ethmngr: add ruleng ethport recipe

(cherry picked from commit 130cf8fd53)

bbfdm/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.14.4
+PKG_VERSION:=1.15.14
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=c8967d6bf47c8bc96cf8df94236b4edfc95aabea
+PKG_SOURCE_VERSION:=e3757b5f37d2683b08edf9dae175210093e47cea
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -70,6 +70,15 @@ define Package/bbfdmd/config
 	source "$(SOURCE)/Config_bbfdmd.in"
 endef
 
+# Below config is a hack to force-recompile dependent micro-services
+define Package/libbbfdm-api/config
+	if PACKAGE_bbfdmd
+		config BBF_LIBBBFDM_VERSION
+			string "Internal config variable to force recompile"
+			default "v${PKG_VERSION}"
+	endif
+endef
+
 define Package/libbbfdm-api/description
  Library contains the API(UCI, UBUS, JSON, CLI and Browse) of libbbfdm
 endef
@@ -154,6 +163,9 @@ define Package/dm-service/install
 
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dm-service/dm-service $(1)/usr/sbin/
+
+	$(BBFDM_REGISTER_SERVICES) -v ${CONFIG_BBF_VENDOR_PREFIX} ./bbfdm_service.json $(1) core
+	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/libbbfdm/libcore.so $(1) core
 endef
 
 define Package/bbf_configmngr/install

bbfdm/bbfdm.mk

@@ -6,6 +6,7 @@ BBFDM_BASE_DM_PATH=/usr/share/bbfdm
 BBFDM_INPUT_PATH=/etc/bbfdm/micro_services
 BBFDM_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
+PKG_CONFIG_DEPENDS += CONFIG_BBF_LIBBBFDM_VERSION
 #BBFDM_VERSION:=$(shell grep -oP '(?<=^PKG_VERSION:=).*' ${BBFDM_DIR}/Makefile)
 #BBFDM_TOOLS:=$(BUILD_DIR)/bbfdm-$(BBFDM_VERSION)/tools
 
@@ -89,28 +90,3 @@ BBFDM_INSTALL_SCRIPT:=$(BBFDM_DIR)/tools/bbfdm.sh -s
 
 
 BBFDM_REGISTER_SERVICES:=$(BBFDM_DIR)/tools/bbfdm.sh -t
-
-# Deprecated functions errors
-define BbfdmInstallPluginInMicroservice
-	$(warning # BbfdmInstallPluginInMicroservice function is deprecated, use BBFDM_INSTALL_MS_PLUGIN macro #)
-	$(INSTALL_DIR) $(1)
-	$(INSTALL_DATA) $(2) $(1)/
-endef
-
-define BbfdmInstallMicroServiceInputFile
-	$(warning # function BbfdmInstallMicroServiceInputFile deprecated, input file auto generated with BBFDM_INSTALL_MS_DM #)
-	$(INSTALL_DIR) $(1)/etc/bbfdm/micro_services
-	$(INSTALL_DATA) $(2) $(1)/etc/bbfdm/micro_services/$(PKG_NAME).json
-endef
-
-define BbfdmInstallPlugin
-	$(warning # function BbfdmInstallPlugin deprecated, use BBFDM_INSTALL_CORE_PLUGIN macro #)
-	$(INSTALL_DIR) $(1)/etc/bbfdm/plugins
-	$(INSTALL_DATA) $(2) $(1)/etc/bbfdm/plugins/
-endef
-
-define BbfdmInstallPluginWithPriority
-	$(warning # fucntion BbfdmInstallPluginWithPriority deprecated, use BBFDM_INSTALL_CORE_PLUGIN #)
-	$(INSTALL_DIR) $(1)/etc/bbfdm/plugins
-	$(INSTALL_DATA) $(3) $(1)/etc/bbfdm/plugins/$(2)_$(shell basename ${3})
-endef

bbfdm/bbfdm_service.json

@@ -0,0 +1,54 @@
+{
+  "daemon": {
+    "enable": "1",
+    "service_name": "core",
+    "unified_daemon": false,
+    "services": [
+      {
+        "parent_dm": "Device.",
+        "object": "LANConfigSecurity"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "Schedules"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "Security",
+        "proto": "cwmp"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "PacketCaptureDiagnostics"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "SelfTestDiagnostics"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "Syslog"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "{BBF_VENDOR_PREFIX}OpenVPN",
+        "proto": "usp"
+      },	  
+      {
+        "parent_dm": "Device.",
+        "object": "RootDataModelVersion"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "Reboot()"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "FactoryReset()"
+      }
+    ],
+    "config": {
+      "loglevel": "3"
+    }
+  }
+}

bbfdm/files/etc/bbfdm/critical_services.json

@@ -3,8 +3,12 @@
 			"firewall",
 			"network",
 			"dhcp",
+			"time",
 			"wireless",
-			"time"
+			"ieee1905",
+			"mapcontroller",
+			"mosquitto",
+			"nginx"
 	],
 	"cwmp": [
 			"firewall",

bbfdm/files/etc/config/bbfdm

@@ -1,7 +1,7 @@
 config bbfdmd 'bbfdmd'
 	option enable '1'
 	option debug '0'
-	option loglevel '4'
+	option loglevel '3'
 
 config micro_services 'micro_services'
 	option enable '1'

bbfdm/files/etc/uci-defaults/96-sysctl-translation

@@ -51,10 +51,6 @@ parse_bbfdm_sysctl_conf_file() {
 
 	# Replace the original file with the modified content
 	mv "$tmpfile" "${bbfdm_sysctl_conf}"
-
-	# Apply the changes
-	uci commit network
-	sysctl -e -p "${bbfdm_sysctl_conf}" >&-
 }
 
 parse_bbfdm_sysctl_conf_file

bbfdm/tools/bbfdm.sh

@@ -12,6 +12,7 @@ DEST=""
 VENDOR_EXTN=""
 TOOLS="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 SRC=""
+EXTRA_DATA=""
 
 while getopts ":mpsdtv:" opt; do
 	case ${opt} in
@@ -46,6 +47,9 @@ shift
 DEST="${1}"
 shift
 DATA="${1}"
+shift
+EXTRA_DATA="${1}"
+
 
 install_bin() {
 	if ! install -m0755 ${1} ${2}; then
@@ -144,8 +148,9 @@ if [ "${INPUT_FILE}" -eq "1" ]; then
 		exit 1
 	fi
 
-	if [ -z "${DATA}" ]; then
-		echo "# Package name not provided ...."
+	service_name="$(cat ${SRC}|jq -r '.daemon.service_name')"
+	if [ -z "${service_name}" ]; then
+		echo "# service_name not defined in service json ...."
 		exit 1
 	fi
 
@@ -156,7 +161,7 @@ if [ "${INPUT_FILE}" -eq "1" ]; then
 	fi
 
 	install_dir ${DEST}/etc/bbfdm/services
-	install_data ${tempfile} ${DEST}/etc/bbfdm/services/${DATA}.json
+	install_data ${tempfile} ${DEST}/etc/bbfdm/services/${service_name}.json
 
 	if [ -f "${tempfile}" ]; then
 		rm ${tempfile}
@@ -176,18 +181,19 @@ if [ "${MICRO_SERVICE}" -eq "1" ]; then
 		bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/${DATA}.${extn##*.}
 	else
 		install_dir ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/${DATA}
-		bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/${DATA}/$(basename ${SRC})
+		bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/${DATA}/$(printf "%02d" ${EXTRA_DATA})$(basename ${SRC})
 	fi
 else
 	if [ "${PLUGIN}" -eq "1" ]; then
+		echo "# WARNING: BBFDM_INSTALL_CORE_PLUGIN macro will be deprecated soon. Please use BBFDM_INSTALL_MS_PLUGIN macro instead, specifying 'core' as micro-service name #"
 		priority="${DATA:-0}"
-		install_dir ${DEST}/${BBFDM_BASE_DM_PATH}/plugins
+		install_dir ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/core
 
 		if [ "${priority}" -gt "0" ]; then
 			# install with priority if defined
-			bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/plugins/${priority}_$(basename ${SRC})
+			bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/core/${priority}_$(basename ${SRC})
 		elif [ "${priority}" -eq "0" ]; then
-			bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/plugins/$(basename ${SRC})
+			bbfdm_install_dm ${SRC} ${DEST}/${BBFDM_BASE_DM_PATH}/micro_services/core/$(basename ${SRC})
 		else
 			echo "# Priority should be an unsigned integer"
 			exit 1

bridgemngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bridgemngr
-PKG_VERSION:=1.0.11
+PKG_VERSION:=1.0.14
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr
-PKG_SOURCE_VERSION:=18c2921a1cf5bfa027c11c5e6ca605ef69fd1168
+PKG_SOURCE_VERSION:=99bc3a3a0a2571917eda7085c21952f779fdb471
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -59,8 +59,8 @@ define Package/bridgemngr/install
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libbridgemngr.so $(1) $(PKG_NAME)
 ifeq ($(CONFIG_BRIDGEMNGR_BRIDGE_VENDOR_EXT), y)
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libbridgeext.so $(1) $(PKG_NAME)
-	$(BBFDM_INSTALL_MS_PLUGIN) -v ${VENDOR_PREFIX} ./files/VLAN_Filtering_Extension.json $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libbridgeext.so $(1) $(PKG_NAME) 10
+	$(BBFDM_INSTALL_MS_PLUGIN) -v ${VENDOR_PREFIX} ./files/VLAN_Filtering_Extension.json $(1) $(PKG_NAME) 11
 endif
 
 	$(INSTALL_BIN) ./files/etc/init.d/bridging $(1)/etc/init.d/

bulkdata/bbfdm_service.json

@@ -3,11 +3,11 @@
     "enable": "1",
     "service_name": "bulkdata",
     "unified_daemon": true,
+    "proto": "cwmp",
     "services": [
       {
         "parent_dm": "Device.",
-        "object": "BulkData",
-        "proto": "cwmp"
+        "object": "BulkData"
       }
     ],
     "config": {

ddnsmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ddnsmngr
-PKG_VERSION:=1.0.10
+PKG_VERSION:=1.0.11
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ddnsmngr.git
-PKG_SOURCE_VERSION:=5144e73fad92d23ae706894a4357436c3fe89355
+PKG_SOURCE_VERSION:=9f2f4dabc71c4f405b1c5df576d20d793d299e94
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

decollector/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=decollector
-PKG_VERSION:=6.1.0.7
+PKG_VERSION:=6.2.0.1
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=db4eae19a3f716eec5a37aa2786b9bbbe3160b54
+PKG_SOURCE_VERSION:=575ecfff3779aadcea83d890ba975109c0f7d6a3
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

dectmngr/Makefile

@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dectmngr
 PKG_RELEASE:=3
-PKG_VERSION:=3.7.3
+PKG_VERSION:=3.7.4
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
@@ -56,11 +56,14 @@ endif
 
 define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_DIR) $(1)/etc/dspg
 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
 
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/app/dectmngr $(1)/usr/sbin/
 	$(STRIP) $(1)/usr/sbin/dectmngr
+ifeq ($(CONFIG_TARGET_airoha),)
+	$(CP) ./firmware/common/* $(1)/etc/dspg/
+endif
 	$(CP) ./files/etc/* $(1)/etc/
 	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/dect $(1)/lib/upgrade/keep.d/dect
 endef

dhcpmngr/files/etc/uci-defaults/unbound.odhcpd.uci_default

@@ -10,7 +10,6 @@ uci -q get dhcp.odhcpd >/dev/null 2>&1 && {
 		[ -e /usr/lib/unbound/odhcpd.sh ] && [ -e /usr/sbin/unbound ] && {
 			# then set unbound script as leasetrigger in dhcp UCI
 			uci -q set dhcp.odhcpd.leasetrigger='/usr/lib/unbound/odhcpd.sh'
-			uci commit dhcp
 		}
 	}
 }

dnsmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmngr
-PKG_VERSION:=1.0.14
+PKG_VERSION:=1.0.16
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dnsmngr.git
-PKG_SOURCE_VERSION:=e64ec01b57d8b32e5230b34f6a3866250b1a8faf
+PKG_SOURCE_VERSION:=32bd2501fca8a4f45ba13ee0e4762756c60fe721
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -64,11 +64,15 @@ ifeq ($(CONFIG_DNSMNGR_BACKEND_DNSMASQ),y)
 endif
 
 define Package/dnsmngr/install
+	$(INSTALL_DIR) $(1)/etc/umdns
+	$(INSTALL_DIR) $(1)/etc/umdns/tmp
+	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/dnsmngr $(1)/lib/upgrade/keep.d/dnsmngr
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libdnsmngr.so $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_SCRIPT) -d $(PKG_BUILD_DIR)/scripts/nslookup $(1)
 ifeq ($(CONFIG_DNSMNGR_DNS_SD),y)
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libdns_sd.so $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libdns_sd.so $(1) $(PKG_NAME) 10
 endif
 endef
 

dnsmngr/files/lib/upgrade/keep.d/dnsmngr

@@ -0,0 +1 @@
+/etc/umdns/*

ebtables-extensions/Makefile

@@ -6,14 +6,14 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ebtables-extensions
-PKG_VERSION:=2.0.4
+PKG_VERSION:=2.0.5
 PKG_LICENSE:=GPL-2.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ebtables-extensions.git
-PKG_SOURCE_VERSION:=9a2af49b455ee25ca0694274e004ced7c09855a0
+PKG_SOURCE_VERSION:=7357622d806833d93d317164dc6673fbf5fd1629
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -189,9 +189,7 @@ define KernelPackage/ebt-mldsnooping/description
 	Kernel module to enable MLD snooping for ebtables
 endef
 
-ifeq ($(CONFIG_TARGET_brcmbca),y)
-	include ../../broadcom/bcmkernel/bcm-kernel-toolchain.mk
-endif
+-include ../../broadcom/bcmkernel/bcm-kernel-toolchain.mk
 
 define Build/Prepare
 
@@ -236,7 +234,6 @@ endif
 	$(CP) $(PKG_BUILD_DIR)/src/ebt_mldsnooping.h $(1)/include/uapi/linux/netfilter_bridge/
 endef
 
-KERNEL_MAKE_FLAGS += -I$(LINUX_DIR)/include
 ifeq ($(CONFIG_TARGET_airoha),y)
   KERNEL_MAKE_FLAGS += PLATFORM="ECONET"
 endif

ethmngr/Makefile

@@ -5,14 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethmngr
-PKG_VERSION:=3.0.5
+PKG_VERSION:=3.0.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/ethmngr.git
-PKG_SOURCE_VERSION:=01e1c5f6642a8fa79fc445c71558ad02bda40eb5
-PKG_MAINTAINER:=Rahul Thakur <rahul.thakur@iopsys.eu>
+PKG_SOURCE_VERSION:=171cf63d972c6fa81b97281531e457a0967c16c7
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif

ethmngr/files/etc/ruleng/ethport.json

@@ -0,0 +1,20 @@
+{
+	"ethport_update": {
+		"if" : [
+			{
+				"event": "network.device"
+			}
+		],
+		"then" : [
+			{
+				"cli": "/sbin/hotplug-call ethernet",
+				"envs": {
+					"PORT": "&network.device->ifname",
+					"LINK": "&network.device->link"
+				},
+				"timeout": 1
+			}
+		]
+	}
+}
+

ethmngr/files/etc/uci-defaults/ruleng.ethport

@@ -0,0 +1,2 @@
+uci -q set ruleng.ethport=rule
+uci -q set ruleng.ethport.recipe='/etc/ruleng/ethport.json'

firewallmngr/Makefile

@@ -29,7 +29,7 @@ define Package/firewallmngr
   CATEGORY:=Network
   TITLE:=Package to add Device.Firewall and Device.NAT. data model support.
   DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +firewall
-  DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:kmod-ipt-trigger +FIREWALLMNGR_PORT_TRIGGER:kmod-ip6t-trigger
+  DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:iptables-mod-trigger
   DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:iptables-mod-nfqueue
   DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
 endef

firewallmngr/files/firewall.portmap

@@ -2,71 +2,40 @@
 
 . /lib/functions.sh
 
-log() {
-	echo "${@}"|logger -t firewall.dnat -p info
-}
-
-exec_cmd() {
-	if ! eval "$*"; then
-		log "Failed to run [$*]"
-	fi
-}
-
 reorder_dnat_rules() {
-	nat_chains=$(iptables -t nat -S | grep -E "^-N zone[a-zA-Z0-9_]+prerouting$" | cut -d' ' -f 2)
+	nat_chains=$(iptables -w -t nat -S | grep -E "^-N zone[a-zA-Z0-9_]+prerouting$" | cut -d' ' -f 2)
 
 	for chain in ${nat_chains}; do
 		# Collect empty remote host & empty dport rules
-		EMPTY_HOST_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep -v "\-s ")
-		if [ -n "${EMPTY_HOST_PORT}" ]; then
-			echo "${EMPTY_HOST_PORT}" | while read cmd; do
-				cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
-				exec_cmd $cmd1
-			done
-		fi
+		EMPTY_HOST_PORT=$(iptables -w -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep -v "\-s ")
 
 		# Collect empty remote host but non empty dport rules
-		EMPTY_HOST=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep "\-\-dport" | grep -v "\-s ")
-		if [ -n "${EMPTY_HOST}" ]; then
-			echo "${EMPTY_HOST}" | while read cmd; do
-				cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
-				exec_cmd $cmd1
-			done
-		fi
+		EMPTY_HOST=$(iptables -w -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep "\-\-dport" | grep -v "\-s ")
 
 		# Collect non empty remote host but empty dport rules
-		EMPTY_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep "\-s ")
-		if [ -n "${EMPTY_PORT}" ]; then
-			echo "${EMPTY_PORT}" | while read cmd; do
-				cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
-				exec_cmd $cmd1
-			done
-		fi
+		EMPTY_PORT=$(iptables -w -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep "\-s ")
 
-		# Now add rules as per datamodel precedence shown below
-		## Non empty remote host, empty dport
-		## empty remote host, non empty dport
-		## empty remote host, empty dport
-		if [ -n "${EMPTY_PORT}" ]; then
-			echo "${EMPTY_PORT}" | while read cmd; do
-				cmd1="iptables -t nat $(echo $cmd)"
-				exec_cmd $cmd1
-			done
-		fi
+		# Skip this chain if no matching rules were found
+		[ -n "${EMPTY_HOST_PORT}" -o -n "${EMPTY_HOST}" -o -n "${EMPTY_PORT}" ] || continue
 
-		if [ -n "${EMPTY_HOST}" ]; then
-			echo "${EMPTY_HOST}" | while read cmd; do
-				cmd1="iptables -t nat $(echo $cmd)"
-				exec_cmd $cmd1
-			done
-		fi
+		(
+			echo '*nat'
 
-		if [ -n "${EMPTY_HOST_PORT}" ]; then
-			echo "${EMPTY_HOST_PORT}" | while read cmd; do
-				cmd1="iptables -t nat $(echo $cmd)"
-				exec_cmd $cmd1
-			done
-		fi
+			# Delete collected rules
+			[ -n "${EMPTY_HOST_PORT}" ] && echo "${EMPTY_HOST_PORT}" | sed 's/^-A /-D /'
+			[ -n "${EMPTY_HOST}" ] && echo "${EMPTY_HOST}" | sed 's/^-A /-D /'
+			[ -n "${EMPTY_PORT}" ] && echo "${EMPTY_PORT}" | sed 's/^-A /-D /'
+
+			# Now add rules as per datamodel precedence shown below
+			## Non empty remote host, empty dport
+			## empty remote host, non empty dport
+			## empty remote host, empty dport
+			[ -n "${EMPTY_PORT}" ] && echo "${EMPTY_PORT}"
+			[ -n "${EMPTY_HOST}" ] && echo "${EMPTY_HOST}"
+			[ -n "${EMPTY_HOST_PORT}" ] && echo "${EMPTY_HOST_PORT}"
+
+			echo 'COMMIT'
+		) | iptables-restore -w -n
 	done
 }
 

firewallmngr/files/firewall.service

@@ -7,7 +7,7 @@ log() {
 }
 
 exec_cmd() {
-	if ! eval "$*"; then
+	if ! "$@"; then
 		log "Failed to run [$*]"
 		echo "-1"
 		return 0
@@ -73,7 +73,7 @@ add_iptable_rule() {
 		fi
 
 		if [ -z "${src_prefix}" ]; then
-			res=$(exec_cmd "iptables ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
+			res=$(exec_cmd iptables -w ${cmd} -m comment --comment IPtables_service_rule -j "${action}")
 		else
 			#Add ipv4 sources if any
 			src_list=""
@@ -86,7 +86,7 @@ add_iptable_rule() {
 
 			if [ -n "$src_list" ]; then
 				src_list=$(echo "${src_list}" | sed "s/,$//")
-				res=$(exec_cmd "iptables -s $src_list ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
+				res=$(exec_cmd iptables -w -s "$src_list" ${cmd} -m comment --comment IPtables_service_rule -j "${action}")
 			fi
 		fi
 	fi
@@ -97,7 +97,7 @@ add_iptable_rule() {
 		fi
 
 		if [ -z "${src_prefix}" ]; then
-			res=$(exec_cmd "ip6tables ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
+			res=$(exec_cmd ip6tables -w ${cmd} -m comment --comment IP6tables_service_rule -j "${action}")
 		else
 			#Add ipv6 sources if any
 			src_list=""
@@ -110,7 +110,7 @@ add_iptable_rule() {
 
 			if [ -n "$src_list" ]; then
 				src_list=$(echo "${src_list}" | sed "s/,$//")
-				res=$(exec_cmd "ip6tables -s $src_list ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
+				res=$(exec_cmd ip6tables -w -s "$src_list" ${cmd} -m comment --comment IP6tables_service_rule -j "${action}")
 			fi
 		fi
 	fi

gateway-info/Makefile

@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2025 IOPSYS Software Solutions AB
+#
+# This is free software, licensed under the BSD-3-Clause
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gateway-info
+PKG_VERSION:=1.0.2
+
+LOCAL_DEV:=0
+ifneq ($(LOCAL_DEV),1)
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/gateway-info.git
+PKG_SOURCE_VERSION:=dd15893a8291e556a8c49ff9e143c763db0379b5
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MIRROR_HASH:=skip
+endif
+
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+include ../bbfdm/bbfdm.mk
+
+define Package/gateway-info
+  CATEGORY:=Utilities
+  TITLE:=GatewayInfo Data Model Support
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +umdns
+  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service +iputils-arping
+endef
+
+define Package/gateway-info/description
+	Package to add Device.GatewayInfo. data model support.
+endef
+
+MAKE_PATH:=src
+
+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+	$(CP) ~/git/gateway-info/* $(PKG_BUILD_DIR)/
+endef
+endif
+
+define Package/gateway-info/install
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/etc/udhcpc.user.d
+	$(INSTALL_DIR) $(1)/etc/bbfdm/services
+	$(INSTALL_DIR) $(1)/usr/share/bbfdm/micro_services
+	$(INSTALL_DATA) ./files/etc/config/gateway $(1)/etc/config/gateway
+	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_gateway_info.user $(1)/etc/udhcpc.user.d/udhcpc_gateway_info.user
+	$(INSTALL_BIN) ./files/etc/uci-defaults/86-set-gateway-device-info $(1)/etc/uci-defaults/
+	$(BBFDM_REGISTER_SERVICES) ./files/bbfdm_service.json $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libgwinfo.so $(1) $(PKG_NAME)
+endef
+
+$(eval $(call BuildPackage,gateway-info))

gateway-info/files/bbfdm_service.json

@@ -1,12 +1,12 @@
 {
   "daemon": {
     "enable": "1",
-    "service_name": "wifidmd.dataelements",
+    "service_name": "gateway-info",
     "unified_daemon": false,
     "services": [
       {
         "parent_dm": "Device.",
-        "object": "WiFi"
+        "object": "GatewayInfo"
       }
     ],
     "config": {

gateway-info/files/etc/config/gateway

@@ -0,0 +1,4 @@
+config global 'global'
+	option enable '1'
+	option wan_interface 'wan'
+	option lan_interface 'lan'

gateway-info/files/etc/uci-defaults/86-set-gateway-device-info

@@ -0,0 +1,288 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+convert_to_hex() {
+	local val=""
+	local optval="${1}"
+	OPTIND=1
+	while getopts ":" opt "-$optval"
+	do
+		temp=$(printf "%02X" "'${OPTARG:-:}")
+		val="${val}:${temp}"
+	done
+
+	echo "${val}"
+}
+
+configure_send_op125() {
+	local sendopt="${1}"
+	local intf="${2}"
+	local uci="${3}"
+	local hex_oui=""
+	local hex_serial=""
+	local hex_class=""
+	local oui_len=0
+	local serial_len=0
+	local class_len=0
+
+	if [ "${uci}" = "network" ]; then
+		local opt125="125:00:00:0D:E9"
+	else
+		if [ -z "${sendopt}" ]; then
+			local opt125="125,00:00:0D:E9"
+		else
+			local opt125=":00:00:0D:E9"
+		fi
+	fi
+
+	config_get oui cpe manufacturer_oui ""
+	if [ -z "${oui}" ]; then
+		oui=$(db -q get device.deviceinfo.ManufacturerOUI)
+	fi
+
+	oui=$(echo "${oui}" | tr 'a-f' 'A-F')
+
+	config_get serial cpe serial_number ""
+	if [ -z "${serial}" ]; then
+		serial=$(db -q get device.deviceinfo.SerialNumber)
+	fi
+
+	config_get class cpe product_class ""
+	if [ -z "${class}" ]; then
+		class=$(db -q get device.deviceinfo.ProductClass)
+	fi
+
+	oui_len=$(echo -n "${oui}" | wc -m)
+	serial_len=$(echo -n "${serial}" | wc -m)
+	class_len=$(echo -n "${class}" | wc -m)
+
+	if [ "${oui_len}" -eq 0 ] || [ "${serial_len}" -eq 0 ]; then
+		return 0
+	fi
+
+	opt125_len=$((oui_len + serial_len + class_len))
+	if [ "${class_len}" -gt 0 ]; then
+		opt125_len=$((opt125_len + 6))
+	else
+		opt125_len=$((opt125_len + 4))
+	fi
+
+	hex_opt125_len=$(printf "%02X" "${opt125_len}")
+	opt125="${opt125}:${hex_opt125_len}"
+	hex_oui=$(convert_to_hex "${oui}")
+	if [ -z "${hex_oui}" ]; then
+		return 0
+	fi
+
+	hex_oui_len=$(printf "%02X" "${oui_len}")
+	if [ "${uci}" = "network" ]; then
+		opt125="${opt125}:01:${hex_oui_len}${hex_oui}"
+	else
+		opt125="${opt125}:04:${hex_oui_len}${hex_oui}"
+	fi
+
+	hex_serial=$(convert_to_hex "${serial}")
+	if [ -z "${hex_serial}" ]; then
+		return 0
+	fi
+
+	hex_serial_len=$(printf "%02X" "${serial_len}")
+	if [ "${uci}" = "network" ]; then
+		opt125="${opt125}:02:${hex_serial_len}${hex_serial}"
+	else
+		opt125="${opt125}:05:${hex_serial_len}${hex_serial}"
+	fi
+
+	if [ "${class_len}" -gt 0 ]; then
+		hex_class=$(convert_to_hex "${class}")
+		if [ -z "${hex_class}" ]; then
+			return 0
+		fi
+
+		hex_class_len=$(printf "%02X" "${class_len}")
+		if [ "${uci}" = "network" ]; then
+			opt125="${opt125}:03:${hex_class_len}${hex_class}"
+		else
+			opt125="${opt125}:06:${hex_class_len}${hex_class}"
+		fi
+	fi
+
+
+	if [ "${uci}" = "network" ]; then
+		new_send_opt="$sendopt $opt125"
+		uci -q set network."${intf}".sendopts="$new_send_opt"
+	else
+		new_send_opt="$sendopt$opt125"
+		uci -q add_list dhcp."${intf}".dhcp_option="$new_send_opt"
+	fi
+}
+
+check_for_suboptions() {
+	# Check if option 4 and 5 present inside enterprise id 3561
+	data=$(echo "${1}" | sed 's/://g')
+	len=$(printf "${data}"|wc -c)
+
+	rem_len="${len}"
+	while [ $rem_len -gt 8 ]; do
+		subopt_present=0
+
+		ent_id="${data:0:8}"
+		ent_id=$(printf "%d\n" "0x$ent_id")
+		if [ $ent_id -ne 3561 ]; then
+			len_val=${data:8:2}
+			data_len=$(printf "%d\n" "0x$len_val")
+			# add 4 byte for ent_id and 1 byte for len
+			data_len=$(( data_len * 2 + 10 ))
+			# move ahead data to next enterprise id
+			data=${data:"${data_len}":"${rem_len}"}
+			rem_len=$(( rem_len - data_len ))
+			continue
+		fi
+
+		# read the length of enterprise data
+		len_val=${data:8:2}
+		data_len=$(printf "%d\n" "0x$len_val")
+		# add 4 byte for ent_id and 1 byte for len
+		data_len=$(( data_len * 2 + 10 ))
+
+		len_val=${data:8:2}
+		opt_len=$(printf "%d\n" "0x$len_val")
+		if [ $opt_len -eq 0 ]; then
+			echo ${subopt_present}
+			return 0
+		fi
+
+		# populate the option data of enterprise id
+		sub_data_len=$(( opt_len * 2))
+		# starting 10 means ahead of length field
+		sub_data=${data:10:"${sub_data_len}"}
+
+		# parsing of suboption of option 125
+		while [ $sub_data_len -gt 0 ]; do
+			# get the suboption id
+			sub_opt_id=${sub_data:0:2}
+			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
+			case "${sub_opt_id}" in
+			"4") subopt_present=1
+			;;
+			"5") subopt_present=1
+			;;
+			esac
+
+			if [ ${subopt_present} -eq 1 ]; then
+				break;
+			fi
+
+			# get the length of suboption
+			sub_opt_len=${sub_data:2:2}
+			sub_opt_len=$(printf "%d\n" "0x$sub_opt_len")
+			sub_opt_len=$(( sub_opt_len * 2 ))
+
+			# add 2 bytes for sub_opt id and sub_opt len field
+			sub_opt_end=$(( sub_opt_len + 4 ))
+
+			# update the remaining sub option hex string length
+			sub_data_len=$((sub_data_len - sub_opt_end))
+
+			# fetch next sub option hex string
+			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+		done
+
+		if [ ${subopt_present} -eq 1 ]; then
+			break;
+		else
+			# move ahead data to next enterprise id
+			rem_len=$(( rem_len - $data_len ))
+			data=${data:"${data_len}":"${rem_len}"}
+		fi
+	done
+
+	echo ${subopt_present}
+}
+
+enable_dhcp_option125() {
+	local wan="${1}"
+	local reqopts="$(uci -q get network."${wan}".reqopts)"
+	local sendopts="$(uci -q get network."${wan}".sendopts)"
+	local proto="$(uci -q get network."${wan}".proto)"
+	local newreqopts=""
+	local newsendopts=""
+	local req125_present=0
+	local send125_present=0
+	local opt125="125:"
+
+	for ropt in $reqopts; do
+		case $ropt in
+			125) req125_present=1 ;;
+			*) ;;
+		esac
+	done
+
+	for sopt in $sendopts; do
+		if [[ "$sopt" == "$opt125"* ]]; then
+			send125_present=1
+			break
+		fi
+	done
+
+	if [ "${proto}" = "dhcp" ]; then
+		if [ ${req125_present} -eq 0 ]; then
+			newreqopts="$reqopts 125"
+			uci -q set network."${wan}".reqopts="$newreqopts"
+		fi
+
+		if [ ${send125_present} -eq 0 ]; then
+			configure_send_op125 "${sendopts}" "${wan}" "network"
+		fi
+	fi
+}
+
+enable_dnsmasq_option125() {
+	local lan="${1}"
+	local send125_present=0
+	local opt125="125,"
+
+	local proto="$(uci -q get dhcp."${lan}".dhcpv4)"
+	if [ "${proto}" = "server" ]; then
+		opt_list="$(uci -q get dhcp."${lan}".dhcp_option)"
+		base_opt=""
+
+		for sopt in $opt_list; do
+			if [[ "$sopt" == "$opt125"* ]]; then
+				send125_present=$(check_for_suboptions "${sopt:4}")
+				base_opt="${sopt}"
+				break
+			fi
+		done
+
+		if [ ${send125_present} -eq 0 ]; then
+			uci -q del_list dhcp."${lan}".dhcp_option="${base_opt}"
+			configure_send_op125 "${base_opt}" "${lan}" "dhcp"
+		fi
+	fi
+}
+
+configure_gateway_device_info() {
+	wan_intf=""
+	lan_intf=""
+
+	config_load gateway
+	config_get_bool enable global enable '1'
+	config_get wan_intf global wan_interface "wan"
+	config_get lan_intf global lan_interface "lan"
+
+	if [ "${enable}" -eq 0 ]; then
+		return 0
+	fi
+
+	# Set dhcp_option 125 for device info if not already configured
+	enable_dhcp_option125 "${wan_intf}"
+
+	if [ "${wan_intf}" != "${lan_intf}" ]; then
+		# This is extender no need to configure gateway info
+		enable_dnsmasq_option125 "${lan_intf}"
+	fi
+}
+
+configure_gateway_device_info

gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user

@@ -0,0 +1,367 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /usr/share/libubox/jshn.sh
+
+CLASS=""
+OUI=""
+SERIAL=""
+GW_DISCOVERED=0
+_json_no_warning=1
+
+get_vivsoi() {
+	# opt125 environment variable has data in below format
+	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	# |	 enterprise-number1	  |
+	# |				  |
+	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	# |   data-len1   |		  |
+	# +-+-+-+-+-+-+-+-+ option-data1  |
+	# /				  /
+	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -----
+	# |	 enterprise-number2	  |   ^
+	# |				  |   |
+	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
+	# |   data-len2   |		  | optional
+	# +-+-+-+-+-+-+-+-+ option-data2  |   |
+	# /				  /   |
+	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
+	# ~	       ...		  ~   V
+	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -----
+
+	#  Enterprise Id  Len  Sub Op  SLen  Data Sub Op  SLen Data	  Sub Op  SLen Data
+	# +-------------+-----+------+------+----+------+-----+----+-----+------+-----+----+
+	# |	id    |  n  |	1  |  n1  | D1 |   2  |  n2 | D2 | ... |   6  |  n6 | D6 |
+	# +-------------+-----+------+------+----+------+-----+----+-----+------+-----+----+
+
+	local opt125="$1"
+	local len="$2"
+	local ent_id
+
+	#hex-string 2 character=1 Byte
+	# length in hex string will be twice of actual Byte length
+	[ "$len" -gt "8" ] || return
+
+	data="${opt125}"
+	rem_len="${len}"
+	while [ $rem_len -gt 0 ]; do
+		ent_id=${data:0:8}
+		ent_id=$(printf "%d\n" "0x$ent_id")
+
+		if [ $ent_id -ne  3561 ]; then
+			len_val=${data:8:2}
+			data_len=$(printf "%d\n" "0x$len_val")
+			# add 4 byte for ent_id and 1 byte for len
+			data_len=$(( data_len * 2 + 10 ))
+			# move ahead data to next enterprise id
+			data=${data:"${data_len}":"${rem_len}"}
+			rem_len=$(( rem_len - $data_len ))
+			continue
+		fi
+
+		# read the length of enterprise data
+		len_val=${data:8:2}
+		data_len=$(printf "%d\n" "0x$len_val")
+		# add 4 byte for ent_id and 1 byte for len
+		data_len=$(( data_len * 2 + 10 ))
+
+		opt_len=$(printf "%d\n" "0x$len_val")
+		[ $opt_len -eq 0 ] && return
+
+		# populate the option data of enterprise id
+		sub_data_len=$(( opt_len * 2))
+		# starting 10 means ahead of length field
+		sub_data=${data:10:"${sub_data_len}"}
+
+		# parsing of suboption of option 125
+		while [ $sub_data_len -gt 0 ]; do
+			# get the suboption id
+			sub_opt_id=${sub_data:0:2}
+			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
+
+			# get the length of suboption
+			sub_opt_len=${sub_data:2:2}
+			sub_opt_len=$(printf "%d\n" "0x$sub_opt_len")
+			sub_opt_len=$(( sub_opt_len * 2 ))
+
+			# get the value of sub option starting 4 means starting after length
+			sub_opt_val=${sub_data:4:${sub_opt_len}}
+
+			# assign the value found in sub option
+			case "${sub_opt_id}" in
+				"4")
+				OUI=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				GW_DISCOVERED=1
+				;;
+				"5")
+				SERIAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				GW_DISCOVERED=1
+				;;
+				"6")
+				CLASS=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				GW_DISCOVERED=1
+				;;
+			esac
+
+			# add 2 bytes for sub_opt id and sub_opt len field
+			sub_opt_end=$(( sub_opt_len + 4 ))
+
+			# update the remaining sub option hex string length
+			sub_data_len=$((sub_data_len - sub_opt_end))
+
+			# fetch next sub option hex string
+			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+		done
+
+		# move ahead data to next enterprise id
+		data=${data:"${data_len}":"${rem_len}"}
+		rem_len=$(( rem_len - data_len ))
+	done
+}
+
+send_host_query() {
+	intf="${1}"
+	resp=1
+	loop=3
+	usp_serv_found=0
+	sent_host=" "
+
+	ubus call umdns update
+	while [ "${loop}" -ne 0 ]; do
+		sleep 5
+
+		json_load "$(ubus call umdns browse)"
+		json_select discovered_services
+		if [ "${?}" -ne 0 ]; then
+			json_cleanup
+			loop=$(( loop - 1 ))
+			continue
+		fi
+
+		json_select _usp-agt-mqtt._tcp
+		if [ "${?}" -ne 0 ]; then
+			json_cleanup
+			loop=$(( loop - 1 ))
+			continue
+		fi
+
+		usp_serv_found=1
+		break
+	done
+
+	if [ "${usp_serv_found}" -eq 0 ]; then
+		echo "${resp}"
+		return 0
+	fi
+
+	json_get_keys keys
+	for key in $keys; do
+		json_select $key
+		json_get_var _host host ""
+
+		if [ -z "${_host}" ] || [[ "${sent_host}" =~ " ${_host}" ]]; then
+			json_select ..
+			continue
+		fi
+
+		sent_host="${sent_host} ${_host}"
+		cmd="ubus call umdns query '{\"question\":\"$_host\",\"interface\":\"$intf\"}'"
+		eval $cmd
+		resp=0
+		json_select ..
+	done
+
+	json_cleanup
+	echo "${resp}"
+}
+
+get_usp_agent_id() {
+	dhcp_ip="${1}"
+	family="ipv4"
+	ID=""
+
+	if [[ "${dhcp_ip}" =~ ":" ]]; then
+		family="ipv6"
+	fi
+
+	json_load "$(ubus call umdns browse)"
+	json_select discovered_services
+	if [ "${?}" -ne 0 ]; then
+		json_cleanup
+		echo ${ID}
+		return 0
+	fi
+
+	json_select _usp-agt-mqtt._tcp
+	if [ "${?}" -ne 0 ]; then
+		json_cleanup
+		echo ${ID}
+		return 0
+	fi
+
+	json_get_keys keys
+	for key in $keys; do
+		json_select $key
+		json_select $family
+		if [ "${?}" -ne 0 ]; then
+			json_select ..
+			continue
+		fi
+
+		json_get_keys ips
+		for ip in $ips; do
+			json_get_var ip_val $ip
+			if [ "${ip_val}" != "${dhcp_ip}" ]; then
+				continue
+			fi
+
+			json_select ..
+			json_select txt
+			json_get_keys txts
+			for _txt in $txts; do
+				json_get_var text_val $_txt
+				if [[ "${text_val:0:3}" == "ID=" ]]; then
+					ID="${text_val:3}"
+					break
+				fi
+			done
+
+			break
+		done
+
+		json_select ..
+		json_select ..
+
+		if [ -n "${ID}" ]; then
+			break
+		fi
+	done
+
+	json_cleanup
+	echo ${ID}
+}
+
+get_mac_address() {
+	ip="${1}"
+	device="${2}"
+
+	mac="$(cat /proc/net/arp | grep $ip | awk '{print $4}')"
+	if [ -z "${mac}" ]; then
+		arp_resp="$(arping -b -f -c 5 -I $device $ip | grep 'Unicast reply from' | awk '{print $5}')"
+		if [ -n "${arp_resp}" ]; then
+			mac=${arp_resp:1:-1}
+		fi
+	fi
+
+	echo "${mac}"
+}
+
+send_unknown_gw_event() {
+	mac="${1}"
+
+	cmd="ubus -t 5 send gateway-info.gateway.unknown '{\"hwaddr\":\"$mac\"}'"
+	eval $cmd
+}
+
+send_cwmp_gw_event() {
+	oui="${1}"
+	class="${2}"
+	serial="${3}"
+
+	cmd="ubus -t 5 send gateway-info.gateway.cwmp '{\"oui\":\"$oui\",\"class\":\"$class\",\"serial\":\"$serial\"}'"
+	eval $cmd
+}
+
+send_usp_gw_event() {
+	endpoint="${1}"
+
+	cmd="ubus -t 5 send gateway-info.gateway.usp '{\"endpoint\":\"$endpoint\"}'"
+	eval $cmd
+}
+
+config_load gateway
+config_get_bool enable global enable '1'
+config_get wan_intf global wan_interface "wan"
+
+if [ "${enable}" -eq 0 ]; then
+	return 0
+fi
+
+if [ "${wan_intf}" == "${INTERFACE}" ]; then
+	if [ "${1}" == "deconfig" ]; then
+		rm -rf /var/state/gwinfo
+		return 0
+	fi
+
+	json_load "$(ifstatus ${INTERFACE})"
+	json_get_var dev_name device ""
+	json_select data
+	json_get_var dhcp_ip dhcpserver ""
+	json_cleanup
+
+	if [ -z "${dhcp_ip}" ] || [ -z "${dev_name}" ]; then
+		return 0
+	fi
+
+	MAC="$(get_mac_address $dhcp_ip $dev_name)"
+
+	mkdir -p /var/state
+	touch /var/state/gwinfo
+	sec=$(uci -q -c /var/state get gwinfo.gatewayinfo)
+	if [ -z "${sec}" ]; then
+		sec=$(uci -q -c /var/state add gwinfo gatewayinfo)
+		uci -q -c /var/state rename gwinfo."${sec}"="gatewayinfo"
+	fi
+
+	uci -q -c /var/state set gwinfo.gatewayinfo.hwaddr="$MAC"
+	uci -q -c /var/state set gwinfo.gatewayinfo.endpoint=""
+	uci -q -c /var/state set gwinfo.gatewayinfo.class=""
+	uci -q -c /var/state set gwinfo.gatewayinfo.oui=""
+	uci -q -c /var/state set gwinfo.gatewayinfo.serial=""
+	uci -q -c /var/state set gwinfo.gatewayinfo.proto=""
+	uci -q -c /var/state commit gwinfo
+
+	if [ -z "$opt125" ]; then
+		send_unknown_gw_event "${MAC}"
+		return 0
+	fi
+
+	len=$(printf "$opt125"|wc -c)
+	get_vivsoi "$opt125" "$len"
+
+	if [ "${GW_DISCOVERED}" -eq 0 ]; then
+		send_unknown_gw_event "${MAC}"
+		return 0
+	fi
+
+	uci -q -c /var/state set gwinfo.gatewayinfo.class="$CLASS"
+	uci -q -c /var/state set gwinfo.gatewayinfo.oui="$OUI"
+	uci -q -c /var/state set gwinfo.gatewayinfo.serial="$SERIAL"
+	uci -q -c /var/state set gwinfo.gatewayinfo.proto="CWMP"
+	uci -q -c /var/state commit gwinfo
+
+	# Check for USP parameters
+	ubus -t 15 wait_for umdns
+	if [ "${?}" -ne 0 ]; then
+		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
+		return 0
+	fi
+
+	resp=$(send_host_query $dev_name)
+	if [ "${resp}" -ne 0 ]; then
+		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
+		return 0
+	fi
+
+	ID="$(get_usp_agent_id $dhcp_ip)"
+	if [ -z "${ID}" ]; then
+		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
+		return 0
+	fi
+
+	uci -q -c /var/state set gwinfo.gatewayinfo.endpoint="$ID"
+	uci -q -c /var/state set gwinfo.gatewayinfo.proto="USP"
+	uci -q -c /var/state commit gwinfo
+
+	send_usp_gw_event "${ID}"
+fi

gryphon-led-module/Makefile

@@ -18,7 +18,8 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=gryphon-led-kernel-module
-PKG_RELEASE:=1
+PKG_VERSION:=1.0.0
+PKG_LICENSE:=GPL-2.0
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -26,41 +27,18 @@ define KernelPackage/$(PKG_NAME)
   SUBMENU:=LED modules
   TITLE:=LED driver for Gryphon
   FILES:=$(PKG_BUILD_DIR)/$(PKG_NAME).$(LINUX_KMOD_SUFFIX)
-  KCONFIG:=CONFIG_PACKAGE_kmod-gryphon-led-kernel-module=y
   AUTOLOAD:=$(call AutoLoad,60,$(PKG_NAME))
-  DEPENDS:= +(TARGET_brcmbca):bcm963xx-bsp
-  PKG_LICENSE:=GPLv2
-  PKG_LICENSE_URL:=
 endef
 
 define KernelPackage/$(PKG_NAME)/description
   This package contains the LED driver for Gryphon devices.
 endef
 
-EXTRA_KCONFIG:= CONFIG_RGB_LED=m
-
-MODULE_INCLUDE=-I$(PKG_BUILD_DIR)
-
 # support compilation against BCM SDK kernel
-include ../../broadcom/bcmkernel/bcm-kernel-toolchain.mk
-
-define Build/Prepare
-	mkdir -p $(PKG_BUILD_DIR)/kdevlinks/
-	$(CP) -s `pwd`/src/* $(PKG_BUILD_DIR)/kdevlinks/
-	$(CP) src/* $(PKG_BUILD_DIR)
-endef
+-include ../../broadcom/bcmkernel/bcm-kernel-toolchain.mk
 
 define Build/Compile
-	$(MAKE) -C "$(LINUX_DIR)" \
-		CROSS_COMPILE="$(TARGET_CROSS)" \
-		ARCH="$(LINUX_KARCH)" \
-		SUBDIRS="$(PKG_BUILD_DIR)" \
-		EXTRA_CFLAGS="-DKERNEL_MODULE $(BUILDFLAGS) -I$(LINUX_DIR)/include -include generated/autoconf.h $(MODULE_INCLUDE)" \
-		modules
-endef
-
-define Build/InstallDev
-	$(INSTALL_DIR) $(1)/usr/include
+	$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)" modules
 endef
 
 $(eval $(call KernelPackage,$(PKG_NAME)))

gryphon-led-module/src/main.c

@@ -28,6 +28,7 @@
 #include <linux/gpio/consumer.h>
 #include <linux/of.h>
 #include <linux/version.h>
+#include <linux/string.h>
 
 #include "sk9822.h"
 
@@ -46,11 +47,6 @@ static ssize_t get_led_color(struct device *dev,
 	int len;
 	struct sk9822_leds *sk9822 = dev_get_drvdata(dev);
 
-	if (IS_ERR(sk9822)) {
-		printk(KERN_ERR "Platform get drvdata returned NULL\n");
-		return -EIO;
-	}
-
 	len = scnprintf(buf, PAGE_SIZE, "%02x%02x%02x\n", sk9822->led_colors[0].r, sk9822->led_colors[0].g, sk9822->led_colors[0].b);
 	if (len <= 0) {
 		dev_err(dev, "sk9822: Invalid sprintf len: %d\n", len);
@@ -73,11 +69,6 @@ static ssize_t set_led_color(struct device *dev,
 	size_t buflen = count;
 	struct sk9822_leds *sk9822 = dev_get_drvdata(dev);
 
-	if (IS_ERR(sk9822)) {
-		printk(KERN_ERR "Platform get drvdata returned NULL\n");
-		return -EIO;
-	}
-
 	/* strip newline */
 	if ((count > 0) && (buf[count-1] == '\n')) {
 		buflen--;
@@ -111,11 +102,6 @@ static ssize_t get_led_brightness(struct device *dev,
 	int len;
 	struct sk9822_leds *sk9822 = dev_get_drvdata(dev);
 
-	if (IS_ERR(sk9822)) {
-		printk(KERN_ERR "Platform get drvdata returned NULL\n");
-		return -EIO;
-	}
-
 	len = scnprintf(buf, PAGE_SIZE, "%x\n", sk9822->led_brightness);
 	if (len <= 0) {
 		dev_err(dev, "sk9822: Invalid sprintf len: %d\n", len);
@@ -138,11 +124,6 @@ static ssize_t set_led_brightness(struct device *dev,
 	struct sk9822_leds *sk9822 = dev_get_drvdata(dev);
 	unsigned long val = SK9822_DEFAULT_BRIGHTNESS;
 
-	if (IS_ERR(sk9822)) {
-		printk(KERN_ERR "Platform get drvdata returned NULL\n");
-		return -EIO;
-	}
-
 	if (kstrtoul(buf, 16, &val)) {
 		return -EINVAL;
 	}
@@ -209,49 +190,33 @@ static int canyon_led_probe(struct platform_device *pdev)
 
 	platform_set_drvdata(pdev, leds);
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
-	leds->clock_gpio = gpiod_get_index(&pdev->dev, "led", 0);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
-	leds->clock_gpio = gpiod_get_index(&pdev->dev, "led", 0, GPIOD_OUT_HIGH);
-#else
-	dev_warn(&pdev->dev, "Kernel version Not supported\n");
-	exit(1);
-#endif
+	leds->clock_gpio = devm_gpiod_get_index(&pdev->dev, "led", 0, GPIOD_OUT_HIGH);
 	if (IS_ERR(leds->clock_gpio)) {
 		dev_err(&pdev->dev, "Failed to acquire clock GPIO %ld\n",
 				PTR_ERR(leds->clock_gpio));
 		return PTR_ERR(leds->clock_gpio);
 	}
 
-	gpiod_direction_output(leds->clock_gpio, 1);
-	if (IS_ERR(leds->clock_gpio)) {
-		dev_err(&pdev->dev, "Failed to acquire clock GPIO %ld\n",
-				PTR_ERR(leds->clock_gpio));
-		return PTR_ERR(leds->clock_gpio);
+	ret = gpiod_direction_output(leds->clock_gpio, 1);
+	if (ret) {
+		dev_err(&pdev->dev, "Failed to set clock GPIO output %d\n", ret);
+		return ret;
 	} else {
 		printk(KERN_INFO "Got clock gpio\n");
 		gpiod_set_value(leds->clock_gpio, 0);
 	}
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
-	leds->data_gpio = gpiod_get_index(&pdev->dev, "led", 1);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
-	leds->data_gpio = gpiod_get_index(&pdev->dev, "led", 1, GPIOD_OUT_HIGH);
-#else
-	dev_warn(&pdev->dev, "Kernel version Not supported\n");
-	exit(1);
-#endif
+	leds->data_gpio = devm_gpiod_get_index(&pdev->dev, "led", 1, GPIOD_OUT_HIGH);
 	if (IS_ERR(leds->data_gpio)) {
 		dev_err(&pdev->dev, "Failed to acquire data GPIO %ld\n",
 				PTR_ERR(leds->data_gpio));
 		return PTR_ERR(leds->data_gpio);
 	}
 
-	gpiod_direction_output(leds->data_gpio, 1);
-	if (IS_ERR(leds->data_gpio)) {
-		dev_err(&pdev->dev, "Failed to acquire data GPIO %ld\n",
-				PTR_ERR(leds->data_gpio));
-		return PTR_ERR(leds->data_gpio);
+	ret = gpiod_direction_output(leds->data_gpio, 1);
+	if (ret) {
+		dev_err(&pdev->dev, "Failed to set data GPIO output %d\n", ret);
+		return ret;
 	} else {
 		printk(KERN_INFO "Got data gpio\n");
 		gpiod_set_value(leds->data_gpio, 0);
@@ -264,45 +229,31 @@ static int canyon_led_probe(struct platform_device *pdev)
 		return ret;
 	}
 
-#if 0
-	printk(KERN_INFO "Flash LEDs to verify they work\n");
-	sk9822_set_color_str(leds, "00FF00");
-	sk9822_update(leds);
-	msleep(200);
-	sk9822_set_color_str(leds, "000000");
-	sk9822_update(leds);
-#endif
-
 	printk(KERN_INFO "canyon led successfully probed\n");
 
 	return 0;
 }
 
+static void canyon_led_off(struct sk9822_leds *leds)
+{
+	leds->led_brightness = 0;
+	memset(leds->led_colors, 0, sizeof(cRGB) * leds->led_count);
+	sk9822_update(leds);
+}
+
 static int canyon_led_remove(struct platform_device *pdev)
 {
-	struct sk9822_leds *leds;
-
 	sysfs_remove_group(&pdev->dev.kobj, &sk9822_dev_attr_group);
-
-	leds = platform_get_drvdata(pdev);
-	if (IS_ERR(leds)) {
-		printk(KERN_ERR "Platform get drvdata returned NULL\n");
-		return -1;
-	}
-
-	if (leds->clock_gpio) {
-		gpiod_put(leds->clock_gpio);
-	}
-
-	if (leds->data_gpio) {
-		gpiod_put(leds->data_gpio);
-	}
-
-	printk(KERN_NOTICE "Bye, bye\n");
+	canyon_led_off(platform_get_drvdata(pdev));
 
 	return 0;
 }
 
+static void canyon_led_shutdown(struct platform_device *pdev)
+{
+	canyon_led_off(platform_get_drvdata(pdev));
+}
+
 /**
  * platform driver metadata
  */
@@ -315,6 +266,7 @@ static const struct of_device_id canyon_led_of_ids[] = {
 static struct platform_driver canyon_led = {
 	.probe = &canyon_led_probe,
 	.remove = &canyon_led_remove,
+	.shutdown = &canyon_led_shutdown,
 	.driver = {
 		.name = DRIVER_NAME,
 		.owner = THIS_MODULE,

hostmngr/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostmngr
-PKG_VERSION:=1.2.14
+PKG_VERSION:=1.2.16
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=6ea9fdb38a8e067b850841d6e7f7266bf76c363a
+PKG_SOURCE_VERSION:=3b50823da3f2904191332634c1e45d46090def1d
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/hostmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -77,7 +77,7 @@ define Package/hostmngr/install
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/bbf_plugin/libhostmngr.so $(1) $(PKG_NAME)
 
 ifeq ($(CONFIG_HOSTMNGR_DATAMODEL_EXT),y)
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/bbf_plugin/libhostext.so $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/bbf_plugin/libhostext.so $(1) $(PKG_NAME) 10
 endif
 
 endef

hostmngr/files/scripts/hosts_acl.sh

@@ -271,14 +271,14 @@ touch $ACL_FILE
 echo "iptables -w -F hosts_forward" >> $ACL_FILE
 echo "ip6tables -w -F hosts_forward" >> $ACL_FILE
 
-hosts_ipv4_forward=$(iptables -t filter --list -n | grep hosts_forward)
+hosts_ipv4_forward=$(iptables -w -t filter --list -n | grep hosts_forward)
 if [ -z "$hosts_ipv4_forward" ]; then
 	echo "iptables -w -t filter -N hosts_forward" >> $ACL_FILE
 	ret=$?
 	[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j hosts_forward" >> $ACL_FILE
 fi
 
-hosts_ipv6_forward=$(ip6tables -t filter --list -n | grep hosts_forward)
+hosts_ipv6_forward=$(ip6tables -w -t filter --list -n | grep hosts_forward)
 if [ -z "$hosts_ipv6_forward" ]; then
 	echo "ip6tables -w -t filter -N hosts_forward" >> $ACL_FILE
 	ret=$?

icwmp/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020-2023 IOPSYS Software Solutions AB
+# Copyright (C) 2020-2025 IOPSYS Software Solutions AB
 #
 # This is free software, licensed under the BSD-3-Clause
 # See /LICENSE for more information.
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.8.29
+PKG_VERSION:=9.8.41
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=4075ec2c530fb1590aa484f98ed37c9dda5216f5
+PKG_SOURCE_VERSION:=1e192605446b420c103a08e8a145be114ebdcabc
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -72,14 +72,14 @@ define Package/icwmp/install
 	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/90-cwmpfirewall $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/95-set-random-inform-time $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/85-migrate-gw-info $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/icwmpd/vendor_log.sh $(1)/etc/icwmpd/vendor_log.sh
 	$(INSTALL_BIN) ./files/etc/icwmpd/firewall.cwmp $(1)/etc/icwmpd/firewall.cwmp
 	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/icwmp $(1)/lib/upgrade/keep.d/icwmp
-	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_icwmp_opt125.user $(1)/etc/udhcpc.user.d/udhcpc_icwmp_opt125.user
 	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_icwmp_opt43.user $(1)/etc/udhcpc.user.d/udhcpc_icwmp_opt43.user
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/libcwmpdm.so $(1) $(PKG_NAME)
-	$(BBFDM_INSTALL_MS_PLUGIN) ./files/etc/bbfdm/json/CWMPManagementServer.json $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_PLUGIN) ./files/etc/bbfdm/json/CWMPManagementServer.json $(1) $(PKG_NAME) 20
 endef
 
 $(eval $(call BuildPackage,icwmp))

icwmp/files/etc/config/cwmp

@@ -13,11 +13,15 @@ config acs 'acs'
 	#­ possible configs interval :[1000:65535]
 	option retry_interval_multiplier '2000'
 	option skip_dhcp_boot_options '0'
+	option insecure_enable '0'
+	option get_rpc_methods '0'
 
 config cpe 'cpe'
 	option enable '1'
 	option default_wan_interface 'wan'
 	option default_lan_interface 'lan'
+	#option client_cert_path '/etc/icwmpd/client.pem'
+	#option client_key_path '/etc/icwmpd/client.key'
 	option log_to_console 'disable'
 	option log_to_file 'disable'
 	# log_severity possible configs: EMERG, ALERT, CRITIC ,ERROR, WARNING, NOTICE, INFO, DEBUG
@@ -38,9 +42,9 @@ config cpe 'cpe'
 	option periodic_notify_interval '10'
 	option incoming_rule 'Port_Only'
 	option active_notif_throttle '0'
-	option disable_gatewayinfo '0'
 	option fw_upgrade_keep_settings '1'
 	option clock_sync_timeout '128'
+	option disable_datatype_check '0'
 	
 config lwn 'lwn'
 	option enable '0'

icwmp/files/etc/init.d/icwmpd

@@ -73,231 +73,6 @@ enable_dhcp_option43() {
 	fi
 }
 
-convert_to_hex() {
-	local val=""
-	local optval="${1}"
-	OPTIND=1
-	while getopts ":" opt "-$optval"
-	do
-		temp=$(printf "%02X" "'${OPTARG:-:}")
-		val="${val}:${temp}"
-	done
-
-	echo "${val}"
-}
-
-configure_send_op125() {
-	local sendopt="${1}"
-	local intf="${2}"
-	local uci="${3}"
-	local hex_oui=""
-	local hex_serial=""
-	local hex_class=""
-	local oui_len=0
-	local serial_len=0
-	local class_len=0
-
-	if [ "${uci}" = "network" ]; then
-		local opt125="125:00:00:0D:E9"
-	else
-		if [ -z "${sendopt}" ]; then
-			local opt125="125,00:00:0D:E9"
-		else
-			local opt125=":00:00:0D:E9"
-		fi
-	fi
-
-	config_get oui cpe manufacturer_oui ""
-	if [ -z "${oui}" ]; then
-		oui=$(db -q get device.deviceinfo.ManufacturerOUI)
-	fi
-
-	oui=$(echo "${oui}" | tr 'a-f' 'A-F')
-
-	config_get serial cpe serial_number ""
-	if [ -z "${serial}" ]; then
-		serial=$(db -q get device.deviceinfo.SerialNumber)
-	fi
-
-	config_get class cpe product_class ""
-	if [ -z "${class}" ]; then
-		class=$(db -q get device.deviceinfo.ProductClass)
-	fi
-
-	oui_len=$(echo -n "${oui}" | wc -m)
-	serial_len=$(echo -n "${serial}" | wc -m)
-	class_len=$(echo -n "${class}" | wc -m)
-
-	if [ "${oui_len}" -eq 0 ] || [ "${serial_len}" -eq 0 ]; then
-		return 0
-	fi
-
-	opt125_len=$((oui_len + serial_len + class_len))
-	if [ "${class_len}" -gt 0 ]; then
-		opt125_len=$((opt125_len + 6))
-	else
-		opt125_len=$((opt125_len + 4))
-	fi
-
-	hex_opt125_len=$(printf "%02X" "${opt125_len}")
-	opt125="${opt125}:${hex_opt125_len}"
-	hex_oui=$(convert_to_hex "${oui}")
-	if [ -z "${hex_oui}" ]; then
-		return 0
-	fi
-
-	hex_oui_len=$(printf "%02X" "${oui_len}")
-	if [ "${uci}" = "network" ]; then
-		opt125="${opt125}:01:${hex_oui_len}${hex_oui}"
-	else
-		opt125="${opt125}:04:${hex_oui_len}${hex_oui}"
-	fi
-
-	hex_serial=$(convert_to_hex "${serial}")
-	if [ -z "${hex_serial}" ]; then
-		return 0
-	fi
-
-	hex_serial_len=$(printf "%02X" "${serial_len}")
-	if [ "${uci}" = "network" ]; then
-		opt125="${opt125}:02:${hex_serial_len}${hex_serial}"
-	else
-		opt125="${opt125}:05:${hex_serial_len}${hex_serial}"
-	fi
-
-	if [ "${class_len}" -gt 0 ]; then
-		hex_class=$(convert_to_hex "${class}")
-		if [ -z "${hex_class}" ]; then
-			return 0
-		fi
-
-		hex_class_len=$(printf "%02X" "${class_len}")
-		if [ "${uci}" = "network" ]; then
-			opt125="${opt125}:03:${hex_class_len}${hex_class}"
-		else
-			opt125="${opt125}:06:${hex_class_len}${hex_class}"
-		fi
-	fi
-
-
-	if [ "${uci}" = "network" ]; then
-		new_send_opt="$sendopt $opt125"
-		uci -q set network."${intf}".sendopts="$new_send_opt"
-	else
-		new_send_opt="$sendopt$opt125"
-		uci -q add_list dhcp."${intf}".dhcp_option="$new_send_opt"
-	fi
-}
-
-check_for_suboptions() {
-	# Check if option 4 and 5 present inside enterprise id 3561
-	data=$(echo "${1}" | sed 's/://g')
-	len=$(printf "${data}"|wc -c)
-
-	rem_len="${len}"
-	while [ $rem_len -gt 8 ]; do
-		subopt_present=0
-
-		ent_id="${data:0:8}"
-		ent_id=$(printf "%d\n" "0x$ent_id")
-		if [ $ent_id -ne 3561 ]; then
-			len_val=${data:8:2}
-			data_len=$(printf "%d\n" "0x$len_val")
-			# add 4 byte for ent_id and 1 byte for len
-			data_len=$(( data_len * 2 + 10 ))
-			# move ahead data to next enterprise id
-			data=${data:"${data_len}":"${rem_len}"}
-			rem_len=$(( rem_len - data_len ))
-			continue
-		fi
-
-		# read the length of enterprise data
-		len_val=${data:8:2}
-		data_len=$(printf "%d\n" "0x$len_val")
-		# add 4 byte for ent_id and 1 byte for len
-		data_len=$(( data_len * 2 + 10 ))
-
-		len_val=${data:8:2}
-		opt_len=$(printf "%d\n" "0x$len_val")
-		if [ $opt_len -eq 0 ]; then
-			echo ${subopt_present}
-			return 0
-		fi
-
-		# populate the option data of enterprise id
-		sub_data_len=$(( opt_len * 2))
-		# starting 10 means ahead of length field
-		sub_data=${data:10:"${sub_data_len}"}
-
-		# parsing of suboption of option 125
-		while [ $sub_data_len -gt 0 ]; do
-			# get the suboption id
-			sub_opt_id=${sub_data:0:2}
-			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
-			case "${sub_opt_id}" in
-			"4") subopt_present=1
-			;;
-			"5") subopt_present=1
-			;;
-			esac
-
-			if [ ${subopt_present} -eq 1 ]; then
-				break;
-			fi
-
-			# get the length of suboption
-			sub_opt_len=${sub_data:2:2}
-			sub_opt_len=$(printf "%d\n" "0x$sub_opt_len")
-			sub_opt_len=$(( sub_opt_len * 2 ))
-
-			# add 2 bytes for sub_opt id and sub_opt len field
-			sub_opt_end=$(( sub_opt_len + 4 ))
-
-			# update the remaining sub option hex string length
-			sub_data_len=$((sub_data_len - sub_opt_end))
-
-			# fetch next sub option hex string
-			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
-		done
-
-		if [ ${subopt_present} -eq 1 ]; then
-			break;
-		else
-			# move ahead data to next enterprise id
-			rem_len=$(( rem_len - $data_len ))
-			data=${data:"${data_len}":"${rem_len}"}
-		fi
-	done
-
-	echo ${subopt_present}
-}
-
-enable_dnsmasq_option125() {
-	local lan="${1}"
-	local send125_present=0
-	local opt125="125,"
-
-	local proto="$(uci -q get dhcp."${lan}".dhcpv4)"
-	if [ "${proto}" = "server" ]; then
-		opt_list="$(uci -q get dhcp."${lan}".dhcp_option)"
-		base_opt=""
-
-		for sopt in $opt_list; do
-			if [[ "$sopt" == "$opt125"* ]]; then
-				send125_present=$(check_for_suboptions "${sopt:4}")
-				base_opt="${sopt}"
-				break
-			fi
-		done
-
-		if [ ${send125_present} -eq 0 ]; then
-			uci -q del_list dhcp."${lan}".dhcp_option="${base_opt}"
-			configure_send_op125 "${base_opt}" "${lan}" "dhcp"
-			ubus call uci commit '{"config":"dhcp"}'
-		fi
-	fi
-}
-
 set_vendor_id() {
 	local wan="${1}"
 	local proto="$(uci -q get network."${wan}".proto)"
@@ -314,51 +89,6 @@ set_vendor_id() {
 	fi
 }
 
-enable_dhcp_option125() {
-	local wan="${1}"
-	local reqopts="$(uci -q get network."${wan}".reqopts)"
-	local sendopts="$(uci -q get network."${wan}".sendopts)"
-	local proto="$(uci -q get network."${wan}".proto)"
-	local newreqopts=""
-	local newsendopts=""
-	local req125_present=0
-	local send125_present=0
-	local network_uci_update=0
-	local opt125="125:"
-
-	for ropt in $reqopts; do
-		case $ropt in
-			125) req125_present=1 ;;
-			*) ;;
-		esac
-	done
-
-	for sopt in $sendopts; do
-		if [[ "$sopt" == "$opt125"* ]]; then
-			send125_present=1
-			break
-		fi
-	done
-
-	if [ "${proto}" = "dhcp" ]; then
-		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
-			uci -q set network."${wan}".reqopts="$newreqopts"
-			network_uci_update=1
-		fi
-
-		if [ ${send125_present} -eq 0 ]; then
-			configure_send_op125 "${sendopts}" "${wan}" "network"
-			network_uci_update=1
-		fi
-	fi
-
-	if [ ${network_uci_update} -eq 1 ]; then
-		uci commit network
-		ubus call network reload
-	fi
-}
-
 wait_for_resolvfile() {
 	local time=$1
 	local tm=1
@@ -481,13 +211,10 @@ validate_defaults() {
 }
 
 boot() {
-	local dhcp_discovery wan_interface skip_dhcp_boot_options disable_gatewayinfo
+	local dhcp_discovery wan_interface skip_dhcp_boot_options
 
 	config_load cwmp
 	config_get wan_interface cpe default_wan_interface "wan"
-	config_get disable_gatewayinfo cpe disable_gatewayinfo "0"
-
-	config_get dhcp_discovery acs dhcp_discovery "0"
 	config_get dhcp_discovery acs dhcp_discovery "0"
 	config_get skip_dhcp_boot_options acs skip_dhcp_boot_options "0"
 
@@ -500,15 +227,6 @@ boot() {
 		fi
 	fi
 
-	config_get lan_interface cpe default_lan_interface ""
-	if [ -n "${lan_interface}" ]; then
-		if [ "${disable_gatewayinfo}" -ne 1 ]; then
-			# Set dhcp_option 125 if not already configured
-			enable_dhcp_option125 "${wan_interface}"
-			enable_dnsmasq_option125 "${lan_interface}"
-		fi
-	fi
-	
 	config_get ssl_capath acs ssl_capath
 
 	if [ -n "${ssl_capath}" ]; then
@@ -545,7 +263,14 @@ start_service() {
 
 stop_service()
 {
+	local switch_bank
+
 	copy_cwmp_varstate_files_to_etc
+	
+	switch_bank=$(uci -q -c /var/state/ get icwmp.cpe.switch_bank)
+	if [ -n "$switch_bank" ] && [ "$switch_bank" = "1" ]; then
+		[ -x /etc/sysmngr/fwbank ] && /etc/sysmngr/fwbank call copy_config
+	fi
 }
 
 reload_service() {

icwmp/files/etc/uci-defaults/85-migrate-gw-info

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Script to migrate gateway-info options to gateway uci
+if [ ! -f "/etc/config/cwmp" ] && [ ! -f "/etc/config/gateway" ]; then
+	exit 0
+fi
+
+val="$(uci -q get cwmp.cpe.disable_gatewayinfo)"
+
+if [ -n "$val" ] && [ "$val" -eq 1 ]; then
+	uci -q set gateway.global.enable=0
+fi
+
+uci -q set cwmp.cpe.disable_gatewayinfo=""

icwmp/files/etc/udhcpc.user.d/udhcpc_icwmp_opt125.user

@@ -1,139 +0,0 @@
-#!/bin/sh
-
-. /lib/functions.sh
-
-CLASS=""
-OUI=""
-SERIAL=""
-
-get_vivsoi() {
-	# opt125 environment variable has data in below format
-	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	# |	 enterprise-number1	  |
-	# |				  |
-	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	# |   data-len1   |		  |
-	# +-+-+-+-+-+-+-+-+ option-data1  |
-	# /				  /
-	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -----
-	# |	 enterprise-number2	  |   ^
-	# |				  |   |
-	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
-	# |   data-len2   |		  | optional
-	# +-+-+-+-+-+-+-+-+ option-data2  |   |
-	# /				  /   |
-	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
-	# ~	       ...		  ~   V
-	# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -----
-
-	#  Enterprise Id  Len  Sub Op  SLen  Data Sub Op  SLen Data	  Sub Op  SLen Data
-	# +-------------+-----+------+------+----+------+-----+----+-----+------+-----+----+
-	# |	id    |  n  |	1  |  n1  | D1 |   2  |  n2 | D2 | ... |   6  |  n6 | D6 |
-	# +-------------+-----+------+------+----+------+-----+----+-----+------+-----+----+
-
-	local opt125="$1"
-	local len="$2"
-	local ent_id
-
-	#hex-string 2 character=1 Byte
-	# length in hex string will be twice of actual Byte length
-	[ "$len" -gt "8" ] || return
-
-	data="${opt125}"
-	rem_len="${len}"
-	while [ $rem_len -gt 0 ]; do
-		ent_id=${data:0:8}
-		ent_id=$(printf "%d\n" "0x$ent_id")
-
-		if [ $ent_id -ne  3561 ]; then
-			len_val=${data:8:2}
-			data_len=$(printf "%d\n" "0x$len_val")
-			# add 4 byte for ent_id and 1 byte for len
-			data_len=$(( data_len * 2 + 10 ))
-			# move ahead data to next enterprise id
-			data=${data:"${data_len}":"${rem_len}"}
-			rem_len=$(( rem_len - $data_len ))
-			continue
-		fi
-
-		# read the length of enterprise data
-		len_val=${data:8:2}
-		data_len=$(printf "%d\n" "0x$len_val")
-		# add 4 byte for ent_id and 1 byte for len
-		data_len=$(( data_len * 2 + 10 ))
-
-		opt_len=$(printf "%d\n" "0x$len_val")
-		[ $opt_len -eq 0 ] && return
-
-		# populate the option data of enterprise id
-		sub_data_len=$(( opt_len * 2))
-		# starting 10 means ahead of length field
-		sub_data=${data:10:"${sub_data_len}"}
-
-		# parsing of suboption of option 125
-		while [ $sub_data_len -gt 0 ]; do
-			# get the suboption id
-			sub_opt_id=${sub_data:0:2}
-			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
-
-			# get the length of suboption
-			sub_opt_len=${sub_data:2:2}
-			sub_opt_len=$(printf "%d\n" "0x$sub_opt_len")
-			sub_opt_len=$(( sub_opt_len * 2 ))
-
-			# get the value of sub option starting 4 means starting after length
-			sub_opt_val=${sub_data:4:${sub_opt_len}}
-
-			# assign the value found in sub option
-			case "${sub_opt_id}" in
-				"4") OUI=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
-				;;
-				"5") SERIAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
-				;;
-				"6") CLASS=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
-				;;
-			esac
-
-			# add 2 bytes for sub_opt id and sub_opt len field
-			sub_opt_end=$(( sub_opt_len + 4 ))
-
-			# update the remaining sub option hex string length
-			sub_data_len=$((sub_data_len - sub_opt_end))
-
-			# fetch next sub option hex string
-			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
-		done
-
-		# move ahead data to next enterprise id
-		data=${data:"${data_len}":"${rem_len}"}
-		rem_len=$(( rem_len - data_len ))
-	done
-}
-
-config_load cwmp
-config_get_bool enable_cwmp cpe enable 1
-config_get wan_intf cpe default_wan_interface "wan"
-
-if [ "$enable_cwmp" = "0" ]; then
-	return 0
-fi
-
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
-	if [ -n "$opt125" ]; then
-		len=$(printf "$opt125"|wc -c)
-		get_vivsoi "$opt125" "$len"
-	fi
-
-	mkdir -p /var/state
-	touch /var/state/icwmp
-	sec=$(uci -q -c /var/state get icwmp.gatewayinfo)
-	if [ -z "${sec}" ]; then
-		sec=$(uci -q -c /var/state add icwmp gatewayinfo)
-		uci -q -c /var/state rename icwmp."${sec}"="gatewayinfo"
-	fi
-
-	uci -q -c /var/state set icwmp.gatewayinfo.class="$CLASS"
-	uci -q -c /var/state set icwmp.gatewayinfo.oui="$OUI"
-	uci -q -c /var/state set icwmp.gatewayinfo.serial="$SERIAL"
-	uci -q -c /var/state commit icwmp
-fi

ieee1905/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ieee1905
-PKG_VERSION:=8.7.0
+PKG_VERSION:=8.7.4
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=e65188bb2a05cf83f50ecf2ef8042cf75abe94a0
+PKG_SOURCE_VERSION:=c01ef079c78045670a834dbc0fbb937652dd7e70
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

ieee1905/files/etc/uci-defaults/30-set-ieee1905-al-macaddr

@@ -18,5 +18,3 @@ mac=$(uci -q get ieee1905.ieee1905.macaddress)
 [ "$mac" != "" ] && exit 0
 
 uci set ieee1905.ieee1905.macaddress="$LMAC"
-uci commit ieee1905
-

ipt-trigger/Makefile

@@ -24,7 +24,7 @@ define KernelPackage/ipt-trigger
   SUBMENU:=Other modules
   TITLE:=Kernel module for iptables port trigger
   FILES:=$(PKG_BUILD_DIR)/src/ipv4/ipt_TRIGGER.ko
-  DEPENDS+=+kmod-nf-nat +xtables-legacy
+  DEPENDS+=+kmod-nf-nat +kmod-ipt-core
   AUTOLOAD:=$(call AutoLoad,30,ipt_TRIGGER,1)
   KCONFIG:=
 endef
@@ -32,7 +32,7 @@ endef
 define KernelPackage/ip6t-trigger
   SUBMENU:=Other modules
   TITLE:=Kernel module for ip6tables port trigger
-  DEPENDS+=+kmod-nf-nat +xtables-legacy
+  DEPENDS+=+kmod-nf-nat +kmod-ipt-core
   FILES:=$(PKG_BUILD_DIR)/src/ipv6/ip6t_TRIGGER.ko
   AUTOLOAD:=$(call AutoLoad,30,ip6t_TRIGGER,1)
   KCONFIG:=
@@ -46,9 +46,7 @@ define KernelPackage/ip6t-trigger/description
 	Kernel module to enable port trigger for ip6tables
 endef
 
-ifeq ($(CONFIG_TARGET_brcmbca),y)
-	include ../../broadcom/bcmkernel/bcm-kernel-toolchain.mk
-endif
+-include ../../broadcom/bcmkernel/bcm-kernel-toolchain.mk
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -67,8 +65,6 @@ define Build/InstallDev
 	$(CP) $(PKG_BUILD_DIR)/include/ipt_TRIGGER.h $(1)/include/linux/netfilter_ipv4/
 endef
 
-KERNEL_MAKE_FLAGS += -I$(LINUX_DIR)/include
-
 define Build/Compile
 	$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)/src/ipv4/" modules
 	$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)/src/ipv6/" modules

libvoice-airoha/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvoice-airoha
 PKG_RELEASE:=1
-PKG_VERSION:=1.0.12
+PKG_VERSION:=1.1.2
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE
 
@@ -17,7 +17,7 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=68f0b4f3edecea9b8f05e72b6bbf3952d3946b7c
+PKG_SOURCE_VERSION:=1ded9a4bb0f2f8a5f3989799b5500e328e086c99
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+hasVoice=$(db -q get hw.board.hasVoice)
+
+[ "$hasVoice" = "1" ] || exit 0
+
+SLIC=`cat /proc/device-tree/airoha-voice/slic-type`
+[ "${SLIC#pef}" != "${SLIC}" ] || exit 0
+
+echo Configure TxGain and RxGain for MXL SLIC $SLIC
+
+ports=$(db -q get hw.board.VoicePorts)
+for p in $(seq 0 $((ports-1))); do
+    uci set asterisk.extension${p}.txgain='10'
+    uci set asterisk.extension${p}.rxgain='-15'
+done

libwifi/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.9.0
+PKG_VERSION:=7.10.9
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=b4d974c213eb2ad0b98165241b83bbda013ba452
+PKG_SOURCE_VERSION:=b2718296b4312e0bb6bd4cab802453d696a666d2
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git
 PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
@@ -60,11 +60,11 @@ else
   TARGET_CFLAGS +=-DIOPSYS_MAC80211
 endif
 
-ifneq ($(CONFIG_PACKAGE_kmod-mt7915e),)
+ifneq ($(CONFIG_PACKAGE_kmod-mt7915e_en7523),)
   TARGET_CFLAGS=-DMT7915_VENDOR_EXT
 endif
 
-PKG_BUILD_DEPENDS:=PACKAGE_kmod-mt7915e:mt76
+PKG_BUILD_DEPENDS:=PACKAGE_kmod-mt7915e_en7523:mt76_en7523
 
 ifneq ($(CONFIG_PACKAGE_libwifi),)
 TARGET_CFLAGS +=-DHAS_WIFI

linux-pam/Makefile

@@ -0,0 +1,38 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=linux-pam
+PKG_VERSION:=1.7.0
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam.git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_MIRROR_HASH:=skip
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/meson.mk
+
+define Package/linux-pam
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Linux PAM Module
+  DEPENDS:=+libpam
+endef
+
+MESON_ARGS += \
+	-Dprefix=/usr \
+	-Ddefault_library=shared \
+	-Ddocs=disabled \
+	-Deconf=disabled \
+	-Dselinux=disabled \
+	-Dnis=disabled \
+	-Dexamples=false \
+	-Dxtests=false
+
+define Package/linux-pam/install
+	$(INSTALL_DIR) $(1)/usr/lib/security
+	$(INSTALL_DIR) $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/pam_faillock.uci_default $(1)/etc/uci-defaults/99-add_pam_faillock
+endef
+
+$(eval $(call BuildPackage,linux-pam))

linux-pam/files/pam_faillock.uci_default

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+create_faillock_files()
+{
+	# also create files needed by pam_faillock
+	touch /var/log/faillock
+	chmod 700 /var/log/faillock
+	touch /var/log/btmp
+	chmod 700 /var/log/btmp
+}
+
+update_pam_common_auth()
+{
+	local file="/etc/pam.d/common-auth"
+	local deny=6
+	local unlock_time=300
+
+	# update pam_unix.so line
+	sed -i -E 's|^.*pam_unix\.so.*|auth\t sufficient\tpam_unix.so nullok_secure|' "$file"
+
+	# Insert pam_faillock lines before and after pam_unix.so
+	sed -i -E "/pam_unix.so nullok_secure/i auth     required       pam_faillock.so preauth deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+	sed -i -E "/pam_unix.so nullok_secure/a auth     [default=die]  pam_faillock.so authfail audit deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+}
+
+update_pam_common_account()
+{
+	# update account file
+	sed -i "/pam_unix.so/ i account  required       pam_faillock.so" /etc/pam.d/common-account
+}
+
+if [ -f "/usr/lib/security/pam_faillock.so" ]; then
+	update_pam_common_auth
+	update_pam_common_account
+	create_faillock_files
+fi
+
+if [ -f /etc/config/sshd ]; then
+	uci -q set sshd.@sshd[0].UsePAM=1
+	uci commit sshd
+fi
+
+exit 0

logmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=logmngr
-PKG_VERSION:=1.0.8
+PKG_VERSION:=1.0.14
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/logmngr.git
-PKG_SOURCE_VERSION:=7c2056c9f5dc23fd1260846c72210365ec69c882
+PKG_SOURCE_VERSION:=1561b71a2225af737db9f091204247ab4e141abb
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -28,8 +28,10 @@ define Package/logmngr
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=Logging Manager
- DEPENDS:=+LOGMNGR_BACKEND_FLUENTBIT:fluent-bit +LOGMNGR_LOGROTATE:logrotate
+ DEPENDS:=+LOGMNGR_BACKEND_FLUENTBIT:fluent-bit
+ DEPENDS+=+@LOGMNGR_BACKEND_FLUENTBIT:BUSYBOX_CONFIG_KLOGD
  DEPENDS+=+LOGMNGR_BACKEND_SYSLOG_NG:syslog-ng
+ DEPENDS+=+LOGMNGR_LOGROTATE:logrotate
  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
 endef
 
@@ -52,27 +54,28 @@ define Package/logmngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/logmngr.init $(1)/etc/init.d/logmngr
 
-	$(INSTALL_DIR) $(1)/usr/sbin
-
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files/10-logmngr_config_generate $(1)/etc/uci-defaults/
 
 	$(INSTALL_DIR) $(1)/lib/logmngr
 ifeq ($(CONFIG_LOGMNGR_BACKEND_FLUENTBIT),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
-	$(INSTALL_BIN) ./files/logread $(1)/usr/sbin
+	$(INSTALL_DIR) $(1)/usr/libexec
+	$(INSTALL_BIN) ./files/logmngr-klogd $(1)/usr/libexec/
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) ./files/logread $(1)/usr/sbin/
 endif
 ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/syslog-ng.sh $(1)/lib/logmngr/
 endif
-	$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfsyslog.so $(1)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfsyslog.so $(1) core 10
 ifeq ($(CONFIG_LOGMNGR_LOGROTATE),y)
 	$(INSTALL_BIN) ./files/11-logmngr_logrotate_config_generate $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/lib/logmngr/logrotate.sh $(1)/lib/logmngr/
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbflogrotate.so $(1) sysmngr
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbflogrotate.so $(1) sysmngr 11
 endif
 ifeq ($(CONFIG_LOGMNGR_VENDOR_LOG_FILE),y)
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfvendorlog.so $(1) sysmngr
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfvendorlog.so $(1) sysmngr 12
 endif
 endef
 

logmngr/files/10-logmngr_config_generate

@@ -1,13 +1,12 @@
 #!/bin/sh
 
-if [ -s "/etc/config/logmngr" ]; then
-	if uci -q get logmngr.@globals[0] >/dev/null; then
-		# return if there is any valid content
-		exit
-	else
-		rm -f /etc/config/logmngr
-	fi
+if uci -q get logmngr.@globals[0] >/dev/null; then
+	# return if there is any valid content
+	exit 0
+else
+	rm -f /etc/config/logmngr
 fi
+
 touch /etc/config/logmngr
 
 uci set logmngr.globals=globals
@@ -25,4 +24,3 @@ uci set logmngr.lr1=log_remote
 uci set logmngr.lr1.enable=0
 uci set logmngr.lr1.action="ac1"
 uci set logmngr.lr1.port="514"
-uci commit logmngr

logmngr/files/11-logmngr_logrotate_config_generate

@@ -1,14 +1,13 @@
 #!/bin/sh
 
-if [ -s "/etc/config/logmngr" ]; then
-	if uci -q get logmngr.@log_rotate[0] >/dev/null; then
-		# return if there is any valid content
-		exit
-	fi
-	uci set logmngr.lro1=log_rotate
-	uci set logmngr.lro1.enable=1
-	uci set logmngr.lro1.file_name="/var/log/messages"
-	uci set logmngr.lro1.file_count=1
-	uci set logmngr.lro1.max_file_size=1000000
-	uci commit logmngr
+# Adds a default log rotate policy if none exists
+if uci -q get logmngr.@log_rotate[0] >/dev/null; then
+	# return if there is any valid content
+	exit 0
 fi
+
+uci set logmngr.lro1=log_rotate
+uci set logmngr.lro1.enable=1
+uci set logmngr.lro1.file_name="/var/log/messages"
+uci set logmngr.lro1.file_count=1
+uci set logmngr.lro1.max_file_size=1000000

logmngr/files/lib/logmngr/fluent-bit.sh

@@ -6,6 +6,10 @@
 CONF_FILE=/etc/fluent-bit/fluent-bit.conf
 TMP_CONF_FILE=/tmp/fluent-bit/fluent-bit.conf
 
+append_conf() {
+	echo "$*" >> ${TMP_CONF_FILE}
+}
+
 create_config_file() {
 	mkdir -p /tmp/fluent-bit
 	rm -f ${TMP_CONF_FILE}
@@ -20,10 +24,12 @@ create_service_section() {
 	echo "    daemon       off" >> ${TMP_CONF_FILE}
 	echo "    log_level    info" >> ${TMP_CONF_FILE}
 	echo "    parsers_file /etc/fluent-bit/parsers.conf" >> ${TMP_CONF_FILE}
+	echo "" >> ${TMP_CONF_FILE}
 }
 
 create_input_section() {
 	local tag="$1"
+
 	# the input in our case is always syslog, hence, this section of the
 	# fluent-bit.conf file has hardcoded values as well that do not depend
 	# on any uci value
@@ -31,6 +37,7 @@ create_input_section() {
 	echo "    name        syslog" >> ${TMP_CONF_FILE}
 	echo "    tag         $tag" >> ${TMP_CONF_FILE}
 	echo "    path        /dev/log" >> ${TMP_CONF_FILE}
+	echo "" >> ${TMP_CONF_FILE}
 }
 
 generate_facility_regex() {
@@ -55,7 +62,6 @@ generate_facility_regex() {
 			echo "    regex        pri $pri" >> ${TMP_CONF_FILE}
 		done
 	done
-
 }
 
 generate_severity_regex() {
@@ -205,7 +211,6 @@ handle_log_remote() {
 		return
 	fi
 
-
 	local address
 	config_get address $section log_ip
 	if [ -z "$address" ]; then
@@ -216,9 +221,17 @@ handle_log_remote() {
 	echo "    name         syslog" >> ${TMP_CONF_FILE}
 	echo "    match        $match" >> ${TMP_CONF_FILE}
 	echo "    host         $address" >> ${TMP_CONF_FILE}
+	append_conf "    syslog_appname_key   ident"
+	append_conf "    syslog_procid_key    pid"
+	append_conf "    syslog_message_key   message"
+
+	local hostname="$(uci -q get 'system.@system[0].hostname')"
+	if [ -n "${hostname}" ]; then
+		append_conf "    syslog_hostname_preset    ${hostname}"
+	fi
 
 	local proto # holds value tcp or udp
-	config_get proto $section proto
+	config_get proto ${section} proto
 	if [ -n "$proto" ]; then
 		if [ "$proto" == "tls" ]; then
 			echo "    mode         tcp" >> ${TMP_CONF_FILE}
@@ -281,41 +294,44 @@ handle_action() {
 	# with this and action and setup output accordingly.
 	config_foreach handle_log_file log_file "$tag"
 	config_foreach handle_log_remote log_remote "$tag"
-
-
 }
 
 handle_action_section() {
 	config_foreach handle_action action
 }
 
-apply_config_file() {
-	cp ${TMP_CONF_FILE} ${CONF_FILE}
-}
-
 PROG=/usr/sbin/fluent-bit
 logmngr_init() {
-	create_config_file
+	local enabled
 
 	config_load logmngr
-	local enabled
-	config_get enabled globals enable
-
-	if [ "$enabled" == "0" ]; then
-		return
-	fi
+	config_get_bool enabled globals enable "1"
 
+	create_config_file
 	create_service_section
 	handle_action_section
-	apply_config_file
 
 	if [ -f /lib/logmngr/logrotate.sh ]; then
 		logrotate_init
 	fi
 
+	if [ "$enabled" == "0" ]; then
+		return
+	fi
+
 	procd_open_instance logmngr
-	procd_set_param command $PROG -c $CONF_FILE
-	procd_set_param file $CONF_FILE
+	if [ -s "${TMP_CONF_FILE}" ]; then
+		procd_set_param command $PROG -c ${TMP_CONF_FILE}
+		procd_set_param file ${TMP_CONF_FILE}
+	elif [ -s "${CONF_FILE}" ]; then
+		procd_set_param command $PROG -c ${CONF_FILE}
+		procd_set_param file ${CONF_FILE}
+	fi
+	procd_set_param respawn
+	procd_close_instance
+
+	procd_open_instance klogd
+	procd_set_param command /usr/libexec/logmngr-klogd
 	procd_set_param respawn
 	procd_close_instance
 }

logmngr/files/logmngr-klogd

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+until [ -S /dev/log ]; do
+	sleep 1
+done
+
+exec /sbin/klogd -n

logmngr/files/logread

@@ -89,13 +89,13 @@ else
 				exit 0
 				;;
 			-f)
-				tail -f "${logfile}"
+				tail -F "${logfile}"
 				exit 0
 				;;
 			-fe)
 				shift
 				pattern="${1}"
-				tail -f "${logfile}" | grep -E "${pattern}"
+				tail -F "${logfile}" | grep -E "${pattern}"
 				exit 0
 				;;
 			-h|*)

map-agent/Config.in

@@ -62,5 +62,9 @@ config AGENT_CHECK_PARTIAL_WIFI_RELOAD
 config DYNBHD_DYNAMICALLY_PERSIST_CONTROLLER
 	bool "Let dynbhd through AP-Autoconfiguration Search and DHCP Discovery determine the controller or agent role"
 
+config AGENT_UNASSOC_STA_CONT_MONITOR
+	bool "Enable continuos monitoring of unassociated clients"
+	default n
+
 endmenu
 endif

map-agent/Makefile

@@ -5,9 +5,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.3.1.2
+PKG_VERSION:=6.3.3.9
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=4547277f0637a4e7f18ff676350400efb4e37138
+PKG_SOURCE_VERSION:=81b815c32aafbf5476bba4691ce36b9a446c3363
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause
@@ -115,6 +115,10 @@ ifeq ($(CONFIG_DYNBHD_DYNAMICALLY_PERSIST_CONTROLLER),y)
 TARGET_CFLAGS += -DPERSIST_CONTROLLER
 endif
 
+ifeq ($(CONFIG_AGENT_UNASSOC_STA_CONT_MONITOR),y)
+TARGET_CFLAGS += -DUNASSOC_STA_CONT_MONITOR
+endif
+
 MAKE_PATH:=src
 
 define Package/map-agent/install

map-agent/files/etc/hotplug.d/ethernet/map-dynamic-backhaul

@@ -7,9 +7,21 @@ map_bh_file="/var/run/multiap/multiap.backhaul"
 al_bridge="$(uci -q get mapagent.agent.al_bridge)"
 [ "${al_bridge:0:3}" = "br-" ] || exit 0
 
+# Get all sections where the port appears in 'ports' list
+port_bridge_sec_list="$(uci show network | grep -w $PORT | grep '\.ports' | cut -d'.' -f2)"
+
+# Find the first section with type='bridge' and get its name
+for port_bridge_sec in $port_bridge_sec_list; do
+	if [ "$(uci -q get network.$port_bridge_sec.type)" = "bridge" ]; then
+		port_bridge_name="$(uci -q get network.$port_bridge_sec.name)"
+		break
+	fi
+done
+
+# Exit if the PORT Bridge Name is empty
+[ -z "$port_bridge_name" ]  && exit 0
+
 # Exit if the PORT is not member of the AL Bridge
-port_bridge_sec="$(uci show network | grep -w $PORT | grep '\.ports' | cut -d'.' -f2)"
-port_bridge_name="$(uci -q get network.$port_bridge_sec.name)"
 [ "$port_bridge_name" = "$al_bridge" ] || exit 0
 
 # Exit if the device is not operating in extender/repeater mode

map-agent/files/etc/hotplug.d/ethernet/map-topology-discovery

@@ -15,7 +15,7 @@ rc="$?"
 issue_discovery() {
 	local iface="$1"
 
-	res=$(ubus -t5 call ieee1905 buildcmdu "{\"type\":0, \"ifname\":\"${iface}\"}" > /dev/null 2>&1)
+	res=$(ubus -t5 call ieee1905 buildcmdu "{\"type\":0, \"ifname\":\"${iface}\"}") > /dev/null 2>&1
 	json_load "$res" > /dev/null 2>&1
 	json_get_var data data
 

map-controller/Config.in

@@ -10,6 +10,11 @@ config CONTROLLER_EASYMESH_VENDOR_EXT
 	bool "Enable extra features through Easymesh vendor extension"
 	default y
 
+config CONTROLLER_PROVISION_DISABLED_AP
+	depends on CONTROLLER_EASYMESH_VENDOR_EXT
+	bool "Enable vendor extension that provisions disabled APs to agents"
+	default n
+
 config CONTROLLER_EASYMESH_VENDOR_EXT_OUI_DEFAULT
 	hex "Vendor OUI default"
 	default 0xB456FA

map-controller/Makefile

@@ -1,14 +1,15 @@
 #
-# Copyright (C) 2020-2023 IOPSYS Software Solutions AB
+# Copyright (C) 2020-2024 IOPSYS Software Solutions AB
+# Copyright (C) 2025 Genexis AB
 #
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.2.2.1
+PKG_VERSION:=6.3.0.10
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=f3d3ef332678f6417d78529323119a71ba715337
-PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
+PKG_SOURCE_VERSION:=4abd4db59e3bc5e19c263dba07a10d5326bfa98c
+PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
@@ -26,7 +27,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/map-controller
   SECTION:=utils
   CATEGORY:=Utilities
-  TITLE:=WiFi Multi-AP Controller (EasyMesh R2)
+  TITLE:=WiFi Multi-AP Controller (supporting EasyMesh R6)
   DEPENDS:=+libuci +libubox +ubus +libeasy +libwifiutils +libieee1905 +ieee1905 +ieee1905-map-plugin \
 	   +CONTROLLER_USE_LIBDPP:libdpp
 endef
@@ -61,6 +62,9 @@ endif
 ifeq ($(CONFIG_CONTROLLER_EASYMESH_VENDOR_EXT),y)
 TARGET_CFLAGS += -DEASYMESH_VENDOR_EXT_OUI=$(CONFIG_CONTROLLER_EASYMESH_VENDOR_EXT_OUI)
 TARGET_CFLAGS += -DEASYMESH_VENDOR_EXT
+ifeq ($(CONFIG_CONTROLLER_PROVISION_DISABLED_AP),y)
+TARGET_CFLAGS += -DPROVISION_DISABLED_AP
+endif
 endif
 
 ifeq ($(CONFIG_CONTROLLER_PROPAGATE_PROBE_REQ),y)

map-controller/files/etc/config/mapcontroller

@@ -14,23 +14,17 @@ config controller 'controller'
 	option de_collect_interval '60'
 
 config sta_steering
-	option steer_module 'rcpi'
-	option enabled '1'
-	option enable_sta_steer '0'
+	option enable_sta_steer '1'
 	option enable_bsta_steer '0'
-	option use_bcn_metrics '0'
-	option use_usta_metrics '0'
-	option bandsteer '0'
-	option diffsnr '8'
 	option rcpi_threshold_2g '70'
 	option rcpi_threshold_5g '86'
 	option rcpi_threshold_6g '86'
 	option report_rcpi_threshold_2g '80'
 	option report_rcpi_threshold_5g '96'
 	option report_rcpi_threshold_6g '96'
-	option steer_retry_int '30'
-	option steer_int '180'
-	option steer_disable_int '600'
+	option plugins_enabled '1'
+	option plugins_policy 'any'
+	list plugins 'rcpi'
 
 ###################
 # Default AP sections credentials will by updated

map-controller/files/etc/init.d/mapcontroller

@@ -172,7 +172,7 @@ start_service() {
 	create_dir
 
 	procd_open_instance
-	procd_set_param command "/usr/sbin/mapcontroller" "-d"
+	procd_set_param command "/usr/sbin/mapcontroller" "-d" "-o" "/tmp/mapcontroller.log" "-f"
 
 	if [ -f /etc/config/mapagent ]; then
 	        local local_ctrl=0

map-controller/files/etc/uci-defaults/99-mapcontroller-sta-steering

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+cfg=mapcontroller
+
+config_load $cfg
+
+adapt_sta_steering() {
+	steer_module=$(uci -q get $cfg.@sta_steering[0].steer_module)
+	bandsteer=$(uci -q get $cfg.@sta_steering[0].bandsteer)
+	enabled=$(uci -q get $cfg.@sta_steering[0].enabled)
+	diffsnr=$(uci -q get $cfg.@sta_steering[0].diffsnr)
+	stri=$(uci -q get $cfg.@sta_steering[0].steer_retry_int)
+	sti=$(uci -q get $cfg.@sta_steering[0].steer_int)
+	stdi=$(uci -q get $cfg.@sta_steering[0].steer_disable_int)
+
+	uci -q del $cfg.@sta_steering[0].enabled
+	uci -q del $cfg.@sta_steering[0].steer_module
+	uci -q del $cfg.@sta_steering[0].use_bcn_metrics
+	uci -q del $cfg.@sta_steering[0].use_usta_metrics
+	uci -q del $cfg.@sta_steering[0].bandsteer
+	uci -q del $cfg.@sta_steering[0].diffsnr
+
+	uci del_list $cfg.@sta_steering[0].plugins="rcpi"
+	uci add_list $cfg.@sta_steering[0].plugins="rcpi"
+	uci -q set $cfg.@sta_steering[0].plugins_enabled="1"
+	uci -q set $cfg.@sta_steering[0].plugins_policy="any"
+
+	# re-apply any custom legacy value(s) in 'sta-steer' section
+	if [ -n "${enabled}" -o -n "${bandsteer}" -o -n "${diffsnr}" -o -n "${sti}" -o -n "${stri}" -o -n "${stdi}" ]; then
+		# create 'rcpi' named 'sta-steer' section if there is none
+		[ $(uci -q get mapcontroller.rcpi) ] || uci set $cfg.rcpi=sta-steer
+
+		# set custom value(s)
+		[ -z "${enabled}" ] || uci -q set $cfg.rcpi.enabled="${enabled}"
+		[ -z "${bandsteer}" ] || uci -q set $cfg.rcpi.bandsteer="${bandsteer}"
+		[ -z "${diffsnr}" ] || uci -q set $cfg.rcpi.diffsnr="${diffsnr}"
+		[ -z "${sti}" ] || uci -q set $cfg.rcpi.steer_int="${sti}"
+		[ -z "${stri}" ] || uci -q set $cfg.rcpi.steer_retry_int="${stri}"
+		[ -z "${stdi}" ] || uci -q set $cfg.rcpi.steer_disable_int="${stdi}"
+		uci reorder $cfg.rcpi=2
+	fi
+}
+
+adapt_sta_steering

map-topology/Config.in

@@ -1,26 +0,0 @@
-if (PACKAGE_map-topology)
-
-menu "Configurations"
-
-config TOPOLOGYD_EASYMESH_VENDOR_EXT
-	bool "Enable extra features through Easymesh vendor extension"
-	default y
-
-config TOPOLOGYD_EASYMESH_VENDOR_EXT_OUI_DEFAULT
-	hex "Vendor OUI default"
-	default 0xB456FA
-
-config TOPOLOGYD_EASYMESH_VENDOR_EXT_OUI
-	hex "Vendor OUI in 0xAABBCC format"
-	default TOPOLOGYD_EASYMESH_VENDOR_EXT_OUI_DEFAULT
-	help
-	Extra features not covered by the base EasyMesh specification can be
-	enabled through TOPOLOGYD_EASYMESH_VENDOR_EXT. Please provide the Vendor's OUI
-	through which such features would be exposed.
-
-config TOPOLOGYD_HOST_WAN_STATS
-	bool "Enable wan statistics collection per hosts"
-	default y
-
-endmenu
-endif

map-topology/Makefile

@@ -1,71 +0,0 @@
-#
-# Copyright (C) 2020-22 IOPSYS Software Solutions AB
-#
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=map-topology
-PKG_VERSION:=2.5.2.1
-
-LOCAL_DEV:=0
-ifneq ($(LOCAL_DEV),1)
-PKG_SOURCE_VERSION:=914f1ead2e65c1e24ed2d8786aa883730db2208f
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-topology.git
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
-PKG_MIRROR_HASH:=skip
-endif
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_BUILD_DEPENDS:=ieee1905
-
-PKG_LICENSE:=BSD-3-Clause
-PKG_LICENSE_FILES:=LICENSE
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/map-topology
-	CATEGORY:=Utilities
-	DEPENDS:=+libubox +ubus +libpthread +libuci +libeasy \
-		 +libavahi-nodbus-support +libnetfilter-conntrack +libnfnetlink +libmnl
-	TITLE:=Utility to build topology of a multi-AP network
-endef
-
-define Package/map-topology/config
-	source "$(SOURCE)/Config.in"
-endef
-
-TARGET_CFLAGS += \
-	-Wno-error=deprecated-declarations \
-	-I$(STAGING_DIR)/usr/include \
-	-I$(STAGING_DIR)/usr/include/libnl3 \
-	-I$(STAGING_DIR)/usr/include/libnetfilter_conntrack \
-	-D_GNU_SOURCE
-
-define Package/map-topology/description
-	Constructs network topology and show it as json structure over UBUS
-endef
-
-MAKE_PATH:=src
-
-ifeq ($(CONFIG_TOPOLOGYD_EASYMESH_VENDOR_EXT),y)
-TARGET_CFLAGS += -DEASYMESH_VENDOR_EXT_OUI=$(CONFIG_TOPOLOGYD_EASYMESH_VENDOR_EXT_OUI)
-endif
-
-ifeq ($(CONFIG_TOPOLOGYD_HOST_WAN_STATS),y)
-TARGET_CFLAGS += -DHOST_WAN_STATS
-endif
-
-ifeq ($(LOCAL_DEV),1)
-define Build/Prepare
-        $(CP) -rf ~/git/map-topology/* $(PKG_BUILD_DIR)/
-endef
-endif
-
-define Package/map-topology/install
-	$(CP) ./files/* $(1)/
-	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/topologyd $(1)/usr/sbin/
-endef
-
-$(eval $(call BuildPackage,map-topology))

map-topology/files/etc/config/topology

@@ -1,7 +0,0 @@
-
-config topology 'topology'
-	option enabled '1'
-	option depth '8'
-	option interval '60'
-	option maxlog '32'
-	option profile '4'

map-topology/files/etc/init.d/topologyd

@@ -1,93 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=97
-STOP=21
-
-USE_PROCD=1
-
-IS_CFG_VALID=1
-
-validate_topology_config() {
-	uci_validate_section topology topology "topology" \
-			'enabled:bool:true' \
-			'depth:range(0,16)' \
-			'interval:range(0,65535)' \
-			'maxlog:range(0,128)' \
-
-	[ "$?" -ne 0 ] && {
-		logger -s -t "topology" "Validation of topology UCI file failed"
-		return 1
-	}
-	return 0
-}
-
-validate_global_section() {
-	uci_validate_section hosts global "global" \
-		'ageing_timer:uinteger' \
-		'reboot_persistent:bool'
-
-	[ "$?" -ne 0 ] && {
-		logger -s -t "hosts" "Validation of global section failed"
-		IS_CFG_VALID=0
-		return 1
-	}
-	return 0
-}
-
-validate_host_section() {
-	local section="$1"
-
-	uci_validate_section hosts $section "${1}" \
-			'macaddr:macaddr' \
-			'interface_type:or("wifi","eth")' \
-			'active:bool' \
-			'active_last_change:string'
-
-	[ "$?" -ne 0 ] && {
-		logger -s -t "hosts" "Validation of host section $section failed"
-		IS_CFG_VALID=0
-		return 1
-	}
-	return 0
-}
-
-validate_hosts_config() {
-	IS_CFG_VALID=1
-
-	validate_global_section &&
-		config_foreach validate_host_section host
-
-	[ "$IS_CFG_VALID" -ne 1 ] && {
-		logger -s -t "topology" "Validation of hosts UCI file failed"
-		return 1
-	}
-	return 0
-}
-
-start_service() {
-	config_load "topology"
-	validate_topology_config || return 1;
-
-	config_load "hosts"
-	validate_hosts_config || return 1;
-
-	if [ -f "/proc/sys/net/netfilter/nf_conntrack_timestamp" ]; then
-		echo 1 >/proc/sys/net/netfilter/nf_conntrack_timestamp
-	fi
-
-	procd_open_instance
-        procd_set_param command "/usr/sbin/topologyd"
-	procd_set_param respawn
-#	procd_set_param stdout 1
-	procd_set_param stderr 1
-	procd_close_instance
-}
-
-service_triggers()
-{
-	procd_add_reload_trigger "network"
-}
-
-reload_service() {
-	procd_send_signal "topologyd"
-}

mcastmngr/Makefile

@@ -6,14 +6,14 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=mcastmngr
-PKG_VERSION:=1.2.10
+PKG_VERSION:=1.2.11
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/mcastmngr.git
-PKG_SOURCE_VERSION:=275d7e5448333e53f8bc980344b39f7f577d4664
+PKG_SOURCE_VERSION:=17d73b8f1947823a0d32ed589a240a2642904fe1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

mcastmngr/files/common/etc/uci-defaults/61-mcast_config_generate

@@ -16,8 +16,6 @@ generate_igmp_global_params(){
 	uci set mcast.@mld[-1].mldv2_unsolicited_report_interval="1"
 	uci set mcast.@mld[-1].qrv="2"
 	uci set mcast.@mld[-1].force_version="0"
-
-	uci commit mcast
 }
 
 generate_mld_proxy_config(){
@@ -73,8 +71,6 @@ generate_mcast_config(){
 
 	generate_igmp_proxy_config "$up_itf"
 	generate_mld_proxy_config "$up_itf"
-
-	uci commit mcast
 }
 
 interfaces_ok(){

mcastmngr/files/linux/etc/firewall.mcast

@@ -1,2 +1,2 @@
 # Forward multicast packets from wan to lan
-iptables -t filter -A zone_wan_forward -p udp -d 224.0.0.0/240.0.0.0 -m comment --comment "!fw3: Allow-Multicast-UDP" -j zone_lan_dest_ACCEPT
+iptables -w -t filter -A zone_wan_forward -p udp -d 224.0.0.0/240.0.0.0 -m comment --comment "!fw3: Allow-Multicast-UDP" -j zone_lan_dest_ACCEPT

netmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmngr
-PKG_VERSION:=1.1.3
+PKG_VERSION:=1.1.5
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/netmngr.git
-PKG_SOURCE_VERSION:=f9a0e9490743c55bf7c6df02495b4dbba8c66aeb
+PKG_SOURCE_VERSION:=77158d2ee3ac2d144681f6352d6d18dde0db4b22
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -74,7 +74,6 @@ endif
 define Package/netmngr/install
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libnetmngr.so $(1) $(PKG_NAME)
-	$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/src/libinterface_stack.so $(1)
 endef
 
 ifeq ($(LOCAL_DEV),1)

netmngr/bbfdm_service.json

@@ -27,6 +27,10 @@
       {
         "parent_dm": "Device.",
         "object": "IPv6rd"
+      },
+      {
+        "parent_dm": "Device.",
+        "object": "InterfaceStack"
       }
     ],
     "config": {

netmode/files/etc/uci-defaults/62-netmode.l2mode

@@ -99,6 +99,10 @@ l2_network_config() {
 	uci -q set cwmp.cpe.default_wan_interface="lan"
 	uci -q commit cwmp
 
+	# Update gateway WAN Interface
+	uci -q set gateway.global.wan_interface="lan"
+	uci -q commit gateway
+
 	# disable firewall
 	uci -q set firewall.globals.enabled="0"
 	uci -q commit firewall

obuspa/Config.in

@@ -66,4 +66,8 @@ config OBUSPA_CWMP_DATAMODEL_SUPPORT
 config OBUSPA_VENDOR_PREFIX
 	string "Package specific datamodel Vendor Prefix for TR181 extensions"
 	default ""
+
+config OBUSPA_OVERRIDE_CT_ROLE
+	bool "Override ControllerTrust role with factory default roles"
+	default y
 endif

obuspa/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=obuspa
-PKG_VERSION:=9.0.4.4
+PKG_VERSION:=9.0.4.13
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git
-PKG_SOURCE_VERSION:=1e5638d104075741a62d777ea9a2c508740c3634
+PKG_SOURCE_VERSION:=9bd0c3c895cbcf34b922329c55a8262180b1fa86
 PKG_MAINTAINER:=Vivek Dutta <vivek.dutta@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -132,6 +132,8 @@ define Package/obuspa/install
 	$(INSTALL_BIN) ./files/etc/uci-defaults/60-generate-ctrust-defaults $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/obuspa-set-dhcp-option $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/92-obuspa_firewall $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/93-obuspa_mdns_adv $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/94-obuspa_set_credential $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/firewall.usp $(1)/etc/
 	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user $(1)/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user
 ifeq ($(CONFIG_OBUSPA_CWMP_DATAMODEL_SUPPORT),y)
@@ -145,6 +147,9 @@ ifeq ($(CONFIG_OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL),y)
 	$(INSTALL_BIN) ./files/etc/init.d/usptest $(1)/etc/init.d/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/55-test-usp-controller $(1)/etc/uci-defaults/
 endif
+ifeq ($(CONFIG_OBUSPA_OVERRIDE_CT_ROLE),y)
+	$(INSTALL_BIN) ./files/etc/uci-defaults/61-override-ct-roles $(1)/etc/uci-defaults/
+endif
 endef
 
 $(eval $(call BuildPackage,obuspa))

obuspa/bbfdm_service.json

@@ -2,22 +2,20 @@
   "daemon": {
     "enable": "1",
     "service_name": "obuspa",
+    "proto": "cwmp",
     "unified_daemon": false,
     "services": [
       {
         "parent_dm": "Device.",
-        "object": "USPAgent",
-        "proto": "cwmp"
+        "object": "USPAgent"
       },
       {
         "parent_dm": "Device.",
-        "object": "MQTT",
-        "proto": "cwmp"
+        "object": "MQTT"
       },
       {
         "parent_dm": "Device.",
-        "object": "STOMP",
-        "proto": "cwmp"
+        "object": "STOMP"
       }
     ],
     "config": {

obuspa/files/etc/config/obuspa

@@ -5,7 +5,6 @@ config obuspa 'global'
 	option log_level '2'
 	option prototrace '0'
 	option db_file '/etc/obuspa/usp.db'
-	#option max_group_sep '2'
 	#option ipc_timeout '30'
 	#option max_cache_time '600'
 	#option trust_cert '/etc/obuspa/ca.pem'

obuspa/files/etc/init.d/obuspa

@@ -290,6 +290,16 @@ get_role_index()
 		return 0
 	fi
 
+	if [ "${name}" = "full_access" ] || [ "${name}" = "Full Access" ]; then
+		echo "Device.LocalAgent.ControllerTrust.Role.1"
+		return 0
+	fi
+
+	if [ "${name}" = "Untrusted" ]; then
+		echo "Device.LocalAgent.ControllerTrust.Role.1"
+		return 0
+	fi
+
 	# Get if from CTRUST file first if present, then from dbdump and then use default Untrusted role
 	if [ -f "${CTRUST_RESET_FILE}" ]; then
 		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${CTRUST_RESET_FILE} |grep $name)"
@@ -958,12 +968,6 @@ db_init()
 		mv ${SQL_DB_FILE}.old ${SQL_DB_FILE}
 	fi
 
-	if [ -f "${role_file}" ]; then
-		configure_ctrust_role "${role_file}"
-		uci_set obuspa global role_file ""
-		uci commit ${CONFIGURATION}
-	fi
-
 	# Dump datamodel parameters from DB
 	if [ -f "${SQL_DB_FILE}" ]; then
 		dump_db

obuspa/files/etc/obuspa/usp_utils.sh

@@ -3,7 +3,9 @@
 CTRUST_RESET_FILE="/tmp/obuspa/ctrust_reset"
 VENDOR_PREFIX_FILE="/etc/obuspa/vendor_prefix"
 FW_DEFAULT_ROLE_DIR="/etc/users/roles"
+SECURE_ROLES=""
 
+mkdir -p /tmp/obuspa/
 
 # include jshn.sh
 if [ -f "/usr/local/share/libubox/jshn.sh" ]; then
@@ -144,7 +146,7 @@ configure_permission()
 
 configure_roles()
 {
-	local rinst rname
+	local rinst rname is_secure
 
 	if [ "$#" -ne 2 ]; then
 	    echo "Illegal number of parameters"
@@ -153,10 +155,10 @@ configure_roles()
 
 	json_select $2
 	json_get_var rname name
+	json_get_var is_secure secure_role
 
 	if [ "${rname}" = "full_access" ]; then
 		rinst=1
-		rname="Full Access"
 	elif [ "${rname}" = "Untrusted" ]; then
 		rinst=2
 	else
@@ -167,27 +169,57 @@ configure_roles()
 	db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Enable 1
 	db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Name ${rname}
 
+	if [ "${is_secure}" = "1" ] || [ "${is_secure}" = "true" ]; then
+		if [ -z "${SECURE_ROLES}" ]; then
+			SECURE_ROLES="Device.LocalAgent.ControllerTrust.Role.${rinst}"
+		else
+			SECURE_ROLES="${SECURE_ROLES},Device.LocalAgent.ControllerTrust.Role.${rinst}"
+		fi
+	fi
+
 	json_for_each_item configure_permission permission "${name}" ${rinst}
 	json_select ..
 }
 
 configure_roles_dir()
 {
-	local rinst rname
+	local rinst rname is_secure
 
-	if [ "$#" -ne 2 ]; then
+	if [ "$#" -ne 1 ]; then
 	    echo "Illegal number of parameters"
 	    exit 1
 	fi
 
-	rname="${1}"
-	rinst="${2}"
+	if [ "${1}" = "full_access" ]; then
+		rinst=1
+		rname="full_access"
+	elif [ "${1}" = "Untrusted" ]; then
+		rinst=2
+		rname="Untrusted"
+	else
+		json_get_var rname name
+		json_get_var rinst instance
+
+		if [ -z "${rname}" ] || [ -z "${rinst}" ]; then
+			echo "Deprecated role format ignoring ${1}.json ..."
+			return 0
+		fi
+	fi
+	json_get_var is_secure secure_role
 
 	db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Alias cpe-${rinst}
 	db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Enable 1
 	db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Name ${rname}
 
-	json_for_each_item configure_permission permission "${name}" ${rinst}
+	if [ "${is_secure}" = "1" ] || [ "${is_secure}" = "true" ]; then
+		if [ -z "${SECURE_ROLES}" ]; then
+			SECURE_ROLES="Device.LocalAgent.ControllerTrust.Role.${rinst}"
+		else
+			SECURE_ROLES="${SECURE_ROLES},Device.LocalAgent.ControllerTrust.Role.${rinst}"
+		fi
+	fi
+
+	json_for_each_item configure_permission permission "${name}" "$((rinst))"
 	json_select ..
 }
 
@@ -196,22 +228,31 @@ configure_ctrust_role()
 	local num
 	local roles_obj
 
+	if [ -f "${CTRUST_RESET_FILE}" ]; then
+		return 0
+	fi
+
 	mkdir -p /tmp/obuspa/
+	SECURE_ROLES=""
+	
 	if [ -f "${1}" ]; then
 		json_init
 		json_load_file "${1}"
 		json_for_each_item configure_roles roles
 	else
-		num=3
 		for f in $(ls -1 ${FW_DEFAULT_ROLE_DIR}); do
 			echo "Loading $f ....."
 			json_init
 			json_load_file "${FW_DEFAULT_ROLE_DIR}/${f}"
 			json_select tr181
-			configure_roles_dir "${f/.json/}" "${num}"
-			num=$((num + 1))
+			configure_roles_dir "${f/.json/}"
 		done
 	fi
+
+	if [ -n "${SECURE_ROLES}" ]; then
+		db_add Device.LocalAgent.ControllerTrust.SecuredRoles "${SECURE_ROLES}"
+	fi
 }
 
 # configure_ctrust_role "${@}"
+

obuspa/files/etc/uci-defaults/60-generate-ctrust-defaults

@@ -4,12 +4,14 @@
 . /etc/obuspa/usp_utils.sh
 
 rfile="$(uci -q get obuspa.global.role_file)"
-
+db_file="$(uci -q get obuspa.global.db_file)"
 # Reset the role_file if present
 if [ -n "${rfile}" ]; then
 	uci -q set obuspa.global.role_file=""
 fi
 
-configure_ctrust_role "${rfile}"
+if [ ! -f "${db_file}" ]; then
+	configure_ctrust_role
+fi
 
 exit 0

obuspa/files/etc/uci-defaults/61-override-ct-roles

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /etc/obuspa/usp_utils.sh
+
+configure_ctrust_role
+
+exit 0

obuspa/files/etc/uci-defaults/93-obuspa_mdns_adv

@@ -0,0 +1,65 @@
+#!/bin/sh
+
+. /usr/share/libubox/jshn.sh
+. /lib/functions.sh
+
+get_oui_from_db() {
+	db -q get device.deviceinfo.ManufacturerOUI
+}
+
+get_serial_from_db() {
+	db -q get device.deviceinfo.SerialNumber
+}
+
+get_endpoint_id() {
+	AgentEndpointID="$(uci -q get obuspa.localagent.EndpointID)"
+	if [ -z "${AgentEndpointID}" ]; then
+		serial=$(get_serial_from_db)
+		oui=$(get_oui_from_db)
+		AgentEndpointID=$(echo "os::${oui}-${serial//+/%2B}")
+	fi
+
+	echo "${AgentEndpointID}"
+}
+
+get_device_role()
+{
+	local mode lan_proto
+
+	lan_proto="$(uci -q get network.lan.proto)"
+
+	if [ "${lan_proto}" == "dhcp" ]; then
+		mode="extender"
+	else
+		mode="gateway"
+	fi
+
+	echo "$mode"
+}
+
+add_mdns_advertise() {
+	mkdir -p /etc/umdns
+	usp_id="$(get_endpoint_id)"
+
+	json_init
+	json_add_object "usp_mdns"
+	json_add_string "service" "_usp-agt-mqtt._tcp.local"
+	json_add_int "port" 0
+	json_add_array "txt"
+	json_add_string "" "ID=$usp_id"
+	json_close_array
+	json_close_object
+
+	json_dump > /etc/umdns/obuspa_mdns.json
+}
+
+config_load obuspa
+config_get_bool enable_obuspa global enabled 1
+
+if [ "${enable_obuspa}" -eq 1 ]; then
+	role="$(get_device_role)"
+
+	if [ "${role}" == "gateway" ]; then
+		add_mdns_advertise
+	fi
+fi

obuspa/files/etc/uci-defaults/94-obuspa_set_credential

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+# Get Manufacturer OUI.
+oui=$(db -q get device.deviceinfo.ManufacturerOUI)
+oui=$(echo "${oui}" | tr 'a-f' 'A-F')
+
+# Get system serial number.
+serial=$(db -q get device.deviceinfo.SerialNumber)
+
+username="${oui}-${serial}"
+password="iopsys"
+
+# Get userid values
+config_load obuspa
+config_get user global username ""
+config_get pass global password ""
+
+# Only set if they are empty or not same
+if [ -z "${user}" ] || [ "${user}" != "${username}" ]; then
+    uci -q set obuspa.global.username="${username}"
+fi
+
+if [ -z "${pass}" ] || [ "${pass}" != "${password}" ]; then
+    uci -q set obuspa.global.password="${password}"
+fi
+
+# No need for commit here, it is done by uci_apply_defaults().

obuspa/files/etc/uci-defaults/obuspa-set-dhcp-option

@@ -38,13 +38,11 @@ configure_dhcp_options() {
 		if [ "${role}" = "extender" ]; then
 			interface="lan"
 			uci -q set obuspa.global.interface="lan"
-			uci commit obuspa
 		else
 			interface="wan"
 		fi
 	fi
 
-	network_uci_update=0
 	reqopts="$(uci -q get network."${interface}".reqopts)"
 	proto="$(uci -q get network."${interface}".proto)"
 	local req125_present=0
@@ -70,19 +68,13 @@ configure_dhcp_options() {
 		if [ ${req125_present} -eq 0 ]; then
 			newreqopts="$reqopts 125"
 			uci -q set network."${interface}".reqopts="$newreqopts"
-			network_uci_update=1
 		fi
 
 		if [ ${send124_present} -eq 0 ]; then
 			newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70"
 			uci -q set network."${interface}".sendopts="$newsendopts"
-			network_uci_update=1
 		fi
 	fi
-
-	if [ ${network_uci_update} -eq 1 ]; then
-		uci commit network
-	fi
 }
 
 configure_dhcp_options

obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user

@@ -7,6 +7,7 @@ PROV_CODE=""
 RETRY_MIN_INTERVAL="5"
 RETRY_INTERVAL_MUL="2000"
 ENDPOINT_ID=""
+CONTROLLER_DISCOVERED=0
 
 log()
 {
@@ -101,15 +102,25 @@ get_vivsoi() {
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
-				"25") URL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"25")
+					URL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					CONTROLLER_DISCOVERED=1
 				;;
-				"26") PROV_CODE=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"26")
+					PROV_CODE=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					CONTROLLER_DISCOVERED=1
 				;;
-				"27") RETRY_MIN_INTERVAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"27")
+					RETRY_MIN_INTERVAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					CONTROLLER_DISCOVERED=1
 				;;
-				"28") RETRY_INTERVAL_MUL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"28")
+					RETRY_INTERVAL_MUL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					CONTROLLER_DISCOVERED=1
 				;;
-				"29") ENDPOINT_ID=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"29")
+					ENDPOINT_ID=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					CONTROLLER_DISCOVERED=1
 				;;
 			esac
 
@@ -144,6 +155,20 @@ get_access_role()
 	echo "$mode"
 }
 
+get_agent_topic()
+{
+	AgentEndpointID="$(uci -q get obuspa.localagent.EndpointID)"
+	if [ -z "${AgentEndpointID}" ]; then
+		serial=$(get_serial_from_db)
+		oui=$(get_oui_from_db)
+		AgentEndpointID=$(echo "${oui}-${serial//+/%2B}")
+	fi
+
+	topic_base=$(echo "${AgentEndpointID}" | sed -E 's/[^[:alnum:]]/_/g')
+	agent_topic="/usp/${topic_base}/endpoint"
+	echo "${agent_topic}"
+}
+
 config_load obuspa
 config_get_bool enable_obuspa global enabled 1
 config_get wan_intf global interface
@@ -171,7 +196,7 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		get_vivsoi "$opt125" "$len"
 	fi
 
-	if [ -z "$URL" ] || [ -z "$ENDPOINT_ID" ]; then
+	if [ "${CONTROLLER_DISCOVERED}" -eq 0 ]; then
 		return 0
 	fi
 
@@ -180,151 +205,325 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 	port=""
 	topic=""
 	is_fqdn=1
+	offered_proto=""
+	mtp_encrypt=""
+	dhcp_controller=""
+	dhcp_mtp=""
+	dhcp_mqtt=""
 
-	case $URL in
-	ws://*) is_fqdn=0;;
-	wss://*) is_fqdn=0;;
-	mqtt://*) is_fqdn=0;;
-	mqtts://*) is_fqdn=0;;
-	*) is_fqdn=1
-	esac;
+	if [ -n "$URL" ]; then
+		case $URL in
+		ws://*) is_fqdn=0;;
+		wss://*) is_fqdn=0;;
+		mqtt://*) is_fqdn=0;;
+		mqtts://*) is_fqdn=0;;
+		*://*) return 0;;
+		*) is_fqdn=1
+		esac;
 
-	if [ ${is_fqdn} -eq 1 ]; then
-		# This is an FQDN, perform DNS query
-		nslookup -type=a $URL > /tmp/fqdn_ip
-		nslookup -type=ptr $URL > /tmp/fqdn_ptr
-		return 0
-	else
-		proto=$(echo "${URL}" | awk -F: '{print $1}')
-		dest=$(echo "${URL}" | awk -F/ '{print $3}')
-		ip=$(echo "${dest}" | awk -F: '{print $1}')
-		port=$(echo "${dest}" | awk -F: '{print $2}')
-		topic=$(echo "${URL}" | sed  's/^.*:'"${port}"'/\1/g')
+		if [ ${is_fqdn} -eq 1 ]; then
+			case $URL in
+			*.local*)
+				# TODO extend for mdns handling
+				;;
+			*)
+				# This is an FQDN, perform DNS query
+				nslookup $URL > /tmp/fqdn_ip
+				nslookup -type=ptr $URL > /tmp/fqdn_ptr
+				nslookup -type=srv $URL > /tmp/fqdn_srv
+				nslookup -type=txt $URL > /tmp/fqdn_srv
+
+				# TODO extend to collect information from dns-sd records
+				;;
+			esac
+
+			return 0
+		else
+			proto=$(echo "${URL}" | awk -F: '{print $1}')
+			dest=$(echo "${URL}" | awk -F/ '{print $3}')
+			ip=$(echo "${dest}" | awk -F: '{print $1}')
+			port=$(echo "${dest}" | awk -F: '{print $2}')
+			topic=$(echo "${URL}" | sed  's/^.*:'"${port}"'/\1/g')
+		fi
 	fi
 
-	offered_proto=""
 	if [ "${proto}" == "mqtt" ] || [ "${proto}" == "mqtts" ]; then
 		offered_proto="MQTT"
+		if [ "${proto}" == "mqtt" ]; then
+			mtp_encrypt="TCP/IP"
+		else
+			mtp_encrypt="TLS"
+		fi
 	elif [ "${proto}" == "ws" ] || [ "${proto}" == "wss" ]; then
 		offered_proto="WebSocket"
-	else
-		return 0
+		if [ "${proto}" == "wss" ]; then
+			mtp_encrypt="1"
+		else
+			mtp_encrypt="0"
+		fi
+	fi
+
+	controllers=$(uci -q show obuspa | grep "=controller" | cut -d'=' -f1 | cut -d'.' -f2)
+	for controller in $controllers; do
+		dhcp_disc=$(uci -q get obuspa.$controller.dhcp_discovered)
+		if [ "${dhcp_disc}" -eq 1 ]; then
+			dhcp_controller="${controller}"
+			break
+		fi
+	done
+
+	if [ -n "${dhcp_controller}" ]; then
+		cont_proto="$(uci -q get obuspa.$dhcp_controller.Protocol)"
+		if [ "${cont_proto}" == "MQTT" ]; then
+			dhcp_mqtt="$(uci -q get obuspa.$dhcp_controller.mqtt)"
+
+			mtps=$(uci -q show obuspa | grep "=mtp" | cut -d'=' -f1 | cut -d'.' -f2)
+			for mtp in $mtps; do
+				mtp_mqtt="$(uci -q get obuspa.$mtp.mqtt)"
+				if [ "${mtp_mqtt}" == "${dhcp_mqtt}" ]; then
+					dhcp_mtp="${mtp}"
+					break
+				fi
+			done
+		elif [ "${cont_proto}" == "WebSocket" ]; then
+			cont_port="$(uci -q get obuspa.$dhcp_controller.Port)"
+			cont_encr="$(uci -q get obuspa.$dhcp_controller.EnableEncryption)"
+
+			mtps=$(uci -q show obuspa | grep "=mtp" | cut -d'=' -f1 | cut -d'.' -f2)
+			for mtp in $mtps; do
+				mtp_port="$(uci -q get obuspa.$mtp.Port)"
+				mtp_encr="$(uci -q get obuspa.$mtp.EnableEncryption)"
+				if [ "${mtp_port}" == "${cont_port}" ] && [ "${mtp_encr}" == "${cont_encr}" ]; then
+					dhcp_mtp="${mtp}"
+					break
+				fi
+			done
+		fi
 	fi
 
 	uci_change=0
-	mtp_encrypt="0"
-	## Handling of controller section
-	ct_endpoint=$(uci -q get obuspa.dhcpcontroller.EndpointID)
-	ct_proto=$(uci -q get obuspa.dhcpcontroller.Protocol)
-	ct_topic=$(uci -q get obuspa.dhcpcontroller.Topic)
-	ct_enable=$(uci -q get obuspa.dhcpcontroller.Enable)
-	ct_prov=$(uci -q get obuspa.dhcpcontroller.ProvisioningCode)
+	proto_changed="0"
+
+	if [ -n "${dhcp_controller}" ]; then
+		## Handling of controller section
+		ct_endpoint=$(uci -q get obuspa.$dhcp_controller.EndpointID)
+		ct_proto=$(uci -q get obuspa.$dhcp_controller.Protocol)
+		ct_prov=$(uci -q get obuspa.$dhcp_controller.ProvisioningCode)
+
+		if [ "${ct_proto}" = "MQTT" ]; then
+			ct_topic=$(uci -q get obuspa.$dhcp_controller.Topic)
+		else
+			ct_topic=$(uci -q get obuspa.$dhcp_controller.Path)
+		fi
+
+		if [ -n "${ENDPOINT_ID}" ] && [ "${ct_endpoint}" != "${ENDPOINT_ID}" ]; then
+			uci -q set obuspa.$dhcp_controller.EndpointID="${ENDPOINT_ID}"
+			uci_change=1
+		fi
+
+		if [ -n "${offered_proto}" ] && [ "${ct_proto}" != "${offered_proto}" ]; then
+			uci -q set obuspa.$dhcp_controller.Protocol="${offered_proto}"
+			if [ "${offered_proto}" != "MQTT" ]; then
+				uci -q set obuspa.$dhcp_controller.mqtt=""
+				uci -q set obuspa.$dhcp_controller.Topic=""
+				uci -q set obuspa.$dhcp_controller.Host="${ip}"
+				uci -q set obuspa.$dhcp_controller.Port="${port}"
+				uci -q set obuspa.$dhcp_controller.Path="${ct_topic}"
+				uci -q set obuspa.$dhcp_controller.EnableEncryption="${mtp_encrypt}"
+			else
+				uci -q set obuspa.$dhcp_controller.EnableEncryption=""
+				uci -q set obuspa.$dhcp_controller.Path=""
+				uci -q set obuspa.$dhcp_controller.Host=""
+				uci -q set obuspa.$dhcp_controller.Port=""
+
+				if [ -z "${dhcp_mqtt}" ]; then
+					uci -q set obuspa.$dhcp_controller.mqtt='dhcpmqtt'
+				else
+					uci -q set obuspa.$dhcp_controller.mqtt="${dhcp_mqtt}"
+				fi
+
+				uci -q set obuspa.$dhcp_controller.Topic="${ct_topic}"
+			fi
+
+			proto_changed=1
+			uci_change=1
+		fi
+
+		if [ -n "${topic}" ] && [ "${ct_topic}" != "${topic}" ]; then
+			protocol="${ct_proto}"
+			if [ -n "${offered_proto}" ]; then
+				protocol="${offered_proto}"
+			fi
+
+			if [ "${protocol}" == "MQTT" ]; then
+				uci -q set obuspa.$dhcp_controller.Topic="${topic}"
+			else
+				uci -q set obuspa.$dhcp_controller.Path="${topic}"
+			fi
+
+			uci_change=1
+		fi
+
+		if [ -n "${PROV_CODE}" ] && [ "${ct_prov}" != "${PROV_CODE}" ]; then
+			uci -q set obuspa.$dhcp_controller.ProvisioningCode="${PROV_CODE}"
+			uci_change=1
+		fi
+
+		if [ "${proto_changed}" -eq 1 ]; then
+			if [ "${offered_proto}" == "WebSocket" ]; then
+				if [ -n "${dhcp_mqtt}" ]; then
+					uci -q del obuspa.$dhcp_mqtt
+				fi
+
+				if [ -z "${dhcp_mtp}" ]; then
+					sec=$(uci -q add obuspa mtp)
+					uci -q rename obuspa."${sec}"='dhcpmtp'
+					dhcp_mtp="dhcpmtp"
+					uci -q set obuspa.$dhcp_mtp.Enable='1'
+				fi
+
+				uci -q set obuspa.$dhcp_mtp.mqtt=''
+				uci -q set obuspa.$dhcp_mtp.ResponseTopicConfigured=''
+				uci -q set obuspa.$dhcp_mtp.Protocol='WebSocket'
+				uci -q set obuspa.$dhcp_mtp.Port="${port}"
+				uci -q set obuspa.$dhcp_mtp.EnableEncryption="${mtp_encrypt}"
+
+				uci_change=1
+			else
+				if [ -z "${dhcp_mqtt}" ]; then
+					user="$(uci -q get obuspa.global.username)"
+					pass="$(uci -q get obuspa.global.password)"
+
+					sec=$(uci -q add obuspa mqtt)
+					uci -q rename obuspa."${sec}"='dhcpmqtt'
+					dhcp_mqtt="dhcpmqtt"
+					uci -q set obuspa.$dhcp_mqtt.Enable='1'
+					uci -q set obuspa.$dhcp_mqtt.Username="${user}"
+					uci -q set obuspa.$dhcp_mqtt.Password="${pass}"
+				fi
+
+				uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}"
+				uci -q set obuspa.$dhcp_mqtt.BrokerPort="${port}"
+				uci -q set obuspa.$dhcp_mqtt.TransportProtocol="${mtp_encrypt}"
+				uci -q set obuspa.$dhcp_mqtt.ProtocolVersion='5.0'
+
+				if [ -z "${dhcp_mtp}" ]; then
+					sec=$(uci -q add obuspa mtp)
+					uci -q rename obuspa."${sec}"='dhcpmtp'
+					dhcp_mtp="dhcpmtp"
+					uci -q set obuspa.$dhcp_mtp.Enable='1'
+				fi
+
+				agent_topic=$(get_agent_topic)
+				uci -q set obuspa.$dhcp_mtp.Port=""
+				uci -q set obuspa.$dhcp_mtp.EnableEncryption=""
+				uci -q set obuspa.$dhcp_mtp.Protocol='MQTT'
+				uci -q set obuspa.$dhcp_mtp.ResponseTopicConfigured="${agent_topic}"
+				uci -q set obuspa.$dhcp_mtp.mqtt="${dhcp_mqtt}"
+
+				uci_change=1
+			fi
+		else
+			if [ "${ct_proto}" == "WebSocket" ]; then
+				conf_ip="$(uci -q get obuspa.$dhcp_controller.Host)"
+				conf_port="$(uci -q get obuspa.$dhcp_mtp.Port)"
+				conf_encr="$(uci -q get obuspa.$dhcp_mtp.EnableEncryption)"
+
+				if [ -n "${ip}" ] && [ "${conf_ip}" != "${ip}" ]; then
+					uci -q set obuspa.$dhcp_controller.Host="${ip}"
+					uci_change=1
+				fi
+
+				if [ -n "${port}" ] && [ "${conf_port}" != "${port}" ]; then
+					uci -q set obuspa.$dhcp_mtp.Port="${port}"
+					uci -q set obuspa.$dhcp_controller.Port="${port}"
+					uci_change=1
+				fi
+
+				if [ -n "${mtp_encrypt}" ] && [ "${conf_encr}" != "${mtp_encrypt}" ]; then
+					uci -q set obuspa.$dhcp_mtp.EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa.$dhcp_controller.EnableEncryption="${mtp_encrypt}"
+					uci_change=1
+				fi
+			else
+				conf_ip="$(uci -q get obuspa.$dhcp_mqtt.BrokerAddress)"
+				conf_port="$(uci -q get obuspa.$dhcp_mqtt.BrokerPort)"
+				conf_encr="$(uci -q get obuspa.$dhcp_mqtt.TransportProtocol)"
+
+				if [ -n "${port}" ] && [ "${conf_port}" != "${port}" ]; then
+					uci -q set obuspa.$dhcp_mqtt.BrokerPort="${port}"
+					uci_change=1
+				fi
+
+				if [ -n "${mtp_encrypt}" ] && [ "${conf_encr}" != "${mtp_encrypt}" ]; then
+					uci -q set obuspa.$dhcp_mqtt.TransportProtocol="${mtp_encrypt}"
+					uci_change=1
+				fi
+
+				if [ -n "${ip}" ] && [ "${conf_ip}" != "${ip}" ]; then
+					uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}"
+					uci_change=1
+				fi
+			fi
+		fi
+	else
+		uci -q del obuspa.dhcpmtp
+		uci -q del obuspa.dhcpmqtt
 
-	if [ "${ct_endpoint}" != "${ENDPOINT_ID}" ] || [ "${ct_proto}" != "${offered_proto}" ] || [ "${ct_topic}" != "${topic}" ] || [ "${ct_enable}" != "1" ] || [ "${ct_prov}" != "${PROV_CODE}" ]; then
-		uci -q del obuspa.dhcpcontroller
 		sec=$(uci -q add obuspa controller)
 		uci -q rename obuspa."${sec}"='dhcpcontroller'
+		uci -q set obuspa.dhcpcontroller.dhcp_discovered="1"
 		uci -q set obuspa.dhcpcontroller.EndpointID="${ENDPOINT_ID}"
 		uci -q set obuspa.dhcpcontroller.ProvisioningCode="${PROV_CODE}"
 		uci -q set obuspa.dhcpcontroller.Protocol="${offered_proto}"
-		if [ "${offered_proto}" == "MQTT" ]; then
-			uci -q set obuspa.dhcpcontroller.Topic="${topic}"
-			uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt'
-		else
-			uci -q set obuspa.dhcpcontroller.Path="${topic}"
-			uci -q set obuspa.dhcpcontroller.Host="${ip}"
-			uci -q set obuspa.dhcpcontroller.Port="${port}"
-			if [ "${proto}" == "wss" ]; then
-				uci -q set obuspa.dhcpcontroller.EnableEncryption='1'
-				mtp_encrypt="1"
+		uci -q set obuspa.dhcpcontroller.assigned_role_name="$(get_access_role)"
+		uci -q set obuspa.dhcpcontroller.Enable='1'
+
+		if [ -n "${offered_proto}" ]; then
+			if [ "${offered_proto}" == "MQTT" ]; then
+				user="$(uci -q get obuspa.global.username)"
+				pass="$(uci -q get obuspa.global.password)"
+
+				uci -q set obuspa.dhcpcontroller.Topic="${topic}"
+				uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt'
+
+				sec=$(uci -q add obuspa mqtt)
+				uci -q rename obuspa."${sec}"='dhcpmqtt'
+				uci -q set obuspa.dhcpmqtt.BrokerAddress="${ip}"
+				uci -q set obuspa.dhcpmqtt.BrokerPort="${port}"
+				uci -q set obuspa.dhcpmqtt.TransportProtocol="${mtp_encrypt}"
+				uci -q set obuspa.dhcpmqtt.Enable='1'
+				uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0'
+				uci -q set obuspa.dhcpmqtt.Username="${user}"
+				uci -q set obuspa.dhcpmqtt.Password="${pass}"
+
+
+				agent_topic=$(get_agent_topic)
+				sec=$(uci -q add obuspa mtp)
+				uci -q rename obuspa."${sec}"='dhcpmtp'
+				uci -q set obuspa.dhcpmtp.Protocol='MQTT'
+				uci -q set obuspa.dhcpmtp.ResponseTopicConfigured="${agent_topic}"
+				uci -q set obuspa.dhcpmtp.Enable='1'
+				uci -q set obuspa.dhcpmtp.mqtt='dhcpmqtt'
 			else
-				uci -q set obuspa.dhcpcontroller.EnableEncryption='0'
-				mtp_encrypt="0"
+				uci -q set obuspa.dhcpcontroller.Path="${topic}"
+				uci -q set obuspa.dhcpcontroller.Host="${ip}"
+				uci -q set obuspa.dhcpcontroller.Port="${port}"
+				uci -q set obuspa.dhcpcontroller.EnableEncryption="${mtp_encrypt}"
+
+				sec=$(uci -q add obuspa mtp)
+				uci -q rename obuspa."${sec}"='dhcpmtp'
+
+				uci -q set obuspa.dhcpmtp.Protocol='WebSocket'
+				uci -q set obuspa.dhcpmtp.Port="${port}"
+				uci -q set obuspa.dhcpmtp.Enable='1'
+				uci -q set obuspa.dhcpmtp.EnableEncryption="${mtp_encrypt}"
 			fi
 		fi
 
-		uci -q set obuspa.dhcpcontroller.assigned_role_name="$(get_access_role)"
-		uci -q set obuspa.dhcpcontroller.Enable='1'
 		uci_change=1
 	fi
 
-	if [ "${offered_proto}" == "WebSocket" ]; then
-		ex_mqtt=$(uci -q get obuspa.dhcpmqtt)
-		if [ -n "${ex_mqtt}" ]; then
-			uci -q del obuspa.dhcpmqtt
-			uci_change=1
-		fi
-
-		## Handling of mtp section
-		ct_proto=$(uci -q get obuspa.dhcpmtp.Protocol)
-		ct_port=$(uci -q get obuspa.dhcpmtp.Port)
-		ct_enable=$(uci -q get obuspa.dhcpmtp.Enable)
-		ct_encrypt=$(uci -q get obuspa.dhcpmtp.EnableEncryption)
-
-		if [ "${ct_proto}" != "WebSocket" ] || [ "${ct_port}" != "${port}" ] || [ "${ct_enable}" != "1" ] || [ "${ct_encrypt}" != "${mtp_encrypt}" ]; then
-			uci -q del obuspa.dhcpmtp
-			sec=$(uci -q add obuspa mtp)
-			uci -q rename obuspa."${sec}"='dhcpmtp'
-			uci -q set obuspa.dhcpmtp.Protocol='WebSocket'
-			uci -q set obuspa.dhcpmtp.Port="${port}"
-			uci -q set obuspa.dhcpmtp.Enable='1'
-			uci -q set obuspa.dhcpmtp.EnableEncryption="${mtp_encrypt}"
-			uci_change=1
-		fi
-	else
-		if [ "${proto}" == "mqtt" ]; then
-			transport_proto="TCP/IP"
-		else
-			transport_proto="TLS"
-		fi
-
-		## Handling of mqtt section
-		ct_address=$(uci -q get obuspa.dhcpmqtt.BrokerAddress)
-		ct_port=$(uci -q get obuspa.dhcpmqtt.BrokerPort)
-		ct_proto=$(uci -q get obuspa.dhcpmqtt.TransportProtocol)
-		ct_enable=$(uci -q get obuspa.dhcpmqtt.Enable)
-		ct_ver=$(uci -q get obuspa.dhcpmqtt.ProtocolVersion)
-
-		if [ "${ct_address}" != "${ip}" ] || [ "${ct_port}" != "${port}" ] || [ "${ct_proto}" != "${transport_proto}" ] || [ "${ct_enable}" != "1" ] || [ "${ct_ver}" != "5.0" ]; then
-			uci -q del obuspa.dhcpmqtt
-			sec=$(uci -q add obuspa mqtt)
-			uci -q rename obuspa."${sec}"='dhcpmqtt'
-			uci -q set obuspa.dhcpmqtt.BrokerAddress="${ip}"
-			uci -q set obuspa.dhcpmqtt.BrokerPort="${port}"
-			uci -q set obuspa.dhcpmqtt.TransportProtocol="${transport_proto}"
-			uci -q set obuspa.dhcpmqtt.Enable='1'
-			uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0'
-			uci_change=1
-		fi
-
-		## Handling of mtp section
-		ct_proto=$(uci -q get obuspa.dhcpmtp.Protocol)
-		ct_topic=$(uci -q get obuspa.dhcpmtp.ResponseTopicConfigured)
-		ct_enable=$(uci -q get obuspa.dhcpmtp.Enable)
-
-		config_load obuspa
-		config_get AgentEndpointID localagent EndpointID ""
-		if [ -z "${AgentEndpointID}" ]; then
-			serial=$(get_serial_from_db)
-			oui=$(get_oui_from_db)
-			AgentEndpointID=$(echo "${oui}-${serial//+/%2B}")
-		fi
-
-		topic_base=$(echo "${AgentEndpointID}" | sed -E 's/[^[:alnum:]]/_/g')
-		agent_topic="/usp/${topic_base}/endpoint"
-
-		if [ "${ct_proto}" != "MQTT" ] || [ "${ct_topic}" != "${agent_topic}" ] || [ "${ct_enable}" != "1" ]; then
-			uci -q del obuspa.dhcpmtp
-			sec=$(uci -q add obuspa mtp)
-			uci -q rename obuspa."${sec}"='dhcpmtp'
-			uci -q set obuspa.dhcpmtp.Protocol='MQTT'
-			uci -q set obuspa.dhcpmtp.ResponseTopicConfigured="${agent_topic}"
-			uci -q set obuspa.dhcpmtp.Enable='1'
-			uci -q set obuspa.dhcpmtp.mqtt='dhcpmqtt'
-			uci_change=1
-		fi
-	fi
-
 	if [ ${uci_change} -eq 1 ]; then
 		log "# Reloading obuspa as dhcp config changed"
 		ubus call uci commit '{"config":"obuspa"}'

obuspa/files/etc/users/roles/extender.json

@@ -1,5 +1,7 @@
 {
   "tr181": {
+    "name": "extender",
+    "instance": 3,
     "permission": [
       {
         "object": "Device.",

obuspa/files/etc/users/roles/full_access.json

@@ -1,12 +0,0 @@
-{
-  "tr181": {
-    "permission": [
-      {
-        "object": "Device.",
-        "perm": [
-          "PERMIT_ALL"
-        ]
-      }
-    ]
-  }
-}

obuspa/patches/0004-bulkdata_extn.patch

@@ -455,16 +455,37 @@ index 915b282..f799793 100755
  
      // From the point of view of this code, the report(s) have been successfully sent, so don't retain them
      // NOTE: Sending of the reports successfully is delegated to the USP notification retry mechanism
-@@ -2547,7 +2729,7 @@ void bulkdata_process_profile_mqtt(bulkdata_profile_t *bp)
+@@ -2547,11 +2729,24 @@ void bulkdata_process_profile_mqtt(bulkdata_profile_t *bp)
      }
  
      // Exit if unable to generate the report
 -    report = bulkdata_generate_json_report(bp, ctrl.report_timestamp);
-+    report = bulkdata_generate_json_report(bp, ctrl.report_timestamp, ctrl.report_format);
-     if (report == NULL)
-     {
- 	    USP_ERR_SetMessage("%s: bulkdata_generate_json_report failed", __FUNCTION__);
-@@ -2762,7 +2944,7 @@ int bulkdata_reduce_to_alt_name(char *spec, char *path, char *alt_name, char *ou
+-    if (report == NULL)
+-    {
+-	    USP_ERR_SetMessage("%s: bulkdata_generate_json_report failed", __FUNCTION__);
+-	    return;
++    if (strcmp(ctrl.encoding_type, BULKDATA_ENCODING_TYPE_JSON) == 0) {
++        report = bulkdata_generate_json_report(bp, ctrl.report_timestamp, ctrl.report_format);
++        if (report == NULL)
++        {
++            USP_ERR_SetMessage("%s: bulkdata_generate_json_report failed", __FUNCTION__);
++            return;
++        }
++    } else if (strcmp(ctrl.encoding_type, BULKDATA_ENCODING_TYPE_CSV) == 0) {
++        report = bulkdata_generate_csv_report(bp, ctrl.field_separator, ctrl.row_separator, ctrl.escape_char,
++					      ctrl.csv_format, ctrl.row_timestamp);
++        if (report == NULL)
++        {
++            USP_ERR_SetMessage("%s: bulkdata_generate_csv_report failed", __FUNCTION__);
++            return;
++        }
++    } else {
++        USP_ERR_SetMessage("%s: bulkdata invalid report encoding type %s", __FUNCTION__, ctrl.encoding_type);
++        return;
+     }
+
+     // Print out the JSON report, if debugging is enabled
+@@ -2762,7 +2957,7 @@ int bulkdata_reduce_to_alt_name(char *spec, char *path, char *alt_name, char *ou
  ** \return  pointer to NULL terminated dynamically allocated buffer containing the serialized report to send
  **
  **************************************************************************/
@@ -473,7 +494,7 @@ index 915b282..f799793 100755
  {
      JsonNode *top;          // top of report
      JsonNode *array;        // array of reports (retained + current)
-@@ -2867,6 +3049,483 @@ char *bulkdata_generate_json_report(bulkdata_profile_t *bp, char *report_timesta
+@@ -2867,6 +3062,483 @@ char *bulkdata_generate_json_report(bulkdata_profile_t *bp, char *report_timesta
      return result;
  }
  
@@ -957,7 +978,7 @@ index 915b282..f799793 100755
  /*********************************************************************//**
  **
  **  bulkdata_compress_report
-@@ -3070,6 +3729,20 @@ int bulkdata_schedule_sending_http_report(profile_ctrl_params_t *ctrl, bulkdata_
+@@ -3070,6 +3742,20 @@ int bulkdata_schedule_sending_http_report(profile_ctrl_params_t *ctrl, bulkdata_
          flags |= BDC_FLAG_DATE_HEADER;
      }
  

obuspa/patches/0005-CTrust-SecureRoles.patch

@@ -0,0 +1,562 @@
+Index: obuspa-9.0.4.3/src/core/data_model.c
+===================================================================
+--- obuspa-9.0.4.3.orig/src/core/data_model.c
++++ obuspa-9.0.4.3/src/core/data_model.c
+@@ -57,6 +57,7 @@
+ #include "iso8601.h"
+ #include "group_get_vector.h"
+ #include "plugin.h"
++#include "device_ctrust.h"
+ 
+ #ifdef ENABLE_COAP
+ #include "usp_coap.h"
+@@ -507,6 +508,14 @@ int DATA_MODEL_GetParameterValue(char *p
+         return USP_ERR_INVALID_PATH;
+     }
+ 
++    // Check if the parameter is secured and the controller has a secured role, and if the SHOW_PASSWORD flag is not set
++    if (!(flags & SHOW_PASSWORD) && node->registered.param_info.type_flags & DM_SECURE && !DEVICE_CTRUST_IsControllerSecured())
++    {
++        // Return an empty string for secured parameters when controller doesn't have secured role
++        *buf = '\0';
++        return USP_ERR_OK;
++    }
++
+     // NOTE: We do not check 'is_qualified_instance' here, because the only time it would be unqualified, is if the
+     //       path represented a multi-instance object. If path does represent this, then it will be caught below (switch statement)
+ 
+@@ -537,8 +546,8 @@ int DATA_MODEL_GetParameterValue(char *p
+             break;
+ 
+         case kDMNodeType_DBParam_Secure:
+-            // Return an empty string, if special flag is not set
+-            if ((flags & SHOW_PASSWORD)==0)
++	    // Return an empty string if the parameter is secured and the controller has a secured role, and if the SHOW_PASSWORD flag is not set
++            if (!(flags & SHOW_PASSWORD) && node->registered.param_info.type_flags & DM_SECURE && !DEVICE_CTRUST_IsControllerSecured())
+             {
+                 *buf = '\0';
+                 break;
+Index: obuspa-9.0.4.3/src/core/device_ctrust.c
+===================================================================
+--- obuspa-9.0.4.3.orig/src/core/device_ctrust.c
++++ obuspa-9.0.4.3/src/core/device_ctrust.c
+@@ -64,6 +64,7 @@
+ #include "text_utils.h"
+ #include "dm_inst_vector.h"
+ #include "database.h"
++#include "device_ctrust.h"
+ 
+ //------------------------------------------------------------------------------
+ // Location of the controller trust tables within the data model
+@@ -228,6 +229,7 @@ credential_t *FindCredentialByCertInstan
+ int Get_CredentialRole(dm_req_t *req, char *buf, int len);
+ int Get_CredentialCertificate(dm_req_t *req, char *buf, int len);
+ int Get_CredentialNumEntries(dm_req_t *req, char *buf, int len);
++int Validate_SecuredRoles(dm_req_t *req, char *value);
+ 
+ #ifndef REMOVE_DEVICE_SECURITY
+ int InitChallengeTable();
+@@ -347,6 +349,10 @@ int DEVICE_CTRUST_Init(void)
+                         challenge_response_input_args, NUM_ELEM(challenge_response_input_args),
+                         NULL, 0);
+ #endif
++
++    // Register Device.LocalAgent.ControllerTrust.SecuredRoles parameter
++    err |= USP_REGISTER_DBParam_ReadWrite(DEVICE_CTRUST_ROOT ".SecuredRoles", "", Validate_SecuredRoles, NULL, DM_STRING);
++
+     // Exit if any errors occurred
+     if (err != USP_ERR_OK)
+     {
+@@ -2793,3 +2799,128 @@ exit:
+     return err;
+ }
+ #endif // REMOVE_DEVICE_SECURITY
++
++
++/*********************************************************************//**
++**
++** Validate_SecuredRoles
++**
++** Validates Device.LocalAgent.ControllerTrust.SecuredRoles
++** Each list item MUST be the Path Name of a row in the Device.LocalAgent.ControllerTrust.Role table
++**
++** \param   req - pointer to structure identifying the parameter
++** \param   value - value that the controller would like to set the parameter to
++**
++** \return  USP_ERR_OK if successful
++**
++**************************************************************************/
++int Validate_SecuredRoles(dm_req_t *req, char *value)
++{
++    char *role_path;
++    char *saveptr;
++    char *str;
++    char temp[MAX_DM_PATH];
++    int role_instance;
++    int err;
++
++    // Empty string is valid
++    if (*value == '\0')
++    {
++        return USP_ERR_OK;
++    }
++
++    // Copy the value as strtok_r modifies the string
++    USP_STRNCPY(temp, value, sizeof(temp));
++
++    // Iterate through comma-separated list
++    str = temp;
++    role_path = strtok_r(str, ",", &saveptr);
++    while (role_path != NULL)
++    {
++        // Trim whitespace
++        role_path = TEXT_UTILS_TrimBuffer(role_path);
++
++        // Verify that this path exists in the Role table using DM_ACCESS_ValidateReference
++        err = DM_ACCESS_ValidateReference(role_path, "Device.LocalAgent.ControllerTrust.Role.{i}", &role_instance);
++        if (err != USP_ERR_OK)
++        {
++            USP_ERR_SetMessage("%s: Role path '%s' does not exist in Device.LocalAgent.ControllerTrust.Role table", __FUNCTION__, role_path);
++            return USP_ERR_INVALID_VALUE;
++        }
++
++        role_path = strtok_r(NULL, ",", &saveptr);
++    }
++
++    return USP_ERR_OK;
++}
++
++/*********************************************************************//**
++**
++** DEVICE_CTRUST_IsControllerSecured
++**
++** Determines whether the specified controller has a secured role
++**
++** \param   combined_role - pointer to structure containing the role indexes for this controller
++**
++** \return  true if the controller has a secured role, false otherwise
++**
++**************************************************************************/
++bool DEVICE_CTRUST_IsControllerSecured()
++{
++    char secured_roles[MAX_DM_PATH];
++    char *role_path;
++    char *saveptr;
++    char *str;
++    char temp[MAX_DM_PATH];
++    int err;
++    role_t *role;
++    int role_instance;
++    combined_role_t combined_role;
++
++    // Exit if unable to get the secured roles
++    err = DATA_MODEL_GetParameterValue("Device.LocalAgent.ControllerTrust.SecuredRoles", secured_roles, sizeof(secured_roles), 0);
++    if (err != USP_ERR_OK)
++    {
++        return false;
++    }
++
++    // Empty string means no secured roles
++    if (*secured_roles == '\0')
++    {
++        return false;
++    }
++
++    MSG_HANDLER_GetMsgRole(&combined_role);
++    // Copy the value as strtok_r modifies the string
++    USP_STRNCPY(temp, secured_roles, sizeof(temp));
++
++    // Iterate through comma-separated list
++    str = temp;
++    role_path = strtok_r(str, ",", &saveptr);
++    while (role_path != NULL)
++    {
++        // Trim whitespace
++        role_path = TEXT_UTILS_TrimBuffer(role_path);
++
++        // Extract the instance number from the role path
++        err = DM_ACCESS_ValidateReference(role_path, "Device.LocalAgent.ControllerTrust.Role.{i}", &role_instance);
++        if (err == USP_ERR_OK)
++        {
++            // Find the role in our internal array
++            role = FindRoleByInstance(role_instance);
++            if (role != NULL)
++            {
++                // Check if this role matches either the inherited or assigned role
++                if ((role - roles == combined_role.inherited_index) ||
++                    (role - roles == combined_role.assigned_index))
++                {
++                    return true;
++                }
++            }
++        }
++
++        role_path = strtok_r(NULL, ",", &saveptr);
++    }
++
++    return false;
++}
+Index: obuspa-9.0.4.3/src/core/device_ctrust.h
+===================================================================
+--- /dev/null
++++ obuspa-9.0.4.3/src/core/device_ctrust.h
+@@ -0,0 +1,48 @@
++/*
++ *
++ * Copyright (C) 2019-2025, Broadband Forum
++ * Copyright (C) 2016-2025,  CommScope, Inc
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * 3. Neither the name of the copyright holder nor the names of its
++ *    contributors may be used to endorse or promote products derived from
++ *    this software without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
++ * THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/**
++ * \file device_ctrust.h
++ *
++ * Header file containing the API functions provided by Controller Trust component
++ *
++ */
++#ifndef DEVICE_CTRUST_H
++#define DEVICE_CTRUST_H
++
++#include "device.h"
++
++bool DEVICE_CTRUST_IsControllerSecured(void);
++
++#endif
+Index: obuspa-9.0.4.3/src/include/usp_api.h
+===================================================================
+--- obuspa-9.0.4.3.orig/src/include/usp_api.h
++++ obuspa-9.0.4.3/src/include/usp_api.h
+@@ -418,6 +418,7 @@ typedef struct
+ #define DM_DECIMAL      0x00000100      // 64 bit floating point number (double)
+ #define DM_LONG         0x00000200      // 64 bit signed integer (long long)
+ #define DM_VALUE_CHANGE_WILL_IGNORE  0x00000400 // Do not emit value change notifications for this parameter
++#define DM_SECURE       0x00000800      // secure parameter
+ 
+ //-------------------------------------------------------------------------
+ // Functions to register the data model
+Index: obuspa-9.0.4.3/src/core/group_get_vector.c
+===================================================================
+--- obuspa-9.0.4.3.orig/src/core/group_get_vector.c
++++ obuspa-9.0.4.3/src/core/group_get_vector.c
+@@ -49,6 +49,16 @@
+ #include "group_get_vector.h"
+ #include "int_vector.h"
+ #include "data_model.h"
++#include "device_ctrust.h"   // Added to use DEVICE_CTRUST_IsControllerSecured()
++
++//------------------------------------------------------------------------------
++// New function to check secure flag and controller state
++static int IsSecuredParamNotAccessible(char *path)
++{
++    dm_instances_t inst;
++    dm_node_t *node = DM_PRIV_GetNodeFromPath(path, &inst, NULL, 0);
++    return (node && (node->registered.param_info.type_flags & DM_SECURE) && !DEVICE_CTRUST_IsControllerSecured());
++}
+ 
+ //------------------------------------------------------------------------------
+ // Forward declarations. Note these are not static, because we need them in the symbol table for USP_LOG_Callstack() to show them
+@@ -282,14 +292,14 @@ void GROUP_GET_VECTOR_GetValues(group_ge
+     return;
+ #endif
+ 
+-    // Iterate over all parameters, getting them if non grouped, otherwise adding them to the relevant group to get
++    // Iterate over all parameters, getting them if non-grouped, otherwise adding them to the relevant group to get
+     memset(ggv_indexes, 0, sizeof(ggv_indexes));
+     for (i=0; i < ggv->num_entries; i++)
+     {
+         gge = &ggv->vector[i];
+         if (gge->group_id == NON_GROUPED)
+         {
+-            // If the parameter is not grouped, then get its value now.
++            // For non-grouped parameters, directly call DATA_MODEL_GetParameterValue which handles secure parameters internally
+             gge->err_code = DATA_MODEL_GetParameterValue(gge->path, buf, sizeof(buf), 0);
+             if (gge->err_code != USP_ERR_OK)
+             {
+@@ -320,7 +330,6 @@ void GROUP_GET_VECTOR_GetValues(group_ge
+                 chunk_size = MIN(GROUP_GET_CHUNK_SIZE, iv->num_entries - start_index);
+                 GetParameterGroup(i, ggv, iv, start_index, chunk_size);
+             }
+-
+         }
+     }
+ 
+@@ -378,88 +387,101 @@ void GetParameterGroup(int group_id, gro
+         return;
+     }
+ 
+-    // Add all parameters to get in this group to a key value vector
+-    // NOTE: We form the key value vector manually to avoid copying the param paths.
+-    //       Ownership of the param paths stay with the group get vector
+-    params.num_entries = chunk_size;
+-    params.vector = USP_MALLOC(sizeof(kv_pair_t) * chunk_size);
++    // Prepare a mapping for non-secure parameters and process secure ones directly
++    int non_secure_count = 0;
++    int *non_secure_map = USP_MALLOC(chunk_size * sizeof(int));
+     for (i=0; i < chunk_size; i++)
+     {
+         index = iv->vector[start_index + i];
+         gge = &ggv->vector[index];
+         USP_ASSERT(gge->path != NULL);
+-
+-        kv = &params.vector[i];
+-        kv->key = gge->path;
+-        kv->value = NULL;
++        if (IsSecuredParamNotAccessible(gge->path))
++        {
++            // For secure parameter when controller is not secured, return empty value
++            gge->value = USP_STRDUP("");
++            gge->err_code = USP_ERR_OK;
++        }
++        else
++        {
++            non_secure_map[non_secure_count] = index;
++            non_secure_count++;
++        }
+     }
+ 
+-    // Exit if group callback fails
+-    USP_ERR_ClearMessage();
+-    err = get_group_cb(group_id, &params);
+-    if (err != USP_ERR_OK)
++    // If there are non-secure parameters, call the group callback for them
++    if (non_secure_count > 0)
+     {
+-        // Mark all results for params in this group with an error
+-        usp_err_msg = USP_ERR_GetMessage();
+-        for (i=0; i < chunk_size; i++)
++        params.num_entries = non_secure_count;
++        params.vector = USP_MALLOC(sizeof(kv_pair_t) * non_secure_count);
++        for (i=0; i < non_secure_count; i++)
+         {
+-            index = iv->vector[start_index + i];
++            index = non_secure_map[i];
+             gge = &ggv->vector[index];
+-            gge->err_code = USP_ERR_INTERNAL_ERROR;
++            USP_ASSERT(gge->path != NULL);
++            kv = &params.vector[i];
++            kv->key = gge->path;
++            kv->value = NULL;
++        }
+ 
+-            // Assign an error message to this param
+-            if (usp_err_msg[0] != '\0')
+-            {
+-                gge->err_msg = USP_STRDUP(usp_err_msg);
+-            }
+-            else
++        USP_ERR_ClearMessage();
++        err = get_group_cb(group_id, &params);
++        if (err != USP_ERR_OK)
++        {
++            // Mark all non-secure results with an error
++            usp_err_msg = USP_ERR_GetMessage();
++            for (i=0; i < non_secure_count; i++)
+             {
+-                // Form an error message if none was provided
+-                USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback failed for param %s", __FUNCTION__, gge->path);
+-                gge->err_msg = USP_STRDUP(err_msg);
++                index = non_secure_map[i];
++                gge = &ggv->vector[index];
++                gge->err_code = USP_ERR_INTERNAL_ERROR;
++                if (usp_err_msg[0] != '\0')
++                {
++                    gge->err_msg = USP_STRDUP(usp_err_msg);
++                }
++                else
++                {
++                    USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback failed for param %s", __FUNCTION__, gge->path);
++                    gge->err_msg = USP_STRDUP(err_msg);
++                }
++                USP_SAFE_FREE(params.vector[i].value);
+             }
+-
+-            // NOTE: The group get might have populated a value for some params, so free these values
+-            USP_SAFE_FREE(params.vector[i].value);
++            USP_FREE(params.vector);
++            USP_FREE(non_secure_map);
++            return;
+         }
+-        goto exit;
+-    }
+ 
+-    // Move all parameter values obtained to the group get vector
+-    // NOTE: Ownership of the value string transfers from the params vector to the group get vector
+-    usp_err_msg = USP_ERR_GetMessage();
+-    empty_count = 0;
+-    for (i=0; i < chunk_size; i++)
+-    {
+-        kv = &params.vector[i];
+-        index = iv->vector[start_index + i];
+-        gge = &ggv->vector[index];
+-
+-        if (kv->value != NULL)
+-        {
+-            gge->value = kv->value;
+-        }
+-        else
++        // Move all parameter values obtained to the group get vector for non-secure parameters
++        usp_err_msg = USP_ERR_GetMessage();
++        empty_count = 0;
++        for (i=0; i < non_secure_count; i++)
+         {
+-            // If this is the first parameter with no value, and an error message has been set, then use the error message
+-            if ((usp_err_msg[0] != '\0') && (empty_count == 0))
++            index = non_secure_map[i];
++            gge = &ggv->vector[index];
++            kv = &params.vector[i];
++
++            if (kv->value != NULL)
+             {
+-                USP_SNPRINTF(err_msg, sizeof(err_msg), "%s", usp_err_msg);
++                gge->value = kv->value;
+             }
+             else
+             {
+-                USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path);
++                if ((usp_err_msg[0] != '\0') && (empty_count == 0))
++                {
++                    USP_SNPRINTF(err_msg, sizeof(err_msg), "%s", usp_err_msg);
++                }
++                else
++                {
++                    USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path);
++                }
++                gge->err_code = USP_ERR_INTERNAL_ERROR;
++                gge->err_msg = USP_STRDUP(err_msg);
++                empty_count++;
+             }
+-            gge->err_code = USP_ERR_INTERNAL_ERROR;
+-            gge->err_msg = USP_STRDUP(err_msg);
+-            empty_count++;
+         }
++        USP_FREE(params.vector);
+     }
+ 
+-exit:
+-    // Destroy the key-value vector.
+-    // As ownership of all strings in it have transferred to the group get vector, we only have to free the array itself
+-    USP_FREE(params.vector);
++    USP_FREE(non_secure_map);
+ }
+ 
+ /*********************************************************************//**
+@@ -486,9 +508,10 @@ void GetParametersIndividually(group_get
+     for (i=0; i < ggv->num_entries; i++)
+     {
+         gge = &ggv->vector[i];
++
+         if (gge->group_id == NON_GROUPED)
+         {
+-            // Non-grouped parameters can directly call DATA_MODEL_GetParameterValue()
++            // For non-grouped parameters, directly call DATA_MODEL_GetParameterValue which handles secure parameters internally
+             gge->err_code = DATA_MODEL_GetParameterValue(gge->path, buf, sizeof(buf), 0);
+             if (gge->err_code == USP_ERR_OK)
+             {
+@@ -497,42 +520,51 @@ void GetParametersIndividually(group_get
+         }
+         else
+         {
+-            // Grouped parameters cannot call DATA_MODEL_GetParameterValue(), as that would cause infinite recursion
+-            get_group_cb = group_vendor_hooks[gge->group_id].get_group_cb;
+-            if (get_group_cb == NULL)
++            // For grouped parameters, check if the parameter is secure and the controller is not secured
++            if (IsSecuredParamNotAccessible(gge->path))
+             {
+-                // Set an error message, if no group callback registered for this parameter
+-                USP_ERR_SetMessage("%s: No registered group callback to get param %s", __FUNCTION__, gge->path);
+-                gge->err_code = USP_ERR_INTERNAL_ERROR;
++                gge->value = USP_STRDUP("");
++                gge->err_code = USP_ERR_OK;
+             }
+             else
+             {
+-                // Get this grouped parameter individually using the group get callback
+-                pv.num_entries = 1;
+-                pv.vector = &param;
+-                param.key = gge->path;
+-                param.value = NULL;
+-
+-                USP_ERR_ClearMessage();
+-                gge->err_code = get_group_cb(gge->group_id, &pv);
+-                if (gge->err_code != USP_ERR_OK)
++                // Grouped parameters cannot call DATA_MODEL_GetParameterValue(), as that would cause infinite recursion
++                get_group_cb = group_vendor_hooks[gge->group_id].get_group_cb;
++                if (get_group_cb == NULL)
+                 {
+-                    USP_ERR_ReplaceEmptyMessage("%s: group get failed for '%s' (%s)", __FUNCTION__, gge->path, USP_ERR_UspErrToString(gge->err_code));
+-                    USP_SAFE_FREE(param.value)
++                    // Set an error message, if no group callback registered for this parameter
++                    USP_ERR_SetMessage("%s: No registered group callback to get param %s", __FUNCTION__, gge->path);
++                    gge->err_code = USP_ERR_INTERNAL_ERROR;
+                 }
+                 else
+                 {
+-                    if (param.value != NULL)
++                    // Get this grouped parameter individually using the group get callback
++                    pv.num_entries = 1;
++                    pv.vector = &param;
++                    param.key = gge->path;
++                    param.value = NULL;
++
++                    USP_ERR_ClearMessage();
++                    gge->err_code = get_group_cb(gge->group_id, &pv);
++                    if (gge->err_code != USP_ERR_OK)
+                     {
+-                        // Move ownership of the returned string from param.value to gge->value
+-                        gge->value = param.value;
+-                        param.value = NULL;  // not strictly necessary
++                        USP_ERR_ReplaceEmptyMessage("%s: group get failed for '%s' (%s)", __FUNCTION__, gge->path, USP_ERR_UspErrToString(gge->err_code));
++                        USP_SAFE_FREE(param.value)
+                     }
+                     else
+                     {
+-                        // If no value was returned, then this is also reported as an error in the group get array
+-                        USP_ERR_ReplaceEmptyMessage("%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path);
+-                        gge->err_code = USP_ERR_INTERNAL_ERROR;
++                        if (param.value != NULL)
++                        {
++                            // Move ownership of the returned string from param.value to gge->value
++                            gge->value = param.value;
++                            param.value = NULL;  // not strictly necessary
++                        }
++                        else
++                        {
++                            // If no value was returned, then this is also reported as an error in the group get array
++                            USP_ERR_ReplaceEmptyMessage("%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path);
++                            gge->err_code = USP_ERR_INTERNAL_ERROR;
++                        }
+                     }
+                 }
+             }
+@@ -545,3 +577,4 @@ void GetParametersIndividually(group_get
+         }
+     }
+ }
++

obuspa/patches/0006-contains-expression.patch

@@ -0,0 +1,121 @@
+Index: obuspa-9.0.4.11/src/core/expr_vector.c
+===================================================================
+--- obuspa-9.0.4.11.orig/src/core/expr_vector.c
++++ obuspa-9.0.4.11/src/core/expr_vector.c
+@@ -58,6 +58,7 @@ char *expr_op_2_str[kExprOp_Max] =
+     "<",  // kExprOp_LessThan
+     ">",  // kExprOp_GreaterThan
+     "=",  // kExprOp_Equals
++    "~=", // kExprOp_Contains
+ };
+ 
+ 
+@@ -482,6 +483,15 @@ char *SplitOnOperator(char *buf, expr_op
+         *op = '\0';
+         return &op[2];
+     }
++
++    // Exit if found the "~=" operator
++    op = strstr(buf, "~=");
++    if (op != NULL)
++    {
++        *p_op = kExprOp_Contains;
++        *op = '\0';
++        return &op[2];
++    }
+ 
+     // Exit if found the "<" operator
+     op = strchr(buf, '<');
+Index: obuspa-9.0.4.11/src/core/path_resolver.c
+===================================================================
+--- obuspa-9.0.4.11.orig/src/core/path_resolver.c
++++ obuspa-9.0.4.11/src/core/path_resolver.c
+@@ -1481,7 +1481,7 @@ int ResolveUniqueKey(char *resolved, cha
+     char temp[MAX_DM_PATH];
+     bool is_match;
+     bool is_ref_match;
+-    expr_op_t valid_ops[] = {kExprOp_Equal, kExprOp_NotEqual, kExprOp_LessThanOrEqual, kExprOp_GreaterThanOrEqual, kExprOp_LessThan, kExprOp_GreaterThan};
++    expr_op_t valid_ops[] = {kExprOp_Equal, kExprOp_NotEqual, kExprOp_LessThanOrEqual, kExprOp_GreaterThanOrEqual, kExprOp_LessThan, kExprOp_GreaterThan, kExprOp_Contains};
+     unsigned short permission_bitmask;
+ 
+     // Exit if unable to find the end of the unique key
+@@ -1815,6 +1815,67 @@ int DoUniqueKeysMatch(int index, search_
+         }
+         USP_ASSERT(gge->value != NULL);     // GROUP_GET_VECTOR_GetValues() should have set an error message if the vendor hook didn't set a value for the parameter
+ 
++        if (ec->op == kExprOp_Contains) {
++            // NOTE: There is no "list" flag defined for the key parameter, which should be a limitation at the moment.
++            // The code below assumes comma-separated values in the key parameter value for the "contains" operator
++            char *list_copy = USP_STRDUP(gge->value);
++            char *saveptr;
++            char *token;
++            bool found = false;
++
++            // Split the list and compare each element
++            token = strtok_r(list_copy, ",", &saveptr);
++            while (token != NULL)
++            {
++                // Trim whitespace from token
++                TEXT_UTILS_TrimBuffer(token);
++
++                // Compare based on type
++                if (type_flags & (DM_INT | DM_UINT | DM_ULONG | DM_LONG | DM_DECIMAL))
++                {
++                    err = DM_ACCESS_CompareNumber(token, kExprOp_Equal, ec->value, &result);
++                }
++                else if (type_flags & DM_BOOL)
++                {
++                    err = DM_ACCESS_CompareBool(token, kExprOp_Equal, ec->value, &result);
++                }
++                else if (type_flags & DM_DATETIME)
++                {
++                    err = DM_ACCESS_CompareDateTime(token, kExprOp_Equal, ec->value, &result);
++                }
++                else
++                {
++                    // Default string comparison
++                    err = DM_ACCESS_CompareString(token, kExprOp_Equal, ec->value, &result);
++                }
++
++                if (err != USP_ERR_OK)
++                {
++                    USP_FREE(list_copy);
++                    return err;
++                }
++
++                if (result)
++                {
++                    found = true;
++                    break;
++                }
++
++                token = strtok_r(NULL, ",", &saveptr);
++            }
++
++            USP_FREE(list_copy);
++
++            // Exit if element not found in list
++            if (!found)
++            {
++                return USP_ERR_OK;
++            }
++
++            // Skip the normal comparison since we already handled it
++            continue;
++        }
++
+         // Determine the function to call to perform the comparison
+         if (type_flags & (DM_INT | DM_UINT | DM_ULONG | DM_LONG | DM_DECIMAL))
+         {
+Index: obuspa-9.0.4.11/src/include/usp_api.h
+===================================================================
+--- obuspa-9.0.4.11.orig/src/include/usp_api.h
++++ obuspa-9.0.4.11/src/include/usp_api.h
+@@ -105,6 +105,7 @@ typedef enum
+     kExprOp_LessThan,               // '<'
+     kExprOp_GreaterThan,            // '>'
+     kExprOp_Equals,                 // '='
++    kExprOp_Contains,               // '~='
+ 
+     kExprOp_Max
+ } expr_op_t;

obuspa/patches/1002-mqtt-qos.patch

@@ -0,0 +1,11 @@
+--- a/src/core/device_bulkdata.c	2025-02-18 16:49:27.507575767 +0530
++++ b/src/core/device_bulkdata.c	2025-02-18 16:51:45.535693108 +0530
+@@ -374,6 +374,8 @@
+     // Device.BulkData.Profile.{i}.MQTT
+     err |= USP_REGISTER_DBParam_ReadWrite("Device.BulkData.Profile.{i}.MQTT.Reference", "", Validate_BulkDataMqttReference, NULL, DM_STRING);
+     err |= USP_REGISTER_DBParam_ReadWrite("Device.BulkData.Profile.{i}.MQTT.PublishTopic", "", NULL, NULL, DM_STRING);
++    err |= USP_REGISTER_DBParam_ReadWrite("Device.BulkData.Profile.{i}.MQTT.PublishQoS", TO_STR(MQTT_FALLBACK_QOS), NULL, NULL, DM_UINT);
++    err |= USP_REGISTER_DBParam_ReadWrite("Device.BulkData.Profile.{i}.MQTT.PublishRetain", "false", NULL, NULL, DM_BOOL);
+ #endif
+ 
+     // Register Push! Event

obuspa/patches/1003-ct-full-access-rename.patch

@@ -0,0 +1,13 @@
+diff --git a/src/core/data_model.c b/src/core/data_model.c
+index 360c5e2..136de0d 100644
+--- a/src/core/data_model.c
++++ b/src/core/data_model.c
+@@ -5180,7 +5180,7 @@ int RegisterDefaultControllerTrust(void)
+     int err = USP_ERR_OK;
+ 
+     // Register 'Full Access' role
+-    err |= USP_DM_RegisterRoleName(ROLE_FULL_ACCESS, "Full Access");
++    err |= USP_DM_RegisterRoleName(ROLE_FULL_ACCESS, "full_access");
+     err |= USP_DM_AddControllerTrustPermission(ROLE_FULL_ACCESS, dm_root, PERMIT_ALL);
+ 
+     // Register 'Untrusted' role

obuspc/files/etc/uci-defaults/100-add-mosquitto-listener

@@ -15,4 +15,3 @@ port=$(uci -q get uspc.mqtt.BrokerPort)
 uci -q set mosquitto.uspc.enabled="1"
 uci -q set mosquitto.uspc.port=$port
 uci -q set mosquitto.uspc.allow_anonymous="1"
-uci commit mosquitto

owsd/uproxy-files/etc/uci-defaults/60-owsd-ubusproxy

@@ -8,7 +8,6 @@ uci set owsd.ubusproxy.enable="1"
 uci set owsd.ubusproxy.peer_key="/etc/ubusx/ubusx_demo_only.key"
 uci set owsd.ubusproxy.peer_cert="/etc/ubusx/ubusx_demo_only.crt"
 uci set owsd.ubusproxy.peer_ca="/etc/ubusx/ubusxDemoCA.crt"
-uci commit owsd
 
 # do not create wan_https section if it exists already
 [ "$(uci -q get owsd.wan_https)" == "owsd-listen" ] && exit 0
@@ -25,5 +24,3 @@ uci set owsd.wan_https.ca="/etc/ubusx/ubusxDemoCA.crt"
 uci set owsd.wan_https.whitelist_interface_as_origin="1"
 uci del_list owsd.wan_https.origin="*"
 uci add_list owsd.wan_https.origin="*"
-uci commit owsd
-

packet-capture-diagnostics/Makefile

@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=packet-capture-diagnostics
-PKG_VERSION:=1.0.2
+PKG_VERSION:=1.0.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
@@ -46,7 +46,7 @@ endif
 
 define Package/packet-capture-diagnostics/install
 	$(BBFDM_INSTALL_SCRIPT) ./files/scripts/packetcapture $(1)
-	$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/src/libpackcapture.so $(1)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libpackcapture.so $(1) core 12
 endef
 
 $(eval $(call BuildPackage,packet-capture-diagnostics))

parental-control/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=parental-control
-PKG_VERSION:=1.0.4
+PKG_VERSION:=1.1.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/parental-control.git
-PKG_SOURCE_VERSION:=eea7793e26b52f45f4e47e849894ac3f8cdc3747
+PKG_SOURCE_VERSION:=a746707e4231bd190000a752785974ccaf9dd6da
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -59,8 +59,10 @@ endef
 endif
 
 define Package/parental-control/install
+	$(INSTALL_DIR) $(1)/etc/parentalcontrol
 	$(INSTALL_DIR) $(1)/lib/parentalcontrol
 	$(INSTALL_DATA) ./files/lib/parentalcontrol/parentalcontrol.sh $(1)/lib/parentalcontrol/
+	$(INSTALL_BIN) ./files/lib/parentalcontrol/sync_bundles.sh $(1)/lib/parentalcontrol/
 
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_DATA) ./files/etc/firewall.parentalcontrol $(1)/etc/
@@ -78,11 +80,13 @@ define Package/parental-control/install
 	$(INSTALL_DATA) ./files/etc/uci-defaults/95-firewall_parentalcontrol.ucidefaults $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/etc/uci-defaults/95-migrate_urlfilter.ucidefaults $(1)/etc/uci-defaults/
 
+	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/parentalcontrol $(1)/lib/upgrade/keep.d/parentalcontrol
+
 	$(BBFDM_REGISTER_SERVICES) -v ${VENDOR_PREFIX} ./bbfdm_service.json $(1) parentalcontrol
 
 ifeq ($(CONFIG_PARENTAL_CONTROL_INCLUDE_URLFILTER_BUNDLES),y)
-	$(INSTALL_DIR) $(1)/etc/parental-control
-	$(INSTALL_DATA) ./files/etc/parental-control/urlbundles.tar.xz $(1)/etc/parental-control/
+	$(INSTALL_DATA) ./files/etc/parentalcontrol/urlbundles.tar.xz $(1)/etc/parentalcontrol/
 endif
 endef
 

parental-control/files/etc/config/parentalcontrol

@@ -1,3 +1,93 @@
 config globals 'globals'
-	option enable '0'
-	option loglevel '3'
+    option enable '0'
+    option loglevel '3'
+
+config urlbundle 'urlbundle_1'
+    option enable '0'
+    option name 'Abuse'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt'
+
+config urlbundle 'urlbundle_2'
+    option enable '0'
+    option name 'Ads'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt'
+
+config urlbundle 'urlbundle_3'
+    option enable '0'
+    option name 'Crypto'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/crypto-nl.txt'
+
+config urlbundle 'urlbundle_4'
+    option enable '1'
+    option name 'Drugs'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt'
+
+config urlbundle 'urlbundle_5'
+    option enable '0'
+    option name 'Everything else'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt'
+
+config urlbundle 'urlbundle_6'
+    option enable '1'
+    option name 'Facebook/Instagram'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/facebook-nl.txt'
+
+config urlbundle 'urlbundle_7'
+    option enable '1'
+    option name 'Fraud'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt'
+
+config urlbundle 'urlbundle_8'
+    option enable '1'
+    option name 'Gambling'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt'
+
+config urlbundle 'urlbundle_9'
+    option enable '0'
+    option name 'Malware'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt'
+
+config urlbundle 'urlbundle_10'
+    option enable '1'
+    option name 'Phishing'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt'
+
+config urlbundle 'urlbundle_11'
+    option enable '1'
+    option name 'Piracy'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/piracy-nl.txt'
+
+config urlbundle 'urlbundle_12'
+    option enable '0'
+    option name 'Porn'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt'
+
+config urlbundle 'urlbundle_13'
+    option enable '1'
+    option name 'Ransomware'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt'
+
+config urlbundle 'urlbundle_14'
+    option enable '0'
+    option name 'Redirect'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt'
+
+config urlbundle 'urlbundle_15'
+    option enable '1'
+    option name 'Scam'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt'
+
+config urlbundle 'urlbundle_16'
+    option enable '0'
+    option name 'TikTok'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt'
+
+config urlbundle 'urlbundle_17'
+    option enable '0'
+    option name 'Torrent'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/torrent-nl.txt'
+
+config urlbundle 'urlbundle_18'
+    option enable '0'
+    option name 'Tracking'
+    option download_url 'https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt'

parental-control/files/etc/init.d/parentalcontrol

@@ -11,7 +11,8 @@ PROG=/usr/sbin/urlfilter
 validate_global_section() {
 	uci_validate_section parentalcontrol globals globals \
 	    'enable:bool:1' \
-	    'loglevel:uinteger:3'
+	    'loglevel:uinteger:3' \
+	    'bundle_path:string'
 }
 
 remove_fw_rules() {
@@ -47,19 +48,48 @@ configure_fw_rules() {
 	add_internet_schedule_rules
 }
 
+copy_dhcp_leases() {
+	src="/tmp/dhcp.leases"
+	dest="/etc/parentalcontrol/dhcp.leases"
+	dest_dir="/etc/parentalcontrol/"
+
+	# Ensure the destination directory exists
+	mkdir -p "$dest_dir" || { logger -p err "Failed to create directory $dest_dir."; return 1; }
+
+	# Check if the source file exists and is not empty
+	if [ -s "$src" ]; then
+		# Compare the content of the source and destination
+		if ! cmp -s "$src" "$dest"; then
+			# Use atomic copy to prevent partial writes
+			tmp_dest="${dest}.tmp"
+			cp "$src" "$tmp_dest" && mv "$tmp_dest" "$dest"
+		fi
+	fi
+}
+
 start_service() {
-	local enable loglevel
+	local enable loglevel bundle_path
 
 	config_load parentalcontrol
 	validate_global_section
 
+	[ -n "${bundle_path}" ] && mkdir -p ${bundle_path}
+
 	# add default bundles
 	process_default_bundles
 	# add firewall rules
 	configure_fw_rules
 
-	procd_open_instance parentalcontrol_dm
-	procd_set_param command ${PROG}
+	# if the router is, for example, upgraded and then it boots up
+	# then /tmp/dhcp.leases will be empty until clients try to get a lease,
+	# in that case, hostnames will not be processed by the daemon,
+	# for this we copy /tmp/dhcp.leases to /etc/parentalcontrol/dhcp.leases
+	# which will be persistent acrros reboots and upgrade where settings are kept
+	# and will be used as a backup in case /tmp/dhcp.leases is empty
+	copy_dhcp_leases
+
+	procd_open_instance "parentalcontrol_dm"
+	procd_set_param command nice -n 10 "${PROG}"  # Lower priority
 	procd_append_param command -l ${loglevel}
 	procd_set_param respawn
 	procd_close_instance
@@ -69,6 +99,7 @@ stop_service() {
 	# remove default bundles
 	remove_default_bundles
 	remove_fw_rules
+	copy_dhcp_leases
 }
 
 reload_service() {
@@ -78,6 +109,7 @@ reload_service() {
 		start
 	else
 		configure_fw_rules
+		copy_dhcp_leases
 		ubus send parentalcontrol.reload
 	fi
 }

parental-control/files/etc/uci-defaults/95-migrate_urlfilter.ucidefaults

@@ -125,8 +125,4 @@ config_load "urlfilter"
 config_foreach handle_profile profile
 config_foreach handle_filter filter
 
-# Commit changes
-uci commit parentalcontrol
-uci commit schedules
-
 rm -f "$urlfilter_config"

parental-control/files/lib/parentalcontrol/parentalcontrol.sh

@@ -13,8 +13,8 @@ IP_RULE=""
 ACL_FILE=""
 parentalcontrol_ipv4_forward=""
 parentalcontrol_ipv6_forward=""
-default_bundle_dir="/tmp/urlfilter/default/"
-bundle_archive="/etc/parental-control/urlbundles.tar.xz"
+default_bundle_dir="/tmp/parentalcontrol/default/"
+bundle_archive="/etc/parentalcontrol/urlbundles.tar.xz"
 
 log() {
 	echo "$*" |logger -t urlfilter.init -p debug
@@ -412,14 +412,14 @@ add_internet_schedule_rules() {
 	echo "iptables -w -F parentalcontrol_forward" >> $ACL_FILE
 	echo "ip6tables -w -F parentalcontrol_forward" >> $ACL_FILE
 
-	parentalcontrol_ipv4_forward=$(iptables -t filter --list -n | grep parentalcontrol_forward)
+	parentalcontrol_ipv4_forward=$(iptables -w -t filter --list -n | grep parentalcontrol_forward)
 	if [ -z "$parentalcontrol_ipv4_forward" ]; then
 		echo "iptables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE
 		ret=$?
 		[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j parentalcontrol_forward" >> $ACL_FILE
 	fi
 
-	parentalcontrol_ipv6_forward=$(ip6tables -t filter --list -n | grep parentalcontrol_forward)
+	parentalcontrol_ipv6_forward=$(ip6tables -w -t filter --list -n | grep parentalcontrol_forward)
 	if [ -z "$parentalcontrol_ipv6_forward" ]; then
 		echo "ip6tables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE
 		ret=$?
@@ -442,8 +442,8 @@ add_iptables_nfqueue_rules() {
 		iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 		iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 
-		iptables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		# disable acceleration for https packet so that they can be read by urlfilter
 		ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
@@ -457,8 +457,8 @@ add_iptables_nfqueue_rules() {
 		ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 		ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 
-		ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		# disable acceleration for https packet so that they can be read by urlfilter
 		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
@@ -473,8 +473,8 @@ remove_iptables_nfqueue_rules() {
 		iptables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 		iptables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 
-		iptables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
 		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
@@ -486,8 +486,8 @@ remove_iptables_nfqueue_rules() {
 		ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 		ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 
-		ip6tables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
 		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null

parental-control/files/lib/parentalcontrol/sync_bundles.sh

@@ -0,0 +1,279 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+LOCKFILE="/tmp/sync_bundles.lock"
+
+# this script handles syncing bundles
+# if its a remote file, then it would be downloaded and placed in bundle_dir
+bundle_path="$(uci -q get parentalcontrol.globals.bundle_path)"
+if [ -z "${bundle_path}" ]; then
+	bundle_path="/tmp/parentalcontrol"
+fi
+
+stringstore_dir="${bundle_path}/stringstore"
+bundle_dir="${bundle_path}/urlbundles"
+bundle_sizes="${bundle_path}/bundle_sizes"
+
+# Ensure required directories and files exist
+initialize_environment() {
+	mkdir -p "$bundle_dir"
+	mkdir -p "$stringstore_dir"
+	[ ! -f "$bundle_sizes" ] && touch "$bundle_sizes"
+}
+
+# Function to sanitize URLs to avoid code injection and ensure safety
+sanitize_url() {
+	local raw_url="$1"
+	echo "$raw_url" | sed 's/[^a-zA-Z0-9_.:/?-]//g'
+}
+
+update_bundle_file_from_url() {
+	local download_url="$1"
+	local bundle_file_name="$2"
+	local bundle_file_size="$3"
+	local bundle_name="$4"
+	local file_name="$5"
+	local available_memory
+
+	available_memory=$(df "$bundle_dir" | tail -n 1 | awk '{print $(NF-2)}') # Available memory in 1K blocks
+	local needed_blocks=$((bundle_file_size / 1024)) # Convert bundle_file_size to 1K blocks
+	local max_size=$((10 * 1024 * 1024)) # 10MB in bytes
+
+	if [ "$available_memory" -le "$needed_blocks" ]; then
+		logger -p info "Error: Not enough disk space for bundle: ${bundle_name}"
+		return 1
+	fi
+
+	if [ "$bundle_file_size" -gt "$max_size" ]; then
+		logger -p info "update_bundle_file_from_url: Error: File size for ${bundle_name} exceeds 10MB"
+		return 1
+	fi
+
+	# Determine file path
+	local file_path
+	if echo "$download_url" | grep -q "^file://"; then
+		file_path=${download_url#file://}
+	else
+		# Random delay (0-5s) before starting the download
+		local delay=$((RANDOM % 6))
+		logger -p info "update_bundle_file_from_url: Waiting ${delay}s before downloading..."
+		sleep "$delay"
+
+		# Retry logic with exponential backoff
+		local temp_file="${bundle_dir}/tmp_${file_name}"
+		local attempt=1
+		local success=0
+		while [ $attempt -le 3 ]; do
+			curl -s -o "$temp_file" "$download_url"
+			if [ $? -eq 0 ]; then
+				success=1
+				break
+			else
+				logger -p info "update_bundle_file_from_url: Download failed. Retrying $attempt ..."
+				local backoff=$(( (2 ** attempt) + (RANDOM % 3) )) # Exponential backoff + 0-2s jitter
+				sleep "$backoff"
+			fi
+			attempt=$(( attempt+1 ))
+		done
+
+		if [ $success -ne 1 ]; then
+			logger -p info "update_bundle_file_from_url: Failed to download bundle: ${bundle_name}"
+			rm -f "$temp_file"
+			return 1
+		fi
+		file_path="$temp_file"
+	fi
+
+	# Handle compressed files
+	local final_path="${bundle_dir}/${bundle_file_name}"
+	if [[ "$file_path" =~ \.xz$ ]]; then
+		if ! xz -dc "$file_path" > "$final_path"; then
+			logger -p info "update_bundle_file_from_url: Decompression failed."
+			rm -f "$final_path"
+			rm -f "$file_path"
+			return 1
+		fi
+
+		rm -f "$file_path"
+	elif [[ "$file_path" =~ \.gz$ ]]; then
+		if ! gzip -dc "$file_path" > "$final_path"; then
+			logger -p info "update_bundle_file_from_url: Decompression failed."
+			rm -f "$final_path"
+			rm -f "$file_path"
+			return 1
+		fi
+
+		rm -f "$file_path"
+	else
+		mv "$file_path" "$final_path"
+	fi
+
+	# file would have lines of the format: 0.0.0.0 www.facebook.com
+	# so we keep only the url part and remove duplicates
+	local processed_final_path="${final_path}_urls"
+	awk '{print $NF}' "$final_path" | sort -u > "$processed_final_path"
+
+	# delete unprocessed file
+	rm -rf "$final_path"
+
+	# Update the bundle size and send ubus event
+	echo "$bundle_file_name $bundle_file_size" >> "$bundle_sizes"
+	ubus send "parentalcontrol.bundle.update" "{\"bundle_file_path\":\"${processed_final_path}\",\"bundle_name\":\"${bundle_name}\"}"
+
+	return 0
+}
+
+handle_download_url() {
+	local raw_download_url="$1"
+	local bundle_name="$2"
+
+	local sanitized_url
+	sanitized_url=$(sanitize_url "$raw_download_url")
+
+	local file_name="${sanitized_url##*/}" # Get everything after the last '/'
+
+	local bundle_file_name="${file_name}.urlbundle"
+	local unprocessed_file=0
+	local file_path="${sanitized_url#file://}"
+
+	if echo "$sanitized_url" | grep -qE "^https?://|^file://"; then
+		local previous_bundle_size
+		previous_bundle_size=$(grep "^${bundle_file_name} " "$bundle_sizes" | awk '{print $2}')
+
+		# If the URL is HTTP, fetch the file size
+		local bundle_file_size
+		if echo "$sanitized_url" | grep -qE "^https?://"; then
+			bundle_file_size="$(curl -I "$sanitized_url" 2>&1 | grep -i 'content-length' | cut -d: -f2 | xargs)"
+			[ -z "$bundle_file_size" ] && bundle_file_size=0
+		else
+			# If it's a file:// URL, get the file size from the filesystem
+			bundle_file_size=$(ls -l "$file_path" 2>/dev/null | awk '{print $5}')
+			[ -z "$bundle_file_size" ] && bundle_file_size=0
+		fi
+
+		if [ -n "$previous_bundle_size" ] && [ "$bundle_file_size" -eq "$previous_bundle_size" ]; then
+			return
+		fi
+
+		if echo "$sanitized_url" | grep -q "^file://" && ! echo "$sanitized_url" | grep -Eq "\.(xz|gz)$"; then
+			# the file is not processed and hence not moved if it is a local uncompressed file
+			sed -i "/^${bundle_file_name} /d" "$bundle_sizes"
+			echo "$bundle_file_name $bundle_file_size" >> "$bundle_sizes"
+			ubus send "parentalcontrol.bundle.update" "{\"bundle_file_path\":\"${file_path}\",\"bundle_name\":\"${bundle_name}\"}"
+			return
+		fi
+
+		# Remove existing entries
+		if [ -n "$previous_bundle_size" ]; then
+			sed -i "/^${bundle_file_name} /d" "$bundle_sizes"
+			rm -f "${bundle_dir}/${bundle_file_name}"
+		fi
+
+		update_bundle_file_from_url "$sanitized_url" "$bundle_file_name" "$bundle_file_size" "$bundle_name" "$file_name"
+		return $?
+	else
+		logger -p info "Error: Unsupported URL format for ${bundle_file_name}"
+		return 1
+	fi
+
+	return 0
+}
+
+cleanup_bundle_files() {
+	local dir="$1"
+	[ -d "$dir" ] || return 1
+
+	# Collect all download_url entries using config_foreach
+	local urls=""
+	get_download_url() {
+		local section="$1"
+		config_get url "$section" download_url
+		config_get_bool enable "$1" enable 0
+
+		if [ "${enable}" -eq 0 ]; then
+			# bundle is disabled
+			return 0
+		fi
+		url="${url#file://}"
+		url="${url#https://}"
+		url="${url#http://}"
+
+		url="${url##*/}" # Get everything after the last '/'
+		urls="$urls $url"
+	}
+
+	config_load parentalcontrol
+	config_foreach get_download_url urlbundle
+
+	# Loop through all files in the directory
+	for file in "$dir"/*; do
+		[ -f "$file" ] || continue  # Skip non-files
+
+		# Remove the suffix after the last dot
+		base_name="$(basename "$file")"
+		name="${base_name%.*}"  # Removes the last dot and suffix
+
+		# Check if the name is present in the collected urls
+		if ! echo "$urls" | grep -q "$name"; then
+			rm -f "$file"
+			sed -i "/^${name} /d" "$bundle_sizes"
+		fi
+	done
+}
+
+# Main handler for all profile URL bundles
+handle_filter_for_bundles() {
+	ubus -t 20 wait_for bbfdm.parentalcontrol
+
+	if [ "$?" -ne 0 ]; then
+		logger -p error "bbfdm.parentalcontrol object not found"
+		return
+	fi
+
+	initialize_environment
+
+	cleanup_bundle_files "$bundle_dir"
+	cleanup_bundle_files "$stringstore_dir"
+
+	config_load parentalcontrol
+
+	config_get_bool enable globals enable 0
+	if [ "${enable}" -eq 0 ]; then
+		# Parental control is disabled
+		return 0
+	fi
+
+	local profile enable bundles bundle_name download_url
+
+	check_bundle_exists() {
+		local cfg="$1"
+		config_get name "$cfg" name
+		config_get_bool enable "$cfg" enable 0
+		config_get download_url "$cfg" download_url
+
+		if [ "${enable}" -eq 0 ]; then
+			# bundle is disabled
+			return 0
+		fi
+
+		handle_download_url "$download_url" "$name"
+		local exit_status=$?
+		if [ "$exit_status" -eq 1 ]; then
+			uci -q set "parentalcontrol.${cfg}.status"="Error"
+		else
+			uci -q set "parentalcontrol.${cfg}.status"=""
+		fi
+
+		uci commit parentalcontrol
+	}
+
+	config_foreach check_bundle_exists urlbundle
+}
+
+# Open file descriptor 200 for locking
+exec 200>"$LOCKFILE"
+# Try to acquire an exclusive lock; exit if another instance is running
+flock -n 200 || { logger -p info "sync_bundles.sh is already running, exiting."; exit 1; }
+
+handle_filter_for_bundles

parental-control/files/lib/upgrade/keep.d/parentalcontrol

@@ -0,0 +1 @@
+/etc/parentalcontrol/dhcp.leases