13 files changed, 530 insertions, 39 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 7db4480b6..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -101,6 +101,7 @@ bitwarden
 bleachbit
 blender
 blender-2.8
+blender-3.6
 bless
 blobby
 blobwars
@@ -274,6 +275,7 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
+fluffychat
 font-manager
 fontforge
 fossamail
@@ -480,6 +482,7 @@ kwrite
 lbry-viewer
 leafpad
 #less # breaks man
+lettura
 librecad
 libreoffice
 librewolf
@@ -822,13 +825,16 @@ telegram
 telegram-desktop
 telnet
 terasology
+termshark
 tesseract
 textmaker18
 textmaker18free
 thunderbird
 thunderbird-beta
 thunderbird-wayland
+tidal-hifi
 tilp
+tiny-rdm
 tor-browser
 tor-browser-ar
 tor-browser-ca
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a4f727c0a..bb20a0da6 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -43,6 +43,16 @@ int appimage_find_profile(const char *archive) {
         assert(archive);
         assert(strlen(archive));
 
+        // extract the name of the appimage from a full path
+        // example: archive = /opt/kdenlive-20.12.2-x86_64.appimage
+        const char *arc = strrchr(archive, '/');
+        if (arc)
+                arc++;
+        else
+                arc = archive;
+        if (arg_debug)
+                printf("Looking for a %s profile\n", arc);
+
         // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
         FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
         if (!fp) {
@@ -56,7 +66,8 @@ int appimage_find_profile(const char *archive) {
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-                if (strcasestr(archive, buf)) {
+                char *found = strcasestr(arc, buf);
+                if (found == arc) {
                         fclose(fp);
                         return profile_find_firejail(buf, 1);
                 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 182f26e53..28fecfb98 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -281,6 +281,8 @@ void fs_blacklist(void) {
         if (!entry)
                 return;
 
+        timetrace_start();
+
         size_t noblacklist_c = 0;
         size_t noblacklist_m = 32;
         char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist));
@@ -463,6 +465,8 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
+
+        fmessage("Base filesystem installed in %0.2f ms\n", timetrace_end());
 }
 
 //***********************************************
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
 
         // file size
         char *sz;
-        if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+        if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
                 errExit("asprintf");
 
         // file name
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b0d5dac17..0c9c80137 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -420,7 +420,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("x11");
         }
 #endif
-#ifdef HAVE_NETWORK
         else if (strcmp(argv[i], "--nettrace") == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         if (getuid() != 0) {
@@ -524,8 +523,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
 
-
-
+#ifdef HAVE_NETWORK
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         logargs(argc, argv);
@@ -3217,13 +3215,18 @@ int main(int argc, char **argv, char **envp) {
 
                 gid_t g;
                 if (!arg_nogroups || !check_can_drop_all_groups()) {
-                        // add audio group
+                        // add audio groups
                         if (!arg_nosound) {
                                 g = get_group_id("audio");
                                 if (g) {
                                         sprintf(ptr, "%d %d 1\n", g, g);
                                         ptr += strlen(ptr);
                                 }
+                                g = get_group_id("pipewire");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
 
                         // add video group
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 6bc6230f0..fea842d93 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -47,6 +47,16 @@ static void init_paths(void) {
                 errExit("calloc");
         memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
+        // lots of distros set /bin as a symlink to /usr/bin;
+        // we remove /bin form the path to speed up path-based operations such as blacklist
+        int bin_symlink = 0;
+        p = realpath("/bin", NULL);
+        if (p) {
+                if (strcmp(p, "/usr/bin") == 0)
+                        bin_symlink = 1;
+        }
+        free(p);
+
         // fill in 'paths' with pointers to elements of 'path'
         unsigned int i = 0, j;
         unsigned int len;
@@ -62,6 +72,14 @@ static void init_paths(void) {
                 if (len == 0)
                         goto skip;
 
+                //deal with /bin - /usr/bin symlink
+                if (bin_symlink > 0) {
+                        if (strcmp(elt, "/bin") == 0 || strcmp(elt, "/usr/bin") == 0)
+                                bin_symlink++;
+                        if (bin_symlink == 3)
+                                goto skip;
+                }
+
                 // filter out duplicate entries
                 for (j = 0; j < i; j++)
                         if (strcmp(elt, paths[j]) == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bdaaed433..8cc5c1166 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -484,7 +484,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+        else if (strncmp(ptr, "dbus-user ", 10) == 0) {
 #ifdef HAVE_DBUSPROXY
                 ptr += 10;
                 if (strcmp("filter", ptr) == 0) {
@@ -551,7 +551,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 1;
         }
-        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+        else if (strncmp(ptr, "dbus-system ", 12) == 0) {
 #ifdef HAVE_DBUSPROXY
                 ptr += 12;
                 if (strcmp("filter", ptr) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 538f5be67..827be5d85 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -878,7 +878,8 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // appimage
         //****************************
-        appimage_mount();
+        if (arg_appimage)
+                appimage_mount();
 
         //****************************
         // private mode
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 970832b38..bd32181b5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -207,6 +207,8 @@ static void clean_supplementary_groups(gid_t gid) {
         if (!arg_nosound) {
                 copy_group_ifcont("audio", groups, ngroups,
                                   new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("pipewire", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
         }
 
         if (!arg_novideo) {
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 5a0b97e89..4db8e7478 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -308,6 +308,8 @@ static inline const char *common_port(uint16_t port) {
                         return "Tor";
                 else if (port == 9030)
                         return "Tor";
+                else if (port == 9040)
+                        return "Tor";
                 else if (port == 9050)
                         return "Tor";
                 else if (port == 9051)
@@ -506,16 +508,16 @@ static void print_stats(FILE *fp) {
 
         fprintf(fp, "\n\nIP map");
         if (fp == stdout)
-                ansi_faint("  - server-address network (packets)\n");
+                ansi_faint("  - network (packets)\n");
         else
-                fprintf(fp, "  - server-address network (packets)\n");
+                fprintf(fp, "  - network (packets)\n");
         radix_print(fp, 1);
 
         fprintf(fp, "\n\nEvents %d", ev_cnt);
         if (fp == stdout)
-                ansi_faint(" - time address:port data\n");
+                ansi_faint(" - time address data\n");
         else
-                fprintf(fp, " - time address:port data\n");
+                fprintf(fp, " - time address data\n");
         ev_print(fp);
 
 }
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index fa6c74b62..aeac58c6a 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -188,6 +188,7 @@
 104.244.40.0/21 Twitter
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
+129.144.0.0/12 Oracle
 129.134.0.0/16 Facebook
 140.82.112.0/20 GitHub
 143.55.64.0/20 GitHub
@@ -221,7 +222,6 @@
 185.125.188.0/22 Ubuntu One
 185.199.108.0/22 GitHub
 185.205.69.0/24 Tutanota
-185.238.113.0/24 Bitchute
 188.64.224.0/21 Twitter
 190.217.33.0/24 Steam
 192.0.64.0/18 Wordpress
@@ -253,7 +253,12 @@
 63.141.247.168/29 BitChute
 63.141.247.240/29 BitChute
 69.30.200.200/29 BitChute
+69.30.230.64/29 BitChute
+69.30.241.40/29 BitChute
 69.30.241.48/29 BitChute
+69.30.243.168/29 BitChute
+69.30.245.232/29 BitChute
+69.30.253.16/29 BitChute
 69.197.182.184/29 BitChute
 74.91.28.208/29 BitChute
 74.91.29.208/29 BitChute
@@ -263,27 +268,40 @@
 107.150.45.120/29 BitChute
 142.54.180.104/29 BitChute
 142.54.181.184/29 BitChute
+142.54.188.112/29 BitChute
 142.54.189.192/29 BitChute
 173.208.154.8/29 BitChute
 173.208.154.160/29 BitChute
+173.208.176.128/29 BitChute
 173.208.185.200/29 BitChute
+173.208.203.224/29 BitChute
 173.208.203.248/29 BitChute
 173.208.211.224/29 BitChute
 173.208.216.40/29 BitChute
 173.208.219.112/29 BitChute
 173.208.246.160/29 BitChute
+185.238.113.0/24 BitChute
+192.151.147.16/29 BitChute
 192.151.158.136/29 BitChute
 192.187.97.88/29 BitChute
 192.187.114.16/29 BitChute
 192.187.114.96/29 BitChute
+192.187.118.168/29 BitChute
+192.187.121.208/29 BitChute
 192.187.123.112/29 BitChute
 192.187.126.0/29 BitChute
 198.204.226.120/29 BitChute
 198.204.228.48/29 BitChute
+198.204.235.88/29 BitChute
+198.204.235.216/29 BitChute
 198.204.245.32/29 BitChute
 198.204.245.88/29 BitChute
 198.204.250.208/29 BitChute
+198.204.253.64/29 BitChute
+198.204.253.184/29 BitChute
 199.168.96.24/29 BitChute
+199.168.96.64/29 BitChute
+204.12.220.136/29 BitChute
 204.12.194.176/29 BitChute
 204.12.194.248/29 BitChute
 204.12.220.232/29 BitChute
@@ -292,6 +310,7 @@
 # WholeSale Internet
 69.30.192.0/18 WholeSale Internet
 69.197.128.0/18 WholeSale Internet
+142.54.160.0/19 WholeSale Internet
 173.208.128.0/17 WholeSale Internet
 204.12.192.0/18 WholeSale Internet
 208.67.0.0/21 WholeSale Internet
@@ -322,6 +341,7 @@
 66.243.0.0/17 Level 3
 66.243.128.0/18 Level 3
 66.251.192.0/19 Level 3
+74.202.0.0/15 Level 3
 205.128.0.0/14 Level 3
 205.180.0.0/14 Level 3
 205.184.0.0/19 Level 3
@@ -350,6 +370,7 @@
 69.16.173.0/24 StackPath
 69.16.174.0/23 StackPath
 69.16.176.0/20 StackPath
+74.209.128.0/20 StackPath
 151.139.0.0/16 StackPath
 205.185.194.0/23 StackPath
 205.185.196.0/23 StackPath
@@ -379,6 +400,7 @@
 45.79.0.0/16 Linode
 50.116.0.0/18 Linode
 66.175.208.0/20 Linode
+74.207.224.0/19 Linode
 103.29.68.0/22 Linode
 104.200.16.0/21 Linode
 104.200.24.0/22 Linode
@@ -486,6 +508,7 @@
 23.72.0.0/13 Akamai
 23.192.0.0/11 Akamai
 72.246.0.0/15 Akamai
+74.121.124.0/22 Akamai
 92.122.160.0/20 Akamai
 96.6.0.0/15 Akamai
 96.16.0.0/15 Akamai
@@ -559,6 +582,7 @@
 20.48.0.0/12 Microsoft
 20.128.0.0/16 Microsoft
 20.192.0.0/10 Microsoft
+23.96.0.0/13 Microsoft
 40.76.0.0/14 Microsoft
 40.96.0.0/12 Microsoft
 40.112.0.0/13 Microsoft
@@ -567,11 +591,38 @@
 40.80.0.0/12 Microsoft
 40.120.0.0/14 Microsoft
 40.125.0.0/17 Microsoft
+51.4.0.0/15 Microsoft
+51.8.0.0/16 Microsoft
+51.10.0.0/14 Microsoft
+51.51.0.0/16 Microsoft
+51.53.0.0/16 Microsoft
+51.103.0.0/16 Microsoft
+51.107.0.0/16 Microsoft
+51.116.0.0/16 Microsoft
+51.120.0.0/16 Microsoft
+51.124.0.0/16 Microsoft
+51.132.0.0/16 Microsoft
+51.136.0.0/16 Microsoft
+51.140.0.0/15 Microsoft
+52.96.0.0/12 Microsoft
+52.112.0.0/14 Microsoft
+52.120.0.0/14 Microsoft
+52.125.0.0/16 Microsoft
+52.126.0.0/15 Microsoft
+52.132.0.0/14 Microsoft
+52.136.0.0/13 Microsoft
 52.145.0.0/16 Microsoft
+52.146.0.0/15 Microsoft
 52.148.0.0/14 Microsoft
 52.152.0.0/13 Microsoft
-52.146.0.0/15 Microsoft
 52.160.0.0/11 Microsoft
+52.224.0.0/11 Microsoft
+74.160.0.0/14 Microsoft
+74.176.0.0/14 Microsoft
+74.224.0.0/14 Microsoft
+74.234.0.0/15 Microsoft
+74.240.0.0/14 Microsoft
+74.248.0.0/15 Microsoft
 168.61.0.0/16 Microsoft
 168.62.0.0/15 Microsoft
 
@@ -587,6 +638,7 @@
 206.190.32.0/19 Yahoo
 209.73.160.0/19 Yahoo
 209.191.64.0/18 Yahoo
+212.82.100.0/22 Yahoo
 216.115.96.0/20 Yahoo
 
 # Google
@@ -596,6 +648,18 @@
 8.35.192.0/20 Google
 23.236.48.0/20 Google
 23.251.128.0/19 Google
+34.4.16.0/20 Google
+34.4.64.0/18 Google
+34.4.6.0/23 Google
+34.16.0.0/12 Google
+34.32.0.0/11 Google
+34.4.128.0/17 Google
+34.8.0.0/13 Google
+34.4.8.0/21 Google
+34.5.0.0/16 Google
+34.6.0.0/15 Google
+34.4.32.0/19 Google
+34.4.5.0/24 Google
 34.64.0.0/10 Google
 34.128.0.0/10 Google
 35.184.0.0/13 Google
@@ -1846,6 +1910,7 @@
 34.192.0.0/12 Amazon
 34.208.0.0/12 Amazon
 34.224.0.0/12 Amazon
+34.225.127.72/10 Amazon
 34.240.0.0/13 Amazon
 34.248.0.0/13 Amazon
 35.71.64.0/22 Amazon
@@ -3394,7 +3459,7 @@
 54.93.0.0/16 Amazon
 54.94.0.0/16 Amazon
 54.95.0.0/16 Amazon
-54.144.0.0/14 Amazon
+54.144.0.0/12 Amazon
 54.148.0.0/15 Amazon
 54.150.0.0/16 Amazon
 54.151.0.0/17 Amazon
@@ -3405,7 +3470,7 @@
 54.154.0.0/16 Amazon
 54.155.0.0/16 Amazon
 54.156.0.0/14 Amazon
-54.160.0.0/13 Amazon
+54.160.0.0/11 Amazon
 54.168.0.0/16 Amazon
 54.169.0.0/16 Amazon
 54.170.0.0/15 Amazon
@@ -3418,7 +3483,7 @@
 54.182.0.0/16 Amazon
 54.183.0.0/16 Amazon
 54.184.0.0/13 Amazon
-54.192.0.0/16 Amazon
+54.192.0.0/12 Amazon
 54.193.0.0/16 Amazon
 54.194.0.0/15 Amazon
 54.196.0.0/15 Amazon
@@ -3429,12 +3494,12 @@
 54.204.0.0/15 Amazon
 54.206.0.0/16 Amazon
 54.207.0.0/16 Amazon
-54.208.0.0/15 Amazon
+54.208.0.0/13 Amazon
 54.210.0.0/15 Amazon
 54.212.0.0/15 Amazon
 54.214.0.0/16 Amazon
 54.215.0.0/16 Amazon
-54.216.0.0/15 Amazon
+54.216.0.0/14 Amazon
 54.218.0.0/16 Amazon
 54.219.0.0/16 Amazon
 54.220.0.0/16 Amazon
@@ -3694,6 +3759,10 @@
 72.21.192.0/19 Amazon
 72.41.0.0/20 Amazon
 72.44.32.0/19 Amazon
+74.127.0.0/18 Amazon
+74.190.0.0/16 Amazon
+74.230.0.0/16 Amazon
+74.250.0.0/16 Amazon
 75.2.0.0/17 Amazon
 75.101.128.0/17 Amazon
 76.223.0.0/17 Amazon
@@ -5675,3 +5744,374 @@
 64.120.69.0/24 Leaseweb
 69.147.236.0/24 Leaseweb
 70.32.34.0/24 Leaseweb
+
+
+
+# GoDaddy
+103.1.172.0/22 GoDaddy
+103.1.172.0/24 GoDaddy
+103.1.174.0/24 GoDaddy
+103.1.175.0/24 GoDaddy
+104.238.64.0/18 GoDaddy
+104.238.64.0/19 GoDaddy
+104.238.64.0/22 GoDaddy
+104.238.64.0/24 GoDaddy
+107.180.0.0/17 GoDaddy
+107.180.0.0/18 GoDaddy
+107.180.100.0/22 GoDaddy
+107.180.104.0/22 GoDaddy
+107.180.108.0/22 GoDaddy
+107.180.120.0/22 GoDaddy
+107.180.64.0/19 GoDaddy
+118.139.160.0/19 GoDaddy
+118.139.160.0/21 GoDaddy
+132.148.0.0/16 GoDaddy
+132.148.16.0/20 GoDaddy
+132.148.16.0/22 GoDaddy
+132.148.164.0/22 GoDaddy
+132.148.184.0/21 GoDaddy
+132.148.192.0/20 GoDaddy
+132.148.20.0/22 GoDaddy
+132.148.24.0/22 GoDaddy
+132.148.32.0/21 GoDaddy
+148.66.128.0/19 GoDaddy
+148.66.128.0/22 GoDaddy
+148.66.136.0/22 GoDaddy
+148.66.140.0/22 GoDaddy
+148.66.144.0/21 GoDaddy
+148.72.0.0/17 GoDaddy
+148.72.16.0/22 GoDaddy
+148.72.204.0/22 GoDaddy
+148.72.204.0/24 GoDaddy
+148.72.206.0/23 GoDaddy
+148.72.208.0/21 GoDaddy
+148.72.220.0/22 GoDaddy
+148.72.224.0/19 GoDaddy
+148.72.224.0/20 GoDaddy
+148.72.240.0/22 GoDaddy
+148.72.244.0/22 GoDaddy
+148.72.32.0/21 GoDaddy
+148.72.32.0/23 GoDaddy
+148.72.34.0/24 GoDaddy
+148.72.36.0/24 GoDaddy
+148.72.4.0/22 GoDaddy
+148.72.44.0/22 GoDaddy
+148.72.88.0/22 GoDaddy
+160.153.32.0/19 GoDaddy
+160.153.64.0/18 GoDaddy
+160.153.64.0/19 GoDaddy
+160.153.96.0/19 GoDaddy
+166.62.0.0/19 GoDaddy
+166.62.0.0/22 GoDaddy
+166.62.0.0/24 GoDaddy
+166.62.100.0/22 GoDaddy
+166.62.10.0/23 GoDaddy
+166.62.1.0/24 GoDaddy
+166.62.112.0/20 GoDaddy
+166.62.116.0/22 GoDaddy
+166.62.120.0/22 GoDaddy
+166.62.12.0/22 GoDaddy
+166.62.12.0/24 GoDaddy
+166.62.13.0/24 GoDaddy
+166.62.15.0/24 GoDaddy
+166.62.16.0/22 GoDaddy
+166.62.17.0/24 GoDaddy
+166.62.20.0/22 GoDaddy
+166.62.2.0/24 GoDaddy
+166.62.23.0/24 GoDaddy
+166.62.24.0/22 GoDaddy
+166.62.24.0/24 GoDaddy
+166.62.25.0/24 GoDaddy
+166.62.26.0/23 GoDaddy
+166.62.28.0/22 GoDaddy
+166.62.3.0/24 GoDaddy
+166.62.32.0/19 GoDaddy
+166.62.32.0/22 GoDaddy
+166.62.36.0/22 GoDaddy
+166.62.40.0/22 GoDaddy
+166.62.4.0/22 GoDaddy
+166.62.4.0/24 GoDaddy
+166.62.44.0/22 GoDaddy
+166.62.5.0/24 GoDaddy
+166.62.52.0/22 GoDaddy
+166.62.56.0/22 GoDaddy
+166.62.60.0/22 GoDaddy
+166.62.6.0/23 GoDaddy
+166.62.64.0/18 GoDaddy
+166.62.64.0/19 GoDaddy
+166.62.80.0/22 GoDaddy
+166.62.8.0/22 GoDaddy
+166.62.8.0/24 GoDaddy
+166.62.84.0/22 GoDaddy
+166.62.88.0/22 GoDaddy
+166.62.9.0/24 GoDaddy
+
+# IBM cloud service
+# https://cloud.ibm.com/docs/cloud-infrastructure?topic=cloud-infrastructure-ibm-cloud-ip-ranges
+# last update Aug 2023
+159.8.198.0/23 IBM
+169.38.118.0/23 IBM
+173.192.118.0/23 IBM
+192.255.18.0/24 IBM
+198.23.118.0/23 IBM
+169.46.118.0/23 IBM
+169.47.118.0/23 IBM
+169.48.118.0/24 IBM
+159.122.118.0/23 IBM
+161.156.118.0/24 IBM
+149.81.118.0/23 IBM
+5.10.118.0/23 IBM
+158.175.127.0/24 IBM
+141.125.118.0/23 IBM
+158.176.118.0/23 IBM
+159.122.138.0/23 IBM
+169.54.118.0/23 IBM
+163.68.118.0/24 IBM
+163.69.118.0/24 IBM
+163.73.118.0/24 IBM
+159.8.118.0/23 IBM
+169.57.138.0/23 IBM
+50.23.118.0/23 IBM
+169.45.118.0/23 IBM
+169.62.118.0/24 IBM
+174.133.118.0/23 IBM
+168.1.18.0/23 IBM
+130.198.118.0/23 IBM
+135.90.118.0/23 IBM
+161.202.118.0/23 IBM
+128.168.118.0/23 IBM
+165.192.118.0/23 IBM
+158.85.118.0/23 IBM
+163.74.118.0/23 IBM
+163.75.118.0/23 IBM
+208.43.118.0/23 IBM
+192.255.38.0/24 IBM
+169.55.118.0/23 IBM
+169.60.118.0/23 IBM
+169.61.118.0/23 IBM
+159.8.197.0/24 IBM
+169.38.117.0/24 IBM
+50.23.203.0/24 IBM
+108.168.157.0/24 IBM
+173.192.117.0/24 IBM
+192.155.205.0/24 IBM
+169.46.187.0/24 IBM
+198.23.117.0/24 IBM
+169.46.117.0/24 IBM
+169.47.117.0/24 IBM
+169.48.117.0/24 IBM
+159.122.117.0/24 IBM
+161.156.117.0/24 IBM
+149.81.117.0/24 IBM
+5.10.117.0/24 IBM
+158.175.117.0/24 IBM
+141.125.117.0/24 IBM
+158.176.117.0/24 IBM
+159.122.137.0/24 IBM
+169.54.117.0/24 IBM
+159.8.117.0/24 IBM
+169.57.137.0/24 IBM
+50.23.117.0/24 IBM
+169.45.117.0/24 IBM
+174.133.117.0/24 IBM
+168.1.17.0/24 IBM
+130.198.117.0/24 IBM
+135.90.117.0/24 IBM
+161.202.117.0/24 IBM
+128.168.117.0/24 IBM
+165.192.117.0/24 IBM
+158.85.117.0/24 IBM
+50.22.248.0/25 IBM
+169.54.27.0/24 IBM
+198.11.250.0/24 IBM
+208.43.117.0/24 IBM
+169.55.117.0/24 IBM
+169.60.117.0/24 IBM
+169.61.117.0/24 IBM
+12.96.160.0/24 IBM
+66.98.240.192/26 IBM
+67.18.139.0/24 IBM
+67.19.0.0/24 IBM
+70.84.160.0/24 IBM
+70.85.125.0/24 IBM
+75.125.126.8/32 IBM
+209.85.4.0/26 IBM
+216.12.193.9/32 IBM
+216.40.193.0/24 IBM
+216.234.234.0/24 IBM
+
+# Hetzner
+116.202.0.0/16 Hetzner
+116.203.0.0/16 Hetzner
+128.140.0.0/17 Hetzner
+135.181.0.0/16 Hetzner
+142.132.128.0/17 Hetzner
+157.90.0.0/16 Hetzner
+159.69.0.0/16 Hetzner
+162.55.0.0/16 Hetzner
+167.233.0.0/16 Hetzner
+167.235.0.0/16 Hetzner
+168.119.0.0/16 Hetzner
+176.9.0.0/16 Hetzner
+178.63.0.0/16 Hetzner
+188.34.128.0/17 Hetzner
+188.40.0.0/16 Hetzner
+195.201.0.0/16 Hetzner
+213.239.192.0/18 Hetzner
+23.88.0.0/17 Hetzner
+37.27.0.0/16 Hetzner
+46.4.0.0/16 Hetzner
+49.12.0.0/16 Hetzner
+49.13.0.0/16 Hetzner
+5.75.128.0/17 Hetzner
+5.9.0.0/16 Hetzner
+65.108.0.0/16 Hetzner
+65.109.0.0/16 Hetzner
+65.21.0.0/16 Hetzner
+78.46.0.0/15 Hetzner
+85.10.192.0/18 Hetzner
+88.198.0.0/16 Hetzner
+88.99.0.0/16 Hetzner
+91.107.128.0/17 Hetzner
+94.130.0.0/16 Hetzner
+95.216.0.0/16 Hetzner
+95.217.0.0/16 Hetzner
+
+# Liquid Web
+159.135.48.0/20 Liquid Web
+162.212.134.0/24 Liquid Web
+162.252.104.0/22 Liquid Web
+172.255.59.0/24 Liquid Web
+173.199.128.0/18 Liquid Web
+184.106.55.0/24 Liquid Web
+192.126.88.0/22 Liquid Web
+192.133.82.0/24 Liquid Web
+192.138.16.0/21 Liquid Web
+192.190.220.0/22 Liquid Web
+192.251.32.0/24 Liquid Web
+199.189.224.0/22 Liquid Web
+199.195.118.0/24 Liquid Web
+205.174.24.0/22 Liquid Web
+207.246.248.0/21 Liquid Web
+208.75.148.0/22 Liquid Web
+208.79.232.0/21 Liquid Web
+208.86.152.0/21 Liquid Web
+209.124.89.0/24 Liquid Web
+209.188.80.0/20 Liquid Web
+209.59.128.0/18 Liquid Web
+50.28.0.0/18 Liquid Web
+50.28.5.0/24 Liquid Web
+50.28.64.0/19 Liquid Web
+50.57.240.0/20 Liquid Web
+64.50.144.0/20 Liquid Web
+64.50.144.0/23 Liquid Web
+64.50.148.0/22 Liquid Web
+64.50.152.0/21 Liquid Web
+64.91.224.0/19 Liquid Web
+67.225.128.0/17 Liquid Web
+67.227.128.0/17 Liquid Web
+67.43.0.0/20 Liquid Web
+68.66.211.0/24 Liquid Web
+69.160.56.0/24 Liquid Web
+69.16.192.0/18 Liquid Web
+69.16.222.0/23 Liquid Web
+69.167.128.0/18 Liquid Web
+72.52.128.0/17 Liquid Web
+96.30.0.0/18 Liquid Web
+
+# OVH
+107.189.64.0/18 OVH
+135.125.0.0/17 OVH
+135.125.128.0/17 OVH
+135.148.0.0/17 OVH
+135.148.128.0/17 OVH
+137.74.0.0/16 OVH
+139.99.0.0/17 OVH
+139.99.128.0/17 OVH
+141.94.0.0/16 OVH
+141.95.0.0/17 OVH
+141.95.128.0/17 OVH
+142.4.192.0/19 OVH
+142.44.128.0/17 OVH
+144.217.0.0/16 OVH
+145.239.0.0/16 OVH
+146.59.0.0/16 OVH
+146.59.0.0/17 OVH
+147.135.0.0/17 OVH
+147.135.128.0/17 OVH
+148.113.0.0/18 OVH
+148.113.128.0/17 OVH
+149.202.0.0/16 OVH
+149.56.0.0/16 OVH
+151.80.0.0/16 OVH
+15.204.0.0/17 OVH
+15.204.128.0/17 OVH
+152.228.128.0/17 OVH
+15.235.0.0/17 OVH
+15.235.128.0/17 OVH
+158.69.0.0/16 OVH
+162.19.0.0/17 OVH
+162.19.128.0/17 OVH
+164.132.0.0/16 OVH
+167.114.0.0/17 OVH
+167.114.128.0/18 OVH
+167.114.192.0/19 OVH
+176.31.0.0/16 OVH
+178.32.0.0/15 OVH
+185.15.68.0/22 OVH
+185.45.160.0/22 OVH
+188.165.0.0/16 OVH
+192.240.152.0/21 OVH
+192.95.0.0/18 OVH
+192.99.0.0/16 OVH
+193.70.0.0/17 OVH
+198.100.144.0/20 OVH
+198.244.128.0/17 OVH
+198.245.48.0/20 OVH
+198.27.64.0/18 OVH
+198.27.92.0/24 OVH
+198.50.128.0/17 OVH
+213.186.32.0/19 OVH
+213.251.128.0/18 OVH
+213.32.0.0/17 OVH
+217.182.0.0/16 OVH
+23.92.224.0/19 OVH
+37.187.0.0/16 OVH
+37.59.0.0/16 OVH
+40.160.0.0/17 OVH
+46.105.0.0/16 OVH
+46.105.198.0/24 OVH
+46.105.199.0/24 OVH
+46.105.200.0/24 OVH
+46.105.201.0/24 OVH
+46.105.202.0/24 OVH
+46.105.203.0/24 OVH
+46.105.204.0/24 OVH
+46.105.206.0/24 OVH
+46.105.207.0/24 OVH
+46.244.32.0/20 OVH
+51.161.0.0/17 OVH
+51.161.128.0/17 OVH
+
+# Ionos
+74.208.0.0/16 Ionos
+
+# WPEngine
+141.193.213.0/24 WPEngine
+
+# Dreamhost
+208.113.128.0/17 Dreamhost
+
+# Shopify
+23.227.32.0/19 Shopify
+
+# Sucuri
+66.248.200.0/22 Sucuri
+185.93.228.0/22 Sucuri
+192.88.134.0/23 Sucuri
+192.124.249.0/24 Sucuri
+192.161.0.0/24 Sucuri
+
+# HostGator
+# Bluehost
+# Squarespace
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index ca7c61c8e..602f7218c 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1104,13 +1104,13 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pciconfig_write
           "pciconfig_write,"
 #endif
-#ifdef SYS_s390_mmio_read
-          "s390_mmio_read,"
+#ifdef SYS_s390_pci_mmio_read
+          "s390_pci_mmio_read,"
 #endif
-#ifdef SYS_s390_mmio_write
-          "s390_mmio_write"
+#ifdef SYS_s390_pci_mmio_write
+          "s390_pci_mmio_write"
 #endif
-#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_pci_mmio_read) && !defined(SYS_s390_pci_mmio_write)
           "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
 #endif
         },
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 19fc94ebd..06969e851 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -788,7 +788,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-dnstrace[=name|pid]
 Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -828,7 +827,6 @@ $ sudo firejail --dnstrace
 .br
 11:32:08  9.9.9.9        www.youtube.com (type 1)
 .br
-#endif
 
 .TP
 \fB\-\-env=name=value
@@ -930,7 +928,6 @@ $ firejail --ignore=seccomp --ignore=caps firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-icmptrace[=name|pid]
 Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -956,7 +953,6 @@ $ sudo firejail --icmptrace
 .br
 20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
 .br
-#endif
 
 .TP
 \fB\-\-\include=file.profile
@@ -1643,6 +1639,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+#endif
 .TP
 \fB\-\-nettrace[=name|pid]
 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -1658,17 +1655,15 @@ Example:
 .br
 $ sudo firejail --nettrace
 .br
-                        95 KB/s  geoip 457, IP database 4436
-.br
-   52 KB/s ***********           64.222.84.207:443 United States
+                       93 KB/s  address:port (protocol) network
 .br
-   33 KB/s *******               89.147.74.105:63930 Hungary
+  14 B/s  **                    104.24.8.4:443(QUIC) Cloudflare
 .br
-    0 B/s                        45.90.28.0:443 NextDNS
+  80 KB/s *****************     192.187.97.90:443(TLS) BitChute
 .br
-    0 B/s                        94.70.122.176:52309(UDP) Greece
+   1 B/s                        149.56.228.45:443(DoH) Canada
 .br
-  339 B/s                        104.26.7.35:443 Cloudflare
+(D)isplay, (S)ave, (C)lear, e(X)it
 .br
 
 .br
@@ -1677,7 +1672,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -2263,6 +2257,18 @@ All modifications are discarded when the sandbox is closed.
 Example:
 .br
 $ firejail --private-opt=firefox /opt/firefox/firefox
+.br
+
+.br
+Note: Program installations in /opt tend to be relatively large and private-opt
+copies the entire path(s) into RAM, which may significantly increase RAM usage
+and break \fBfile-copy-limit\fR in firejail.config.
+Therefore, in general it is recommended to use "whitelist /opt/PATH" instead of
+"private-opt PATH".
+For details, see
+.UR https://github.com/netblue30/firejail/discussions/5307
+#5307
+.UE
 
 .TP
 \fB\-\-private-srv=file,directory
@@ -2850,7 +2856,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-snitrace[=name|pid]
 Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
@@ -2892,7 +2897,6 @@ $ sudo firejail --snitrace
 .br
 07:53:11  192.0.73.2       1.gravatar.com
 .br
-#endif
 
 .TP
 \fB\-\-tab