23 files changed, 977 insertions, 253 deletions

diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index a56e8a91b..84fe44d73 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
         // don't copy it if we already have the file
         struct stat s;
-        if (stat(outfname, &s) == 0) {
+        if (lstat(outfname, &s) == 0) {
                 if (first)
                         first = 0;
                 else if (!arg_quiet)
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
         }
 
         // extract mode and ownership
-        if (stat(infname, &s) != 0)
+        if (lstat(infname, &s) != 0)
                 goto out;
 
         uid_t uid = s.st_uid;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a89add9d0..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,6 +1,8 @@
 # /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
+# Note: Normal comment lines should start with `# ` and commented code lines
+# should start with just `#` (no spaces).
 0ad
 1password
 2048-qt
@@ -51,7 +53,7 @@ ani-cli
 anydesk
 apktool
 apostrophe
-# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#ar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
 ardour4
@@ -63,9 +65,9 @@ arm
 artha
 assogiate
 asunder
-# atom
-# atom-beta
-# atool - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#atom
+#atom-beta
+#atool # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 atril
 atril-previewer
 atril-thumbnailer
@@ -99,6 +101,7 @@ bitwarden
 bleachbit
 blender
 blender-2.8
+blender-3.6
 bless
 blobby
 blobwars
@@ -112,10 +115,10 @@ brave-browser-beta
 brave-browser-dev
 brave-browser-nightly
 brave-browser-stable
-# bunzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bunzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 bzflag
-# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 cachy-browser
 calibre
 calligra
@@ -145,12 +148,13 @@ chromium-freeworld
 cin
 cinelerra
 cinelerra-gg
+clac
 clamdscan
 clamdtop
 clamscan
 clamtk
-clawsker
 claws-mail
+clawsker
 clementine
 clion
 clion-eap
@@ -182,6 +186,7 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
 daisy
 darktable
 dconf-editor
@@ -192,7 +197,6 @@ deluge
 desktopeditors
 devhelp
 dex2jar
-d-feet
 dia
 dig
 digikam
@@ -236,14 +240,14 @@ enpass
 eog
 eom
 ephemeral
-#epiphany - see #2995
+#epiphany # see #2995
 equalx
 et
 etr
 evince
 evince-previewer
 evince-thumbnailer
-#evolution - see #3647
+#evolution # see #3647
 exfalso
 exiftool
 falkon
@@ -271,8 +275,9 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-fontforge
+fluffychat
 font-manager
+fontforge
 fossamail
 four-in-a-row
 fractal
@@ -319,7 +324,7 @@ git-cola
 gitg
 github-desktop
 gitter
-# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
+#gjs # https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
 gl-117
 glaxium
 globaltime
@@ -384,12 +389,12 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
-gtk2-youtube-viewer
-gtk3-youtube-viewer
 gtk-lbry-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -410,8 +415,8 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
@@ -430,6 +435,7 @@ jdownloader
 jerry
 jitsi
 jitsi-meet-desktop
+journal-viewer
 jumpnbump
 jumpnbump-menu
 k3b
@@ -440,7 +446,7 @@ karbon
 kate
 kazam
 kcalc
-# kdeinit4
+#kdeinit4
 kdenlive
 kdiff3
 keepass
@@ -450,7 +456,7 @@ keepassx2
 keepassxc
 keepassxc-cli
 keepassxc-proxy
-# kfind
+#kfind
 kget
 kid3
 kid3-cli
@@ -467,15 +473,16 @@ kodi
 konversation
 kopete
 krita
-# krunner
+#krunner
 ktorrent
 ktouch
 kube
-# kwin_x11
+#kwin_x11
 kwrite
 lbry-viewer
 leafpad
-# less - breaks man
+#less # breaks man
+lettura
 librecad
 libreoffice
 librewolf
@@ -500,12 +507,12 @@ lollypop
 lomath
 loweb
 lowriter
-# lrunzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrz - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrz # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrztar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzuntar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 luminance-hdr
 lximage-qt
 lxmusic
@@ -559,7 +566,6 @@ mp3wrap
 mpDris2
 mpg123
 mpg123-alsa
-mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -568,6 +574,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -636,11 +643,11 @@ onionshare-cli
 onionshare-gui
 ooffice
 ooviewdoc
+open-invaders
 openarena
 openarena_ded
 opencity
 openclonk
-open-invaders
 openmw
 openmw-launcher
 openoffice.org
@@ -697,9 +704,9 @@ profanity
 psi
 psi-plus
 pybitmessage
-# pycharm-community - FB note: may enable later
-# pycharm-professional
-# pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#pycharm-community # FB note: may enable later
+#pycharm-professional
+#pzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
 qcomicbook
 qemu-launcher
@@ -780,22 +787,22 @@ sniffnet
 snox
 soffice
 sol
-soundconverter
 sound-juicer
+soundconverter
 spectacle
 spectral
 spotify
 sqlitebrowser
 ssh
-# ssh-agent - problems on Arch with Fish shell (#1568)
+#ssh-agent # problems on Arch with Fish shell (#1568)
 standardnotes-desktop
 start-tor-browser
 steam
 steam-native
 steam-runtime
 stellarium
-strawberry
 straw-viewer
+strawberry
 strings
 studio.sh
 subdownloader
@@ -818,15 +825,17 @@ telegram
 telegram-desktop
 telnet
 terasology
+termshark
 tesseract
 textmaker18
 textmaker18free
 thunderbird
 thunderbird-beta
 thunderbird-wayland
+tidal-hifi
 tilp
+tiny-rdm
 tor-browser
-torbrowser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -848,7 +857,6 @@ tor-browser-it
 tor-browser-ja
 tor-browser-ka
 tor-browser-ko
-torbrowser-launcher
 tor-browser-nb
 tor-browser-nl
 tor-browser-pl
@@ -859,6 +867,8 @@ tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
 tor-browser-zh-tw
+torbrowser
+torbrowser-launcher
 torcs
 totem
 tracker
@@ -888,7 +898,7 @@ uget-gtk
 unbound
 unf
 unknown-horizons
-# unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 url-eater
 utox
 uudeview
@@ -901,10 +911,10 @@ vivaldi-beta
 vivaldi-snapshot
 vivaldi-stable
 vlc
-#vmplayer - unable to install kernel modules (see #5861)
-#vmware - unable to install kernel modules (see #5861)
-#vmware-player - unable to install kernel modules (see #5861)
-#vmware-workstation - unable to install kernel modules (see #5861)
+#vmplayer # unable to install kernel modules (see #5861)
+#vmware # unable to install kernel modules (see #5861)
+#vmware-player # unable to install kernel modules (see #5861)
+#vmware-workstation # unable to install kernel modules (see #5861)
 vscodium
 vulturesclaw
 vultureseye
@@ -968,8 +978,8 @@ yelp
 youtube
 youtube-dl
 youtube-dl-gui
-youtubemusic-nativefier
 youtube-viewer
+youtubemusic-nativefier
 yt-dlp
 ytmdesktop
 zaproxy
@@ -979,10 +989,10 @@ zeal
 zim
 zlib-flate
 zoom
-# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdgrep - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdless - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdmt - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zpaq # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdgrep # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdless # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdmt # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 zulip
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a4f727c0a..bb20a0da6 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -43,6 +43,16 @@ int appimage_find_profile(const char *archive) {
         assert(archive);
         assert(strlen(archive));
 
+        // extract the name of the appimage from a full path
+        // example: archive = /opt/kdenlive-20.12.2-x86_64.appimage
+        const char *arc = strrchr(archive, '/');
+        if (arc)
+                arc++;
+        else
+                arc = archive;
+        if (arg_debug)
+                printf("Looking for a %s profile\n", arc);
+
         // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
         FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
         if (!fp) {
@@ -56,7 +66,8 @@ int appimage_find_profile(const char *archive) {
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-                if (strcasestr(archive, buf)) {
+                char *found = strcasestr(arc, buf);
+                if (found == arc) {
                         fclose(fp);
                         return profile_find_firejail(buf, 1);
                 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 182f26e53..28fecfb98 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -281,6 +281,8 @@ void fs_blacklist(void) {
         if (!entry)
                 return;
 
+        timetrace_start();
+
         size_t noblacklist_c = 0;
         size_t noblacklist_m = 32;
         char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist));
@@ -463,6 +465,8 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
+
+        fmessage("Base filesystem installed in %0.2f ms\n", timetrace_end());
 }
 
 //***********************************************
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 583888e0e..b43c36c1a 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
                 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 
         // bring in xauth libraries
+
+        char *xauth_bin = find_in_path("xauth");
         if (arg_x11_xorg)
-                fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+                fslib_mount_libs(xauth_bin, 1); // parse as user
+
+        free(xauth_bin);
 
         fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
 
         // file size
         char *sz;
-        if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+        if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
                 errExit("asprintf");
 
         // file name
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b0d5dac17..0c9c80137 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -420,7 +420,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("x11");
         }
 #endif
-#ifdef HAVE_NETWORK
         else if (strcmp(argv[i], "--nettrace") == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         if (getuid() != 0) {
@@ -524,8 +523,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
 
-
-
+#ifdef HAVE_NETWORK
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         logargs(argc, argv);
@@ -3217,13 +3215,18 @@ int main(int argc, char **argv, char **envp) {
 
                 gid_t g;
                 if (!arg_nogroups || !check_can_drop_all_groups()) {
-                        // add audio group
+                        // add audio groups
                         if (!arg_nosound) {
                                 g = get_group_id("audio");
                                 if (g) {
                                         sprintf(ptr, "%d %d 1\n", g, g);
                                         ptr += strlen(ptr);
                                 }
+                                g = get_group_id("pipewire");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
 
                         // add video group
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 6bc6230f0..fea842d93 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -47,6 +47,16 @@ static void init_paths(void) {
                 errExit("calloc");
         memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
+        // lots of distros set /bin as a symlink to /usr/bin;
+        // we remove /bin form the path to speed up path-based operations such as blacklist
+        int bin_symlink = 0;
+        p = realpath("/bin", NULL);
+        if (p) {
+                if (strcmp(p, "/usr/bin") == 0)
+                        bin_symlink = 1;
+        }
+        free(p);
+
         // fill in 'paths' with pointers to elements of 'path'
         unsigned int i = 0, j;
         unsigned int len;
@@ -62,6 +72,14 @@ static void init_paths(void) {
                 if (len == 0)
                         goto skip;
 
+                //deal with /bin - /usr/bin symlink
+                if (bin_symlink > 0) {
+                        if (strcmp(elt, "/bin") == 0 || strcmp(elt, "/usr/bin") == 0)
+                                bin_symlink++;
+                        if (bin_symlink == 3)
+                                goto skip;
+                }
+
                 // filter out duplicate entries
                 for (j = 0; j < i; j++)
                         if (strcmp(elt, paths[j]) == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bdaaed433..8cc5c1166 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -484,7 +484,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+        else if (strncmp(ptr, "dbus-user ", 10) == 0) {
 #ifdef HAVE_DBUSPROXY
                 ptr += 10;
                 if (strcmp("filter", ptr) == 0) {
@@ -551,7 +551,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 1;
         }
-        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+        else if (strncmp(ptr, "dbus-system ", 12) == 0) {
 #ifdef HAVE_DBUSPROXY
                 ptr += 12;
                 if (strcmp("filter", ptr) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 538f5be67..827be5d85 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -878,7 +878,8 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // appimage
         //****************************
-        appimage_mount();
+        if (arg_appimage)
+                appimage_mount();
 
         //****************************
         // private mode
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 87b771867..bd32181b5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -207,6 +207,8 @@ static void clean_supplementary_groups(gid_t gid) {
         if (!arg_nosound) {
                 copy_group_ifcont("audio", groups, ngroups,
                                   new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("pipewire", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
         }
 
         if (!arg_novideo) {
@@ -1474,7 +1476,7 @@ int ascii_isxdigit(unsigned char c) {
         return ret;
 }
 
-// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.txt.
+// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.1.in.
 //
 // Allow only ASCII letters, digits and a few special characters; names with
 // only numbers are rejected; spaces and control characters are rejected.
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2eaa9bde5..3721a2c2c 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 
-
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -1175,31 +1174,38 @@ void x11_xorg(void) {
                 exit(1);
         }
 
+        char *xauth_bin = find_in_path("xauth");
+
         // check xauth utility is present in the system
-        struct stat s;
-        if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
+        if (!xauth_bin) {
+                fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                 fprintf(stderr, "   Arch: sudo pacman -S xorg-xauth\n");
                 fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                 exit(1);
         }
+
+        struct stat s;
+        if (stat(xauth_bin, &s) == -1) {
+                fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
+                exit(1);
+        }
         if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
-                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+                fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
                 exit(1);
         }
         if (s.st_size > 1024 * 1024) {
-                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
+                fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
                 exit(1);
         }
-        // copy /usr/bin/xauth in the sandbox and set mode to 0711
+        // copy xauth in the sandbox and set mode to 0711
         // users are not able to trace the running xauth this way
         if (arg_debug)
-                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
-        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
-                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
-                exit(1);
-        }
+                printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
+
+        copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711);
+
+        free(xauth_bin);
 
         fmessage("Generating a new .Xauthority file\n");
         mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 77739c1f3..63d69d1cd 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -185,7 +185,7 @@ static int procevent_netlink_setup(void) {
                 if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &bsize, &blen) == -1)
                         fprintf(stderr, "Error: cannot read rx buffer size\n");
                 else
-                        printf("rx buffer size %d\n", bsize / 2); // the value returned is duble the real one, see man 7 socket
+                        printf("rx buffer size %d\n", bsize / 2); // the value returned is double the real one, see man 7 socket
         }
 
         // send monitoring message
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 6324a17db..38222fe2e 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -66,7 +66,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 
         // filter output
         char tmp[sizeof(last)];
-        snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s (type %u)%s",
+        snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  DNS %s (type %u)%s",
                 t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1,
                 type, (nxdomain)? " NXDOMAIN": "");
         if (strcmp(tmp, last)) {
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index d4fbf703a..d0a4f115a 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -32,16 +32,15 @@ static char last[512] = {'\0'};
 static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
         assert(pkt);
 
+        // expecting a handshake packet and client hello
+        if (pkt[0] != 0x16 || pkt[5] != 0x01)
+                return;
+
         char ip[30];
         sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_dest));
         time_t seconds = time(NULL);
         struct tm *t = localtime(&seconds);
 
-        // expecting a handshake packet and client hello
-        if (pkt[0] != 0x16 || pkt[5] != 0x01)
-                goto errout;
-
-
         // look for server name indication
         unsigned char *ptr = pkt;
         unsigned int i = 0;
@@ -74,7 +73,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
         if (name) {
                 // filter output
                 char tmp[sizeof(last)];
-                snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+                snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  SNI %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
                 if (strcmp(tmp, last)) {
                         printf("%s\n", tmp);
                         fflush(0);
@@ -85,11 +84,6 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
                 goto nosni;
         return;
 
-errout:
-        printf("%02d:%02d:%02d  %-15s  Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
-        fflush(0);
-        return;
-
 nosni:
         printf("%02d:%02d:%02d  %-15s  no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
         return;
diff --git a/src/fnettrace/event.c b/src/fnettrace/event.c
new file mode 100644
index 000000000..f4ccf5360
--- /dev/null
+++ b/src/fnettrace/event.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2014-2023 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+
+typedef struct event_t {
+        struct event_t *next;
+        char *record;
+} Event;
+
+static Event *event = NULL;
+static Event *last_event = NULL;
+int ev_cnt = 0;
+
+void ev_clear(void) {
+        ev_cnt = 0;
+        Event *ev = event;
+        while (ev) {
+                Event *next = ev->next;
+                free(ev->record);
+                free(ev);
+                ev = next;
+        }
+        event = NULL;
+}
+
+void ev_add(char *record) {
+        assert(record);
+
+        // braking recursivity
+        if (*record == '\0')
+                return;
+
+        char *ptr = strchr(record, '\n');
+        if (ptr)
+                *ptr = '\0';
+
+        // filter out duplicates
+        if (event && strcmp(event->record, record) == 0)
+                return;
+
+        Event *ev = malloc(sizeof(Event));
+        if (!ev)
+                errExit("malloc");
+        memset(ev, 0, sizeof(Event));
+
+        ev->record = strdup(record);
+        if (!ev->record)
+                errExit("strdup");
+
+        if (event == NULL) {
+                event = ev;
+                last_event = ev;
+        }
+        else {
+                last_event->next = ev;
+                last_event = ev;
+        }
+        ev_cnt++;
+
+        // recursivity
+        if (ptr)
+                ev_add(++ptr);
+}
+
+void ev_print(FILE *fp) {
+        assert(fp);
+
+        Event *ev = event;
+        while (ev) {
+                fprintf(fp, "   ");
+                if (strstr(ev->record, "NXDOMAIN")) {
+                        if (fp == stdout)
+                                ansi_red(ev->record);
+                        else
+                                fprintf(fp, "%s", ev->record);
+                }
+                else if (strstr(ev->record, "SSH connection")) {
+                        if (fp == stdout)
+                                ansi_red(ev->record);
+                        else
+                                fprintf(fp, "%s", ev->record);
+                }
+                else
+                        fprintf(fp, "%s", ev->record);
+                fprintf(fp, "\n");
+                ev = ev->next;
+        }
+}
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
index b4a8f26c7..9b4973235 100644
--- a/src/fnettrace/fnettrace.h
+++ b/src/fnettrace/fnettrace.h
@@ -53,6 +53,27 @@ static inline void ansi_clrscr(void) {
         fflush(0);
 }
 
+static inline void ansi_bold(const char *str) {
+        char str1[] = {0x1b, '[', '1', 'm', '\0'};
+        char str2[] = {0x1b, '[', '0', 'm', '\0'};
+        printf("%s%s%s", str1, str, str2);
+        fflush(0);
+}
+
+static inline void ansi_faint(const char *str) {
+        char str1[] = {0x1b, '[', '2', 'm', '\0'};
+        char str2[] = {0x1b, '[', '0', 'm', '\0'};
+        printf("%s%s%s", str1, str, str2);
+        fflush(0);
+}
+
+static inline void ansi_red(const char *str) {
+        char str1[] = {0x1b, '[', '9', '1', 'm', '\0'};
+        char str2[] = {0x1b, '[', '0', 'm', '\0'};
+        printf("%s%s%s", str1, str, str2);
+        fflush(0);
+}
+
 static inline uint8_t hash(uint32_t ip) {
         uint8_t *ptr = (uint8_t *) &ip;
         // simple byte xor
@@ -78,4 +99,11 @@ void terminal_restore(void);
 // runprog.c
 int runprog(const char *program);
 
+// event.c
+extern int ev_cnt;
+void ev_clear(void);
+void ev_add(char *record);
+void ev_print(FILE *fp);
+
+
 #endif
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 3bafd9090..4db8e7478 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -27,6 +27,12 @@
 
 static char *arg_log = NULL;
 
+// only 0 or negative values; positive values as defined in RFC
+#define PROTOCOL_ICMP 0
+#define PROTOCOL_SSH -1
+
+
+
 //*****************************************************************
 // packet stats
 //*****************************************************************
@@ -42,41 +48,18 @@ uint32_t stats_tor = 0;
 uint32_t stats_http = 0;
 uint32_t stats_ssh = 0;
 
-//*****************************************************************
-// sni/dns log storage
-//*****************************************************************
-typedef struct lognode_t {
-#define LOG_RECORD_LEN 255
-        char record[LOG_RECORD_LEN + 1];
-} LogNode;
-// circular list of SNI log records
-#define SNIMAX 64
-LogNode sni_table[SNIMAX] = {0};
-int sni_index = 0;
-
-// circular list of SNI log records
-#define DNSMAX 64
-LogNode dns_table[SNIMAX] = {0};
-int dns_index = 0;
-
-static void print_sni(void) {
-        int i;
-        for (i = sni_index; i < SNIMAX; i++)
-                if (*sni_table[i].record)
-                        printf("   %s", sni_table[i].record);
-        for (i = 0; i < sni_index; i++)
-                if (*sni_table[i].record)
-                        printf("   %s", sni_table[i].record);
-}
-
-static void print_dns(void) {
-        int i;
-        for (i = dns_index; i < DNSMAX; i++)
-                if (*dns_table[i].record)
-                        printf("   %s", dns_table[i].record);
-        for (i = 0; i < dns_index; i++)
-                if (*dns_table[i].record)
-                        printf("   %s", dns_table[i].record);
+static void clear_stats(void) {
+        stats_pkts = 0;
+        stats_icmp_echo = 0;
+        stats_dns = 0;
+        stats_dns_dot = 0;
+        stats_dns_doh = 0;
+        stats_dns_doq = 0;
+        stats_tls = 0;
+        stats_quic = 0;
+        stats_tor = 0;
+        stats_http = 0;
+        stats_ssh = 0;
 }
 
 //*****************************************************************
@@ -92,7 +75,7 @@ typedef struct hnode_t {
         uint32_t  bytes;        // number of bytes received in the last display interval
         uint32_t pkts;  // number of packets received in the last display interval
         uint16_t port_src;
-        uint8_t protocol;
+        int protocol;
 
         // the firewall is build based on source address, and in the linked list
         // we could have elements with the same address but different ports
@@ -135,7 +118,7 @@ void hfree(HNode *ptr) {
 }
 
 // using protocol 0 and port 0 for ICMP
-static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint32_t bytes) {
+static void hnode_add(uint32_t ip_src, int protocol, uint16_t port_src, uint32_t bytes) {
         uint8_t h = hash(ip_src);
 
         // find
@@ -325,6 +308,8 @@ static inline const char *common_port(uint16_t port) {
                         return "Tor";
                 else if (port == 9030)
                         return "Tor";
+                else if (port == 9040)
+                        return "Tor";
                 else if (port == 9050)
                         return "Tor";
                 else if (port == 9051)
@@ -383,7 +368,9 @@ static void hnode_print(unsigned bw) {
         else
                 sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL));
 //      int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes);
-        int len = snprintf(line, LINE_MAX, "%32s address:port (protocol) network\n", stats);
+        char faint1[] = {0x1b, '[', '2', 'm', '\0'};
+        char faint2[] = {0x1b, '[', '0', 'm', '\0'};
+        int len = snprintf(line, LINE_MAX, "%32s %saddress:port (protocol) network%s\n", stats, faint1, faint2);
         adjust_line(line, len, cols);
         printf("%s", line);
 
@@ -461,10 +448,14 @@ static void hnode_print(unsigned bw) {
                                 protocol = "UDP";
                         else if (ptr->protocol == 0x06)
                                 protocol = "TCP";
+                        else if (ptr->protocol == PROTOCOL_SSH) {
+                                protocol = "SSH";
+                                stats_ssh += ptr->pkts;
+                        }
 
                         if (protocol == NULL)
                                 protocol = "";
-                        if (ptr->port_src == 0)
+                        if (ptr->port_src == PROTOCOL_ICMP)
                                 len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d (ICMP) %s\n",
                                                bytes, bwline, PRINT_IP(ptr->ip_src), ptr->rnode->name);
                         else
@@ -490,7 +481,7 @@ static void hnode_print(unsigned bw) {
 
                 ptr = next;
         }
-        printf("press any key to access stats\n");
+        ansi_faint("(D)isplay, (S)ave, (C)lear, e(X)it\n");
 
 #ifdef DEBUG
         {
@@ -505,10 +496,34 @@ static void hnode_print(unsigned bw) {
 #endif
 }
 
+static void print_stats(FILE *fp) {
+        assert(fp);
+
+        fprintf(fp, "Stats: %u packets\n", stats_pkts);
+        fprintf(fp, "   encrypted: TLS %u, QUIC %u, Tor %u\n",
+                stats_tls, stats_quic, stats_tor);
+        fprintf(fp, "   unencrypted: HTTP %u\n", stats_http);
+        fprintf(fp, "   C&C backchannel: SSH %u, PING %u, DNS %u, DoH %u, DoT %u, DoQ %u\n",
+                stats_ssh, stats_icmp_echo, stats_dns, stats_dns_doh, stats_dns_dot, stats_dns_doq);
+
+        fprintf(fp, "\n\nIP map");
+        if (fp == stdout)
+                ansi_faint("  - network (packets)\n");
+        else
+                fprintf(fp, "  - network (packets)\n");
+        radix_print(fp, 1);
+
+        fprintf(fp, "\n\nEvents %d", ev_cnt);
+        if (fp == stdout)
+                ansi_faint(" - time address data\n");
+        else
+                fprintf(fp, " - time address data\n");
+        ev_print(fp);
 
-void print_stats(void) {
 }
 
+
+
 // trace rx traffic coming in
 static void run_trace(void) {
         // trace only rx ipv4 tcp and upd
@@ -523,7 +538,7 @@ static void run_trace(void) {
         if (p1 != -1)
                 printf("loading snitrace...");
 
-        int p2 = runprog(LIBDIR "/firejail/fnettrace-dns --nolocal");
+        int p2 = runprog(LIBDIR "/firejail/fnettrace-dns");
         if (p2 != -1)
                 printf("loading dnstrace...");
         unsigned last_print_traces = 0;
@@ -575,40 +590,67 @@ static void run_trace(void) {
                 int icmp = 0;
 
                 if (FD_ISSET(0, &rfds)) {
-                        getchar();
-                        printf("\n\nStats: %u packets\n", stats_pkts);
-                        printf("   encrypted: TLS %u, QUIC %u, SSH %u, Tor %u\n",
-                                stats_tls, stats_quic, stats_ssh, stats_tor);
-                        printf("   unencrypted: HTTP %u\n", stats_http);
-                        printf("   C&C backchannel: PING %u, DNS %u, DoH %u, DoT %u, DoQ %u\n",
-                                stats_icmp_echo, stats_dns, stats_dns_doh, stats_dns_dot, stats_dns_doq);
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
-                        printf("\n\nSNI log - time server-address SNI\n");
-                        print_sni();
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
-                        printf("\n\nDNS log - time server-address domain\n");
-                        print_dns();
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
-                        printf("\n\nIP table: %d addresses - server-address network (packets)\n", radix_nodes);
-                        radix_print(1);
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
+                        int c = getchar();
+                        if (c == 'c' || c == 'C') {
+                                clear_stats();
+                                ev_clear();
+                                radix_clear_data();
+                                continue;
+                        }
+                        else if (c == 'd' || c == 'D') {
+                                printf("\n\n");
+                                ansi_bold("__________________________________________________________________________\n");
+                                print_stats(stdout);
+                                ansi_bold("__________________________________________________________________________\n");
+                                ansi_faint("press any key to continue...");
+                                fflush(0);
+
+                                getchar();
+                                continue;
+                        }
+                        if (c == 's' || c == 'S') {
+                                printf("The file is saved in /tmp directory. Please enter the file name: ");
+                                fflush(0);
+
+                                char buf[LINE_MAX + 5]; // eave some room to add /tmp/
+                                strcpy(buf, "/tmp/");
+                                terminal_restore();
+                                if (fgets(buf + 5, LINE_MAX, stdin) == NULL)
+                                        errExit("fgets");
+                                terminal_set();
+
+                                // remove '\n' and open the file
+                                char *ptr = strchr(buf, '\n');
+                                if (!ptr) { // we should have a '\n'
+                                        printf("Error: invalid file name\n");
+                                        sleep(5);
+                                        continue;
+                                }
+                                *ptr = '\0';
+
+                                FILE *fp = fopen(buf, "w");
+                                if (!fp) {
+                                        printf("Error: cannot open file %s\n", buf);
+                                        perror("fopen");
+                                        sleep(5);
+                                        continue;
+                                }
+
+                                printf("Saving stats in %s file...\n", buf);
+                                print_stats(fp);
+                                fclose(fp);
+                                int rv = chmod(buf, 0600);
+                                (void) rv;
+                                sleep(1);
+                                continue;
+                        }
+                        else if (c == 'x' || c == 'X')
+                                break;
                         continue;
                 }
                 else if (FD_ISSET(p1, &rfds)) {
-                        char buf[1024];
-                        ssize_t sz = read(p1, buf, 1024 - 1);
+                        char buf[LINE_MAX];
+                        ssize_t sz = read(p1, buf, LINE_MAX - 1);
                         if (sz == -1)
                                 errExit("error reading snitrace");
                         if (sz == 0) {
@@ -618,19 +660,13 @@ static void run_trace(void) {
                         if (strncmp(buf, "SNI trace", 9) == 0)
                                 continue;
 
-                        if (sz > LOG_RECORD_LEN)
-                                sz = LOG_RECORD_LEN;
                         buf[sz] = '\0';
-                        strcpy(sni_table[sni_index].record, buf);
-                        if (++sni_index >= SNIMAX) {
-                                sni_index = 0;
-                                *sni_table[sni_index].record = '\0';
-                        }
+                        ev_add(buf);
                         continue;
                 }
                 else if (FD_ISSET(p2, &rfds)) {
-                        char buf[1024];
-                        ssize_t sz = read(p2, buf, 1024 - 1);
+                        char buf[LINE_MAX];
+                        ssize_t sz = read(p2, buf, LINE_MAX - 1);
                         if (sz == -1)
                                 errExit("error reading dnstrace");
                         if (sz == 0) {
@@ -640,16 +676,11 @@ static void run_trace(void) {
                         if (strncmp(buf, "DNS trace", 9) == 0)
                                 continue;
 
-                        if (sz > LOG_RECORD_LEN)
-                                sz = LOG_RECORD_LEN;
                         buf[sz] = '\0';
-                        strcpy(dns_table[dns_index].record, buf);
-                        if (++dns_index >= DNSMAX) {
-                                dns_index = 0;
-                                *dns_table[dns_index].record = '\0';
-                        }
+                        ev_add(buf);
                         continue;
                 }
+                // by default we assume TCP
                 else if (FD_ISSET(s2, &rfds))
                         sock = s2;
                 else if (FD_ISSET(s3, &rfds)) {
@@ -658,7 +689,7 @@ static void run_trace(void) {
                 }
 
                 unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
-                if (bytes >= 20) { // size of IP header
+                if (bytes >= 20) { // minimum size of IP packet
 #ifdef DEBUG
                         {
                                 uint32_t ip_src;
@@ -682,12 +713,30 @@ static void run_trace(void) {
                                 uint8_t hlen = (buf[0] & 0x0f) * 4;
                                 uint16_t port_src = 0;
                                 if (icmp)
-                                        hnode_add(ip_src, 0, 0, bytes + 14);
-                                else {
+                                        hnode_add(ip_src, PROTOCOL_ICMP, 0, bytes + 14);
+                                else { // itcp or udp
                                         memcpy(&port_src, buf + hlen, 2);
                                         port_src = ntohs(port_src);
-
-                                        uint8_t protocol = buf[9];
+                                        int protocol = (int) buf[9];
+
+                                        // detect ssh on a standard or not so standard port (22)
+                                        if (protocol == 6) { // tcp
+                                                uint8_t dataoffset = *(buf + hlen + 12);
+                                                uint8_t tcphlen = (dataoffset >> 2);
+                                                if (memcmp(buf + hlen + tcphlen, "SSH-", 4) == 0) {
+                                                        time_t seconds = time(NULL);
+                                                        struct tm *t = localtime(&seconds);
+                                                        char ip[30];
+                                                        sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_src));
+                                                        char *msg;
+                                                        if (asprintf(&msg, "%02d:%02d:%02d  %-15s  SSH connection",
+                                                                t->tm_hour, t->tm_min, t->tm_sec, ip) == -1)
+                                                                errExit("asprintf");
+                                                        ev_add(msg);
+                                                        free(msg);
+                                                        protocol = PROTOCOL_SSH;
+                                                }
+                                        }
                                         hnode_add(ip_src, protocol, port_src, bytes + 14);
                                 }
 
@@ -705,7 +754,10 @@ static void run_trace(void) {
         close(s1);
         close(s2);
         close(s3);
-        print_stats();
+        if (p1 != -1)
+                close(p1);
+        if (p2 != -1)
+                close(p2);
 }
 
 
@@ -765,7 +817,7 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--print-map") == 0) {
                         char *fname = "static-ip-map.txt";
                         load_hostnames(fname);
-                        radix_print(0);
+                        radix_print(stdout, 0);
                         return 0;
                 }
                 else if (strncmp(argv[i], "--squash-map=", 13) == 0) {
@@ -787,7 +839,7 @@ int main(int argc, char **argv) {
                         printf("# License GPLv2\n");
                         printf("#\n");
 
-                        radix_print(0);
+                        radix_print(stdout, 0);
                         printf("\n#\n#\n# input %d, output %d\n#\n#\n", in, radix_nodes);
                         fprintf(stderr, "static ip map: input %d, output %d\n", in, radix_nodes);
                         return 0;
diff --git a/src/fnettrace/radix.c b/src/fnettrace/radix.c
index 322ee2643..9dfa725a2 100644
--- a/src/fnettrace/radix.c
+++ b/src/fnettrace/radix.c
@@ -151,21 +151,22 @@ RNode *radix_longest_prefix_match(uint32_t ip) {
 }
 
 static uint32_t sum;
-static void print(RNode *ptr, int level, int pkts) {
+static void print(FILE *fp, RNode *ptr, int level, int pkts) {
+        assert(fp);
         if (!ptr)
                 return;
         if (ptr->name) {
                 if (pkts) {
                         if (ptr->pkts) {
-                                printf("   %d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
-                                printf("%s", ptr->name);
-                                printf(" (%u)\n", ptr->pkts);
+                                fprintf(fp, "   %d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
+                                fprintf(fp, "%s", ptr->name);
+                                fprintf(fp, " (%u)\n", ptr->pkts);
                         }
                 }
                 else {
-                        printf("%d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
-                        printf("%s", ptr->name);
-                        printf("\n");
+                        fprintf(fp, "%d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
+                        fprintf(fp, "%s", ptr->name);
+                        fprintf(fp, "\n");
                 }
         }
 
@@ -174,21 +175,21 @@ static void print(RNode *ptr, int level, int pkts) {
 
         level++;
         sum <<= 1;
-        print(ptr->zero, level, pkts);
+        print(fp, ptr->zero, level, pkts);
         sum++;
-        print(ptr->one, level, pkts);
+        print(fp, ptr->one, level, pkts);
         sum--;
         sum >>= 1;
 }
 
-void radix_print(int pkts) {
+void radix_print(FILE *fp, int pkts) {
         if (!head)
                 return;
         sum = 0;
-        print(head->zero, 1, pkts);
+        print(fp, head->zero, 1, pkts);
         assert(sum == 0);
         sum = 1;
-        print(head->one, 1, pkts);
+        print(fp, head->one, 1, pkts);
         assert(sum == 1);
 }
 
@@ -241,3 +242,18 @@ void radix_squash(void) {
         assert(sum == 1);
 
 }
+
+static void clear_data(RNode *ptr) {
+        if (!ptr)
+                return;
+        ptr->pkts = 0;
+        clear_data(ptr->zero);
+        clear_data(ptr->one);
+}
+
+void radix_clear_data(void) {
+        if (!head)
+                return;
+        clear_data(head->zero);
+        clear_data(head->one);
+}
diff --git a/src/fnettrace/radix.h b/src/fnettrace/radix.h
index 358524723..686d60ace 100644
--- a/src/fnettrace/radix.h
+++ b/src/fnettrace/radix.h
@@ -30,7 +30,8 @@ typedef struct rnode_t {
 extern int radix_nodes;
 RNode *radix_longest_prefix_match(uint32_t ip);
 RNode*radix_add(uint32_t ip, uint32_t mask, char *name);
-void radix_print(int pkts);
+void radix_print(FILE *fp, int pkts);
 void radix_squash(void);
+void radix_clear_data(void);
 
 #endif
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index eb66df73f..830df058f 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -92,7 +92,7 @@
 8.8.4.0/24 Google DNS
 8.8.8.0/24 Google DNS
 8.20.247.20/32 Comodo DNS
-8.26.56.26/32 Comodo DNS
+8.26.56.0/24 Comodo DNS
 9.9.9.0/24 Quad9 DNS
 45.90.28.0/22 NextDNS
 45.11.45.0/24 DNS-SB
@@ -103,8 +103,7 @@
 76.76.10.0/24 ControlD DNS
 76.76.19.0/24 Alternate DNS
 76.223.122.150/32 Alternate DNS
-77.88.8.8/32 Yandex DNS
-77.88.8.1/32 Yandex DNS
+77.88.8.0/24 Yandex DNS
 80.80.80.0/24 Freenom DNS Cloud
 80.80.81.0/24 Freenom DNS Cloud
 84.200.69.80/32 DSN Watch
@@ -123,8 +122,7 @@
 205.171.3.66/32 CentyrLink DNS
 205.171.202.166/32 CentyrLink DNS
 208.67.216.0/21 OpenDNS
-216.146.35.35/32 Dyn DNS
-216.146.36.36/32 Dyn DNS
+216.146.32.0/20 Dyn DNS
 
 # whois
 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service
@@ -167,12 +165,9 @@
 66.211.176.0/20 eBay
 66.218.64.0/19 Yahoo
 66.220.144.0/20 Facebook
-69.30.200.200/29 BitChute
 69.53.224.0/19 Netflix
 69.171.224.0/19 Facebook
-69.197.182.184/29 BitChute
 74.6.0.0/16 Yahoo
-74.91.29.208/29 BitChute
 87.250.254.0/24 Yandex
 91.105.192.0/23 Telegram
 91.108.4.0/22 Telegram
@@ -185,22 +180,16 @@
 91.189.94.0/24 Ubuntu One
 95.161.64.0/20 Telegram
 99.181.64.0/18 Twitch
-69.197.138.24/29 BitChute
 103.10.124.0/23 Steam
 103.28.54.0/24 Steam
 103.53.48.0/23 Twitch
 104.244.40.0/21 Twitter
-107.150.32.0/19 BitChute
-107.150.35.192/29 BitChute
-107.150.45.120/29 BitChute
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
+129.144.0.0/12 Oracle
 129.134.0.0/16 Facebook
 140.82.112.0/20 GitHub
-142.54.180.104/29 BitChute
-142.54.181.184/29 BitChute
-142.54.189.192/29 BitChute
-143.55.64.0/20 Github
+143.55.64.0/20 GitHub
 146.66.152.0/24 Steam
 146.66.155.0/24 Steam
 149.154.160.0/20 Telegram
@@ -219,10 +208,6 @@
 162.213.32.0/22 Ubuntu One
 162.254.192.0/21 Steam
 172.98.56.0/22 Rumble
-173.208.154.8/29 BitChute
-173.208.154.160/29 BitChute
-173.208.185.200/29 BitChute
-173.208.219.112/29 BitChute
 178.154.131.0/24 Yandex
 185.2.220.0/22 Netflix
 185.9.188.0/22 Netflix
@@ -235,7 +220,6 @@
 185.125.188.0/22 Ubuntu One
 185.199.108.0/22 GitHub
 185.205.69.0/24 Tutanota
-185.238.113.0/24 Bitchute
 188.64.224.0/21 Twitter
 190.217.33.0/24 Steam
 192.0.64.0/18 Wordpress
@@ -243,24 +227,15 @@
 192.30.252.0/22 GitHub
 192.69.96.0/22 Steam
 192.108.239.0/24 Twitch
-192.151.158.136/29 BitChute
 192.173.64.0/18 Netflix
-192.187.97.88/29 BitChute
-192.187.114.96/29 BitChute
-192.187.123.112/29 BitChute
-192.187.126.0/29 BitChute
 192.189.200.0/23 Dropbox
 194.169.254.0/24 Ubuntu One
 198.38.96.0/19 Netflix
 198.45.48.0/20 Netflix
-198.204.226.120/29 BitChute
-198.204.245.88/29 BitChute
 198.252.206.0/24 Stack Exchange
 199.9.248.0/21 Twitch
 199.16.156.0/22 Twitter
 199.59.148.0/22 Twitter
-199.168.96.24/29 BitChute
-204.12.194.176/29 BitChute
 205.185.194.0/24 Steam
 205.196.6.0/24 Steam
 207.45.72.0/22 Netflix
@@ -270,9 +245,77 @@
 208.75.76.0/22 Netflix
 208.78.164.0/22 Steam
 208.80.152.0/22 Wikipedia
-208.110.68.56/29 BitChute
 209.140.128.0/18 eBay
 
+# BitChute
+63.141.247.168/29 BitChute
+63.141.247.240/29 BitChute
+69.30.200.200/29 BitChute
+69.30.230.64/29 BitChute
+69.30.241.40/29 BitChute
+69.30.241.48/29 BitChute
+69.30.243.168/29 BitChute
+69.30.245.232/29 BitChute
+69.30.253.16/29 BitChute
+69.197.182.184/29 BitChute
+74.91.28.208/29 BitChute
+74.91.29.208/29 BitChute
+69.197.138.24/29 BitChute
+107.150.32.0/19 BitChute
+107.150.35.192/29 BitChute
+107.150.45.120/29 BitChute
+142.54.180.104/29 BitChute
+142.54.181.184/29 BitChute
+142.54.188.112/29 BitChute
+142.54.189.192/29 BitChute
+173.208.154.8/29 BitChute
+173.208.154.160/29 BitChute
+173.208.176.128/29 BitChute
+173.208.185.200/29 BitChute
+173.208.203.224/29 BitChute
+173.208.203.248/29 BitChute
+173.208.211.224/29 BitChute
+173.208.216.40/29 BitChute
+173.208.219.112/29 BitChute
+173.208.246.160/29 BitChute
+185.238.113.0/24 BitChute
+192.151.147.16/29 BitChute
+192.151.158.136/29 BitChute
+192.187.97.88/29 BitChute
+192.187.114.16/29 BitChute
+192.187.114.96/29 BitChute
+192.187.118.168/29 BitChute
+192.187.121.208/29 BitChute
+192.187.122.72/29 BitChute
+192.187.123.112/29 BitChute
+192.187.126.0/29 BitChute
+198.204.226.120/29 BitChute
+198.204.228.48/29 BitChute
+198.204.235.88/29 BitChute
+198.204.235.216/29 BitChute
+198.204.245.32/29 BitChute
+198.204.245.88/29 BitChute
+198.204.250.208/29 BitChute
+198.204.253.64/29 BitChute
+198.204.253.184/29 BitChute
+199.168.96.24/29 BitChute
+199.168.96.64/29 BitChute
+204.12.220.136/29 BitChute
+204.12.194.176/29 BitChute
+204.12.194.248/29 BitChute
+204.12.220.232/29 BitChute
+208.110.68.56/29 BitChute
+
+# WholeSale Internet
+69.30.192.0/18 WholeSale Internet
+69.197.128.0/18 WholeSale Internet
+142.54.160.0/19 WholeSale Internet
+173.208.128.0/17 WholeSale Internet
+204.12.192.0/18 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
+208.110.64.0/19 WholeSale Internet
+208.110.91.0/24 WholeSale Internet
+
 # Imperva
 199.83.128.0/21 Imperva
 198.143.32.0/19 Imperva
@@ -297,6 +340,7 @@
 66.243.0.0/17 Level 3
 66.243.128.0/18 Level 3
 66.251.192.0/19 Level 3
+74.202.0.0/15 Level 3
 205.128.0.0/14 Level 3
 205.180.0.0/14 Level 3
 205.184.0.0/19 Level 3
@@ -325,6 +369,7 @@
 69.16.173.0/24 StackPath
 69.16.174.0/23 StackPath
 69.16.176.0/20 StackPath
+74.209.128.0/20 StackPath
 151.139.0.0/16 StackPath
 205.185.194.0/23 StackPath
 205.185.196.0/23 StackPath
@@ -354,6 +399,7 @@
 45.79.0.0/16 Linode
 50.116.0.0/18 Linode
 66.175.208.0/20 Linode
+74.207.224.0/19 Linode
 103.29.68.0/22 Linode
 104.200.16.0/21 Linode
 104.200.24.0/22 Linode
@@ -461,6 +507,8 @@
 23.72.0.0/13 Akamai
 23.192.0.0/11 Akamai
 72.246.0.0/15 Akamai
+74.121.124.0/22 Akamai
+92.122.160.0/20 Akamai
 96.6.0.0/15 Akamai
 96.16.0.0/15 Akamai
 104.64.0.0/10 Akamai
@@ -533,6 +581,7 @@
 20.48.0.0/12 Microsoft
 20.128.0.0/16 Microsoft
 20.192.0.0/10 Microsoft
+23.96.0.0/13 Microsoft
 40.76.0.0/14 Microsoft
 40.96.0.0/12 Microsoft
 40.112.0.0/13 Microsoft
@@ -541,11 +590,38 @@
 40.80.0.0/12 Microsoft
 40.120.0.0/14 Microsoft
 40.125.0.0/17 Microsoft
+51.4.0.0/15 Microsoft
+51.8.0.0/16 Microsoft
+51.10.0.0/14 Microsoft
+51.51.0.0/16 Microsoft
+51.53.0.0/16 Microsoft
+51.103.0.0/16 Microsoft
+51.107.0.0/16 Microsoft
+51.116.0.0/16 Microsoft
+51.120.0.0/16 Microsoft
+51.124.0.0/16 Microsoft
+51.132.0.0/16 Microsoft
+51.136.0.0/16 Microsoft
+51.140.0.0/15 Microsoft
+52.96.0.0/12 Microsoft
+52.112.0.0/14 Microsoft
+52.120.0.0/14 Microsoft
+52.125.0.0/16 Microsoft
+52.126.0.0/15 Microsoft
+52.132.0.0/14 Microsoft
+52.136.0.0/13 Microsoft
 52.145.0.0/16 Microsoft
+52.146.0.0/15 Microsoft
 52.148.0.0/14 Microsoft
 52.152.0.0/13 Microsoft
-52.146.0.0/15 Microsoft
 52.160.0.0/11 Microsoft
+52.224.0.0/11 Microsoft
+74.160.0.0/14 Microsoft
+74.176.0.0/14 Microsoft
+74.224.0.0/14 Microsoft
+74.234.0.0/15 Microsoft
+74.240.0.0/14 Microsoft
+74.248.0.0/15 Microsoft
 168.61.0.0/16 Microsoft
 168.62.0.0/15 Microsoft
 
@@ -561,6 +637,7 @@
 206.190.32.0/19 Yahoo
 209.73.160.0/19 Yahoo
 209.191.64.0/18 Yahoo
+212.82.100.0/22 Yahoo
 216.115.96.0/20 Yahoo
 
 # Google
@@ -570,6 +647,18 @@
 8.35.192.0/20 Google
 23.236.48.0/20 Google
 23.251.128.0/19 Google
+34.4.16.0/20 Google
+34.4.64.0/18 Google
+34.4.6.0/23 Google
+34.16.0.0/12 Google
+34.32.0.0/11 Google
+34.4.128.0/17 Google
+34.8.0.0/13 Google
+34.4.8.0/21 Google
+34.5.0.0/16 Google
+34.6.0.0/15 Google
+34.4.32.0/19 Google
+34.4.5.0/24 Google
 34.64.0.0/10 Google
 34.128.0.0/10 Google
 35.184.0.0/13 Google
@@ -1820,6 +1909,7 @@
 34.192.0.0/12 Amazon
 34.208.0.0/12 Amazon
 34.224.0.0/12 Amazon
+34.225.127.72/10 Amazon
 34.240.0.0/13 Amazon
 34.248.0.0/13 Amazon
 35.71.64.0/22 Amazon
@@ -3368,7 +3458,7 @@
 54.93.0.0/16 Amazon
 54.94.0.0/16 Amazon
 54.95.0.0/16 Amazon
-54.144.0.0/14 Amazon
+54.144.0.0/12 Amazon
 54.148.0.0/15 Amazon
 54.150.0.0/16 Amazon
 54.151.0.0/17 Amazon
@@ -3379,7 +3469,7 @@
 54.154.0.0/16 Amazon
 54.155.0.0/16 Amazon
 54.156.0.0/14 Amazon
-54.160.0.0/13 Amazon
+54.160.0.0/11 Amazon
 54.168.0.0/16 Amazon
 54.169.0.0/16 Amazon
 54.170.0.0/15 Amazon
@@ -3392,7 +3482,7 @@
 54.182.0.0/16 Amazon
 54.183.0.0/16 Amazon
 54.184.0.0/13 Amazon
-54.192.0.0/16 Amazon
+54.192.0.0/12 Amazon
 54.193.0.0/16 Amazon
 54.194.0.0/15 Amazon
 54.196.0.0/15 Amazon
@@ -3403,12 +3493,12 @@
 54.204.0.0/15 Amazon
 54.206.0.0/16 Amazon
 54.207.0.0/16 Amazon
-54.208.0.0/15 Amazon
+54.208.0.0/13 Amazon
 54.210.0.0/15 Amazon
 54.212.0.0/15 Amazon
 54.214.0.0/16 Amazon
 54.215.0.0/16 Amazon
-54.216.0.0/15 Amazon
+54.216.0.0/14 Amazon
 54.218.0.0/16 Amazon
 54.219.0.0/16 Amazon
 54.220.0.0/16 Amazon
@@ -3668,6 +3758,10 @@
 72.21.192.0/19 Amazon
 72.41.0.0/20 Amazon
 72.44.32.0/19 Amazon
+74.127.0.0/18 Amazon
+74.190.0.0/16 Amazon
+74.230.0.0/16 Amazon
+74.250.0.0/16 Amazon
 75.2.0.0/17 Amazon
 75.101.128.0/17 Amazon
 76.223.0.0/17 Amazon
@@ -5649,3 +5743,374 @@
 64.120.69.0/24 Leaseweb
 69.147.236.0/24 Leaseweb
 70.32.34.0/24 Leaseweb
+
+
+
+# GoDaddy
+103.1.172.0/22 GoDaddy
+103.1.172.0/24 GoDaddy
+103.1.174.0/24 GoDaddy
+103.1.175.0/24 GoDaddy
+104.238.64.0/18 GoDaddy
+104.238.64.0/19 GoDaddy
+104.238.64.0/22 GoDaddy
+104.238.64.0/24 GoDaddy
+107.180.0.0/17 GoDaddy
+107.180.0.0/18 GoDaddy
+107.180.100.0/22 GoDaddy
+107.180.104.0/22 GoDaddy
+107.180.108.0/22 GoDaddy
+107.180.120.0/22 GoDaddy
+107.180.64.0/19 GoDaddy
+118.139.160.0/19 GoDaddy
+118.139.160.0/21 GoDaddy
+132.148.0.0/16 GoDaddy
+132.148.16.0/20 GoDaddy
+132.148.16.0/22 GoDaddy
+132.148.164.0/22 GoDaddy
+132.148.184.0/21 GoDaddy
+132.148.192.0/20 GoDaddy
+132.148.20.0/22 GoDaddy
+132.148.24.0/22 GoDaddy
+132.148.32.0/21 GoDaddy
+148.66.128.0/19 GoDaddy
+148.66.128.0/22 GoDaddy
+148.66.136.0/22 GoDaddy
+148.66.140.0/22 GoDaddy
+148.66.144.0/21 GoDaddy
+148.72.0.0/17 GoDaddy
+148.72.16.0/22 GoDaddy
+148.72.204.0/22 GoDaddy
+148.72.204.0/24 GoDaddy
+148.72.206.0/23 GoDaddy
+148.72.208.0/21 GoDaddy
+148.72.220.0/22 GoDaddy
+148.72.224.0/19 GoDaddy
+148.72.224.0/20 GoDaddy
+148.72.240.0/22 GoDaddy
+148.72.244.0/22 GoDaddy
+148.72.32.0/21 GoDaddy
+148.72.32.0/23 GoDaddy
+148.72.34.0/24 GoDaddy
+148.72.36.0/24 GoDaddy
+148.72.4.0/22 GoDaddy
+148.72.44.0/22 GoDaddy
+148.72.88.0/22 GoDaddy
+160.153.32.0/19 GoDaddy
+160.153.64.0/18 GoDaddy
+160.153.64.0/19 GoDaddy
+160.153.96.0/19 GoDaddy
+166.62.0.0/19 GoDaddy
+166.62.0.0/22 GoDaddy
+166.62.0.0/24 GoDaddy
+166.62.100.0/22 GoDaddy
+166.62.10.0/23 GoDaddy
+166.62.1.0/24 GoDaddy
+166.62.112.0/20 GoDaddy
+166.62.116.0/22 GoDaddy
+166.62.120.0/22 GoDaddy
+166.62.12.0/22 GoDaddy
+166.62.12.0/24 GoDaddy
+166.62.13.0/24 GoDaddy
+166.62.15.0/24 GoDaddy
+166.62.16.0/22 GoDaddy
+166.62.17.0/24 GoDaddy
+166.62.20.0/22 GoDaddy
+166.62.2.0/24 GoDaddy
+166.62.23.0/24 GoDaddy
+166.62.24.0/22 GoDaddy
+166.62.24.0/24 GoDaddy
+166.62.25.0/24 GoDaddy
+166.62.26.0/23 GoDaddy
+166.62.28.0/22 GoDaddy
+166.62.3.0/24 GoDaddy
+166.62.32.0/19 GoDaddy
+166.62.32.0/22 GoDaddy
+166.62.36.0/22 GoDaddy
+166.62.40.0/22 GoDaddy
+166.62.4.0/22 GoDaddy
+166.62.4.0/24 GoDaddy
+166.62.44.0/22 GoDaddy
+166.62.5.0/24 GoDaddy
+166.62.52.0/22 GoDaddy
+166.62.56.0/22 GoDaddy
+166.62.60.0/22 GoDaddy
+166.62.6.0/23 GoDaddy
+166.62.64.0/18 GoDaddy
+166.62.64.0/19 GoDaddy
+166.62.80.0/22 GoDaddy
+166.62.8.0/22 GoDaddy
+166.62.8.0/24 GoDaddy
+166.62.84.0/22 GoDaddy
+166.62.88.0/22 GoDaddy
+166.62.9.0/24 GoDaddy
+
+# IBM cloud service
+# https://cloud.ibm.com/docs/cloud-infrastructure?topic=cloud-infrastructure-ibm-cloud-ip-ranges
+# last update Aug 2023
+159.8.198.0/23 IBM
+169.38.118.0/23 IBM
+173.192.118.0/23 IBM
+192.255.18.0/24 IBM
+198.23.118.0/23 IBM
+169.46.118.0/23 IBM
+169.47.118.0/23 IBM
+169.48.118.0/24 IBM
+159.122.118.0/23 IBM
+161.156.118.0/24 IBM
+149.81.118.0/23 IBM
+5.10.118.0/23 IBM
+158.175.127.0/24 IBM
+141.125.118.0/23 IBM
+158.176.118.0/23 IBM
+159.122.138.0/23 IBM
+169.54.118.0/23 IBM
+163.68.118.0/24 IBM
+163.69.118.0/24 IBM
+163.73.118.0/24 IBM
+159.8.118.0/23 IBM
+169.57.138.0/23 IBM
+50.23.118.0/23 IBM
+169.45.118.0/23 IBM
+169.62.118.0/24 IBM
+174.133.118.0/23 IBM
+168.1.18.0/23 IBM
+130.198.118.0/23 IBM
+135.90.118.0/23 IBM
+161.202.118.0/23 IBM
+128.168.118.0/23 IBM
+165.192.118.0/23 IBM
+158.85.118.0/23 IBM
+163.74.118.0/23 IBM
+163.75.118.0/23 IBM
+208.43.118.0/23 IBM
+192.255.38.0/24 IBM
+169.55.118.0/23 IBM
+169.60.118.0/23 IBM
+169.61.118.0/23 IBM
+159.8.197.0/24 IBM
+169.38.117.0/24 IBM
+50.23.203.0/24 IBM
+108.168.157.0/24 IBM
+173.192.117.0/24 IBM
+192.155.205.0/24 IBM
+169.46.187.0/24 IBM
+198.23.117.0/24 IBM
+169.46.117.0/24 IBM
+169.47.117.0/24 IBM
+169.48.117.0/24 IBM
+159.122.117.0/24 IBM
+161.156.117.0/24 IBM
+149.81.117.0/24 IBM
+5.10.117.0/24 IBM
+158.175.117.0/24 IBM
+141.125.117.0/24 IBM
+158.176.117.0/24 IBM
+159.122.137.0/24 IBM
+169.54.117.0/24 IBM
+159.8.117.0/24 IBM
+169.57.137.0/24 IBM
+50.23.117.0/24 IBM
+169.45.117.0/24 IBM
+174.133.117.0/24 IBM
+168.1.17.0/24 IBM
+130.198.117.0/24 IBM
+135.90.117.0/24 IBM
+161.202.117.0/24 IBM
+128.168.117.0/24 IBM
+165.192.117.0/24 IBM
+158.85.117.0/24 IBM
+50.22.248.0/25 IBM
+169.54.27.0/24 IBM
+198.11.250.0/24 IBM
+208.43.117.0/24 IBM
+169.55.117.0/24 IBM
+169.60.117.0/24 IBM
+169.61.117.0/24 IBM
+12.96.160.0/24 IBM
+66.98.240.192/26 IBM
+67.18.139.0/24 IBM
+67.19.0.0/24 IBM
+70.84.160.0/24 IBM
+70.85.125.0/24 IBM
+75.125.126.8/32 IBM
+209.85.4.0/26 IBM
+216.12.193.9/32 IBM
+216.40.193.0/24 IBM
+216.234.234.0/24 IBM
+
+# Hetzner
+116.202.0.0/16 Hetzner
+116.203.0.0/16 Hetzner
+128.140.0.0/17 Hetzner
+135.181.0.0/16 Hetzner
+142.132.128.0/17 Hetzner
+157.90.0.0/16 Hetzner
+159.69.0.0/16 Hetzner
+162.55.0.0/16 Hetzner
+167.233.0.0/16 Hetzner
+167.235.0.0/16 Hetzner
+168.119.0.0/16 Hetzner
+176.9.0.0/16 Hetzner
+178.63.0.0/16 Hetzner
+188.34.128.0/17 Hetzner
+188.40.0.0/16 Hetzner
+195.201.0.0/16 Hetzner
+213.239.192.0/18 Hetzner
+23.88.0.0/17 Hetzner
+37.27.0.0/16 Hetzner
+46.4.0.0/16 Hetzner
+49.12.0.0/16 Hetzner
+49.13.0.0/16 Hetzner
+5.75.128.0/17 Hetzner
+5.9.0.0/16 Hetzner
+65.108.0.0/16 Hetzner
+65.109.0.0/16 Hetzner
+65.21.0.0/16 Hetzner
+78.46.0.0/15 Hetzner
+85.10.192.0/18 Hetzner
+88.198.0.0/16 Hetzner
+88.99.0.0/16 Hetzner
+91.107.128.0/17 Hetzner
+94.130.0.0/16 Hetzner
+95.216.0.0/16 Hetzner
+95.217.0.0/16 Hetzner
+
+# Liquid Web
+159.135.48.0/20 Liquid Web
+162.212.134.0/24 Liquid Web
+162.252.104.0/22 Liquid Web
+172.255.59.0/24 Liquid Web
+173.199.128.0/18 Liquid Web
+184.106.55.0/24 Liquid Web
+192.126.88.0/22 Liquid Web
+192.133.82.0/24 Liquid Web
+192.138.16.0/21 Liquid Web
+192.190.220.0/22 Liquid Web
+192.251.32.0/24 Liquid Web
+199.189.224.0/22 Liquid Web
+199.195.118.0/24 Liquid Web
+205.174.24.0/22 Liquid Web
+207.246.248.0/21 Liquid Web
+208.75.148.0/22 Liquid Web
+208.79.232.0/21 Liquid Web
+208.86.152.0/21 Liquid Web
+209.124.89.0/24 Liquid Web
+209.188.80.0/20 Liquid Web
+209.59.128.0/18 Liquid Web
+50.28.0.0/18 Liquid Web
+50.28.5.0/24 Liquid Web
+50.28.64.0/19 Liquid Web
+50.57.240.0/20 Liquid Web
+64.50.144.0/20 Liquid Web
+64.50.144.0/23 Liquid Web
+64.50.148.0/22 Liquid Web
+64.50.152.0/21 Liquid Web
+64.91.224.0/19 Liquid Web
+67.225.128.0/17 Liquid Web
+67.227.128.0/17 Liquid Web
+67.43.0.0/20 Liquid Web
+68.66.211.0/24 Liquid Web
+69.160.56.0/24 Liquid Web
+69.16.192.0/18 Liquid Web
+69.16.222.0/23 Liquid Web
+69.167.128.0/18 Liquid Web
+72.52.128.0/17 Liquid Web
+96.30.0.0/18 Liquid Web
+
+# OVH
+107.189.64.0/18 OVH
+135.125.0.0/17 OVH
+135.125.128.0/17 OVH
+135.148.0.0/17 OVH
+135.148.128.0/17 OVH
+137.74.0.0/16 OVH
+139.99.0.0/17 OVH
+139.99.128.0/17 OVH
+141.94.0.0/16 OVH
+141.95.0.0/17 OVH
+141.95.128.0/17 OVH
+142.4.192.0/19 OVH
+142.44.128.0/17 OVH
+144.217.0.0/16 OVH
+145.239.0.0/16 OVH
+146.59.0.0/16 OVH
+146.59.0.0/17 OVH
+147.135.0.0/17 OVH
+147.135.128.0/17 OVH
+148.113.0.0/18 OVH
+148.113.128.0/17 OVH
+149.202.0.0/16 OVH
+149.56.0.0/16 OVH
+151.80.0.0/16 OVH
+15.204.0.0/17 OVH
+15.204.128.0/17 OVH
+152.228.128.0/17 OVH
+15.235.0.0/17 OVH
+15.235.128.0/17 OVH
+158.69.0.0/16 OVH
+162.19.0.0/17 OVH
+162.19.128.0/17 OVH
+164.132.0.0/16 OVH
+167.114.0.0/17 OVH
+167.114.128.0/18 OVH
+167.114.192.0/19 OVH
+176.31.0.0/16 OVH
+178.32.0.0/15 OVH
+185.15.68.0/22 OVH
+185.45.160.0/22 OVH
+188.165.0.0/16 OVH
+192.240.152.0/21 OVH
+192.95.0.0/18 OVH
+192.99.0.0/16 OVH
+193.70.0.0/17 OVH
+198.100.144.0/20 OVH
+198.244.128.0/17 OVH
+198.245.48.0/20 OVH
+198.27.64.0/18 OVH
+198.27.92.0/24 OVH
+198.50.128.0/17 OVH
+213.186.32.0/19 OVH
+213.251.128.0/18 OVH
+213.32.0.0/17 OVH
+217.182.0.0/16 OVH
+23.92.224.0/19 OVH
+37.187.0.0/16 OVH
+37.59.0.0/16 OVH
+40.160.0.0/17 OVH
+46.105.0.0/16 OVH
+46.105.198.0/24 OVH
+46.105.199.0/24 OVH
+46.105.200.0/24 OVH
+46.105.201.0/24 OVH
+46.105.202.0/24 OVH
+46.105.203.0/24 OVH
+46.105.204.0/24 OVH
+46.105.206.0/24 OVH
+46.105.207.0/24 OVH
+46.244.32.0/20 OVH
+51.161.0.0/17 OVH
+51.161.128.0/17 OVH
+
+# Ionos
+74.208.0.0/16 Ionos
+
+# WPEngine
+141.193.213.0/24 WPEngine
+
+# Dreamhost
+208.113.128.0/17 Dreamhost
+
+# Shopify
+23.227.32.0/19 Shopify
+
+# Sucuri
+66.248.200.0/22 Sucuri
+185.93.228.0/22 Sucuri
+192.88.134.0/23 Sucuri
+192.124.249.0/24 Sucuri
+192.161.0.0/24 Sucuri
+
+# HostGator
+# Bluehost
+# Squarespace
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index ca7c61c8e..602f7218c 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1104,13 +1104,13 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pciconfig_write
           "pciconfig_write,"
 #endif
-#ifdef SYS_s390_mmio_read
-          "s390_mmio_read,"
+#ifdef SYS_s390_pci_mmio_read
+          "s390_pci_mmio_read,"
 #endif
-#ifdef SYS_s390_mmio_write
-          "s390_mmio_write"
+#ifdef SYS_s390_pci_mmio_write
+          "s390_pci_mmio_write"
 #endif
-#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_pci_mmio_read) && !defined(SYS_s390_pci_mmio_write)
           "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
 #endif
         },
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 19fc94ebd..06969e851 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -788,7 +788,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-dnstrace[=name|pid]
 Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -828,7 +827,6 @@ $ sudo firejail --dnstrace
 .br
 11:32:08  9.9.9.9        www.youtube.com (type 1)
 .br
-#endif
 
 .TP
 \fB\-\-env=name=value
@@ -930,7 +928,6 @@ $ firejail --ignore=seccomp --ignore=caps firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-icmptrace[=name|pid]
 Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -956,7 +953,6 @@ $ sudo firejail --icmptrace
 .br
 20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
 .br
-#endif
 
 .TP
 \fB\-\-\include=file.profile
@@ -1643,6 +1639,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+#endif
 .TP
 \fB\-\-nettrace[=name|pid]
 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -1658,17 +1655,15 @@ Example:
 .br
 $ sudo firejail --nettrace
 .br
-                        95 KB/s  geoip 457, IP database 4436
-.br
-   52 KB/s ***********           64.222.84.207:443 United States
+                       93 KB/s  address:port (protocol) network
 .br
-   33 KB/s *******               89.147.74.105:63930 Hungary
+  14 B/s  **                    104.24.8.4:443(QUIC) Cloudflare
 .br
-    0 B/s                        45.90.28.0:443 NextDNS
+  80 KB/s *****************     192.187.97.90:443(TLS) BitChute
 .br
-    0 B/s                        94.70.122.176:52309(UDP) Greece
+   1 B/s                        149.56.228.45:443(DoH) Canada
 .br
-  339 B/s                        104.26.7.35:443 Cloudflare
+(D)isplay, (S)ave, (C)lear, e(X)it
 .br
 
 .br
@@ -1677,7 +1672,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -2263,6 +2257,18 @@ All modifications are discarded when the sandbox is closed.
 Example:
 .br
 $ firejail --private-opt=firefox /opt/firefox/firefox
+.br
+
+.br
+Note: Program installations in /opt tend to be relatively large and private-opt
+copies the entire path(s) into RAM, which may significantly increase RAM usage
+and break \fBfile-copy-limit\fR in firejail.config.
+Therefore, in general it is recommended to use "whitelist /opt/PATH" instead of
+"private-opt PATH".
+For details, see
+.UR https://github.com/netblue30/firejail/discussions/5307
+#5307
+.UE
 
 .TP
 \fB\-\-private-srv=file,directory
@@ -2850,7 +2856,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-snitrace[=name|pid]
 Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
@@ -2892,7 +2897,6 @@ $ sudo firejail --snitrace
 .br
 07:53:11  192.0.73.2       1.gravatar.com
 .br
-#endif
 
 .TP
 \fB\-\-tab