client: nowrap

Merge in DNS/adguard-home from upd-dnsproxy to master

Squashed commit of the following:

commit 83fe60a9312e8146e12dd2a93f9b443d113c1a32
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Sep 29 14:27:04 2021 +0300

    all: upd dnsproxy

.twosky.json

@@ -19,7 +19,7 @@
       "it": "Italiano",
       "ja": "日本語",
       "ko": "한국어",
-      "nl": "Dutch",
+      "nl": "Nederlands",
       "no": "Norsk",
       "pl": "Polski",
       "pt-br": "Português (BR)",

CHANGELOG.md

@@ -10,13 +10,15 @@ and this project adheres to
 ## [Unreleased]
 
 <!--
-## [v0.107.0] - 2021-09-14 (APPROX.)
+## [v0.107.0] - 2021-09-28 (APPROX.)
 -->
 
 ### Added
 
-- New `FastestTimeout` field that replaces the default timeout for dialing the
+- DNS server IP addresses to the `mobileconfig` API responses ([#3568],
-  IP addresses when AdGuard Home works in "Fastest IP address" mode ([#1992]).
+  [#3607]).
+- Setting the timeout for IP address pinging in the "Fastest IP address" mode
+  through the new `fastest_timeout` field in the configuration file ([#1992]).
 - Static IP address detection on FreeBSD ([#3289]).
 - Optimistic cache ([#2145]).
 - New possible value of `6h` for `querylog_interval` setting ([#2504]).
@@ -46,8 +48,12 @@ and this project adheres to
 
 ### Changed
 
-- Don't show the private key in API responses if it was saved as a string
+- The `systemd` service script will now create the `/var/log` directory when it
-  ([#1898]).
+  doesn't exist ([#3579]).
+- Items in allowed clients, disallowed clients, and blocked hosts lists are now
+  required to be unique ([#3419]).
+- The TLS private key previously saved as a string isn't shown in API responses
+  anymore ([#1898]).
 - Better OpenWrt detection ([#3435]).
 - DNS-over-HTTPS queries that come from HTTP proxies in the `trusted_proxies`
   list now use the real IP address of the client instead of the address of the
@@ -110,6 +116,13 @@ In this release, the schema version has changed from 10 to 12.
 
 ### Fixed
 
+- Adding an IP into only one of the matching ipsets on Linux ([#3638]).
+- Removal of temporary filter files ([#3567]).
+- Panic when an upstream server responds with an empty question section
+  ([#3551]).
+- 9GAG blocking ([#3564]).
+- DHCP now follows RFCs more closely when it comes to response sending and
+  option selection ([#3443], [#3538]).
 - Occasional panics when reading old statistics databases ([#3506]).
 - `reload` service action on macOS and FreeBSD ([#3457]).
 - Inaccurate using of service actions in the installation script ([#3450]).
@@ -175,11 +188,21 @@ In this release, the schema version has changed from 10 to 12.
 [#3351]: https://github.com/AdguardTeam/AdGuardHome/issues/3351
 [#3372]: https://github.com/AdguardTeam/AdGuardHome/issues/3372
 [#3417]: https://github.com/AdguardTeam/AdGuardHome/issues/3417
+[#3419]: https://github.com/AdguardTeam/AdGuardHome/issues/3419
 [#3435]: https://github.com/AdguardTeam/AdGuardHome/issues/3435
 [#3437]: https://github.com/AdguardTeam/AdGuardHome/issues/3437
+[#3443]: https://github.com/AdguardTeam/AdGuardHome/issues/3443
 [#3450]: https://github.com/AdguardTeam/AdGuardHome/issues/3450
 [#3457]: https://github.com/AdguardTeam/AdGuardHome/issues/3457
 [#3506]: https://github.com/AdguardTeam/AdGuardHome/issues/3506
+[#3538]: https://github.com/AdguardTeam/AdGuardHome/issues/3538
+[#3551]: https://github.com/AdguardTeam/AdGuardHome/issues/3551
+[#3564]: https://github.com/AdguardTeam/AdGuardHome/issues/3564
+[#3567]: https://github.com/AdguardTeam/AdGuardHome/issues/3567
+[#3568]: https://github.com/AdguardTeam/AdGuardHome/issues/3568
+[#3579]: https://github.com/AdguardTeam/AdGuardHome/issues/3579
+[#3607]: https://github.com/AdguardTeam/AdGuardHome/issues/3607
+[#3638]: https://github.com/AdguardTeam/AdGuardHome/issues/3638
 
 
 
@@ -383,7 +406,7 @@ In this release, the schema version has changed from 10 to 12.
 - The field `"range_start"` in the `GET /control/dhcp/status` HTTP API response
   is now correctly named again ([#2678]).
 - DHCPv6 server's `ra_slaac_only` and `ra_allow_slaac` settings aren't reset to
-  `false` on update any more ([#2653]).
+  `false` on update anymore ([#2653]).
 - The `Vary` header is now added along with `Access-Control-Allow-Origin` to
   prevent cache-related and other issues in browsers ([#2658]).
 - The request body size limit is now set for HTTPS requests as well.

client/src/__locales/bg.json

@@ -218,6 +218,7 @@
     "reset_settings": "Изтрий всички настройки",
     "update_announcement": "Има нова AdGuard Home {{version}}! <0>Цъкни тук</0> за повече информация.",
     "disable_ipv6": "Изключете IPv6 протокола",
+    "check_updates_now": "Провери за актуализации",
     "show_blocked_responses": "Блокирано",
     "port_53_faq_link": "Порт 53 често е зает от \"DNSStubListener\" или \"systemd-resolved\" услуги. Моля, прочетете <0>тази инструкция</0> как да решите това."
 }

client/src/__locales/cs.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Budete muset nakonfigurovat Vaše zařízení nebo router, aby používali DNS server na následujících adresách:",
     "install_settings_all_interfaces": "Všechna rozhraní",
     "install_auth_title": "Ověřování",
-    "install_auth_desc": "Doporučujeme Vám nakonfigurovat v administrátorském webovém rozhraní AdGuard Home ověření Vaší identity heslem. I když je přístupné pouze ve Vaší lokální síti, je stále důležité chránit jej před neomezeným přístupem.",
+    "install_auth_desc": "V administrátorském webovém rozhraní AdGuard Home musí být nastaveno ověřovací heslo. I když je AdGuard Home přístupný pouze v místní síti, je důležité jej chránit před neomezeným přístupem.",
     "install_auth_username": "Uživatelské jméno",
     "install_auth_password": "Heslo",
     "install_auth_confirm": "Potvrďte heslo",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Opravdu chcete vyčistit statistiky?",
     "statistics_retention_confirm": "Opravdu chcete změnit uchovávání statistik? Pokud snížíte hodnotu intervalu, některá data budou ztracena",
     "statistics_cleared": "Statistiky úspěšně vyčištěny",
+    "statistics_enable": "Povolit statistiky",
     "interval_hours": "Hodiny: {{count}}",
     "interval_hours_plural": "Hodiny: {{count}}",
     "filters_configuration": "Konfigurace filtrů",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Klikněte pro zobrazení dotazů",
     "port_53_faq_link": "Port 53 je často obsazen službami \"DNSStubListener\" nebo \"systemd-resolved\". Přečtěte si <0>tento návod</0> o tom, jak to vyřešit.",
     "adg_will_drop_dns_queries": "AdGuard Home zruší všechny DNS dotazy tohoto klienta.",
-    "client_not_in_allowed_clients": "Tento klient není povolen, protože není na seznamu \"Povolení klienti\".",
+    "filter_allowlist": "VAROVÁNÍ: Tato akce také vyloučí pravidlo \"{{disallowed_rule}}\" ze seznamu povolených klientů.",
+    "last_rule_in_allowlist": "Nelze zakázat tohoto klienta, protože vyloučení pravidla \"{{disallowed_rule}}\" ZRUŠÍ seznam \"Povolených klientů\".",
     "experimental": "Experimentální",
     "use_saved_key": "Použít dříve uložený klíče"
 }

client/src/__locales/da.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Du skal opsætte dine enheder eller router til at bruge DNS-serveren på flg. adresser:",
     "install_settings_all_interfaces": "Alle grænseflader",
     "install_auth_title": "Godkendelse",
-    "install_auth_desc": "Det anbefales stærkt at opsætte adgangskodegodkendelse på din AdGuard Home admin webgrænseflade. Selvom den kun er tilgængelig på dit lokalnetværk, er det stadig vigtigt at få den beskyttet mod ubegrænset adgang.",
+    "install_auth_desc": "Adgangskodegodkendelse på din AdGuard Home admin-webflade skal opsættes. Selv hvis AdGuard Home kun er tilgængelig på lokalnetværket, er beskyttelse mod uautoriseret og ubegrænset adgang stadig vigtig.",
     "install_auth_username": "Brugernavn",
     "install_auth_password": "Adgangskode",
     "install_auth_confirm": "Bekræft adgangskode",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Sikker på, at du vil slette statistikkerne?",
     "statistics_retention_confirm": "Sikker på, at du vil ændre på statistikbevaring? Mindskes intervalværdien, vil nogle data gå tabt",
     "statistics_cleared": "Statistikkerne er ryddet",
+    "statistics_enable": "Aktivér statistikker",
     "interval_hours": "{{count}} time",
     "interval_hours_plural": "{{count}} timer",
     "filters_configuration": "Filteropsætninger",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Klik for at se forespørgsler",
     "port_53_faq_link": "Port 53 optages ofte af \"DNSStubListener\" eller \"systemd-resolved\" tjenester. Læs <0>denne instruktion</0> om, hvordan du løser dette.",
     "adg_will_drop_dns_queries": "AdGuard Home vil afbryde alle DNS-forespørgsler fra denne klient.",
-    "client_not_in_allowed_clients": "Klienten er ikke tilladt, fordi den ikke er på listen \"Tilladte klienter\".",
+    "filter_allowlist": "ADVARSEL: Denne handling udelukker også reglen \"{{disallowed_rule}}\" fra listen over tilladte klienter.",
+    "last_rule_in_allowlist": "Kan ikke afvise denne klient, da udelukkelse af reglen \"{{disallowed_rule}}\" DEAKTIVERER listen \"Tilladte klienter\".",
     "experimental": "Eksperimentel",
     "use_saved_key": "Brug den tidligere gemte nøgle"
 }

client/src/__locales/de.json

@@ -42,7 +42,7 @@
     "form_error_mac_format": "Ungültiges MAC-Format",
     "form_error_client_id_format": "Ungültiges Client-ID-Format",
     "form_error_server_name": "Ungültiger Servername",
-    "form_error_subnet": "Subnetz „{{cidr}}” enthält nicht die IP-Adresse „{{ip}}”",
+    "form_error_subnet": "Subnetz „{{cidr}}“ enthält nicht die IP-Adresse „{{ip}}“",
     "form_error_positive": "Muss größer als 0 sein.",
     "form_error_negative": "Muss gleich oder größer als 0 (Null) sein",
     "range_end_error": "Muss größer als der Bereichsbeginn sein",
@@ -62,9 +62,9 @@
     "dhcp_warning": "Wenn Sie den DHCP-Server trotzdem aktivieren möchten, stellen Sie sicher, dass sich in Ihrem Netzwerk kein anderer aktiver DHCP-Server befindet. Andernfalls kann es bei angeschlossenen Geräten zu einem Ausfall des Internets kommen!",
     "dhcp_error": "Es konnte nicht ermittelt werden, ob es einen anderen DHCP-Server im Netzwerk gibt.",
     "dhcp_static_ip_error": "Um den DHCP-Server nutzen zu können, muss eine statische IP-Adresse festgelegt werden. Es konnte nicht ermittelt werden, ob diese Netzwerkschnittstelle mit statischer IP-Adresse konfiguriert ist. Bitte legen Sie eine statische IP-Adresse manuell fest.",
-    "dhcp_dynamic_ip_found": "Ihr System verwendet die dynamische Konfiguration der IP-Adresse für die Schnittstelle <0>{{interfaceName}}</0>. Um den DHCP-Server nutzen zu können, muss eine statische IP-Adresse festgelegt werden. Ihre aktuelle IP-Adresse ist <0>{{ipAddress}}</0>. Diese IP-Adresse wird automatisch als statisch festgelegt, sobald Sie auf die Schaltfläche „DHCP-Server aktivieren” klicken.",
+    "dhcp_dynamic_ip_found": "Ihr System verwendet die dynamische Konfiguration der IP-Adresse für die Schnittstelle <0>{{interfaceName}}</0>. Um den DHCP-Server nutzen zu können, muss eine statische IP-Adresse festgelegt werden. Ihre aktuelle IP-Adresse ist <0>{{ipAddress}}</0>. Diese IP-Adresse wird automatisch als statisch festgelegt, sobald Sie auf die Schaltfläche „DHCP-Server aktivieren“ klicken.",
-    "dhcp_lease_added": "Statischer Lease „{{key}}” erfolgreich hinzugefügt",
+    "dhcp_lease_added": "Statischer Lease „{{key}}“ erfolgreich hinzugefügt",
-    "dhcp_lease_deleted": "Statischer Lease „{{key}}” erfolgreich entfernt",
+    "dhcp_lease_deleted": "Statischer Lease „{{key}}“ erfolgreich entfernt",
     "dhcp_new_static_lease": "Neuer statischer Lease",
     "dhcp_static_leases_not_found": "Keine statischen DHCP-Leases gefunden",
     "dhcp_add_static_lease": "Statischen Lease hinzufügen",
@@ -74,7 +74,7 @@
     "dhcp_reset": "Möchten Sie die DHCP-Konfiguration wirklich zurücksetzen?",
     "country": "Land",
     "city": "Stadt",
-    "delete_confirm": "Möchten Sie „{{key}}” wirklich löschen?",
+    "delete_confirm": "Möchten Sie „{{key}}“ wirklich löschen?",
     "form_enter_hostname": "Gerätenamen eingeben",
     "error_details": "Fehlerdetails",
     "response_details": "Einzelheiten der Antwort",
@@ -124,7 +124,7 @@
     "number_of_dns_query_days_plural": "Anzahl der DNS-Abfragen, die in den letzten {{count}} Tagen verarbeitet wurden",
     "number_of_dns_query_24_hours": "Anzahl der in den letzten 24 Stunden durchgeführten DNS-Anfragen",
     "number_of_dns_query_blocked_24_hours": "Anzahl der durch Werbefilter und Host-Sperrlisten abgelehnte DNS-Anfragen",
-    "number_of_dns_query_blocked_24_hours_by_sec": "Anzahl der durch das AdGuard-Modul „Internetsicherheit” gesperrten DNS-Anfragen",
+    "number_of_dns_query_blocked_24_hours_by_sec": "Anzahl der durch das AdGuard-Modul „Internetsicherheit“ gesperrten DNS-Anfragen",
     "number_of_dns_query_blocked_24_hours_adult": "Anzahl der gesperrten Webseiten mit jugendgefährdenden Inhalten",
     "enforced_save_search": "SafeSearch erzwungen",
     "number_of_dns_query_to_safe_search": "Anzahl der DNS-Anfragen bei denen SafeSearch für Suchanfragen erzwungen wurde",
@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Sie müssen Ihre Geräte oder Ihren Router so konfigurieren, dass er den DNS-Server unter den folgenden Adressen verwendet:",
     "install_settings_all_interfaces": "Alle Schnittstellen",
     "install_auth_title": "Authentifizierung",
-    "install_auth_desc": "Es wird dringend empfohlen, die Passwortauthentifizierung für Ihre AdGuard Home Administrator-Weboberfläche zu konfigurieren. Auch wenn es nur in Ihrem lokalen Netzwerk zugänglich ist, ist es dennoch wichtig, es vor unbefugtem Zugriff zu schützen.",
+    "install_auth_desc": "Die Passwortauthentifizierung für Ihre AdGuard Home Administrator-Weboberfläche muss konfiguriert sein. Auch wenn AdGuard Home nur in Ihrem lokalen Netzwerk zugänglich ist, ist es dennoch wichtig, es vor unbefugtem Zugriff zu schützen.",
     "install_auth_username": "Benutzername",
     "install_auth_password": "Passwort",
     "install_auth_confirm": "Passwort bestätigen",
@@ -325,22 +325,22 @@
     "install_devices_router_list_3": "Geben Sie dort Ihre AdGuard Home Server-Adressen ein.",
     "install_devices_router_list_4": "Bei einigen Routertypen kann kein eigener DNS-Server eingerichtet werden. In diesem Fall kann es helfen, AdGuard Home als <0>DHCP-Server</0> einzurichten. Andernfalls sollten Sie im Handbuch des Routers nachsehen, wie Sie DNS-Server auf Ihrem konkreten Router-Modell anpassen können.",
     "install_devices_windows_list_1": "Öffnen Sie die Systemsteuerung über das Startmenü oder die Windows-Suche.",
-    "install_devices_windows_list_2": "Öffnen Sie die Kategorie „Netzwerk und Internet” und dann „Netzwerk- und Freigabecenter”.",
+    "install_devices_windows_list_2": "Öffnen Sie die Kategorie „Netzwerk und Internet“ und dann „Netzwerk- und Freigabecenter“.",
-    "install_devices_windows_list_3": "Suchen Sie auf der linken Seite des Bildschirms nach „Adaptereinstellungen ändern” und klicken Sie darauf.",
+    "install_devices_windows_list_3": "Suchen Sie auf der linken Seite des Bildschirms nach „Adaptereinstellungen ändern“ und klicken Sie darauf.",
-    "install_devices_windows_list_4": "Wählen Sie Ihre aktive Verbindung aus, klicken Sie mit der rechten Maustaste darauf und wählen Sie „Eigenschaften”.",
+    "install_devices_windows_list_4": "Wählen Sie Ihre aktive Verbindung aus, klicken Sie mit der rechten Maustaste darauf und wählen Sie „Eigenschaften“.",
-    "install_devices_windows_list_5": "Suchen Sie in der Liste nach „Internet Protokoll Version 4 (TCP/IP)” (oder, für IPv6, „Internet Protocol Version 6 (TCP/IPv6)“), markieren Sie diese und klicken Sie dann erneut auf „Eigenschaften”.",
+    "install_devices_windows_list_5": "Suchen Sie in der Liste nach „Internet Protokoll Version 4 (TCP/IP)“ (oder, für IPv6, „Internet Protocol Version 6 (TCP/IPv6)“), markieren Sie diese und klicken Sie dann erneut auf „Eigenschaften“.",
-    "install_devices_windows_list_6": "Wählen Sie „Folgende DNS-Serveradressen verwenden” und geben Sie Ihre AdGuard Home-Serveradressen ein.",
+    "install_devices_windows_list_6": "Wählen Sie „Folgende DNS-Serveradressen verwenden“ und geben Sie Ihre AdGuard Home-Serveradressen ein.",
-    "install_devices_macos_list_1": "Klicken Sie auf das Apple-Symbol (oben links in der Menüzeile) und wählen den Eintrag „Systemeinstellungen”.",
+    "install_devices_macos_list_1": "Klicken Sie auf das Apple-Symbol (oben links in der Menüzeile) und wählen den Eintrag „Systemeinstellungen“.",
-    "install_devices_macos_list_2": "Klicken Sie dort auf „Netzwerk”",
+    "install_devices_macos_list_2": "Klicken Sie dort auf „Netzwerk“",
-    "install_devices_macos_list_3": "Wählen Sie die erste Verbindung in Ihrer Liste aus und klicken Sie auf „Weitere Optionen”.",
+    "install_devices_macos_list_3": "Wählen Sie die erste Verbindung in Ihrer Liste aus und klicken Sie auf „Weitere Optionen“.",
-    "install_devices_macos_list_4": "Wählen Sie den Tab „DNS” und geben Sie dort Ihre AdGuard Home-Serveradressen ein.",
+    "install_devices_macos_list_4": "Wählen Sie den Tab „DNS“ und geben Sie dort Ihre AdGuard Home-Serveradressen ein.",
-    "install_devices_android_list_1": "Tippen Sie auf dem Startbildschirm des Android-Menüs auf „Einstellungen”.",
+    "install_devices_android_list_1": "Tippen Sie auf dem Startbildschirm des Android-Menüs auf „Einstellungen“.",
-    "install_devices_android_list_2": "Tippen Sie im Menü auf „WLAN”. Der Bildschirm mit allen verfügbaren Netzwerken wird angezeigt (es ist nicht möglich, einen benutzerdefinierten DNS für die mobile Verbindung einzustellen).",
+    "install_devices_android_list_2": "Tippen Sie im Menü auf „WLAN“. Der Bildschirm mit allen verfügbaren Netzwerken wird angezeigt (es ist nicht möglich, einen benutzerdefinierten DNS für die mobile Verbindung einzustellen).",
-    "install_devices_android_list_3": "Drücken Sie lange auf das Netzwerk, mit dem Sie verbunden sind, und tippen Sie auf „Netzwerk ändern”.",
+    "install_devices_android_list_3": "Drücken Sie lange auf das Netzwerk, mit dem Sie verbunden sind, und tippen Sie auf „Netzwerk ändern“.",
-    "install_devices_android_list_4": "Bei einigen Geräten müssen Sie möglicherweise das Kontrollkästchen für „Erweitert” aktivieren, um weitere Einstellungen anzuzeigen. Um Ihre Android-DNS-Einstellungen anzupassen, müssen Sie die IP-Einstellungen von „DHCP” auf „Statisch” umstellen.",
+    "install_devices_android_list_4": "Bei einigen Geräten müssen Sie möglicherweise das Kontrollkästchen für „Erweitert“ aktivieren, um weitere Einstellungen anzuzeigen. Um Ihre Android-DNS-Einstellungen anzupassen, müssen Sie die IP-Einstellungen von „DHCP“ auf „Statisch“ umstellen.",
-    "install_devices_android_list_5": "Ändern Sie die Werte für „DNS 1” und „DNS 2” auf Ihre AdGuard Home-Serveradressen.",
+    "install_devices_android_list_5": "Ändern Sie die Werte für „DNS 1“ und „DNS 2“ auf Ihre AdGuard Home-Serveradressen.",
-    "install_devices_ios_list_1": "Tippen Sie auf dem Startbildschirm auf „Einstellungen”.",
+    "install_devices_ios_list_1": "Tippen Sie auf dem Startbildschirm auf „Einstellungen“.",
-    "install_devices_ios_list_2": "Wählen Sie „WLAN” im linken Menü (es ist nicht möglich, DNS für mobile Netzwerke zu konfigurieren).",
+    "install_devices_ios_list_2": "Wählen Sie „WLAN“ im linken Menü (es ist nicht möglich, DNS für mobile Netzwerke zu konfigurieren).",
     "install_devices_ios_list_3": "Tippen Sie auf den Namen des aktuell aktiven Netzwerks.",
     "install_devices_ios_list_4": "Geben Sie im DNS-Feld Ihre AdGuard Home-Serveradressen ein.",
     "get_started": "Anfangen",
@@ -356,7 +356,7 @@
     "encryption_redirect": "Automatisch auf HTTPS umleiten",
     "encryption_redirect_desc": "Wenn aktiviert, leitet AdGuard Home Sie automatisch von HTTP- auf HTTPS-Adressen um.",
     "encryption_https": "HTTPS-Port",
-    "encryption_https_desc": "Wenn der HTTPS-Port konfiguriert ist, ist die AdGuard Home-Administrationsschnittstelle über HTTPS zugänglich und bietet auch DNS-over-HTTPS am Server „/dns-query”.",
+    "encryption_https_desc": "Wenn der HTTPS-Port konfiguriert ist, ist die AdGuard Home-Administrationsschnittstelle über HTTPS zugänglich und bietet auch DNS-over-HTTPS am Server „/dns-query“.",
     "encryption_dot": "DNS-over-TLS",
     "encryption_dot_desc": "Wenn dieser Port konfiguriert ist, führt AdGuard Home auf diesem Port einen DNS-over-TLS-Server aus.",
     "encryption_doq": "Port für DNS-over-QUIC",
@@ -410,18 +410,18 @@
     "ip_address": "IP-Adresse",
     "client_identifier_desc": "Clients können durch die IP-Adresse, CIDR, MAC-Adresse oder eine spezielle Client-ID (können für DoT/DoH/DoQ verwendet werden) identifiziert werden. <0>Hier</0> erfahren Sie mehr darüber, wie Sie Kunden identifizieren.",
     "form_enter_ip": "IP-Adresse eingeben",
-    "form_enter_subnet_ip": "IP-Adresse zum Subnetz „{{cidr}}” hinzufügen",
+    "form_enter_subnet_ip": "IP-Adresse zum Subnetz „{{cidr}}“ hinzufügen",
     "form_enter_mac": "MAC-Adresse eingeben",
     "form_enter_id": "Kennung eingeben",
     "form_add_id": "Kennung hinzufügen",
     "form_client_name": "Clientnamen eingeben",
     "name": "Name",
     "client_global_settings": "Allgemeine Einstellungen nutzen",
-    "client_deleted": "Client „{{key}}” erfolgreich entfernt",
+    "client_deleted": "Client „{{key}}“ erfolgreich entfernt",
-    "client_added": "Client „{{key}}” erfolgreich hinzugefügt",
+    "client_added": "Client „{{key}}“ erfolgreich hinzugefügt",
-    "client_updated": "Client „{{key}}” erfolgreich aktualisiert",
+    "client_updated": "Client „{{key}}“ erfolgreich aktualisiert",
     "clients_not_found": "Keine Clients gefunden",
-    "client_confirm_delete": "Möchten Sie den Client „{{key}}” wirklich löschen?",
+    "client_confirm_delete": "Möchten Sie den Client „{{key}}“ wirklich löschen?",
     "list_confirm_delete": "Möchten Sie diese Liste wirklich löschen?",
     "auto_clients_title": "Clients (Laufzeit)",
     "auto_clients_desc": "Daten zu den Clients, die AdGuard Home verwenden, aber nicht in der Konfiguration gespeichert sind",
@@ -441,11 +441,11 @@
     "setup_dns_privacy_1": "<0>DNS-over-TLS:</0> Zeichenkette <1>{{address}}</1> verwenden.",
     "setup_dns_privacy_2": "<0>DNS-over-HTTPS:</0> Zeichenkette <1>{{address}}</1> verwenden.",
     "setup_dns_privacy_3": "<0>Hier ist eine Liste von Software, die Sie verwenden können.</0>",
-    "setup_dns_privacy_4": "Auf einem iOS 14 oder macOS Big Sur-Gerät können Sie eine spezielle Datei „.mobileconfig” herunterladen, die Server für <highlight>DNS-über-HTTPS</highlight> oder <highlight>DNS-über-TLS</highlight> zu den DNS-Einstellungen hinzufügt.",
+    "setup_dns_privacy_4": "Auf einem iOS 14 oder macOS Big Sur-Gerät können Sie eine spezielle Datei „.mobileconfig“ herunterladen, die Server für <highlight>DNS-über-HTTPS</highlight> oder <highlight>DNS-über-TLS</highlight> zu den DNS-Einstellungen hinzufügt.",
-    "setup_dns_privacy_android_1": "Android 9 unterstützt DNS-over-TLS nativ. Um es zu konfigurieren, gehen Sie zu „Einstellungen” → „Netzwerk & Internet” → „Erweitert” → „Privater DNS” und geben Sie dort Ihren Domainnamen ein.",
+    "setup_dns_privacy_android_1": "Android 9 unterstützt DNS-over-TLS nativ. Um es zu konfigurieren, gehen Sie zu „Einstellungen“ → „Netzwerk & Internet“ → „Erweitert“ → „Privater DNS“ und geben Sie dort Ihren Domainnamen ein.",
     "setup_dns_privacy_android_2": "<0>AdGuard für Android</0> unterstützt <1>DNS-over-HTTTPS</1> und <1>DNS-over-TLS</1>.",
-    "setup_dns_privacy_android_3": "„<0>Intra</0>” fügt <1>DNS-over-HTTPS</1>-Unterstützung zu Android hinzu.",
+    "setup_dns_privacy_android_3": "„<0>Intra</0>“ fügt <1>DNS-over-HTTPS</1>-Unterstützung zu Android hinzu.",
-    "setup_dns_privacy_ios_1": "„<0>DNSCloak</0>” unterstützt <1>DNS-over-HTTPS</1>, aber um es so zu konfigurieren, dass es Ihren eigenen Server verwendet, müssen Sie einen <2>DNS-Stempel</2> dafür generieren.",
+    "setup_dns_privacy_ios_1": "„<0>DNSCloak</0>“ unterstützt <1>DNS-over-HTTPS</1>, aber um es so zu konfigurieren, dass es Ihren eigenen Server verwendet, müssen Sie einen <2>DNS-Stempel</2> dafür generieren.",
     "setup_dns_privacy_ios_2": "<0>AdGuard für iOS</0> unterstützt die Einrichtung von <1>DNS-over-HTTTPS</1> und <1>DNS-over-TLS</1>.",
     "setup_dns_privacy_other_title": "Weitere Umsetzungen",
     "setup_dns_privacy_other_1": "AdGuard Home selbst kann ein sicherer DNS-Client auf jeder Plattform sein.",
@@ -455,11 +455,11 @@
     "setup_dns_privacy_other_5": "Weitere Umsetzungen finden Sie <0>hier</0> und <1>hier</1>.",
     "setup_dns_privacy_ioc_mac": "Konfiguration für iOS und macOS",
     "setup_dns_notice": "Um <1>DNS-over-HTTTPS</1> oder <1>DNS-over-TLS</1> verwenden zu können, müssen Sie in den AdGuard Home Einstellungen die <0>Verschlüsselung konfigurieren</0>.",
-    "rewrite_added": "DNS-Umschreibung für „{{key}}” erfolgreich hinzugefügt",
+    "rewrite_added": "DNS-Umschreibung für „{{key}}“ erfolgreich hinzugefügt",
-    "rewrite_deleted": "DNS-Umschreibung für „{{key}}” erfolgreich entfernt",
+    "rewrite_deleted": "DNS-Umschreibung für „{{key}}“ erfolgreich entfernt",
     "rewrite_add": "DNS-Umschreibung hinzufügen",
     "rewrite_not_found": "Keine DNS-Umschreibungen gefunden",
-    "rewrite_confirm_delete": "Möchten Sie die DNS-Umschreibung für „{{key}}” wirklich entfernen?",
+    "rewrite_confirm_delete": "Möchten Sie die DNS-Umschreibung für „{{key}}“ wirklich entfernen?",
     "rewrite_desc": "Ermöglicht die einfache Konfiguration der benutzerdefinierten DNS-Antwort für einen bestimmten Domainnamen.",
     "rewrite_applied": "Umschreibungsregel ist angewendet",
     "rewrite_hosts_applied": "Von Hostdatei-Regel umgeschrieben",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Möchten Sie die Statistiken wirklich löschen?",
     "statistics_retention_confirm": "Möchten Sie wirklich die Aufbewahrung der Statistiken ändern? Wenn Sie den Zeitabstand verringern, gehen einige Daten verloren.",
     "statistics_cleared": "Statistiken wurden erfolgreich gelöscht",
+    "statistics_enable": "Statistiken aktivieren",
     "interval_hours": "{{count}} Stunde",
     "interval_hours_plural": "{{count}} Stunden",
     "filters_configuration": "Filterkonfiguration",
@@ -538,7 +539,7 @@
     "disable_ipv6_desc": "Löschen Sie alle DNS-Abfragen für IPv6-Adressen (Typ AAAA).",
     "fastest_addr": "Schnellste IP-Adresse",
     "fastest_addr_desc": "Fragen Sie alle DNS-Server ab und geben Sie die schnellste IP-Adresse unter allen Antworten zurück. Dies verlangsamt DNS-Abfragen, da AdGuard Home auf Antworten von allen DNS-Servern warten muss, verbessert jedoch die Gesamtkonnektivität.",
-    "autofix_warning_text": "Wenn Sie auf „Beheben” klicken, konfiguriert AdGuardHome Ihr System für die Verwendung des AdGuardHome-DNS-Servers.",
+    "autofix_warning_text": "Wenn Sie auf „Beheben“ klicken, konfiguriert AdGuardHome Ihr System für die Verwendung des AdGuardHome-DNS-Servers.",
     "autofix_warning_list": "Es werden folgende Aufgaben ausgeführt: <0>Deaktivieren des DNSStubListener-Systems</0> <0>Festlegen der DNS-Server-Adresse auf 127.0.0.1</0> <0>Ersetzen des symbolischen Linkziels von /etc/resolv.conf auf /run/systemd/resolve/resolv.conf</0> <0>Anhalten des DNSStubListener (systemseitig aufgelöster Dienst wird nachladen)</0>",
     "autofix_warning_result": "Als Folge daraus werden alle DNS-Anforderungen von Ihrem System standardmäßig von AdGuardHome verarbeitet.",
     "tags_title": "Schlagwörter",
@@ -558,10 +559,10 @@
     "check_service": "Dienstname: {{service}}",
     "service_name": "Name des Dienstes",
     "check_not_found": "Nicht in Ihren Filterlisten enthalten",
-    "client_confirm_block": "Möchten Sie den Client „{{ip}}” wirklich sperren?",
+    "client_confirm_block": "Möchten Sie den Client „{{ip}}“ wirklich sperren?",
-    "client_confirm_unblock": "Möchten Sie den Client „{{ip}}” wirklich entsperren?",
+    "client_confirm_unblock": "Möchten Sie den Client „{{ip}}“ wirklich entsperren?",
-    "client_blocked": "Client „{{ip}}” erfolgreich gesperrt",
+    "client_blocked": "Client „{{ip}}“ erfolgreich gesperrt",
-    "client_unblocked": "Client „{{ip}}” erfolgreich entsperrt",
+    "client_unblocked": "Client „{{ip}}“ erfolgreich entsperrt",
     "static_ip": "Feste IP-Adresse",
     "static_ip_desc": "AdGuard Home ist ein Server und benötigt daher eine feste IP-Adresse, um ordnungsgemäß zu funktionieren. Andernfalls weist Ihr Router diesem Gerät möglicherweise irgendwann eine andere IP-Adresse zu.",
     "set_static_ip": "Feste IP-Adresse festlegen",
@@ -610,9 +611,10 @@
     "setup_config_to_enable_dhcp_server": "Einrichten der Konfiguration zur Aktivierung des DHCP-Servers",
     "original_response": "Ursprüngliche Antwort",
     "click_to_view_queries": "Anklicken, um Abfragen anzuzeigen",
-    "port_53_faq_link": "Port 53 wird oft von Diensten wie „DNSStubListener” oder „systemresolved” belegt. Bitte lesen Sie <0>diese Anweisung</0>, wie dies behoben werden kann.",
+    "port_53_faq_link": "Port 53 wird oft von Diensten wie „DNSStubListener“ oder „systemresolved“ belegt. Bitte lesen Sie <0>diese Anweisung</0>, wie dies behoben werden kann.",
     "adg_will_drop_dns_queries": "AdGuard Home wird alle DNS-Abfragen von diesem Client verwerfen.",
-    "client_not_in_allowed_clients": "Dieser Client ist nicht zugelassen, da dieser nicht in der Liste „Erlaubte Clients” aufgeführt ist.",
+    "filter_allowlist": "Warnhinweis: Durch diese Aktion wird außerdem die Regel „{{disallowed_rule}}“ aus der Liste der zugelassenen Clients ausgeschlossen.",
+    "last_rule_in_allowlist": "Dieser Client kann nicht gesperrt werden, da das Ausschließen der Regel „{{disallowed_rule}}“ die Liste „Zugelassene Clients“ deaktivieren würde.",
     "experimental": "Experimentell",
     "use_saved_key": "Zuvor gespeicherten Schlüssel verwenden"
 }

client/src/__locales/en.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "You will need to configure your devices or router to use the DNS server on the following addresses:",
     "install_settings_all_interfaces": "All interfaces",
     "install_auth_title": "Authentication",
-    "install_auth_desc": "It is highly recommended to configure password authentication to your AdGuard Home admin web interface. Even if it is accessible only in your local network, it is still important to protect it from unrestricted access.",
+    "install_auth_desc": "Password authentication to your AdGuard Home admin web interface must be configured. Even if AdGuard Home is accessible only in your local network, it is still important to protect it from unrestricted access.",
     "install_auth_username": "Username",
     "install_auth_password": "Password",
     "install_auth_confirm": "Confirm password",
@@ -613,7 +613,8 @@
     "click_to_view_queries": "Click to view queries",
     "port_53_faq_link": "Port 53 is often occupied by \"DNSStubListener\" or \"systemd-resolved\" services. Please read <0>this instruction</0> on how to resolve this.",
     "adg_will_drop_dns_queries": "AdGuard Home will be dropping all DNS queries from this client.",
-    "client_not_in_allowed_clients": "The client is not allowed because it is not in the \"Allowed clients\" list.",
+    "filter_allowlist": "WARNING: This action also will exclude the rule \"{{disallowed_rule}}\" from the list of allowed clients.",
+    "last_rule_in_allowlist": "Cannot disallow this client because excluding the rule \"{{disallowed_rule}}\" will DISABLE \"Allowed clients\" list.",
     "experimental": "Experimental",
     "use_saved_key": "Use the previously saved key"
 }

client/src/__locales/es.json

@@ -208,7 +208,7 @@
     "example_upstream_sdns": "puedes usar <0>DNS Stamps</0> para <1>DNSCrypt</1> o resolutores <2>DNS mediante HTTPS</2>",
     "example_upstream_tcp": "DNS regular (mediante TCP)",
     "all_lists_up_to_date_toast": "Todas las listas ya están actualizadas",
-    "updated_upstream_dns_toast": "Servidores de subida guardados correctamente",
+    "updated_upstream_dns_toast": "Servidores DNS de subida guardados correctamente",
     "dns_test_ok_toast": "Los servidores DNS especificados funcionan correctamente",
     "dns_test_not_ok_toast": "Servidor \"{{key}}\": no se puede utilizar, por favor revisa si lo has escrito correctamente",
     "unblock": "Desbloquear",
@@ -235,7 +235,7 @@
     "loading_table_status": "Cargando...",
     "page_table_footer_text": "Página",
     "rows_table_footer_text": "filas",
-    "updated_custom_filtering_toast": "Reglas de filtrado guardadas correctamente",
+    "updated_custom_filtering_toast": "Reglas personalizadas guardadas correctamente",
     "rule_removed_from_custom_filtering_toast": "Regla eliminada de las reglas de filtrado personalizado: {{rule}}",
     "rule_added_to_custom_filtering_toast": "Regla añadida a las reglas de filtrado personalizado: {{rule}}",
     "query_log_response_status": "Estado: {{value}}",
@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Deberás configurar tus dispositivos o router para usar el servidor DNS en las siguientes direcciones:",
     "install_settings_all_interfaces": "Todas las interfaces",
     "install_auth_title": "Autenticación",
-    "install_auth_desc": "Se recomienda encarecidamente configurar la autenticación por contraseña para la interfaz web de administración de AdGuard Home. Incluso si solo es accesible en tu red local, es importante que estés protegido contra el acceso no autorizado.",
+    "install_auth_desc": "Debe configurarse la autenticación por contraseña para la interfaz web de administración de AdGuard Home. Incluso si AdGuard Home es accesible solo en tu red local, es importante protegerlo del acceso no autorizado.",
     "install_auth_username": "Usuario",
     "install_auth_password": "Contraseña",
     "install_auth_confirm": "Confirmar contraseña",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "¿Estás seguro de que deseas borrar las estadísticas?",
     "statistics_retention_confirm": "¿Estás seguro de que deseas cambiar la retención de estadísticas? Si disminuye el valor del intervalo, se perderán algunos datos",
     "statistics_cleared": "Estadísticas borradas correctamente",
+    "statistics_enable": "Habilitar estadísticas",
     "interval_hours": "{{count}} hora",
     "interval_hours_plural": "{{count}} horas",
     "filters_configuration": "Configuración de filtros",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Clic para ver las consultas",
     "port_53_faq_link": "El puerto 53 suele estar ocupado por los servicios \"DNSStubListener\" o \"systemd-resolved\". Por favor lee <0>esta instrucción</0> sobre cómo resolver esto.",
     "adg_will_drop_dns_queries": "AdGuard Home descartará todas las consultas DNS de este cliente.",
-    "client_not_in_allowed_clients": "El cliente no está permitido porque no está en la lista de \"Clientes permitidos\".",
+    "filter_allowlist": "ADVERTENCIA: Esta acción también excluirá la regla \"{{disallowed_rule}}\" de la lista de clientes permitidos.",
+    "last_rule_in_allowlist": "No se puede desautorizar a este cliente porque al excluir la regla \"{{disallowed_rule}}\" DESHABILITARÁ la lista de \"Clientes permitidos\".",
     "experimental": "experimental",
     "use_saved_key": "Usar la clave guardada previamente"
 }

client/src/__locales/fr.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Vous devrez configurer vos appareils et votre routeur pour utiliser le serveur DNS sur les adresses suivantes :",
     "install_settings_all_interfaces": "Toutes les interfaces",
     "install_auth_title": "Authentification",
-    "install_auth_desc": "Il est fortement recommandé de configurer un mot de passe pour accéder à l'interface web administrateur AdGuard Home. Même si elle est disponible que dans votre réseau local, cela reste important de se protéger contre des accès non désirés.",
+    "install_auth_desc": "C'est nécessaire de configurer l'authentification par aide de mot de passe pour accéder à l'interface web administrateur de votre AdGuard Home. Même si AdGuard Home n'est accessible que dans votre réseau local, c'est important d'y restreindre accès aux tiers.",
     "install_auth_username": "Nom d'utilisateur",
     "install_auth_password": "Mot de passe",
     "install_auth_confirm": "Confirmer le mot de passe",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Voulez-vous vraiment effacer les statistiques ?",
     "statistics_retention_confirm": "Êtes-vous sûr de vouloir modifier le maintien des statistiques ? Si vous diminuez la valeur de l'intervalle, certaines données seront perdues",
     "statistics_cleared": "Statistiques effacées",
+    "statistics_enable": "Activer les statistiques",
     "interval_hours": "{{count}} heure",
     "interval_hours_plural": "{{count}} heures",
     "filters_configuration": "Configuration des filtres",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Cliquez pour voir les requêtes",
     "port_53_faq_link": "Le port 53 est souvent occupé par les services « DNSStubListener » ou « systemd-resolved ». Veuillez lire <0>cette instruction</0> pour savoir comment résoudre ce problème.",
     "adg_will_drop_dns_queries": "AdGuard Home ignorera toutes les requêtes DNS de ce client.",
-    "client_not_in_allowed_clients": "Le client n’est pas autorisé car il ne figure pas dans la liste « Clients autorisés ».",
+    "filter_allowlist": "ATTENTION : Cette action exclura également la règle « {{disallowed_rule}} » de la liste des clients autorisés.",
+    "last_rule_in_allowlist": "Impossible d’interdire ce client, car l’exclusion de la règle « {{disallowed_rule}} » DÉSACTIVERA la liste des « clients autorisés ».",
     "experimental": "Expérimental",
     "use_saved_key": "Utiliser la clef précédemment enregistrée"
 }

client/src/__locales/hu.json

@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Biztosan vissza akarja állítani a statisztikákat?",
     "statistics_retention_confirm": "Biztos benne, hogy megváltoztatja a statisztika megőrzési idejét? Ha csökkentette az értéket, a megadottnál korábbi adatok elvesznek",
     "statistics_cleared": "A statisztikák sikeresen vissza lettek állítva",
+    "statistics_enable": "Statisztikák engedélyezése",
     "interval_hours": "{{count}} óra",
     "interval_hours_plural": "{{count}} óra",
     "filters_configuration": "Szűrők beállításai",

client/src/__locales/id.json

@@ -235,7 +235,7 @@
     "loading_table_status": "Memuat...",
     "page_table_footer_text": "Halaman",
     "rows_table_footer_text": "baris",
-    "updated_custom_filtering_toast": "Perbarui aturan penyaringan khusus",
+    "updated_custom_filtering_toast": "Aturan kustom berhasil disimpan",
     "rule_removed_from_custom_filtering_toast": "Aturan dihapus dari aturan penyaringan khusus: {{rule}}",
     "rule_added_to_custom_filtering_toast": "Aturan ditambah ke aturan penyaringan khusus: {{rule}}",
     "query_log_response_status": "Status: {{value}}",
@@ -613,5 +613,6 @@
     "port_53_faq_link": "Port 53 sering ditempati oleh layanan \"DNSStubListener\" atau \"systemd-resolved\". Silakan baca <0>instruksi ini</0> tentang cara menyelesaikan ini.",
     "adg_will_drop_dns_queries": "AdGuard Home akan menghapus semua permintaan DNS dari klien ini.",
     "client_not_in_allowed_clients": "Klien tidak diizinkan karena tidak ada dalam daftar \"Klien yang diizinkan\".",
-    "experimental": "Eksperimental"
+    "experimental": "Eksperimental",
+    "use_saved_key": "Gunakan kunci yang disimpan sebelumnya"
 }

client/src/__locales/it.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Sarà necessario configurare i dispositivi o il router per utilizzare il server DNS nei seguenti indirizzi:",
     "install_settings_all_interfaces": "Tutte le interfacce",
     "install_auth_title": "Autenticazione",
-    "install_auth_desc": "Si consiglia vivamente di configurare l'autenticazione della password per l'interfaccia web di amministrazione di AdGuard Home. Anche se è accessibile solo nella rete locale, è comunque importante proteggerlo da accessi illimitati.",
+    "install_auth_desc": "L\\'autenticazione con password sulla tua interfaccia web da amministratore di AdGuard Home dev\\'esser configurata. Anche se AdGuard Home è accessibile solo dalla tua rete locale, è comunque importante proteggerlo da accessi non limitati.",
     "install_auth_username": "Nome utente",
     "install_auth_password": "Password",
     "install_auth_confirm": "Conferma password",
@@ -394,7 +394,7 @@
     "fix": "Risolvi",
     "dns_providers": "Qui c\\'è una <0>lista di provider DNS</0> da cui scegliere.",
     "update_now": "Aggiorna ora",
-    "update_failed": "Aggiornamento automatico non riuscito. Si prega di <a>seguire questi passaggi</a>per aggiornare manualmente.",
+    "update_failed": "Aggiornamento automatico non riuscito. Ti suggeriamo di <a>seguire questi passaggi</a> per aggiornare manualmente.",
     "processing_update": "Perfavore aspetta, AdGuard Home si sta aggiornando",
     "clients_title": "Client",
     "clients_desc": "Configura i dispositivi connessi ad AdGuard Home",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Sei sicuro di voler azzerare le statistiche?",
     "statistics_retention_confirm": "Sei sicuro di voler modificare la conservazione delle statistiche? Se il valore di intervallo dovesse diminuire, alcuni dati andranno persi",
     "statistics_cleared": "Statistiche azzerate correttamente",
+    "statistics_enable": "Attiva statistiche",
     "interval_hours": "{{count}} ora",
     "interval_hours_plural": "{{count}} ore",
     "filters_configuration": "Configurazione filtri",
@@ -566,7 +567,7 @@
     "static_ip_desc": "AdGuard Home è un server quindi ha bisogno di un indirizzo IP statico per funzionare correttamente. In caso contrario, ad un certo punto, il router potrebbe assegnare un indirizzo IP differente a questo dispositivo.",
     "set_static_ip": "Imposta un indirizzo IP statico",
     "install_static_ok": "Buone notizie! L'indirizzo IP statico è già configurato",
-    "install_static_error": "AdGuard Home non può configurarlo automaticamente per questa interfaccia di rete. Si prega di cercare un'istruzione su come farlo manualmente.",
+    "install_static_error": "AdGuard Home non può configurarlo automaticamente per questa interfaccia di rete. Ti suggeriamo di cercare un metodo alternativo per effettuare tale operazione manualmente.",
     "install_static_configure": "AdGuard Home ha rilevato l\\'utilizzo dell\\'indirizzo IP dinamico <0> {{ip}} </0>. Desideri impostarlo come indirizzo statico?",
     "confirm_static_ip": "AdGuard Home configurerà {{ip}} come indirizzo IP statico. Desideri procedere?",
     "list_updated": "{{count}} lista aggiornata",
@@ -610,9 +611,10 @@
     "setup_config_to_enable_dhcp_server": "Configurazione dell\\'installazione per l\\'attivazione del server DHCP",
     "original_response": "Responso originale",
     "click_to_view_queries": "Clicca per visualizzare le richieste",
-    "port_53_faq_link": "La Porta 53 è spesso occupata dai servizi \"DNSStubListener\" o \"systemd-resolved\". Si prega di leggere <0>queste istruzioni</0> per risolvere il problema.",
+    "port_53_faq_link": "La Porta 53 è spesso occupata dai servizi \"DNSStubListener\" o \"systemd-resolved\". Ti suggeriamo di leggere <0>queste istruzioni</0> per risolvere il problema.",
     "adg_will_drop_dns_queries": "AdGuard Home eliminerà tutte le richieste DNS da questo client.",
-    "client_not_in_allowed_clients": "Il client non è consentito perché non è nell'elenco \"Client consentiti\".",
+    "filter_allowlist": "ATTENZIONE: Quest\\'azione escluderà anche la regola \"{{disallowed_rule}}\" dall\\'elenco di clienti consentiti.",
+    "last_rule_in_allowlist": "Impossibile bloccare questo client perché escludere la regola \"{{disallowed_rule}}\" DISATIVERÁ l\\'elenco \"Clienti consentiti\".",
     "experimental": "Sperimentale",
     "use_saved_key": "Utilizza la chiave salvata in precedenza"
 }

client/src/__locales/ja.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "次のアドレスでDNSサーバを使用するようにあなたのデバイスまたはルータを設定する必要があります:",
     "install_settings_all_interfaces": "すべてのインターフェイス",
     "install_auth_title": "認証",
-    "install_auth_desc": "AdGuard Homeの管理ウェブインターフェースにパスワード認証を設定することを強くお勧めします。ローカルネットワークでのみアクセス可能であっても、制限のないアクセスから保護することは重要です。",
+    "install_auth_desc": "AdGuard Homeの管理ウェブインターフェースにパスワード認証を設定する必要があります。AdGuard Homeがローカルネットワークでのみアクセス可能であっても、制限のないアクセスから保護することは重要です。",
     "install_auth_username": "ユーザ名",
     "install_auth_password": "パスワード",
     "install_auth_confirm": "パスワード（確認用）",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "統計を消去してもよろしいですか？",
     "statistics_retention_confirm": "統計の保持を変更してもよろしいですか？ 期間を短くすると、一部のデータが失われます",
     "statistics_cleared": "統計の消去に成功しました",
+    "statistics_enable": "統計を有効にする",
     "interval_hours": "{{count}}時間",
     "interval_hours_plural": "{{count}}時間",
     "filters_configuration": "フィルタ設定",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "クエリを表示するにはクリックしてください",
     "port_53_faq_link": "多くの場合、ポート53は \"DNSStubListener\" または \"systemd-resolved\" サービスによって利用されています。これを解決する方法については、<0>この手順</0>をお読みください。",
     "adg_will_drop_dns_queries": "AdGuard Homeは、このクライアントからすべてのDNSクエリを落とします。",
-    "client_not_in_allowed_clients": "「許可されたクライアント」リストにないため、このクライアントは許可されていません。",
+    "filter_allowlist": "【注意】このアクションは、許可されたクライアントのリストから「{{disallowed_rule}}」というルールも除外します。",
+    "last_rule_in_allowlist": "ルール「{{disallowed_rule}}」を除外すると「許可されたクライアント」リストが無効になるため、このクライアントを拒否することはできません。",
     "experimental": "実験用",
     "use_saved_key": "以前に保存したキーを使用する"
 }

client/src/__locales/ko.json

@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "통계를 정말로 초기화하시겠습니까?",
     "statistics_retention_confirm": "정말로 통계 저장 기간을 변경하시겠습니까? 저장 주기를 낮출 경우, 일부 데이터가 손실됩니다",
     "statistics_cleared": "통계를 성공적으로 초기화했습니다.",
+    "statistics_enable": "통계 활성화",
     "interval_hours": "{{count}} 시간",
     "interval_hours_plural": "{{count}} 시간",
     "filters_configuration": "필터 구성",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "쿼리를 보려면 클릭합니다",
     "port_53_faq_link": "53번 포트는 보통 \"DNSStubListener\"나 \"systemd-resolved\" 서비스가 이미 사용하고 있습니다. 이 문제에 대한 해결 방법을 <0>설명</0>에서 찾아보세요.",
     "adg_will_drop_dns_queries": "AdGuard Home은 이 클라이언트에서 모든 DNS 쿼리를 삭제합니다.",
-    "client_not_in_allowed_clients": "이 클라이언트는 허용된 클라이언트 목록에 없으므로 허용되지 않습니다.",
+    "filter_allowlist": "경고: 이 경우 허용된 클라이언트 목록에서 '{{disallowed_rule}}' 규칙 또한 제외됩니다.",
+    "last_rule_in_allowlist": "'{{disallowed_rule}}' 규칙을 제외하면 '허용된 클라이언트' 목록이 꺼지므로 해당 클라이언트를 제외할 수 없습니다.",
     "experimental": "실험",
     "use_saved_key": "이전에 저장했던 키 사용하기"
 }

client/src/__locales/nl.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Je moet jouw apparaten of router configureren om de DNS-server te gebruiken op de volgende adressen:",
     "install_settings_all_interfaces": "Alle interfaces",
     "install_auth_title": "Authenticatie",
-    "install_auth_desc": "Het wordt ten zeerste aanbevolen om wachtwoordverificatie te configureren voor de AdGuard Home admin webinterface. Zelfs als het alleen toegankelijk is in uw lokale netwerk, is het nog steeds belangrijk om het te beschermen tegen onbeperkte toegang.",
+    "install_auth_desc": "Wachtwoordverificatie voor je AdGuard Home-beheerderswebinterface moet worden geconfigureerd. Zelfs als AdGuard Home alleen toegankelijk is in je lokale netwerk, is het nog steeds belangrijk om het te beschermen tegen onbeperkte toegang.",
     "install_auth_username": "Gebruikersnaam",
     "install_auth_password": "Wachtwoord",
     "install_auth_confirm": "Bevestig wachtwoord",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Alle statistieken werkelijk wissen?",
     "statistics_retention_confirm": "Weet u zeker dat u de bewaartermijn van de statistieken wilt wijzigen? Als u de intervalwaarde verlaagt, gaan sommige gegevens verloren",
     "statistics_cleared": "Statistieken succesvol gewist",
+    "statistics_enable": "Statistieken inschakelen",
     "interval_hours": "{{count}} uur",
     "interval_hours_plural": "{{count}} uren",
     "filters_configuration": "Filters instellingen",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Klik om queries te bekijken",
     "port_53_faq_link": "Poort 53 wordt vaak gebruikt door services als DNSStubListener- of de systeem DNS-resolver. Lees a.u.b. <0>deze instructie</0> hoe dit is op te lossen.",
     "adg_will_drop_dns_queries": "AdGuard Home zal alle DNS verzoeken van deze toepassing/dit systeem negeren.",
-    "client_not_in_allowed_clients": "De toepassing is niet toegestaan omdat deze niet in de lijst \"Toegestane toepassingen\" voorkomt.",
+    "filter_allowlist": "WAARSCHUWING: Deze actie zal ook de regel \"{{disallowed_rule}}\" uitsluiten van de lijst met toegestane clients.",
+    "last_rule_in_allowlist": "Kan deze client niet weigeren omdat het uitsluiten van de regel \"{{disallowed_rule}}\" de lijst \"Toegestane clients\" zal UITSCHAKELEN.",
     "experimental": "Experimenteel",
     "use_saved_key": "De eerder opgeslagen sleutel gebruiken"
 }

client/src/__locales/pl.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Konieczne będzie skonfigurowanie urządzenia lub routera do korzystania z serwera DNS pod następującymi adresami:",
     "install_settings_all_interfaces": "Wszystkie interfejsy",
     "install_auth_title": "Uwierzytelnianie",
-    "install_auth_desc": "Zalecamy skonfigurowanie strony AdGuard Home Admin, aby zweryfikować swoją tożsamość za pomocą hasła. Chociaż jest dostępny tylko w sieci lokalnej, nadal ważne jest, aby chronić go przed nieograniczonym dostępem.",
+    "install_auth_desc": "Należy skonfigurować uwierzytelnianie hasłem do interfejsu internetowego administratora AdGuard Home. Nawet jeśli AdGuard Home jest dostępny tylko w sieci lokalnej, nadal ważne jest, aby chronić go przed nieograniczonym dostępem.",
     "install_auth_username": "Nazwa użytkownika",
     "install_auth_password": "Hasło",
     "install_auth_confirm": "Potwierdź hasło",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Czy na pewno chcesz wyczyścić statystyki?",
     "statistics_retention_confirm": "Czy chcesz zmienić sposób przechowania statystyk? Jeżeli obniżysz wartość interwału, niektóre dane będą utracone",
     "statistics_cleared": "Statystyki zostały pomyślnie wyczyszczone",
+    "statistics_enable": "Włącz statystyki",
     "interval_hours": "{{count}} godzina",
     "interval_hours_plural": "{{count}} godziny",
     "filters_configuration": "Konfiguracja filtrów",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Kliknij, aby wyświetlić zapytania",
     "port_53_faq_link": "Port 53 jest często zajęty przez usługi \"DNSStubListener\" lub \"systemd-resolved\". Przeczytaj <0>tę instrukcję</0> jak to rozwiązać.",
     "adg_will_drop_dns_queries": "AdGuard Home odrzuci zapytanie DNS od tego klienta.",
-    "client_not_in_allowed_clients": "Klient nie jest dozwolony, ponieważ nie ma go na liście „Dozwoleni klienci”.",
+    "filter_allowlist": "OSTRZEŻENIE: To działanie spowoduje również wykluczenie reguły \"{{disallowed_rule}}\" z listy dozwolonych klientów.",
+    "last_rule_in_allowlist": "Nie można odrzucić tego klienta, ponieważ wykluczenie reguły \"{{disallowed_rule}}\" spowoduje WYŁĄCZENIE listy „Dozwolonych klientów”.",
     "experimental": "Funkcja eksperymentalna",
     "use_saved_key": "Użyj wcześniej zapisanego klucza"
 }

client/src/__locales/pt-br.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Você precisa configurar seu dispositivo ou roteador para usar o servidor DNS nos seguintes endereços:",
     "install_settings_all_interfaces": "Todas interfaces",
     "install_auth_title": "Autenticação",
-    "install_auth_desc": "É altamente recomendável configurar a autenticação por senha na interface web de administração do AdGuard Home. Mesmo que ela seja acessível somente em sua rede local, ainda assim é importante protegê-la contra acesso irrestrito.",
+    "install_auth_desc": "A autenticação de senha para a interface da web de administrador do AdGuard Home deve ser configurada. Mesmo que o AdGuard Home esteja acessível apenas em sua rede local, ainda é importante protegê-la de acesso irrestrito.",
     "install_auth_username": "Nome de usuário",
     "install_auth_password": "Senha",
     "install_auth_confirm": "Confirmar senha",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Você tem certeza de que deseja limpar as estatísticas?",
     "statistics_retention_confirm": "Você tem certeza que quer alterar o arquivamento das estatísticas? Se diminuir o valor do intervalo, alguns dados serão perdidos",
     "statistics_cleared": "As estatísticas foram limpas com sucesso",
+    "statistics_enable": "Ativar estatísticas",
     "interval_hours": "{{count}} hora",
     "interval_hours_plural": "{{count}} horas",
     "filters_configuration": "Configuração de filtros",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Clique para ver as consultas",
     "port_53_faq_link": "A porta 53 é frequentemente ocupada por serviços \"DNSStubListener\" ou \"systemd-resolved\". Por favor leia <0>essa instrução</0> para resolver isso.",
     "adg_will_drop_dns_queries": "O AdGuard Home descartará todas as consultas DNS deste cliente.",
-    "client_not_in_allowed_clients": "O cliente não é permitido porque não está na lista \"Clientes permitidos\".",
+    "filter_allowlist": "AVISO: Esta ação também excluirá a regra \"{{disallowed_rule}}\" da lista de clientes permitidos.",
+    "last_rule_in_allowlist": "Não é possível desautorizar este cliente porque excluir a regra \"{{disallowed_rule}}\" DESATIVARÁ a lista de \"Clientes permitidos\".",
     "experimental": "Experimental",
     "use_saved_key": "Use a chave salva anteriormente"
 }

client/src/__locales/pt-pt.json

@@ -99,10 +99,10 @@
     "homepage": "Página inicial",
     "report_an_issue": "Comunicar um problema",
     "privacy_policy": "Política de privacidade",
-    "enable_protection": "Ativar protecção",
+    "enable_protection": "Ativar proteção",
-    "enabled_protection": "Ativar protecção",
+    "enabled_protection": "Ativar proteção",
-    "disable_protection": "Desativar protecção",
+    "disable_protection": "Desativar proteção",
-    "disabled_protection": "Desativar protecção",
+    "disabled_protection": "Desativar proteção",
     "refresh_statics": "Repor estatísticas",
     "dns_query": "Consultas de DNS",
     "blocked_by": "<0>Bloqueado por filtros</0>",
@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Precisa de configurar o seu dispositivo ou router para usar o servidor DNS nos seguintes endereços:",
     "install_settings_all_interfaces": "Todas as interfaces",
     "install_auth_title": "Autenticação",
-    "install_auth_desc": "É altamente recomendável configurar a autenticação por palavra-passe para a sua interface web de administrador do AdGuard Home. Mesmo que seja acessível apenas na sua rede local, ainda assim é importante protegê-lo contra o acesso irrestrito.",
+    "install_auth_desc": "A autenticação de palavra-passe para a interface da web de administrador do AdGuard Home deve ser configurada. Mesmo que o AdGuard Home esteja acessível apenas em sua rede local, ainda é importante protegê-la de acesso irrestrito.",
     "install_auth_username": "Nome do utilizador",
     "install_auth_password": "Palavra-passe",
     "install_auth_confirm": "Confirmar palavra-passe",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Tem a certeza de que deseja limpar as estatísticas?",
     "statistics_retention_confirm": "Tem a certeza que quer alterar a retenção de estatísticas? Se diminuir o valor do intervalo, alguns dados serão perdidos",
     "statistics_cleared": "As estatísticas foram apagadas com sucesso",
+    "statistics_enable": "Ativar estatísticas",
     "interval_hours": "{{count}} hora",
     "interval_hours_plural": "{{count}} horas",
     "filters_configuration": "Definição dos filtros",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Clique para ver as consultas",
     "port_53_faq_link": "A porta 53 é frequentemente ocupada por serviços \"DNSStubListener\" ou \"systemd-resolved\". Por favor leia <0>essa instrução</0> para resolver isso.",
     "adg_will_drop_dns_queries": "O AdGuard Home descartará todas as consultas DNS deste cliente.",
-    "client_not_in_allowed_clients": "O cliente não é permitido porque não está na lista \"Clientes permitidos\".",
+    "filter_allowlist": "AVISO: Esta ação também excluirá a regra \"{{disallowed_rule}}\" da lista de clientes permitidos.",
+    "last_rule_in_allowlist": "Não é possível desautorizar este cliente porque excluir a regra \"{{disallowed_rule}}\" DESATIVARÁ a lista de \"Clientes permitidos\".",
     "experimental": "Experimental",
     "use_saved_key": "Use a chave guardada anteriormente"
 }

client/src/__locales/ru.json

@@ -277,7 +277,7 @@
     "form_enter_rate_limit": "Введите rate limit",
     "rate_limit": "Rate limit",
     "edns_enable": "Включить отправку EDNS Client Subnet",
-    "edns_cs_desc": "Отправлять подсети клиентов на DNS-сервера.",
+    "edns_cs_desc": "Отправлять подсети клиентов на DNS-серверы.",
     "rate_limit_desc": "Ограничение на количество запросов в секунду для каждого клиента (0 — неограниченно).",
     "blocking_ipv4_desc": "IP-адрес, возвращаемый при блокировке A-запроса",
     "blocking_ipv6_desc": "IP-адрес, возвращаемый при блокировке AAAA-запроса",
@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Вам будет нужно настроить свои устройства или роутер на использование DNS-сервера на одном из следующих адресов:",
     "install_settings_all_interfaces": "Все интерфейсы",
     "install_auth_title": "Авторизация",
-    "install_auth_desc": "Настоятельно рекомендуется настроить аутентификацию паролем для веб-интерфейса AdGuard Home. Даже если он доступен только в вашей локальной сети, важно защитить его от неограниченного доступа.",
+    "install_auth_desc": "Должна быть настроена аутентификация паролем для веб-интерфейса AdGuard Home. Даже если он доступен только в вашей локальной сети, важно защитить его от неограниченного доступа.",
     "install_auth_username": "Имя пользователя",
     "install_auth_password": "Пароль",
     "install_auth_confirm": "Подтвердить пароль",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Вы уверены, что хотите очистить статистику?",
     "statistics_retention_confirm": "Вы уверены, что хотите изменить срок хранения статистики? При сокращении интервала данные могут быть утеряны",
     "statistics_cleared": "Статистика успешно очищена",
+    "statistics_enable": "Включить статистику",
     "interval_hours": "{{count}} час",
     "interval_hours_plural": "{{count}} часов",
     "filters_configuration": "Настройка фильтров",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Нажмите, чтобы просмотреть запросы",
     "port_53_faq_link": "Порт 53 часто занят службами «DNSStubListener» или «systemd-resolved». Ознакомьтесь с <0>инструкцией</0> о том, как это разрешить.",
     "adg_will_drop_dns_queries": "AdGuard Home AdGuard Home сбросит все DNS-запросы от этого клиента.",
-    "client_not_in_allowed_clients": "Клиент не разрешён, так как его нет в списке «Разрешённых клиентов».",
+    "filter_allowlist": "ВНИМАНИЕ: Это действие также исключит правило «{{disallowed_rule}}» из списка разрешённых клиентов.",
+    "last_rule_in_allowlist": "Нельзя заблокировать этого клиента, так как исключение правила «{{disallowed_rule}}» ОТКЛЮЧИТ режим белого списка.",
     "experimental": "Экспериментальный",
     "use_saved_key": "Использовать сохранённый ранее ключ"
 }

client/src/__locales/si-lk.json

@@ -16,8 +16,8 @@
     "dhcp_enable": "ග.ධා.වි.කෙ. සේවාදායකය සබල කරන්න",
     "dhcp_disable": "ග.ධා.වි.කෙ. සේවාදායකය අබල කරන්න",
     "dhcp_config_saved": "ග.ධා.වි.කෙ. වින්‍යාසය සාර්ථකව සුරකින ලදි",
-    "dhcp_ipv4_settings": "ග.ධා.වි.කෙ. අයිපීවී 4 සැකසුම්",
+    "dhcp_ipv4_settings": "ග.ධා.වි.කෙ. අ.ජා.කෙ. 4 සැකසුම්",
-    "dhcp_ipv6_settings": "ග.ධා.වි.කෙ. අයිපීවී 6 සැකසුම්",
+    "dhcp_ipv6_settings": "ග.ධා.වි.කෙ. අ.ජා.කෙ. 6 සැකසුම්",
     "form_error_required": "අවශ්‍ය ක්ෂේත්‍රයකි",
     "form_error_ip4_format": "වලංගු නොවන IPv4 ආකෘතියකි",
     "form_error_ip6_format": "වලංගු නොවන IPv6 ආකෘතියකි",
@@ -221,8 +221,8 @@
     "refused": "REFUSED",
     "null_ip": "අභිශූන්‍යය අ.ජා. කෙ.",
     "custom_ip": "අභිරුචි අ.ජා. කෙ.",
-    "blocking_ipv4": "අයි.පී.වී.4 අවහිර කිරීම\n",
+    "blocking_ipv4": "අ.ජා.කෙ.4 අවහිර කිරීම",
-    "blocking_ipv6": "අයි.පී.වී.6 අවහිර කිරීම",
+    "blocking_ipv6": "අ.ජා.කෙ.6 අවහිර කිරීම",
     "client_id": "අනුග්‍රාහකයේ හැඳුනුම",
     "client_id_placeholder": "අනුග්‍රාහකයේ හැඳුනුම යොදන්න",
     "download_mobileconfig": "වින්‍යාසගත ගොනුව බාගන්න",
@@ -230,8 +230,8 @@
     "form_enter_rate_limit": "අනුපාත සීමාව ඇතුල් කරන්න",
     "rate_limit": "අනුපාත සීමාව",
     "rate_limit_desc": "එක් අනුග්‍රාහකයකට ඉඩ දී ඇති තත්පරයට ඉල්ලීම් ගණන. එය 0 ලෙස සැකසීම යනුවෙන් අදහස් කරන්නේ සීමාවක් නැති බවයි.",
-    "blocking_ipv4_desc": "අවහිර කළ A ඉල්ලීමක් සඳහා ආපසු එවිය යුතු අ.ජා. කෙ. (IP) ලිපිනය",
+    "blocking_ipv4_desc": "අවහිර කළ A ඉල්ලීමක් සඳහා ආපසු එවිය යුතු අ.ජා.කෙ. (IP) ලිපිනය",
-    "blocking_ipv6_desc": "අවහිර කළ AAAA ඉල්ලීමක් සඳහා ආපසු එවිය යුතු අ.ජා. කෙ. (IP) ලිපිනය",
+    "blocking_ipv6_desc": "අවහිර කළ AAAA ඉල්ලීමක් සඳහා ආපසු එවිය යුතු අ.ජා.කෙ. (IP) ලිපිනය",
     "blocking_mode_default": "පොදු: දැන්වීම් අවහිර කරන ආකාරයේ නීතියක් මගින් අවහිර කළ විට REFUSED සමඟ ප්‍රතිචාර දක්වයි; /etc/host-style ආකාරයේ නීතියක් මගින් අවහිර කළ විට නීතියේ දක්වා ඇති අ.ජා. කෙ. ලිපිනය සමඟ ප්‍රතිචාර දක්වයි",
     "blocking_mode_refused": "REFUSED: REFUSED කේතය සමඟ ප්‍රතිචාර දක්වයි",
     "blocking_mode_nxdomain": "නොපවතින වසම (NXDOMAIN): NXDOMAIN කේතය සමඟ ප්‍රතිචාර දක්වයි",
@@ -360,7 +360,7 @@
     "form_enter_subnet_ip": "\"{{cidr}}\" අනුජාලයෙහි අ.ජා. කෙ. ලිපිනයක් යොදන්න.",
     "form_enter_mac": "මා.ප්‍ර.පා. (MAC) ඇතුල් කරන්න",
     "form_enter_id": "හඳුන්වනය ඇතුල් කරන්න",
-    "form_add_id": "හඳුන්වනයක් එක් කරන්න",
+    "form_add_id": "හඳුන්වනයක් එකතු කරන්න",
     "form_client_name": "අනුග්‍රාහකයේ නම ඇතුල් කරන්න",
     "name": "නම",
     "client_global_settings": "ගෝලීය සැකසුම් භාවිතා කරන්න",
@@ -465,7 +465,7 @@
     "rewrite_ip_address": "අ.ජා. කෙ. ලිපිනය: මෙම අ.ජා. කෙටුම්පත A හෝ AAAA ප්‍රතිචාරයකට භාවිතා කරන්න",
     "rewrite_domain_name": "වසම් නාමය: අන්. නා. (CNAME) වාර්තාවක් එක් කරන්න",
     "disable_ipv6": "IPv6 ලිපින විසඳීම අබල කරන්න",
-    "disable_ipv6_desc": "අ.ජා. කෙ. අනු. 6 ලිපින (AAAA වර්ගය) සඳහා වන සියලුම ව.නා.ප. විමසුම් අතහැර දමනු ලැබේ.",
+    "disable_ipv6_desc": "අ.ජා.කෙ. අනු. 6 ලිපින (AAAA වර්ගය) සඳහා වන සියලුම ව.නා.ප. විමසුම් අතහැර දමනු ලැබේ.",
     "fastest_addr": "වේගවත්ම අන්තර්ජාල කෙටුම්පත් (IP) ලිපිනය",
     "fastest_addr_desc": "සියලුම ව.නා.ප. සේවාදායකයන්ගෙන් විමසා සියලු ප්‍රතිචාර අතරින් වේගවත්ම අ.ජා. කෙ. ලිපිනය ලබා දෙයි. සියලුම ව.නා.ප. සේවාදායකයන්ගේ ප්‍රතිචාර සඳහා ඇඩ්ගාර්ඩ් හෝම් රැඳී සිටිය යුතු බැවින් මෙය ව.නා.ප. විමසුම් මන්දගාමී කරන නමුත් සමස්ත සම්බන්ධතාවය වැඩි දියුණු කරයි.",
     "autofix_warning_text": "ඔබ \"නිරාකරණය කරන්න\" බොත්තම එබුවහොත්, ඔබගේ පද්ධතිය ඇඩ්ගාර්ඩ් හෝම් ව.නා.ප. සේවාදායකය භාවිතා කිරීමට වින්‍යාසගත කරනු ඇත.",

client/src/__locales/sk.json

@@ -208,7 +208,7 @@
     "example_upstream_sdns": "môžete použiť <0>DNS pečiatky</0> pre <1>DNSCrypt</1> alebo <2>DNS-over-HTTPS</2>",
     "example_upstream_tcp": "radová DNS (cez TCP)",
     "all_lists_up_to_date_toast": "Všetky zoznamy sú už aktuálne",
-    "updated_upstream_dns_toast": "Aktualizované upstream DNS servery",
+    "updated_upstream_dns_toast": "Upstream servery boli úspešne uložené",
     "dns_test_ok_toast": "Špecifikované DNS servery pracujú korektne",
     "dns_test_not_ok_toast": "Server \"{{key}}\": nemohol byť použitý, skontrolujte, či ste ho správne napísali",
     "unblock": "Odblokovať",
@@ -235,7 +235,7 @@
     "loading_table_status": "Načítavam...",
     "page_table_footer_text": "Stránka",
     "rows_table_footer_text": "riadky",
-    "updated_custom_filtering_toast": "Aktualizované vlastné filtračné pravidlá",
+    "updated_custom_filtering_toast": "Vlastné pravidlá boli úspešne uložené",
     "rule_removed_from_custom_filtering_toast": "Pravidlo odstránené z vlastných filtračných pravidiel: {{rule}}",
     "rule_added_to_custom_filtering_toast": "Pravidlo pridané do vlastných filtračných pravidiel: {{rule}}",
     "query_log_response_status": "Stav: {{value}}",
@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Budete musieť konfigurovať Vaše zariadenia alebo smerovač, aby používali DNS server na nasledujúcich adresách:",
     "install_settings_all_interfaces": "Všetky rozhrania",
     "install_auth_title": "Overenie identity",
-    "install_auth_desc": "Odporúčame Vám nakonfigurovať na administrátorskom webovom rozhraní AdGuard Home overenie Vašej identity heslom. Aj keď je prístupné iba vo Vašej lokálnej sieti, je stále dôležité chrániť ho pred neobmedzeným prístupom.",
+    "install_auth_desc": "Je potrebné nakonfigurovať autentifikáciu heslom do administrátorského webového rozhrania AdGuard Home. Aj keď je AdGuard Home prístupný iba vo Vašej lokálnej sieti, je stále dôležité chrániť ho pred neobmedzeným prístupom.",
     "install_auth_username": "Meno používateľa",
     "install_auth_password": "Heslo",
     "install_auth_confirm": "Potvrdenie hesla",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Naozaj chcete vynulovať štatistiku?",
     "statistics_retention_confirm": "Naozaj chcete zmeniť uchovávanie štatistík? Ak znížite hodnotu intervalu, niektoré údaje sa stratia",
     "statistics_cleared": "Štatistika bola úspešne vynulovaná",
+    "statistics_enable": "Zapnúť štatistiku",
     "interval_hours": "{{count}} hodina",
     "interval_hours_plural": "{{count}} hodín",
     "filters_configuration": "Konfigurácia filtrov",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Kliknite pre zobrazenie dopytov",
     "port_53_faq_link": "Port 53 je často obsadený službami \"DNSStubListener\" alebo \"systemd-resolved\". Prečítajte si <0>tento návod</0> o tom, ako to vyriešiť.",
     "adg_will_drop_dns_queries": "AdGuard Home zruší všetky DNS dopyty od tohto klienta.",
-    "client_not_in_allowed_clients": "Klient nemá povolenie, pretože sa nenachádza v zozname „Povolení klienti“.",
+    "filter_allowlist": "UPOZORNENIE: Táto akcia tiež vylúči pravidlo \"\"{{disallowed_rule}}\"\" zo zoznamu povolených klientov.",
+    "last_rule_in_allowlist": "Nemôžete zakázať tohto klienta, pretože vylúčenie pravidla \"{{disallowed_rule}}\" zakáže zoznam \"povolených klientov\".",
     "experimental": "Experimentálne",
     "use_saved_key": "Použiť predtým uložený kľúč"
 }

client/src/__locales/sl.json

@@ -208,7 +208,7 @@
     "example_upstream_sdns": "lahko uporabite <0>DNS Žige</0> za reševalce <1>DNSCrypt</1> ali <2>DNS-prek-HTTPS</2>",
     "example_upstream_tcp": "redni DNS (nad TCP)",
     "all_lists_up_to_date_toast": "Vsi seznami so že posodobljeni",
-    "updated_upstream_dns_toast": "Posodobljeni Zagonske strežnike DNS",
+    "updated_upstream_dns_toast": "Gorvodni trežniki so uspešno shranjeni",
     "dns_test_ok_toast": "Navedeni strežniki DNS delujejo pravilno",
     "dns_test_not_ok_toast": "Ni mogoče uporabiti: strežnika \"{{key}}\". Preverite, ali ste ga pravilno napisali",
     "unblock": "Omogoči",
@@ -235,7 +235,7 @@
     "loading_table_status": "Nalaganje...",
     "page_table_footer_text": "Stran",
     "rows_table_footer_text": "vrstic",
-    "updated_custom_filtering_toast": "Posodobljena pravila filtriranja po meri",
+    "updated_custom_filtering_toast": "Pravila po meri so uspešno shranjena",
     "rule_removed_from_custom_filtering_toast": "Pravilo je odstranjeno iz pravil filtriranja po meri: {{rule}}",
     "rule_added_to_custom_filtering_toast": "Pravilo je dodano pravilom filtriranja po meri: {{rule}}",
     "query_log_response_status": "Stanje: {{value}}",
@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Vaše naprave ali usmerjevalnik boste morali konfigurirati za uporabo strežnika DNS na naslednjih naslovih:",
     "install_settings_all_interfaces": "Vsi vmesniki",
     "install_auth_title": "Preverjanje pristnosti",
-    "install_auth_desc": "Zelo priporočljivo je, da konfigurirate overovitev pristnosti gesla za vaš skrbniški spletni vmesnik AdGuard Home. Tudi če je dostopen v vašem lokalnem omrežju, je še vedno pomembno, da ga zaščitite pred neomejenim dostopom.",
+    "install_auth_desc": "Nastavljeno mora biti preverjanje pristnosti gesla za skrbniški spletni vmesnik AdGuard Home. Tudi če je AdGuard Home dostopen samo v vašem lokalnem omrežju, je še vedno pomembno, da ga zaščitite pred neomejenim dostopom.",
     "install_auth_username": "Uporabniško ime",
     "install_auth_password": "Geslo",
     "install_auth_confirm": "Potrdite geslo",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "Ali ste prepričani, da želite počistiti statistiko?",
     "statistics_retention_confirm": "Ali ste prepričani, da želite spremeniti zadrževanje statistike? Če zmanjšate vrednost intervala, bodo nekateri podatki izgubljeni",
     "statistics_cleared": "Statistika je bila uspešno počiščena",
+    "statistics_enable": "Omogoči statistiko",
     "interval_hours": "{{count}} ur",
     "interval_hours_plural": "{{count}} ur",
     "filters_configuration": "Nastavitve filtrov",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Kliknite za prikaz poizvedb",
     "port_53_faq_link": "Vrata 53 pogosto zasedajo storitve 'DNSStubListener' ali 'Sistemsko razrešene storitve'. Preberite <0>to navodilo</0> o tem, kako to rešiti.",
     "adg_will_drop_dns_queries": "AdGuard Home bo izpustil vse poizvedbe DNS iz tega odjemalca.",
-    "client_not_in_allowed_clients": "Odjemalec ni dovoljen, ker ga ni na seznamu \"Dovoljeni odjemalci\".",
+    "filter_allowlist": "OPOZORILO: S to akcijo bo pravilo \"{{disallowed_rule}}\" izključeno s seznama dovoljenih odjemalcev.",
+    "last_rule_in_allowlist": "Tega odjemalca ni mogoče onemogočiti, ker izključitev pravila \"{{disallowed_rule}}\" bo ONEMOGOČILO seznam 'Dovoljeni odjemalci'.",
     "experimental": "Eksperimentalno",
     "use_saved_key": "Uporabi prej shranjeni ključ"
 }

client/src/__locales/sv.json

@@ -4,6 +4,7 @@
     "bootstrap_dns_desc": "Bootstrap-DNS-servrar används för att slå upp DoH/DoT-resolvrarnas IP-adresser som du specificerat som uppström.",
     "local_ptr_placeholder": "Ange en serveradress per rad",
     "check_dhcp_servers": "Letar efter DHCP-servrar",
+    "save_config": "Spara konfiguration",
     "enabled_dhcp": "DHCP-server aktiverad",
     "disabled_dhcp": "Dhcp-server avaktiverad",
     "dhcp_title": "DHCP-server (experimentell)",
@@ -314,6 +315,7 @@
     "statistics_clear_confirm": "Är du säker på att du vill radera statistiken?",
     "statistics_retention_confirm": "Är du säker på att du vill ändra retentionstiden för statistik? Om du minskar intervallet kommer viss data att gå förlorad",
     "statistics_cleared": "Statistiken har rensats",
+    "statistics_enable": "Aktivera statistik",
     "interval_hours": "{{count}} timme",
     "interval_hours_plural": "{{count}} timmar",
     "filters_configuration": "Filterinställningar",

client/src/__locales/tr.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "Cihazlarınızı veya yönlendiricinizi şu adresteki DNS sunucusunu kullanması için ayarlamanız gerekecek:",
     "install_settings_all_interfaces": "Tüm arayüzler",
     "install_auth_title": "Kimlik Doğrulama",
-    "install_auth_desc": "AdGuard Home yönetici web arayüzüne erişim için kullanıcı adı ve şifre yapılandırmanız önemle tavsiye edilir. Yalnızca yerel ağınızdan erişilebilir olsa bile izinsiz erişimden korumak yine de önemlidir.",
+    "install_auth_desc": "AdGuard Home yönetim web arayüzü için şifre doğrulaması yapılandırılmalıdır. AdGuard Home'a yalnızca yerel ağınızdan erişilebilir olsa bile, onu sınırsız erişimden korumak yine de önemlidir.",
     "install_auth_username": "Kullanıcı adı",
     "install_auth_password": "Parola",
     "install_auth_confirm": "Parolayı onayla",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "İstatistikleri temizlemek istediğinizden emin misiniz?",
     "statistics_retention_confirm": "İstatistik saklama süresini değiştirmek istediğinizden emin misiniz? Zaman değerini azaltırsanız, bazı veriler kaybolacaktır",
     "statistics_cleared": "İstatistikler başarıyla temizlendi",
+    "statistics_enable": "İstatistikleri etkinleştir",
     "interval_hours": "{{count}} saat",
     "interval_hours_plural": "{{count}} saat",
     "filters_configuration": "Filtre yapılandırması",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "Sorguları görmek için tıklayın",
     "port_53_faq_link": "53 numaralı bağlantı noktası genellikle \"DNSStubListener\" veya \"systemd-resolved\" hizmetleri tarafından kullanılır. Lütfen bu sorunun nasıl çözüleceğine ilişkin <0>bu talimatı</0> okuyun.",
     "adg_will_drop_dns_queries": "AdGuard Home, bu istemciden gelen tüm DNS sorgularını yok sayar.",
-    "client_not_in_allowed_clients": "\"İzin verilen istemciler\" listesinde olmadığı için istemciye izin verilmiyor.",
+    "filter_allowlist": "UYARI: Bu işlem ayrıca \"{{disallowed_rule}}\" kuralını izin verilen istemciler listesinden hariç tutacaktır.",
+    "last_rule_in_allowlist": "\"{{disallowed_rule}}\" kuralı hariç tutulduğunda \"İzin verilen istemciler\" listesi DEVRE DIŞI bırakılacağı için bu istemciye izin verilemez.",
     "experimental": "Deneysel",
     "use_saved_key": "Önceden kaydedilmiş anahtarı kullan"
 }

client/src/__locales/vi.json

@@ -112,6 +112,8 @@
     "for_last_24_hours": "trong 24 giờ qua",
     "for_last_days": "trong {{count}} ngày qua",
     "for_last_days_plural": "trong {{count}} ngày qua",
+    "stats_disabled": "Số liệu thống kê đã bị vô hiệu hóa. Bạn có thể bật nó từ <0> trang cài đặt </0>.",
+    "stats_disabled_short": "Số liệu thống kê đã bị vô hiệu hóa",
     "no_domains_found": "Không có tên miền nào",
     "requests_count": "Số lần yêu cầu",
     "top_blocked_domains": "Tên miền chặn nhiều",
@@ -206,7 +208,7 @@
     "example_upstream_sdns": "bạn có thể sử dụng <0>DNS Stamps</0> for <1>DNSCrypt</1> hoặc <2>DNS-over-HTTPS</2> ",
     "example_upstream_tcp": "DNS thông thường(dùng TCP)",
     "all_lists_up_to_date_toast": "Tất cả danh sách đã ở phiên bản mới nhất",
-    "updated_upstream_dns_toast": "Đã cập nhật máy chủ DNS tìm kiếm",
+    "updated_upstream_dns_toast": "Các máy chủ thượng nguồn đã được lưu thành công",
     "dns_test_ok_toast": "Máy chủ DNS có thể sử dụng",
     "dns_test_not_ok_toast": "Máy chủ \"\"': không thể sử dụng, vui lòng kiểm tra lại",
     "unblock": "Bỏ chặn",
@@ -233,7 +235,7 @@
     "loading_table_status": "Đang tải...",
     "page_table_footer_text": "Trang",
     "rows_table_footer_text": "hàng",
-    "updated_custom_filtering_toast": "Đã cập nhật bộ lọc tùy chỉnh",
+    "updated_custom_filtering_toast": "Đã cập nhật quy tắc lọc tuỳ chỉnh",
     "rule_removed_from_custom_filtering_toast": "Quy tắc đã được xoá khỏi quy tắc lọc tuỳ chỉnh {{rule}}",
     "rule_added_to_custom_filtering_toast": "Quy tắc đã được thêm vào quy tắc lọc tuỳ chỉnh: {{rule}}",
     "query_log_response_status": "Trạng thái: {{value}}",
@@ -501,6 +503,7 @@
     "statistics_clear_confirm": "Bạn có chắc chắn muốn xóa số liệu thống kê?",
     "statistics_retention_confirm": "Bạn có chắc chắn muốn thay đổi lưu giữ số liệu thống kê? Nếu bạn giảm giá trị khoảng, một số dữ liệu sẽ bị mất",
     "statistics_cleared": "Xoá thống kê thành công",
+    "statistics_enable": "Bật thống kê",
     "interval_hours": "{{count}} giờ",
     "interval_hours_plural": "{{count}} giờ",
     "filters_configuration": "Cấu hình bộ lọc",
@@ -608,6 +611,7 @@
     "click_to_view_queries": "Nhấp để xem truy xuất",
     "port_53_faq_link": "Cổng 53 thường được sử dụng \"DNSStubListener\" hoặc \"systemd-resolved\". Vui lòng đọc <0>hướng dẫn</0> để giải quyết vấn đề này.",
     "adg_will_drop_dns_queries": "AdGuard Home sẽ loại bỏ tất cả các truy vấn DNS từ ứng dụng khách này.",
-    "client_not_in_allowed_clients": "Ứng dụng khách không được phép vì nó không có trong danh sách \"Ứng dụng khách được phép\".",
+    "filter_allowlist": "CẢNH BÁO: Hành động này cũng sẽ loại trừ quy tắc \"{{disallowed_rule}}\" khỏi danh sách các ứng dụng khách được phép.",
+    "last_rule_in_allowlist": "Không thể không cho phép ứng dụng khách này vì việc loại trừ quy tắc \"{{disallowed_rule}}\" sẽ TẮT danh sách \"Ứng dụng khách được phép\".",
     "experimental": "Thử nghiệm"
 }

client/src/__locales/zh-cn.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "您将需要使用以下地址来设置您的设备或路由器的 DNS 服务器：",
     "install_settings_all_interfaces": "所有接口",
     "install_auth_title": "身份认证",
-    "install_auth_desc": "我们强烈建议您为 AdGuard Home 的网页管理界面配置密码。即使该页面只能通过您的本地网络访问，但避免它被不加限制地访问仍十分重要。",
+    "install_auth_desc": "您需要对 AdGuard Home 的网页管理界面配置密码认证。即使该 AdGuard Home 只能通过您的本地网络访问，避免 AdGuard Home 被不受限制地访问依旧十分重要。",
     "install_auth_username": "用户名",
     "install_auth_password": "密码",
     "install_auth_confirm": "确认密码",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "您确定要清除统计数据？",
     "statistics_retention_confirm": "您确定要更改统计记录保留时间吗？ 如果您减少间隔时间的值， 某些数据可能会丢失。",
     "statistics_cleared": "统计数据已成功清除",
+    "statistics_enable": "启用统计数据",
     "interval_hours": "{{count}} 小时",
     "interval_hours_plural": "{{count}} 小时",
     "filters_configuration": "过滤器配置",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "点击查看查询",
     "port_53_faq_link": "53端口常被DNSStubListener或systemdn解析的服务占用。请阅读<0>这份关于如何解决这一问题的说明</0>",
     "adg_will_drop_dns_queries": "AdGuard Home 会终止所有来自此客户端的DNS查询。",
-    "client_not_in_allowed_clients": "此客户端不被允许，因为它不在“允许的客户端”列表中。",
+    "filter_allowlist": "警告：此操作将把规则 \"{{disallowed_rule}}\" 排除在允许客户端的列表之外。",
+    "last_rule_in_allowlist": "无法禁止此客户端，因为排除 “{{disallowed_rule}}” 规则将禁用“允许客户端”的列表。",
     "experimental": "实验性的",
     "use_saved_key": "使用之前保存的密钥"
 }

client/src/__locales/zh-tw.json

@@ -306,7 +306,7 @@
     "install_settings_dns_desc": "您將需要配置您的裝置或路由器以使用於下列的位址上之 DNS 伺服器：",
     "install_settings_all_interfaces": "所有的介面",
     "install_auth_title": "驗證",
-    "install_auth_desc": "配置屬於您的 AdGuard Home 管理員網路介面之密碼驗證是被非常建議的。即使它僅在您的區域網路中為可存取的，保護它免於不受限制的存取為仍然重要的。",
+    "install_auth_desc": "往您的 AdGuard Home 管理員網路介面之密碼驗證必須被配置。即使 AdGuard Home 僅在您的區域網路中為可存取的，保護它免於不受限制的存取為仍然重要的。",
     "install_auth_username": "使用者名稱",
     "install_auth_password": "密碼",
     "install_auth_confirm": "確認密碼",
@@ -503,6 +503,7 @@
     "statistics_clear_confirm": "您確定您想要清除統計資料嗎？",
     "statistics_retention_confirm": "您確定您想要更改統計資料保留嗎？如果您減少該間隔值，某些資料將被丟失",
     "statistics_cleared": "統計資料被成功地清除",
+    "statistics_enable": "啟用統計資料",
     "interval_hours": "{{count}} 小時",
     "interval_hours_plural": "{{count}} 小時",
     "filters_configuration": "過濾器配置",
@@ -612,7 +613,8 @@
     "click_to_view_queries": "點擊以檢視查詢",
     "port_53_faq_link": "連接埠 53 常被 \"DNSStubListener\" 或 \"systemd-resolved\" 服務佔用。請閱讀有關如何解決這個的<0>用法說明</0>。",
     "adg_will_drop_dns_queries": "AdGuard Home 將持續排除來自此用戶端之所有的 DNS 查詢。",
-    "client_not_in_allowed_clients": "該用戶端未被允許，因為它不在\"已允許的用戶端\"清單中。",
+    "filter_allowlist": "警告：此操作將把 \"{{disallowed_rule}}\" 規則排除在已允許用戶端的清單之外。",
+    "last_rule_in_allowlist": "無法禁止此用戶端，因為排除 “{{disallowed_rule}}” 規則將禁用“已允許用戶端”的清單。",
     "experimental": "實驗性的",
     "use_saved_key": "使用該先前已儲存的金鑰"
 }

client/src/actions/access.js

@@ -52,25 +52,34 @@ export const toggleClientBlock = (ip, disallowed, disallowed_rule) => async (dis
     dispatch(toggleClientBlockRequest());
     try {
         const accessList = await apiClient.getAccessList();
-        const allowed_clients = accessList.allowed_clients ?? [];
         const blocked_hosts = accessList.blocked_hosts ?? [];
-        const disallowed_clients = accessList.disallowed_clients ?? [];
+        let allowed_clients = accessList.allowed_clients ?? [];
-
+        let disallowed_clients = accessList.disallowed_clients ?? [];
-        const updatedDisallowedClients = disallowed
-            ? disallowed_clients.filter((client) => client !== disallowed_rule)
-            : disallowed_clients.concat(ip);
 
+        if (disallowed) {
+            if (!disallowed_rule) {
+                allowed_clients = allowed_clients.concat(ip);
+            } else {
+                disallowed_clients = disallowed_clients
+                    .filter((client) => client !== disallowed_rule);
+            }
+        } else if (allowed_clients.length > 1) {
+            allowed_clients = allowed_clients
+                .filter((client) => client !== disallowed_rule);
+        } else {
+            disallowed_clients = disallowed_clients.concat(ip);
+        }
         const values = {
             allowed_clients,
             blocked_hosts,
-            disallowed_clients: updatedDisallowedClients,
+            disallowed_clients,
         };
 
         await apiClient.setAccessList(values);
         dispatch(toggleClientBlockSuccess(values));
 
         if (disallowed) {
-            dispatch(addSuccessToast(i18next.t('client_unblocked', { ip: disallowed_rule })));
+            dispatch(addSuccessToast(i18next.t('client_unblocked', { ip: disallowed_rule || ip })));
         } else {
             dispatch(addSuccessToast(i18next.t('client_blocked', { ip })));
         }

client/src/components/Dashboard/Clients.js

@@ -38,15 +38,23 @@ const renderBlockingButton = (ip, disallowed, disallowed_rule) => {
     const dispatch = useDispatch();
     const { t } = useTranslation();
     const processingSet = useSelector((state) => state.access.processingSet);
+    const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
 
     const buttonClass = classNames('button-action button-action--main', {
         'button-action--unblock': disallowed,
     });
 
     const toggleClientStatus = async (ip, disallowed, disallowed_rule) => {
-        const confirmMessage = disallowed
+        let confirmMessage;
-            ? t('client_confirm_unblock', { ip: disallowed_rule })
+
-            : `${t('adg_will_drop_dns_queries')} ${t('client_confirm_block', { ip })}`;
+        if (disallowed) {
+            confirmMessage = t('client_confirm_unblock', { ip: disallowed_rule || ip });
+        } else {
+            confirmMessage = `${t('adg_will_drop_dns_queries')} ${t('client_confirm_block', { ip })}`;
+            if (allowedСlients.length > 0) {
+                confirmMessage = confirmMessage.concat(`\n\n${t('filter_allowlist', { disallowed_rule })}`);
+            }
+        }
 
         if (window.confirm(confirmMessage)) {
             await dispatch(toggleClientBlock(ip, disallowed, disallowed_rule));
@@ -58,15 +66,16 @@ const renderBlockingButton = (ip, disallowed, disallowed_rule) => {
 
     const text = disallowed ? BLOCK_ACTIONS.UNBLOCK : BLOCK_ACTIONS.BLOCK;
 
-    const isNotInAllowedList = disallowed && disallowed_rule === '';
+    const lastRuleInAllowlist = !disallowed && allowedСlients === disallowed_rule;
+    const disabled = processingSet || lastRuleInAllowlist;
     return (
         <div className="table__action pl-4">
             <button
                 type="button"
                 className={buttonClass}
-                onClick={isNotInAllowedList ? undefined : onClick}
+                onClick={onClick}
-                disabled={isNotInAllowedList || processingSet}
+                disabled={disabled}
-                title={t(isNotInAllowedList ? 'client_not_in_allowed_clients' : text)}
+                title={lastRuleInAllowlist ? t('last_rule_in_allowlist', { disallowed_rule }) : ''}
             >
                 <Trans>{text}</Trans>
             </button>

client/src/components/Dashboard/Counters.js

@@ -16,18 +16,31 @@ const Row = ({
         ? <LogsSearchLink response_status={response_status}>{formatNumber(count)}</LogsSearchLink>
         : count;
 
-    return <tr key={label}>
+    return (
-        <td>
+        <div className="counters__row" key={label}>
-            <Trans components={translationComponents}>{label}</Trans>
+            <div className="counters__column">
-            <Tooltip content={tooltipTitle} placement="top"
+                <span className="counters__title">
-                     className="tooltip-container tooltip-custom--narrow text-center">
+                    <Trans components={translationComponents}>
-                <svg className="icons icon--20 icon--lightgray ml-2">
+                        {label}
-                    <use xlinkHref="#question" />
+                    </Trans>
-                </svg>
+                </span>
-            </Tooltip>
+                <span className="counters__tooltip">
-        </td>
+                    <Tooltip
-        <td className="text-right"><strong>{content}</strong></td>
+                        content={tooltipTitle}
-    </tr>;
+                        placement="top"
+                        className="tooltip-container tooltip-custom--narrow text-center"
+                    >
+                        <svg className="icons icon--20 icon--lightgray ml-2">
+                            <use xlinkHref="#question" />
+                        </svg>
+                    </Tooltip>
+                </span>
+            </div>
+            <div className="counters__column counters__column--value">
+                <strong>{content}</strong>
+            </div>
+        </div>
+    );
 };
 
 const Counters = ({ refreshButton, subtitle }) => {
@@ -88,9 +101,9 @@ const Counters = ({ refreshButton, subtitle }) => {
             bodyType="card-table"
             refresh={refreshButton}
         >
-            <table className="table card-table">
+            <div className="counters">
-                <tbody>{rows.map(Row)}</tbody>
+                {rows.map(Row)}
-            </table>
+            </div>
         </Card>
     );
 };

client/src/components/Dashboard/Dashboard.css

@@ -49,3 +49,39 @@
         display: block;
     }
 }
+
+.counters__row {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    border-top: 1px solid #dee2e6;
+    padding: 0.75rem 1.5rem;
+}
+
+.counters__column--value {
+    flex-shrink: 0;
+    margin-left: 1.5rem;
+    text-align: right;
+    white-space: nowrap;
+}
+
+@media screen and (min-width: 768px) {
+    .counters__column {
+        display: flex;
+        align-items: center;
+        overflow: hidden;
+    }
+
+    .counters__title {
+        display: block;
+        max-width: 100%;
+        white-space: nowrap;
+        text-overflow: ellipsis;
+        overflow: hidden;
+    }
+
+    .counters__tooltip {
+        display: block;
+        flex-shrink: 0;
+    }
+}

client/src/components/Logs/Cells/ClientCell.js

@@ -28,6 +28,8 @@ const ClientCell = ({
     const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
     const processingRules = useSelector((state) => state.filtering.processingRules);
     const isDetailed = useSelector((state) => state.queryLogs.isDetailed);
+    const processingSet = useSelector((state) => state.access.processingSet);
+    const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
     const [isOptionsOpened, setOptionsOpened] = useState(false);
 
     const autoClient = autoClients.find((autoClient) => autoClient.name === client);
@@ -71,11 +73,12 @@ const ClientCell = ({
         const {
             confirmMessage,
             buttonKey: blockingClientKey,
-            isNotInAllowedList,
+            lastRuleInAllowlist,
         } = getBlockClientInfo(
             client,
             client_info?.disallowed || false,
             client_info?.disallowed_rule || '',
+            allowedСlients,
         );
 
         const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
@@ -100,7 +103,7 @@ const ClientCell = ({
                         await dispatch(updateLogs());
                     }
                 },
-                disabled: isNotInAllowedList,
+                disabled: processingSet || lastRuleInAllowlist,
             },
         ];
 

client/src/components/Logs/Cells/helpers/index.js

@@ -2,17 +2,24 @@ import i18next from 'i18next';
 
 export const BUTTON_PREFIX = 'btn_';
 
-export const getBlockClientInfo = (ip, disallowed, disallowed_rule) => {
+export const getBlockClientInfo = (ip, disallowed, disallowed_rule, allowedСlients) => {
-    const confirmMessage = disallowed
+    let confirmMessage;
-        ? i18next.t('client_confirm_unblock', { ip: disallowed_rule })
+
-        : `${i18next.t('adg_will_drop_dns_queries')} ${i18next.t('client_confirm_block', { ip })}`;
+    if (disallowed) {
+        confirmMessage = i18next.t('client_confirm_unblock', { ip: disallowed_rule || ip });
+    } else {
+        confirmMessage = `${i18next.t('adg_will_drop_dns_queries')} ${i18next.t('client_confirm_block', { ip })}`;
+        if (allowedСlients.length > 0) {
+            confirmMessage = confirmMessage.concat(`\n\n${i18next.t('filter_allowlist', { disallowed_rule })}`);
+        }
+    }
 
     const buttonKey = i18next.t(disallowed ? 'allow_this_client' : 'disallow_this_client');
-    const isNotInAllowedList = disallowed && disallowed_rule === '';
+    const lastRuleInAllowlist = !disallowed && allowedСlients === disallowed_rule;
 
     return {
         confirmMessage,
         buttonKey,
-        isNotInAllowedList,
+        lastRuleInAllowlist,
     };
 };

client/src/components/Logs/Cells/index.js

@@ -50,6 +50,8 @@ const Row = memo(({
     const filters = useSelector((state) => state.filtering.filters, shallowEqual);
     const whitelistFilters = useSelector((state) => state.filtering.whitelistFilters, shallowEqual);
     const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
+    const processingSet = useSelector((state) => state.access.processingSet);
+    const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
 
     const clients = useSelector((state) => state.dashboard.clients);
 
@@ -104,11 +106,12 @@ const Row = memo(({
         const {
             confirmMessage,
             buttonKey: blockingClientKey,
-            isNotInAllowedList,
+            lastRuleInAllowlist,
         } = getBlockClientInfo(
             client,
             client_info?.disallowed || false,
             client_info?.disallowed_rule || '',
+            allowedСlients,
         );
 
         const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
@@ -147,7 +150,7 @@ const Row = memo(({
         const blockClientButton = <button
                 className='text-center font-weight-bold py-2 button-action--arrow-option'
                 onClick={onBlockingClientClick}
-                disabled={isNotInAllowedList}>
+                disabled={processingSet || lastRuleInAllowlist}>
             {t(blockingClientKey)}
         </button>;
 

client/src/components/Logs/index.js

@@ -15,6 +15,7 @@ import Disabled from './Disabled';
 import { getFilteringStatus } from '../../actions/filtering';
 import { getClients } from '../../actions';
 import { getDnsConfig } from '../../actions/dnsConfig';
+import { getAccessList } from '../../actions/access';
 import {
     getLogsConfig,
     resetFilteredLogs,
@@ -126,6 +127,7 @@ const Logs = () => {
                 await Promise.all([
                     dispatch(getLogsConfig()),
                     dispatch(getDnsConfig()),
+                    dispatch(getAccessList()),
                 ]);
             } catch (err) {
                 console.error(err);

client/src/components/Settings/Dns/Access/Form.js

@@ -1,6 +1,7 @@
 import React from 'react';
 import PropTypes from 'prop-types';
-import { Field, reduxForm } from 'redux-form';
+import { connect } from 'react-redux';
+import { Field, reduxForm, formValueSelector } from 'redux-form';
 import { Trans, withTranslation } from 'react-i18next';
 import flow from 'lodash/flow';
 import { renderTextareaField } from '../../../../helpers/form';
@@ -31,16 +32,20 @@ const fields = [
     },
 ];
 
-const Form = (props) => {
+let Form = (props) => {
     const {
-        handleSubmit, submitting, invalid, processingSet,
+        allowedClients, handleSubmit, submitting, invalid, processingSet,
     } = props;
 
     const renderField = ({
-        id, title, subtitle, disabled = processingSet, normalizeOnBlur,
+        id, title, subtitle, disabled = false, processingSet, normalizeOnBlur,
     }) => <div key={id} className="form__group mb-5">
         <label className="form__label form__label--with-desc" htmlFor={id}>
             <Trans>{title}</Trans>
+            {disabled && <>
+                <span> </span>
+                (<Trans>disabled</Trans>)
+            </>}
         </label>
         <div className="form__desc form__desc--top">
             <Trans>{subtitle}</Trans>
@@ -51,7 +56,7 @@ const Form = (props) => {
             component={renderTextareaField}
             type="text"
             className="form-control form-control--textarea font-monospace"
-            disabled={disabled}
+            disabled={disabled || processingSet}
             normalizeOnBlur={normalizeOnBlur}
         />
     </div>;
@@ -66,7 +71,15 @@ const Form = (props) => {
 
     return (
         <form onSubmit={handleSubmit}>
-            {fields.map(renderField)}
+            {
+                fields.map((f) => {
+                    const props = { ...f };
+                    if (allowedClients && f.id === 'disallowed_clients') {
+                        props.disabled = true;
+                    }
+                    return renderField(props);
+                })
+            }
             <div className="card-actions">
                 <div className="btn-list">
                     <button
@@ -90,6 +103,21 @@ Form.propTypes = {
     processingSet: PropTypes.bool.isRequired,
     t: PropTypes.func.isRequired,
     textarea: PropTypes.bool,
+    allowedClients: PropTypes.string,
 };
 
-export default flow([withTranslation(), reduxForm({ form: FORM_NAME.ACCESS })])(Form);
+const selector = formValueSelector(FORM_NAME.ACCESS);
+
+Form = connect((state) => {
+    const allowedClients = selector(state, 'allowed_clients');
+    return {
+        allowedClients,
+    };
+})(Form);
+
+export default flow([
+    withTranslation(),
+    reduxForm({
+        form: FORM_NAME.ACCESS,
+    }),
+])(Form);

client/src/helpers/constants.js

@@ -202,7 +202,7 @@ export const FILTERS_URLS = {
 export const SERVICES = [
     {
         id: '9gag',
-        name: '9Gag',
+        name: '9GAG',
     },
     {
         id: 'amazon',

go.mod

@@ -3,11 +3,11 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.16
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.39.4
+	github.com/AdguardTeam/dnsproxy v0.39.8
-	github.com/AdguardTeam/golibs v0.9.2
+	github.com/AdguardTeam/golibs v0.9.3
 	github.com/AdguardTeam/urlfilter v0.14.6
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/ameshkov/dnscrypt/v2 v2.2.1
+	github.com/ameshkov/dnscrypt/v2 v2.2.2
 	github.com/digineo/go-ipset/v2 v2.2.1
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/go-ping/ping v0.0.0-20210506233800-ff8be3320020
@@ -18,15 +18,15 @@ require (
 	github.com/lucas-clemente/quic-go v0.21.1
 	github.com/mdlayher/netlink v1.4.0
 	github.com/mdlayher/raw v0.0.0-20210412142147-51b895745faf // indirect
-	github.com/miekg/dns v1.1.42
+	github.com/miekg/dns v1.1.43
 	github.com/satori/go.uuid v1.2.0
 	github.com/stretchr/objx v0.1.1 // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/ti-mo/netfilter v0.4.0
 	go.etcd.io/bbolt v1.3.6
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
-	golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985
+	golang.org/x/net v0.0.0-20210825183410-e898025ed96a
-	golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
+	golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v2 v2.4.0
 	howett.net/plist v0.0.0-20201203080718-1454fab16a06

go.sum

@@ -9,12 +9,13 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
-github.com/AdguardTeam/dnsproxy v0.39.4 h1:vjcogr0qpSTvRYzbXabBXblfzYpx+LOn91kjtnYgcrU=
+github.com/AdguardTeam/dnsproxy v0.39.8 h1:miRhkZBx/19Rs1o10r3QC0D0Zc2J2Id/cqXwfvLOyM0=
-github.com/AdguardTeam/dnsproxy v0.39.4/go.mod h1:JZUxXM70BUlAmMaJEPa6Wh+Tz7eBAQx6DM1GMt+Ff5E=
+github.com/AdguardTeam/dnsproxy v0.39.8/go.mod h1:eDpJKAdkHORRwAedjuERv+7SWlcz4cn+5uwrbUAWHRY=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
-github.com/AdguardTeam/golibs v0.9.2 h1:H3BDFkaosxvb+UgFlNVyN66GZ+JglcZULnJ7z7PukyQ=
 github.com/AdguardTeam/golibs v0.9.2/go.mod h1:fCAMwPBJ8S7YMYbTWvYS+eeTLblP5E04IDtNAo7y7IY=
+github.com/AdguardTeam/golibs v0.9.3 h1:noeKHJEzrSwxzX0Zi3USM3cXf1qQV99SO772jet/uEY=
+github.com/AdguardTeam/golibs v0.9.3/go.mod h1:fCAMwPBJ8S7YMYbTWvYS+eeTLblP5E04IDtNAo7y7IY=
 github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU=
 github.com/AdguardTeam/urlfilter v0.14.6 h1:emqoKZElooHACYehRBYENeKVN1a/rspxiqTIMYLuoIo=
 github.com/AdguardTeam/urlfilter v0.14.6/go.mod h1:klx4JbOfc4EaNb5lWLqOwfg+pVcyRukmoJRvO55lL5U=
@@ -28,9 +29,8 @@ github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmH
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
-github.com/ameshkov/dnscrypt/v2 v2.1.3/go.mod h1:+8SbPbVXpxxcUsgGi8eodkqWPo1MyNHxKYC8hDpqLSo=
+github.com/ameshkov/dnscrypt/v2 v2.2.2 h1:lxtS1iSA2EjTOMToSi+2+rwspNA+b/wG5/JpccvE9CU=
-github.com/ameshkov/dnscrypt/v2 v2.2.1 h1:+cApRxzeBZqjUNsN26TTz7r5A8U+buON3kJgIYE3QWQ=
+github.com/ameshkov/dnscrypt/v2 v2.2.2/go.mod h1:+8SbPbVXpxxcUsgGi8eodkqWPo1MyNHxKYC8hDpqLSo=
-github.com/ameshkov/dnscrypt/v2 v2.2.1/go.mod h1:+8SbPbVXpxxcUsgGi8eodkqWPo1MyNHxKYC8hDpqLSo=
 github.com/ameshkov/dnsstamps v1.0.1/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
 github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=
 github.com/ameshkov/dnsstamps v1.0.3/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
@@ -170,8 +170,8 @@ github.com/mdlayher/raw v0.0.0-20210412142147-51b895745faf/go.mod h1:7EpbotpCmVZ
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.40/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/miekg/dns v1.1.42 h1:gWGe42RGaIqXQZ+r3WUGEKBEtvPHY2SXo4dqixDNxuY=
+github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
-github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
+github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo=
@@ -262,8 +262,8 @@ golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
-golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -299,8 +299,9 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985 h1:4CSI6oo7cOjJKajidEljs9h+uP0rRZBPPPhcCbj5mw8=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210825183410-e898025ed96a h1:bRuuGXV8wwSdGTB+CtJf+FjgO1APK1CoO39T4BN/XBw=
+golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -354,8 +355,9 @@ golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf h1:2ucpDCmfkl8Bd/FsLtiD653Wf96cW37s+iGx93zsu4k=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e h1:XMgFehsDnnLGtjvjOfqWSUzt0alpTR1RSEuznObga2c=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

internal/aghnet/etchostscontainer_test.go

@@ -117,8 +117,8 @@ func TestEtcHostsContainerFSNotify(t *testing.T) {
 	assertWriting(t, f, "127.0.0.2   newhost\n")
 	require.NoError(t, f.Sync())
 
-	// Wait until fsnotify has triggerred and processed the
+	// Wait until fsnotify has triggered and processed the file-modification
-	// file-modification event.
+	// event.
 	time.Sleep(50 * time.Millisecond)
 
 	t.Run("notified", func(t *testing.T) {

internal/aghnet/ipset_linux.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 
 	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
 	"github.com/digineo/go-ipset/v2"
 	"github.com/mdlayher/netlink"
 	"github.com/ti-mo/netfilter"
@@ -67,6 +68,15 @@ type ipsetProps struct {
 // unit is a convenient alias for struct{}.
 type unit = struct{}
 
+// ipsInIpset is the type of a set of IP-address-to-ipset mappings.
+type ipsInIpset map[ipInIpsetEntry]unit
+
+// ipInIpsetEntry is the type for entries in an ipsInIpset set.
+type ipInIpsetEntry struct {
+	ipsetName string
+	ipArr     [net.IPv6len]byte
+}
+
 // ipsetMgr is the Linux Netfilter ipset manager.
 type ipsetMgr struct {
 	nameToIpset    map[string]ipsetProps
@@ -82,7 +92,7 @@ type ipsetMgr struct {
 	// are either added to all corresponding ipsets or not.  When that stops
 	// being the case, for example if we add dynamic reconfiguration of
 	// ipsets, this map will need to become a per-ipset-name one.
-	addedIPs map[[16]byte]unit
+	addedIPs ipsInIpset
 
 	ipv4Conn ipsetConn
 	ipv6Conn ipsetConn
@@ -199,7 +209,7 @@ func newIpsetMgrWithDialer(ipsetConf []string, dial ipsetDialer) (mgr IpsetManag
 
 		dial: dial,
 
-		addedIPs: make(map[[16]byte]unit),
+		addedIPs: make(ipsInIpset),
 	}
 
 	err = m.dialNetfilter(&netlink.Config{})
@@ -265,16 +275,19 @@ func (m *ipsetMgr) addIPs(host string, set ipsetProps, ips []net.IP) (n int, err
 	}
 
 	var entries []*ipset.Entry
-	var newAddedIPs [][16]byte
+	var newAddedEntries []ipInIpsetEntry
 	for _, ip := range ips {
-		var iparr [16]byte
+		e := ipInIpsetEntry{
-		copy(iparr[:], ip.To16())
+			ipsetName: set.name,
-		if _, added := m.addedIPs[iparr]; added {
+		}
+		copy(e.ipArr[:], ip.To16())
+
+		if _, added := m.addedIPs[e]; added {
 			continue
 		}
 
 		entries = append(entries, ipset.NewEntry(ipset.EntryIP(ip)))
-		newAddedIPs = append(newAddedIPs, iparr)
+		newAddedEntries = append(newAddedEntries, e)
 	}
 
 	n = len(entries)
@@ -299,8 +312,8 @@ func (m *ipsetMgr) addIPs(host string, set ipsetProps, ips []net.IP) (n int, err
 
 	// Only add these to the cache once we're sure that all of them were
 	// actually sent to the ipset.
-	for _, iparr := range newAddedIPs {
+	for _, e := range newAddedEntries {
-		m.addedIPs[iparr] = unit{}
+		m.addedIPs[e] = unit{}
 	}
 
 	return n, nil
@@ -330,6 +343,8 @@ func (m *ipsetMgr) addToSets(
 			return n, fmt.Errorf("unexpected family %s for ipset %q", set.family, set.name)
 		}
 
+		log.Debug("ipset: added %d ips to set %s", nn, set.name)
+
 		n += nn
 	}
 
@@ -346,6 +361,8 @@ func (m *ipsetMgr) Add(host string, ip4s, ip6s []net.IP) (n int, err error) {
 		return 0, nil
 	}
 
+	log.Debug("ipset: found %d sets", len(sets))
+
 	return m.addToSets(host, ip4s, ip6s, sets)
 }
 

internal/aghnet/systemresolvers_windows.go

@@ -99,7 +99,13 @@ func scanAddrs(s *bufio.Scanner) (addrs []string) {
 // local resolvers addresses on Windows.  We execute the external command for
 // now that is not the most accurate way.
 func (sr *systemResolvers) getAddrs() (addrs []string, err error) {
-	cmd := exec.Command("nslookup")
+	var cmdPath string
+	cmdPath, err = exec.LookPath("nslookup.exe")
+	if err != nil {
+		return nil, fmt.Errorf("looking up cmd path: %w", err)
+	}
+
+	cmd := exec.Command(cmdPath)
 
 	var stdin io.WriteCloser
 	stdin, err = cmd.StdinPipe()

internal/aghtest/upstream.go

@@ -167,7 +167,7 @@ func (u *TestBlockUpstream) RequestsCount() int {
 // TestErrUpstream implements upstream.Upstream interface for replacing real
 // upstream in tests.
 type TestErrUpstream struct {
-	// The error returned by Exchange may be unwraped to the Err.
+	// The error returned by Exchange may be unwrapped to the Err.
 	Err error
 }
 

internal/aghtime/duration.go

@@ -38,7 +38,7 @@ func (d Duration) String() (str string) {
 		rounded == 0,
 		rounded*time.Second != d.Duration,
 		rounded%60 != 0:
-		// Return the uncutted value if it's either equal to zero or has
+		// Return the uncut value if it's either equal to zero or has
 		// fractions of a second or even whole seconds in it.
 		return str
 
@@ -60,7 +60,7 @@ func (d Duration) MarshalText() (text []byte, err error) {
 //
 // TODO(e.burkov): Make it able to parse larger units like days.
 func (d *Duration) UnmarshalText(b []byte) (err error) {
-	defer func() { err = errors.Annotate(err, "unmarshalling duration: %w") }()
+	defer func() { err = errors.Annotate(err, "unmarshaling duration: %w") }()
 
 	d.Duration, err = time.ParseDuration(string(b))
 

internal/aghtime/duration_test.go

@@ -60,7 +60,7 @@ func TestDuration_String(t *testing.T) {
 }
 
 // durationEncodingTester is a helper struct to simplify testing different
-// Duration marshalling and unmarshalling cases.
+// Duration marshalling and unmarshaling cases.
 type durationEncodingTester struct {
 	PtrMap   map[string]*Duration `json:"ptr_map"   yaml:"ptr_map"`
 	PtrSlice []*Duration          `json:"ptr_slice" yaml:"ptr_slice"`
@@ -104,7 +104,7 @@ const (
 // Duration.
 const defaultTestDur = time.Millisecond
 
-// checkFields verifies m's fields.  It expects the m to be unmarshalled from
+// checkFields verifies m's fields.  It expects the m to be unmarshaled from
 // one of the constant strings above.
 func (m *durationEncodingTester) checkFields(t *testing.T, d Duration) {
 	t.Run("pointers_map", func(t *testing.T) {

internal/dhcpd/broadcast_bsd.go

@@ -0,0 +1,37 @@
+//go:build freebsd || openbsd
+// +build freebsd openbsd
+
+package dhcpd
+
+import (
+	"net"
+
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/insomniacslk/dhcp/dhcpv4"
+)
+
+// broadcast sends resp to the broadcast address specific for network interface.
+func (s *v4Server) broadcast(peer net.Addr, conn net.PacketConn, resp *dhcpv4.DHCPv4) {
+	// peer is expected to be of type *net.UDPConn as the server4.NewServer
+	// initializes it.
+	udpPeer, ok := peer.(*net.UDPAddr)
+	if !ok {
+		log.Error("dhcpv4: peer is of unexpected type %T", peer)
+
+		return
+	}
+
+	// Despite the fact that server4.NewIPv4UDPConn explicitly sets socket
+	// options to allow broadcasting, it also binds the connection to a
+	// specific interface.  On FreeBSD and OpenBSD conn.WriteTo causes
+	// errors while writing to the addresses that belong to another
+	// interface.  So, use the broadcast address specific for the binded
+	// interface.
+	udpPeer.IP = s.conf.broadcastIP
+
+	log.Debug("dhcpv4: sending to %s: %s", peer, resp.Summary())
+
+	if _, err := conn.WriteTo(resp.ToBytes(), peer); err != nil {
+		log.Error("dhcpv4: conn.Write to %s failed: %s", peer, err)
+	}
+}

internal/dhcpd/broadcast_bsd_test.go

@@ -0,0 +1,87 @@
+//go:build freebsd || openbsd
+// +build freebsd openbsd
+
+package dhcpd
+
+import (
+	"bytes"
+	"net"
+	"testing"
+
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/insomniacslk/dhcp/dhcpv4"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestV4Server_Send_broadcast(t *testing.T) {
+	b := &bytes.Buffer{}
+	var peer *net.UDPAddr
+
+	conn := &fakePacketConn{
+		writeTo: func(p []byte, addr net.Addr) (n int, err error) {
+			udpPeer, ok := addr.(*net.UDPAddr)
+			require.True(t, ok)
+
+			peer = cloneUDPAddr(udpPeer)
+
+			n, err = b.Write(p)
+			require.NoError(t, err)
+
+			return n, nil
+		},
+	}
+
+	defaultPeer := &net.UDPAddr{
+		IP: net.IP{1, 2, 3, 4},
+		// Use neither client nor server port.
+		Port: 1234,
+	}
+	s := &v4Server{
+		conf: V4ServerConf{
+			broadcastIP: net.IP{1, 2, 3, 255},
+		},
+	}
+
+	testCases := []struct {
+		name string
+		req  *dhcpv4.DHCPv4
+		resp *dhcpv4.DHCPv4
+	}{{
+		name: "nak",
+		req: &dhcpv4.DHCPv4{
+			GatewayIPAddr: netutil.IPv4Zero(),
+		},
+		resp: &dhcpv4.DHCPv4{
+			Options: dhcpv4.OptionsFromList(
+				dhcpv4.OptMessageType(dhcpv4.MessageTypeNak),
+			),
+		},
+	}, {
+		name: "fully_unspecified",
+		req: &dhcpv4.DHCPv4{
+			GatewayIPAddr: netutil.IPv4Zero(),
+			ClientIPAddr:  netutil.IPv4Zero(),
+		},
+		resp: &dhcpv4.DHCPv4{
+			Options: dhcpv4.OptionsFromList(
+				dhcpv4.OptMessageType(dhcpv4.MessageTypeOffer),
+			),
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			s.send(cloneUDPAddr(defaultPeer), conn, tc.req, tc.resp)
+			assert.EqualValues(t, tc.resp.ToBytes(), b.Bytes())
+			assert.Equal(t, &net.UDPAddr{
+				IP:   s.conf.broadcastIP,
+				Port: defaultPeer.Port,
+				Zone: defaultPeer.Zone,
+			}, peer)
+		})
+
+		b.Reset()
+		peer = nil
+	}
+}

internal/dhcpd/broadcast_others.go

@@ -0,0 +1,51 @@
+//go:build aix || darwin || dragonfly || linux || netbsd || solaris
+// +build aix darwin dragonfly linux netbsd solaris
+
+package dhcpd
+
+import (
+	"net"
+
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/insomniacslk/dhcp/dhcpv4"
+)
+
+// broadcast sends resp to the broadcast address specific for network interface.
+func (s *v4Server) broadcast(peer net.Addr, conn net.PacketConn, resp *dhcpv4.DHCPv4) {
+	respData := resp.ToBytes()
+
+	log.Debug("dhcpv4: sending to %s: %s", peer, resp.Summary())
+
+	// This write to 0xffffffff reverts some behavior changes made in
+	// https://github.com/AdguardTeam/AdGuardHome/issues/3289.  The DHCP
+	// server should broadcast the message to 0xffffffff but it's
+	// inconsistent with the actual mental model of DHCP implementation
+	// which requires the network interface selection to bind to.
+	//
+	// See https://github.com/AdguardTeam/AdGuardHome/issues/3480 and
+	// https://github.com/AdguardTeam/AdGuardHome/issues/3366.
+	//
+	// See also https://github.com/AdguardTeam/AdGuardHome/issues/3539.
+	if _, err := conn.WriteTo(respData, peer); err != nil {
+		log.Error("dhcpv4: conn.Write to %s failed: %s", peer, err)
+	}
+
+	// peer is expected to be of type *net.UDPConn as the server4.NewServer
+	// initializes it.
+	udpPeer, ok := peer.(*net.UDPAddr)
+	if !ok {
+		log.Error("dhcpv4: peer is of unexpected type %T", peer)
+
+		return
+	}
+
+	// Broadcast the message one more time using the interface-specific
+	// broadcast address.
+	udpPeer.IP = s.conf.broadcastIP
+
+	log.Debug("dhcpv4: sending to %s: %s", peer, resp.Summary())
+
+	if _, err := conn.WriteTo(respData, peer); err != nil {
+		log.Error("dhcpv4: conn.Write to %s failed: %s", peer, err)
+	}
+}

internal/dhcpd/broadcast_others_test.go

@@ -0,0 +1,96 @@
+//go:build aix || darwin || dragonfly || linux || netbsd || solaris
+// +build aix darwin dragonfly linux netbsd solaris
+
+package dhcpd
+
+import (
+	"bytes"
+	"net"
+	"testing"
+
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/insomniacslk/dhcp/dhcpv4"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestV4Server_Send_broadcast(t *testing.T) {
+	b := &bytes.Buffer{}
+	var peers []*net.UDPAddr
+
+	conn := &fakePacketConn{
+		writeTo: func(p []byte, addr net.Addr) (n int, err error) {
+			udpPeer, ok := addr.(*net.UDPAddr)
+			require.True(t, ok)
+
+			peers = append(peers, cloneUDPAddr(udpPeer))
+
+			n, err = b.Write(p)
+			require.NoError(t, err)
+
+			return n, nil
+		},
+	}
+
+	defaultPeer := &net.UDPAddr{
+		IP: net.IP{1, 2, 3, 4},
+		// Use neither client nor server port.
+		Port: 1234,
+	}
+	s := &v4Server{
+		conf: V4ServerConf{
+			broadcastIP: net.IP{1, 2, 3, 255},
+		},
+	}
+
+	testCases := []struct {
+		name string
+		req  *dhcpv4.DHCPv4
+		resp *dhcpv4.DHCPv4
+	}{{
+		name: "nak",
+		req: &dhcpv4.DHCPv4{
+			GatewayIPAddr: netutil.IPv4Zero(),
+		},
+		resp: &dhcpv4.DHCPv4{
+			Options: dhcpv4.OptionsFromList(
+				dhcpv4.OptMessageType(dhcpv4.MessageTypeNak),
+			),
+		},
+	}, {
+		name: "fully_unspecified",
+		req: &dhcpv4.DHCPv4{
+			GatewayIPAddr: netutil.IPv4Zero(),
+			ClientIPAddr:  netutil.IPv4Zero(),
+		},
+		resp: &dhcpv4.DHCPv4{
+			Options: dhcpv4.OptionsFromList(
+				dhcpv4.OptMessageType(dhcpv4.MessageTypeOffer),
+			),
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			s.send(cloneUDPAddr(defaultPeer), conn, tc.req, tc.resp)
+
+			// The same response is written twice.
+			respData := tc.resp.ToBytes()
+			assert.EqualValues(t, append(respData, respData...), b.Bytes())
+
+			require.Len(t, peers, 2)
+
+			assert.Equal(t, &net.UDPAddr{
+				IP:   defaultPeer.IP,
+				Port: defaultPeer.Port,
+			}, peers[0])
+			assert.Equal(t, &net.UDPAddr{
+				IP:   s.conf.broadcastIP,
+				Port: defaultPeer.Port,
+			}, peers[1])
+		})
+
+		b.Reset()
+		peers = nil
+	}
+}

internal/dhcpd/dhcpd_test.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -136,3 +137,12 @@ func TestNormalizeLeases(t *testing.T) {
 	assert.Equal(t, leases[1].HWAddr, staticLeases[1].HWAddr)
 	assert.Equal(t, leases[2].HWAddr, dynLeases[1].HWAddr)
 }
+
+// cloneUDPAddr returns a deep copy of a.
+func cloneUDPAddr(a *net.UDPAddr) (copy *net.UDPAddr) {
+	return &net.UDPAddr{
+		IP:   netutil.CloneIP(a.IP),
+		Port: a.Port,
+		Zone: a.Zone,
+	}
+}

internal/dhcpd/options.go

@@ -1,134 +0,0 @@
-package dhcpd
-
-import (
-	"encoding/hex"
-	"fmt"
-	"net"
-	"strconv"
-	"strings"
-
-	"github.com/AdguardTeam/golibs/errors"
-)
-
-// hexDHCPOptionParserHandler parses a DHCP option as a hex-encoded string.
-// For example:
-//
-//   252 hex 736f636b733a2f2f70726f78792e6578616d706c652e6f7267
-//
-func hexDHCPOptionParserHandler(s string) (data []byte, err error) {
-	data, err = hex.DecodeString(s)
-	if err != nil {
-		return nil, fmt.Errorf("decoding hex: %w", err)
-	}
-
-	return data, nil
-}
-
-// ipDHCPOptionParserHandler parses a DHCP option as a single IP address.
-// For example:
-//
-//   6 ip 192.168.1.1
-//
-func ipDHCPOptionParserHandler(s string) (data []byte, err error) {
-	ip := net.ParseIP(s)
-	if ip == nil {
-		return nil, errors.Error("invalid ip")
-	}
-
-	// Most DHCP options require IPv4, so do not put the 16-byte
-	// version if we can.  Otherwise, the clients will receive weird
-	// data that looks like four IPv4 addresses.
-	//
-	// See https://github.com/AdguardTeam/AdGuardHome/issues/2688.
-	if ip4 := ip.To4(); ip4 != nil {
-		data = ip4
-	} else {
-		data = ip
-	}
-
-	return data, nil
-}
-
-// textDHCPOptionParserHandler parses a DHCP option as a simple UTF-8 encoded
-// text.  For example:
-//
-//   252 text http://192.168.1.1/wpad.dat
-//
-func ipsDHCPOptionParserHandler(s string) (data []byte, err error) {
-	ipStrs := strings.Split(s, ",")
-	for i, ipStr := range ipStrs {
-		var ipData []byte
-		ipData, err = ipDHCPOptionParserHandler(ipStr)
-		if err != nil {
-			return nil, fmt.Errorf("parsing ip at index %d: %w", i, err)
-		}
-
-		data = append(data, ipData...)
-	}
-
-	return data, nil
-}
-
-// ipsDHCPOptionParserHandler parses a DHCP option as a comma-separates list of
-// IP addresses.  For example:
-//
-//   6 ips 192.168.1.1,192.168.1.2
-//
-func textDHCPOptionParserHandler(s string) (data []byte, err error) {
-	return []byte(s), nil
-}
-
-// dhcpOptionParserHandler is a parser for a single dhcp option type.
-type dhcpOptionParserHandler func(s string) (data []byte, err error)
-
-// dhcpOptionParser parses DHCP options.
-type dhcpOptionParser struct {
-	handlers map[string]dhcpOptionParserHandler
-}
-
-// newDHCPOptionParser returns a new dhcpOptionParser.
-func newDHCPOptionParser() (p *dhcpOptionParser) {
-	return &dhcpOptionParser{
-		handlers: map[string]dhcpOptionParserHandler{
-			"hex":  hexDHCPOptionParserHandler,
-			"ip":   ipDHCPOptionParserHandler,
-			"ips":  ipsDHCPOptionParserHandler,
-			"text": textDHCPOptionParserHandler,
-		},
-	}
-}
-
-// parse parses an option.  See the handlers' documentation for more info.
-func (p *dhcpOptionParser) parse(s string) (code uint8, data []byte, err error) {
-	defer func() { err = errors.Annotate(err, "invalid option string %q: %w", s) }()
-
-	s = strings.TrimSpace(s)
-	parts := strings.SplitN(s, " ", 3)
-	if len(parts) < 3 {
-		return 0, nil, errors.Error("need at least three fields")
-	}
-
-	codeStr := parts[0]
-	typ := parts[1]
-	val := parts[2]
-
-	var code64 uint64
-	code64, err = strconv.ParseUint(codeStr, 10, 8)
-	if err != nil {
-		return 0, nil, fmt.Errorf("parsing option code: %w", err)
-	}
-
-	code = uint8(code64)
-
-	h, ok := p.handlers[typ]
-	if !ok {
-		return 0, nil, fmt.Errorf("unknown option type %q", typ)
-	}
-
-	data, err = h(val)
-	if err != nil {
-		return 0, nil, err
-	}
-
-	return code, data, nil
-}

internal/dhcpd/options_test.go

@@ -1,109 +0,0 @@
-package dhcpd
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestDHCPOptionParser(t *testing.T) {
-	testCases := []struct {
-		name       string
-		in         string
-		wantErrMsg string
-		wantData   []byte
-		wantCode   uint8
-	}{{
-		name:       "hex_success",
-		in:         "6 hex c0a80101c0a80102",
-		wantErrMsg: "",
-		wantData:   []byte{0xC0, 0xA8, 0x01, 0x01, 0xC0, 0xA8, 0x01, 0x02},
-		wantCode:   6,
-	}, {
-		name:       "ip_success",
-		in:         "6 ip 1.2.3.4",
-		wantErrMsg: "",
-		wantData:   []byte{0x01, 0x02, 0x03, 0x04},
-		wantCode:   6,
-	}, {
-		name:       "ip_success_v6",
-		in:         "6 ip ::1234",
-		wantErrMsg: "",
-		wantData: []byte{
-			0x00, 0x00, 0x00, 0x00,
-			0x00, 0x00, 0x00, 0x00,
-			0x00, 0x00, 0x00, 0x00,
-			0x00, 0x00, 0x12, 0x34,
-		},
-		wantCode: 6,
-	}, {
-		name:       "ips_success",
-		in:         "6 ips 192.168.1.1,192.168.1.2",
-		wantErrMsg: "",
-		wantData:   []byte{0xC0, 0xA8, 0x01, 0x01, 0xC0, 0xA8, 0x01, 0x02},
-		wantCode:   6,
-	}, {
-		name:       "text_success",
-		in:         "252 text http://192.168.1.1/",
-		wantErrMsg: "",
-		wantData:   []byte("http://192.168.1.1/"),
-		wantCode:   252,
-	}, {
-		name:       "bad_parts",
-		in:         "6 ip",
-		wantErrMsg: `invalid option string "6 ip": need at least three fields`,
-		wantCode:   0,
-		wantData:   nil,
-	}, {
-		name: "bad_code",
-		in:   "256 ip 1.1.1.1",
-		wantErrMsg: `invalid option string "256 ip 1.1.1.1": parsing option code: ` +
-			`strconv.ParseUint: parsing "256": value out of range`,
-		wantCode: 0,
-		wantData: nil,
-	}, {
-		name:       "bad_type",
-		in:         "6 bad 1.1.1.1",
-		wantErrMsg: `invalid option string "6 bad 1.1.1.1": unknown option type "bad"`,
-		wantCode:   0,
-		wantData:   nil,
-	}, {
-		name: "hex_error",
-		in:   "6 hex ZZZ",
-		wantErrMsg: `invalid option string "6 hex ZZZ": decoding hex: ` +
-			`encoding/hex: invalid byte: U+005A 'Z'`,
-		wantData: nil,
-		wantCode: 0,
-	}, {
-		name:       "ip_error",
-		in:         "6 ip 1.2.3.x",
-		wantErrMsg: `invalid option string "6 ip 1.2.3.x": invalid ip`,
-		wantData:   nil,
-		wantCode:   0,
-	}, {
-		name: "ips_error",
-		in:   "6 ips 192.168.1.1,192.168.1.x",
-		wantErrMsg: `invalid option string "6 ips 192.168.1.1,192.168.1.x": ` +
-			`parsing ip at index 1: invalid ip`,
-		wantData: nil,
-		wantCode: 0,
-	}}
-
-	p := newDHCPOptionParser()
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			code, data, err := p.parse(tc.in)
-			if tc.wantErrMsg == "" {
-				assert.Nil(t, err)
-			} else {
-				require.NotNil(t, err)
-				assert.Equal(t, tc.wantErrMsg, err.Error())
-			}
-
-			assert.Equal(t, tc.wantCode, code)
-			assert.Equal(t, tc.wantData, data)
-		})
-	}
-}

internal/dhcpd/options_unix.go

@@ -0,0 +1,192 @@
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
+// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+
+package dhcpd
+
+import (
+	"encoding/hex"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/insomniacslk/dhcp/dhcpv4"
+)
+
+// The aliases for DHCP option types available for explicit declaration.
+const (
+	hexTyp  = "hex"
+	ipTyp   = "ip"
+	ipsTyp  = "ips"
+	textTyp = "text"
+)
+
+// parseDHCPOptionHex parses a DHCP option as a hex-encoded string.  For
+// example:
+//
+//   252 hex 736f636b733a2f2f70726f78792e6578616d706c652e6f7267
+//
+func parseDHCPOptionHex(s string) (val dhcpv4.OptionValue, err error) {
+	var data []byte
+	data, err = hex.DecodeString(s)
+	if err != nil {
+		return nil, fmt.Errorf("decoding hex: %w", err)
+	}
+
+	return dhcpv4.OptionGeneric{Data: data}, nil
+}
+
+// parseDHCPOptionIP parses a DHCP option as a single IP address.  For example:
+//
+//   6 ip 192.168.1.1
+//
+func parseDHCPOptionIP(s string) (val dhcpv4.OptionValue, err error) {
+	var ip net.IP
+	// All DHCPv4 options require IPv4, so don't put the 16-byte version.
+	// Otherwise, the clients will receive weird data that looks like four
+	// IPv4 addresses.
+	//
+	// See https://github.com/AdguardTeam/AdGuardHome/issues/2688.
+	if ip, err = netutil.ParseIPv4(s); err != nil {
+		return nil, err
+	}
+
+	return dhcpv4.IP(ip), nil
+}
+
+// parseDHCPOptionIPs parses a DHCP option as a comma-separates list of IP
+// addresses.  For example:
+//
+//   6 ips 192.168.1.1,192.168.1.2
+//
+func parseDHCPOptionIPs(s string) (val dhcpv4.OptionValue, err error) {
+	var ips dhcpv4.IPs
+	var ip net.IP
+	for i, ipStr := range strings.Split(s, ",") {
+		// See notes in the ipDHCPOptionParserHandler.
+		if ip, err = netutil.ParseIPv4(ipStr); err != nil {
+			return nil, fmt.Errorf("parsing ip at index %d: %w", i, err)
+		}
+
+		ips = append(ips, ip)
+	}
+
+	return ips, nil
+}
+
+// parseDHCPOptionText parses a DHCP option as a simple UTF-8 encoded
+// text.  For example:
+//
+//   252 text http://192.168.1.1/wpad.dat
+//
+func parseDHCPOptionText(s string) (val dhcpv4.OptionValue) {
+	return dhcpv4.OptionGeneric{Data: []byte(s)}
+}
+
+// parseDHCPOption parses an option.  See the documentation of parseDHCPOption*
+// for more info.
+func parseDHCPOption(s string) (opt dhcpv4.Option, err error) {
+	defer func() { err = errors.Annotate(err, "invalid option string %q: %w", s) }()
+
+	s = strings.TrimSpace(s)
+	parts := strings.SplitN(s, " ", 3)
+	if len(parts) < 3 {
+		return opt, errors.Error("need at least three fields")
+	}
+
+	var code64 uint64
+	code64, err = strconv.ParseUint(parts[0], 10, 8)
+	if err != nil {
+		return opt, fmt.Errorf("parsing option code: %w", err)
+	}
+
+	var optVal dhcpv4.OptionValue
+	switch typ, val := parts[1], parts[2]; typ {
+	case hexTyp:
+		optVal, err = parseDHCPOptionHex(val)
+	case ipTyp:
+		optVal, err = parseDHCPOptionIP(val)
+	case ipsTyp:
+		optVal, err = parseDHCPOptionIPs(val)
+	case textTyp:
+		optVal = parseDHCPOptionText(val)
+	default:
+		return opt, fmt.Errorf("unknown option type %q", typ)
+	}
+
+	if err != nil {
+		return opt, err
+	}
+
+	return dhcpv4.Option{
+		Code:  dhcpv4.GenericOptionCode(code64),
+		Value: optVal,
+	}, nil
+}
+
+// prepareOptions builds the set of DHCP options according to host requirements
+// document and values from conf.
+func prepareOptions(conf V4ServerConf) (opts dhcpv4.Options) {
+	opts = dhcpv4.Options{
+		// Set default values for host configuration parameters listed
+		// in Appendix A of RFC-2131.  Those parameters, if requested by
+		// client, should be returned with values defined by Host
+		// Requirements Document.
+		//
+		// See https://datatracker.ietf.org/doc/html/rfc2131#appendix-A.
+		//
+		// See also https://datatracker.ietf.org/doc/html/rfc1122,
+		// https://datatracker.ietf.org/doc/html/rfc1123, and
+		// https://datatracker.ietf.org/doc/html/rfc2132.
+
+		// IP-Layer Per Host
+
+		dhcpv4.OptionNonLocalSourceRouting.Code(): []byte{0},
+		// Set the current recommended default time to live for the
+		// Internet Protocol which is 64, see
+		// https://datatracker.ietf.org/doc/html/rfc1700.
+		dhcpv4.OptionDefaultIPTTL.Code(): []byte{64},
+
+		// IP-Layer Per Interface
+
+		dhcpv4.OptionPerformMaskDiscovery.Code():   []byte{0},
+		dhcpv4.OptionMaskSupplier.Code():           []byte{0},
+		dhcpv4.OptionPerformRouterDiscovery.Code(): []byte{1},
+		// The all-routers address is preferred wherever possible, see
+		// https://datatracker.ietf.org/doc/html/rfc1256#section-5.1.
+		dhcpv4.OptionRouterSolicitationAddress.Code(): net.IPv4allrouter.To4(),
+		dhcpv4.OptionBroadcastAddress.Code():          net.IPv4bcast.To4(),
+
+		// Link-Layer Per Interface
+
+		dhcpv4.OptionTrailerEncapsulation.Code():  []byte{0},
+		dhcpv4.OptionEthernetEncapsulation.Code(): []byte{0},
+
+		// TCP Per Host
+
+		dhcpv4.OptionTCPKeepaliveInterval.Code(): dhcpv4.Duration(0).ToBytes(),
+		dhcpv4.OptionTCPKeepaliveGarbage.Code():  []byte{0},
+
+		// Values From Configuration
+
+		dhcpv4.OptionRouter.Code():     netutil.CloneIP(conf.subnet.IP),
+		dhcpv4.OptionSubnetMask.Code(): dhcpv4.IPMask(conf.subnet.Mask).ToBytes(),
+	}
+
+	// Set values for explicitly configured options.
+	for i, o := range conf.Options {
+		opt, err := parseDHCPOption(o)
+		if err != nil {
+			log.Error("dhcpv4: bad option string at index %d: %s", i, err)
+
+			continue
+		}
+
+		opts.Update(opt)
+	}
+
+	return opts
+}

internal/dhcpd/options_unix_test.go

@@ -0,0 +1,177 @@
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
+// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+
+package dhcpd
+
+import (
+	"fmt"
+	"net"
+	"testing"
+
+	"github.com/insomniacslk/dhcp/dhcpv4"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseOpt(t *testing.T) {
+	testCases := []struct {
+		name       string
+		in         string
+		wantErrMsg string
+		wantOpt    dhcpv4.Option
+	}{{
+		name:       "hex_success",
+		in:         "6 hex c0a80101c0a80102",
+		wantErrMsg: "",
+		wantOpt: dhcpv4.OptDNS(
+			net.IP{0xC0, 0xA8, 0x01, 0x01},
+			net.IP{0xC0, 0xA8, 0x01, 0x02},
+		),
+	}, {
+		name:       "ip_success",
+		in:         "6 ip 1.2.3.4",
+		wantErrMsg: "",
+		wantOpt: dhcpv4.OptDNS(
+			net.IP{0x01, 0x02, 0x03, 0x04},
+		),
+	}, {
+		name:       "ip_fail_v6",
+		in:         "6 ip ::1234",
+		wantErrMsg: "invalid option string \"6 ip ::1234\": bad ipv4 address \"::1234\"",
+		wantOpt:    dhcpv4.Option{},
+	}, {
+		name:       "ips_success",
+		in:         "6 ips 192.168.1.1,192.168.1.2",
+		wantErrMsg: "",
+		wantOpt: dhcpv4.OptDNS(
+			net.IP{0xC0, 0xA8, 0x01, 0x01},
+			net.IP{0xC0, 0xA8, 0x01, 0x02},
+		),
+	}, {
+		name:       "text_success",
+		in:         "252 text http://192.168.1.1/",
+		wantErrMsg: "",
+		wantOpt: dhcpv4.OptGeneric(
+			dhcpv4.GenericOptionCode(252),
+			[]byte("http://192.168.1.1/"),
+		),
+	}, {
+		name:       "bad_parts",
+		in:         "6 ip",
+		wantErrMsg: `invalid option string "6 ip": need at least three fields`,
+		wantOpt:    dhcpv4.Option{},
+	}, {
+		name: "bad_code",
+		in:   "256 ip 1.1.1.1",
+		wantErrMsg: `invalid option string "256 ip 1.1.1.1": parsing option code: ` +
+			`strconv.ParseUint: parsing "256": value out of range`,
+		wantOpt: dhcpv4.Option{},
+	}, {
+		name:       "bad_type",
+		in:         "6 bad 1.1.1.1",
+		wantErrMsg: `invalid option string "6 bad 1.1.1.1": unknown option type "bad"`,
+		wantOpt:    dhcpv4.Option{},
+	}, {
+		name: "hex_error",
+		in:   "6 hex ZZZ",
+		wantErrMsg: `invalid option string "6 hex ZZZ": decoding hex: ` +
+			`encoding/hex: invalid byte: U+005A 'Z'`,
+		wantOpt: dhcpv4.Option{},
+	}, {
+		name:       "ip_error",
+		in:         "6 ip 1.2.3.x",
+		wantErrMsg: "invalid option string \"6 ip 1.2.3.x\": bad ipv4 address \"1.2.3.x\"",
+		wantOpt:    dhcpv4.Option{},
+	}, {
+		name: "ips_error",
+		in:   "6 ips 192.168.1.1,192.168.1.x",
+		wantErrMsg: "invalid option string \"6 ips 192.168.1.1,192.168.1.x\": " +
+			"parsing ip at index 1: bad ipv4 address \"192.168.1.x\"",
+		wantOpt: dhcpv4.Option{},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			opt, err := parseDHCPOption(tc.in)
+			if tc.wantErrMsg != "" {
+				require.Error(t, err)
+				assert.Equal(t, tc.wantErrMsg, err.Error())
+
+				return
+			}
+
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.wantOpt.Code.Code(), opt.Code.Code())
+			assert.Equal(t, tc.wantOpt.Value.ToBytes(), opt.Value.ToBytes())
+		})
+	}
+}
+
+func TestPrepareOptions(t *testing.T) {
+	allDefault := dhcpv4.Options{
+		dhcpv4.OptionNonLocalSourceRouting.Code():     []byte{0},
+		dhcpv4.OptionDefaultIPTTL.Code():              []byte{64},
+		dhcpv4.OptionPerformMaskDiscovery.Code():      []byte{0},
+		dhcpv4.OptionMaskSupplier.Code():              []byte{0},
+		dhcpv4.OptionPerformRouterDiscovery.Code():    []byte{1},
+		dhcpv4.OptionRouterSolicitationAddress.Code(): []byte{224, 0, 0, 2},
+		dhcpv4.OptionBroadcastAddress.Code():          []byte{255, 255, 255, 255},
+		dhcpv4.OptionTrailerEncapsulation.Code():      []byte{0},
+		dhcpv4.OptionEthernetEncapsulation.Code():     []byte{0},
+		dhcpv4.OptionTCPKeepaliveInterval.Code():      []byte{0, 0, 0, 0},
+		dhcpv4.OptionTCPKeepaliveGarbage.Code():       []byte{0},
+	}
+	oneIP, otherIP := net.IP{1, 2, 3, 4}, net.IP{5, 6, 7, 8}
+
+	testCases := []struct {
+		name   string
+		opts   []string
+		checks dhcpv4.Options
+	}{{
+		name:   "all_default",
+		checks: allDefault,
+	}, {
+		name: "configured_ip",
+		opts: []string{
+			fmt.Sprintf("%d ip %s", dhcpv4.OptionBroadcastAddress, oneIP),
+		},
+		checks: dhcpv4.Options{
+			dhcpv4.OptionBroadcastAddress.Code(): oneIP,
+		},
+	}, {
+		name: "configured_ips",
+		opts: []string{
+			fmt.Sprintf("%d ips %s,%s", dhcpv4.OptionDomainNameServer, oneIP, otherIP),
+		},
+		checks: dhcpv4.Options{
+			dhcpv4.OptionDomainNameServer.Code(): append(oneIP, otherIP...),
+		},
+	}, {
+		name: "configured_bad",
+		opts: []string{
+			"20 hex",
+			"23 hex abc",
+			"32 ips 1,2,3,4",
+			"28 256.256.256.256",
+		},
+		checks: allDefault,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := prepareOptions(V4ServerConf{
+				// Just to avoid nil pointer dereference.
+				subnet:  &net.IPNet{},
+				Options: tc.opts,
+			})
+			for c, v := range tc.checks {
+				optVal := opts.Get(dhcpv4.GenericOptionCode(c))
+				require.NotNil(t, optVal)
+
+				assert.Len(t, optVal, len(v))
+				assert.Equal(t, v, optVal)
+			}
+		})
+	}
+}

internal/dhcpd/server.go

@@ -72,8 +72,6 @@ type V4ServerConf struct {
 	// gateway.
 	subnet *net.IPNet
 
-	options []dhcpOption
-
 	// notify is a way to signal to other components that leases have
 	// change.  notify must be called outside of locked sections, since the
 	// clients might want to get the new data.
@@ -104,8 +102,3 @@ type V6ServerConf struct {
 	// Server calls this function when leases data changes
 	notify func(uint32)
 }
-
-type dhcpOption struct {
-	code uint8
-	data []byte
-}

internal/dhcpd/v4.go

@@ -40,6 +40,9 @@ type v4Server struct {
 
 	// leasesLock protects leases, leaseHosts, and leasedOffsets.
 	leasesLock sync.Mutex
+
+	// options holds predefined DHCP options to return to clients.
+	options dhcpv4.Options
 }
 
 // WriteDiskConfig4 - write configuration
@@ -831,6 +834,9 @@ func (s *v4Server) processRelease(req, resp *dhcpv4.DHCPv4) (err error) {
 func (s *v4Server) process(req, resp *dhcpv4.DHCPv4) int {
 	var err error
 
+	// Include server's identifier option since any reply should contain it.
+	//
+	// See https://datatracker.ietf.org/doc/html/rfc2131#page-29.
 	resp.UpdateOption(dhcpv4.OptServerIdentifier(s.conf.dnsIPAddrs[0]))
 
 	// TODO(a.garipov): Refactor this into handlers.
@@ -873,17 +879,29 @@ func (s *v4Server) process(req, resp *dhcpv4.DHCPv4) int {
 	}
 
 	if l != nil {
-		resp.YourIPAddr = make([]byte, 4)
+		resp.YourIPAddr = netutil.CloneIP(l.IP)
-		copy(resp.YourIPAddr, l.IP)
 	}
 
+	// Set IP address lease time for all DHCPOFFER messages and DHCPACK
+	// messages replied for DHCPREQUEST.
+	//
+	// TODO(e.burkov):  Inspect why this is always set to configured value.
 	resp.UpdateOption(dhcpv4.OptIPAddressLeaseTime(s.conf.leaseTime))
-	resp.UpdateOption(dhcpv4.OptRouter(s.conf.subnet.IP))
-	resp.UpdateOption(dhcpv4.OptSubnetMask(s.conf.subnet.Mask))
-	resp.UpdateOption(dhcpv4.OptDNS(s.conf.dnsIPAddrs...))
 
-	for _, opt := range s.conf.options {
+	// Update values for each explicitly configured parameter requested by
-		resp.Options[opt.code] = opt.data
+	// client.
+	//
+	// See https://datatracker.ietf.org/doc/html/rfc2131#section-4.3.1.
+	requested := req.ParameterRequestList()
+	for _, code := range requested {
+		if configured := s.options; configured.Has(code) {
+			resp.UpdateOption(dhcpv4.OptGeneric(code, configured.Get(code)))
+		}
+	}
+	// Update the value of Domain Name Server option separately from others
+	// since its value is set after server's creating.
+	if requested.Has(dhcpv4.OptionDomainNameServer) {
+		resp.UpdateOption(dhcpv4.OptDNS(s.conf.dnsIPAddrs...))
 	}
 
 	return 1
@@ -897,7 +915,8 @@ func (s *v4Server) packetHandler(conn net.PacketConn, peer net.Addr, req *dhcpv4
 	log.Debug("dhcpv4: received message: %s", req.Summary())
 
 	switch req.MessageType() {
-	case dhcpv4.MessageTypeDiscover,
+	case
+		dhcpv4.MessageTypeDiscover,
 		dhcpv4.MessageTypeRequest,
 		dhcpv4.MessageTypeDecline,
 		dhcpv4.MessageTypeRelease:
@@ -928,28 +947,50 @@ func (s *v4Server) packetHandler(conn net.PacketConn, peer net.Addr, req *dhcpv4
 		resp.Options.Update(dhcpv4.OptMessageType(dhcpv4.MessageTypeNak))
 	}
 
-	// peer is expected to be of type *net.UDPConn as the server4.NewServer
+	s.send(peer, conn, req, resp)
-	// initializes it.
+}
-	udpPeer, ok := peer.(*net.UDPAddr)
+
-	if !ok {
+// send writes resp for peer to conn considering the req's parameters according
-		log.Error("dhcpv4: peer is of unexpected type %T", peer)
+// to RFC-2131.
+//
+// See https://datatracker.ietf.org/doc/html/rfc2131#section-4.1.
+func (s *v4Server) send(peer net.Addr, conn net.PacketConn, req, resp *dhcpv4.DHCPv4) {
+	var unicast bool
+	if giaddr := req.GatewayIPAddr; giaddr != nil && !giaddr.IsUnspecified() {
+		// Send any return messages to the server port on the BOOTP
+		// relay agent whose address appears in giaddr.
+		peer = &net.UDPAddr{
+			IP:   giaddr,
+			Port: dhcpv4.ServerPort,
+		}
+		unicast = true
+	} else if mtype := resp.MessageType(); mtype == dhcpv4.MessageTypeNak {
+		// Broadcast any DHCPNAK messages to 0xffffffff.
+	} else if ciaddr := req.ClientIPAddr; ciaddr != nil && !ciaddr.IsUnspecified() {
+		// Unicast DHCPOFFER and DHCPACK messages to the address in
+		// ciaddr.
+		peer = &net.UDPAddr{
+			IP:   ciaddr,
+			Port: dhcpv4.ClientPort,
+		}
+		unicast = true
+	}
+
+	// TODO(e.burkov):  Unicast the message to the actual link-layer address
+	// of the client if broadcast bit is not set.  Perhaps, use custom
+	// connection when creating the server.
+	//
+	// See https://github.com/AdguardTeam/AdGuardHome/issues/3443.
+
+	if !unicast {
+		s.broadcast(peer, conn, resp)
 
 		return
 	}
 
-	// Despite the fact that server4.NewIPv4UDPConn explicitly sets socket
+	log.Debug("dhcpv4: sending to %s: %s", peer, resp.Summary())
-	// options to allow broadcasting, it also binds the connection to a
-	// specific interface.  On FreeBSD conn.WriteTo causes errors while
-	// writing to the addresses that belong to another interface.  So, use
-	// the broadcast address specific for the binded interface in case
-	// server4.Server.Serve sets it to net.IPv4Bcast.
-	if udpPeer.IP.Equal(net.IPv4bcast) {
-		udpPeer.IP = s.conf.broadcastIP
-	}
 
-	log.Debug("dhcpv4: sending: %s", resp.Summary())
+	_, err := conn.WriteTo(resp.ToBytes(), peer)
-
-	_, err = conn.WriteTo(resp.ToBytes(), peer)
 	if err != nil {
 		log.Error("dhcpv4: conn.Write to %s failed: %s", peer, err)
 	}
@@ -1082,25 +1123,7 @@ func v4Create(conf V4ServerConf) (srv DHCPServer, err error) {
 		s.conf.leaseTime = time.Second * time.Duration(conf.LeaseDuration)
 	}
 
-	p := newDHCPOptionParser()
+	s.options = prepareOptions(s.conf)
-
-	for i, o := range conf.Options {
-		var code uint8
-		var data []byte
-		code, data, err = p.parse(o)
-		if err != nil {
-			log.Error("dhcpv4: bad option string at index %d: %s", i, err)
-
-			continue
-		}
-
-		opt := dhcpOption{
-			code: code,
-			data: data,
-		}
-
-		s.conf.options = append(s.conf.options, opt)
-	}
 
 	return s, nil
 }

internal/dhcpd/v4_test.go

@@ -4,9 +4,11 @@
 package dhcpd
 
 import (
+	"bytes"
 	"net"
 	"testing"
 
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/insomniacslk/dhcp/dhcpv4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -146,7 +148,9 @@ func TestV4StaticLease_Get(t *testing.T) {
 	mac := net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA}
 
 	t.Run("discover", func(t *testing.T) {
-		req, err = dhcpv4.NewDiscovery(mac)
+		req, err = dhcpv4.NewDiscovery(mac, dhcpv4.WithRequestedOptions(
+			dhcpv4.OptionDomainNameServer,
+		))
 		require.NoError(t, err)
 
 		resp, err = dhcpv4.NewReplyFromRequest(req)
@@ -229,7 +233,10 @@ func TestV4DynamicLease_Get(t *testing.T) {
 	mac := net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA}
 
 	t.Run("discover", func(t *testing.T) {
-		req, err = dhcpv4.NewDiscovery(mac)
+		req, err = dhcpv4.NewDiscovery(mac, dhcpv4.WithRequestedOptions(
+			dhcpv4.OptionFQDN,
+			dhcpv4.OptionRelayAgentInformation,
+		))
 		require.NoError(t, err)
 
 		resp, err = dhcpv4.NewReplyFromRequest(req)
@@ -255,9 +262,11 @@ func TestV4DynamicLease_Get(t *testing.T) {
 
 		assert.Equal(t, s.conf.subnet.Mask, resp.SubnetMask())
 		assert.Equal(t, s.conf.leaseTime.Seconds(), resp.IPAddressLeaseTime(-1).Seconds())
-		assert.Equal(t, []byte("012"), resp.Options[uint8(dhcpv4.OptionFQDN)])
+		assert.Equal(t, []byte("012"), resp.Options.Get(dhcpv4.OptionFQDN))
 
-		assert.Equal(t, net.IP{1, 2, 3, 4}, net.IP(resp.RelayAgentInfo().ToBytes()))
+		rai := resp.RelayAgentInfo()
+		require.NotNil(t, rai)
+		assert.Equal(t, net.IP{1, 2, 3, 4}, net.IP(rai.ToBytes()))
 	})
 
 	t.Run("request", func(t *testing.T) {
@@ -365,3 +374,83 @@ func TestNormalizeHostname(t *testing.T) {
 		})
 	}
 }
+
+// fakePacketConn is a mock implementation of net.PacketConn to simplify
+// testing.
+type fakePacketConn struct {
+	// writeTo is used to substitute net.PacketConn's WriteTo method.
+	writeTo func(p []byte, addr net.Addr) (n int, err error)
+	// net.PacketConn is embedded here simply to make *fakePacketConn a
+	// net.PacketConn without actually implementing all methods.
+	net.PacketConn
+}
+
+// WriteTo implements net.PacketConn interface for *fakePacketConn.
+func (fc *fakePacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	return fc.writeTo(p, addr)
+}
+
+func TestV4Server_Send_unicast(t *testing.T) {
+	b := &bytes.Buffer{}
+	var peer *net.UDPAddr
+
+	conn := &fakePacketConn{
+		writeTo: func(p []byte, addr net.Addr) (n int, err error) {
+			udpPeer, ok := addr.(*net.UDPAddr)
+			require.True(t, ok)
+
+			peer = cloneUDPAddr(udpPeer)
+
+			n, err = b.Write(p)
+			require.NoError(t, err)
+
+			return n, nil
+		},
+	}
+
+	defaultPeer := &net.UDPAddr{
+		IP: net.IP{1, 2, 3, 4},
+		// Use neither client nor server port.
+		Port: 1234,
+	}
+	defaultResp := &dhcpv4.DHCPv4{
+		OpCode: dhcpv4.OpcodeBootReply,
+	}
+	s := &v4Server{}
+
+	testCases := []struct {
+		name     string
+		req      *dhcpv4.DHCPv4
+		wantPeer net.Addr
+	}{{
+		name: "relay_agent",
+		req: &dhcpv4.DHCPv4{
+			GatewayIPAddr: defaultPeer.IP,
+		},
+		wantPeer: &net.UDPAddr{
+			IP:   defaultPeer.IP,
+			Port: dhcpv4.ServerPort,
+		},
+	}, {
+		name: "known_client",
+		req: &dhcpv4.DHCPv4{
+			GatewayIPAddr: netutil.IPv4Zero(),
+			ClientIPAddr:  net.IP{2, 3, 4, 5},
+		},
+		wantPeer: &net.UDPAddr{
+			IP:   net.IP{2, 3, 4, 5},
+			Port: dhcpv4.ClientPort,
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			s.send(defaultPeer, conn, tc.req, defaultResp)
+			assert.EqualValues(t, defaultResp.ToBytes(), b.Bytes())
+			assert.Equal(t, tc.wantPeer, peer)
+		})
+
+		b.Reset()
+		peer = nil
+	}
+}

internal/dnsforward/access.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/stringutil"
@@ -192,6 +193,60 @@ func (s *Server) handleAccessList(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func isUniq(slice []string) (ok bool, uniqueMap map[string]unit) {
+	exists := make(map[string]unit)
+	for _, key := range slice {
+		if _, has := exists[key]; has {
+			return false, nil
+		}
+		exists[key] = unit{}
+	}
+	return true, exists
+}
+
+func intersect(mapA, mapB map[string]unit) bool {
+	for key := range mapA {
+		if _, has := mapB[key]; has {
+			return true
+		}
+	}
+	return false
+}
+
+// validateAccessSet checks the internal accessListJSON lists.  To search for
+// duplicates, we cannot compare the new stringutil.Set and []string, because
+// creating a set for a large array can be an unnecessary algorithmic complexity
+func validateAccessSet(list accessListJSON) (err error) {
+	const (
+		errAllowedDup    errors.Error = "duplicates in allowed clients"
+		errDisallowedDup errors.Error = "duplicates in disallowed clients"
+		errBlockedDup    errors.Error = "duplicates in blocked hosts"
+		errIntersect     errors.Error = "some items in allowed and " +
+			"disallowed lists at the same time"
+	)
+
+	ok, allowedClients := isUniq(list.AllowedClients)
+	if !ok {
+		return errAllowedDup
+	}
+
+	ok, disallowedClients := isUniq(list.DisallowedClients)
+	if !ok {
+		return errDisallowedDup
+	}
+
+	ok, _ = isUniq(list.BlockedHosts)
+	if !ok {
+		return errBlockedDup
+	}
+
+	if intersect(allowedClients, disallowedClients) {
+		return errIntersect
+	}
+
+	return nil
+}
+
 func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
 	list := accessListJSON{}
 	err := json.NewDecoder(r.Body).Decode(&list)
@@ -201,6 +256,13 @@ func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	err = validateAccessSet(list)
+	if err != nil {
+		httpError(r, w, http.StatusBadRequest, err.Error())
+
+		return
+	}
+
 	var a *accessCtx
 	a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts)
 	if err != nil {

internal/dnsforward/dns.go

@@ -340,7 +340,7 @@ func (s *Server) processRestrictLocal(ctx *dnsContext) (rc resultCode) {
 
 	// Restrict an access to local addresses for external clients.  We also
 	// assume that all the DHCP leases we give are locally-served or at
-	// least don't need to be unaccessable externally.
+	// least don't need to be inaccessible externally.
 	if s.subnetDetector.IsLocallyServedNetwork(ip) {
 		if !ctx.isLocalClient {
 			log.Debug("dns: %q requests for internal ip", d.Addr)

internal/dnsforward/dnsforward.go

@@ -364,7 +364,7 @@ func (s *Server) startLocked() error {
 const defaultLocalTimeout = 1 * time.Second
 
 // collectDNSIPAddrs returns IP addresses the server is listening on without
-// port numbersю  For internal use only.
+// port numbers.  For internal use only.
 func (s *Server) collectDNSIPAddrs() (addrs []string, err error) {
 	addrs = make([]string, len(s.conf.TCPListenAddrs)+len(s.conf.UDPListenAddrs))
 	var i int

internal/dnsforward/dnsforward_test.go

@@ -275,7 +275,7 @@ func TestServer(t *testing.T) {
 			client := dns.Client{Net: tc.net}
 
 			reply, _, err := client.Exchange(createGoogleATestMessage(), addr.String())
-			require.NoErrorf(t, err, "сouldn't talk to server %s: %s", addr, err)
+			require.NoErrorf(t, err, "couldn't talk to server %s: %s", addr, err)
 
 			assertGoogleAResponse(t, reply)
 		})
@@ -330,7 +330,7 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 	client := &dns.Client{}
 
 	reply, _, err := client.Exchange(req, addr.String())
-	require.NoErrorf(t, err, "сouldn't talk to server %s: %s", addr, err)
+	require.NoErrorf(t, err, "couldn't talk to server %s: %s", addr, err)
 	assertGoogleAResponse(t, reply)
 }
 

internal/dnsforward/ipset.go

@@ -131,7 +131,7 @@ func (c *ipsetCtx) process(dctx *dnsContext) (rc resultCode) {
 		return resultCodeSuccess
 	}
 
-	log.Debug("ipset: added %d new ips", n)
+	log.Debug("ipset: added %d new ipset entries", n)
 
 	return resultCodeSuccess
 }

internal/dnsforward/ipset_test.go

@@ -15,7 +15,7 @@ type fakeIpsetMgr struct {
 	ip6s []net.IP
 }
 
-// Add implements the aghnet.IpsetManager inteface for *fakeIpsetMgr.
+// Add implements the aghnet.IpsetManager interface for *fakeIpsetMgr.
 func (m *fakeIpsetMgr) Add(host string, ip4s, ip6s []net.IP) (n int, err error) {
 	m.ip4s = append(m.ip4s, ip4s...)
 	m.ip6s = append(m.ip6s, ip6s...)

internal/filtering/blocked.go

@@ -197,7 +197,7 @@ var serviceRulesArray = []svc{
 	}},
 	{"9gag", []string{
 		"||9cache.com^",
-		"||gag.com^",
+		"||9gag.com^",
 	}},
 	{"telegram", []string{
 		"||t.me^",

internal/filtering/filtering.go

@@ -255,10 +255,14 @@ func (d *DNSFilter) GetConfig() (s Settings) {
 // WriteDiskConfig - write configuration
 func (d *DNSFilter) WriteDiskConfig(c *Config) {
 	d.confLock.Lock()
+	defer d.confLock.Unlock()
+
 	*c = d.Config
-	c.Rewrites = rewriteArrayDup(d.Config.Rewrites)
+	c.Rewrites = cloneRewrites(c.Rewrites)
-	// BlockedServices
+}
-	d.confLock.Unlock()
+
+func cloneRewrites(entries []RewriteEntry) (clone []RewriteEntry) {
+	return append([]RewriteEntry(nil), entries...)
 }
 
 // SetFilters - set new filters (synchronously or asynchronously)

internal/filtering/rewrites.go

@@ -27,8 +27,66 @@ type RewriteEntry struct {
 	Type uint16 `yaml:"-"`
 }
 
-func (r *RewriteEntry) equals(b RewriteEntry) bool {
+// equal returns true if the entry is considered equal to the other.
-	return r.Domain == b.Domain && r.Answer == b.Answer
+func (e *RewriteEntry) equal(other RewriteEntry) (ok bool) {
+	return e.Domain == other.Domain && e.Answer == other.Answer
+}
+
+// matchesQType returns true if the entry matched qtype.
+func (e *RewriteEntry) matchesQType(qtype uint16) (ok bool) {
+	// Add CNAMEs, since they match for all types requests.
+	if e.Type == dns.TypeCNAME {
+		return true
+	}
+
+	// Reject types other than A and AAAA.
+	if qtype != dns.TypeA && qtype != dns.TypeAAAA {
+		return false
+	}
+
+	// If the types match or the entry is set to allow only the other type,
+	// include them.
+	return e.Type == qtype || e.IP == nil
+}
+
+// normalize makes sure that the a new or decoded entry is normalized with
+// regards to domain name case, IP length, and so on.
+func (e *RewriteEntry) normalize() {
+	// TODO(a.garipov): Write a case-agnostic version of strings.HasSuffix
+	// and use it in matchDomainWildcard instead of using strings.ToLower
+	// everywhere.
+	e.Domain = strings.ToLower(e.Domain)
+
+	switch e.Answer {
+	case "AAAA":
+		e.IP = nil
+		e.Type = dns.TypeAAAA
+
+		return
+	case "A":
+		e.IP = nil
+		e.Type = dns.TypeA
+
+		return
+	default:
+		// Go on.
+	}
+
+	ip := net.ParseIP(e.Answer)
+	if ip == nil {
+		e.Type = dns.TypeCNAME
+
+		return
+	}
+
+	ip4 := ip.To4()
+	if ip4 != nil {
+		e.IP = ip4
+		e.Type = dns.TypeA
+	} else {
+		e.IP = ip
+		e.Type = dns.TypeAAAA
+	}
 }
 
 func isWildcard(host string) bool {
@@ -78,48 +136,9 @@ func (a rewritesSorted) Less(i, j int) bool {
 	return len(a[i].Domain) > len(a[j].Domain)
 }
 
-// prepare prepares the a new or decoded entry.
-func (r *RewriteEntry) prepare() {
-	// TODO(a.garipov): Write a case-agnostic version of strings.HasSuffix
-	// and use it in matchDomainWildcard instead of using strings.ToLower
-	// everywhere.
-	r.Domain = strings.ToLower(r.Domain)
-
-	switch r.Answer {
-	case "AAAA":
-		r.IP = nil
-		r.Type = dns.TypeAAAA
-
-		return
-	case "A":
-		r.IP = nil
-		r.Type = dns.TypeA
-
-		return
-	default:
-		// Go on.
-	}
-
-	ip := net.ParseIP(r.Answer)
-	if ip == nil {
-		r.Type = dns.TypeCNAME
-
-		return
-	}
-
-	ip4 := ip.To4()
-	if ip4 != nil {
-		r.IP = ip4
-		r.Type = dns.TypeA
-	} else {
-		r.IP = ip
-		r.Type = dns.TypeAAAA
-	}
-}
-
 func (d *DNSFilter) prepareRewrites() {
 	for i := range d.Rewrites {
-		d.Rewrites[i].prepare()
+		d.Rewrites[i].normalize()
 	}
 }
 
@@ -127,18 +146,15 @@ func (d *DNSFilter) prepareRewrites() {
 // CNAME, then A and AAAA; exact, then wildcard.  If the host is matched
 // exactly, wildcard entries aren't returned.  If the host matched by wildcards,
 // return the most specific for the question type.
-func findRewrites(a []RewriteEntry, host string, qtype uint16) []RewriteEntry {
+func findRewrites(entries []RewriteEntry, host string, qtype uint16) (matched []RewriteEntry) {
 	rr := rewritesSorted{}
-	for _, r := range a {
+	for _, e := range entries {
-		if r.Domain != host && !matchDomainWildcard(host, r.Domain) {
+		if e.Domain != host && !matchDomainWildcard(host, e.Domain) {
 			continue
 		}
 
-		// Return CNAMEs for all types requests, but only the
+		if e.matchesQType(qtype) {
-		// appropriate ones for A and AAAA.
+			rr = append(rr, e)
-		if r.Type == dns.TypeCNAME ||
-			(r.Type == qtype && (qtype == dns.TypeA || qtype == dns.TypeAAAA)) {
-			rr = append(rr, r)
 		}
 	}
 
@@ -169,12 +185,6 @@ func max(a, b int) int {
 	return b
 }
 
-func rewriteArrayDup(a []RewriteEntry) []RewriteEntry {
-	a2 := make([]RewriteEntry, len(a))
-	copy(a2, a)
-	return a2
-}
-
 type rewriteEntryJSON struct {
 	Domain string `json:"domain"`
 	Answer string `json:"answer"`
@@ -213,7 +223,7 @@ func (d *DNSFilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
 		Domain: jsent.Domain,
 		Answer: jsent.Answer,
 	}
-	ent.prepare()
+	ent.normalize()
 	d.confLock.Lock()
 	d.Config.Rewrites = append(d.Config.Rewrites, ent)
 	d.confLock.Unlock()
@@ -238,7 +248,7 @@ func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request)
 	arr := []RewriteEntry{}
 	d.confLock.Lock()
 	for _, ent := range d.Config.Rewrites {
-		if ent.equals(entDel) {
+		if ent.equal(entDel) {
 			log.Debug("Rewrites: removed element: %s -> %s", ent.Domain, ent.Answer)
 			continue
 		}

internal/filtering/rewrites_test.go

@@ -316,7 +316,7 @@ func TestRewritesExceptionIP(t *testing.T) {
 	}, {
 		name: "match_AAAA_host3.com",
 		host: "host3.com",
-		want: nil,
+		want: []net.IP{},
 		dtyp: dns.TypeAAAA,
 	}}
 

internal/home/clients.go

@@ -149,19 +149,19 @@ func (clients *clientsContainer) Reload() {
 }
 
 type clientObject struct {
-	Name                string   `yaml:"name"`
+	Name string `yaml:"name"`
-	Tags                []string `yaml:"tags"`
-	IDs                 []string `yaml:"ids"`
-	UseGlobalSettings   bool     `yaml:"use_global_settings"`
-	FilteringEnabled    bool     `yaml:"filtering_enabled"`
-	ParentalEnabled     bool     `yaml:"parental_enabled"`
-	SafeSearchEnabled   bool     `yaml:"safesearch_enabled"`
-	SafeBrowsingEnabled bool     `yaml:"safebrowsing_enabled"`
 
-	UseGlobalBlockedServices bool     `yaml:"use_global_blocked_services"`
+	Tags            []string `yaml:"tags"`
-	BlockedServices          []string `yaml:"blocked_services"`
+	IDs             []string `yaml:"ids"`
+	BlockedServices []string `yaml:"blocked_services"`
+	Upstreams       []string `yaml:"upstreams"`
 
-	Upstreams []string `yaml:"upstreams"`
+	UseGlobalSettings        bool `yaml:"use_global_settings"`
+	FilteringEnabled         bool `yaml:"filtering_enabled"`
+	ParentalEnabled          bool `yaml:"parental_enabled"`
+	SafeSearchEnabled        bool `yaml:"safesearch_enabled"`
+	SafeBrowsingEnabled      bool `yaml:"safebrowsing_enabled"`
+	UseGlobalBlockedServices bool `yaml:"use_global_blocked_services"`
 }
 
 func (clients *clientsContainer) tagKnown(tag string) (ok bool) {
@@ -286,38 +286,67 @@ func toQueryLogWHOIS(wi *RuntimeClientWHOISInfo) (cw *querylog.ClientWHOIS) {
 }
 
 // findMultiple is a wrapper around Find to make it a valid client finder for
-// the query log.  err is always nil.
+// the query log.  c is never nil; if no information about the client is found,
+// it returns an artificial client record by only setting the blocking-related
+// fields.  err is always nil.
 func (clients *clientsContainer) findMultiple(ids []string) (c *querylog.Client, err error) {
+	var artClient *querylog.Client
+	var art bool
 	for _, id := range ids {
-		var name string
+		c, art = clients.clientOrArtificial(net.ParseIP(id), id)
-		whois := &querylog.ClientWHOIS{}
+		if art {
-		ip := net.ParseIP(id)
+			artClient = c
 
-		c, ok := clients.Find(id)
+			continue
-		if ok {
-			name = c.Name
-		} else if ip != nil {
-			var rc *RuntimeClient
-			rc, ok = clients.FindRuntimeClient(ip)
-			if !ok {
-				continue
-			}
-
-			name = rc.Host
-			whois = toQueryLogWHOIS(rc.WHOISInfo)
 		}
 
-		disallowed, disallowedRule := clients.dnsServer.IsBlockedClient(ip, id)
+		return c, nil
-
-		return &querylog.Client{
-			Name:           name,
-			DisallowedRule: disallowedRule,
-			WHOIS:          whois,
-			Disallowed:     disallowed,
-		}, nil
 	}
 
-	return nil, nil
+	return artClient, nil
+}
+
+// clientOrArtificial returns information about one client.  If art is true,
+// this is an artificial client record, meaning that we currently don't have any
+// records about this client besides maybe whether or not it is blocked.  c is
+// never nil.
+func (clients *clientsContainer) clientOrArtificial(
+	ip net.IP,
+	id string,
+) (c *querylog.Client, art bool) {
+	defer func() {
+		c.Disallowed, c.DisallowedRule = clients.dnsServer.IsBlockedClient(ip, id)
+		if c.WHOIS == nil {
+			c.WHOIS = &querylog.ClientWHOIS{}
+		}
+	}()
+
+	client, ok := clients.Find(id)
+	if ok {
+		return &querylog.Client{
+			Name: client.Name,
+		}, false
+	}
+
+	if ip == nil {
+		// Technically should never happen, but still.
+		return &querylog.Client{
+			Name: "",
+		}, true
+	}
+
+	var rc *RuntimeClient
+	rc, ok = clients.FindRuntimeClient(ip)
+	if ok {
+		return &querylog.Client{
+			Name:  rc.Host,
+			WHOIS: toQueryLogWHOIS(rc.WHOISInfo),
+		}, false
+	}
+
+	return &querylog.Client{
+		Name: "",
+	}, true
 }
 
 func (clients *clientsContainer) Find(id string) (c *Client, ok bool) {

internal/home/config.go

@@ -162,8 +162,10 @@ type tlsConfigSettings struct {
 	dnsforward.TLSConfig `yaml:",inline" json:",inline"`
 }
 
-// initialize to default values, will be changed later when reading config or parsing command line
+// config is the global configuration structure.
-var config = configuration{
+//
+// TODO(a.garipov, e.burkov): This global is afwul and must be removed.
+var config = &configuration{
 	BindPort:     3000,
 	BetaBindPort: 0,
 	BindHost:     net.IP{0, 0, 0, 0},
@@ -171,7 +173,7 @@ var config = configuration{
 	AuthBlockMin: 15,
 	DNS: dnsConfig{
 		BindHosts:     []net.IP{{0, 0, 0, 0}},
-		Port:          53,
+		Port:          defaultPortDNS,
 		StatsInterval: 1,
 		FilteringConfig: dnsforward.FilteringConfig{
 			ProtectionEnabled:  true,      // whether or not use any of filtering features
@@ -200,9 +202,9 @@ var config = configuration{
 		UsePrivateRDNS:             true,
 	},
 	TLS: tlsConfigSettings{
-		PortHTTPS:       443,
+		PortHTTPS:       defaultPortHTTPS,
-		PortDNSOverTLS:  853, // needs to be passed through to dnsproxy
+		PortDNSOverTLS:  defaultPortTLS, // needs to be passed through to dnsproxy
-		PortDNSOverQUIC: 784,
+		PortDNSOverQUIC: defaultPortQUIC,
 	},
 	logSettings: logSettings{
 		LogCompress:   false,

internal/home/control.go

@@ -39,7 +39,7 @@ func httpError(w http.ResponseWriter, code int, format string, args ...interface
 func appendDNSAddrs(dst []string, addrs ...net.IP) (res []string) {
 	for _, addr := range addrs {
 		var hostport string
-		if config.DNS.Port != 53 {
+		if config.DNS.Port != defaultPortDNS {
 			hostport = netutil.JoinHostPort(addr.String(), config.DNS.Port)
 		} else {
 			hostport = addr.String()
@@ -285,8 +285,6 @@ func preInstallHandler(handler http.Handler) http.Handler {
 	return &preInstallHandlerStruct{handler}
 }
 
-const defaultHTTPSPort = 443
-
 // handleHTTPSRedirect redirects the request to HTTPS, if needed.  If ok is
 // true, the middleware must continue handling the request.
 func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
@@ -304,7 +302,7 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
 
 	if r.TLS == nil && web.forceHTTPS {
 		hostPort := host
-		if port := web.conf.PortHTTPS; port != defaultHTTPSPort {
+		if port := web.conf.PortHTTPS; port != defaultPortHTTPS {
 			hostPort = netutil.JoinHostPort(host, port)
 		}
 

internal/home/controlfiltering.go

@@ -254,13 +254,21 @@ func (f *Filtering) handleFilteringRefresh(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	Context.controlLock.Unlock()
 	flags := filterRefreshBlocklists
 	if req.White {
 		flags = filterRefreshAllowlists
 	}
-	resp.Updated, err = f.refreshFilters(flags|filterRefreshForce, false)
+	func() {
-	Context.controlLock.Lock()
+		// Temporarily unlock the Context.controlLock because the
+		// f.refreshFilters waits for it to be unlocked but it's
+		// actually locked in ensure wrapper.
+		//
+		// TODO(e.burkov):  Reconsider this messy syncing process.
+		Context.controlLock.Unlock()
+		defer Context.controlLock.Lock()
+
+		resp.Updated, err = f.refreshFilters(flags|filterRefreshForce, false)
+	}()
 	if err != nil {
 		httpError(w, http.StatusInternalServerError, "%s", err)
 		return

internal/home/controlinstall.go

@@ -15,8 +15,8 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/netutil"
 )
 
 // getAddrsResponse is the response for /install/get_addresses endpoint.
@@ -29,8 +29,8 @@ type getAddrsResponse struct {
 // handleInstallGetAddresses is the handler for /install/get_addresses endpoint.
 func (web *Web) handleInstallGetAddresses(w http.ResponseWriter, r *http.Request) {
 	data := getAddrsResponse{}
-	data.WebPort = 80
+	data.WebPort = defaultPortHTTP
-	data.DNSPort = 53
+	data.DNSPort = defaultPortDNS
 
 	ifaces, err := aghnet.GetValidNetInterfacesForWeb()
 	if err != nil {
@@ -257,7 +257,8 @@ type applyConfigReq struct {
 	Password string            `json:"password"`
 }
 
-// Copy installation parameters between two configuration objects
+// copyInstallSettings copies the installation parameters between two
+// configuration structures.
 func copyInstallSettings(dst, src *configuration) {
 	dst.BindHost = src.BindHost
 	dst.BindPort = src.BindPort
@@ -286,55 +287,29 @@ func shutdownSrv(ctx context.Context, cancel context.CancelFunc, srv *http.Serve
 
 // Apply new configuration, start DNS server, restart Web server
 func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
-	req := applyConfigReq{}
+	req, restartHTTP, err := decodeApplyConfigReq(r.Body)
-	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
-		httpError(w, http.StatusBadRequest, "Failed to parse 'configure' JSON: %s", err)
+		httpError(w, http.StatusBadRequest, "%s", err)
+
 		return
 	}
 
-	if req.Web.Port == 0 || req.DNS.Port == 0 {
-		httpError(w, http.StatusBadRequest, "port value can't be 0")
-		return
-	}
-
-	restartHTTP := true
-	if config.BindHost.Equal(req.Web.IP) && config.BindPort == req.Web.Port {
-		// no need to rebind
-		restartHTTP = false
-	}
-
-	// validate that hosts and ports are bindable
-	if restartHTTP {
-		err = aghnet.CheckPortAvailable(req.Web.IP, req.Web.Port)
-		if err != nil {
-			httpError(
-				w,
-				http.StatusBadRequest,
-				"can not listen on IP:port %s: %s",
-				netutil.JoinHostPort(req.Web.IP.String(), req.Web.Port),
-				err,
-			)
-
-			return
-		}
-
-	}
-
 	err = aghnet.CheckPacketPortAvailable(req.DNS.IP, req.DNS.Port)
 	if err != nil {
 		httpError(w, http.StatusBadRequest, "%s", err)
+
 		return
 	}
 
 	err = aghnet.CheckPortAvailable(req.DNS.IP, req.DNS.Port)
 	if err != nil {
 		httpError(w, http.StatusBadRequest, "%s", err)
+
 		return
 	}
 
-	var curConfig configuration
+	curConfig := &configuration{}
-	copyInstallSettings(&curConfig, &config)
+	copyInstallSettings(curConfig, config)
 
 	Context.firstRun = false
 	config.BindHost = req.Web.IP
@@ -349,8 +324,9 @@ func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 	err = StartMods()
 	if err != nil {
 		Context.firstRun = true
-		copyInstallSettings(&config, &curConfig)
+		copyInstallSettings(config, curConfig)
 		httpError(w, http.StatusInternalServerError, "%s", err)
+
 		return
 	}
 
@@ -361,8 +337,9 @@ func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 	err = config.write()
 	if err != nil {
 		Context.firstRun = true
-		copyInstallSettings(&config, &curConfig)
+		copyInstallSettings(config, curConfig)
 		httpError(w, http.StatusInternalServerError, "Couldn't write config: %s", err)
+
 		return
 	}
 
@@ -387,6 +364,36 @@ func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// decodeApplyConfigReq decodes the configuration, validates some parameters,
+// and returns it along with the boolean indicating whether or not the HTTP
+// server must be restarted.
+func decodeApplyConfigReq(r io.Reader) (req *applyConfigReq, restartHTTP bool, err error) {
+	req = &applyConfigReq{}
+	err = json.NewDecoder(r).Decode(&req)
+	if err != nil {
+		return nil, false, fmt.Errorf("parsing request: %w", err)
+	}
+
+	if req.Web.Port == 0 || req.DNS.Port == 0 {
+		return nil, false, errors.Error("ports cannot be 0")
+	}
+
+	restartHTTP = !config.BindHost.Equal(req.Web.IP) || config.BindPort != req.Web.Port
+	if restartHTTP {
+		err = aghnet.CheckPortAvailable(req.Web.IP, req.Web.Port)
+		if err != nil {
+			return nil, false, fmt.Errorf(
+				"checking address %s:%d: %w",
+				req.Web.IP.String(),
+				req.Web.Port,
+				err,
+			)
+		}
+	}
+
+	return req, restartHTTP, err
+}
+
 func (web *Web) registerInstallHandlers() {
 	Context.mux.HandleFunc("/control/install/get_addresses", preInstall(ensureGET(web.handleInstallGetAddresses)))
 	Context.mux.HandleFunc("/control/install/check_config", preInstall(ensurePOST(web.handleInstallCheckConfig)))
@@ -546,8 +553,8 @@ type getAddrsResponseBeta struct {
 // functionality will appear in default handleInstallGetAddresses.
 func (web *Web) handleInstallGetAddressesBeta(w http.ResponseWriter, r *http.Request) {
 	data := getAddrsResponseBeta{}
-	data.WebPort = 80
+	data.WebPort = defaultPortHTTP
-	data.DNSPort = 53
+	data.DNSPort = defaultPortDNS
 
 	ifaces, err := aghnet.GetValidNetInterfacesForWeb()
 	if err != nil {

internal/home/dns.go

@@ -19,6 +19,15 @@ import (
 	yaml "gopkg.in/yaml.v2"
 )
 
+// Default ports.
+const (
+	defaultPortDNS   = 53
+	defaultPortHTTP  = 80
+	defaultPortHTTPS = 443
+	defaultPortQUIC  = 784
+	defaultPortTLS   = 853
+)
+
 // Called by other modules when configuration is changed
 func onConfigModified() {
 	_ = config.write()
@@ -253,7 +262,7 @@ func getDNSEncryption() (de dnsEncryption) {
 		hostname := tlsConf.ServerName
 		if tlsConf.PortHTTPS != 0 {
 			addr := hostname
-			if tlsConf.PortHTTPS != 443 {
+			if tlsConf.PortHTTPS != defaultPortHTTPS {
 				addr = netutil.JoinHostPort(addr, tlsConf.PortHTTPS)
 			}
 

internal/home/filter.go

@@ -18,6 +18,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/stringutil"
 )
 
 var nextFilterID = time.Now().Unix() // semi-stable way to generate an unique ID
@@ -535,26 +536,85 @@ func (f *Filtering) read(reader io.Reader, tmpFile *os.File, filter *filter) (in
 	}
 }
 
-// updateIntl returns true if filter update performed successfully.
+// finalizeUpdate closes and gets rid of temporary file f with filter's content
-func (f *Filtering) updateIntl(filter *filter) (updated bool, err error) {
+// according to updated.  It also saves new values of flt's name, rules number
-	updated = false
+// and checksum if sucсeeded.
-	log.Tracef("Downloading update for filter %d from %s", filter.ID, filter.URL)
+func finalizeUpdate(
+	f *os.File,
+	flt *filter,
+	updated bool,
+	name string,
+	rnum int,
+	cs uint32,
+) (err error) {
+	tmpFileName := f.Name()
 
-	tmpFile, err := os.CreateTemp(filepath.Join(Context.getDataDir(), filterDir), "")
+	// Close the file before renaming it because it's required on Windows.
+	//
+	// See https://github.com/adguardTeam/adGuardHome/issues/1553.
+	if err = f.Close(); err != nil {
+		return fmt.Errorf("closing temporary file: %w", err)
+	}
+
+	if !updated {
+		log.Tracef("filter #%d from %s has no changes, skip", flt.ID, flt.URL)
+
+		return os.Remove(tmpFileName)
+	}
+
+	log.Printf("saving filter %d contents to: %s", flt.ID, flt.Path())
+
+	if err = os.Rename(tmpFileName, flt.Path()); err != nil {
+		return errors.WithDeferred(err, os.Remove(tmpFileName))
+	}
+
+	flt.Name = stringutil.Coalesce(flt.Name, name)
+	flt.checksum = cs
+	flt.RulesCount = rnum
+
+	return nil
+}
+
+// processUpdate copies filter's content from src to dst and returns the name,
+// rules number, and checksum for it.  It also returns the number of bytes read
+// from src.
+func (f *Filtering) processUpdate(
+	src io.Reader,
+	dst *os.File,
+	flt *filter,
+) (name string, rnum int, cs uint32, n int, err error) {
+	if n, err = f.read(src, dst, flt); err != nil {
+		return "", 0, 0, 0, err
+	}
+
+	if _, err = dst.Seek(0, io.SeekStart); err != nil {
+		return "", 0, 0, 0, err
+	}
+
+	rnum, cs, name = f.parseFilterContents(dst)
+
+	return name, rnum, cs, n, nil
+}
+
+// updateIntl updates the flt rewriting it's actual file.  It returns true if
+// the actual update has been performed.
+func (f *Filtering) updateIntl(flt *filter) (ok bool, err error) {
+	log.Tracef("downloading update for filter %d from %s", flt.ID, flt.URL)
+
+	var name string
+	var rnum, n int
+	var cs uint32
+
+	var tmpFile *os.File
+	tmpFile, err = os.CreateTemp(filepath.Join(Context.getDataDir(), filterDir), "")
 	if err != nil {
-		return updated, err
+		return false, err
 	}
 	defer func() {
-		var derr error
+		err = errors.WithDeferred(err, finalizeUpdate(tmpFile, flt, ok, name, rnum, cs))
-		if tmpFile != nil {
+		ok = ok && err == nil
-			if derr = tmpFile.Close(); derr != nil {
+		if ok {
-				log.Printf("Couldn't close temporary file: %s", derr)
+			log.Printf("updated filter %d: %d bytes, %d rules", flt.ID, n, rnum)
-			}
-
-			tmpFileName := tmpFile.Name()
-			if derr = os.Remove(tmpFileName); derr != nil {
-				log.Printf("Couldn't delete temporary file %s: %s", tmpFileName, derr)
-			}
 		}
 	}()
 
@@ -562,72 +622,42 @@ func (f *Filtering) updateIntl(filter *filter) (updated bool, err error) {
 	// end users.
 	//
 	// See https://github.com/AdguardTeam/AdGuardHome/issues/3198.
-	err = tmpFile.Chmod(0o644)
+	if err = tmpFile.Chmod(0o644); err != nil {
-	if err != nil {
+		return false, fmt.Errorf("changing file mode: %w", err)
-		return updated, fmt.Errorf("changing file mode: %w", err)
 	}
 
-	var reader io.Reader
+	var r io.Reader
-	if filepath.IsAbs(filter.URL) {
+	if filepath.IsAbs(flt.URL) {
-		var f io.ReadCloser
+		var file io.ReadCloser
-		f, err = os.Open(filter.URL)
+		file, err = os.Open(flt.URL)
 		if err != nil {
-			return updated, fmt.Errorf("open file: %w", err)
+			return false, fmt.Errorf("open file: %w", err)
 		}
-		defer func() { err = errors.WithDeferred(err, f.Close()) }()
+		defer func() { err = errors.WithDeferred(err, file.Close()) }()
 
-		reader = f
+		r = file
 	} else {
 		var resp *http.Response
-		resp, err = Context.client.Get(filter.URL)
+		resp, err = Context.client.Get(flt.URL)
 		if err != nil {
-			log.Printf("Couldn't request filter from URL %s, skipping: %s", filter.URL, err)
+			log.Printf("requesting filter from %s, skip: %s", flt.URL, err)
 
-			return updated, err
+			return false, err
 		}
 		defer func() { err = errors.WithDeferred(err, resp.Body.Close()) }()
 
 		if resp.StatusCode != http.StatusOK {
-			log.Printf("Got status code %d from URL %s, skipping", resp.StatusCode, filter.URL)
+			log.Printf("got status code %d from %s, skip", resp.StatusCode, flt.URL)
-			return updated, fmt.Errorf("got status code != 200: %d", resp.StatusCode)
+
+			return false, fmt.Errorf("got status code != 200: %d", resp.StatusCode)
 		}
-		reader = resp.Body
+
+		r = resp.Body
 	}
 
-	total, err := f.read(reader, tmpFile, filter)
+	name, rnum, cs, n, err = f.processUpdate(r, tmpFile, flt)
-	if err != nil {
-		return updated, err
-	}
 
-	// Extract filter name and count number of rules
+	return cs != flt.checksum, err
-	_, _ = tmpFile.Seek(0, io.SeekStart)
-	rulesCount, checksum, filterName := f.parseFilterContents(tmpFile)
-	// Check if the filter has been really changed
-	if filter.checksum == checksum {
-		log.Tracef("Filter #%d at URL %s hasn't changed, not updating it", filter.ID, filter.URL)
-		return updated, nil
-	}
-
-	log.Printf("Filter %d has been updated: %d bytes, %d rules",
-		filter.ID, total, rulesCount)
-	if len(filter.Name) == 0 {
-		filter.Name = filterName
-	}
-	filter.RulesCount = rulesCount
-	filter.checksum = checksum
-	filterFilePath := filter.Path()
-	log.Printf("Saving filter %d contents to: %s", filter.ID, filterFilePath)
-
-	// Closing the file before renaming it is necessary on Windows
-	_ = tmpFile.Close()
-	err = os.Rename(tmpFile.Name(), filterFilePath)
-	if err != nil {
-		return updated, err
-	}
-	tmpFile = nil
-	updated = true
-
-	return updated, nil
 }
 
 // loads filter contents from the file in dataDir

internal/home/filter_test.go

@@ -1,76 +1,118 @@
 package home
 
 import (
-	"fmt"
+	"io/fs"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
+	"path"
+	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func testStartFilterListener(t *testing.T) net.Listener {
+const testFltsFileName = "1.txt"
+
+func testStartFilterListener(t *testing.T, fltContent *[]byte) (l net.Listener) {
 	t.Helper()
 
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n, werr := w.Write(*fltContent)
+		require.NoError(t, werr)
+		require.Equal(t, len(*fltContent), n)
+	})
+
+	var err error
+	l, err = net.Listen("tcp", ":0")
+	require.NoError(t, err)
+
+	go func() {
+		_ = http.Serve(l, h)
+	}()
+	t.Cleanup(func() {
+		require.NoError(t, l.Close())
+	})
+
+	return l
+}
+
+func TestFilters(t *testing.T) {
 	const content = `||example.org^$third-party
 	# Inline comment example
 	||example.com^$third-party
 	0.0.0.0 example.com
 	`
 
-	mux := http.NewServeMux()
+	fltContent := []byte(content)
-	mux.HandleFunc("/filters/1.txt", func(w http.ResponseWriter, r *http.Request) {
-		_, werr := w.Write([]byte(content))
-		assert.Nil(t, werr)
-	})
 
-	listener, err := net.Listen("tcp", ":0")
+	l := testStartFilterListener(t, &fltContent)
-	require.Nil(t, err)
-
-	go func() {
-		_ = http.Serve(listener, mux)
-	}()
-
-	t.Cleanup(func() {
-		assert.Nil(t, listener.Close())
-	})
-
-	return listener
-}
-
-func TestFilters(t *testing.T) {
-	l := testStartFilterListener(t)
-	dir := t.TempDir()
 
 	Context = homeContext{
-		workDir: dir,
+		workDir: t.TempDir(),
 		client: &http.Client{
 			Timeout: 5 * time.Second,
 		},
 	}
 	Context.filters.Init()
 
-	f := filter{
+	f := &filter{
-		URL: fmt.Sprintf("http://127.0.0.1:%d/filters/1.txt", l.Addr().(*net.TCPAddr).Port),
+		URL: (&url.URL{
+			Scheme: "http",
+			Host: (&netutil.IPPort{
+				IP:   net.IP{127, 0, 0, 1},
+				Port: l.Addr().(*net.TCPAddr).Port,
+			}).String(),
+			Path: path.Join(filterDir, testFltsFileName),
+		}).String(),
 	}
 
-	// Download.
+	updateAndAssert := func(t *testing.T, want require.BoolAssertionFunc, wantRulesCount int) {
-	ok, err := Context.filters.update(&f)
+		ok, err := Context.filters.update(f)
-	require.Nil(t, err)
+		require.NoError(t, err)
-	require.True(t, ok)
+		want(t, ok)
-	assert.Equal(t, 3, f.RulesCount)
 
-	// Refresh.
+		assert.Equal(t, wantRulesCount, f.RulesCount)
-	ok, err = Context.filters.update(&f)
-	require.Nil(t, err)
-	require.False(t, ok)
 
-	err = Context.filters.load(&f)
+		var dir []fs.DirEntry
-	require.Nil(t, err)
+		dir, err = os.ReadDir(filepath.Join(Context.getDataDir(), filterDir))
+		require.NoError(t, err)
 
-	f.unload()
+		assert.Len(t, dir, 1)
-	require.Nil(t, os.Remove(f.Path()))
+
+		require.FileExists(t, f.Path())
+
+		err = Context.filters.load(f)
+		require.NoError(t, err)
+	}
+
+	t.Run("download", func(t *testing.T) {
+		updateAndAssert(t, require.True, 3)
+	})
+
+	t.Run("refresh_idle", func(t *testing.T) {
+		updateAndAssert(t, require.False, 3)
+	})
+
+	t.Run("refresh_actually", func(t *testing.T) {
+		fltContent = []byte(`||example.com^`)
+		t.Cleanup(func() {
+			fltContent = []byte(content)
+		})
+
+		updateAndAssert(t, require.True, 1)
+	})
+
+	t.Run("load_unload", func(t *testing.T) {
+		err := Context.filters.load(f)
+		require.NoError(t, err)
+
+		f.unload()
+	})
+
+	require.NoError(t, os.Remove(f.Path()))
 }

internal/home/home.go

@@ -69,7 +69,7 @@ type homeContext struct {
 
 	configFilename   string // Config filename (can be overridden via the command line arguments)
 	workDir          string // Location of our directory, used to protect against CWD being somewhere else
-	firstRun         bool   // if set to true, don't run any services except HTTP web inteface, and serve only first-run html
+	firstRun         bool   // if set to true, don't run any services except HTTP web interface, and serve only first-run html
 	pidFileName      string // PID file name.  Empty if no PID file was created.
 	disableUpdate    bool   // If set, don't check for updates
 	controlLock      sync.Mutex
@@ -349,7 +349,7 @@ func run(args options, clientBuildFS fs.FS) {
 
 	setupContext(args)
 
-	err = configureOS(&config)
+	err = configureOS(config)
 	fatalOnError(err)
 
 	// clients package uses filtering package's static data (filtering.BlockedSvcKnown()),

internal/home/mobileconfig.go

@@ -3,6 +3,7 @@ package home
 import (
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"path"
@@ -14,31 +15,54 @@ import (
 	"howett.net/plist"
 )
 
+// dnsSettings is the DNSSetting.DNSSettings mobileconfig profile.
+//
+// See https://developer.apple.com/documentation/devicemanagement/dnssettings/dnssettings.
 type dnsSettings struct {
+	// DNSProtocol is the required protocol to be used.  The valid values
+	// are "HTTPS" and "TLS".
 	DNSProtocol string
-	ServerURL   string `plist:",omitempty"`
+
-	ServerName  string `plist:",omitempty"`
+	// ServerURL is the URI template of the DoH server.  It must be empty if
-	clientID    string
+	// DNSProtocol is not "HTTPS".
+	ServerURL string `plist:",omitempty"`
+
+	// ServerName is the hostname of the DoT server.  It must be empty if
+	// DNSProtocol is not "TLS".
+	ServerName string `plist:",omitempty"`
+
+	// ServerAddresses is a list IP addresses of the server.
+	ServerAddresses []net.IP `plist:",omitempty"`
 }
 
+// payloadContent is a Device Management Profile payload.
+//
+// See https://developer.apple.com/documentation/devicemanagement/configuring_multiple_devices_using_profiles#3234127.
 type payloadContent struct {
-	Name               string
+	DNSSettings *dnsSettings
-	PayloadDescription string
+
-	PayloadDisplayName string
-	PayloadIdentifier  string
 	PayloadType        string
+	PayloadIdentifier  string
 	PayloadUUID        string
-	DNSSettings        dnsSettings
+	PayloadDisplayName string
+	PayloadDescription string
 	PayloadVersion     int
 }
 
+// dnsSettingsPayloadType is the payload type for a DNSSettings profile.
+const dnsSettingsPayloadType = "com.apple.dnsSettings.managed"
+
+// mobileConfig contains the TopLevel properties for configuring Device
+// Management Profiles.
+//
+// See https://developer.apple.com/documentation/devicemanagement/toplevel.
 type mobileConfig struct {
 	PayloadDescription       string
 	PayloadDisplayName       string
 	PayloadIdentifier        string
 	PayloadType              string
 	PayloadUUID              string
-	PayloadContent           []payloadContent
+	PayloadContent           []*payloadContent
 	PayloadVersion           int
 	PayloadRemovalDisallowed bool
 }
@@ -52,7 +76,7 @@ const (
 	dnsProtoTLS   = "TLS"
 )
 
-func getMobileConfig(d dnsSettings) ([]byte, error) {
+func encodeMobileConfig(d *dnsSettings, clientID string) ([]byte, error) {
 	var dspName string
 	switch proto := d.DNSProtocol; proto {
 	case dnsProtoHTTPS:
@@ -60,41 +84,41 @@ func getMobileConfig(d dnsSettings) ([]byte, error) {
 		u := &url.URL{
 			Scheme: schemeHTTPS,
 			Host:   d.ServerName,
-			Path:   path.Join("/dns-query", d.clientID),
+			Path:   path.Join("/dns-query", clientID),
 		}
 		d.ServerURL = u.String()
+
 		// Empty the ServerName field since it is only must be presented
 		// in DNS-over-TLS configuration.
-		//
-		// See https://developer.apple.com/documentation/devicemanagement/dnssettings/dnssettings.
 		d.ServerName = ""
 	case dnsProtoTLS:
 		dspName = fmt.Sprintf("%s DoT", d.ServerName)
-		if d.clientID != "" {
+		if clientID != "" {
-			d.ServerName = d.clientID + "." + d.ServerName
+			d.ServerName = clientID + "." + d.ServerName
 		}
 	default:
 		return nil, fmt.Errorf("bad dns protocol %q", proto)
 	}
 
-	data := mobileConfig{
+	payloadID := fmt.Sprintf("%s.%s", dnsSettingsPayloadType, genUUIDv4())
-		PayloadContent: []payloadContent{{
+	data := &mobileConfig{
-			Name:               dspName,
+		PayloadDescription: "Adds AdGuard Home to macOS Big Sur " +
-			PayloadDescription: "Configures device to use AdGuard Home",
+			"and iOS 14 or newer systems",
-			PayloadDisplayName: dspName,
+		PayloadDisplayName: dspName,
-			PayloadIdentifier:  fmt.Sprintf("com.apple.dnsSettings.managed.%s", genUUIDv4()),
+		PayloadIdentifier:  genUUIDv4(),
-			PayloadType:        "com.apple.dnsSettings.managed",
+		PayloadType:        "Configuration",
+		PayloadUUID:        genUUIDv4(),
+		PayloadContent: []*payloadContent{{
+			PayloadType:        dnsSettingsPayloadType,
+			PayloadIdentifier:  payloadID,
 			PayloadUUID:        genUUIDv4(),
+			PayloadDisplayName: dspName,
+			PayloadDescription: "Configures device to use AdGuard Home",
 			PayloadVersion:     1,
 			DNSSettings:        d,
 		}},
-		PayloadDescription:       "Adds AdGuard Home to Big Sur and iOS 14 or newer systems",
-		PayloadDisplayName:       dspName,
-		PayloadIdentifier:        genUUIDv4(),
-		PayloadRemovalDisallowed: false,
-		PayloadType:              "Configuration",
-		PayloadUUID:              genUUIDv4(),
 		PayloadVersion:           1,
+		PayloadRemovalDisallowed: false,
 	}
 
 	return plist.MarshalIndent(data, plist.XMLFormat, "\t")
@@ -133,13 +157,22 @@ func handleMobileConfig(w http.ResponseWriter, r *http.Request, dnsp string) {
 		}
 	}
 
-	d := dnsSettings{
+	dnsIPs, err := collectDNSIPs()
-		DNSProtocol: dnsp,
+	if err != nil {
-		ServerName:  host,
+		// Don't add a lot of formatting, since the error is already
-		clientID:    clientID,
+		// wrapped by collectDNSIPs.
+		respondJSONError(w, http.StatusInternalServerError, err.Error())
+
+		return
 	}
 
-	mobileconfig, err := getMobileConfig(d)
+	d := &dnsSettings{
+		DNSProtocol:     dnsp,
+		ServerName:      host,
+		ServerAddresses: dnsIPs,
+	}
+
+	mobileconfig, err := encodeMobileConfig(d, clientID)
 	if err != nil {
 		respondJSONError(w, http.StatusInternalServerError, err.Error())
 
@@ -170,3 +203,25 @@ func handleMobileConfigDoH(w http.ResponseWriter, r *http.Request) {
 func handleMobileConfigDoT(w http.ResponseWriter, r *http.Request) {
 	handleMobileConfig(w, r, dnsProtoTLS)
 }
+
+// collectDNSIPs returns a slice of IP addresses the server is listening
+// on, including the addresses on all interfaces in cases of unspecified IPs but
+// excluding loopback addresses.
+func collectDNSIPs() (ips []net.IP, err error) {
+	// TODO(a.garipov): This really shouldn't be a function that parses
+	// a list of strings.  Instead, we need a function that returns this
+	// data as []net.IP or []*netutil.IPPort.  Maybe someday.
+	addrs, err := collectDNSAddresses()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, addr := range addrs {
+		ip := net.ParseIP(addr)
+		if ip != nil && !ip.IsLoopback() {
+			ips = append(ips, ip)
+		}
+	}
+
+	return ips, nil
+}

internal/home/mobileconfig_test.go

@@ -3,16 +3,42 @@ package home
 import (
 	"bytes"
 	"encoding/json"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"howett.net/plist"
 )
 
+// setupDNSIPs is a helper that sets up the server IP address configuration for
+// tests and also tears it down in a cleanup function.
+func setupDNSIPs(t testing.TB) {
+	t.Helper()
+
+	prevConfig := config
+	prevTLS := Context.tls
+	t.Cleanup(func() {
+		config = prevConfig
+		Context.tls = prevTLS
+	})
+
+	config = &configuration{
+		DNS: dnsConfig{
+			BindHosts: []net.IP{netutil.IPv4Zero()},
+			Port:      defaultPortDNS,
+		},
+	}
+
+	Context.tls = &TLSMod{}
+}
+
 func TestHandleMobileConfigDoH(t *testing.T) {
+	setupDNSIPs(t)
+
 	t.Run("success", func(t *testing.T) {
 		r, err := http.NewRequest(http.MethodGet, "https://example.com:12345/apple/doh.mobileconfig?host=example.org", nil)
 		require.NoError(t, err)
@@ -25,11 +51,16 @@ func TestHandleMobileConfigDoH(t *testing.T) {
 		var mc mobileConfig
 		_, err = plist.Unmarshal(w.Body.Bytes(), &mc)
 		require.NoError(t, err)
-
 		require.Len(t, mc.PayloadContent, 1)
-		assert.Equal(t, "example.org DoH", mc.PayloadContent[0].Name)
+
 		assert.Equal(t, "example.org DoH", mc.PayloadContent[0].PayloadDisplayName)
-		assert.Equal(t, "https://example.org/dns-query", mc.PayloadContent[0].DNSSettings.ServerURL)
+
+		s := mc.PayloadContent[0].DNSSettings
+		require.NotNil(t, s)
+
+		assert.NotEmpty(t, s.ServerAddresses)
+		assert.Empty(t, s.ServerName)
+		assert.Equal(t, "https://example.org/dns-query", s.ServerURL)
 	})
 
 	t.Run("error_no_host", func(t *testing.T) {
@@ -66,15 +97,22 @@ func TestHandleMobileConfigDoH(t *testing.T) {
 		var mc mobileConfig
 		_, err = plist.Unmarshal(w.Body.Bytes(), &mc)
 		require.NoError(t, err)
-
 		require.Len(t, mc.PayloadContent, 1)
-		assert.Equal(t, "example.org DoH", mc.PayloadContent[0].Name)
+
 		assert.Equal(t, "example.org DoH", mc.PayloadContent[0].PayloadDisplayName)
-		assert.Equal(t, "https://example.org/dns-query/cli42", mc.PayloadContent[0].DNSSettings.ServerURL)
+
+		s := mc.PayloadContent[0].DNSSettings
+		require.NotNil(t, s)
+
+		assert.NotEmpty(t, s.ServerAddresses)
+		assert.Empty(t, s.ServerName)
+		assert.Equal(t, "https://example.org/dns-query/cli42", s.ServerURL)
 	})
 }
 
 func TestHandleMobileConfigDoT(t *testing.T) {
+	setupDNSIPs(t)
+
 	t.Run("success", func(t *testing.T) {
 		r, err := http.NewRequest(http.MethodGet, "https://example.com:12345/apple/dot.mobileconfig?host=example.org", nil)
 		require.NoError(t, err)
@@ -87,11 +125,16 @@ func TestHandleMobileConfigDoT(t *testing.T) {
 		var mc mobileConfig
 		_, err = plist.Unmarshal(w.Body.Bytes(), &mc)
 		require.NoError(t, err)
-
 		require.Len(t, mc.PayloadContent, 1)
-		assert.Equal(t, "example.org DoT", mc.PayloadContent[0].Name)
+
 		assert.Equal(t, "example.org DoT", mc.PayloadContent[0].PayloadDisplayName)
-		assert.Equal(t, "example.org", mc.PayloadContent[0].DNSSettings.ServerName)
+
+		s := mc.PayloadContent[0].DNSSettings
+		require.NotNil(t, s)
+
+		assert.NotEmpty(t, s.ServerAddresses)
+		assert.Equal(t, "example.org", s.ServerName)
+		assert.Empty(t, s.ServerURL)
 	})
 
 	t.Run("error_no_host", func(t *testing.T) {
@@ -129,10 +172,15 @@ func TestHandleMobileConfigDoT(t *testing.T) {
 		var mc mobileConfig
 		_, err = plist.Unmarshal(w.Body.Bytes(), &mc)
 		require.NoError(t, err)
-
 		require.Len(t, mc.PayloadContent, 1)
-		assert.Equal(t, "example.org DoT", mc.PayloadContent[0].Name)
+
 		assert.Equal(t, "example.org DoT", mc.PayloadContent[0].PayloadDisplayName)
-		assert.Equal(t, "cli42.example.org", mc.PayloadContent[0].DNSSettings.ServerName)
+
+		s := mc.PayloadContent[0].DNSSettings
+		require.NotNil(t, s)
+
+		assert.NotEmpty(t, s.ServerAddresses)
+		assert.Equal(t, "cli42.example.org", s.ServerName)
+		assert.Empty(t, s.ServerURL)
 	})
 }

internal/home/service.go

@@ -17,8 +17,8 @@ import (
 	"github.com/kardianos/service"
 )
 
-// TODO(a.garipov): Move shell templates into actual files.  Either during the
+// TODO(a.garipov): Consider moving the shell templates into actual files and
-// v0.106.0 cycle using packr or during the following cycle using go:embed.
+// using go:embed instead of using large string constants.
 
 const (
 	launchdStdoutPath  = "/var/log/AdGuardHome.stdout.log"
@@ -310,16 +310,24 @@ func configureService(c *service.Config) {
 	// This key is used to start the job as soon as it has been loaded. For daemons this means execution at boot time, for agents execution at login.
 	c.Option["RunAtLoad"] = true
 
-	// POSIX
+	// POSIX / systemd
 
-	// Redirect StdErr & StdOut to files.
+	// Redirect stderr and stdout to files.  Make sure we always restart.
 	c.Option["LogOutput"] = true
+	c.Option["Restart"] = "always"
 
-	// Use modified service file templates.
+	// Start only once network is up on Linux/systemd.
+	if runtime.GOOS == "linux" {
+		c.Dependencies = []string{
+			"After=syslog.target network-online.target",
+		}
+	}
+
+	// Use the modified service file templates.
 	c.Option["SystemdScript"] = systemdScript
 	c.Option["SysvScript"] = sysvScript
 
-	// On OpenWrt we're using a different type of sysvScript.
+	// Use different scripts on OpenWrt and FreeBSD.
 	if aghos.IsOpenWrt() {
 		c.Option["SysvScript"] = openWrtScript
 	} else if runtime.GOOS == "freebsd" {
@@ -368,17 +376,26 @@ var launchdConfig = `<?xml version='1.0' encoding='UTF-8'?>
 </plist>
 `
 
-// Note: we should keep it in sync with the template from service_systemd_linux.go file
+// systemdScript is an improved version of the systemd script originally from
-// Add "After=" setting for systemd service file, because we must be started only after network is online
+// the systemdScript constant in file service_systemd_linux.go in module
-// Set "RestartSec" to 10
+// github.com/kardianos/service.  The following changes have been made:
+//
+// 1.  The RestartSec setting is set to a lower value of 10 to make sure we
+//     always restart quickly.
+//
+// 2.  The ExecStartPre setting is added to make sure that the log directory is
+//     always created to prevent the 209/STDOUT errors.
+//
 const systemdScript = `[Unit]
 Description={{.Description}}
 ConditionFileIsExecutable={{.Path|cmdEscape}}
-After=syslog.target network-online.target
+{{range $i, $dep := .Dependencies}}
+{{$dep}} {{end}}
 
 [Service]
 StartLimitInterval=5
 StartLimitBurst=10
+ExecStartPre=/bin/mkdir -p /var/log/
 ExecStart={{.Path|cmdEscape}}{{range .Arguments}} {{.|cmd}}{{end}}
 {{if .ChRoot}}RootDirectory={{.ChRoot|cmd}}{{end}}
 {{if .WorkingDirectory}}WorkingDirectory={{.WorkingDirectory|cmdEscape}}{{end}}
@@ -389,7 +406,9 @@ ExecStart={{.Path|cmdEscape}}{{range .Arguments}} {{.|cmd}}{{end}}
 StandardOutput=file:/var/log/{{.Name}}.out
 StandardError=file:/var/log/{{.Name}}.err
 {{- end}}
-Restart=always
+{{if gt .LimitNOFILE -1 }}LimitNOFILE={{.LimitNOFILE}}{{end}}
+{{if .Restart}}Restart={{.Restart}}{{end}}
+{{if .SuccessExitStatus}}SuccessExitStatus={{.SuccessExitStatus}}{{end}}
 RestartSec=10
 EnvironmentFile=-/etc/sysconfig/{{.Name}}
 

openapi/CHANGELOG.md

@@ -4,12 +4,25 @@
 
 ## v0.107: API changes
 
+### New possible value of `"name"` field in `QueryLogItemClient`
+
+* The value of `"name"` field in `GET /control/querylog` method is never empty:
+  either persistent client's name or runtime client's hostname.
+
+### Lists in `AccessList`
+
+* Fields `"allowed_clients"`, `"disallowed_clients"` and `"blocked_hosts"` in
+  `POST /access/set` now should contain only unique elements.
+
+* Fields `"allowed_clients"` and `"disallowed_clients"` cannot contain the same
+  elements.
+
 ### The new field `"private_key_saved"` in `TlsConfig`
 
 * The new field `"private_key_saved"` in `POST /control/tls/configure`,
-`POST /control/tls/validate` and `GET /control/tls/status` is true if the
+  `POST /control/tls/validate` and `GET /control/tls/status` is true if the
-private key was previously saved as a string and now the private key omitted
+  private key was previously saved as a string and now the private key omitted
-from communication between server and client due to security issues.
+  from communication between server and client due to security issues.
 
 ### The new field `"cache_optimistic"` in DNS configuration
 

openapi/openapi.yaml

@@ -567,7 +567,7 @@
       'operationId': 'filteringRefresh'
       'summary': >
         Reload filtering rules from URLs.  This might be needed if new URL was
-        just added and you dont want to wait for automatic refresh to kick in.
+        just added and you don't want to wait for automatic refresh to kick in.
         This API request is ratelimited, so you can call it freely as often as
         you like, it wont create unnecessary burden on servers that host the
         URL.  This should work as intended, a `force` parameter is offered as
@@ -1962,15 +1962,14 @@
             The rule due to which the client is allowed or blocked.
         'name':
           'description': >
-            Persistent client's name or an empty string if this is a runtime
+            Persistent client's name or runtime client's hostname.  May be
-            client.
+            empty.
           'type': 'string'
         'whois':
           '$ref': '#/components/schemas/QueryLogItemClientWhois'
       'required':
       - 'disallowed'
       - 'disallowed_rule'
-      - 'ids'
       - 'name'
       - 'whois'
       'type': 'object'
@@ -2363,7 +2362,10 @@
     'AccessSetRequest':
       '$ref': '#/components/schemas/AccessList'
     'AccessList':
-      'description': 'Client and host access list'
+      'description': >
+        Client and host access list.  Each of the lists should contain only
+        unique elements.  In addition, allowed and disallowed lists cannot
+        contain the same elements.
       'properties':
         'allowed_clients':
           'description': >

scripts/install.sh

@@ -47,7 +47,7 @@ is_little_endian() {
 # machine.  The required software:
 #
 #   curl
-#   unzip (macOS) / tar (other unices)
+#   unzip (macOS) / tar (other unixes)
 #
 check_required() {
 	required_darwin="unzip"
@@ -426,6 +426,8 @@ download() {
 	then
 		error_exit "cannot download the package from $url into $pkg_name"
 	fi
+
+	log "successfully downloaded $pkg_name"
 }
 
 # Function unpack unpacks the passed archive depending on it's extension.
@@ -433,7 +435,7 @@ unpack() {
 	log "unpacking package from $pkg_name into $out_dir"
 	if ! mkdir -p "$out_dir"
 	then
-		error_exit "cannot create directory at the $out_dir"
+		error_exit "cannot create directory $out_dir"
 	fi
 
 	case "$pkg_ext"
@@ -449,6 +451,8 @@ unpack() {
 		;;
 	esac
 
+	log "successfully unpacked, contents: $( echo; ls -l -A "$agh_dir" )"
+
 	rm "$pkg_name"
 }
 
@@ -507,6 +511,8 @@ install_service() {
 		return 0
 	fi
 
+	log "installation failed, removing $agh_dir"
+
 	rm -r "$agh_dir"
 
 	# Some devices detected to have armv7 CPU face the compatibility

scripts/snap/snap.tmpl.yaml

@@ -23,9 +23,9 @@
   'adguard-home':
     'command': 'AdGuardHome --no-check-update -w $SNAP_DATA'
     'plugs':
-    # Add the "netrwork-bind" plug to bind to interfaces.
+    # Add the "network-bind" plug to bind to interfaces.
     - 'network-bind'
-    # Add the "netrwork-observe" plug to be able to bind to ports below 1024
+    # Add the "network-observe" plug to be able to bind to ports below 1024
     # (cap_net_bind_service) and also to bind to a particular interface using
     # SO_BINDTODEVICE (cap_net_raw).
     - 'network-observe'