decollector: remove libbbfdm-api-v2 as its part of libbbfdm-api

There are differences in tar generation between OpenWrt 23.05 and 25.12.
This hash had been added automatically by the version-bump script
update_git_source_package.sh from maintainer-tools.  This causes the
build to fail on later OpenWrt versions such as 25.12. For now, skip
hash verification. Once we have moved to 25.

For now, we have multiple choices:
* backport changes done to tarball generation to 23.05-based OpenWrt
  branch
* only update hashes using OpenWrt 25.12 based branch (23.05-based
  branch will happily ignore and redownload in such cases, which is not
  an issue as long as we do not upload those tarballs
* use skip for now and do not use bump-script from OpenWrt and only
  adopt using proper hashes when we have moved to OpenWrt 25.12

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

bbfdm/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.16.6.2
+PKG_VERSION:=1.18.18
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=aa480554461c82e6f6f44ee6c23108d3e44fce21
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=fbf01a9e30e7ecccc2453af7abfbccf939e27d43
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -55,7 +55,7 @@ define Package/dm-service
   CATEGORY:=Utilities
   SUBMENU:=TRx69
   TITLE:=Datamodel ubus backend to expose micro-service tree
-  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +libbbfdm-ubus +bbf_configmngr
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +libbbfdm-ubus +bbf_configmngr +libeasy
 endef
 
 define Package/bbf_configmngr
@@ -107,7 +107,7 @@ endif
 
 CMAKE_OPTIONS += \
 	-DBBF_VENDOR_PREFIX:String="$(CONFIG_BBF_VENDOR_PREFIX)" \
-	-DBBFDMD_MAX_MSG_LEN:Integer=10485760 \
+	-DBBFDMD_MAX_MSG_LEN:Integer=20971520 \
 	-DCMAKE_BUILD_TYPE:String="Debug" \
 
 
@@ -183,6 +183,7 @@ define Package/bbf_configmngr/install
 
 	$(INSTALL_BIN) ./files/etc/init.d/bbf_configd $(1)/etc/init.d/bbf_configd
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utilities/files/usr/share/bbfdm/scripts/bbf_config_notify.sh $(1)/usr/share/bbfdm/scripts/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utilities/files/usr/share/bbfdm/scripts/bbf_default_reload.sh $(1)/etc/bbfdm/
 	$(INSTALL_DATA) ./files/etc/bbfdm/critical_services.json $(1)/etc/bbfdm/
 endef
 

bbfdm/files/etc/bbfdm/critical_services.json

@@ -1,23 +1,47 @@
 {
 	"usp": [
-			"firewall",
-			"network",
-			"dhcp",
-			"time",
-			"wireless",
-			"ieee1905",
-			"mapcontroller",
-			"mosquitto",
-			"nginx",
-			"netmode"
+			"/etc/config/firewall",
+			"/etc/bbfdm/dmmap/dmmap_firewall",
+			"/etc/config/network",
+			"/etc/bbfdm/dmmap/IP",
+			"/etc/bbfdm/dmmap/Ethernet",
+			"/etc/bbfdm/dmmap/GRE",
+			"/etc/bbfdm/dmmap/IPv6rd",
+			"/etc/bbfdm/dmmap/PPP",
+			"/etc/bbfdm/dmmap/Routing",
+			"/etc/config/dhcp",
+			"/etc/bbfdm/dmmap/DHCPv4",
+			"/etc/bbfdm/dmmap/DHCPv6",
+			"/etc/config/time",
+			"/etc/bbfdm/dmmap/dmmap_time",
+			"/etc/config/mapcontroller",
+			"/etc/config/wireless",
+			"/etc/bbfdm/dmmap/WiFi",
+			"/etc/config/ieee1905",
+			"/etc/config/mosquitto",
+			"/etc/config/nginx",
+			"/etc/config/netmode",
+			"/etc/bbfdm/dmmap/dmmap_netmode"
 	],
 	"cwmp": [
-			"firewall",
-			"network",
-			"dhcp",
-			"mapcontroller",
-			"wireless",
-			"time",
-			"netmode"
+			"/etc/config/firewall",
+			"/etc/bbfdm/dmmap/dmmap_firewall",
+			"/etc/config/network",
+			"/etc/bbfdm/dmmap/IP",
+			"/etc/bbfdm/dmmap/Ethernet",
+			"/etc/bbfdm/dmmap/GRE",
+			"/etc/bbfdm/dmmap/IPv6rd",
+			"/etc/bbfdm/dmmap/PPP",
+			"/etc/bbfdm/dmmap/Routing",
+			"/etc/config/dhcp",
+			"/etc/bbfdm/dmmap/DHCPv4",
+			"/etc/bbfdm/dmmap/DHCPv6",
+			"/etc/config/mapcontroller",
+			"/etc/config/wireless",
+			"/etc/bbfdm/dmmap/WiFi",
+			"/etc/config/time",
+			"/etc/bbfdm/dmmap/dmmap_time",
+			"/etc/config/netmode",
+			"/etc/bbfdm/dmmap/dmmap_netmode"
 	]
 }

bbfdm/files/etc/init.d/bbf_configd

@@ -10,19 +10,10 @@ log() {
 	echo "${@}"|logger -t bbf.config -p info
 }
 
-create_needed_directories()
-{
-	mkdir -p /tmp/bbfdm/.cwmp
-	mkdir -p /tmp/bbfdm/.usp
-	mkdir -p /tmp/bbfdm/.bbfdm
-}
-
 start_service()
 {
 	local log_level
 
-	create_needed_directories
-
 	config_load bbfdm
 	config_get log_level "reload_handler" log_level 2
 
@@ -36,6 +27,6 @@ start_service()
 service_triggers() {
 	for config_file in /etc/config/*; do
 		config_name=$(basename "$config_file")
-		procd_add_config_trigger "config.change" "$config_name" /usr/share/bbfdm/scripts/bbf_config_notify.sh
+		procd_add_config_trigger "config.change" "$config_name" /usr/share/bbfdm/scripts/bbf_config_notify.sh "$config_name"
 	done
 }

bbk_cli/Makefile

@@ -9,7 +9,7 @@ PKG_SOURCE_VERSION:=7b810a696c78b746185c11282bdbe3fb7f8c5d4b
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/dotse/bbk.git
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 

bootchart2/Makefile

@@ -15,7 +15,7 @@ PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/mmeeks/bootchart.git
 PKG_SOURCE_VERSION:=3ab81137cafe25c2ca4bc3a5f322a63646f9ce8d
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 
 PKG_LICENSE:=GPLv2

bridgemngr/Config.in

@@ -5,6 +5,12 @@ config BRIDGEMNGR_BRIDGE_VLAN
 	help
 	   Set this option to use bridge-vlan as backend for VLAN objects.
 
+config BRIDGEMNGR_COPY_PBITS
+	bool "Copy pbits from cvlan to svlan"
+	default y
+	help
+	   Set this option to copy cvlan pbits to svlan pbits by default (driver vlan).
+
 config BRIDGEMNGR_BRIDGE_VENDOR_EXT
 	bool "Use bridge BBF vendor extensions"
 	default y

bridgemngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bridgemngr
-PKG_VERSION:=1.0.18.2
+PKG_VERSION:=1.1.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr
-PKG_SOURCE_VERSION:=71ed529be038392071b0399bcfe9d46e89d3cb46
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr.git
+PKG_SOURCE_VERSION:=882f8c8cc9a97372297d192cc916c4f8ffe7c25a
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -51,6 +51,10 @@ ifeq ($(CONFIG_BRIDGEMNGR_BRIDGE_VLAN),y)
 	TARGET_CFLAGS += -DBRIDGE_VLAN_BACKEND
 endif
 
+ifeq ($(CONFIG_BRIDGEMNGR_COPY_PBITS),y)
+	TARGET_CFLAGS+=-DBRIDGEMNGR_COPY_PBITS
+endif
+
 define Package/bridgemngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/config

bulkdata/Makefile

@@ -7,14 +7,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bulkdata
-PKG_VERSION:=2.1.20
+PKG_VERSION:=2.1.23
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bulkdata.git
-PKG_SOURCE_VERSION:=a5e57962938ca143ede65d92be90b6e9fce66e15
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=f54550f2d587a701c0a8d5cac4a0910a99ce92cf
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

bulut/Makefile

@@ -11,7 +11,7 @@ PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bulut/bulut-gw-client.git
 PKG_SOURCE_VERSION:=227700c44817afa2c392fa08bf4cf70fa6177f01
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)

ddnsmngr/Makefile

@@ -12,7 +12,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ddnsmngr.git
 PKG_SOURCE_VERSION:=44af9a7b3fec3929f8554af9633a5b8068189b48
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

decollector/Config.in

@@ -4,4 +4,16 @@ config DECOLLECTOR_EASYMESH_VERSION
 	int "Support Easymesh version"
 	default 6
 
+config DECOLLECTOR_BUILD_TR181_PLUGIN
+	bool "Build TR-181 mapping module (responsible for Device.WiFi.DataElements.)"
+	default y
+
+config DECOLLECTOR_VENDOR_EXTENSIONS
+	bool "Iopsys vendor extensions for Device.WiFi.DataElements."
+	default y
+
+config DECOLLECTOR_VENDOR_PREFIX
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
+
 endmenu

decollector/Makefile

@@ -6,14 +6,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=decollector
-PKG_VERSION:=6.2.1.8
+PKG_VERSION:=6.2.3.9
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=b7e294d7c610adfd80cf40a0628c189695dc5156
+PKG_SOURCE_VERSION:=d1d948a48952fe2091e84af1293a6e77857439cf
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@@ -24,6 +24,7 @@ PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
 
 include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/iopsys/bbfdm/bbfdm.mk
 
 define Package/decollector
   SECTION:=utils
@@ -31,6 +32,7 @@ define Package/decollector
   TITLE:=WiFi DataElements Collector Proxy
   DEPENDS:=+libuci +libubox +ubus +libpthread +libnl-genl \
 	   +libeasy +libwifiutils +libieee1905 +ieee1905-map-plugin
+  DEPENDS+=+libbbfdm-api +libbbfdm-ubus
 endef
 
 define Package/decollector/description
@@ -66,6 +68,18 @@ MAKE_PATH:=src
 
 TARGET_CFLAGS += -DEASYMESH_VERSION=$(CONFIG_DECOLLECTOR_EASYMESH_VERSION)
 
+ifeq ($(CONFIG_DECOLLECTOR_BUILD_TR181_PLUGIN),y)
+MAKE_FLAGS += DECOLLECTOR_BUILD_TR181_PLUGIN=y
+ifeq ($(CONFIG_DECOLLECTOR_VENDOR_EXTENSIONS),y)
+TARGET_CFLAGS += -DDECOLLECTOR_VENDOR_EXTENSIONS
+ifeq ($(CONFIG_DECOLLECTOR_VENDOR_PREFIX),"")
+TARGET_CFLAGS += -DCUSTOM_PREFIX=\\\"$(CONFIG_BBF_VENDOR_PREFIX)\\\"
+else
+TARGET_CFLAGS += -DCUSTOM_PREFIX=\\\"$(CONFIG_DECOLLECTOR_VENDOR_PREFIX)\\\"
+endif
+endif
+endif
+
 EXECS := \
 	$(if $(CONFIG_PACKAGE_decollector),decollector)
 
@@ -76,6 +90,7 @@ define Package/decollector/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/decollector.init $(1)/etc/init.d/decollector
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/decollector $(1)/usr/sbin/
+	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 endef
 
 $(eval $(call BuildPackage,decollector))

decollector/bbfdm_service.json

@@ -0,0 +1,26 @@
+{
+  "daemon": {
+    "enable": "1",
+    "service_name": "decollector",
+    "unified_daemon": true,
+    "services": [
+      {
+        "parent_dm": "Device.WiFi.",
+        "object": "DataElements"
+      }
+    ],
+    "config": {
+      "loglevel": "3"
+    },
+    "apply_handler": {
+      "uci": [
+        {
+          "file": [
+            "mapcontroller"
+          ],
+          "external_handler": "/etc/wifidmd/bbf_config_reload.sh"
+        }
+      ]
+    }
+  }
+}

dectmngr/Makefile

@@ -2,13 +2,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dectmngr
 PKG_RELEASE:=3
-PKG_VERSION:=3.7.10
+PKG_VERSION:=3.7.13
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/dectmngr.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=1f851980a6ba616df54f79930225f8bcd563b711
+PKG_SOURCE_VERSION:=5c2720563b3ed889e9d4de6fdb9b0f6a9d584094
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -20,7 +20,7 @@ export BUILD_DIR
 
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_BUILD_PARALLEL:=1
 
 include $(INCLUDE_DIR)/package.mk

dhcpmngr/Config.in

@@ -0,0 +1,12 @@
+if PACKAGE_dhcpmngr
+
+config DHCPMNGR_ENABLE_VENDOR_EXT
+	bool "Use datamodel vendor extensions"
+	default y
+	help
+	   Set this option to use bridge BBF vendor extensions.
+
+config DHCPMNGR_VENDOR_PREFIX
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
+endif

dhcpmngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dhcpmngr
-PKG_VERSION:=1.0.6
+PKG_VERSION:=1.1.6
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dhcpmngr.git
-PKG_SOURCE_VERSION:=986f66608959f4f589009d580b046e250d8c620d
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=74d96cd70119e4ea08767d68b45b4922162d0328
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -39,6 +39,22 @@ define Package/dhcpmngr/description
   Package to add Device.DHCPv4. and Device.DHCPv6. data model support.
 endef
 
+define Package/$(PKG_NAME)/config
+        source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(CONFIG_DHCPMNGR_ENABLE_VENDOR_EXT),y)
+MAKE_FLAGS += DHCPMNGR_ENABLE_VENDOR_EXT=y
+endif
+
+ifeq ($(CONFIG_DHCPMNGR_VENDOR_PREFIX),"")
+VENDOR_PREFIX = $(CONFIG_BBF_VENDOR_PREFIX)
+else
+VENDOR_PREFIX = $(CONFIG_DHCPMNGR_VENDOR_PREFIX)
+endif
+
+TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(VENDOR_PREFIX)\\\"
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
 	$(CP) -rf ~/git/dhcpmngr/* $(PKG_BUILD_DIR)/

dmcli-plugins/Makefile

@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2023 Genexis Netherlands B.V. All rights reserved.
+# This Software and its content are protected by the Dutch Copyright Act
+# ('Auteurswet'). All and any copying and distribution of the software
+# and its content without authorization by Genexis Netherlands B.V. is
+# prohibited. The prohibition includes every form of reproduction and
+# distribution.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmcli-plugins
+PKG_LICENSE:=PROPRIETARY GENEXIS
+PKG_VERSION:=2.2.6
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/dmcli-plugin-easydm.git
+PKG_SOURCE_VERSION:=bc8b8527e8a41bdba73cb277a3c6c3b42b045153
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
+PKG_MIRROR_HASH:=skip
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dmcli-plugins
+  SECTION:=tools
+  CATEGORY:=Genexis
+  TITLE:=Easy-to-use data model on top of TR181
+  URL:=http://genexis.eu
+  DEPENDS:=+dmcli
+endef
+
+define Package/dmcli-plugins/description
+  EasyDM offers a user-friendly approach to configuring TR-181
+  simplifying the process with its intuitive interface.
+endef
+
+define Build/Compile
+	true
+endef
+
+define Package/dmcli-plugins/install
+	$(INSTALL_DIR) $(1)/usr/lib/dmcli/plugins
+	$(CP) $(PKG_BUILD_DIR)/src/*.js $(1)/usr/lib/dmcli/plugins/
+endef
+
+$(eval $(call BuildPackage,dmcli-plugins))

dmcli/Config.in

@@ -0,0 +1,9 @@
+if PACKAGE_dmcli
+
+config DMCLI_REMOTE_CONNECTION
+        bool "Add dmcli remote controller configuration"
+        default n
+        help
+                This adds a usp controller configuration for dmcli remote connection from different machine/laptop/server.
+
+endif

dmcli/Makefile

@@ -0,0 +1,76 @@
+#
+# Copyright (c) 2021 Genexis Netherlands B.V. All rights reserved.
+# This Software and its content are protected by the Dutch Copyright Act
+# ('Auteurswet'). All and any copying and distribution of the software
+# and its content without authorization by Genexis Netherlands B.V. is
+# prohibited. The prohibition includes every form of reproduction and
+# distribution.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmcli
+PKG_LICENSE:=PROPRIETARY GENEXIS
+PKG_VERSION:=1.9.6
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/dmcli.git
+PKG_SOURCE_VERSION:=f03188eff6c2cab59e4c8f18a435c940ff5043f5
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
+PKG_MIRROR_HASH:=skip
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dmcli
+  SECTION:=tools
+  CATEGORY:=Genexis
+  TITLE:=DMCLI (datamodel-based CLI)
+  URL:=http://genexis.eu
+  DEPENDS:=+usp-js +DMCLI_REMOTE_CONNECTION:mosquitto-auth-plugin +shadow-utils +@BUSYBOX_CONFIG_ADDUSER
+endef
+
+define Package/dmcli/description
+  CLI to view and configure datamodels of CPE
+endef
+
+define Package/dmcli/conffiles
+/etc/dmcli/dmcli.conf
+endef
+
+define Package/dmcli/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/dmcli/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dmcli $(1)/usr/bin/
+
+	$(INSTALL_DIR) $(1)/usr/lib/dmcli
+	$(CP) $(PKG_BUILD_DIR)/common $(1)/usr/lib/dmcli/
+	mv $(1)/usr/lib/dmcli/common/os_qjs.js $(1)/usr/lib/dmcli/common/os.js
+	rm $(1)/usr/lib/dmcli/common/os_node.js
+	$(CP) $(PKG_BUILD_DIR)/core $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/cli $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/data $(1)/usr/lib/dmcli/
+	$(CP) $(PKG_BUILD_DIR)/plugins $(1)/usr/lib/dmcli/
+
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_DMCLI_REMOTE_CONNECTION),y)
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli-remote $(1)/etc/uci-defaults/
+else
+	$(INSTALL_DATA) ./files/etc/uci-defaults/36-dmcli-remote-remove $(1)/etc/uci-defaults/
+endif
+
+	$(INSTALL_DIR) $(1)/etc/dmcli
+	$(CP) ./files/etc/dmcli/dmcli.acl $(1)/etc/dmcli/
+	$(CP) ./files/etc/dmcli/dmcli.conf $(1)/etc/dmcli/
+
+	$(INSTALL_DIR) $(1)/etc/users/roles/
+	$(INSTALL_DATA) ./files/etc/users/roles/operator.json $(1)/etc/users/roles/
+endef
+
+$(eval $(call BuildPackage,dmcli))

dmcli/files/etc/dmcli/dmcli.acl

@@ -0,0 +1,4 @@
+user operator
+topic read /usp/operator/controller/reply-to
+topic read /usp/operator/controller
+topic write /usp/operator/endpoint

dmcli/files/etc/dmcli/dmcli.conf

@@ -0,0 +1,45 @@
+{
+   "Settings": {
+      "USP": {
+         "ActiveConnectionProfile": "local",
+         "ConnectionProfile": [
+            {
+               "Name": "local",
+               "Host": "127.0.0.1",
+               "Port": 9002,
+               "Username": "operator",
+               "Protocol": "ws",
+               "FromId": "oui:000F94:device-controller-operator",
+               "PublishEndpoint": "/usp/operator/endpoint",
+               "SubscribeEndpoint": "/usp/operator/controller"
+            }
+         ],
+         "Session": {
+            "AutoStart": false
+         },
+         "Notification": {
+            "LogTo": "console",
+            "Format": "brief",
+            "LogFile": "usp-notification.log"
+         }
+      },
+      "CLI": {
+         "Home": "/",
+         "Color": "true",
+         "Mode": "Command",
+         "ShowCommandTime": false,
+         "SortDMTree": false
+      },
+      "Prompt": {
+         "Auto": true,
+         "Color": "default",
+         "SelectedBackgroundColor": "yellow",
+         "PageSize": "3",
+         "AutoPromptOnEmptyCommand": false,
+         "AutoPromptInstanceNumbers": false
+      },
+      "Log": {
+         "Level": "Error"
+      }
+   }
+}

dmcli/files/etc/uci-defaults/36-dmcli

@@ -0,0 +1,120 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /lib/functions/iopsys-environment.sh
+. /usr/share/libubox/jshn.sh
+
+DMCLI_CONF="/etc/dmcli/dmcli.conf"
+CONTROLLER_ID='oui:000F94:device-controller-operator'
+DMCLI_RESP_TOPIC="/usp/operator/endpoint"
+DMCLI_CTRL_TOPIC="/usp/operator/controller"
+DMCLI_PORT="9002"
+
+grep -q "^operator:" /etc/passwd || {
+	adduser -g 'Operator' -D -H -s /usr/bin/dmcli --home '/usr/lib/dmcli' 'operator'
+	hash=""
+	if type get_operator_password_hash > /dev/null 2>&1; then
+		hash=$(get_operator_password_hash)
+	fi
+	if [ -z "$hash" ]; then
+		hash='$6$zP4Wk/VQJOLwwofC$teuhnYFQBcA8YUZo/Q0quDMi4SsOHmfBcyvt5VNchPnzgwF1nfNNliC3yBVW22NwmwttPEWeBEBfnMTBB0rYs/'
+	fi
+	echo "operator:${hash}" | chpasswd -e
+}
+
+grep -q "^/usr/bin/dmcli$" /etc/shells || {
+	echo '/usr/bin/dmcli' >> /etc/shells
+}
+
+uci -q del_list sshd.@sshd[0].AllowUsers='operator'
+uci -q add_list sshd.@sshd[0].AllowUsers='operator'
+
+uci -q delete users.operator
+uci -q set users.operator=user
+uci -q set users.operator.enabled=1
+uci -q set users.operator.shell='dmcli'
+uci -q set users.operator.member_roles='operator'
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_add mosquitto listener dmcli_local
+	uci_set mosquitto dmcli_local enabled 1
+	uci_set mosquitto dmcli_local port "${DMCLI_PORT}"
+	uci_set mosquitto dmcli_local protocol 'websockets'
+	uci_set mosquitto dmcli_local acl_file '/etc/dmcli/dmcli.acl'
+	uci_set mosquitto dmcli_local no_remote_access '1'
+	uci_set mosquitto dmcli_local allow_anonymous '1'
+fi
+
+if [ -f "/etc/config/obuspa" ]; then
+	uci_add obuspa mqtt mqtt_operator
+	uci_set obuspa mqtt_operator BrokerAddress '127.0.0.1'
+	uci_set obuspa mqtt_operator BrokerPort '1883'
+	uci_set obuspa mqtt_operator TransportProtocol 'TCP/IP'
+
+	uci_add obuspa mtp mtp_operator
+	uci_set obuspa mtp_operator Protocol 'MQTT'
+	uci_set obuspa mtp_operator ResponseTopicConfigured "${DMCLI_RESP_TOPIC}"
+	uci_set obuspa mtp_operator mqtt 'mqtt_operator'
+
+	uci_add obuspa controller controller_operator
+	uci_set obuspa controller_operator EndpointID "${CONTROLLER_ID}"
+	uci_set obuspa controller_operator Protocol 'MQTT'
+	uci_set obuspa controller_operator Topic "${DMCLI_CTRL_TOPIC}"
+	uci_set obuspa controller_operator mqtt 'mqtt_operator'
+	uci_set obuspa controller_operator assigned_role_name 'operator'
+fi
+
+_get_endpoint_id() {
+	local id serial oui
+
+	id="$(uci -q get obuspa.localagent.EndpointID)"
+	if [ -n "${id}" ]; then
+		echo "${id}"
+		return 0
+	fi
+
+	serial="$(db -q get device.deviceinfo.SerialNumber)"
+	oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
+
+	echo "os::${oui}-${serial//+/%2B}"
+}
+
+update_dmcli_conf() {
+	local endpointid confTmpFile
+	local port fromid publish subscribe toid
+
+	if [ -f "${DMCLI_CONF}" ]; then
+		endpointid="$(_get_endpoint_id)"
+		json_load_file "${DMCLI_CONF}" || return
+		json_select "Settings" || return
+			json_select "USP" || return
+				json_select "ConnectionProfile" || return
+					json_select "1" || return
+						json_get_var port "Port"
+						json_get_var fromid "FromId"
+						json_get_var publish "PublishEndpoint"
+						json_get_var subscribe "SubscribeEndpoint"
+						json_get_var toid "ToId"
+
+						json_add_int "Port" "${DMCLI_PORT}"
+						json_add_string "FromId" "${CONTROLLER_ID}"
+						json_add_string "PublishEndpoint" "${DMCLI_RESP_TOPIC}"
+						json_add_string "SubscribeEndpoint" "${DMCLI_CTRL_TOPIC}"
+						json_add_string "ToId" "${endpointid}"
+					json_select ..
+				json_select ..
+			json_select ..
+		json_select ..
+
+		if [ "${port}" != "${DMCLI_PORT}" ] || [ "${fromid}" != "${CONTROLLER_ID}" ] || \
+			[ "${publish}" != "${DMCLI_RESP_TOPIC}" ] || [ "${subscribe}" != "${DMCLI_CTRL_TOPIC}" ] || \
+			[ "${toid}" != "${endpointid}" ]; then
+			confTmpFile="$(mktemp -u -p "$(dirname "$DMCLI_CONF")" "$(basename "$DMCLI_CONF").XXXXXXX")"
+			json_pretty
+			json_dump > "${confTmpFile}" || return
+			mv -f "${confTmpFile}" "${DMCLI_CONF}" || return
+		fi
+	fi
+}
+
+update_dmcli_conf || exit

dmcli/files/etc/uci-defaults/36-dmcli-remote

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_add mosquitto listener dmcli
+	uci_set mosquitto dmcli enabled 1
+	uci_set mosquitto dmcli port '9003'
+	uci_set mosquitto dmcli protocol 'websockets'
+	uci_set mosquitto dmcli auth_plugin '/usr/lib/mosquitto_auth_plugin.so'
+	uci_set mosquitto dmcli acl_file '/etc/dmcli/dmcli.acl'
+fi
+
+exit 0

dmcli/files/etc/uci-defaults/36-dmcli-remote-remove

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ -f "/etc/config/mosquitto" ]; then
+	uci_remove mosquitto dmcli
+fi
+
+exit 0

dmcli/files/etc/users/roles/operator.json

@@ -0,0 +1,14 @@
+{
+  "tr181": {
+    "name": "operator",
+    "instance": 6,
+    "permission": [
+      {
+        "object": "Device.",
+        "perm": [
+          "PERMIT_ALL"
+        ]
+      }
+    ]
+  }
+}

dmcli/src/Makefile

@@ -0,0 +1,7 @@
+all: dmcli
+
+dmcli: main.c
+	$(CC) $(CFLAGS) -Wall -Werror -o $@ $^
+
+clean:
+	rm -f dmcli

dmcli/src/main.c

@@ -0,0 +1,32 @@
+/*
+* Copyright (c) 2021 Genexis Netherlands B.V. All rights reserved.
+* This Software and its content are protected by the Dutch Copyright Act
+* ('Auteurswet'). All and any copying and distribution of the software
+* and its content without authorization by Genexis Netherlands B.V. is
+* prohibited. The prohibition includes every form of reproduction and
+* distribution.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+/* C Wrapper for operator to login to the CLI via ssh: the shell in
+ * the passwd file cannot be a script that requires an interpreter. */
+int main(int argc, char *argv[])
+{
+	char *cmd[3 + (argc > 1 ? argc - 1 : 0)];
+
+	cmd[0] = "/usr/bin/qjs";
+	cmd[1] = "/usr/lib/dmcli/cli/main.js";
+	cmd[2] = NULL;
+
+	if (argc > 1) {
+		memcpy(&cmd[2], &argv[1], (argc - 1) * sizeof(char *));
+		cmd[2 + argc - 1] = NULL;
+	}
+
+	execv(cmd[0], cmd);
+	fprintf(stderr, "%s: command not found\n", cmd[0]);
+	return 127;
+}

dnsmngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmngr
-PKG_VERSION:=1.0.18
+PKG_VERSION:=1.0.21
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dnsmngr.git
-PKG_SOURCE_VERSION:=80fa147e6f1f0d9c1a62a62a693ff3adaef45363
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=ef3714cc7555f763dfab626add8f90d7bc0a33b5
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

dslmngr/Makefile

@@ -15,7 +15,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/dslmngr.git
 PKG_SOURCE_VERSION:=8fb4093b4d26b3cb06603e110d424005e33cf5d6
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MAINTAINER:=Rahul Thakur <rahul.thakur@iopsys.eu>
 PKG_MIRROR_HASH:=skip
 endif

ebtables-extensions/Makefile

@@ -14,7 +14,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ebtables-extensions.git
 PKG_SOURCE_VERSION:=7357622d806833d93d317164dc6673fbf5fd1629
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

ethmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethmngr
-PKG_VERSION:=3.0.8
+PKG_VERSION:=3.1.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/ethmngr.git
-PKG_SOURCE_VERSION:=c73e5b15718ca40b2740bbe6151dfbb2bcca16df
+PKG_SOURCE_VERSION:=0283fb5cb74a7baca46c4360da680757c57c86ac
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif

fatrace/Makefile

@@ -16,7 +16,7 @@ PKG_SOURCE_VERSION:=98af6019a4a1b478a6fa35f74528cb3cd404ae40
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://git.launchpad.net/fatrace
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 

fdtextract/Makefile

@@ -10,20 +10,15 @@ PKG_NAME:=fdtextract
 PKG_RELEASE:=1
 PKG_VERSION:=1.0
 
-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/fdtextract.git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/system/fdtextract.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=e3cefda3b26c9aea3021b20725ce7b31b33eebc4
+PKG_SOURCE_VERSION:=7917dbcb29724476cd46164eec29848df1e5fb67
 PKG_MIRROR_HASH:=skip
 
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=LICENSE
 
-RSTRIP:=true
-export BUILD_DIR
-
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_BUILD_PARALLEL:=1
 
 include $(INCLUDE_DIR)/package.mk
@@ -40,9 +35,7 @@ endef
 
 define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/fdtextract $(1)/usr/sbin/
-	$(STRIP) $(1)/usr/sbin/fdtextract
 endef
 
 $(eval $(call BuildPackage,$(PKG_NAME)))

firewallmngr/Config.in

@@ -8,11 +8,5 @@ config FIREWALLMNGR_PORT_TRIGGER
 	help
 	   Set this option to include support for PortTrigger object.
 
-config FIREWALLMNGR_NAT_INTERFACE_SETTING
-	bool "Include Device.NAT.InterfaceSetting"
-	default n
-	help
-	   Set this option to include support for NAT InterfaceSetting object.
-
 endmenu
 endif

firewallmngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.9.1
+PKG_VERSION:=1.0.12
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
-PKG_SOURCE_VERSION:=3ce0550dbbc49617c36202fc8d63e453467a246e
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=30319c67fb4db285a2bcd272b1c10bc040eecf19
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -52,10 +52,6 @@ ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
 	TARGET_CFLAGS += -DINCLUDE_PORT_TRIGGER
 endif
 
-ifeq ($(CONFIG_FIREWALLMNGR_NAT_INTERFACE_SETTING),y)
-	TARGET_CFLAGS += -DINCLUDE_NAT_IF_SETTING
-endif
-
 define Package/firewallmngr/install
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/uci-defaults

fluent-bit/Makefile

@@ -13,7 +13,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/fluent/fluent-bit.git
 PKG_SOURCE_VERSION=v$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

gateway-info/Makefile

@@ -15,7 +15,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/gateway-info.git
 PKG_SOURCE_VERSION:=dd15893a8291e556a8c49ff9e143c763db0379b5
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

gateway-info/files/etc/uci-defaults/86-set-gateway-device-info

@@ -110,7 +110,7 @@ configure_send_op125() {
 
 
 	if [ "${uci}" = "network" ]; then
-		new_send_opt="$sendopt $opt125"
+		[ -n "${sendopt}" ] && new_send_opt="$sendopt $opt125" || new_send_opt="$opt125"
 		uci -q set network."${intf}".sendopts="$new_send_opt"
 	else
 		new_send_opt="$sendopt$opt125"
@@ -228,7 +228,7 @@ enable_dhcp_option125() {
 
 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${wan}".reqopts="$newreqopts"
 		fi
 

gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user

@@ -40,22 +40,22 @@ get_vivsoi() {
 
 	#hex-string 2 character=1 Byte
 	# length in hex string will be twice of actual Byte length
-	[ "$len" -gt "8" ] || return
+	[ "${len}" -gt 8 ] || return
 
 	data="${opt125}"
 	rem_len="${len}"
-	while [ $rem_len -gt 0 ]; do
+	while [ "${rem_len}" -gt 0 ]; do
 		ent_id=${data:0:8}
 		ent_id=$(printf "%d\n" "0x$ent_id")
 
-		if [ $ent_id -ne  3561 ]; then
+		if [ "${ent_id}" -ne  3561 ]; then
 			len_val=${data:8:2}
 			data_len=$(printf "%d\n" "0x$len_val")
 			# add 4 byte for ent_id and 1 byte for len
 			data_len=$(( data_len * 2 + 10 ))
 			# move ahead data to next enterprise id
 			data=${data:"${data_len}":"${rem_len}"}
-			rem_len=$(( rem_len - $data_len ))
+			rem_len=$(( rem_len - data_len ))
 			continue
 		fi
 
@@ -66,7 +66,7 @@ get_vivsoi() {
 		data_len=$(( data_len * 2 + 10 ))
 
 		opt_len=$(printf "%d\n" "0x$len_val")
-		[ $opt_len -eq 0 ] && return
+		[ "${opt_len}" -eq 0 ] && return
 
 		# populate the option data of enterprise id
 		sub_data_len=$(( opt_len * 2))
@@ -74,7 +74,7 @@ get_vivsoi() {
 		sub_data=${data:10:"${sub_data_len}"}
 
 		# parsing of suboption of option 125
-		while [ $sub_data_len -gt 0 ]; do
+		while [ "${sub_data_len}" -gt 0 ]; do
 			# get the suboption id
 			sub_opt_id=${sub_data:0:2}
 			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
@@ -85,20 +85,20 @@ get_vivsoi() {
 			sub_opt_len=$(( sub_opt_len * 2 ))
 
 			# get the value of sub option starting 4 means starting after length
-			sub_opt_val=${sub_data:4:${sub_opt_len}}
+			sub_opt_val=${sub_data:4:"${sub_opt_len}"}
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
 				"4")
-				OUI=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				OUI=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				GW_DISCOVERED=1
 				;;
 				"5")
-				SERIAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				SERIAL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				GW_DISCOVERED=1
 				;;
 				"6")
-				CLASS=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				CLASS=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				GW_DISCOVERED=1
 				;;
 			esac
@@ -110,7 +110,7 @@ get_vivsoi() {
 			sub_data_len=$((sub_data_len - sub_opt_end))
 
 			# fetch next sub option hex string
-			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+			sub_data=${sub_data:"${sub_opt_end}":"${sub_data_len}"}
 		done
 
 		# move ahead data to next enterprise id
@@ -131,15 +131,13 @@ send_host_query() {
 		sleep 5
 
 		json_load "$(ubus call umdns browse)"
-		json_select discovered_services
-		if [ "${?}" -ne 0 ]; then
+		if ! json_select discovered_services; then
 			json_cleanup
 			loop=$(( loop - 1 ))
 			continue
 		fi
 
-		json_select _usp-agt-mqtt._tcp
-		if [ "${?}" -ne 0 ]; then
+		if ! json_select _usp-agt-mqtt._tcp; then
 			json_cleanup
 			loop=$(( loop - 1 ))
 			continue
@@ -156,7 +154,7 @@ send_host_query() {
 
 	json_get_keys keys
 	for key in $keys; do
-		json_select $key
+		json_select "${key}"
 		json_get_var _host host ""
 
 		if [ -z "${_host}" ] || [[ "${sent_host}" =~ " ${_host}" ]]; then
@@ -166,9 +164,10 @@ send_host_query() {
 
 		sent_host="${sent_host} ${_host}"
 		cmd="ubus call umdns query '{\"question\":\"$_host\",\"interface\":\"$intf\"}'"
-		eval $cmd
+		sh -c "${cmd}"
 		resp=0
 		json_select ..
+		sleep 2 # umdns query sometime takes time to resolve so adding some sleep
 	done
 
 	json_cleanup
@@ -185,32 +184,29 @@ get_usp_agent_id() {
 	fi
 
 	json_load "$(ubus call umdns browse)"
-	json_select discovered_services
-	if [ "${?}" -ne 0 ]; then
+	if ! json_select discovered_services; then
 		json_cleanup
-		echo ${ID}
+		echo "${ID}"
 		return 0
 	fi
 
-	json_select _usp-agt-mqtt._tcp
-	if [ "${?}" -ne 0 ]; then
+	if ! json_select _usp-agt-mqtt._tcp; then
 		json_cleanup
-		echo ${ID}
+		echo "${ID}"
 		return 0
 	fi
 
 	json_get_keys keys
 	for key in $keys; do
-		json_select $key
-		json_select $family
-		if [ "${?}" -ne 0 ]; then
+		json_select "${key}"
+		if ! json_select "${family}"; then
 			json_select ..
 			continue
 		fi
 
 		json_get_keys ips
 		for ip in $ips; do
-			json_get_var ip_val $ip
+			json_get_var ip_val "${ip}"
 			if [ "${ip_val}" != "${dhcp_ip}" ]; then
 				continue
 			fi
@@ -219,8 +215,8 @@ get_usp_agent_id() {
 			json_select txt
 			json_get_keys txts
 			for _txt in $txts; do
-				json_get_var text_val $_txt
-				if [[ "${text_val:0:3}" == "ID=" ]]; then
+				json_get_var text_val "${_txt}"
+				if [[ "${text_val:0:3}" = "ID=" ]]; then
 					ID="${text_val:3}"
 					break
 				fi
@@ -238,16 +234,16 @@ get_usp_agent_id() {
 	done
 
 	json_cleanup
-	echo ${ID}
+	echo "${ID}"
 }
 
 get_mac_address() {
 	ip="${1}"
 	device="${2}"
 
-	mac="$(cat /proc/net/arp | grep $ip | awk '{print $4}')"
+	mac=$(grep "${ip}" /proc/net/arp | awk '{print $4}')
 	if [ -z "${mac}" ]; then
-		arp_resp="$(arping -b -f -c 5 -I $device $ip | grep 'Unicast reply from' | awk '{print $5}')"
+		arp_resp=$(arping -b -f -c 5 -I "${device}" "${ip}" | grep 'Unicast reply from' | awk '{print $5}')
 		if [ -n "${arp_resp}" ]; then
 			mac=${arp_resp:1:-1}
 		fi
@@ -260,7 +256,7 @@ send_unknown_gw_event() {
 	mac="${1}"
 
 	cmd="ubus -t 5 send gateway-info.gateway.unknown '{\"hwaddr\":\"$mac\"}'"
-	eval $cmd
+	sh -c "${cmd}"
 }
 
 send_cwmp_gw_event() {
@@ -269,14 +265,14 @@ send_cwmp_gw_event() {
 	serial="${3}"
 
 	cmd="ubus -t 5 send gateway-info.gateway.cwmp '{\"oui\":\"$oui\",\"class\":\"$class\",\"serial\":\"$serial\"}'"
-	eval $cmd
+	sh -c "${cmd}"
 }
 
 send_usp_gw_event() {
 	endpoint="${1}"
 
 	cmd="ubus -t 5 send gateway-info.gateway.usp '{\"endpoint\":\"$endpoint\"}'"
-	eval $cmd
+	sh -c "${cmd}"
 }
 
 config_load gateway
@@ -287,13 +283,13 @@ if [ "${enable}" -eq 0 ]; then
 	return 0
 fi
 
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
-	if [ "${1}" == "deconfig" ]; then
+if [ "${wan_intf}" = "${INTERFACE}" ]; then
+	if [ "${1}" = "deconfig" ]; then
 		rm -rf /var/state/gwinfo
 		return 0
 	fi
 
-	json_load "$(ifstatus ${INTERFACE})"
+	json_load "$(ifstatus "${INTERFACE}")"
 	json_get_var dev_name device ""
 	json_select data
 	json_get_var dhcp_ip dhcpserver ""
@@ -303,7 +299,7 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		return 0
 	fi
 
-	MAC="$(get_mac_address $dhcp_ip $dev_name)"
+	MAC=$(get_mac_address "${dhcp_ip}" "${dev_name}")
 
 	mkdir -p /var/state
 	touch /var/state/gwinfo
@@ -326,8 +322,8 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		return 0
 	fi
 
-	len=$(printf "$opt125"|wc -c)
-	get_vivsoi "$opt125" "$len"
+	len=$(echo -n "${opt125}" | wc -c)
+	get_vivsoi "${opt125}" "${len}"
 
 	if [ "${GW_DISCOVERED}" -eq 0 ]; then
 		send_unknown_gw_event "${MAC}"
@@ -341,19 +337,18 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 	uci -q -c /var/state commit gwinfo
 
 	# Check for USP parameters
-	ubus -t 15 wait_for umdns
-	if [ "${?}" -ne 0 ]; then
+	if ! ubus -t 15 wait_for umdns; then
 		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
 		return 0
 	fi
 
-	resp=$(send_host_query $dev_name)
+	resp=$(send_host_query "${dev_name}")
 	if [ "${resp}" -ne 0 ]; then
 		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
 		return 0
 	fi
 
-	ID="$(get_usp_agent_id $dhcp_ip)"
+	ID=$(get_usp_agent_id "${dhcp_ip}")
 	if [ -z "${ID}" ]; then
 		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
 		return 0

hostmngr/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostmngr
-PKG_VERSION:=1.3.3
+PKG_VERSION:=1.4.3
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=fee5bd0067fc1f30498bc2b81e893d170796b459
+PKG_SOURCE_VERSION:=667866b8149d3df83a05536319eac02aee0b6d75
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/hostmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

icwmp/Config.in

@@ -19,4 +19,8 @@ config ICWMP_VENDOR_PREFIX
 config ICWMP_ENABLE_SMM_SUPPORT
 	bool "Enable software module management support"
 	default n
+
+config ICWMP_ENABLE_ANNEX_F_INFORM_PARAM
+	bool "Enable Device.Gateway. and Device.ManagementServer.ManageableDevice. as inform parameter"
+	default y
 endmenu

icwmp/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.9.9.4
+PKG_VERSION:=9.10.13
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=868f749f3fd61a094cc4792ea842a261443a99ad
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=fc34f19ec5ab691b3d815a0d1d917903d310db75
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -84,11 +84,15 @@ define Package/icwmp/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/icwmpd $(1)/usr/sbin/icwmpd
 	$(INSTALL_DATA) ./files/etc/config/cwmp $(1)/etc/config/cwmp
 	$(INSTALL_BIN) ./files/etc/init.d/icwmpd $(1)/etc/init.d/icwmpd
+	$(INSTALL_BIN) ./files/etc/uci-defaults/50-cwmp-align-keep-config $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/90-cwmpfirewall $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/95-set-random-inform-time $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/85-migrate-gw-info $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/999-cwmp-conn-config $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_ICWMP_ENABLE_ANNEX_F_INFORM_PARAM),y)
+	$(INSTALL_BIN) ./files/etc/uci-defaults/99-cwmp-annex-f-config $(1)/etc/uci-defaults/
+endif
 	$(INSTALL_BIN) ./files/etc/icwmpd/vendor_log.sh $(1)/etc/icwmpd/vendor_log.sh
 	$(INSTALL_BIN) ./files/etc/icwmpd/firewall.cwmp $(1)/etc/icwmpd/firewall.cwmp
 	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/icwmp $(1)/lib/upgrade/keep.d/icwmp

icwmp/files/etc/config/cwmp

@@ -31,7 +31,6 @@ config cpe 'cpe'
 	option bind_retries '5'
 	option userid '' #$OUI-$SER
 	option passwd ''
-	option port '7547'
 	option provisioning_code ''
 	option amd_version '5'
 	# compression possible configs: InstanceNumber, InstanceAlias
@@ -43,7 +42,9 @@ config cpe 'cpe'
 	option periodic_notify_interval '10'
 	option incoming_rule 'Port_Only'
 	option active_notif_throttle '0'
-	option fw_upgrade_keep_settings '1'
+	#option KeepConfig '1'
+	#option KeepOpConf '1'
+	#option ConfigScope 'UserOnly'
 	option clock_sync_timeout '128'
 	option disable_datatype_check '0'
 	#list allowed_cr_ip '10.5.1.0/24'

icwmp/files/etc/icwmpd/firewall.cwmp

@@ -133,9 +133,56 @@ add_firewall_rule() {
 	fi
 }
 
+remove_port_protection() {
+	local enabled chain rule rule_num
+
+	config_get enabled "${1}" "${2}"
+
+	if [ "${enabled}" -eq 1 ]; then
+		config_get zonename "$1" name
+		[ -n "$zonename" ] || return 0
+
+		chain='prerouting_'$zonename'_rule'
+
+		while rule=$(iptables -w -t nat -nL "$chain" --line-numbers | grep -m 1 -w CWMP_Port_protection); do
+			rule_num=${rule%%[$' \t']*}
+			iptables -w -t nat -D "$chain" "$rule_num"
+		done
+	fi
+}
+
+cleanup_port_protection() {
+	config_load firewall
+	config_foreach remove_port_protection zone masq
+}
+
+install_port_protection() {
+	local PORT="${3}"
+	local enabled zonename chain
+
+	config_get enabled "${1}" "${2}"
+
+	if [ "${enabled}" -eq 1 ]; then
+		config_get zonename "${1}" name
+		[ -n "$zonename" ] || return 0
+
+		chain='prerouting_'$zonename'_rule'
+
+		iptables -w -t nat -I "$chain" -p tcp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
+		iptables -w -t nat -I "$chain" -p udp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
+	fi
+}
+
+add_port_protection() {
+	config_load firewall
+	config_foreach install_port_protection zone masq "${1}"
+}
+
 configure_connection_req_rules() {
 	app="${1}"
 
+	cleanup_port_protection
+
 	wan="$(uci -q get cwmp.cpe.default_wan_interface)"
 	wan="${wan:-wan}"
 
@@ -175,8 +222,11 @@ configure_connection_req_rules() {
 		fi
 	fi
 
-	port=$(uci -q get cwmp.cpe.port)
-	port="${port:-7547}"
+	port=$(uci -q -c /var/state get icwmp.cpe.port)
+	if [ -z "${port}" ]; then
+		log "cwmp cpe port not configured"
+		exit 0
+	fi
 
 	ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
 	if [ -n "${ipaddr}" ]; then
@@ -197,6 +247,8 @@ configure_connection_req_rules() {
 		# Close the ACS port at Lan side
 		close_downstream_acs_port "${lan}" "${port}"
 	fi
+
+	add_port_protection "${port}"
 }
 
 load_zone_names

icwmp/files/etc/init.d/icwmpd

@@ -97,7 +97,9 @@ validate_cpe_section()
 		'periodic_notify_enable:bool' \
 		'enable:bool:1' \
 		'periodic_notify_interval:uinteger' \
-		'fw_upgrade_keep_settings:bool'
+		'KeepConfig:bool' \
+		'KeepOpConf:bool' \
+		'ConfigScope:string'
 }
 
 validate_defaults() {
@@ -168,13 +170,21 @@ start_service() {
 
 stop_service()
 {
-	local switch_bank
+	local switch_bank KeepConfig KeepOpConf ConfigScope
 
 	copy_cwmp_varstate_files_to_etc
-	
 	switch_bank=$(uci -q -c /var/state/ get icwmp.cpe.switch_bank)
-	if [ -n "$switch_bank" ] && [ "$switch_bank" = "1" ]; then
-		[ -x /etc/sysmngr/fwbank ] && /etc/sysmngr/fwbank call copy_config
+	if [ "$switch_bank" = "1" ] && [ -x /etc/sysmngr/fwbank ]; then
+		KeepConfig="$(uci -q get cwmp.cpe.KeepConfig)"
+		KeepOpConf="$(uci -q get cwmp.cpe.KeepOpConf)"
+		ConfigScope="$(uci -q get cwmp.cpe.ConfigScope)"
+
+		json_init
+		[ -n "${KeepConfig}" ] && json_add_boolean "keep_config" "${KeepConfig}"
+		[ -n "${KeepOpConf}" ] && json_add_boolean "keep_opconf" "${KeepOpConf}"
+		[ -n "${ConfigScope}" ] && json_add_string "config_scope" "${ConfigScope}"
+
+		json_dump| /etc/sysmngr/fwbank call copy_config
 	fi
 }
 

icwmp/files/etc/uci-defaults/50-cwmp-align-keep-config

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+keep_settings="$(uci -q get cwmp.cpe.fw_upgrade_keep_settings)"
+if [ -n "${keep_settings}" ]; then
+	uci -q delete cwmp.cpe.fw_upgrade_keep_settings
+	uci -q set cwmp.cpe.KeepConfig="${keep_settings}"
+fi

icwmp/files/etc/uci-defaults/90-cwmpfirewall

@@ -5,7 +5,6 @@ uci -q batch <<-EOT
         set firewall.cwmp=include
         set firewall.cwmp.path=/etc/icwmpd/firewall.cwmp
         set firewall.cwmp.reload=1
-        commit firewall
 EOT
 
 exit 0

icwmp/files/etc/uci-defaults/99-cwmp-annex-f-config

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+validate_inform_parameter() {
+	local section="${1}"
+	local target_param="${2}"
+	local parameter_name
+
+	config_get parameter_name "${section}" parameter_name
+	if [ "${parameter_name}" = "${target_param}" ]; then
+		return 0
+	fi
+
+	return 1
+}
+
+check_param_exists() {
+	local target_param="${1}" 
+	local found=1
+
+	check_section() {
+		local section="${1}"
+		if validate_inform_parameter "${section}" "${target_param}"; then
+			found=0
+		fi
+	}
+
+	config_foreach check_section inform_parameter
+	return "${found}"
+}
+
+configure_annex_f_inform_param() {
+	[ -f /etc/config/gateway ] || return 0
+
+	config_load cwmp
+
+	if ! check_param_exists "Device.GatewayInfo."; then
+		uci -q set cwmp.gw_info_param=inform_parameter
+		uci -q set cwmp.gw_info_param.enable='1'
+		uci -q set cwmp.gw_info_param.events_list='0 BOOTSTRAP,1 BOOT'
+		uci -q set cwmp.gw_info_param.parameter_name='Device.GatewayInfo.'
+	fi
+
+	if ! check_param_exists "Device.ManagementServer.ManageableDevice."; then
+		uci -q set cwmp.mng_dev_param=inform_parameter
+		uci -q set cwmp.mng_dev_param.enable='1'
+		uci -q set cwmp.mng_dev_param.events_list='0 BOOTSTRAP,1 BOOT'
+		uci -q set cwmp.mng_dev_param.parameter_name='Device.ManagementServer.ManageableDevice.'
+	fi
+}
+
+configure_annex_f_inform_param

icwmp/files/etc/udhcpc.user.d/udhcpc_icwmp_opt43.user

@@ -16,12 +16,12 @@ get_opt43() {
 	local opt43="$1"
 	local len="$2"
 
-	[ "$len" -gt "2" ] || return
+	[ "${len}" -gt 2 ] || return
 
 	first_byte=${opt43:0:2}
 	first_byte=$(printf "%d\n" "0x$first_byte")
 
-	if [ $len -ge 4 ] && [ $first_byte -ge 1 ] && [ $first_byte -le 4 ]; then
+	if [ "${len}" -ge 4 ] && [ "${first_byte}" -ge 1 ] && [ "${first_byte}" -le 4 ]; then
 		# it is in encapsulated form
 		# opt43 encapsulated vendor-specific option has data in below format
 		#  Code   Len   Data item        Code   Len   Data item        Code
@@ -35,7 +35,7 @@ get_opt43() {
 		data="${opt43}"
 		rem_len="${len}"
 		# parsing of suboption of option 43
-		while [ $rem_len -gt 0 ]; do
+		while [ "${rem_len}" -gt 0 ]; do
 			# get the suboption id
 			sub_opt_id=${data:0:2}
 			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
@@ -50,13 +50,13 @@ get_opt43() {
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
-				"1") DHCP_ACS_URL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"1") DHCP_ACS_URL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
-				"2") DHCP_PROV_CODE=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"2") DHCP_PROV_CODE=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
-				"3") MIN_WAIT_INVL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"3") MIN_WAIT_INVL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
-				"4") INVL_MULTIPLIER=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"4") INVL_MULTIPLIER=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
 			esac
 
@@ -70,13 +70,14 @@ get_opt43() {
 			rem_len=$((rem_len - sub_opt_end))
 		done
 	else
-		DHCP_ACS_URL=$(echo -n $opt43 | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+		DHCP_ACS_URL=$(echo -n "${opt43}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 	fi
 }
 
 config_load cwmp
 config_get wan_intf cpe default_wan_interface "wan"
 config_get dhcp_discovery acs dhcp_discovery "0"
+config_get_bool insecure_enable acs insecure_enable "0"
 config_get dhcp_url acs dhcp_url ""
 config_get min_wait_intvl acs dhcp_retry_min_wait_interval "0"
 config_get intvl_multi acs dhcp_retry_interval_multiplier "0"
@@ -92,9 +93,9 @@ if [ "$discovery_enable" = "0" ]; then
 	return 0
 fi
 
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
+if [ "${wan_intf}" = "${INTERFACE}" ]; then
 	if [ -n "$opt43" ]; then
-		len=$(printf "$opt43"|wc -c)
+		len=$(echo -n "$opt43"|wc -c)
 		get_opt43 "$opt43" "$len"
 	fi
 
@@ -102,6 +103,17 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		return 0
 	fi
 
+	if [ "${insecure_enable}" -eq "0" ]; then
+		case $DHCP_ACS_URL in
+		https://*)
+			log "ACS url $DHCP_ACS_URL has https"
+			;;
+		*)
+			return 0
+			;;
+		esac
+	fi
+
 	sec=$(uci -q get cwmp.acs)
 
 	if [ -z "${sec}" ]; then

ieee1905/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ieee1905
-PKG_VERSION:=8.7.33
+PKG_VERSION:=8.7.44
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=f28f1c04cae008d7d6448ba02b992506af28448c
+PKG_SOURCE_VERSION:=29ba8f04dc6bd7e77683352c0c71988f51fbadf8
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -116,7 +116,7 @@ MAKE_PATH:=src
 
 
 define Package/ieee1905/install
-	$(CP) ./files/* $(1)/
+	$(CP) ./files/etc $(1)/
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_DIR) $(1)/usr/lib/ieee1905
 	$(INSTALL_DIR) $(1)/usr/sbin

ieee1905/files/datamodel_description.json

@@ -0,0 +1,23 @@
+{
+	"Device.IEEE1905.AL.": {
+		"type": "object",
+		"protocols": [
+			"cwmp",
+			"usp"
+		],
+		"access": false,
+		"array": false,
+		"{BBF_VENDOR_PREFIX}LocalOnlyMode": {
+			"type": "boolean",
+			"read": true,
+			"write": true,
+			"protocols": [
+				"cwmp",
+				"usp"
+			],
+			"description": "Enable or disable interfaces from ieee1905.",
+			"datatype": "boolean"
+		}
+	}
+}
+

imonitor/Makefile

@@ -13,7 +13,7 @@ PKG_INSTALL:=1
 PKG_SOURCE_PROTO=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/imonitor.git
 PKG_SOURCE_VERSION:=4beb1d5d6925507f1850a84c0b83aaf12a082f7f
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 PKG_SOURCE_SUBDIR:=${PKG_NAME}-${PKG_VERSION}
 PKG_INSTALL:=1

iopsys-analytics/Makefile

@@ -4,7 +4,7 @@ PKG_NAME:=iopsys-analytics
 PKG_RELEASE:=$(COMMITCOUNT)
 PKG_LICENSE:=PROPRIETARY
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=25e32ac5a860aec6e53e3449565b71595073e014
+PKG_SOURCE_VERSION:=5ad41ca8eb5de887487feb7148b5dce44943218c
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/iopsys-analytics.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -34,6 +34,9 @@ define Package/$(PKG_NAME)
     +@PACKAGE_syslog-ng:SYSLOGNG_LOGROTATE              \
     +PACKAGE_fluent-bit:logrotate                       \
     +@DMCLI_REMOTE_CONNECTION
+  # tools used in development/testing
+  DEPENDS+=                                             \
+    +iperf3
 
 endef
 

ipt-trigger/Makefile

@@ -14,7 +14,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_VERSION:=ac1beae4794f99533b28db7d0e6e80f4c268a3e8
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ipt-trigger.git
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

libdpp/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libdpp
-PKG_VERSION:=2.1.2
+PKG_VERSION:=2.1.3
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=5f1184c52be19f3bfd3bc7e9bc582ef09b0a2b1c
+PKG_SOURCE_VERSION:=fdfe23e51ff77ca6d2661ad6208d097758524147
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/libdpp.git
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz

libeasy/Makefile

@@ -1,32 +1,28 @@
 #
-# Copyright (C) 2020-2023 Iopsys
+# Copyright (C) 2025 Genexis Sweden AB
 #
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libeasy
-PKG_VERSION:=7.4.6
+PKG_VERSION:=7.5.1
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=ca7b20068c9d373e41045a2e899a9c697576262c
-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libeasy.git
-PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
+PKG_SOURCE_VERSION:=b981f7e1bd51f66041cd0c25d15af74ae1e3bc75
+PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libeasy.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=LGPL-2.1-only
-PKG_LICENSE_FILES:=LICENSE
+PKG_LICENSE_FILES:=
+PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@genexis.eu>
 
 include $(INCLUDE_DIR)/package.mk
-
-TARGET_CFLAGS += \
-	-I$(STAGING_DIR)/usr/include \
-	-I$(STAGING_DIR)/usr/include/openssl \
-	-I$(STAGING_DIR)/usr/include/libnl3
+include $(INCLUDE_DIR)/cmake.mk
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -34,9 +30,6 @@ define Build/Prepare
 endef
 endif
 
-MAKE_FLAGS += \
-	CFLAGS="$(TARGET_CFLAGS) -Wall"
-
 define Package/libeasy
   SECTION:=libs
   CATEGORY:=Libraries
@@ -47,7 +40,7 @@ define Package/libeasy
 endef
 
 define Package/libeasy/description
-  Library provides common utility functions
+  This package provides libeasy.so for common utility functions.
 endef
 
 define Build/InstallDev/libeasy
@@ -67,6 +60,7 @@ define Build/InstallDev/libeasy
 endef
 
 define Build/InstallDev
+	$(call Build/InstallDev/cmake,$(1))
 	$(call Build/InstallDev/libeasy,$(1),$(2))
 endef
 

libpicoevent-bcm/Makefile

@@ -17,7 +17,7 @@ PKG_NAME:=libpicoevent-bcm
 PKG_LICENSE:=LGPL-2.1-only
 PKG_LICENSE_FILES:=LICENSE
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 
 include $(INCLUDE_DIR)/package.mk

libpicoevent/Makefile

@@ -17,7 +17,7 @@ PKG_NAME:=libpicoevent
 PKG_LICENSE:=LGPL-2.1-only
 PKG_LICENSE_FILES:=LICENSE
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 
 include $(INCLUDE_DIR)/package.mk

libqos/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libqos
-PKG_VERSION:=7.2.109
+PKG_VERSION:=7.2.111
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libqos.git
-PKG_SOURCE_VERSION:=4948d372c3d7e43a0ba9aee517dbb83b94bba3dc
+PKG_SOURCE_VERSION:=2e4c6a9c27e0f4f68dfe7a5c930afefd8dc7119a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
@@ -65,7 +65,7 @@ define Package/libqos
   SUBMENU:=IOPSYS HAL libs
   MENU:=1
   TITLE:= QoS library (libqos)
-  DEPENDS+=+libnl +libnl-route +libeasy +TARGET_brcmbca:bcm963xx-bsp
+  DEPENDS+=+libnl +libnl-route +libeasy +TARGET_brcmbca:bcm963xx-bsp +TARGET_airoha:libuci
 endef
 
 define Package/libqos/config

libtrace/Makefile

@@ -6,7 +6,7 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/apietila/libtrace.git
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.zst
 PKG_SOURCE_VERSION:=e4b4c5cce35a52da152776a00532aa0b80879c5b
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 

libvoice-airoha/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvoice-airoha
 PKG_RELEASE:=1
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.8
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE
 
@@ -17,8 +17,8 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=3a30086a68a3409f0396acb01380f91daabf7a2f
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=9763c574ec69e2aa492db4f1296d4bcd53776fba
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha

@@ -25,6 +25,5 @@ db commit
 # configure the PCM for DECT/DCX81
 [ -f "/proc/device-tree/aliases/dcx81-uart" ] && {
     uci set dect.global.pcm_fsync='SHORT_LF'
-    uci set dect.global.pcm_slot_start='8'
     uci set dect.global.dect_channel_start='3'
 }

libvoice-broadcom/Makefile

@@ -18,7 +18,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
 PKG_SOURCE_VERSION:=baf5ebfb45404714bbfcc3068080f93265934d8a
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

libvoice-d2/Makefile

@@ -18,7 +18,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
 PKG_SOURCE_VERSION:=0b2bef862fb5aea0b285e339459f46779224e2d0
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

libwifi/Makefile

@@ -1,27 +1,32 @@
 #
-# Copyright (C) 2020-2023 Iopsys
+# Copyright (C) 2019-2024 Iopsys
+# Copyright (C) 2025 Genexis Sweden AB
 #
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.13.7
+PKG_VERSION:=7.22.11
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=0b3cc45334c167d164c2c79e82522f13698abf92
-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git
-PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
+PKG_SOURCE_VERSION:=6572047d613d4dc88ed83a80fb4ae0798ab71078
+PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libwifi.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=LGPL-2.1-only
-PKG_LICENSE_FILES:=LICENSE
+PKG_LICENSE_FILES:=
+PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@genexis.eu>
+
+MAKE_VERBOSE := 1
 
 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/cmake.mk
 
 ifeq ($(CONFIG_TARGET_brcmbca),y)
   TARGET_PLATFORM=BROADCOM
@@ -42,10 +47,20 @@ else ifeq ($(CONFIG_TARGET_armvirt),y)
 else ifeq ($(CONFIG_TARGET_airoha),y)
   TARGET_PLATFORM=ECONET
   TARGET_WIFI_TYPE=MEDIATEK
-  TARGET_CFLAGS +=-DIOPSYS_ECONET
+  TARGET_CFLAGS +=-DIOPSYS_ECONET -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
   ifeq ($(CONFIG_TARGET_airoha_an7581),y)
     TARGET_CFLAGS +=-DCONFIG_MTK
   endif
+else ifeq ($(CONFIG_TARGET_mediatek),y)
+  TARGET_PLATFORM=MEDIATEK
+  TARGET_WIFI_TYPE=MAC80211
+  ifeq ($(CONFIG_TARGET_DEVICE_mediatek_filogic_DEVICE_cx750),y)
+    TARGET_WIFI_TYPE=MEDIATEK
+    TARGET_CFLAGS +=-DCONFIG_MTK -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
+  else ifeq ($(CONFIG_TARGET_DEVICE_mediatek_filogic_DEVICE_mediatek_mt7987a-spim-nand-an8801sb),y)
+    TARGET_WIFI_TYPE=MEDIATEK
+    TARGET_CFLAGS +=-DCONFIG_MTK -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
+  endif
 else ifeq ($(CONFIG_TARGET_ipq95xx),y)
   TARGET_PLATFORM=IPQ95XX
   TARGET_WIFI_TYPE=QUALCOMM
@@ -67,7 +82,7 @@ endif
 PKG_BUILD_DEPENDS:=PACKAGE_kmod-mt7915e_en7523:mt76_en7523
 
 ifneq ($(CONFIG_PACKAGE_libwifi),)
-TARGET_CFLAGS +=-DHAS_WIFI
+  CMAKE_OPTIONS +=-DHAS_WIFI=ON
 endif
 
 ifeq ($(CONFIG_LIBWIFI_USE_CTRL_IFACE),y)
@@ -78,18 +93,8 @@ ifeq ($(CONFIG_LIBWIFI_SKIP_PROBES),y)
   TARGET_CFLAGS +=-DLIBWIFI_BRCM_SKIP_PROBES
 endif
 
-TARGET_CFLAGS += \
-	-I$(STAGING_DIR)/usr/include \
-	-I$(STAGING_DIR)/usr/include/openssl \
-	-I$(STAGING_DIR)/usr/include/libnl3
 
-MAKE_FLAGS += \
-	CFLAGS="$(TARGET_CFLAGS) -Wall -I./" \
-	LDFLAGS="$(TARGET_LDFLAGS)" \
-	FPIC="$(FPIC)" \
-	PLATFORM="$(TARGET_PLATFORM)" \
-	WIFI_TYPE="$(TARGET_WIFI_TYPE)" \
-	subdirs="$(subdirs)"
+CMAKE_OPTIONS += -DPLATFORM=$(TARGET_PLATFORM) -DWIFI_TYPE=$(TARGET_WIFI_TYPE)
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -97,43 +102,39 @@ define Build/Prepare
 endef
 endif
 
-define Package/libwifi-common
-  SECTION:=libs
-  CATEGORY:=Libraries
-  TITLE:=libwifi
-  SUBMENU:=IOPSYS HAL libs
-  DEPENDS:=+libopenssl
-  MENU:=1
+define Package/libwifiutils
+	SECTION:=libs
+	CATEGORY:=Libraries
+	TITLE:= WiFi utility library (libwifiutils.so)
+	DEPENDS+=+libnl +libnl-route +libeasy +libopenssl
+endef
+
+define Package/libwifiutils/description
+	Library provides WiFi utility functions
+endef
+
+define Package/libwifi
+	SECTION:=libs
+	CATEGORY:=Libraries
+	TITLE:= WiFi HAL library (libwifi-7.so.m)
+	DEPENDS+=+libnl +libnl-route +libeasy +libwifiutils +TARGET_brcmbca:bcm963xx-bsp
 endef
 
 define Package/libwifi/description
-  Library provides WiFi HAL APIs and WiFi common utility functions
-endef
-
-define Package/libwifiutils
-  $(call Package/libwifi-common)
-  TITLE:= WiFi utility library (libwifiutils.so)
-  DEPENDS+=+libnl +libnl-route +libeasy
+	Library provides WiFi HAL APIs
 endef
 
 define Build/InstallDev/libwifiutils
 	$(INSTALL_DIR) $(1)/usr/include
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/wifidefs.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/wifiutils.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/libwifiutils*.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/wifidefs.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/wifiutils.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/libwifiutils*.so* $(1)/usr/lib/
 endef
 
 define Package/libwifiutils/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/libwifiutils*.so* $(1)/usr/lib/
-endef
-
-
-define Package/libwifi
-  $(call Package/libwifi-common)
-  TITLE:= WiFi library (libwifi)
-  DEPENDS+=+libnl +libnl-route +libeasy +libwifiutils +TARGET_brcmbca:bcm963xx-bsp
+	$(CP) $(PKG_BUILD_DIR)/libwifiutils/libwifiutils*.so* $(1)/usr/lib/
 endef
 
 define Package/libwifi/config
@@ -154,13 +155,12 @@ define Package/libwifi/config
   endif
 endef
 
-
 define Build/InstallDev/libwifi
 	$(INSTALL_DIR) $(1)/usr/include
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/wifiops.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/wifi.h $(1)/usr/include/
-	$(CP) $(PKG_BUILD_DIR)/libwifi-7*.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/wifiops.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/wifi.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/libwifi-7*.so* $(1)/usr/lib/
 endef
 
 
@@ -173,7 +173,7 @@ endef
 
 define Package/libwifi/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_BUILD_DIR)/libwifi-7*.so* $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/libwifi/libwifi-7*.so* $(1)/usr/lib/
 endef
 
 $(eval $(call BuildPackage,libwifiutils))

logmngr/Makefile

@@ -12,7 +12,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/logmngr.git
 PKG_SOURCE_VERSION:=62441fdfe14a39bff8fff7c62307bd7b54d7240f
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 
@@ -65,8 +65,10 @@ define Package/logmngr/install
 	$(INSTALL_DIR) $(1)/lib/logmngr
 ifeq ($(CONFIG_LOGMNGR_BACKEND_FLUENTBIT),y)
 	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp/
 	$(INSTALL_BIN) ./files/logread $(1)/sbin/
 	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
+	$(INSTALL_BIN) ./files/etc/hotplug.d/ntp/20-reload_fluent_bit $(1)/etc/hotplug.d/ntp/
 else ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/syslog-ng.sh $(1)/lib/logmngr/
 endif

logmngr/files/etc/config/logmngr

@@ -8,7 +8,7 @@ config source 'default_source'
 
 config template 'default_template'
 	option name 'default_template'
-	option expression '{time} {hostname} {ident}: {message}'
+	option expression '{time} {hostname} {ident}[{pid}]: {message}'
 
 config action 'default_action'
 	option name 'default_action'

logmngr/files/etc/hotplug.d/ntp/20-reload_fluent_bit

@@ -0,0 +1,14 @@
+#!/bin/sh
+# This hotplug script reloads fluent-bit, so that kmsg logs' timestamp gets in sync
+
+[ "$ACTION" = stratum ] || exit 0
+
+# only once
+if ! uci -q get time.global.first_use_date > /dev/null 2>&1; then
+	flb_pid="$(pidof fluent-bit)"
+
+	if [ -n "$flb_pid" ]; then
+		logger -t "logmngr.hotplug" -p info "reload fluent-bit due to ntp sync"
+		kill -SIGHUP "$flb_pid"
+	fi
+fi

logmngr/files/etc/init.d/logmngr

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 
-START=12
+START=09
 
 USE_PROCD=1
 

logmngr/files/etc/uci-defaults/10-logmngr_config_migrate

@@ -11,7 +11,7 @@ fi
 if ! uci -q get logmngr.default_template > /dev/null; then
 	uci -q set logmngr.default_template=template
 	uci -q set logmngr.default_template.name='default_template'
-	uci -q set logmngr.default_template.expression='{time} {hostname} {ident}: {message}'
+	uci -q set logmngr.default_template.expression='{time} {hostname} {ident}[{pid}]: {message}'
 fi
 
 if uci -q get logmngr.a1 >/dev/null; then

logmngr/files/lib/logmngr/fluent-bit.sh

@@ -63,7 +63,7 @@ create_service_section() {
 	append_conf "    flush        1"
 	append_conf "    daemon       off"
 	append_conf "    log_level    info"
-	append_conf "    coro_stack_size    24576"
+	append_conf "    coro_stack_size    1048576"
 	append_conf "    parsers_file /etc/fluent-bit/parsers.conf"
 	append_conf "    hot_reload        on"
 	append_conf ""
@@ -77,6 +77,12 @@ create_default_filters() {
 	append_conf "    rename          msg     message"
 	append_conf ""
 
+	append_conf "[FILTER]"
+	append_conf "    name            modify"
+	append_conf "    match           *"
+	append_conf "    add             pid     0"
+	append_conf ""
+
 	append_conf "[FILTER]"
 	append_conf "    name            sysinfo"
 	append_conf "    match           *"

loop-detector/Makefile

@@ -13,7 +13,7 @@ PKG_SOURCE_VERSION:=d0fb770eacd6691b98df138b60f5116e02f71a9b
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/loop-detector
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)

map-agent/Config.in

@@ -63,8 +63,12 @@ config AGENT_CHECK_PARTIAL_WIFI_RELOAD
 	bool "Option that allow SSID/PSK simple reload"
 	default y
 
-config DYNBHD_DYNAMICALLY_PERSIST_CONTROLLER
-	bool "Let dynbhd through AP-Autoconfiguration Search and DHCP Discovery determine the controller or agent role"
+config DYNBH
+	bool "Enable map-agent dynamic Ethernet backhaul management"
+	default n
+
+config DYNBH_DYNAMICALLY_PERSIST_CONTROLLER
+	bool "Let map-agent through AP-Autoconfiguration Search and DHCP Discovery determine the controller or agent role"
 
 config AGENT_UNASSOC_STA_CONT_MONITOR
 	bool "Enable continuos monitoring of unassociated clients"

map-agent/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.3.7.0
+PKG_VERSION:=6.5.0.10
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=ab9fa6ffc6978c84ab9a3b410d31c71c3b185430
+PKG_SOURCE_VERSION:=1a9763bd4e520975e6951f77e85f369487cf1318
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause
@@ -38,14 +38,6 @@ ifeq ($(CONFIG_AGENT_USE_LIBDPP),y)
   TARGET_CFLAGS += -DUSE_LIBDPP
 endif
 
-define Package/dynbhd
-  SECTION:=utils
-  CATEGORY:=Utilities
-  TITLE:=Dynamic Backhaul Daemon
-  DEPENDS:=+libwifi +libuci +libubox +ubus +libeasy +libieee1905 +ieee1905 \
-	  +ieee1905-map-plugin +map-agent
-endef
-
 ifeq ($(CONFIG_AGENT_ZEROTOUCH_DPP),y)
   TARGET_CFLAGS += -DZEROTOUCH_DPP
 endif
@@ -54,10 +46,6 @@ define Package/map-agent/description
   This package provides EasyMesh R6 compliant Wi-Fi Multi-AP Agent.
 endef
 
-define Package/dynbhd/description
- Dyanmic LAN/WAN port detection and loop avoidance.
-endef
-
 define Package/map-agent/config
 	source "$(SOURCE)/Config.in"
 endef
@@ -115,7 +103,11 @@ ifeq ($(CONFIG_AGENT_CHECK_PARTIAL_WIFI_RELOAD),y)
 TARGET_CFLAGS += -DCHECK_PARTIAL_WIFI_RELOAD
 endif
 
-ifeq ($(CONFIG_DYNBHD_DYNAMICALLY_PERSIST_CONTROLLER),y)
+ifeq ($(CONFIG_DYNBH),y)
+TARGET_CFLAGS += -DDYNBH
+endif
+
+ifeq ($(CONFIG_DYNBH_DYNAMICALLY_PERSIST_CONTROLLER),y)
 TARGET_CFLAGS += -DPERSIST_CONTROLLER
 endif
 
@@ -128,6 +120,10 @@ MAKE_PATH:=src
 define Package/map-agent/install
 	$(INSTALL_DIR) $(1)/etc
 	$(CP) ./files/* $(1)/
+ifeq ($(CONFIG_DYNBH),y)
+	$(RM) $(1)/etc/hotplug.d/ethernet/map-dynamic-backhaul
+	$(RM) $(1)/etc/hotplug.d/ethernet/map-topology-discovery
+endif
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_DIR) $(1)/lib/wifi
@@ -135,15 +131,6 @@ define Package/map-agent/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/mapagent $(1)/usr/sbin/
 endef
 
-define Package/dynbhd/install
-	$(INSTALL_DIR) $(1)/etc
-	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_DIR) $(1)/lib/wifi/dynbhd
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/ethernet
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dynbh/dynbhd $(1)/usr/sbin/dynbhd
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dynbh/api $(1)/lib/wifi/dynbhd/api
-#	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dynbh/map-dynamic-backhaul $(1)/etc/hotplug.d/ethernet/map-dynamic-backhaul
-endef
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -152,4 +139,3 @@ endef
 endif
 
 $(eval $(call BuildPackage,map-agent))
-$(eval $(call BuildPackage,dynbhd))

map-agent/files/etc/config/mapagent

@@ -17,7 +17,7 @@ config dynamic_backhaul
 	option missing_bh_reconfig_timer '1800'
 
 config controller_select
-	option id 'auto'
+	option mode 'auto'
 	option probe_int '20'
 	option retry_int '9'
 	option autostart '1'

map-agent/files/etc/hotplug.d/ethernet/map-dynamic-backhaul

@@ -27,11 +27,6 @@ done
 al_brnet="${al_bridge:3}"
 [ "$(uci -q get network.${al_brnet}.proto)" == "dhcp" ] || exit 0
 
-############## Dynamic Backhaul Daemon ##############
-if [ -n "$(which dynbhd)" ]; then
-	exit 0
-fi
-########################################################
 
 ################ Dedicated ETH WAN Port ################
 wanport="$(jsonfilter -i /etc/board.json -e @.network.wan.device)"
@@ -95,7 +90,8 @@ if [ "$LINK" = "up" ]; then
 	config_foreach remove_from_bridge bsta
 	config_foreach update_bstas bsta down
 
-	/lib/wifi/multiap set_uplink "eth" "$PORT"
+	hwaddr="$(ifconfig $PORT | grep -i hwaddr | awk '{print $5}' | awk '{print tolower($0)}')"
+	/lib/wifi/multiap set_uplink "eth" "$PORT" "$hwaddr"
 else
 	/lib/wifi/multiap unset_uplink "eth"
 	#rm -f "$map_bh_file"

map-agent/files/etc/init.d/mapagent

@@ -1,26 +1,12 @@
 #!/bin/sh /etc/rc.common
 
-START=98
+START=97
 STOP=20
 
 USE_PROCD=1
 
 IS_CFG_VALID=1
 
-MAP_DEV="map_dev"
-MAP_IF="map"
-
-
-start_dynbhd_service() {
-	rm -f /var/run/multiap/multiap.backhaul
-	procd_open_instance
-	procd_set_param command "/usr/sbin/dynbhd"
-	procd_set_param respawn
-#	procd_set_param stdout 1
-#	procd_set_param stderr 1
-	procd_close_instance
-}
-
 validate_agent_section() {
 	uci_validate_section mapagent agent "agent" \
 		'enabled:bool:true' \
@@ -51,7 +37,7 @@ validate_cs_section() {
 
 	uci_validate_section mapagent $section "${section}" \
 		'local:bool:false' \
-		'id:string' \
+		'mode:string' \
 		'probe_int:range(0,1000):20' \
 		'retry_int:range(0,255):3' \
 		'autostart:bool:false'
@@ -179,17 +165,6 @@ create_dir() {
 }
 
 start_service() {
-	if [ -f /usr/sbin/dynbhd ]; then
-		# Start dynbhd only if the device is operating in extender/repeater mode
-		al_bridge="$(uci -q get mapagent.agent.al_bridge)"
-		if [ "${al_bridge:0:3}" = "br-" ]; then
-			al_brnet="${al_bridge:3}"
-			if [ "$(uci -q get network.${al_brnet}.proto)" == "dhcp" ]; then
-				start_dynbhd_service
-			fi
-		fi
-	fi
-
 	config_load "mapagent"
 	validate_agent_config || return 1;
 

map-agent/files/etc/uci-defaults/994-map-set-cntlr-sel-mode

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+adapt_cntlr_sel() {
+	local section=$1
+        id=$(uci -q get mapagent.@controller_select[0].id)
+
+        uci -q del mapagent.@controller_select[0].id
+
+        # re-apply any custom value
+        [ -z "${id}" ] || uci -q set mapagent.@controller_select[0].mode="${id}"
+}
+
+adapt_cntlr_sel

map-agent/files/lib/multiap/map_genconfig

@@ -10,6 +10,11 @@ network_mode="$(fw_printenv -n netmode)" # default is layer3
 multiap_mode="$(fw_printenv -n multiap_mode)" # default is full
 disable_mlo="$(fw_printenv -n disable_mlo)"
 
+is_logan() {
+	[ -d /sys/module/mt_wifi ] && return 0
+	return 1
+}
+
 is_airoha() {
 	[ -f /proc/device-tree/compatible ] || return
 	strings /proc/device-tree/compatible | grep -qE '^(econet,|airoha,)'; return
@@ -64,45 +69,45 @@ generate_multiap_config() {
 		device="$dev"
 
 		ifprefix_radio=""
-		if is_airoha; then
+		if is_logan; then
+			uci set mapagent.agent.mld_ap_prefix="bss"
+			uci set mapagent.agent.mld_sta_prefix="sta"
+			ifname_sta=""
+			case "$band" in
+				2g)
+					ifprefix="ra%"
+					ifname="ra0"
+					ifname_bh="ra1"
+					ifname_sta="apcli0"
+				;;
+				5g)
+					ifprefix="rai%"
+					ifname="rai0"
+					ifname_bh="rai1"
+					ifname_sta="apclii0"
+				;;
+				6g)
+					ifprefix="rax%"
+					ifname="rax0"
+					ifname_bh="rax1"
+					ifname_sta="apclix0"
+				;;
+			esac
+			ifprefix_radio="${ifprefix}"
+			if [ "${network_mode}" == "extender" ]; then
+				ifname="${ifname_sta}"
+			fi
+
+			[ "$disable_mlo" == "1" ] || {
+				uci set wireless.$dev.mlo="1"
+				uci set wireless.$dev.mlo_capable="1"
+			}
+		elif is_airoha; then
 			if [ -d "/sys/module/mt76" ]; then
 				ifprefix="wlan%_%"
 				ifname="wlan${devidx}_0"
 				ifname_bh="wlan${devidx}_1"
-			else
-				uci set mapagent.agent.mld_prefix="bss"
-				ifname_sta=""
-				case "$band" in
-					2g)
-						ifprefix="ra%"
-						ifname="ra0"
-						ifname_bh="ra1"
-						ifname_sta="apcli0"
-					;;
-					5g)
-						ifprefix="rai%"
-						ifname="rai0"
-						ifname_bh="rai1"
-						ifname_sta="apclii0"
-					;;
-					6g)
-						ifprefix="rax%"
-						ifname="rax0"
-						ifname_bh="rax1"
-						ifname_sta="apclix0"
-					;;
-				esac
-				ifprefix_radio="${ifprefix}"
-				if [ "${network_mode}" == "extender" ]; then
-					ifname="${ifname_sta}"
-				fi
-
-				[ "$disable_mlo" == "1" ] || {
-					uci set wireless.$dev.mlo="1"
-					uci set wireless.$dev.mlo_capable="1"
-				}
 			fi
-
 			uci set wireless.$dev.channels="$channels"
 			uci commit wireless
 		elif is_broadcom; then

map-controller/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.4.4.0
+PKG_VERSION:=6.4.5.0
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=d2e91ca156dbe0b44f0fc551b0a353137343fdf1
+PKG_SOURCE_VERSION:=f335cf5bfdf700843173fcdd5d61d1900cc0aa8a
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>
 
 LOCAL_DEV=0

map-controller/files/etc/config/mapcontroller

@@ -4,17 +4,16 @@ config controller 'controller'
 	option registrar '2 5 6'
 	option debug '2'
 	option bcn_metrics_max_num '10'
-	option initial_channel_scan '0'
 	option enable_ts '0'
 	option primary_vid '1'
 	option primary_pcp '0'
-	option stale_sta_timeout '30d'
+	option stale_sta_timeout '20d'
 	option de_collect_interval '60'
 	list plugin 'zerotouch'
 
 config sta_steering 'sta_steering'
 	option enable_sta_steer '1'
-	option enable_bsta_steer '0'
+	option enable_bsta_steer '1'
 	option rcpi_threshold_2g '70'
 	option rcpi_threshold_5g '86'
 	option rcpi_threshold_6g '86'

map-controller/files/etc/init.d/mapcontroller

@@ -20,7 +20,6 @@ validate_controller_section() {
 		'registrar:string' \
 		'debug:range(0,16)' \
 		'bcn_metrics_max_num:range(1,256)' \
-		'initial_channel_scan:bool:true' \
 		'resend_num:uinteger:0' \
 		'allow_bgdfs:range(0,2629744)' \
 		'stale_sta_timeout:string' \

map-controller/files/etc/uci-defaults/99-mapcntlr-add-qos-rule-id

@@ -0,0 +1,66 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+cfg="mapcontroller"
+config_load "$cfg"
+
+used_ids=""
+
+collect_used_ids() {
+	local section="$1"
+	local id
+
+	id=$(uci -q get ${cfg}.${section}.id)
+	if [ -n "$id" ] && printf "%s" "$id" | grep -qE '^[0-9]+$'; then
+		used_ids="$used_ids $id"
+	fi
+}
+
+# Find first available ID from 0 to INT32_MAX
+find_first_available_id() {
+	local max_int=2147483647
+	local expected=0
+	local id
+
+	# Convert list to sorted unique list
+	sorted_ids=$(printf "%s\n" $used_ids | sort -n | uniq)
+
+	for id in $sorted_ids; do
+		if [ "$id" -eq "$expected" ]; then
+			expected=$((expected + 1))
+		elif [ "$id" -gt "$expected" ]; then
+			# Found a gap -> return the gap
+			echo "$expected"
+			return
+		fi
+	done
+
+	# If no gaps, next available is `expected`
+	if [ "$expected" -le "$max_int" ]; then
+		echo "$expected"
+	else
+		echo -1
+	fi
+}
+
+# Assign ID if missing
+add_qos_rule_id() {
+	local section="$1"
+	local id
+
+	id=$(uci -q get ${cfg}.${section}.id)
+	if [ -z "$id" ]; then
+		new_id=$(find_first_available_id)
+		[ "$new_id" -ge 0 ] || return # No available ID
+		uci -q set ${cfg}.${section}.id="$new_id"
+
+		used_ids="$used_ids $new_id"
+	fi
+}
+
+# Step 1: Collect all existing IDs
+config_foreach collect_used_ids qos_rule
+
+# Step 2: Assign IDs to rules missing them
+config_foreach add_qos_rule_id qos_rule

map-controller/files/etc/uci-defaults/99-mapcntlr-uci-rename-singletons

@@ -14,5 +14,3 @@ for sec in $sections; do
 
     uci rename $cfg.$s=$sec
 done
-
-uci commit $cfg

map-plugins/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-plugins
-PKG_VERSION:=1.1.2
+PKG_VERSION:=1.2.7
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=a76610182366cf05ed7e8f5fbac26890b709eeb4
+PKG_SOURCE_VERSION:=dd873ca4e2cb321302dae1955da24d1be271b2b1
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-plugins.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -59,7 +59,8 @@ define Package/map-plugins
 endef
 
 define Package/map-plugins/description
-	Provides extra Multi-AP services viz. steering, channel-planning, self-organizing network etc.
+	Provides extra Multi-AP services viz. steering, channel-planning,
+	self-organizing network, zero-touch onboarding etc.
 endef
 
 define Package/map-plugins/install
@@ -70,5 +71,11 @@ define Build/Compile
 	$(foreach p,$(plugins),$(call Build/Compile/map-plugins-$(p), $(1)))
 endef
 
+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+        rsync -r --exclude=.* ~/git/map-plugins/ $(PKG_BUILD_DIR)/
+endef
+endif
+
 $(eval $(call BuildPackage,map-plugins))
 $(eval $(foreach p,$(ppkg),$(call BuildPackage,$(p))))

mcastmngr/Makefile

@@ -14,7 +14,7 @@ ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/mcastmngr.git
 PKG_SOURCE_VERSION:=17d73b8f1947823a0d32ed589a240a2642904fe1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

mosquitto-auth-plugin/Config.in

@@ -0,0 +1,7 @@
+if PACKAGE_mosquitto-auth-plugin
+
+config MOSQUITTO_AUTH_PAM_SUPPORT
+	bool "Enable support of Linux PAM module for Authentication"
+	default y
+
+endif

mosquitto-auth-plugin/Makefile

@@ -13,33 +13,42 @@
 
 include $(TOPDIR)/rules.mk
 
-PKG_NAME:=mosquitto-auth-shadow
-PKG_VERSION:=1.0.1
+PKG_NAME:=mosquitto-auth-plugin
+PKG_VERSION:=1.2.1
 
 PKG_MAINTAINER:=Erik Karlsson <erik.karlsson@genexis.eu>
 PKG_LICENSE:=EPL-2.0
 
 PKG_BUILD_PARALLEL:=1
+PKG_CONFIG_DEPENDS:=CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/mosquitto-auth-shadow
+define Package/mosquitto-auth-plugin
   SECTION:=net
   CATEGORY:=Network
   TITLE:=mosquitto - /etc/shadow authentication plugin
-  DEPENDS:=+mosquitto-ssl
+  DEPENDS:=+mosquitto-ssl +MOSQUITTO_AUTH_PAM_SUPPORT:libpam
   USERID:=mosquitto=200:mosquitto=200 mosquitto=200:shadow=11
 endef
 
-define Package/mosquitto-auth-shadow/description
+define Package/mosquitto-auth-plugin/description
   Plugin for the mosquitto MQTT message broker that authenticates
   users using /etc/shadow
 endef
 
-define Package/mosquitto-auth-shadow/install
+define Package/mosquitto-auth-plugin/config
+	source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT),y)
+TARGET_CFLAGS+=-DENABLE_PAM_SUPPORT
+endif
+
+define Package/mosquitto-auth-plugin/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_shadow.so $(1)/usr/lib/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_plugin.so $(1)/usr/lib/
 	$(CP) ./files/* $(1)/
 endef
 
-$(eval $(call BuildPackage,mosquitto-auth-shadow))
+$(eval $(call BuildPackage,mosquitto-auth-plugin))

mosquitto-auth-plugin/src/Makefile

@@ -11,15 +11,15 @@
 #   Erik Karlsson - initial implementation
 #
 
-TARGETS = mosquitto_auth_shadow.so
+TARGETS = mosquitto_auth_plugin.so
 
 all: $(TARGETS)
 
 %.pic.o: %.c
 	$(CC) $(CFLAGS) -Wall -Werror -fPIC -c -o $@ $<
 
-mosquitto_auth_shadow.so: mosquitto_auth_shadow.pic.o
-	$(CC) $(LDFLAGS) -shared -o $@ $^
+mosquitto_auth_plugin.so: mosquitto_auth_plugin.pic.o
+	$(CC) $(LDFLAGS) -shared -o $@ $^ $(if $(filter -DENABLE_PAM_SUPPORT,$(CFLAGS)),-lpam)
 
 clean:
 	rm -f *.o $(TARGETS)

mosquitto-auth-plugin/src/mosquitto_auth_plugin.c

@@ -0,0 +1,670 @@
+/*
+ * Copyright (c) 2022 Genexis B.V.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Erik Karlsson - initial implementation
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <shadow.h>
+#include <crypt.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <mosquitto.h>
+#include <mosquitto_broker.h>
+#include <mosquitto_plugin.h>
+
+#ifdef ENABLE_PAM_SUPPORT
+#include <security/pam_appl.h>
+#endif
+
+#define MAX_USERS 256
+#define MAX_SUBNETS_PER_USER 32
+
+typedef struct {
+	union {
+		uint32_t ipv4_network;
+		uint8_t ipv6_network[16];
+	};
+	union {
+		uint32_t ipv4_netmask;
+		uint8_t ipv6_netmask[16];
+	};
+	int is_ipv6;
+} subnet_t;
+
+typedef struct {
+	char username[64];
+	subnet_t allow_subnets[MAX_SUBNETS_PER_USER];
+	int allow_count;
+	subnet_t deny_subnets[MAX_SUBNETS_PER_USER];
+	int deny_count;
+} user_acl_t;
+
+typedef struct {
+	user_acl_t users[MAX_USERS];
+	int user_count;
+	mosquitto_plugin_id_t *identifier;
+	char *config_file;
+} plugin_data_t;
+
+/* Parse CIDR notation for IPv4 or IPv6 (e.g., "192.168.1.0/24" or "2001:db8::/32") */
+static int parse_subnet(const char *cidr, subnet_t *subnet)
+{
+	char ip_str[128];
+	char *slash;
+	int prefix_len;
+	struct in_addr addr4;
+	struct in6_addr addr6;
+
+	strncpy(ip_str, cidr, sizeof(ip_str) - 1);
+	ip_str[sizeof(ip_str) - 1] = '\0';
+
+	slash = strchr(ip_str, '/');
+	if (slash != NULL) {
+		*slash = '\0';
+		prefix_len = atoi(slash + 1);
+	}
+
+	/* Try IPv4 first */
+	if (inet_pton(AF_INET, ip_str, &addr4) == 1) {
+		subnet->is_ipv6 = 0;
+		if (slash == NULL)
+			prefix_len = 32;
+		if (prefix_len < 0 || prefix_len > 32)
+			return -1;
+
+		subnet->ipv4_network = ntohl(addr4.s_addr);
+		subnet->ipv4_netmask = prefix_len == 0 ? 0 : (~0U << (32 - prefix_len));
+		subnet->ipv4_network &= subnet->ipv4_netmask;
+		return 0;
+	}
+
+	/* Try IPv6 */
+	if (inet_pton(AF_INET6, ip_str, &addr6) == 1) {
+		subnet->is_ipv6 = 1;
+		if (slash == NULL)
+			prefix_len = 128;
+		if (prefix_len < 0 || prefix_len > 128)
+			return -1;
+
+		/* Copy network address */
+		memcpy(subnet->ipv6_network, addr6.s6_addr, 16);
+
+		/* Generate netmask */
+		memset(subnet->ipv6_netmask, 0, 16);
+		for (int i = 0; i < prefix_len / 8; i++)
+			subnet->ipv6_netmask[i] = 0xff;
+		if (prefix_len % 8)
+			subnet->ipv6_netmask[prefix_len / 8] = ~((1 << (8 - (prefix_len % 8))) - 1);
+
+		/* Apply netmask to network address */
+		for (int i = 0; i < 16; i++)
+			subnet->ipv6_network[i] &= subnet->ipv6_netmask[i];
+
+		return 0;
+	}
+
+	return -1;
+}
+
+/* Check if IPv4 address is in subnet */
+static int ipv4_in_subnet(uint32_t ip, const subnet_t *subnet)
+{
+	if (subnet->is_ipv6)
+		return 0;
+	return (ip & subnet->ipv4_netmask) == subnet->ipv4_network;
+}
+
+/* Check if IPv6 address is in subnet */
+static int ipv6_in_subnet(const uint8_t *ip, const subnet_t *subnet)
+{
+	if (!subnet->is_ipv6)
+		return 0;
+	for (int i = 0; i < 16; i++) {
+		if ((ip[i] & subnet->ipv6_netmask[i]) != subnet->ipv6_network[i])
+			return 0;
+	}
+	return 1;
+}
+
+/* Check if IP is in any subnet in the list */
+static int ip_in_subnet_list(const char *client_address, const subnet_t *subnets, int count)
+{
+	struct in_addr addr4;
+	struct in6_addr addr6;
+	uint32_t ipv4;
+
+	/* Try IPv4 */
+	if (inet_pton(AF_INET, client_address, &addr4) == 1) {
+		ipv4 = ntohl(addr4.s_addr);
+		for (int i = 0; i < count; i++) {
+			if (ipv4_in_subnet(ipv4, &subnets[i]))
+				return 1;
+		}
+		return 0;
+	}
+
+	/* Try IPv6 */
+	if (inet_pton(AF_INET6, client_address, &addr6) == 1) {
+		for (int i = 0; i < count; i++) {
+			if (ipv6_in_subnet(addr6.s6_addr, &subnets[i]))
+				return 1;
+		}
+		return 0;
+	}
+
+	return 0;
+}
+
+/* Find or create user ACL entry */
+static user_acl_t* find_or_create_user_acl(plugin_data_t *pdata, const char *username)
+{
+	user_acl_t *user;
+
+	/* Find existing user */
+	for (int i = 0; i < pdata->user_count; i++) {
+		if (strcmp(pdata->users[i].username, username) == 0)
+			return &pdata->users[i];
+	}
+
+	/* Create new user if not found */
+	if (pdata->user_count >= MAX_USERS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Max users exceeded");
+		return NULL;
+	}
+
+	user = &pdata->users[pdata->user_count];
+	strncpy(user->username, username, sizeof(user->username) - 1);
+	user->username[sizeof(user->username) - 1] = '\0';
+	user->allow_count = 0;
+	user->deny_count = 0;
+	pdata->user_count++;
+
+	return user;
+}
+
+/* Parse subnet ACL file with simplified format
+ * Format:
+ * # Comment lines
+ * subnet allow <username> <cidr>
+ * subnet deny <username> <cidr>
+ */
+static int load_subnet_acl_config(plugin_data_t *pdata, const char *config_file)
+{
+	FILE *fp;
+	char line[512];
+	int line_num = 0;
+
+	/* Initialize user count */
+	pdata->user_count = 0;
+
+	/* Config file is optional - if not provided, no subnet filtering */
+	if (config_file == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_INFO,
+			"subnet_acl: No subnet ACL file specified, subnet filtering disabled");
+		return 0;
+	}
+
+	/* If config file is specified but cannot be opened, this is a fatal error */
+	fp = fopen(config_file, "r");
+	if (fp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to open subnet ACL file '%s'", config_file);
+		return -1;
+	}
+
+	while (fgets(line, sizeof(line), fp) != NULL) {
+		char *token, *saveptr;
+		char *action, *username, *cidr;
+		user_acl_t *user;
+		subnet_t subnet;
+
+		line_num++;
+
+		/* Remove newline and comments */
+		line[strcspn(line, "\r\n")] = '\0';
+		char *comment = strchr(line, '#');
+		if (comment)
+			*comment = '\0';
+
+		/* Trim leading whitespace */
+		char *line_start = line;
+		while (*line_start == ' ' || *line_start == '\t')
+			line_start++;
+
+		/* Skip empty lines */
+		if (*line_start == '\0')
+			continue;
+
+		/* Parse: subnet allow|deny <username> <cidr> */
+		token = strtok_r(line_start, " \t", &saveptr);
+		if (token == NULL)
+			continue;
+
+		/* Must start with "subnet" */
+		if (strcmp(token, "subnet") != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid directive '%s' at line %d (expected 'subnet')",
+				token, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get allow/deny */
+		action = strtok_r(NULL, " \t", &saveptr);
+		if (action == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing allow/deny at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		if (strcmp(action, "allow") != 0 && strcmp(action, "deny") != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid action '%s' at line %d (use 'allow' or 'deny')",
+				action, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get username */
+		username = strtok_r(NULL, " \t", &saveptr);
+		if (username == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing username at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get CIDR */
+		cidr = strtok_r(NULL, " \t", &saveptr);
+		if (cidr == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing CIDR at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Parse subnet */
+		if (parse_subnet(cidr, &subnet) != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid CIDR '%s' at line %d", cidr, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Find or create user */
+		user = find_or_create_user_acl(pdata, username);
+		if (user == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Max users (%d) exceeded at line %d", MAX_USERS, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Add to appropriate list */
+		if (strcmp(action, "allow") == 0) {
+			if (user->allow_count >= MAX_SUBNETS_PER_USER) {
+				mosquitto_log_printf(MOSQ_LOG_ERR,
+					"subnet_acl: Max allow subnets (%d) exceeded for user '%s' at line %d",
+					MAX_SUBNETS_PER_USER, user->username, line_num);
+				fclose(fp);
+				return -1;
+			}
+			user->allow_subnets[user->allow_count] = subnet;
+			user->allow_count++;
+
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' allow subnet %s",
+				user->username, cidr);
+
+		} else { /* deny */
+			if (user->deny_count >= MAX_SUBNETS_PER_USER) {
+				mosquitto_log_printf(MOSQ_LOG_ERR,
+					"subnet_acl: Max deny subnets (%d) exceeded for user '%s' at line %d",
+					MAX_SUBNETS_PER_USER, user->username, line_num);
+				fclose(fp);
+				return -1;
+			}
+			user->deny_subnets[user->deny_count] = subnet;
+			user->deny_count++;
+
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' deny subnet %s",
+				user->username, cidr);
+		}
+	}
+
+	fclose(fp);
+
+	/* Log summary */
+	for (int i = 0; i < pdata->user_count; i++) {
+		user_acl_t *user = &pdata->users[i];
+		if (user->allow_count > 0 || user->deny_count > 0) {
+			mosquitto_log_printf(MOSQ_LOG_INFO,
+				"subnet_acl: User '%s' has %d allow and %d deny subnet rules",
+				user->username, user->allow_count, user->deny_count);
+		}
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Loaded subnet restrictions for %d user(s)", pdata->user_count);
+
+	return 0;
+}
+
+/* Find user ACL entry */
+static const user_acl_t* find_user_acl(const plugin_data_t *pdata, const char *username)
+{
+	for (int i = 0; i < pdata->user_count; i++) {
+		if (strcmp(pdata->users[i].username, username) == 0)
+			return &pdata->users[i];
+	}
+	return NULL;
+}
+
+/* Check subnet access on authentication (connection time)
+ * Returns: MOSQ_ERR_SUCCESS if allowed, MOSQ_ERR_AUTH if denied
+ */
+static int check_subnet_on_auth(plugin_data_t *pdata, struct mosquitto_evt_basic_auth *ed)
+{
+	const user_acl_t *user_acl;
+	const char *client_address;
+
+	/* Skip if no subnet config loaded */
+	if (pdata == NULL || pdata->user_count == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	/* Skip anonymous users */
+	if (ed->username == NULL)
+		return MOSQ_ERR_SUCCESS;
+
+	/* Find user's subnet ACL */
+	user_acl = find_user_acl(pdata, ed->username);
+
+	/* If user not in config or has no subnet rules, allow */
+	if (user_acl == NULL || (user_acl->allow_count == 0 && user_acl->deny_count == 0))
+		return MOSQ_ERR_SUCCESS;
+
+	/* Get client IP address */
+	client_address = mosquitto_client_address(ed->client);
+	if (client_address == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_WARNING,
+			"subnet_acl: Could not get client address for user '%s', denying connection",
+			ed->username);
+		return MOSQ_ERR_AUTH;
+	}
+
+	/* Check deny list first - deny takes precedence */
+	if (user_acl->deny_count > 0) {
+		if (ip_in_subnet_list(client_address, user_acl->deny_subnets, user_acl->deny_count)) {
+			mosquitto_log_printf(MOSQ_LOG_NOTICE,
+				"subnet_acl: User '%s' from %s DENIED by deny rule",
+				ed->username, client_address);
+			return MOSQ_ERR_AUTH;
+		}
+	}
+
+	/* If there are allow rules, IP must match one of them */
+	if (user_acl->allow_count > 0) {
+		if (ip_in_subnet_list(client_address, user_acl->allow_subnets, user_acl->allow_count)) {
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' from %s allowed by allow rule",
+				ed->username, client_address);
+			return MOSQ_ERR_SUCCESS;
+		} else {
+			mosquitto_log_printf(MOSQ_LOG_NOTICE,
+				"subnet_acl: User '%s' from %s DENIED (not in allowed subnets)",
+				ed->username, client_address);
+			return MOSQ_ERR_AUTH;
+		}
+	}
+
+	/* No subnet rules for this user - allow */
+	return MOSQ_ERR_SUCCESS;
+}
+
+#ifdef ENABLE_PAM_SUPPORT
+static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+	int i;
+	const char *pass = (const char *)appdata_ptr;
+
+	*resp = calloc(num_msg, sizeof(struct pam_response));
+	if (*resp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
+		return PAM_BUF_ERR;
+	}
+
+	if (pass == NULL)
+		return PAM_SUCCESS;
+
+	for (i = 0; i < num_msg; ++i) {
+		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+			(*resp)[i].resp = strdup(pass);
+			if ((*resp)[i].resp == NULL) {
+				for (int j = 0; j < i ; j++)
+					free((*resp)[j].resp);
+
+				free(*resp);
+				*resp = NULL;
+				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
+				return PAM_BUF_ERR;
+			}
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct pam_conv conv;
+	int retval;
+	pam_handle_t *pamh = NULL;
+
+	conv.conv = pam_conversation;
+	conv.appdata_ptr = (void *)ed->password;
+
+	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
+	if (retval != PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
+		return MOSQ_ERR_AUTH;
+	}
+
+	retval = pam_authenticate(pamh, 0);
+	pam_end(pamh, retval);
+	if (retval == PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
+		return MOSQ_ERR_SUCCESS;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
+	return MOSQ_ERR_AUTH;
+}
+#else
+static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct spwd spbuf, *sp = NULL;
+	char buf[256];
+	struct crypt_data data;
+	char *hash;
+
+	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
+
+	if (sp == NULL || sp->sp_pwdp == NULL)
+		return MOSQ_ERR_AUTH;
+
+	/* Empty string as hash means password is not required */
+	if (sp->sp_pwdp[0] == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	if (ed->password == NULL)
+		return MOSQ_ERR_AUTH;
+
+	memset(&data, 0, sizeof(data));
+	hash = crypt_r(ed->password, sp->sp_pwdp, &data);
+
+	if (hash == NULL)
+		return MOSQ_ERR_AUTH;
+
+	if (strcmp(hash, sp->sp_pwdp) == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	return MOSQ_ERR_AUTH;
+}
+#endif
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+	struct mosquitto_evt_basic_auth *ed = event_data;
+	plugin_data_t *pdata = userdata;
+	int auth_result;
+
+	/* Let other plugins or broker decide about anonymous login */
+	if (ed->username == NULL)
+		return MOSQ_ERR_PLUGIN_DEFER;
+
+	/* First check username/password authentication */
+#ifdef ENABLE_PAM_SUPPORT
+	auth_result = process_pam_auth_callback(ed);
+#else
+	auth_result = process_shadow_auth_callback(ed);
+#endif
+
+	/* If authentication failed, reject immediately */
+	if (auth_result != MOSQ_ERR_SUCCESS)
+		return auth_result;
+
+	/* Authentication succeeded, now check subnet restrictions */
+	return check_subnet_on_auth(pdata, ed);
+}
+
+static int reload_callback(int event, void *event_data, void *userdata)
+{
+	plugin_data_t *pdata = userdata;
+
+	if (pdata == NULL)
+		return MOSQ_ERR_SUCCESS;
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Reloading subnet ACL configuration from '%s'",
+		pdata->config_file ? pdata->config_file : "(none)");
+
+	/* Reload subnet ACL configuration */
+	if (load_subnet_acl_config(pdata, pdata->config_file) != 0) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to reload subnet ACL configuration, keeping old config");
+		return MOSQ_ERR_UNKNOWN;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Reload complete, now tracking %d user(s)", pdata->user_count);
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+int mosquitto_plugin_version(int supported_version_count,
+			     const int *supported_versions)
+{
+	return 5;
+}
+
+int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
+			  void **user_data,
+			  struct mosquitto_opt *opts, int opt_count)
+{
+	plugin_data_t *pdata;
+	const char *config_file = NULL;
+	int rc;
+
+	/* Find subnet config file option */
+	for (int i = 0; i < opt_count; i++) {
+		if (strcmp(opts[i].key, "subnet_acl_file") == 0) {
+			config_file = opts[i].value;
+			break;
+		}
+	}
+
+	pdata = calloc(1, sizeof(plugin_data_t));
+	if (pdata == NULL)
+		return MOSQ_ERR_NOMEM;
+
+	pdata->identifier = identifier;
+
+	/* Store config file path for reload */
+	if (config_file != NULL) {
+		pdata->config_file = strdup(config_file);
+		if (pdata->config_file == NULL) {
+			free(pdata);
+			return MOSQ_ERR_NOMEM;
+		}
+	} else {
+		pdata->config_file = NULL;
+	}
+
+	/* Load subnet ACL configuration */
+	if (load_subnet_acl_config(pdata, config_file) != 0) {
+		free(pdata->config_file);
+		free(pdata);
+		return MOSQ_ERR_UNKNOWN;
+	}
+
+	/* Register authentication callback only - subnet check is done during auth */
+	rc = mosquitto_callback_register(identifier, MOSQ_EVT_BASIC_AUTH,
+	                                 basic_auth_callback, NULL, pdata);
+	if (rc != MOSQ_ERR_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to register authentication callback");
+		free(pdata->config_file);
+		free(pdata);
+		return rc;
+	}
+
+	/* Register reload callback to handle SIGHUP */
+	rc = mosquitto_callback_register(identifier, MOSQ_EVT_RELOAD,
+	                                 reload_callback, NULL, pdata);
+	if (rc != MOSQ_ERR_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to register reload callback");
+		mosquitto_callback_unregister(identifier, MOSQ_EVT_BASIC_AUTH,
+		                              basic_auth_callback, NULL);
+		free(pdata->config_file);
+		free(pdata);
+		return rc;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_INFO,
+		"subnet_acl: Plugin initialized with %d user(s)", pdata->user_count);
+
+	/* Only assign user_data after all possible error paths */
+	*user_data = pdata;
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+int mosquitto_plugin_cleanup(void *user_data,
+			     struct mosquitto_opt *opts, int opt_count)
+{
+	plugin_data_t *pdata = user_data;
+
+	if (pdata) {
+		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_BASIC_AUTH,
+		                              basic_auth_callback, NULL);
+		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_RELOAD,
+		                              reload_callback, NULL);
+		free(pdata->config_file);
+		free(pdata);
+	}
+
+	return MOSQ_ERR_SUCCESS;
+}

mosquitto-auth-shadow/src/mosquitto_auth_shadow.c

@@ -1,81 +0,0 @@
-/*
- * Copyright (c) 2022 Genexis B.V.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License 2.0 which is available at
- * https://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- *   Erik Karlsson - initial implementation
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <shadow.h>
-#include <crypt.h>
-#include <mosquitto.h>
-#include <mosquitto_broker.h>
-#include <mosquitto_plugin.h>
-
-static int basic_auth_callback(int event, void *event_data, void *userdata)
-{
-	struct mosquitto_evt_basic_auth *ed = event_data;
-	struct spwd spbuf, *sp = NULL;
-	char buf[256];
-	struct crypt_data data;
-	char *hash;
-
-	/* Let other plugins or broker decide about anonymous login */
-	if (ed->username == NULL)
-		return MOSQ_ERR_PLUGIN_DEFER;
-
-	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
-
-	if (sp == NULL || sp->sp_pwdp == NULL)
-		return MOSQ_ERR_AUTH;
-
-	/* Empty string as hash means password is not required */
-	if (sp->sp_pwdp[0] == 0)
-		return MOSQ_ERR_SUCCESS;
-
-	if (ed->password == NULL)
-		return MOSQ_ERR_AUTH;
-
-	memset(&data, 0, sizeof(data));
-	hash = crypt_r(ed->password, sp->sp_pwdp, &data);
-
-	if (hash == NULL)
-		return MOSQ_ERR_AUTH;
-
-	if (strcmp(hash, sp->sp_pwdp) == 0)
-		return MOSQ_ERR_SUCCESS;
-
-	return MOSQ_ERR_AUTH;
-}
-
-int mosquitto_plugin_version(int supported_version_count,
-			     const int *supported_versions)
-{
-	return 5;
-}
-
-int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
-			  void **user_data,
-			  struct mosquitto_opt *opts, int opt_count)
-{
-	*user_data = identifier;
-
-	return mosquitto_callback_register(identifier, MOSQ_EVT_BASIC_AUTH,
-					   basic_auth_callback, NULL, NULL);
-}
-
-int mosquitto_plugin_cleanup(void *user_data,
-			     struct mosquitto_opt *opts, int opt_count)
-{
-	mosquitto_plugin_id_t *identifier = user_data;
-
-	return mosquitto_callback_unregister(identifier, MOSQ_EVT_BASIC_AUTH,
-					     basic_auth_callback, NULL);
-}

netmngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmngr
-PKG_VERSION:=1.1.8
+PKG_VERSION:=1.2.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/netmngr.git
-PKG_SOURCE_VERSION:=6310f32b80f8abeccbf99ad55ce88792b19342d6
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE_VERSION:=8240c6089cdd44f268db135920800b8fc1d65ca9
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.zst
 PKG_MIRROR_HASH:=skip
 endif
 

netmode/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmode
-PKG_VERSION:=1.1.5
+PKG_VERSION:=1.1.11
 PKG_RELEASE:=1
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0-only
@@ -18,6 +18,7 @@ include $(TOPDIR)/feeds/iopsys/bbfdm/bbfdm.mk
 define Package/netmode
   CATEGORY:=Utilities
   TITLE:=Network Modes and Utils
+  DEPENDS:=+dm-service
 endef
 
 define Package/netmode/description

netmode/README.md

@@ -1,109 +0,0 @@
-# Creating Custom Netmodes in IOWRT
-
-This guide provides developers with detailed instructions on how to create and manage custom network modes (netmodes) in IOWRT. The `netmode` script allows for flexible network configuration, and developers can define their own modes by structuring the necessary files and scripts within the `/etc/netmodes/` directory.
-
-## Table of Contents
-1. [Overview of Netmodes](#overview-of-netmodes)
-2. [Directory Structure](#directory-structure)
-3. [Creating a Custom Netmode](#creating-a-custom-netmode)
-   - [Step 1: Pre-Execution Scripts](#step-1-pre-execution-scripts)
-   - [Step 2: UCI Configuration Files](#step-2-uci-configuration-files)
-   - [Step 3: Custom Execution Scripts](#step-3-custom-execution-scripts)
-   - [Step 4: Post-Execution Scripts](#step-4-post-execution-scripts)
-4. [Enabling and Switching Netmodes](#enabling-and-switching-netmodes)
-
-## Overview of Netmodes
-
-Netmodes in IOWRT provide a way to switch between different network configurations based on the needs of the environment. Developers can create custom netmodes by organizing scripts and configuration files in specific directories under `/etc/netmodes/<NETMODE_NAME>`.
-
-## Directory Structure
-
-A custom netmode is defined within the `/etc/netmodes/<NETMODE_NAME>` directory, which should contain the following subdirectories:
-
-- **/lib/netmode/pre/**: Generic scripts executed before the netmode-specific configurations are applied.
-- **/etc/netmodes/<NETMODE_NAME>/uci/**: Contains UCI configuration files that will be copied to `/etc/config/` during the application of the netmode.
-- **/etc/netmodes/<NETMODE_NAME>/scripts/**: Custom scripts specific to the netmode that are executed after the UCI configurations are applied.
-- **/lib/netmode/post/**: Generic scripts executed after the netmode-specific configurations are completed.
-
-## Creating a Custom Netmode
-
-To create a new netmode, follow these steps:
-
-### Step 1: Pre-Execution Scripts
-
-Scripts located in `/lib/netmode/pre/` are executed before any mode-specific actions. These are typically used for preparing the system or cleaning up configurations from the previous netmode.
-
-- **Create Pre-Execution Scripts**:
-  - Place your generic pre-execution scripts in `/lib/netmode/pre/`.
-  - Example script (`/lib/netmode/pre/cleanup.sh`):
-    ```bash
-    #!/bin/sh
-    echo "Cleaning up old network configurations..."
-    # Add commands here
-    ```
-
-### Step 2: UCI Configuration Files
-
-The UCI configuration files stored in `/etc/netmodes/<NETMODE_NAME>/uci/` will be copied to `/etc/config/`, effectively applying the desired network configuration.
-
-- **Place UCI Config Files**:
-  - Create UCI configuration files under `/etc/netmodes/<NETMODE_NAME>/uci/`.
-  - Example (`/etc/netmodes/bridge/uci/network`):
-````bash
-config device 'br_lan'
-        option name 'br-lan'
-        option type 'bridge'
-        option multicast_to_unicast '0'
-        option bridge_empty '1'
-        list ports 'eth1'
-        list ports 'eth3'
-        list ports 'eth4'
-
-config interface 'lan'
-        option proto 'dhcp'
-        option device 'br-lan'
-        option force_link '1'
-        option reqopts '43 125'
-````
-
-### Step 3: Custom Execution Scripts
-
-After the UCI files are applied, any scripts in `/etc/netmodes/<NETMODE_NAME>/scripts/` are executed. These can be used to perform additional configuration tasks that are specific to the netmode.
-
-- **Create Custom Scripts**:
-  - Add scripts to `/etc/netmodes/<NETMODE_NAME>/scripts/`.
-  - Example (`/etc/netmodes/bridge/scripts/setup_bridge.sh`):
-    ```bash
-    #!/bin/sh
-    echo "Setting up bridge mode..."
-    # Additional configuration commands here
-    ```
-
-### Step 4: Post-Execution Scripts
-
-Finally, the generic scripts in `/lib/netmode/post/` are executed. These scripts typically finalize the setup or perform any necessary cleanups.
-
-- **Create Post-Execution Scripts**:
-  - Place scripts in `/lib/netmode/post/`.
-  - Example script (`/lib/netmode/post/restart_services.sh`):
-    ```bash
-    #!/bin/sh
-    echo "Restarting network services..."
-    # Add commands here
-    ```
-
-## Enabling and Switching Netmodes
-
-The netmode mechanism can be enabled or disabled via the UCI configuration, and you can switch between netmodes using UCI commands.
-
-- **Enable Netmode**:
-  ```bash
-  uci set netmode.global.enabled=1
-  uci commit netmode
-    ```
-    
-- **Switch Netmode**:
-  ```bash
-  uci set netmode.global.mode='<NETMODE_NAME>'
-  uci commit netmode
-    ```

netmode/docs/ADVANCED_MODE_GUIDE.md

@@ -0,0 +1,901 @@
+# Advanced Mode - Complete Configuration Guide
+
+## Table of Contents
+1. [Overview](#overview)
+2. [Interface Types](#interface-types)
+3. [Configuration Examples](#configuration-examples)
+4. [Use Case Scenarios](#use-case-scenarios)
+5. [TR-069/USP Configuration](#tr-069usp-configuration)
+6. [Troubleshooting](#troubleshooting)
+
+---
+
+## Overview
+
+The **advanced** mode is a unified, flexible network configuration mode for OpenWrt/iopsys routers. It provides a single, powerful interface for configuring:
+
+- **Bridge interfaces** with VLAN/QinQ support (traditional VLAN devices)
+- **Bridge VLAN filtering** (modern kernel bridge features - recommended)
+- **Routed interfaces** with VLAN/MACVLAN support
+- **Standalone interfaces** (direct VLAN without bridge)
+- **Mixed scenarios** (combine bridges and routed interfaces)
+
+### Key Features
+
+- ✅ Unified configuration syntax
+- ✅ Multiple interface types in one configuration
+- ✅ VLAN (802.1Q) and QinQ (802.1ad) support
+- ✅ Modern bridge VLAN filtering for better performance
+- ✅ MACVLAN support for multi-service routing
+- ✅ Per-interface port assignment
+- ✅ Flexible protocol configuration (DHCP, none, static)
+- ✅ UCI device name resolution (LAN1 → eth1)
+- ✅ Automatic reconfiguration on parameter changes
+
+### Configuration Parameters
+
+| Parameter | Description | Example |
+|-----------|-------------|---------|
+| `interface_names` | Comma-separated interface names | `wan,iptv,mgmt` |
+| `interface_types` | Comma-separated interface types | `bridge:transparent,brvlan:wan-tagged:1499,route:vlan:100,direct:200` |
+| `ports` | Comma-separated port assignments | `ALL,LAN1-LAN2-WAN,WAN` |
+| `macaddrs` | Comma-separated MAC addresses (optional) | `BaseMACAddress,BaseMACAddressP1,AA:BB:CC:DD:EE:FF` |
+
+### How It Works
+
+When you change any configuration parameter and restart netmode:
+1. The system detects the configuration change automatically
+2. Old network configuration is cleaned up (interfaces, bridges, VLANs)
+3. System configuration is preserved (loopback, physical devices)
+4. New configuration is applied based on your parameters
+5. No manual intervention needed!
+
+---
+
+## Interface Types
+
+### Bridge Types (Traditional VLAN Devices)
+
+Bridge types create L2 bridge interfaces using traditional VLAN devices (eth0.100, etc.).
+
+| Type | Syntax | Description |
+|------|--------|-------------|
+| **Transparent** | `bridge:transparent` | No VLAN tagging on any port |
+| **Tagged** | `bridge:tagged:VID` | All ports tagged with same VLAN ID |
+| **WAN-Tagged** | `bridge:wan-tagged:VID` | Only WAN port tagged, LAN ports untagged |
+| **Transparent QinQ** | `bridge:transparent-qinq:SVID` | LAN untagged, WAN single S-tag (802.1ad) |
+| **Transparent QinQ (Double)** | `bridge:transparent-qinq:CVID:SVID` | LAN untagged, WAN double-tagged (C+S) |
+| **Tagged QinQ** | `bridge:tagged-qinq:CVID:SVID` | LAN C-tagged, WAN double-tagged (C+S) |
+| **QinQ (All ports)** | `bridge:qinq:CVID:SVID` | All ports double-tagged |
+
+### Bridge VLAN Filtering Types (Modern Approach)
+
+Bridge VLAN filtering uses kernel bridge VLAN filtering instead of creating VLAN devices. **Recommended for new deployments.**
+
+| Type | Syntax | Description |
+|------|--------|-------------|
+| **Tagged** | `brvlan:tagged:VID` | All ports tagged with VLAN ID (uses bridge-vlan) |
+| **WAN-Tagged** | `brvlan:wan-tagged:VID` | WAN tagged, LAN untagged (uses bridge-vlan) |
+| **Mixed** | `brvlan:mixed:VID` | Custom tagged/untagged configuration |
+
+**See [BRIDGE_VLAN_FILTERING.md](BRIDGE_VLAN_FILTERING.md) for detailed documentation.**
+
+### Routed Types
+
+Routed types create L3 routed interfaces (with NAT/firewall).
+
+| Type | Syntax | Description |
+|------|--------|-------------|
+| **VLAN Routing** | `route:vlan:VID` | Routed interface on VLAN |
+| **MACVLAN Routing** | `route:macvlan:MAC` | MACVLAN device with custom MAC (supports macros) |
+| **VLAN + MAC Routing** | `route:vlan:VID:MAC` | Routed interface on VLAN with custom MAC |
+| **Transparent Routing** | `route:transparent` | Routed interface on base device (no VLAN) |
+
+### Standalone Types
+
+Standalone types create VLAN interfaces without bridges or routing (proto=none by default).
+
+| Type | Syntax | Description |
+|------|--------|-------------|
+| **Direct VLAN** | `direct:VID` | Standalone VLAN interface, proto=none |
+
+### Device Reference Types
+
+Device reference types allow multiple interfaces to share the same underlying device.
+
+| Type | Syntax | Description |
+|------|--------|-------------|
+| **Device Reference** | `device-ref:INTERFACE` | References the device from another interface |
+
+**Use Case**: Create separate IPv4 and IPv6 interfaces (wan and wan6) that share the same bridge or VLAN device.
+
+**Example**:
+```bash
+# wan creates bridge on VLAN 2501 with DHCP
+# wan6 shares the same br-wan device with DHCPv6
+interface_names='wan,wan6'
+interface_types='bridge:tagged:2501,device-ref:wan-dhcpv6'
+ports='WAN,WAN'
+```
+
+**Result**:
+- `wan`: Creates `br-wan` bridge device on VLAN 2501, proto=dhcp
+- `wan6`: Uses same `br-wan` device, proto=dhcpv6
+
+**Note**: The referenced interface must be defined before the device-ref interface in the interface_names list.
+
+### Modifiers
+
+Modifiers can be appended to any interface type:
+
+| Modifier | Effect | Example |
+|----------|--------|---------|
+| `-pppoe` | Set proto=pppoe (PPPoE authentication) | `route:vlan:101-pppoe` |
+| `-dhcpv6` | Set proto=dhcpv6 (DHCPv6 client) | `bridge:tagged:2501-dhcpv6` |
+| `-dhcp` | Set proto=dhcp (DHCP client - explicit) | `bridge:transparent-dhcp` |
+| `-static` | Set proto=static (static IP) | `bridge:transparent-static` |
+| `-none`, `-n` | Set proto=none (no IP configuration) | `bridge:tagged:100-none` or `bridge:tagged:100-n` |
+| `-iptv` | Signify that this is an iptv interface (affects firewall and mcast) | `route:vlan:200-iptv` |
+| `-inet` | Signify that this is an internet interface (affects firewall) | `route:vlan:200-inet` |
+| `-mgmt` | Signify that this is a management interface (affects firewall) | `route:vlan:200-mgmt` |
+| `-disabled`, `-d` | Create but mark as disabled | `route:vlan:200-disabled` or `route:vlan:200-d` |
+
+
+#### Notes
+
+- The `-none` and `-n` modifiers are equivalent, as are `-disabled` and `-d`.
+- If no protocol modifier is specified, interfaces default to `proto=dhcp`.
+- Protocols and disabled can be clubbed together, and disabled should be in the last, for example: `transparent-qinq:2-n-d` will set proto as none and disable the interface, similarly other protocols can be used.
+- iptv, inet and mgmt modifier can only be used with route interfaces, and they can be clubbed with disabled modifier, but disable should be in the last.
+
+#### Static IP Auto-Configuration
+
+When using the `-static` modifier with an interface named `lan`, the system automatically configures:
+
+**Network Configuration**:
+- IP Address: 192.168.1.1
+- Netmask: 255.255.255.0
+- IPv6 Prefix: /60
+
+**DHCP Server Configuration**:
+- Start: 192.168.1.100
+- Limit: 150 addresses (100-250)
+- Lease time: 1 hour
+- DHCPv4: server
+- DHCPv6: server
+- Router Advertisement: server
+- SLAAC: enabled
+- RA flags: managed-config, other-config
+
+**Example**:
+```bash
+interface_names='lan,wan'
+interface_types='bridge:transparent-static,bridge:tagged:2501'
+ports='ALL_LAN,WAN'
+```
+
+For non-LAN interfaces with `-static`, only `proto=static` is set without additional configuration.
+
+**Note**: Direct interfaces default to `proto=none`, so `-n` is implicit.
+
+### MAC Address Assignment
+
+You can assign custom MAC addresses to interfaces using the `macaddrs` parameter. This is useful when ISPs require specific MAC addresses per service or for multi-service configurations.
+
+**Supported Formats:**
+
+| Format | Description | Example |
+|--------|-------------|---------|
+| **Explicit MAC** | Direct MAC address assignment | `AA:BB:CC:DD:EE:FF` |
+| **BaseMACAddress** | Use base MAC from `fw_printenv -n ethaddr` | `BaseMACAddress` |
+| **BaseMACAddressP1** | Base MAC + 1 | `BaseMACAddressP1` |
+| **BaseMACAddressPN** | Base MAC + N (any number) | `BaseMACAddressP5` |
+
+**Example:**
+```bash
+# If base MAC is 94:3F:0C:D5:76:00
+uci set netmode.@supported_args[3].value='BaseMACAddress,BaseMACAddressP1,AA:BB:CC:DD:EE:FF'
+# Results in:
+# Interface 1: 94:3F:0C:D5:76:00
+# Interface 2: 94:3F:0C:D5:76:01
+# Interface 3: AA:BB:CC:DD:EE:FF
+```
+
+**Note**: MAC addresses are assigned to interfaces in order. If you have 3 interfaces but only specify 2 MAC addresses, the 3rd interface will use the system default.
+
+---
+
+## Configuration Examples
+
+### Example 1: Simple Transparent Bridge
+
+**Scenario**: All ports bridged together, no VLANs
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan'                    # interface_names
+uci set netmode.@supported_args[13].value='bridge:transparent'     # interface_types
+uci set netmode.@supported_args[14].value='ALL'                    # ports
+uci commit netmode
+service netmode restart
+```
+
+**Result**: Creates `br-wan` bridge with all LAN+WAN ports, proto=dhcp
+
+---
+
+### Example 2: LAN-Only Bridge with Routed WAN
+
+**Scenario**: Bridge all LAN ports together, WAN as separate routed interface
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='lan,wan'
+uci set netmode.@supported_args[13].value='bridge:transparent,route:transparent'
+uci set netmode.@supported_args[14].value='ALL_LAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**: Creates `br-lan` bridge with all LAN ports only, WAN routed separately
+
+---
+
+### Example 3: VLAN-Tagged Bridge (Managed Network)
+
+**Scenario**: All ports tagged with VLAN 100
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='mgmt'
+uci set netmode.@supported_args[13].value='bridge:tagged:100'
+uci set netmode.@supported_args[14].value='ALL'
+uci commit netmode
+service netmode restart
+```
+
+**Result**: Creates `br-mgmt` with all ports tagged as `.100`
+
+---
+
+### Example 4: Multiple Service Bridges (VLAN Segregation)
+
+**Scenario**: Separate bridges for Internet (VLAN 100), IPTV (VLAN 200), Management (VLAN 300)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='inet,iptv,mgmt'
+uci set netmode.@supported_args[13].value='bridge:tagged:100-n,bridge:tagged:200-n,bridge:tagged:300'
+uci set netmode.@supported_args[14].value='LAN1-LAN2-WAN,LAN3-LAN4-WAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `br-inet`: LAN1.100 + LAN2.100 + WAN.100, proto=none
+- `br-iptv`: LAN3.200 + LAN4.200 + WAN.200, proto=none
+- `br-mgmt`: WAN.300, proto=dhcp
+
+---
+
+### Example 5: QinQ Configuration (Wholesale Provider)
+
+**Scenario**: Customer A on C-tag 10 S-tag 100, Customer B on C-tag 20 S-tag 100
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='customer_a,customer_b'
+uci set netmode.@supported_args[13].value='bridge:qinq:10:100-n,bridge:qinq:20:100-n'
+uci set netmode.@supported_args[14].value='LAN1-LAN2-WAN,LAN3-LAN4-WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `br-customer_a`: All ports double-tagged (100.10)
+- `br-customer_b`: All ports double-tagged (100.20)
+
+---
+
+### Example 6: Routed Multi-Service with Custom MAC Addresses
+
+**Scenario**: ISP requires different MAC addresses for Internet and IPTV services
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='mgmt_wan,wan,iptv_wan,lan'
+uci set netmode.@supported_args[13].value='route:macvlan:BaseMACAddressP2-mgmt,route:macvlan:BaseMACAddressP3-inet,route:macvlan:BaseMACAddressP4-iptv,bridge:transparent-static'
+uci set netmode.@supported_args[14].value='WAN,WAN,WAN,ALL_LAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `mgmt_wan`: Routed interface on WAN with base MAC + 2(58:00:32:C0:0E:42)
+- `wan`: Routed interface on WAN with base MAC + 3 (58:00:32:C0:0E:43)
+- `iptv_wan`: Routed interface on WAN with base MAC + 4 (58:00:32:C0:0E:44)
+- `lan`: bridged interface on ALL LAN ports with base MAC (58:00:32:C0:0E:40)
+
+---
+
+### Example 7: Routed Multi-Service (VLAN-based)
+
+**Scenario**: Internet on VLAN 100, IPTV on VLAN 200, Management on VLAN 300, all routed
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='mgmt_wan,wan,iptv_wan,lan'
+uci set netmode.@supported_args[13].value='route:vlan:300-mgmt,route:vlan:100-inet,route:vlan:200-iptv,bridge:transparent-static'
+uci set netmode.@supported_args[14].value='WAN,WAN,WAN,ALL_LAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `wan`: Routed on WAN.100, proto=dhcp
+- `iptv`: Routed on WAN.200, proto=dhcp
+- `mgmt`: Routed on WAN.300, proto=dhcp
+
+---
+
+### Example 8: Routed Multi-Service (MACVLAN with Macros)
+
+**Scenario**: Internet and IPTV using MACVLAN devices with MAC address macros
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv'
+uci set netmode.@supported_args[13].value='route:transparent,route:macvlan:BaseMACAddressP1'
+uci set netmode.@supported_args[14].value='WAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `wan`: Routed on WAN with default MAC (94:3F:0C:D5:76:00)
+- `iptv`: MACVLAN device on WAN with base MAC + 1 (94:3F:0C:D5:76:01)
+
+**Alternative with explicit MAC:**
+```bash
+uci set netmode.@supported_args[13].value='route:transparent,route:macvlan:AA:BB:CC:DD:EE:FF'
+```
+
+---
+
+### Example 9: Routed Multi-Service (VLAN + MACVLAN)
+
+**Scenario**: Internet on VLAN 100, IPTV on VLAN 200 with custom MAC
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv'
+uci set netmode.@supported_args[13].value='route:vlan:100,route:vlan:200:AA:BB:CC:DD:EE:FF'
+uci set netmode.@supported_args[14].value='WAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `wan`: Routed on WAN.100 (default MAC), proto=dhcp
+- `iptv`: Routed on WAN.200 with custom MAC, proto=dhcp
+
+---
+
+### Example 10: Standalone VLAN Interface (Direct)
+
+**Scenario**: WAN as standalone VLAN 2501 interface (no bridge, no routing)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan'
+uci set netmode.@supported_args[13].value='direct:2501'
+uci set netmode.@supported_args[14].value='WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**: Creates WAN.2501 interface, proto=none (no DHCP)
+
+---
+
+### Example 11: Mixed Bridge and Routed Interfaces
+
+**Scenario**: IPTV bridged on VLAN 200, Internet routed on VLAN 100
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv'
+uci set netmode.@supported_args[13].value='route:vlan:100,bridge:tagged:200-n'
+uci set netmode.@supported_args[14].value='WAN,LAN1-LAN2-WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Result**:
+- `wan`: Routed on WAN.100, proto=dhcp (firewall enabled)
+- `br-iptv`: Bridge on LAN1.200 + LAN2.200 + WAN.200, proto=none
+
+---
+
+## Use Case Scenarios
+
+### Scenario 1: ISP Triple-Play Service (Routed)
+
+**Requirement**: Internet on VLAN 100, IPTV on VLAN 200, VoIP on VLAN 300, all routed
+
+**Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv,voip'
+uci set netmode.@supported_args[13].value='route:vlan:100,route:vlan:200,route:vlan:300'
+uci set netmode.@supported_args[14].value='WAN,WAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Network Topology**:
+```
+WAN (ae_wan)
+  ├── wan (VLAN 100) - Internet - Routed
+  ├── iptv (VLAN 200) - IPTV - Routed
+  └── voip (VLAN 300) - VoIP - Routed
+```
+
+---
+
+### Scenario 2: ISP Triple-Play with MACVLAN
+
+**Requirement**: Internet normal MAC, IPTV with custom MAC, VoIP with custom MAC
+
+**Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv,voip'
+uci set netmode.@supported_args[13].value='route:transparent,route:macvlan:AA:BB:CC:DD:EE:01,route:macvlan:AA:BB:CC:DD:EE:02'
+uci set netmode.@supported_args[14].value='WAN,WAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+---
+
+### Scenario 3: Enterprise VLAN Segregation (Bridged)
+
+**Requirement**: Guest WiFi on VLAN 100, Corporate on VLAN 200, Management on VLAN 300, all bridged
+
+**Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='guest,corporate,mgmt'
+uci set netmode.@supported_args[13].value='bridge:tagged:100-n,bridge:tagged:200-n,bridge:tagged:300'
+uci set netmode.@supported_args[14].value='LAN1-WAN,LAN2-LAN3-WAN,WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Network Topology**:
+```
+LAN1.100 ──┬── WAN.100 ──[ br-guest ] (proto=none)
+LAN2.200 ──┬── WAN.200 ──[ br-corporate ] (proto=none)
+LAN3.200 ──┘
+WAN.300 ────[ br-mgmt ] (proto=dhcp)
+```
+
+---
+
+### Scenario 4: Wholesale QinQ Provider
+
+**Requirement**: Multiple customers on single fiber, S-tag 100, different C-tags
+
+**Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='cust_a,cust_b,cust_c'
+uci set netmode.@supported_args[13].value='bridge:qinq:10:100-n,bridge:qinq:20:100-n,bridge:qinq:30:100-n'
+uci set netmode.@supported_args[14].value='LAN1-LAN2-WAN,LAN3-LAN4-WAN,LAN5-LAN6-WAN'
+uci commit netmode
+service netmode restart
+```
+
+---
+
+### Scenario 5: Hybrid Bridge + Routed
+
+**Requirement**: Internet routed, IPTV bridged to STBs
+
+**Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv'
+uci set netmode.@supported_args[13].value='route:vlan:100,bridge:tagged:200-n'
+uci set netmode.@supported_args[14].value='WAN,LAN1-LAN2-LAN3-WAN'
+uci commit netmode
+service netmode restart
+```
+
+**Network Topology**:
+```
+WAN.100 ─── [ wan - routed ] (NAT, firewall enabled)
+
+LAN1.200 ──┐
+LAN2.200 ──┼─ WAN.200 ──[ br-iptv ] (transparent bridge, proto=none)
+LAN3.200 ──┘
+```
+
+---
+
+## Port List Specifications
+
+### Port List Syntax
+
+- **`ALL`**: All LAN ports + WAN port + EXT port (resolved from UCI or board.json)
+- **`ALL_LAN`**: All LAN ports only (no WAN, no EXT) - useful for LAN-only bridges
+- **`LAN`**: Single LAN port (for devices with one LAN port)
+- **`WAN`**: Only WAN port
+- **`EXT`**: Only EXT port
+- **`LAN-WAN`**: Single LAN port and WAN
+- **`LAN1-LAN2-WAN`**: LAN1, LAN2, and WAN
+- **`LAN1-LAN3-EXT`**: LAN1, LAN3, and EXT
+- **`WAN-EXT`**: WAN and EXT ports
+
+**Note**: For devices with a single LAN port, use `LAN`. For devices with multiple LAN ports, use `LAN1-8`. The `ALL` and `ALL_LAN` macros automatically detect which configuration is present.
+
+#### Individual untagged port
+
+- Suppose we have a bridge:tagged type interface, so all the ports are going to be tagged in this case. To mark any of the ports untagged individually, ":u" modifier can be used with the port, for example, to make LAN3 untagged (transparent) here: "LAN2-LAN3:u-LAN4-WAN".
+
+### Device Name Resolution
+
+Port macros (LAN, LAN1-LAN8, WAN, EXT) are automatically resolved to actual device names:
+- `LAN` → `uci get network.LAN.name` → e.g., `eth1` (single LAN port devices)
+- `LAN1` → `uci get network.LAN1.name` → e.g., `eth1` (multi-port devices)
+- `WAN` → `uci get network.WAN.name` → e.g., `ae_wan`
+- `EXT` → `uci get network.EXT.name` → e.g., `eth5`
+
+If UCI device section doesn't exist, the system falls back to board.json.
+
+---
+
+## TR-069/USP Configuration
+
+### TR-181 Data Model Mapping
+
+The advanced mode uses three arguments in TR-181:
+
+1. **SupportedArguments.1** = `interface_names`
+2. **SupportedArguments.2** = `interface_types`
+3. **SupportedArguments.3** = `ports`
+
+### Example 1: Transparent Bridge via TR-069
+
+```xml
+<SetParameterValues>
+  <ParameterList>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.Mode</Name>
+      <Value>advanced</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.1.Value</Name>
+      <Value>wan</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.2.Value</Name>
+      <Value>bridge:transparent</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.3.Value</Name>
+      <Value>ALL</Value>
+    </ParameterValueStruct>
+  </ParameterList>
+</SetParameterValues>
+```
+
+### Example 2: Routed Multi-Service via TR-069
+
+```xml
+<SetParameterValues>
+  <ParameterList>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.Mode</Name>
+      <Value>advanced</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.1.Value</Name>
+      <Value>wan,iptv,mgmt</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.2.Value</Name>
+      <Value>route:vlan:100,route:vlan:200,route:vlan:300</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.3.Value</Name>
+      <Value>WAN,WAN,WAN</Value>
+    </ParameterValueStruct>
+  </ParameterList>
+</SetParameterValues>
+```
+
+### Example 3: QinQ Bridge via TR-069
+
+```xml
+<SetParameterValues>
+  <ParameterList>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.Mode</Name>
+      <Value>advanced</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.1.Value</Name>
+      <Value>customer_a,customer_b</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.2.Value</Name>
+      <Value>bridge:qinq:10:100-n,bridge:qinq:20:100-n</Value>
+    </ParameterValueStruct>
+    <ParameterValueStruct>
+      <Name>Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.3.Value</Name>
+      <Value>LAN1-LAN2-WAN,LAN3-LAN4-WAN</Value>
+    </ParameterValueStruct>
+  </ParameterList>
+</SetParameterValues>
+```
+
+---
+
+## Troubleshooting
+
+### Issue: VLANs Not Working
+
+**Diagnosis**:
+```bash
+# Check VLAN devices created
+uci show network | grep 8021q
+
+# Check interface status
+ip link show
+ip addr show
+
+# Verify VLAN traffic
+tcpdump -i eth4 -e -n vlan
+```
+
+**Solution**:
+```bash
+# Ensure kernel module loaded
+modprobe 8021q
+lsmod | grep 8021
+
+# Check switch configuration (if applicable)
+swconfig dev switch0 show
+```
+
+---
+
+### Issue: QinQ Not Working
+
+**Diagnosis**:
+```bash
+# Check for 8021ad devices
+uci show network | grep 8021ad
+
+# Verify kernel support
+modprobe 8021q
+lsmod | grep 8021
+```
+
+**Solution**:
+```bash
+# Install QinQ support
+opkg install kmod-8021q
+
+# Verify S-tag ethertype (0x88a8)
+tcpdump -i eth4 -e -n -xx vlan
+```
+
+---
+
+### Issue: MACVLAN Interface Not Getting IP
+
+**Diagnosis**:
+```bash
+# Check MACVLAN device
+ip link show | grep macvlan
+
+# Check MAC address
+ip link show <interface>_macvlan | grep ether
+
+# Test DHCP
+udhcpc -i <interface>_macvlan -n
+```
+
+**Solution**:
+```bash
+# Verify passthru mode
+uci show network | grep -A5 macvlan
+
+# Ensure MAC is unique
+# Some ISPs require specific MAC format
+```
+
+---
+
+### Issue: Mixed Bridge/Route Not Working
+
+**Diagnosis**:
+```bash
+# Check firewall status
+uci show firewall.globals.enabled
+
+# Verify interfaces
+ip addr show
+
+# Check routing table
+ip route show
+```
+
+**Solution**:
+Firewall is always enabled. For debugging:
+```bash
+# Temporarily disable firewall
+uci set firewall.globals.enabled='0'
+uci commit firewall
+/etc/init.d/firewall restart
+```
+
+---
+
+### Issue: Port Not Added to Bridge
+
+**Diagnosis**:
+```bash
+# Check UCI device resolution
+uci get network.LAN1.name
+
+# Check bridge ports
+brctl show
+
+# Check UCI bridge configuration
+uci show network | grep -A10 "type='bridge'"
+```
+
+**Solution**:
+```bash
+# Verify device sections exist
+uci show network | grep "device="
+
+# Check board.json for defaults
+cat /etc/board.json | grep -A20 network
+```
+
+---
+
+## Verification Commands
+
+### Check Configuration
+
+```bash
+# View current mode
+cat /etc/netmodes/.last_mode
+
+# View netmode configuration
+uci show netmode
+
+# View network configuration
+uci show network
+
+# View environment variables (during mode switch)
+logread | grep "Interface names:"
+```
+
+### Check Interface Status
+
+```bash
+# All interfaces
+ip addr show
+
+# Bridges
+brctl show
+bridge link show
+
+# VLAN devices
+ip -d link show type vlan
+
+# MACVLAN devices
+ip -d link show type macvlan
+```
+
+### Check Connectivity
+
+```bash
+# DHCP on interface
+udhcpc -i wan -n
+
+# Ping gateway
+ping -c 3 $(ip route | grep default | awk '{print $3}')
+
+# DNS resolution
+nslookup google.com
+
+# VLAN traffic capture
+tcpdump -i eth4 -e -n vlan
+```
+
+### Check Logs
+
+```bash
+# Netmode logs
+logread | grep netmode-advanced
+
+# Network logs
+logread | grep network
+
+# Live monitoring
+logread -f | grep -E "(netmode|network)"
+```
+
+---
+
+## Migration from Old Modes
+
+### From `bridged` Mode
+
+**Old Configuration**:
+```bash
+uci set netmode.global.mode='bridged'
+uci set netmode.@supported_args[0].value='wan'
+uci set netmode.@supported_args[1].value='transparent'
+uci set netmode.@supported_args[2].value='ALL'
+```
+
+**New Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan'
+uci set netmode.@supported_args[13].value='bridge:transparent'
+uci set netmode.@supported_args[14].value='ALL'
+```
+
+**Change**: Add `bridge:` prefix to interface type.
+
+---
+
+### From `routed-multi-service` Mode
+
+**Old Configuration**:
+```bash
+uci set netmode.global.mode='routed-multi-service'
+uci set netmode.@supported_args[0].value='100'  # inet_vlanid
+uci set netmode.@supported_args[2].value='200'  # iptv_vlanid
+uci set netmode.@supported_args[4].value='300'  # mgmt_vlanid
+```
+
+**New Configuration**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[12].value='wan,iptv,mgmt'
+uci set netmode.@supported_args[13].value='route:vlan:100,route:vlan:200,route:vlan:300'
+uci set netmode.@supported_args[14].value='WAN,WAN,WAN'
+```
+
+**Change**: Explicit interface names and unified syntax.
+
+---
+
+## Best Practices
+
+1. **VLAN Planning**: Document all VLAN IDs before deployment
+2. **Port Assignment**: Create clear mapping of ports to services
+3. **Testing**: Test on lab environment before production
+4. **Monitoring**: Use `tcpdump` to verify VLAN tags
+5. **Firewall**: Be aware that routed interfaces enable firewall
+6. **Naming**: Use descriptive interface names (iptv, mgmt, voip)
+7. **Documentation**: Keep ISP-specific requirements documented
+8. **Backup**: Always backup configuration before major changes
+
+---
+
+**Document Version**: 1.0
+**Package Version**: 1.1.11+
+**Last Updated**: 2024-12-12
+**Mode Status**: Production Ready

netmode/docs/ADVANCED_MODE_IMPLEMENTATION.md

@@ -0,0 +1,567 @@
+# Advanced Mode - Implementation Summary
+
+## Overview
+
+The **advanced** mode is a unified network configuration mode that consolidates and extends the functionality of the previous `bridged` and `routed-multi-service` modes into a single, flexible interface.
+
+## Design Rationale
+
+### Problems with Old Approach
+
+1. **Mode Fragmentation**: Separate modes for bridged and routed scenarios
+2. **Limited Flexibility**: Couldn't mix bridges and routed interfaces
+3. **Confusing Naming**: "bridged" mode actually supported standalone interfaces too
+4. **Parameter Proliferation**: routed-multi-service had 6+ parameters for just 3 services
+5. **No Scalability**: Adding new services required new parameters
+
+### New Unified Approach
+
+The advanced mode uses a **declarative, array-based configuration**:
+
+```
+interface_names:  wan,    iptv,           mgmt
+interface_types:  route:vlan:100, bridge:tagged:200, direct:300
+ports:       WAN,    LAN1-LAN2-WAN,  WAN
+```
+
+**Benefits**:
+- ✅ Single mode for all scenarios
+- ✅ Scalable (add N interfaces without new parameters)
+- ✅ Flexible (mix bridge/route/standalone)
+- ✅ Intuitive syntax
+- ✅ Self-documenting configuration
+
+## Architecture
+
+### File Structure
+
+```
+netmode/
+├── files/
+│   ├── etc/netmodes/advanced/
+│   │   └── scripts/
+│   │       └── 10-advanced           # Main mode script
+│   ├── lib/netmode/
+│   │   └── advanced_helper.sh        # Helper library
+│   └── etc/netmodes/supported_modes.json
+└── docs/
+    ├── ADVANCED_MODE_GUIDE.md         # Complete guide
+    └── ADVANCED_MODE_QUICK_REFERENCE.md
+```
+
+### Components
+
+#### 1. advanced_helper.sh
+
+**Purpose**: Core library for interface creation
+
+**Key Functions**:
+- `parse_interface_type()` - Parse interface type specifications
+- `create_bridge()` - Create bridge interfaces with VLAN/QinQ
+- `create_routed_interface()` - Create routed interfaces with VLAN/MACVLAN
+- `create_standalone_interface()` - Create direct VLAN interfaces
+- `parse_port_list()` - Resolve port macros to device names
+- `resolve_device_name()` - Resolve LAN1/WAN to actual device names
+- `cleanup_interfaces()` - Clean up all interfaces before applying new config
+
+#### 2. 10-advanced Script
+
+**Purpose**: Main mode script
+
+**Flow**:
+1. Parse environment variables (NETMODE_*)
+2. Split comma-separated values
+3. Loop through each interface
+4. Parse interface type
+5. Call appropriate creation function (bridge/route/direct)
+6. Configure multicast, DHCP, firewall
+7. Update service dependencies
+
+#### 3. supported_modes.json
+
+**Purpose**: Mode definition for UCI import
+
+**Configuration**:
+```json
+{
+  "name": "advanced",
+  "description": "Advanced Mode - Unified configuration...",
+  "supported_args": [
+    {
+      "name": "interface_names",
+      "description": "Interface names (comma-separated...)",
+      "type": "string"
+    },
+    ...
+  ]
+}
+```
+
+## Interface Type Syntax
+
+### Design Philosophy
+
+**Format**: `MODE:SUBTYPE[:PARAMS][:MODIFIERS]`
+
+Examples:
+- `bridge:transparent` - Mode=bridge, Subtype=transparent
+- `bridge:tagged:100` - Mode=bridge, Subtype=tagged, Param=VID
+- `route:vlan:100:AA:BB:CC:DD:EE:FF` - Mode=route, Subtype=vlan, Params=VID+MAC
+- `direct:2501-n` - Mode=direct, Param=VID, Modifier=proto_none
+
+### Parsing Logic
+
+The `parse_interface_type()` function:
+
+1. **Extract modifiers** (-n, -d)
+2. **Parse mode prefix** (bridge:/route:/direct:)
+3. **Parse subtype** (transparent/tagged/vlan/macvlan)
+4. **Parse parameters** (VID, SVID, MAC address)
+5. **Export to environment variables** for caller
+
+## UCI Device Resolution
+
+### Problem
+
+Port macros (LAN1, LAN2, WAN) are logical names that need to be mapped to actual hardware interfaces.
+
+### Solution
+
+```bash
+resolve_device_name() {
+    local device_id="$1"
+    local resolved_name=""
+
+    # Try UCI device section
+    resolved_name="$(uci -q get network.${device_id}.name)"
+
+    # Fallback to input
+    if [ -z "$resolved_name" ]; then
+        resolved_name="$device_id"
+    fi
+
+    echo "$resolved_name"
+}
+```
+
+**Example**:
+```
+LAN1 → uci get network.LAN1.name → eth1
+WAN  → uci get network.WAN.name  → ae_wan
+```
+
+### Port List Resolution
+
+The `parse_port_list()` function:
+
+1. **Check for "ALL"** → Resolve all LAN1-8 + WAN
+2. **Parse dash-separated** → LAN1-LAN2-WAN → resolve each
+3. **Return space-separated** → "eth1 eth2 ae_wan"
+
+## VLAN Device Creation
+
+### 802.1Q (C-tag)
+
+```bash
+create_vlan_device "eth0" "100" "8021q"
+```
+
+Creates:
+```
+config device 'eth0__100'
+    option type '8021q'
+    option enabled '1'
+    option vid '100'
+    option ifname 'eth0'
+    option name 'eth0.100'
+```
+
+### 802.1ad (S-tag)
+
+```bash
+create_vlan_device "eth0" "300" "8021ad"
+```
+
+Creates:
+```
+config device 'eth0__300'
+    option type '8021ad'
+    option enabled '1'
+    option vid '300'
+    option ifname 'eth0'
+    option name 'eth0.300'
+```
+
+### QinQ (Double Tagging)
+
+For `bridge:qinq:100:300`:
+
+```bash
+# Create S-tag first
+svlan=$(create_vlan_device "eth0" "300" "8021ad")  # eth0.300
+
+# Create C-tag on top of S-tag
+cvlan=$(create_vlan_device "$svlan" "100" "8021q")  # eth0.300.100
+```
+
+Result: `eth0.300.100` (S-tag 300, C-tag 100)
+
+## MACVLAN Device Creation
+
+For `route:macvlan:AA:BB:CC:DD:EE:FF`:
+
+```bash
+create_macvlan_device "ae_wan" "AA:BB:CC:DD:EE:FF" "iptv"
+```
+
+Creates:
+```
+config device 'iptv_macvlan'
+    option type 'macvlan'
+    option enabled '1'
+    option ifname 'ae_wan'
+    option name 'iptv_macvlan'
+    option macaddr 'AA:BB:CC:DD:EE:FF'
+    option mode 'passthru'
+```
+
+## Bridge Creation
+
+### Transparent Bridge
+
+For `bridge:transparent` with `ports='ALL'`:
+
+```bash
+create_bridge "wan" "bridge:transparent" "ALL"
+```
+
+Creates:
+```
+config interface 'wan'
+    option proto 'dhcp'
+    option device 'br-wan'
+
+config device 'br_wan'
+    option name 'br-wan'
+    option type 'bridge'
+    option bridge_empty '1'
+    list ports 'eth1'
+    list ports 'eth2'
+    list ports 'ae_wan'
+```
+
+### VLAN-Tagged Bridge
+
+For `bridge:tagged:100` with `ports='ALL'`:
+
+Creates VLAN devices on all ports first, then adds to bridge:
+```
+config device 'br_mgmt'
+    option name 'br-mgmt'
+    option type 'bridge'
+    list ports 'eth1.100'
+    list ports 'eth2.100'
+    list ports 'ae_wan.100'
+```
+
+## Routed Interface Creation
+
+For `route:vlan:100`:
+
+```bash
+create_routed_interface "wan" "vlan" "100" "" "dhcp" "ae_wan" "0"
+```
+
+Creates:
+```
+config device 'ae_wan__100'
+    option type '8021q'
+    option vid '100'
+    option ifname 'ae_wan'
+    option name 'ae_wan.100'
+
+config interface 'wan'
+    option proto 'dhcp'
+    option device 'ae_wan.100'
+```
+
+## Firewall Logic
+
+The advanced mode has **intelligent firewall handling**:
+
+```bash
+configure_firewall() {
+    local has_routed=0
+
+    # Check if ANY interface is routed
+    for if_type in $interface_types; do
+        if echo "$if_type" | grep -q "^route:"; then
+            has_routed=1
+            break
+        fi
+    done
+
+    if [ "$has_routed" = "1" ]; then
+        uci set firewall.globals.enabled="1"  # Enable for routed
+    else
+        uci set firewall.globals.enabled="0"  # Disable for bridge-only
+    fi
+}
+```
+
+**Logic**:
+- If **any** interface is routed → Enable firewall
+- If **all** interfaces are bridges → Disable firewall
+
+## Environment Variable Flow
+
+### Input (UCI → Environment)
+
+```bash
+# In netmode init script
+export NETMODE_interface_names="wan,iptv,mgmt"
+export NETMODE_interface_types="route:vlan:100,route:vlan:200,route:vlan:300"
+export NETMODE_ports="WAN,WAN,WAN"
+```
+
+### Parsing (Script)
+
+```bash
+# In 10-advanced script
+local interface_names="${NETMODE_interface_names:-wan}"
+local interface_types="${NETMODE_interface_types:-bridge:transparent}"
+local ports="${NETMODE_ports:-ALL}"
+
+# Split by comma
+IFS=','
+for name in $interface_names; do
+    names_arr="$names_arr $name"
+done
+```
+
+### Output (UCI Network Config)
+
+```
+config interface 'wan'
+    option proto 'dhcp'
+    option device 'ae_wan.100'
+
+config interface 'iptv'
+    option proto 'dhcp'
+    option device 'ae_wan.200'
+...
+```
+
+## Cleanup Strategy
+
+Before applying new configuration, all existing interfaces are cleaned up:
+
+```bash
+cleanup_interfaces() {
+    # Delete VLAN devices (8021q and 8021ad)
+    for vlandev_sec in $(uci show network | grep -E "\.type='(8021q|8021ad)'" ...); do
+        uci delete "$vlandev_sec"
+    done
+
+    # Delete MACVLAN devices
+    for macvlandev_sec in $(uci show network | grep "\.type='macvlan'" ...); do
+        uci delete "$macvlandev_sec"
+    done
+
+    # Delete bridge devices
+    for brdev_sec in $(uci show network | grep "\.type='bridge'" ...); do
+        uci delete "$brdev_sec"
+    done
+
+    # Delete standard interfaces
+    uci delete network.lan
+    uci delete network.wan
+    uci delete network.wan6
+}
+```
+
+This ensures a clean slate for the new configuration.
+
+## Migration Path
+
+### From bridged Mode
+
+**Before**:
+```bash
+mode='bridged'
+interface_names='wan,lan100'
+interface_types='transparent,tagged:100'
+ports='ALL,LAN1-LAN2'
+```
+
+**After**:
+```bash
+mode='advanced'
+interface_names='wan,lan100'
+interface_types='bridge:transparent,bridge:tagged:100'
+ports='ALL,LAN1-LAN2'
+```
+
+**Change**: Add `bridge:` prefix to types.
+
+### From routed-multi-service Mode
+
+**Before**:
+```bash
+mode='routed-multi-service'
+inet_vlanid='100'
+iptv_vlanid='200'
+mgmt_vlanid='300'
+```
+
+**After**:
+```bash
+mode='advanced'
+interface_names='wan,iptv,mgmt'
+interface_types='route:vlan:100,route:vlan:200,route:vlan:300'
+ports='WAN,WAN,WAN'
+```
+
+**Change**: Explicit interface names and unified syntax.
+
+## Testing Approach
+
+### Unit Testing
+
+Test individual helper functions:
+
+```bash
+# Test device resolution
+resolve_device_name "LAN1"  # Should return eth1
+
+# Test port parsing
+parse_port_list "LAN1-LAN2-WAN"  # Should return "eth1 eth2 ae_wan"
+
+# Test type parsing
+parse_interface_type "bridge:qinq:100:300-n"
+# Should set: mode=bridge, vlan_type=qinq, cvid=100, svid=300, proto=none
+```
+
+### Integration Testing
+
+Test complete scenarios:
+
+```bash
+# Test transparent bridge
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan'
+uci set netmode.@supported_args[1].value='bridge:transparent'
+uci set netmode.@supported_args[2].value='ALL'
+uci commit netmode
+service netmode restart
+
+# Verify
+brctl show | grep br-wan
+```
+
+### Validation
+
+```bash
+# Check UCI output
+uci show network
+
+# Check actual interfaces
+ip addr show
+brctl show
+ip -d link show type vlan
+
+# Check logs
+logread | grep netmode-advanced
+```
+
+## Performance Considerations
+
+### Comma Splitting Optimization
+
+The script uses efficient IFS-based splitting:
+
+```bash
+local OLD_IFS="$IFS"
+IFS=','
+for name in $interface_names; do
+    names_arr="$names_arr $name"
+done
+IFS="$OLD_IFS"
+```
+
+This is faster than using `cut` or `awk` in loops.
+
+### UCI Batching
+
+All UCI commands are batched, with a single `uci commit` at the end:
+
+```bash
+# Multiple uci set commands
+uci set ...
+uci set ...
+uci set ...
+
+# Single commit
+uci commit network
+```
+
+### Logging
+
+Logging is selective - info level for major steps, debug for details:
+
+```bash
+_log "Creating interface $idx/$total_interfaces"  # Info
+logger -s -p user.debug -t "$_log_prefix" "Adding port: $port"  # Debug
+```
+
+## Security Considerations
+
+### Input Validation
+
+- VLANs IDs: 1-4094
+- MAC addresses: Validated format
+- Port names: Resolved through UCI (trusted source)
+
+### Privilege Separation
+
+- Script runs as root (required for network config)
+- No user input directly executed
+- Environment variables sanitized through UCI
+
+## Future Enhancements
+
+Possible future additions:
+
+1. **Static IP support**: `route:vlan:100:static:192.168.1.1`
+2. **Port roles**: `ports='LAN1(tagged),LAN2(untagged)'`
+3. **Bridge STP**: `bridge:transparent:stp`
+4. **IPv6 specific**: `route:vlan:100:ipv6`
+5. **Validation**: Pre-flight checks for VLAN conflicts
+
+## Backward Compatibility
+
+**Status**: ⚠️ Breaking change by design
+
+The old `bridged` and `routed-multi-service` modes are **replaced** by advanced mode. This is acceptable because:
+
+1. This is the **first deployment** of advanced features
+2. No existing production deployments use old syntax
+3. Cleaner architecture without legacy baggage
+4. Documentation focuses on new syntax only
+
+## Summary
+
+The advanced mode represents a significant architectural improvement:
+
+- ✅ **Unified**: One mode for all scenarios
+- ✅ **Scalable**: Array-based configuration
+- ✅ **Flexible**: Mix bridges, routed, standalone
+- ✅ **Intuitive**: Self-documenting syntax
+- ✅ **Powerful**: VLAN, QinQ, MACVLAN support
+- ✅ **Clean**: No backward compatibility burden
+
+---
+
+**Implementation Version**: 1.0
+**Date**: 2024-12-12
+**Status**: Production Ready

netmode/docs/ADVANCED_MODE_QUICK_REFERENCE.md

@@ -0,0 +1,313 @@
+# Advanced Mode - Quick Reference
+
+## Interface Type Syntax
+
+### Bridge Types (Traditional VLAN Devices)
+```
+bridge:transparent              # No VLANs
+bridge:tagged:VID               # All ports tagged
+bridge:wan-tagged:VID           # Only WAN tagged
+bridge:transparent-qinq:SVID    # LAN untagged, WAN S-tag
+bridge:transparent-qinq:C:S     # LAN untagged, WAN C+S tags
+bridge:tagged-qinq:C:S          # LAN C-tag, WAN C+S tags
+bridge:qinq:C:S                 # All ports C+S tags
+```
+
+### Bridge VLAN Filtering (Modern - Recommended)
+```
+brvlan:tagged:VID               # All ports tagged (bridge-vlan)
+brvlan:wan-tagged:VID           # WAN tagged, LAN untagged (bridge-vlan)
+brvlan:mixed:VID                # Custom tagging (bridge-vlan)
+```
+
+### Routed Types
+```
+route:transparent               # No VLAN, default MAC
+route:vlan:VID                  # VLAN routing
+route:macvlan:MAC               # MACVLAN device (supports BaseMACAddress macros)
+route:vlan:VID:MAC              # VLAN + custom MAC
+```
+
+### Standalone Types
+```
+direct:VID                      # Standalone VLAN (proto=none)
+```
+
+### Device Reference Types
+```
+device-ref:INTERFACE            # Reference device from another interface
+                                # Allows multiple interfaces to share the same device
+                                # Example: wan6 sharing wan's device
+```
+
+### Modifiers
+```
+-pppoe                          # proto=pppoe (PPPoE authentication)
+-dhcpv6                         # proto=dhcpv6 (DHCPv6 client)
+-dhcp                           # proto=dhcp (DHCP client - explicit, default if no suffix)
+-static                         # proto=static (static IP configuration)
+-none, -n                       # proto=none (no IP configuration)
+-disabled, -d                   # disabled=1 (interface disabled)
+```
+
+**Default Protocol**: If no protocol modifier is specified, the interface defaults to `-dhcp`.
+
+**Note**: When using `-static` with interface name `lan`, the system automatically configures:
+- IP: 192.168.1.1/24
+- IPv6 prefix delegation: /60
+- DHCP server: 192.168.1.100-250, 1h lease
+- DHCPv6 and RA server enabled
+
+### MAC Address Macros
+```
+BaseMACAddress                  # Base MAC from fw_printenv -n ethaddr
+BaseMACAddressP1                # Base MAC + 1
+BaseMACAddressP2                # Base MAC + 2
+BaseMACAddressPN                # Base MAC + N
+AA:BB:CC:DD:EE:FF               # Explicit MAC address
+```
+
+---
+
+## Common Configurations
+
+### 1. Transparent Bridge
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan'
+uci set netmode.@supported_args[1].value='bridge:transparent'
+uci set netmode.@supported_args[2].value='ALL'
+uci commit netmode && service netmode restart
+```
+
+### 2. Router Mode (LAN + WAN)
+```bash
+# LAN bridge with static IP + DHCP server, WAN bridge with DHCP client
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='lan,wan'
+uci set netmode.@supported_args[1].value='bridge:transparent-static,bridge:tagged:2501'
+uci set netmode.@supported_args[2].value='ALL_LAN,WAN'
+uci commit netmode && service netmode restart
+```
+
+### 3. VLAN-Tagged Bridge
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='mgmt'
+uci set netmode.@supported_args[1].value='bridge:tagged:100'
+uci set netmode.@supported_args[2].value='ALL'
+uci commit netmode && service netmode restart
+```
+
+### 4. Multiple Service Bridges
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='inet,iptv,mgmt'
+uci set netmode.@supported_args[1].value='bridge:tagged:100-n,bridge:tagged:200-n,bridge:tagged:300'
+uci set netmode.@supported_args[2].value='LAN1-LAN2-WAN,LAN3-LAN4-WAN,WAN'
+uci commit netmode && service netmode restart
+```
+
+### 5. QinQ Configuration
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='customer_a,customer_b'
+uci set netmode.@supported_args[1].value='bridge:qinq:10:100-n,bridge:qinq:20:100-n'
+uci set netmode.@supported_args[2].value='LAN1-LAN2-WAN,LAN3-LAN4-WAN'
+uci commit netmode && service netmode restart
+```
+
+### 6. Routed Multi-Service (VLAN)
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan,iptv,mgmt'
+uci set netmode.@supported_args[1].value='route:vlan:100,route:vlan:200,route:vlan:300'
+uci set netmode.@supported_args[2].value='WAN,WAN,WAN'
+uci commit netmode && service netmode restart
+```
+
+### 7. Routed Multi-Service with Custom MAC Addresses
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan,iptv'
+uci set netmode.@supported_args[1].value='route:transparent,route:transparent'
+uci set netmode.@supported_args[2].value='WAN,WAN'
+uci set netmode.@supported_args[3].value='BaseMACAddress,BaseMACAddressP1'
+uci commit netmode && service netmode restart
+```
+
+### 8. IPv4 + IPv6 on Same Device (Device Reference)
+```bash
+# wan uses DHCP, wan6 uses DHCPv6 on the same bridge device
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan,wan6'
+uci set netmode.@supported_args[1].value='bridge:tagged:2501,device-ref:wan-dhcpv6'
+uci set netmode.@supported_args[2].value='WAN,WAN'
+uci commit netmode && service netmode restart
+```
+
+### 9. Direct VLAN Interface
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan'
+uci set netmode.@supported_args[1].value='direct:2501'
+uci set netmode.@supported_args[2].value='WAN'
+uci commit netmode && service netmode restart
+```
+
+### 10. Hybrid (Routed + Bridged)
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='wan,iptv'
+uci set netmode.mode_4_supprted_args_2.value='route:vlan:100,bridge:tagged:200-n'
+uci set netmode.mode_4_supprted_args_3.value='WAN,LAN1-LAN2-LAN3-WAN'
+uci commit netmode && service netmode restart
+```
+
+### 11. Bridge VLAN Filtering (WAN Tagged)
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:1499'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN'
+uci commit netmode && service netmode restart
+```
+
+### 12. Multiple Services with Bridge VLAN Filtering
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet,tv'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:1499,brvlan:wan-tagged:1510-n'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN,LAN3-LAN4-WAN'
+uci commit netmode && service netmode restart
+```
+
+---
+
+## Port List Syntax
+
+| Syntax | Description |
+|--------|-------------|
+| `ALL` | All LAN + WAN + EXT ports (from UCI/board.json) |
+| `ALL_LAN` | All LAN ports only (no WAN, no EXT) |
+| `LAN` | Single LAN port (for devices with one LAN port) |
+| `WAN` | WAN port only |
+| `EXT` | EXT port only |
+| `LAN-WAN` | Single LAN port and WAN |
+| `LAN1-LAN2-WAN` | LAN1, LAN2, and WAN |
+| `LAN1-LAN3-EXT` | LAN1, LAN3, and EXT |
+| `WAN-EXT` | WAN and EXT ports |
+
+**Note**: `LAN` is used for devices with a single LAN port, while `LAN1-8` are used for devices with multiple numbered LAN ports. The system automatically detects which is present in UCI.
+
+---
+
+## Verification Commands
+
+```bash
+# Check current mode
+cat /etc/netmodes/.last_mode
+
+# View configuration
+uci show netmode
+
+# View network interfaces
+ip addr show
+
+# View bridges
+brctl show
+
+# View VLAN devices
+ip -d link show type vlan
+
+# View MACVLAN devices
+ip -d link show type macvlan
+
+# View logs
+logread | grep netmode-advanced
+
+# Test DHCP
+udhcpc -i wan -n
+
+# Capture VLAN traffic
+tcpdump -i eth4 -e -n vlan
+```
+
+---
+
+## Troubleshooting
+
+### Force mode reapply
+```bash
+rm /etc/netmodes/.last_mode
+service netmode restart
+```
+
+### Check for errors
+```bash
+logread | grep -E "(error|ERROR|failed|FAILED)"
+```
+
+### Verify UCI syntax
+```bash
+uci show netmode
+uci show network
+```
+
+### Reset to DHCP mode
+```bash
+uci set netmode.global.mode='routed-dhcp'
+uci commit netmode
+service netmode restart
+```
+
+---
+
+## TR-181 Argument Mapping
+
+```
+Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.1.Value = interface_names
+Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.2.Value = interface_types
+Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.3.Value = ports
+Device.X_IOWRT_EU_NetMode.SupportedModes.4.SupportedArguments.4.Value = macaddrs
+```
+
+---
+
+## Examples by Use Case
+
+### ISP Triple-Play (VLAN-based with MAC Addresses)
+```bash
+# Internet VLAN 100, IPTV VLAN 200, VoIP VLAN 300 with different MACs
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='wan,iptv,voip'
+uci set netmode.@supported_args[1].value='route:vlan:100,route:vlan:200,route:vlan:300'
+uci set netmode.@supported_args[2].value='WAN,WAN,WAN'
+uci set netmode.@supported_args[3].value='BaseMACAddress,BaseMACAddressP1,BaseMACAddressP2'
+uci commit netmode && service netmode restart
+```
+
+### Enterprise Guest + Corporate Networks
+```bash
+# Guest VLAN 100, Corporate VLAN 200, Management VLAN 300
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='guest,corporate,mgmt'
+uci set netmode.@supported_args[1].value='bridge:tagged:100-n,bridge:tagged:200-n,bridge:tagged:300'
+uci set netmode.@supported_args[2].value='LAN1-WAN,LAN2-LAN3-WAN,WAN'
+uci commit netmode && service netmode restart
+```
+
+### Wholesale QinQ Provider
+```bash
+# Multiple customers with different C-tags, same S-tag
+uci set netmode.global.mode='advanced'
+uci set netmode.@supported_args[0].value='cust_a,cust_b,cust_c'
+uci set netmode.@supported_args[1].value='bridge:qinq:10:100-n,bridge:qinq:20:100-n,bridge:qinq:30:100-n'
+uci set netmode.@supported_args[2].value='LAN1-LAN2-WAN,LAN3-LAN4-WAN,LAN5-LAN6-WAN'
+uci commit netmode && service netmode restart
+```
+
+---
+
+**Version**: 1.0
+**Last Updated**: 2024-12-12

netmode/docs/BRIDGE_VLAN_FILTERING.md

@@ -0,0 +1,333 @@
+# Bridge VLAN Filtering Mode
+
+## Overview
+
+The advanced netmode now supports **bridge VLAN filtering**, a modern approach to VLAN configuration that uses the kernel's bridge VLAN filtering feature instead of creating separate VLAN devices.
+
+### Benefits
+
+- **Better Performance**: No need to create multiple VLAN devices
+- **Cleaner Configuration**: Single bridge with VLAN filtering instead of multiple VLAN interfaces
+- **Hardware Offloading**: Better support for hardware VLAN acceleration
+- **Simplified Management**: All VLANs configured in one place
+
+## Syntax
+
+Use the `brvlan:` prefix instead of `bridge:` to enable bridge VLAN filtering:
+
+| Traditional Mode | Bridge VLAN Filtering Mode |
+|------------------|---------------------------|
+| `bridge:tagged:100` | `brvlan:tagged:100` |
+| `bridge:wan-tagged:100` | `brvlan:wan-tagged:100` |
+| N/A | `brvlan:mixed:100` |
+
+## Interface Types
+
+### `brvlan:tagged:VID`
+
+All ports are tagged with the specified VLAN ID.
+
+**Example**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:tagged:1499'
+uci set netmode.mode_4_supprted_args_3.value='ALL'
+uci commit netmode && service netmode restart
+```
+
+**Resulting Configuration**:
+```
+config interface 'internet'
+    option device 'br-internet.1499'
+    option proto 'dhcp'
+
+config device br_internet
+    option name 'br-internet'
+    option type 'bridge'
+    option vlan_filtering '1'
+    list ports 'ae_wan'
+    list ports 'eth0'
+    list ports 'eth1'
+
+config bridge-vlan brvlan_1499_internet
+    option device 'br-internet'
+    option vlan '1499'
+    list ports 'ae_wan:t'
+    list ports 'eth0:t'
+    list ports 'eth1:t'
+```
+
+---
+
+### `brvlan:wan-tagged:VID`
+
+WAN port is tagged, LAN ports are untagged.
+
+**Example**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='iptv'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:1510-n'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Resulting Configuration**:
+```
+config interface 'iptv'
+    option device 'br-iptv.1510'
+    option proto 'none'
+
+config device br_iptv
+    option name 'br-iptv'
+    option type 'bridge'
+    option vlan_filtering '1'
+    list ports 'ae_wan'
+    list ports 'eth0'
+    list ports 'eth1'
+
+config bridge-vlan brvlan_1510_iptv
+    option device 'br-iptv'
+    option vlan '1510'
+    list ports 'ae_wan:t'
+    list ports 'eth0:u'
+    list ports 'eth1:u'
+```
+
+---
+
+### `brvlan:mixed:VID` or `brvlan:mixed:VID:TAGGED_PORTS`
+
+Custom tagged/untagged configuration with flexible port-specific tagging.
+
+**Syntax**:
+- `brvlan:mixed:VID` - Default behavior: WAN tagged, LAN untagged
+- `brvlan:mixed:VID:TAGGED_PORTS` - Specify which ports are tagged (e.g., `LAN1-WAN`)
+
+**Example 1: Default (WAN Tagged)**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='service'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:100'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Result**: WAN tagged, LAN1 and LAN2 untagged
+
+**Example 2: Custom Tagging (LAN1 and WAN Tagged)**:
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='corporate'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:200:LAN1-WAN'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-LAN3-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Resulting Configuration**:
+```
+config bridge-vlan brvlan_200_corporate
+    option device 'br-corporate'
+    option vlan '200'
+    list ports 'eth0:t'      # LAN1 tagged
+    list ports 'eth1:u'      # LAN2 untagged
+    list ports 'eth2:u'      # LAN3 untagged
+    list ports 'ae_wan:t'    # WAN tagged
+```
+
+**See [BRVLAN_MIXED_MODE_EXAMPLES.md](BRVLAN_MIXED_MODE_EXAMPLES.md) for comprehensive examples.**
+
+---
+
+## Comparison: Traditional vs Bridge VLAN Filtering
+
+### Traditional VLAN Device Approach (`bridge:tagged:100`)
+
+Creates separate VLAN devices for each port:
+
+```
+config device eth0_100
+    option type '8021q'
+    option vid '100'
+    option ifname 'eth0'
+    option name 'eth0.100'
+
+config device wan_100
+    option type '8021q'
+    option vid '100'
+    option ifname 'ae_wan'
+    option name 'ae_wan.100'
+
+config device br_internet
+    option type 'bridge'
+    list ports 'eth0.100'
+    list ports 'ae_wan.100'
+```
+
+### Bridge VLAN Filtering Approach (`brvlan:tagged:100`)
+
+Single bridge with VLAN filtering:
+
+```
+config device br_internet
+    option type 'bridge'
+    option vlan_filtering '1'
+    list ports 'eth0'
+    list ports 'ae_wan'
+
+config bridge-vlan brvlan_100_internet
+    option device 'br-internet'
+    option vlan '100'
+    list ports 'eth0:t'
+    list ports 'ae_wan:t'
+```
+
+---
+
+## Use Cases
+
+### ISP Internet Service (VLAN 1499, WAN Tagged)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:1499'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN'
+uci commit netmode && service netmode restart
+```
+
+### IPTV Service (VLAN 1510, WAN Tagged, No DHCP)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='tv'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:1510-n'
+uci set netmode.mode_4_supprted_args_3.value='LAN3-LAN4-WAN'
+uci commit netmode && service netmode restart
+```
+
+### Multiple Services (Internet + IPTV)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet,tv'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:1499,brvlan:wan-tagged:1510-n'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN,LAN3-LAN4-WAN'
+uci commit netmode && service netmode restart
+```
+
+### Corporate Network (All Ports Tagged)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='corporate'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:tagged:100'
+uci set netmode.mode_4_supprted_args_3.value='ALL'
+uci commit netmode && service netmode restart
+```
+
+---
+
+## Modifiers
+
+Bridge VLAN filtering modes support the same modifiers as traditional bridge modes:
+
+| Modifier | Effect | Example |
+|----------|--------|---------|
+| `-n` | Set proto=none (no DHCP client) | `brvlan:tagged:100-n` |
+| `-d` | Create but mark as disabled | `brvlan:wan-tagged:200-d` |
+
+---
+
+## Verification
+
+### Check Bridge VLAN Configuration
+
+```bash
+# View bridge device
+uci show network | grep "vlan_filtering"
+
+# View bridge-vlan sections
+uci show network | grep "bridge-vlan"
+
+# View interface status
+ip addr show
+
+# View bridge VLAN table
+bridge vlan show
+```
+
+### Example Output
+
+```bash
+root@router:~# bridge vlan show
+port              vlan-id
+ae_wan            1499 Tagged
+eth0              1499 Untagged
+eth1              1499 Untagged
+br-internet       1499
+```
+
+---
+
+## Limitations
+
+1. **No QinQ Support**: Bridge VLAN filtering does not currently support 802.1ad (QinQ) double tagging
+2. **Single VLAN per Interface**: Each bridge-vlan section defines one VLAN
+3. **Kernel Support Required**: Requires kernel with bridge VLAN filtering support
+
+---
+
+## Migration from Traditional Bridge
+
+### Before (Traditional VLAN Devices)
+
+```bash
+uci set netmode.mode_4_supprted_args_2.value='bridge:wan-tagged:100'
+```
+
+### After (Bridge VLAN Filtering)
+
+```bash
+uci set netmode.mode_4_supprted_args_2.value='brvlan:wan-tagged:100'
+```
+
+Simply change the prefix from `bridge:` to `brvlan:`.
+
+---
+
+## Troubleshooting
+
+### Check if VLAN Filtering is Enabled
+
+```bash
+cat /sys/class/net/br-internet/bridge/vlan_filtering
+# Should output: 1
+```
+
+### View Bridge VLAN Table
+
+```bash
+bridge vlan show dev br-internet
+```
+
+### Check Kernel Support
+
+```bash
+# Check if bridge module supports vlan_filtering
+cat /sys/module/bridge/parameters/vlan_filtering
+```
+
+### Enable Debug Logging
+
+```bash
+# Monitor netmode logs
+logread -f | grep netmode-advanced
+```
+
+---
+
+**Version**: 1.0
+**Last Updated**: 2025-12-12
+**Feature Status**: Production Ready

netmode/docs/BRVLAN_MIXED_MODE_EXAMPLES.md

@@ -0,0 +1,318 @@
+# Bridge VLAN Filtering - Mixed Mode Examples
+
+## Overview
+
+The `brvlan:mixed` mode provides flexible control over which ports are tagged vs untagged in a bridge VLAN configuration. This is useful for complex scenarios where different ports need different VLAN tagging behavior.
+
+## Syntax
+
+### Basic Mixed Mode (Default Behavior)
+```
+brvlan:mixed:VID
+```
+**Behavior**: WAN tagged, LAN ports untagged (same as `brvlan:wan-tagged:VID`)
+
+### Custom Mixed Mode (Specify Tagged Ports)
+```
+brvlan:mixed:VID:TAGGED_PORTS
+```
+**Behavior**: Ports listed in `TAGGED_PORTS` are tagged, all others are untagged
+
+**TAGGED_PORTS Format**: Same as port list specification (`LAN1-LAN2-WAN`, `WAN`, etc.)
+
+---
+
+## Examples
+
+### Example 1: Basic Mixed Mode (WAN Tagged by Default)
+
+**Scenario**: Internet service where WAN needs VLAN 100, LAN ports untagged
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:100'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Result**:
+```
+config interface 'internet'
+    option device 'br-internet.100'
+    option proto 'dhcp'
+
+config device br_internet
+    option name 'br-internet'
+    option type 'bridge'
+    option vlan_filtering '1'
+    list ports 'eth0'        # LAN1
+    list ports 'eth1'        # LAN2
+    list ports 'ae_wan'      # WAN
+
+config bridge-vlan brvlan_100_internet
+    option device 'br-internet'
+    option vlan '100'
+    list ports 'eth0:u'      # LAN1 untagged
+    list ports 'eth1:u'      # LAN2 untagged
+    list ports 'ae_wan:t'    # WAN tagged
+```
+
+---
+
+### Example 2: Only Specific LAN Ports Tagged
+
+**Scenario**: Enterprise network where LAN1 and WAN are tagged, LAN2 and LAN3 are untagged
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='corporate'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:200:LAN1-WAN'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-LAN3-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Result**:
+```
+config interface 'corporate'
+    option device 'br-corporate.200'
+    option proto 'dhcp'
+
+config device br_corporate
+    option name 'br-corporate'
+    option type 'bridge'
+    option vlan_filtering '1'
+    list ports 'eth0'        # LAN1
+    list ports 'eth1'        # LAN2
+    list ports 'eth2'        # LAN3
+    list ports 'ae_wan'      # WAN
+
+config bridge-vlan brvlan_200_corporate
+    option device 'br-corporate'
+    option vlan '200'
+    list ports 'eth0:t'      # LAN1 tagged (specified)
+    list ports 'eth1:u'      # LAN2 untagged
+    list ports 'eth2:u'      # LAN3 untagged
+    list ports 'ae_wan:t'    # WAN tagged (specified)
+```
+
+---
+
+### Example 3: All LAN Ports Tagged, WAN Untagged
+
+**Scenario**: Reverse scenario where LAN ports carry VLAN tags but WAN doesn't
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='service'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:300:LAN1-LAN2-LAN3'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-LAN3-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Result**:
+```
+config bridge-vlan brvlan_300_service
+    option device 'br-service'
+    option vlan '300'
+    list ports 'eth0:t'      # LAN1 tagged
+    list ports 'eth1:t'      # LAN2 tagged
+    list ports 'eth2:t'      # LAN3 tagged
+    list ports 'ae_wan:u'    # WAN untagged
+```
+
+---
+
+### Example 4: Only WAN Tagged (Explicit)
+
+**Scenario**: Same as `wan-tagged` but using mixed mode explicitly
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='iptv'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:1510:WAN-n'
+uci set netmode.mode_4_supprted_args_3.value='LAN3-LAN4-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Result**:
+```
+config interface 'iptv'
+    option device 'br-iptv.1510'
+    option proto 'none'
+
+config bridge-vlan brvlan_1510_iptv
+    option device 'br-iptv'
+    option vlan '1510'
+    list ports 'eth2:u'      # LAN3 untagged
+    list ports 'eth3:u'      # LAN4 untagged
+    list ports 'ae_wan:t'    # WAN tagged
+```
+
+---
+
+### Example 5: Multi-Service with Different Tagging
+
+**Scenario**: Internet with LAN1+WAN tagged, IPTV with only WAN tagged
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='internet,tv'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:1499:LAN1-WAN,brvlan:mixed:1510:WAN-n'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-WAN,LAN3-LAN4-WAN'
+uci commit netmode && service netmode restart
+```
+
+**Result**:
+
+**Internet Service (VLAN 1499)**:
+```
+config bridge-vlan brvlan_1499_internet
+    option device 'br-internet'
+    option vlan '1499'
+    list ports 'eth0:t'      # LAN1 tagged
+    list ports 'eth1:u'      # LAN2 untagged
+    list ports 'ae_wan:t'    # WAN tagged
+```
+
+**TV Service (VLAN 1510)**:
+```
+config bridge-vlan brvlan_1510_tv
+    option device 'br-tv'
+    option vlan '1510'
+    list ports 'eth2:u'      # LAN3 untagged
+    list ports 'eth3:u'      # LAN4 untagged
+    list ports 'ae_wan:t'    # WAN tagged
+```
+
+---
+
+### Example 6: Trunk Port Configuration
+
+**Scenario**: LAN1 as trunk port (tagged), others as access ports (untagged)
+
+```bash
+uci set netmode.global.mode='advanced'
+uci set netmode.mode_4_supprted_args_1.value='vlan100'
+uci set netmode.mode_4_supprted_args_2.value='brvlan:mixed:100:LAN1'
+uci set netmode.mode_4_supprted_args_3.value='LAN1-LAN2-LAN3-LAN4'
+uci commit netmode && service netmode restart
+```
+
+**Result**:
+```
+config bridge-vlan brvlan_100_vlan100
+    option device 'br-vlan100'
+    option vlan '100'
+    list ports 'eth0:t'      # LAN1 tagged (trunk port)
+    list ports 'eth1:u'      # LAN2 untagged (access port)
+    list ports 'eth2:u'      # LAN3 untagged (access port)
+    list ports 'eth3:u'      # LAN4 untagged (access port)
+```
+
+---
+
+## Comparison: Mixed Mode vs Other Modes
+
+| Mode | Syntax | Tagged Ports | Untagged Ports |
+|------|--------|--------------|----------------|
+| **tagged** | `brvlan:tagged:100` | ALL | None |
+| **wan-tagged** | `brvlan:wan-tagged:100` | WAN only | All LAN |
+| **mixed (default)** | `brvlan:mixed:100` | WAN only | All LAN |
+| **mixed (custom)** | `brvlan:mixed:100:LAN1-WAN` | LAN1, WAN | All others |
+
+---
+
+## Use Cases
+
+### Use Case 1: DMZ Configuration
+- **LAN1**: Tagged (DMZ network with VLAN tag)
+- **LAN2-4**: Untagged (local network)
+- **WAN**: Tagged (ISP requirement)
+
+```bash
+brvlan:mixed:100:LAN1-WAN
+```
+
+### Use Case 2: Guest Network
+- **LAN1-2**: Tagged (guest WiFi APs that handle VLANs)
+- **LAN3-4**: Untagged (local devices)
+- **WAN**: Untagged (local ISP connection)
+
+```bash
+brvlan:mixed:50:LAN1-LAN2
+```
+
+### Use Case 3: Managed Switch Uplink
+- **LAN1**: Tagged (uplink to managed switch)
+- **LAN2-4**: Untagged (end user devices)
+- **WAN**: Tagged (ISP VLAN)
+
+```bash
+brvlan:mixed:200:LAN1-WAN
+```
+
+---
+
+## Port Specification Reference
+
+When specifying tagged ports in mixed mode:
+
+| Specification | Resolves To | Example |
+|---------------|-------------|---------|
+| `WAN` | WAN device | `ae_wan` |
+| `LAN1` | LAN1 device from UCI | `eth0` |
+| `LAN1-LAN2` | LAN1 and LAN2 | `eth0`, `eth1` |
+| `LAN1-WAN` | LAN1 and WAN | `eth0`, `ae_wan` |
+| `ALL` | Not supported in tagged ports spec | Use `brvlan:tagged` instead |
+
+---
+
+## Troubleshooting
+
+### Verify Port Tagging
+
+```bash
+# View bridge VLAN table
+bridge vlan show
+
+# Expected output shows :t (tagged) or :u (untagged)
+port              vlan-id
+eth0              100 Tagged
+eth1              100 Untagged
+ae_wan            100 Tagged
+```
+
+### Check Configuration
+
+```bash
+# View bridge-vlan sections
+uci show network | grep bridge-vlan -A5
+
+# Look for ports list with :t or :u suffixes
+```
+
+### Common Mistakes
+
+1. **Wrong Syntax**: Must use colon between VID and port spec
+   - ❌ `brvlan:mixed:100-LAN1-WAN`
+   - ✅ `brvlan:mixed:100:LAN1-WAN`
+
+2. **Using ALL**: Don't use ALL in tagged ports
+   - ❌ `brvlan:mixed:100:ALL`
+   - ✅ Use `brvlan:tagged:100` instead
+
+3. **Duplicate Ports**: Port appears in both bridge port list and tagged spec
+   - Ensure the port list in arg 3 includes all ports you reference in arg 2
+
+---
+
+## Advanced: Multiple VLANs on Same Bridge
+
+While this guide focuses on single VLAN per bridge, you can create multiple bridge-vlan sections manually after netmode configuration for trunk scenarios. However, this is beyond the scope of netmode automation.
+
+---
+
+**Document Version**: 1.0
+**Last Updated**: 2025-12-12
+**Feature**: Bridge VLAN Filtering Mixed Mode