---

```sh
cd net/pbr/tests &amp;&amp; sh run_tests.sh
```

Requires: `bash`, `shunit2`.
Optional filter: `sh run_tests.sh 01_validation`

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.1-r87</title>
<updated>2026-02-05T21:06:55Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2026-01-30T20:22:03Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=0666df9e6970553353ab7f802b99d158e9653bbc'/>
<id>urn:sha1:0666df9e6970553353ab7f802b99d158e9653bbc</id>
<content type='text'>
Makefile:
* Remove installation of /usr/share/nftables.d/* files as they are no
  longer needed

Init script:
* bugfixes/more mature netifd extensions support
* refactor of the nft_file function and global variables it uses
* the "main" atomic nft file now includes creation of pbr chains and jumps
  from relevant fw4 chains to pbr chains
* more consistent use of "uplink" wording in the output and variable names
* implement resolver 'wait' call and use it before trying to resolve any
  policy entries
* major overhaul of the split uplink case (IPv4-only wan and IPv6-only
  wan6), should now create/use a single pbr_wan table for both legacy and
  IPv6 routing and the same marking chain
* updates to IDs and text of some error messages (needs luci app update)
* major speed improvements for service stop
* unify the cleanup_* functions into a single cleanup function
* reject creating/additions to nft sets for src_address entries as dnsmasq
  doesn't populate sets with local addresses
* minor bugfixes/code cleanups
* refactor processing of WG servers due to split uplink support (thanks
  @egc112!)
* clearer (hopefully) argument names for process_interface calls
* small improvements to status_service

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.1-45</title>
<updated>2026-01-09T02:04:37Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2025-12-29T00:55:22Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=89ef3e28e6ea6a457ad9829ba2d0035e37d48d89'/>
<id>urn:sha1:89ef3e28e6ea6a457ad9829ba2d0035e37d48d89</id>
<content type='text'>
Makefile:
* remove traces of variants and simplify
* more sensible DEPENDS section (thanks @BKPepe)

Init-script:
* introduce prefixlength option to speed up tables operations (thanks @egc112)

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.1-r41</title>
<updated>2025-12-13T01:20:11Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2025-12-11T20:00:03Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=315ef8adf28a0798491d6cb3401c1841cf90cf09'/>
<id>urn:sha1:315ef8adf28a0798491d6cb3401c1841cf90cf09</id>
<content type='text'>
Remove many obsolete files.

Makefile:
* remove netifd-flavour related code
* remove trailing white spaces

Init-script:
* proper deletion of default network rules for IPv{4,6}
* fix netifd function error when IPv6 is enabled
* remove trailing white spaces

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.1-r35</title>
<updated>2025-12-09T01:41:03Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2025-12-08T19:51:30Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=8bf5f683fec7af107808435d9e31a0cd838d4491'/>
<id>urn:sha1:8bf5f683fec7af107808435d9e31a0cd838d4491</id>
<content type='text'>
pbr 1.2.1-r35

Makefile:
* split uci-defaults into different purpose files
* add handling of netifd integration

Config:
* update with default values for all options (thanks @betonmischer86)

Init-script:
* add netifd integration handling
* add ip() function to emulate ip rule replace
* add netbird interfaces support (thanks @egc112)
* reorganize loading/handling of options in load_package_config()
* improve display of interface triggers in service_triggers()
* remove chains cleanup from stop_service() due to exclusive use of fw4 nft files
* improve status_service() output
* drop input and postrouting as valid options for policy chain

Uci-defaults files:
* 91-pbr-nft: cosmetic improvements

Default nft files:
* drop use of input and postrouting chains

Custom User files:
* dns-prefetch: functional improvements (thanks @betonmischer86)

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: update to 1.2.0-r2</title>
<updated>2025-10-10T23:34:52Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2025-10-07T22:31:41Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=de224a5587aabf828769603a9e41070dad2fe2bf'/>
<id>urn:sha1:de224a5587aabf828769603a9e41070dad2fe2bf</id>
<content type='text'>
Makefile:
* stop shipping/dealing with the firewall hotplug (obsolete)
* install a third user-script (dnsprefetch) by @betonmischer

Config:
* remove obsolete options
* include the new user script

Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* rename options to better reflect their function:
  * procd_lan_device to lan_device
  * procd_wan_interface to uplink_interface
  * procd_wan6_interface to uplink_interface6
  * procd_wan6_metric to uplink_interface6_metric
  * wan_ip_rules_priority to uplink_ip_rules_priority
  * wan_mark to uplink_mark
* visually separate run-time variables from variables loaded from config options
* use ${IPKG_INSTROOT} when sourcing files
* fix typo in str_to_dnsmasq_nftset()
* use pidof to kill dnsmasq in dnsmasq_kill()
* add helper function uci_add_list_if_new()
* add helper function uci_changes()
* add helper function ubus() so that service delete does not produce "Command not found"
* implement the dnsmasq features check similar to dnsmasq init script
* add get_url() function similar to luci package
* add/modify error and warning messages
* change how mktemp is used for more reliable file creation
* unset non-true boolean package config options on load for easier checks later
* improve handling of nft/nft set options
* fewer calls to resolver() and resolver() optimization to speed up the service
* use softlinks instead of duplicating dnsmasq nftset files into each instance
* prevent duplication of dnsmasq nftset elements
* option to target a specific dest dns port in DNS policies
* bugfix: more reliable interface reloads
* display README links to errors/warnings sections if any errors/warnings discovered

Uci-defaults:
* transition from old options to new ones

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
<entry>
<title>pbr: 1.1.8-36 bugfixes</title>
<updated>2025-08-19T17:05:18Z</updated>
<author>
<name>Stan Grishin</name>
</author>
<published>2025-08-18T16:34:28Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=0a512e8f0eeb474d8b7f93a5eb73792ce7f4247a'/>
<id>urn:sha1:0a512e8f0eeb474d8b7f93a5eb73792ce7f4247a</id>
<content type='text'>
- drop load_environment_flag and always load environment on start, making
  restart command great again
- store/restore existing jshn namespace when using json()
- remove unneeded sleepCount in is_wan_up()
- move updated README inside files/

Signed-off-by: Stan Grishin &lt;stangri@melmac.ca&gt;
</content>
</entry>
</feed>
