From 86a52dd35ac155c632da896ec24c25f5d0272641 Mon Sep 17 00:00:00 2001 From: ABE Date: Thu, 25 Dec 2025 09:30:31 +0700 Subject: [PATCH] feat: Upgrade OpenWrt to 24.10.5, migrate to nftables/fw4, update architecture targets, and tune network parameters. --- .gitlab-ci.yml | 2 +- Dockerfile | 15 +++++++++++---- build.sh | 35 ++++++++++++++++++++--------------- etc/config/firewall.tpl | 28 ++++++++++++++++++++++++++++ openwrt.conf.example | 8 ++++---- run.sh | 21 ++++++++++++++++----- 6 files changed, 80 insertions(+), 29 deletions(-) create mode 100644 etc/config/firewall.tpl diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7fa4971..86e0283 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,6 @@ variables: CI_IMAGE: $DOCKER_HUB_USER/openwrt - RELEASE: "19.07.7" + RELEASE: "24.10.5" .build: image: docker:latest diff --git a/Dockerfile b/Dockerfile index 7def92a..1c79b1f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,15 +7,22 @@ RUN opkg remove --force-depends \ iw* && \ opkg update && \ opkg install luci \ - wpad-wolfssl \ - iw-full \ + wpad-basic-mbedtls \ + iw \ ip-full \ kmod-mac80211 \ dnsmasq-full \ - iptables-mod-checksum + luci-mod-rpc \ + luci-lib-ipkg \ + luci-compat \ + luasocket \ + irqbalance \ + zram-swap \ + kmod-nft-offload RUN opkg list-upgradable | awk '{print $1}' | xargs opkg upgrade || true -RUN echo "iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill" >> /etc/firewall.user +RUN mkdir -p /etc/nftables.d && \ + echo 'chain postrouting_mangle { type filter hook postrouting priority mangle; policy accept; udp dport 68 checksum fill; }' > /etc/nftables.d/10-checksum-fill.nft RUN sed -i '/^exit 0/i cat \/tmp\/resolv.conf > \/etc\/resolv.conf' /etc/rc.local ARG ts diff --git a/build.sh b/build.sh index 2448999..3e61be1 100755 --- a/build.sh +++ b/build.sh 
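Review bot: The rule written to /etc/nftables.d/10-checksum-fill.nft is never validated, and as far as I know nftables has no `checksum fill` statement equivalent to the iptables CHECKSUM target that the removed firewall.user line used. fw4 splices every /etc/nftables.d/*.nft file into its own `inet fw4` table, so a statement nft rejects aborts the whole ruleset load, not just this chain, leaving the container without its firewall. Please confirm on a running container (`fw4 print` shows the generated ruleset, `fw4 -q restart` exits non-zero on a parse failure) before relying on it, and add a comment line to the file recording why DHCP replies need the checksum rewrite, since neither the old line nor the new one explains it.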
@@ -11,12 +11,12 @@ download_rootfs() {
 version="https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2708/version.buildinfo"
 gen_rootfs_from_img
 return
- elif [ "$ARCH" = "armvirt-32" ] ; then
- rootfs_url="https://downloads.openwrt.org/snapshots/targets/armvirt/32/openwrt-armvirt-32-default-rootfs.tar.gz"
- version="https://downloads.openwrt.org/snapshots/targets/armvirt/32/version.buildinfo"
- elif [ "$ARCH" = "armvirt-64" ] ; then
- rootfs_url="https://downloads.openwrt.org/snapshots/targets/armvirt/64/openwrt-armvirt-64-default-rootfs.tar.gz"
- version="https://downloads.openwrt.org/snapshots/targets/armvirt/64/version.buildinfo"
+ elif [ "$ARCH" = "armvirt-32" ] || [ "$ARCH" = "armsr-armv7" ] ; then
+ rootfs_url="https://downloads.openwrt.org/snapshots/targets/armsr/armv7/openwrt-armsr-armv7-rootfs.tar.gz"
+ version="https://downloads.openwrt.org/snapshots/targets/armsr/armv7/version.buildinfo"
+ elif [ "$ARCH" = "armvirt-64" ] || [ "$ARCH" = "armsr-armv8" ] ; then
+ rootfs_url="https://downloads.openwrt.org/snapshots/targets/armsr/armv8/openwrt-armsr-armv8-rootfs.tar.gz"
+ version="https://downloads.openwrt.org/snapshots/targets/armsr/armv8/version.buildinfo"
 elif [ "$ARCH" = "x86-64" ] ; then
 rootfs_url="https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-rootfs.tar.gz"
 version="https://downloads.openwrt.org/snapshots/targets/x86/64/version.buildinfo"
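Review bot: The `armvirt-32` / `armvirt-64` alternatives kept in the two new `elif` conditions are silent aliases for the renamed armsr targets, but nothing in the code says so and openwrt.conf.example now documents only the armsr names, so a reader will assume the old 32/64 rootfs is still fetched. A one-line comment above the first `elif`, e.g. `# armvirt-* kept as aliases for configs written before the upstream armvirt -> armsr rename`, would record the intent. The release-branch conditions in the next hunk have the same gap. download_rootfs() begins before this hunk and continues after it.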
@@ -27,18 +27,23 @@ download_rootfs() {
 ;;
 *)
 if [ "$ARCH" = "bcm2708" ] ; then
- img_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/brcm2708/bcm2708/openwrt-${OPENWRT_SOURCE_VER}-brcm2708-bcm2708-rpi-squashfs-factory.img.gz"
- version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/brcm2708/bcm2708/version.buildinfo"
+ img_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/bcm27xx/bcm2708/openwrt-${OPENWRT_SOURCE_VER}-bcm27xx-bcm2708-rpi-squashfs-factory.img.gz"
+ version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/bcm27xx/bcm2708/version.buildinfo"
 gen_rootfs_from_img
 return
- elif [ "$ARCH" = "armvirt-32" ] ; then
- rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/32/openwrt-${OPENWRT_SOURCE_VER}-armvirt-32-default-rootfs.tar.gz"
- version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/32/version.buildinfo"
- elif [ "$ARCH" = "armvirt-64" ] ; then
- rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/64/openwrt-${OPENWRT_SOURCE_VER}-armvirt-64-default-rootfs.tar.gz"
- version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/64/version.buildinfo"
+ elif [ "$ARCH" = "armvirt-32" ] || [ "$ARCH" = "armsr-armv7" ] ; then
+ rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv7/openwrt-${OPENWRT_SOURCE_VER}-armsr-armv7-rootfs.tar.gz"
+ version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv7/version.buildinfo"
+ elif [ "$ARCH" = "armvirt-64" ] || [ "$ARCH" = "armsr-armv8" ] ; then
+ rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv8/openwrt-${OPENWRT_SOURCE_VER}-armsr-armv8-rootfs.tar.gz"
+ version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv8/version.buildinfo"
 elif [ "$ARCH" = "x86-64" ] ; then
- rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/openwrt-${OPENWRT_SOURCE_VER}-x86-64-generic-rootfs.tar.gz"
+ # Filename pattern changed for x86-64 in newer releases (no more -generic)
+ if [ "$(echo ${OPENWRT_SOURCE_VER} | cut -d. -f1)" -ge 21 ]; then
+ rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/openwrt-${OPENWRT_SOURCE_VER}-x86-64-rootfs.tar.gz"
+ else
+ rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/openwrt-${OPENWRT_SOURCE_VER}-x86-64-generic-rootfs.tar.gz"
+ fi
 version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/version.buildinfo"
 else
 echo "Unsupported architecture!"
diff --git a/etc/config/firewall.tpl b/etc/config/firewall.tpl
new file mode 100644
index 0000000..74ee1b5
--- /dev/null
+++ b/etc/config/firewall.tpl
@@ -0,0 +1,28 @@
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option flow_offloading '1'
+ option flow_offloading_hw '0'
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
diff --git a/openwrt.conf.example b/openwrt.conf.example
index fe56f29..462f64d 100644
--- a/openwrt.conf.example
+++ b/openwrt.conf.example
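Review bot: The major-version test in the x86-64 branch, `if [ "$(echo ${OPENWRT_SOURCE_VER} | cut -d. -f1)" -ge 21 ]`, spawns a subshell and two processes for a prefix strip and leaves `${OPENWRT_SOURCE_VER}` unquoted inside the echo, so a value with whitespace or glob characters is mangled before cut sees it. Parameter expansion does the same job in-process: `if [ "${OPENWRT_SOURCE_VER%%.*}" -ge 21 ]; then`. With either form an empty or non-numeric version makes `[` print "integer expression expected" and fall through to the -generic URL, so a guard or an explicit error for that case would be clearer than relying on the fallthrough. download_rootfs() continues past the end of this hunk.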
@@ -2,16 +2,16 @@ ## General # OpenWrt version. Set to 'snapshot' to build from latest snapshot -OPENWRT_SOURCE_VER=19.07.7 -# Architecture: one of x86-64, armvirt-32 (Raspberry Pi 2 / 3 / 4), -# armvirt-64 (Raspberry Pi 3 / 4 running 64-bit OS, ODroid-C2 or similar), +OPENWRT_SOURCE_VER=24.10.5 +# Architecture: one of x86-64, armsr-armv7 (Raspberry Pi 2 / 3 / 4 / 5), +# armsr-armv8 (Raspberry Pi 3 / 4 / 5 running 64-bit OS), # or bcm2708 (Raspberry Pi Zero) ARCH=x86-64 # Image & tag for pre-built Docker image, or if building locally IMAGE=oofnik/openwrt TAG=latest # container name -CONTAINER=openwrt_1 +CONTAINER=openwrt_24 # optional additional Docker create args, e.g. for PPPoE "--device /dev/ppp" ADDITIONAL_DOCKER_CREATE_ARGS="" diff --git a/run.sh b/run.sh index 1062d73..64c9530 100755 --- a/run.sh +++ b/run.sh @@ -122,6 +122,12 @@ _create_or_start_container() { --sysctl net.netfilter.nf_conntrack_acct=1 \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ --sysctl net.ipv6.conf.all.forwarding=1 \ + --sysctl net.core.rmem_max=16777216 \ + --sysctl net.core.wmem_max=16777216 \ + --sysctl net.ipv4.tcp_rmem="4096 87380 16777216" \ + --sysctl net.ipv4.tcp_wmem="4096 65536 16777216" \ + --sysctl net.core.netdev_max_backlog=5000 \ + --sysctl net.core.somaxconn=1024 \ ${ADDITIONAL_DOCKER_CREATE_ARGS} --name $CONTAINER $IMAGE:$TAG >/dev/null docker network connect $WAN_NAME $CONTAINER @@ -133,12 +139,17 @@ _create_or_start_container() { _reload_fw() { echo "* reloading firewall rules" docker exec -i $CONTAINER sh -c ' - for iptables in iptables ip6tables; do - for table in filter nat mangle; do - $iptables -t $table -F + if command -v fw4 >/dev/null; then + nft flush ruleset + /sbin/fw4 -q restart + else + for iptables in iptables ip6tables; do + for table in filter nat mangle; do + $iptables -t $table -F + done done - done - /sbin/fw3 -q restart' + /sbin/fw3 -q restart + fi' } _prepare_wifi() {
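Review bot: `net.core.rmem_max`, `net.core.wmem_max` and `net.core.netdev_max_backlog` are, as far as I know, not network-namespace-scoped, so the kernel exposes them read-only inside a container and `docker create` fails when asked to set them; only `net.core.somaxconn` and the `tcp_rmem`/`tcp_wmem` triples are per-netns on current kernels. Please verify on the target host before merging, and if they are refused either set them host-side or drop them. The hunk also gives no rationale for these particular values; a comment such as `# larger socket buffers / backlog for high-throughput WAN links` above the first new `--sysctl` line would tell the next reader what they are tuning. `_create_or_start_container` starts before this hunk.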
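Review bot: `nft flush ruleset` before `/sbin/fw4 -q restart` deletes every table in the container's network namespace, not only fw4's, and leaves the container with no filtering and no NAT until fw4 has finished; if fw4 then fails to load (for instance on a bad /etc/nftables.d include) the container stays unfiltered and `_reload_fw` does not notice, because the `docker exec` exit status is discarded. fw4 restart already removes and rebuilds its own `inet fw4` table, so the flush line can go, and the call should report failure: `docker exec -i $CONTAINER sh -c '...' || echo "* firewall reload failed" >&2`. The same unchecked exit status applies to the fw3 fallback, which was already that way. `_reload_fw` lies entirely inside this hunk.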