pbr: update to 1.1.6-20

This version is the final version supporting iptables and:

* it separates the old iptables/nft-capable init script from the new nft-only init script
* the new nft-script is a significant rewrite of the old recursive calls/policy parsing
  and tries to create inline nft sets which offers performance improvements

Signed-off-by: Stan Grishin <stangri@melmac.ca>

net/pbr/Makefile

@@ -1,11 +1,11 @@
-# Copyright 2017-2023 MOSSDeF, Stan Grishin (stangri@melmac.ca)
-# This is free software, licensed under the GNU General Public License v3.
+# Copyright 2017-2024 MOSSDeF, Stan Grishin (stangri@melmac.ca).
+# This is free software, licensed under AGPL-3.0-or-later.
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pbr
-PKG_VERSION:=1.1.4
-PKG_RELEASE:=16
+PKG_VERSION:=1.1.6
+PKG_RELEASE:=20
 PKG_LICENSE:=AGPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 
@@ -16,12 +16,11 @@ define Package/pbr/default
   CATEGORY:=Network
   SUBMENU:=Routing and Redirection
   TITLE:=Policy Based Routing Service
-  URL:=https://docs.openwrt.melmac.net/pbr/
+  URL:=https://github.com/stangri/pbr/
   DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
 	DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk
 	DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep
 	DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed
-  CONFLICTS:=vpnbypass vpn-policy-routing
   PROVIDES:=pbr
   PKGARCH:=all
 endef
@@ -32,7 +31,6 @@ $(call Package/pbr/default)
   DEPENDS+=+kmod-nft-core +kmod-nft-nat +nftables-json
   VARIANT:=nftables
   DEFAULT_VARIANT:=1
-  PROVIDES+=vpnbypass vpn-policy-routing
 endef
 
 define Package/pbr-iptables
@@ -44,7 +42,7 @@ endef
 
 define Package/pbr-netifd
 $(call Package/pbr/default)
-  TITLE+= with netifd support
+  TITLE+= with nft/nft set and netifd support
   VARIANT:=netifd
 endef
 
@@ -54,18 +52,18 @@ endef
 
 define Package/pbr/description
   $(call Package/pbr/default/description)
-  This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
+  This version supports OpenWrt (23.05 and newer) with firewall4/nft.
 endef
 
 define Package/pbr-iptables/description
   $(call Package/pbr/default/description)
-  This version supports OpenWrt with firewall3/ipset/iptables.
+  This version supports OpenWrt (22.03 and older) with firewall3/ipset/iptables.
 endef
 
 define Package/pbr-netifd/description
   $(call Package/pbr/default/description)
-  This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
-  This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
+  This version supports OpenWrt with (23.05 and newer) firewall4/nft.
+  This version uses OpenWrt native netifd/tables to set up interfaces. This is a WIP.
 endef
 
 define Package/pbr/default/conffiles
@@ -83,26 +81,24 @@ define Build/Compile
 endef
 
 define Package/pbr/default/install
-	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
-	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN)  ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
 	$(INSTALL_DATA) ./files/usr/share/pbr/.keep $(1)/usr/share/pbr/.keep
-	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
-	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.wg_server_and_client $(1)/usr/share/pbr/pbr.user.wg_server_and_client
 endef
-#	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
-#	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
 
 define Package/pbr/install
 $(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
+	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
 	$(INSTALL_DATA) ./files/usr/share/pbr/firewall.include $(1)/usr/share/pbr/firewall.include
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
 	$(INSTALL_DIR) $(1)/usr/share/nftables.d
 	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
@@ -111,16 +107,24 @@ endef
 
 define Package/pbr-iptables/install
 $(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/pbr-iptables $(1)/etc/init.d/pbr
+	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
 	$(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr
 	$(INSTALL_DIR) $(1)/etc/config
-	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
+	$(INSTALL_CONF) ./files/etc/config/pbr-iptables $(1)/etc/config/pbr
+	$(INSTALL_DIR) $(1)/usr/share/pbr
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws-iptables $(1)/usr/share/pbr/pbr.user.aws
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix-iptables $(1)/usr/share/pbr/pbr.user.netflix
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN)  ./files/etc/uci-defaults/91-pbr-iptables $(1)/etc/uci-defaults/91-pbr-iptables
 endef
 
 define Package/pbr-netifd/install
 $(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults

net/pbr/README.md

@@ -0,0 +1,4 @@
+# README
+
+Documentation for this project is available at [https://docs.openwrt.melmac.net/pbr/](https://docs.openwrt.melmac.net/pbr/).
+

net/pbr/files/etc/config/pbr

@@ -6,14 +6,14 @@ config pbr 'config'
 	list resolver_instance '*'
 	option ipv6_enabled '0'
 	list ignored_interface 'vpnserver'
-	option nft_file_support '0'
 	option boot_timeout '30'
 	option rule_create_option 'add'
 	option procd_boot_delay '0'
 	option procd_reload_delay '1'
 	option webui_show_ignore_target '0'
+	option nft_rule_counter '0'
 	option nft_set_auto_merge '1'
-	option nft_set_counter '1'
+	option nft_set_counter '0'
 	option nft_set_flags_interval '1'
 	option nft_set_flags_timeout '0'
 	option nft_set_gc_interval ''
@@ -37,6 +37,12 @@ config include
 	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
 	option enabled '0'
 
+config dns_policy
+	option name 'Redirect Local IP DNS'
+	option src_addr '192.168.1.5'
+	option dest_dns '1.1.1.1'
+	option enabled '0'
+
 config policy
 	option name 'Ignore Local Requests'
 	option interface 'ignore'

net/pbr/files/etc/config/pbr-iptables

@@ -0,0 +1,50 @@
+config pbr 'config'
+	option enabled '0'
+	option verbosity '2'
+	option strict_enforcement '1'
+	option resolver_set 'dnsmasq.ipset'
+	list resolver_instance '*'
+	option ipv6_enabled '0'
+	list ignored_interface 'vpnserver'
+	option boot_timeout '30'
+	option rule_create_option 'add'
+	option procd_boot_delay '0'
+	option procd_reload_delay '1'
+	option webui_show_ignore_target '0'
+	list webui_supported_protocol 'all'
+	list webui_supported_protocol 'tcp'
+	list webui_supported_protocol 'udp'
+	list webui_supported_protocol 'tcp udp'
+	list webui_supported_protocol 'icmp'
+
+config include
+	option path '/usr/share/pbr/pbr.user.aws'
+	option enabled 0
+
+config include
+	option path '/usr/share/pbr/pbr.user.netflix'
+	option enabled 0
+
+config include
+	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
+	option enabled 0
+
+config policy
+	option name 'Plex/Emby Local Server'
+	option interface 'wan'
+	option src_port '8096 8920 32400'
+	option enabled '0'
+
+config policy
+	option name 'Plex/Emby Remote Servers'
+	option interface 'wan'
+	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
+	option enabled '0'
+
+config policy
+	option name 'WireGuard Server'
+	option interface 'wan'
+	option src_port '51820'
+	option chain 'OUTPUT'
+	option proto 'udp'
+	option enabled '0'

net/pbr/files/etc/uci-defaults/91-pbr-nft

@@ -14,12 +14,6 @@ if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.nftset' ]; then
 	if check_dnsmasq_nftset; then
 		output "Setting resolver_set to 'dnsmasq.nftset'... "
 		uci_set pbr config resolver_set 'dnsmasq.nftset' && output_okn || output_failn
-	elif check_agh_ipset; then
-		output "Setting resolver_set to 'adguardhome.ipset'... "
-		uci_set pbr config resolver_set 'adguardhome.ipset' && output_okn || output_failn
-	elif check_dnsmasq_ipset; then
-		output "Setting resolver_set to 'dnsmasq.ipset'... "
-		uci_set pbr config resolver_set 'dnsmasq.ipset' && output_okn || output_failn
 	else
 		output "Setting resolver_set to 'none'... "
 		uci_set pbr config resolver_set 'none' && output_okn || output_failn

net/pbr/files/usr/share/nftables.d/chain-post/dstnat_lan/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_dstnat_lan comment "Jump into pbr dstnat_lan chain";

net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft

@@ -1,3 +1,4 @@
+chain pbr_dstnat_lan {}
 chain pbr_forward {}
 chain pbr_input {}
 chain pbr_output {}

net/pbr/files/usr/share/pbr/pbr.user.aws

@@ -4,8 +4,6 @@
 TARGET_INTERFACE='wan'
 TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
 TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
-TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
-TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
 TARGET_TABLE='inet fw4'
 TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
 TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4"
@@ -16,31 +14,21 @@ _ret=0
 if [ ! -s "$TARGET_DL_FILE_4" ]; then
 	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4"
 fi
+
 if [ -s "$TARGET_DL_FILE_4" ]; then
-	if [ -n "$nft" ] && [ -x "$nft" ]; then
-		while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"
-	elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then
-		if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
-			_ret=0
-		else
-			_ret=1
-		fi
-	fi
+	params=
+	while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_4"
+	[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
 fi
 
 if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
 	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6"
 fi
+
 if [ -s "$TARGET_DL_FILE_6" ]; then
-	if [ -n "$nft" ] && [ -x "$nft" ]; then
-		while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6"
-	elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then
-		if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
-			_ret=0
-		else
-			_ret=1
-		fi
-	fi
+	params=
+	while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_6"
+	[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
 fi
 
 return $_ret

net/pbr/files/usr/share/pbr/pbr.user.aws-iptables

@@ -0,0 +1,46 @@
+#!/bin/sh
+# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
+
+TARGET_INTERFACE='wan'
+TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
+TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
+TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
+TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
+TARGET_TABLE='inet fw4'
+TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
+TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4"
+# Uncomment the following line if you enabled ipv6 for pbr and want IPv6 entries added to the IPv6 set
+# TARGET_DL_FILE_6="/var/pbr_tmp_aws_ip_ranges.ipv6"
+_ret=0
+
+if [ ! -s "$TARGET_DL_FILE_4" ]; then
+	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4"
+fi
+if [ -s "$TARGET_DL_FILE_4" ]; then
+	if [ -n "$nft" ] && [ -x "$nft" ]; then
+		while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"
+	elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then
+		if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
+			_ret=0
+		else
+			_ret=1
+		fi
+	fi
+fi
+
+if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
+	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6"
+fi
+if [ -s "$TARGET_DL_FILE_6" ]; then
+	if [ -n "$nft" ] && [ -x "$nft" ]; then
+		while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6"
+	elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then
+		if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
+			_ret=0
+		else
+			_ret=1
+		fi
+	fi
+fi
+
+return $_ret

net/pbr/files/usr/share/pbr/pbr.user.netflix

@@ -6,8 +6,6 @@
 TARGET_INTERFACE='wan'
 TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
 TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
-TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
-TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
 TARGET_TABLE='inet fw4'
 TARGET_ASN='2906'
 TARGET_DL_FILE_4="/var/pbr_tmp_AS${TARGET_ASN}.ipv4"
@@ -34,16 +32,11 @@ if [ ! -s "$TARGET_DL_FILE_4" ]; then
 		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE_4"
 	fi
 fi
+
 if [ -s "$TARGET_DL_FILE_4" ]; then
-	if [ -n "$nft" ] && [ -x "$nft" ]; then
-		while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"
-	elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then
-		if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
-			_ret=0
-		else
-			_ret=1
-		fi
-	fi
+	params=
+	while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_4"
+	[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
 fi
 
 if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
@@ -53,15 +46,9 @@ if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
 	fi
 fi
 if [ -s "$TARGET_DL_FILE_6" ]; then
-	if [ -n "$nft" ] && [ -x "$nft" ]; then
-		while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6"
-	elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then
-		if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
-			_ret=0
-		else
-			_ret=1
-		fi
-	fi
+	params=
+	while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_6"
+	[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
 fi
 
 return $_ret

net/pbr/files/usr/share/pbr/pbr.user.netflix-iptables

@@ -0,0 +1,67 @@
+#!/bin/sh
+# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
+# Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
+# Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
+
+TARGET_INTERFACE='wan'
+TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
+TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
+TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
+TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
+TARGET_TABLE='inet fw4'
+TARGET_ASN='2906'
+TARGET_DL_FILE_4="/var/pbr_tmp_AS${TARGET_ASN}.ipv4"
+# Uncomment the following line if you enabled ipv6 for pbr and want IPv6 entries added to the IPv6 set
+# TARGET_DL_FILE_6="/var/pbr_tmp_AS${TARGET_ASN}.ipv6"
+DB_SOURCE='ipinfo.io'
+#DB_SOURCE='api.hackertarget.com'
+#DB_SOURCE='api.bgpview.io'
+REGEX_IPV4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,\}'
+REGEX_IPV6='.*::.*'
+_ret=0
+
+if [ ! -s "$TARGET_DL_FILE_4" ]; then
+	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
+		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed -n "s|\(.*\)/AS${TARGET_ASN}/\($REGEX_IPV4\)\"|\2|p" > "$TARGET_DL_FILE_4"
+	fi
+	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
+		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_DL_FILE_4"
+	fi
+	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
+		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE_4"
+	fi
+fi
+if [ -s "$TARGET_DL_FILE_4" ]; then
+	if [ -n "$nft" ] && [ -x "$nft" ]; then
+		while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"
+	elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then
+		if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
+			_ret=0
+		else
+			_ret=1
+		fi
+	fi
+fi
+
+if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
+	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
+		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed -n "s|\(.*\)/AS${TARGET_ASN}/\($REGEX_IPV6\)\"|\2|p" > "$TARGET_DL_FILE_6"
+	fi
+fi
+if [ -s "$TARGET_DL_FILE_6" ]; then
+	if [ -n "$nft" ] && [ -x "$nft" ]; then
+		while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6"
+	elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then
+		if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
+			_ret=0
+		else
+			_ret=1
+		fi
+	fi
+fi
+
+return $_ret

net/pbr/files/usr/share/pbr/pbr.user.wg_server_and_client

@@ -6,10 +6,11 @@ WAN_INTERFACE='wan'
 _ret='1'
 
 insert_ip_rule() {
-	local proto listen_port
+	local disabled proto listen_port
+	config_get disabled "$1" disabled "0"
 	config_get proto "$1" proto
 	config_get listen_port "$1" listen_port
-	if [ "$proto" = 'wireguard' ] && [ -n "$listen_port" ]; then
+	if [ "$disabled" -ne '1' ] && [ "$proto" = 'wireguard' ] && [ -n "$listen_port" ]; then
 		ip rule del sport "$listen_port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1
 		ip rule add sport "$listen_port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1 && _ret=0
 	fi