diff --git a/lang/golang/golang-compiler.mk b/lang/golang/golang-compiler.mk index 144f2a4af7..50cc449051 100644 --- a/lang/golang/golang-compiler.mk +++ b/lang/golang/golang-compiler.mk @@ -60,9 +60,10 @@ define GoCompiler/Default/Install/Bin $(call GoCompiler/Default/Install/install-share-data,$(1),$(2),$(3),api) + $(INSTALL_DATA) -p "$(1)/go.env" "$(2)/lib/go-$(3)/" $(INSTALL_DATA) -p "$(1)/VERSION" "$(2)/lib/go-$(3)/" - for file in AUTHORS CONTRIBUTING.md CONTRIBUTORS LICENSE PATENTS README.md SECURITY.md; do \ + for file in CONTRIBUTING.md LICENSE PATENTS README.md SECURITY.md; do \ if [ -f "$(1)/$$$$file" ]; then \ $(INSTALL_DATA) -p "$(1)/$$$$file" "$(2)/share/go-$(3)/" ; \ fi ; \ diff --git a/lang/golang/golang-package.mk b/lang/golang/golang-package.mk index 4f164c4c12..cc00505368 100644 --- a/lang/golang/golang-package.mk +++ b/lang/golang/golang-package.mk @@ -215,7 +215,8 @@ GO_PKG_BUILD_VARS= \ GOPATH="$(GO_PKG_BUILD_DIR)" \ GOCACHE="$(GO_BUILD_CACHE_DIR)" \ GOMODCACHE="$(GO_MOD_CACHE_DIR)" \ - GOENV=off + GOENV=off \ + GOTOOLCHAIN=local GO_PKG_VARS= \ $(GO_PKG_TARGET_VARS) \ diff --git a/lang/golang/golang-values.mk b/lang/golang/golang-values.mk index 469629b7e3..1584d22fc8 100644 --- a/lang/golang/golang-values.mk +++ b/lang/golang/golang-values.mk @@ -29,6 +29,7 @@ unexport \ GOOS \ GOPATH \ GOROOT \ + GOTOOLCHAIN \ GOTMPDIR \ GOWORK # Unmodified: @@ -219,7 +220,7 @@ GO_PIE_SUPPORTED_OS_ARCH:= \ \ aix_ppc64 \ \ - linux_ppc64le linux_riscv64 linux_s390x + linux_loong64 linux_ppc64le linux_riscv64 linux_s390x # From https://go.dev/src/cmd/go/internal/work/init.go go_pie_install_suffix=$(if $(filter $(1),aix_ppc64 windows_386 windows_amd64 windows_arm windows_arm64),,shared) diff --git a/lang/golang/golang/Makefile b/lang/golang/golang/Makefile index 1fd180bdd6..97ae3a8cdf 100644 --- a/lang/golang/golang/Makefile +++ b/lang/golang/golang/Makefile 
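Review bot: The new `GOTOOLCHAIN=local` in GO_PKG_BUILD_VARS carries no comment saying why it is there, and it is exactly the line a later cleanup is likely to drop as redundant. Go 1.21 introduced toolchain selection, and the `go.env` that golang-compiler.mk now installs ships upstream's defaults, which as far as I recall include `GOTOOLCHAIN=auto`, so without this override a module whose go.mod names a newer Go would make the package build try to fetch a toolchain from the network instead of failing against the compiler we built. I would add above the line `# Go 1.21+: never download a toolchain during a package build; use the installed go or fail` and mirror a short note on the `GOTOOLCHAIN` entry added to the unexport list in golang-values.mk so the two stay in step. The GO_PKG_BUILD_VARS definition continues past the hunk.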
@@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk -GO_VERSION_MAJOR_MINOR:=1.20 -GO_VERSION_PATCH:=8 +GO_VERSION_MAJOR_MINOR:=1.21 +GO_VERSION_PATCH:=1 PKG_NAME:=golang PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH)) @@ -21,7 +21,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \ PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz PKG_SOURCE_URL:=$(GO_SOURCE_URLS) -PKG_HASH:=38d71714fa5279f97240451956d8e47e3c1b6a5de7cb84137949d62b5dd3182e +PKG_HASH:=bfa36bf75e9a1e9cbbdb9abcf9d1707e479bd3a07880a8ae3564caee5711cb99 PKG_MAINTAINER:=Jeffery To PKG_LICENSE:=BSD-3-Clause @@ -63,6 +63,7 @@ HOST_GO_VALID_OS_ARCH:= \ \ aix_ppc64 \ js_wasm \ + wasip1_wasm \ \ freebsd_riscv64 \ \ @@ -297,7 +298,7 @@ $(eval $(call GoCompiler/AddProfile,Package,$(PKG_BUILD_DIR),$(PKG_GO_PREFIX),$( PKG_GO_ZBOOTSTRAP_MODS:= \ s/defaultGO386 = `[^`]*`/defaultGO386 = `$(or $(GO_386),sse2)`/; \ s/defaultGOAMD64 = `[^`]*`/defaultGOAMD64 = `$(or $(GO_AMD64),v1)`/; \ - s/defaultGOARM = `[^`]*`/defaultGOARM = `$(or $(GO_ARM),5)`/; \ + s/defaultGOARM = `[^`]*`/defaultGOARM = `$(or $(GO_ARM),7)`/; \ s/defaultGOMIPS = `[^`]*`/defaultGOMIPS = `$(or $(GO_MIPS),hardfloat)`/; \ s/defaultGOMIPS64 = `[^`]*`/defaultGOMIPS64 = `$(or $(GO_MIPS64),hardfloat)`/; \ s/defaultGOPPC64 = `[^`]*`/defaultGOPPC64 = `$(or $(GO_PPC64),power8)`/; diff --git a/lang/golang/golang/patches/001-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-available.patch b/lang/golang/golang/patches/001-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-available.patch deleted file mode 100644 index aecf5309f7..0000000000 --- a/lang/golang/golang/patches/001-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-available.patch +++ /dev/null 
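Review bot: The bootstrap default for GOARM moves from 5 to 7 in the PKG_GO_ZBOOTSTRAP_MODS sed substitution with nothing recording why, and since the value is `$(or $(GO_ARM),7)` it silently decides the instruction set for every target that leaves GO_ARM empty. If this tracks a change in upstream's default for Go 1.21, say so next to the line: `# default GOARM follows upstream Go 1.21; an explicit GO_ARM still wins`. Where GO_ARM is derived is outside this file section, so I cannot confirm from here that all ARMv5/ARMv6 targets set it; that is worth checking before the bump lands. The PKG_GO_ZBOOTSTRAP_MODS definition continues past the hunk.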
@@ -1,48 +0,0 @@ -From 5ccf9f47bf4f5ba53e0ab7338a7fd4626714cfb2 Mon Sep 17 00:00:00 2001 -From: Jeffery To -Date: Tue, 23 Nov 2021 15:05:37 +0800 -Subject: [PATCH] cmd/link: use gold on ARM/ARM64 only if gold is available - -COPY relocation handling on ARM/ARM64 has been fixed in recent versions -of the GNU linker. This switches to gold only if gold is available. - -Fixes #22040. ---- - src/cmd/link/internal/ld/lib.go | 19 +++++++------------ - 1 file changed, 7 insertions(+), 12 deletions(-) - ---- a/src/cmd/link/internal/ld/lib.go -+++ b/src/cmd/link/internal/ld/lib.go -@@ -1548,25 +1548,20 @@ func (ctxt *Link) hostlink() { - } - - if ctxt.Arch.InFamily(sys.ARM, sys.ARM64) && buildcfg.GOOS == "linux" { -- // On ARM, the GNU linker will generate COPY relocations -- // even with -znocopyreloc set. -+ // On ARM, older versions of the GNU linker will generate -+ // COPY relocations even with -znocopyreloc set. - // https://sourceware.org/bugzilla/show_bug.cgi?id=19962 - // -- // On ARM64, the GNU linker will fail instead of -- // generating COPY relocations. -+ // On ARM64, older versions of the GNU linker will fail -+ // instead of generating COPY relocations. - // -- // In both cases, switch to gold. -- altLinker = "gold" -- -- // If gold is not installed, gcc will silently switch -- // back to ld.bfd. So we parse the version information -- // and provide a useful error if gold is missing. -+ // In both cases, switch to gold if gold is available. - name, args := flagExtld[0], flagExtld[1:] - args = append(args, "-fuse-ld=gold", "-Wl,--version") - cmd := exec.Command(name, args...) - if out, err := cmd.CombinedOutput(); err == nil { -- if !bytes.Contains(out, []byte("GNU gold")) { -- log.Fatalf("ARM external linker must be gold (issue #15696), but is not: %s", out) -+ if bytes.Contains(out, []byte("GNU gold")) { -+ altLinker = "gold" - } - } - } diff --git a/lang/python/django/Makefile b/lang/python/django/Makefile index b518cf12db..62c2a1c01f 100644 
--- a/lang/python/django/Makefile +++ b/lang/python/django/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=django -PKG_VERSION:=4.2.3 +PKG_VERSION:=4.2.5 PKG_RELEASE:=1 PYPI_NAME:=Django -PKG_HASH:=45a747e1c5b3d6df1b141b1481e193b033fd1fdbda3ff52677dc81afdaacbaed +PKG_HASH:=5e5c1c9548ffb7796b4a8a4782e9a2e5a3df3615259fc1bfd3ebc73b646146c1 PKG_MAINTAINER:=Alexandru Ardelean , Peter Stadler PKG_LICENSE:=BSD-3-Clause diff --git a/lang/python/python-bidict/Makefile b/lang/python/python-bidict/Makefile index f95eb07e98..1e90deb040 100644 --- a/lang/python/python-bidict/Makefile +++ b/lang/python/python-bidict/Makefile @@ -8,18 +8,16 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-bidict -PKG_VERSION:=0.21.2 -PKG_RELEASE:=2 +PKG_VERSION:=0.22.1 +PKG_RELEASE:=1 PYPI_NAME:=bidict -PKG_HASH:=4fa46f7ff96dc244abfc437383d987404ae861df797e2fd5b190e233c302be09 +PKG_HASH:=1e0f7f74e4860e6d0943a05d4134c63a2fad86f3d4732fb265bd79e4e856d81d PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=MPL-2.0 PKG_LICENSE_FILES:=LICENSE -PKG_BUILD_DEPENDS:=python-setuptools-scm/host - include ../pypi.mk include $(INCLUDE_DIR)/package.mk include ../python3-package.mk @@ -28,8 +26,8 @@ define Package/python3-bidict SUBMENU:=Python SECTION:=lang CATEGORY:=Languages - TITLE:=The bidirectional mapping library - URL:=https://github.com/jab/bidict + TITLE:=Bidirectional mapping library + URL:=https://bidict.readthedocs.io/ DEPENDS:= \ +python3-light endef diff --git a/lang/python/python3-networkx/Makefile b/lang/python/python-networkx/Makefile similarity index 80% rename from lang/python/python3-networkx/Makefile rename to lang/python/python-networkx/Makefile index e4d75305b7..d0ea86c3d6 100644 --- a/lang/python/python3-networkx/Makefile +++ b/lang/python/python-networkx/Makefile 
@@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk -PKG_NAME:=python3-networkx -PKG_VERSION:=2.8.8 +PKG_NAME:=python-networkx +PKG_VERSION:=3.1 PKG_RELEASE:=1 PYPI_NAME:=networkx -PKG_HASH:=230d388117af870fce5647a3c52401fcf753e94720e6ea6b4197a5355648885e +PKG_HASH:=de346335408f84de0eada6ff9fafafff9bcda11f0a0dfaa931133debb146ab61 PKG_LICENSE:=BSD-3-clause PKG_LICENSE_FILES:=LICENSE.txt @@ -25,8 +25,8 @@ define Package/python3-networkx CATEGORY:=Languages SUBMENU:=Python TITLE:=Creating and manipulating graphs and networks - URL:=https://networkx.github.io/ - DEPENDS:=+python3-light +python3-decorator + URL:=https://networkx.org/ + DEPENDS:=+python3-light +python3-uuid +python3-xml endef define Package/python3-networkx/description diff --git a/net/adblock-fast/Makefile b/net/adblock-fast/Makefile index 317a3d1aae..72a3324ac0 100644 --- a/net/adblock-fast/Makefile +++ b/net/adblock-fast/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adblock-fast PKG_VERSION:=1.0.0 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later @@ -18,6 +18,10 @@ define Package/adblock-fast TITLE:=AdBlock Fast Service URL:=https://docs.openwrt.melmac.net/adblock-fast/ DEPENDS:=+jshn +curl + DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk + DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep + DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed + DEPENDS+=+!BUSYBOX_DEFAULT_SORT:coreutils-sort CONFLICTS:=simple-adblock PROVIDES:=simple-adblock PKGARCH:=all diff --git a/net/adblock-fast/files/etc/config/adblock-fast b/net/adblock-fast/files/etc/config/adblock-fast index 10cdf5186e..f459411f03 100644 --- a/net/adblock-fast/files/etc/config/adblock-fast +++ b/net/adblock-fast/files/etc/config/adblock-fast @@ -13,7 +13,7 @@ config adblock-fast 'config' option curl_retry '3' option debug '0' option dns 'dnsmasq.servers' - option dnsmasq_instance '*' + list dnsmasq_instance '*' # option dnsmasq_config_file_url 'https://big.oisd.nl/dnsmasq2' option download_timeout '10' option force_dns '1' 
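Review bot: Turning `dnsmasq_instance` from an `option` into a `list` means the value can now carry several entries, but the init script's `dns()` (visible in a later hunk of this commit) still compares the whole config_get result against `*` and then word-splits the remainder unquoted, so a list that mixes `*` with named instances neither takes the all-instances branch nor is protected from pathname expansion on the `*` word. Either document in the config that `*` must be the only entry, e.g. `# dnsmasq_instance: list of dnsmasq instance names or indexes, or the single entry '*' for all`, or guard the loop in the init script. This is inferred from the two hunks together; the config_get behaviour for lists is not shown on the page.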
diff --git a/net/adblock-fast/files/etc/init.d/adblock-fast b/net/adblock-fast/files/etc/init.d/adblock-fast index 2a75e69383..6d0cade3f4 100755 --- a/net/adblock-fast/files/etc/init.d/adblock-fast +++ b/net/adblock-fast/files/etc/init.d/adblock-fast @@ -151,6 +151,7 @@ get_text() { errorParsingList) r="failed to parse";; errorNoSSLSupport) r="no HTTPS/SSL support on device";; errorCreatingDirectory) r="failed to create output/cache/gzip file directory";; + errorDetectingFileType) r="failed to detect format";; statusNoInstall) r="$serviceName is not installed or not found";; statusStopped) r="Stopped";; @@ -268,20 +269,35 @@ append_url() { fi } -detect_file_type() { - local file="$1" - if [ "$(head -1 "$file")" = '[Adblock Plus]' ]; then - echo 'adBlockPlus' - elif grep -q '^server=' "$file"; then - echo 'dnsmasqFile' - elif grep -q '^local=' "$file"; then - echo 'dnsmasq2File' - elif grep -q '^0.0.0.0' "$file" || grep -q '^127.0.0.1' "$file"; then - echo 'hosts' - else - echo 'domains' - fi -} + detect_file_type() { + local file="$1" + if [ "$(head -1 "$file")" = '[Adblock Plus]' ] || \ + grep -q '^||' "$file"; then + echo 'adBlockPlus' + elif grep -q '^server=' "$file"; then + echo 'dnsmasqFile' + elif grep -q '^local=' "$file"; then + echo 'dnsmasq2File' + elif grep -q '^0.0.0.0' "$file" || grep -q '^127.0.0.1' "$file"; then + echo 'hosts' + elif [ -n "$(sed "$domainsFilter" "$file" | head -1)" ]; then + echo 'domains' + fi + } +# detect_file_type() { +# local file="$1" +# if [ -n "$(sed "$adBlockPlusFilter" "$file" | head -1)" ]; then +# echo 'adBlockPlus' +# elif [ -n "$(sed "$dnsmasqFileFilter" "$file" | head -1)" ]; then +# echo 'dnsmasqFile' +# elif [ -n "$(sed "$dnsmasq2FileFilter" "$file" | head -1)" ]; then +# echo 'dnsmasq2File' +# elif [ -n "$(sed "$hostsFilter" "$file" | head -1)" ]; then +# echo 'hosts' +# elif [ -n "$(sed "$domainsFilter" "$file" | head -1)" ]; then +# echo 'domains' +# fi +# } load_environment() { local i j 
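Review bot: The rewritten `detect_file_type` is immediately followed by a second, fully commented-out implementation of the same function (the `# detect_file_type() { … # }` block), and dead code of that size misleads the next reader about which version is live; it belongs in the commit message, not the script. The new body also drops the old `else echo 'domains'` fallback, so an unrecognised list now prints nothing and every caller must treat the empty result as a failure rather than feeding the raw file to the resolver; that is the right direction but deserves `# prints nothing when no known format matches; callers must handle the empty case` above the function. The replacement definition also appears indented one level deeper than the one it replaces, which looks accidental. load_environment starts at the end of the hunk and continues past it.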
@@ -543,7 +559,7 @@ get_local_filesize() { echo -en "$size" } -resolver() { +resolver_config() { local cfg="$1" param="$2" case "$param" in dnsmasq.addnhosts) @@ -580,10 +596,10 @@ dns() { config_load 'dhcp' if [ "$dnsmasq_instance" = "*" ]; then - config_foreach resolver 'dnsmasq' "$dns" + config_foreach resolver_config 'dnsmasq' "$dns" elif [ -n "$dnsmasq_instance" ]; then for i in $dnsmasq_instance; do - resolver "@dnsmasq[$i]" "$dns" || resolver "$i" "$dns" + resolver_config "@dnsmasq[$i]" "$dns" || resolver_config "$i" "$dns" done fi @@ -849,16 +865,23 @@ process_file_url() { format="$(detect_file_type "$R_TMP")" case "$format" in adBlockPlus) filter="$adBlockPlusFilter";; -# dnsmasqFile) filter="$dnsmasqFileFilter";; -# dnsmasq2File) filter="$dnsmasq2FileFilter";; + dnsmasqFile) filter="$dnsmasqFileFilter";; + dnsmasq2File) filter="$dnsmasq2FileFilter";; domains) filter="$domainsFilter";; hosts) filter="$hostsFilter";; + *) + output 1 "$_FAIL_" + output 2 "[DL] $type $label $__FAIL__\\n" + echo "errorDetectingFileType|${url}" >> "$sharedMemoryError" + rm -f "$R_TMP" + return 0 + ;; esac - [ -n "$filter" ] && sed -i "$filter" "$R_TMP" + sed -i "$filter" "$R_TMP" if [ ! -s "$R_TMP" ]; then output 1 "$_FAIL_" output 2 "[DL] $type $label ($format) $__FAIL__\\n" - echo "errorParsingList|${1}" >> "$sharedMemoryError" + echo "errorParsingList|${url}" >> "$sharedMemoryError" else cat "${R_TMP}" >> "$D_TMP" output 1 "$_OK_" @@ -1596,7 +1619,7 @@ killcache() { rm -f "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundCache" "$unboundGzip" config_load 'dhcp' - config_foreach resolver 'dnsmasq' 'cleanup' + config_foreach resolver_config 'dnsmasq' 'cleanup' uci_commit 'dhcp' return 0 } diff --git a/net/apache/Makefile b/net/apache/Makefile index 9a6c881585..5005a233dd 100644 --- a/net/apache/Makefile +++ b/net/apache/Makefile 
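Review bot: The new `*)` arm in process_file_url records `errorDetectingFileType`, removes `$R_TMP` and then `return 0`, which reads as success to the caller, while the errorParsingList branch just below records its error and falls through without returning; if the rest of the function returns 0 on its other failure paths this is consistent, but the asymmetry deserves a one-line comment such as `# unknown format: skip this list; the error is reported via sharedMemoryError, not the exit status`. Rejecting unrecognised files instead of defaulting them to the domains filter is a good tightening and is worth noting in the same comment. The `${1}` to `${url}` fix is correct. process_file_url begins and ends outside the hunk.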
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apache -PKG_VERSION:=2.4.52 +PKG_VERSION:=2.4.57 PKG_RELEASE:=1 PKG_SOURCE_NAME:=httpd PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@APACHE/httpd/ -PKG_HASH:=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9 +PKG_HASH:=dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION) @@ -66,7 +66,7 @@ endef define Package/apache $(call Package/apache/Default) USERID:=apache=377:apache=377 - DEPENDS:=+libapr +libaprutil +libpcre + DEPENDS:=+libapr +libaprutil +libpcre2 endef define Package/apache/description @@ -201,7 +201,7 @@ CONFIGURE_ARGS+= \ --with-apr-util="$(STAGING_DIR)/usr/bin/apu-1-config" \ --with-apr="$(STAGING_DIR)/usr/bin/apr-1-config" \ --with-mpm=prefork \ - --with-pcre="$(STAGING_DIR)/usr/bin/pcre-config" \ + --with-pcre="$(STAGING_DIR)/usr/bin/pcre2-config" \ --with-program-name=apache2 \ --with-ssl diff --git a/net/apache/patches/020-openssl-deprecated.patch b/net/apache/patches/020-openssl-deprecated.patch index c4f600fa85..94115840a6 100644 --- a/net/apache/patches/020-openssl-deprecated.patch +++ b/net/apache/patches/020-openssl-deprecated.patch @@ -1,6 +1,6 @@ --- a/modules/md/md_crypt.c +++ b/modules/md/md_crypt.c -@@ -1139,23 +1139,23 @@ const char *md_cert_get_serial_number(co +@@ -1194,23 +1194,23 @@ int md_certs_are_equal(const md_cert_t * int md_cert_is_valid_now(const md_cert_t *cert) { @@ -102,7 +102,7 @@ * when the user points at an explicit non-engine flavor of OpenSSL --- a/support/ab.c +++ b/support/ab.c -@@ -652,11 +652,11 @@ static void ssl_print_cert_info(BIO *bio +@@ -665,11 +665,11 @@ static void ssl_print_cert_info(BIO *bio BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); BIO_printf(bio,"Valid from: "); 
@@ -116,7 +116,7 @@ BIO_printf(bio,"\n"); pk = X509_get_pubkey(cert); -@@ -2634,8 +2634,10 @@ int main(int argc, const char * const ar +@@ -2647,8 +2647,10 @@ int main(int argc, const char * const ar CRYPTO_malloc_init(); #endif #endif diff --git a/net/iperf3/Makefile b/net/iperf3/Makefile index c7133bd569..dbe09c1e03 100644 --- a/net/iperf3/Makefile +++ b/net/iperf3/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=iperf -PKG_VERSION:=3.13 +PKG_VERSION:=3.15 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.es.net/pub/iperf -PKG_HASH:=bee427aeb13d6a2ee22073f23261f63712d82befaa83ac8cb4db5da4c2bdc865 +PKG_HASH:=bdb77c11f72bce90214883159577fa24412013e62b2083cf5f54391d79b1d8ff PKG_MAINTAINER:=Felix Fietkau PKG_LICENSE:=BSD-3-Clause diff --git a/net/openvswitch/Makefile b/net/openvswitch/Makefile index 7f47c28226..43b8bfaf55 100644 --- a/net/openvswitch/Makefile +++ b/net/openvswitch/Makefile @@ -251,6 +251,7 @@ CONFIGURE_ARGS+= \ CONFIGURE_VARS += \ $(if $(CONFIG_OPENVSWITCH_WITH_LIBUNBOUND),,ac_cv_lib_unbound_ub_ctx_create=no) \ ovs_cv_flake8=no \ + ovs_cv_groff=no \ ovs_cv_python3=$(PYTHON3) \ ovs_cv_python3_host=$(HOST_PYTHON3_BIN) \ SPHINXBUILD=none \ diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index 755ed1394c..64360168a2 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.46.1 +PKG_VERSION:=1.50.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=a567bafec720869faa25eb1886dac1b519679c8dbe5762d1e9cdb653898df076 +PKG_HASH:=a7e024577854c07b793c4bbd81a497250e6a1b4536e303351a388810f13b7316 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause 
@@ -66,12 +66,6 @@ define Package/tailscaled/conffiles /etc/tailscale/ endef -define Build/Prepare - $(PKG_UNPACK) - [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) - $(Build/Patch) -endef - define Package/tailscale/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscale $(1)/usr/sbin diff --git a/net/tailscale/README.md b/net/tailscale/README.md index eaffa57d7a..7bad0a3c3a 100644 --- a/net/tailscale/README.md +++ b/net/tailscale/README.md @@ -8,6 +8,8 @@ To install them run ``` opkg install tailscale tailscaled ``` +> [!NOTE] +> By default this package will use nftables. If you wish to use iptables, the config file `/etc/config/tailscale` can be modfied, changing the line `fw_mode 'nftables'` to `fw_mode 'iptables'`. You can then run `/etc/init.d/tailscale restart` to restart tailscale using your chosen method ## First setup @@ -25,9 +27,4 @@ Run command and finish device registration with the given URL. tailscale up ``` -If you are running with nftables, it is not supported by tailscale, -so disable it and configure firewall by yourself and add argument ---netfilter-mode off -to tailscale up command to disable iptables use. - -After that, you should see your router in tailscale admin page. +See the [OpenWrt wiki](https://openwrt.org/docs/guide-user/services/vpn/tailscale/start) for more detailed setup instructions diff --git a/net/tailscale/files/tailscale.conf b/net/tailscale/files/tailscale.conf index 194d8df4fb..0261582ac0 100644 --- a/net/tailscale/files/tailscale.conf +++ b/net/tailscale/files/tailscale.conf @@ -3,3 +3,5 @@ config settings 'settings' option log_stdout '1' option port '41641' option state_file '/etc/tailscale/tailscaled.state' + # default to using nftables - change below to 'iptables' if still using iptables + option fw_mode 'nftables' \ No newline at end of file diff --git a/net/tailscale/files/tailscale.init b/net/tailscale/files/tailscale.init index 6548fa2200..5100c7ceed 100644 
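Review bot: The new `option fw_mode 'nftables'` line in tailscale.conf is added without a trailing newline (`\ No newline at end of file`), which is a style nit but guarantees a noisy diff on the next edit and bites any tooling that appends to the file with `>>`. Terminate the file with a newline. The `#` comment above the option is useful; consider listing the accepted values there, e.g. `# fw_mode: 'nftables' (default) or 'iptables'`, since this file is what users are told to edit.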
--- a/net/tailscale/files/tailscale.init +++ b/net/tailscale/files/tailscale.init @@ -17,12 +17,17 @@ start_service() { config_get_bool std_err "settings" log_stderr 1 config_get port "settings" port 41641 config_get state_file "settings" state_file /etc/tailscale/tailscaled.state + config_get fw_mode "settings" fw_mode nftables /usr/sbin/tailscaled --cleanup procd_open_instance procd_set_param command /usr/sbin/tailscaled + # Starting with v1.48.1 ENV variable is required to enable use of iptables / nftables. + # Use nftables by default - can be changed to 'iptables' in tailscale config + procd_set_param env TS_DEBUG_FIREWALL_MODE="$fw_mode" + # Set the port to listen on for incoming VPN packets. # Remote nodes will automatically be informed about the new port number, # but you might want to configure this in order to set external firewall diff --git a/net/tailscale/patches/010-remove_iptables.patch b/net/tailscale/patches/010-remove_iptables.patch deleted file mode 100644 index b719a6ae54..0000000000 --- a/net/tailscale/patches/010-remove_iptables.patch +++ /dev/null 
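Review bot: `fw_mode` is read from UCI and handed straight to `TS_DEBUG_FIREWALL_MODE` with no validation, so a typo such as `nftable` becomes whatever tailscaled does with an unknown mode instead of a clear message at service start. A guard before procd_set_param, `case "$fw_mode" in iptables|nftables) ;; *) logger -t tailscale "unknown fw_mode '$fw_mode', using nftables"; fw_mode=nftables ;; esac`, keeps the default the commit documents; the README and tailscale.conf in this commit name only these two values, so I would not accept anything else without checking upstream. The "v1.48.1" claim in the comment is not traceable to anything in this tree, so cite where it comes from. start_service continues past the hunk.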
@@ -1,1071 +0,0 @@ ---- a/cmd/derper/depaware.txt -+++ b/cmd/derper/depaware.txt -@@ -12,7 +12,6 @@ tailscale.com/cmd/derper dependencies: ( - W 💣 github.com/alexbrainman/sspi/negotiate from tailscale.com/net/tshttpproxy - github.com/beorn7/perks/quantile from github.com/prometheus/client_golang/prometheus - 💣 github.com/cespare/xxhash/v2 from github.com/prometheus/client_golang/prometheus -- L github.com/coreos/go-iptables/iptables from tailscale.com/util/linuxfw - github.com/fxamacker/cbor/v2 from tailscale.com/tka - github.com/golang/groupcache/lru from tailscale.com/net/dnscache - github.com/golang/protobuf/proto from github.com/matttproud/golang_protobuf_extensions/pbutil+ -@@ -144,7 +143,7 @@ tailscale.com/cmd/derper dependencies: ( - tailscale.com/util/lineread from tailscale.com/hostinfo+ - L tailscale.com/util/linuxfw from tailscale.com/net/netns - tailscale.com/util/mak from tailscale.com/syncs+ -- tailscale.com/util/multierr from tailscale.com/health+ -+ tailscale.com/util/multierr from tailscale.com/health - tailscale.com/util/set from tailscale.com/health+ - tailscale.com/util/singleflight from tailscale.com/net/dnscache - tailscale.com/util/slicesx from tailscale.com/cmd/derper+ ---- a/cmd/tailscale/depaware.txt -+++ b/cmd/tailscale/depaware.txt -@@ -10,7 +10,6 @@ tailscale.com/cmd/tailscale dependencies - W 💣 github.com/alexbrainman/sspi from github.com/alexbrainman/sspi/negotiate+ - W github.com/alexbrainman/sspi/internal/common from github.com/alexbrainman/sspi/negotiate - W 💣 github.com/alexbrainman/sspi/negotiate from tailscale.com/net/tshttpproxy -- L github.com/coreos/go-iptables/iptables from tailscale.com/util/linuxfw - github.com/fxamacker/cbor/v2 from tailscale.com/tka - github.com/golang/groupcache/lru from tailscale.com/net/dnscache - L github.com/google/nftables from tailscale.com/util/linuxfw ---- a/cmd/tailscaled/depaware.txt -+++ b/cmd/tailscaled/depaware.txt -@@ -75,7 +75,6 @@ tailscale.com/cmd/tailscaled dependencie - L 
github.com/aws/smithy-go/transport/http from github.com/aws/aws-sdk-go-v2/aws/middleware+ - L github.com/aws/smithy-go/transport/http/internal/io from github.com/aws/smithy-go/transport/http - L github.com/aws/smithy-go/waiter from github.com/aws/aws-sdk-go-v2/service/ssm -- L github.com/coreos/go-iptables/iptables from tailscale.com/util/linuxfw - LD 💣 github.com/creack/pty from tailscale.com/ssh/tailssh - W 💣 github.com/dblohm7/wingoes from github.com/dblohm7/wingoes/com - W 💣 github.com/dblohm7/wingoes/com from tailscale.com/cmd/tailscaled -@@ -477,13 +476,13 @@ tailscale.com/cmd/tailscaled dependencie - net/textproto from golang.org/x/net/http/httpguts+ - net/url from crypto/x509+ - os from crypto/rand+ -- os/exec from github.com/coreos/go-iptables/iptables+ -+ os/exec from github.com/aws/aws-sdk-go-v2/credentials/processcreds+ - os/signal from tailscale.com/cmd/tailscaled - os/user from github.com/godbus/dbus/v5+ - path from github.com/godbus/dbus/v5+ - path/filepath from crypto/x509+ - reflect from crypto/x509+ -- regexp from github.com/coreos/go-iptables/iptables+ -+ regexp from github.com/aws/aws-sdk-go-v2/internal/endpoints/v2+ - regexp/syntax from regexp - runtime/debug from github.com/klauspost/compress/zstd+ - runtime/pprof from tailscale.com/log/logheap+ ---- a/go.mod -+++ b/go.mod -@@ -14,7 +14,6 @@ require ( - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64 - github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0 - github.com/aws/aws-sdk-go-v2/service/ssm v1.36.3 -- github.com/coreos/go-iptables v0.6.0 - github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf - github.com/creack/pty v1.1.18 - github.com/dave/jennifer v1.6.1 ---- a/go.sum -+++ b/go.sum -@@ -216,8 +216,6 @@ github.com/containerd/stargz-snapshotter - github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= - github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= - github.com/coreos/etcd 
v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= --github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk= --github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= - github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= - github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= - github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= ---- a/util/linuxfw/iptables.go -+++ /dev/null -@@ -1,29 +0,0 @@ --// Copyright (c) Tailscale Inc & AUTHORS --// SPDX-License-Identifier: BSD-3-Clause -- --// TODO(#8502): add support for more architectures --//go:build linux && (arm64 || amd64) -- --package linuxfw -- --import ( -- "tailscale.com/types/logger" --) -- --// DebugNetfilter prints debug information about iptables rules to the --// provided log function. --func DebugIptables(logf logger.Logf) error { -- // unused. -- return nil --} -- --// DetectIptables returns the number of iptables rules that are present in the --// system, ignoring the default "ACCEPT" rule present in the standard iptables --// chains. --// --// It only returns an error when the kernel returns an error (i.e. when a --// syscall fails); when there are no iptables rules, it is valid for this --// function to return 0, nil. 
--func DetectIptables() (int, error) { -- panic("unused") --} ---- a/util/linuxfw/iptables_runner.go -+++ /dev/null -@@ -1,488 +0,0 @@ --// Copyright (c) Tailscale Inc & AUTHORS --// SPDX-License-Identifier: BSD-3-Clause -- --//go:build linux -- --package linuxfw -- --import ( -- "fmt" -- "net/netip" -- "os/exec" -- "strings" -- -- "github.com/coreos/go-iptables/iptables" -- "tailscale.com/net/tsaddr" -- "tailscale.com/types/logger" -- "tailscale.com/util/multierr" --) -- --type iptablesInterface interface { -- // Adding this interface for testing purposes so we can mock out -- // the iptables library, in reality this is a wrapper to *iptables.IPTables. -- Insert(table, chain string, pos int, args ...string) error -- Append(table, chain string, args ...string) error -- Exists(table, chain string, args ...string) (bool, error) -- Delete(table, chain string, args ...string) error -- ClearChain(table, chain string) error -- NewChain(table, chain string) error -- DeleteChain(table, chain string) error --} -- --type iptablesRunner struct { -- ipt4 iptablesInterface -- ipt6 iptablesInterface -- -- v6Available bool -- v6NATAvailable bool --} -- --func checkIP6TablesExists() error { -- // Some distros ship ip6tables separately from iptables. -- if _, err := exec.LookPath("ip6tables"); err != nil { -- return fmt.Errorf("path not found: %w", err) -- } -- return nil --} -- --// NewIPTablesRunner constructs a NetfilterRunner that programs iptables rules. --// If the underlying iptables library fails to initialize, that error is --// returned. The runner probes for IPv6 support once at initialization time and --// if not found, no IPv6 rules will be modified for the lifetime of the runner. 
--func NewIPTablesRunner(logf logger.Logf) (*iptablesRunner, error) { -- ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4) -- if err != nil { -- return nil, err -- } -- -- supportsV6, supportsV6NAT := false, false -- v6err := checkIPv6(logf) -- ip6terr := checkIP6TablesExists() -- switch { -- case v6err != nil: -- logf("disabling tunneled IPv6 due to system IPv6 config: %v", v6err) -- case ip6terr != nil: -- logf("disabling tunneled IPv6 due to missing ip6tables: %v", ip6terr) -- default: -- supportsV6 = true -- supportsV6NAT = supportsV6 && checkSupportsV6NAT() -- logf("v6nat = %v", supportsV6NAT) -- } -- -- var ipt6 *iptables.IPTables -- if supportsV6 { -- ipt6, err = iptables.NewWithProtocol(iptables.ProtocolIPv6) -- if err != nil { -- return nil, err -- } -- } -- return &iptablesRunner{ipt4, ipt6, supportsV6, supportsV6NAT}, nil --} -- --// HasIPV6 returns true if the system supports IPv6. --func (i *iptablesRunner) HasIPV6() bool { -- return i.v6Available --} -- --// HasIPV6NAT returns true if the system supports IPv6 NAT. --func (i *iptablesRunner) HasIPV6NAT() bool { -- return i.v6NATAvailable --} -- --func isErrChainNotExist(err error) bool { -- return errCode(err) == 1 --} -- --// getIPTByAddr returns the iptablesInterface with correct IP family --// that we will be using for the given address. --func (i *iptablesRunner) getIPTByAddr(addr netip.Addr) iptablesInterface { -- nf := i.ipt4 -- if addr.Is6() { -- nf = i.ipt6 -- } -- return nf --} -- --// AddLoopbackRule adds an iptables rule to permit loopback traffic to --// a local Tailscale IP. --func (i *iptablesRunner) AddLoopbackRule(addr netip.Addr) error { -- if err := i.getIPTByAddr(addr).Insert("filter", "ts-input", 1, "-i", "lo", "-s", addr.String(), "-j", "ACCEPT"); err != nil { -- return fmt.Errorf("adding loopback allow rule for %q: %w", addr, err) -- } -- -- return nil --} -- --// tsChain returns the name of the tailscale sub-chain corresponding --// to the given "parent" chain (e.g. 
INPUT, FORWARD, ...). --func tsChain(chain string) string { -- return "ts-" + strings.ToLower(chain) --} -- --// DelLoopbackRule removes the iptables rule permitting loopback --// traffic to a Tailscale IP. --func (i *iptablesRunner) DelLoopbackRule(addr netip.Addr) error { -- if err := i.getIPTByAddr(addr).Delete("filter", "ts-input", "-i", "lo", "-s", addr.String(), "-j", "ACCEPT"); err != nil { -- return fmt.Errorf("deleting loopback allow rule for %q: %w", addr, err) -- } -- -- return nil --} -- --// getTables gets the available iptablesInterface in iptables runner. --func (i *iptablesRunner) getTables() []iptablesInterface { -- if i.HasIPV6() { -- return []iptablesInterface{i.ipt4, i.ipt6} -- } -- return []iptablesInterface{i.ipt4} --} -- --// getNATTables gets the available iptablesInterface in iptables runner. --// If the system does not support IPv6 NAT, only the IPv4 iptablesInterface --// is returned. --func (i *iptablesRunner) getNATTables() []iptablesInterface { -- if i.HasIPV6NAT() { -- return i.getTables() -- } -- return []iptablesInterface{i.ipt4} --} -- --// AddHooks inserts calls to tailscale's netfilter chains in --// the relevant main netfilter chains. The tailscale chains must --// already exist. If they do not, an error is returned. --func (i *iptablesRunner) AddHooks() error { -- // divert inserts a jump to the tailscale chain in the given table/chain. -- // If the jump already exists, it is a no-op. -- divert := func(ipt iptablesInterface, table, chain string) error { -- tsChain := tsChain(chain) -- -- args := []string{"-j", tsChain} -- exists, err := ipt.Exists(table, chain, args...) 
-- if err != nil { -- return fmt.Errorf("checking for %v in %s/%s: %w", args, table, chain, err) -- } -- if exists { -- return nil -- } -- if err := ipt.Insert(table, chain, 1, args...); err != nil { -- return fmt.Errorf("adding %v in %s/%s: %w", args, table, chain, err) -- } -- return nil -- } -- -- for _, ipt := range i.getTables() { -- if err := divert(ipt, "filter", "INPUT"); err != nil { -- return err -- } -- if err := divert(ipt, "filter", "FORWARD"); err != nil { -- return err -- } -- } -- -- for _, ipt := range i.getNATTables() { -- if err := divert(ipt, "nat", "POSTROUTING"); err != nil { -- return err -- } -- } -- return nil --} -- --// AddChains creates custom Tailscale chains in netfilter via iptables --// if the ts-chain doesn't already exist. --func (i *iptablesRunner) AddChains() error { -- // create creates a chain in the given table if it doesn't already exist. -- // If the chain already exists, it is a no-op. -- create := func(ipt iptablesInterface, table, chain string) error { -- err := ipt.ClearChain(table, chain) -- if isErrChainNotExist(err) { -- // nonexistent chain. let's create it! -- return ipt.NewChain(table, chain) -- } -- if err != nil { -- return fmt.Errorf("setting up %s/%s: %w", table, chain, err) -- } -- return nil -- } -- -- for _, ipt := range i.getTables() { -- if err := create(ipt, "filter", "ts-input"); err != nil { -- return err -- } -- if err := create(ipt, "filter", "ts-forward"); err != nil { -- return err -- } -- } -- -- for _, ipt := range i.getNATTables() { -- if err := create(ipt, "nat", "ts-postrouting"); err != nil { -- return err -- } -- } -- -- return nil --} -- --// AddBase adds some basic processing rules to be supplemented by --// later calls to other helpers. 
--func (i *iptablesRunner) AddBase(tunname string) error { -- if err := i.addBase4(tunname); err != nil { -- return err -- } -- if i.HasIPV6() { -- if err := i.addBase6(tunname); err != nil { -- return err -- } -- } -- return nil --} -- --// addBase4 adds some basic IPv6 processing rules to be --// supplemented by later calls to other helpers. --func (i *iptablesRunner) addBase4(tunname string) error { -- // Only allow CGNAT range traffic to come from tailscale0. There -- // is an exception carved out for ranges used by ChromeOS, for -- // which we fall out of the Tailscale chain. -- // -- // Note, this will definitely break nodes that end up using the -- // CGNAT range for other purposes :(. -- args := []string{"!", "-i", tunname, "-s", tsaddr.ChromeOSVMRange().String(), "-j", "RETURN"} -- if err := i.ipt4.Append("filter", "ts-input", args...); err != nil { -- return fmt.Errorf("adding %v in v4/filter/ts-input: %w", args, err) -- } -- args = []string{"!", "-i", tunname, "-s", tsaddr.CGNATRange().String(), "-j", "DROP"} -- if err := i.ipt4.Append("filter", "ts-input", args...); err != nil { -- return fmt.Errorf("adding %v in v4/filter/ts-input: %w", args, err) -- } -- -- // Forward all traffic from the Tailscale interface, and drop -- // traffic to the tailscale interface by default. We use packet -- // marks here so both filter/FORWARD and nat/POSTROUTING can match -- // on these packets of interest. -- // -- // In particular, we only want to apply SNAT rules in -- // nat/POSTROUTING to packets that originated from the Tailscale -- // interface, but we can't match on the inbound interface in -- // POSTROUTING. So instead, we match on the inbound interface in -- // filter/FORWARD, and set a packet mark that nat/POSTROUTING can -- // use to effectively run that same test again. 
-- args = []string{"-i", tunname, "-j", "MARK", "--set-mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask} -- if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err) -- } -- args = []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "ACCEPT"} -- if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err) -- } -- args = []string{"-o", tunname, "-s", tsaddr.CGNATRange().String(), "-j", "DROP"} -- if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err) -- } -- args = []string{"-o", tunname, "-j", "ACCEPT"} -- if err := i.ipt4.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v4/filter/ts-forward: %w", args, err) -- } -- -- return nil --} -- --// addBase6 adds some basic IPv4 processing rules to be --// supplemented by later calls to other helpers. --func (i *iptablesRunner) addBase6(tunname string) error { -- // TODO: only allow traffic from Tailscale's ULA range to come -- // from tailscale0. -- -- args := []string{"-i", tunname, "-j", "MARK", "--set-mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask} -- if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err) -- } -- args = []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "ACCEPT"} -- if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err) -- } -- // TODO: drop forwarded traffic to tailscale0 from tailscale's ULA -- // (see corresponding IPv4 CGNAT rule). 
-- args = []string{"-o", tunname, "-j", "ACCEPT"} -- if err := i.ipt6.Append("filter", "ts-forward", args...); err != nil { -- return fmt.Errorf("adding %v in v6/filter/ts-forward: %w", args, err) -- } -- -- return nil --} -- --// DelChains removes the custom Tailscale chains from netfilter via iptables. --func (i *iptablesRunner) DelChains() error { -- for _, ipt := range i.getTables() { -- if err := delChain(ipt, "filter", "ts-input"); err != nil { -- return err -- } -- if err := delChain(ipt, "filter", "ts-forward"); err != nil { -- return err -- } -- } -- -- for _, ipt := range i.getNATTables() { -- if err := delChain(ipt, "nat", "ts-postrouting"); err != nil { -- return err -- } -- } -- -- return nil --} -- --// DelBase empties but does not remove custom Tailscale chains from --// netfilter via iptables. --func (i *iptablesRunner) DelBase() error { -- del := func(ipt iptablesInterface, table, chain string) error { -- if err := ipt.ClearChain(table, chain); err != nil { -- if isErrChainNotExist(err) { -- // nonexistent chain. That's fine, since it's -- // the desired state anyway. -- return nil -- } -- return fmt.Errorf("flushing %s/%s: %w", table, chain, err) -- } -- return nil -- } -- -- for _, ipt := range i.getTables() { -- if err := del(ipt, "filter", "ts-input"); err != nil { -- return err -- } -- if err := del(ipt, "filter", "ts-forward"); err != nil { -- return err -- } -- } -- for _, ipt := range i.getNATTables() { -- if err := del(ipt, "nat", "ts-postrouting"); err != nil { -- return err -- } -- } -- -- return nil --} -- --// DelHooks deletes the calls to tailscale's netfilter chains --// in the relevant main netfilter chains. 
--func (i *iptablesRunner) DelHooks(logf logger.Logf) error { -- for _, ipt := range i.getTables() { -- if err := delTSHook(ipt, "filter", "INPUT", logf); err != nil { -- return err -- } -- if err := delTSHook(ipt, "filter", "FORWARD", logf); err != nil { -- return err -- } -- } -- for _, ipt := range i.getNATTables() { -- if err := delTSHook(ipt, "nat", "POSTROUTING", logf); err != nil { -- return err -- } -- } -- -- return nil --} -- --// AddSNATRule adds a netfilter rule to SNAT traffic destined for --// local subnets. --func (i *iptablesRunner) AddSNATRule() error { -- args := []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "MASQUERADE"} -- for _, ipt := range i.getNATTables() { -- if err := ipt.Append("nat", "ts-postrouting", args...); err != nil { -- return fmt.Errorf("adding %v in nat/ts-postrouting: %w", args, err) -- } -- } -- return nil --} -- --// DelSNATRule removes the netfilter rule to SNAT traffic destined for --// local subnets. An error is returned if the rule does not exist. --func (i *iptablesRunner) DelSNATRule() error { -- args := []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "MASQUERADE"} -- for _, ipt := range i.getNATTables() { -- if err := ipt.Delete("nat", "ts-postrouting", args...); err != nil { -- return fmt.Errorf("deleting %v in nat/ts-postrouting: %w", args, err) -- } -- } -- return nil --} -- --// IPTablesCleanup removes all Tailscale added iptables rules. --// Any errors that occur are logged to the provided logf. --func IPTablesCleanup(logf logger.Logf) { -- err := clearRules(iptables.ProtocolIPv4, logf) -- if err != nil { -- logf("linuxfw: clear iptables: %v", err) -- } -- -- err = clearRules(iptables.ProtocolIPv6, logf) -- if err != nil { -- logf("linuxfw: clear ip6tables: %v", err) -- } --} -- --// delTSHook deletes hook in a chain that jumps to a ts-chain. 
If the hook does not --// exist, it's a no-op since the desired state is already achieved but we log the --// error because error code from the iptables module resists unwrapping. --func delTSHook(ipt iptablesInterface, table, chain string, logf logger.Logf) error { -- tsChain := tsChain(chain) -- args := []string{"-j", tsChain} -- if err := ipt.Delete(table, chain, args...); err != nil { -- // TODO(apenwarr): check for errCode(1) here. -- // Unfortunately the error code from the iptables -- // module resists unwrapping, unlike with other -- // calls. So we have to assume if Delete fails, -- // it's because there is no such rule. -- logf("deleting %v in %s/%s: %v", args, table, chain, err) -- return nil -- } -- return nil --} -- --// delChain flushs and deletes a chain. If the chain does not exist, it's a no-op --// since the desired state is already achieved. otherwise, it returns an error. --func delChain(ipt iptablesInterface, table, chain string) error { -- if err := ipt.ClearChain(table, chain); err != nil { -- if isErrChainNotExist(err) { -- // nonexistent chain. nothing to do. -- return nil -- } -- return fmt.Errorf("flushing %s/%s: %w", table, chain, err) -- } -- if err := ipt.DeleteChain(table, chain); err != nil { -- return fmt.Errorf("deleting %s/%s: %w", table, chain, err) -- } -- return nil --} -- --// clearRules clears all the iptables rules created by Tailscale --// for the given protocol. If error occurs, it's logged but not returned. 
--func clearRules(proto iptables.Protocol, logf logger.Logf) error { -- ipt, err := iptables.NewWithProtocol(proto) -- if err != nil { -- return err -- } -- -- var errs []error -- -- if err := delTSHook(ipt, "filter", "INPUT", logf); err != nil { -- errs = append(errs, err) -- } -- if err := delTSHook(ipt, "filter", "FORWARD", logf); err != nil { -- errs = append(errs, err) -- } -- if err := delTSHook(ipt, "nat", "POSTROUTING", logf); err != nil { -- errs = append(errs, err) -- } -- -- if err := delChain(ipt, "filter", "ts-input"); err != nil { -- errs = append(errs, err) -- } -- if err := delChain(ipt, "filter", "ts-forward"); err != nil { -- errs = append(errs, err) -- } -- -- if err := delChain(ipt, "nat", "ts-postrouting"); err != nil { -- errs = append(errs, err) -- } -- -- return multierr.New(errs...) --} ---- a/util/linuxfw/iptables_runner_test.go -+++ /dev/null -@@ -1,420 +0,0 @@ --// Copyright (c) Tailscale Inc & AUTHORS --// SPDX-License-Identifier: BSD-3-Clause -- --//go:build linux -- --package linuxfw -- --import ( -- "errors" -- "net/netip" -- "strings" -- "testing" -- -- "tailscale.com/net/tsaddr" --) -- --var errExec = errors.New("execution failed") -- --type fakeIPTables struct { -- t *testing.T -- n map[string][]string --} -- --type fakeRule struct { -- table, chain string -- args []string --} -- --func newIPTables(t *testing.T) *fakeIPTables { -- return &fakeIPTables{ -- t: t, -- n: map[string][]string{ -- "filter/INPUT": nil, -- "filter/OUTPUT": nil, -- "filter/FORWARD": nil, -- "nat/PREROUTING": nil, -- "nat/OUTPUT": nil, -- "nat/POSTROUTING": nil, -- }, -- } --} -- --func (n *fakeIPTables) Insert(table, chain string, pos int, args ...string) error { -- k := table + "/" + chain -- if rules, ok := n.n[k]; ok { -- if pos > len(rules)+1 { -- n.t.Errorf("bad position %d in %s", pos, k) -- return errExec -- } -- rules = append(rules, "") -- copy(rules[pos:], rules[pos-1:]) -- rules[pos-1] = strings.Join(args, " ") -- n.n[k] = rules -- } else { -- 
n.t.Errorf("unknown table/chain %s", k) -- return errExec -- } -- return nil --} -- --func (n *fakeIPTables) Append(table, chain string, args ...string) error { -- k := table + "/" + chain -- return n.Insert(table, chain, len(n.n[k])+1, args...) --} -- --func (n *fakeIPTables) Exists(table, chain string, args ...string) (bool, error) { -- k := table + "/" + chain -- if rules, ok := n.n[k]; ok { -- for _, rule := range rules { -- if rule == strings.Join(args, " ") { -- return true, nil -- } -- } -- return false, nil -- } else { -- n.t.Logf("unknown table/chain %s", k) -- return false, errExec -- } --} -- --func hasChain(n *fakeIPTables, table, chain string) bool { -- k := table + "/" + chain -- if _, ok := n.n[k]; ok { -- return true -- } else { -- return false -- } --} -- --func (n *fakeIPTables) Delete(table, chain string, args ...string) error { -- k := table + "/" + chain -- if rules, ok := n.n[k]; ok { -- for i, rule := range rules { -- if rule == strings.Join(args, " ") { -- rules = append(rules[:i], rules[i+1:]...) 
-- n.n[k] = rules -- return nil -- } -- } -- n.t.Errorf("delete of unknown rule %q from %s", strings.Join(args, " "), k) -- return errExec -- } else { -- n.t.Errorf("unknown table/chain %s", k) -- return errExec -- } --} -- --func (n *fakeIPTables) ClearChain(table, chain string) error { -- k := table + "/" + chain -- if _, ok := n.n[k]; ok { -- n.n[k] = nil -- return nil -- } else { -- n.t.Logf("note: ClearChain: unknown table/chain %s", k) -- return errors.New("exitcode:1") -- } --} -- --func (n *fakeIPTables) NewChain(table, chain string) error { -- k := table + "/" + chain -- if _, ok := n.n[k]; ok { -- n.t.Errorf("table/chain %s already exists", k) -- return errExec -- } -- n.n[k] = nil -- return nil --} -- --func (n *fakeIPTables) DeleteChain(table, chain string) error { -- k := table + "/" + chain -- if rules, ok := n.n[k]; ok { -- if len(rules) != 0 { -- n.t.Errorf("%s is not empty", k) -- return errExec -- } -- delete(n.n, k) -- return nil -- } else { -- n.t.Errorf("%s does not exist", k) -- return errExec -- } --} -- --func newFakeIPTablesRunner(t *testing.T) *iptablesRunner { -- ipt4 := newIPTables(t) -- ipt6 := newIPTables(t) -- -- iptr := &iptablesRunner{ipt4, ipt6, true, true} -- return iptr --} -- --func TestAddAndDeleteChains(t *testing.T) { -- iptr := newFakeIPTablesRunner(t) -- err := iptr.AddChains() -- if err != nil { -- t.Fatal(err) -- } -- -- // Check that the chains were created. -- tsChains := []struct{ table, chain string }{ // table/chain -- {"filter", "ts-input"}, -- {"filter", "ts-forward"}, -- {"nat", "ts-postrouting"}, -- } -- -- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- for _, tc := range tsChains { -- // Exists returns error if the chain doesn't exist. -- if _, err := proto.Exists(tc.table, tc.chain); err != nil { -- t.Errorf("chain %s/%s doesn't exist", tc.table, tc.chain) -- } -- } -- } -- -- err = iptr.DelChains() -- if err != nil { -- t.Fatal(err) -- } -- -- // Check that the chains were deleted. 
-- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- for _, tc := range tsChains { -- if _, err = proto.Exists(tc.table, tc.chain); err == nil { -- t.Errorf("chain %s/%s still exists", tc.table, tc.chain) -- } -- } -- } -- --} -- --func TestAddAndDeleteHooks(t *testing.T) { -- iptr := newFakeIPTablesRunner(t) -- // don't need to test what happens if the chains don't exist, because -- // this is handled by fake iptables, in realife iptables would return error. -- if err := iptr.AddChains(); err != nil { -- t.Fatal(err) -- } -- defer iptr.DelChains() -- -- if err := iptr.AddHooks(); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rules were created. -- tsRules := []fakeRule{ // table/chain/rule -- {"filter", "INPUT", []string{"-j", "ts-input"}}, -- {"filter", "FORWARD", []string{"-j", "ts-forward"}}, -- {"nat", "POSTROUTING", []string{"-j", "ts-postrouting"}}, -- } -- -- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- for _, tr := range tsRules { -- if exists, err := proto.Exists(tr.table, tr.chain, tr.args...); err != nil { -- t.Fatal(err) -- } else if !exists { -- t.Errorf("rule %s/%s/%s doesn't exist", tr.table, tr.chain, strings.Join(tr.args, " ")) -- } -- // check if the rule is at front of the chain -- if proto.(*fakeIPTables).n[tr.table+"/"+tr.chain][0] != strings.Join(tr.args, " ") { -- t.Errorf("v4 rule %s/%s/%s is not at the top", tr.table, tr.chain, strings.Join(tr.args, " ")) -- } -- } -- } -- -- if err := iptr.DelHooks(t.Logf); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rules were deleted. 
-- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- for _, tr := range tsRules { -- if exists, err := proto.Exists(tr.table, tr.chain, tr.args...); err != nil { -- t.Fatal(err) -- } else if exists { -- t.Errorf("rule %s/%s/%s still exists", tr.table, tr.chain, strings.Join(tr.args, " ")) -- } -- } -- } -- -- if err := iptr.AddHooks(); err != nil { -- t.Fatal(err) -- } --} -- --func TestAddAndDeleteBase(t *testing.T) { -- iptr := newFakeIPTablesRunner(t) -- tunname := "tun0" -- if err := iptr.AddChains(); err != nil { -- t.Fatal(err) -- } -- -- if err := iptr.AddBase(tunname); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rules were created. -- tsRulesV4 := []fakeRule{ // table/chain/rule -- {"filter", "ts-input", []string{"!", "-i", tunname, "-s", tsaddr.ChromeOSVMRange().String(), "-j", "RETURN"}}, -- {"filter", "ts-input", []string{"!", "-i", tunname, "-s", tsaddr.CGNATRange().String(), "-j", "DROP"}}, -- {"filter", "ts-forward", []string{"-o", tunname, "-s", tsaddr.CGNATRange().String(), "-j", "DROP"}}, -- } -- -- tsRulesCommon := []fakeRule{ // table/chain/rule -- {"filter", "ts-forward", []string{"-i", tunname, "-j", "MARK", "--set-mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask}}, -- {"filter", "ts-forward", []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "ACCEPT"}}, -- {"filter", "ts-forward", []string{"-o", tunname, "-j", "ACCEPT"}}, -- } -- -- // check that the rules were created for ipt4 -- for _, tr := range append(tsRulesV4, tsRulesCommon...) 
{ -- if exists, err := iptr.ipt4.Exists(tr.table, tr.chain, tr.args...); err != nil { -- t.Fatal(err) -- } else if !exists { -- t.Errorf("rule %s/%s/%s doesn't exist", tr.table, tr.chain, strings.Join(tr.args, " ")) -- } -- } -- -- // check that the rules were created for ipt6 -- for _, tr := range tsRulesCommon { -- if exists, err := iptr.ipt6.Exists(tr.table, tr.chain, tr.args...); err != nil { -- t.Fatal(err) -- } else if !exists { -- t.Errorf("rule %s/%s/%s doesn't exist", tr.table, tr.chain, strings.Join(tr.args, " ")) -- } -- } -- -- if err := iptr.DelBase(); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rules were deleted. -- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- for _, tr := range append(tsRulesV4, tsRulesCommon...) { -- if exists, err := proto.Exists(tr.table, tr.chain, tr.args...); err != nil { -- t.Fatal(err) -- } else if exists { -- t.Errorf("rule %s/%s/%s still exists", tr.table, tr.chain, strings.Join(tr.args, " ")) -- } -- } -- } -- -- if err := iptr.DelChains(); err != nil { -- t.Fatal(err) -- } --} -- --func TestAddAndDelLoopbackRule(t *testing.T) { -- iptr := newFakeIPTablesRunner(t) -- // We don't need to test for malformed addresses, AddLoopbackRule -- // takes in a netip.Addr, which is already valid. -- fakeAddrV4 := netip.MustParseAddr("192.168.0.2") -- fakeAddrV6 := netip.MustParseAddr("2001:db8::2") -- -- if err := iptr.AddChains(); err != nil { -- t.Fatal(err) -- } -- if err := iptr.AddLoopbackRule(fakeAddrV4); err != nil { -- t.Fatal(err) -- } -- if err := iptr.AddLoopbackRule(fakeAddrV6); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rules were created. 
-- tsRulesV4 := fakeRule{ // table/chain/rule -- "filter", "ts-input", []string{"-i", "lo", "-s", fakeAddrV4.String(), "-j", "ACCEPT"}} -- -- tsRulesV6 := fakeRule{ // table/chain/rule -- "filter", "ts-input", []string{"-i", "lo", "-s", fakeAddrV6.String(), "-j", "ACCEPT"}} -- -- // check that the rules were created for ipt4 and ipt6 -- if exist, err := iptr.ipt4.Exists(tsRulesV4.table, tsRulesV4.chain, tsRulesV4.args...); err != nil { -- t.Fatal(err) -- } else if !exist { -- t.Errorf("rule %s/%s/%s doesn't exist", tsRulesV4.table, tsRulesV4.chain, strings.Join(tsRulesV4.args, " ")) -- } -- if exist, err := iptr.ipt6.Exists(tsRulesV6.table, tsRulesV6.chain, tsRulesV6.args...); err != nil { -- t.Fatal(err) -- } else if !exist { -- t.Errorf("rule %s/%s/%s doesn't exist", tsRulesV6.table, tsRulesV6.chain, strings.Join(tsRulesV6.args, " ")) -- } -- -- // check that the rule is at the top -- chain := "filter/ts-input" -- if iptr.ipt4.(*fakeIPTables).n[chain][0] != strings.Join(tsRulesV4.args, " ") { -- t.Errorf("v4 rule %s/%s/%s is not at the top", tsRulesV4.table, tsRulesV4.chain, strings.Join(tsRulesV4.args, " ")) -- } -- if iptr.ipt6.(*fakeIPTables).n[chain][0] != strings.Join(tsRulesV6.args, " ") { -- t.Errorf("v6 rule %s/%s/%s is not at the top", tsRulesV6.table, tsRulesV6.chain, strings.Join(tsRulesV6.args, " ")) -- } -- -- // delete the rules -- if err := iptr.DelLoopbackRule(fakeAddrV4); err != nil { -- t.Fatal(err) -- } -- if err := iptr.DelLoopbackRule(fakeAddrV6); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rules were deleted. 
-- if exist, err := iptr.ipt4.Exists(tsRulesV4.table, tsRulesV4.chain, tsRulesV4.args...); err != nil { -- t.Fatal(err) -- } else if exist { -- t.Errorf("rule %s/%s/%s still exists", tsRulesV4.table, tsRulesV4.chain, strings.Join(tsRulesV4.args, " ")) -- } -- -- if exist, err := iptr.ipt6.Exists(tsRulesV6.table, tsRulesV6.chain, tsRulesV6.args...); err != nil { -- t.Fatal(err) -- } else if exist { -- t.Errorf("rule %s/%s/%s still exists", tsRulesV6.table, tsRulesV6.chain, strings.Join(tsRulesV6.args, " ")) -- } -- -- if err := iptr.DelChains(); err != nil { -- t.Fatal(err) -- } --} -- --func TestAddAndDelSNATRule(t *testing.T) { -- iptr := newFakeIPTablesRunner(t) -- -- if err := iptr.AddChains(); err != nil { -- t.Fatal(err) -- } -- -- rule := fakeRule{ // table/chain/rule -- "nat", "ts-postrouting", []string{"-m", "mark", "--mark", TailscaleSubnetRouteMark + "/" + TailscaleFwmarkMask, "-j", "MASQUERADE"}, -- } -- -- // Add SNAT rule -- if err := iptr.AddSNATRule(); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rule was created for ipt4 and ipt6 -- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- if exist, err := proto.Exists(rule.table, rule.chain, rule.args...); err != nil { -- t.Fatal(err) -- } else if !exist { -- t.Errorf("rule %s/%s/%s doesn't exist", rule.table, rule.chain, strings.Join(rule.args, " ")) -- } -- } -- -- // Delete SNAT rule -- if err := iptr.DelSNATRule(); err != nil { -- t.Fatal(err) -- } -- -- // Check that the rule was deleted for ipt4 and ipt6 -- for _, proto := range []iptablesInterface{iptr.ipt4, iptr.ipt6} { -- if exist, err := proto.Exists(rule.table, rule.chain, rule.args...); err != nil { -- t.Fatal(err) -- } else if exist { -- t.Errorf("rule %s/%s/%s still exists", rule.table, rule.chain, strings.Join(rule.args, " ")) -- } -- } -- -- if err := iptr.DelChains(); err != nil { -- t.Fatal(err) -- } --} ---- a/wgengine/router/router_linux.go -+++ b/wgengine/router/router_linux.go -@@ -37,7 +37,7 @@ const ( 
- ) - - // netfilterRunner abstracts helpers to run netfilter commands. It is --// implemented by linuxfw.IPTablesRunner and linuxfw.NfTablesRunner. -+// implemented by linuxfw.NfTablesRunner. - type netfilterRunner interface { - AddLoopbackRule(addr netip.Addr) error - DelLoopbackRule(addr netip.Addr) error -@@ -54,23 +54,15 @@ type netfilterRunner interface { - HasIPV6NAT() bool - } - --// newNetfilterRunner creates a netfilterRunner using either nftables or iptables. --// As nftables is still experimental, iptables will be used unless TS_DEBUG_USE_NETLINK_NFTABLES is set. -+// newNetfilterRunner creates a netfilterRunner using nftables. -+// nftables is still experimental. - func newNetfilterRunner(logf logger.Logf) (netfilterRunner, error) { - var nfr netfilterRunner - var err error -- if envknob.Bool("TS_DEBUG_USE_NETLINK_NFTABLES") { -- logf("router: using nftables") -- nfr, err = linuxfw.NewNfTablesRunner(logf) -- if err != nil { -- return nil, err -- } -- } else { -- logf("router: using iptables") -- nfr, err = linuxfw.NewIPTablesRunner(logf) -- if err != nil { -- return nil, err -- } -+ logf("router: using nftables") -+ nfr, err = linuxfw.NewNfTablesRunner(logf) -+ if err != nil { -+ return nil, err - } - return nfr, nil - } -@@ -1294,7 +1286,6 @@ func normalizeCIDR(cidr netip.Prefix) st - // netfilter runner is used, the cleanup function for the other one doesn't do anything. - func cleanup(logf logger.Logf, interfaceName string) { - if interfaceName != "userspace-networking" { -- linuxfw.IPTablesCleanup(logf) - linuxfw.NfTablesCleanUp(logf) - } - } diff --git a/net/tunneldigger/Makefile b/net/tunneldigger/Makefile index 8cab922f06..f314bf2bfe 100644 --- a/net/tunneldigger/Makefile +++ b/net/tunneldigger/Makefile 
@@ -5,8 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_URL:=https://github.com/wlanslovenija/tunneldigger.git PKG_SOURCE_PROTO:=git +PKG_SOURCE_DATE:=2021-03-08 PKG_SOURCE_VERSION:=4f72b30578ac3dbc5482f4a54054bf870355bdf5 -PKG_MIRROR_HASH:=babc71c757b757026f63e298bd4bd0edceae220827fff5cfad0af3f04ed529c7 +PKG_MIRROR_HASH:=f4f7bbb5782771c4f775f60a52a9ecf0636ce929d89688f671ee4eb6bedb9f91 PKG_MAINTAINER:=Nick Hainke PKG_LICENSE:=AGPL-3.0 diff --git a/net/tunneldigger/files/tunneldigger.init b/net/tunneldigger/files/tunneldigger.init index ea37751d5d..bacaace816 100644 --- a/net/tunneldigger/files/tunneldigger.init +++ b/net/tunneldigger/files/tunneldigger.init @@ -21,6 +21,7 @@ parse_broker() { config_get limit_bw_down "$section" limit_bw_down config_get hook_script "$section" hook_script config_get bind_interface "$section" bind_interface + config_get group "$section" group [ $enabled -eq 0 ] && return @@ -53,6 +54,7 @@ parse_broker() { procd_append_param command -i "${interface}" procd_append_param command -t "${tunnel_id}" procd_append_param command ${broker_opts} + [ -n "$group" ] && procd_set_param group "$group" procd_set_param stdout 1 procd_set_param stderr 1 procd_set_param respawn diff --git a/utils/btrfs-progs/Makefile b/utils/btrfs-progs/Makefile index ce1eae5eb7..fa297fafa7 100644 --- a/utils/btrfs-progs/Makefile +++ b/utils/btrfs-progs/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=btrfs-progs -PKG_VERSION:=6.3 +PKG_VERSION:=6.5.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/kernel/people/kdave/btrfs-progs -PKG_HASH:=40a0bdff787ecb490e5533dbcefd4852176daf12aae5a1158203db43d8ad6a7d +PKG_HASH:=dacbb28136e82586af802205263a428c3d1941778bc3fdc9b1b386ea12eb904e PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-v$(PKG_VERSION) PKG_MAINTAINER:=Karel Kočí diff --git a/utils/syncthing/Makefile b/utils/syncthing/Makefile index be1d983727..e8b744a463 100644 --- a/utils/syncthing/Makefile +++ b/utils/syncthing/Makefile 
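Review bot: `procd_set_param group "$group"` in the second tunneldigger.init hunk changes only the gid the broker runs under; neither hunk sets a matching `procd_set_param user`, so unless one exists elsewhere in parse_broker (the function starts and ends outside both hunks) the process keeps its current uid and the option does not by itself drop privileges. If least privilege is the goal, the same pattern should cover the user as well, `config_get user "$section" user` and `[ -n "$user" ] && procd_set_param user "$user"`; if the group is only meant to control access to files the broker creates, say so. The new UCI option also has no comment; a one-liner above the added `config_get`, `# optional: group the broker process is started under (procd group param)`, would document it where the other options are read.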
@@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=syncthing -PKG_VERSION:=1.23.2 +PKG_VERSION:=1.24.0 PKG_RELEASE:=1 PKG_SOURCE:=syncthing-source-v$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/syncthing/syncthing/releases/download/v$(PKG_VERSION) -PKG_HASH:=3d0eca0e6f4eaaeba4879918b3f54f47d59fb5f4288a83af821d509271ada189 +PKG_HASH:=4a9459667f9b70a7d1e7d572c7c9d02431ef8f055679eef368300ce1a826608f PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)/$(PKG_NAME) @@ -26,13 +26,13 @@ GO_PKG_BUILD_PKG:=\ $(if $(CONFIG_PACKAGE_strelaysrv),$(GO_PKG)/cmd/strelaysrv/) GO_PKG_INSTALL_EXTRA:=^gui/ +GO_PKG_TAGS:=noupgrade GO_PKG_LDFLAGS_X:=\ $(GO_PKG)/lib/build.Version=v$(PKG_VERSION) \ $(GO_PKG)/lib/build.Stamp=$(SOURCE_DATE_EPOCH) \ $(GO_PKG)/lib/build.User=openwrt \ $(GO_PKG)/lib/build.Host=openwrt \ - $(GO_PKG)/lib/build.Tags=noupgrade -GO_PKG_TAGS:=noupgrade + $(GO_PKG)/lib/build.Tags=$(GO_PKG_TAGS) include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk
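Review bot: The reordering in the second hunk is load-bearing and undocumented: `GO_PKG_LDFLAGS_X:=` is simply expanded, so `$(GO_PKG_TAGS)` has to be assigned before that line is parsed, and a later edit that moves `GO_PKG_TAGS:=noupgrade` back below the block would silently reset `build.Tags` to empty with no build error. A comment above the moved line, `# Must precede GO_PKG_LDFLAGS_X (simple expansion): its value is baked into build.Tags`, would make the dependency explicit. Separately, GO_PKG_LDFLAGS_X is a whitespace-separated list, so if GO_PKG_TAGS ever holds more than one tag the `build.Tags=$(GO_PKG_TAGS)` entry would presumably split into several -X arguments; either note that GO_PKG_TAGS must stay a single word here or join it with the separator syncthing expects before interpolating.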