netmode doc

This reverts commit 61bda623ca

bbfdm/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.18.12
+PKG_VERSION:=1.18.16
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=adfdb54d625b952c533670f093dae008782ff56a
+PKG_SOURCE_VERSION:=72c3307651cb583121fa5b4abcaad957ddc264bd
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -107,7 +107,7 @@ endif
 
 CMAKE_OPTIONS += \
 	-DBBF_VENDOR_PREFIX:String="$(CONFIG_BBF_VENDOR_PREFIX)" \
-	-DBBFDMD_MAX_MSG_LEN:Integer=10485760 \
+	-DBBFDMD_MAX_MSG_LEN:Integer=20971520 \
 	-DCMAKE_BUILD_TYPE:String="Debug" \
 
 

bbfdm/files/etc/bbfdm/critical_services.json

@@ -10,10 +10,8 @@
 			"/etc/bbfdm/dmmap/PPP",
 			"/etc/bbfdm/dmmap/Routing",
 			"/etc/config/dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_client",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_relay",
-			"/etc/bbfdm/dmmap/dmmap_dhcpv6",
+			"/etc/bbfdm/dmmap/DHCPv4",
+			"/etc/bbfdm/dmmap/DHCPv6",
 			"/etc/config/time",
 			"/etc/bbfdm/dmmap/dmmap_time",
 			"/etc/config/mapcontroller",
@@ -36,10 +34,8 @@
 			"/etc/bbfdm/dmmap/PPP",
 			"/etc/bbfdm/dmmap/Routing",
 			"/etc/config/dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_client",
-			"/etc/bbfdm/dmmap/dmmap_dhcp_relay",
-			"/etc/bbfdm/dmmap/dmmap_dhcpv6",
+			"/etc/bbfdm/dmmap/DHCPv4",
+			"/etc/bbfdm/dmmap/DHCPv6",
 			"/etc/config/mapcontroller",
 			"/etc/config/wireless",
 			"/etc/bbfdm/dmmap/WiFi",

bridgemngr/Config.in

@@ -5,6 +5,12 @@ config BRIDGEMNGR_BRIDGE_VLAN
 	help
 	   Set this option to use bridge-vlan as backend for VLAN objects.
 
+config BRIDGEMNGR_COPY_PBITS
+	bool "Copy pbits from cvlan to svlan"
+	default y
+	help
+	   Set this option to copy cvlan pbits to svlan pbits by default (driver vlan).
+
 config BRIDGEMNGR_BRIDGE_VENDOR_EXT
 	bool "Use bridge BBF vendor extensions"
 	default y

bridgemngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bridgemngr
-PKG_VERSION:=1.1.4
+PKG_VERSION:=1.1.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr.git
-PKG_SOURCE_VERSION:=e5e0d9adfc919c25d88a867d42a9c500cb09f834
+PKG_SOURCE_VERSION:=882f8c8cc9a97372297d192cc916c4f8ffe7c25a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -51,6 +51,10 @@ ifeq ($(CONFIG_BRIDGEMNGR_BRIDGE_VLAN),y)
 	TARGET_CFLAGS += -DBRIDGE_VLAN_BACKEND
 endif
 
+ifeq ($(CONFIG_BRIDGEMNGR_COPY_PBITS),y)
+	TARGET_CFLAGS+=-DBRIDGEMNGR_COPY_PBITS
+endif
+
 define Package/bridgemngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/config

decollector/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=decollector
-PKG_VERSION:=6.2.2.7
+PKG_VERSION:=6.2.3.8
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=9d1399c09f55da14a8de55828ba57c0e296ce62f
+PKG_SOURCE_VERSION:=8396091a83aefaf8423dfd41a957b04f3ed821e7
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

dectmngr/Makefile

@@ -2,13 +2,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dectmngr
 PKG_RELEASE:=3
-PKG_VERSION:=3.7.11
+PKG_VERSION:=3.7.13
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/dectmngr.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=815ee44808169b8e1efa2cac44bd7d238ad33cdc
+PKG_SOURCE_VERSION:=5c2720563b3ed889e9d4de6fdb9b0f6a9d584094
 PKG_MIRROR_HASH:=skip
 endif
 

dhcpmngr/Config.in

@@ -0,0 +1,12 @@
+if PACKAGE_dhcpmngr
+
+config DHCPMNGR_ENABLE_VENDOR_EXT
+	bool "Use datamodel vendor extensions"
+	default y
+	help
+	   Set this option to use bridge BBF vendor extensions.
+
+config DHCPMNGR_VENDOR_PREFIX
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
+endif

dhcpmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dhcpmngr
-PKG_VERSION:=1.0.6
+PKG_VERSION:=1.1.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dhcpmngr.git
-PKG_SOURCE_VERSION:=986f66608959f4f589009d580b046e250d8c620d
+PKG_SOURCE_VERSION:=74d96cd70119e4ea08767d68b45b4922162d0328
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -39,6 +39,22 @@ define Package/dhcpmngr/description
   Package to add Device.DHCPv4. and Device.DHCPv6. data model support.
 endef
 
+define Package/$(PKG_NAME)/config
+        source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(CONFIG_DHCPMNGR_ENABLE_VENDOR_EXT),y)
+MAKE_FLAGS += DHCPMNGR_ENABLE_VENDOR_EXT=y
+endif
+
+ifeq ($(CONFIG_DHCPMNGR_VENDOR_PREFIX),"")
+VENDOR_PREFIX = $(CONFIG_BBF_VENDOR_PREFIX)
+else
+VENDOR_PREFIX = $(CONFIG_DHCPMNGR_VENDOR_PREFIX)
+endif
+
+TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(VENDOR_PREFIX)\\\"
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
 	$(CP) -rf ~/git/dhcpmngr/* $(PKG_BUILD_DIR)/

dmcli-plugins/Makefile

@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2023 Genexis Netherlands B.V. All rights reserved.
+# This Software and its content are protected by the Dutch Copyright Act
+# ('Auteurswet'). All and any copying and distribution of the software
+# and its content without authorization by Genexis Netherlands B.V. is
+# prohibited. The prohibition includes every form of reproduction and
+# distribution.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmcli-plugins
+PKG_LICENSE:=PROPRIETARY GENEXIS
+PKG_VERSION:=2.2.6
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/dmcli-plugin-easydm.git
+PKG_SOURCE_VERSION:=bc8b8527e8a41bdba73cb277a3c6c3b42b045153
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
+PKG_MIRROR_HASH:=skip
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dmcli-plugins
+  SECTION:=tools
+  CATEGORY:=Genexis
+  TITLE:=Easy-to-use data model on top of TR181
+  URL:=http://genexis.eu
+  DEPENDS:=+dmcli
+endef
+
+define Package/dmcli-plugins/description
+  EasyDM offers a user-friendly approach to configuring TR-181
+  simplifying the process with its intuitive interface.
+endef
+
+define Build/Compile
+	true
+endef
+
+define Package/dmcli-plugins/install
+	$(INSTALL_DIR) $(1)/usr/lib/dmcli/plugins
+	$(CP) $(PKG_BUILD_DIR)/src/*.js $(1)/usr/lib/dmcli/plugins/
+endef
+
+$(eval $(call BuildPackage,dmcli-plugins))

dmcli/Config.in

@@ -0,0 +1,9 @@
+if PACKAGE_dmcli
+
+config DMCLI_REMOTE_CONNECTION
+        bool "Add dmcli remote controller configuration"
+        default n
+        help
+                This adds a usp controller configuration for dmcli remote connection from different machine/laptop/server.
+
+endif

dmcli/Makefile

@@ -0,0 +1,76 @@
+#
+# Copyright (c) 2021 Genexis Netherlands B.V. All rights reserved.
+# This Software and its content are protected by the Dutch Copyright Act
+# ('Auteurswet'). All and any copying and distribution of the software
+# and its content without authorization by Genexis Netherlands B.V. is
+# prohibited. The prohibition includes every form of reproduction and
+# distribution.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmcli
+PKG_LICENSE:=PROPRIETARY GENEXIS
+PKG_VERSION:=1.9.6
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/dmcli.git
+PKG_SOURCE_VERSION:=f03188eff6c2cab59e4c8f18a435c940ff5043f5
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
+PKG_MIRROR_HASH:=skip
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dmcli
+  SECTION:=tools
+  CATEGORY:=Genexis
+  TITLE:=DMCLI (datamodel-based CLI)
+  URL:=http://genexis.eu
+  DEPENDS:=+usp-js +DMCLI_REMOTE_CONNECTION:mosquitto-auth-plugin +shadow-utils +@BUSYBOX_CONFIG_ADDUSER
+endef
+
+define Package/dmcli/description
+  CLI to view and configure datamodels of CPE
+endef
+
+define Package/dmcli/conffiles
+/etc/dmcli/dmcli.conf
+endef
+
+define Package/dmcli/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/dmcli/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dmcli $(1)/usr/bin/
+
+	$(INSTALL_DIR) $(1)/usr/lib/dmcli
+	$(CP) $(PKG_BUILD_DIR)/common $(1)/usr/lib/dmcli/
+	mv $(1)/usr/lib/dmcli/common/os_qjs.js $(1)/usr/lib/dmcli/common/os.js
+	rm $(1)/usr/lib/dmcli/common/os_node.js
+	$(CP) $(PKG_BUILD_DIR)/core $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/cli $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/data $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/plugins $(1)/usr/lib/dmcli/
+
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_DMCLI_REMOTE_CONNECTION),y)
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli-remote $(1)/etc/uci-defaults/
+else
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli-remote-remove $(1)/etc/uci-defaults/
+endif
+
+	$(INSTALL_DIR) $(1)/etc/dmcli
+	$(CP) ./files/etc/dmcli/dmcli.acl $(1)/etc/dmcli/
+	$(CP) ./files/etc/dmcli/dmcli.conf $(1)/etc/dmcli/
+
+	$(INSTALL_DIR) $(1)/etc/users/roles/
+	$(INSTALL_DATA) ./files/etc/users/roles/operator.json $(1)/etc/users/roles/
+endef
+
+$(eval $(call BuildPackage,dmcli))

dmcli/files/etc/dmcli/dmcli.acl

@@ -0,0 +1,4 @@
+user operator
+topic read /usp/operator/controller/reply-to
+topic read /usp/operator/controller
+topic write /usp/operator/endpoint

dmcli/files/etc/dmcli/dmcli.conf

@@ -0,0 +1,45 @@
+{
+   "Settings": {
+      "USP": {
+         "ActiveConnectionProfile": "local",
+         "ConnectionProfile": [
+            {
+               "Name": "local",
+               "Host": "127.0.0.1",
+               "Port": 9002,
+               "Username": "operator",
+               "Protocol": "ws",
+               "FromId": "oui:000F94:device-controller-operator",
+               "PublishEndpoint": "/usp/operator/endpoint",
+               "SubscribeEndpoint": "/usp/operator/controller"
+            }
+         ],
+         "Session": {
+            "AutoStart": false
+         },
+         "Notification": {
+            "LogTo": "console",
+            "Format": "brief",
+            "LogFile": "usp-notification.log"
+         }
+      },
+      "CLI": {
+         "Home": "/",
+         "Color": "true",
+         "Mode": "Command",
+         "ShowCommandTime": false,
+         "SortDMTree": false
+      },
+      "Prompt": {
+         "Auto": true,
+         "Color": "default",
+         "SelectedBackgroundColor": "yellow",
+         "PageSize": "3",
+         "AutoPromptOnEmptyCommand": false,
+         "AutoPromptInstanceNumbers": false
+      },
+      "Log": {
+         "Level": "Error"
+      }
+   }
+}

dmcli/files/etc/uci-defaults/36-dmcli

@@ -0,0 +1,120 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /lib/functions/iopsys-environment.sh
+. /usr/share/libubox/jshn.sh
+
+DMCLI_CONF="/etc/dmcli/dmcli.conf"
+CONTROLLER_ID='oui:000F94:device-controller-operator'
+DMCLI_RESP_TOPIC="/usp/operator/endpoint"
+DMCLI_CTRL_TOPIC="/usp/operator/controller"
+DMCLI_PORT="9002"
+
+grep -q "^operator:" /etc/passwd || {
+	adduser -g 'Operator' -D -H -s /usr/bin/dmcli --home '/usr/lib/dmcli' 'operator'
+	hash=""
+	if type get_operator_password_hash > /dev/null 2>&1; then
+		hash=$(get_operator_password_hash)
+	fi
+	if [ -z "$hash" ]; then
+		hash='$6$zP4Wk/VQJOLwwofC$teuhnYFQBcA8YUZo/Q0quDMi4SsOHmfBcyvt5VNchPnzgwF1nfNNliC3yBVW22NwmwttPEWeBEBfnMTBB0rYs/'
+	fi
+	echo "operator:${hash}" | chpasswd -e
+}
+
+grep -q "^/usr/bin/dmcli$" /etc/shells || {
+	echo '/usr/bin/dmcli' >> /etc/shells
+}
+
+uci -q del_list sshd.@sshd[0].AllowUsers='operator'
+uci -q add_list sshd.@sshd[0].AllowUsers='operator'
+
+uci -q delete users.operator
+uci -q set users.operator=user
+uci -q set users.operator.enabled=1
+uci -q set users.operator.shell='dmcli'
+uci -q set users.operator.member_roles='operator'
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_add mosquitto listener dmcli_local
+	uci_set mosquitto dmcli_local enabled 1
+	uci_set mosquitto dmcli_local port "${DMCLI_PORT}"
+	uci_set mosquitto dmcli_local protocol 'websockets'
+	uci_set mosquitto dmcli_local acl_file '/etc/dmcli/dmcli.acl'
+	uci_set mosquitto dmcli_local no_remote_access '1'
+	uci_set mosquitto dmcli_local allow_anonymous '1'
+fi
+
+if [ -f "/etc/config/obuspa" ]; then
+	uci_add obuspa mqtt mqtt_operator
+	uci_set obuspa mqtt_operator BrokerAddress '127.0.0.1'
+	uci_set obuspa mqtt_operator BrokerPort '1883'
+	uci_set obuspa mqtt_operator TransportProtocol 'TCP/IP'
+
+	uci_add obuspa mtp mtp_operator
+	uci_set obuspa mtp_operator Protocol 'MQTT'
+	uci_set obuspa mtp_operator ResponseTopicConfigured "${DMCLI_RESP_TOPIC}"
+	uci_set obuspa mtp_operator mqtt 'mqtt_operator'
+
+	uci_add obuspa controller controller_operator
+	uci_set obuspa controller_operator EndpointID "${CONTROLLER_ID}"
+	uci_set obuspa controller_operator Protocol 'MQTT'
+	uci_set obuspa controller_operator Topic "${DMCLI_CTRL_TOPIC}"
+	uci_set obuspa controller_operator mqtt 'mqtt_operator'
+	uci_set obuspa controller_operator assigned_role_name 'operator'
+fi
+
+_get_endpoint_id() {
+	local id serial oui
+
+	id="$(uci -q get obuspa.localagent.EndpointID)"
+	if [ -n "${id}" ]; then
+		echo "${id}"
+		return 0
+	fi
+
+	serial="$(db -q get device.deviceinfo.SerialNumber)"
+	oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
+
+	echo "os::${oui}-${serial//+/%2B}"
+}
+
+update_dmcli_conf() {
+	local endpointid confTmpFile
+	local port fromid publish subscribe toid
+
+	if [ -f "${DMCLI_CONF}" ]; then
+		endpointid="$(_get_endpoint_id)"
+		json_load_file "${DMCLI_CONF}" || return
+		json_select "Settings" || return
+			json_select "USP" || return
+				json_select "ConnectionProfile" || return
+					json_select "1" || return
+						json_get_var port "Port"
+						json_get_var fromid "FromId"
+						json_get_var publish "PublishEndpoint"
+						json_get_var subscribe "SubscribeEndpoint"
+						json_get_var toid "ToId"
+
+						json_add_int "Port" "${DMCLI_PORT}"
+						json_add_string "FromId" "${CONTROLLER_ID}"
+						json_add_string "PublishEndpoint" "${DMCLI_RESP_TOPIC}"
+						json_add_string "SubscribeEndpoint" "${DMCLI_CTRL_TOPIC}"
+						json_add_string "ToId" "${endpointid}"
+					json_select ..
+				json_select ..
+			json_select ..
+		json_select ..
+
+		if [ "${port}" != "${DMCLI_PORT}" ] || [ "${fromid}" != "${CONTROLLER_ID}" ] || \
+			[ "${publish}" != "${DMCLI_RESP_TOPIC}" ] || [ "${subscribe}" != "${DMCLI_CTRL_TOPIC}" ] || \
+			[ "${toid}" != "${endpointid}" ]; then
+			confTmpFile="$(mktemp -u -p "$(dirname "$DMCLI_CONF")" "$(basename "$DMCLI_CONF").XXXXXXX")"
+			json_pretty
+			json_dump > "${confTmpFile}" || return
+			mv -f "${confTmpFile}" "${DMCLI_CONF}" || return
+		fi
+	fi
+}
+
+update_dmcli_conf || exit

dmcli/files/etc/uci-defaults/36-dmcli-remote

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_add mosquitto listener dmcli
+	uci_set mosquitto dmcli enabled 1
+	uci_set mosquitto dmcli port '9003'
+	uci_set mosquitto dmcli protocol 'websockets'
+	uci_set mosquitto dmcli auth_plugin '/usr/lib/mosquitto_auth_plugin.so'
+	uci_set mosquitto dmcli acl_file '/etc/dmcli/dmcli.acl'
+fi
+
+exit 0

dmcli/files/etc/uci-defaults/36-dmcli-remote-remove

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_remove mosquitto dmcli
+fi
+
+exit 0

dmcli/files/etc/users/roles/operator.json

@@ -0,0 +1,14 @@
+{
+  "tr181": {
+    "name": "operator",
+    "instance": 6,
+    "permission": [
+      {
+        "object": "Device.",
+        "perm": [
+          "PERMIT_ALL"
+        ]
+      }
+    ]
+  }
+}

dmcli/src/Makefile

@@ -0,0 +1,7 @@
+all: dmcli
+
+dmcli: main.c
+	$(CC) $(CFLAGS) -Wall -Werror -o $@ $^
+
+clean:
+	rm -f dmcli

dmcli/src/main.c

@@ -0,0 +1,32 @@
+/*
+* Copyright (c) 2021 Genexis Netherlands B.V. All rights reserved.
+* This Software and its content are protected by the Dutch Copyright Act
+* ('Auteurswet'). All and any copying and distribution of the software
+* and its content without authorization by Genexis Netherlands B.V. is
+* prohibited. The prohibition includes every form of reproduction and
+* distribution.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+/* C Wrapper for operator to login to the CLI via ssh: the shell in
+ * the passwd file cannot be a script that requires an interpreter. */
+int main(int argc, char *argv[])
+{
+	char *cmd[3 + (argc > 1 ? argc - 1 : 0)];
+
+	cmd[0] = "/usr/bin/qjs";
+	cmd[1] = "/usr/lib/dmcli/cli/main.js";
+	cmd[2] = NULL;
+
+	if (argc > 1) {
+		memcpy(&cmd[2], &argv[1], (argc - 1) * sizeof(char *));
+		cmd[2 + argc - 1] = NULL;
+	}
+
+	execv(cmd[0], cmd);
+	fprintf(stderr, "%s: command not found\n", cmd[0]);
+	return 127;
+}

dnsmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmngr
-PKG_VERSION:=1.0.18
+PKG_VERSION:=1.0.20
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dnsmngr.git
-PKG_SOURCE_VERSION:=80fa147e6f1f0d9c1a62a62a693ff3adaef45363
+PKG_SOURCE_VERSION:=83e485fae8905f9061257264cf43ea41e47743a6
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

ethmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethmngr
-PKG_VERSION:=3.1.3
+PKG_VERSION:=3.1.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/ethmngr.git
-PKG_SOURCE_VERSION:=7bc8297e1a74adb522f7635bab4f93a1a2620216
+PKG_SOURCE_VERSION:=0283fb5cb74a7baca46c4360da680757c57c86ac
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif

firewallmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.10
+PKG_VERSION:=1.0.12
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
-PKG_SOURCE_VERSION:=05ad0d6f7f21520eecd05429c14d1963de2a8463
+PKG_SOURCE_VERSION:=30319c67fb4db285a2bcd272b1c10bc040eecf19
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

gateway-info/files/etc/uci-defaults/86-set-gateway-device-info

@@ -110,7 +110,7 @@ configure_send_op125() {
 
 
 	if [ "${uci}" = "network" ]; then
-		new_send_opt="$sendopt $opt125"
+		[ -n "${sendopt}" ] && new_send_opt="$sendopt $opt125" || new_send_opt="$opt125"
 		uci -q set network."${intf}".sendopts="$new_send_opt"
 	else
 		new_send_opt="$sendopt$opt125"
@@ -228,7 +228,7 @@ enable_dhcp_option125() {
 
 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${wan}".reqopts="$newreqopts"
 		fi
 

hostmngr/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostmngr
-PKG_VERSION:=1.4.0
+PKG_VERSION:=1.4.3
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=230d55ae6769e1ebde02cef3f718e6c4cf1b1962
+PKG_SOURCE_VERSION:=667866b8149d3df83a05536319eac02aee0b6d75
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/hostmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

icwmp/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.10.5
+PKG_VERSION:=9.10.10
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=7f4a159f6ff49584655e57bb801218eb083fba67
+PKG_SOURCE_VERSION:=63251b6c9789b1428604af0a5c1d23d32d14a8b8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -84,6 +84,7 @@ define Package/icwmp/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/icwmpd $(1)/usr/sbin/icwmpd
 	$(INSTALL_DATA) ./files/etc/config/cwmp $(1)/etc/config/cwmp
 	$(INSTALL_BIN) ./files/etc/init.d/icwmpd $(1)/etc/init.d/icwmpd
+	$(INSTALL_BIN) ./files/etc/uci-defaults/50-cwmp-align-keep-config $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/90-cwmpfirewall $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/95-set-random-inform-time $(1)/etc/uci-defaults/

icwmp/files/etc/config/cwmp

@@ -42,7 +42,9 @@ config cpe 'cpe'
 	option periodic_notify_interval '10'
 	option incoming_rule 'Port_Only'
 	option active_notif_throttle '0'
-	option fw_upgrade_keep_settings '1'
+	#option KeepConfig '1'
+	#option KeepOpConf '1'
+	#option ConfigScope 'UserOnly'
 	option clock_sync_timeout '128'
 	option disable_datatype_check '0'
 	#list allowed_cr_ip '10.5.1.0/24'

icwmp/files/etc/init.d/icwmpd

@@ -97,7 +97,9 @@ validate_cpe_section()
 		'periodic_notify_enable:bool' \
 		'enable:bool:1' \
 		'periodic_notify_interval:uinteger' \
-		'fw_upgrade_keep_settings:bool'
+		'KeepConfig:bool' \
+		'KeepOpConf:bool' \
+		'ConfigScope:string'
 }
 
 validate_defaults() {
@@ -168,13 +170,21 @@ start_service() {
 
 stop_service()
 {
-	local switch_bank
+	local switch_bank KeepConfig KeepOpConf ConfigScope
 
 	copy_cwmp_varstate_files_to_etc
-	
 	switch_bank=$(uci -q -c /var/state/ get icwmp.cpe.switch_bank)
-	if [ -n "$switch_bank" ] && [ "$switch_bank" = "1" ]; then
-		[ -x /etc/sysmngr/fwbank ] && /etc/sysmngr/fwbank call copy_config
+	if [ "$switch_bank" = "1" ] && [ -x /etc/sysmngr/fwbank ]; then
+		KeepConfig="$(uci -q get cwmp.cpe.KeepConfig)"
+		KeepOpConf="$(uci -q get cwmp.cpe.KeepOpConf)"
+		ConfigScope="$(uci -q get cwmp.cpe.ConfigScope)"
+
+		json_init
+		[ -n "${KeepConfig}" ] && json_add_boolean "keep_config" "${KeepConfig}"
+		[ -n "${KeepOpConf}" ] && json_add_boolean "keep_opconf" "${KeepOpConf}"
+		[ -n "${ConfigScope}" ] && json_add_string "config_scope" "${ConfigScope}"
+
+		json_dump| /etc/sysmngr/fwbank call copy_config
 	fi
 }
 

icwmp/files/etc/uci-defaults/50-cwmp-align-keep-config

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+keep_settings="$(uci -q get cwmp.cpe.fw_upgrade_keep_settings)"
+if [ -n "${keep_settings}" ]; then
+	uci -q delete cwmp.cpe.fw_upgrade_keep_settings
+	uci -q set cwmp.cpe.KeepConfig="${keep_settings}"
+fi

ieee1905/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ieee1905
-PKG_VERSION:=8.7.39
+PKG_VERSION:=8.7.44
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=85fa0fe16d6a5a3452422b72186f6bbb16a13c62
+PKG_SOURCE_VERSION:=29ba8f04dc6bd7e77683352c0c71988f51fbadf8
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

iopsys-analytics/Makefile

@@ -4,7 +4,7 @@ PKG_NAME:=iopsys-analytics
 PKG_RELEASE:=$(COMMITCOUNT)
 PKG_LICENSE:=PROPRIETARY
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=25e32ac5a860aec6e53e3449565b71595073e014
+PKG_SOURCE_VERSION:=5ad41ca8eb5de887487feb7148b5dce44943218c
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/iopsys-analytics.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

libdpp/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libdpp
-PKG_VERSION:=2.1.1
+PKG_VERSION:=2.1.3
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=6024efd3db9dd490c07465ea9b0c15120063165c
+PKG_SOURCE_VERSION:=fdfe23e51ff77ca6d2661ad6208d097758524147
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/libdpp.git
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz

libeasy/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libeasy
-PKG_VERSION:=7.5.0
+PKG_VERSION:=7.5.1
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=18f93677bb4d33ebb6249324a5043294f0eae16c
+PKG_SOURCE_VERSION:=b981f7e1bd51f66041cd0c25d15af74ae1e3bc75
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libeasy.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

libqos/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libqos
-PKG_VERSION:=7.2.109
+PKG_VERSION:=7.2.111
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libqos.git
-PKG_SOURCE_VERSION:=4948d372c3d7e43a0ba9aee517dbb83b94bba3dc
+PKG_SOURCE_VERSION:=2e4c6a9c27e0f4f68dfe7a5c930afefd8dc7119a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
@@ -65,7 +65,7 @@ define Package/libqos
   SUBMENU:=IOPSYS HAL libs
   MENU:=1
   TITLE:= QoS library (libqos)
-  DEPENDS+=+libnl +libnl-route +libeasy +TARGET_brcmbca:bcm963xx-bsp
+  DEPENDS+=+libnl +libnl-route +libeasy +TARGET_brcmbca:bcm963xx-bsp +TARGET_airoha:libuci
 endef
 
 define Package/libqos/config

libvoice-airoha/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvoice-airoha
 PKG_RELEASE:=1
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.8
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE
 
@@ -17,7 +17,7 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=3a30086a68a3409f0396acb01380f91daabf7a2f
+PKG_SOURCE_VERSION:=9763c574ec69e2aa492db4f1296d4bcd53776fba
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha

@@ -25,6 +25,5 @@ db commit
 # configure the PCM for DECT/DCX81
 [ -f "/proc/device-tree/aliases/dcx81-uart" ] && {
     uci set dect.global.pcm_fsync='SHORT_LF'
-    uci set dect.global.pcm_slot_start='8'
     uci set dect.global.dect_channel_start='3'
 }

libwifi/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.22.6
+PKG_VERSION:=7.22.10
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=ddeb681a9f99202b1ded6c965591bb8c1f5cb05d
+PKG_SOURCE_VERSION:=4759a74db66dd0b4bfa6707683129a317ae42779
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libwifi.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

logmngr/Makefile

@@ -65,8 +65,10 @@ define Package/logmngr/install
 	$(INSTALL_DIR) $(1)/lib/logmngr
 ifeq ($(CONFIG_LOGMNGR_BACKEND_FLUENTBIT),y)
 	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp/
 	$(INSTALL_BIN) ./files/logread $(1)/sbin/
 	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
+	$(INSTALL_BIN) ./files/etc/hotplug.d/ntp/20-reload_fluent_bit $(1)/etc/hotplug.d/ntp/
 else ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/syslog-ng.sh $(1)/lib/logmngr/
 endif

logmngr/files/etc/hotplug.d/ntp/20-reload_fluent_bit

@@ -0,0 +1,14 @@
+#!/bin/sh
+# This hotplug script reloads fluent-bit, so that kmsg logs' timestamp gets in sync
+
+[ "$ACTION" = stratum ] || exit 0
+
+# only once
+if ! uci -q get time.global.first_use_date > /dev/null 2>&1; then
+	flb_pid="$(pidof fluent-bit)"
+
+	if [ -n "$flb_pid" ]; then
+		logger -t "logmngr.hotplug" -p info "reload fluent-bit due to ntp sync"
+		kill -SIGHUP "$flb_pid"
+	fi
+fi

logmngr/files/etc/init.d/logmngr

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 
-START=12
+START=09
 
 USE_PROCD=1
 

logmngr/files/lib/logmngr/fluent-bit.sh

@@ -63,7 +63,7 @@ create_service_section() {
 	append_conf "    flush        1"
 	append_conf "    daemon       off"
 	append_conf "    log_level    info"
-	append_conf "    coro_stack_size    24576"
+	append_conf "    coro_stack_size    1048576"
 	append_conf "    parsers_file /etc/fluent-bit/parsers.conf"
 	append_conf "    hot_reload        on"
 	append_conf ""

map-agent/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.4.3.6
+PKG_VERSION:=6.5.0.9
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=e37b8f1a4b988b907416161e3c8fe83cd39597c3
+PKG_SOURCE_VERSION:=f4d201acde3320b1019c1831315e58a8ecb0290c
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause

map-agent/files/etc/init.d/mapagent

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 
-START=98
+START=97
 STOP=20
 
 USE_PROCD=1

map-agent/files/lib/multiap/map_genconfig

@@ -70,7 +70,8 @@ generate_multiap_config() {
 
 		ifprefix_radio=""
 		if is_logan; then
-			uci set mapagent.agent.mld_prefix="bss"
+			uci set mapagent.agent.mld_ap_prefix="bss"
+			uci set mapagent.agent.mld_sta_prefix="sta"
 			ifname_sta=""
 			case "$band" in
 				2g)

map-controller/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.4.4.8
+PKG_VERSION:=6.4.4.16
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=a863fc3a9d248b0be7385524e0680155ff614467
+PKG_SOURCE_VERSION:=2f8d2afc604c090637acdb01e630e233cd9aceff
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>
 
 LOCAL_DEV=0

map-controller/files/etc/uci-defaults/99-mapcntlr-add-qos-rule-id

@@ -0,0 +1,66 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+cfg="mapcontroller"
+config_load "$cfg"
+
+used_ids=""
+
+collect_used_ids() {
+	local section="$1"
+	local id
+
+	id=$(uci -q get ${cfg}.${section}.id)
+	if [ -n "$id" ] && printf "%s" "$id" | grep -qE '^[0-9]+$'; then
+		used_ids="$used_ids $id"
+	fi
+}
+
+# Find first available ID from 0 to INT32_MAX
+find_first_available_id() {
+	local max_int=2147483647
+	local expected=0
+	local id
+
+	# Convert list to sorted unique list
+	sorted_ids=$(printf "%s\n" $used_ids | sort -n | uniq)
+
+	for id in $sorted_ids; do
+		if [ "$id" -eq "$expected" ]; then
+			expected=$((expected + 1))
+		elif [ "$id" -gt "$expected" ]; then
+			# Found a gap -> return the gap
+			echo "$expected"
+			return
+		fi
+	done
+
+	# If no gaps, next available is `expected`
+	if [ "$expected" -le "$max_int" ]; then
+		echo "$expected"
+	else
+		echo -1
+	fi
+}
+
+# Assign ID if missing
+add_qos_rule_id() {
+	local section="$1"
+	local id
+
+	id=$(uci -q get ${cfg}.${section}.id)
+	if [ -z "$id" ]; then
+		new_id=$(find_first_available_id)
+		[ "$new_id" -ge 0 ] || return # No available ID
+		uci -q set ${cfg}.${section}.id="$new_id"
+
+		used_ids="$used_ids $new_id"
+	fi
+}
+
+# Step 1: Collect all existing IDs
+config_foreach collect_used_ids qos_rule
+
+# Step 2: Assign IDs to rules missing them
+config_foreach add_qos_rule_id qos_rule

map-controller/files/etc/uci-defaults/99-mapcntlr-uci-rename-singletons

@@ -14,5 +14,3 @@ for sec in $sections; do
 
     uci rename $cfg.$s=$sec
 done
-
-uci commit $cfg

map-plugins/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-plugins
-PKG_VERSION:=1.2.5
+PKG_VERSION:=1.2.7
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=05c0aa02b60b27aa57bf80b8fb068b1ee8bfc8ac
+PKG_SOURCE_VERSION:=dd873ca4e2cb321302dae1955da24d1be271b2b1
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-plugins.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -71,5 +71,11 @@ define Build/Compile
 	$(foreach p,$(plugins),$(call Build/Compile/map-plugins-$(p), $(1)))
 endef
 
+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+        rsync -r --exclude=.* ~/git/map-plugins/ $(PKG_BUILD_DIR)/
+endef
+endif
+
 $(eval $(call BuildPackage,map-plugins))
 $(eval $(foreach p,$(ppkg),$(call BuildPackage,$(p))))

mosquitto-auth-plugin/Makefile

@@ -14,7 +14,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mosquitto-auth-plugin
-PKG_VERSION:=1.2.0
+PKG_VERSION:=1.2.1
 
 PKG_MAINTAINER:=Erik Karlsson <erik.karlsson@genexis.eu>
 PKG_LICENSE:=EPL-2.0

mosquitto-auth-plugin/src/mosquitto_auth_plugin.c

@@ -53,6 +53,7 @@ typedef struct {
 	user_acl_t users[MAX_USERS];
 	int user_count;
 	mosquitto_plugin_id_t *identifier;
+	char *config_file;
 } plugin_data_t;
 
 /* Parse CIDR notation for IPv4 or IPv6 (e.g., "192.168.1.0/24" or "2001:db8::/32") */
@@ -548,6 +549,30 @@ static int basic_auth_callback(int event, void *event_data, void *userdata)
 	return check_subnet_on_auth(pdata, ed);
 }
 
+static int reload_callback(int event, void *event_data, void *userdata)
+{
+	plugin_data_t *pdata = userdata;
+
+	if (pdata == NULL)
+		return MOSQ_ERR_SUCCESS;
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Reloading subnet ACL configuration from '%s'",
+		pdata->config_file ? pdata->config_file : "(none)");
+
+	/* Reload subnet ACL configuration */
+	if (load_subnet_acl_config(pdata, pdata->config_file) != 0) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to reload subnet ACL configuration, keeping old config");
+		return MOSQ_ERR_UNKNOWN;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Reload complete, now tracking %d user(s)", pdata->user_count);
+
+	return MOSQ_ERR_SUCCESS;
+}
+
 int mosquitto_plugin_version(int supported_version_count,
 			     const int *supported_versions)
 {
@@ -576,8 +601,20 @@ int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
 
 	pdata->identifier = identifier;
 
+	/* Store config file path for reload */
+	if (config_file != NULL) {
+		pdata->config_file = strdup(config_file);
+		if (pdata->config_file == NULL) {
+			free(pdata);
+			return MOSQ_ERR_NOMEM;
+		}
+	} else {
+		pdata->config_file = NULL;
+	}
+
 	/* Load subnet ACL configuration */
 	if (load_subnet_acl_config(pdata, config_file) != 0) {
+		free(pdata->config_file);
 		free(pdata);
 		return MOSQ_ERR_UNKNOWN;
 	}
@@ -588,6 +625,20 @@ int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
 	if (rc != MOSQ_ERR_SUCCESS) {
 		mosquitto_log_printf(MOSQ_LOG_ERR,
 			"subnet_acl: Failed to register authentication callback");
+		free(pdata->config_file);
+		free(pdata);
+		return rc;
+	}
+
+	/* Register reload callback to handle SIGHUP */
+	rc = mosquitto_callback_register(identifier, MOSQ_EVT_RELOAD,
+	                                 reload_callback, NULL, pdata);
+	if (rc != MOSQ_ERR_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to register reload callback");
+		mosquitto_callback_unregister(identifier, MOSQ_EVT_BASIC_AUTH,
+		                              basic_auth_callback, NULL);
+		free(pdata->config_file);
 		free(pdata);
 		return rc;
 	}
@@ -609,6 +660,9 @@ int mosquitto_plugin_cleanup(void *user_data,
 	if (pdata) {
 		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_BASIC_AUTH,
 		                              basic_auth_callback, NULL);
+		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_RELOAD,
+		                              reload_callback, NULL);
+		free(pdata->config_file);
 		free(pdata);
 	}
 

netmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmngr
-PKG_VERSION:=1.2.0
+PKG_VERSION:=1.2.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/netmngr.git
-PKG_SOURCE_VERSION:=ff08a8cc5c860056a022e5376a973dee5a323595
+PKG_SOURCE_VERSION:=8240c6089cdd44f268db135920800b8fc1d65ca9
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

netmode/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmode
-PKG_VERSION:=1.1.8
+PKG_VERSION:=1.1.11
 PKG_RELEASE:=1
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0-only

netmode/README.md

@@ -1,109 +1,380 @@
-# Creating Custom Netmodes in IOWRT
+# Netmode - Network Mode Switching for OpenWrt/iopsys
 
-This guide provides developers with detailed instructions on how to create and manage custom network modes (netmodes) in IOWRT. The `netmode` script allows for flexible network configuration, and developers can define their own modes by structuring the necessary files and scripts within the `/etc/netmodes/` directory.
+**Version**: 1.1.11
+**License**: GPL-2.0-only
+**Maintainer**: iopsys
 
-## Table of Contents
-1. [Overview of Netmodes](#overview-of-netmodes)
-2. [Directory Structure](#directory-structure)
-3. [Creating a Custom Netmode](#creating-a-custom-netmode)
-   - [Step 1: Pre-Execution Scripts](#step-1-pre-execution-scripts)
-   - [Step 2: UCI Configuration Files](#step-2-uci-configuration-files)
-   - [Step 3: Custom Execution Scripts](#step-3-custom-execution-scripts)
-   - [Step 4: Post-Execution Scripts](#step-4-post-execution-scripts)
-4. [Enabling and Switching Netmodes](#enabling-and-switching-netmodes)
+## Overview
 
-## Overview of Netmodes
+Netmode is a network configuration management package for OpenWrt/iopsys-based routers that enables seamless switching between different WAN connection types. It provides a unified interface for managing network modes including DHCP, PPPoE, Static IP, and Bridge configurations.
 
-Netmodes in IOWRT provide a way to switch between different network configurations based on the needs of the environment. Developers can create custom netmodes by organizing scripts and configuration files in specific directories under `/etc/netmodes/<NETMODE_NAME>`.
+### Key Features
 
-## Directory Structure
+- **Simple Mode Switching**: Change WAN connection type with a single command
+- **Multiple Mode Support**: DHCP, PPPoE, Static IP, and Bridged mode
+- **Automatic Configuration**: Handles network, firewall, DHCP, and multicast settings
+- **TR-069/USP Integration**: Remote management via BBF data model
+- **Extensible Architecture**: Easy to add custom network modes
+- **Safe Transitions**: Proper cleanup and validation during mode switches
 
-A custom netmode is defined within the `/etc/netmodes/<NETMODE_NAME>` directory, which should contain the following subdirectories:
+## Quick Start
 
-- **/lib/netmode/pre/**: Generic scripts executed before the netmode-specific configurations are applied.
-- **/etc/netmodes/<NETMODE_NAME>/uci/**: Contains UCI configuration files that will be copied to `/etc/config/` during the application of the netmode.
-- **/etc/netmodes/<NETMODE_NAME>/scripts/**: Custom scripts specific to the netmode that are executed after the UCI configurations are applied.
-- **/lib/netmode/post/**: Generic scripts executed after the netmode-specific configurations are completed.
+### Installation
 
-## Creating a Custom Netmode
+```bash
+# Install via opkg
+opkg update
+opkg install netmode
 
-To create a new netmode, follow these steps:
+# Or build from source
+make package/feeds/iopsys/netmode/compile
+```
 
-### Step 1: Pre-Execution Scripts
+### Basic Usage
 
-Scripts located in `/lib/netmode/pre/` are executed before any mode-specific actions. These are typically used for preparing the system or cleaning up configurations from the previous netmode.
+```bash
+# Check current mode
+cat /etc/netmodes/.last_mode
 
-- **Create Pre-Execution Scripts**:
-  - Place your generic pre-execution scripts in `/lib/netmode/pre/`.
-  - Example script (`/lib/netmode/pre/cleanup.sh`):
-    ```bash
-    #!/bin/sh
-    echo "Cleaning up old network configurations..."
-    # Add commands here
-    ```
+# Switch to DHCP mode
+uci set netmode.global.mode='routed-dhcp'
+uci commit netmode
+service netmode restart
 
-### Step 2: UCI Configuration Files
+# Switch to PPPoE mode
+uci set netmode.global.mode='routed-pppoe'
+uci set netmode.@supported_args[2].value='username@isp.com'
+uci set netmode.@supported_args[3].value='password'
+uci commit netmode
+service netmode restart
+```
 
-The UCI configuration files stored in `/etc/netmodes/<NETMODE_NAME>/uci/` will be copied to `/etc/config/`, effectively applying the desired network configuration.
+## Supported Modes
 
-- **Place UCI Config Files**:
-  - Create UCI configuration files under `/etc/netmodes/<NETMODE_NAME>/uci/`.
-  - Example (`/etc/netmodes/bridge/uci/network`):
-````bash
-config device 'br_lan'
-        option name 'br-lan'
-        option type 'bridge'
-        option multicast_to_unicast '0'
-        option bridge_empty '1'
-        list ports 'eth1'
-        list ports 'eth3'
-        list ports 'eth4'
+| Mode | Description | Use Case |
+|------|-------------|----------|
+| **routed-dhcp** | Router with DHCP WAN | Cable/Fiber internet with automatic IP |
+| **routed-pppoe** | Router with PPPoE WAN | DSL internet with authentication |
+| **routed-static** | Router with Static IP WAN | Business connections with fixed IP |
+| **bridged** | L2 Bridge Mode | Transparent bridge, no routing |
 
-config interface 'lan'
-        option proto 'dhcp'
-        option device 'br-lan'
-        option force_link '1'
-        option reqopts '43 125'
-````
+## Documentation
 
-### Step 3: Custom Execution Scripts
+Comprehensive documentation is available in the following guides:
 
-After the UCI files are applied, any scripts in `/etc/netmodes/<NETMODE_NAME>/scripts/` are executed. These can be used to perform additional configuration tasks that are specific to the netmode.
+### For Users
+- **[USER_GUIDE.md](USER_GUIDE.md)** - Complete user guide with configuration examples
+  - Getting started
+  - Mode descriptions
+  - Common use cases
+  - Troubleshooting
+  - FAQ
 
-- **Create Custom Scripts**:
-  - Add scripts to `/etc/netmodes/<NETMODE_NAME>/scripts/`.
-  - Example (`/etc/netmodes/bridge/scripts/setup_bridge.sh`):
-    ```bash
-    #!/bin/sh
-    echo "Setting up bridge mode..."
-    # Additional configuration commands here
-    ```
+### For Developers
+- **[DEVELOPER_GUIDE.md](DEVELOPER_GUIDE.md)** - Developer documentation
+  - Development environment setup
+  - Code organization
+  - API reference
+  - Testing framework
+  - Contributing guidelines
 
-### Step 4: Post-Execution Scripts
+### For Implementers
+- **[IMPLEMENTATION_GUIDE.md](IMPLEMENTATION_GUIDE.md)** - Implementation details
+  - Architecture overview
+  - Creating custom modes
+  - Environment variables
+  - Hook system
+  - Data model integration
 
-Finally, the generic scripts in `/lib/netmode/post/` are executed. These scripts typically finalize the setup or perform any necessary cleanups.
+## Architecture
 
-- **Create Post-Execution Scripts**:
-  - Place scripts in `/lib/netmode/post/`.
-  - Example script (`/lib/netmode/post/restart_services.sh`):
-    ```bash
-    #!/bin/sh
-    echo "Restarting network services..."
-    # Add commands here
-    ```
+```
+┌─────────────────────────────────────────┐
+│         Netmode System                   │
+├─────────────────────────────────────────┤
+│  UCI Config → Init Service → Mode Scripts│
+│       ↓             ↓              ↓     │
+│  Environment    Pre-hooks      UCI Copy │
+│   Variables       ↓              ↓       │
+│       ↓       Mode Scripts   Post-hooks │
+│       └──────────┴────────────┘         │
+│              Network Reconfiguration     │
+└─────────────────────────────────────────┘
+```
 
-## Enabling and Switching Netmodes
+### Components
 
-The netmode mechanism can be enabled or disabled via the UCI configuration, and you can switch between netmodes using UCI commands.
+- **Init Service** (`/etc/init.d/netmode`): Orchestrates mode switching
+- **Mode Scripts** (`/etc/netmodes/<mode>/scripts/`): Mode-specific configuration
+- **UCI Config** (`/etc/config/netmode`): Mode definitions and parameters
+- **Data Model** (`datamodel.json`): BBF TR-181 integration
+- **Hooks** (`/lib/netmode/{pre,post}/`): Pre/post mode switch scripts
 
-- **Enable Netmode**:
-  ```bash
-  uci set netmode.global.enabled=1
-  uci commit netmode
-    ```
-    
-- **Switch Netmode**:
-  ```bash
-  uci set netmode.global.mode='<NETMODE_NAME>'
-  uci commit netmode
-    ```
+## Configuration Examples
+
+### DHCP with VLAN
+
+```bash
+uci set netmode.global.mode='routed-dhcp'
+uci set netmode.@supported_args[0].value='100'  # VLAN ID
+uci commit netmode
+service netmode restart
+```
+
+### PPPoE with Custom DNS
+
+```bash
+uci set netmode.global.mode='routed-pppoe'
+uci set netmode.@supported_args[2].value='user@isp.com'
+uci set netmode.@supported_args[3].value='password123'
+uci set netmode.@supported_args[6].value='8.8.8.8,8.8.4.4'
+uci commit netmode
+service netmode restart
+```
+
+### Static IP Business Connection
+
+```bash
+uci set netmode.global.mode='routed-static'
+uci set netmode.@supported_args[6].value='203.0.113.10'
+uci set netmode.@supported_args[7].value='255.255.255.0'
+uci set netmode.@supported_args[8].value='203.0.113.1'
+uci commit netmode
+service netmode restart
+```
+
+## Creating Custom Modes
+
+Custom network modes can be added by following these steps:
+
+1. **Create mode directory structure**:
+   ```bash
+   mkdir -p /etc/netmodes/my-mode/scripts
+   ```
+
+2. **Define mode in supported_modes.json**:
+   ```json
+   {
+     "name": "my-mode",
+     "description": "My Custom Mode",
+     "supported_args": [...]
+   }
+   ```
+
+3. **Create mode script**:
+   ```bash
+   cat > /etc/netmodes/my-mode/scripts/10-my-mode << 'EOF'
+   #!/bin/sh
+   # Configuration logic here
+   EOF
+   chmod +x /etc/netmodes/my-mode/scripts/10-my-mode
+   ```
+
+4. **Import to UCI and test**:
+   ```bash
+   sh /etc/uci-defaults/40_netmode_populated_supported_modes
+   uci set netmode.global.mode='my-mode'
+   service netmode restart
+   ```
+
+See [IMPLEMENTATION_GUIDE.md](IMPLEMENTATION_GUIDE.md#creating-a-new-network-mode) for detailed instructions.
+
+## TR-069/USP Integration
+
+Netmode exposes a BBF TR-181 data model for remote management:
+
+**Data Model Path**: `Device.X_IOPSYS_EU_NetMode.`
+
+```
+Device.X_IOPSYS_EU_NetMode.
+├── Enable (boolean, r/w)
+├── Mode (string, r/w)
+├── SupportedModesNumberOfEntries (unsignedInt, r)
+└── SupportedModes.{i}.
+    ├── Name (string, r)
+    ├── Description (string, r)
+    └── SupportedArguments.{i}.
+        ├── Name (string, r)
+        ├── Type (string, r)
+        ├── Required (boolean, r)
+        └── Value (string, r/w)
+```
+
+Example TR-069 operation:
+```xml
+<SetParameterValues>
+  <ParameterList>
+    <ParameterValueStruct>
+      <Name>Device.X_IOPSYS_EU_NetMode.Mode</Name>
+      <Value>routed-dhcp</Value>
+    </ParameterValueStruct>
+  </ParameterList>
+</SetParameterValues>
+```
+
+## System Requirements
+
+- **Platform**: OpenWrt/iopsys
+- **Dependencies**:
+  - `dm-service` (BBF data model service)
+  - `uci`
+  - `procd`
+  - `libubox` (jshn)
+- **Recommended**:
+  - `logread` for monitoring
+  - `firewall`, `odhcpd`, `mcast` for full functionality
+
+## File Structure
+
+```
+netmode/
+├── Makefile                          # Package build definition
+├── README.md                         # This file
+├── IMPLEMENTATION_GUIDE.md           # Implementation guide
+├── DEVELOPER_GUIDE.md                # Developer documentation
+├── USER_GUIDE.md                     # User documentation
+├── bbfdm_service.json                # BBF service registration
+└── files/
+    ├── etc/
+    │   ├── config/netmode            # UCI configuration
+    │   ├── init.d/netmode            # Init script (START=11)
+    │   ├── uci-defaults/             # First-boot scripts
+    │   └── netmodes/
+    │       ├── supported_modes.json  # Mode definitions
+    │       ├── routed-dhcp/scripts/
+    │       ├── routed-pppoe/scripts/
+    │       ├── routed-static/scripts/
+    │       └── bridged/scripts/
+    └── lib/
+        ├── netmode/
+        │   ├── pre/                  # Pre-switch hooks
+        │   └── post/                 # Post-switch hooks
+        └── upgrade/keep.d/netmode    # Sysupgrade preservation
+```
+
+## Troubleshooting
+
+### Mode Not Switching
+
+```bash
+# Check if enabled
+uci get netmode.global.enabled
+
+# Check logs
+logread | grep netmode
+
+# Force mode change
+rm /etc/netmodes/.last_mode
+service netmode restart
+```
+
+### No Internet After Switch
+
+```bash
+# Verify mode applied
+cat /etc/netmodes/.last_mode
+
+# Check WAN status
+ifconfig wan
+ip route
+
+# Restart network
+/etc/init.d/network restart
+```
+
+### PPPoE Authentication Failed
+
+```bash
+# Check credentials
+uci show network.wan | grep -E "username|password"
+
+# Check logs
+logread | grep ppp
+
+# Verify VLAN if required
+uci get network.wan.device
+```
+
+See [USER_GUIDE.md](USER_GUIDE.md#troubleshooting) for comprehensive troubleshooting.
+
+## Development
+
+### Building
+
+```bash
+# Clone repository
+cd feeds/iopsys/netmode
+
+# Build package
+make package/feeds/iopsys/netmode/compile V=s
+
+# Install on device
+scp bin/packages/*/iopsys/netmode_*.ipk root@192.168.1.1:/tmp/
+ssh root@192.168.1.1 "opkg install /tmp/netmode_*.ipk"
+```
+
+### Testing
+
+```bash
+# Run mode switch test
+./test-mode-switch.sh routed-dhcp
+
+# Monitor logs
+logread -f | grep netmode
+
+# Verify configuration
+uci show network
+cat /etc/netmodes/.last_mode
+```
+
+### Contributing
+
+Contributions are welcome! Please follow these steps:
+
+1. Fork the repository
+2. Create a feature branch
+3. Make your changes
+4. Test thoroughly on target hardware
+5. Update documentation
+6. Submit a pull request
+
+See [DEVELOPER_GUIDE.md](DEVELOPER_GUIDE.md#contributing-guidelines) for detailed guidelines.
+
+## License
+
+This project is licensed under the GNU General Public License v2.0 only.
+
+See `/LICENSE` for more information.
+
+## Support
+
+- **Documentation**: See guides in this repository
+- **Issues**: Contact iopsys development team
+- **Community**: OpenWrt and iopsys forums
+
+## Changelog
+
+### Version 1.1.11
+- Current stable release
+- Support for DHCP, PPPoE, Static IP, and Bridge modes
+- BBF TR-181 data model integration
+- Comprehensive documentation
+
+## Acknowledgments
+
+- OpenWrt project for the underlying platform
+- iopsys for development and maintenance
+- Contributors and testers
+
+## Related Projects
+
+- [OpenWrt](https://openwrt.org/) - Linux operating system for embedded devices
+- [iopsys](https://www.iopsys.eu/) - Broadband device management
+- [BBF](https://www.broadband-forum.org/) - Broadband Forum standards
+
+---
+
+**For detailed information, please refer to the specific guides:**
+- Users: [USER_GUIDE.md](USER_GUIDE.md)
+- Developers: [DEVELOPER_GUIDE.md](DEVELOPER_GUIDE.md)
+- Implementers: [IMPLEMENTATION_GUIDE.md](IMPLEMENTATION_GUIDE.md)

netmode/USER_GUIDE.md

@@ -0,0 +1,857 @@
+# Netmode User Guide
+
+## Table of Contents
+1. [Introduction](#introduction)
+2. [Getting Started](#getting-started)
+3. [Available Network Modes](#available-network-modes)
+4. [Configuration Methods](#configuration-methods)
+5. [Common Use Cases](#common-use-cases)
+6. [Troubleshooting](#troubleshooting)
+7. [FAQ](#faq)
+8. [Glossary](#glossary)
+
+---
+
+## Introduction
+
+### What is Netmode?
+
+Netmode is a network configuration management system for iopsys-based routers that allows you to easily switch between different WAN (Wide Area Network) connection types without manual configuration.
+
+### Why Use Netmode?
+
+- **Simplicity**: Switch network modes with a single command
+- **Flexibility**: Support for multiple WAN connection types
+- **Consistency**: Ensures proper configuration of all related network services
+- **Remote Management**: Can be controlled via TR-069/USP protocols
+- **Safety**: Automatically handles complex network reconfigurations
+
+### Supported Connection Types
+
+- **DHCP**: Automatic IP configuration (most common for cable/fiber connections)
+- **PPPoE**: Username/password authentication (common for DSL connections)
+- **Static IP**: Manual IP configuration (business connections)
+- **Bridged Mode**: Bridge/modem mode (disable routing)
+
+---
+
+## Getting Started
+
+### Checking if Netmode is Installed
+
+```bash
+# Check if netmode package is installed
+opkg list-installed | grep netmode
+
+# Check netmode service status
+service netmode status
+```
+
+Expected output:
+```
+netmode - 1.1.11-1 - Network Modes and Utils
+```
+
+### Checking Current Mode
+
+```bash
+# View current configuration
+uci show netmode.global
+
+# Check active mode
+cat /etc/netmodes/.last_mode
+```
+
+Example output:
+```
+netmode.global=netmode
+netmode.global.enabled='1'
+netmode.global.mode='routed-dhcp'
+```
+
+### Viewing Available Modes
+
+```bash
+# List all supported modes
+uci show netmode | grep "supported_modes.*name"
+```
+
+Example output:
+```
+netmode.@supported_modes[0].name='routed-dhcp'
+netmode.@supported_modes[1].name='routed-pppoe'
+netmode.@supported_modes[2].name='routed-static'
+netmode.@supported_modes[3].name='bridged'
+```
+
+---
+
+## Available Network Modes
+
+### 1. Routed DHCP Mode
+
+**Mode Name**: `routed-dhcp`
+
+**When to Use**:
+- Cable internet connection
+- Fiber internet connection
+- Any ISP that automatically provides IP configuration
+
+**Features**:
+- Automatic IP address assignment
+- Built-in router (NAT)
+- Firewall enabled
+- DHCP server for local devices
+- IPv4 and IPv6 support
+
+**Configuration Parameters**:
+- `vlanid` (optional): VLAN ID if required by ISP
+- `dns_servers` (optional): Custom DNS servers (comma-separated)
+
+**Example Configuration**:
+```bash
+# Basic DHCP mode
+uci set netmode.global.mode='routed-dhcp'
+uci commit netmode
+service netmode restart
+
+# DHCP with VLAN ID 100
+uci set netmode.global.mode='routed-dhcp'
+# Find VLAN argument and set value
+uci set netmode.@supported_args[0].value='100'
+uci commit netmode
+service netmode restart
+```
+
+---
+
+### 2. Routed PPPoE Mode
+
+**Mode Name**: `routed-pppoe`
+
+**When to Use**:
+- DSL internet connection
+- ISP requires username and password authentication
+- Connection uses PPPoE protocol
+
+**Features**:
+- Username/password authentication
+- Built-in router (NAT)
+- Firewall enabled
+- DHCP server for local devices
+- Automatic MTU optimization
+
+**Required Parameters**:
+- `username`: PPPoE username (provided by ISP)
+- `password`: PPPoE password (provided by ISP)
+
+**Optional Parameters**:
+- `vlanid`: VLAN ID if required by ISP
+- `mtu`: Maximum transmission unit (default: 1492 for PPPoE)
+- `dns_servers`: Custom DNS servers (comma-separated)
+
+**Example Configuration**:
+```bash
+# Set mode
+uci set netmode.global.mode='routed-pppoe'
+
+# Set username (find correct argument index)
+uci set netmode.@supported_args[2].value='myuser@isp.com'
+
+# Set password
+uci set netmode.@supported_args[3].value='mypassword'
+
+# Optional: Set VLAN
+uci set netmode.@supported_args[4].value='100'
+
+# Optional: Set MTU
+uci set netmode.@supported_args[5].value='1492'
+
+# Apply configuration
+uci commit netmode
+service netmode restart
+```
+
+**Important Notes**:
+- Device will reboot after configuration
+- Keep ISP credentials safe
+- Most DSL connections use VLAN ID 7 or 100 (check with ISP)
+- MTU typically 1492 for PPPoE (auto-configured)
+
+---
+
+### 3. Routed Static IP Mode
+
+**Mode Name**: `routed-static`
+
+**When to Use**:
+- Business internet connection with static IP
+- ISP provided specific IP address, subnet mask, and gateway
+- Fixed IP address required for services (web server, VPN, etc.)
+
+**Features**:
+- Manual IP configuration
+- Built-in router (NAT)
+- Firewall enabled
+- DHCP server for local devices
+- Fixed WAN IP address
+
+**Required Parameters**:
+- `ipaddr`: Static IP address (e.g., 93.21.0.104)
+- `netmask`: Subnet mask (e.g., 255.255.255.0)
+- `gateway`: Default gateway IP (e.g., 93.21.0.1)
+
+**Optional Parameters**:
+- `vlanid`: VLAN ID if required
+- `dns_servers`: DNS servers (comma-separated, e.g., 8.8.8.8,8.8.4.4)
+
+**Example Configuration**:
+```bash
+# Set mode
+uci set netmode.global.mode='routed-static'
+
+# Set IP address
+uci set netmode.@supported_args[6].value='93.21.0.104'
+
+# Set subnet mask
+uci set netmode.@supported_args[7].value='255.255.255.0'
+
+# Set gateway
+uci set netmode.@supported_args[8].value='93.21.0.1'
+
+# Optional: Set DNS servers
+uci set netmode.@supported_args[9].value='8.8.8.8,8.8.4.4'
+
+# Apply configuration
+uci commit netmode
+service netmode restart
+```
+
+**Important Notes**:
+- Use exact IP settings provided by ISP
+- Incorrect settings will result in no internet connectivity
+- DNS servers are optional but recommended
+- Device will reboot after configuration
+
+---
+
+### 4. Bridged Mode
+
+**Mode Name**: `bridged`
+
+**When to Use**:
+- Using router as a bridge/modem only
+- Another router handles routing and DHCP
+- ISP requires bridge mode
+- Cascading routers (not recommended, prefer this mode on upstream device)
+
+**Features**:
+- All LAN and WAN ports bridged together
+- No routing (NAT disabled)
+- Firewall disabled
+- DHCP server disabled
+- Device acts as transparent bridge
+
+**Configuration Parameters**:
+- No parameters required
+
+**Example Configuration**:
+```bash
+# Set mode
+uci set netmode.global.mode='bridged'
+uci commit netmode
+service netmode restart
+```
+
+**Important Notes**:
+- Device will obtain IP from upstream router/ISP
+- Web interface may be inaccessible until device gets IP
+- To access device: connect directly and check DHCP leases on upstream router
+- Device will reboot after configuration
+- Use this mode carefully - you may lose access to the device
+
+**Reverting from Bridge Mode**:
+If you lose access, connect via serial console or perform factory reset.
+
+---
+
+## Configuration Methods
+
+### Method 1: UCI Command Line (SSH/Console)
+
+**Step-by-step procedure**:
+
+```bash
+# 1. Connect to device
+ssh root@192.168.1.1
+
+# 2. View current configuration
+uci show netmode
+
+# 3. Set desired mode
+uci set netmode.global.mode='routed-dhcp'
+
+# 4. Set any required parameters (example for PPPoE)
+uci set netmode.@supported_args[2].value='username@isp.com'
+uci set netmode.@supported_args[3].value='password123'
+
+# 5. Save configuration
+uci commit netmode
+
+# 6. Apply changes
+service netmode restart
+
+# 7. Monitor logs (optional)
+logread -f | grep netmode
+```
+
+### Method 2: TR-069/CWMP (Remote Management)
+
+If your device is managed by an ACS (Auto Configuration Server):
+
+**Get current mode**:
+```xml
+GetParameterValues
+  Device.X_IOPSYS_EU_NetMode.Mode
+```
+
+**Set PPPoE mode**:
+```xml
+SetParameterValues
+  Device.X_IOPSYS_EU_NetMode.Mode = "routed-pppoe"
+  Device.X_IOPSYS_EU_NetMode.SupportedModes.2.SupportedArguments.1.Value = "username@isp.com"
+  Device.X_IOPSYS_EU_NetMode.SupportedModes.2.SupportedArguments.2.Value = "password123"
+```
+
+**Trigger mode change**:
+```bash
+# On device (via TR-069 script)
+service netmode restart
+```
+
+### Method 3: Web Interface (if available)
+
+Some firmware may provide a web interface for netmode configuration.
+
+Typical location: **Network → WAN → Connection Type**
+
+---
+
+## Common Use Cases
+
+### Use Case 1: Switching from DHCP to PPPoE
+
+**Scenario**: ISP changed from cable to DSL connection
+
+```bash
+# 1. Connect to router
+ssh root@192.168.1.1
+
+# 2. Find username and password argument indices
+uci show netmode | grep -A3 "name='username'"
+# Note the index numbers
+
+# 3. Set mode and credentials
+uci set netmode.global.mode='routed-pppoe'
+uci set netmode.@supported_args[2].value='newuser@dsl-isp.com'
+uci set netmode.@supported_args[3].value='newpassword'
+
+# 4. If ISP requires VLAN (e.g., VLAN 7)
+uci set netmode.@supported_args[4].value='7'
+
+# 5. Apply
+uci commit netmode
+service netmode restart
+
+# Device will reboot
+```
+
+### Use Case 2: Adding Custom DNS Servers
+
+**Scenario**: Want to use Google DNS or Cloudflare DNS
+
+```bash
+# For DHCP mode
+uci set netmode.global.mode='routed-dhcp'
+
+# Find dns_servers argument index
+uci show netmode | grep -B2 "name='dns_servers'"
+
+# Set custom DNS (Google DNS example)
+uci set netmode.@supported_args[1].value='8.8.8.8,8.8.4.4'
+
+# Or Cloudflare DNS
+uci set netmode.@supported_args[1].value='1.1.1.1,1.0.0.1'
+
+# Apply
+uci commit netmode
+service netmode restart
+```
+
+### Use Case 3: Configuring VLAN for ISP
+
+**Scenario**: ISP requires VLAN tagging (common for fiber)
+
+```bash
+# Identify your mode (example: DHCP)
+uci set netmode.global.mode='routed-dhcp'
+
+# Find VLAN argument
+uci show netmode | grep -B2 "name='vlanid'"
+
+# Set VLAN ID (ISP will provide this, commonly 100, 7, or other)
+uci set netmode.@supported_args[0].value='100'
+
+# Apply
+uci commit netmode
+service netmode restart
+```
+
+### Use Case 4: Setting Up Bridge Mode for Secondary Router
+
+**Scenario**: Using dedicated router behind ISP modem
+
+```bash
+# Configure device as bridge
+uci set netmode.global.mode='bridged'
+uci commit netmode
+service netmode restart
+
+# After reboot, device will be in bridge mode
+# Connect to it via the IP it receives from upstream
+```
+
+### Use Case 5: Business Static IP Setup
+
+**Scenario**: ISP provided static IP configuration
+
+**ISP Information**:
+- IP Address: 203.0.113.10
+- Subnet Mask: 255.255.255.248
+- Gateway: 203.0.113.9
+- DNS: 203.0.113.1, 203.0.113.2
+
+```bash
+# Set mode
+uci set netmode.global.mode='routed-static'
+
+# Configure IP settings (find argument indices first)
+uci show netmode | grep -B2 "name='ipaddr'"
+uci show netmode | grep -B2 "name='netmask'"
+uci show netmode | grep -B2 "name='gateway'"
+
+# Set values
+uci set netmode.@supported_args[6].value='203.0.113.10'
+uci set netmode.@supported_args[7].value='255.255.255.248'
+uci set netmode.@supported_args[8].value='203.0.113.9'
+uci set netmode.@supported_args[9].value='203.0.113.1,203.0.113.2'
+
+# Apply
+uci commit netmode
+service netmode restart
+```
+
+---
+
+## Troubleshooting
+
+### Problem: No Internet After Mode Switch
+
+**Symptoms**:
+- Cannot access websites
+- No WAN IP address
+- Local network works but no internet
+
+**Diagnosis**:
+```bash
+# Check WAN interface status
+ifconfig wan
+
+# Check if WAN has IP
+ip addr show wan
+
+# Check routing table
+ip route
+
+# Check DNS resolution
+nslookup google.com
+
+# Check mode applied correctly
+cat /etc/netmodes/.last_mode
+uci show netmode.global.mode
+```
+
+**Solutions**:
+
+1. **For DHCP mode**:
+   ```bash
+   # Restart network
+   /etc/init.d/network restart
+
+   # Release and renew DHCP
+   udhcpc -i wan -n
+   ```
+
+2. **For PPPoE mode**:
+   ```bash
+   # Check credentials
+   uci show network.wan.username
+   uci show network.wan.password
+
+   # Check PPPoE connection
+   logread | grep pppd
+
+   # Restart PPPoE
+   ifdown wan
+   ifup wan
+   ```
+
+3. **For Static IP mode**:
+   ```bash
+   # Verify settings
+   uci show network.wan
+
+   # Check if gateway is reachable
+   ping -c 3 $(uci get network.wan.gateway)
+   ```
+
+### Problem: Cannot Access Router After Mode Change
+
+**Symptoms**:
+- Cannot reach router web interface
+- Cannot SSH to router
+- Router appears offline
+
+**Solutions**:
+
+1. **Check router IP address**:
+   - Routed modes: Router should be at `192.168.1.1`
+   - Bridged mode: Router gets IP from upstream device
+
+2. **For bridged mode**:
+   ```bash
+   # Connect to upstream router
+   # Check DHCP leases for your device MAC address
+   # Or connect via serial console
+   ```
+
+3. **Factory reset** (last resort):
+   - Hold reset button for 10 seconds
+   - Device will reset to default configuration
+
+### Problem: Mode Not Switching
+
+**Symptoms**:
+- `.last_mode` not updated
+- Old configuration still active
+- No changes after restart
+
+**Diagnosis**:
+```bash
+# Check if netmode is enabled
+uci get netmode.global.enabled
+
+# Check logs
+logread | grep netmode
+
+# Check if mode exists
+ls /etc/netmodes/*/scripts/
+```
+
+**Solutions**:
+```bash
+# Enable netmode if disabled
+uci set netmode.global.enabled='1'
+uci commit netmode
+
+# Force mode change by removing last_mode
+rm /etc/netmodes/.last_mode
+service netmode restart
+```
+
+### Problem: PPPoE Authentication Failure
+
+**Symptoms**:
+- WAN interface shows "connecting" but never connects
+- Logs show authentication errors
+
+**Diagnosis**:
+```bash
+# Check PPPoE logs
+logread | grep ppp
+
+# Common errors:
+# - "authentication failed"
+# - "LCP timeout"
+# - "CHAP authentication failed"
+```
+
+**Solutions**:
+```bash
+# Verify credentials (double-check with ISP)
+uci show network.wan.username
+uci show network.wan.password
+
+# Some ISPs require VLAN tagging
+uci set netmode.@supported_args[4].value='7'  # or ISP-specific VLAN
+uci commit netmode
+service netmode restart
+
+# Check if service name is required (rare)
+uci set network.wan.service='ISP-SERVICE-NAME'
+uci commit network
+```
+
+### Problem: Slow Internet After Mode Switch
+
+**Symptoms**:
+- Internet works but very slow
+- High latency
+
+**Solutions**:
+
+1. **Check MTU settings** (especially for PPPoE):
+   ```bash
+   # Set MTU for PPPoE
+   uci set netmode.@supported_args[5].value='1492'
+   uci commit netmode
+   service netmode restart
+   ```
+
+2. **Check for DNS issues**:
+   ```bash
+   # Test DNS resolution speed
+   time nslookup google.com
+
+   # Use faster DNS
+   uci set netmode.@supported_args[X].value='1.1.1.1,1.0.0.1'
+   uci commit netmode
+   service netmode restart
+   ```
+
+3. **Check WAN speed**:
+   ```bash
+   # Install iperf3 and test
+   opkg update
+   opkg install iperf3
+   ```
+
+---
+
+## FAQ
+
+### General Questions
+
+**Q: Will I lose my configuration when switching modes?**
+
+A: Netmode preserves most router settings (WiFi, firewall rules, etc.), but WAN-specific settings are reconfigured. Local network settings remain unchanged.
+
+**Q: How long does a mode switch take?**
+
+A: The mode switch itself takes a few seconds, but the device will reboot, which takes 1-2 minutes total.
+
+**Q: Can I switch modes remotely?**
+
+A: Yes, via SSH or TR-069/USP if configured. However, be careful with bridge mode as you may lose connectivity.
+
+**Q: Do I need to reboot manually?**
+
+A: No, the system automatically reboots after applying a new mode.
+
+**Q: Can I schedule a mode switch?**
+
+A: Yes, using cron:
+```bash
+# Switch to bridged mode at 2 AM
+echo "0 2 * * * uci set netmode.global.mode='bridged' && uci commit && service netmode restart" | crontab -
+```
+
+### Mode-Specific Questions
+
+**Q: Which mode should I use?**
+
+A: Depends on your ISP:
+- Cable/Fiber without login: **routed-dhcp**
+- DSL with username/password: **routed-pppoe**
+- Static IP business connection: **routed-static**
+- Using as bridge only: **bridged**
+
+**Q: Can I use PPPoE with VLAN?**
+
+A: Yes, set both the mode and VLAN ID:
+```bash
+uci set netmode.global.mode='routed-pppoe'
+uci set netmode.@supported_args[4].value='100'
+```
+
+**Q: What's the difference between routed and bridged mode?**
+
+A:
+- **Routed modes**: Router performs NAT, runs firewall, provides DHCP to local network
+- **Bridged mode**: Router acts as transparent bridge, no NAT, no firewall, no DHCP
+
+**Q: Can I customize the LAN IP in routed modes?**
+
+A: Yes, but not through netmode. After mode switch, manually configure:
+```bash
+uci set network.lan.ipaddr='192.168.2.1'
+uci commit network
+/etc/init.d/network restart
+```
+
+### Technical Questions
+
+**Q: Where are my credentials stored?**
+
+A: In `/etc/config/netmode` (UCI configuration). They are cleared from memory after mode application for security.
+
+**Q: Can I create custom modes?**
+
+A: Yes, advanced users can create custom modes. See the IMPLEMENTATION_GUIDE.md and DEVELOPER_GUIDE.md.
+
+**Q: Does netmode support IPv6?**
+
+A: Yes, routed-dhcp and routed-pppoe modes support IPv6 (DHCPv6).
+
+**Q: What happens to firewall rules?**
+
+A: Firewall is enabled for routed modes and disabled for bridged mode. Custom rules are preserved.
+
+**Q: Can I use multiple WAN connections?**
+
+A: Netmode manages the primary WAN. For multi-WAN setups, configure secondary WANs manually after netmode configuration.
+
+---
+
+## Glossary
+
+**Bridge Mode**: Operating mode where the router acts as a transparent network bridge without routing or NAT.
+
+**DHCP (Dynamic Host Configuration Protocol)**: Automatic IP address assignment protocol.
+
+**DMZ (Demilitarized Zone)**: Network segment that sits between internal network and external network.
+
+**DNS (Domain Name System)**: Service that translates domain names to IP addresses.
+
+**Gateway**: Router IP address that connects local network to the internet.
+
+**ISP (Internet Service Provider)**: Company providing internet access.
+
+**LAN (Local Area Network)**: Internal network (devices in your home/office).
+
+**MTU (Maximum Transmission Unit)**: Largest packet size that can be transmitted. PPPoE typically uses 1492.
+
+**NAT (Network Address Translation)**: Technology allowing multiple devices to share one public IP address.
+
+**PPPoE (Point-to-Point Protocol over Ethernet)**: Authentication protocol commonly used for DSL connections.
+
+**Static IP**: Fixed IP address that doesn't change (opposite of DHCP).
+
+**Subnet Mask**: Defines the network portion of an IP address (e.g., 255.255.255.0).
+
+**TR-069/CWMP**: Remote management protocol for network devices.
+
+**UCI (Unified Configuration Interface)**: OpenWrt configuration system.
+
+**USP (User Services Platform)**: Next-generation device management protocol.
+
+**VLAN (Virtual LAN)**: Network segmentation using VLAN tags (802.1Q).
+
+**WAN (Wide Area Network)**: External network connection (internet).
+
+---
+
+## Getting Help
+
+### Log Collection
+
+When reporting issues, collect these logs:
+
+```bash
+# System logs
+logread > /tmp/system.log
+
+# Network configuration
+uci export network > /tmp/network.conf
+uci export netmode > /tmp/netmode.conf
+
+# Interface status
+ifconfig > /tmp/interfaces.txt
+ip route > /tmp/routes.txt
+
+# Copy to external system
+scp /tmp/*.{log,conf,txt} user@external-host:/path/
+```
+
+### Support Resources
+
+- **Documentation**: Check IMPLEMENTATION_GUIDE.md and DEVELOPER_GUIDE.md
+- **Community Forums**: OpenWrt and iopsys community forums
+- **Issue Tracker**: Report bugs to iopsys development team
+- **ISP Support**: Contact ISP for connection-specific parameters (VLAN, credentials, etc.)
+
+### Before Contacting Support
+
+Please have ready:
+1. Current mode: `cat /etc/netmodes/.last_mode`
+2. Netmode version: `opkg info netmode | grep Version`
+3. Error logs: `logread | grep netmode`
+4. Network configuration: `uci export netmode`
+5. What you're trying to achieve
+6. What you've already tried
+
+---
+
+## Quick Reference Card
+
+### Common Commands
+
+```bash
+# View current mode
+cat /etc/netmodes/.last_mode
+
+# List available modes
+uci show netmode | grep "supported_modes.*name"
+
+# Switch to DHCP
+uci set netmode.global.mode='routed-dhcp'
+uci commit netmode && service netmode restart
+
+# Switch to PPPoE
+uci set netmode.global.mode='routed-pppoe'
+uci set netmode.@supported_args[2].value='username'
+uci set netmode.@supported_args[3].value='password'
+uci commit netmode && service netmode restart
+
+# Switch to Bridge
+uci set netmode.global.mode='bridged'
+uci commit netmode && service netmode restart
+
+# View logs
+logread | grep netmode
+
+# Reset to last mode
+rm /etc/netmodes/.last_mode
+service netmode restart
+```
+
+### Emergency Recovery
+
+```bash
+# If locked out after bridge mode
+# Connect via serial console and run:
+uci set netmode.global.mode='routed-dhcp'
+uci commit netmode
+service netmode restart
+
+# Factory reset (hold reset button 10 seconds)
+# Or via console:
+firstboot -y && reboot
+```
+
+---
+
+**Document Version**: 1.0
+**Package Version**: 1.1.11
+**Last Updated**: 2024
+**License**: GPL-2.0-only

netmode/files/etc/init.d/netmode

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 
-START=10
+START=11
 USE_PROCD=1
 
 . /lib/functions.sh
@@ -117,6 +117,7 @@ start_service() {
 	config_get_bool enabled global enabled '0'
 	[ $enabled -eq 0 ] && return
 
+	[ -d $MODEDIR ] || mkdir -p $MODEDIR
 	# Get the desired netmode from config
 	config_get mode global mode ""
 	# Check if netmode is set as boot environment parameter
@@ -127,9 +128,12 @@ start_service() {
 	# Get the last saved mode
 	lastmode="$(cat $MODEDIR/.last_mode 2>/dev/null)"
 	# Return if desired mode is same as last saved mode
-	[ "$mode" == "$lastmode" ] && return
+	if [ "$mode" = "$lastmode" ]; then
+		_log "Not switching mode[${mode}], lastmode[${lastmode}]"
+		return
+	fi
 
-	_log "Switching to [${mode}] Mode" >/dev/console
+	_log "Switching to [${mode}] Mode"
 
 	# Configure env variables
 	configure_env_vars ${mode}
@@ -147,20 +151,19 @@ start_service() {
 
 	# Execute mode specific scripts
 	if [ -d $MODEDIR/$mode/scripts ]; then
-		_log "Executing $MODEDIR/$mode/scripts/* scripts"
 		for script in $(ls $MODEDIR/$mode/scripts/); do
+			_log "Executing [${mode}], script [${script}]"
 			sh $MODEDIR/$mode/scripts/$script
 		done
 	fi
 
+	# Save mode as last mode
+	echo "$mode" > $MODEDIR/.last_mode
+	_log "Switching to Mode [${mode}] done, last mode updated"
+
 	# Execute netmode generic post-mode-switch scripts
 	libnetmode_exec "post"
 	cleanup_env_vars "${mode}"
-
-	# Save mode as last mode
-	[ -d $MODEDIR ] || mkdir -p $MODEDIR
-	echo "$mode" > $MODEDIR/.last_mode
-	_log "Switching to Mode [${mode}] done, last mode updated" >/dev/console
 }
 
 service_triggers()

netmode/files/etc/netmodes/bridged/scripts/10-bridged

@@ -61,8 +61,8 @@ l2_network_config() {
 	uci -q set network.lan6.device='@lan'
 	uci -q set network.lan6.reqprefix='no'
 
-	uci -q set network.wan.disabled='1'
-	uci -q set network.wan6.disabled='1'
+	uci -q delete network.wan
+	uci -q delete network.wan6
 
 	uci -q delete network.br_lan.ports
 	uci -q set network.br_lan.bridge_empty='1'
@@ -116,12 +116,3 @@ l2_network_config() {
 
 l2_network_config
 l2_mcast_config
-
-# If device is already boot-up, assume netmode changed during runtime
-if [ -f /var/run/boot_complete ]; then
-	/etc/init.d/odhcpd stop 2>/dev/null
-	for config in network dhcp ssdpd cwmp gateway firewall mcast; do
-		ubus call uci commit "{\"config\":\"$config\"}"
-		sleep 1
-	done
-fi

netmode/files/etc/netmodes/routed-dhcp/scripts/10-routed-dhcp

@@ -43,22 +43,31 @@ l3_network_config() {
 	uci -q delete network.wan.netmask
 
 	uci -q set network.wan6=interface
-	uci -q set network.wan6.proto='dhcpv6'
+	uci -q set network.wan6.proto="dhcpv6"
 	uci -q delete network.wan6.disabled
 
-	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
-		uci -q set network.vlan_${NETMODE_vlanid}=device
-		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
-		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
-		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
-		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+	# Delete all VLAN sections; new ones will be created in next function if required
+	for vlandev_sec in $(uci show network | grep "type=.*8021q" | cut -d'.' -f1,2); do
+		uci -q delete $vlandev_sec
+	done
 
-		wandev="$wandev.$NETMODE_vlanid"
+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		vlandev="$wandev.$NETMODE_vlanid"
+		vlandev_sec=$(echo $vlandev | tr '.' '_')
+		uci -q set network.${vlandev_sec}=device
+		uci -q set network.${vlandev_sec}.type="8021q"
+		uci -q set network.${vlandev_sec}.name="$vlandev"
+		uci -q set network.${vlandev_sec}.ifname="$wandev"
+		uci -q set network.${vlandev_sec}.vid=$NETMODE_vlanid
+
+		wandev="$vlandev"
 	fi
 
 	uci -q set network.wan.device="$wandev"
 	uci -q set network.wan6.device="$wandev"
 
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
 	uci -q delete network.wan.dns
 	if [ -n "$NETMODE_dns_servers" ]; then
 		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
@@ -117,12 +126,3 @@ l3_network_config() {
 
 l3_network_config
 l3_mcast_config
-
-# If device is already boot-up, assume netmode changed during runtime
-if [ -f /var/run/boot_complete ]; then
-	/etc/init.d/odhcpd restart 2>/dev/null
-	for config in network dhcp ssdpd cwmp gateway firewall mcast; do
-		ubus call uci commit "{\"config\":\"$config\"}"
-		sleep 1
-	done
-fi

netmode/files/etc/netmodes/routed-pppoe/scripts/10-routed-pppoe

@@ -42,20 +42,28 @@ l3_network_pppoe_config() {
 	uci -q delete network.wan.gateway
 	uci -q delete network.wan.netmask
 
-	uci -q set network.wan6.disabled='1'
+	uci -q delete network.wan6
+
+	# Delete all VLAN sections; new ones will be created in next function if required
+	for vlandev_sec in $(uci show network | grep "type=.*8021q" | cut -d'.' -f1,2); do
+		uci -q delete $vlandev_sec
+	done
 
 	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
-		uci -q set network.vlan_${NETMODE_vlanid}=device
-		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
-		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
-		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
-		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+		vlandev="$wandev.$NETMODE_vlanid"
+		vlandev_sec=$(echo $vlandev | tr '.' '_')
+		uci -q set network.${vlandev_sec}=device
+		uci -q set network.${vlandev_sec}.type="8021q"
+		uci -q set network.${vlandev_sec}.name="$vlandev"
+		uci -q set network.${vlandev_sec}.ifname="$wandev"
+		uci -q set network.${vlandev_sec}.vid=$NETMODE_vlanid
 
-		wandev="$wandev.$NETMODE_vlanid"
+		wandev="$vlandev"
 	fi
 
 	uci -q set network.wan.device="$wandev"
-	uci -q set network.wan6.device="$wandev"
+
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
 
 	uci -q delete network.wan.dns
 	if [ -n "$NETMODE_dns_servers" ]; then
@@ -115,12 +123,3 @@ l3_network_pppoe_config() {
 
 l3_network_pppoe_config
 l3_mcast_config
-
-# If device is already boot-up, assume netmode changed during runtime
-if [ -f /var/run/boot_complete ]; then
-	/etc/init.d/odhcpd restart 2>/dev/null
-	for config in network dhcp ssdpd cwmp gateway firewall mcast; do
-		ubus call uci commit "{\"config\":\"$config\"}"
-		sleep 1
-	done
-fi

netmode/files/etc/netmodes/routed-static/scripts/10-routed-static

@@ -43,20 +43,28 @@ l3_network_config() {
 	uci -q delete network.wan.username
 	uci -q delete network.wan.password
 
-	uci -q set network.wan6.disabled='1'
+	uci -q delete network.wan6
+
+	# Delete all VLAN sections; new ones will be created in next function if required
+	for vlandev_sec in $(uci show network | grep "type=.*8021q" | cut -d'.' -f1,2); do
+		uci -q delete $vlandev_sec
+	done
 
 	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
-		uci -q set network.vlan_${NETMODE_vlanid}=device
-		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
-		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
-		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
-		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+		vlandev="$wandev.$NETMODE_vlanid"
+		vlandev_sec=$(echo $vlandev | tr '.' '_')
+		uci -q set network.${vlandev_sec}=device
+		uci -q set network.${vlandev_sec}.type="8021q"
+		uci -q set network.${vlandev_sec}.name="$vlandev"
+		uci -q set network.${vlandev_sec}.ifname="$wandev"
+		uci -q set network.${vlandev_sec}.vid=$NETMODE_vlanid
 
-		wandev="$wandev.$NETMODE_vlanid"
+		wandev="$vlandev"
 	fi
 
 	uci -q set network.wan.device="$wandev"
-	uci -q set network.wan6.device="$wandev"
+
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
 
 	uci -q delete network.wan.dns
 	if [ -n "$NETMODE_dns_servers" ]; then
@@ -116,12 +124,3 @@ l3_network_config() {
 
 l3_network_config
 l3_mcast_config
-
-# If device is already boot-up, assume netmode changed during runtime
-if [ -f /var/run/boot_complete ]; then
-	/etc/init.d/odhcpd restart 2>/dev/null
-	for config in network dhcp ssdpd cwmp gateway firewall mcast; do
-		ubus call uci commit "{\"config\":\"$config\"}"
-		sleep 1
-	done
-fi

netmode/files/etc/netmodes/supported_modes.json

@@ -43,6 +43,12 @@
           "required": false,
           "type": "integer"
         },
+        {
+          "name": "mtu",
+          "description": "MTU",
+          "required": false,
+          "type": "integer"
+        },
         {
           "name": "dns_servers",
           "description": "DNS Servers",

netmode/files/etc/uci-defaults/40_netmode_set_default_netmode

@@ -1,7 +1,28 @@
 #!/bin/sh
 
 enabled="$(uci -q get netmode.global.enabled)"
-[ "$enabled" == "1" ] || exit 0
+if [ "$enabled" != "1" ]; then
+	exit 0
+fi
+
+opconf_file="/opconf/opconf.json"
+[ -f $opconf_file ] || opconf_file="/usr_data/opconf/opconf.json"
+
+# Check if netmode getting provisioned from opconf, in case of opconf
+# provisioning, mode setting not required
+mode="$(jsonfilter -i $opconf_file -e @.netmode.mode 2>/dev/null)"
+if [ -n "${mode}" ]; then
+	exit 0
+fi
+
+# Check if opconf has wan provisioning enabled, if yes, get the proto/mode from opconf
+proto="$(jsonfilter -i $opconf_file -e '@.network.wan[@.name="wan"].proto' 2>/dev/null)"
+if [ -n "${proto}" ]; then
+	mode="routed-${proto}"
+	uci -q set netmode.global.mode="${mode}"
+	echo "${mode}" > /etc/netmodes/.last_mode
+	exit 0
+fi
 
 mode="$(uci -q get netmode.global.mode)"
 wanproto=$(uci -q get network.wan.proto)
@@ -13,7 +34,9 @@ if [ -n "$mode" ]; then
 	fi
 fi
 
-[ -f /etc/netmodes/supported_modes.json ] || exit 0
+if [ ! -f "/etc/netmodes/supported_modes.json" ]; then
+	exit 0
+fi
 
 # NetMode is enabled without a Mode being set
 # Figure out the current mode from network config
@@ -26,10 +49,12 @@ esac
 
 found=0
 for md in $(jsonfilter -i /etc/netmodes/supported_modes.json -e "@.supported_modes.*.name"); do
-	[ "$md" == "$curmode" ] && found=1
+	[ "$md" = "$curmode" ] && found=1
 done
 
 if [ $found -eq 1 ]; then
 	uci -q set netmode.global.mode="$curmode"
 	echo "$curmode" > /etc/netmodes/.last_mode
+else
+	exit 1
 fi

netmode/files/lib/netmode/post/datamodel_init.sh

@@ -1,21 +1,21 @@
 #!/bin/sh
 
-# This script is to cleanup dmmap and restart datamodel related services
-# when wan mode changes
-
-if [ -d "/etc/bbfdm/dmmap/" ]; then
-	rm -rf /etc/bbfdm/dmmap/*
-fi
-
-# If device is booting up, no need to restart services
 if [ ! -f /var/run/boot_complete ]; then
-	return 0
+	exit 0
 fi
 
-if [ -x "/etc/init.d/bbfdm.services" ]; then
-	/etc/init.d/bbfdm.services restart
+if [ -f /etc/bbfdm/dmmap/PPP ]; then
+	rm -f /etc/bbfdm/dmmap/PPP
 fi
 
-if [ -x "/etc/init.d/bbfdmd" ]; then
-	/etc/init.d/bbfdmd restart
+if [ -f /etc/bbfdm/dmmap/IP ]; then
+	rm -f /etc/bbfdm/dmmap/IP
 fi
+
+if [ -f /etc/bbfdm/dmmap/Ethernet ]; then
+	rm -f /etc/bbfdm/dmmap/Ethernet
+fi
+
+sleep 5
+
+reboot -f

obuspa/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=obuspa
-PKG_VERSION:=10.0.7.5
+PKG_VERSION:=10.0.7.10
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git
-PKG_SOURCE_VERSION:=f3b5b79476adadc55830de9466361c0eeced473e
+PKG_SOURCE_VERSION:=c3b7c7653edb63326e7070b6891a95ad6cf7a2ee
 PKG_MAINTAINER:=Vivek Dutta <vivek.dutta@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

obuspa/files/etc/init.d/obuspa

@@ -715,7 +715,7 @@ start_service() {
 
 	mkdir -p /tmp/obuspa/
 	config_load obuspa
-	config_get_bool enabled global enabled 0
+	config_get_bool enabled global enabled 1
 
 	procd_open_instance ${CONFIGURATION}
 	if [ "${enabled}" -eq 1 ]; then

obuspa/files/etc/uci-defaults/93-obuspa_mdns_adv

@@ -53,13 +53,7 @@ add_mdns_advertise() {
 	json_dump > /etc/umdns/obuspa_mdns.json
 }
 
-config_load obuspa
-config_get_bool enable_obuspa global enabled 1
-
-if [ "${enable_obuspa}" -eq 1 ]; then
-	role="$(get_device_role)"
-
-	if [ "${role}" == "gateway" ]; then
-		add_mdns_advertise
-	fi
+role="$(get_device_role)"
+if [ "${role}" == "gateway" ]; then
+	add_mdns_advertise
 fi

obuspa/files/etc/uci-defaults/obuspa-set-dhcp-option

@@ -19,19 +19,11 @@ get_access_role()
 
 configure_dhcp_options() {
 	local enabled inerface discovery
-	config_load obuspa
+
 	config_get_bool enabled global enabled 1
 	config_get interface global interface
 	config_get_bool discovery global dhcp_discovery 1
 
-	if [ "${enabled}" -eq 0 ]; then
-		return 0
-	fi
-
-	if [ "${discovery}" -eq 0 ]; then
-		return 0
-	fi
-
 	if [ -z "${interface}" ]; then
 		role="$(get_access_role)"
 
@@ -66,12 +58,12 @@ configure_dhcp_options() {
 
 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${interface}".reqopts="$newreqopts"
 		fi
 
 		if [ ${send124_present} -eq 0 ]; then
-			newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70"
+			[ -n "${sendopts}" ] && newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70" ||  newsendopts="124:00:00:0D:E9:04:03:75:73:70"
 			uci -q set network."${interface}".sendopts="$newsendopts"
 		fi
 	fi

obuspa/patches/1000-SecuredRole-bbfdm.patch

@@ -1,176 +0,0 @@
-Index: obuspa-10.0.5.0/src/core/device.h
-===================================================================
---- obuspa-10.0.5.0.orig/src/core/device.h
-+++ obuspa-10.0.5.0/src/core/device.h
-@@ -311,6 +311,9 @@ int DEVICE_CTRUST_InstSelToRoleInstance(
- char *DEVICE_CTRUST_InstSelToPermTarget(int role_index, void *is, int *perm_instance);
- int DEVICE_CTRUST_SetRoleParameter(int instance, char *param_name, char *new_value);
- int DEVICE_CTRUST_SetPermissionParameter(int instance1, int instance2, char *param_name, char *new_value);
-+
-+bool DEVICE_CTRUST_IsControllerSecured(void);
-+
- int DEVICE_CTRUST_DumpPermissionSelectors(int role_instance, char *path);
- int DEVICE_REQUEST_Init(void);
- int DEVICE_REQUEST_Add(char *path, char *command_key, int *instance);
-Index: obuspa-10.0.5.0/src/core/device_ctrust.c
-===================================================================
---- obuspa-10.0.5.0.orig/src/core/device_ctrust.c
-+++ obuspa-10.0.5.0/src/core/device_ctrust.c
-@@ -246,6 +246,7 @@ credential_t *FindCredentialByCertInstan
- int Get_CredentialRole(dm_req_t *req, char *buf, int len);
- int Get_CredentialCertificate(dm_req_t *req, char *buf, int len);
- int Get_CredentialNumEntries(dm_req_t *req, char *buf, int len);
-+int Validate_SecuredRoles(dm_req_t *req, char *value);
- void ApplySearchExpressionPermissions(char *path, inst_sel_t *sel);
- bool ValidateDataModelPathSegment(char *segment, bool is_last, char *path);
- 
-@@ -293,6 +294,9 @@ int DEVICE_CTRUST_Init(void)
-     // Create a timer which will be used to apply all modified permissions to the data model, after processing a USP Message
-     SYNC_TIMER_Add(ApplyModifiedPermissions, 0, END_OF_TIME);
- 
-+    // Register Device.LocalAgent.ControllerTrust.SecuredRoles parameter
-+    err |= USP_REGISTER_DBParam_ReadWrite(DEVICE_CTRUST_ROOT ".SecuredRoles", "", Validate_SecuredRoles, NULL, DM_STRING);
-+
-     // Register parameters implemented by this component
-     // Device.LocalAgent.ControllerTrust.Role.{i}
-     err |= USP_REGISTER_Object(DEVICE_ROLE_ROOT, ValidateAdd_CTrustRole, NULL, Notify_CTrustRoleAdded,
-@@ -3533,3 +3537,139 @@ exit:
-     return err;
- }
- #endif // REMOVE_DEVICE_SECURITY
-+
-+
-+/*********************************************************************//**
-+**
-+** Validate_SecuredRoles
-+**
-+** Validates Device.LocalAgent.ControllerTrust.SecuredRoles
-+** Each list item MUST be the Path Name of a row in the Device.LocalAgent.ControllerTrust.Role table
-+**
-+** \param   req - pointer to structure identifying the parameter
-+** \param   value - value that the controller would like to set the parameter to
-+**
-+** \return  USP_ERR_OK if successful
-+**
-+**************************************************************************/
-+int Validate_SecuredRoles(dm_req_t *req, char *value)
-+{
-+    char *role_path;
-+    char *saveptr;
-+    char *str;
-+    char temp[MAX_DM_PATH];
-+    int role_instance;
-+    int err;
-+
-+    // Empty string is valid
-+    if (*value == '\0')
-+    {
-+        return USP_ERR_OK;
-+    }
-+
-+    // Copy the value as strtok_r modifies the string
-+    USP_STRNCPY(temp, value, sizeof(temp));
-+
-+    // Iterate through comma-separated list
-+    str = temp;
-+    role_path = strtok_r(str, ",", &saveptr);
-+    while (role_path != NULL)
-+    {
-+        // Trim whitespace
-+        role_path = TEXT_UTILS_TrimBuffer(role_path);
-+
-+        // Verify that this path exists in the Role table using DM_ACCESS_ValidateReference
-+        err = DM_ACCESS_ValidateReference(role_path, "Device.LocalAgent.ControllerTrust.Role.{i}", &role_instance);
-+        if (err != USP_ERR_OK)
-+        {
-+            USP_ERR_SetMessage("%s: Role path '%s' does not exist in Device.LocalAgent.ControllerTrust.Role table", __FUNCTION__, role_path);
-+            return USP_ERR_INVALID_VALUE;
-+        }
-+
-+        role_path = strtok_r(NULL, ",", &saveptr);
-+    }
-+
-+    return USP_ERR_OK;
-+}
-+
-+/*********************************************************************//**
-+**
-+** DEVICE_CTRUST_IsControllerSecured
-+**
-+** Determines whether the specified controller has a secured role
-+**
-+** \param   combined_role - pointer to structure containing the role indexes for this controller
-+**
-+** \return  true if the controller has a secured role, false otherwise
-+**
-+**************************************************************************/
-+bool DEVICE_CTRUST_IsControllerSecured()
-+{
-+    char secured_roles[MAX_DM_PATH];
-+    char *role_path;
-+    char *saveptr;
-+    char *str;
-+    char temp[MAX_DM_PATH];
-+    int err;
-+    role_t *role;
-+    int role_instance;
-+    combined_role_t combined_role;
-+    controller_info_t ci;
-+
-+    // Exit if unable to get the secured roles
-+    err = DATA_MODEL_GetParameterValue("Device.LocalAgent.ControllerTrust.SecuredRoles", secured_roles, sizeof(secured_roles), 0);
-+    if (err != USP_ERR_OK)
-+    {
-+        return false;
-+    }
-+
-+    // Empty string means no secured roles
-+    if (*secured_roles == '\0')
-+    {
-+        return false;
-+    }
-+
-+    MSG_HANDLER_GetControllerInfo(&ci);
-+    if (ci.endpoint_id == NULL)
-+    {
-+        return false;
-+    }
-+    if(strlen(ci.endpoint_id) == 0)
-+    {
-+        return false;
-+    }
-+
-+    MSG_HANDLER_GetMsgRole(&combined_role);
-+    // Copy the value as strtok_r modifies the string
-+    USP_STRNCPY(temp, secured_roles, sizeof(temp));
-+
-+    // Iterate through comma-separated list
-+    str = temp;
-+    role_path = strtok_r(str, ",", &saveptr);
-+    while (role_path != NULL)
-+    {
-+        // Trim whitespace
-+        role_path = TEXT_UTILS_TrimBuffer(role_path);
-+
-+        // Extract the instance number from the role path
-+        err = DM_ACCESS_ValidateReference(role_path, "Device.LocalAgent.ControllerTrust.Role.{i}", &role_instance);
-+        if (err == USP_ERR_OK)
-+        {
-+            // Find the role in our internal array
-+            role = FindRoleByInstance(role_instance);
-+            if (role != NULL)
-+            {
-+                // Check if this role matches either the inherited or assigned role
-+                if ((role - roles == combined_role.inherited_index) ||
-+                    (role - roles == combined_role.assigned_index))
-+                {
-+                    return true;
-+                }
-+            }
-+        }
-+
-+        role_path = strtok_r(NULL, ",", &saveptr);
-+    }
-+
-+    return false;
-+}

parental-control/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=parental-control
-PKG_VERSION:=1.4.3
+PKG_VERSION:=1.4.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/parental-control.git
-PKG_SOURCE_VERSION:=f7ec652c763bf6ffd550bf7d51b2c125774b79af
+PKG_SOURCE_VERSION:=11777ff069888fc543c2501110313b654bbbfbc9
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -27,7 +27,7 @@ define Package/parental-control
   CATEGORY:=Utilities
   TITLE:=URL filter
   DEPENDS:=+libuci +libnetfilter-queue +libnfnetlink +iptables-mod-nfqueue +libpthread
-  DEPENDS+=+libubox +ubus +conntrack +libcurl +cmph
+  DEPENDS+=+libubox +ubus +conntrack +libcurl +cmph +libjson-c
   DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
 endef
 
@@ -83,18 +83,14 @@ define Package/parental-control/install
 	$(INSTALL_DATA) ./files/etc/uci-defaults/95-firewall_parentalcontrol.ucidefaults $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/etc/uci-defaults/35-migrate_urlfilter.ucidefaults $(1)/etc/uci-defaults/
 
-	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
-	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/parentalcontrol $(1)/lib/upgrade/keep.d/parentalcontrol
-
 	$(BBFDM_REGISTER_SERVICES) -v ${VENDOR_PREFIX} ./bbfdm_service.json $(1) parentalcontrol
 
 	$(INSTALL_DATA) ./files/etc/uci-defaults/40-parental_control_update_bundle_path $(1)/etc/uci-defaults/
 ifeq ($(CONFIG_PARENTAL_CONTROL_URLFILTERING),y)
-	$(INSTALL_DATA) ./files/etc/uci-defaults/50-parental_control_add_bundles $(1)/etc/uci-defaults/
-	$(CP) ./files/urlbundle_override.json $(1)/etc/parentalcontrol/
+	$(INSTALL_DATA) ./files/etc/parentalcontrol/url_bundles.json $(1)/etc/parentalcontrol/
+	$(INSTALL_DATA) ./files/etc/parentalcontrol/urlbundle_override.json $(1)/etc/parentalcontrol/
 else
 	$(BBFDM_INSTALL_MS_PLUGIN) -v ${VENDOR_PREFIX} ./files/urlbundle_override.json $(1) parentalcontrol
-	$(INSTALL_DATA) ./files/etc/uci-defaults/50-parental_control_disable_urlfilter $(1)/etc/uci-defaults/
 endif
 endef
 

parental-control/files/etc/config/parentalcontrol

@@ -1,3 +1,4 @@
 config globals 'globals'
     option enable '1'
     option loglevel '3'
+    option urlfilter '0'

parental-control/files/etc/parentalcontrol/url_bundles.json

@@ -0,0 +1,76 @@
+{
+    "urlBundles": [
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt",
+            "name": "Abuse"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt",
+            "name": "Ads"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/crypto-nl.txt",
+            "name": "Crypto"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt",
+            "name": "Drugs"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt",
+            "name": "Everything else"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/facebook-nl.txt",
+            "name": "Facebook/Instagram"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt",
+            "name": "Fraud"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt",
+            "name": "Gambling"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt",
+            "name": "Malware"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt",
+            "name": "Phishing"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/piracy-nl.txt",
+            "name": "Piracy"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt",
+            "name": "Porn"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt",
+            "name": "Ransomware"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt",
+            "name": "Redirect"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt",
+            "name": "Scam"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt",
+            "name": "TikTok"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/torrent-nl.txt",
+            "name": "Torrent"
+        },
+        {
+            "url": "https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt",
+            "name": "Tracking"
+        }
+    ]
+}

parental-control/files/etc/uci-defaults/40-parental_control_update_bundle_path

@@ -25,14 +25,6 @@ check_mounted_app_partition() {
 
 if check_mounted_app_partition; then
 	uci -q set parentalcontrol.globals.bundle_path="${APPS_DIR}/parentalcontrol"
-
-	# configure the urlfilter if not configured
-	urlfilter="$(uci -q get parentalcontrol.globals.urlfilter)"
-	if [ -z "${urlfilter}" ]; then
-		uci -q set parentalcontrol.globals.urlfilter='1'
-	fi
-else
-	uci -q set parentalcontrol.globals.urlfilter='0'
 fi
 
 exit 0

parental-control/files/etc/uci-defaults/50-parental_control_add_bundles

@@ -1,43 +0,0 @@
-#!/bin/sh
-
-[ ! -f "/etc/config/parentalcontrol" ] && exit 0
-
-COUNT=1
-
-add_urlbundle()
-{
-	local name url
-
-	url="${1}"; shift
-	name="$*"
-
-	uci -q set parentalcontrol.urlbundle_${COUNT}=urlbundle
-	uci -q set parentalcontrol.urlbundle_${COUNT}.name="${name}"
-	uci -q set parentalcontrol.urlbundle_${COUNT}.download_url="${url}"
-
-	COUNT="$((COUNT+1))"
-}
-
-urlfilter="$(uci -q get parentalcontrol.globals.urlfilter)"
-if [ "${urlfilter}" -eq "1" ]; then
-	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt" "Abuse"
-	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt" "Ads"
-	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/crypto-nl.txt" "Crypto"
-	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt" "Drugs"
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt' "Everything else"
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/facebook-nl.txt' 'Facebook/Instagram'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt' 'Fraud'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt' 'Gambling'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt' 'Malware'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt' 'Phishing'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/piracy-nl.txt' 'Piracy'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt' 'Porn'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt' 'Ransomware'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt' 'Redirect'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt' 'Scam'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt' 'TikTok'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/torrent-nl.txt' 'Torrent'
-	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt' 'Tracking'
-fi
-
-exit 0

parental-control/files/etc/uci-defaults/50-parental_control_disable_urlfilter

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-. /lib/functions.sh
-
-[ ! -f "/etc/config/parentalcontrol" ] && exit 0
-
-uci -q set parentalcontrol.globals.urlfilter='0'
-
-_delete_urlbundle() {
-	uci_remove parentalcontrol "${1}"
-}
-
-config_load "parentalcontrol"
-config_foreach _delete_urlbundle urlbundle

parental-control/files/lib/parentalcontrol/parentalcontrol.sh

@@ -311,31 +311,6 @@ handle_schedule() {
 	generate_ip_rule "$utc_start_relative_day" "$utc_end_relative_day" "$utc_start_time" "$utc_stop_time" "$target"
 }
 
-# Function that parses input for MAC addresses or hostnames
-parse_macs_or_hostnames() {
-	local input="$1"
-	local lease_file="/tmp/dhcp.leases"
-
-	[ -f "$lease_file" ] || lease_file="/etc/parentalcontrol/dhcp.leases"
-	[ -f "$lease_file" ] || { log "Error: No DHCP lease file found."; return 1; }
-
-	for item in $input; do
-		case "$item" in
-			??:??:??:??:??:??)
-				# It's a MAC address, print it as is
-				echo "$item"
-				;;
-			*)
-				# Assume it's a hostname and search for its MAC address in the leases file
-				mac=$(awk -v hostname="$item" '$4 == hostname {print $2}' "$lease_file")
-				if [ -n "$mac" ]; then
-					echo "$mac"
-				fi
-				;;
-		esac
-	done
-}
-
 handle_bedtime() {
 	local mac_addresses="$1"
 	local mac
@@ -370,38 +345,61 @@ handle_internet_break() {
 	done
 }
 
+parse_macs() {
+	local maclist="$1"
+	local m mac
+
+	for m in $maclist; do
+		# trim whitespace
+		mac="$(echo "$m" | tr -d ' \t\r\n')"
+
+		# validate format
+		if echo "$mac" | grep -qE '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$'; then
+			echo "$mac"
+		else
+			log "parse_macs(): Invalid MAC in mac list: '$mac'"
+		fi
+	done
+}
+
 handle_profile() {
 	local profile_section="$1"
-	local internet_break_enable bedtime_enable hostlist
+	local internet_break_enable bedtime_enable hostlist maclist
 
-	config_get hostlist "$profile_section" "host"
+        config_get_bool internet_break_enable "$profile_section" "internet_break_enable" 0
+        config_get_bool bedtime_enable "$profile_section" "bedtime_enable" 0
 
-	if [ -z "$hostlist" ]; then
+        if [ $internet_break_enable -eq 0 ] && [ $bedtime_enable -eq 0 ]; then
 		return
 	fi
 
-	ACCESS_RULE=""
+        config_get hostlist "$profile_section" "host"
+        config_get maclist  "$profile_section" "mac"
 
-	# convert hostnames to mac addresses if needed
-	# and replace newlines with space because it messes up the for loops in
-	# handle_internet_break and handle_bedtime functions
-	local mac_addresses="$(parse_macs_or_hostnames "${hostlist}" | tr '\n' ' ')"
+        # If both lists are empty, nothing to do
+        if [ -z "$hostlist" ] && [ -z "$maclist" ]; then
+                return
+        fi
 
-	# default value of Hosts.AccessControl.{i}.Enable is false,
-	# so, if not defined in uci as 1, assume 0
-	config_get_bool internet_break_enable "$profile_section" "internet_break_enable" 0
-	if [ $internet_break_enable -gt 0 ]; then
-		handle_internet_break "${mac_addresses}"
-		# handle_internet_break may have loaded schedules uci
-		# so, reload parentalcontrol
-		config_load "parentalcontrol"
-	fi
+        ACCESS_RULE=""
 
-	config_get_bool bedtime_enable "$profile_section" "bedtime_enable" 0
-	if [ $bedtime_enable -gt 0 ]; then
-		handle_bedtime "${mac_addresses}"
-	fi
+	# both uci options contain mac addresses
+	# one is given directly by the user
+	# other is resolved by the data model from Hosts.Host object
+        local mac_addresses="$(parse_macs "${hostlist} ${maclist}" | awk '{ if (NF && !seen[$0]++) { print $0 } }' | tr '\n' ' ')"
 
+        # default value of Hosts.AccessControl.{i}.Enable is false,
+        # so, if not defined in uci as 1, assume 0
+        if [ $internet_break_enable -gt 0 ]; then
+                handle_internet_break "${mac_addresses}"
+                # handle_internet_break may have loaded schedules uci
+                # so, reload parentalcontrol
+                config_load "parentalcontrol"
+        fi
+
+        if [ $bedtime_enable -gt 0 ]; then
+                handle_bedtime "${mac_addresses}"
+        fi
 }
 
 add_internet_schedule_rules() {
@@ -567,38 +565,44 @@ remove_internet_schedule_rules() {
 	fi
 }
 
+get_host_ip_from_mac() {
+	local mac="$1"
+	local ip=""
+
+	# Validate MAC format
+	if ! echo "$mac" | grep -qE '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
+		log "get_host_ip_from_mac(): Invalid MAC address format '$mac'"
+		return 1
+	fi
+
+	# Try to find IP from ARP table
+	ip="$(cat /proc/net/arp | awk -v mac="$mac" 'tolower($4) == tolower(mac) {print $1; exit}')"
+
+	if [ -n "$ip" ]; then
+		URLFILTER_IPS="${URLFILTER_IPS} ${ip}"
+		return 0
+	else
+		log "get_host_ip_from_mac(): No IP found for MAC $mac in ARP table"
+		return 1
+	fi
+}
+
 # Global array for resolved IPs
 URLFILTER_IPS=""
 
-# Resolve hostname or MAC to IP from lease_file
-get_host_ip() {
-	local host="$1"
-	local ip
-	local lease_file="/tmp/dhcp.leases"
-
-	[ -f "$lease_file" ] || lease_file="/etc/parentalcontrol/dhcp.leases"
-	[ -f "$lease_file" ] || { log "Error: get_host_ip(): No DHCP lease file found."; return 1; }
-
-	# try DHCP lease lookup
-	ip="$(awk -v h="$host" '
-	{
-		mac=$2; ipaddr=$3; name=$4
-		if (h == name || h == mac) { print ipaddr; exit }
-	}' "$lease_file")"
-
-	[ -n "$ip" ] && URLFILTER_IPS="$URLFILTER_IPS $ip"
-}
-
-# Process each profile section
 resolve_profile_hosts() {
 	local section="$1"
-	local hostlist
+	local hostlist maclist h m
 
 	config_get hostlist "$section" host
-	[ -z "$hostlist" ] && return
+	config_get maclist  "$section" mac
 
 	for h in $hostlist; do
-		get_host_ip "$h"
+		get_host_ip_from_mac "$h"
+	done
+
+	for m in $maclist; do
+		get_host_ip_from_mac "$m"
 	done
 }
 

parental-control/files/lib/parentalcontrol/sync_bundles.sh

@@ -1,10 +1,12 @@
 #!/bin/sh
 
 . /lib/functions.sh
+. /usr/share/libubox/jshn.sh
 
 LOCKFILE="/tmp/sync_bundles.lock"
 log_level="$(uci -q get parentalcontrol.globals.loglevel)"
 log_level="${log_level:-1}"
+URLBUNDLE_JSON="/etc/parentalcontrol/url_bundles.json"
 DEBUG=0
 
 log_err() {
@@ -85,6 +87,7 @@ update_bundle_file_from_url() {
 		local success=0
 		while [ $attempt -le 3 ]; do
 			if curl -s -o "$temp_file" "$download_url"; then
+				log_info "Download successful for $download_url"
 				success=1
 				break
 			else
@@ -218,24 +221,33 @@ cleanup_bundle_files() {
 	# Collect all download_url entries using config_foreach
 	local urls=""
 	get_download_url() {
-		local section="$1"
-		config_get url "$section" download_url
-		config_get_bool enable "$1" enable 1
+		local enable url
+
+		json_select "${2}"
+
+		json_get_var url url
+		json_get_var enable enable
+		enable="${enable:-1}"
 
 		if [ "${enable}" -eq 0 ]; then
-			# bundle is disabled
+			log_info "get_download_url: Skipping bundle ${name} not enabled"
+			json_select ..
 			return 0
 		fi
+
 		url="${url#file://}"
 		url="${url#https://}"
 		url="${url#http://}"
 
 		url="${url##*/}" # Get everything after the last '/'
 		urls="$urls $url"
+		json_select ..
 	}
 
-	config_load parentalcontrol
-	config_foreach get_download_url urlbundle
+	json_init
+	json_load_file "${URLBUNDLE_JSON}"
+
+	json_for_each_item get_download_url "urlBundles"
 
 	# Loop through all files in the directory
 	for file in "$dir"/*; do
@@ -294,30 +306,29 @@ handle_filter_for_bundles() {
 	fi
 
 	check_bundle_exists() {
-		local enable download_url name cfg
+		local enable url name
 
-		cfg="$1"
-		config_get name "$cfg" name
-		config_get_bool enable "$cfg" enable 1
-		config_get download_url "$cfg" download_url
+		json_select "${2}"
+
+		json_get_var name name
+		json_get_var url url
+		json_get_var enable enable
+		enable="${enable:-1}"
 
 		if [ "${enable}" -eq 0 ]; then
-			log_info "Skipping bundle ${name} not enabled"
+			log_info "check_bundle_exists: Skipping bundle ${name} not enabled"
+			json_select ..
 			return 0
 		fi
 
-		handle_download_url "$download_url" "$name"
-		local exit_status=$?
-		if [ "$exit_status" -eq 1 ]; then
-			uci -q set "parentalcontrol.${cfg}.status"="Error"
-		else
-			uci -q set "parentalcontrol.${cfg}.status"=""
-		fi
-
-		uci commit parentalcontrol
+		handle_download_url "${url}" "${name}"
+		json_select ..
 	}
 
-	config_foreach check_bundle_exists urlbundle
+	json_init
+	json_load_file "${URLBUNDLE_JSON}"
+
+	json_for_each_item check_bundle_exists "urlBundles"
 }
 
 # Open file descriptor 200 for locking

parental-control/files/lib/upgrade/keep.d/parentalcontrol

@@ -1 +0,0 @@
-/etc/parentalcontrol/dhcp.leases

qosmngr/files/airoha/lib/qos/airoha.sh

@@ -411,33 +411,35 @@ hw_commit_all() {
         /userfs/bin/qosrule discpline Enable 0
     fi
 
-    if [ -x /userfs/bin/blapi_cmd ]; then
-        echo 1 > /proc/ifc_send_to_ppe
-        for tc in $(seq 0 7); do
-            if [ -s "/tmp/qos/dscp_values_${tc}_4" ]; then
-                sort -un "/tmp/qos/dscp_values_${tc}_4" | awk 'NR==1{first=$1;last=$1;next}
-                                                               $1 == last+1 {last=$1;next}
-                                                               {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
-                                                               END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
-            fi
-            if [ -s "/tmp/qos/dscp_values_${tc}_6" ]; then
-                [ -s "/tmp/qos/dscp_values_${tc}_4" ] && sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
-                                                                                                        $1 == last+1 {last=$1;next}
-                                                                                                        {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0");first=$1;last=first}
-                                                                                                        END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0")}'
-                sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
-                                                               $1 == last+1 {last=$1;next}
-                                                               {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
-                                                               END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
-            fi
-        done
-    fi
+    if ! strings /proc/device-tree/compatible | grep -qFx econet,en7523; then
+        if [ -x /userfs/bin/blapi_cmd ]; then
+            echo 1 > /proc/ifc_send_to_ppe
+            for tc in $(seq 0 7); do
+                if [ -s "/tmp/qos/dscp_values_${tc}_4" ]; then
+                    sort -un "/tmp/qos/dscp_values_${tc}_4" | awk 'NR==1{first=$1;last=$1;next}
+                                                                   $1 == last+1 {last=$1;next}
+                                                                   {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
+                                                                   END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
+                fi
+                if [ -s "/tmp/qos/dscp_values_${tc}_6" ]; then
+                    [ -s "/tmp/qos/dscp_values_${tc}_4" ] && sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
+                                                                                                            $1 == last+1 {last=$1;next}
+                                                                                                            {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0");first=$1;last=first}
+                                                                                                            END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0")}'
+                    sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
+                                                                   $1 == last+1 {last=$1;next}
+                                                                   {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
+                                                                   END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
+                fi
+            done
+        fi
 
-    if [ -x /userfs/bin/ifc ]; then
-        echo 1 > /proc/ifc_send_to_ppe
-        for pbit in $(seq 0 7); do
-            /userfs/bin/ifc add vip pbit $pbit
-        done
+        if [ -x /userfs/bin/ifc ]; then
+            echo 1 > /proc/ifc_send_to_ppe
+            for pbit in $(seq 0 7); do
+                /userfs/bin/ifc add vip pbit $pbit
+            done
+        fi
     fi
 
     hw_nat -! > /dev/null 2>&1

self-diagnostics/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=self-diagnostics
-PKG_VERSION:=1.0.16
+PKG_VERSION:=1.0.17
 PKG_RELEASE:=1
 
 PKG_LICENSE:=GPL-2.0-only

self-diagnostics/files/usr/libexec/rpcd/self-diagnostics

@@ -1,39 +0,0 @@
-#!/bin/sh
-
-BIN="/usr/sbin/self-diagnostics"
-. /usr/share/libubox/jshn.sh
-
-case "$1" in
-	list)
-		echo '{"list": {}, "generate" : {"modules":"String"}}'
-	;;
-	call)
-		case "$2" in
-			generate)
-				read -t 1 -r input
-				local out
-
-				json_load "${input}"
-				json_get_var modules modules
-				if [ -z "${modules}" ]; then
-					out="$(${BIN} -j)"
-				else
-					out="$(${BIN} -j -m "${modules}")"
-				fi
-				if [ -z "${out}" ]; then
-					echo '{}'
-				else
-					echo "${out}"
-				fi
-			;;
-			list)
-				out="$(${BIN} -j -l)"
-				if [ -z "${out}" ]; then
-					echo '{}'
-				else
-					echo "${out}"
-				fi
-			;;
-		esac
-	;;
-esac

self-diagnostics/files/usr/sbin/self-diagnostics

@@ -1,11 +1,12 @@
 #!/bin/sh
 
+# shellcheck disable=SC1091
 . /usr/share/libubox/jshn.sh
 
 JSON_OUT=0
 SPEC_DIR="/usr/share/self-diagnostics/spec"
 SPEC_EXT_DIR="/etc/self-diagnostics/spec"
-REPORT_PATH="/var/log/"
+REPORT_PATH="/var/log"
 REPORT_TEMP_DIR="$(mktemp -p ${REPORT_PATH} -d)"
 REPORT_NAME="self-test-diagnostics"
 VERBOSE=0
@@ -17,18 +18,19 @@ log()
 {
 	log_file="${REPORT_TEMP_DIR}/execution.log"
 	if [ "$VERBOSE" -eq 1 ]; then
-		logger -p debug -t $0 "$*"
+		logger -p debug -t "$0" "$*"
 	fi
-	echo "[$(date +%Y:%m:%d-%H:%M:%S)] $*" >> ${log_file}
+	echo "[$(date +%Y:%m:%d-%H:%M:%S)] $*" >> "${log_file}"
 }
 
 err_log()
 {
 	log_file="${REPORT_TEMP_DIR}/execution.log"
-	logger -p err -t $0 "$*"
-	echo "[$(date +%Y:%m:%d-%H:%M:%S) ERR] $*" >> ${log_file}
+	logger -p err -t "$0" "$*"
+	echo "[$(date +%Y:%m:%d-%H:%M:%S) ERR] $*" >> "${log_file}"
 }
 
+# shellcheck disable=SC3043
 generate_report()
 {
 	local filename
@@ -39,19 +41,19 @@ generate_report()
 	[ -f "${filename}.tar.gz" ] && rm "${filename}.tar.gz"
 
 	log "# Report generation completed #"
-	cd ${REPORT_TEMP_DIR} && {
+	cd "${REPORT_TEMP_DIR}" && {
 		filename="${filename}.tar"
-		tar -cf "${filename}" *
+		tar -cf "${filename}" ./*.log
 	}
 
 	if [ -n "$COMPOPTS" ]; then
-		gzip -${COMPOPTS} -f "${filename}"
+		gzip -"${COMPOPTS}" -f "${filename}"
 		filename="${filename}.gz"
 	fi
 
 	# Move logs if failed to generate tar
 	if [ ! -f "${filename}" ]; then
-		mv ${REPORT_TEMP_DIR}/*.log ${REPORT_PATH}/
+		mv "${REPORT_TEMP_DIR}"/*.log "${REPORT_PATH}"/
 	fi
 
 	if [ "${JSON_OUT}" -eq 1 ]; then
@@ -78,7 +80,7 @@ cleanup()
 {
 	if [ -d "${REPORT_TEMP_DIR}" ]; then
 		generate_report
-		rm -rf ${REPORT_TEMP_DIR}
+		rm -rf "${REPORT_TEMP_DIR}"
 	fi
 }
 
@@ -87,7 +89,7 @@ term_cleanup()
 	if [ -d "${REPORT_TEMP_DIR}" ]; then
 		err_log "Exiting due to TERM/INT signal"
 		generate_report
-		rm -rf ${REPORT_TEMP_DIR}
+		rm -rf "${REPORT_TEMP_DIR}"
 	fi
 }
 
@@ -111,8 +113,8 @@ help()
 # Alias ubus to have a smaller 5-second timeout on all subsequent calls
 ubus()
 {
-	if [ "${1}" == "call" ]; then
-		if command ubus list $2 >/dev/null 2>&1; then
+	if [ "${1}" = "call" ]; then
+		if command ubus list >/dev/null 2>&1; then
 			command ubus "$@";
 		fi
 	else
@@ -121,6 +123,7 @@ ubus()
 
 }
 
+# shellcheck disable=SC3043,SC3060,SC2034
 config_load()
 {
 	local temp
@@ -157,7 +160,7 @@ config_load()
 
 	temp="$(uci -q get self-diagnostics.globals.report_name)"
 	[ -n "${temp}" ] && \
-		REPORT_NAME="$(eval echo ${temp})"
+		REPORT_NAME="$(eval echo "${temp}")"
 
 	REPORT_NAME="${REPORT_NAME//[ \/]/_}"
 
@@ -170,9 +173,42 @@ config_load()
 		VERBOSE="${temp}"
 }
 
+# shellcheck disable=SC2129,SC3043
+run_cmd()
+{
+	local exec_timeout name cmd description
+	local export_path rc start_time end_time
+
+	exec_timeout="${1}"; shift
+	name="${1}"; shift
+	cmd="${1}"; shift
+	description="${*}"
+
+	start_time="$(date +%s)"
+	export_path="${REPORT_TEMP_DIR}/${name}.log"
+	log "Executing $cmd with timeout $exec_timeout"
+	echo "##########################################" >> "$export_path"
+	echo "# $description #">> "$export_path"
+	echo "# Exec [$cmd], timeout [$exec_timeout], start_time [$(date +%Y:%m:%d-%H:%M:%S)] #" >> "$export_path"
+	echo "##########################################" >> "$export_path"
+	eval timeout "${exec_timeout}" "$cmd" >> "$export_path" 2>&1
+	rc=$?
+	end_time="$(date +%s)"
+	echo "######## Execution done in [$((end_time - start_time)) ], return code $rc ######" >> "$export_path"
+
+	if [ "$rc" -eq 0 ]; then
+		log "Execution [$cmd] completed"
+	else
+		err_log "Execution [$cmd] Failed/Timeout with $rc exit code"
+	fi
+
+	echo >> "$export_path"
+}
+
+# shellcheck disable=SC2154,SC3060,SC3043
 exec_spec()
 {
-	local json_file exec_skip name timeout exec_timeout rc start_time end_time
+	local json_file exec_skip name timeout exec_timeout start_time end_time
 
 	start_time="$(date +%s)"
 	json_file="$1"
@@ -189,20 +225,18 @@ exec_spec()
 		return 1
 	}
 
-	name="$(basename ${json_file})"
-	export_path="${REPORT_TEMP_DIR}/${name//.json/.log}"
-
+	name="$(basename "${json_file}")"
 	exec_skip=0
 	if json_is_a dependency array; then
 		json_select "dependency"
 		json_get_keys ekeys
 
 		for key in $ekeys; do
-			if json_is_a $key object; then
-				json_select $key
+			if json_is_a "$key" object; then
+				json_select "$key"
 				json_get_var type type
 
-				if [ "$type" == "file" ]; then
+				if [ "$type" = "file" ]; then
 					json_get_var file file
 					if [ ! -e "$file" ]; then
 						err_log "${json_file} has unmet file dependency $file"
@@ -230,8 +264,8 @@ exec_spec()
 		json_get_keys keys
 
 		for key in $keys; do
-			if json_is_a $key object; then
-				json_select $key
+			if json_is_a "$key" object; then
+				json_select "${key}"
 				local cmd_skip file
 
 				cmd_skip=0
@@ -240,13 +274,13 @@ exec_spec()
 					json_select "dependency"
 					json_get_keys d_keys
 
-					for d_key in $d_keys; do
-						if json_is_a $d_key object; then
-							json_select $d_key
+					for d_key in ${d_keys}; do
+						if json_is_a "${d_key}" object; then
+							json_select "${d_key}"
 							json_get_var type type
-							if [ "$type" == "file" ]; then
+							if [ "$type" = "file" ]; then
 								json_get_var file file
-								if [ ! -e $file ]; then
+								if [ ! -e "${file}" ]; then
 									json_select ..
 									cmd_skip=1
 									continue
@@ -273,22 +307,7 @@ exec_spec()
 				else
 					exec_timeout=$TIMEOUT
 				fi
-				log "Executing $cmd with timeout $exec_timeout"
-				echo "##########################################" >> $export_path
-				echo "# $description #">> $export_path
-				echo "# Exec [$cmd], timeout [$exec_timeout] #" >> $export_path
-				echo "##########################################" >> $export_path
-				eval timeout ${exec_timeout} $cmd >> $export_path 2>&1
-				rc=$?
-				echo "######## Execution done return code $rc ######" >> $export_path
-
-				if [ "$rc" -eq 0 ]; then
-					log "Execution [$cmd] completed"
-				else
-					err_log "Execution [$cmd] Failed/Timeout with $rc exit code"
-				fi
-
-				echo >> $export_path
+				run_cmd "${exec_timeout}" "${name//.json/}" "${cmd}" "${description}"
 				json_select ..
 			fi
 		done
@@ -300,20 +319,21 @@ exec_spec()
 	log ""
 }
 
+# shellcheck disable=SC3043,SC3060
 generate_module()
 {
-	local modules="${@}"
+	local modules="${*}"
 	local file module
 
 	config_load
 
-	log "Modules [$@]"
+	log "Modules [$*]"
 	for module in $modules; do
 		module="${module/.json/}"
-		file="$(find $SPEC_DIR -type f -name ${module}.json)"
+		file="$(find "${SPEC_DIR}" -type f -name "${module}.json")"
 		[ -z "$file" ] && {
 			[ -d "${SPEC_EXT_DIR}" ] && \
-				file="$(find $SPEC_EXT_DIR -type f -name ${module}.json)"
+				file="$(find "${SPEC_EXT_DIR}" -type f -name "${module}.json")"
 		}
 
 		[ -f "$file" ] && \
@@ -321,15 +341,16 @@ generate_module()
 	done
 }
 
+# shellcheck disable=SC3043
 generate_all()
 {
 	local files
 
 	config_load
 
-	files="$(find ${SPEC_DIR} -type f -name *.json)"
+	files="$(find "${SPEC_DIR}" -type f -name "*.json")"
 	[ -d "${SPEC_EXT_DIR}" ] && \
-		files="${files} $(find $SPEC_EXT_DIR -type f -name *.json)"
+		files="${files} $(find "${SPEC_EXT_DIR}" -type f -name "*.json")"
 
 	[ -z "$files" ] && {
 		return 0
@@ -341,6 +362,7 @@ generate_all()
 
 }
 
+# shellcheck disable=SC3060,SC3043
 list_modules()
 {
 	local files
@@ -354,7 +376,7 @@ list_modules()
 	fi
 
 	cd ${SPEC_DIR} && {
-		for file in $(ls); do
+		for file in *.json; do
 			if [ "${JSON_OUT}" -eq 1 ]; then
 				json_add_string "" "${file/.json/}"
 			else
@@ -372,7 +394,7 @@ list_modules()
 	fi
 
 	cd ${SPEC_EXT_DIR} && {
-		for file in $(ls); do
+		for file in *.json; do
 			if [ "${JSON_OUT}" -eq 1 ]; then
 				json_add_string "" "${file/.json/}"
 			else
@@ -411,6 +433,10 @@ while getopts "m:hlj" opts; do
 		m)
 			modules="$modules ${OPTARG}"
 			;;
+		*)
+			help
+			exit
+			;;
 	esac
 done
 
@@ -422,5 +448,5 @@ fi
 if [ -z "${modules}" ]; then
 	generate_all
 else
-	generate_module ${modules}
+	generate_module "${modules}"
 fi

self-diagnostics/src/selftest.c

@@ -54,18 +54,35 @@ int get_operate_args_SelfTest(char *refparam, struct dmctx *ctx, void *data, cha
 int operate_Device_SelfTest(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
 {
 	char cmd[512] = {0};
-	char output[512] = {0};
+	char buffer[512] = {0};
+	json_object *jobj = NULL;
+	const char *filename;
 
-	snprintf(cmd, sizeof(cmd), "sh %s", DIAG_BIN);
+	snprintf(cmd, sizeof(cmd), "sh %s -j 2>/dev/null", DIAG_BIN);
 
-	if (run_cmd(cmd, output, sizeof(output)) != 0)
+	if (run_cmd(cmd, buffer, sizeof(buffer)) != 0) {
+		BBFDM_ERR("Failed to run cmd[%s]", cmd);
 		goto err;
+	}
 
-	// truncate the new line char from end
-	remove_new_line(output);
-
-	if (!file_exists(output))
+	if (DM_STRLEN(buffer) == 0) {
+		BBFDM_ERR("No output from cmd[%s]", cmd);
 		goto err;
+	}
+
+	jobj = json_tokener_parse(buffer);
+	if (jobj == NULL) {
+		BBFDM_ERR("Fail to parse output[%s] in json", buffer);
+		goto err;
+	}
+
+	filename = dmjson_get_value(jobj, 1, "result");
+	snprintf(buffer, sizeof(buffer), "%s", filename);
+	json_object_put(jobj);
+	if (!file_exists(filename)) {
+		BBFDM_ERR("File [%s] does not exists or not accessible", filename);
+		goto err;
+	}
 
 	/* Add in dmmap_logmngr */
 	struct uci_section *s = get_origin_section_from_dmmap("dmmap_logmngr", "self_test", "self_test_log");
@@ -74,7 +91,7 @@ int operate_Device_SelfTest(char *refparam, struct dmctx *ctx, void *data, char
 		dmuci_rename_section_by_section(s, "self_test_log");
 	}
 
-	dmuci_set_value_by_section(s, "log_file", output);
+	dmuci_set_value_by_section(s, "log_file", filename);
 	dmuci_commit_package_bbfdm("dmmap_logmngr");
 
 	/* Get self test log instance */

sshmngr/Config.in

@@ -28,4 +28,15 @@ config SSHMNGR_SFTP
 	default y
 	help
 	   Enable this option to support the SFTP protocol.
+
+config SSHMNGR_SECURITY_MFA
+	bool "MFA using PAM and Google authenticator"
+	depends on SSHMNGR_BACKEND_OPENSSH_PAM
+	default n
+	help
+	   Enable this option to use MFA with PAM based Google authenticator.
+
+config SSHMNGR_VENDOR_PREFIX
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
 endif

sshmngr/Makefile

@@ -34,6 +34,7 @@ define Package/sshmngr
   DEPENDS+=+SSHMNGR_BACKEND_OPENSSH_PAM:openssh-server-pam +SSHMNGR_BACKEND_OPENSSH_PAM:openssh-client-utils
   DEPENDS+=+SSHMNGR_BACKEND_DROPBEAR:dropbear
   DEPENDS+=+SSHMNGR_SFTP:openssh-sftp-server
+  DEPENDS+=+SSHMNGR_SECURITY_MFA:google-authenticator-libpam
 endef
 
 define Package/sshmngr/description
@@ -44,6 +45,13 @@ define Package/$(PKG_NAME)/config
         source "$(SOURCE)/Config.in"
 endef
 
+ifeq ($(CONFIG_SSHMNGR_VENDOR_PREFIX),"")
+VENDOR_PREFIX = $(CONFIG_BBF_VENDOR_PREFIX)
+else
+VENDOR_PREFIX = $(CONFIG_SSHMNGR_VENDOR_PREFIX)
+endif
+
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
 	$(CP) -rf ./sshmngr/* $(PKG_BUILD_DIR)/
@@ -67,6 +75,16 @@ endif
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libsshmngr.so $(1) $(PKG_NAME)
 
+ifeq ($(CONFIG_SSHMNGR_BACKEND_OPENSSH_PAM),y)
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/openssh_backend/lib/sshmngr/pam_config.sh $(1)/lib/sshmngr/
+	$(INSTALL_BIN) ./files/openssh_backend/etc/uci-defaults/91-set-sshd-pam $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_SSHMNGR_SECURITY_MFA),y)
+	$(INSTALL_BIN) ./files/openssh_backend/etc/uci-defaults/92-set-ssh-mfa $(1)/etc/uci-defaults/
+	$(BBFDM_INSTALL_MS_PLUGIN) -v ${VENDOR_PREFIX} ./files/openssh_backend/ssh_mfa_override.json $(1) $(PKG_NAME)
+endif
+endif
+
 ifeq ($(CONFIG_PACKAGE_fail2ban),y)
 	$(INSTALL_DIR) $(1)/etc/fail2ban/jail.d
 	$(INSTALL_DIR) $(1)/etc/fail2ban/filter.d/

sshmngr/files/common/usr/libexec/rpcd/sshmngr

@@ -3,6 +3,8 @@
 . /usr/share/libubox/jshn.sh
 . /lib/sshmngr/backend.sh
 
+MFA_SECRET_FILE="/etc/security/mfa_secret"
+
 add_server_name()
 {
 	local server_sec="${1}"
@@ -44,7 +46,7 @@ get_pid()
 
 case "$1" in
 	list)
-		echo '{ "dump" : {"server_name":"string"}, "kill_session" : {"session_pid":"string","server_name":"string"}, "list_keys" : {}, "add_pubkey" : {"current_key":"string","new_key":"string"}, "remove_pubkey" : {"key":"string"} }'
+		echo '{ "dump" : {"server_name":"string"}, "kill_session" : {"session_pid":"string","server_name":"string"}, "list_keys" : {}, "add_pubkey" : {"current_key":"string","new_key":"string"}, "remove_pubkey" : {"key":"string"}, "get_mfa_key" : {}, "get_mfa_recovery" : {} }'
 	;;
 	call)
 		case "$2" in
@@ -221,6 +223,31 @@ case "$1" in
 				fi
 				echo '{}'
 			;;
+
+			get_mfa_key)
+				mfa_key=""
+				if [ -f "${MFA_SECRET_FILE}" ]; then
+					mfa_key="$(head -n 1 "$MFA_SECRET_FILE" 2>/dev/null)"
+				fi
+
+				json_init
+				json_add_string "mfa_key" "${mfa_key}"
+				json_dump
+			;;
+
+			get_mfa_recovery)
+				mfa_recovery_codes=""
+
+				if [ -f "${MFA_SECRET_FILE}" ]; then
+					mfa_recovery_codes="$(tail -n 3 "$MFA_SECRET_FILE" 2>/dev/null | tr '\n' ',')"
+					# remove trailing comma
+					mfa_recovery_codes="${mfa_recovery_codes%,}"
+				fi
+
+				json_init
+				json_add_string "recovery_codes" "${mfa_recovery_codes}"
+				json_dump
+			;;
 		esac
 	;;
 esac

sshmngr/files/openssh_backend/etc/uci-defaults/91-set-sshd-pam

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# create or over-write our desired file
+# /etc/pam.d/sshd
+cat << 'EOF' > /etc/pam.d/sshd
+auth       required     pam_env.so
+auth       include      sshd-auth
+account    required     pam_nologin.so
+account    include      sshd-account
+session    include      common-session
+session    required     pam_limits.so
+password   include      sshd-password
+EOF
+
+# /etc/pam.d/sshd-auth
+cat << 'EOF' > /etc/pam.d/sshd-auth
+auth    [success=1 default=ignore]    pam_unix.so nullok_secure
+auth    requisite                     pam_deny.so
+auth    required                      pam_permit.so
+EOF
+
+# /etc/pam.d/sshd-password
+cat << 'EOF' > /etc/pam.d/sshd-password
+password    [success=1 default=ignore]    pam_unix.so sha512
+password    requisite                     pam_deny.so
+password    required                      pam_permit.so
+EOF
+
+# /etc/pam.d/sshd-account
+cat << 'EOF' > /etc/pam.d/sshd-account
+account    [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so
+account    requisite                                            pam_deny.so
+account    required                                             pam_permit.so
+EOF
+
+exit 0

sshmngr/files/openssh_backend/etc/uci-defaults/92-set-ssh-mfa

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ -f /etc/config/sshd ]; then
+	# make sure not to change already existing setting
+	if ! uci -q get sshd.@sshd[0].UseMFA 2>&1 > /dev/null; then
+		uci -q set sshd.@sshd[0].UseMFA=1
+	fi
+fi
+
+exit 0

sshmngr/files/openssh_backend/lib/sshmngr/pam_config.sh

@@ -0,0 +1,228 @@
+#!/bin/sh
+
+# List of required .so files
+REQUIRED_MODULES="
+/usr/lib/security/pam_faildelay.so
+/usr/lib/security/pam_faillock.so
+/usr/lib/security/pam_unix.so
+/usr/lib/security/pam_deny.so
+/usr/lib/security/pam_permit.so
+/usr/lib/security/pam_passwdqc.so
+"
+
+MFA_APP="google-authenticator"
+MFA_LIB="/usr/lib/security/pam_google_authenticator.so"
+MFA_DIR="/etc/security"
+MFA_SECRET_FILE="${MFA_DIR}/mfa_secret"
+MFA_QR_FILE="${MFA_DIR}/mfa_qr"
+
+log() {
+	echo "$*" | logger -t sshd.init -p info
+}
+
+log_err() {
+	echo "$*" | logger -t sshd.init -p err
+}
+
+check_required_modules() {
+	for mod in $REQUIRED_MODULES; do
+		if [ ! -f "$mod" ]; then
+			log_err "ERROR: Cannot setup security policy, missing PAM module: $mod"
+			return 1
+		fi
+	done
+
+	return 0
+}
+
+write_line() {
+	local filepath="$1"
+	local line="$2"
+
+	echo "$line" >> "$filepath"
+}
+
+compare_and_replace() {
+	local src dst
+	src="$1"
+	dst="$2"
+
+	if [ ! -f "$dst" ] || ! cmp -s "$src" "$dst"; then
+		cp "$src" "$dst"
+		log "Updated $dst"
+	fi
+}
+
+setup_mfa() {
+	mkdir -p "$MFA_DIR"
+
+	if [ -f "${MFA_SECRET_FILE}" ] && [ -f "${MFA_QR_FILE}" ]; then
+		log "Not updating MFA files, they already exist"
+		return
+	fi
+
+	touch "$MFA_SECRET_FILE"
+	touch "$MFA_QR_FILE"
+	chmod 600 "$MFA_SECRET_FILE"
+	chmod 600 "$MFA_QR_FILE"
+
+	local cmd="$MFA_APP -f -s $MFA_SECRET_FILE -C -t -d -r 3 -R 30 -w 3 -Q UTF8 -e 3"
+
+	log "Running MFA app: $cmd"
+	# if the google-authenticator senses that the output is not going to a terminal
+	# then it does not print out the QR, so simple redirection does not work
+	# we have to run the command inside a pseudo-terminal using script command
+	# and then redirect that output to a file
+	cmd="script -q -c \"$cmd\" $MFA_QR_FILE > /dev/null"
+	eval "$cmd"
+}
+
+update_auth() {
+	# Write /etc/pam.d/sshd-auth
+	local tmp_file pam_file
+	tmp_file="/tmp/sshd-auth"
+	pam_file="/etc/pam.d/sshd-auth"
+
+	local auth_enabled="${1}"
+	local enabled="${2}"
+	local mfa_enabled="${3}"
+
+	local faildelay="$(uci -q get users.authentication_policy.fail_delay || echo 3)"
+	local faillock_lockout_time="$(uci -q get users.authentication_policy.faillock_lockout_time || echo 300)"
+	local faillock_attempts="$(uci -q get users.authentication_policy.faillock_attempts || echo 6)"
+
+	# Convert seconds to microseconds for pam_faildelay
+	local faildelay_usec=$((faildelay * 1000000))
+
+	rm -f "$tmp_file"
+	touch "$tmp_file"
+
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+		write_line "$tmp_file" "auth	optional	pam_faildelay.so delay=$faildelay_usec"
+		write_line "$tmp_file" "auth	required	pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
+	fi
+
+	write_line "$tmp_file" "auth	[success=1 default=bad]	pam_unix.so nullok_secure"
+	write_line "$tmp_file" "auth	[default=die]	pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
+
+	if [ "$mfa_enabled" -eq 1 ]; then
+		write_line "$tmp_file" "auth	[success=1 default=bad]	pam_google_authenticator.so secret=$MFA_SECRET_FILE"
+		write_line "$tmp_file" "auth	[default=die]	pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
+	fi
+
+	write_line "$tmp_file" "auth	sufficient	pam_faillock.so authsucc audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
+
+	write_line "$tmp_file" "auth	requisite	pam_deny.so"
+
+	compare_and_replace "$tmp_file" "$pam_file"
+}
+
+build_pam_passwdqc_line() {
+	local base="password requisite pam_passwdqc.so"
+	local k v line
+
+	for line in $(uci show users.passwdqc 2>/dev/null); do
+		case "$line" in
+			users.passwdqc=*) continue ;;
+			users.passwdqc.enabled=*) continue ;;
+		esac
+
+		k="${line%%=*}"
+		k="${k#users.passwdqc.}"
+		v="${line#*=}"
+		v="${v%\'}"
+		v="${v#\'}"
+		base="$base $k=$v"
+	done
+
+	base="$base match=0"
+
+	echo "$base"
+}
+
+# NOTE:
+# for some reason setting min 8 makes passwdqc accept minimum 12 letter password with this configuration
+# if we set it to 12 then we need atleast 16 characters and so on
+# passphrase = 0 means no space separated words
+# passphrase = N means the number of words required for a passphrase or 0 to disable the support for user-chosen passphrases.
+# rest can be figured out from passwdqc man page
+update_password() {
+	local tmp_file pam_file enabled line
+	tmp_file="/tmp/sshd-password"
+	pam_file="/etc/pam.d/sshd-password"
+
+	local auth_enabled="${1}"
+
+	rm -f "$tmp_file"
+	touch "$tmp_file"
+
+	# Check if section exists
+	if uci -q get users.passwdqc >/dev/null 2>&1; then
+		# if enabled is not present it is assumed to be 0
+		enabled=$(uci -q get users.passwdqc.enabled || echo "0")
+		if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+			line="$(build_pam_passwdqc_line)"
+			write_line "$tmp_file" "$line"
+		fi
+	fi
+
+	write_line "$tmp_file" "password	[success=1 default=ignore]	pam_unix.so sha512"
+	write_line "$tmp_file" ""
+	write_line "$tmp_file" "password	requisite			pam_deny.so"
+	write_line "$tmp_file" "password	required			pam_permit.so"
+
+	compare_and_replace "$tmp_file" "$pam_file"
+}
+
+update_account() {
+	# Write /etc/pam.d/sshd-account
+	local tmp_file pam_file
+	tmp_file="/tmp/sshd-account"
+	pam_file="/etc/pam.d/sshd-account"
+
+	local auth_enabled="${1}"
+	local enabled="${2}"
+
+	rm -f "$tmp_file"
+	touch "$tmp_file"
+
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+		write_line "$tmp_file" "account 	required       		pam_faillock.so"
+	fi
+
+	write_line "$tmp_file" "account		[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so"
+	write_line "$tmp_file" ""
+	write_line "$tmp_file" "account		requisite		pam_deny.so"
+	write_line "$tmp_file" "account		required		pam_permit.so"
+
+	compare_and_replace "$tmp_file" "$pam_file"
+}
+
+handle_security_policy() {
+	local auth_enabled enabled
+	local use_mfa mfa_enabled
+
+	# Read UCI values
+	auth_enabled="$(uci -q get users.users.auth_policy_enable || echo 0)"
+	enabled="$(uci -q get users.authentication_policy.enabled || echo 0)"
+	use_mfa="$(uci -q get sshd.@sshd[0].UseMFA || echo 0)"
+
+	# if any .so files are missing, then we cannot setup security
+	if ! check_required_modules; then
+		return
+	fi
+
+	# Detect and enable MFA only if requested and module exists
+	if which "$MFA_APP" > /dev/null 2>&1 && [ "$use_mfa" = "1" ] && [ -f "$MFA_LIB" ]; then
+		mfa_enabled=1
+		setup_mfa
+	else
+		rm -rf "${MFA_QR_FILE}"
+		rm -rf "${MFA_SECRET_FILE}"
+		mfa_enabled=0
+	fi
+
+	update_auth "${auth_enabled}" "${enabled}" "${mfa_enabled}"
+	update_account "${auth_enabled}" "${enabled}"
+	update_password "${auth_enabled}"
+}

sshmngr/files/openssh_backend/ssh_mfa_override.json

@@ -0,0 +1,68 @@
+{
+    "json_plugin_version": 2,
+    "Device.SSH.Server.{i}.": {
+        "type": "object",
+        "protocols": [
+            "cwmp",
+            "usp"
+        ],
+        "access": false,
+        "array": false,
+	"{BBF_VENDOR_PREFIX}UseMFA": {
+            "type": "boolean",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+	    "mapping": [
+		{
+			"data": "@Parent",
+			"type": "uci_sec",
+			"key": "UseMFA"
+		}
+	    ]
+	},
+	"{BBF_VENDOR_PREFIX}MFA_Key": {
+            "type": "string",
+            "read": true,
+            "write": false,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+	    "mapping": [
+		{
+			"type": "ubus",
+			"ubus": {
+				"object": "sshmngr",
+				"method": "get_mfa_key",
+				"args": {},
+				"key": "mfa_key"
+			}
+		}
+	    ]
+	},
+	"{BBF_VENDOR_PREFIX}MFA_Recovery_Codes": {
+            "type": "string",
+            "read": true,
+            "write": false,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+	    "mapping": [
+		{
+			"type": "ubus",
+			"ubus": {
+				"object": "sshmngr",
+				"method": "get_mfa_recovery",
+				"args": {},
+				"key": "recovery_codes"
+			}
+		}
+	    ]
+        }
+    }
+}

sulu/sulu-base/Makefile

@@ -5,11 +5,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-base
-PKG_VERSION:=5.2.2
+PKG_VERSION:=5.3.10
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu.git
-PKG_SOURCE_VERSION:=b2bf5c9615e0e81afb2e6bcbf6c75b347e24c705
+PKG_SOURCE_VERSION:=15f36f48dee8a675d7829181bf508a75c0a66a8a
 PKG_MIRROR_HASH:=skip
 
 SULU_MOD:=core

sulu/sulu-builder/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-builder
-PKG_VERSION:=5.2.2
+PKG_VERSION:=5.3.10
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu-builder.git
-PKG_SOURCE_VERSION:=d270fcaec14aaf53b1a8983e71b2c61dec1ab1ed
+PKG_SOURCE_VERSION:=6a82c845c5203a7e33737d668659e60203f9f68f
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_BUILD_DIR:=$(BUILD_DIR)/sulu-$(PKG_VERSION)/sulu-builder-$(PKG_SOURCE_VERSION)

sulu/sulu-builder/files/etc/sulu/sulu.sh

@@ -5,8 +5,9 @@
 . /lib/functions.sh
 . /usr/share/libubox/jshn.sh
 
-RESTART_REQ=0
-_RESTART_SERVICES="0"
+SULU_CON_CONFIG="/sulu/presets/connection-config.json"
+SULU_ACL_FILE=""
+SULU_CON_ROLES=""
 
 slog() {
 	echo "$*" | logger -t sulu.sh -p debug
@@ -27,49 +28,21 @@ _get_agent_id() {
 	fi
 }
 
-_get_sulu_user_roles() {
-	roles=$(uci -q get userinterface._sulu_s.role)
-
-	for role in ${roles}; do
-		sulu_user_roles="${sulu_user_roles} ${role}"
-	done
-
-	if [ -n "${sulu_user_roles}" ]; then
-		sulu_user_roles=$(echo -e "${sulu_user_roles// /\\n}" | sort | uniq)
-	fi
-
-	echo "${sulu_user_roles}"
-}
-
-_get_sulu_root() {
-	local root
-
-	root="$(uci -q get nginx._sulu_s.root)"
-	echo "${root:-/sulu}"
-}
-
-_get_sulu_connection_config() {
-	local config
-
-	config="$(_get_sulu_root)/presets/connection-config.json"
-	echo "${config}"
-}
-
-_get_sulu_session_mode() {
-	uci -q get sulu.global.SessionMode
-}
-
 _get_sulu_acl_file() {
 	uci -q get mosquitto.sulu.acl_file
 }
 
+_sulu_conn_config_users() {
+	for user in ${SULU_CON_ROLES}; do
+		json_add_object "${user}"
+		json_add_string 'fromId' "self::sulu-${user}"
+		json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${user}/endpoint"
+		json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${user}/controller"
+		json_close_object
+	done
+}
+
 generate_sulu_conn_config() {
-	local users SCONFIG session
-
-	users="$(_get_sulu_user_roles)"
-	session="$(_get_sulu_session_mode)"
-	SCONFIG="$(_get_sulu_connection_config)"
-
 	json_init
 	json_add_string 'Current-connection' 'main'
 	json_add_object 'Connections'
@@ -79,41 +52,25 @@ generate_sulu_conn_config() {
 			json_add_string 'toId' "os::$(_get_agent_id)"
 			json_add_string 'port' "auto"
 			json_add_string 'path' "/wss"
-
-			if [ "${session}" = "Require" ]; then
-				json_add_boolean 'useSession' 1
-			fi
-
 			json_add_string 'protocol' 'autoWs'
+
 			json_add_object 'overrides'
 			{
-				for user in ${users}; do
-					json_add_object "${user}"
-					{
-						json_add_string 'fromId' "self::sulu-${user}"
-						json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${user}/endpoint"
-						json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${user}/controller"
-						json_close_object
-					}
-				done
+				_sulu_conn_config_users
 				json_close_object
 			}
 			json_close_object
 		}
 		json_close_object
 	}
-
-	json_dump >"${SCONFIG}"
+	json_dump >"${SULU_CON_CONFIG}"
 }
 
-_update_obuspa_config_rbac() {
-	local agent users session
+update_obuspa_config() {
+	local agent
 
 	agent="$(_get_agent_id)"
-	users="$(_get_sulu_user_roles)"
-	session="$(_get_sulu_session_mode)"
-
-	for user in ${users}; do
+	for user in ${SULU_CON_ROLES}; do
 		local section
 
 		# Add mqtt
@@ -123,7 +80,6 @@ _update_obuspa_config_rbac() {
 			uci_set obuspa "${section}" BrokerAddress "127.0.0.1"
 			uci_set obuspa "${section}" BrokerPort "1883"
 			uci_set obuspa "${section}" TransportProtocol "TCP/IP"
-			RESTART_REQ=1
 		fi
 
 		# Add mtp
@@ -133,7 +89,6 @@ _update_obuspa_config_rbac() {
 			uci_set obuspa "${section}" Protocol "MQTT"
 			uci_set obuspa "${section}" ResponseTopicConfigured "/usp/${agent}/${user}/endpoint"
 			uci_set obuspa "${section}" mqtt "mqtt_sulu_$user"
-			RESTART_REQ=1
 		fi
 
 		# Add controller
@@ -145,88 +100,61 @@ _update_obuspa_config_rbac() {
 			uci_set obuspa "${section}" Topic "/usp/${agent}/${user}/controller"
 			uci_set obuspa "${section}" mqtt "mqtt_sulu_$user"
 			uci_set obuspa "${section}" assigned_role_name "$user"
-			RESTART_REQ=1
-		fi
-
-		obMode="$(uci_get obuspa "${section}" SessionMode)"
-		if [ "${session}" != "${obMode}" ]; then
-			uci_set obuspa "${section}" SessionMode "${session}"
-			RESTART_REQ=1
 		fi
 	done
 }
 
-_create_mosquitto_acl() {
-	local agentid users
-	local ACL_FILE acl_users
+create_mosquitto_acl() {
+	local agentid
+	local acl_users
 
-	RESTART_REQ="0"
-
-	ACL_FILE="$(_get_sulu_acl_file)"
-	if [ -z "${ACL_FILE}" ]; then
+	SULU_ACL_FILE="$(_get_sulu_acl_file)"
+	if [ -z "${SULU_ACL_FILE}" ]; then
 		return 0
 	fi
 
-	users="$(_get_sulu_user_roles)"
-	if [ -f "${ACL_FILE}" ]; then
-		acl_users="$(awk '/^user / {print $2}' "${ACL_FILE}")"
-		for user in ${acl_users}; do
-			if ! echo "$users" | grep -qwF "$user"; then
-				rm -f "${ACL_FILE}"
-				RESTART_REQ="1"
-				break
-			fi
-		done
-	fi
-	[ -f "${ACL_FILE}" ] || touch "${ACL_FILE}"
-
+	echo > "${SULU_ACL_FILE}"
 	agentid="$(_get_agent_id)"
-	for user in ${users}; do
-		if ! grep -qxF "user $user" "${ACL_FILE}"; then
+	for user in ${SULU_CON_ROLES}; do
+		if ! grep -qxF "user $user" "${SULU_ACL_FILE}"; then
 			{
 				echo "user ${user}"
 				echo "topic read  /usp/${agentid}/${user}/controller/reply-to"
 				echo "topic write /usp/${agentid}/${user}/endpoint"
 				echo "topic read  /usp/${agentid}/${user}/controller"
 				echo ""
-			} >> "${ACL_FILE}"
-			RESTART_REQ="1"
+			} >> "${SULU_ACL_FILE}"
 		fi
 	done
+	chown mosquitto:mosquitto "${SULU_ACL_FILE}"
+	chmod 640 "${SULU_ACL_FILE}"
+}
 
-	if [ "${_RESTART_SERVICES}" -eq "1" ] && [ "${RESTART_REQ}" -gt "0" ]; then
-		slog "Restarting mosquitto..."
-		ubus call uci commit '{"config":"mosquitto"}'
+get_sulu_roles() {
+	local sec path_prefix redirect role
+
+	sec="${1}"
+
+	config_get path_prefix "${sec}" path_prefix ""
+	config_get redirect "${sec}" redirect ""
+	config_get role "${sec}" role ""
+
+	if [ -n "${redirect}" ]; then
+		return 0
+	fi
+
+	if [ "${path_prefix}" != "/sulu" ]; then
+		return 0
+	fi
+
+	if [ -n "${role}" ]; then
+		SULU_CON_ROLES="${SULU_CON_ROLES} ${role}"
 	fi
 }
 
-update_obuspa_config() {
-	RESTART_REQ=0
-	_update_obuspa_config_rbac
-	uci_commit obuspa
+config_load userinterface
+config_foreach get_sulu_roles http_access
 
-	if [ "${_RESTART_SERVICES}" -eq "1" ] && [ "${RESTART_REQ}" -gt "0" ]; then
-		slog "Restarting obuspa..."
-		ubus call uci commit '{"config":"obuspa"}'
-	fi
-}
-
-configure_sulu() {
-	_create_mosquitto_acl
-	update_obuspa_config
-	generate_sulu_conn_config
-}
-
-while getopts ":r" opt; do
-	case ${opt} in
-	r)
-		_RESTART_SERVICES="1"
-		;;
-	*)
-		slog "Invalid option: ${OPTARG}"
-		exit 1
-		;;
-	esac
-done
-
-configure_sulu
+generate_sulu_conn_config
+create_mosquitto_acl
+update_obuspa_config

sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config

@@ -39,7 +39,8 @@ add_sulu_config_to_mosquitto()
 
 add_sulu_userinterface_uci()
 {
-	if [ -f "/etc/config/userinterface" ]; then
+	# check if sulu already configured
+	if ! uci show userinterface| grep -q "path_prefix='/sulu'"; then
 		uci_add userinterface http_access _sulu_s
 		uci_set userinterface _sulu_s path_prefix '/sulu'
 		uci_set userinterface _sulu_s port '8443'

sulu/sulu-theme-genexis/Makefile

@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-theme-genexis
-PKG_VERSION:=5.2.2
+PKG_VERSION:=5.3.10
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/sulu-theme-genexis

sysmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sysmngr
-PKG_VERSION:=1.0.31
+PKG_VERSION:=1.1.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/sysmngr.git
-PKG_SOURCE_VERSION:=d84dd91e19ec8e2a6baf3efa9ff319bf9d6f746a
+PKG_SOURCE_VERSION:=9e5cbc3c00e4e8ab1678baf5d8ff369a9345da09
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -112,16 +112,6 @@ define Package/$(PKG_NAME)/install
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	
 	$(INSTALL_BIN) ./files/etc/sysmngr/fwbank $(1)/etc/sysmngr/fwbank
-
-ifeq ($(CONFIG_SYSMNGR_TEMPERATURE_STATUS),y)
-	$(INSTALL_DIR) $(1)/etc/sysmngr
-ifeq ($(CONFIG_TARGET_brcmbca),y)
-	$(INSTALL_BIN) ./files/etc/sysmngr/broadcom.sh $(1)/etc/sysmngr/temperature.sh
-else
-	$(INSTALL_BIN) ./files/etc/sysmngr/default.sh $(1)/etc/sysmngr/temperature.sh
-endif
-endif
-
 endef
 
 $(eval $(call BuildPackage,$(PKG_NAME)))

sysmngr/files/etc/sysmngr/broadcom.sh

@@ -1,84 +0,0 @@
-#!/bin/sh
-
-. /usr/share/libubox/jshn.sh
-. /lib/functions.sh
-
-function get_wlan_temperature()
-{
-  add_wlan_temp() {
-    local temp="$(wlctl -i "$1" phy_tempsense)"
-    [ -n "$temp" ] || temp='-274'
-
-    json_add_object
-    json_add_string "name" "wlan-$1"
-    json_add_int "temperature" "$temp"
-    json_close_object
-  }
-
-  config_load wireless
-  config_foreach add_wlan_temp wifi-device
-}
-
-function get_sfp_temperature()
-{
-  local temp=""
-  local sfp="$(ubus call sfp.ddm get-temperature)"
-
-  json_load "$sfp"
-  json_get_var temp temperature
-
-  [ -n "$temp" ] || temp='-274'
-
-  echo "$temp"
-}
-
-function get_cpu_temperature()
-{
-  local cpu="$(cat /sys/devices/virtual/thermal/thermal_zone0/temp 2>/dev/null)"
-  [ -n "$cpu" ] || cpu='-274000'
-
-  echo "${cpu:0:-3}"
-}
-
-function get_temperature_status()
-{
-  local hasSfp="$(db -q get hw.board.hasSfp)"
-
-  json_init
-
-  json_add_array "status"
-
-  json_add_object
-  json_add_string "name" "cpu"
-  json_add_int "temperature" "$(get_cpu_temperature)"
-  json_close_object
-
-  [ -s /etc/config/wireless ] && get_wlan_temperature
-
-  [ "$hasSfp" = "1" ] && {
-	  json_add_object
-	  json_add_string "name" "sfp"
-	  json_add_int "temperature" "$(get_sfp_temperature)"
-	  json_close_object
-  }
-
-  json_close_array
-
-  json_dump
-}
-
-function dump_invalid()
-{
-  json_init
-  json_add_string "fault" "invalid request"
-  json_dump
-}
-
-case "$1" in
-    status)
-        get_temperature_status
-        ;;
-    *)
-        dump_invalid
-        ;;
-esac

sysmngr/files/etc/sysmngr/default.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-
-. /usr/share/libubox/jshn.sh
-. /lib/functions.sh
-
-function get_wlan_temperature()
-{
-  :
-}
-
-function get_sfp_temperature()
-{
-  echo "-274"
-}
-
-function get_cpu_temperature()
-{
-  echo "-274"
-}
-
-function get_temperature_status()
-{
-  local hasSfp="$(db -q get hw.board.hasSfp)"
-
-  json_init
-
-  json_add_array "status"
-
-  json_add_object
-  json_add_string "name" "cpu"
-  json_add_int "temperature" "$(get_cpu_temperature)"
-  json_close_object
-
-  [ -s /etc/config/wireless ] && get_wlan_temperature
-
-  [ "$hasSfp" = "1" ] && {
-	  json_add_object
-	  json_add_string "name" "sfp"
-	  json_add_int "temperature" "$(get_sfp_temperature)"
-	  json_close_object
-  }
-
-  json_close_array
-
-  json_dump
-}
-
-function dump_invalid()
-{
-  json_init
-  json_add_string "fault" "invalid request"
-  json_dump
-}
-
-case "$1" in
-    status)
-        get_temperature_status
-        ;;
-    *)
-        dump_invalid
-        ;;
-esac

sysmngr/files/etc/sysmngr/fwbank

@@ -22,7 +22,30 @@ fwbank_get_bootbank() {
 
 case "$1" in
 	list)
-		echo '{ "dump" : {}, "set_bootbank" : {"bank":32}, "copy_config" : {}, "upgrade": {"path":"String","auto_activate":true,"bank":32,"keep_settings":true}}'
+		json_init
+		json_add_object "dump"
+		json_close_object
+
+		json_add_object "set_bootbank"
+		json_add_int "bank" 32
+		json_close_object
+
+		json_add_object "copy_config"
+		json_add_boolean "keep_settings" 1
+		json_add_boolean "keep_opconf" 1
+		json_add_string "config_scope" "String"
+		json_close_object
+
+		json_add_object "upgrade"
+		json_add_string "path" "String"
+		json_add_boolean "auto_activate" 1
+		json_add_int "bank" 32
+		json_add_boolean "keep_settings" 1
+		json_add_boolean "keep_opconf" 1
+		json_add_string "config_scope" "String"
+		json_add_boolean "reboot" 1
+		json_close_object
+		json_dump
 	;;
 	call)
 		case "$2" in
@@ -125,19 +148,44 @@ case "$1" in
 				fi
 			;;
 			copy_config)
-				if [ -z "$UPGRADE_BACKUP" ]; then
-					UPGRADE_BACKUP=/tmp/sysupgrade.tgz
+				read -r input
+				json_load "${input}"
+				json_get_var keep_settings keep_settings
+				json_get_var keep_opconf keep_opconf
+				json_get_var config_scope config_scope
+
+				# Set the default value for keep_settings
+				keep_settings=${keep_settings:-1}
+
+				if command -v "opconf_conf_handler" >/dev/null 2>&1; then
+					if ! mountpoint -q /usr_data; then
+						logger -t sysmngr.fwbank "copy_config: usr_data partition not present"
+						config_scope="All"
+					fi
+
+					arg="-k ${keep_settings}"
+					[ -n  "${keep_opconf}" ] && arg="${arg} -o ${keep_opconf}"
+					[ -n  "${config_scope}" ] && arg="${arg} -s ${config_scope}"
+
+					opconf_conf_handler ${arg}
+				else
+					# Fallback to default old behaviour in case opconf not present
+					config_scope="All"
 				fi
 
 				ret=0
+				if [ "${keep_settings}" -eq "1" ] && [ "${config_scope}" = "All" ]; then
+					if [ -z "$UPGRADE_BACKUP" ]; then
+						UPGRADE_BACKUP=/tmp/sysupgrade.tgz
+					fi
 
-				sysupgrade -b "$UPGRADE_BACKUP" || ret=1
-
-				if [ "$ret" -eq 0 ]; then
-					if command -v platform_copy_config >/dev/null 2>&1; then
-						platform_copy_config 1>&2 || ret=1
-					else
-						ret=1
+					sysupgrade -b "$UPGRADE_BACKUP" || ret=1
+					if [ "$ret" -eq 0 ]; then
+						if command -v platform_copy_config >/dev/null 2>&1; then
+							platform_copy_config 1>&2 || ret=1
+						else
+							ret=1
+						fi
 					fi
 				fi
 
@@ -157,6 +205,9 @@ case "$1" in
 				json_get_var auto_activate auto_activate
 				json_get_var bank bank
 				json_get_var keep_settings keep_settings
+				json_get_var keep_opconf keep_opconf
+				json_get_var config_scope config_scope
+				json_get_var reboot reboot
 
 				ret=0
 
@@ -180,6 +231,7 @@ case "$1" in
 
 				# Set the default value for keep_settings
 				keep_settings=${keep_settings:-1}
+				reboot=${reboot:-0}
 
 				# This ubus call does not reboot the system at any one time.
 				# Although, the newly upgraded bank is activated by default.
@@ -187,14 +239,36 @@ case "$1" in
 				# "--no-activate" otherwise.
 				sysupgrade_flag=""
 				if [ "${auto_activate}" -eq 1 ]; then
-					sysupgrade_flag="--no-reboot"
+					if [ "${reboot}" -eq 0 ]; then
+						sysupgrade_flag="--no-reboot"
+					fi
 				else
 					sysupgrade_flag="--no-activate"
 				fi
 
+				if command -v "opconf_conf_handler" >/dev/null 2>&1; then
+					if ! mountpoint -q /usr_data; then
+						logger -t sysmngr.fwbank "upgrade: usr_data partition not present"
+						config_scope="All"
+					fi
+
+					arg="-k ${keep_settings}"
+					[ -n  "${keep_opconf}" ] && arg="${arg} -o ${keep_opconf}"
+					[ -n  "${config_scope}" ] && arg="${arg} -s ${config_scope}"
+
+					opconf_conf_handler ${arg}
+				else
+					# Fallback to default old behaviour in case opconf not present
+					config_scope="All"
+				fi
+
 				# Set the flag to do not save configuration over reflash
 				if [ "${keep_settings}" -eq 0 ]; then
 					sysupgrade_flag="${sysupgrade_flag} -n"
+				elif [ "${keep_settings}" -eq 1 ]; then
+					if [ "${config_scope}" != "All" ]; then
+						sysupgrade_flag="${sysupgrade_flag} -n"
+					fi
 				fi
 
 				# Call sysupgrade synchonously. It should not time out the ubus call,

tr143/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tr143
-PKG_VERSION:=1.1.8
+PKG_VERSION:=1.1.13
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/tr143d.git
-PKG_SOURCE_VERSION:=5f8404e01e5e4478de528027fa12717c1a2256f3
+PKG_SOURCE_VERSION:=be8ee7b6c52817914f66875d36061f2f62b80af8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -36,16 +36,20 @@ endef
 MAKE_PATH:=src
 
 define Package/tr143/install
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libtr143d.so $(1) netmngr 11
 
 ifeq ($(CONFIG_TARGET_SUBTARGET),"an7581")
 	$(BBFDM_INSTALL_SCRIPT) $(PKG_BUILD_DIR)/airoha/scripts/download $(1)
+	$(BBFDM_INSTALL_SCRIPT) $(PKG_BUILD_DIR)/airoha/scripts/upload $(1)
+	$(INSTALL_DATA) ./files/an7581/etc/uci-defaults/* $(1)/etc/uci-defaults/
 else
 	$(BBFDM_INSTALL_SCRIPT) $(PKG_BUILD_DIR)/scripts/download $(1)
+	$(BBFDM_INSTALL_SCRIPT) $(PKG_BUILD_DIR)/scripts/upload $(1)
+	$(INSTALL_DATA) ./files/other/etc/uci-defaults/* $(1)/etc/uci-defaults/
 endif
 
 	$(BBFDM_INSTALL_SCRIPT) $(PKG_BUILD_DIR)/scripts/traceroute $(1)
-	$(BBFDM_INSTALL_SCRIPT) $(PKG_BUILD_DIR)/scripts/upload $(1)
 	$(BBFDM_INSTALL_SCRIPT) -d $(PKG_BUILD_DIR)/scripts/bbf_diag/ipping $(1)
 	$(BBFDM_INSTALL_SCRIPT) -d $(PKG_BUILD_DIR)/scripts/bbf_diag/serverselection $(1)
 	$(BBFDM_INSTALL_SCRIPT) -d $(PKG_BUILD_DIR)/scripts/bbf_diag/udpecho $(1)