firewallmngr: Fix for new issue identified

* Added firewallmngr module with firewallmngr uci
* added compile time flag to include/exclude module
* script library to conver firewallmngr uci to firewall uci
* include files of some modules removed and handling added to
  add rule entry in uci file of firewallmngr

bbfdm/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.9.0
+PKG_VERSION:=1.9.6
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=40d22bedaf26fac6c91d6c0ec456a0fc37872c8d
+PKG_SOURCE_VERSION:=6730d2784bbac93d87705db83a5157eaeb436f7d
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -117,13 +117,7 @@ define Package/libbbfdm/install
 	$(INSTALL_DIR) $(1)/usr/share/bbfdm/
 	$(CP) $(PKG_BUILD_DIR)/libbbfdm/libbbfdm.so $(1)/usr/share/bbfdm/libbbfdm.so
 	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/bbf $(1)/lib/upgrade/keep.d/bbf
-	$(INSTALL_BIN) ./files/etc/uci-defaults/95-portmap-firewall $(1)/etc/uci-defaults/95-portmap-firewall
-	$(INSTALL_BIN) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/97-firewall-service
-	$(INSTALL_BIN) ./files/etc/uci-defaults/99-link-core-plugins $(1)/etc/uci-defaults/99-link-core-plugins
-	$(INSTALL_BIN) ./files/etc/uci-defaults/90-remove-nonexisting-microservices $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-fix-bbfdmd-enabled-option $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/firewall.portmap $(1)/etc/firewall.portmap
-	$(INSTALL_BIN) ./files/etc/firewall.service $(1)/etc/firewall.service
 ifeq ($(findstring iopsys,$(CONFIG_BBF_VENDOR_LIST)),iopsys)
 	$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/libbbfdm/dmtree/vendor/iopsys/libbbfdm_iopsys_ext.so $(1)
 endif

bbfdm/files/etc/uci-defaults/90-remove-nonexisting-microservices

@@ -1,18 +0,0 @@
-#!/bin/sh
-. /lib/functions.sh
-
-remove_nonexisting_microservice() {
-	local input_json
-
-	config_get input_json "$1" input_json ""
-
-	if [ -z "${input_json}" ]; then
-		uci_remove bbfdm "${1}"
-	fi
-}
-
-config_load bbfdm
-config_foreach remove_nonexisting_microservice "micro_service"
-
-exit 0
-

bbfdm/files/etc/uci-defaults/99-link-core-plugins

@@ -1,34 +0,0 @@
-#!/bin/sh
-
-UNIFIED_PATH="/usr/share/bbfdm/plugins/"
-
-log() {
-	echo "$@" | logger -t bbfdm.uci-default -p info
-}
-
-# Link JSON plugins
-for f in `ls -1 /etc/bbfdm/json/*.json`; do
-	log "# BBFDM JSON plugin ${f} not aligned #"
-	ln -s ${f} "${UNIFIED_PATH}"
-done
-
-# Link DotSo plugins
-for f in `ls -1 /usr/lib/bbfdm/*.so`; do
-	log "# BBFDM DotSO plugin ${f} not aligned #"
-	ln -s ${f} "${UNIFIED_PATH}"
-done
-
-# Link JSON plugins
-for f in `ls -1 /etc/bbfdm/plugins/*.json`; do
-	log "# BBFDM JSON plugin ${f} not aligned #"
-	ln -s ${f} "${UNIFIED_PATH}"
-done
-
-# Link DotSo plugins
-for f in `ls -1 /etc/bbfdm/plugins/*.so`; do
-	log "# BBFDM DotSO plugin ${f} not aligned #"
-	ln -s ${f} "${UNIFIED_PATH}"
-done
-
-exit 0
-

bridgemngr/Config.in

@@ -0,0 +1,11 @@
+if PACKAGE_bridgemngr
+
+menu "Configuration"
+
+config BRIDGEMNGR_BRIDGE_VLAN
+	bool "Use bridge-vlan backend"
+	help
+	   Set this option to use bridge-vlan as backend for VLAN objects.
+
+endmenu
+endif

bridgemngr/Makefile

@@ -5,14 +5,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bridgemngr
-PKG_VERSION:=1.0.2
+PKG_VERSION:=1.0.5
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr
-PKG_SOURCE_VERSION:=9cddf87b527ef1614a8a39db67e6578ff1810031
+PKG_SOURCE_VERSION:=c0f2e17f6d4f96aecfe72ab90be885939413176d
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -33,10 +33,18 @@ define Package/bridgemngr/description
 	Package to add Device.Bridging. data model support.
 endef
 
+define Package/$(PKG_NAME)/config
+	source "$(SOURCE)/Config.in"
+endef
+
 MAKE_PATH:=src
 
 TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(CONFIG_BBF_VENDOR_PREFIX)\\\"
 
+ifeq ($(CONFIG_BRIDGEMNGR_BRIDGE_VLAN),y)
+	TARGET_CFLAGS += -DBRIDGE_VLAN_BACKEND
+endif
+
 define Package/bridgemngr/install
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libbridgemngr.so $(1) $(PKG_NAME)
 ifeq ($(findstring iopsys,$(CONFIG_BBF_VENDOR_LIST)),iopsys)

ddnsmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ddnsmngr
-PKG_VERSION:=1.0.6
+PKG_VERSION:=1.0.7
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ddnsmngr.git
-PKG_SOURCE_VERSION:=e81bdbd983e7eb40fcb7337af3fba2f13115d3b7
+PKG_SOURCE_VERSION:=4b0c679c4dc3e3725de5c0c55ed60f24b87c6edd
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

decollector/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=decollector
-PKG_VERSION:=6.0.0.10
+PKG_VERSION:=6.0.0.13
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=43abd0d735ff0e0961226ced376545c1d4736952
+PKG_SOURCE_VERSION:=d75639d9ae82538103123b32fc0de9280e84cabb
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

dslmngr/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dslmngr
-PKG_VERSION:=1.2.4
+PKG_VERSION:=1.2.5
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/dslmngr.git
-PKG_SOURCE_VERSION:=d71bef278b8222dee1c278723f8264aa8faf5e40
+PKG_SOURCE_VERSION:=4a6f6f829006e481eeb20bcb121f7938d12c60ec
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MAINTAINER:=Rahul Thakur <rahul.thakur@iopsys.eu>
 PKG_MIRROR_HASH:=skip

easy-qos/Makefile

@@ -1,47 +0,0 @@
-#
-# Copyright (C) 2019 iopsys Software Solutions AB
-#
-# This is free software, licensed under the GNU General Public License v2.
-# 
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=easy-qos
-PKG_VERSION:=1.1
-PKG_RELEASE:=0
-
-PKG_LICENSE:=GPLv2
-PKG_LICENSE_FILES:=none
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/easy-qos
-  SECTION:=net
-  CATEGORY:=Network
-  TITLE:=Easy QoS
-  DEPENDS:=@(TARGET_brcmbca||TARGET_airoha)
-endef
-
-define Package/easy-qos/description
-	This package contains Easy QoS utility
-endef
-
-define Build/Prepare
-	mkdir -p $(PKG_BUILD_DIR)
-	$(CP) ./files/* $(PKG_BUILD_DIR)/
-endef
-
-define Build/Compile
-endef
-
-define Package/easy-qos/install
-	$(INSTALL_DIR) $(1)/etc/config
-	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(CP) ./files/etc/config/easy_qos $(1)/etc/config/
-	$(CP) ./files/etc/init.d/easy_qos.iptables $(1)/etc/init.d/easy_qos
-	$(CP) ./files/etc/uci-defaults/* $(1)/etc/uci-defaults/
-	$(CP) ./files/etc/firewall.easyqos $(1)/etc/firewall.easyqos
-endef
-
-$(eval $(call BuildPackage,easy-qos))

easy-qos/files/etc/firewall.easyqos

@@ -1 +0,0 @@
-/etc/init.d/easy_qos reload

easy-qos/files/etc/init.d/easy_qos.ebtables

@@ -1,140 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=99
-USE_PROCD=1
-
-log() {
-	echo "${@}"|logger -t easy_qos.ebtable -p debug
-}
-
-exec_log() {
-	${@}
-	if [ "${?}" -ne 0 ]; then
-		log "Failed to create ${@}";
-	fi
-}
-
-get_priority() {
-	local prio=$(echo $1|tr 'A-Z' 'a-z');
-	case "${prio}" in
-		"lowest")
-			echo 0;;
-		"low")
-			echo 1;;
-		"besteffort")
-			echo 2;;
-		"normal")
-			echo 3;;
-		"video")
-			echo 4;;
-		"medium")
-			echo 5;;
-		"high")
-			echo 6;;
-		"highest")
-			echo 7;;
-	esac
-}
-
-validate_rule_section()
-{
-	uci_validate_section easy_qos rule "${1}" \
-		'priority:string' \
-		'macaddr:string' \
-		'proto:string:none' \
-		'port:list(uinteger)' \
-		'comment:string:none'
-}
-
-# Clear existing rules before applying new rules
-clear_existing_rules() {
-	local rule=$(ebtables --concurrent -t broute -L BROUTING|grep -m 1 mark)
-	while [ -n "${rule}" ]; do
-		exec_log ebtables --concurrent -t broute -D BROUTING ${rule}
-		rule=$(ebtables --concurrent -t broute -L BROUTING|grep -m 1 mark)
-	done
-}
-
-create_rule() {
-	local protocol=$1; shift
-	local mac=$1; shift
-	local mark="0x$1"; shift
-	local forward_port=$1;
-	local cmd="";
-	local protocol_number
-
-	cmd="-j mark --mark-or ${mark}";
-	if [ -n "${forward_port}" ]; then
-		cmd="--ip-destination-port ${forward_port} ${cmd}";
-	fi
-	
-	case "${protocol}" in
-		"tcp")
-			protocol_number=6;;
-		"udp")
-			protocol_number=17;;
-		"dccp")
-			protocol_number=33;;
-		"sctp")
-			protocol_number=132;;
-		*)
-			log "Protocol ${protocol} not supported in ebtables"
-			return;;
-	esac
-			
-	cmd="--ip-proto ${protocol_number} $cmd"
-	cmd="-p ip $cmd"
-
-	cmd="-s ${mac} $cmd"
-	exec_log ebtables --concurrent -t broute -A BROUTING ${cmd}
-}
-
-manage_rule() {
-	local cfg="$1"
-	local priority macaddr proto port comment prio_num protocol
-
-	validate_rule_section "${1}" || {
-		log "Validation of section failed"
-		return 1;
-	}
-
-	protocol=$(echo ${proto}|tr 'A-Z' 'a-z')
-	prio_num=$(get_priority ${priority})
-	if [ -n "${macaddr}" -a -n "${prio_num}" ]; then
-		for p in ${port}; do
-			if [ "${protocol}" == "none" -o "${protocol}" == "tcpudp" ]; then
-				create_rule tcp ${macaddr} ${prio_num} ${p}
-				create_rule udp ${macaddr} ${prio_num} ${p}
-			else
-				create_rule ${protocol} ${macaddr} ${prio_num} ${p}
-			fi
-		done
-		# Create rule for all ports if port is not mentioned in uci
-		if [ -z "${port}" ]; then
-			if [ "${protocol}" == "none" -o "${protocol}" == "tcpudp" ]; then
-				create_rule tcp ${macaddr} ${prio_num}
-				create_rule udp ${macaddr} ${prio_num}
-			else
-				create_rule ${protocol} ${macaddr} ${prio_num}
-			fi
-		fi
-	fi
-}
-
-reload_service() {
-	# Do not apply rules if ebtables is not present in system
-	[ -x /usr/sbin/ebtables ] || return;
-
-	clear_existing_rules
-	config_load easy_qos
-	config_foreach manage_rule rule
-}
-
-start_service() {
-	reload_service
-}
-
-service_triggers() {
-	procd_add_reload_trigger "easy_qos"
-}
-

easy-qos/files/etc/init.d/easy_qos.iptables

@@ -1,186 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-. /usr/share/libubox/jshn.sh
-
-START=99
-USE_PROCD=1
-
-CLIENT_LIST="/tmp/easy_qos_client.list"
-
-log() {
-	echo "${@}"|logger -t easy_qos -p debug
-}
-
-exec_log() {
-	${@}
-	if [ "${?}" -ne 0 ]; then
-		log "Failed to create ${@}";
-	fi
-}
-
-get_priority() {
-	local prio=$(echo $1|tr 'A-Z' 'a-z');
-	case "${prio}" in
-		"lowest")
-			echo 0;;
-		"low")
-			echo 1;;
-		"besteffort")
-			echo 2;;
-		"normal")
-			echo 3;;
-		"video")
-			echo 4;;
-		"medium")
-			echo 5;;
-		"high")
-			echo 6;;
-		"highest")
-			echo 7;;
-	esac
-}
-
-clean_client_entries() {
-	[ -f ${CLIENT_LIST} ] && rm ${CLIENT_LIST}
-}
-
-map_client_entries() {
-	local clients ip mac host
-
-	json_load "$(ubus call router.network 'clients')"
-	json_get_keys keys
-
-	for key in ${keys};
-	do
-		json_select ${key}
-		json_get_vars ipaddr macaddr hostname
-		clients="${macaddr} ${ipaddr} ${hostname};${clients}"
-		json_select ..
-	done
-
-	json_init
-
-#	json_add_array "clients"
-	IFS=";"
-	for client in ${clients};
-	do
-		macaddr=$(echo ${client} | cut -d" " -f1)
-		json_add_object "${macaddr//:/_}"
-		json_add_string "ip" "$(echo ${client} | cut -d" " -f2)"
-		json_add_string "macaddr" "$(echo ${client} | cut -d" " -f1)"
-		json_add_string "host" "$(echo ${client} | cut -d" " -f3)"
-		json_close_object
-	done
-
-	IFS=' '
-	echo `json_dump` > ${CLIENT_LIST}
-	json_cleanup
-}
-
-# Find the IP of a corresponding mac from arp table
-get_ipaddress() {
-	local clients ip mac host
-
-	json_load "$(cat ${CLIENT_LIST})"
-	json_get_keys keys
-
-	# jshn seems a bit iffy on having : in key, replace by _
-	json_select "${1//:/_}" 2 > /dev/null
-	json_get_var ip ip
-
-	echo "$ip"
-}
-
-validate_rule_section()
-{
-	uci_validate_section easy_qos rule "${1}" \
-		'priority:string' \
-		'macaddr:string' \
-		'proto:string:none' \
-		'port:list(uinteger)' \
-		'comment:string:none'
-}
-
-# Clear existing rules before applying new rules
-clear_existing_rules() {
-	local rule=$(iptables -t mangle -S PREROUTING | grep -m 1 MARK |sed 's/-A/-D/1')
-	while [ -n "${rule}" ]; do
-		exec_log iptables -t mangle ${rule}
-		rule=$(iptables -t mangle -S PREROUTING | grep -m 1 MARK |sed 's/-A/-D/1')
-	done
-}
-
-check_and_create() {
-	iptables -t mangle -C PREROUTING ${@} 2>/dev/null
-	# Create rule if not exists
-	if [ ${?} -ne 0 ]; then
-		exec_log iptables -t mangle -A PREROUTING ${@}
-	else
-		log "Rule exists for ${@}"
-	fi
-}
-
-create_rule() {
-	local proto=$1; shift
-	local src_ip=$1; shift
-	local mark="0x$1/0x$1"; shift
-	local ports=$1;
-	local cmd="";
-
-	cmd="-j MARK --set-xmark ${mark}";
-	if [ -n "${ports}" ]; then
-		cmd="--match multiport --dports ${ports} ${cmd}";
-	fi
-
-	if [ "${proto}" == "icmp" ]; then
-		cmd="-p icmp -m icmp --icmp-type 8 $cmd"
-	elif [ "${proto}" == "all" ]; then
-		cmd="-p all $cmd"
-	else
-		cmd="-p ${proto} -m ${proto} $cmd"
-	fi
-	cmd="-s ${src_ip} $cmd"
-
-	check_and_create ${cmd} 
-}
-
-manage_rule() {
-	local cfg="$1"
-	local priority macaddr proto port comment prio_num ip port_list
-
-	validate_rule_section "${1}" || {
-		log "Validation of section failed"
-		return 1;
-	}
-
-	prio_num=$(get_priority ${priority})
-	ip=$(get_ipaddress ${macaddr})
-	port_list=$(echo ${port}|sed 's/ /,/g')
-
-	if [ -n "${ip}" -a -n "${prio_num}" ]; then
-		if [ "${proto}" == "none" -o "${proto}" == "tcpudp" ]; then
-			create_rule tcp ${ip} ${prio_num} ${port_list}
-			create_rule udp ${ip} ${prio_num} ${port_list}
-		else
-			create_rule ${proto} ${ip} ${prio_num} ${port_list}
-		fi
-	fi
-}
-
-reload_service() {
-	clear_existing_rules
-	map_client_entries
-	config_load easy_qos
-	config_foreach manage_rule rule
-	clean_client_entries
-}
-
-start_service() {
-	reload_service
-	echo "Easy QoS installed">/dev/console;
-}
-
-service_triggers() {
-	procd_add_reload_trigger "easy_qos"
-}
-

easy-qos/files/etc/uci-defaults/60-easyqos-reqs

@@ -1,8 +0,0 @@
-# Add firewall include
-uci -q batch <<-EOT
-        delete firewall.easyqos
-        set firewall.easyqos=include
-        set firewall.easyqos.path=/etc/firewall.easyqos
-        set firewall.easyqos.reload=1
-        commit firewall
-EOT

ebtables-extensions/Makefile

@@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ebtables-extensions
-PKG_VERSION:=1.0.2
+PKG_VERSION:=1.0.3
 PKG_LICENSE:=GPL-2.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=a23a70f5518a42d663156a156c1e3356f695b5ad
+PKG_SOURCE_VERSION:=d3de8b0ac52ce9f96ef5a0a6277a6730879fc793
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ebtables-extensions.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

ethmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethmngr
-PKG_VERSION:=2.1.7
+PKG_VERSION:=2.1.9
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/ethmngr.git
-PKG_SOURCE_VERSION:=d029ce86fe99b7896f096f68eda3f6caa000ee5f
+PKG_SOURCE_VERSION:=2d35e86cc8dfd7ef4e0d8579f5d314e90faadc90
 PKG_MAINTAINER:=Rahul Thakur <rahul.thakur@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

firewallmngr/Config.in

@@ -8,5 +8,11 @@ config FIREWALLMNGR_PORT_TRIGGER
 	help
 	   Set this option to include support for PortTrigger object.
 
+config FIREWALLMNGR_BACKEND_FIREWALLMNGR
+	bool "Include Firewallmanager uci"
+	default n
+	help
+	   Set this option to include support for firewallmngr uci.
+
 endmenu
 endif

firewallmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.0.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
-PKG_SOURCE_VERSION:=f5c3e2c93a8a992ab24291eb2c67adf77de7f896
+PKG_SOURCE_VERSION:=d4bdd162cf37b3373df2448a70dcb4fbc1113535
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -43,26 +43,55 @@ endef
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
-	$(CP) -rf ~/git/firewallmngr/* $(PKG_BUILD_DIR)/
+	$(CP) -rf ./firewallmngr/* $(PKG_BUILD_DIR)/
 endef
 endif
 
 ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
 	TARGET_CFLAGS += -DINCLUDE_PORT_TRIGGER
 endif
+ifeq ($(CONFIG_FIREWALLMNGR_BACKEND_FIREWALLMNGR),y)
+	TARGET_CFLAGS += -DINCLUDE_BACKEND_FIREWALLMNGR
+
+endif
 
 define Package/firewallmngr/install
 	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
 ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
 	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/lib/port-trigger
 
 	$(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/
 	$(INSTALL_DATA) ./files/port-trigger/etc/config/port-trigger $(1)/etc/config/
 	$(INSTALL_DATA) ./files/port-trigger/lib/port-trigger/port_trigger.sh $(1)/lib/port-trigger/
 endif
+ifeq ($(CONFIG_FIREWALLMNGR_BACKEND_FIREWALLMNGR),y)
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/lib/fwmngr
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) ./files/firewallmngr_backend_firewallmngr/etc/uci-defaults/00-firewallmngr $(1)/etc/uci-defaults/00-firewallmngr
+	$(INSTALL_DATA) ./files/firewallmngr_backend_firewallmngr/etc/config/firewallmngr  $(1)/etc/config/
+	$(INSTALL_BIN) ./files/firewallmngr_backend_firewallmngr/etc/init.d/firewallmngr  $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/firewallmngr_backend_firewallmngr/lib/fwmngr/fwmngr.sh  $(1)/lib/fwmngr/
+	$(INSTALL_DATA) ./files/firewallmngr_backend_firewallmngr/lib/fwmngr/fwmngr_functions.sh  $(1)/lib/fwmngr/
+	$(INSTALL_DATA) ./files/firewallmngr_backend_firewallmngr/lib/fwmngr/uci_migration.sh  $(1)/lib/fwmngr/
+	$(INSTALL_BIN) ./files/firewallmngr_backend_firewallmngr/lib/fwmngr/is_intf_bridge  $(1)/lib/fwmngr/
+	$(INSTALL_BIN) ./files/firewallmngr_backend_firewallmngr/lib/fwmngr/firewallmngr_preconfig  $(1)/lib/fwmngr/
+	$(INSTALL_DATA) ./files/firewallmngr_backend_firewallmngr/lib/fwmngr/fwmngr_twamp.sh  $(1)/lib/fwmngr/
+
+	$(BBFDM_INSTALL_MS_DM) ./files/firewallmngr_backend_firewallmngr/etc/firewallmngr/firewallmngr.json $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/firewallmngr $(1)/usr/sbin
+else
+	$(INSTALL_BIN) ./files/firewall.portmap $(1)/etc/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/95-portmap-firewall $(1)/etc/uci-defaults/
+
+	$(INSTALL_BIN) ./files/firewall.service $(1)/etc/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
+endif
 endef
 
 $(eval $(call BuildPackage,firewallmngr))

firewallmngr/files/firewallmngr_backend_firewallmngr/etc/bbfdm/micro_services/firewallmngr.json

@@ -0,0 +1,18 @@
+{
+	"daemon": {
+		"config": {
+			"loglevel": "4"
+		},
+		"input": {
+			"type": "JSON",
+			"name": "/etc/firewallmngr/firewallmngr.json",
+			"plugin_dir": "/etc/firewallmngr/plugins"
+		},
+		"output": {
+			"type": "UBUS",
+			"parent_dm": "Device.",
+			"root_obj": "bbfdm",
+			"multiple_objects": ["Firewall","NAT"]
+		}
+	}
+}

firewallmngr/files/firewallmngr_backend_firewallmngr/etc/config/firewallmngr

@@ -0,0 +1,160 @@
+config firewall 'firewall'
+	option enable '1'
+	option config 'Advanced'
+	option advanced_level 'level1'
+
+config level 'level1'
+	option name 'level1'
+	option chain 'chain1'
+	option port_mapping_enabled '1'
+	option default_policy 'reject'
+	option default_log_policy '0'
+	option enable '1'
+
+config chain 'chain1'
+	option enable '1'
+	option name 'chain1'
+
+config rule 'default_rule_0'
+	option chain 'chain1'
+	option enable '1'
+	option order '1'
+	option name 'Allow-DHCP-Renew'
+	option target 'Accept'
+	option src 'wan'
+	option family '4'
+	option proto '17'
+	option dest_port '68'
+
+config rule 'default_rule_1'
+	option chain 'chain1'
+	option enable '1'
+	option order '2'
+	option name 'Allow-Ping'
+	option target 'Accept'
+	option src 'wan'
+	list icmp_type 'echo-request'
+	option family '4'
+	option proto '1'
+
+config rule 'default_rule_2'
+	option chain 'chain1'
+	option enable '1'
+	option order '3'
+	option name 'Allow-IGMP'
+	option target 'Accept'
+	option src 'wan'
+	option family '4'
+	option proto '2'
+
+config rule 'default_rule_3'
+	option chain 'chain1'
+	option enable '1'
+	option order '4'
+	option name 'Allow-DHCPv6'
+	option target 'Accept'
+	option src 'wan'
+	option family '6'
+	option proto '17'
+	option dest_port '546'
+
+config rule 'default_rule_4'
+	option chain 'chain1'
+	option enable '1'
+	option order '5'
+	option name 'Allow-MLD'
+	option target 'Accept'
+	option src 'wan'
+	option family '6'
+	option src_ip 'fe80::'
+	option source_mask 'fe80::/10'
+	list icmp_type '130/0'
+	list icmp_type '131/0'
+	list icmp_type '132/0'
+	list icmp_type '143/0'
+	option proto '1'
+
+config rule 'default_rule_5'
+	option chain 'chain1'
+	option enable '1'
+	option order '6'
+	option name 'Allow-ICMPv6-Input'
+	option target 'Accept'
+	option src 'wan'
+	option family '6'
+	list icmp_type  'echo-request'
+	list icmp_type  'echo-reply'
+	list icmp_type  'destination-unreachable'
+	list icmp_type  'packet-too-big'
+	list icmp_type  'time-exceeded'
+	list icmp_type  'bad-header'
+	list icmp_type  'unknown-header-type'
+	list icmp_type  'router-solicitation'
+	list icmp_type  'neighbour-solicitation'
+	list icmp_type  'router-advertisement'
+	list icmp_type  'neighbour-advertisement'
+	option limit  '1000/sec'
+	option proto '1'
+
+config rule 'default_rule_6'
+	option chain 'chain1'
+	option enable '1'
+	option order '7'
+	option name 'Allow-ICMPv6-Forward'
+	option target 'Accept'
+	option src 'wan'
+	option dest_all_interfaces '1'
+	option family '6'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	option limit  '1000/sec'
+	option proto '1'
+
+config rule 'default_rule_7'
+	option chain 'chain1'
+	option enable '1'
+	option order '8'
+	option name 'Allow-IPSec-ESP'
+	option target 'Accept'
+	option src 'wan'
+	option dest 'lan'
+	option proto '50'
+
+config rule 'default_rule_8'
+	option chain 'chain1'
+	option enable '1'
+	option order '9'
+	option name 'Allow-ISAKMP'
+	option target 'Accept'
+	option src 'wan'
+	option dest 'lan'
+	option proto '17'
+	option dest_port '500'
+
+config rule 'default_rule_9'
+	option chain 'chain1'
+	option enable '0'
+	option order '10'
+	option name 'Support-UDP-Traceroute'
+	option target 'Reject'
+	option src 'wan'
+	option family '4'
+	option proto '17'
+	option dest_port '33434'
+	option dest_port_range_max '33689'
+
+config rule 'default_forward_rule'
+	option chain 'chain1'
+	option enable '1'
+	option order '65535'
+	option name 'forward-rule'
+	option src 'lan'
+	option dest 'wan'
+	option proto '-1'
+	option target 'Accept'
+

firewallmngr/files/firewallmngr_backend_firewallmngr/etc/init.d/firewallmngr

@@ -0,0 +1,27 @@
+#!/bin/sh /etc/rc.common
+
+START=18
+USE_PROCD=1
+
+USE_PROCD=1
+NAME=firewallmngr
+PROG=/usr/sbin/firewallmngr
+
+. /lib/fwmngr/fwmngr.sh
+
+
+start_service() {
+	configure_firewall
+	procd_open_instance firewallmngr
+	procd_set_param command ${PROG}
+	procd_set_param respawn
+	procd_close_instance
+}
+
+boot() {
+	start
+}
+
+service_triggers() {
+	procd_add_reload_trigger firewallmngr
+}

firewallmngr/files/firewallmngr_backend_firewallmngr/etc/uci-defaults/00-firewallmngr

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+. /lib/fwmngr/fwmngr_functions.sh
+. /lib/fwmngr/uci_migration.sh
+
+
+rule_sec=$(uci show firewall | grep "=rule")
+[ -z "$rule_sec" ] && return
+rule_sec=$(echo $rule_sec | grep "fwmngr")
+
+if [ -z "$rule_sec" ]; then
+	generate_firewallmngr_config
+fi
+if [ -f /etc/firewall.ddos ]; then
+        uci -q get firewall.ddos || {
+                uci -q set firewall.ddos=include
+                uci -q set firewall.ddos.path="/etc/firewall.ddos"
+                uci -q set firewall.ddos.reload=1
+fi
+if [ -f /etc/firewall.protect_port ]; then
+        uci -q get firewall.protect_port || {
+                uci -q set firewall.protect_port='include'
+                uci -q set firewall.protect_port.path='/etc/firewall.protect_port'
+                uci -q set firewall.protect_port.reload='1'
+        }
+fi
+
+

firewallmngr/files/firewallmngr_backend_firewallmngr/lib/fwmngr/firewallmngr_preconfig

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+rule_max_order_val=0
+config_load firewallmngr
+
+firewallmngr_generate_nat_interface_setting() {
+	local intf="$1"
+	local is_bridge="false"
+	local masq="0"
+	local intf_dev
+	local type=""
+	local nat_intf_setting=""
+
+
+	type=$(uci -q get firewallmngr."$intf")
+	[ "$type" = "natif" ] && return
+
+	nat_intf_setting=$(uci  add "firewallmngr" "natif")
+	uci set firewallmngr."$nat_intf_setting".interface="$intf"
+
+	if [ $(/lib/fwmngr/is_intf_bridge "$intf") -eq 1 ]; then
+		uci set firewallmngr."$nat_intf_setting".enabled="0"
+	else
+		uci set firewallmngr."$nat_intf_setting".enabled="1"
+	fi
+
+	uci rename firewallmngr."$nat_intf_setting"="$intf"
+}
+
+firewallmngr_process_rule_interface() {
+	local rule="$1"
+	local src_intf=""
+	local dest_intf=""
+
+	config_get src_intf "$rule" "src"
+	config_get dest_intf "$rule" "dest"
+
+	[ -z "$src_intf" ] || firewallmngr_generate_nat_interface_setting "$src_intf"
+	[ -z "$dest_intf" ] || firewallmngr_generate_nat_interface_setting "$dest_intf"
+}
+
+firewallmngr_process_rule_param() {
+	local order=""
+	config_get order "$1" order
+
+	if [ -z "$order" ] || [ "$order" = "65535" ]; then
+		return
+	fi
+	rule_max_order_val=$(( rule_max_order_val + 1 ))
+	if [ ${order} -gt ${rule_max_order_val} ]; then
+		uci -q set firewallmngr."$1".order="$rule_max_order_val"
+		uci -q reorder firewallmngr."$1"=${rule_max_order_val}
+	fi
+
+	firewallmngr_process_rule_interface "$1"
+}
+
+firewallmngr_set_rule_order() {
+	local order=""
+	config_get order "$1" order
+
+	if [ -n "$order" ]; then
+		uci -q reorder firewallmngr."$1"=${order}
+		return
+	fi
+	rule_max_order_val=$(( rule_max_order_val + 1 ))
+	uci -q set firewallmngr."$1".order="$rule_max_order_val"
+	uci -q reorder firewallmngr."$1"=${rule_max_order_val}
+}
+
+config_foreach firewallmngr_process_rule_param rule
+config_foreach firewallmngr_set_rule_order rule
+
+uci commit firewallmngr

firewallmngr/files/firewallmngr_backend_firewallmngr/lib/fwmngr/fwmngr.sh

@@ -0,0 +1,195 @@
+#!/bin/sh
+#set -x
+
+. /lib/functions.sh
+. /lib/fwmngr/fwmngr_functions.sh
+
+
+fw_rule_sections=""
+fw_redirect_sections=""
+fw_include_sections=""
+
+clean_expiry() {
+	[ -f "/tmp/fw3.atjobs" ] || return
+	for job in $(cat /tmp/fw3.atjobs); do
+		atrm $job 2>/dev/null
+	done
+	rm -f /tmp/fw3.atjobs
+}
+
+schedule_expiry() {
+
+        [ -f "/usr/bin/at" ] || return
+
+        expire_at() {
+                local cfg=$1
+                local expiry atdate
+
+                config_get expiry $cfg expiry
+
+                [ -n "$expiry" ] || return
+
+                atdate="$(date +'%Y%m%d%H%M.%S' -d @$expiry)"
+
+                [ -n "$atdate" ] || return
+
+                sec=$(echo $atdate | cut -d. -f2)
+                at_date=$(echo $atdate | cut -d. -f1)
+
+                echo "sleep $sec && uci -q delete firewallmngr.$cfg; ubus call uci commit '{\"config\":\"firewallmngr\"}'" | \
+                        at -t $at_date 2>&1 | grep job | awk '{print$2}' >> /tmp/fw3.atjobs
+        }
+
+        config_foreach expire_at rule
+        config_foreach expire_at redirect
+}
+
+firewall_cleanup() {
+	local count=1
+
+	list=$(uci show firewall)
+        section_list=$(echo "$list" | grep "fwmngr")
+
+        section_list=$(echo "$section_list" | awk -F. '{ print $2 }')
+        section_list=$(echo "$section_list" | awk -F= '{ print $1 }')
+
+        fw_rule_sections=$(echo "$list" | grep -v fwmngr | grep "=rule")
+        fw_rule_sections=$(echo "$fw_rule_sections" | awk -F= '{ print $1 }')
+        fw_rule_sections=$(echo "$fw_rule_sections" | awk -F. '{ print $2 }')
+        fw_redirect_sections=$(echo "$list" | grep -v fwmngr | grep "=redirect")
+        fw_redirect_sections=$(echo "$fw_redirect_sections" | awk -F= '{ print $1 }')
+        fw_redirect_sections=$(echo "$fw_redirect_sections" | awk -F. '{ print $2 }')
+        fw_include_sections=$(echo "$list" | grep -v fwmngr | grep "=include")
+        fw_include_sections=$(echo "$fw_include_sections" | awk -F= '{ print $1 }')
+        fw_include_sections=$(echo "$fw_include_sections" | awk -F. '{ print $2 }')
+
+        for sec in $section_list; do
+                uci -q delete firewall."$sec"
+        done
+	uci commit firewall
+}
+
+firewallmngr_preload() {
+	firewall_cleanup
+
+	/lib/fwmngr/firewallmngr_preconfig
+}
+
+firewall_handle_section_dmz() {
+	local dmz_cfg="$1"
+	local dest_uci="$2"
+	local dmz_sec=""
+	local enable=""
+	local origin=""
+	local description=""
+	local interface=""
+	local dest_ip=""
+	local source_prefix=""
+	
+	config_get enable "$dmz_cfg" "enabled" 0
+	[ "$enable" = "1" ] || return
+	config_get dest_ip "$dmz_cfg" "dest_ip"
+	config_get interface "$dmz_cfg" "interface"
+	if [ -z "$dest_ip" ] || [ -z "$interface" ]; then
+		return
+	fi
+	config_get origin "$dmz_cfg" "origin"
+	config_get description "$dmz_cfg" "description"
+	config_get source_prefix "$dmz_cfg" "source_prefix"
+
+	if [ "$dest_uci" = "firewall" ]; then
+		zones=$(uci show firewall | grep "=zone")
+		for zn in zones; do
+			zn_arg=$(echo $zn | awk -F= '{ print $1 }')
+			if [ "$interface" = "$(uci -q get $zn_arg.network)" ]; then
+				zn_name=$(uci -q get "$zn_arg".name)
+			fi
+		done
+	fi
+
+	dmz_sec=$(uci add "$dest_uci" redirect)
+	uci set "$dest_uci"."$dmz_sec".src="$zn_name"
+	uci set "$dest_uci"."$dmz_sec".enabled="1"
+	uci set "$dest_uci"."$dmz_sec".dest_ip="$dest_ip"
+	uci set "$dest_uci"."$dmz_sec".origin="$origin"
+	uci set "$dest_uci"."$dmz_sec".src_ip="$source_prefix"
+	uci set "$dest_uci"."$dmz_sec".target="DNAT"
+
+       	uci rename "$dest_uci"."$dmz_sec"="fwmngr_$dmz_cfg"
+}
+
+handle_section_nat_interface_setting() {
+	local nat_intf_cfg="$1"
+	local interface=""
+	local enable=""
+
+	config_get enable "$nat_intf_cfg" "enabled"
+	[ -z "$enable" ] && return
+	config_get interface "$nat_intf_cfg" "interface"
+	if [ -n "$interface" ]; then
+		create_firewall_zone_config "$interface" "$enable"
+	fi
+}
+
+generate_firewall_config() {
+	local minus_one
+
+
+	firewallmngr_preload
+	uci commit firewallmngr
+	fw_config="$(uci -q get firewallmngr.firewall.config)"
+	[ -z "$fw_config" ] && return
+	[ "$fw_config" = "Advanced" ] || return
+
+#get active chain name
+	chain_name=$(firewallmngr_get_active_chain)
+
+#configure firewall global config
+	global_exist=$(uci -q get firewall.globals)
+	if [ -z "$global_exist" ]; then
+		global_sec=$(uci   add firewall globals)
+		uci   set firewall."$global_sec".enabled="1"
+		uci   rename firewall."$global_sec"="globals"
+	fi
+
+#configure firewall default config
+	default_sec=$(uci  add firewall defaults)
+	uci   set firewall."$default_sec".syn_flood="1"
+	uci   set firewall."$default_sec".input="$INPUT"
+	uci   set firewall."$default_sec".output="$OUTPUT"
+	uci   set firewall."$default_sec".forward="$FORWARD"
+        uci   rename firewall."$default_sec"="fwmngr_default"
+
+	config_load firewallmngr
+	config_foreach handle_section_nat_interface_setting natif
+	uci commit firewall
+#loop through rules in firewallmngr uci and write rule in firewall
+	config_foreach handle_section_firewall_rule rule "$chain_name" "firewall"
+	uci commit firewall
+
+	config_foreach handle_section_nat_port_mapping nat_portmapping "firewall"
+	config_foreach firewall_handle_section_dmz dmz "firewall"
+	config_foreach handle_section_service service "firewall"
+
+#reorder sections to place rule created by user at the end
+	minus_one=$((2**16))
+	for sec in $fw_rule_sections; do
+		uci -q reorder firewall."$sec"=${minus_one}
+	done
+	for sec in $fw_redirect_sections; do
+		uci -q reorder firewall."$sec"=${minus_one}
+	done
+	for sec in $fw_include_sections; do
+		uci -q reorder firewall."$sec"=${minus_one}
+	done
+
+	ubus call uci commit '{"config":"firewall"}'
+	schedule_expiry
+}
+
+configure_firewall () {
+	if ! [ -f "/etc/config/firewall" ]; then
+		touch /etc/config/firewall
+	fi
+	generate_firewall_config
+}

firewallmngr/files/firewallmngr_backend_firewallmngr/lib/fwmngr/fwmngr_functions.sh

@@ -0,0 +1,627 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+INPUT="REJECT"
+OUTPUT="ACCEPT"
+FORWARD="REJECT"
+
+firewallmngr_get_active_chain() {
+	local fw_level=""
+	local chain_name=""
+	local fw_level=""
+	local chain=""
+
+	fw_level="$(uci -q get firewallmngr.firewall.advanced_level)"
+	[ -z "$fw_level" ] && return
+	enabled="$(uci -q get firewallmngr."${fw_level}".enable)"
+
+	[ "$enabled" = "1" ] || exit
+
+	chain="$(uci -q get firewallmngr."${fw_level}".chain)"
+	[ -z "$chain" ] && exit
+
+	enabled="$(uci -q get firewallmngr."${chain}".enable)"
+	chain_name="$(uci -q get firewallmngr."${chain}".name)"
+	echo "$chain_name"
+}
+
+
+create_firewall_zone_config() {
+	local intf="$1"
+	local masq="$2"
+	local is_bridge="false"
+	local intf_dev=""
+	local ntwrk=""
+	local interface=$(echo "$intf" | awk -F" " '{ print $1 }')
+
+	type=$(uci -q get firewall."$interface")
+	[ "$type" = "zone" ] && return
+
+	zone_sec=$(uci add "firewall" "zone")
+	uci set firewall."$zone_sec".masq="$masq"
+	uci set firewall."$zone_sec".name="$interface"
+	uci set firewall."$zone_sec".output="$OUTPUT"
+
+	if [ $(/lib/fwmngr/is_intf_bridge "$interface") -eq 1 ]; then
+		uci set firewall."$zone_sec".input="ACCEPT"
+		uci set firewall."$zone_sec".forward="ACCEPT"
+	else
+		if [ "$(uci -q get firewallmngr.globals.enabled)" = "0" ]; then
+			uci set firewall."$zone_sec".input="ACCEPT"
+		else
+			uci set firewall."$zone_sec".input="REJECT"
+		fi
+		uci set firewall."$zone_sec".forward="REJECT"
+	fi
+	for ntwrk in $intf; do
+		uci add_list firewall."$zone_sec".network="$ntwrk"
+	done
+	uci rename firewall."$zone_sec"="$interface"
+}
+
+firewallmngr_set_ip() {
+	local rule_sec="$1"
+	local src_ip="$2"
+	local dest_ip="$3"
+
+	mask=$(echo "$src_ip"|grep "/")
+	if [ -z "$src_ip" ]; then
+		uci set firewallmngr."$rule_sec".src_ip="$src_ip"
+	else
+		ip=$(echo "$src_ip" | awk -F"/" '{ print $0 }')
+		mask=$(echo "$src_ip" | awk -F"/" '{ print $2 }')
+		uci set firewallmngr."$rule_sec".src_ip="$ip"
+		uci set firewallmngr."$rule_sec".source_mask="$mask"
+	fi
+
+	mask=$(echo "$src_ip"|grep "/")
+	if [ -z "$dest_ip" ]; then
+		uci set firewallmngr."$rule_sec".dest_ip="$dest_ip"
+	else
+		ip=$(echo "$dest_ip" | awk -F"/" '{ print $0 }')
+		mask=$(echo "$dest_ip" | awk -F"/" '{ print $2 }')
+		uci set firewallmngr."$rule_sec".dest_ip="$ip"
+		uci set firewallmngr."$rule_sec".dest_mask="$mask"
+	fi
+}
+
+firewall_set_ip() {
+	local rule_sec="$1"
+	local src_ip="$2"
+	local dest_ip="$3"
+
+	uci set firewall."$rule_sec".src_ip="$src_ip"
+	uci set firewall."$rule_sec".dest_ip="$dest_ip"
+}
+
+firewallmngr_set_port() {
+	local rule_sec="$1"
+	local src_port="$2"
+	local dest_port="$3"
+	local src_port_range_max="$4"
+	local dest_port_range_max="$5"
+
+	range=$(echo "$src_port" | grep ":")
+	if [ -z "$range" ]; then
+		uci set firewallmngr."$rule_sec".src_port="$src_port"
+	else
+		min_port=$(echo "$src_port" | awk -F":" '{ print $1 }')
+		max_port=$(echo "$src_port" | awk -F":" '{ print $2 }')
+
+		uci set firewallmngr."$rule_sec".src_port="$min_port"
+		uci set firewallmngr."$rule_sec".src_port_range_max="$max_port"
+	fi
+	range=$(echo "$dest_port" | grep ":")
+	if [ -z "$range" ]; then
+		uci set firewallmngr."$rule_sec".dest_port="$dest_port"
+	else
+		min_port=$(echo "$dest_port" | awk -F":" '{ print $1 }')
+		max_port=$(echo "$dest_port" | awk -F":" '{ print $2 }')
+
+		uci set firewallmngr."$rule_sec".dest_port="$min_port"
+		uci set firewallmngr."$rule_sec".dest_port_range_max="$max_port"
+	fi
+
+}
+
+firewall_set_port() {
+	local rule_sec="$1"
+	local src_port="$2"
+	local dest_port="$3"
+	local src_port_range_max="$4"
+	local dest_port_range_max="$5"
+
+	if [ -z "$dest_port_range_max" ] || [ "$dest_port_range_max" = "-1" ]; then
+		[ "$dest_port" == "-1" ] || uci set firewall."$rule_sec".dest_port="$dest_port"
+	else
+		uci set firewall."$rule_sec".dest_port="$dest_port:$dest_port_range_max"
+	fi
+
+	if [ -z "$src_port_range_max" ] || [ "$src_port_range_max" = "-1" ]; then
+		[ "$src_port" == "-1" ] || uci set firewall."$rule_sec".src_port="$src_port"
+	else
+		uci set firewall."$rule_sec".src_port="$src_port:$src_port_range_max"
+	fi
+}
+
+firewallmngr_set_interface() {
+	local rule_sec="$1"
+	local src_intf="$2"
+	local dest_intf="$3"
+
+	if [ "$src_intf" = "*" ]; then
+		uci set firewallmngr."$rule_sec".source_all_interfaces="1"
+	else
+		uci set firewallmngr."$rule_sec".source_all_interfaces="0"
+		uci set firewallmngr."$rule_sec".src="$src_intf"
+	fi
+	if [ "$dest_intf" = "*" ]; then
+		uci set firewallmngr."$rule_sec".dest_all_interfaces="1"
+	else
+		uci set firewallmngr."$rule_sec".dest_all_interfaces="0"
+		uci set firewallmngr."$rule_sec".dest="$dest_intf"
+	fi
+
+}
+
+firewall_set_interface() {
+	local rule_sec="$1"
+	local src_intf="$2"
+	local dest_intf="$3"
+	uci set firewall."$rule_sec".src="$src_intf"
+	uci set firewall."$rule_sec".dest="$dest_intf"
+}
+
+
+firewallmngr_get_rule_ip_family() {
+	local version="$1"
+
+	if [ "$version" == "ipv4" ]; then
+		echo "4"
+	elif [ "$version" == "ipv6" ]; then
+		echo "6"
+	else
+		echo "-1"
+	fi
+}
+
+firewall_get_rule_ip_family() {
+	local version="$1"
+
+	if [ "$version" == "4" ]; then
+		echo "ipv4"
+	elif [ "$version" == "6" ]; then
+		echo "ipv6"
+	else
+		echo "-1"
+	fi
+}
+
+firewallmngr_set_ip_family() {
+	local rule_sec="$1"
+	local ip_family="$2"
+
+	if [ -z "$ip_family" ]; then
+		uci set firewallmngr."$rule_sec".family="-1"
+		return
+	fi
+	uci set firewallmngr."$rule_sec".family="$ip_family"
+}
+
+firewall_set_ip_family() {
+	local rule_sec="$1"
+	local ip_family="$2"
+
+	[ "$ip_family" == "-1" ] ||  uci set firewall."$rule_sec".family="$ip_family"
+}
+
+firewallmngr_set_rule_target() {
+	local rule_sec="$1"
+	local target="$2"
+	local targetchain="$3"
+	local action
+	if [ "$target" = "MARK" ]; then
+		uci set firewallmngr."$rule_sec".target="Return"
+	elif [ "$target" = "TargetChain" ]; then
+		uci set firewallmngr."$rule_sec".target="$targetchain"
+	else
+		action=$(echo "$target" | awk '{for(i=1;i<=NF;i++){$i=toupper(substr($i,1,1)) substr($i,2)}} 1')
+		uci set firewallmngr."$rule_sec".target="$action"
+	fi
+}
+
+firewall_set_rule_target() {
+	local rule_sec="$1"
+	local target="$2"
+	local targetchain="$3"
+
+	target="$(echo $target | awk '{ print toupper($0) }')"
+	if [ "$target" = "ACCEPT" ] || [ "$target" = "REJECT" ] || [ "$target" = "DROP" ]; then
+		uci set firewall."$rule_sec".target="$(echo $target | awk '{ print toupper($0) }')"
+	elif [ "$target" = "Retrun" ]; then
+		uci set firewall."$rule_sec".target="MARK"
+	elif [ "$target" = "TargetChain" ]; then
+		uci set firewall."$rule_sec".target="$targetchain"
+	else
+		uci set firewall."$rule_sec".target="DROP"
+	fi
+}
+
+set_rule_protocol() {
+	local rule_sec="$1"
+	local protocol="$2"
+	local rule_rd="$3"
+	local dest_uci="$4"
+
+	set_icmp_type() {
+		uci add_list "$dest_uci"."$rule_sec".icmp_type="$1"
+	}
+
+	if [ -z "$protocol" ] || [ "$protocol" = "0" ] || [ "$protocol" = "all" ] || [ "$protocol" = "-1" ]; then
+		uci set "$dest_uci"."$rule_sec".proto="all"
+		return
+	fi
+
+	if [ "$dest_uci" = "firewallmngr" ]; then
+		protocol=$(grep -m 1 "$protocol" "/etc/protocols" | awk -F" " '{ print $2 }')
+	fi
+	uci set "$dest_uci"."$rule_sec".proto="$protocol"
+	if [ "$protocol" = "1" ] || [ "$protocol" = "icmp" ]; then
+		config_list_foreach "$rule_rd" "icmp_type" set_icmp_type
+	fi
+}
+
+handle_section_firewall_rule() {
+	local rule="$1"
+	local chain_name="$2"
+	local dest_uci="$3"
+	local chain=""
+	local is_enable=""
+	local src_intf=""
+	local ip_version=""
+	local ip_family=""
+	local protocol=""
+	local dest_intf=""
+	local target=""
+	local targetchain=""
+	local desc=""
+	local dest_port=""
+	local src_port=""
+	local src_port_range_max=""
+	local dest_port_range_max=""
+	local src_ip=""
+	local dest_ip=""
+	local source_mac=""
+	local source_all_interfaces=""
+	local dest_all_interfaces=""
+	local source_mask=""
+	local dest_mask=""
+	local limit=""
+	local expiry=""
+	local order=""
+
+	config_get is_enable "$rule" "enable" 1
+	[ "$is_enable" = "1" ] || return
+
+	if [ "$dest_uci" = "firewall" ]; then
+		config_get chain "$rule" "chain"
+		[ "$chain" = "$chain_name" ] || return
+	fi
+
+	config_get desc "$rule" "name"
+	config_get src_intf "$rule" "src"
+	config_get dest_intf "$rule" "dest"
+	config_get ip_version "$rule" "family"
+	function="$dest_uci"_get_rule_ip_family
+	ip_family="$($function $ip_version)"
+	config_get protocol "$rule" "proto"
+	config_get src_port "$rule" "src_port"
+	config_get dest_port "$rule" "dest_port"
+	config_get src_ip "$rule" "src_ip"
+	config_get source_mask "$rule" "source_mask"
+	[ -n "$source_mask" ] && src_ip="${src_ip}/$(echo $source_mask | awk -F/ '{ print $2 }')"
+	config_get dest_ip "$rule" "dest_ip"
+	config_get dest_mask "$rule" "dest_mask"
+	[ -n "$dest_mask" ] && dest_ip="${dest_ip}/$(echo $dest_mask | awk -F/ '{ print $2 }')"
+	config_get dest_port_range_max "$rule" "dest_port_range_max"
+	config_get src_port_range_max "$rule" "src_port_range_max"
+	config_get target "$rule" "target"
+	config_get targetchain "$rule" "targetchain"
+	config_get source_mac "$rule" "src_mac"
+	config_get order "$rule" "order"
+	config_get limit "$rule" "limit"
+	config_get expiry "$rule" "expiry"
+	config_get source_all_interfaces "$rule" "source_all_interfaces"
+	[ "$source_all_interfaces" = "1" ] && src_intf="*"
+	config_get dest_all_interfaces "$rule" "dest_all_interfaces"
+	[ "$dest_all_interfaces" = "1" ] && dest_intf="*"
+
+	rule_sec=$(uci add "$dest_uci" rule)
+	uci set "$dest_uci"."$rule_sec".chain="$chain_name"
+	uci set "$dest_uci"."$rule_sec".enabled="1"
+	uci set "$dest_uci"."$rule_sec".name="$desc"
+
+	"$dest_uci"_set_interface "$rule_sec" "$src_intf" "$dest_intf"
+	"$dest_uci"_set_ip_family "$rule_sec" "$ip_family"
+	"$dest_uci"_set_rule_target "$rule_sec" "$target" "$targetchain"
+	set_rule_protocol "$rule_sec" "$protocol" "$rule" "$dest_uci"
+
+	"$dest_uci"_set_port "$rule_sec" "$src_port" "$dest_port" "$src_port_range_max" "$dest_port_range_max"
+
+	"$dest_uci"_set_ip "$rule_sec" "$src_ip" "$dest_ip"
+
+	uci set "$dest_uci"."$rule_sec".src_mac="$source_mac"
+	uci set "$dest_uci"."$rule_sec".order="$order"
+	uci set "$dest_uci"."$rule_sec".limit="$limit"
+	uci set "$dest_uci"."$rule_sec".expiry="$expiry"
+
+	if [ "$dest_uci" = "firewall" ]; then
+        	uci rename "$dest_uci"."$rule_sec"="fwmngr_$rule"
+	else
+        	uci rename "$dest_uci"."$rule_sec"="$rule"
+	fi
+}
+
+firewallmngr_configure_service_rule() {
+	local interface="$1"
+	local dest_port="$2"
+	local ip_family="$3"
+	local protocol="$4"
+	local icmp_type="$5"
+	local source_prefix="$6"
+	local action="$7"
+	local service_cfg="$8"
+	local service_sec
+	
+	service_sec_add_list_value() {
+		for value in $1; do
+			uci add_list firewallmngr."$service_sec"."$2"="$value"
+		done
+	}
+
+	service_sec=$(uci add firewall service)
+	uci set firewallmngr."$service_sec".enabled="1"
+	uci set firewallmngr."$service_sec".name="service rule"
+	uci set firewallmngr."$service_sec".src="$interface"
+	uci set firewallmngr."$service_sec".icmp_type="$icmp_type"
+	uci set firewallmngr."$service_sec".family=$(firewallmngr_get_rule_ip_family "$ip_family")
+	firewallmngr_set_rule_target "$service_sec" "$action" ""
+
+	service_sec_add_list_value "$dest_port" "dest_port"
+	service_sec_add_list_value "$protocol" "protocol"
+	service_sec_add_list_value "$source_prefix" "src_prefix"
+
+	uci rename firewallmngr."$service_sec"="${service_cfg}"
+}
+
+firewall_configure_service_rule() {
+	local interface="$1"
+	local dest_port="$2"
+	local ip_family="$3"
+	local protocol="$4"
+	local icmp_type="$5"
+	local source_prefix="$6"
+	local action="$7"
+	local service_cfg="$8"
+	local service_sec
+
+	service_sec=$(uci add firewall rule)
+	uci set firewall."$service_sec".enabled="1"
+	uci set firewall."$service_sec".name="service rule"
+	uci set firewall."$service_sec".src="$interface"
+	[ "$dest_port" == "-1" ] || uci set firewall."$service_sec".dest_port="$dest_port"
+	uci set firewall."$service_sec".family=$(firewall_get_rule_ip_family "$ip_family")
+	[ "$protocol" == "-1" ] || uci set firewall."$service_sec".proto="$protocol"
+	[ "$icmp_type"  == "-1" ] || uci set firewall."$service_sec".icmp_type="$icmp_type"
+	uci set firewall."$service_sec".src_ip="$source_prefix"
+	firewall_set_rule_target "$service_sec" "$action" ""
+
+	[ -z "$service_cfg" ] || uci rename firewall."$service_sec"="fwmngr_${service_cfg}"
+}
+
+handle_section_service() {
+	local service_cfg="$1"
+	local dest_uci="$2"
+	local service_sec=""
+	local enable=""
+	local interface=""
+	local dest_port=""
+	local protocol=""
+	local icmp_type=""
+	local source_prefix=""
+	local action=""
+	local ip_family=""
+
+	get_service_proto_list() {
+		protocol="$protocol $1"
+	}
+	get_service_src_prefix_list() {
+		source_prefix="$source_prefix $1"
+	}
+	get_service_dest_port_list() {
+		dest_port="$dest_port $1"
+	}
+
+	config_get enable "$service_cfg" "enable" 0
+	[ "$enable" == "1" ] || return
+	config_get interface "$service_cfg" "interface"
+	[ -z "$interface" ] && return
+	config_get ip_family "$service_cfg" "family"
+
+	config_list_foreach "$service_cfg" "proto" get_service_proto_list
+	config_list_foreach "$service_cfg" "dest_port" get_service_dest_port_list
+	config_list_foreach "$service_cfg" "src_prefix" get_service_src_prefix_list
+
+	config_get icmp_type "$service_cfg" "icmp_type"
+	config_get action "$service_cfg" "target"
+
+	"$dest_uci"_configure_service_rule "$interface" "$dest_port" "$ip_family" "$protocol" "$icmp_type" "$source_prefix" "$action" "$service_cfg"
+
+}
+
+firewallmngr_set_all_intf_src_dip() {
+	local redirect_section="$1"
+	local zn_name="$2"
+	local all_interface="$3"
+
+	config_get src_dip "$redirect_section" "src_dip"
+
+	if [ "$src_dip" = "*" ]; then
+		uci set firewallmngr."$redirect_sec".all_interface="1"
+	else
+		uci set firewallmngr."$redirect_sec".all_interface="0"
+	fi
+}
+
+firewall_set_all_intf_src_dip() {
+	local redirect_section="$1"
+	local zn_name="$2"
+	local all_interface="$3"
+
+	if [ "$all_interface" = "1" ]; then
+		if [ -z "$zn_name" ]; then
+			uci set firewall."$redirect_sec".src="wan"
+		else
+			uci set firewall."$redirect_sec".src="$zn_name"
+		fi
+		uci set firewall."$redirect_sec".src_dip="*"
+	else
+		uci set firewall."$redirect_sec".src="$zn_name"
+		uci set firewall."$redirect_sec".src_dip=""
+	fi
+}
+
+firewallmngr_set_src_dport() {
+        local redirect_sec="$1"
+        lodcal external_port="$2"
+        local external_port_end="$3"
+
+	range=$(echo "$external_port" | grep "-")
+	if [ -z "$range" ]; then
+		uci set firewallmngr."$redirect_sec".src_dport="$external_port"
+	else
+		min_port=$(echo "$external_port" | awk -F"-" '{ print $1 }')
+		max_port=$(echo "$external_port" | awk -F"-" '{ print $2 }')
+
+		uci set firewallmngr."$redirect_sec".src_dport="$min_port"
+		uci set firewallmngr."$redirect_sec".src_dport_end="$max_port"
+	fi
+} 
+
+firewall_set_src_dport() {
+        local redirect_sec="$1"
+        local external_port="$2"
+        local external_port_end="$3"
+
+	if [ "$external_port_end" = "0" ]; then
+		if ! [ "$external_port" = "0" ]; then
+			uci set firewall."$redirect_sec".src_dport="$external_port"
+		fi
+	else
+		uci set firewall."$redirect_sec".src_dport="$external_port-$external_port_end"
+	fi
+} 
+
+
+# handling for firewallmngr to firewall
+handle_section_nat_port_mapping() {
+	local nat_port_cfg="$1"
+	local dest_uci="$2"
+	local enable=""
+	local interface=""
+	local all_interface=""
+	local lease_duration=""
+	local remote_host=""
+	local external_port=""
+	local external_port_end=""
+	local internal_port=""
+	local protocol=""
+	local internal_client=""
+	local description=""
+	local redirect_sec=""
+	local epoch_sec=""
+	local stop_epoch=""
+	local stop_ymd=""
+	local stop_hms=""
+	local zn_name=""
+
+	config_get enable "$nat_port_cfg" "enabled"
+	config_get interface "$nat_port_cfg" "src"
+
+	if [ "$dest_uci" = "firewall" ]; then
+		zones=$(uci show firewall | grep "=zone")
+		for zn in zones; do
+			zn_arg=$(echo $zn | awk -F= '{ print $1 }')
+			if [ "$interface" = "$(uci -q get $zn_arg.network)" ]; then
+				zn_name=$(uci -q get "$zn_arg".name)
+				masq=$(uci -q get "$zn_arg".masq)
+			fi
+		done
+		if [ -z "$enable" ] && ! [ "$masq" = "1" ]; then
+			return
+		fi
+	fi
+
+	config_get internal_client "$nat_port_cfg" "dest_ip"
+	config_get all_interface "$nat_port_cfg" "all_interface"
+	config_get lease_duration "$nat_port_cfg" "lease_duration"
+	config_get remote_host "$nat_port_cfg" "src_ip"
+	config_get external_port "$nat_port_cfg" "src_dport" "0"
+	config_get external_port_end "$nat_port_cfg" "src_dport_end" "0"
+	config_get internal_port "$nat_port_cfg" "dest_port"
+	config_get protocol "$nat_port_cfg" "proto"
+	protocol=$(echo $protocol | awk '{ print tolower($0) }')
+	config_get description "$nat_port_cfg" "name"
+
+	redirect_sec=$(uci add "$dest_uci" redirect)
+
+	"dest_uci"_set_all_intf_src_dip "$redirect_sec" "$zn_name" "$all_interface"
+
+	if [ "$dest_uci" = "firewall" ]; then
+		if [ -n "$lease_duration" ] && ! [ "$lease_duration" == "0" ]; then
+			epoch_sec=$(date +%s)
+			stop_epoch=$(( epoch_sec + lease_duration ))
+			stop_ymd=$(date -d @${stop_epoh} +%Y-%m-%d)
+			stop_hms=$(date -d @${stop_epoch} +%H:%M:%S)
+			uci set "$dest_uci"."$redirect_sec".stop_date="$stop_ymd"
+			uci set "$dest_uci"."$redirect_sec".stop_time="$stop_hms"
+		fi
+	fi
+
+	"$dest_uci"_set_src_dport "$redirect_section" "$external_port" "$external_port_end"
+
+	uci  set "$dest_uci"."$redirect_sec".enabled="1"
+	uci  set "$dest_uci"."$redirect_sec".target="DNAT"
+	uci  set "$dest_uci"."$redirect_sec".dest_ip="$internal_client"
+	[ -z "$protocol" ] || uci set "$dest_uci"."$redirect_sec".proto="$protocol"
+	[ -z "$remote_host" ] || uci  set "$dest_uci"."$redirect_sec".src_ip="$remote_host"
+	[ -z "$internal_port" ] || uci set "$dest_uci"."$redirect_sec".dest_port="$internal_port"
+	[ -z "$description" ] || uci set "$dest_uci"."$redirect_sec".name="$description"
+
+	if [ "$dest_uci" = "firewall" ]; then
+        	uci rename "$dest_uci"."$redirect_sec"="fwmngr_$nat_port_cfg"
+	else
+        	uci rename "$dest_uci"."$redirect_sec"="$nat_port_cfg"
+	fi
+}
+
+handle_include_section() {
+	local include_sec="$1"
+	local dest_uci="$2"
+
+	config_get path "$include_sec" "path"
+	config_get reload "$include_sec" "reload"
+	config_get include_type "$include_sec" "type"
+
+	sec=$(uci   add "$dest_uci" include)
+	[ -z "$path" ] || uci   set "$dest_uci"."$sec".path="$path"
+	[ -z "$reload" ] || uci   set "$dest_uci"."$sec".reload="$reload"
+	[ -z "$include_type" ] || uci   set "$dest_uci"."$sec".type="$include_type"
+	if [ "$dest_uci" = "firewall" ]; then
+        	uci   rename "$dest_uci"."$sec"="fwmngr_$include_sec"
+	else
+        	uci   rename "$dest_uci"."$sec"="$include_sec"
+	fi
+	
+}

firewallmngr/files/firewallmngr_backend_firewallmngr/lib/fwmngr/fwmngr_twamp.sh

@@ -0,0 +1,60 @@
+#! /bin/sh
+
+active_chain=""
+remove_twamp_reflector_rules() {
+	config_get name "$1" name
+
+	if [ "$name" = "Twamp Reflector Rule" ]; then
+		uci delete firewallmngr."$1"
+	fi
+
+}
+
+handle_twamp_reflector_rules() {
+	local twamp_cfg="$1"
+	local sec_name=""
+	local action="Acept"
+
+	config_get enable "$twamp_cfg" enable "1"
+	config_get port "$twamp_cfg" port
+	config_get interface "$twamp_cfg" interface
+
+	if [ "${enable}" -eq 0 ] || [ -z "$port" ] || [ -z "$interface" ]; then
+		return
+	fi
+	sec_name="twamp_${interface}_${port}"
+	rule_twamp=$(uci add firewallmngr rule)
+	uci set firewallmngr."$rule_twamp".enable="1"
+	uci set firewallmngr."$rule_twamp".chain="$active_chain"
+	uci set firewallmngr."$rule_twamp".dest_port="$port"
+	uci set firewallmngr."$rule_twamp".name="Twamp Reflector Rule"
+	uci set firewallmngr."$rule_twamp".interface="$interface"
+	uci set firewallmngr."$rule_twamp".ip_version="4"
+	uci set firewallmngr."$rule_twamp".protocol="17"
+	uci set firewallmngr."$rule_twamp".target="$action"
+	uci rename firewallmngr."$rule_twamp"="fwmngr_$sec_name"
+}
+
+firewallmngr_get_active_chain() {
+	config_get creator "$1" creator
+	[ "$creator" = "PortMapping" ] && return
+
+	config_get enable "$1" enable
+	if [ -n "$enable" ] && [ "$enable" = "1" ]; then
+		config_get active_chain "$1" name
+	fi
+}
+
+handle_twamp_rules() {
+	twamp_enable=$(uci -q get twamp.twamp.enable)
+
+	config_load firewallmngr
+	config_foreach firewallmngr_get_active_chain chain
+
+	config_foreach remove_twamp_reflector_rules rule
+	config_load twamp
+	if [ -n "$twamp_enable" ] && [ "$twamp_enable" == "1" ]; then
+		config_foreach handle_twamp_reflector_rules twamp_reflector
+	fi
+	uci commit firewallmngr
+}

firewallmngr/files/firewallmngr_backend_firewallmngr/lib/fwmngr/is_intf_bridge

@@ -0,0 +1,23 @@
+#!/bin/sh
+. /lib/functions.sh
+
+interface=$1
+intf_dev=""
+is_bridge=0
+
+is_device_type_bridge() {
+	local dev
+	local dev_type
+
+	config_get dev "$1" "name"
+	config_get dev_type "$1" "type"
+	if [ "$dev" = "$intf_dev" ] && [ "$dev_type" = "bridge" ]; then
+		is_bridge=1
+	fi
+}
+
+intf_dev=$(uci -q get network."$interface".device)
+config_load network
+config_foreach is_device_type_bridge device 
+
+echo $is_bridge

firewallmngr/files/firewallmngr_backend_firewallmngr/lib/fwmngr/uci_migration.sh

@@ -0,0 +1,158 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /lib/fwmngr/fwmngr_functions.sh
+
+uci_mig_include_sections=""
+include_deprecated_list="hosts cwmp dmz mcast twamp portmap service"
+final_include_cfg=""
+
+
+firewallmngr_zone_to_nat_interface_setting() {
+	zone="$1"
+
+	config_get interface "$zone" "network"
+	[ -n "$interface" ] || return
+	config_get enable "$zone" "masq" "0"
+	nat_intf_setting=$(uci add "firewallmngr" "natif")
+	uci set firewallmngr."$nat_intf_setting".enabled="$enable"
+	uci set firewallmngr."$nat_intf_setting".interface="$interface"
+
+	uci rename firewallmngr."$nat_intf_setting"=$(echo "$interface" | awk -F" " '{ print $1 }')
+}
+
+handle_section_forwarding_rule() {
+	local fwd="$1"
+	local chain="$2"
+
+	config_get src_intf "$fwd" "src" 
+	config_get dest_intf "$fwd" "dest"
+
+	rule_sec=$(uci add "firewallmngr" rule)
+	firewallmngr_set_interface "$rule_sec" "$src_intf" "$dest_intf"
+	uci set firewallmngr."$rule_sec".chain="$chain"
+	uci set firewallmngr."$rule_sec".name="$fwd"
+	uci set firewallmngr."$rule_sec".target="accept"
+       	uci rename firewallmngr."$rule_sec"="fwmngr_$fwd"
+}
+
+firewallmngr_handle_section_dmz() {
+	local dmz_cfg="$1"
+	local dest_uci="$2"
+	local dmz_sec=""
+	local enabled=""
+	local origin=""
+	local description=""
+	local interface=""
+	local dest_ip=""
+	local source_prefix=""
+	
+	config_get dest_ip "$dmz_cfg" "dest_ip"
+	config_get interface "$dmz_cfg" "interface"
+	config_get origin "$dmz_cfg" "origin"
+	config_get source_prefix "$dmz_cfg" "source_prefix"
+	config_get description "$dmz_cfg" "description"
+	config_get enabled "$dmz_cfg" "enabled"
+
+	dmz_sec=$(uci add firewallmngr dmz)
+
+	uci set firewallmngr."$dmz_sec".enabled="$enabled"
+	uci set firewallmngr."$dmz_sec".dest_ip="$dest_ip"
+	uci set firewallmngr."$dmz_sec".interface="$interface"
+	uci set firewallmngr."$dmz_sec".origin="$origin"
+	uci set firewallmngr."$dmz_sec".description="$description"
+	uci set firewallmngr."$dmz_sec".source_prefix="$source_prefix"
+
+       	uci rename firewallmngr."$dmz_sec"="$dmz_cfg"
+}
+
+#This call must be triggered from procd boot function
+cleanup_firewallmngr_rule_section() {
+	rule_sec=$(uci show firewallmngr | grep "=rule")
+	for sec in $rule_sec; do
+		rule=$(echo "$sec" | awk -F= '{ print $1 }')
+		uci delete "$rule"
+	done
+	uci commit firewallmngr
+}
+
+firewallmngr_delete_install_dmz_rule() {
+	local dmz_cfgs
+
+	dmz_cfgs=$(uci show firewall | grep "=dmz")
+	for dmz in $dmz_cfgs; do
+		dmz=$(echo $dmz | awk -F= '{ print $1 }')
+		uci del "$dmz"
+	done
+	uci commit firewall
+}
+
+firewall_delete_deprecated_include_section() {
+	new_inc_list=""
+
+	inc_list=$(uci show firewall | grep "=include")
+	for inc in $inc_list; do
+		inc=$(echo "$inc"| awk -F"=" '{ print $1 }')
+
+		inc_name=$(echo "$inc" | awk -F. '{ print $2 }')
+		inc_path=$(uci -q get "$inc".path | awk -F/ '{ print $NF }')
+		inc_file=$(echo "$inc_path" | awk -F. '{ print $2 }')
+
+		inc_ignore=$(echo "$include_deprecated_list"| grep -w "$inc_name")
+		if [ -z "$inc_ignore" ]; then
+			inc_ignore=$(echo "$include_deprecated_list"| grep -w "$inc_file")
+		fi
+		[ -z "$inc_ignore" ] || uci delete "$inc"
+
+	done
+	uci commit firewall
+
+
+}
+
+firewall_backup_include_section() {
+	list=$(uci show firewall)
+        uci_mig_include_sections=$(echo "$list" | grep "=include")
+        uci_mig_include_sections=$(echo "$fw_include_sections" | awk -F= '{ print $1 }')
+        uci_mig_include_sections=$(echo "$fw_include_sections" | awk -F. '{ print $2 }')
+}
+
+firewall_uci_cleanup() {
+# cleanup all sections of firewall uci, firewall uci will be generated by firewallmngr init
+	section_cleanup () {
+		local sec="$1"
+
+		rule_sec=$(uci show firewall | grep "$sec")
+		for rule in $rule_sec; do
+			rule=$(echo "$rule" | awk -F= '{ print $1 }')
+			uci delete "$rule"
+		done
+	}
+
+	section_cleanup "=rule"
+	section_cleanup "=zone"
+	section_cleanup "=redirect"
+	section_cleanup "=dmz"
+	section_cleanup "=service"
+	section_cleanup "=forwarding"
+	section_cleanup "=defaults"
+	section_cleanup "=globals"
+	uci commit firewall
+}
+
+generate_firewallmngr_config() {
+	chain_name=$(firewallmngr_get_active_chain)
+	cleanup_firewallmngr_rule_section
+	config_load firewall
+	config_foreach handle_section_firewall_rule rule "$chain_name" "firewallmngr"
+	config_foreach firewallmngr_zone_to_nat_interface_setting zone 
+	config_foreach handle_section_nat_port_mapping redirect "firewallmngr"
+	config_foreach firewallmngr_handle_section_dmz dmz "firewallmngr"
+	config_foreach handle_section_service service "firewallmngr"
+	config_foreach handle_section_forwarding_rule forwarding "$chain_name"
+
+	uci commit firewallmngr
+
+	firewall_uci_cleanup
+	firewall_delete_deprecated_include_section
+}

hostmngr/Makefile

@@ -62,7 +62,11 @@ define Package/hostmngr/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/hostmngr $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/usr/share/hostmngr
+ifneq ($(CONFIG_FIREWALLMNGR_BACKEND_FIREWALLMNGR),y)
 	$(INSTALL_DATA) ./files/scripts/hosts_acl.sh $(1)/usr/share/hostmngr/
+else
+	$(INSTALL_DATA) ./files/scripts/hostmngr_backend_firewallmngr/hosts_acl.sh $(1)/usr/share/hostmngr/
+endif
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/bbf_plugin/libhostmngr.so $(1) $(PKG_NAME)
 endef
 

hostmngr/files/scripts/hostmngr_backend_firewallmngr/hosts_acl.sh

@@ -0,0 +1,299 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+day=""
+next_days=""
+prev_days=""
+schedule_added=""
+
+ACCESS_RULE=""
+IP_RULE=""
+IP_RULE1=""
+
+get_next_day() {
+	local weekday="$1"
+	case "$weekday" in
+		"Mon"|"Monday") echo "Tuesday"
+		;;
+		"Tue"|"Tuesday") echo "Wednesday"
+		;;
+		"Wed"|"Wednesday") echo "Thursday"
+		;;
+		"Thu"|"Thursday") echo "Friday"
+		;;
+		"Fri"|"Friday") echo "Saturday"
+		;;
+		"Sat"|"Saturday") echo "Sunday"
+		;;
+		"Sun"|"Sunday") echo "Monday"
+		;;
+	esac
+}
+
+get_previous_day() {
+	local weekday="$1"
+	case "$weekday" in
+		"Mon"|"Monday") echo "Sunday"
+		;;
+		"Tue"|"Tuesday") echo "Monday"
+		;;
+		"Wed"|"Wednesday") echo "Tuesday"
+		;;
+		"Thu"|"Thursday") echo "Wednesday"
+		;;
+		"Fri"|"Friday") echo "Thursday"
+		;;
+		"Sat"|"Saturday") echo "Friday"
+		;;
+		"Sun"|"Sunday") echo "Saturday"
+		;;
+	esac
+}
+
+ip_rule_west_zone() {
+	local utc_start_t_h="$1"
+	local utc_stop_t_h="$2"
+	local local_start_t_h="$3"
+	local local_stop_t_h="$4"
+	local utc_start_time="$5"
+	local utc_stop_time="$6"
+
+	if [ "$utc_start_t_h" -lt "$local_start_t_h" ]; then
+		IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time"
+		if [ -n "$next_days" ]; then
+			IP_RULE="$IP_RULE --weekdays $next_days"
+		fi
+	else
+		if [ "$utc_stop_t_h" -lt "$local_stop_t_h" ]; then
+			IP_RULE1="$IP_RULE"
+			IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop 23:59"
+			IP_RULE1="$IP_RULE1 -m time --timestart 00:00 --timestop $utc_stop_time"
+			if [ -n "$next_days" ]; then
+				IP_RULE1="$IP_RULE1 --weekdays $next_days"
+			fi
+		else
+			IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time"
+		fi
+		if [ -n "$day" ]; then
+			IP_RULE="$IP_RULE --weekdays $day"
+		fi
+	fi
+}
+
+ip_rule_east_zone() {
+	local utc_start_t_h="$1"
+	local utc_stop_t_h="$2"
+	local local_start_t_h="$3"
+	local local_stop_t_h="$4"
+	local utc_start_time="$5"
+	local utc_stop_time="$6"
+
+	if [ "$utc_start_t_h" -lt "$local_start_t_h" ]; then
+		IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time"
+		if [ -n "$day" ]; then
+			IP_RULE="$IP_RULE --weekdays $day"
+		fi
+	else
+		if [ "$utc_stop_t_h" -lt "$local_stop_t_h" ]; then
+			IP_RULE1="$IP_RULE"
+			IP_RULE="$IP_RULE -m time --timestart 00:00 --timestop $utc_stop_time"
+			IP_RULE1="$IP_RULE1 -m time --timestart $utc_start_time --timestop 23:59"
+			if [ -n "$prev_days" ]; then
+				IP_RULE1="$IP_RULE1 --weekdays $prev_days"
+			fi
+		else
+			IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time"
+		fi
+		if [ -n "$day" ]; then
+			IP_RULE="$IP_RULE --weekdays $day"
+		fi
+	fi
+}
+
+
+add_access_rule() {
+	local rule="$1"
+	echo "iptables -w -A hosts_forward ${rule}" >> $ACL_FILE
+	echo "ip6tables -w -A hosts_forward ${rule}" >> $ACL_FILE
+}
+
+handle_day_list() {
+	local value=$1
+
+	val=$(echo $value | cut -c 1-3)
+	next_day_val=$(get_next_day $val)
+	prev_day_val=$(get_previous_day $val)
+	if [ -z $day ]; then
+		day="$val"
+		next_days="$next_day_val"
+		prev_days="$prev_day_val"
+	else
+		day="$day,$val"
+		next_days="$next_days,$next_day_val"
+		prev_days="$prev_days,$prev_day_val"
+	fi
+}
+
+handle_schedule() {
+	local schd_section="$1"
+	local ac_section="$2"
+	local acs_id
+	local start_time
+	local duration
+
+	IP_RULE="$ACCESS_RULE"
+	IP_RULE1=""
+	day=""
+	next_days=""
+	prev_days=""
+
+	config_get acs_id "$schd_section" "dm_parent"
+
+	if [ "$acs_id" != "$ac_section" ]; then
+		return # schedule not for this access control section
+	fi
+
+	local is_enabled
+	config_get is_enabled "$schd_section" "enable" 0
+	if [ "$is_enabled" == "0" ]; then
+		return
+	fi
+
+	local all_days="Monday Tuesday Wednesday Thursday Friday Saturday Sunday"
+	local day_config
+	config_get day_config "$schd_section" "day" "$all_days"
+
+	IFS=" "
+	for d in $day_config; do
+		handle_day_list $d
+	done
+
+	config_get start_time "$schd_section" "start_time" "00:00"
+	config_get duration "$schd_section" "duration"
+
+	zone=$(date +%z | cut -c 1)
+	local_start_time=$start_time
+	hh=$(echo $local_start_time | awk -F: '{ print $1 }')
+	mm=$(echo $local_start_time | awk -F: '{ print $2 }')
+	hh_s=`expr $hh \* 3600`
+	mm_s=`expr $mm \* 60`
+	ss=$(( hh_s + mm_s ))
+	local_start_hh=$hh
+
+        if [ -n "$duration" ]; then
+                stop_ss=$(( ss + duration ))
+                hh=$(( stop_ss / 3600 ))
+               	rem_ss=$(( stop_ss % 3600 ))
+               	mm=$(( rem_ss / 60 ))
+               	ss=$(( rem_ss % 60 ))
+		local_stop_time="$hh:$mm:$ss"
+		local_stop_hh=$hh
+	else
+		# if duartion is not specified, then apply rule to end of the day
+		local_stop_time="23:59:59"
+		local_stop_hh="23"
+	fi
+
+	utc_start_time=$(date -u -d @$(date "+%s" -d "$local_start_time") +%H:%M)
+	utc_stop_time=$(date -u -d @$(date "+%s" -d "$local_stop_time") +%H:%M)
+	utc_start_hh=$(echo $utc_start_time | awk -F: '{ print $1 }')
+	utc_stop_hh=$(echo $utc_stop_time | awk -F: '{ print $1 }')
+	if [ "$zone" == "-" ]; then
+		ip_rule_west_zone $utc_start_hh $utc_stop_hh $local_start_hh $local_stop_hh $utc_start_time $utc_stop_time
+	else
+		ip_rule_east_zone $utc_start_hh $utc_stop_hh $local_start_hh $local_stop_hh $utc_start_time $utc_stop_time
+	fi
+
+	IP_RULE="$IP_RULE -j ACCEPT"
+	if [ -n "$IP_RULE1" ]; then
+		IP_RULE1="$IP_RULE1 -j ACCEPT"
+	fi
+
+	add_access_rule "$IP_RULE"
+	if [ -n "$IP_RULE1" ]; then
+		add_access_rule "$IP_RULE1"
+	fi
+
+	# for access rules to be effective for a schedule, need to add DROP rule
+	# to block the access outside the defined schedule
+	if [ "$schedule_added" == "0" ]; then
+		schedule_added="1"
+	fi
+}
+
+handle_access_control() {
+	local ac_section="$1"
+	local is_enabled
+
+	# default value of Hosts.AccessControl.{i}.Enable is false,
+	# so, if not defined in uci as 1, assume 0
+	config_get is_enabled "$ac_section" "enable" 0
+	if [ "$is_enabled" == "0" ]; then
+		return
+	fi
+
+	local mac_addr
+	config_get mac_addr "$ac_section" "macaddr"
+	if [ -z "$mac_addr" ]; then
+		return
+	else
+		ACCESS_RULE="-m mac --mac-source $mac_addr"
+	fi
+
+	local access_policy
+	config_get access_policy "$ac_section" "access_policy"
+	if [ -z "$access_policy" ]; then
+		return # since system default is allow so no need to do anything
+	fi
+
+	# As per Data Model, if access policy is deny, then schedule is to be ignored
+	# and no access is to be provided for the device
+	if [ "$access_policy" == "Deny" ]; then
+		ACCESS_RULE="$ACCESS_RULE -j DROP"
+		add_access_rule "$ACCESS_RULE"
+		return # no need to parse schedule
+	fi
+
+	schedule_added="0"
+	# check if schedule is defined for this access_control instance
+	# and if yes, create rule accordingly
+	config_foreach handle_schedule  ac_schedule "$ac_section"
+
+	# for access rule to work, need to have default drop rule as last rule
+	if [ "$schedule_added" == "1" ]; then
+		IP_RULE="$ACCESS_RULE -j DROP"
+		add_access_rule "$IP_RULE"
+	fi
+}
+
+ACL_FILE="/tmp/hosts_access_control/access_control.rules"
+
+rm -f $ACL_FILE
+
+mkdir -p /tmp/hosts_access_control/
+touch $ACL_FILE
+
+echo "iptables -w -F hosts_forward" >> $ACL_FILE
+echo "ip6tables -w -F hosts_forward" >> $ACL_FILE
+
+hosts_ipv4_forward=$(iptables -t filter --list -n | grep hosts_forward)
+if [ -z "$hosts_ipv4_forward" ]; then
+	echo "iptables -w -t filter -N hosts_forward" >> $ACL_FILE
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j hosts_forward" >> $ACL_FILE
+fi
+
+hosts_ipv6_forward=$(ip6tables -t filter --list -n | grep hosts_forward)
+if [ -z "$hosts_ipv6_forward" ]; then
+	echo "ip6tables -w -t filter -N hosts_forward" >> $ACL_FILE
+	ret=$?
+	[ $ret -eq 0 ] && echo "ip6tables -w -t filter -I FORWARD -j hosts_forward" >> $ACL_FILE
+fi
+
+# Load /etc/config/hosts UCI file
+config_load hosts
+config_foreach handle_access_control access_control
+
+# apply the rules
+sh $ACL_FILE

icwmp/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.7.16
+PKG_VERSION:=9.7.19
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=5d633f53df3af3e55011e0e29cd204e856529f3e
+PKG_SOURCE_VERSION:=db40cb6311003c9a49e78f0e2f740aae465266a8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -50,10 +50,16 @@ define Package/icwmp/install
 	$(INSTALL_DIR) $(1)/etc/udhcpc.user.d
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/icwmpd $(1)/usr/sbin/icwmpd
 	$(INSTALL_DATA) ./files/etc/config/cwmp $(1)/etc/config/cwmp
+ifneq ($(CONFIG_FIREWALLMNGR_BACKEND_FIREWALLMNGR),y)
 	$(INSTALL_BIN) ./files/etc/firewall.cwmp $(1)/etc/firewall.cwmp
 	$(INSTALL_BIN) ./files/etc/init.d/icwmpd $(1)/etc/init.d/icwmpd
-	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/90-cwmpfirewall $(1)/etc/uci-defaults/
+else
+	$(INSTALL_DIR) $(1)/usr/share/icwmp
+	$(INSTALL_BIN) ./files/etc/init.d/icwmp_backend_firewallmngr/icwmpd $(1)/etc/init.d/icwmpd
+	$(INSTALL_BIN) ./files/script/icwmp_backend_firewallmngr/firewall_cwmp.sh $(1)/usr/share/icwmp/
+endif
+	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/95-set-random-inform-time $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/icwmp $(1)/lib/upgrade/keep.d/icwmp
 	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_icwmp_opt125.user $(1)/etc/udhcpc.user.d/udhcpc_icwmp_opt125.user

icwmp/files/etc/init.d/icwmp_backend_firewallmngr/icwmpd

@@ -0,0 +1,589 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2015-2019 iopsys Software Solutions AB
+
+START=99
+STOP=00
+
+USE_PROCD=1
+PROG="/usr/sbin/icwmpd"
+
+. /lib/functions.sh
+. /usr/share/libubox/jshn.sh
+
+include /lib/network
+
+log() {
+	echo "${@}"|logger -t cwmp.init -p info
+}
+
+regenerate_ssl_link() {
+	local cert_dir
+
+	cert_dir="${1%/}"
+	if [ -f "${cert_dir}" ]; then
+		return 0
+	fi
+
+	# do not generate the c_rehash if its system default cert path
+	# ca-certificate package already generates c_rehash on compilation
+	[ ! -d "${cert_dir}" ] || [ "${cert_dir}" = "/etc/ssl/certs" ] && return 0
+
+	generate_links() {
+		local file_type="$1"
+		local files="${cert_dir}"/*."${file_type}"
+		for cfile in ${files}; do
+			if [ -f "${cfile}" ]; then
+				rehash="$(openssl x509 -hash -noout -in "${cfile}")"
+				if [ ! -f "${cert_dir}/${rehash}.0" ]; then
+					log "Generating c_rehash for ${cfile}=>${rehash}.0"
+					ln -s "${cfile}" "${cert_dir}/${rehash}.0"
+				fi
+			fi
+		done
+	}
+
+	generate_links "pem"
+}
+
+enable_dhcp_option43() {
+	local wan="${1}"
+
+	### Ask for DHCP Option 43 only if CWMP is enabled ###
+	local reqopts="$(uci -q get network."${wan}".reqopts)"
+	local proto="$(uci -q get network."${wan}".proto)"
+	local newreqopts=""
+	local option43_present=0
+
+	for ropt in $reqopts; do
+		case $ropt in
+			43) option43_present=1 ;;
+			*) ;;
+		esac
+	done
+
+	if [ ${option43_present} -eq 1 ]; then
+		return;
+	fi
+
+	newreqopts="$reqopts 43"
+	if [ "${proto}" = "dhcp" ]; then
+		uci -q set network."${wan}".reqopts="$newreqopts"
+		uci commit network
+		ubus call network reload
+	fi
+}
+
+convert_to_hex() {
+	local val=""
+	local optval="${1}"
+	OPTIND=1
+	while getopts ":" opt "-$optval"
+	do
+		temp=$(printf "%02X" "'${OPTARG:-:}")
+		val="${val}:${temp}"
+	done
+
+	echo "${val}"
+}
+
+configure_send_op125() {
+	local sendopt="${1}"
+	local intf="${2}"
+	local uci="${3}"
+	local hex_oui=""
+	local hex_serial=""
+	local hex_class=""
+	local oui_len=0
+	local serial_len=0
+	local class_len=0
+
+	if [ "${uci}" = "network" ]; then
+		local opt125="125:00:00:0D:E9"
+	else
+		if [ -z "${sendopt}" ]; then
+			local opt125="125,00:00:0D:E9"
+		else
+			local opt125=":00:00:0D:E9"
+		fi
+	fi
+
+	config_get oui cpe manufacturer_oui ""
+	if [ -z "${oui}" ]; then
+		oui=$(db -q get device.deviceinfo.ManufacturerOUI)
+	fi
+
+	oui=$(echo "${oui}" | tr 'a-f' 'A-F')
+
+	config_get serial cpe serial_number ""
+	if [ -z "${serial}" ]; then
+		serial=$(db -q get device.deviceinfo.SerialNumber)
+	fi
+
+	config_get class cpe product_class ""
+	if [ -z "${class}" ]; then
+		class=$(db -q get device.deviceinfo.ProductClass)
+	fi
+
+	oui_len=$(echo -n "${oui}" | wc -m)
+	serial_len=$(echo -n "${serial}" | wc -m)
+	class_len=$(echo -n "${class}" | wc -m)
+
+	if [ "${oui_len}" -eq 0 ] || [ "${serial_len}" -eq 0 ]; then
+		return 0
+	fi
+
+	opt125_len=$((oui_len + serial_len + class_len))
+	if [ "${class_len}" -gt 0 ]; then
+		opt125_len=$((opt125_len + 6))
+	else
+		opt125_len=$((opt125_len + 4))
+	fi
+
+	hex_opt125_len=$(printf "%02X" "${opt125_len}")
+	opt125="${opt125}:${hex_opt125_len}"
+	hex_oui=$(convert_to_hex "${oui}")
+	if [ -z "${hex_oui}" ]; then
+		return 0
+	fi
+
+	hex_oui_len=$(printf "%02X" "${oui_len}")
+	if [ "${uci}" = "network" ]; then
+		opt125="${opt125}:01:${hex_oui_len}${hex_oui}"
+	else
+		opt125="${opt125}:04:${hex_oui_len}${hex_oui}"
+	fi
+
+	hex_serial=$(convert_to_hex "${serial}")
+	if [ -z "${hex_serial}" ]; then
+		return 0
+	fi
+
+	hex_serial_len=$(printf "%02X" "${serial_len}")
+	if [ "${uci}" = "network" ]; then
+		opt125="${opt125}:02:${hex_serial_len}${hex_serial}"
+	else
+		opt125="${opt125}:05:${hex_serial_len}${hex_serial}"
+	fi
+
+	if [ "${class_len}" -gt 0 ]; then
+		hex_class=$(convert_to_hex "${class}")
+		if [ -z "${hex_class}" ]; then
+			return 0
+		fi
+
+		hex_class_len=$(printf "%02X" "${class_len}")
+		if [ "${uci}" = "network" ]; then
+			opt125="${opt125}:03:${hex_class_len}${hex_class}"
+		else
+			opt125="${opt125}:06:${hex_class_len}${hex_class}"
+		fi
+	fi
+
+
+	if [ "${uci}" = "network" ]; then
+		new_send_opt="$sendopt $opt125"
+		uci -q set network."${intf}".sendopts="$new_send_opt"
+	else
+		new_send_opt="$sendopt$opt125"
+		uci -q add_list dhcp."${intf}".dhcp_option="$new_send_opt"
+	fi
+}
+
+check_for_suboptions() {
+	# Check if option 4 and 5 present inside enterprise id 3561
+	data=$(echo "${1}" | sed 's/://g')
+	len=$(printf "${data}"|wc -c)
+
+	rem_len="${len}"
+	while [ $rem_len -gt 8 ]; do
+		subopt_present=0
+
+		ent_id="${data:0:8}"
+		ent_id=$(printf "%d\n" "0x$ent_id")
+		if [ $ent_id -ne 3561 ]; then
+			len_val=${data:8:2}
+			data_len=$(printf "%d\n" "0x$len_val")
+			# add 4 byte for ent_id and 1 byte for len
+			data_len=$(( data_len * 2 + 10 ))
+			# move ahead data to next enterprise id
+			data=${data:"${data_len}":"${rem_len}"}
+			rem_len=$(( rem_len - data_len ))
+			continue
+		fi
+
+		# read the length of enterprise data
+		len_val=${data:8:2}
+		data_len=$(printf "%d\n" "0x$len_val")
+		# add 4 byte for ent_id and 1 byte for len
+		data_len=$(( data_len * 2 + 10 ))
+
+		len_val=${data:8:2}
+		opt_len=$(printf "%d\n" "0x$len_val")
+		if [ $opt_len -eq 0 ]; then
+			echo ${subopt_present}
+			return 0
+		fi
+
+		# populate the option data of enterprise id
+		sub_data_len=$(( opt_len * 2))
+		# starting 10 means ahead of length field
+		sub_data=${data:10:"${sub_data_len}"}
+
+		# parsing of suboption of option 125
+		while [ $sub_data_len -gt 0 ]; do
+			# get the suboption id
+			sub_opt_id=${sub_data:0:2}
+			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
+			case "${sub_opt_id}" in
+			"4") subopt_present=1
+			;;
+			"5") subopt_present=1
+			;;
+			esac
+
+			if [ ${subopt_present} -eq 1 ]; then
+				break;
+			fi
+
+			# get the length of suboption
+			sub_opt_len=${sub_data:2:2}
+			sub_opt_len=$(printf "%d\n" "0x$sub_opt_len")
+			sub_opt_len=$(( sub_opt_len * 2 ))
+
+			# add 2 bytes for sub_opt id and sub_opt len field
+			sub_opt_end=$(( sub_opt_len + 4 ))
+
+			# update the remaining sub option hex string length
+			sub_data_len=$((sub_data_len - sub_opt_end))
+
+			# fetch next sub option hex string
+			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+		done
+
+		if [ ${subopt_present} -eq 1 ]; then
+			break;
+		else
+			# move ahead data to next enterprise id
+			rem_len=$(( rem_len - $data_len ))
+			data=${data:"${data_len}":"${rem_len}"}
+		fi
+	done
+
+	echo ${subopt_present}
+}
+
+enable_dnsmasq_option125() {
+	local lan="${1}"
+	local send125_present=0
+	local opt125="125,"
+
+	local proto="$(uci -q get dhcp."${lan}".dhcpv4)"
+	if [ "${proto}" = "server" ]; then
+		opt_list="$(uci -q get dhcp."${lan}".dhcp_option)"
+		base_opt=""
+
+		for sopt in $opt_list; do
+			if [[ "$sopt" == "$opt125"* ]]; then
+				send125_present=$(check_for_suboptions "${sopt:4}")
+				base_opt="${sopt}"
+				break
+			fi
+		done
+
+		if [ ${send125_present} -eq 0 ]; then
+			uci -q del_list dhcp."${lan}".dhcp_option="${base_opt}"
+			configure_send_op125 "${base_opt}" "${lan}" "dhcp"
+			ubus call uci commit '{"config":"dhcp"}'
+		fi
+	fi
+}
+
+set_vendor_id() {
+	local wan="${1}"
+	local proto="$(uci -q get network."${wan}".proto)"
+
+	if [ "${proto}" = "dhcp" ]; then
+		vendorid="$(uci -q get network."${wan}".vendorid)"
+		if [ -z "${vendorid}" ]; then
+			uci -q set network."${wan}".vendorid="dslforum.org"
+			ubus call uci commit '{"config":"network"}'
+		elif [[ $vendorid != *"dslforum.org"* ]]; then
+			uci -q set network."${wan}".vendorid="${vendorid},dslforum.org"
+			ubus call uci commit '{"config":"network"}'
+		fi
+	fi
+}
+
+enable_dhcp_option125() {
+	local wan="${1}"
+	local reqopts="$(uci -q get network."${wan}".reqopts)"
+	local sendopts="$(uci -q get network."${wan}".sendopts)"
+	local proto="$(uci -q get network."${wan}".proto)"
+	local newreqopts=""
+	local newsendopts=""
+	local req125_present=0
+	local send125_present=0
+	local network_uci_update=0
+	local opt125="125:"
+
+	for ropt in $reqopts; do
+		case $ropt in
+			125) req125_present=1 ;;
+			*) ;;
+		esac
+	done
+
+	for sopt in $sendopts; do
+		if [[ "$sopt" == "$opt125"* ]]; then
+			send125_present=1
+			break
+		fi
+	done
+
+	if [ "${proto}" = "dhcp" ]; then
+		if [ ${req125_present} -eq 0 ]; then
+			newreqopts="$reqopts 125"
+			uci -q set network."${wan}".reqopts="$newreqopts"
+			network_uci_update=1
+		fi
+
+		if [ ${send125_present} -eq 0 ]; then
+			configure_send_op125 "${sendopts}" "${wan}" "network"
+			network_uci_update=1
+		fi
+	fi
+
+	if [ ${network_uci_update} -eq 1 ]; then
+		uci commit network
+		ubus call network reload
+	fi
+}
+
+wait_for_resolvfile() {
+	local time=$1
+	local tm=1
+
+	local resolvfile="$(uci -q get dhcp.@dnsmasq[0].resolvfile)"
+	[ -n "$resolvfile" ] || return
+
+	while [ ! -f "$resolvfile" ]; do
+		sleep 1
+		[ "$tm" -ge "$time" ] && break
+		tm=$((tm+1))
+	done
+}
+
+copy_cwmp_etc_files_to_varstate() {
+	mkdir -p /var/run/icwmpd
+
+	if [ -f /etc/icwmpd/icwmpd_backup_session.xml ]; then
+		cp -f /etc/icwmpd/icwmpd_backup_session.xml /var/run/icwmpd/ 2>/dev/null
+	fi
+
+	if [ -f /etc/icwmpd/dm_enabled_notify.xml ]; then
+		cp -f /etc/icwmpd/dm_enabled_notify /var/run/icwmpd/ 2>/dev/null
+	fi
+}
+
+copy_cwmp_varstate_files_to_etc() {
+	if [ -f /var/run/icwmpd/icwmpd_backup_session.xml ]; then
+		cp -f /var/run/icwmpd/icwmpd_backup_session.xml /etc/icwmpd/ 2>/dev/null
+	fi
+
+	if [ -f /var/run/icwmpd/dm_enabled_notify.xml ]; then
+		cp -f /var/run/icwmpd/dm_enabled_notify /etc/icwmpd/ 2>/dev/null
+	fi
+
+	# move the successful custom notify import marker to persistent storage
+	if [ -f /var/run/icwmpd/icwmpd_notify_import_marker ]; then
+		cp -f /var/run/icwmpd/icwmpd_notify_import_marker /etc/icwmpd/
+	fi
+}
+
+validate_acs_section()
+{
+	uci_validate_section cwmp acs "acs" \
+		'passwd:string' \
+		'periodic_inform_enable:bool' \
+		'periodic_inform_interval:uinteger' \
+		'periodic_inform_time:string' \
+		'url:string' \
+		'dhcp_discovery:string' \
+		'skip_dhcp_boot_options:bool:0' \
+		'dhcp_url:string' \
+		'compression:or("GZIP","Deflate","Disabled")' \
+		'retry_min_wait_interval:range(1, 65535)' \
+		'retry_interval_multiplier:range(1000, 65535)' \
+		'ssl_capath:string'
+
+}
+
+validate_cpe_section()
+{
+	uci_validate_section cwmp cpe "cpe" \
+		'interface:string' \
+		'default_wan_interface:string' \
+		'log_to_console:or("enable","disable")' \
+		'log_to_file:or("enable","disable")' \
+		'log_severity:or("EMERG", "ALERT", "CRITIC" ,"ERROR", "WARNING", "NOTICE", "INFO", "DEBUG")' \
+		'log_file_name:string' \
+		'log_max_size:uinteger' \
+		'userid:string' \
+		'passwd:string' \
+		'port:uinteger' \
+		'provisioning_code:string:""' \
+		'amd_version:range(1, 6)' \
+		'instance_mode:or("InstanceNumber","InstanceAlias")' \
+		'session_timeout:uinteger' \
+		'notification:bool' \
+		'exec_download:bool' \
+		'periodic_notify_enable:bool' \
+		'enable:bool:1' \
+		'periodic_notify_interval:uinteger' \
+		'fw_upgrade_keep_settings:bool'
+}
+
+validate_defaults() {
+	local ssl_capath enable url dhcp_url
+
+	config_load cwmp
+
+	validate_acs_section || {
+		log "Validation of acs section failed"
+		return 1;
+	}
+
+	if [ -z "${url}" ] && [ -z "${dhcp_url}" ]; then
+		log "No ACS URL is configured"
+		return 1
+	fi
+
+	ssl_capath="${ssl_capath%/}"
+	# Put the cert pem file in keep list
+	if [ -d "${ssl_capath}" ] && [ "${ssl_capath}" != "/etc/ssl/certs" ]; then
+		if ! grep "*.pem\|*.crt" /lib/upgrade/keep.d/icwmp; then
+			echo "${ssl_capath}"'/*.pem' >> /lib/upgrade/keep.d/icwmp
+			echo "${ssl_capath}"'/*.crt' >> /lib/upgrade/keep.d/icwmp
+		fi
+	fi
+
+	validate_cpe_section || {
+		log "Validation of cpe section failed"
+		return 1;
+	}
+
+	if [ "$enable" = "0" ]; then
+		log "CWMP service disabled"
+		return 1
+	fi
+
+	return 0;
+}
+
+boot() {
+	local dhcp_discovery wan_interface skip_dhcp_boot_options disable_gatewayinfo
+
+	config_load cwmp
+	config_get wan_interface cpe default_wan_interface "wan"
+	config_get disable_gatewayinfo cpe disable_gatewayinfo "0"
+
+	config_get dhcp_discovery acs dhcp_discovery "0"
+	config_get dhcp_discovery acs dhcp_discovery "0"
+	config_get skip_dhcp_boot_options acs skip_dhcp_boot_options "0"
+
+	if [ "${dhcp_discovery}" = "enable" ] || [ "${dhcp_discovery}" = "1" ]; then
+		if [ "${skip_dhcp_boot_options}" -ne 1 ]; then
+			# Set dhcp option 43 if not already configured
+			enable_dhcp_option43 "${wan_interface}"
+			# Set dhcp option 60
+			set_vendor_id "${wan_interface}"
+		fi
+	fi
+
+	config_get lan_interface cpe default_lan_interface ""
+	if [ -n "${lan_interface}" ]; then
+		if [ "${disable_gatewayinfo}" -ne 1 ]; then
+			# Set dhcp_option 125 if not already configured
+			enable_dhcp_option125 "${wan_interface}"
+			enable_dnsmasq_option125 "${lan_interface}"
+		fi
+	fi
+	
+	config_get ssl_capath acs ssl_capath
+
+	if [ -n "${ssl_capath}" ]; then
+		regenerate_ssl_link "${ssl_capath}"
+	fi
+
+	# Copy backup data so that if it restart latter on, it gets the info
+	copy_cwmp_etc_files_to_varstate
+	mkdir -p /var/run/icwmpd/
+	touch /var/run/icwmpd/cwmp
+
+	start
+}
+
+start_service() {
+
+	sh /usr/share/icwmp/firewall_cwmp.sh
+	procd_open_instance icwmp
+
+	validate_defaults || {
+		log "Validation of defaults failed"
+		procd_close_instance
+		return 1;
+	}
+
+	procd_set_param command "$PROG"
+	procd_append_param command -b
+
+	procd_set_param respawn \
+		"${respawn_threshold:-5}" \
+		"${respawn_timeout:-10}" "${respawn_retry:-3}"
+
+	procd_close_instance
+}
+
+stop_service()
+{
+	copy_cwmp_varstate_files_to_etc
+}
+
+reload_service() {
+	local ret
+
+	log "Reload service $ret"
+	ret="0"
+
+	validate_defaults || {
+		stop
+		start
+		return 0;
+	}
+
+	ret=$(ubus call service list '{"name":"icwmpd"}' | jsonfilter -qe '@.icwmpd.instances.icwmp.running')
+	if [ "$ret" != "true" ]; then
+		log "Reloading cwmp service ..."
+		stop
+		start
+		return 0
+	fi
+
+	tr069_status="$(ubus -t 1 call tr069 status)"
+	ret="$?"
+	if [ "$ret" = "7" ]; then
+		# ubus timed out may be due to uloop is busy in some task so return
+		log "Skipping ubus reload due to ubus timeout"
+		return 0
+	fi
+
+	status="$(echo "${tr069_status}" | jsonfilter -qe '@.cwmp.status')"
+	if [ "$status" = "up" ]; then
+		ubus -t 1 call tr069 command '{"command":"reload"}'
+	fi
+}
+
+service_triggers() {
+       procd_add_reload_trigger "cwmp"
+}
+

icwmp/files/script/icwmp_backend_firewallmngr/firewall_cwmp.sh

@@ -0,0 +1,107 @@
+#!/bin/sh
+
+. /lib/functions.sh
+order_offset=2
+
+get_firewall_zone() {
+	zone="$(uci show firewall|grep network|grep ${1}|cut -d. -f 2)"
+	zone="${zone:-wan}" # defaults to wan zone
+	echo "$zone"
+}
+
+cleanup_rule_firewallmngr() {
+	local rule_sec="$1"
+
+	config_get description "$rule_sec" "name"
+	[ "$description" = "Open_ACS_port" ] || return
+	uci -q delete firewallmngr."$rule_sec"
+	order_offset=0
+
+}
+
+reorder_previous_rule() {
+	local rule_sec="$1"
+	local order
+
+	config_get order "$rule_sec" "order"
+	[ -n $order ] || return
+	uci set firewallmngr."$rule_sec".order=$(( order + order_offset ))
+}
+
+enable="$(uci -q get cwmp.cpe.enable)"
+enable="${enable:-1}"
+
+if [ "$enable" -eq 0 ]; then
+	exit 0;
+fi
+
+wan="$(uci -q get cwmp.cpe.default_wan_interface)"
+wan="${wan:-wan}"
+
+zone_name="$(get_firewall_zone $wan)"
+active_level=$(uci -q get firewallmngr.firewall.advanced_level)
+active_chain=$(uci -q get firewallmngr."$active_level".chain)
+
+port=$(uci -q get cwmp.cpe.port)
+port="${port:-7547}"
+
+incoming_rule=$(uci -q get cwmp.cpe.incoming_rule|awk '{print tolower($0)}')
+incoming_rule="${incoming_rule:-port_only}"
+
+ipaddr=$(uci -c /var/state -q get icwmp.acs.ip)
+ip6addr=$(uci -c /var/state -q get icwmp.acs.ip6)
+
+config_load firewallmngr
+config_foreach cleanup_rule_firewallmngr "rule"
+config_foreach reorder_previous_rule "rule"
+rule_sec=$(uci add firewallmngr rule)
+rule1_sec=$(uci add firewallmngr rule)
+uci set firewallmngr."$rule_sec".family="4"
+uci set firewallmngr."$rule1_sec".family="6"
+uci set firewallmngr."$rule_sec".src="$zone_name"
+uci set firewallmngr."$rule1_sec".src="$zone_name"
+uci set firewallmngr."$rule_sec".chain="$active_chain"
+uci set firewallmngr."$rule1_sec".chain="$active_chain"
+uci set firewallmngr."$rule_sec".proto="6"
+uci set firewallmngr."$rule1_sec".proto="6"
+uci set firewallmngr."$rule_sec".order="1"
+uci set firewallmngr."$rule1_sec".order="2"
+uci reorder firewallmngr."$rule_sec"=1
+uci reorder firewallmngr."$rule1_sec"=2
+
+# default incoming rule is Port only
+if [ "${incoming_rule}" = "ip_only" ]; then
+	if [ -n "${ipaddr}" ]; then
+		uci -q set firewallmngr."$rule_sec".source_ip=${ipaddr}
+	fi
+	if [ -n "${ip6addr}" ]; then
+		uci -q set firewallmngr."$rule1_sec".source_ip=${ip6addr}
+	fi
+elif [ "${incoming_rule}" = "port_only" ]; then
+	if [ -n "${port}" ]; then
+		uci -q set firewallmngr."$rule_sec".dest_port=${port}
+		uci -q set firewallmngr."$rule1_sec".dest_port=${port}
+	fi
+else
+	if [ -n "${ipaddr}" ]; then
+		uci -q set firewallmngr."$rule_sec".source_ip=${ipaddr}
+	fi
+
+	if [ -n "${ip6addr}" ]; then
+		uci -q set firewallmngr."$rule1_sec".source_ip=${ip6addr}
+	fi
+
+	if [ -n "${port}" ]; then
+		uci -q set firewallmngr."$rule_sec".dest_port=${port}
+		uci -q set firewallmngr."$rule1_sec".dest_port=${port}
+	fi
+fi
+
+uci set firewallmngr."$rule_sec".name="Open_ACS_port"
+uci set firewallmngr."$rule1_sec".name="Open_ACS_port"
+uci set firewallmngr."$rule_sec".target="Accept"
+uci set firewallmngr."$rule1_sec".target="Accept"
+uci set firewallmngr."$rule_sec".enable="1"
+uci set firewallmngr."$rule1_sec".enable="1"
+ubus call uci commit '{"config":"firewallmngr"}'
+

ieee1905/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ieee1905
-PKG_VERSION:=8.4.2
+PKG_VERSION:=8.4.6
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=4d60d4a9b55940fffa39b7799abf2a7962ae2113
+PKG_SOURCE_VERSION:=e2f68a0ba54a6abf3481cdbb24d2dcc81e7f199c
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

iopsys-analytics/Makefile

@@ -4,7 +4,7 @@ PKG_NAME:=iopsys-analytics
 PKG_RELEASE:=$(COMMITCOUNT)
 PKG_LICENSE:=PROPRIETARY
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=fb84c1019a8a0fbfb624d9df8eb3604806645510
+PKG_SOURCE_VERSION:=aea91816de703cf1c72490f51c2aa73c2f61640d
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/iopsys-analytics.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

ipt-trigger/Makefile

@@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ipt-trigger
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.0.2
 PKG_LICENSE:=GPL-2.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=8d4b4520a2935a5717a27f486a3fc78357b2a0cd
+PKG_SOURCE_VERSION:=4f3d4427403e0a9be7653c1b92907ae8ae5f21ae
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/ipt-trigger.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

libqos/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libqos
-PKG_VERSION:=7.2.107
+PKG_VERSION:=7.2.108
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=de659f50c0ae1cd4ec64315b301c53595eaf39de
+PKG_SOURCE_VERSION:=6a72e35e1a662e2f707e4901679676a9c09b3bc2
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libqos.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

libvoice-broadcom/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvoice-broadcom
 PKG_RELEASE:=1
-PKG_VERSION:=1.0.13
+PKG_VERSION:=1.0.14
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE
 
@@ -17,7 +17,7 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=f1509651217d027376b5b7fc3f64ca86662e9b2d
+PKG_SOURCE_VERSION:=7fde62b9634c63b9bc71d1c20541798971a78dc8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

libvoice-d2/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvoice-d2
 PKG_RELEASE:=1
-PKG_VERSION:=1.1.11
+PKG_VERSION:=1.1.12
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE
 
@@ -17,7 +17,7 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=95fb29a31f7665abbe87af4a74cf52b7e5f22a29
+PKG_SOURCE_VERSION:=772955d814af8bbf91cf5c76f128cd1d17755625
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

libwifi/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.4.71
+PKG_VERSION:=7.5.0
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=5a048ebb4f591e704e59be9123f565c6fbbe2833
+PKG_SOURCE_VERSION:=b85c43cca01d001a90604e11c7cf9286a5332c33
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git
 PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz

map-agent/Makefile

@@ -5,9 +5,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.1.1.2
+PKG_VERSION:=6.1.1.6
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=d0ff409ffe6bb03c97e14b34932f437f58f4e241
+PKG_SOURCE_VERSION:=775f7d6316b980fba90c837ff483af914d546500
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause

map-agent/files/lib/multiap/map_genconfig

@@ -199,11 +199,16 @@ map_genconf () {
 		else
 			uci set mapcontroller.controller.enabled="1"
 			[ "$disable_mlo" == "1" ] && {
-				mapcontroller_disable_mld() {
-					uci set mapcontroller.$1.enabled='0'
+				mapcontroller_remove_mld() {
+					uci delete mapcontroller.$1
 				}
+				mapcontroller_remove_mld_id() {
+					uci delete mapcontroller.$1.mld_id
+				}
+
 				config_load mapcontroller
-				config_foreach mapcontroller_disable_mld mld
+				config_foreach mapcontroller_remove_mld mld
+				config_foreach mapcontroller_remove_mld_id ap
 			}
 		fi
 		uci -q commit mapcontroller

map-controller/Makefile

@@ -5,9 +5,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.1.1.2
+PKG_VERSION:=6.1.1.5
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=480a5304591632729212408d77d220f707cb9d6b
+PKG_SOURCE_VERSION:=cb27de727b787bdb58bc4bf42fdef8732cb78134
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 LOCAL_DEV=0

mcastmngr/Makefile

@@ -49,7 +49,21 @@ define Package/mcastmngr/install
 ifneq ($(CONFIG_TARGET_brcmbca),)
 	$(CP) ./files/broadcom/* $(1)/
 else
-	$(CP) ./files/linux/* $(1)/
+	$(INSTALL_DIR) $(1)/lib
+	$(INSTALL_DIR) $(1)/lib/mcast
+	$(INSTALL_DIR) $(1)/usr
+	$(INSTALL_DIR) $(1)/usr/libexec
+	$(INSTALL_DIR) $(1)/usr/libexec/rpcd
+	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN) ./files/linux/usr/libexec/rpcd/mcast $(1)/usr/libexec/rpcd/
+	$(INSTALL_BIN) ./files/linux/etc/uci-defaults/60-mcast_config_generate $(1)/etc/uci-defaults/
+ifneq ($(CONFIG_FIREWALLMNGR_BACKEND_FIREWALLMNGR),y)
+	$(INSTALL_BIN) ./files/linux/etc/firewall.mcast $(1)/etc/
+	$(INSTALL_BIN) ./files/linux/lib/mcast/linux.sh $(1)/lib/mcast/
+else
+	$(INSTALL_BIN) ./files/linux/lib/mcast/mcast_backend_firewallmngr/linux.sh $(1)/lib/mcast/
+endif
 endif
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/bbf_plugin/libmcast_bbf.so $(1) $(PKG_NAME)
 endef

mcastmngr/files/common/etc/hotplug.d/ethernet/mcast.hotplug

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+[ "$LINK" = "up" -a -n "$PORT" ] || exit 0
+
+compare_mcast_snooping_interface() {
+	local interface dev running
+
+	config_get interface "$1" interface
+
+	for dev in $interface; do
+		if [ "$PORT" = "$dev" ]; then
+			running=$(ubus call service list '{"name": "mcast"}' | jsonfilter -e '@.mcast.instances')
+			if [ -z "${running}" ]; then
+				/etc/init.d/mcast start
+			else
+				ubus call uci commit '{"config":"mcast"}'
+			fi
+			exit
+		fi
+	done
+}
+
+config_load mcast
+config_foreach compare_mcast_snooping_interface "snooping"

mcastmngr/files/common/etc/hotplug.d/iface/mcast.hotplug

@@ -1,27 +1,22 @@
 #!/bin/sh
 
-[ "$ACTION" = ifup ] || exit 0
+[ "$ACTION" = "ifup" -a -n "$INTERFACE" ] || exit 0
 
 . /lib/functions/network.sh
 
-network_get_device l3device $INTERFACE
+network_get_device l3device "$INTERFACE"
 
 [ -n "$l3device" ] || exit 0
 
 compare_mcast_proxy_upstream() {
-        local upstream
-	local mode="$2"
+	local upstream dev running
 
-	if [ "$mode" == "proxy" ]; then
-		config_get upstream $1 upstream_interface
-	else
-		config_get upstream $1 interface
-	fi
+	config_get upstream "$1" upstream_interface
 
 	for dev in $upstream; do
-		if [ "$l3device" == "$dev" ]; then
+		if [ "$l3device" = "$dev" ]; then
 			running=$(ubus call service list '{"name": "mcast"}' | jsonfilter -e '@.mcast.instances')
-			if [ -z "${running}" ];then
+			if [ -z "${running}" ]; then
 				/etc/init.d/mcast start
 			else
 				ubus call uci commit '{"config":"mcast"}'
@@ -32,5 +27,4 @@ compare_mcast_proxy_upstream() {
 }
 
 config_load mcast
-config_foreach compare_mcast_proxy_upstream "proxy" "proxy"
-config_foreach compare_mcast_proxy_upstream "snooping" "snooping"
+config_foreach compare_mcast_proxy_upstream "proxy"

mcastmngr/files/linux/lib/mcast/linux.sh

@@ -262,10 +262,6 @@ config_mcproxy_instance() {
 		downstreams=$igmp_p_down_interfaces
 		mcast_mode=$igmp_p_mode
 
-		# mcproxy reserves two multicast subscriptions for igmp router service groups
-		local mg=$(cat /proc/sys/net/ipv4/igmp_max_memberships)
-		mg=$((mg+2))
-		echo $mg > /proc/sys/net/ipv4/igmp_max_memberships
 	elif [ "$protocol" == "mld" ]; then
 		case "$version" in
 			[1-2])

mcastmngr/files/linux/lib/mcast/mcast_backend_firewallmngr/linux.sh

@@ -0,0 +1,468 @@
+#!/bin/sh
+
+. /lib/mcast/common.sh
+. /lib/functions/network.sh
+
+include /lib/network
+
+CONFFILE=
+PROG_EXE=/usr/sbin/mcproxy
+PROG_PARAMS=
+PROG_PARAMS_SEPARATOR=:
+
+snooping_bridges=
+
+
+__device_is_bridge() {
+	local device="$2"
+	local devsec__="$(uci show network | grep -F ".name='$device'" | cut -d'.' -f2)"
+	local sectype="$(uci -q get network.$devsec__)"
+	local devtype="$(uci -q get network.$devsec__.type)"
+	[ "$sectype" != "device" -o "$devtype" != "bridge" ] && return 1
+	eval "$1=$devsec__"
+}
+
+device_is_bridge() {
+	local device="$1"
+	local devsec=
+	__device_is_bridge devsec "$device" || return 1
+}
+
+device_ports() {
+	local device="$1"
+	local devsec=
+
+	if __device_is_bridge devsec "$device"; then
+		echo "$(uci get network.$devsec.ports)"
+	else
+		echo "$device"
+	fi
+}
+
+device_has_ip() {
+	local protocol="$1"
+	local device="$2"
+
+	# Read the openwrt interface for the device.
+	# Device can have multiple logical interfaces like wan and wan6
+	# but same l3 device
+	local ifaces=$(ubus call network.interface dump | jsonfilter -e "@.interface[@.device='$device'].interface")
+	for iface in $ifaces; do
+		local ip=
+		case "$protocol" in
+			"igmp") network_get_ipaddr ip "$iface" ;;
+			"mld") network_get_ipaddr6 ip "$iface" ;;
+		esac
+		[ -n "$ip" ] && return
+	done
+
+	return 1
+}
+
+config_mcproxy_interfaces() {
+	local protocol="$1"
+	local upstreams="$2"
+	local downstreams="$3"
+	local exceptions="$4"
+
+	if [ -z "$upstreams" ] || [ -z "$downstreams" ]; then
+		return 1
+	fi
+
+	local str_up=""
+	for upstream in $upstreams; do
+		device_has_ip "$protocol" "$upstream" || continue
+		str_up="$str_up \"$upstream\""
+	done
+	[ -z "$str_up" ] && return 1
+
+	local str_down=""
+	for downstream in $downstreams; do
+		device_has_ip "$protocol" "$downstream" || continue
+		str_down="$str_down \"$downstream\""
+	done
+	[ -z "$str_down" ] && return 1
+
+	echo -e "pinstance main:$str_up ==>$str_down;\n" >> $CONFFILE
+
+	for excp in $exceptions; do
+		local filter=""
+
+		case $excp in
+		*/*)
+			ip_start="$(ipcalc.sh $excp | grep IP | awk '{print substr($0,4)}')"
+			ip_end="$(ipcalc.sh $excp | grep BROADCAST | awk '{print substr($0,11)}')"
+			filter="$filter ($ip_start - $ip_end | *)"
+			;;
+		*)
+			filter="$filter ($excp | *)"
+			;;
+		esac
+
+		for upstream in $str_up; do
+			echo "pinstance main upstream $upstream in blacklist table{$filter };" >> $CONFFILE
+			echo "pinstance main upstream $upstream out blacklist table{$filter };" >> $CONFFILE
+		done
+
+		for downstream in $str_down; do
+			echo "pinstance main downstream $downstream in blacklist table{$filter };" >> $CONFFILE
+			echo "pinstance main downstream $downstream out blacklist table{$filter };" >> $CONFFILE
+		done
+	done
+}
+
+config_sysfs_mcast_snooping() {
+	local downstreams="$1"
+	local snooping="$2"
+
+	for downstream in $downstreams; do
+		if device_is_bridge "$downstream"; then
+			echo 0 > /sys/class/net/$downstream/bridge/multicast_snooping
+			echo $snooping > /sys/class/net/$downstream/bridge/multicast_snooping
+		fi
+	done
+}
+
+config_sysfs_mcast_fastleave() {
+	local downstreams="$1"
+	local fastleave="$2"
+	local prt
+
+	for downstream in $downstreams; do
+		for prt in $(device_ports $downstream); do
+			if [ -f  /sys/class/net/$prt/brport/multicast_fast_leave ]; then
+				echo $fastleave > /sys/class/net/$prt/brport/multicast_fast_leave
+			fi
+		done
+	done
+}
+
+config_sysfs_mcast_version() {
+	local protocol="$1"
+	local interfaces="$2"
+	local version="$3"
+
+	for iface in $interfaces; do
+		echo $version > /sys/class/net/$iface/bridge/multicast_"$protocol"_version
+	done
+}
+
+config_sysfs_mcast_robustness() {
+	local interfaces="$1"
+	local robustness="$2"
+
+	for iface in $interfaces; do
+		echo $robustness > /sys/class/net/$iface/bridge/multicast_last_member_count
+	done
+}
+
+config_sysfs_mcast_query_interval() {
+	local interfaces="$1"
+	local query_interval="$2"
+
+	for iface in $interfaces; do
+		echo $query_interval > /sys/class/net/$iface/bridge/multicast_query_interval
+	done
+}
+
+config_sysfs_mcast_q_resp_interval() {
+	local interfaces="$1"
+	local q_resp_interval="$2"
+
+	for iface in $interfaces; do
+		echo $q_resp_interval > /sys/class/net/$iface/bridge/multicast_query_response_interval
+	done
+}
+
+config_sysfs_mcast_last_mem_q_int() {
+	local interfaces="$1"
+	local last_mem_q_int="$2"
+
+	for iface in $interfaces; do
+		echo $last_mem_q_int > /sys/class/net/$iface/bridge/multicast_last_member_interval
+	done
+}
+
+config_sysfs_mcast_flood() {
+	local downstreams=$1
+	local mcast_mode=$2
+	local prt
+
+	local mcast_flood=
+	if [ $mcast_mode == "2" ]; then # disable mcast flood
+		mcast_flood=0
+	else
+		mcast_flood=1
+	fi
+
+	for downstream in $downstreams; do
+		for prt in $(device_ports $downstream); do
+			if [ -f  /sys/class/net/$prt/brport/multicast_flood ]; then
+				echo $mcast_flood > /sys/class/net/$prt/brport/multicast_flood
+			fi
+		done
+	done
+}
+
+config_snooping_mode() {
+	local interfaces="$1"
+	local snooping="$2"
+
+	# snooping_mode:
+	#  0 - snooping is disabled
+	#  1 - multicast flood is enabled
+	#  2 - multicast flood is disabled
+	[ -z "$snooping_mode" ] && snooping_mode=2
+
+	if [ "$snooping_mode" == 0 ]; then
+		config_sysfs_mcast_snooping "$interfaces" 0
+	else
+		config_sysfs_mcast_snooping "$interfaces" 1
+	fi
+
+	config_sysfs_mcast_flood "$interfaces" "$snooping_mode"
+}
+
+config_mcproxy_instance() {
+	local protocol="$1"
+	local version="$2"
+
+	local robustness=
+	local query_interval=
+	local q_resp_interval=
+	local last_mem_q_int=
+	local fast_leave=0
+	local exceptions=
+	local upstreams=
+	local downstreams=
+	local mcast_mode=2 # default value 2 is for blocking mode
+
+	CONFFILE=/var/etc/mcproxy_"$protocol".conf
+	rm -f $CONFFILE
+	touch $CONFFILE
+
+	if [ "$protocol" == "igmp" ]; then
+		case "$version" in
+			[1-3])
+				echo -e "protocol IGMPv${version};\n" >> $CONFFILE
+				;;
+			*)
+				echo -e "protocol IGMPv2;\n" >> $CONFFILE
+				;;
+		esac
+
+		robustness=$igmp_p_robustness
+		query_interval=$igmp_query_interval
+		q_resp_interval=$igmp_q_resp_interval
+		last_mem_q_int=$igmp_last_mem_q_int
+		fast_leave=$igmp_fast_leave
+		exceptions=$igmp_p_exceptions
+
+		upstreams=$igmp_p_up_interfaces
+		downstreams=$igmp_p_down_interfaces
+		mcast_mode=$igmp_p_mode
+
+	elif [ "$protocol" == "mld" ]; then
+		case "$version" in
+			[1-2])
+				echo -e "protocol MLDv${version};\n" >> $CONFFILE
+				;;
+			*)
+				echo -e "protocol MLDv2;\n" >> $CONFFILE
+				;;
+		esac
+
+		robustness=$mld_p_robustness
+		query_interval=$mld_query_interval
+		q_resp_interval=$mld_q_resp_interval
+		last_mem_q_int=$mld_last_mem_q_int
+		fast_leave=$mld_fast_leave
+		exceptions=$mld_p_exceptions
+
+		upstreams=$mld_p_up_interfaces
+		downstreams=$mld_p_down_interfaces
+		mcast_mode=$mld_p_mode
+	fi
+
+	[ -n "$max_groups" ] && echo -e "max_groups $max_groups;" >> $CONFFILE
+	[ -n "$robustness" ] && echo -e "rv $robustness;" >> $CONFFILE
+	[ -n "$query_interval" ] && echo -e "qi $query_interval;" >> $CONFFILE
+	[ -n "$q_resp_interval" ] && echo -e "qri $q_resp_interval;" >> $CONFFILE
+	[ -n "$last_mem_q_int" ] && echo -e "lmqi $last_mem_q_int;" >> $CONFFILE
+	[ -n "$fast_leave" ] && echo -e "fastleave $fast_leave;\n" >> $CONFFILE
+
+	config_mcproxy_interfaces "$protocol" "$upstreams" "$downstreams" "$exceptions" || return
+
+	# for snooping to work we should enable it on the bridge, doing it from
+	# here instead of from inside network config
+	if [ "$downstreams" != "$snooping_bridges" ]; then
+		if [ "$mcast_mode" == "0" ]; then
+			config_sysfs_mcast_snooping "$downstreams" 0
+		else
+			config_sysfs_mcast_snooping "$downstreams" 1
+		fi
+
+		[ -n $fast_leave ] &&
+			config_sysfs_mcast_fastleave "$downstreams" "$fast_leave"
+		config_sysfs_mcast_flood "$downstreams" "$mcast_mode"
+	fi
+
+	PROG_PARAMS="${PROG_PARAMS} -f ${CONFFILE}${PROG_PARAMS_SEPARATOR}"
+}
+
+disable_snooping_iface() {
+	local iface="$(uci -q get network.$1.name)"
+	config_sysfs_mcast_snooping "$iface" 0
+}
+
+disable_snooping() {
+	config_load network
+	config_foreach disable_snooping_iface device
+}
+
+config_snooping() {
+	local protocol="$1"
+
+	local version=
+	local robustness=
+	local query_interval=
+	local q_resp_interval=
+	local last_mem_q_int=
+	local fast_leave=0
+	local snooping_mode=
+	local interfaces=
+
+	local HZ=100
+
+	local all_interfaces=
+	if [ "$protocol" == "igmp" ]; then
+		all_interfaces=$igmp_s_iface
+	elif [ "$protocol" == "mld" ]; then
+		all_interfaces=$mld_s_iface
+	fi
+	for iface in $all_interfaces; do
+		device_is_bridge "$iface" || continue
+		interfaces="$interfaces $iface"
+	done
+	[ -z "$interfaces" ] && return
+	snooping_bridges="$interfaces"
+
+	if [ "$protocol" == "igmp" ]; then
+		case "$igmp_s_version" in
+			[1-3])
+				version="$igmp_s_version"
+				;;
+			*)
+				version="2"
+				;;
+		esac
+
+		robustness=$igmp_s_robustness
+		query_interval=$(( igmp_s_query_interval * HZ ))
+		q_resp_interval=$(( igmp_s_q_resp_interval * HZ / 10 ))
+		last_mem_q_int=$(( igmp_s_last_mem_q_int * HZ / 10 ))
+		fast_leave=$igmp_s_fast_leave
+		snooping_mode=$igmp_s_mode
+	elif [ "$protocol" == "mld" ]; then
+		case "$mld_s_version" in
+			[1-2])
+				version="$mld_s_version"
+				;;
+			*)
+				version="2"
+				;;
+		esac
+
+		robustness=$mld_s_robustness
+		query_interval=$(( mld_s_query_interval * HZ ))
+		q_resp_interval=$(( mld_s_q_resp_interval * HZ / 10 ))
+		last_mem_q_int=$(( mld_s_last_mem_q_int * HZ / 10 ))
+		fast_leave=$mld_s_fast_leave
+		snooping_mode=$mld_s_mode
+	fi
+
+	config_snooping_mode "$interfaces" "$snooping_mode"
+
+	[ -n "$version" ] && config_sysfs_mcast_version "$protocol" "$interfaces" "$version"
+	[ -n "$robustness" ] && config_sysfs_mcast_robustness "$interfaces" "$robustness"
+	[ -n "$query_interval" ] && config_sysfs_mcast_query_interval "$interfaces" "$query_interval"
+	[ -n "$q_resp_interval" ] && config_sysfs_mcast_q_resp_interval "$interfaces" "$q_resp_interval"
+	[ -n "$last_mem_q_int" ] && config_sysfs_mcast_last_mem_q_int "$interfaces" "$last_mem_q_int"
+	[ -n "$fast_leave" ] && config_sysfs_mcast_fastleave "$interfaces" "$fast_leave"
+}
+
+config_mcproxy() {
+	disable_snooping
+	if [ "$igmp_p_enable" == "1" ]; then
+		config_mcproxy_instance igmp "$igmp_p_version"
+	elif [ "$igmp_s_enable" == "1" ]; then
+		config_snooping igmp "$igmp_s_version"
+	fi
+
+	if [ "$mld_p_enable" == "1" ]; then
+		config_mcproxy_instance mld "$mld_p_version"
+	elif [ "$mld_s_enable" == "1" ]; then
+		config_snooping mld "$mld_s_version"
+	fi
+}
+
+setup_mcast_mode() {
+	:
+}
+
+remove_mcast_rules() {
+	config_get name "$1" name
+
+	if [ "$name" = "Allow-Multicast-UDP" ]; then
+		uci delete firewallmngr."$1"
+	fi
+}
+
+create_mcast_firewallngr_rules() {
+        local src="wan"
+        local dst="lan"
+        local dest_ip="224.0.0.0/240.0.0.0"
+        local name="Allow-Multicast-UDP"
+        local target="accept"
+	local active_chain=""
+
+	firewallmngr_get_active_chain() {
+		config_get creator "$1" creator
+		[ "$creator" = "PortMapping" ] && return
+
+		config_get enable "$1" enable
+		if [ -n "$enable" ] && [ "$enable" = "1" ]; then
+			config_get active_chain "$1" name
+		fi
+	}
+	config_load firewallmngr
+	config_foreach remove_mcast_rules rule
+
+        sec=$(uci add firewallmngr rule)
+	uci set firewallmngr."$sec".enable="1"
+	uci set firewallmngr."$sec".chain="$active_chain"
+	uci set firewallmngr."$sec".name="$name"
+	uci set firewallmngr."$sec".src="$src"
+	uci set firewallmngr."$sec".dest="$dst"
+	uci set firewallmngr."$sec".dest_ip="$dest_ip"
+	uci set firewallmngr."$sec".family="4"
+	uci set firewallmngr."$sec".proto="17"
+	uci set firewallmngr."$sec".target="$target"
+        uci rename firewallmngr."$sec"="fwmngr_rule_mcast"
+
+	uci commit firewallmngr
+}
+
+configure_mcast() {
+	create_mcast_firewallngr_rules
+	config_global_params "set_max_groups_and_sources"
+
+	read_mcast_snooping_params
+	read_mcast_proxy_params
+	config_mcproxy
+
+	if [ -z "${PROG_PARAMS}" ]; then
+		exit 0
+	fi
+}
+

obuspa/Config.in

@@ -22,6 +22,11 @@ config OBUSPA_CONTROLLER_MTP_VERIFY
 config OBUSPA_ENABLE_TEST_CONTROLLER
 	bool "Adds a test controller by default"
 	default n
+	select OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL
+
+config OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL
+	bool "Adds a test controller by default (local access only)"
+	default n
 
 config OBUSPA_MAX_CONTROLLERS_NUM
 	int "The maximum number of controllers to be supported"

obuspa/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=obuspa
-PKG_VERSION:=8.0.1.7
+PKG_VERSION:=8.0.1.11
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git
-PKG_SOURCE_VERSION:=0997eebe269d766eb738b80e4d5ccd40baf79090
+PKG_SOURCE_VERSION:=cfa6c48dea74707e098b09745b2c9f989accd714
 PKG_MAINTAINER:=Vivek Dutta <vivek.dutta@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -32,7 +32,9 @@ define Package/obuspa
   SUBMENU:=TRx69
   TITLE:=USP agent
   MENU:=1
-  DEPENDS:=+libopenssl +libuci +libblobmsg-json +libcurl +libsqlite3 +libubox +libubus +libmosquitto-ssl +libwebsockets-openssl
+  DEPENDS:=+libopenssl +libuci +libblobmsg-json +libcurl +libsqlite3 +libubox +libubus +libmosquitto-ssl +libwebsockets-openssl +ca-certificates \
+		+OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL:mosquitto-ssl +OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL:mosquitto-client-ssl \
+		+OBUSPA_ENABLE_TEST_CONTROLLER:mosquitto-auth-shadow
 endef
 
 define Package/obuspa/description
@@ -127,6 +129,9 @@ define Package/obuspa/install
 	$(INSTALL_BIN) ./files/obuspa.hotplug $(1)/etc/hotplug.d/iface/21-obuspa
 	$(BBFDM_INSTALL_CORE_PLUGIN) ./files/etc/bbfdm/json/USPAgent.json $(1)
 ifeq ($(CONFIG_OBUSPA_ENABLE_TEST_CONTROLLER),y)
+	$(INSTALL_BIN) ./files/etc/uci-defaults/54-test-usp-remote $(1)/etc/uci-defaults/
+endif
+ifeq ($(CONFIG_OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL),y)
 	$(INSTALL_BIN) ./files/etc/init.d/usptest $(1)/etc/init.d/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/55-test-usp-controller $(1)/etc/uci-defaults/
 endif

obuspa/files/etc/uci-defaults/54-test-usp-remote

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ ! -f "/etc/config/mosquitto" ]; then
+	echo "Local mosquitto broker not available"
+	return 0
+fi
+
+add_usp_test()
+{
+	uci_add mosquitto listener usptest
+	uci_set mosquitto usptest enabled 1
+	uci_set mosquitto usptest port '9001'
+	uci_set mosquitto usptest protocol 'websockets'
+	uci_set mosquitto usptest auth_plugin '/usr/lib/mosquitto_auth_shadow.so'
+}
+
+# Install test MQTT over WS listener
+add_usp_test

obuspa/files/etc/uci-defaults/55-test-usp-controller

@@ -40,16 +40,6 @@ add_obuspa_test_controller()
 	uci_set obuspa testcontroller assigned_role_name 'full_access'
 }
 
-add_usp_test()
-{
-	uci_add mosquitto listener usptest
-	uci_set mosquitto usptest enabled 1
-	uci_set mosquitto usptest port '9001'
-	uci_set mosquitto usptest protocol 'websockets'
-	uci_set mosquitto usptest require_certificates '0'
-	uci_set mosquitto usptest auth_plugin '/usr/lib/mosquitto_auth_shadow.so'
-}
-
 add_obuspa_config()
 {
 	uci_add mosquitto listener obuspa
@@ -60,11 +50,8 @@ add_obuspa_config()
 }
 
 # Install test usp controller config
-uci_load mosquitto
-add_usp_test
 add_obuspa_config
 
-uci_load obuspa
 add_obuspa_test_mtp
 add_obuspa_test_mqtt
 add_obuspa_test_controller

obuspa/patches/0013-mqtt-retry-param-change.patch

@@ -0,0 +1,76 @@
+diff --git a/src/core/device_mqtt.c b/src/core/device_mqtt.c
+index 7438e59..231d941 100755
+--- a/src/core/device_mqtt.c
++++ b/src/core/device_mqtt.c
+@@ -1612,14 +1612,23 @@ int NotifyChange_MQTTRequestProblemInfo(dm_req_t *req, char *value)
+ int NotifyChange_MQTTConnectRetryTime(dm_req_t *req, char *value)
+ {
+     mqtt_conn_params_t *mp;
++    bool schedule_reconnect = false;
+ 
+     // Determine mqtt client to be updated
+     mp = FindMqttParamsByInstance(inst1);
+     USP_ASSERT(mp != NULL);
+ 
+     // Set the new value.
++    if ((mp->retry.connect_retrytime != val_uint) && (mp->enable)) {
++        schedule_reconnect = true;
++    }
++
+     mp->retry.connect_retrytime = val_uint;
+ 
++    if (schedule_reconnect) {
++        ScheduleMqttReconnect(mp);
++    }
++
+     return USP_ERR_OK;
+ }
+ 
+@@ -1638,14 +1647,23 @@ int NotifyChange_MQTTConnectRetryTime(dm_req_t *req, char *value)
+ int NotifyChange_MQTTConnectRetryIntervalMultiplier(dm_req_t *req, char *value)
+ {
+     mqtt_conn_params_t *mp;
++    bool schedule_reconnect = false;
+ 
+     // Determine mqtt client to be updated
+     mp = FindMqttParamsByInstance(inst1);
+     USP_ASSERT(mp != NULL);
+ 
++    if ((mp->retry.interval_multiplier != val_int) && (mp->enable)) {
++        schedule_reconnect = true;
++    }
++
+     // Set the new value.
+     mp->retry.interval_multiplier = val_int;
+ 
++    if (schedule_reconnect) {
++        ScheduleMqttReconnect(mp);
++    }
++
+     return USP_ERR_OK;
+ }
+ 
+@@ -1664,14 +1682,23 @@ int NotifyChange_MQTTConnectRetryIntervalMultiplier(dm_req_t *req, char *value)
+ int NotifyChange_MQTTConnectRetryMaxInterval(dm_req_t *req, char *value)
+ {
+     mqtt_conn_params_t *mp;
++    bool schedule_reconnect = false;
+ 
+     // Determine mqtt client to be updated
+     mp = FindMqttParamsByInstance(inst1);
+     USP_ASSERT(mp != NULL);
+ 
++    if ((mp->retry.max_interval != val_uint) && (mp->enable)) {
++        schedule_reconnect = true;
++    }
++
+     // Set the new value.
+     mp->retry.max_interval = val_uint;
+ 
++    if (schedule_reconnect) {
++        ScheduleMqttReconnect(mp);
++    }
++
+     return USP_ERR_OK;
+ }
+ 

obuspa/patches/0014-persist-connack-clientid.patch

@@ -0,0 +1,78 @@
+--- a/src/core/mqtt.c
++++ b/src/core/mqtt.c
+@@ -55,6 +55,8 @@
+ #include "retry_wait.h"
+ #include "text_utils.h"
+ #include "msg_handler.h"
++#include "data_model.h"
++#include "usp_api.h"
+ 
+ #include <openssl/ssl.h>
+ #include <openssl/bio.h>
+@@ -2517,6 +2519,37 @@ exit:
+ 
+ /*********************************************************************//**
+ **
++** handle_db_set_client_id
++**
++** Allows the caller to set client Id in DB from the data model thread
++**
++** \param   arg1 - pointer to the client id path
++** \param   arg2 - pointer to the client id value
++**
++** \return  None
++**
++**************************************************************************/
++void handle_db_set_client_id(void *arg1, void *arg2)
++{
++    if ((arg1 == NULL) || (arg2 == NULL)) {
++        USP_SAFE_FREE(arg1);
++        USP_SAFE_FREE(arg2);
++        return;
++    }
++
++    char *param_path = (char *)arg1;
++    char *param_val = (char *)arg2;
++
++    if (USP_ERR_OK != DATA_MODEL_SetParameterInDatabase(param_path, param_val)) {
++        USP_LOG_Debug("%s: Failed to set %s=>%s from CONNACK", __FUNCTION__, param_path, param_val);
++    }
++
++    USP_SAFE_FREE(param_path);
++    USP_SAFE_FREE(param_val);
++}
++
++/*********************************************************************//**
++**
+ ** ConnectV5Callback
+ **
+ ** Called by Libmosquitto when the CONNACK packet is received on an MQTTv5 connection
+@@ -2590,8 +2623,26 @@ void ConnectV5Callback(struct mosquitto
+               &client_id_ptr, false /* skip first */) != NULL)
+         {
+             USP_LOG_Debug("%s: Received client_id: \"%s\"", __FUNCTION__, client_id_ptr);
+-            USP_SAFE_FREE(client->conn_params.client_id);
+-            client->conn_params.client_id = USP_STRDUP(client_id_ptr);
++
++            if (client->conn_params.client_id == NULL || strcmp(client->conn_params.client_id, client_id_ptr) != 0) {
++                USP_SAFE_FREE(client->conn_params.client_id);
++                client->conn_params.client_id = USP_STRDUP(client_id_ptr);
++
++                // Persist client id from CONNACK in DB
++                char buf[128] = {0}, *param_path = NULL, *param_val = NULL;
++
++                snprintf(buf, 128, "Device.MQTT.Client.%d.ClientID", instance);
++
++                param_path = USP_STRDUP(buf);
++                param_val = USP_STRDUP(client_id_ptr);
++
++                if (USP_ERR_OK != USP_PROCESS_DoWork(handle_db_set_client_id, param_path, param_val)) {
++                    USP_LOG_Debug("%s: Failed to schedule set in data model thread for client id from CONNACK", __FUNCTION__);
++                    USP_SAFE_FREE(param_path);
++                    USP_SAFE_FREE(param_val);
++                }
++            }
++
+             free(client_id_ptr);
+         }
+ 

qosmngr/Makefile

@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=qosmngr
-PKG_VERSION:=1.0.11
+PKG_VERSION:=1.0.14
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=56829e15bdce24a3eb4f8dfa43355d4b25632c48
+PKG_SOURCE_VERSION:=c4db530aae2392f94494814eefc977118519089b
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/qosmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -36,6 +36,8 @@ define Package/qosmngr/description
 	Configures L2 QoS and collects queue statistics
 endef
 
+TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(CONFIG_BBF_VENDOR_PREFIX)\\\"
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
         $(CP) -rf ./qosmngr/* $(PKG_BUILD_DIR)/
@@ -54,6 +56,7 @@ endif
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/qosmngr $(1)/usr/sbin
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/bbf_plugin/libqos_bbf.so $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libqos_vendor_bbf.so $(1) $(PKG_NAME)
 endef
 
 $(eval $(call BuildPackage,qosmngr))

qosmngr/files/airoha/lib/qos/airoha.sh

@@ -190,11 +190,18 @@ hw_commit_all() {
             ;;
     esac
 
+    rm -f "/tmp/qos/wan_link_shape_rate"
+    rm -f "/tmp/qos/wan_link_speed"
     if [ "${glob_alg}" != "" ] ; then
         /userfs/bin/qosrule discpline $(hw_sc_alg2str ${glob_alg}) ${weight_list} \
                             uplink-bandwidth ${shape_rate:-10000000} \
                             queuemask "$(((1 << q_count) - 1))"
         echo ${mac_qos_flag} > /proc/qdma_wan/mac_qos_flag
+        if [ -n "${shape_rate}" ]; then
+            echo "${shape_rate}" > "/tmp/qos/wan_link_shape_rate"
+        else
+            /usr/sbin/qos-uplink-bandwidth
+        fi
     else
         /userfs/bin/qosrule discpline Enable 0
     fi

qosmngr/files/airoha/usr/sbin/qos-uplink-bandwidth

@@ -2,8 +2,10 @@
 
 readonly WANPORT="$(jsonfilter -i /etc/board.json -e @.network.wan.device)"
 readonly LINKSPEED_FILE="/tmp/qos/wan_link_speed"
+readonly LINKSHAPE_FILE="/tmp/qos/wan_link_shape_rate"
 
-[ "${WANPORT}" = "${PORT}" ] || exit 0
+[ -z "${PORT}" -o "${WANPORT}" = "${PORT}" ] || exit 0
+[ -f "${LINKSHAPE_FILE}" ] && exit 0
 
 LINKSPEED="$(devstatus "${WANPORT}" | jsonfilter -e '@["speed"]' | tr -d 'A-Z')"
 PREV_LINKSPEED=$(cat ${LINKSPEED_FILE} 2>/dev/null)

qosmngr/files/common/lib/qos/classify.sh

@@ -43,6 +43,7 @@ sort_classify_by_order() {
 handle_classify() {
 
     local corder_file="/tmp/qos/classify.order"
+    local interf=""
 
     while read -r line; do
         line_cid=${line#*_}
@@ -60,6 +61,19 @@ handle_classify() {
 	    handle_policer_rules $line_cid
         fi
     done < "$corder_file"
+    # Handling config for DSCP to pbit conversion:
+    # For a given port there can be 64 dscp2pbit mapping and each mapping is
+    # represented by one UCI config classify section. So there can be 64 possible
+    # config classify.
+    #
+    # For each port, traverse all config classify section and
+    # extract DSCP to P-bit conversion info.
+    # generate, dscp2pbit mapping list.
+    # Then apply dscp2pbit rule
+    for interf in $(jsonfilter -i /etc/board.json -e @.network.lan.ports[*] -e @.network.lan.device -e @.network.wan.device | xargs); do
+        handle_ebtables_dscp2pbit "$interf"
+        [ -n "$BR_RULE_DSCP2PBIT" ] && broute_apply_dscp2pbit_rule
+    done
 }
 
 # Configure classifier based on UCI subtree 'qos.classify'
@@ -107,7 +121,7 @@ setup_qos() {
         touch /tmp/qos/qos
         cp /etc/config/qos /tmp/qos/qos
     fi
-	
+
     create_ebtables_chains
     create_iptables_chains
 }

qosmngr/files/common/lib/qos/ebtables.sh

@@ -3,12 +3,23 @@
 
 BR_RULE=""
 BR6_RULE=""
+BR_RULE_DSCP2PBIT=""
+DSCP2PBIT_MAPPING=""
 
 init_broute_rule() {
     BR_RULE=""
     BR6_RULE=""
 }
 
+init_broute_dscp2pbit_rule() {
+    BR_RULE_DSCP2PBIT=""
+    DSCP2PBIT_MAPPING=""
+}
+
+broute_filter_on_l3_if() {
+    BR_RULE="$BR_RULE --logical-in $1"
+}
+
 broute_filter_on_src_if() {
     BR_RULE="$BR_RULE --in-if $1"
 }
@@ -103,7 +114,7 @@ ebt_match_ip_icmp_type() {
 ebt_match_ipv6_protocol() {
     #when ethertype is not configured by user then both proto rules of ipv4
     #and ipv6 to be installed so update BR6_RULE string as well otherwise
-    #update BR_RULE only for installation of ipv6 proto rule only.	
+    #update BR_RULE only for installation of ipv6 proto rule only.
     if [ -n "$BR6_RULE" ]; then
         BR6_RULE="$BR6_RULE --ip6-proto $1"
     else
@@ -139,14 +150,39 @@ broute_filter_on_vid() {
 }
 
 broute_append_rule() {
+    # if src_if is loopback, then add the rule to OUTPUT(qos_output) chain of nat table
+    if [ "$src_if" = "lo" ]; then
+        echo "ebtables --concurrent -t nat -A qos_output $BR_RULE" >> /tmp/qos/classify.ebtables
+        if [ -n "$BR6_RULE" ]; then
+            echo "ebtables --concurrent -t nat -A qos_output $BR6_RULE" >> /tmp/qos/classify.ebtables
+        fi
+	return
+    fi
+
+    local broute_chain="$1"
     #when ethertype is not configured by user then both proto rules of ipv4
     #and ipv6 to be installed otherwise install ipv6 proto rule only.
-    echo "ebtables --concurrent -t broute -A qos $BR_RULE" >> /tmp/qos/classify.ebtables
+    echo "ebtables --concurrent -t broute -A $broute_chain $BR_RULE" >> /tmp/qos/classify.ebtables
     if [ -n "$BR6_RULE" ]; then
-        echo "ebtables --concurrent -t broute -A qos $BR6_RULE" >> /tmp/qos/classify.ebtables
+        echo "ebtables --concurrent -t broute -A $broute_chain $BR6_RULE" >> /tmp/qos/classify.ebtables
     fi
 }
 
+broute_apply_dscp2pbit_rule() {
+    # Write dscp2pbit broute rule to classify.ebtables file
+    echo "ebtables --concurrent -t broute -A dscp2pbits -p 0x8100 $BR_RULE_DSCP2PBIT" >> /tmp/qos/classify.ebtables
+}
+
+broute_rule_set_xlate_vid_pbit() {
+    local vid_mark="$1"
+    local pcp_mark="$2"
+
+    BR_RULE="$BR_RULE -j vlantranslation"
+    [ -n "$vid_mark" ] && BR_RULE="$BR_RULE --vlanxlate-vid-set $vid_mark"
+    [ -n "$pcp_mark" ] && BR_RULE="$BR_RULE --vlanxlate-prio-set $pcp_mark"
+    BR_RULE="$BR_RULE --vlanxlate-target CONTINUE"
+}
+
 set_ip_addr()
 {
     local cid="$1"
@@ -234,12 +270,18 @@ handle_ebtables_rules() {
     local protocol=""
     local ip_version=""
 
+    config_get pcp_mark "$sid" "pcp_mark"
+    config_get dscp_filter "$sid" "dscp_filter"
+    # return if its a classfy section for DSCP to p-bit mapping
+    if [ -n "$pcp_mark" ] && [ -n "$dscp_filter" ]; then
+        return
+    fi
+
     init_broute_rule
 
     config_get src_if "$sid" "ifname"
     config_get src_mac "$sid" "src_mac"
     config_get dst_mac "$sid" "dst_mac"
-    config_get dscp_filter "$sid" "dscp_filter"
     config_get pcp_check "$sid" "pcp_check"
     config_get eth_type "$sid" "ethertype"
     config_get vid "$sid" "vid_check"
@@ -253,6 +295,13 @@ handle_ebtables_rules() {
     config_get traffic_class "$sid" "traffic_class"
     config_get protocol "$sid" "proto"
     config_get all_interfaces "$sid" "all_interfaces"
+    config_get l3_ifname "$sid" "l3_ifname"
+    config_get vid_mark "$sid" "vid_mark"
+
+    if [ -n "$l3_ifname" ]; then
+        broute_filter_on_l3_if "$l3_ifname"
+        is_l2_rule=1
+    fi
 
     if [ "$all_interfaces" == "1" ]; then
 	is_l2_rule=1
@@ -403,11 +452,83 @@ handle_ebtables_rules() {
 
     [ -n "$traffic_class" ] && broute_rule_set_traffic_class "$traffic_class"
 
-    [ -n "$BR_RULE" ] && broute_append_rule
+    if [ -n "$vid_mark" ] || [ -n "$pcp_mark" ]; then
+        broute_rule_set_xlate_vid_pbit "$vid_mark" "$pcp_mark"
+    fi
+
+    if [ -n "$BR_RULE" ]; then
+        if [ -n "$vid_mark" ] || [ -n "$pcp_mark" ]; then
+            broute_append_rule "prevlanxlate" "$src_if"
+        else
+            broute_append_rule "qos" "$src_if"
+        fi
+    fi
+}
+
+handle_ebtables_dscp2pbit() {
+    local in_if=$1
+    local dscp_filter=""
+    local pcp_mark=""
+    local ifname=""
+    local dscp2pbit_mapping_list=""
+    local corder_file="/tmp/qos/classify.order"
+
+    if [ -z "$in_if" ]; then
+        return
+    fi
+
+    init_broute_dscp2pbit_rule
+    while read -r line; do
+        line_cid=${line#*_}
+        config_get dscp_filter "$line_cid" "dscp_filter"
+        config_get pcp_mark "$line_cid" "pcp_mark"
+
+        # return if not a dscp to p-bit rule
+        if [ -z "$dscp_filter" ] || [ -z "$pcp_mark" ]; then
+            continue
+        fi
+
+        config_get ifname "$line_cid" "ifname"
+
+        # return if this config is not for the currently processing interface (in_if)
+        if [ -n "$ifname" ] && [ "$ifname" != "$in_if" ]; then
+            continue
+        fi
+
+        dscp2pbit_mapping_list="$dscp2pbit_mapping_list,$dscp_filter=$pcp_mark"
+    done < "$corder_file"
+
+    # if not dscp2pbit config found for our interface, return
+    [ -z "$dscp2pbit_mapping_list" ] && return
+
+    # remove first character(comma) from the dscp2pbit_mapping_list, not required.
+    dscp2pbit_mapping_list="${dscp2pbit_mapping_list:1}"
+
+    # construct ebtables rule:
+    BR_RULE_DSCP2PBIT=" -i $in_if -j dscp2pbit --dscp2pbit-mapping $dscp2pbit_mapping_list --dscp2pbit-target CONTINUE"
 }
 
 create_ebtables_chains() {
-    ebtables --concurrent -t broute -N qos 2> /dev/null
+
+    ebtables --concurrent -t nat -N qos_output -P RETURN 2> /dev/null
+    ret=$?
+    if [ $ret -eq 0 ]; then
+        ebtables --concurrent -t nat -A OUTPUT -j qos_output
+    else
+        ebtables --concurrent -t nat -D OUTPUT -j qos_output
+        ebtables --concurrent -t nat -A OUTPUT -j qos_output
+    fi
+
+    ebtables --concurrent -t broute -N dscp2pbits -P RETURN 2> /dev/null
+    ret=$?
+    if [ $ret -eq 0 ]; then
+        ebtables --concurrent -t broute -A BROUTING -j dscp2pbits
+    else
+        ebtables --concurrent -t broute -D BROUTING -j dscp2pbits
+        ebtables --concurrent -t broute -A BROUTING -j dscp2pbits
+    fi
+
+    ebtables --concurrent -t broute -N qos -P RETURN 2> /dev/null
     ret=$?
     if [ $ret -eq 0 ]; then
         ebtables --concurrent -t broute -A BROUTING -j qos
@@ -415,9 +536,22 @@ create_ebtables_chains() {
         ebtables --concurrent -t broute -D BROUTING -j qos
         ebtables --concurrent -t broute -A BROUTING -j qos
     fi
+
+    ebtables --concurrent -t broute -N prevlanxlate -P RETURN 2> /dev/null
+    ret=$?
+
+    if [ $ret -eq 0 ]; then
+        ebtables --concurrent -t broute -I BROUTING -j prevlanxlate
+    else
+        ebtables --concurrent -t broute -D BROUTING -j prevlanxlate
+        ebtables --concurrent -t broute -I BROUTING -j prevlanxlate
+    fi
 }
 
 flush_ebtables_chains() {
+    echo "ebtables -t nat -F qos_output" > /tmp/qos/classify.ebtables
     echo "ebtables -t broute -F qos" > /tmp/qos/classify.ebtables
+    echo "ebtables -t broute -F dscp2pbits" >> /tmp/qos/classify.ebtables
+    echo "ebtables -t broute -F prevlanxlate" >> /tmp/qos/classify.ebtables
 }
 

qosmngr/files/common/lib/qos/iptables.sh

@@ -137,6 +137,7 @@ handle_iptables_rules() {
     config_get ifname "$cid" "ifname"
     config_get all_interfaces "$cid" "all_interfaces"
     config_get icmp_type "$cid" "icmp_type"
+    config_get l3_ifname "$cid" "l3_ifname"
 
     #check version of ip
     case $src_ip$dest_ip in
@@ -154,6 +155,8 @@ handle_iptables_rules() {
     if ! [ "$all_interfaces" == "1" ]; then
 	if [ -n "$ifname" -a "$ifname" != "lo" ]; then
 	    iptables_filter_intf "$ifname"
+	elif [ -n "$l3_ifname" -a "$l3_ifname" != "lo" ]; then
+	    iptables_filter_intf "$l3_ifname"
 	fi
     fi
 

ssdpd/src/datamodel.c

@@ -14,7 +14,6 @@ struct upnpdiscovery {
 	char *uuid;
 	char *urn;
 	char *descurl;
-	struct uci_section *dmmap_sect;
 };
 
 struct upnp_device_inst {
@@ -32,7 +31,6 @@ struct upnp_device_inst {
 	char *preentation_url;
 	char *parentudn;
 	char *upc;
-	struct uci_section *dmmap_sect;
 };
 
 struct upnp_service_inst {
@@ -42,12 +40,10 @@ struct upnp_service_inst {
 	char *scpdurl;
 	char *controlurl;
 	char *eventsuburl;
-	struct uci_section *dmmap_sect;
 };
 
 struct upnp_description_file_info {
 	char *desc_url;
-	struct uci_section *dmmap_sect;
 };
 
 /*************************************************************
@@ -58,9 +54,9 @@ static int browseUPnPDiscoveryRootDeviceInst(struct dmctx *dmctx, DMNODE *parent
 	json_object *res = NULL, *root_devices = NULL, *device = NULL;
 	struct upnpdiscovery upnp_dev = {0};
 	char *descurl = NULL, *st = NULL, *usn = NULL, *inst = NULL;
-	struct uci_section *dmmap_sect = NULL;
 	char buf[512] = {0};
 	int root_inst = 0;
+	struct dm_data data = {0};
 
 	dmubus_call("upnp", "discovery", UBUS_ARGS{{}}, 0, &res);
 	if (res == NULL)
@@ -97,16 +93,11 @@ static int browseUPnPDiscoveryRootDeviceInst(struct dmctx *dmctx, DMNODE *parent
 		upnp_dev.st = dmstrdup(st);
 		upnp_dev.usn = dmstrdup(usn);
 
-		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_upnp", "upnp_root_device", "uuid", upnp_dev.urn)) == NULL) {
-			dmuci_add_section_bbfdm("dmmap_upnp", "upnp_root_device", &dmmap_sect);
-			dmuci_set_value_by_section_bbfdm(dmmap_sect, "uuid", upnp_dev.urn);
-		}
-
-		upnp_dev.dmmap_sect = dmmap_sect;
+		data.additional_data = (void *)&upnp_dev;
 
 		inst = handle_instance_without_section(dmctx, parent_node, ++root_inst);
 
-		if (DM_LINK_INST_OBJ(dmctx, parent_node, &upnp_dev, inst) == DM_STOP)
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, inst) == DM_STOP)
 			break;
 	}
 	return 0;
@@ -117,8 +108,8 @@ static int browseUPnPDiscoveryDeviceInst(struct dmctx *dmctx, DMNODE *parent_nod
 	json_object *res = NULL, *devices = NULL, *device = NULL;
 	struct upnpdiscovery upnp_dev = {0};
 	char *dev_descurl = NULL, *dev_st = NULL, *dev_usn = NULL, *inst = NULL;
-	struct uci_section *dmmap_sect = NULL;
 	char buf[512] = {0};
+	struct dm_data data = {0};
 
 	dmubus_call("upnp", "discovery", UBUS_ARGS{{}}, 0, &res);
 	if (res == NULL)
@@ -155,16 +146,11 @@ static int browseUPnPDiscoveryDeviceInst(struct dmctx *dmctx, DMNODE *parent_nod
 		upnp_dev.st = dmstrdup(dev_st);
 		upnp_dev.usn = dmstrdup(dev_usn);
 
-		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_upnp", "upnp_device", "uuid", upnp_dev.uuid)) == NULL) {
-			dmuci_add_section_bbfdm("dmmap_upnp", "upnp_device", &dmmap_sect);
-			dmuci_set_value_by_section_bbfdm(dmmap_sect, "uuid", upnp_dev.uuid);
-		}
-
-		upnp_dev.dmmap_sect = dmmap_sect;
+		data.additional_data = (void *)&upnp_dev;
 
 		inst = handle_instance_without_section(dmctx, parent_node, i+1);
 
-		if (DM_LINK_INST_OBJ(dmctx, parent_node, &upnp_dev, inst) == DM_STOP)
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, inst) == DM_STOP)
 			break;
 	}
 	return 0;
@@ -175,8 +161,8 @@ static int browseUPnPDiscoveryServiceInst(struct dmctx *dmctx, DMNODE *parent_no
 	json_object *res = NULL,  *services = NULL, *service = NULL;
 	struct upnpdiscovery upnp_dev = {0};
 	char *srv_descurl = NULL, *srv_st = NULL, *srv_usn = NULL, *inst = NULL;
-	struct uci_section* dmmap_sect = NULL;
 	char buf[512] = {0};
+	struct dm_data data = {0};
 
 	dmubus_call("upnp", "discovery", UBUS_ARGS{{}}, 0, &res);
 	if (res == NULL)
@@ -214,16 +200,11 @@ static int browseUPnPDiscoveryServiceInst(struct dmctx *dmctx, DMNODE *parent_no
 		upnp_dev.st = dmstrdup(srv_st);
 		upnp_dev.usn = dmstrdup(srv_usn);
 
-		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_upnp", "upnp_service", "usn", srv_usn)) == NULL) {
-			dmuci_add_section_bbfdm("dmmap_upnp", "upnp_service", &dmmap_sect);
-			dmuci_set_value_by_section_bbfdm(dmmap_sect, "usn", srv_usn);
-		}
-
-		upnp_dev.dmmap_sect = dmmap_sect;
+		data.additional_data = (void *)&upnp_dev;
 
 		inst = handle_instance_without_section(dmctx, parent_node, i+1);
 
-		if (DM_LINK_INST_OBJ(dmctx, parent_node, &upnp_dev, inst) == DM_STOP)
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, inst) == DM_STOP)
 			break;
 	}
 	return 0;
@@ -234,7 +215,7 @@ static int browseUPnPDescriptionDeviceDescriptionInst(struct dmctx *dmctx, DMNOD
 	json_object *res = NULL, *descriptions = NULL, *description = NULL;
 	struct upnp_description_file_info upnp_desc = {0};
 	char *descurl = NULL, *inst = NULL;
-	struct uci_section* dmmap_sect = NULL;
+	struct dm_data data = {0};
 
 	dmubus_call("upnp", "description", UBUS_ARGS{{}}, 0, &res);
 	if (res == NULL)
@@ -249,15 +230,11 @@ static int browseUPnPDescriptionDeviceDescriptionInst(struct dmctx *dmctx, DMNOD
 		descurl = dmjson_get_value(description, 1, "desc_url");
 		upnp_desc.desc_url = dmstrdup(descurl);
 
-		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_upnp", "upnp_description", "descurl", descurl)) == NULL) {
-			dmuci_add_section_bbfdm("dmmap_upnp", "upnp_description", &dmmap_sect);
-			dmuci_set_value_by_section_bbfdm(dmmap_sect, "descurl", descurl);
-		}
-		upnp_desc.dmmap_sect = dmmap_sect;
+		data.additional_data = (void *)&upnp_desc;
 
 		inst = handle_instance_without_section(dmctx, parent_node, i+1);
 
-		if (DM_LINK_INST_OBJ(dmctx, parent_node, &upnp_desc, inst) == DM_STOP)
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, inst) == DM_STOP)
 			break;
 	}
 	return 0;
@@ -268,8 +245,8 @@ static int browseUPnPDescriptionDeviceInstanceInst(struct dmctx *dmctx, DMNODE *
 	json_object *res = NULL,  *devices_instances = NULL, *device_inst = NULL;
 	struct upnp_device_inst upnp_dev_inst = {};
 	char *inst = NULL;
-	struct uci_section* dmmap_sect = NULL;
 	int i;
+	struct dm_data data = {0};
 
 	dmubus_call("upnp", "description", UBUS_ARGS{{}}, 0, &res);
 	if (res == NULL)
@@ -294,16 +271,11 @@ static int browseUPnPDescriptionDeviceInstanceInst(struct dmctx *dmctx, DMNODE *
 		dmasprintf(&upnp_dev_inst.udn, "%s", dmjson_get_value(device_inst, 1, "UDN"));
 		dmasprintf(&upnp_dev_inst.upc, "%s", dmjson_get_value(device_inst, 1, "UPC"));
 
-		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_upnp", "upnp_device_inst", "udn", dmjson_get_value(device_inst, 1, "UDN"))) == NULL) {
-			dmuci_add_section_bbfdm("dmmap_upnp", "upnp_device_inst", &dmmap_sect);
-			dmuci_set_value_by_section_bbfdm(dmmap_sect, "udn", dmjson_get_value(device_inst, 1, "UDN"));
-		}
-
-		upnp_dev_inst.dmmap_sect = dmmap_sect;
+		data.additional_data = (void *)&upnp_dev_inst;
 
 		inst = handle_instance_without_section(dmctx, parent_node, i+1);
 
-		if (DM_LINK_INST_OBJ(dmctx, parent_node, &upnp_dev_inst, inst) == DM_STOP)
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, inst) == DM_STOP)
 			break;
 	}
 	return 0;
@@ -314,8 +286,8 @@ static int browseUPnPDescriptionServiceInstanceInst(struct dmctx *dmctx, DMNODE
 	json_object *res = NULL, *services_instances = NULL, *service_inst = NULL;
 	struct upnp_service_inst upnp_services_inst = {};
 	char *inst = NULL;
-	struct uci_section* dmmap_sect = NULL;
 	int i;
+	struct dm_data data = {0};
 
 	dmubus_call("upnp", "description", UBUS_ARGS{{}}, 0, &res);
 	if (res == NULL)
@@ -333,16 +305,11 @@ static int browseUPnPDescriptionServiceInstanceInst(struct dmctx *dmctx, DMNODE
 		dmasprintf(&upnp_services_inst.controlurl, "%s", dmjson_get_value(service_inst, 1, "controlURL"));
 		dmasprintf(&upnp_services_inst.eventsuburl, "%s", dmjson_get_value(service_inst, 1, "eventSubURL"));
 
-		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_upnp", "upnp_service_inst", "serviceid", dmjson_get_value(service_inst, 1, "serviceId"))) == NULL) {
-			dmuci_add_section_bbfdm("dmmap_upnp", "upnp_service_inst", &dmmap_sect);
-			dmuci_set_value_by_section_bbfdm(dmmap_sect, "serviceid", dmjson_get_value(service_inst, 1, "serviceId"));
-		}
-
-		upnp_services_inst.dmmap_sect = dmmap_sect;
+		data.additional_data = (void *)&upnp_services_inst;
 
 		inst = handle_instance_without_section(dmctx, parent_node, i+1);
 
-		if (DM_LINK_INST_OBJ(dmctx, parent_node, &upnp_services_inst, inst) == DM_STOP)
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, inst) == DM_STOP)
 			break;
 	}
 	return 0;
@@ -417,67 +384,76 @@ static int get_UPnPDiscovery_ServiceNumberOfEntries(char *refparam, struct dmctx
 /*#Device.UPnP.Discovery.RootDevice.{i}.UUID!UBUS:upnpc/discovery//devices[i-1].st*/
 static int get_UPnPDiscoveryRootDevice_UUID(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->uuid;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->uuid;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.RootDevice.{i}.USN!UBUS:upnpc/discovery//devices[i-1].usn*/
 static int get_UPnPDiscoveryRootDevice_USN(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->usn;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->usn;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.RootDevice.{i}.Location!UBUS:upnpc/discovery//devices[i-1].descurl*/
 static int get_UPnPDiscoveryRootDevice_Location(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->descurl;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->descurl;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.Device.{i}.UUID!UBUS:upnpc/discovery//devices[i-1].st*/
 static int get_UPnPDiscoveryDevice_UUID(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->uuid;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->uuid;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.Device.{i}.USN!UBUS:upnpc/discovery//devices[i-1].usn*/
 static int get_UPnPDiscoveryDevice_USN(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->usn;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->usn;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.Device.{i}.Location!UBUS:upnpc/discovery//devices[i-1].descurl*/
 static int get_UPnPDiscoveryDevice_Location(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->descurl;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->descurl;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.Service.{i}.USN!UBUS:upnpc/discovery//services[i-1].usn*/
 static int get_UPnPDiscoveryService_USN(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->usn;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->usn;
 	return 0;
 }
 
 /*#Device.UPnP.Discovery.Service.{i}.Location!UBUS:upnpc/discovery//services[i-1].descurl*/
 static int get_UPnPDiscoveryService_Location(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnpdiscovery *)data)->descurl;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnpdiscovery *)(p->additional_data))->descurl;
 	return 0;
 }
 
 static int get_UPnPDiscoveryService_ParentDevice(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
 	char buf[256] = {0};
+	struct dm_data *p = (struct dm_data *)data;
 
-	bbfdm_get_references(ctx, MATCH_FIRST, "Device.UPnP.Discovery.Device.", "UUID", ((struct upnpdiscovery *)data)->uuid, buf, sizeof(buf));
+	bbfdm_get_references(ctx, MATCH_FIRST, "Device.UPnP.Discovery.Device.", "UUID", ((struct upnpdiscovery *)(p->additional_data))->uuid, buf, sizeof(buf));
 
 	if (!DM_STRLEN(buf))
-		bbfdm_get_references(ctx, MATCH_FIRST, "Device.UPnP.Discovery.RootDevice.", "UUID", ((struct upnpdiscovery *)data)->uuid, buf, sizeof(buf));
+		bbfdm_get_references(ctx, MATCH_FIRST, "Device.UPnP.Discovery.RootDevice.", "UUID", ((struct upnpdiscovery *)(p->additional_data))->uuid, buf, sizeof(buf));
 
 	*value = dmstrdup(buf);
 	return 0;
@@ -507,26 +483,30 @@ static int get_UPnPDescription_ServiceInstanceNumberOfEntries(char *refparam, st
 /*#Device.UPnP.Description.DeviceDescription.{i}.URLBase!UBUS:upnpc/description//descriptions[i-1].descurl*/
 static int get_UPnPDescriptionDeviceDescription_URLBase(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_description_file_info *)data)->desc_url;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_description_file_info *)(p->additional_data))->desc_url;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.UDN!UBUS:upnpc/description//devicesinstances[i-1].UDN*/
 static int get_UPnPDescriptionDeviceInstance_UDN(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->udn;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->udn;
 	return 0;
 }
 
 static int get_UPnPDescriptionDeviceInstance_ParentDevice(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	_bbfdm_get_references(ctx, "Device.UPnP.Description.DeviceInstance.", "UDN", ((struct upnp_device_inst *)data)->parentudn, value);
+	struct dm_data *p = (struct dm_data *)data;
+	_bbfdm_get_references(ctx, "Device.UPnP.Description.DeviceInstance.", "UDN", ((struct upnp_device_inst *)(p->additional_data))->parentudn, value);
 	return 0;
 }
 
 static int get_UPnPDescriptionDeviceInstance_DiscoveryDevice(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	struct upnp_device_inst *upnpdevinst = (struct upnp_device_inst *)data;
+	struct dm_data *p = (struct dm_data *)data;
+	struct upnp_device_inst *upnpdevinst = (struct upnp_device_inst *)(p->additional_data);
 
 	if (upnpdevinst->udn && upnpdevinst->udn[0]) {
 		char buf[256] = {0};
@@ -551,98 +531,112 @@ static int get_UPnPDescriptionDeviceInstance_DiscoveryDevice(char *refparam, str
 /*#Device.UPnP.Description.DeviceInstance.{i}.DeviceType!UBUS:upnpc/description//devicesinstances[i-1].deviceType*/
 static int get_UPnPDescriptionDeviceInstance_DeviceType(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->device_type;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->device_type;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.FriendlyName!UBUS:upnpc/description//devicesinstances[i-1].friendlyName*/
 static int get_UPnPDescriptionDeviceInstance_FriendlyName(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->friendly_name;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->friendly_name;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.Manufacturer!UBUS:upnpc/description//devicesinstances[i-1].manufacturer*/
 static int get_UPnPDescriptionDeviceInstance_Manufacturer(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->manufacturer;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->manufacturer;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.ManufacturerURL!UBUS:upnpc/description//devicesinstances[i-1].manufacturerURL*/
 static int get_UPnPDescriptionDeviceInstance_ManufacturerURL(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->manufacturer_url;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->manufacturer_url;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.ModelDescription!UBUS:upnpc/description//devicesinstances[i-1].modelDescription*/
 static int get_UPnPDescriptionDeviceInstance_ModelDescription(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->model_description;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->model_description;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.ModelName!UBUS:upnpc/description//devicesinstances[i-1].modelName*/
 static int get_UPnPDescriptionDeviceInstance_ModelName(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->model_name;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->model_name;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.ModelNumber!UBUS:upnpc/description//devicesinstances[i-1].modelNumber*/
 static int get_UPnPDescriptionDeviceInstance_ModelNumber(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->model_number;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->model_number;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.ModelURL!UBUS:upnpc/description//devicesinstances[i-1].modelURL*/
 static int get_UPnPDescriptionDeviceInstance_ModelURL(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->model_url;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->model_url;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.SerialNumber!UBUS:upnpc/description//devicesinstances[i-1].serialNumber*/
 static int get_UPnPDescriptionDeviceInstance_SerialNumber(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->serial_number;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->serial_number;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.UPC!UBUS:upnpc/description//devicesinstances[i-1].UPC*/
 static int get_UPnPDescriptionDeviceInstance_UPC(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->upc;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->upc;
 	return 0;
 }
 
 /*#Device.UPnP.Description.DeviceInstance.{i}.PresentationURL!UBUS:upnpc/description//devicesinstances[i-1].preentation_url*/
 static int get_UPnPDescriptionDeviceInstance_PresentationURL(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_device_inst *)data)->preentation_url;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_device_inst *)(p->additional_data))->preentation_url;
 	return 0;
 }
 
 static int get_UPnPDescriptionServiceInstance_ParentDevice(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	_bbfdm_get_references(ctx, "Device.UPnP.Description.DeviceInstance.", "UDN", ((struct upnp_service_inst *)data)->parentudn, value);
+	struct dm_data *p = (struct dm_data *)data;
+	_bbfdm_get_references(ctx, "Device.UPnP.Description.DeviceInstance.", "UDN", ((struct upnp_service_inst *)(p->additional_data))->parentudn, value);
 	return 0;
 }
 
 /*#Device.UPnP.Description.ServiceInstance.{i}.ServiceId!UBUS:upnpc/description//servicesinstances[i-1].serviceId*/
 static int get_UPnPDescriptionServiceInstance_ServiceId(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_service_inst *)data)->serviceid;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_service_inst *)(p->additional_data))->serviceid;
 	return 0;
 }
 
 static int get_UPnPDescriptionServiceInstance_ServiceDiscovery(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
 	char usn[512] = {0};
+	struct dm_data *p = (struct dm_data *)data;
 
-	snprintf(usn, sizeof(usn), "%s::%s", ((struct upnp_service_inst *)data)->parentudn, ((struct upnp_service_inst *)data)->servicetype);
+	snprintf(usn, sizeof(usn), "%s::%s", ((struct upnp_service_inst *)(p->additional_data))->parentudn, ((struct upnp_service_inst *)(p->additional_data))->servicetype);
 
 	_bbfdm_get_references(ctx, "Device.UPnP.Discovery.Service.", "USN", usn, value);
 	return 0;
@@ -651,28 +645,32 @@ static int get_UPnPDescriptionServiceInstance_ServiceDiscovery(char *refparam, s
 /*#Device.UPnP.Description.ServiceInstance.{i}.ServiceType!UBUS:upnpc/description//servicesinstances[i-1].serviceType*/
 static int get_UPnPDescriptionServiceInstance_ServiceType(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_service_inst *)data)->servicetype;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_service_inst *)(p->additional_data))->servicetype;
 	return 0;
 }
 
 /*#Device.UPnP.Description.ServiceInstance.{i}.SCPDURL!UBUS:upnpc/description//servicesinstances[i-1].SCPDURL*/
 static int get_UPnPDescriptionServiceInstance_SCPDURL(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_service_inst *)data)->scpdurl;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_service_inst *)(p->additional_data))->scpdurl;
 	return 0;
 }
 
 /*#Device.UPnP.Description.ServiceInstance.{i}.ControlURL!UBUS:upnpc/description//servicesinstances[i-1].controlURL*/
 static int get_UPnPDescriptionServiceInstance_ControlURL(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_service_inst *)data)->controlurl;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_service_inst *)(p->additional_data))->controlurl;
 	return 0;
 }
 
 /*#Device.UPnP.Description.ServiceInstance.{i}.EventSubURL!UBUS:upnpc/description//servicesinstances[i-1].eventSubURL*/
 static int get_UPnPDescriptionServiceInstance_EventSubURL(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = ((struct upnp_service_inst *)data)->eventsuburl;
+	struct dm_data *p = (struct dm_data *)data;
+	*value = ((struct upnp_service_inst *)(p->additional_data))->eventsuburl;
 	return 0;
 }
 

sshmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sshmngr
-PKG_VERSION:=1.0.2
+PKG_VERSION:=1.0.3
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/sshmngr.git
-PKG_SOURCE_VERSION:=790689b6ccc89ca90623b6b93b95ee4642cb789e
+PKG_SOURCE_VERSION:=c56a09b2ffd7b944dff4ef7c9ae3a98c68e2427f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

sulu/sulu-builder/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-builder
-PKG_VERSION:=3.1.60
+PKG_VERSION:=3.1.61
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu-builder.git
-PKG_SOURCE_VERSION:=51c0d46343b3b1122b4f1df73399526160f968dd
+PKG_SOURCE_VERSION:=31fecc47a3d4100e00e8545ea861bb7362938e98
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_BUILD_DIR:=$(BUILD_DIR)/sulu-$(PKG_VERSION)/sulu-builder-$(PKG_SOURCE_VERSION)

swmodd/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=swmodd
-PKG_VERSION:=2.5.9
+PKG_VERSION:=2.5.12
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/lcm/swmodd.git
-PKG_SOURCE_VERSION:=4d228d6be9759d285b49a20e191c6ca23ab40a51
+PKG_SOURCE_VERSION:=088ac916a87b4faf1aaafadc6ee77ae56674fd1c
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

swmodd/files/etc/config/swmodd

@@ -3,3 +3,7 @@ config globals 'globals'
         option debug '1'
         option log_level '3'
         option lan_bridge 'br-lan'
+        option root '/container'
+
+config execenv 'execenv_1'
+        option name 'oci'

swmodd/files/etc/init.d/crun

@@ -241,7 +241,7 @@ start_service() {
 
 	env=$(uci -q get swmodd.@execenv[0].name)
 	if [ -z "${root}" ] || [ -z "${bridge}" ]; then
-		log "Base bundle root[$root] or bridge[$bridge] not defined"
+		log "# Base bundle root[$root] or bridge[$bridge] not defined"
 		return 0;
 	fi
 

swmodd/files/etc/init.d/swmodd

@@ -90,16 +90,17 @@ start_service() {
 	# crun default runtime directory /run, if not present then create
 	[ ! -d "/run" ] && ln -fs /var/run /run
 
-	if [ ! -d "${root}" ]; then
-		log "# root [${root}] not present, creating ..."
-		if [ -n "${root}" ]; then
-			mkdir -p "${root}"
-		else
-			log "# Not starting, root [${root}] not defined"
-			return 1
+	if [ -L "${root}" ]; then
+		if [ ! -d "${root}" ]; then
+			mkdir -p $(realpath ${root})
 		fi
 	fi
 
+	if [ ! -d "${root}" ]; then
+		log "# Not starting, Base root [${root}] not accessible/defined"
+		return 1
+	fi
+
 	# Currently only one execenv supported
 	env_name="$(uci -q get swmodd.@execenv[0].name)"
 	if [ -z "${env_name}" ]; then

swmodd/files/etc/swmodd/run.sh

@@ -74,7 +74,7 @@ setup_container_network() {
 }
 
 run_container() {
-	local bundle name bridge
+	local bundle name bridge network
 
 	bundle="${1}"
 	name="${2}"
@@ -85,7 +85,13 @@ run_container() {
 		return 1
 	fi
 
-	setup_container_network "${name}" "${bridge}"
+	# Only do the network setup if defined in config
+	network="$(cat ${BUNDLE}/${NAME}/config.json |jq '.linux.namespaces[] |select (.type == "network")')"
+	if [ -n "${network}" ] ; then
+		setup_container_network "${name}" "${bridge}"
+	else
+		log "Network not defined in config, using host network..."
+	fi
 	
         script -q -c "crun run -b ${bundle}/${name} ${name}" /dev/null
 }
@@ -139,7 +145,6 @@ update_config_json() {
 	fi
 
 	# Update cabalities
-	log "## PERM [$PERM], Name [${NAME}] ##"
 	if [ -n "${PERM}" ]; then
 		log "Updating Permission in the json ..."
 		PERM="${PERM//,/ }"

swmodd/files/etc/uci-defaults/01-fix-bundle-path

@@ -10,32 +10,31 @@ configure_ee_path() {
 	config_get oci_bundle globals oci_bundle_root ""
 
 	mkdir -p /etc/lxc
+	if [ -n "${lxc_bundle}" ]; then
+		# if lxc_bundle_root define in swmodd, then remove it
+		name=$(echo ${lxc_bundle##/*/})
+		root=$(echo ${lxc_bundle%/$name})
+		echo "lxc.lxcpath = ${lxc_bundle}" > /etc/lxc/lxc.conf
+		uci_set swmodd globals lxc_bundle_root ""
+	fi
+
 	if [ -n "${oci_bundle}" ]; then
 		# if oci_bundle_root define in swmodd, then remove it
 		name=$(echo ${oci_bundle##/*/})
 		root=$(echo ${oci_bundle%/$name})
 		echo "lxc.lxcpath = ${oci_bundle}" > /etc/lxc/lxc.conf
-	elif [ -n "${lxc_bundle}" ]; then
-		# if lxc_bundle_root define in swmodd, then remove it
-		name=$(echo ${lxc_bundle##/*/})
-		root=$(echo ${lxc_bundle%/$name})
-		echo "lxc.lxcpath = ${lxc_bundle}" > /etc/lxc/lxc.conf
-	elif [ -f /etc/lxc/lxc.conf ]; then
-		bundle_path=$(cat /etc/lxc/lxc.conf | grep "lxc.lxcpath" | cut -d "=" -f 2 | sed 's/[[:blank:]]//g')
-		name=$(echo ${bundle_path##/*/})
-		root=$(echo ${bundle_path%/$name})
-	else
-		name="lxc"
-		root="/srv"
-		echo "lxc.lxcpath = /srv/lxc" > /etc/lxc/lxc.conf
+		uci_set swmodd globals oci_bundle_root ""
 	fi
 
-	uci_set swmodd globals oci_bundle_root ""
-	uci_set swmodd globals lxc_bundle_root ""
-
 	# configure root in globals section
-	if ! uci_get swmodd globals root >/dev/null; then
-		uci_set swmodd globals root ${root}
+	if [ -n "${root}" ]; then
+		if ! uci_get swmodd globals root >/dev/null; then
+			uci_set swmodd globals root ${root}
+		fi
+	fi
+
+	if [ -z "${name}" ]; then
+		name="oci"
 	fi
 
 	# configure execenv in swmodd

tr104/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tr104
-PKG_VERSION:=1.0.28
+PKG_VERSION:=1.0.31
 
 LOCAL_DEV:=0
 ifeq ($(LOCAL_DEV),0)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/voice/tr104.git
-PKG_SOURCE_VERSION:=8792d5bf496a4c25c31f4e84ec825b02bf097cc2
+PKG_SOURCE_VERSION:=57a713d6dbb4a39b41f0f0fd4674e7bcd3562852
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

twamp/Makefile

@@ -6,13 +6,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=twamp
-PKG_VERSION:=1.4.4
+PKG_VERSION:=1.4.5
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/twamp-light.git
-PKG_SOURCE_VERSION:=d31b2128e6ea4ab42538b88db91b2cc84091ef4d
+PKG_SOURCE_VERSION:=678a980b9433e34c3ea24af003e6ee987f2bce75
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -52,9 +52,13 @@ define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/twampd $(1)/usr/sbin/
 	$(INSTALL_DATA) ./files/etc/config/twamp $(1)/etc/config/twamp
+ifneq ($(CONFIG_FIREWALLMNGR_BACKEND_FIREWALLMNGR),y)
 	$(INSTALL_BIN) ./files/etc/init.d/twampd $(1)/etc/init.d/twampd
 	$(INSTALL_BIN) ./files/etc/firewall.twamp $(1)/etc/firewall.twamp
 	$(INSTALL_BIN) ./files/etc/uci-defaults/92-twampfirewall $(1)/etc/uci-defaults/92-twampfirewall
+else
+	$(INSTALL_BIN) ./files/etc/twamp_backend_firewallmngr/init.d/twampd $(1)/etc/init.d/twampd
+endif
 	$(INSTALL_BIN) ./files/etc/uci-defaults/93-twamp_fix_reflector $(1)/etc/uci-defaults/93-twamp_fix_reflector
 	$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/libtwamp.so $(1)
 endef

twamp/files/etc/twamp_backend_firewallmngr/init.d/twampd

@@ -0,0 +1,31 @@
+#!/bin/sh /etc/rc.common
+# TWAMP Reflector software
+# Copyright (C) 2020-2022 IOPSYS Software Solutions AB
+# Author: Amin Ben Ramdhane <amin.benramdhane@pivasoftware.com>
+
+START=99
+STOP=10
+
+. /lib/fwmngr/fwmngr_twamp.sh
+USE_PROCD=1
+PROG="/usr/sbin/twampd"
+
+start_service() {
+	local enable=$(uci -q get twamp.twamp.enable)
+	if [ "$enable" = "1" ]; then
+		procd_open_instance
+		procd_set_param command "$PROG"
+		procd_set_param respawn "3" "7" "0"
+		procd_close_instance
+	fi
+	handle_twamp_rules
+}
+
+reload_service() {
+        stop
+        start
+}
+
+service_triggers() {
+	procd_add_reload_trigger twamp
+}

usbmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=usbmngr
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.0.3
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/usbmngr.git
-PKG_SOURCE_VERSION:=bace625f9bba99c2093982878dfe08cab2b920d4
+PKG_SOURCE_VERSION:=4f5f5dd701d40cdb134b98734db75446e5736a2e
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

userinterface/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=userinterface
-PKG_VERSION:=1.1.3
+PKG_VERSION:=1.1.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/userinterface.git
-PKG_SOURCE_VERSION:=07dd97620309df416ff449c64fdd73dc4c5950c1
+PKG_SOURCE_VERSION:=98f016c93c162f0f4c4854398ff5936f040e5a77
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

usp-js/Makefile

@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=usp-js
-PKG_VERSION:=1.2.5
+PKG_VERSION:=1.2.6
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/usp-js.git
@@ -23,7 +23,7 @@ define Package/usp-js
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=A JS library for USP(TR369) protocol
-  DEPENDS:=+quickjs +quickjs-websocket +@OBUSPA_ENABLE_TEST_CONTROLLER
+  DEPENDS:=+quickjs +quickjs-websocket +@OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL
   EXTRA_DEPENDS:=obuspa mosquitto-ssl
 endef
 
@@ -37,9 +37,7 @@ endef
 
 define Package/usp-js/install
 	$(INSTALL_DIR) $(1)/usr/lib/usp-js
-	$(INSTALL_DIR) $(1)/etc
 	$(CP) $(PKG_BUILD_DIR)/qjs/* $(1)/usr/lib/usp-js/
-	$(CP) ./files/etc/* $(1)/etc/
 endef
 
 $(eval $(call BuildPackage,usp-js))

usp-js/files/etc/init.d/uspjs

@@ -1,68 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=99
-STOP=01
-USE_PROCD=1
-
-log()
-{
-	echo "$*"|logger -t usp-js -p debug
-}
-
-get_oui_from_db()
-{
-	db -q get device.deviceinfo.ManufacturerOUI
-}
-
-get_serial_from_db()
-{
-	db -q get device.deviceinfo.SerialNumber
-}
-
-publish_endpoint()
-{
-	local AgentEndpointID serial oui user pass
-
-	if ! uci -q get obuspa.testmqtt; then
-		return 0;
-	fi
-
-	# return if mosquitto_pub is not present
-	if [ ! "$(command -v mosquitto_pub)" ]; then
-		log "mosquitto_pub not present can't publish EndpointID"
-		return 0;
-	fi
-
-	# Get endpoint id from obuspa config first
-	config_load obuspa
-	config_get AgentEndpointID localagent EndpointID ""
-	if [ -z "${AgentEndpointID}" ]; then
-		serial=$(get_serial_from_db)
-		oui=$(get_oui_from_db)
-		AgentEndpointID="os::${oui}-${serial//+/%2B}"
-	fi
-
-	config_get user testmqtt Username ""
-	config_get pass testmqtt Password ""
-
-	# publish Agent's EndpointID in mosquito broker for discovery by usp-js
-	# This is a work around till obuspa adds supports for mDNS discovery
-	if [ -n "${user}" ] && [ -n "${pass}" ]; then
-		log "Publishing EndpointID ${AgentEndpointID} to local mqtt broker with username, password"
-		mosquitto_pub -r -t "obuspa/EndpointID" -m "${AgentEndpointID}" -u "${user}" -P "${pass}"
-	elif [ -n "${user}" ]; then
-		log "Publishing EndpointID ${AgentEndpointID} to local mqtt broker with username only"
-		mosquitto_pub -r -t "obuspa/EndpointID" -m "${AgentEndpointID}" -u "${user}"
-	else
-		log "Publishing EndpointID ${AgentEndpointID} to local mqtt broker"
-		mosquitto_pub -r -t "obuspa/EndpointID" -m "${AgentEndpointID}"
-	fi
-}
-
-start_service() {
-	publish_endpoint
-}
-
-service_triggers() {
-	procd_add_reload_trigger "obuspa"
-}

wifimngr/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifimngr
-PKG_VERSION:=17.2.7
+PKG_VERSION:=17.3.0
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=0faf8b741fb52c21dbfe63a08c811cbda8ec3cad
+PKG_SOURCE_VERSION:=a659db98e58003115bd58d614db70331e84c4ec6
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/wifimngr.git
 PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz

xmppc/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=xmppc
-PKG_VERSION:=2.2.8
+PKG_VERSION:=2.2.9
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/xmppc.git
-PKG_SOURCE_VERSION:=9757ae86d745a4b7800ba20c034f3469a320f501
+PKG_SOURCE_VERSION:=ff76b296e767a5732d7b07ad94c141a4a6e50ed5
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif