[bot] AutoMerging: merge all upstream's changes:

* https://github.com/coolsnowwolf/lede:
  kernel: bump to 5.4.227, 5.10.159, 5.15.83 (coolsnowwolf#10619)
  dnsmasq: drop mini_ttl option
  dnsmasq: add support for filter-AAAA/A
  dnsmasq: add logfacility file to jail mounts
  firewall: set default fullcone to high performance mode
  generic: fix linux 6.1 flowoffload support
  kernel: kmod-ipt-ulog: Remove package
  rockchip: fix opc-h68k tf boot fail on some cards
  dnsmasq: bump to v2.8.7
  silicon: fix kernel target

Author: github-actions[bot]

include/kernel-5.10

@@ -1,2 +1,2 @@
-LINUX_VERSION-5.10 = .158
-LINUX_KERNEL_HASH-5.10.158 = 1e0a24bb5510caa18b3601b25e12cc2a1ce123948de551f4f2cdbb40aea707e7
+LINUX_VERSION-5.10 = .159
+LINUX_KERNEL_HASH-5.10.159 = 1ba9bf57b6bf36d76447d5044b80b746cb5fd61d981c811603dc763b7789cea7

include/kernel-5.15

@@ -1,2 +1,2 @@
-LINUX_VERSION-5.15 = .82
-LINUX_KERNEL_HASH-5.15.82 = fceef6bb79bac494663ccde34453521fc616cd94272fd30564752b3742381b65
+LINUX_VERSION-5.15 = .83
+LINUX_KERNEL_HASH-5.15.83 = 40590843c04c85789105157f69efbd71a4efe87ae2568e40d1b7258c3f747ff3

include/kernel-5.4

@@ -1,2 +1,2 @@
-LINUX_VERSION-5.4 = .226
-LINUX_KERNEL_HASH-5.4.226 = 0c1f552a1d2f63b3ecd4d33189f0003bc91fb8ff79967a7e295d015c280c9a44
+LINUX_VERSION-5.4 = .227
+LINUX_KERNEL_HASH-5.4.227 = 5eefc5037415f31c942d3cfa430b96c2a273246cf7e51db1e51b1d89887f0593

include/kernel-6.1

@@ -1,2 +1,2 @@
-LINUX_VERSION-6.1 =
+LINUX_VERSION-6.1 = 
 LINUX_KERNEL_HASH-6.1 = 2ca1f17051a430f6fed1196e4952717507171acfd97d96577212502703b25deb

include/netfilter.mk

@@ -230,11 +230,6 @@ $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_IRC, $(P_XT)nf_connt
 $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_IRC, $(P_XT)nf_nat_irc))
 
 
-# ulog
-
-$(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
-
-
 # nflog
 
 $(eval $(call nf_add,IPT_NFLOG,CONFIG_NETFILTER_XT_TARGET_NFLOG, $(P_XT)xt_NFLOG))
@@ -321,7 +316,6 @@ $(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat))
 
 # watchers
 $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log))
-$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog))
 $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog))
 $(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFQUEUE, $(P_EBT)ebt_nfqueue))
 
@@ -393,7 +387,6 @@ IPT_BUILTIN += $(IPT_NAT6-y)
 IPT_BUILTIN += $(IPT_NAT_EXTRA-y)
 IPT_BUILTIN += $(NF_NATHELPER-y)
 IPT_BUILTIN += $(NF_NATHELPER_EXTRA-y)
-IPT_BUILTIN += $(IPT_ULOG-y)
 IPT_BUILTIN += $(IPT_TPROXY-y)
 IPT_BUILTIN += $(NFNETLINK-y)
 IPT_BUILTIN += $(NFNETLINK_LOG-y)

package/kernel/linux/modules/netfilter.mk

@@ -604,23 +604,6 @@ endef
 $(eval $(call KernelPackage,nf-nathelper-extra))
 
 
-define KernelPackage/ipt-ulog
-  TITLE:=Module for user-space packet logging
-  KCONFIG:=$(KCONFIG_IPT_ULOG)
-  FILES:=$(foreach mod,$(IPT_ULOG-m),$(LINUX_DIR)/net/$(mod).ko)
-  AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_ULOG-m)))
-  $(call AddDepends/ipt)
-endef
-
-define KernelPackage/ipt-ulog/description
- Netfilter (IPv4) module for user-space packet logging
- Includes:
- - ULOG
-endef
-
-$(eval $(call KernelPackage,ipt-ulog))
-
-
 define KernelPackage/ipt-nflog
   TITLE:=Module for user-space packet logging
   KCONFIG:=$(KCONFIG_IPT_NFLOG)

package/kernel/linux/modules/usb.mk

@@ -1154,7 +1154,6 @@ endef
 
 $(eval $(call KernelPackage,usb-net-asix))
 
-
 define KernelPackage/usb-net-asix-ax88179
   TITLE:=Kernel module for USB-to-Gigabit-Ethernet Asix convertors
   DEPENDS:=+kmod-libphy

package/network/config/firewall/Makefile

@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git

package/network/config/firewall/files/firewall.config

@@ -3,7 +3,7 @@ config defaults
 	option input		ACCEPT
 	option output		ACCEPT
 	option forward		REJECT
-	option fullcone	0
+	option fullcone	2
 # Uncomment this line to disable ipv6 rules
 #	option disable_ipv6	1
 

package/network/services/dnsmasq/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2016 OpenWrt.org
+# Copyright (C) 2006-2022 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_UPSTREAM_VERSION:=2.86
+PKG_UPSTREAM_VERSION:=2.87
 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
-PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq
-PKG_HASH:=28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08
+PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/
+PKG_HASH:=0228c0364a7f2356fd7e7f1549937cbf3099a78d3b2eb1ba5bb0c31e2b89de7a
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -30,6 +30,7 @@ PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
@@ -61,10 +62,11 @@ endef
 
 define Package/dnsmasq-full
 $(call Package/dnsmasq/Default)
-  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default)
+  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default)
   DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \
 	+PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
-	+PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
+	+PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack \
+	+PACKAGE_dnsmasq_full_nftset:nftables-json
   VARIANT:=full
   PROVIDES:=dnsmasq
 endef
@@ -83,7 +85,7 @@ define Package/dnsmasq-full/description
 $(call Package/dnsmasq/description)
 
 This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS
-and IPset, Conntrack support & NO_ID enabled by default.
+and nftset, Conntrack support & NO_ID enabled by default.
 endef
 
 define Package/dnsmasq/conffiles
@@ -100,7 +102,7 @@ define Package/dnsmasq-full/config
 	config PACKAGE_dnsmasq_full_dhcpv6
 		bool "Build with DHCPv6 support."
 		depends on IPV6 && PACKAGE_dnsmasq_full_dhcp
-		default n
+		default y
 	config PACKAGE_dnsmasq_full_dnssec
 		bool "Build with DNSSEC support."
 		default n
@@ -110,6 +112,9 @@ define Package/dnsmasq-full/config
 	config PACKAGE_dnsmasq_full_ipset
 		bool "Build with IPset support."
 		default y
+	config PACKAGE_dnsmasq_full_nftset
+		bool "Build with Nftset support."
+		default n
 	config PACKAGE_dnsmasq_full_conntrack
 		bool "Build with Conntrack support."
 		default n
@@ -144,6 +149,7 @@ ifeq ($(BUILD_VARIANT),full)
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset),-DHAVE_NFTSET,) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \
@@ -182,6 +188,7 @@ define Package/dnsmasq/install
 	$(INSTALL_DATA) ./files/dnsmasq_acl.json $(1)/usr/share/acl.d/
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files/50-dnsmasq-migrate-resolv-conf-auto.sh $(1)/etc/uci-defaults
+	$(INSTALL_BIN) ./files/50-dnsmasq-migrate-ipset.sh $(1)/etc/uci-defaults
 endef
 
 Package/dnsmasq-dhcpv6/install = $(Package/dnsmasq/install)

package/network/services/dnsmasq/files/50-dnsmasq-migrate-ipset.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+ipsets=$(uci -q get dhcp.@dnsmasq[0].ipset)
+[ -z "$ipsets" ] && exit 0
+
+for ipset in $ipsets; do
+	names=${ipset##*/}
+	domains=${ipset%/*}
+
+	[ -z "$names" ] || [ -z "$domains" ] && continue
+
+	uci add dhcp ipset
+
+	OLDIFS="$IFS"
+
+	IFS=","
+	for name in $names; do
+		uci add_list dhcp.@ipset[-1].name="$name"
+	done
+
+	IFS="/"
+	for domain in ${domains:1}; do
+		uci add_list dhcp.@ipset[-1].domain="$domain"
+	done
+
+	IFS="$OLDIFS"
+
+	uci del_list dhcp.@dnsmasq[0].ipset="$ipset"
+done
+
+uci commit dhcp
+exit 0

package/network/services/dnsmasq/files/dhcp.conf

@@ -20,11 +20,10 @@ config dnsmasq
 	#list notinterface	lo
 	#list bogusnxdomain     '64.94.110.11'
 	option localservice	1  # disable to allow DNS requests from non-local subnets
-	option filter_aaaa	1
-	option filter_a		0
-	option cachesize	8000
-	option mini_ttl		3600
 	option ednspacket_max	1232
+	option filter_aaaa	0
+	option filter_a		0
+	#list addnmount		/some/path # read-only mount path to expose it to dnsmasq
 
 config dhcp lan
 	option interface	lan