feat: enable persistent var (EXPERIMENTAL) by gsanchietti · Pull Request #1680 · NethServer/nethsecurity

gsanchietti · 2026-05-15T14:06:15Z

EXPERIMENTAL: test how the image behaves

Upstream commit: openwrt/openwrt@57807f5

Sync the local adblock fork to upstream 4.5.5-3 while keeping the NethSecurity-specific ts-dns hooks, bypass migration, and nft bypass rules intact. Assisted-by: Copilot:gpt-5.4

Changes: - add a new `nft-reload` action inside adbblock.sh - trigger reload when the configuration has been updated - call nft-reload on reload The above changes will recreated the nft chain when the bypass configuration has been changed.

Store Threat Shield DNS local allow and block list edits in UCI so rapid API calls no longer rewrite adblock files or restart the service immediately. Write the physical adblock list files during the next reload, add a one-shot migration for existing list files, and document the staged workflow for the affected API methods. Refs #1572 Assisted-by: Copilot:gpt-5.4

The init file from upstream replaces the dpd_action option values. Notably it replaces `restart` with `start`, but `start` value is not supported by Strongswan 6. Make sure if `restart` is set, the value is preserved. From the manual: Action to perform for this CHILD_SA on DPD timeout. The default clear closes the CHILD_SA and does not take further action. trap installs a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand (note that this is redundant if start_action includes trap. restart immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA.

…ing (#1677)

…lity Implement two key improvements to package restoration after system upgrades: 1. Resilient retry mechanism: Script now tracks installation failures and exits with code 1 when packages fail to install. The procd respawn policy (respawn 300 30 10) will automatically retry on the next boot, accounting for WAN initialization delays and transient network failures. 2. Reliable output reporting: Only report "Restored package: X" when the package installation actually succeeds (apk exit code 0). Failed installations are reported separately, and the service is not disabled until all packages are successfully restored. This relies on apk's reliable exit codes instead of opkg's unreliable behavior. The service now remains enabled after failures, allowing the procd respawn mechanism to retry on subsequent boots until all packages are restored. Closes #1606 Assisted-by: Copilot:claude-haiku-4.5

…matic updates

EXPERIMENTAL: test how the image behaves

gsanchietti · 2026-05-20T09:41:54Z

The persistent var could be useful to retain the following files:

/var/log/lastlog is always empty
/var/log/messages is already stored also in /mnt/data
/var/log/wtmp could be useful, but we do not have the last command to parse it, also similar info is already present inside the messages

But has many drawbacks:

upstream implementation does not support mounting a different partition under /var
it stores also many files in /vat/etc that are recreated by applications upon starts, such files should be temporary
the messages file can get bigger and fill all the root
victoria metrics are stored inside /var/lib/victoria-metrics-data and can get bigger and fill the root
despite of the linked commit, having a persistent var does not preserve dhcp leases across reboots because they are saved by default on a temp directory (dhcp.ns_dnsmasq.leasefile='/tmp/dhcp.leases')

In the end, I think that persistent may cause many problems on long running machines.
My opinion is to ditch the feature and eventually move the DHCP lease to storage, when present.

gsanchietti self-assigned this May 15, 2026

Tbaile force-pushed the nethsecurity-8.8 branch 2 times, most recently from 4001fc2 to 841b872 Compare May 20, 2026 07:12

gsanchietti mentioned this pull request May 20, 2026

OpenWRT 25.12 #1638

Open

39 tasks

Tbaile added 26 commits May 20, 2026 11:05

build: openwrt 25.12.1

6e48353

chore: updated build container

34bc1c6

build(ppp): upstream patched the package

71297d3

build: openwrt 25.12.2

e0dfdf2

build(netifyd): updated binaries

2f2b966

fix: updated syntax due to python update

142f196

chore: updated checkmk version

68e7811

build: added suffix support

6bcf128

updated variable generation

63104fc

chore: updated python semver package

e0e9dee

fixed release path

fd69a11

feat: added victoria-metrics package

4bda23a

feat: added victoria-logs

f336a02

feat: added telegraf package

d22b8c0

fix: updated spdx

430d085

feat: compiling packages

79a6015

fix: accidentally overwrote telegraf config

92192bf

fix: addressed deprecation warnings and removed not useful comments

c500942

fix: adjusted config for sensors and ethtool

e6fb87b

chore: updated monitoring tools

3366ac0

chore: downgraded version to keep compatibility with go

8e9257c

chore: added skill to update packages

cccc7a9

ci: fixed versioning for image build

fff7f6d

chore: removed ipcalc fork

0fd5c77

chore: removed jinja2 fork

61c03b9

build: updated signing method for APKs (#1659)

3bb8293

Tbaile and others added 23 commits May 20, 2026 11:05

chore(ns-ui): version bump

80de1ec

chore(skill): improve OpenWrt package update

b26a723

chore: updated adblock to 4.5.5-3

d03d4fd

Sync the local adblock fork to upstream 4.5.5-3 while keeping the NethSecurity-specific ts-dns hooks, bypass migration, and nft bypass rules intact. Assisted-by: Copilot:gpt-5.4

fix(adblock): reload nft rules

64f1c26

Changes: - add a new `nft-reload` action inside adbblock.sh - trigger reload when the configuration has been updated - call nft-reload on reload The above changes will recreated the nft chain when the bypass configuration has been changed.

chore(ui): bump to dev commit

8b69a3e

refactor: using http sink for flows ingestion (#1678)

82bb798

chore: build pyton3 from commits instead of versions for ease of test…

78fbbd1

…ing (#1677)

build: removing routing and video from feeds

c1058bc

refactor: migrate package management from opkg to apk

b2004ec

fix: update installation commands from opkg to apk across documentation

d5fe247

chore(doc): update command for custom repos

1c272db

fix(distfeed-setup): ensure version is stripped of suffix when unset

a312fe2

fix(update-packages): fix packages update flow

1353814

fix(update-packages): disabled custom feeds packages update with auto…

a279c5b

…matic updates

fix(ns-plug): revert 40_ns-plug_automatic_updates

8ee53ab

fix(snort.uc): fix installation command for apk

459d060

build: added back snmpd (#1683)

a2b24fd

chore: updated snort (#1682)

91a55f8

chore(ns-ui): hash bump

03b27b7

gsanchietti force-pushed the nethsecurity-8.8 branch from b0a81c6 to 03b27b7 Compare May 20, 2026 09:06

feat: enable persistent var (EXPERIMENTAL)

405d0ee

EXPERIMENTAL: test how the image behaves

gsanchietti force-pushed the persistent_var branch from cfadbbe to 405d0ee Compare May 20, 2026 09:08

gsanchietti assigned filippocarletti and unassigned gsanchietti May 26, 2026

Tbaile force-pushed the nethsecurity-8.8 branch from f19bdfc to 1ce9f52 Compare June 4, 2026 07:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: enable persistent var (EXPERIMENTAL)#1680

feat: enable persistent var (EXPERIMENTAL)#1680
gsanchietti wants to merge 65 commits into
nethsecurity-8.8from
persistent_var

gsanchietti commented May 15, 2026 •

edited

Loading

Uh oh!

gsanchietti commented May 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

gsanchietti commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gsanchietti commented May 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

gsanchietti commented May 15, 2026 •

edited

Loading