R#33747 DUT reboot when configured multiple IPTV network

setting the lookup method to group_ip_src_ip_vid, to avoid reboot while using multiple IPTV network. Testing done: - by configuring multiple IPTV network, as tag on WAN and untagged on LAN. - by configuring network as untagged on both WAN and LAN. - by sending join and leave to upstream server on both the above scenarios. Change-Id: I806363ccde7336548d2321c2f247f709de379245
map-agent: 6.5.0.5
2025-12-25 03:24:14 +08:00 · 2025-11-27 11:09:53 +00:00 · 2025-11-27 12:03:22 +01:00 · 2025-11-27 14:28:45 +05:30 · 2025-11-27 14:21:59 +05:30 · 2025-11-27 09:32:02 +01:00
136 changed files with 3186 additions and 2496 deletions
--- a/bbfdm/Makefile
+++ b/bbfdm/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=bbfdm
-PKG_VERSION:=1.18.2
+PKG_VERSION:=1.18.14

 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=786863cf0ef48dd70610598cdf8e2bbc0462a504
+PKG_SOURCE_VERSION:=a0347e59b69d8e0b20d6c26b7ddb02450813545d
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/bbfdm/files/etc/bbfdm/critical_services.json
+++ b/bbfdm/files/etc/bbfdm/critical_services.json
@@ -10,10 +10,8 @@
 			"/etc/bbfdm/dmmap/PPP",
 			"/etc/bbfdm/dmmap/Routing",
 			"/etc/config/dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_client",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_relay",
-			"/etc/bbfdm/dmmap/dmmap_dhcpv6",
+			"/etc/bbfdm/dmmap/DHCPv4",
+			"/etc/bbfdm/dmmap/DHCPv6",
 			"/etc/config/time",
 			"/etc/bbfdm/dmmap/dmmap_time",
 			"/etc/config/mapcontroller",
@@ -36,10 +34,8 @@
 			"/etc/bbfdm/dmmap/PPP",
 			"/etc/bbfdm/dmmap/Routing",
 			"/etc/config/dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_client",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_relay",
-			"/etc/bbfdm/dmmap/dmmap_dhcpv6",
+			"/etc/bbfdm/dmmap/DHCPv4",
+			"/etc/bbfdm/dmmap/DHCPv6",
 			"/etc/config/mapcontroller",
 			"/etc/config/wireless",
 			"/etc/bbfdm/dmmap/WiFi",
--- a/bridgemngr/Config.in
+++ b/bridgemngr/Config.in
@@ -5,6 +5,12 @@ config BRIDGEMNGR_BRIDGE_VLAN
 	help
 	   Set this option to use bridge-vlan as backend for VLAN objects.

+config BRIDGEMNGR_COPY_PBITS
+	bool "Copy pbits from cvlan to svlan"
+	default y
+	help
+	   Set this option to copy cvlan pbits to svlan pbits by default (driver vlan).
+
 config BRIDGEMNGR_BRIDGE_VENDOR_EXT
 	bool "Use bridge BBF vendor extensions"
 	default y
--- a/bridgemngr/Makefile
+++ b/bridgemngr/Makefile
@@ -5,14 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=bridgemngr
-PKG_VERSION:=1.1.1
+PKG_VERSION:=1.1.6

-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr
-PKG_SOURCE_VERSION:=b6a657e1c83b49f09323b4012ef229c604b82854
+PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr.git
+PKG_SOURCE_VERSION:=882f8c8cc9a97372297d192cc916c4f8ffe7c25a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -52,6 +51,10 @@ ifeq ($(CONFIG_BRIDGEMNGR_BRIDGE_VLAN),y)
 	TARGET_CFLAGS += -DBRIDGE_VLAN_BACKEND
 endif

+ifeq ($(CONFIG_BRIDGEMNGR_COPY_PBITS),y)
+	TARGET_CFLAGS+=-DBRIDGEMNGR_COPY_PBITS
+endif
+
 define Package/bridgemngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/config
--- a/bulkdata/Makefile
+++ b/bulkdata/Makefile
@@ -7,13 +7,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=bulkdata
-PKG_VERSION:=2.1.20
+PKG_VERSION:=2.1.23

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bulkdata.git
-PKG_SOURCE_VERSION:=a5e57962938ca143ede65d92be90b6e9fce66e15
+PKG_SOURCE_VERSION:=f54550f2d587a701c0a8d5cac4a0910a99ce92cf
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/decollector/Config.in
+++ b/decollector/Config.in
@@ -4,4 +4,16 @@ config DECOLLECTOR_EASYMESH_VERSION
 	int "Support Easymesh version"
 	default 6

+config DECOLLECTOR_BUILD_TR181_PLUGIN
+	bool "Build TR-181 mapping module (responsible for Device.WiFi.DataElements.)"
+	default y
+
+config DECOLLECTOR_VENDOR_EXTENSIONS
+	bool "Iopsys vendor extensions for Device.WiFi.DataElements."
+	default y
+
+config DECOLLECTOR_VENDOR_PREFIX
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
+
 endmenu
--- a/decollector/Makefile
+++ b/decollector/Makefile
@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=decollector
-PKG_VERSION:=6.2.1.12
+PKG_VERSION:=6.2.3.4

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=ce738316065e4608811312f0a254d1fee22fa343
+PKG_SOURCE_VERSION:=aa09f90ca39101a0a33ec9c61993a944671e0724
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -24,6 +24,7 @@ PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

 include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/iopsys/bbfdm/bbfdm.mk

 define Package/decollector
  SECTION:=utils
@@ -66,6 +67,18 @@ MAKE_PATH:=src

 TARGET_CFLAGS += -DEASYMESH_VERSION=$(CONFIG_DECOLLECTOR_EASYMESH_VERSION)

+ifeq ($(CONFIG_DECOLLECTOR_BUILD_TR181_PLUGIN),y)
+MAKE_FLAGS += DECOLLECTOR_BUILD_TR181_PLUGIN=y
+ifeq ($(CONFIG_DECOLLECTOR_VENDOR_EXTENSIONS),y)
+TARGET_CFLAGS += -DDECOLLECTOR_VENDOR_EXTENSIONS
+ifeq ($(CONFIG_DECOLLECTOR_VENDOR_PREFIX),"")
+TARGET_CFLAGS += -DCUSTOM_PREFIX=\\\"$(CONFIG_BBF_VENDOR_PREFIX)\\\"
+else
+TARGET_CFLAGS += -DCUSTOM_PREFIX=\\\"$(CONFIG_DECOLLECTOR_VENDOR_PREFIX)\\\"
+endif
+endif
+endif
+
 EXECS := \
 	$(if $(CONFIG_PACKAGE_decollector),decollector)

@@ -76,6 +89,7 @@ define Package/decollector/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/decollector.init $(1)/etc/init.d/decollector
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/decollector $(1)/usr/sbin/
+	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 endef

 $(eval $(call BuildPackage,decollector))
--- a/decollector/bbfdm_service.json
+++ b/decollector/bbfdm_service.json
@@ -0,0 +1,26 @@
+{
+  "daemon": {
+    "enable": "1",
+    "service_name": "decollector",
+    "unified_daemon": true,
+    "services": [
+      {
+        "parent_dm": "Device.WiFi.",
+        "object": "DataElements"
+      }
+    ],
+    "config": {
+      "loglevel": "3"
+    },
+    "apply_handler": {
+      "uci": [
+        {
+          "file": [
+            "mapcontroller"
+          ],
+          "external_handler": "/etc/wifidmd/bbf_config_reload.sh"
+        }
+      ]
+    }
+  }
+}
--- a/dectmngr/Makefile
+++ b/dectmngr/Makefile
@@ -2,13 +2,13 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=dectmngr
 PKG_RELEASE:=3
-PKG_VERSION:=3.7.11
+PKG_VERSION:=3.7.13

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/dectmngr.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=815ee44808169b8e1efa2cac44bd7d238ad33cdc
+PKG_SOURCE_VERSION:=5c2720563b3ed889e9d4de6fdb9b0f6a9d584094
 PKG_MIRROR_HASH:=skip
 endif

--- a/dhcpmngr/Makefile
+++ b/dhcpmngr/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dhcpmngr
-PKG_VERSION:=1.0.6
+PKG_VERSION:=1.1.3

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dhcpmngr.git
-PKG_SOURCE_VERSION:=986f66608959f4f589009d580b046e250d8c620d
+PKG_SOURCE_VERSION:=5c10fc1228c7e62f18315df57460dd8a876964e3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/dmcli-plugins/Makefile
+++ b/dmcli-plugins/Makefile
@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2023 Genexis Netherlands B.V. All rights reserved.
+# This Software and its content are protected by the Dutch Copyright Act
+# ('Auteurswet'). All and any copying and distribution of the software
+# and its content without authorization by Genexis Netherlands B.V. is
+# prohibited. The prohibition includes every form of reproduction and
+# distribution.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmcli-plugins
+PKG_LICENSE:=PROPRIETARY GENEXIS
+PKG_VERSION:=2.2.6
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/dmcli-plugin-easydm.git
+PKG_SOURCE_VERSION:=bc8b8527e8a41bdba73cb277a3c6c3b42b045153
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
+PKG_MIRROR_HASH:=skip
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dmcli-plugins
+  SECTION:=tools
+  CATEGORY:=Genexis
+  TITLE:=Easy-to-use data model on top of TR181
+  URL:=http://genexis.eu
+  DEPENDS:=+dmcli
+endef
+
+define Package/dmcli-plugins/description
+  EasyDM offers a user-friendly approach to configuring TR-181
+  simplifying the process with its intuitive interface.
+endef
+
+define Build/Compile
+	true
+endef
+
+define Package/dmcli-plugins/install
+	$(INSTALL_DIR) $(1)/usr/lib/dmcli/plugins
+	$(CP) $(PKG_BUILD_DIR)/src/*.js $(1)/usr/lib/dmcli/plugins/
+endef
+
+$(eval $(call BuildPackage,dmcli-plugins))
--- a/dmcli/Config.in
+++ b/dmcli/Config.in
@@ -0,0 +1,9 @@
+if PACKAGE_dmcli
+
+config DMCLI_REMOTE_CONNECTION
+        bool "Add dmcli remote controller configuration"
+        default n
+        help
+                This adds a usp controller configuration for dmcli remote connection from different machine/laptop/server.
+
+endif
--- a/dmcli/Makefile
+++ b/dmcli/Makefile
@@ -0,0 +1,75 @@
+#
+# Copyright (c) 2021 Genexis Netherlands B.V. All rights reserved.
+# This Software and its content are protected by the Dutch Copyright Act
+# ('Auteurswet'). All and any copying and distribution of the software
+# and its content without authorization by Genexis Netherlands B.V. is
+# prohibited. The prohibition includes every form of reproduction and
+# distribution.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmcli
+PKG_LICENSE:=PROPRIETARY GENEXIS
+PKG_VERSION:=1.9.4
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/dmcli.git
+PKG_SOURCE_VERSION:=6171e208611ba4ea1abdab2b70a8fa30f55476ca
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
+PKG_MIRROR_HASH:=skip
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dmcli
+  SECTION:=tools
+  CATEGORY:=Genexis
+  TITLE:=DMCLI (datamodel-based CLI)
+  URL:=http://genexis.eu
+  DEPENDS:=+usp-js +DMCLI_REMOTE_CONNECTION:mosquitto-auth-plugin +shadow-utils +@BUSYBOX_CONFIG_ADDUSER
+endef
+
+define Package/dmcli/description
+  CLI to view and configure datamodels of CPE
+endef
+
+define Package/dmcli/conffiles
+/etc/dmcli/dmcli.conf
+endef
+
+define Package/dmcli/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/dmcli/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dmcli $(1)/usr/bin/
+
+	$(INSTALL_DIR) $(1)/usr/lib/dmcli
+	$(CP) $(PKG_BUILD_DIR)/common $(1)/usr/lib/dmcli/
+	mv $(1)/usr/lib/dmcli/common/os_qjs.js $(1)/usr/lib/dmcli/common/os.js
+	rm $(1)/usr/lib/dmcli/common/os_node.js
+	$(CP) $(PKG_BUILD_DIR)/core $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/cli $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/data $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/plugins $(1)/usr/lib/dmcli/
+
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_DMCLI_REMOTE_CONNECTION),y)
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli-remote $(1)/etc/uci-defaults/
+else
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli-remote-remove $(1)/etc/uci-defaults/
+endif
+
+	$(INSTALL_DIR) $(1)/etc/dmcli
+	$(CP) ./files/etc/dmcli/dmcli.acl $(1)/etc/dmcli/
+	$(CP) ./files/etc/dmcli/dmcli.conf $(1)/etc/dmcli/
+
+	$(INSTALL_DIR) $(1)/etc/users/roles/
+	$(INSTALL_DATA) ./files/etc/users/roles/operator.json $(1)/etc/users/roles/
+endef
+
+$(eval $(call BuildPackage,dmcli))
--- a/dmcli/files/etc/dmcli/dmcli.acl
+++ b/dmcli/files/etc/dmcli/dmcli.acl
@@ -0,0 +1,4 @@
+user operator
+topic read /usp/operator/controller/reply-to
+topic read /usp/operator/controller
+topic write /usp/operator/endpoint
--- a/dmcli/files/etc/dmcli/dmcli.conf
+++ b/dmcli/files/etc/dmcli/dmcli.conf
@@ -0,0 +1,45 @@
+{
+   "Settings": {
+      "USP": {
+         "ActiveConnectionProfile": "local",
+         "ConnectionProfile": [
+            {
+               "Name": "local",
+               "Host": "127.0.0.1",
+               "Port": 9002,
+               "Username": "operator",
+               "Protocol": "ws",
+               "FromId": "oui:000F94:device-controller-operator",
+               "PublishEndpoint": "/usp/operator/endpoint",
+               "SubscribeEndpoint": "/usp/operator/controller"
+            }
+         ],
+         "Session": {
+            "AutoStart": false
+         },
+         "Notification": {
+            "LogTo": "console",
+            "Format": "brief",
+            "LogFile": "usp-notification.log"
+         }
+      },
+      "CLI": {
+         "Home": "/",
+         "Color": "true",
+         "Mode": "Command",
+         "ShowCommandTime": false,
+         "SortDMTree": false
+      },
+      "Prompt": {
+         "Auto": true,
+         "Color": "default",
+         "SelectedBackgroundColor": "yellow",
+         "PageSize": "3",
+         "AutoPromptOnEmptyCommand": false,
+         "AutoPromptInstanceNumbers": false
+      },
+      "Log": {
+         "Level": "Error"
+      }
+   }
+}
--- a/dmcli/files/etc/uci-defaults/36-dmcli
+++ b/dmcli/files/etc/uci-defaults/36-dmcli
@@ -0,0 +1,120 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /lib/functions/iopsys-environment.sh
+. /usr/share/libubox/jshn.sh
+
+DMCLI_CONF="/etc/dmcli/dmcli.conf"
+CONTROLLER_ID='oui:000F94:device-controller-operator'
+DMCLI_RESP_TOPIC="/usp/operator/endpoint"
+DMCLI_CTRL_TOPIC="/usp/operator/controller"
+DMCLI_PORT="9002"
+
+grep -q "^operator:" /etc/passwd || {
+	adduser -g 'Operator' -D -H -s /usr/bin/dmcli --home '/usr/lib/dmcli' 'operator'
+	hash=""
+	if type get_operator_password_hash > /dev/null 2>&1; then
+		hash=$(get_operator_password_hash)
+	fi
+	if [ -z "$hash" ]; then
+		hash='$6$zP4Wk/VQJOLwwofC$teuhnYFQBcA8YUZo/Q0quDMi4SsOHmfBcyvt5VNchPnzgwF1nfNNliC3yBVW22NwmwttPEWeBEBfnMTBB0rYs/'
+	fi
+	echo "operator:${hash}" | chpasswd -e
+}
+
+grep -q "^/usr/bin/dmcli$" /etc/shells || {
+	echo '/usr/bin/dmcli' >> /etc/shells
+}
+
+uci -q del_list sshd.@sshd[0].AllowUsers='operator'
+uci -q add_list sshd.@sshd[0].AllowUsers='operator'
+
+uci -q delete users.operator
+uci -q set users.operator=user
+uci -q set users.operator.enabled=1
+uci -q set users.operator.shell='dmcli'
+uci -q set users.operator.member_roles='operator'
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_add mosquitto listener dmcli_local
+	uci_set mosquitto dmcli_local enabled 1
+	uci_set mosquitto dmcli_local port "${DMCLI_PORT}"
+	uci_set mosquitto dmcli_local protocol 'websockets'
+	uci_set mosquitto dmcli_local acl_file '/etc/dmcli/dmcli.acl'
+	uci_set mosquitto dmcli_local no_remote_access '1'
+	uci_set mosquitto dmcli_local allow_anonymous '1'
+fi
+
+if [ -f "/etc/config/obuspa" ]; then
+	uci_add obuspa mqtt mqtt_operator
+	uci_set obuspa mqtt_operator BrokerAddress '127.0.0.1'
+	uci_set obuspa mqtt_operator BrokerPort '1883'
+	uci_set obuspa mqtt_operator TransportProtocol 'TCP/IP'
+
+	uci_add obuspa mtp mtp_operator
+	uci_set obuspa mtp_operator Protocol 'MQTT'
+	uci_set obuspa mtp_operator ResponseTopicConfigured "${DMCLI_RESP_TOPIC}"
+	uci_set obuspa mtp_operator mqtt 'mqtt_operator'
+
+	uci_add obuspa controller controller_operator
+	uci_set obuspa controller_operator EndpointID "${CONTROLLER_ID}"
+	uci_set obuspa controller_operator Protocol 'MQTT'
+	uci_set obuspa controller_operator Topic "${DMCLI_CTRL_TOPIC}"
+	uci_set obuspa controller_operator mqtt 'mqtt_operator'
+	uci_set obuspa controller_operator assigned_role_name 'operator'
+fi
+
+_get_endpoint_id() {
+	local id serial oui
+
+	id="$(uci -q get obuspa.localagent.EndpointID)"
+	if [ -n "${id}" ]; then
+		echo "${id}"
+		return 0
+	fi
+
+	serial="$(db -q get device.deviceinfo.SerialNumber)"
+	oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
+
+	echo "os::${oui}-${serial//+/%2B}"
+}
+
+update_dmcli_conf() {
+	local endpointid confTmpFile
+	local port fromid publish subscribe toid
+
+	if [ -f "${DMCLI_CONF}" ]; then
+		endpointid="$(_get_endpoint_id)"
+		json_load_file "${DMCLI_CONF}" || return
+		json_select "Settings" || return
+			json_select "USP" || return
+				json_select "ConnectionProfile" || return
+					json_select "1" || return
+						json_get_var port "Port"
+						json_get_var fromid "FromId"
+						json_get_var publish "PublishEndpoint"
+						json_get_var subscribe "SubscribeEndpoint"
+						json_get_var toid "ToId"
+
+						json_add_int "Port" "${DMCLI_PORT}"
+						json_add_string "FromId" "${CONTROLLER_ID}"
+						json_add_string "PublishEndpoint" "${DMCLI_RESP_TOPIC}"
+						json_add_string "SubscribeEndpoint" "${DMCLI_CTRL_TOPIC}"
+						json_add_string "ToId" "${endpointid}"
+					json_select ..
+				json_select ..
+			json_select ..
+		json_select ..
+
+		if [ "${port}" != "${DMCLI_PORT}" ] || [ "${fromid}" != "${CONTROLLER_ID}" ] || \
+			[ "${publish}" != "${DMCLI_RESP_TOPIC}" ] || [ "${subscribe}" != "${DMCLI_CTRL_TOPIC}" ] || \
+			[ "${toid}" != "${endpointid}" ]; then
+			confTmpFile="$(mktemp -u -p "$(dirname "$DMCLI_CONF")" "$(basename "$DMCLI_CONF").XXXXXXX")"
+			json_pretty
+			json_dump > "${confTmpFile}" || return
+			mv -f "${confTmpFile}" "${DMCLI_CONF}" || return
+		fi
+	fi
+}
+
+update_dmcli_conf || exit
--- a/dmcli/files/etc/uci-defaults/36-dmcli-remote
+++ b/dmcli/files/etc/uci-defaults/36-dmcli-remote
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_add mosquitto listener dmcli
+	uci_set mosquitto dmcli enabled 1
+	uci_set mosquitto dmcli port '9003'
+	uci_set mosquitto dmcli protocol 'websockets'
+	uci_set mosquitto dmcli auth_plugin '/usr/lib/mosquitto_auth_plugin.so'
+	uci_set mosquitto dmcli acl_file '/etc/dmcli/dmcli.acl'
+fi
+
+exit 0
--- a/dmcli/files/etc/uci-defaults/36-dmcli-remote-remove
+++ b/dmcli/files/etc/uci-defaults/36-dmcli-remote-remove
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_remove mosquitto dmcli
+fi
+
+exit 0
--- a/dmcli/files/etc/users/roles/operator.json
+++ b/dmcli/files/etc/users/roles/operator.json
@@ -0,0 +1,14 @@
+{
+  "tr181": {
+    "name": "operator",
+    "instance": 6,
+    "permission": [
+      {
+        "object": "Device.",
+        "perm": [
+          "PERMIT_ALL"
+        ]
+      }
+    ]
+  }
+}
--- a/dmcli/src/Makefile
+++ b/dmcli/src/Makefile
@@ -0,0 +1,7 @@
+all: dmcli
+
+dmcli: main.c
+	$(CC) $(CFLAGS) -Wall -Werror -o $@ $^
+
+clean:
+	rm -f dmcli
--- a/dmcli/src/main.c
+++ b/dmcli/src/main.c
@@ -0,0 +1,32 @@
+/*
+* Copyright (c) 2021 Genexis Netherlands B.V. All rights reserved.
+* This Software and its content are protected by the Dutch Copyright Act
+* ('Auteurswet'). All and any copying and distribution of the software
+* and its content without authorization by Genexis Netherlands B.V. is
+* prohibited. The prohibition includes every form of reproduction and
+* distribution.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+/* C Wrapper for operator to login to the CLI via ssh: the shell in
+ * the passwd file cannot be a script that requires an interpreter. */
+int main(int argc, char *argv[])
+{
+	char *cmd[3 + (argc > 1 ? argc - 1 : 0)];
+
+	cmd[0] = "/usr/bin/qjs";
+	cmd[1] = "/usr/lib/dmcli/cli/main.js";
+	cmd[2] = NULL;
+
+	if (argc > 1) {
+		memcpy(&cmd[2], &argv[1], (argc - 1) * sizeof(char *));
+		cmd[2 + argc - 1] = NULL;
+	}
+
+	execv(cmd[0], cmd);
+	fprintf(stderr, "%s: command not found\n", cmd[0]);
+	return 127;
+}
--- a/dnsmngr/Makefile
+++ b/dnsmngr/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dnsmngr
-PKG_VERSION:=1.0.18
+PKG_VERSION:=1.0.19

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dnsmngr.git
-PKG_SOURCE_VERSION:=80fa147e6f1f0d9c1a62a62a693ff3adaef45363
+PKG_SOURCE_VERSION:=205938aa1f686d5b43460e4a17f3900ed82bd29f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/dslmngr/files/airoha/sbin/xdsl_wan
+++ b/dslmngr/files/airoha/sbin/xdsl_wan
@@ -5,6 +5,8 @@ source "/lib/functions/network.sh"
 source "/lib/functions/system.sh"

 PREVLINK=""
+LINK=""
+LINKSPEED=""
 PREVWANMODE=""
 WANMODE=""
 CONFIGURED=0
@@ -150,6 +152,12 @@ while [ true ]; do

 	if [ "$LINK" != "$PREVLINK" -a \( "$LINK" = "down" -o "$LINK" = "up" \) ]; then
 		if [ "$LINK" = "down" ]; then
+			if [ ! -s /tmp/qos/wan_link_shape_rate ]; then
+				rm -rf /tmp/qos/wan_link_shape_rate
+				rm -rf /tmp/qos/wan_link_speed
+				/usr/sbin/qos-uplink-bandwidth
+			fi
+
 			[ "$CONFIGURED" -eq 0 ] && configure_lines # Needs to be done once the slave SoC is in down state and we've not been able to auto-sync.
 			if [ -n "$WANMODE" ]; then
 				if [ "$WANMODE" = "PTM" ]; then
@@ -226,6 +234,26 @@ while [ true ]; do

 			call_wan_hotplug "up" "$WANPORT"
 			PREVWANMODE="$WANMODE"
+
+			if [ ! -s /tmp/qos/wan_link_shape_rate ]; then
+				LINKSPEED="$(awk '/far-end interleaved channel bit rate/{print $6}' /proc/tc3162/adsl_stats)"
+				LINKSPEED=$((LINKSPEED))
+				if [ "$LINKSPEED" -eq 0 ]; then
+					LINKSPEED="$(awk '/far-end fast channel bit rate/{print $6}' /proc/tc3162/adsl_stats)"
+					LINKSPEED=$((LINKSPEED))
+				fi
+
+				if [ "$LINKSPEED" -ne 0 ]; then
+					mkdir -p /tmp/qos
+					touch /tmp/qos/wan_link_shape_rate
+
+					/userfs/bin/qosrule discpline Rate uplink-bandwidth ${LINKSPEED}
+					hw_nat -! > /dev/null 2>&1
+				else
+					rm -rf /tmp/qos/wan_link_speed
+					/usr/sbin/qos-uplink-bandwidth
+				fi
+			fi
 		fi

 		# Toggle link state
--- a/ethmngr/Makefile
+++ b/ethmngr/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=ethmngr
-PKG_VERSION:=3.1.0
+PKG_VERSION:=3.1.4

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/ethmngr.git
-PKG_SOURCE_VERSION:=da6b25430123f03a74b59369b36dc4a777207d3f
+PKG_SOURCE_VERSION:=0283fb5cb74a7baca46c4360da680757c57c86ac
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
--- a/fdtextract/Makefile
+++ b/fdtextract/Makefile
@@ -10,19 +10,14 @@ PKG_NAME:=fdtextract
 PKG_RELEASE:=1
 PKG_VERSION:=1.0

-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/fdtextract.git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/system/fdtextract.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=e3cefda3b26c9aea3021b20725ce7b31b33eebc4
+PKG_SOURCE_VERSION:=7917dbcb29724476cd46164eec29848df1e5fb67
 PKG_MIRROR_HASH:=skip

 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=LICENSE

-RSTRIP:=true
-export BUILD_DIR
-
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_BUILD_PARALLEL:=1

@@ -40,9 +35,7 @@ endef

 define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/fdtextract $(1)/usr/sbin/
-	$(STRIP) $(1)/usr/sbin/fdtextract
 endef

 $(eval $(call BuildPackage,$(PKG_NAME)))
--- a/firewallmngr/Makefile
+++ b/firewallmngr/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.10
+PKG_VERSION:=1.0.12

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
-PKG_SOURCE_VERSION:=05ad0d6f7f21520eecd05429c14d1963de2a8463
+PKG_SOURCE_VERSION:=30319c67fb4db285a2bcd272b1c10bc040eecf19
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/gateway-info/files/etc/uci-defaults/86-set-gateway-device-info
+++ b/gateway-info/files/etc/uci-defaults/86-set-gateway-device-info
@@ -110,7 +110,7 @@ configure_send_op125() {


 	if [ "${uci}" = "network" ]; then
-		new_send_opt="$sendopt $opt125"
+		[ -n "${sendopt}" ] && new_send_opt="$sendopt $opt125" || new_send_opt="$opt125"
 		uci -q set network."${intf}".sendopts="$new_send_opt"
 	else
 		new_send_opt="$sendopt$opt125"
@@ -228,7 +228,7 @@ enable_dhcp_option125() {

 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${wan}".reqopts="$newreqopts"
 		fi

--- a/hostmngr/Makefile
+++ b/hostmngr/Makefile
@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=hostmngr
-PKG_VERSION:=1.3.1
+PKG_VERSION:=1.4.2

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=3663ca4d001508509774115d6797b932f9ed4f69
+PKG_SOURCE_VERSION:=ac50f621e19f74b7af4e4b8c1e810503507cc3dd
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/hostmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
--- a/icwmp/Makefile
+++ b/icwmp/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=icwmp
-PKG_VERSION:=9.10.1
+PKG_VERSION:=9.10.10

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=c4b0fa4272ab44a8c78462d5cc8df6501acbeb55
+PKG_SOURCE_VERSION:=63251b6c9789b1428604af0a5c1d23d32d14a8b8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -84,6 +84,7 @@ define Package/icwmp/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/icwmpd $(1)/usr/sbin/icwmpd
 	$(INSTALL_DATA) ./files/etc/config/cwmp $(1)/etc/config/cwmp
 	$(INSTALL_BIN) ./files/etc/init.d/icwmpd $(1)/etc/init.d/icwmpd
+	$(INSTALL_BIN) ./files/etc/uci-defaults/50-cwmp-align-keep-config $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/90-cwmpfirewall $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/95-set-random-inform-time $(1)/etc/uci-defaults/
--- a/icwmp/files/etc/config/cwmp
+++ b/icwmp/files/etc/config/cwmp
@@ -42,7 +42,9 @@ config cpe 'cpe'
 	option periodic_notify_interval '10'
 	option incoming_rule 'Port_Only'
 	option active_notif_throttle '0'
-	option fw_upgrade_keep_settings '1'
+	#option KeepConfig '1'
+	#option KeepOpConf '1'
+	#option ConfigScope 'UserOnly'
 	option clock_sync_timeout '128'
 	option disable_datatype_check '0'
 	#list allowed_cr_ip '10.5.1.0/24'
--- a/icwmp/files/etc/init.d/icwmpd
+++ b/icwmp/files/etc/init.d/icwmpd
@@ -97,7 +97,9 @@ validate_cpe_section()
 		'periodic_notify_enable:bool' \
 		'enable:bool:1' \
 		'periodic_notify_interval:uinteger' \
-		'fw_upgrade_keep_settings:bool'
+		'KeepConfig:bool' \
+		'KeepOpConf:bool' \
+		'ConfigScope:string'
 }

 validate_defaults() {
@@ -168,13 +170,21 @@ start_service() {

 stop_service()
 {
-	local switch_bank
+	local switch_bank KeepConfig KeepOpConf ConfigScope

 	copy_cwmp_varstate_files_to_etc
-	
 	switch_bank=$(uci -q -c /var/state/ get icwmp.cpe.switch_bank)
-	if [ -n "$switch_bank" ] && [ "$switch_bank" = "1" ]; then
-		[ -x /etc/sysmngr/fwbank ] && /etc/sysmngr/fwbank call copy_config
+	if [ "$switch_bank" = "1" ] && [ -x /etc/sysmngr/fwbank ]; then
+		KeepConfig="$(uci -q get cwmp.cpe.KeepConfig)"
+		KeepOpConf="$(uci -q get cwmp.cpe.KeepOpConf)"
+		ConfigScope="$(uci -q get cwmp.cpe.ConfigScope)"
+
+		json_init
+		[ -n "${KeepConfig}" ] && json_add_boolean "keep_config" "${KeepConfig}"
+		[ -n "${KeepOpConf}" ] && json_add_boolean "keep_opconf" "${KeepOpConf}"
+		[ -n "${ConfigScope}" ] && json_add_string "config_scope" "${ConfigScope}"
+
+		json_dump| /etc/sysmngr/fwbank call copy_config
 	fi
 }

--- a/icwmp/files/etc/uci-defaults/50-cwmp-align-keep-config
+++ b/icwmp/files/etc/uci-defaults/50-cwmp-align-keep-config
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+keep_settings="$(uci -q get cwmp.cpe.fw_upgrade_keep_settings)"
+if [ -n "${keep_settings}" ]; then
+	uci -q delete cwmp.cpe.fw_upgrade_keep_settings
+	uci -q set cwmp.cpe.KeepConfig="${keep_settings}"
+fi
--- a/icwmp/files/etc/udhcpc.user.d/udhcpc_icwmp_opt43.user
+++ b/icwmp/files/etc/udhcpc.user.d/udhcpc_icwmp_opt43.user
@@ -77,6 +77,7 @@ get_opt43() {
 config_load cwmp
 config_get wan_intf cpe default_wan_interface "wan"
 config_get dhcp_discovery acs dhcp_discovery "0"
+config_get_bool insecure_enable acs insecure_enable "0"
 config_get dhcp_url acs dhcp_url ""
 config_get min_wait_intvl acs dhcp_retry_min_wait_interval "0"
 config_get intvl_multi acs dhcp_retry_interval_multiplier "0"
@@ -102,6 +103,17 @@ if [ "${wan_intf}" = "${INTERFACE}" ]; then
 		return 0
 	fi

+	if [ "${insecure_enable}" -eq "0" ]; then
+		case $DHCP_ACS_URL in
+		https://*)
+			log "ACS url $DHCP_ACS_URL has https"
+			;;
+		*)
+			return 0
+			;;
+		esac
+	fi
+
 	sec=$(uci -q get cwmp.acs)

 	if [ -z "${sec}" ]; then
--- a/ieee1905/Makefile
+++ b/ieee1905/Makefile
@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=ieee1905
-PKG_VERSION:=8.7.37
+PKG_VERSION:=8.7.42

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=c711e1e132478d6443ffb5aad15d12b90f0d59b5
+PKG_SOURCE_VERSION:=2e7d1377794b8d4f8aad252265110b09b129fdc8
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
--- a/iopsys-analytics/Makefile
+++ b/iopsys-analytics/Makefile
@@ -34,6 +34,9 @@ define Package/$(PKG_NAME)
    +@PACKAGE_syslog-ng:SYSLOGNG_LOGROTATE              \
    +PACKAGE_fluent-bit:logrotate                       \
    +@DMCLI_REMOTE_CONNECTION
+  # tools used in development/testing
+  DEPENDS+=                                             \
+    +iperf3

 endef

--- a/libeasy/Makefile
+++ b/libeasy/Makefile
@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libeasy
-PKG_VERSION:=7.5.0
+PKG_VERSION:=7.5.1

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=18f93677bb4d33ebb6249324a5043294f0eae16c
+PKG_SOURCE_VERSION:=b981f7e1bd51f66041cd0c25d15af74ae1e3bc75
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libeasy.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
--- a/libqos/Makefile
+++ b/libqos/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libqos
-PKG_VERSION:=7.2.109
+PKG_VERSION:=7.2.110

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libqos.git
-PKG_SOURCE_VERSION:=4948d372c3d7e43a0ba9aee517dbb83b94bba3dc
+PKG_SOURCE_VERSION:=b36f26d6d14c8fa65b4559381f6a43219d55e93a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
--- a/libvoice-airoha/Makefile
+++ b/libvoice-airoha/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=libvoice-airoha
 PKG_RELEASE:=1
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.8
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE

@@ -17,7 +17,7 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=3a30086a68a3409f0396acb01380f91daabf7a2f
+PKG_SOURCE_VERSION:=9763c574ec69e2aa492db4f1296d4bcd53776fba
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha
+++ b/libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha
@@ -25,6 +25,5 @@ db commit
 # configure the PCM for DECT/DCX81
 [ -f "/proc/device-tree/aliases/dcx81-uart" ] && {
    uci set dect.global.pcm_fsync='SHORT_LF'
-    uci set dect.global.pcm_slot_start='8'
    uci set dect.global.dect_channel_start='3'
 }
--- a/libwifi/Makefile
+++ b/libwifi/Makefile
@@ -1,28 +1,32 @@
 #
-# Copyright (C) 2020-2023 Iopsys
+# Copyright (C) 2019-2024 Iopsys
+# Copyright (C) 2025 Genexis Sweden AB
 #

 include $(TOPDIR)/rules.mk

 PKG_NAME:=libwifi
-PKG_VERSION:=7.14.0
+PKG_VERSION:=7.22.10

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=b4b8f524a93d03fd1f89d4c32b8eaca90d9ccc1a
-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git
-PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
+PKG_SOURCE_VERSION:=4759a74db66dd0b4bfa6707683129a317ae42779
+PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libwifi.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif

 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=LGPL-2.1-only
-PKG_LICENSE_FILES:=LICENSE
+PKG_LICENSE_FILES:=
+PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@genexis.eu>
+
+MAKE_VERBOSE := 1

 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/cmake.mk

 ifeq ($(CONFIG_TARGET_brcmbca),y)
  TARGET_PLATFORM=BROADCOM
@@ -49,8 +53,14 @@ else ifeq ($(CONFIG_TARGET_airoha),y)
  endif
 else ifeq ($(CONFIG_TARGET_mediatek),y)
  TARGET_PLATFORM=MEDIATEK
-  TARGET_WIFI_TYPE=MEDIATEK
-  TARGET_CFLAGS +=-DCONFIG_MTK -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
+  TARGET_WIFI_TYPE=MAC80211
+  ifeq ($(CONFIG_TARGET_DEVICE_mediatek_filogic_DEVICE_cx750),y)
+    TARGET_WIFI_TYPE=MEDIATEK
+    TARGET_CFLAGS +=-DCONFIG_MTK -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
+  else ifeq ($(CONFIG_TARGET_DEVICE_mediatek_filogic_DEVICE_mediatek_mt7987a-spim-nand-an8801sb),y)
+    TARGET_WIFI_TYPE=MEDIATEK
+    TARGET_CFLAGS +=-DCONFIG_MTK -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
+  endif
 else ifeq ($(CONFIG_TARGET_ipq95xx),y)
  TARGET_PLATFORM=IPQ95XX
  TARGET_WIFI_TYPE=QUALCOMM
@@ -66,13 +76,13 @@ else
 endif

 ifneq ($(CONFIG_PACKAGE_kmod-mt7915e_en7523),)
-  TARGET_CFLAGS=-DMT7915_VENDOR_EXT
+  TARGET_CFLAGS +=-DMT7915_VENDOR_EXT
 endif

 PKG_BUILD_DEPENDS:=PACKAGE_kmod-mt7915e_en7523:mt76_en7523

 ifneq ($(CONFIG_PACKAGE_libwifi),)
-TARGET_CFLAGS +=-DHAS_WIFI
+  CMAKE_OPTIONS +=-DHAS_WIFI=ON
 endif

 ifeq ($(CONFIG_LIBWIFI_USE_CTRL_IFACE),y)
@@ -83,18 +93,8 @@ ifeq ($(CONFIG_LIBWIFI_SKIP_PROBES),y)
  TARGET_CFLAGS +=-DLIBWIFI_BRCM_SKIP_PROBES
 endif

-TARGET_CFLAGS += \
-	-I$(STAGING_DIR)/usr/include \
-	-I$(STAGING_DIR)/usr/include/openssl \
-	-I$(STAGING_DIR)/usr/include/libnl3

-MAKE_FLAGS += \
-	CFLAGS="$(TARGET_CFLAGS) -Wall -I./" \
-	LDFLAGS="$(TARGET_LDFLAGS)" \
-	FPIC="$(FPIC)" \
-	PLATFORM="$(TARGET_PLATFORM)" \
-	WIFI_TYPE="$(TARGET_WIFI_TYPE)" \
-	subdirs="$(subdirs)"
+CMAKE_OPTIONS += -DPLATFORM=$(TARGET_PLATFORM) -DWIFI_TYPE=$(TARGET_WIFI_TYPE)

 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -102,43 +102,39 @@ define Build/Prepare
 endef
 endif

-define Package/libwifi-common
-  SECTION:=libs
-  CATEGORY:=Libraries
-  TITLE:=libwifi
-  SUBMENU:=IOPSYS HAL libs
-  DEPENDS:=+libopenssl
-  MENU:=1
+define Package/libwifiutils
+	SECTION:=libs
+	CATEGORY:=Libraries
+	TITLE:= WiFi utility library (libwifiutils.so)
+	DEPENDS+=+libnl +libnl-route +libeasy +libopenssl
+endef
+
+define Package/libwifiutils/description
+	Library provides WiFi utility functions
+endef
+
+define Package/libwifi
+	SECTION:=libs
+	CATEGORY:=Libraries
+	TITLE:= WiFi HAL library (libwifi-7.so.m)
+	DEPENDS+=+libnl +libnl-route +libeasy +libwifiutils +TARGET_brcmbca:bcm963xx-bsp
 endef

 define Package/libwifi/description
-  Library provides WiFi HAL APIs and WiFi common utility functions
-endef
-
-define Package/libwifiutils
-  $(call Package/libwifi-common)
-  TITLE:= WiFi utility library (libwifiutils.so)
-  DEPENDS+=+libnl +libnl-route +libeasy
+	Library provides WiFi HAL APIs
 endef

 define Build/InstallDev/libwifiutils
 	$(INSTALL_DIR) $(1)/usr/include
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/wifidefs.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/wifiutils.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/libwifiutils*.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/wifidefs.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/wifiutils.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/libwifiutils*.so* $(1)/usr/lib/
 endef

 define Package/libwifiutils/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/libwifiutils*.so* $(1)/usr/lib/
-endef
-
-
-define Package/libwifi
-  $(call Package/libwifi-common)
-  TITLE:= WiFi library (libwifi)
-  DEPENDS+=+libnl +libnl-route +libeasy +libwifiutils +TARGET_brcmbca:bcm963xx-bsp
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/libwifiutils*.so* $(1)/usr/lib/
 endef

 define Package/libwifi/config
@@ -159,13 +155,12 @@ define Package/libwifi/config
  endif
 endef

-
 define Build/InstallDev/libwifi
 	$(INSTALL_DIR) $(1)/usr/include
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/wifiops.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/wifi.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/libwifi-7*.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/wifiops.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/wifi.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/libwifi-7*.so* $(1)/usr/lib/
 endef


@@ -178,7 +173,7 @@ endef

 define Package/libwifi/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/libwifi-7*.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/libwifi-7*.so* $(1)/usr/lib/
 endef

 $(eval $(call BuildPackage,libwifiutils))
--- a/logmngr/files/etc/config/logmngr
+++ b/logmngr/files/etc/config/logmngr
@@ -8,7 +8,7 @@ config source 'default_source'

 config template 'default_template'
 	option name 'default_template'
-	option expression '{time} {hostname} {ident}: {message}'
+	option expression '{time} {hostname} {ident}[{pid}]: {message}'

 config action 'default_action'
 	option name 'default_action'
--- a/logmngr/files/etc/init.d/logmngr
+++ b/logmngr/files/etc/init.d/logmngr
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common

-START=12
+START=09

 USE_PROCD=1

--- a/logmngr/files/etc/uci-defaults/10-logmngr_config_migrate
+++ b/logmngr/files/etc/uci-defaults/10-logmngr_config_migrate
@@ -11,7 +11,7 @@ fi
 if ! uci -q get logmngr.default_template > /dev/null; then
 	uci -q set logmngr.default_template=template
 	uci -q set logmngr.default_template.name='default_template'
-	uci -q set logmngr.default_template.expression='{time} {hostname} {ident}: {message}'
+	uci -q set logmngr.default_template.expression='{time} {hostname} {ident}[{pid}]: {message}'
 fi

 if uci -q get logmngr.a1 >/dev/null; then
--- a/logmngr/files/lib/logmngr/fluent-bit.sh
+++ b/logmngr/files/lib/logmngr/fluent-bit.sh
@@ -77,6 +77,12 @@ create_default_filters() {
 	append_conf "    rename          msg     message"
 	append_conf ""

+	append_conf "[FILTER]"
+	append_conf "    name            modify"
+	append_conf "    match           *"
+	append_conf "    add             pid     0"
+	append_conf ""
+
 	append_conf "[FILTER]"
 	append_conf "    name            sysinfo"
 	append_conf "    match           *"
@@ -94,6 +100,7 @@ create_input_section() {

 	append_conf "[INPUT]"
 	append_conf "    name        syslog"
+	append_conf "    unix_perm   0666"
 	append_conf "    tag         $tag"
 	append_conf "    path        /dev/log"
 	append_conf ""
--- a/map-agent/Config.in
+++ b/map-agent/Config.in
@@ -55,6 +55,10 @@ config AGENT_OPER_CHANNEL_CHANGE_RELAY_MCAST
 config AGENT_USE_LIBDPP
 	bool "Depend on libdpp for DPP EasyConnect"

+config AGENT_ZEROTOUCH_DPP
+	bool "Enable Zero-touch DPP bootstrapping. Depends on libztdpp.so"
+	default n
+
 config AGENT_CHECK_PARTIAL_WIFI_RELOAD
 	bool "Option that allow SSID/PSK simple reload"
 	default y
--- a/map-agent/Makefile
+++ b/map-agent/Makefile
@@ -1,13 +1,14 @@
 #
-# Copyright (C) 2020-2023 IOPSYS Software Solutions AB
+# Copyright (C) 2020-2024 IOPSYS Software Solutions AB
+# Copyright (C) 2025 Genexis Sweden AB
 #

 include $(TOPDIR)/rules.mk

 PKG_NAME:=map-agent
-PKG_VERSION:=6.4.1.11
+PKG_VERSION:=6.5.0.5
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=671bb0e693adbeb3e06b967350ce7f96ee91321b
+PKG_SOURCE_VERSION:=5734cb47c704e75378eaccc823a7da9f47304c99
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>

 PKG_LICENSE:=BSD-3-Clause
@@ -26,7 +27,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/map-agent
  SECTION:=utils
  CATEGORY:=Utilities
-  TITLE:=WiFi multi-AP Agent (EasyMesh R2)
+  TITLE:=Wi-Fi Multi-AP Agent (EasyMesh R6)
  DEPENDS:=+libwifi +libuci +libubox +ubus +libeasy +libieee1905 +ieee1905 \
 	   +ieee1905-map-plugin +ip-bridge +AGENT_USE_LIBDPP:libdpp \
 	   +uuidgen +openssl-util +!TARGET_brcmbca:ebtables-legacy \
@@ -37,8 +38,12 @@ ifeq ($(CONFIG_AGENT_USE_LIBDPP),y)
  TARGET_CFLAGS += -DUSE_LIBDPP
 endif

+ifeq ($(CONFIG_AGENT_ZEROTOUCH_DPP),y)
+  TARGET_CFLAGS += -DZEROTOUCH_DPP
+endif
+
 define Package/map-agent/description
- This package implements EasyMesh R2 compliant WiFi Agent.
+  This package provides EasyMesh R6 compliant Wi-Fi Multi-AP Agent.
 endef

 define Package/map-agent/config
--- a/map-agent/files/etc/init.d/mapagent
+++ b/map-agent/files/etc/init.d/mapagent
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common

-START=98
+START=97
 STOP=20

 USE_PROCD=1
--- a/map-agent/files/lib/multiap/map_genconfig
+++ b/map-agent/files/lib/multiap/map_genconfig
@@ -49,19 +49,16 @@ generate_multiap_config() {
 			2g)
 				mode_band=2
 				priority=2
-				dpp_chan="81/1"
 				channels="1 6 11"
 			;;
 			5g)
 				mode_band=5
 				priority=1
-				dpp_chan="128/36"
 				channels="36-64 100-112"
 			;;
 			6g)
 				mode_band=6
 				priority=0
-				dpp_chan="133/49"
 			;;
 		esac

@@ -73,7 +70,8 @@ generate_multiap_config() {

 		ifprefix_radio=""
 		if is_logan; then
-			uci set mapagent.agent.mld_prefix="bss"
+			uci set mapagent.agent.mld_ap_prefix="bss"
+			uci set mapagent.agent.mld_sta_prefix="sta"
 			ifname_sta=""
 			case "$band" in
 				2g)
@@ -162,13 +160,17 @@ generate_multiap_config() {
 				uci set mapagent.@bsta[-1].band="$mode_band"
 				uci set mapagent.@bsta[-1].priority="$priority"

-				#uci add mapagent dpp_uri
-				#uci set mapagent.@dpp_uri[-1].type="qrcode"
-				#uci set mapagent.@dpp_uri[-1].device="$device"
-				#uci set mapagent.@dpp_uri[-1].ifname="$ifname"
-				#uci set mapagent.@dpp_uri[-1].band="$mode_band"
-				#uci set mapagent.@dpp_uri[-1].chirp_interval="10"
-				#uci add_list mapagent.@dpp_uri[-1].dpp_chan="$dpp_chan"
+				# add dpp_chirp section for 2.4GHz bSTA
+				if [ $mode_band -eq 2 ]; then
+					uci add mapagent dpp_chirp
+					uci set mapagent.@dpp_chirp[-1].type="qrcode"
+					uci set mapagent.@dpp_chirp[-1].device="$device"
+					uci set mapagent.@dpp_chirp[-1].ifname="$ifname"
+					uci set mapagent.@dpp_chirp[-1].band="$mode_band"
+					for channel in $channels; do
+						uci add_list mapagent.@dpp_chirp[-1].channel="$channel"
+					done
+				fi

 				if [ $generate_wireless_sta_config -eq 1 ]; then
 					secname="default_sta_${device}"
--- a/map-controller/Config.in
+++ b/map-controller/Config.in
@@ -39,6 +39,10 @@ config CONTROLLER_EASYMESH_VENDOR_EXT_OUI
 config CONTROLLER_USE_LIBDPP
 	bool "Depend on libdpp for DPP EasyConnect"

+config CONTROLLER_ZEROTOUCH_DPP
+	bool "Enable Zero-touch DPP bootstrapping via passphrase."
+	default n
+
 config CONTROLLER_PROPAGATE_PROBE_REQ
 	depends on CONTROLLER_EASYMESH_VENDOR_EXT
 	bool "Enable publishing probe requests vendor specific messages as UBUS events"
--- a/map-controller/Makefile
+++ b/map-controller/Makefile
@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=map-controller
-PKG_VERSION:=6.4.2.6
+PKG_VERSION:=6.4.4.13
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=5e93ea36c4fb93dd473b233b098ecacf6395a20c
+PKG_SOURCE_VERSION:=bd0fb2b63830e19038d9495517c03fdc3900cdfa
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>

 LOCAL_DEV=0
@@ -36,6 +36,9 @@ ifeq ($(CONFIG_CONTROLLER_USE_LIBDPP),y)
  TARGET_CFLAGS += -DUSE_LIBDPP
 endif

+ifeq ($(CONFIG_CONTROLLER_ZEROTOUCH_DPP),y)
+  TARGET_CFLAGS += -DZEROTOUCH_DPP
+endif

 define Package/map-controller/description
 This package provides WiFi MultiAP Controller as per the EasyMesh-R2 specs.
@@ -81,6 +84,7 @@ define Build/InstallDev
 	$(CP) $(PKG_BUILD_DIR)/src/cntlr_commands_impl.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/cntlr_commands.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/cntlr_apis.h $(1)/usr/include/map-controller
+	$(CP) $(PKG_BUILD_DIR)/src/cntlr_plugin.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/wifi_opclass.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/steer_module.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/timer.h $(1)/usr/include/map-controller
--- a/map-controller/files/etc/config/mapcontroller
+++ b/map-controller/files/etc/config/mapcontroller
@@ -4,16 +4,16 @@ config controller 'controller'
 	option registrar '2 5 6'
 	option debug '2'
 	option bcn_metrics_max_num '10'
-	option initial_channel_scan '0'
 	option enable_ts '0'
 	option primary_vid '1'
 	option primary_pcp '0'
 	option stale_sta_timeout '20d'
 	option de_collect_interval '60'
+	list plugin 'zerotouch'

-config sta_steering
+config sta_steering 'sta_steering'
 	option enable_sta_steer '1'
-	option enable_bsta_steer '0'
+	option enable_bsta_steer '1'
 	option rcpi_threshold_2g '70'
 	option rcpi_threshold_5g '86'
 	option rcpi_threshold_6g '86'
@@ -23,8 +23,10 @@ config sta_steering
 	option plugins_enabled '1'
 	option plugins_policy 'any'
 	list plugins 'rcpi'
+	list plugins 'rate'
+	list plugins 'bsteer'

-config channel_plan
+config channel_plan 'channel_plan'
 	option preclear_dfs '0'
 	option acs '0'

--- a/map-controller/files/etc/init.d/mapcontroller
+++ b/map-controller/files/etc/init.d/mapcontroller
@@ -20,7 +20,6 @@ validate_controller_section() {
 		'registrar:string' \
 		'debug:range(0,16)' \
 		'bcn_metrics_max_num:range(1,256)' \
-		'initial_channel_scan:bool:true' \
 		'resend_num:uinteger:0' \
 		'allow_bgdfs:range(0,2629744)' \
 		'stale_sta_timeout:string' \
--- a/map-controller/files/etc/uci-defaults/99-mapcntlr-uci-rename-singletons
+++ b/map-controller/files/etc/uci-defaults/99-mapcntlr-uci-rename-singletons
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+cfg=mapcontroller
+
+# singleton sections
+sections="channel_plan sta_steering"
+
+for sec in $sections; do
+    # find unnamed section of given type, only index 0
+    s=$(uci show $cfg | grep -oE "@${sec}\[0\]" | sort -u)
+    [ "$s" = "" ] && continue
+
+    uci rename $cfg.$s=$sec
+done
+
+uci commit $cfg
--- a/map-plugins/Makefile
+++ b/map-plugins/Makefile
@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=map-plugins
-PKG_VERSION:=1.0.31
+PKG_VERSION:=1.2.7

 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=565cade8fe08807b345404c567243fbdfdcb96c8
+PKG_SOURCE_VERSION:=dd873ca4e2cb321302dae1955da24d1be271b2b1
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-plugins.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -27,12 +27,18 @@ include $(INCLUDE_DIR)/package.mk

 include $(wildcard plugins/*.mk)

+TARGET_CFLAGS += \
+	-I$(STAGING_DIR)/usr/include \
+	-I$(STAGING_DIR)/usr/include/libnl3 \
+	-D_GNU_SOURCE
+
 MAKE_FLAGS += \
 	CFLAGS="$(TARGET_CFLAGS) -Wall"

 plugins := \
 	$(if $(CONFIG_PACKAGE_map-plugins-steer-rate),steer-rate)   \
-	$(if $(CONFIG_PACKAGE_map-plugins-bsteer),bsteer)
+	$(if $(CONFIG_PACKAGE_map-plugins-bsteer),bsteer) \
+	$(if $(CONFIG_PACKAGE_map-plugins-zero-touch),zero-touch)

 ppkg:=$(patsubst plugins/%.mk,map-plugins-%,$(wildcard plugins/*.mk))

@@ -53,7 +59,8 @@ define Package/map-plugins
 endef

 define Package/map-plugins/description
-	Provides extra Multi-AP services viz. steering, channel-planning, self-organizing network etc.
+	Provides extra Multi-AP services viz. steering, channel-planning,
+	self-organizing network, zero-touch onboarding etc.
 endef

 define Package/map-plugins/install
@@ -64,5 +71,11 @@ define Build/Compile
 	$(foreach p,$(plugins),$(call Build/Compile/map-plugins-$(p), $(1)))
 endef

+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+        rsync -r --exclude=.* ~/git/map-plugins/ $(PKG_BUILD_DIR)/
+endef
+endif
+
 $(eval $(call BuildPackage,map-plugins))
 $(eval $(foreach p,$(ppkg),$(call BuildPackage,$(p))))
--- a/map-plugins/plugins/zero-touch.mk
+++ b/map-plugins/plugins/zero-touch.mk
@@ -0,0 +1,22 @@
+define Package/map-plugins-zero-touch
+	$(call Package/map-plugins/Default)
+	TITLE:=Full Zero-touch bootstrapping of Wi-Fi Repeater device(s)
+	DEPENDS= +libubox +libuci +libubus +libeasy +libnl-genl \
+		 +libjson-c +libblobmsg-json +map-controller \
+		 +map-plugins
+endef
+
+define Package/map-plugins-zero-touch/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/lib/mapcontroller
+	$(CP) $(PKG_BUILD_DIR)/zero-touch/zerotouch.so $(1)/usr/lib/mapcontroller/zerotouch.so
+	$(CP) $(PKG_BUILD_DIR)/zero-touch/libztdpp.so $(1)/usr/lib/libztdpp.so
+
+endef
+
+define Build/Compile/map-plugins-zero-touch
+	$(MAKE) -C $(PKG_BUILD_DIR)/zero-touch \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDFLAGS="$(TARGET_LDFLAGS)";
+endef
--- a/mcastmngr/files/broadcom/lib/mcast/broadcom.sh
+++ b/mcastmngr/files/broadcom/lib/mcast/broadcom.sh
@@ -235,7 +235,7 @@ configure_mcpd() {

 setup_mcast_mode() {
 	# set the mode at chip to allow both tagged and untagged multicast forwarding
-	bs /b/c iptv lookup_method=group_ip_src_ip
+	bs /b/c iptv lookup_method=group_ip_src_ip_vid
 }

 configure_mcast() {
--- a/mosquitto-auth-plugin/Config.in
+++ b/mosquitto-auth-plugin/Config.in
@@ -1,4 +1,4 @@
-if PACKAGE_mosquitto-auth-shadow
+if PACKAGE_mosquitto-auth-plugin

 config MOSQUITTO_AUTH_PAM_SUPPORT
 	bool "Enable support of Linux PAM module for Authentication"
--- a/mosquitto-auth-plugin/Makefile
+++ b/mosquitto-auth-plugin/Makefile
@@ -13,8 +13,8 @@

 include $(TOPDIR)/rules.mk

-PKG_NAME:=mosquitto-auth-shadow
-PKG_VERSION:=1.1.0
+PKG_NAME:=mosquitto-auth-plugin
+PKG_VERSION:=1.2.1

 PKG_MAINTAINER:=Erik Karlsson <erik.karlsson@genexis.eu>
 PKG_LICENSE:=EPL-2.0
@@ -24,7 +24,7 @@ PKG_CONFIG_DEPENDS:=CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT

 include $(INCLUDE_DIR)/package.mk

-define Package/mosquitto-auth-shadow
+define Package/mosquitto-auth-plugin
  SECTION:=net
  CATEGORY:=Network
  TITLE:=mosquitto - /etc/shadow authentication plugin
@@ -32,12 +32,12 @@ define Package/mosquitto-auth-shadow
  USERID:=mosquitto=200:mosquitto=200 mosquitto=200:shadow=11
 endef

-define Package/mosquitto-auth-shadow/description
+define Package/mosquitto-auth-plugin/description
  Plugin for the mosquitto MQTT message broker that authenticates
  users using /etc/shadow
 endef

-define Package/mosquitto-auth-shadow/config
+define Package/mosquitto-auth-plugin/config
 	source "$(SOURCE)/Config.in"
 endef

@@ -45,10 +45,10 @@ ifeq ($(CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT),y)
 TARGET_CFLAGS+=-DENABLE_PAM_SUPPORT
 endif

-define Package/mosquitto-auth-shadow/install
+define Package/mosquitto-auth-plugin/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_shadow.so $(1)/usr/lib/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_plugin.so $(1)/usr/lib/
 	$(CP) ./files/* $(1)/
 endef

-$(eval $(call BuildPackage,mosquitto-auth-shadow))
+$(eval $(call BuildPackage,mosquitto-auth-plugin))
--- a/mosquitto-auth-plugin/files/etc/uci-defaults/14_set-shadow-permissions
+++ b/mosquitto-auth-plugin/files/etc/uci-defaults/14_set-shadow-permissions
--- a/mosquitto-auth-plugin/src/Makefile
+++ b/mosquitto-auth-plugin/src/Makefile
@@ -11,14 +11,14 @@
 #   Erik Karlsson - initial implementation
 #

-TARGETS = mosquitto_auth_shadow.so
+TARGETS = mosquitto_auth_plugin.so

 all: $(TARGETS)

 %.pic.o: %.c
 	$(CC) $(CFLAGS) -Wall -Werror -fPIC -c -o $@ $<

-mosquitto_auth_shadow.so: mosquitto_auth_shadow.pic.o
+mosquitto_auth_plugin.so: mosquitto_auth_plugin.pic.o
 	$(CC) $(LDFLAGS) -shared -o $@ $^ $(if $(filter -DENABLE_PAM_SUPPORT,$(CFLAGS)),-lpam)

 clean:
--- a/mosquitto-auth-plugin/src/mosquitto_auth_plugin.c
+++ b/mosquitto-auth-plugin/src/mosquitto_auth_plugin.c
@@ -0,0 +1,670 @@
+/*
+ * Copyright (c) 2022 Genexis B.V.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Erik Karlsson - initial implementation
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <shadow.h>
+#include <crypt.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <mosquitto.h>
+#include <mosquitto_broker.h>
+#include <mosquitto_plugin.h>
+
+#ifdef ENABLE_PAM_SUPPORT
+#include <security/pam_appl.h>
+#endif
+
+#define MAX_USERS 256
+#define MAX_SUBNETS_PER_USER 32
+
+typedef struct {
+	union {
+		uint32_t ipv4_network;
+		uint8_t ipv6_network[16];
+	};
+	union {
+		uint32_t ipv4_netmask;
+		uint8_t ipv6_netmask[16];
+	};
+	int is_ipv6;
+} subnet_t;
+
+typedef struct {
+	char username[64];
+	subnet_t allow_subnets[MAX_SUBNETS_PER_USER];
+	int allow_count;
+	subnet_t deny_subnets[MAX_SUBNETS_PER_USER];
+	int deny_count;
+} user_acl_t;
+
+typedef struct {
+	user_acl_t users[MAX_USERS];
+	int user_count;
+	mosquitto_plugin_id_t *identifier;
+	char *config_file;
+} plugin_data_t;
+
+/* Parse CIDR notation for IPv4 or IPv6 (e.g., "192.168.1.0/24" or "2001:db8::/32") */
+static int parse_subnet(const char *cidr, subnet_t *subnet)
+{
+	char ip_str[128];
+	char *slash;
+	int prefix_len;
+	struct in_addr addr4;
+	struct in6_addr addr6;
+
+	strncpy(ip_str, cidr, sizeof(ip_str) - 1);
+	ip_str[sizeof(ip_str) - 1] = '\0';
+
+	slash = strchr(ip_str, '/');
+	if (slash != NULL) {
+		*slash = '\0';
+		prefix_len = atoi(slash + 1);
+	}
+
+	/* Try IPv4 first */
+	if (inet_pton(AF_INET, ip_str, &addr4) == 1) {
+		subnet->is_ipv6 = 0;
+		if (slash == NULL)
+			prefix_len = 32;
+		if (prefix_len < 0 || prefix_len > 32)
+			return -1;
+
+		subnet->ipv4_network = ntohl(addr4.s_addr);
+		subnet->ipv4_netmask = prefix_len == 0 ? 0 : (~0U << (32 - prefix_len));
+		subnet->ipv4_network &= subnet->ipv4_netmask;
+		return 0;
+	}
+
+	/* Try IPv6 */
+	if (inet_pton(AF_INET6, ip_str, &addr6) == 1) {
+		subnet->is_ipv6 = 1;
+		if (slash == NULL)
+			prefix_len = 128;
+		if (prefix_len < 0 || prefix_len > 128)
+			return -1;
+
+		/* Copy network address */
+		memcpy(subnet->ipv6_network, addr6.s6_addr, 16);
+
+		/* Generate netmask */
+		memset(subnet->ipv6_netmask, 0, 16);
+		for (int i = 0; i < prefix_len / 8; i++)
+			subnet->ipv6_netmask[i] = 0xff;
+		if (prefix_len % 8)
+			subnet->ipv6_netmask[prefix_len / 8] = ~((1 << (8 - (prefix_len % 8))) - 1);
+
+		/* Apply netmask to network address */
+		for (int i = 0; i < 16; i++)
+			subnet->ipv6_network[i] &= subnet->ipv6_netmask[i];
+
+		return 0;
+	}
+
+	return -1;
+}
+
+/* Check if IPv4 address is in subnet */
+static int ipv4_in_subnet(uint32_t ip, const subnet_t *subnet)
+{
+	if (subnet->is_ipv6)
+		return 0;
+	return (ip & subnet->ipv4_netmask) == subnet->ipv4_network;
+}
+
+/* Check if IPv6 address is in subnet */
+static int ipv6_in_subnet(const uint8_t *ip, const subnet_t *subnet)
+{
+	if (!subnet->is_ipv6)
+		return 0;
+	for (int i = 0; i < 16; i++) {
+		if ((ip[i] & subnet->ipv6_netmask[i]) != subnet->ipv6_network[i])
+			return 0;
+	}
+	return 1;
+}
+
+/* Check if IP is in any subnet in the list */
+static int ip_in_subnet_list(const char *client_address, const subnet_t *subnets, int count)
+{
+	struct in_addr addr4;
+	struct in6_addr addr6;
+	uint32_t ipv4;
+
+	/* Try IPv4 */
+	if (inet_pton(AF_INET, client_address, &addr4) == 1) {
+		ipv4 = ntohl(addr4.s_addr);
+		for (int i = 0; i < count; i++) {
+			if (ipv4_in_subnet(ipv4, &subnets[i]))
+				return 1;
+		}
+		return 0;
+	}
+
+	/* Try IPv6 */
+	if (inet_pton(AF_INET6, client_address, &addr6) == 1) {
+		for (int i = 0; i < count; i++) {
+			if (ipv6_in_subnet(addr6.s6_addr, &subnets[i]))
+				return 1;
+		}
+		return 0;
+	}
+
+	return 0;
+}
+
+/* Find or create user ACL entry */
+static user_acl_t* find_or_create_user_acl(plugin_data_t *pdata, const char *username)
+{
+	user_acl_t *user;
+
+	/* Find existing user */
+	for (int i = 0; i < pdata->user_count; i++) {
+		if (strcmp(pdata->users[i].username, username) == 0)
+			return &pdata->users[i];
+	}
+
+	/* Create new user if not found */
+	if (pdata->user_count >= MAX_USERS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Max users exceeded");
+		return NULL;
+	}
+
+	user = &pdata->users[pdata->user_count];
+	strncpy(user->username, username, sizeof(user->username) - 1);
+	user->username[sizeof(user->username) - 1] = '\0';
+	user->allow_count = 0;
+	user->deny_count = 0;
+	pdata->user_count++;
+
+	return user;
+}
+
+/* Parse subnet ACL file with simplified format
+ * Format:
+ * # Comment lines
+ * subnet allow <username> <cidr>
+ * subnet deny <username> <cidr>
+ */
+static int load_subnet_acl_config(plugin_data_t *pdata, const char *config_file)
+{
+	FILE *fp;
+	char line[512];
+	int line_num = 0;
+
+	/* Initialize user count */
+	pdata->user_count = 0;
+
+	/* Config file is optional - if not provided, no subnet filtering */
+	if (config_file == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_INFO,
+			"subnet_acl: No subnet ACL file specified, subnet filtering disabled");
+		return 0;
+	}
+
+	/* If config file is specified but cannot be opened, this is a fatal error */
+	fp = fopen(config_file, "r");
+	if (fp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to open subnet ACL file '%s'", config_file);
+		return -1;
+	}
+
+	while (fgets(line, sizeof(line), fp) != NULL) {
+		char *token, *saveptr;
+		char *action, *username, *cidr;
+		user_acl_t *user;
+		subnet_t subnet;
+
+		line_num++;
+
+		/* Remove newline and comments */
+		line[strcspn(line, "\r\n")] = '\0';
+		char *comment = strchr(line, '#');
+		if (comment)
+			*comment = '\0';
+
+		/* Trim leading whitespace */
+		char *line_start = line;
+		while (*line_start == ' ' || *line_start == '\t')
+			line_start++;
+
+		/* Skip empty lines */
+		if (*line_start == '\0')
+			continue;
+
+		/* Parse: subnet allow|deny <username> <cidr> */
+		token = strtok_r(line_start, " \t", &saveptr);
+		if (token == NULL)
+			continue;
+
+		/* Must start with "subnet" */
+		if (strcmp(token, "subnet") != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid directive '%s' at line %d (expected 'subnet')",
+				token, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get allow/deny */
+		action = strtok_r(NULL, " \t", &saveptr);
+		if (action == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing allow/deny at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		if (strcmp(action, "allow") != 0 && strcmp(action, "deny") != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid action '%s' at line %d (use 'allow' or 'deny')",
+				action, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get username */
+		username = strtok_r(NULL, " \t", &saveptr);
+		if (username == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing username at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get CIDR */
+		cidr = strtok_r(NULL, " \t", &saveptr);
+		if (cidr == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing CIDR at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Parse subnet */
+		if (parse_subnet(cidr, &subnet) != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid CIDR '%s' at line %d", cidr, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Find or create user */
+		user = find_or_create_user_acl(pdata, username);
+		if (user == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Max users (%d) exceeded at line %d", MAX_USERS, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Add to appropriate list */
+		if (strcmp(action, "allow") == 0) {
+			if (user->allow_count >= MAX_SUBNETS_PER_USER) {
+				mosquitto_log_printf(MOSQ_LOG_ERR,
+					"subnet_acl: Max allow subnets (%d) exceeded for user '%s' at line %d",
+					MAX_SUBNETS_PER_USER, user->username, line_num);
+				fclose(fp);
+				return -1;
+			}
+			user->allow_subnets[user->allow_count] = subnet;
+			user->allow_count++;
+
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' allow subnet %s",
+				user->username, cidr);
+
+		} else { /* deny */
+			if (user->deny_count >= MAX_SUBNETS_PER_USER) {
+				mosquitto_log_printf(MOSQ_LOG_ERR,
+					"subnet_acl: Max deny subnets (%d) exceeded for user '%s' at line %d",
+					MAX_SUBNETS_PER_USER, user->username, line_num);
+				fclose(fp);
+				return -1;
+			}
+			user->deny_subnets[user->deny_count] = subnet;
+			user->deny_count++;
+
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' deny subnet %s",
+				user->username, cidr);
+		}
+	}
+
+	fclose(fp);
+
+	/* Log summary */
+	for (int i = 0; i < pdata->user_count; i++) {
+		user_acl_t *user = &pdata->users[i];
+		if (user->allow_count > 0 || user->deny_count > 0) {
+			mosquitto_log_printf(MOSQ_LOG_INFO,
+				"subnet_acl: User '%s' has %d allow and %d deny subnet rules",
+				user->username, user->allow_count, user->deny_count);
+		}
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Loaded subnet restrictions for %d user(s)", pdata->user_count);
+
+	return 0;
+}
+
+/* Find user ACL entry */
+static const user_acl_t* find_user_acl(const plugin_data_t *pdata, const char *username)
+{
+	for (int i = 0; i < pdata->user_count; i++) {
+		if (strcmp(pdata->users[i].username, username) == 0)
+			return &pdata->users[i];
+	}
+	return NULL;
+}
+
+/* Check subnet access on authentication (connection time)
+ * Returns: MOSQ_ERR_SUCCESS if allowed, MOSQ_ERR_AUTH if denied
+ */
+static int check_subnet_on_auth(plugin_data_t *pdata, struct mosquitto_evt_basic_auth *ed)
+{
+	const user_acl_t *user_acl;
+	const char *client_address;
+
+	/* Skip if no subnet config loaded */
+	if (pdata == NULL || pdata->user_count == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	/* Skip anonymous users */
+	if (ed->username == NULL)
+		return MOSQ_ERR_SUCCESS;
+
+	/* Find user's subnet ACL */
+	user_acl = find_user_acl(pdata, ed->username);
+
+	/* If user not in config or has no subnet rules, allow */
+	if (user_acl == NULL || (user_acl->allow_count == 0 && user_acl->deny_count == 0))
+		return MOSQ_ERR_SUCCESS;
+
+	/* Get client IP address */
+	client_address = mosquitto_client_address(ed->client);
+	if (client_address == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_WARNING,
+			"subnet_acl: Could not get client address for user '%s', denying connection",
+			ed->username);
+		return MOSQ_ERR_AUTH;
+	}
+
+	/* Check deny list first - deny takes precedence */
+	if (user_acl->deny_count > 0) {
+		if (ip_in_subnet_list(client_address, user_acl->deny_subnets, user_acl->deny_count)) {
+			mosquitto_log_printf(MOSQ_LOG_NOTICE,
+				"subnet_acl: User '%s' from %s DENIED by deny rule",
+				ed->username, client_address);
+			return MOSQ_ERR_AUTH;
+		}
+	}
+
+	/* If there are allow rules, IP must match one of them */
+	if (user_acl->allow_count > 0) {
+		if (ip_in_subnet_list(client_address, user_acl->allow_subnets, user_acl->allow_count)) {
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' from %s allowed by allow rule",
+				ed->username, client_address);
+			return MOSQ_ERR_SUCCESS;
+		} else {
+			mosquitto_log_printf(MOSQ_LOG_NOTICE,
+				"subnet_acl: User '%s' from %s DENIED (not in allowed subnets)",
+				ed->username, client_address);
+			return MOSQ_ERR_AUTH;
+		}
+	}
+
+	/* No subnet rules for this user - allow */
+	return MOSQ_ERR_SUCCESS;
+}
+
+#ifdef ENABLE_PAM_SUPPORT
+static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+	int i;
+	const char *pass = (const char *)appdata_ptr;
+
+	*resp = calloc(num_msg, sizeof(struct pam_response));
+	if (*resp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
+		return PAM_BUF_ERR;
+	}
+
+	if (pass == NULL)
+		return PAM_SUCCESS;
+
+	for (i = 0; i < num_msg; ++i) {
+		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+			(*resp)[i].resp = strdup(pass);
+			if ((*resp)[i].resp == NULL) {
+				for (int j = 0; j < i ; j++)
+					free((*resp)[j].resp);
+
+				free(*resp);
+				*resp = NULL;
+				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
+				return PAM_BUF_ERR;
+			}
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct pam_conv conv;
+	int retval;
+	pam_handle_t *pamh = NULL;
+
+	conv.conv = pam_conversation;
+	conv.appdata_ptr = (void *)ed->password;
+
+	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
+	if (retval != PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
+		return MOSQ_ERR_AUTH;
+	}
+
+	retval = pam_authenticate(pamh, 0);
+	pam_end(pamh, retval);
+	if (retval == PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
+		return MOSQ_ERR_SUCCESS;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
+	return MOSQ_ERR_AUTH;
+}
+#else
+static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct spwd spbuf, *sp = NULL;
+	char buf[256];
+	struct crypt_data data;
+	char *hash;
+
+	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
+
+	if (sp == NULL || sp->sp_pwdp == NULL)
+		return MOSQ_ERR_AUTH;
+
+	/* Empty string as hash means password is not required */
+	if (sp->sp_pwdp[0] == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	if (ed->password == NULL)
+		return MOSQ_ERR_AUTH;
+
+	memset(&data, 0, sizeof(data));
+	hash = crypt_r(ed->password, sp->sp_pwdp, &data);
+
+	if (hash == NULL)
+		return MOSQ_ERR_AUTH;
+
+	if (strcmp(hash, sp->sp_pwdp) == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	return MOSQ_ERR_AUTH;
+}
+#endif
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+	struct mosquitto_evt_basic_auth *ed = event_data;
+	plugin_data_t *pdata = userdata;
+	int auth_result;
+
+	/* Let other plugins or broker decide about anonymous login */
+	if (ed->username == NULL)
+		return MOSQ_ERR_PLUGIN_DEFER;
+
+	/* First check username/password authentication */
+#ifdef ENABLE_PAM_SUPPORT
+	auth_result = process_pam_auth_callback(ed);
+#else
+	auth_result = process_shadow_auth_callback(ed);
+#endif
+
+	/* If authentication failed, reject immediately */
+	if (auth_result != MOSQ_ERR_SUCCESS)
+		return auth_result;
+
+	/* Authentication succeeded, now check subnet restrictions */
+	return check_subnet_on_auth(pdata, ed);
+}
+
+static int reload_callback(int event, void *event_data, void *userdata)
+{
+	plugin_data_t *pdata = userdata;
+
+	if (pdata == NULL)
+		return MOSQ_ERR_SUCCESS;
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Reloading subnet ACL configuration from '%s'",
+		pdata->config_file ? pdata->config_file : "(none)");
+
+	/* Reload subnet ACL configuration */
+	if (load_subnet_acl_config(pdata, pdata->config_file) != 0) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to reload subnet ACL configuration, keeping old config");
+		return MOSQ_ERR_UNKNOWN;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Reload complete, now tracking %d user(s)", pdata->user_count);
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+int mosquitto_plugin_version(int supported_version_count,
+			     const int *supported_versions)
+{
+	return 5;
+}
+
+int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
+			  void **user_data,
+			  struct mosquitto_opt *opts, int opt_count)
+{
+	plugin_data_t *pdata;
+	const char *config_file = NULL;
+	int rc;
+
+	/* Find subnet config file option */
+	for (int i = 0; i < opt_count; i++) {
+		if (strcmp(opts[i].key, "subnet_acl_file") == 0) {
+			config_file = opts[i].value;
+			break;
+		}
+	}
+
+	pdata = calloc(1, sizeof(plugin_data_t));
+	if (pdata == NULL)
+		return MOSQ_ERR_NOMEM;
+
+	pdata->identifier = identifier;
+
+	/* Store config file path for reload */
+	if (config_file != NULL) {
+		pdata->config_file = strdup(config_file);
+		if (pdata->config_file == NULL) {
+			free(pdata);
+			return MOSQ_ERR_NOMEM;
+		}
+	} else {
+		pdata->config_file = NULL;
+	}
+
+	/* Load subnet ACL configuration */
+	if (load_subnet_acl_config(pdata, config_file) != 0) {
+		free(pdata->config_file);
+		free(pdata);
+		return MOSQ_ERR_UNKNOWN;
+	}
+
+	/* Register authentication callback only - subnet check is done during auth */
+	rc = mosquitto_callback_register(identifier, MOSQ_EVT_BASIC_AUTH,
+	                                 basic_auth_callback, NULL, pdata);
+	if (rc != MOSQ_ERR_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to register authentication callback");
+		free(pdata->config_file);
+		free(pdata);
+		return rc;
+	}
+
+	/* Register reload callback to handle SIGHUP */
+	rc = mosquitto_callback_register(identifier, MOSQ_EVT_RELOAD,
+	                                 reload_callback, NULL, pdata);
+	if (rc != MOSQ_ERR_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to register reload callback");
+		mosquitto_callback_unregister(identifier, MOSQ_EVT_BASIC_AUTH,
+		                              basic_auth_callback, NULL);
+		free(pdata->config_file);
+		free(pdata);
+		return rc;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_INFO,
+		"subnet_acl: Plugin initialized with %d user(s)", pdata->user_count);
+
+	/* Only assign user_data after all possible error paths */
+	*user_data = pdata;
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+int mosquitto_plugin_cleanup(void *user_data,
+			     struct mosquitto_opt *opts, int opt_count)
+{
+	plugin_data_t *pdata = user_data;
+
+	if (pdata) {
+		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_BASIC_AUTH,
+		                              basic_auth_callback, NULL);
+		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_RELOAD,
+		                              reload_callback, NULL);
+		free(pdata->config_file);
+		free(pdata);
+	}
+
+	return MOSQ_ERR_SUCCESS;
+}
--- a/mosquitto-auth-shadow/src/mosquitto_auth_shadow.c
+++ b/mosquitto-auth-shadow/src/mosquitto_auth_shadow.c
@@ -1,153 +0,0 @@
-/*
- * Copyright (c) 2022 Genexis B.V.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License 2.0 which is available at
- * https://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- *   Erik Karlsson - initial implementation
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <shadow.h>
-#include <crypt.h>
-#include <stdlib.h>
-#include <mosquitto.h>
-#include <mosquitto_broker.h>
-#include <mosquitto_plugin.h>
-
-#ifdef ENABLE_PAM_SUPPORT
-#include <security/pam_appl.h>
-
-static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
-{
-	int i;
-	const char *pass = (const char *)appdata_ptr;
-
-	*resp = calloc(num_msg, sizeof(struct pam_response));
-	if (*resp == NULL) {
-		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
-		return PAM_BUF_ERR;
-	}
-
-	if (pass == NULL)
-		return PAM_SUCCESS;
-
-	for (i = 0; i < num_msg; ++i) {
-		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
-			(*resp)[i].resp = strdup(pass);
-			if ((*resp)[i].resp == NULL) {
-				for (int j = 0; j < i ; j++)
-					free((*resp)[j].resp);
-
-				free(*resp);
-				*resp = NULL;
-				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
-				return PAM_BUF_ERR;
-			}
-		}
-	}
-	return PAM_SUCCESS;
-}
-
-static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
-{
-	struct pam_conv conv;
-	int retval;
-	pam_handle_t *pamh = NULL;
-
-	conv.conv = pam_conversation;
-	conv.appdata_ptr = (void *)ed->password;
-
-	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
-	if (retval != PAM_SUCCESS) {
-		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
-		return MOSQ_ERR_AUTH;
-	}
-
-	retval = pam_authenticate(pamh, 0);
-	pam_end(pamh, retval);
-	if (retval == PAM_SUCCESS) {
-		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
-		return MOSQ_ERR_SUCCESS;
-	}
-
-	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
-	return MOSQ_ERR_AUTH;
-}
-#else
-static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
-{
-	struct spwd spbuf, *sp = NULL;
-	char buf[256];
-	struct crypt_data data;
-	char *hash;
-
-	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
-
-	if (sp == NULL || sp->sp_pwdp == NULL)
-		return MOSQ_ERR_AUTH;
-
-	/* Empty string as hash means password is not required */
-	if (sp->sp_pwdp[0] == 0)
-		return MOSQ_ERR_SUCCESS;
-
-	if (ed->password == NULL)
-		return MOSQ_ERR_AUTH;
-
-	memset(&data, 0, sizeof(data));
-	hash = crypt_r(ed->password, sp->sp_pwdp, &data);
-
-	if (hash == NULL)
-		return MOSQ_ERR_AUTH;
-
-	if (strcmp(hash, sp->sp_pwdp) == 0)
-		return MOSQ_ERR_SUCCESS;
-
-	return MOSQ_ERR_AUTH;
-}
-#endif
-
-static int basic_auth_callback(int event, void *event_data, void *userdata)
-{
-	struct mosquitto_evt_basic_auth *ed = event_data;
-
-	/* Let other plugins or broker decide about anonymous login */
-	if (ed->username == NULL)
-		return MOSQ_ERR_PLUGIN_DEFER;
-
-#ifdef ENABLE_PAM_SUPPORT
-	return process_pam_auth_callback(ed);
-#else
-	return process_shadow_auth_callback(ed);
-#endif
-}
-
-int mosquitto_plugin_version(int supported_version_count,
-			     const int *supported_versions)
-{
-	return 5;
-}
-
-int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
-			  void **user_data,
-			  struct mosquitto_opt *opts, int opt_count)
-{
-	*user_data = identifier;
-
-	return mosquitto_callback_register(identifier, MOSQ_EVT_BASIC_AUTH,
-					   basic_auth_callback, NULL, NULL);
-}
-
-int mosquitto_plugin_cleanup(void *user_data,
-			     struct mosquitto_opt *opts, int opt_count)
-{
-	mosquitto_plugin_id_t *identifier = user_data;
-
-	return mosquitto_callback_unregister(identifier, MOSQ_EVT_BASIC_AUTH,
-					     basic_auth_callback, NULL);
-}
--- a/netmngr/Makefile
+++ b/netmngr/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=netmngr
-PKG_VERSION:=1.2.0
+PKG_VERSION:=1.2.4

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/netmngr.git
-PKG_SOURCE_VERSION:=ff08a8cc5c860056a022e5376a973dee5a323595
+PKG_SOURCE_VERSION:=8240c6089cdd44f268db135920800b8fc1d65ca9
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/netmode/Makefile
+++ b/netmode/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=netmode
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.10
 PKG_RELEASE:=1
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0-only
--- a/netmode/files/etc/config/netmode
+++ b/netmode/files/etc/config/netmode
@@ -1,2 +1,2 @@
 config netmode global
-	option enabled 0
+	option enabled 1
--- a/netmode/files/etc/init.d/netmode
+++ b/netmode/files/etc/init.d/netmode
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common

-START=10
+START=11
 USE_PROCD=1

 . /lib/functions.sh
--- a/netmode/files/etc/netmodes/routed-dhcp/scripts/10-routed-dhcp
+++ b/netmode/files/etc/netmodes/routed-dhcp/scripts/10-routed-dhcp
@@ -17,6 +17,8 @@ l3_mcast_config() {
 l3_network_config() {
 	logger -s -p user.info -t "netmode" "Generating L3 network configuration"

+	wandev="$(uci -q get network.WAN.ifname)"
+
 	# Configure L3 Network Mode
 	uci -q set network.lan=interface
 	uci -q set network.lan.device='br-lan'
@@ -36,11 +38,37 @@ l3_network_config() {
 	uci -q delete network.wan.disabled
 	uci -q delete network.wan.username
 	uci -q delete network.wan.password
+	uci -q delete network.wan.ipaddr
+	uci -q delete network.wan.gateway
+	uci -q delete network.wan.netmask

 	uci -q set network.wan6=interface
 	uci -q set network.wan6.proto='dhcpv6'
 	uci -q delete network.wan6.disabled

+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		uci -q set network.vlan_${NETMODE_vlanid}=device
+		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
+		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
+		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
+		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+
+		wandev="$wandev.$NETMODE_vlanid"
+	fi
+
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan6.device="$wandev"
+
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
+	uci -q delete network.wan.dns
+	if [ -n "$NETMODE_dns_servers" ]; then
+		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
+		for server in $dns_servers; do
+		    uci -q add_list network.wan.dns=$server
+		done
+	fi
+
 	uci -q delete network.br_lan.ports
 	uci -q set network.br_lan.bridge_empty='1'

@@ -61,12 +89,6 @@ l3_network_config() {
 			[ -n "$device" ] && uci add_list network.br_lan.ports="$device"
 		fi
 		json_select ..
-		json_select wan 2>/dev/null
-		json_get_var device device
-		if [ -n "$device" ]; then
-			uci -q set network.wan.device="$device"
-			uci -q set network.wan6.device="$device"
-		fi
 		json_cleanup
 	fi

--- a/netmode/files/etc/netmodes/routed-pppoe/scripts/10-routed-pppoe
+++ b/netmode/files/etc/netmodes/routed-pppoe/scripts/10-routed-pppoe
@@ -17,6 +17,8 @@ l3_mcast_config() {
 l3_network_pppoe_config() {
 	logger -s -p user.info -t "netmode" "Generating L3 network configuration"

+	wandev="$(uci -q get network.WAN.ifname)"
+
 	# Configure L3 Network Mode
 	uci -q set network.lan=interface
 	uci -q set network.lan.device='br-lan'
@@ -36,9 +38,35 @@ l3_network_pppoe_config() {
 	uci -q set network.wan.username="$NETMODE_username"
 	uci -q set network.wan.password="$NETMODE_password"
 	uci -q delete network.wan.disabled
+	uci -q delete network.wan.ipaddr
+	uci -q delete network.wan.gateway
+	uci -q delete network.wan.netmask

 	uci -q set network.wan6.disabled='1'

+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		uci -q set network.vlan_${NETMODE_vlanid}=device
+		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
+		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
+		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
+		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+
+		wandev="$wandev.$NETMODE_vlanid"
+	fi
+
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan6.device="$wandev"
+
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
+	uci -q delete network.wan.dns
+	if [ -n "$NETMODE_dns_servers" ]; then
+		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
+		for server in $dns_servers; do
+		    uci -q add_list network.wan.dns=$server
+		done
+	fi
+
 	uci -q delete network.br_lan.ports
 	uci -q set network.br_lan.bridge_empty='1'

@@ -59,12 +87,6 @@ l3_network_pppoe_config() {
 			[ -n "$device" ] && uci add_list network.br_lan.ports="$device"
 		fi
 		json_select ..
-		json_select wan 2>/dev/null
-		json_get_var device device
-		if [ -n "$device" ]; then
-			uci -q set network.wan.device="$device"
-			uci -q set network.wan6.device="$device"
-		fi
 		json_cleanup
 	fi

--- a/netmode/files/etc/netmodes/routed-static/scripts/10-routed-static
+++ b/netmode/files/etc/netmodes/routed-static/scripts/10-routed-static
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /usr/share/libubox/jshn.sh
+
+source "/etc/device_info"
+
+l3_mcast_config() {
+	# configure L3 mcast config
+	logger -s -p user.info -t "netmode" "Generating L3 mcast configuration"
+
+	rm -f /etc/config/mcast
+	sh /rom/etc/uci-defaults/61-mcast_config_generate
+	uci -q commit mcast
+}
+
+l3_network_config() {
+	logger -s -p user.info -t "netmode" "Generating L3 network configuration"
+
+	wandev="$(uci -q get network.WAN.ifname)"
+
+	# Configure L3 Network Mode
+	uci -q set network.lan=interface
+	uci -q set network.lan.device='br-lan'
+	uci -q set network.lan.proto='static'
+	uci -q set network.lan.ipaddr='192.168.1.1'
+	uci -q set network.lan.netmask='255.255.255.0'
+	uci -q set network.lan.ip6assign='60'
+	uci -q delete network.lan.vendorid
+	uci -q delete network.lan.clientid
+	uci -q delete network.lan.reqopts
+	uci -q delete network.lan.sendopts
+
+	uci -q delete network.lan6	
+
+	uci -q set network.wan=interface
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan.proto='static'
+	uci -q set network.wan.ipaddr="$NETMODE_ipaddr"
+	uci -q set network.wan.gateway="$NETMODE_gateway"
+	uci -q set network.wan.netmask="$NETMODE_netmask"
+	uci -q delete network.wan.disabled
+	uci -q delete network.wan.username
+	uci -q delete network.wan.password
+
+	uci -q set network.wan6.disabled='1'
+
+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		uci -q set network.vlan_${NETMODE_vlanid}=device
+		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
+		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
+		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
+		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+
+		wandev="$wandev.$NETMODE_vlanid"
+	fi
+
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan6.device="$wandev"
+
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
+	uci -q delete network.wan.dns
+	if [ -n "$NETMODE_dns_servers" ]; then
+		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
+		for server in $dns_servers; do
+		    uci -q add_list network.wan.dns=$server
+		done
+	fi
+
+	uci -q delete network.br_lan.ports
+	uci -q set network.br_lan.bridge_empty='1'
+
+	add_port_to_br_lan() {
+		port="$1"
+		[ -n "$port" -a -d /sys/class/net/$port ] || continue
+		uci add_list network.br_lan.ports="$port"
+	}
+
+	if [ -f /etc/board.json ]; then
+		json_load_file /etc/board.json
+		json_select network
+		json_select lan
+		if json_is_a ports array; then
+			json_for_each_item add_port_to_br_lan ports
+		else
+			json_get_var device device
+			[ -n "$device" ] && uci add_list network.br_lan.ports="$device"
+		fi
+		json_select ..
+		json_cleanup
+	fi
+
+	uci -q commit network
+
+	# Enable DHCP Server
+	uci -q set dhcp.lan.ignore=0
+	uci -q set dhcp.wan.ignore=1
+	uci -q commit dhcp
+	/etc/init.d/odhcpd enable
+
+	# Enable SSDPD
+	uci -q set ssdpd.ssdp.enabled="1"
+	uci -q commit ssdpd
+
+	# Update CWMP Agent WAN Interface
+	uci -q set cwmp.cpe.default_wan_interface="wan"
+	uci -q commit cwmp
+
+	# Update gateway WAN Interface
+	uci -q set gateway.global.wan_interface="wan"
+	uci -q commit gateway
+
+	# Enable firewall
+	uci -q set firewall.globals.enabled="1"
+	uci -q commit firewall
+}
+
+l3_network_config
+l3_mcast_config
+
+# If device is already boot-up, assume netmode changed during runtime
+if [ -f /var/run/boot_complete ]; then
+	/etc/init.d/odhcpd restart 2>/dev/null
+	for config in network dhcp ssdpd cwmp gateway firewall mcast; do
+		ubus call uci commit "{\"config\":\"$config\"}"
+		sleep 1
+	done
+fi
--- a/netmode/files/etc/netmodes/supported_modes.json
+++ b/netmode/files/etc/netmodes/supported_modes.json
@@ -3,25 +3,96 @@
  "supported_modes": [
    {
      "name": "routed-dhcp",
-      "description": "WAN with DHCP proto (Layer 3)"
+      "description": "DHCP",
+      "supported_args": [
+        {
+          "name": "vlanid",
+          "description": "VLAN ID",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "dns_servers",
+          "description": "DNS Servers",
+          "required": false,
+          "type": "string"
+        }
+      ]
    },
    {
      "name": "routed-pppoe",
-      "description": "WAN with PPPoE (Layer 3)",
+      "description": "PPPoE",
      "supported_args": [
        {
          "name": "username",
-          "description": "PPPoE username",
+          "description": "PPPoE Username",
          "required": true,
-	  "type": "string",
+          "type": "string",
          "#value": "TestUser"
        },
        {
          "name": "password",
-          "description": "PPPoE password",
+          "description": "PPPoE Password",
          "required": true,
-	  "type": "string",
+          "type": "string",
          "#value": "TestPassword"
+        },
+        {
+          "name": "vlanid",
+          "description": "VLAN ID",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "mtu",
+          "description": "MTU",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "dns_servers",
+          "description": "DNS Servers",
+          "required": false,
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "name": "routed-static",
+      "description": "Static",
+      "supported_args": [
+        {
+          "name": "ipaddr",
+          "description": "IP Address",
+          "required": true,
+          "type": "string",
+          "#value": "93.21.0.104"
+        },
+        {
+          "name": "netmask",
+          "description": "Subnet Mask",
+          "required": true,
+          "type": "string",
+          "#value": "255.255.255.0"
+        },
+        {
+          "name": "gateway",
+          "description": "Default Gateway",
+          "required": true,
+          "type": "string",
+          "#value": "93.21.0.1"
+        },
+        {
+          "name": "vlanid",
+          "description": "VLAN ID",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "dns_servers",
+          "description": "DNS Servers",
+          "required": false,
+          "type": "string"
        }
      ]
    }
--- a/netmode/files/etc/uci-defaults/40_netmode_populated_supported_modes
+++ b/netmode/files/etc/uci-defaults/40_netmode_populated_supported_modes
--- a/netmode/files/etc/uci-defaults/40_netmode_set_default_netmode
+++ b/netmode/files/etc/uci-defaults/40_netmode_set_default_netmode
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+enabled="$(uci -q get netmode.global.enabled)"
+[ "$enabled" == "1" ] || exit 0
+
+mode="$(uci -q get netmode.global.mode)"
+wanproto=$(uci -q get network.wan.proto)
+
+if [ -n "$mode" ]; then
+	# check if wanproto and mode aligned
+	if [ "${mode}" = "routed-${wanproto}" ]; then
+		exit 0
+	fi
+fi
+
+[ -f /etc/netmodes/supported_modes.json ] || exit 0
+
+# NetMode is enabled without a Mode being set
+# Figure out the current mode from network config
+curmode=""
+case "$wanproto" in
+	dhcp) curmode="routed-dhcp" ;;
+	pppoe) curmode="routed-pppoe" ;;
+	static) curmode="routed-static" ;;
+esac
+
+found=0
+for md in $(jsonfilter -i /etc/netmodes/supported_modes.json -e "@.supported_modes.*.name"); do
+	[ "$md" == "$curmode" ] && found=1
+done
+
+if [ $found -eq 1 ]; then
+	uci -q set netmode.global.mode="$curmode"
+	echo "$curmode" > /etc/netmodes/.last_mode
+fi
--- a/netmode/files/lib/netmode/post/datamodel_init.sh
+++ b/netmode/files/lib/netmode/post/datamodel_init.sh
@@ -1,25 +1,11 @@
 #!/bin/sh

-# This script is to cleanup dmmap and restart datamodel related services
+# This script is to restart related datamodel microservices
 # when wan mode changes

-if [ -d "/etc/bbfdm/dmmap/" ]; then
-	rm -rf /etc/bbfdm/dmmap/*
-fi

-# If device is booting up, no need to restart services
 if [ ! -f /var/run/boot_complete ]; then
 	return 0
 fi

-if [ -x "/etc/init.d/bbfdm.services" ]; then
-	/etc/init.d/bbfdm.services restart
-fi
-
-if [ -x "/etc/init.d/bbfdmd" ]; then
-	/etc/init.d/bbfdmd restart
-fi
-
-if [ -x "/etc/init.d/obuspa" ]; then
-	/etc/init.d/obuspa restart
-fi
+reboot &
--- a/netmode/files/lib/upgrade/keep.d/netmode
+++ b/netmode/files/lib/upgrade/keep.d/netmode
@@ -0,0 +1 @@
+/etc/netmodes/.last_mode
--- a/obuspa/Makefile
+++ b/obuspa/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=obuspa
-PKG_VERSION:=10.0.7.4
+PKG_VERSION:=10.0.7.7

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git
-PKG_SOURCE_VERSION:=84d5ae575134d501b8ca171a5a65c6f410f01d08
+PKG_SOURCE_VERSION:=f3b5b79476adadc55830de9466361c0eeced473e
 PKG_MAINTAINER:=Vivek Dutta <vivek.dutta@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -32,8 +32,9 @@ define Package/obuspa
  SUBMENU:=TRx69
  TITLE:=USP agent
  MENU:=1
-  DEPENDS:=+libopenssl +libuci +libblobmsg-json +libcurl +libsqlite3 +libubox +libubus +libmosquitto-ssl +libwebsockets-openssl +ca-certificates \
-		+OBUSPA_LOCAL_MQTT_LISTENER:mosquitto-ssl +libjson-c
+  DEPENDS:=+libopenssl +libcurl +libsqlite3 +libmosquitto-ssl +libwebsockets-openssl
+  DEPENDS+=+libjson-c +libubox +libubus +libuci +libblobmsg-json
+  DEPENDS+=+ca-certificates +OBUSPA_LOCAL_MQTT_LISTENER:mosquitto-ssl
  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
 endef

--- a/obuspa/files/etc/init.d/obuspa
+++ b/obuspa/files/etc/init.d/obuspa
@@ -6,19 +6,18 @@ USE_PROCD=1

 PROG=/usr/sbin/obuspa
 CONFIGURATION=obuspa
-
 ENV_PROFILE="/root/.profile"
 KEEP_FILE="/lib/upgrade/keep.d/obuspa"

 RESET_FILE="/tmp/obuspa/fw_defaults"
-SQL_DB_FILE="/tmp/obuspa/usp.db"
-DB_DUMP="/tmp/obuspa/usp.dump_$(date +%s)"
+
+OBUSPA_BOOT_MARKER="/etc/obuspa/.boot"

 BASEPATH=""
 INSTANCE_COUNT=0
+CLIENT_ID_PREFIX=""

 . /lib/functions/network.sh
-. /usr/share/libubox/jshn.sh
 . /etc/obuspa/usp_utils.sh

 global_init()
@@ -30,6 +29,7 @@ global_init()
 log()
 {
 	echo "$*"|logger -t obuspa.init -p debug
+	echo "$*" >/dev/console
 }

 db_set_reset_file()
@@ -47,37 +47,9 @@ db_set_reset_file()
 	fi
 }

-db_set_sql()
-{
-	local param value
-
-	param="${1}"
-	shift
-	value="$*"
-
-	if [ -n "${param}" ] && [ -n "${value}" ]; then
-		if grep -q "${param} " ${DB_DUMP}; then
-			value="${value//\//\\/}"
-			sed -i "s/${param} .*/${param} \"${value}\"/g" ${DB_DUMP}
-		else
-			echo "${param} \"${value}\"" >> ${DB_DUMP}
-		fi
-	fi
-}
-
 db_set()
 {
-	# if sql db dump file present, update it
-	if [ -f "${DB_DUMP}" ]; then
-		db_set_sql "$@"
-	else
-		db_set_reset_file "$@"
-	fi
-}
-
-dump_db()
-{
-	${PROG} -v0 -f ${SQL_DB_FILE} -c show database |grep "^Internal.\|^Device."|sed '{s/=> /"/g;s/$/"/g}' | sort  > ${DB_DUMP}
+	db_set_reset_file "$@"
 }

 # if db present then check if it matches with existing instances
@@ -92,21 +64,6 @@ get_base_path()
 	path=""
 	count=0

-	if [ -f "${DB_DUMP}" ]; then
-		path=$(grep -E "${refpath}\d+.Alias \"${value}\"" ${DB_DUMP})
-		path=${path%.*}
-		if [ -z "${path}" ]; then
-			path=$(grep -oE "${refpath}\d+" ${DB_DUMP} |sort -r|head -n 1)
-			if [ -n "${path}" ]; then
-				count=${path##*.}
-				count=$(( count + 1 ))
-			else
-				count=1
-			fi
-			path="${refpath}${count}"
-		fi
-	fi
-
 	if [ -z "${path}" ]; then
 		INSTANCE_COUNT=$(( INSTANCE_COUNT + 1 ))
 		path="${refpath}${INSTANCE_COUNT}"
@@ -122,9 +79,7 @@ get_refrence_path()
 	value="${2}"
 	path=""

-	if [ -f "${DB_DUMP}" ]; then
-		path=$(grep -E "${dmref}\d+.Alias " ${DB_DUMP}|grep -w "${value}")
-	elif [ -f "${RESET_FILE}" ]; then
+	if [ -f "${RESET_FILE}" ]; then
 		path=$(grep -E "${dmref}\d+.Alias " ${RESET_FILE}|grep -w "${value}")
 	fi
 	path=${path%.*}
@@ -136,7 +91,7 @@ update_keep()
 	file=${1}

 	if [ -z "${file}" ]; then
-		return;
+		return 0
 	fi

 	if [ ! -f "${KEEP_FILE}" ]; then
@@ -263,7 +218,7 @@ configure_localagent()

 	validate_localagent_section "${1}" || {
 		log "Validation of localagent section failed"
-		return 0;
+		return 0
 	}

 	db_set Device.LocalAgent.EndpointID "${EndpointID}"
@@ -271,7 +226,7 @@ configure_localagent()

 update_reset_reason()
 {
-	[ -f "/tmp/reset_reason" ] || return 0;
+	[ -f "/tmp/reset_reason" ] || return 0

 	if grep -qwi "defaultreset" /tmp/reset_reason; then
 		db_set Internal.Reboot.Cause "FactoryReset"
@@ -310,10 +265,6 @@ get_role_index()
 		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${CTRUST_RESET_FILE} |grep $name)"
 		val="$(echo ${val/.Name /,}|cut -d, -f 1)"
 		echo "$val"
-	elif [ -f "${DB_DUMP}" ]; then
-		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${DB_DUMP} |grep $name)"
-		val="$(echo ${val/.Name /,}|cut -d, -f 1)"
-		echo "$val"
 	else
 		log "Not able to get role ${name}, use Untrusted role"
 		echo "${drole}"
@@ -331,19 +282,19 @@ configure_controller()
 	sec="${1}"
 	validate_controller_section "${1}" || {
 		log "Validation of controller section failed"
-		return 1;
+		return 1
 	}

 	sec="${sec/controller_/cpe-}"
 	get_base_path "Device.LocalAgent.Controller." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi

 	if [ -z "${Protocol}" ]; then
 		log "controller:: Protocol cannot be empty"
-		return 1;
+		return 1
 	fi

 	dm_ref=""
@@ -439,14 +390,14 @@ configure_subscription()
 	sec="${1}"
 	validate_subscription_section "${1}" || {
 		log "Validation of subscription section failed"
-		return 1;
+		return 1
 	}

 	sec="${sec/sub_/cpe-}"
 	get_base_path "Device.LocalAgent.Subscription." "sub_${1}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi

 	if [ -n "${controller}" ]; then
@@ -483,12 +434,12 @@ configure_challenges()
 	get_base_path "Device.LocalAgent.ControllerTrust.Challenge." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi

 	if [ -z "${role_name}" ] && [ -z "${Role}" ]; then
-		log "Either role_name or Role must defined for a challenge";
-		return 1;
+		log "Either role_name or Role must defined for a challenge"
+		return 1
 	fi

 	db_set "${BASEPATH}.Alias" "${sec}"
@@ -515,18 +466,18 @@ configure_mtp() {
 	sec="${1}"
 	validate_mtp_section "${1}" || {
 		log "Validation of mtp section failed"
-		return 1;
+		return 1
 	}
 	sec="${sec/mtp_/cpe-}"
 	get_base_path "Device.LocalAgent.MTP." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi

 	if [ -z "${Protocol}" ]; then
 		log "Protocol not defined for the mtp[${1}] section"
-		return 1;
+		return 1
 	fi

 	dm_ref=""
@@ -584,14 +535,14 @@ configure_stomp_connection() {
 	sec="${1}"
 	validate_stomp_connection_section "${1}" || {
 		log "Validation of stomp section failed"
-		return 1;
+		return 1
 	}

 	sec="${sec/stomp_/cpe-}"
 	get_base_path "Device.STOMP.Connection." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi

 	db_set "${BASEPATH}.Alias" "${sec}"
@@ -614,14 +565,18 @@ configure_mqtt_client() {
 	sec="${1}"
 	validate_mqtt_client_section "${1}" || {
 		log "Validation of mqtt section failed"
-		return 1;
+		return 1
 	}

 	sec="${sec/mqtt_/cpe-}"
 	get_base_path "Device.MQTT.Client." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
+	fi
+
+	if [ -z "${ClientID}" ]; then
+		ClientID="${CLIENT_ID_PREFIX}-${sec}"
 	fi

 	db_set "${BASEPATH}.Alias" "${sec}"
@@ -648,6 +603,9 @@ configure_obuspa() {
 	fi

 	if [ -n "${log_level}" ]; then
+		if [ "${log_level}" -gt "4" ]; then
+			log_level="4"
+		fi
 		procd_append_param command -v "${log_level}"
 	fi

@@ -676,13 +634,13 @@ configure_obuspa() {

 	if [ -n "${db_file}" ]; then
 		update_keep "${db_file}"
-		procd_append_param command -f "${SQL_DB_FILE}"
+		procd_append_param command -f "${db_file}"
+		if [ -f "${db_file}-journal" ]; then
+			log "SQL Journal detected ..."
+		fi
 	fi

 	if [ -f "${RESET_FILE}" ]; then
-		if [ -f "${SQL_DB_FILE}" ]; then
-			mv ${SQL_DB_FILE} ${SQL_DB_FILE}.old
-		fi
 		procd_append_param command -r ${RESET_FILE}
 	fi

@@ -701,301 +659,34 @@ configure_obuspa() {
 	fi
 }

-get_instances_from_db_dump()
-{
-	local obj inst
-
-	obj="${1}\d+"
-	if [ ! -f "${DB_DUMP}" ]; then
-		echo ""
-		return 0;
-	fi
-
-	inst="$(grep -oE "${obj}" "${DB_DUMP}"|uniq)"
-	echo "$inst"
-}
-
-get_param_value_from_dump()
-{
-	local param value
-
-	param="${1}"
-
-	if [ -z "${param}" ] || [ ! -f "${DB_DUMP}" ]; then
-		log "error getting param"
-		echo ""
-		return 0
-	fi
-
-	value="$(grep "^${param} " ${DB_DUMP}|awk '{print $2}')"
-
-	echo "${value//\"/}"
-}
-
-update_uci_sec()
-{
-	local sec tmp
-
-	sec="${1}"
-	stype="${2}"
-	if [ -z "$sec" ] || [ -z "$stype" ]; then
-		log "No section name, error"
-		return 0
-	fi
-
-	tmp="$(uci_get obuspa "${sec}")"
-	if [ "$tmp" != "$stype" ]; then
-		uci_add obuspa "${stype}" "${sec}"
-	fi
-}
-
-sync_db_controller()
-{
-	local cntrs copts sec pvalue protocol
-
-	copts="Enable EndpointID PeriodicNotifInterval"
-	popts="Destination Topic Host Port Path EnableEncryption"
-
-	cntrs="$(get_instances_from_db_dump Device.LocalAgent.Controller.)"
-	for cntr in $cntrs; do
-		sec="$(get_param_value_from_dump "${cntr}".Alias)"
-		sec="${sec/cpe-/controller_}"
-		sec="${sec/-/_}"
-
-		update_uci_sec "${sec}" controller
-		for param in ${copts}; do
-			pvalue="$(get_param_value_from_dump "${cntr}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-
-		protocol="$(get_param_value_from_dump "${cntr}".MTP.1.Protocol)"
-		if [ -z "${protocol}" ]; then
-			break;
-		fi
-		uci_set obuspa "${sec}" "Protocol" "${protocol}"
-		for param in ${popts}; do
-			pvalue="$(get_param_value_from_dump "${cntr}".MTP.1."${protocol}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-	done
-}
-
-sync_db_localagent_mtp()
-{
-	local mtps opts popts sec pvalue protocol
-
-	opts="Enable"
-	popts="ResponseTopicConfigured Destination Port Path EnableEncryption PublishQoS"
-
-	mtps="$(get_instances_from_db_dump Device.LocalAgent.MTP.)"
-	for inst in $mtps; do
-		sec="$(get_param_value_from_dump "${inst}".Alias)"
-		sec="${sec/cpe-/mtp_}"
-		sec="${sec/-/_}"
-		update_uci_sec "${sec}" mtp
-		for param in ${opts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-
-		protocol="$(get_param_value_from_dump "${inst}".Protocol)"
-		if [ -z "${protocol}" ]; then
-			break;
-		fi
-		uci_set obuspa "${sec}" "Protocol" "${protocol}"
-		for param in ${popts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${protocol}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-	done
-}
-
-
-sync_db_mqtt_client()
-{
-	local mtps copts sec pvalue protocol
-
-	opts="Enable BrokerAddress BrokerPort Username ProtocolVersion TransportProtocol ClientID"
-
-	mtps="$(get_instances_from_db_dump Device.MQTT.Client.)"
-	for inst in $mtps; do
-		sec="$(get_param_value_from_dump "${inst}".Alias)"
-		sec="${sec/cpe-/mqtt_}"
-		sec="${sec/-/_}"
-		update_uci_sec "${sec}" mqtt
-		for param in ${opts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-	done
-}
-
-sync_db_stomp_connection()
-{
-	local mtps copts sec pvalue protocol
-
-	opts="Enable Host Port Username EnableEncryption EnableHeartbeats VirtualHost"
-
-	mtps="$(get_instances_from_db_dump Device.STOMP.Connection.)"
-	for inst in $mtps; do
-		sec="$(get_param_value_from_dump "${inst}".Alias)"
-		sec="${sec/cpe-/stomp_}"
-		sec="${sec/-/_}"
-		update_uci_sec "${sec}" stomp
-		for param in ${opts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-	done
-}
-
-sync_update_sec()
-{
-	local _sync
-	config_get _sync "${1}" _sync ""
-	if [ -z "${_sync}" ]; then
-		uci_remove obuspa "${1}"
-		log "Deleting obuspa.${1} section ..."
-	else
-		uci_remove obuspa "${1}" _sync
-	fi
-}
-
-sync_uci_with_db()
-{
-	if [ ! -f "${DB_DUMP}" ]; then
-		return 0;
-	fi
-
-	config_load obuspa
-	sync_db_controller
-	sync_db_localagent_mtp
-	sync_db_mqtt_client
-	sync_db_stomp_connection
-	uci_commit obuspa
-
-	config_load obuspa
-	config_foreach sync_update_sec controller
-	config_foreach sync_update_sec mtp
-	config_foreach sync_update_sec mqtt
-	config_foreach sync_update_sec stomp
-	uci_commit obuspa
-}
-
-delete_sql_db_entry_with_pattern()
-{
-	local params pattern
-
-	pattern="${1}"
-	if [ ! -f "${DB_DUMP}" ]; then
-		return 0;
-	fi
-
-	if [ "${#pattern}" -lt 7 ]; then
-		return 0;
-	fi
-
-	#log "Deleting with pattern [${pattern}] from ${DB_DUMP}"
-	sed -i "/${pattern}/d" ${DB_DUMP}
-}
-
-check_n_delete_db()
-{
-	local sec t r path
-
-	sec="${1}"
-	if uci -q get obuspa."${sec}" >/dev/null 2>&1; then
-		return 0
-	fi
-
-	t="${2}"
-	r="${3}"
-	sec="${sec/${t}_/cpe-}"
-
-	path=$(grep -E "${r}\d+.Alias \"${sec}\"" ${DB_DUMP})
-	path=${path%.*}
-
-	delete_sql_db_entry_with_pattern "${path}"
-}
-
-workaround_remove_download_pattern()
-{
-	local inst
-
-	inst="$(cat ${DB_DUMP} |grep -E "Device.DeviceInfo.FirmwareImage.\d.Download()"|grep -oE "Device.LocalAgent.Request.\d.")"
-
-	if [ -n "${inst}" ]; then
-		log "Workaround to remove the old download Request [$inst]"
-		delete_sql_db_entry_with_pattern "${inst}"
-	fi
-}
-
-reverse_update_db_with_uci()
-{
-	if [ ! -f "${DB_DUMP}" ]; then
-		return 0;
-	fi
-
-	export UCI_CONFIG_DIR="/tmp/obuspa"
-	config_load obuspa
-	config_foreach check_n_delete_db controller controller "Device.LocalAgent.Controller."
-	config_foreach check_n_delete_db mtp mtp "Device.LocalAgent.MTP."
-	config_foreach check_n_delete_db mqtt mqtt "Device.MQTT.Client."
-	config_foreach check_n_delete_db stomp stomp "Device.STOMP.Connection."
-	unset UCI_CONFIG_DIR
-}
-
 # Create factory reset file
 db_init()
 {
-	local reason role_file
+	local reason

 	reason="${1}"
-	mkdir -p /tmp/obuspa/
-
-	# Load configuration
-	config_load $CONFIGURATION
-	config_get SQL_DB_FILE global db_file "/tmp/obuspa/usp.db"
-	config_get role_file global role_file ""
-
-	if [ -f "${SQL_DB_FILE}.old" ] && [ ! -f "${SQL_DB_FILE}" ]; then
-		log "Copying old db, since new db not present ..."
-		mv ${SQL_DB_FILE}.old ${SQL_DB_FILE}
+	# remove usp.db, in case of reload
+	if [ -f "${OBUSPA_BOOT_MARKER}" ] && [ "${reason}" = "update" ]; then
+		log "Deleting ${OBUSPA_BOOT_MARKER} in order to enforce values from UCI..."
+		rm -f "${OBUSPA_BOOT_MARKER}"
 	fi

-	# Dump datamodel parameters from DB
-	if [ -f "${SQL_DB_FILE}" ]; then
-		dump_db
-	fi
-
-	# In case of Reboot or service restart update the uci
-        # from usp.db file
-	if [ -f "${DB_DUMP}" ] && [ "${reason}" != "update" ]; then
-		# Only do this if db have reasonable data
-		val="$(awk 'END{print NR}' ${DB_DUMP})"
-		if [ "$val" -gt 15 ]; then
-			log "Syncing obuspa uci with usp.db ...."
-			sync_uci_with_db
-		fi
-	fi
-
-	# remove entries from db if deleted from uci, only in case of reload
-	if [ -f "${DB_DUMP}" ] && [ "${reason}" = "update" ] && [ -f "/tmp/obuspa/obuspa" ]; then
-		log "Deleting entries from usp.db if uci not present ...."
-		reverse_update_db_with_uci
+	if [ -f "${OBUSPA_BOOT_MARKER}" ]; then
+		return 0
 	fi

 	# Remove reset file if present
-	[ -f "${RESET_FILE}" ] && mv ${RESET_FILE} ${RESET_FILE}.old
+	[ -f "${RESET_FILE}" ] && rm ${RESET_FILE}
+
+	CLIENT_ID_PREFIX="$(db -q get device.deviceinfo.ManufacturerOUI)"
+	CLIENT_ID_PREFIX="${CLIENT_ID_PREFIX}-$(db -q get device.deviceinfo.SerialNumber)"
+	CLIENT_ID_PREFIX="${CLIENT_ID_PREFIX//+/%2b}"

 	#log "Create reset file ...."
 	config_load $CONFIGURATION
 	config_get dualstack_pref global dualstack_pref "IPv6"

+	log "Enforcing UCI values, no boot marker found."
 	global_init
 	config_foreach configure_localagent localagent
 	global_init
@@ -1011,21 +702,12 @@ db_init()
 	global_init
 	config_foreach configure_challenges challenge

+	# enforce ctrust only on upgrades, not on reloads
+	if [ -f "${CTRUST_RESET_FILE}" ] && [ -z "${reason}" ]; then
+		cat ${CTRUST_RESET_FILE} >> ${RESET_FILE}
+	fi
 	update_reset_reason
 	update_dual_stack_pref "${dualstack_pref}"
-
-	uci_commit ${CONFIGURATION}
-
-	cp /etc/config/obuspa /tmp/obuspa/
-	if [ -f "${DB_DUMP}" ]; then
-		workaround_remove_download_pattern
-		mv ${DB_DUMP} ${RESET_FILE}
-	fi
-
-	if [ -f "${CTRUST_RESET_FILE}" ]; then
-		cat ${CTRUST_RESET_FILE} >> ${RESET_FILE}
-		rm ${CTRUST_RESET_FILE}
-	fi
 }

 start_service() {
@@ -1033,25 +715,22 @@ start_service() {

 	mkdir -p /tmp/obuspa/
 	config_load obuspa
-	config_get_bool enabled global enabled 0
+	config_get_bool enabled global enabled 1

 	procd_open_instance ${CONFIGURATION}
 	if [ "${enabled}" -eq 1 ]; then
-		db_init "${1}"
 		procd_set_param command ${PROG}
+		db_init "${1}"
 		configure_obuspa
 		procd_set_param respawn \
 			"${respawn_threshold:-10}" \
 			"${respawn_timeout:-10}" "${respawn_retry:-5}"
-		#procd_set_param limits core="unlimited"
 	fi
 	procd_close_instance ${CONFIGURATION}
 }

 stop_service() {
-	if command -v timeout >/dev/null 2>&1; then
-		timeout 5 ${PROG} -c stop
-	fi
+	${PROG} -c stop
 }

 reload_service() {
@@ -1060,5 +739,6 @@ reload_service() {
 }

 service_triggers() {
+	export PROCD_RELOAD_DELAY=3000
 	procd_add_reload_trigger "obuspa"
 }
--- a/obuspa/files/etc/obuspa/usp_utils.sh
+++ b/obuspa/files/etc/obuspa/usp_utils.sh
@@ -1,10 +1,12 @@
 #!/bin/sh

-CTRUST_RESET_FILE="/tmp/obuspa/ctrust_reset"
+CTRUST_RESET_FILE="/etc/obuspa/ctrust_reset"
 VENDOR_PREFIX_FILE="/etc/obuspa/vendor_prefix"
 FW_DEFAULT_ROLE_DIR="/etc/users/roles"
 SECURE_ROLES=""

+CTRUST_RESET_FILE_TEMP="/tmp/obuspa/ctrust_reset"
+
 mkdir -p /tmp/obuspa/

 # include jshn.sh
@@ -23,9 +25,9 @@ db_add()
 	value="$*"

 	if [ -n "${param}" ] && [ -n "${value}" ]; then
-		echo "${param} \"${value}\"">>${CTRUST_RESET_FILE}
+		echo "${param} \"${value}\"">>${CTRUST_RESET_FILE_TEMP}
 	else
-		echo >>${CTRUST_RESET_FILE}
+		echo >>${CTRUST_RESET_FILE_TEMP}
 	fi
 }

@@ -252,7 +254,10 @@ configure_ctrust_role()
 	if [ -n "${SECURE_ROLES}" ]; then
 		db_add Device.LocalAgent.ControllerTrust.SecuredRoles "${SECURE_ROLES}"
 	fi
+
+	if [ -f "${CTRUST_RESET_FILE_TEMP}" ]; then
+		mv -f "${CTRUST_RESET_FILE_TEMP}" "${CTRUST_RESET_FILE}"
+	fi
 }

 # configure_ctrust_role "${@}"
-
--- a/obuspa/files/etc/uci-defaults/61-override-ct-roles
+++ b/obuspa/files/etc/uci-defaults/61-override-ct-roles
@@ -4,5 +4,3 @@
 . /etc/obuspa/usp_utils.sh

 configure_ctrust_role
-
-exit 0
--- a/obuspa/files/etc/uci-defaults/93-obuspa_mdns_adv
+++ b/obuspa/files/etc/uci-defaults/93-obuspa_mdns_adv
@@ -53,13 +53,7 @@ add_mdns_advertise() {
 	json_dump > /etc/umdns/obuspa_mdns.json
 }

-config_load obuspa
-config_get_bool enable_obuspa global enabled 1
-
-if [ "${enable_obuspa}" -eq 1 ]; then
-	role="$(get_device_role)"
-
-	if [ "${role}" == "gateway" ]; then
-		add_mdns_advertise
-	fi
+role="$(get_device_role)"
+if [ "${role}" == "gateway" ]; then
+	add_mdns_advertise
 fi
--- a/obuspa/files/etc/uci-defaults/obuspa-set-dhcp-option
+++ b/obuspa/files/etc/uci-defaults/obuspa-set-dhcp-option
@@ -19,19 +19,11 @@ get_access_role()

 configure_dhcp_options() {
 	local enabled inerface discovery
-	config_load obuspa
+
 	config_get_bool enabled global enabled 1
 	config_get interface global interface
 	config_get_bool discovery global dhcp_discovery 1

-	if [ "${enabled}" -eq 0 ]; then
-		return 0
-	fi
-
-	if [ "${discovery}" -eq 0 ]; then
-		return 0
-	fi
-
 	if [ -z "${interface}" ]; then
 		role="$(get_access_role)"

@@ -66,12 +58,12 @@ configure_dhcp_options() {

 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${interface}".reqopts="$newreqopts"
 		fi

 		if [ ${send124_present} -eq 0 ]; then
-			newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70"
+			[ -n "${sendopts}" ] && newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70" ||  newsendopts="124:00:00:0D:E9:04:03:75:73:70"
 			uci -q set network."${interface}".sendopts="$newsendopts"
 		fi
 	fi
--- a/obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user
+++ b/obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user
@@ -8,6 +8,7 @@ RETRY_MIN_INTERVAL="5"
 RETRY_INTERVAL_MUL="2000"
 ENDPOINT_ID=""
 CONTROLLER_DISCOVERED=0
+OBUSPA_BOOT_MARKER="/etc/obuspa/.boot"

 log()
 {
@@ -272,6 +273,17 @@ if [ "${wan_intf}" = "${INTERFACE}" ]; then
 		fi
 	done

+	# Check if any of the existing controller section matches with the endpointid
+	if [ -z "${dhcp_controller}" ] && [ -n "${ENDPOINT_ID}" ]; then
+		for controller in $controllers; do
+			endpointid=$(uci -q get obuspa."${controller}".EndpointID)
+			if [ "${endpointid}" = "${ENDPOINT_ID}" ]; then
+				dhcp_controller="${controller}"
+				break
+			fi
+		done
+	fi
+
 	if [ -n "${dhcp_controller}" ]; then
 		cont_proto=$(uci -q get obuspa."${dhcp_controller}".Protocol)
 		if [ "${cont_proto}" = "MQTT" ]; then
@@ -376,8 +388,7 @@ if [ "${wan_intf}" = "${INTERFACE}" ]; then
 				fi

 				if [ -z "${dhcp_mtp}" ]; then
-					sec=$(uci -q add obuspa mtp)
-					uci -q rename obuspa."${sec}"='dhcpmtp'
+					uci -q set obuspa.dhcpmtp="mtp"
 					dhcp_mtp="dhcpmtp"
 					uci -q set obuspa."${dhcp_mtp}".Enable='1'
 				fi
@@ -394,8 +405,7 @@ if [ "${wan_intf}" = "${INTERFACE}" ]; then
 					user="$(uci -q get obuspa.global.username)"
 					pass="$(uci -q get obuspa.global.password)"

-					sec=$(uci -q add obuspa mqtt)
-					uci -q rename obuspa."${sec}"='dhcpmqtt'
+					uci -q set obuspa.dhcpmqtt="mqtt"
 					dhcp_mqtt="dhcpmqtt"
 					uci -q set obuspa."${dhcp_mqtt}".Enable='1'
 					uci -q set obuspa."${dhcp_mqtt}".Username="${user}"
@@ -408,8 +418,7 @@ if [ "${wan_intf}" = "${INTERFACE}" ]; then
 				uci -q set obuspa."${dhcp_mqtt}".ProtocolVersion='5.0'

 				if [ -z "${dhcp_mtp}" ]; then
-					sec=$(uci -q add obuspa mtp)
-					uci -q rename obuspa."${sec}"='dhcpmtp'
+					uci -q set obuspa.dhcpmtp="mtp"
 					dhcp_mtp="dhcpmtp"
 					uci -q set obuspa."${dhcp_mtp}".Enable='1'
 				fi
@@ -467,64 +476,64 @@ if [ "${wan_intf}" = "${INTERFACE}" ]; then
 			fi
 		fi
 	else
-		uci -q delete obuspa.dhcpmtp
-		uci -q delete obuspa.dhcpmqtt
+		# Only setup a new controller, only if mandatory param present
+		if [ -n "${ENDPOINT_ID}" ] && [ -n "${URL}" ]; then
+			uci -q delete obuspa.dhcpmtp
+			uci -q delete obuspa.dhcpmqtt

-		sec=$(uci -q add obuspa controller)
-		uci -q rename obuspa."${sec}"='dhcpcontroller'
-		uci -q set obuspa.dhcpcontroller.dhcp_discovered="1"
-		uci -q set obuspa.dhcpcontroller.EndpointID="${ENDPOINT_ID}"
-		uci -q set obuspa.dhcpcontroller.ProvisioningCode="${PROV_CODE}"
-		uci -q set obuspa.dhcpcontroller.Protocol="${offered_proto}"
-		uci -q set obuspa.dhcpcontroller.assigned_role_name="$(get_access_role)"
-		uci -q set obuspa.dhcpcontroller.Enable='1'
+			uci -q set obuspa.dhcpcontroller="controller"
+			uci -q set obuspa.dhcpcontroller.dhcp_discovered="1"
+			uci -q set obuspa.dhcpcontroller.EndpointID="${ENDPOINT_ID}"
+			uci -q set obuspa.dhcpcontroller.ProvisioningCode="${PROV_CODE}"
+			uci -q set obuspa.dhcpcontroller.Protocol="${offered_proto}"
+			uci -q set obuspa.dhcpcontroller.assigned_role_name="$(get_access_role)"
+			uci -q set obuspa.dhcpcontroller.Enable='1'

-		if [ -n "${offered_proto}" ]; then
-			if [ "${offered_proto}" = "MQTT" ]; then
-				user="$(uci -q get obuspa.global.username)"
-				pass="$(uci -q get obuspa.global.password)"
+			if [ -n "${offered_proto}" ]; then
+				if [ "${offered_proto}" = "MQTT" ]; then
+					user="$(uci -q get obuspa.global.username)"
+					pass="$(uci -q get obuspa.global.password)"

-				uci -q set obuspa.dhcpcontroller.Topic="${topic}"
-				uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt'
+					uci -q set obuspa.dhcpcontroller.Topic="${topic}"
+					uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt'

-				sec=$(uci -q add obuspa mqtt)
-				uci -q rename obuspa."${sec}"='dhcpmqtt'
-				uci -q set obuspa.dhcpmqtt.BrokerAddress="${ip}"
-				uci -q set obuspa.dhcpmqtt.BrokerPort="${port}"
-				uci -q set obuspa.dhcpmqtt.TransportProtocol="${mtp_encrypt}"
-				uci -q set obuspa.dhcpmqtt.Enable='1'
-				uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0'
-				uci -q set obuspa.dhcpmqtt.Username="${user}"
-				uci -q set obuspa.dhcpmqtt.Password="${pass}"
+					uci -q set obuspa.dhcpmqtt="mqtt"
+					uci -q set obuspa.dhcpmqtt.BrokerAddress="${ip}"
+					uci -q set obuspa.dhcpmqtt.BrokerPort="${port}"
+					uci -q set obuspa.dhcpmqtt.TransportProtocol="${mtp_encrypt}"
+					uci -q set obuspa.dhcpmqtt.Enable='1'
+					uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0'
+					uci -q set obuspa.dhcpmqtt.Username="${user}"
+					uci -q set obuspa.dhcpmqtt.Password="${pass}"


-				agent_topic=$(get_agent_topic)
-				sec=$(uci -q add obuspa mtp)
-				uci -q rename obuspa."${sec}"='dhcpmtp'
-				uci -q set obuspa.dhcpmtp.Protocol='MQTT'
-				uci -q set obuspa.dhcpmtp.ResponseTopicConfigured="${agent_topic}"
-				uci -q set obuspa.dhcpmtp.Enable='1'
-				uci -q set obuspa.dhcpmtp.mqtt='dhcpmqtt'
-			else
-				uci -q set obuspa.dhcpcontroller.Path="${topic}"
-				uci -q set obuspa.dhcpcontroller.Host="${ip}"
-				uci -q set obuspa.dhcpcontroller.Port="${port}"
-				uci -q set obuspa.dhcpcontroller.EnableEncryption="${mtp_encrypt}"
+					agent_topic=$(get_agent_topic)
+					uci -q set obuspa.dhcpmtp="mtp"
+					uci -q set obuspa.dhcpmtp.Protocol='MQTT'
+					uci -q set obuspa.dhcpmtp.ResponseTopicConfigured="${agent_topic}"
+					uci -q set obuspa.dhcpmtp.Enable='1'
+					uci -q set obuspa.dhcpmtp.mqtt='dhcpmqtt'
+				else
+					uci -q set obuspa.dhcpcontroller.Path="${topic}"
+					uci -q set obuspa.dhcpcontroller.Host="${ip}"
+					uci -q set obuspa.dhcpcontroller.Port="${port}"
+					uci -q set obuspa.dhcpcontroller.EnableEncryption="${mtp_encrypt}"

-				sec=$(uci -q add obuspa mtp)
-				uci -q rename obuspa."${sec}"='dhcpmtp'
-
-				uci -q set obuspa.dhcpmtp.Protocol='WebSocket'
-				uci -q set obuspa.dhcpmtp.Port="${port}"
-				uci -q set obuspa.dhcpmtp.Enable='1'
-				uci -q set obuspa.dhcpmtp.EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa.dhcpmtp="mtp"
+					uci -q set obuspa.dhcpmtp.Protocol='WebSocket'
+					uci -q set obuspa.dhcpmtp.Port="${port}"
+					uci -q set obuspa.dhcpmtp.Enable='1'
+					uci -q set obuspa.dhcpmtp.EnableEncryption="${mtp_encrypt}"
+				fi
 			fi
+			uci_change=1
 		fi
-
-		uci_change=1
 	fi

 	if [ ${uci_change} -eq 1 ]; then
+		if [ -f "${OBUSPA_BOOT_MARKER}" ]; then
+			rm -f "${OBUSPA_BOOT_MARKER}"
+		fi
 		log "# Reloading obuspa as dhcp config changed"
 		ubus call uci commit '{"config":"obuspa"}'
 	fi
--- a/obuspa/patches/2005-set-sql-journal-mode.patch
+++ b/obuspa/patches/2005-set-sql-journal-mode.patch
@@ -0,0 +1,28 @@
+diff --git a/src/core/database.c b/src/core/database.c
+index 7ad9dae..edebd7c 100644
+--- a/src/core/database.c
+++ b/src/core/database.c
+@@ -955,6 +955,7 @@ void DATABASE_Dump(void)
+ int OpenUspDatabase(char *db_file)
+ {
+     int err;
+    char *err_msg = 0;
+ 
+     // Exit if unable to open the database
+     err = sqlite3_open(db_file, &db_handle);
+@@ -965,6 +966,15 @@ int OpenUspDatabase(char *db_file)
+         return USP_ERR_INTERNAL_ERROR;
+     }
+ 
+    // Execute the PRAGMA statement
+    const char *sql = "PRAGMA journal_mode = MEMORY;";
+    err = sqlite3_exec(db_handle, sql, 0, 0, &err_msg);
+    if (err != SQLITE_OK) {
+        USP_LOG_Error("%s: Failed to set journal_mode: %s", __func__, err_msg);
+        sqlite3_free(err_msg);
+        return USP_ERR_INTERNAL_ERROR;
+    }
+
+     // Exit if unable to create the data model parameter table (if it does not already exist)
+     #define CREATE_TABLE_STR "create table if not exists data_model (hash integer, instances text, value text, primary key (hash, instances));"
+     err = sqlite3_exec(db_handle, CREATE_TABLE_STR, NULL, NULL, NULL);
--- a/obuspa/patches/2006-force-db-update.patch
+++ b/obuspa/patches/2006-force-db-update.patch
@@ -0,0 +1,23 @@
+diff --git a/src/core/database.c b/src/core/database.c
+index 7ad9dae..0bf9c90 100644
+--- a/src/core/database.c
+++ b/src/core/database.c
+@@ -1479,3 +1479,7 @@ int GetAllEntriesForParameter(db_hash_t hash, kv_vector_t *kvv)
+     return result;
+ }
+ 
+void DATABASE_force_reset_file()
+{
+    schedule_factory_reset_init = true;
+}
+diff --git a/src/core/database.h b/src/core/database.h
+index c88cf3a..376aa7a 100644
+--- a/src/core/database.h
+++ b/src/core/database.h
+@@ -67,5 +67,6 @@ void DATABASE_Dump(void);
+ int DATABASE_ReadDataModelInstanceNumbers(bool remove_unknown_params);
+ db_hash_t DATABASE_GetMigratedHash(db_hash_t hash);
+ 
+void DATABASE_force_reset_file();
+ #endif
+ 
--- a/parental-control/Makefile
+++ b/parental-control/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=parental-control
-PKG_VERSION:=1.3.2
+PKG_VERSION:=1.4.4

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/parental-control.git
-PKG_SOURCE_VERSION:=7ae6eaa6cc946ed05693bc84c61edbb16b1727bd
+PKG_SOURCE_VERSION:=d0eabdda9790d1df3cec30589c97214731108367
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -83,9 +83,6 @@ define Package/parental-control/install
 	$(INSTALL_DATA) ./files/etc/uci-defaults/95-firewall_parentalcontrol.ucidefaults $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/etc/uci-defaults/35-migrate_urlfilter.ucidefaults $(1)/etc/uci-defaults/

-	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
-	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/parentalcontrol $(1)/lib/upgrade/keep.d/parentalcontrol
-
 	$(BBFDM_REGISTER_SERVICES) -v ${VENDOR_PREFIX} ./bbfdm_service.json $(1) parentalcontrol

 	$(INSTALL_DATA) ./files/etc/uci-defaults/40-parental_control_update_bundle_path $(1)/etc/uci-defaults/
--- a/parental-control/files/etc/init.d/parentalcontrol
+++ b/parental-control/files/etc/init.d/parentalcontrol
@@ -12,7 +12,9 @@ validate_global_section() {
 	uci_validate_section parentalcontrol globals globals \
 	    'enable:bool:1' \
 	    'loglevel:uinteger:3' \
+	    'queue_num:uinteger:53' \
 	    'bundle_path:string' \
+	    'default_wan_interface:string:wan' \
 	    'urlfilter:bool'
 }

@@ -24,11 +26,12 @@ remove_fw_rules() {
 }

 configure_fw_rules() {
-	local enable urlfilter
+	local enable urlfilter queue_num

 	config_load parentalcontrol
 	config_get_bool enable globals enable 0
 	config_get_bool urlfilter globals urlfilter 0
+	config_get queue_num globals queue_num 53

 	remove_fw_rules

@@ -37,6 +40,11 @@ configure_fw_rules() {
 		return 0
 	fi

+	if [ "${queue_num}" -lt 0 ] || [ "${queue_num}" -gt 65535 ]; then
+	        log "ERROR: queue_num not in 0-65535"
+		return 1
+	fi
+
 	if [ "${urlfilter}" -eq "1" ]; then
 		if [ ! -f "${OVERRIDE_JSON}" ]; then
 			# throw error
@@ -52,7 +60,7 @@ configure_fw_rules() {
 			fi

 			# this is for urlfilter daemon
-			add_iptables_nfqueue_rules
+			add_iptables_nfqueue_rules "$queue_num"
 		fi
 	fi

@@ -107,7 +115,7 @@ start_service() {

 	procd_open_instance "parentalcontrol"
 	procd_set_param command nice -n 10 "${PROG}"  # Lower priority
-	procd_append_param command -l ${loglevel}
+	procd_append_param command -l "${loglevel}"
 	procd_set_param respawn
 	procd_close_instance
 }
@@ -120,11 +128,19 @@ stop_service() {
 }

 reload_service() {
+	local arg="$1"
+
 	ret=$(ubus call service list '{"name":"parentalcontrol"}' | jsonfilter -qe '@.parentalcontrol.instances.parentalcontrol.running')
 	if [ "$ret" != "true" ]; then
 		stop
 		start
 	else
+		if [ "$arg" = "network" ]; then
+			pidof_sync="$(pidof sync_bundles.sh)"
+			[ -n "$pidof_sync" ] && kill "$pidof_sync"
+			sleep 5
+		fi
+
 		configure_fw_rules
 		copy_dhcp_leases
 		ubus send parentalcontrol.reload
@@ -132,6 +148,19 @@ reload_service() {
 }

 service_triggers() {
+	local enable urlfilter default_wan_interface 
+
+	validate_global_section || {
+		return 1
+	}
+
+	if [ "${urlfilter}" = "1" ] && [ "$enable" = "1" ] && [ -n "$default_wan_interface" ]; then
+		log "Adding interface trigger for $default_wan_interface"
+		procd_open_trigger
+		procd_add_interface_trigger "interface.*.up" "$default_wan_interface" /etc/init.d/parentalcontrol reload "network"
+		procd_close_trigger
+	fi
+
 	procd_add_reload_trigger "parentalcontrol"
 	procd_add_reload_trigger "schedules"
 }
--- a/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
+++ b/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
@@ -311,31 +311,6 @@ handle_schedule() {
 	generate_ip_rule "$utc_start_relative_day" "$utc_end_relative_day" "$utc_start_time" "$utc_stop_time" "$target"
 }

-# Function that parses input for MAC addresses or hostnames
-parse_macs_or_hostnames() {
-	local input="$1"
-	local lease_file="/tmp/dhcp.leases"
-
-	[ -f "$lease_file" ] || lease_file="/etc/parentalcontrol/dhcp.leases"
-	[ -f "$lease_file" ] || { log "Error: No DHCP lease file found."; return 1; }
-
-	for item in $input; do
-		case "$item" in
-			??:??:??:??:??:??)
-				# It's a MAC address, print it as is
-				echo "$item"
-				;;
-			*)
-				# Assume it's a hostname and search for its MAC address in the leases file
-				mac=$(awk -v hostname="$item" '$4 == hostname {print $2}' "$lease_file")
-				if [ -n "$mac" ]; then
-					echo "$mac"
-				fi
-				;;
-		esac
-	done
-}
-
 handle_bedtime() {
 	local mac_addresses="$1"
 	local mac
@@ -370,38 +345,61 @@ handle_internet_break() {
 	done
 }

+parse_macs() {
+	local maclist="$1"
+	local m mac
+
+	for m in $maclist; do
+		# trim whitespace
+		mac="$(echo "$m" | tr -d ' \t\r\n')"
+
+		# validate format
+		if echo "$mac" | grep -qE '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$'; then
+			echo "$mac"
+		else
+			log "parse_macs(): Invalid MAC in mac list: '$mac'"
+		fi
+	done
+}
+
 handle_profile() {
 	local profile_section="$1"
-	local internet_break_enable bedtime_enable hostlist
+	local internet_break_enable bedtime_enable hostlist maclist

-	config_get hostlist "$profile_section" "host"
+        config_get_bool internet_break_enable "$profile_section" "internet_break_enable" 0
+        config_get_bool bedtime_enable "$profile_section" "bedtime_enable" 0

-	if [ -z "$hostlist" ]; then
+        if [ $internet_break_enable -eq 0 ] && [ $bedtime_enable -eq 0 ]; then
 		return
 	fi

-	ACCESS_RULE=""
+        config_get hostlist "$profile_section" "host"
+        config_get maclist  "$profile_section" "mac"

-	# convert hostnames to mac addresses if needed
-	# and replace newlines with space because it messes up the for loops in
-	# handle_internet_break and handle_bedtime functions
-	local mac_addresses="$(parse_macs_or_hostnames "${hostlist}" | tr '\n' ' ')"
+        # If both lists are empty, nothing to do
+        if [ -z "$hostlist" ] && [ -z "$maclist" ]; then
+                return
+        fi

-	# default value of Hosts.AccessControl.{i}.Enable is false,
-	# so, if not defined in uci as 1, assume 0
-	config_get_bool internet_break_enable "$profile_section" "internet_break_enable" 0
-	if [ $internet_break_enable -gt 0 ]; then
-		handle_internet_break "${mac_addresses}"
-		# handle_internet_break may have loaded schedules uci
-		# so, reload parentalcontrol
-		config_load "parentalcontrol"
-	fi
+        ACCESS_RULE=""

-	config_get_bool bedtime_enable "$profile_section" "bedtime_enable" 0
-	if [ $bedtime_enable -gt 0 ]; then
-		handle_bedtime "${mac_addresses}"
-	fi
+	# both uci options contain mac addresses
+	# one is given directly by the user
+	# other is resolved by the data model from Hosts.Host object
+        local mac_addresses="$(parse_macs "${hostlist} ${maclist}" | awk '{ if (NF && !seen[$0]++) { print $0 } }' | tr '\n' ' ')"

+        # default value of Hosts.AccessControl.{i}.Enable is false,
+        # so, if not defined in uci as 1, assume 0
+        if [ $internet_break_enable -gt 0 ]; then
+                handle_internet_break "${mac_addresses}"
+                # handle_internet_break may have loaded schedules uci
+                # so, reload parentalcontrol
+                config_load "parentalcontrol"
+        fi
+
+        if [ $bedtime_enable -gt 0 ]; then
+                handle_bedtime "${mac_addresses}"
+        fi
 }

 add_internet_schedule_rules() {
@@ -438,102 +436,118 @@ add_internet_schedule_rules() {
 }

 add_iptables_nfqueue_rules() {
-	local filter_used
+    local queue_num="$1"

-	# Check if urlfilter used
-	if ! uci show parentalcontrol | grep -q profile_urlfilter; then
-		return
-	fi
+    # Check if urlfilter used
+    if ! uci show parentalcontrol | grep -q profile_urlfilter; then
+        return
+    fi

-	# IPv4 rules
-	iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -ne 0 ]; then
-		# capture DNS responses (UDP/TCP sport 53) in FORWARD
-		iptables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+    # IPv4
+    # FORWARD
+    if ! iptables -w -nL | grep -q "URLFILTER_FORWARD"; then
+        iptables -w -N URLFILTER_FORWARD
+        iptables -w -I FORWARD 1 -j URLFILTER_FORWARD

-		# INPUT: DNS replies to router, skip loopback
-		iptables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+        # capture DNS responses (sport 53)
+        iptables -w -A URLFILTER_FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_FORWARD -p udp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass

-		# OUTPUT: DNS replies from router, skip loopback
-		iptables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+        # HTTP/HTTPS flows
+        iptables -w -A URLFILTER_FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi

-		# HTTP/HTTPS flows for urlfilter
-		iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+    # INPUT
+    if ! iptables -w -nL | grep -q "URLFILTER_INPUT"; then
+        iptables -w -N URLFILTER_INPUT
+        iptables -w -I INPUT 1 -j URLFILTER_INPUT

-		# disable acceleration for https packet so that they can be read by urlfilter
-		ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+        iptables -w -A URLFILTER_INPUT -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_INPUT -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi

-	# IPv6 rules
-	ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -ne 0 ]; then
-		# capture DNS responses (UDP/TCP sport 53) in FORWARD
-		ip6tables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+    # OUTPUT
+    if ! iptables -w -nL | grep -q "URLFILTER_OUTPUT"; then
+        iptables -w -N URLFILTER_OUTPUT
+        iptables -w -I OUTPUT 1 -j URLFILTER_OUTPUT

-		# INPUT: DNS replies to router, skip loopback
-		ip6tables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+        iptables -w -A URLFILTER_OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi

-		# OUTPUT: DNS replies from router, skip loopback
-		ip6tables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+    # ebtables bypass for IPv4
+    ebtables --concurrent -A FORWARD -p ip --ip-protocol 6  --ip-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip --ip-protocol 6  --ip-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53    -j SKIPLOG 2>/dev/null

-		# HTTP/HTTPS flows for urlfilter
-		ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+    # IPv6
+    # FORWARD
+    if ! ip6tables -w -nL | grep -q "URLFILTER_FORWARD6"; then
+        ip6tables -w -N URLFILTER_FORWARD6
+        ip6tables -w -I FORWARD 1 -j URLFILTER_FORWARD6

-		# disable acceleration for https packet so that they can be read by urlfilter
-		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+        ip6tables -w -A URLFILTER_FORWARD6 -p tcp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_FORWARD6 -p udp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
+
+        ip6tables -w -A URLFILTER_FORWARD6 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_FORWARD6 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
+
+    # INPUT
+    if ! ip6tables -w -nL | grep -q "URLFILTER_INPUT6"; then
+        ip6tables -w -N URLFILTER_INPUT6
+        ip6tables -w -I INPUT 1 -j URLFILTER_INPUT6
+
+        ip6tables -w -A URLFILTER_INPUT6 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_INPUT6 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
+
+    # OUTPUT
+    if ! ip6tables -w -nL | grep -q "URLFILTER_OUTPUT6"; then
+        ip6tables -w -N URLFILTER_OUTPUT6
+        ip6tables -w -I OUTPUT 1 -j URLFILTER_OUTPUT6
+
+        ip6tables -w -A URLFILTER_OUTPUT6 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_OUTPUT6 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
+
+    # ebtables bypass for IPv6
+    ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6  --ip6-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6  --ip6-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53    -j SKIPLOG 2>/dev/null
 }

 remove_iptables_nfqueue_rules() {
-	iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -eq 0 ]; then
-		# DNS response rules
-		iptables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D INPUT  -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D INPUT  -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+    # IPv4
+    for chain in URLFILTER_FORWARD URLFILTER_INPUT URLFILTER_OUTPUT; do
+        if iptables -w -nL | grep -q "$chain"; then
+            iptables -w -D FORWARD -j $chain 2>/dev/null
+            iptables -w -D INPUT   -j $chain 2>/dev/null
+            iptables -w -D OUTPUT  -j $chain 2>/dev/null
+            iptables -w -F $chain
+            iptables -w -X $chain
+        fi
+    done

-		# HTTP/HTTPS
-		iptables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+    ebtables --concurrent -D FORWARD -p ip --ip-protocol 6  --ip-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip --ip-protocol 6  --ip-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53    -j SKIPLOG 2>/dev/null

-		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+    # IPv6
+    for chain in URLFILTER_FORWARD6 URLFILTER_INPUT6 URLFILTER_OUTPUT6; do
+        if ip6tables -w -nL | grep -q "$chain"; then
+            ip6tables -w -D FORWARD -j $chain 2>/dev/null
+            ip6tables -w -D INPUT   -j $chain 2>/dev/null
+            ip6tables -w -D OUTPUT  -j $chain 2>/dev/null
+            ip6tables -w -F $chain
+            ip6tables -w -X $chain
+        fi
+    done

-	ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -eq 0 ]; then
-		# DNS response rules
-		ip6tables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D INPUT  -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D INPUT  -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-
-		# HTTP/HTTPS
-		ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-
-		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+    ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6  --ip6-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6  --ip6-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53    -j SKIPLOG 2>/dev/null
 }

 remove_internet_schedule_rules() {
@@ -551,38 +565,44 @@ remove_internet_schedule_rules() {
 	fi
 }

+get_host_ip_from_mac() {
+	local mac="$1"
+	local ip=""
+
+	# Validate MAC format
+	if ! echo "$mac" | grep -qE '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
+		log "get_host_ip_from_mac(): Invalid MAC address format '$mac'"
+		return 1
+	fi
+
+	# Try to find IP from ARP table
+	ip="$(cat /proc/net/arp | awk -v mac="$mac" 'tolower($4) == tolower(mac) {print $1; exit}')"
+
+	if [ -n "$ip" ]; then
+		URLFILTER_IPS="${URLFILTER_IPS} ${ip}"
+		return 0
+	else
+		log "get_host_ip_from_mac(): No IP found for MAC $mac in ARP table"
+		return 1
+	fi
+}
+
 # Global array for resolved IPs
 URLFILTER_IPS=""

-# Resolve hostname or MAC to IP from lease_file
-get_host_ip() {
-	local host="$1"
-	local ip
-	local lease_file="/tmp/dhcp.leases"
-
-	[ -f "$lease_file" ] || lease_file="/etc/parentalcontrol/dhcp.leases"
-	[ -f "$lease_file" ] || { log "Error: get_host_ip(): No DHCP lease file found."; return 1; }
-
-	# try DHCP lease lookup
-	ip="$(awk -v h="$host" '
-	{
-		mac=$2; ipaddr=$3; name=$4
-		if (h == name || h == mac) { print ipaddr; exit }
-	}' "$lease_file")"
-
-	[ -n "$ip" ] && URLFILTER_IPS="$URLFILTER_IPS $ip"
-}
-
-# Process each profile section
 resolve_profile_hosts() {
 	local section="$1"
-	local hostlist
+	local hostlist maclist h m

 	config_get hostlist "$section" host
-	[ -z "$hostlist" ] && return
+	config_get maclist  "$section" mac

 	for h in $hostlist; do
-		get_host_ip "$h"
+		get_host_ip_from_mac "$h"
+	done
+
+	for m in $maclist; do
+		get_host_ip_from_mac "$m"
 	done
 }

--- a/parental-control/files/lib/parentalcontrol/sync_bundles.sh
+++ b/parental-control/files/lib/parentalcontrol/sync_bundles.sh
@@ -161,7 +161,23 @@ handle_download_url() {
 		# If the URL is HTTP, fetch the file size
 		local bundle_file_size
 		if echo "$sanitized_url" | grep -qE "^https?://"; then
-			bundle_file_size="$(curl -I "$sanitized_url" 2>&1 | grep -i 'content-length' | cut -d: -f2 | xargs)"
+			bundle_file_header="$(curl -Is --max-time 30 "$sanitized_url" 2>/var/log/urlfilter_curl_err.log)"
+			curl_rc=$?
+
+			case $curl_rc in
+				0)
+					# Success
+					;;
+				6|7|28|35|52|55|56)
+					log_info "handle_download_url: URL not reachable (curl rc=$curl_rc): ${sanitized_url}"
+					return 1
+					;;
+				*)
+					log_info "handle_download_url: unexpected curl rc=$curl_rc for ${sanitized_url}"
+					;;
+			esac
+
+			bundle_file_size="$(echo "$bundle_file_header" | grep -i 'content-length' | cut -d: -f2 | xargs)"
 			[ -z "$bundle_file_size" ] && bundle_file_size=0
 		else
 			# If it's a file:// URL, get the file size from the filesystem
--- a/parental-control/files/lib/upgrade/keep.d/parentalcontrol
+++ b/parental-control/files/lib/upgrade/keep.d/parentalcontrol
@@ -1 +0,0 @@
-/etc/parentalcontrol/dhcp.leases
--- a/passwdqc/Makefile
+++ b/passwdqc/Makefile
@@ -30,7 +30,7 @@ define Build/Compile
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		CC="$(TARGET_CC)" \
 		LDFLAGS="$(TARGET_LDFLAGS)" \
-		pam_wrapped
+		all_wrapped
 endef

 define Package/$(PKG_NAME)/install
@@ -39,6 +39,9 @@ define Package/$(PKG_NAME)/install

 	$(INSTALL_DIR) $(1)/usr/lib/security
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/pam_passwdqc.so $(1)/usr/lib/security/
+
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/pwqcheck $(1)/usr/sbin/
 endef

 $(eval $(call BuildPackage,$(PKG_NAME)))
--- a/periodicstats/Makefile
+++ b/periodicstats/Makefile
@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=periodicstats
-PKG_VERSION:=1.6.0
+PKG_VERSION:=1.6.3

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/periodicstats.git
-PKG_SOURCE_VERSION:=63c65f55d00442f5bc1f5a3100abf94e52cd0075
+PKG_SOURCE_VERSION:=351db77e982b1f4887e5878345fe98be72d262fb
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/ponmngr/files/common/etc/uci-defaults/60-xpon-generate
+++ b/ponmngr/files/common/etc/uci-defaults/60-xpon-generate
@@ -1,13 +1,17 @@
 #!/bin/sh

+. /lib/functions/system.sh
+. /lib/functions/iopsys-environment.sh

 configure_serial_number() {
 	# check if serial number is present in the production data
-	local production_sn="$(fw_printenv -n gponsn)"
+	local production_sn="$(get_xpon_serial 2>/dev/null)"
+	[ ${#production_sn} -eq 12 ] || production_sn="$(fw_printenv -n gponsn)"
+
 	if [ ${#production_sn} -eq 12 ]; then
 		uci set xpon.ani.serial_number="${production_sn}"
 	else
-		local macaddr="$(fw_printenv -n ethaddr | tr -d ':' | tr 'a-z' 'A-Z')"
+		local macaddr="$(get_mac_label | tr -d ':' | tr 'a-z' 'A-Z')"
 		local vendor_id="IOPS"
 		local vssn="${macaddr:4:8}"

@@ -20,8 +24,10 @@ configure_ploam_password() {
 	local passwd="$(uci -q get xpon.ani.ploam_password)"

 	if [ -z "${passwd}" ]; then
-		local production_passwd="$(fw_printenv -n gponpswd)"
-		if [ -n ${#production_passwd} ]; then
+		local production_passwd="$(get_xpon_password 2>/dev/null)"
+		[ -n "${production_passwd}" ] || production_passwd="$(fw_printenv -n gponpswd)"
+
+		if [ -n "${production_passwd}" ]; then
 			uci set xpon.ani.ploam_password="${production_passwd}"
 			uci set xpon.ani.ploam_hexadecimalpassword=0
 		fi
@@ -36,10 +42,12 @@ configure_loid_authentication() {
 	local loidpwd="$(uci -q get xpon.ani.loid_password)"

 	if [ -z "${loid}" ]; then
-		production_loid="$(fw_printenv -n gponloid)"
+		production_loid="$(get_xpon_loid 2>/dev/null)"
+		[ -n "${production_loid}" ] || production_loid="$(fw_printenv -n gponloid)"
 	fi
 	if [ -z "${loidpwd}" ]; then
-		production_loidpwd="$(fw_printenv -n gponloid_password)"
+		production_loidpwd="$(get_xpon_loid_password 2>/dev/null)"
+		[ -n "${production_loidpwd}" ] || production_loidpwd="$(fw_printenv -n gponloid_password)"
 	fi

 	if [ -n "${production_loid}" ]; then
@@ -48,7 +56,6 @@ configure_loid_authentication() {
 	if [ -n "${production_loidpwd}" ]; then
 		uci set xpon.ani.loid_password="${production_loidpwd}"
 	fi
-
 }

 if [ -s "/etc/config/xpon" ]; then
@@ -72,4 +79,3 @@ uci set xpon.ani.enable="1"
 configure_serial_number
 configure_ploam_password
 configure_loid_authentication
-
--- a/qosmngr/Makefile
+++ b/qosmngr/Makefile
@@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk

 PKG_NAME:=qosmngr
-PKG_VERSION:=1.1.0
+PKG_VERSION:=1.1.2

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/qosmngr.git
-PKG_SOURCE_VERSION:=1a15f1da7a1474d29aad77b8ad3272fcf4b4f6d1
+PKG_SOURCE_VERSION:=ee6692438c5d533758c2ea50624c049cda2d07da
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/qosmngr/files/airoha/lib/qos/airoha.sh
+++ b/qosmngr/files/airoha/lib/qos/airoha.sh
@@ -134,6 +134,10 @@ hw_init_all() {
    # set_wan_ingress_rate "0" - Not needed, done in policer.sh
    set_wan_egress_rate "0" "0"

+    # Don't put TCP ACKs into a high priority queue
+    echo 0 > /proc/qdma_lan/tcp_ack_flag
+    echo 0 > /proc/qdma_wan/tcp_ack_flag
+
    return 0
 }

@@ -407,32 +411,36 @@ hw_commit_all() {
        /userfs/bin/qosrule discpline Enable 0
    fi

-    if [ -x /userfs/bin/blapi_cmd ]; then
-        echo 1 > /proc/ifc_send_to_ppe
-        for tc in $(seq 0 7); do
-            if [ -s "/tmp/qos/dscp_values_${tc}_4" ]; then
-                sort -un "/tmp/qos/dscp_values_${tc}_4" | awk 'NR==1{first=$1;last=$1;next}
-                                                               $1 == last+1 {last=$1;next}
-                                                               {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
-                                                               END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
-            fi
-            if [ -s "/tmp/qos/dscp_values_${tc}_6" ]; then
-                [ -s "/tmp/qos/dscp_values_${tc}_4" ] && sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
-                                                                                                        $1 == last+1 {last=$1;next}
-                                                                                                        {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0");first=$1;last=first}
-                                                                                                        END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0")}'
-                sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
-                                                               $1 == last+1 {last=$1;next}
-                                                               {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
-                                                               END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
-            fi
-        done
+    if ! strings /proc/device-tree/compatible | grep -qFx econet,en7523; then
+        if [ -x /userfs/bin/blapi_cmd ]; then
+            echo 1 > /proc/ifc_send_to_ppe
+            for tc in $(seq 0 7); do
+                if [ -s "/tmp/qos/dscp_values_${tc}_4" ]; then
+                    sort -un "/tmp/qos/dscp_values_${tc}_4" | awk 'NR==1{first=$1;last=$1;next}
+                                                                   $1 == last+1 {last=$1;next}
+                                                                   {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
+                                                                   END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
+                fi
+                if [ -s "/tmp/qos/dscp_values_${tc}_6" ]; then
+                    [ -s "/tmp/qos/dscp_values_${tc}_4" ] && sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
+                                                                                                            $1 == last+1 {last=$1;next}
+                                                                                                            {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0");first=$1;last=first}
+                                                                                                            END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0")}'
+                    sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
+                                                                   $1 == last+1 {last=$1;next}
+                                                                   {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
+                                                                   END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
+                fi
+            done
+        fi
+
+        if [ -x /userfs/bin/ifc ]; then
+            echo 1 > /proc/ifc_send_to_ppe
+            for pbit in $(seq 0 7); do
+                /userfs/bin/ifc add vip pbit $pbit
+            done
+        fi
    fi

-    if [ -x /userfs/bin/ifc ]; then
-        echo 1 > /proc/ifc_send_to_ppe
-        for pbit in $(seq 0 7); do
-            /userfs/bin/ifc add vip pbit $pbit
-        done
-    fi
+    hw_nat -! > /dev/null 2>&1
 }
--- a/qosmngr/files/airoha/usr/sbin/qos-uplink-bandwidth
+++ b/qosmngr/files/airoha/usr/sbin/qos-uplink-bandwidth
@@ -14,11 +14,13 @@ PREV_LINKSPEED=$(cat ${LINKSPEED_FILE} 2>/dev/null)
 [ -z "${PREV_LINKSPEED}" ] && PREV_LINKSPEED=0

 if [ $((LINKSPEED)) -ne $((PREV_LINKSPEED)) -a $((LINKSPEED)) -ne 0 ]; then
-	if [ $((LINKSPEED)) -ge 10000 ]; then
+	if [ $((LINKSPEED)) -ge 100 ]; then
 		/userfs/bin/qosrule discpline Rate uplink-bandwidth $((LINKSPEED*1000*999/1000))
 	else
-		/userfs/bin/qosrule discpline Rate uplink-bandwidth $((LINKSPEED*1000))
+		/userfs/bin/qosrule discpline Rate uplink-bandwidth $((LINKSPEED*1000*990/1000))
 	fi
 	mkdir -p "/tmp/qos"
 	echo ${LINKSPEED} > ${LINKSPEED_FILE}
+
+	hw_nat -! > /dev/null 2>&1
 fi
--- a/self-diagnostics/Makefile
+++ b/self-diagnostics/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=self-diagnostics
-PKG_VERSION:=1.0.16
+PKG_VERSION:=1.0.17
 PKG_RELEASE:=1

 PKG_LICENSE:=GPL-2.0-only
--- a/self-diagnostics/files/usr/libexec/rpcd/self-diagnostics
+++ b/self-diagnostics/files/usr/libexec/rpcd/self-diagnostics
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-BIN="/usr/sbin/self-diagnostics"
-. /usr/share/libubox/jshn.sh
-
-case "$1" in
-	list)
-		echo '{"list": {}, "generate" : {"modules":"String"}}'
-	;;
-	call)
-		case "$2" in
-			generate)
-				read -t 1 -r input
-				local out
-
-				json_load "${input}"
-				json_get_var modules modules
-				if [ -z "${modules}" ]; then
-					out="$(${BIN} -j)"
-				else
-					out="$(${BIN} -j -m "${modules}")"
-				fi
-				if [ -z "${out}" ]; then
-					echo '{}'
-				else
-					echo "${out}"
-				fi
-			;;
-			list)
-				out="$(${BIN} -j -l)"
-				if [ -z "${out}" ]; then
-					echo '{}'
-				else
-					echo "${out}"
-				fi
-			;;
-		esac
-	;;
-esac
--- a/self-diagnostics/files/usr/sbin/self-diagnostics
+++ b/self-diagnostics/files/usr/sbin/self-diagnostics
@@ -1,11 +1,12 @@
 #!/bin/sh

+# shellcheck disable=SC1091
 . /usr/share/libubox/jshn.sh

 JSON_OUT=0
 SPEC_DIR="/usr/share/self-diagnostics/spec"
 SPEC_EXT_DIR="/etc/self-diagnostics/spec"
-REPORT_PATH="/var/log/"
+REPORT_PATH="/var/log"
 REPORT_TEMP_DIR="$(mktemp -p ${REPORT_PATH} -d)"
 REPORT_NAME="self-test-diagnostics"
 VERBOSE=0
@@ -17,18 +18,19 @@ log()
 {
 	log_file="${REPORT_TEMP_DIR}/execution.log"
 	if [ "$VERBOSE" -eq 1 ]; then
-		logger -p debug -t $0 "$*"
+		logger -p debug -t "$0" "$*"
 	fi
-	echo "[$(date +%Y:%m:%d-%H:%M:%S)] $*" >> ${log_file}
+	echo "[$(date +%Y:%m:%d-%H:%M:%S)] $*" >> "${log_file}"
 }

 err_log()
 {
 	log_file="${REPORT_TEMP_DIR}/execution.log"
-	logger -p err -t $0 "$*"
-	echo "[$(date +%Y:%m:%d-%H:%M:%S) ERR] $*" >> ${log_file}
+	logger -p err -t "$0" "$*"
+	echo "[$(date +%Y:%m:%d-%H:%M:%S) ERR] $*" >> "${log_file}"
 }

+# shellcheck disable=SC3043
 generate_report()
 {
 	local filename
@@ -39,19 +41,19 @@ generate_report()
 	[ -f "${filename}.tar.gz" ] && rm "${filename}.tar.gz"

 	log "# Report generation completed #"
-	cd ${REPORT_TEMP_DIR} && {
+	cd "${REPORT_TEMP_DIR}" && {
 		filename="${filename}.tar"
-		tar -cf "${filename}" *
+		tar -cf "${filename}" ./*.log
 	}

 	if [ -n "$COMPOPTS" ]; then
-		gzip -${COMPOPTS} -f "${filename}"
+		gzip -"${COMPOPTS}" -f "${filename}"
 		filename="${filename}.gz"
 	fi

 	# Move logs if failed to generate tar
 	if [ ! -f "${filename}" ]; then
-		mv ${REPORT_TEMP_DIR}/*.log ${REPORT_PATH}/
+		mv "${REPORT_TEMP_DIR}"/*.log "${REPORT_PATH}"/
 	fi

 	if [ "${JSON_OUT}" -eq 1 ]; then
@@ -78,7 +80,7 @@ cleanup()
 {
 	if [ -d "${REPORT_TEMP_DIR}" ]; then
 		generate_report
-		rm -rf ${REPORT_TEMP_DIR}
+		rm -rf "${REPORT_TEMP_DIR}"
 	fi
 }

@@ -87,7 +89,7 @@ term_cleanup()
 	if [ -d "${REPORT_TEMP_DIR}" ]; then
 		err_log "Exiting due to TERM/INT signal"
 		generate_report
-		rm -rf ${REPORT_TEMP_DIR}
+		rm -rf "${REPORT_TEMP_DIR}"
 	fi
 }

@@ -111,8 +113,8 @@ help()
 # Alias ubus to have a smaller 5-second timeout on all subsequent calls
 ubus()
 {
-	if [ "${1}" == "call" ]; then
-		if command ubus list $2 >/dev/null 2>&1; then
+	if [ "${1}" = "call" ]; then
+		if command ubus list >/dev/null 2>&1; then
 			command ubus "$@";
 		fi
 	else
@@ -121,6 +123,7 @@ ubus()

 }

+# shellcheck disable=SC3043,SC3060,SC2034
 config_load()
 {
 	local temp
@@ -157,7 +160,7 @@ config_load()

 	temp="$(uci -q get self-diagnostics.globals.report_name)"
 	[ -n "${temp}" ] && \
-		REPORT_NAME="$(eval echo ${temp})"
+		REPORT_NAME="$(eval echo "${temp}")"

 	REPORT_NAME="${REPORT_NAME//[ \/]/_}"

@@ -170,9 +173,42 @@ config_load()
 		VERBOSE="${temp}"
 }

+# shellcheck disable=SC2129,SC3043
+run_cmd()
+{
+	local exec_timeout name cmd description
+	local export_path rc start_time end_time
+
+	exec_timeout="${1}"; shift
+	name="${1}"; shift
+	cmd="${1}"; shift
+	description="${*}"
+
+	start_time="$(date +%s)"
+	export_path="${REPORT_TEMP_DIR}/${name}.log"
+	log "Executing $cmd with timeout $exec_timeout"
+	echo "##########################################" >> "$export_path"
+	echo "# $description #">> "$export_path"
+	echo "# Exec [$cmd], timeout [$exec_timeout], start_time [$(date +%Y:%m:%d-%H:%M:%S)] #" >> "$export_path"
+	echo "##########################################" >> "$export_path"
+	eval timeout "${exec_timeout}" "$cmd" >> "$export_path" 2>&1
+	rc=$?
+	end_time="$(date +%s)"
+	echo "######## Execution done in [$((end_time - start_time)) ], return code $rc ######" >> "$export_path"
+
+	if [ "$rc" -eq 0 ]; then
+		log "Execution [$cmd] completed"
+	else
+		err_log "Execution [$cmd] Failed/Timeout with $rc exit code"
+	fi
+
+	echo >> "$export_path"
+}
+
+# shellcheck disable=SC2154,SC3060,SC3043
 exec_spec()
 {
-	local json_file exec_skip name timeout exec_timeout rc start_time end_time
+	local json_file exec_skip name timeout exec_timeout start_time end_time

 	start_time="$(date +%s)"
 	json_file="$1"
@@ -189,20 +225,18 @@ exec_spec()
 		return 1
 	}

-	name="$(basename ${json_file})"
-	export_path="${REPORT_TEMP_DIR}/${name//.json/.log}"
-
+	name="$(basename "${json_file}")"
 	exec_skip=0
 	if json_is_a dependency array; then
 		json_select "dependency"
 		json_get_keys ekeys

 		for key in $ekeys; do
-			if json_is_a $key object; then
-				json_select $key
+			if json_is_a "$key" object; then
+				json_select "$key"
 				json_get_var type type

-				if [ "$type" == "file" ]; then
+				if [ "$type" = "file" ]; then
 					json_get_var file file
 					if [ ! -e "$file" ]; then
 						err_log "${json_file} has unmet file dependency $file"
@@ -230,8 +264,8 @@ exec_spec()
 		json_get_keys keys

 		for key in $keys; do
-			if json_is_a $key object; then
-				json_select $key
+			if json_is_a "$key" object; then
+				json_select "${key}"
 				local cmd_skip file

 				cmd_skip=0
@@ -240,13 +274,13 @@ exec_spec()
 					json_select "dependency"
 					json_get_keys d_keys

-					for d_key in $d_keys; do
-						if json_is_a $d_key object; then
-							json_select $d_key
+					for d_key in ${d_keys}; do
+						if json_is_a "${d_key}" object; then
+							json_select "${d_key}"
 							json_get_var type type
-							if [ "$type" == "file" ]; then
+							if [ "$type" = "file" ]; then
 								json_get_var file file
-								if [ ! -e $file ]; then
+								if [ ! -e "${file}" ]; then
 									json_select ..
 									cmd_skip=1
 									continue
@@ -273,22 +307,7 @@ exec_spec()
 				else
 					exec_timeout=$TIMEOUT
 				fi
-				log "Executing $cmd with timeout $exec_timeout"
-				echo "##########################################" >> $export_path
-				echo "# $description #">> $export_path
-				echo "# Exec [$cmd], timeout [$exec_timeout] #" >> $export_path
-				echo "##########################################" >> $export_path
-				eval timeout ${exec_timeout} $cmd >> $export_path 2>&1
-				rc=$?
-				echo "######## Execution done return code $rc ######" >> $export_path
-
-				if [ "$rc" -eq 0 ]; then
-					log "Execution [$cmd] completed"
-				else
-					err_log "Execution [$cmd] Failed/Timeout with $rc exit code"
-				fi
-
-				echo >> $export_path
+				run_cmd "${exec_timeout}" "${name//.json/}" "${cmd}" "${description}"
 				json_select ..
 			fi
 		done
@@ -300,20 +319,21 @@ exec_spec()
 	log ""
 }

+# shellcheck disable=SC3043,SC3060
 generate_module()
 {
-	local modules="${@}"
+	local modules="${*}"
 	local file module

 	config_load

-	log "Modules [$@]"
+	log "Modules [$*]"
 	for module in $modules; do
 		module="${module/.json/}"
-		file="$(find $SPEC_DIR -type f -name ${module}.json)"
+		file="$(find "${SPEC_DIR}" -type f -name "${module}.json")"
 		[ -z "$file" ] && {
 			[ -d "${SPEC_EXT_DIR}" ] && \
-				file="$(find $SPEC_EXT_DIR -type f -name ${module}.json)"
+				file="$(find "${SPEC_EXT_DIR}" -type f -name "${module}.json")"
 		}

 		[ -f "$file" ] && \
@@ -321,15 +341,16 @@ generate_module()
 	done
 }

+# shellcheck disable=SC3043
 generate_all()
 {
 	local files

 	config_load

-	files="$(find ${SPEC_DIR} -type f -name *.json)"
+	files="$(find "${SPEC_DIR}" -type f -name "*.json")"
 	[ -d "${SPEC_EXT_DIR}" ] && \
-		files="${files} $(find $SPEC_EXT_DIR -type f -name *.json)"
+		files="${files} $(find "${SPEC_EXT_DIR}" -type f -name "*.json")"

 	[ -z "$files" ] && {
 		return 0
@@ -341,6 +362,7 @@ generate_all()

 }

+# shellcheck disable=SC3060,SC3043
 list_modules()
 {
 	local files
@@ -354,7 +376,7 @@ list_modules()
 	fi

 	cd ${SPEC_DIR} && {
-		for file in $(ls); do
+		for file in *.json; do
 			if [ "${JSON_OUT}" -eq 1 ]; then
 				json_add_string "" "${file/.json/}"
 			else
@@ -372,7 +394,7 @@ list_modules()
 	fi

 	cd ${SPEC_EXT_DIR} && {
-		for file in $(ls); do
+		for file in *.json; do
 			if [ "${JSON_OUT}" -eq 1 ]; then
 				json_add_string "" "${file/.json/}"
 			else
@@ -411,6 +433,10 @@ while getopts "m:hlj" opts; do
 		m)
 			modules="$modules ${OPTARG}"
 			;;
+		*)
+			help
+			exit
+			;;
 	esac
 done

@@ -422,5 +448,5 @@ fi
 if [ -z "${modules}" ]; then
 	generate_all
 else
-	generate_module ${modules}
+	generate_module "${modules}"
 fi
--- a/self-diagnostics/files/usr/share/self-diagnostics/spec/multiap.json
+++ b/self-diagnostics/files/usr/share/self-diagnostics/spec/multiap.json
@@ -51,6 +51,10 @@
 			"description": "MAP Agent Backhaul Info",
 			"cmd": "ubus call map.agent backhaul_info"
 		},
+		{
+			"description": "MAP Agent Backhaul Status",
+			"cmd": "ubus call map.agent backhaul"
+		},
 		{
 			"description": "MAP Controller Status",
 			"cmd": "ubus call map.controller status"
--- a/self-diagnostics/src/selftest.c
+++ b/self-diagnostics/src/selftest.c
@@ -54,18 +54,35 @@ int get_operate_args_SelfTest(char *refparam, struct dmctx *ctx, void *data, cha
 int operate_Device_SelfTest(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
 {
 	char cmd[512] = {0};
-	char output[512] = {0};
+	char buffer[512] = {0};
+	json_object *jobj = NULL;
+	const char *filename;

-	snprintf(cmd, sizeof(cmd), "sh %s", DIAG_BIN);
+	snprintf(cmd, sizeof(cmd), "sh %s -j 2>/dev/null", DIAG_BIN);

-	if (run_cmd(cmd, output, sizeof(output)) != 0)
+	if (run_cmd(cmd, buffer, sizeof(buffer)) != 0) {
+		BBFDM_ERR("Failed to run cmd[%s]", cmd);
 		goto err;
+	}

-	// truncate the new line char from end
-	remove_new_line(output);
-
-	if (!file_exists(output))
+	if (DM_STRLEN(buffer) == 0) {
+		BBFDM_ERR("No output from cmd[%s]", cmd);
 		goto err;
+	}
+
+	jobj = json_tokener_parse(buffer);
+	if (jobj == NULL) {
+		BBFDM_ERR("Fail to parse output[%s] in json", buffer);
+		goto err;
+	}
+
+	filename = dmjson_get_value(jobj, 1, "result");
+	snprintf(buffer, sizeof(buffer), "%s", filename);
+	json_object_put(jobj);
+	if (!file_exists(filename)) {
+		BBFDM_ERR("File [%s] does not exists or not accessible", filename);
+		goto err;
+	}

 	/* Add in dmmap_logmngr */
 	struct uci_section *s = get_origin_section_from_dmmap("dmmap_logmngr", "self_test", "self_test_log");
@@ -74,7 +91,7 @@ int operate_Device_SelfTest(char *refparam, struct dmctx *ctx, void *data, char
 		dmuci_rename_section_by_section(s, "self_test_log");
 	}

-	dmuci_set_value_by_section(s, "log_file", output);
+	dmuci_set_value_by_section(s, "log_file", filename);
 	dmuci_commit_package_bbfdm("dmmap_logmngr");

 	/* Get self test log instance */
--- a/ssdpd/src/datamodel.c
+++ b/ssdpd/src/datamodel.c
@@ -341,6 +341,30 @@ static int set_UPnPDevice_Enable(char *refparam, struct dmctx *ctx, void *data,
 	return 0;
 }

+/*#Device.UPnP.Device.UPnPIGD!UCI:upnpd/upnpd,config/igdv1*/
+static int get_UPnPDevice_UPnPIGD(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_option_value_fallback_def("upnpd", "config", "igdv1", "1");
+	return 0;
+}
+
+static int set_UPnPDevice_UPnPIGD(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	bool b;
+
+	switch (action) {
+		case VALUECHECK:
+			if (bbfdm_validate_boolean(ctx, value))
+				return FAULT_9007;
+			return 0;
+		case VALUESET:
+			string_to_bool(value, &b);
+			dmuci_set_value("upnpd", "config", "igdv1", b ? "1" : "0");
+			return 0;
+	}
+	return 0;
+}
+
 static int get_UPnPDeviceCapabilities_UPnPArchitecture(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
 	*value = "1";
@@ -809,12 +833,12 @@ DMLEAF tUPnPDeviceCapabilitiesParams[] = {
 DMLEAF tUPnPDeviceParams[] = {
 /* PARAM, permission, type, getvalue, setvalue, bbfdm_type, version*/
 {"Enable", &DMWRITE, DMT_BOOL, get_UPnPDevice_Enable, set_UPnPDevice_Enable, BBFDM_BOTH},
+{"UPnPIGD", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPIGD, set_UPnPDevice_UPnPIGD, BBFDM_BOTH},
 //{"UPnPMediaServer", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPMediaServer, set_UPnPDevice_UPnPMediaServer, BBFDM_BOTH},
 //{"UPnPMediaRenderer", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPMediaRenderer, set_UPnPDevice_UPnPMediaRenderer, BBFDM_BOTH},
 //{"UPnPWLANAccessPoint", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPWLANAccessPoint, set_UPnPDevice_UPnPWLANAccessPoint, BBFDM_BOTH},
 //{"UPnPQoSDevice ", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPQoSDevice , set_UPnPDevice_UPnPQoSDevice , BBFDM_BOTH},
 //{"UPnPQoSPolicyHolder", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPQoSPolicyHolder, set_UPnPDevice_UPnPQoSPolicyHolder, BBFDM_BOTH},
-//{"UPnPIGD", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPIGD, set_UPnPDevice_UPnPIGD, BBFDM_BOTH},
 //{"UPnPDMBasicMgmt", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPDMBasicMgmt, set_UPnPDevice_UPnPDMBasicMgmt, BBFDM_BOTH},
 //{"UPnPDMConfigurationMgmt", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPDMConfigurationMgmt, set_UPnPDevice_UPnPDMConfigurationMgmt, BBFDM_BOTH},
 //{"UPnPDMSoftwareMgmt", &DMWRITE, DMT_BOOL, get_UPnPDevice_UPnPDMSoftwareMgmt, set_UPnPDevice_UPnPDMSoftwareMgmt, BBFDM_BOTH},
--- a/Show More
+++ b/Show More