netmode: set default netmode

and improve other modes

bridgemngr/Makefile

@@ -5,14 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bridgemngr
-PKG_VERSION:=1.0.17
+PKG_VERSION:=1.0.18.2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/bridgemngr
-PKG_SOURCE_VERSION:=36e6e8319a95dad3bccfe9f2d8a298b39c6ce86b
+PKG_SOURCE_VERSION:=71ed529be038392071b0399bcfe9d46e89d3cb46
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

dslmngr/files/airoha/sbin/xdsl_wan

@@ -5,6 +5,8 @@ source "/lib/functions/network.sh"
 source "/lib/functions/system.sh"
 
 PREVLINK=""
+LINK=""
+LINKSPEED=""
 PREVWANMODE=""
 WANMODE=""
 CONFIGURED=0
@@ -150,6 +152,12 @@ while [ true ]; do
 
 	if [ "$LINK" != "$PREVLINK" -a \( "$LINK" = "down" -o "$LINK" = "up" \) ]; then
 		if [ "$LINK" = "down" ]; then
+			if [ ! -s /tmp/qos/wan_link_shape_rate ]; then
+				rm -rf /tmp/qos/wan_link_shape_rate
+				rm -rf /tmp/qos/wan_link_speed
+				/usr/sbin/qos-uplink-bandwidth
+			fi
+
 			[ "$CONFIGURED" -eq 0 ] && configure_lines # Needs to be done once the slave SoC is in down state and we've not been able to auto-sync.
 			if [ -n "$WANMODE" ]; then
 				if [ "$WANMODE" = "PTM" ]; then
@@ -226,6 +234,26 @@ while [ true ]; do
 
 			call_wan_hotplug "up" "$WANPORT"
 			PREVWANMODE="$WANMODE"
+
+			if [ ! -s /tmp/qos/wan_link_shape_rate ]; then
+				LINKSPEED="$(awk '/far-end interleaved channel bit rate/{print $6}' /proc/tc3162/adsl_stats)"
+				LINKSPEED=$((LINKSPEED))
+				if [ "$LINKSPEED" -eq 0 ]; then
+					LINKSPEED="$(awk '/far-end fast channel bit rate/{print $6}' /proc/tc3162/adsl_stats)"
+					LINKSPEED=$((LINKSPEED))
+				fi
+
+				if [ "$LINKSPEED" -ne 0 ]; then
+					mkdir -p /tmp/qos
+					touch /tmp/qos/wan_link_shape_rate
+
+					/userfs/bin/qosrule discpline Rate uplink-bandwidth ${LINKSPEED}
+					hw_nat -! > /dev/null 2>&1
+				else
+					rm -rf /tmp/qos/wan_link_speed
+					/usr/sbin/qos-uplink-bandwidth
+				fi
+			fi
 		fi
 
 		# Toggle link state

firewallmngr/Config.in

@@ -8,5 +8,11 @@ config FIREWALLMNGR_PORT_TRIGGER
 	help
 	   Set this option to include support for PortTrigger object.
 
+config FIREWALLMNGR_NAT_INTERFACE_SETTING
+	bool "Include Device.NAT.InterfaceSetting"
+	default y
+	help
+	   Set this option to include support for NAT InterfaceSetting object.
+
 endmenu
 endif

firewallmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.9
+PKG_VERSION:=1.0.9.2
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
-PKG_SOURCE_VERSION:=77ad8425b73a3ac63f6160dc217635394ac87907
+PKG_SOURCE_VERSION:=fdabd33cf42ac02adadbdf43bd8bf86a62d7d1e3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -52,6 +52,10 @@ ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
 	TARGET_CFLAGS += -DINCLUDE_PORT_TRIGGER
 endif
 
+ifeq ($(CONFIG_FIREWALLMNGR_NAT_INTERFACE_SETTING),y)
+	TARGET_CFLAGS += -DINCLUDE_NAT_IF_SETTING
+endif
+
 define Package/firewallmngr/install
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/uci-defaults

fluent-bit/Makefile

@@ -5,15 +5,16 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fluent-bit
-PKG_VERSION:=4.0.2
+PKG_VERSION:=4.0.4
 PKG_RELEASE:=$(AUTORELEASE)
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/fluent/fluent-bit.git
+PKG_SOURCE_VERSION=v$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL_FILE:=v$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/fluent/fluent-bit/archive/refs/tags/
-PKG_HASH:=aa0577ba7251081c8d5398b2a905b5b0585bb657ca13b39a5e12931437516f08
+PKG_MIRROR_HASH:=skip
 endif
 
 PKG_LICENSE:=Apache-2.0
@@ -65,9 +66,9 @@ CMAKE_OPTIONS += \
 	-DFLB_IN_DISK=Yes \
 	-DFLB_IN_EXEC=Yes \
 	-DFLB_IN_HEAD=Yes \
+	-DFLB_IN_KMSG=Yes \
 	-DFLB_IN_TAIL=Yes \
 	-DFLB_IN_FORWARD=No \
-	-DFLB_IN_KMSG=No \
 	-DFLB_IN_PROC=No \
 	-DFLB_IN_RANDOM=No \
 	-DFLB_IN_SERIAL=No \

fluent-bit/files/fluent-bit.conf

@@ -9,6 +9,10 @@
     tag             syslog
     path            /dev/log
 
+[INPUT]
+    name            kmsg
+    tag             kernel
+
 [OUTPUT]
     name            null
     match           *

fluent-bit/patches/0002-add_hostname_to_log_dump.patch

@@ -1,45 +0,0 @@
-diff --git a/plugins/out_file/file.c b/plugins/out_file/file.c
-index 2e47c9666..95d28e438 100644
---- a/plugins/out_file/file.c
-+++ b/plugins/out_file/file.c
-@@ -27,6 +27,7 @@
- #include <msgpack.h>
- 
- #include <stdio.h>
-+#include <unistd.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
-@@ -55,6 +56,7 @@ struct flb_file_conf {
-     int csv_column_names;
-     int mkdir;
-     struct flb_output_instance *ins;
-+    char hostname[256];
- };
- 
- static char *check_delimiter(const char *str)
-@@ -141,6 +143,9 @@ static int cb_file_init(struct flb_output_instance *ins,
-         }
-     }
- 
-+    if (gethostname(ctx->hostname, sizeof(ctx->hostname)) != 0)
-+	    snprintf(ctx->hostname, sizeof(ctx->hostname), "%s", "localhost");
-+
-     tmp = flb_output_get_property("delimiter", ins);
-     ret_str = check_delimiter(tmp);
-     if (ret_str != NULL) {
-@@ -233,12 +238,8 @@ static int template_output_write(struct flb_file_conf *ctx,
-     int i;
-     msgpack_object_kv *kv;
- 
--    /*
--     * Right now we treat "{time}" specially and fill the placeholder
--     * with the metadata timestamp (formatted as float).
--     */
--    if (!strncmp(key, "time", size)) {
--        fprintf(fp, "%f", flb_time_to_double(tm));
-+    if (!strncmp(key, "hostname", size)) {
-+        fprintf(fp, "%s", ctx->hostname);
-         return 0;
-     }
- 

fluent-bit/patches/0002-file_out_time.patch

@@ -0,0 +1,27 @@
+diff --git a/plugins/out_file/file.c b/plugins/out_file/file.c
+index 77baf6be8..04c519d5a 100644
+--- a/plugins/out_file/file.c
++++ b/plugins/out_file/file.c
+@@ -238,10 +238,20 @@ static int template_output_write(struct flb_file_conf *ctx,
+ 
+     /*
+      * Right now we treat "{time}" specially and fill the placeholder
+-     * with the metadata timestamp (formatted as float).
++     * with the metadata timestamp.
+      */
+     if (!strncmp(key, "time", size)) {
+-        fprintf(fp, "%f", flb_time_to_double(tm));
++        struct tm tm_local;
++        char buf[32];
++        if (localtime_r(&tm->tm.tv_sec, &tm_local) == NULL) {
++            flb_plg_error(ctx->ins, "localtime_r failed");
++            return -1;
++        }
++        if (strftime(buf, sizeof(buf), "%b %d %H:%M:%S", &tm_local) == 0) {
++            flb_plg_error(ctx->ins, "strftime failed");
++            return -1;
++        }
++        fputs(buf, fp);
+         return 0;
+     }
+ 

fluent-bit/patches/0020-fix_kmsg.patch

@@ -0,0 +1,73 @@
+diff --git a/plugins/in_kmsg/in_kmsg.c b/plugins/in_kmsg/in_kmsg.c
+index cd5c4cd17..15f105451 100644
+--- a/plugins/in_kmsg/in_kmsg.c
++++ b/plugins/in_kmsg/in_kmsg.c
+@@ -36,7 +36,6 @@
+ #include <sys/stat.h>
+ #include <sys/time.h>
+ #include <inttypes.h>
+-#include <time.h>
+ 
+ #include "in_kmsg.h"
+ 
+@@ -123,12 +122,17 @@ static inline int process_line(const char *line,
+     ctx->buffer_id++;
+ 
+     errno = 0;
+-    val = strtol(p, &end, 10);
+-    if ((errno == ERANGE && (val == INT_MAX || val == INT_MIN))
++    val = strtoul(p, &end, 10);
++    if ((errno == ERANGE && val == ULONG_MAX)
+         || (errno != 0 && val == 0)) {
+         goto fail;
+     }
+ 
++    /* ensure something was consumed */
++    if (end == p) {
++        goto fail;
++    }
++
+     /* Priority */
+     priority = FLB_KLOG_PRI(val);
+ 
+@@ -144,24 +148,35 @@ static inline int process_line(const char *line,
+     }
+     p++;
+ 
+-    val = strtoul(p, &end, 10);
+-    if ((errno == ERANGE && (val == INT_MAX || val == INT_MIN))
++    val = strtoull(p, &end, 10);
++    if ((errno == ERANGE && val == ULLONG_MAX)
+         || (errno != 0 && val == 0)) {
+         goto fail;
+     }
+ 
++    /* make sure strtoull consumed something */
++    /* after the sequence number, the next char must be ',' */
++    if (end == p || *end != ',') {
++        goto fail;
++    }
++
+     sequence = val;
+     p = ++end;
+ 
+     /* Timestamp */
+-    val = strtoul(p, &end, 10);
+-    if ((errno == ERANGE && (val == INT_MAX || val == INT_MIN))
++    val = strtoull(p, &end, 10);
++    if ((errno == ERANGE && val == ULLONG_MAX)
+         || (errno != 0 && val == 0)) {
+         goto fail;
+     }
+ 
++    /* ensure something was consumed */
++    if (end == p) {
++        goto fail;
++    }
++
+     tv.tv_sec  = val/1000000;
+-    tv.tv_usec = val - (tv.tv_sec * 1000000);
++    tv.tv_usec = val - ((uint64_t)tv.tv_sec * 1000000);
+ 
+     flb_time_set(&ts, ctx->boot_time.tv_sec + tv.tv_sec, tv.tv_usec * 1000);
+ 

hostmngr/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostmngr
-PKG_VERSION:=1.3.2
+PKG_VERSION:=1.3.3
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=775964f1c4a2fa57bfdf56b6bebebad211483234
+PKG_SOURCE_VERSION:=fee5bd0067fc1f30498bc2b81e893d170796b459
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/hostmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

icwmp/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.9.9.2
+PKG_VERSION:=9.9.9.5
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=10750ecdf2bebaee464417df309445a20f361841
+PKG_SOURCE_VERSION:=f3d5843c54a4c1c3e74629f0953a3bf144c2fa8e
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

libwifi/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.13.5
+PKG_VERSION:=7.13.7
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=32bd594f6bb4b46de5d57b4865e16f5fbe8c7b72
+PKG_SOURCE_VERSION:=0b3cc45334c167d164c2c79e82522f13698abf92
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git
 PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
@@ -61,7 +61,7 @@ else
 endif
 
 ifneq ($(CONFIG_PACKAGE_kmod-mt7915e_en7523),)
-  TARGET_CFLAGS=-DMT7915_VENDOR_EXT
+  TARGET_CFLAGS +=-DMT7915_VENDOR_EXT
 endif
 
 PKG_BUILD_DEPENDS:=PACKAGE_kmod-mt7915e_en7523:mt76_en7523

linux-pam/Makefile

@@ -31,8 +31,8 @@ MESON_ARGS += \
 
 define Package/linux-pam/install
 	$(INSTALL_DIR) $(1)/usr/lib/security
-	$(INSTALL_DIR) $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/pam_faillock.uci_default $(1)/etc/uci-defaults/99-add_pam_faillock
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./linux_pam.init $(1)/etc/init.d/linux_pam
 endef
 
 $(eval $(call BuildPackage,linux-pam))

linux-pam/files/pam_faillock.uci_default

@@ -1,43 +0,0 @@
-#!/bin/sh
-
-create_faillock_files()
-{
-	# also create files needed by pam_faillock
-	touch /var/log/faillock
-	chmod 700 /var/log/faillock
-	touch /var/log/btmp
-	chmod 700 /var/log/btmp
-}
-
-update_pam_common_auth()
-{
-	local file="/etc/pam.d/common-auth"
-	local deny=6
-	local unlock_time=300
-
-	# update pam_unix.so line
-	sed -i -E 's|^.*pam_unix\.so.*|auth\t sufficient\tpam_unix.so nullok_secure|' "$file"
-
-	# Insert pam_faillock lines before and after pam_unix.so
-	sed -i -E "/pam_unix.so nullok_secure/i auth     required       pam_faillock.so preauth deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
-	sed -i -E "/pam_unix.so nullok_secure/a auth     [default=die]  pam_faillock.so authfail audit deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
-}
-
-update_pam_common_account()
-{
-	# update account file
-	sed -i "/pam_unix.so/ i account  required       pam_faillock.so" /etc/pam.d/common-account
-}
-
-if [ -f "/usr/lib/security/pam_faillock.so" ]; then
-	update_pam_common_auth
-	update_pam_common_account
-	create_faillock_files
-fi
-
-if [ -f /etc/config/sshd ]; then
-	uci -q set sshd.@sshd[0].UsePAM=1
-	uci commit sshd
-fi
-
-exit 0

linux-pam/linux_pam.init

@@ -0,0 +1,18 @@
+#!/bin/sh /etc/rc.common
+
+START=11
+STOP=90
+USE_PROCD=1
+
+create_faillock_files()
+{
+	# also create files needed by pam_faillock
+	touch /var/log/faillock
+	chmod 700 /var/log/faillock
+	touch /var/log/btmp
+	chmod 700 /var/log/btmp
+}
+
+boot() {
+	create_faillock_files
+}

logmngr/Config.in

@@ -1,4 +1,5 @@
 if PACKAGE_logmngr
+
 choice
 	prompt "Select backend for syslog management"
 	default LOGMNGR_BACKEND_FLUENTBIT
@@ -31,4 +32,5 @@ config LOGMNGR_VENDOR_LOG_FILE
 	default y
 	help
 		It adds support for Device.DeviceInfo.VendorLogFile. Object.
+
 endif

logmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=logmngr
-PKG_VERSION:=1.0.17
+PKG_VERSION:=1.1.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/logmngr.git
-PKG_SOURCE_VERSION:=ad2636c642d56967e78c0c84bf82cb0e2b6311f2
+PKG_SOURCE_VERSION:=62441fdfe14a39bff8fff7c62307bd7b54d7240f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -29,7 +29,6 @@ define Package/logmngr
  CATEGORY:=Utilities
  TITLE:=Logging Manager
  DEPENDS:=+LOGMNGR_BACKEND_FLUENTBIT:fluent-bit
- DEPENDS+=+@LOGMNGR_BACKEND_FLUENTBIT:BUSYBOX_CONFIG_KLOGD
  DEPENDS+=+LOGMNGR_BACKEND_SYSLOG_NG:syslog-ng
  DEPENDS+=+LOGMNGR_LOGROTATE:logrotate
  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
@@ -53,31 +52,35 @@ endif
 
 define Package/logmngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/logmngr.init $(1)/etc/init.d/logmngr
-
+	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(INSTALL_BIN) ./files/10-logmngr_config_generate $(1)/etc/uci-defaults/
 
+	$(INSTALL_BIN) ./files/etc/init.d/logmngr $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/etc/config/logmngr $(1)/etc/config/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/10-logmngr_config_migrate $(1)/etc/uci-defaults/
+
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfsyslog.so $(1) core 10
+
+	# Install logmngr service backend
 	$(INSTALL_DIR) $(1)/lib/logmngr
 ifeq ($(CONFIG_LOGMNGR_BACKEND_FLUENTBIT),y)
-	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
-	$(INSTALL_DIR) $(1)/usr/libexec
-	$(INSTALL_BIN) ./files/logmngr-klogd $(1)/usr/libexec/
 	$(INSTALL_DIR) $(1)/sbin
 	$(INSTALL_BIN) ./files/logread $(1)/sbin/
-endif
-ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
+	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
+else ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/syslog-ng.sh $(1)/lib/logmngr/
 endif
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfsyslog.so $(1) core 10
+
 ifeq ($(CONFIG_LOGMNGR_LOGROTATE),y)
-	$(INSTALL_BIN) ./files/11-logmngr_logrotate_config_generate $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/lib/logmngr/logrotate.sh $(1)/lib/logmngr/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/11-logmngr_logrotate_syslog $(1)/etc/uci-defaults/
 	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbflogrotate.so $(1) sysmngr 11
 endif
+
 ifeq ($(CONFIG_LOGMNGR_VENDOR_LOG_FILE),y)
 	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfvendorlog.so $(1) sysmngr 12
 endif
+
 endef
 
 $(eval $(call BuildPackage,logmngr))

logmngr/files/10-logmngr_config_generate

@@ -1,26 +0,0 @@
-#!/bin/sh
-
-if uci -q get logmngr.@globals[0] >/dev/null; then
-	# return if there is any valid content
-	exit 0
-else
-	rm -f /etc/config/logmngr
-fi
-
-touch /etc/config/logmngr
-
-uci set logmngr.globals=globals
-uci set logmngr.globals.enable=1
-
-uci set logmngr.a1=action
-uci set logmngr.a1.name="ac1"
-
-uci set logmngr.lf1=log_file
-uci set logmngr.lf1.enable=1
-uci set logmngr.lf1.action="ac1"
-uci set logmngr.lf1.file="/var/log/messages"
-
-uci set logmngr.lr1=log_remote
-uci set logmngr.lr1.enable=0
-uci set logmngr.lr1.action="ac1"
-uci set logmngr.lr1.port="514"

logmngr/files/etc/config/logmngr

@@ -0,0 +1,26 @@
+config globals 'globals'
+	option enable '1'
+
+config source 'default_source'
+	option name 'default_source'
+	option system_messages '1'
+	option kernel_messages '1'
+
+config template 'default_template'
+	option name 'default_template'
+	option expression '{time} {hostname} {ident}[{pid}]: {message}'
+
+config action 'default_action'
+	option name 'default_action'
+	list source 'default_source'
+	option template 'default_template'
+
+config log_file 'lf1'
+	option enable '1'
+	option action 'default_action'
+	option file '/var/log/messages'
+
+config log_remote 'lr1'
+	option enable '0'
+	option action 'default_action'
+	option port '514'

logmngr/files/etc/uci-defaults/10-logmngr_config_migrate

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# check if this is a new type UCI or old type UCI
+if ! uci -q get logmngr.default_source > /dev/null; then
+	uci -q set logmngr.default_source=source
+	uci -q set logmngr.default_source.name='default_source'
+	uci -q set logmngr.default_source.system_messages='1'
+	uci -q set logmngr.default_source.kernel_messages='1'
+fi
+
+if ! uci -q get logmngr.default_template > /dev/null; then
+	uci -q set logmngr.default_template=template
+	uci -q set logmngr.default_template.name='default_template'
+	uci -q set logmngr.default_template.expression='{time} {hostname} {ident}[{pid}]: {message}'
+fi
+
+if uci -q get logmngr.a1 >/dev/null; then
+	uci -q rename logmngr.a1='default_action'
+	uci -q set logmngr.default_action.name='default_action'
+	uci -q set logmngr.default_action.template='default_template'
+
+	uci -q delete logmngr.default_action.source
+	uci -q add_list logmngr.default_action.source='default_source'
+fi
+
+if uci -q get logmngr.lf1 >/dev/null; then
+	uci -q rename logmngr.lf1='default_logfile'
+	uci -q set logmngr.default_logfile.action='default_action'
+fi
+
+if uci -q get logmngr.lr1 >/dev/null; then
+	uci -q rename logmngr.lr1='default_logremote'
+	uci -q set logmngr.default_logremote.action='default_action'
+fi
+
+exit 0

logmngr/files/etc/uci-defaults/11-logmngr_logrotate_syslog

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # Adds a default log rotate policy if none exists
-if uci -q get logmngr.@log_rotate[0] >/dev/null; then
+if uci -q get logmngr.lro1 >/dev/null; then
 	# return if there is any valid content
 	exit 0
 fi

logmngr/files/lib/logmngr/fluent-bit.sh

@@ -6,6 +6,37 @@
 CONF_FILE=/etc/fluent-bit/fluent-bit.conf
 TMP_CONF_FILE=/tmp/fluent-bit/fluent-bit.conf
 FLUENT_BIT_CONF_DIR=/etc/fluent-bit/conf.d
+PROCESSED_SYSLOG_TAGS=""
+PROCESSED_KMSG_TAGS=""
+
+# check if syslog source section is already processed
+# and add it to the list of processed source sections
+syslog_tag_already_processed() {
+	local tag="$1"
+
+	for t in $PROCESSED_SYSLOG_TAGS; do
+		[ "$t" = "$tag" ] && return 0
+	done
+
+	PROCESSED_SYSLOG_TAGS="$tag $PROCESSED_SYSLOG_TAGS"
+
+	return 1
+}
+
+# check if kmsg source section is already processed
+# and add it to the list of processed source sections
+# two separate functions used because we want to populate
+# appropriate PROCESSED variable
+kmsg_tag_already_processed() {
+	local tag="$1"
+	for t in $PROCESSED_KMSG_TAGS; do
+		[ "$t" = "$tag" ] && return 0
+	done
+
+	PROCESSED_KMSG_TAGS="$tag $PROCESSED_KMSG_TAGS"
+
+	return 1
+}
 
 append_conf() {
 	echo "$*" >> ${TMP_CONF_FILE}
@@ -20,205 +51,276 @@ create_config_file() {
 	# also, if no file is found then fluent-bit aborts
 	# so only add include if any file is present in the FLUENT_BIT_CONF_DIR
 	if [ -d "$FLUENT_BIT_CONF_DIR" ] && [ "$(ls -A "$FLUENT_BIT_CONF_DIR")" ]; then
-		echo "@INCLUDE ${FLUENT_BIT_CONF_DIR}/*" >> ${TMP_CONF_FILE}
+		append_conf "@INCLUDE ${FLUENT_BIT_CONF_DIR}/*"
 	fi
-	echo "" >> ${TMP_CONF_FILE}
+	append_conf ""
 }
 
 create_service_section() {
 	# the service section of the fluent-bit.conf file has hardcoded values,
 	# no need to lookup any uci section to configure this section
-	echo "[SERVICE]" >> ${TMP_CONF_FILE}
-	echo "    flush        1" >> ${TMP_CONF_FILE}
-	echo "    daemon       off" >> ${TMP_CONF_FILE}
-	echo "    log_level    info" >> ${TMP_CONF_FILE}
-	echo "    coro_stack_size    24576" >> ${TMP_CONF_FILE}
-	echo "    parsers_file /etc/fluent-bit/parsers.conf" >> ${TMP_CONF_FILE}
-	echo "    hot_reload        on" >> ${TMP_CONF_FILE}
-	echo "" >> ${TMP_CONF_FILE}
+	append_conf "[SERVICE]"
+	append_conf "    flush        1"
+	append_conf "    daemon       off"
+	append_conf "    log_level    info"
+	append_conf "    coro_stack_size    24576"
+	append_conf "    parsers_file /etc/fluent-bit/parsers.conf"
+	append_conf "    hot_reload        on"
+	append_conf ""
+}
+
+create_default_filters() {
+	append_conf "[FILTER]"
+	append_conf "    name            modify"
+	append_conf "    match           KM*"
+	append_conf "    add             ident   kernel"
+	append_conf "    rename          msg     message"
+	append_conf ""
+
+	append_conf "[FILTER]"
+	append_conf "    name            sysinfo"
+	append_conf "    match           *"
+	append_conf "    hostname_key    hostname"
+	append_conf ""
 }
 
 create_input_section() {
 	local tag="$1"
 
-	# the input in our case is always syslog, hence, this section of the
-	# fluent-bit.conf file has hardcoded values as well that do not depend
-	# on any uci value
-	echo "[INPUT]" >> ${TMP_CONF_FILE}
-	echo "    name        syslog" >> ${TMP_CONF_FILE}
-	echo "    tag         $tag" >> ${TMP_CONF_FILE}
-	echo "    path        /dev/log" >> ${TMP_CONF_FILE}
-	echo "" >> ${TMP_CONF_FILE}
+	[ -z "$tag" ] && return
+
+	# check if this source section has already been processed
+	syslog_tag_already_processed "$tag" && return
+
+	append_conf "[INPUT]"
+	append_conf "    name        syslog"
+	append_conf "    unix_perm   0666"
+	append_conf "    tag         $tag"
+	append_conf "    path        /dev/log"
+	append_conf ""
 }
 
-generate_facility_regex() {
-	local facility_level=$1
-	local pri=0
+populate_allowed_logs() {
+	local facility_level sev_level
+	local section="$1"
 
-	if [ "$facility_level" == "24" ]; then
-		# value 24 means all facility level, which is as good as not
-		# generating a filter section, so return
-		return
-	fi
+	[ -z "$section" ] && return
 
-	# facility_level is a list value, hence, generate regex for
-	# each value
-	IFS=" "
-	for val in $facility_level; do
-		# as per rfc 5424 and 3164, pri in syslog msg is
-		# facility*8+severity. Severity value can range from 0-7 hence
-		# generate regex for each.
-		for sval in 0 1 2 3 4 5 6 7; do
-			pri=`expr $val \* 8 + $sval`
-			echo "    regex        pri $pri" >> ${TMP_CONF_FILE}
-		done
-	done
-}
+	# reset
+	match_pattern=""
+	facilities=""
+	all_facilities=0
+	kern_facility=0
+	severities=""
+	sev_compare=1
+	sev_action=0
 
-generate_severity_regex() {
-	local sev_level="$1"
-	local sev_compare="$2"
-	local sev_action="$3"
+	# read config
+	config_get match_pattern $section pattern_match
 
-	local pri=0
-	local param="exclude"
-
-	if [ "$sev_action" == "0" ]; then
-		param="regex"
-	fi
-
-	local fval=0
-	if [ "$sev_compare" == "0" ]; then
-		# generate regex for all facility values, with severity=sev_level
-		while [ $fval -le 23 ] ; do
-			pri=`expr $fval \* 8 + $sev_level`
-			echo "    $param        pri $pri" >> ${TMP_CONF_FILE}
-			fval=$((fval + 1))
-		done
-	elif [ "$sev_compare" == "1" ]; then
-		# generate regex for all severity value greater than or equal to
-		# sev_level. please, lower value have higher precedence, so sev_level
-		# 0 which is emergency has higher precedence than error which is 3
-		while [ $fval -le 23 ] ; do
-			sval=0
-			while [ $sev_level -ge $sval ]; do
-				pri=`expr $fval \* 8 + $sval`
-				echo "    $param        pri $pri" >> ${TMP_CONF_FILE}
-				sval=$((sval + 1))
-			done
-			fval=$((fval + 1))
-		done
-	fi
-}
-
-handle_filter_conf() {
-	local section="$1" # config filter
-	local filter_name="$2"
-	local name
-
-	# no need to proceed if name of filter section is not one of the values
-	# listed in option filter in config action section
-	config_get name $section name
-	if [ "$name" != "$filter_name" ]; then
-		return
-	fi
-
-	# as per data model, at a time either facility_level or severity_level can
-	# be specified along with pattern_match. hence, first process and generate
-	# regex for pattern_match which is common in both condition. Next, we will
-	# process facility_level and return if facility level is defined and not
-	# process severity related params at all.
-
-	local pattern_match
-	config_get pattern_match $section pattern_match
-	if [ -n "$pattern_match" ]; then
-		echo "    regex        $pattern_match" >> ${TMP_CONF_FILE}
-	fi
-
-	local facility_level
 	config_get facility_level $section facility_level
-
-	if [ -n "$facility_level" ]; then
-		generate_facility_regex $facility_level
-		# return from here since if facility_level is defined, then no
-		# need to process severity_level
-		return
-	fi
-
-	local sev_level
-	local sev_compare
-	local sev_action
 	config_get sev_level $section severity_level
+	config_get sev_compare $section severity_compare 1
+	config_get sev_action $section severity_action 0
 
-	if [ -n "$sev_level" ]; then
-		# value 1 of severity compare corresponds to data model
-		# and system default which is EqualorHigher
-		config_get sev_compare $section severity_compare 1
-		# value 0 of severity action corresponds to data model
-		# and system default that is log
-		config_get sev_action $section severity_action 0
+	# normalize facilities
+	if [ -n "$facility_level" ]; then
+		for f in $facility_level; do
+			if [ "$f" = "24" ]; then
+				all_facilities=1
+				# xargs is used to convert from new line separated numbers to space separated numbers
+				facilities="$(seq 0 23 | xargs)"
+				break
+			fi
 
-		generate_severity_regex $sev_level $sev_compare $sev_action
+			if [ "$f" = "0" ]; then
+				kern_facility=1
+			fi
+		done
+
+		if [ "$all_facilities" -eq 0 ]; then
+			facilities="$facility_level"
+		fi
+	else
+		# default to "all facilities" when unset
+        	all_facilities=1
+	        facilities="$(seq 0 23 | xargs)"
 	fi
+
+	# normalize severities
+	case "$sev_level" in
+		8)  	# all severities
+			severities="$(seq 0 7 | xargs)"
+			;;
+		9)  	# none
+			severities="none"
+			;;
+		"") 	# unset, treat as "all"
+			severities="$(seq 0 7 | xargs)"
+			;;
+		*)
+			if [ "$sev_compare" = "0" ]; then
+				# equal
+				severities="$sev_level"
+			else
+				# equl or higher
+				severities="$(seq 0 $sev_level | xargs)"
+			fi
+			;;
+	esac
 }
 
 create_filter_section() {
-	local match="$1"
+	local match_regex="$1"
+	local pattern="$2"
 
-	echo "[FILTER]" >> ${TMP_CONF_FILE}
-	echo "    name        grep" >> ${TMP_CONF_FILE}
-	echo "    match       $match" >> ${TMP_CONF_FILE}
-	echo "    logical_op  or" >> ${TMP_CONF_FILE} # handle multiple filters
+	[ -z "$match_regex" ] && return
+
+	append_conf "[FILTER]"
+	append_conf "    name        grep"
+	append_conf "    match_regex       $match_regex"
+
+	# we need "logical_op or" only in non-pattern sections
+	if [ "$pattern" = "0" ]; then
+		append_conf "    logical_op  or" # handle multiple filters
+	fi
 }
 
-handle_filter_ref() {
-	local filter_name="$1"
-	config_foreach handle_filter_conf filter "$filter_name"
+create_kmsg_input_section() {
+	local tag="$1"
+	local max_sev=7
+
+	[ -z "$tag" ] && return
+	kmsg_tag_already_processed "$tag" && return
+
+	if [ -c "/dev/kmsg" ]; then
+		append_conf "[INPUT]"
+		append_conf "    name       kmsg"
+		append_conf "    tag        $tag"
+
+		# check kern facility (0)
+		if [ "$all_facilities" -eq 1 ] || [ "$kern_facility" -eq 1 ]; then
+			if [ "$severities" != "none" ]; then
+				# severity filtering
+				# only EqualOrHigher is supported by Prio_Level
+				# and only Log action is supported
+				# so set Prio_Level = max severity
+				if [ "$sev_action" = "0" ] && [ "$sev_compare" = "1" ]; then
+					if [ -n "$severities" ]; then
+						max_sev=$(echo $severities | tr ' ' '\n' | sort -n | tail -1)
+					fi
+
+					append_conf "    prio_level $max_sev"
+				fi
+			fi
+		fi
+
+		append_conf ""
+
+		# if severities is none, or
+		# if kern facility has been excluded
+		# then we need to stop kernel logs
+		# sev_action and sev_compare is being checked because we don't want to work with rules that exclude logs
+		if [ "$severities" = "none" ] || { [ "$kern_facility" -eq 0 ] && [ "$all_facilities" -eq 0 ] && [ "$sev_action" = "0" ] && [ "$sev_compare" = "1" ]; }; then
+			# block all
+			# create a filter section that matches on KM* tag
+			# and excludes all messages
+			create_filter_section "KM*" "0"
+			append_conf "    exclude    message ^.*$"
+			append_conf ""
+		fi
+	fi
+}
+
+generate_syslog_filter() {
+	local param="regex"
+
+	[ "$sev_action" = "1" ] && param="exclude"
+
+	# start adding the fluent-bit filter section
+	create_filter_section "SL*" "0"
+
+	if [ "$severities" = "none" ]; then
+		append_conf "    exclude    pri ^.*$"
+		return
+	fi
+
+	for fval in $facilities; do
+		for sval in $severities; do
+			local pri=$((fval * 8 + sval))
+			append_conf "    $param        pri ^${pri}$"
+		done
+	done
+
+	append_conf ""
+}
+
+generate_pattern_filter() {
+	local match_regex="$1"
+	local match_pattern="$2"
+
+	[ -z "$match_regex" ] && return
+	[ -z "$match_pattern" ] && return
+
+	# start adding the fluent-bit filter section
+	create_filter_section "$match_regex" "1"
+	append_conf "    regex        message $match_pattern"
+	append_conf ""
 }
 
 handle_log_file() {
 	local section="$1" # out_file section
-	local match="$2"
+	local linker="$2"
+	local match_regex="$3"
+	local template="$4"
 	local action_ref
 
 	config_get action_ref $section action
-	if [ "$action_ref" != "$match" ]; then
+	if [ "$action_ref" != "$linker" ]; then
 		return
 	fi
 
 	local enabled
-	config_get enabled $section enable
-	if [ "$enabled" == 0 ]; then
+	config_get_bool enabled $section enable
+	if [ "$enabled" = "0" ]; then
 		return
 	fi
 
 	local file
 	config_get file $section file
-	if [ -z "$file" ]; then
+	if [ -z "$file" ] || [ -z "$match_regex" ]; then
 		return
 	fi
 
-	echo "[OUTPUT]" >> ${TMP_CONF_FILE}
-	echo "    name         file" >> ${TMP_CONF_FILE}
-	echo "    match        $match" >> ${TMP_CONF_FILE}
-	echo "    file         $file" >> ${TMP_CONF_FILE}
-	echo "    format       template" >> ${TMP_CONF_FILE}
-	echo "    template     {time} {hostname} {ident}: {message}" >> ${TMP_CONF_FILE}
+	append_conf "[OUTPUT]"
+	append_conf "    name         file"
+	append_conf "    workers      2"
+	append_conf "    match_regex  $match_regex"
+	append_conf "    file         $file"
+
+
+	if [ -n "$template" ]; then
+		append_conf "    format       template"
+		append_conf "    template     ${template}"
+	fi
+
+	append_conf ""
 }
 
 handle_log_remote() {
 	local section="$1"
-	local match="$2"
+	local linker="$2"
+	local match_regex="$3"
 	local action_ref
 
 	config_get action_ref $section action
-	if [ "$action_ref" != "$match" ]; then
+	if [ "$action_ref" != "$linker" ]; then
 		return
 	fi
 
 	local enabled
-	config_get enabled $section enable
-	if [ "$enabled" == 0 ]; then
+	config_get_bool enabled $section enable
+	if [ "$enabled" = "0" ]; then
 		return
 	fi
 
@@ -228,83 +330,167 @@ handle_log_remote() {
 		return
 	fi
 
-	echo "[OUTPUT]" >> ${TMP_CONF_FILE}
-	echo "    name         syslog" >> ${TMP_CONF_FILE}
-	echo "    match        $match" >> ${TMP_CONF_FILE}
-	echo "    host         $address" >> ${TMP_CONF_FILE}
+	append_conf "[OUTPUT]"
+	append_conf "    name         syslog"
+	append_conf "    match_regex  $match_regex"
+	append_conf "    host         $address"
 	append_conf "    syslog_appname_key   ident"
 	append_conf "    syslog_procid_key    pid"
 	append_conf "    syslog_message_key   message"
-
-	local hostname="$(uci -q get 'system.@system[0].hostname')"
-	if [ -n "${hostname}" ]; then
-		append_conf "    syslog_hostname_preset    ${hostname}"
-	fi
+	append_conf "    syslog_hostname_key  hostname"
 
 	local proto # holds value tcp or udp
 	config_get proto ${section} proto
 	if [ -n "$proto" ]; then
 		if [ "$proto" == "tls" ]; then
-			echo "    mode         tcp" >> ${TMP_CONF_FILE}
-			echo "    tls          on" >> ${TMP_CONF_FILE}
+			append_conf "    mode         tcp"
+			append_conf "    tls          on"
 		else
-			echo "    mode         $proto" >> ${TMP_CONF_FILE}
+			append_conf "    mode         $proto"
 		fi
 	fi
 
 	local port
 	config_get port $section port
 	if [ -n "$port" ]; then
-		echo "    port         $port" >> ${TMP_CONF_FILE}
+		append_conf "    port         $port"
 	fi
 
 	local cert
 	local peer_verify
 	config_get cert $section cert
 	if [ -n "$cert" ]; then
-		echo "    tls.crt_file $cert" >> ${TMP_CONF_FILE}
+		append_conf "    tls.crt_file $cert"
 
-		config_get peer_verify $section peer_verify
-		if [ "$peer_verify" == "1" ]; then
-			echo "    tls.verify     on" >> ${TMP_CONF_FILE}
+		config_get_bool peer_verify $section peer_verify
+		if [ "$peer_verify" = "1" ]; then
+			append_conf "    tls.verify     on"
 		fi
 	fi
+	append_conf ""
+}
+
+resolve_source_section() {
+	local src_section="$1"
+	local linker="$2"
+	local src_name syslog_en kernel_en
+
+	config_get src_name "$src_section" name
+	[ "$src_name" = "$linker" ] || return
+
+	config_get_bool syslog_en "$src_section" system_messages 1
+	config_get_bool kernel_en "$src_section" kernel_messages 1
+
+	# create an input section using /dev/log or kmsg
+	# and store the tag in a variable
+	# so that later a regex can be made to match this tag
+	# which will be used in output section
+	if [ "$syslog_en" = "1" ]; then
+		source_tag_syslog="SL$src_name"
+		create_input_section "$source_tag_syslog"
+	fi
+
+	if [ "$kernel_en" = "1" ]; then
+		source_tag_kmsg="KM$src_name"
+		create_kmsg_input_section "$source_tag_kmsg"
+	fi
+}
+
+# get the value of option expression from the relevant section
+resolve_template_section() {
+	local tmpl_section="$1"
+	local tmpl_name
+
+	config_get tmpl_name "$tmpl_section" name
+	[ "$tmpl_name" = "$template_ref" ] || return
+
+	config_get template_expr "$tmpl_section" expression
+
+	[ -n "$template_expr" ] && echo "$template_expr"
+}
+
+# loop over template sections and get the value of option expression from the relevant section
+get_template_expression() {
+	local template_ref="$1"
+	[ -n "$template_ref" ] && config_foreach resolve_template_section template
+}
+
+# build a regex that will match all the tags supplied to this function
+build_match_regex() {
+	local tags="$1"
+	local first=1
+	local regex="^("
+	for tag in $tags; do
+		[ "$first" -eq 1 ] && first=0 || regex="$regex|"
+		regex="$regex$tag"
+	done
+	regex="$regex)\$"
+	echo "$regex"
+}
+
+handle_filter_conf() {
+	local section="$1" # config filter
+	local filter_name="$2"
+	local name
+
+	config_get name $section name
+	[ "$name" = "$filter_name" ] || return
+
+	populate_allowed_logs "$filter_name"
 }
 
 handle_action() {
-	local section="$1"
+	local tag_regex filter source_ref template_ref source_sec log_template finst
+	local action_section="$1"
+	local source_tag_syslog source_tag_kmsg
 
-	local filter
-	config_get filter $section filter
+	# shared variables set by populate_allowed_logs
+	match_pattern=""
+	facilities=""
+	all_facilities=0
+	kern_facility=1
+	severities=""
+	sev_compare=1
+	sev_action=0
 
-	# use config action option name as tag for input
-	local tag
-	config_get tag $section name
-	if [ -z "$tag" ]; then
-		return
-	fi
+	config_get action_name "$action_section" name
+	config_get filter "$action_section" filter
+	config_get source_ref "$action_section" source
+	config_get template_ref "$action_section" template
 
-	create_input_section $tag
+	[ -z "$action_name" ] && return
+	[ -z "$source_ref" ] && return
+
+	# read filter section and populate relevant variables
+	# these variables will be used by create_kmsg_input_section
+	# generate_syslog_filter, and generate_pattern_filter functions
 	if [ -n "$filter" ]; then
-		# the only fluentbit filter that is useful for the datamodel is
-		# grep. Also, fluentbit does not seem to handle multiple instances
-		# of FILTER of same kind. Hence, each filter section corresponding
-		# to an action entry in the uci would translate for us into a set of
-		# regex/exclude values instead of individual FILTER section per uci
-		# section filter is a list, treat according
-		create_filter_section $tag
-
-		IFS=" "
 		for finst in $filter; do
-			handle_filter_ref $finst
+			config_foreach handle_filter_conf filter "$finst"
 		done
 	fi
 
-	# handle output, each action can be associated with a out_log and out_syslog
+	# Resolve referenced source sections
+	for source_sec in $source_ref; do
+		config_foreach resolve_source_section source "$source_sec"
+	done
+
+	# build a regex that will match all the sources for this action
+	tag_regex=$(build_match_regex "$source_tag_syslog $source_tag_kmsg")
+
+	if [ -n "$filter" ]; then
+		generate_pattern_filter "$tag_regex" "$match_pattern"
+		generate_syslog_filter
+	fi
+
+	# get the template expression if any is present
+	log_template="$(get_template_expression "$template_ref")"
+
+	# handle output, each action can be associated with an out_log and out_syslog
 	# section so figure out if any out_log or out_syslog section is associated
 	# with this and action and setup output accordingly.
-	config_foreach handle_log_file log_file "$tag"
-	config_foreach handle_log_remote log_remote "$tag"
+	config_foreach handle_log_file log_file "$action_name" "$tag_regex" "$log_template"
+	config_foreach handle_log_remote log_remote "$action_name" "$tag_regex"
 }
 
 handle_action_section() {
@@ -320,13 +506,14 @@ logmngr_init() {
 
 	create_config_file
 	create_service_section
+	create_default_filters
 	handle_action_section
 
 	if [ -f /lib/logmngr/logrotate.sh ]; then
 		logrotate_init
 	fi
 
-	if [ "$enabled" == "0" ]; then
+	if [ "$enabled" = "0" ]; then
 		return
 	fi
 
@@ -340,9 +527,4 @@ logmngr_init() {
 	fi
 	procd_set_param respawn
 	procd_close_instance
-
-	procd_open_instance klogd
-	procd_set_param command /usr/libexec/logmngr-klogd
-	procd_set_param respawn
-	procd_close_instance
 }

logmngr/files/logmngr-klogd

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-until [ -S /dev/log ]; do
-	sleep 1
-done
-
-exec /sbin/klogd -n

map-agent/Config.in

@@ -55,6 +55,10 @@ config AGENT_OPER_CHANNEL_CHANGE_RELAY_MCAST
 config AGENT_USE_LIBDPP
 	bool "Depend on libdpp for DPP EasyConnect"
 
+config AGENT_ZEROTOUCH_DPP
+	bool "Enable Zero-touch DPP bootstrapping. Depends on libztdpp.so"
+	default n
+
 config AGENT_CHECK_PARTIAL_WIFI_RELOAD
 	bool "Option that allow SSID/PSK simple reload"
 	default y

map-agent/Makefile

@@ -1,13 +1,14 @@
 #
-# Copyright (C) 2020-2023 IOPSYS Software Solutions AB
+# Copyright (C) 2020-2024 IOPSYS Software Solutions AB
+# Copyright (C) 2025 Genexis Sweden AB
 #
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.3.6.14
+PKG_VERSION:=6.3.7.0
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=d5dbeb93a1acb0a61ed2b476510b95abe99cc873
+PKG_SOURCE_VERSION:=ab9fa6ffc6978c84ab9a3b410d31c71c3b185430
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause
@@ -26,7 +27,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/map-agent
   SECTION:=utils
   CATEGORY:=Utilities
-  TITLE:=WiFi multi-AP Agent (EasyMesh R2)
+  TITLE:=Wi-Fi Multi-AP Agent (EasyMesh R6)
   DEPENDS:=+libwifi +libuci +libubox +ubus +libeasy +libieee1905 +ieee1905 \
 	   +ieee1905-map-plugin +ip-bridge +AGENT_USE_LIBDPP:libdpp \
 	   +uuidgen +openssl-util +!TARGET_brcmbca:ebtables-legacy \
@@ -45,9 +46,12 @@ define Package/dynbhd
 	  +ieee1905-map-plugin +map-agent
 endef
 
+ifeq ($(CONFIG_AGENT_ZEROTOUCH_DPP),y)
+  TARGET_CFLAGS += -DZEROTOUCH_DPP
+endif
 
 define Package/map-agent/description
- This package implements EasyMesh R2 compliant WiFi Agent.
+  This package provides EasyMesh R6 compliant Wi-Fi Multi-AP Agent.
 endef
 
 define Package/dynbhd/description

map-agent/files/lib/multiap/map_genconfig

@@ -44,19 +44,16 @@ generate_multiap_config() {
 			2g)
 				mode_band=2
 				priority=2
-				dpp_chan="81/1"
 				channels="1 6 11"
 			;;
 			5g)
 				mode_band=5
 				priority=1
-				dpp_chan="128/36"
 				channels="36-64 100-112"
 			;;
 			6g)
 				mode_band=6
 				priority=0
-				dpp_chan="133/49"
 			;;
 		esac
 
@@ -158,13 +155,17 @@ generate_multiap_config() {
 				uci set mapagent.@bsta[-1].band="$mode_band"
 				uci set mapagent.@bsta[-1].priority="$priority"
 
-				#uci add mapagent dpp_uri
-				#uci set mapagent.@dpp_uri[-1].type="qrcode"
-				#uci set mapagent.@dpp_uri[-1].device="$device"
-				#uci set mapagent.@dpp_uri[-1].ifname="$ifname"
-				#uci set mapagent.@dpp_uri[-1].band="$mode_band"
-				#uci set mapagent.@dpp_uri[-1].chirp_interval="10"
-				#uci add_list mapagent.@dpp_uri[-1].dpp_chan="$dpp_chan"
+				# add dpp_chirp section for 2.4GHz bSTA
+				if [ $mode_band -eq 2 ]; then
+					uci add mapagent dpp_chirp
+					uci set mapagent.@dpp_chirp[-1].type="qrcode"
+					uci set mapagent.@dpp_chirp[-1].device="$device"
+					uci set mapagent.@dpp_chirp[-1].ifname="$ifname"
+					uci set mapagent.@dpp_chirp[-1].band="$mode_band"
+					for channel in $channels; do
+						uci add_list mapagent.@dpp_chirp[-1].channel="$channel"
+					done
+				fi
 
 				if [ $generate_wireless_sta_config -eq 1 ]; then
 					secname="default_sta_${device}"

map-controller/Config.in

@@ -39,6 +39,10 @@ config CONTROLLER_EASYMESH_VENDOR_EXT_OUI
 config CONTROLLER_USE_LIBDPP
 	bool "Depend on libdpp for DPP EasyConnect"
 
+config CONTROLLER_ZEROTOUCH_DPP
+	bool "Enable Zero-touch DPP bootstrapping via passphrase."
+	default n
+
 config CONTROLLER_PROPAGATE_PROBE_REQ
 	depends on CONTROLLER_EASYMESH_VENDOR_EXT
 	bool "Enable publishing probe requests vendor specific messages as UBUS events"

map-controller/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.4.0.14
+PKG_VERSION:=6.4.4.0
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=28981d46cfff30516d478da700ae9d710247cabe
+PKG_SOURCE_VERSION:=d2e91ca156dbe0b44f0fc551b0a353137343fdf1
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>
 
 LOCAL_DEV=0
@@ -36,6 +36,9 @@ ifeq ($(CONFIG_CONTROLLER_USE_LIBDPP),y)
   TARGET_CFLAGS += -DUSE_LIBDPP
 endif
 
+ifeq ($(CONFIG_CONTROLLER_ZEROTOUCH_DPP),y)
+  TARGET_CFLAGS += -DZEROTOUCH_DPP
+endif
 
 define Package/map-controller/description
  This package provides WiFi MultiAP Controller as per the EasyMesh-R2 specs.
@@ -81,6 +84,7 @@ define Build/InstallDev
 	$(CP) $(PKG_BUILD_DIR)/src/cntlr_commands_impl.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/cntlr_commands.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/cntlr_apis.h $(1)/usr/include/map-controller
+	$(CP) $(PKG_BUILD_DIR)/src/cntlr_plugin.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/wifi_opclass.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/steer_module.h $(1)/usr/include/map-controller
 	$(CP) $(PKG_BUILD_DIR)/src/timer.h $(1)/usr/include/map-controller

map-controller/files/etc/config/mapcontroller

@@ -10,8 +10,9 @@ config controller 'controller'
 	option primary_pcp '0'
 	option stale_sta_timeout '30d'
 	option de_collect_interval '60'
+	list plugin 'zerotouch'
 
-config sta_steering
+config sta_steering 'sta_steering'
 	option enable_sta_steer '1'
 	option enable_bsta_steer '0'
 	option rcpi_threshold_2g '70'
@@ -23,8 +24,10 @@ config sta_steering
 	option plugins_enabled '1'
 	option plugins_policy 'any'
 	list plugins 'rcpi'
+	list plugins 'rate'
+	list plugins 'bsteer'
 
-config channel_plan
+config channel_plan 'channel_plan'
 	option preclear_dfs '0'
 	option acs '0'
 

map-controller/files/etc/uci-defaults/99-mapcntlr-uci-rename-singletons

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+cfg=mapcontroller
+
+# singleton sections
+sections="channel_plan sta_steering"
+
+for sec in $sections; do
+    # find unnamed section of given type, only index 0
+    s=$(uci show $cfg | grep -oE "@${sec}\[0\]" | sort -u)
+    [ "$s" = "" ] && continue
+
+    uci rename $cfg.$s=$sec
+done
+
+uci commit $cfg

map-plugins/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-plugins
-PKG_VERSION:=0.0.4
+PKG_VERSION:=1.1.2
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=74bf151851112ecee731d447af016c8dc668adcf
+PKG_SOURCE_VERSION:=a76610182366cf05ed7e8f5fbac26890b709eeb4
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-plugins.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -27,11 +27,18 @@ include $(INCLUDE_DIR)/package.mk
 
 include $(wildcard plugins/*.mk)
 
+TARGET_CFLAGS += \
+	-I$(STAGING_DIR)/usr/include \
+	-I$(STAGING_DIR)/usr/include/libnl3 \
+	-D_GNU_SOURCE
+
 MAKE_FLAGS += \
 	CFLAGS="$(TARGET_CFLAGS) -Wall"
 
 plugins := \
-	$(if $(CONFIG_PACKAGE_map-plugins-steer-rate),steer-rate)
+	$(if $(CONFIG_PACKAGE_map-plugins-steer-rate),steer-rate)   \
+	$(if $(CONFIG_PACKAGE_map-plugins-bsteer),bsteer) \
+	$(if $(CONFIG_PACKAGE_map-plugins-zero-touch),zero-touch)
 
 ppkg:=$(patsubst plugins/%.mk,map-plugins-%,$(wildcard plugins/*.mk))
 
@@ -52,7 +59,7 @@ define Package/map-plugins
 endef
 
 define Package/map-plugins/description
-	Provides extra Multi-AP services viz. steering, channel-planning etc.
+	Provides extra Multi-AP services viz. steering, channel-planning, self-organizing network etc.
 endef
 
 define Package/map-plugins/install
@@ -60,9 +67,8 @@ define Package/map-plugins/install
 endef
 
 define Build/Compile
-	$(foreach p,$(ppkg),$(call Build/Compile/$(p),$(1)))
+	$(foreach p,$(plugins),$(call Build/Compile/map-plugins-$(p), $(1)))
 endef
 
-
 $(eval $(call BuildPackage,map-plugins))
 $(eval $(foreach p,$(ppkg),$(call BuildPackage,$(p))))

map-plugins/plugins/bsteer.mk

@@ -0,0 +1,20 @@
+define Package/map-plugins-bsteer
+	$(call Package/map-plugins/Default)
+	TITLE:=Wi-Fi backhaul steering plugin based on maximizing backhaul throughput
+	DEPENDS= +libubox +libuci +libubus +libeasy +libnl-genl \
+		 +libjson-c +libblobmsg-json +map-controller \
+		 +map-plugins
+endef
+
+define Package/map-plugins-bsteer/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/lib/mapcontroller
+	$(CP) $(PKG_BUILD_DIR)/steer/bsteer/bsteer.so $(1)/usr/lib/mapcontroller/bsteer.so
+endef
+
+define Build/Compile/map-plugins-bsteer
+	$(MAKE) -C $(PKG_BUILD_DIR)/steer/bsteer \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDFLAGS="$(TARGET_LDFLAGS)";
+endef

map-plugins/plugins/steer-rate.mk

@@ -16,5 +16,5 @@ define Build/Compile/map-plugins-steer-rate
 	$(MAKE) -C $(PKG_BUILD_DIR)/steer/rate \
 		CC="$(TARGET_CC)" \
 		CFLAGS="$(TARGET_CFLAGS)" \
-		LDFLAGS="$(TARGET_LDFLAGS)"
+		LDFLAGS="$(TARGET_LDFLAGS)";
 endef

map-plugins/plugins/zero-touch.mk

@@ -0,0 +1,22 @@
+define Package/map-plugins-zero-touch
+	$(call Package/map-plugins/Default)
+	TITLE:=Full Zero-touch bootstrapping of Wi-Fi Repeater device(s)
+	DEPENDS= +libubox +libuci +libubus +libeasy +libnl-genl \
+		 +libjson-c +libblobmsg-json +map-controller \
+		 +map-plugins
+endef
+
+define Package/map-plugins-zero-touch/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/lib/mapcontroller
+	$(CP) $(PKG_BUILD_DIR)/zero-touch/zerotouch.so $(1)/usr/lib/mapcontroller/zerotouch.so
+	$(CP) $(PKG_BUILD_DIR)/zero-touch/libztdpp.so $(1)/usr/lib/libztdpp.so
+
+endef
+
+define Build/Compile/map-plugins-zero-touch
+	$(MAKE) -C $(PKG_BUILD_DIR)/zero-touch \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDFLAGS="$(TARGET_LDFLAGS)";
+endef

mosquitto-auth-shadow/Config.in

@@ -0,0 +1,7 @@
+if PACKAGE_mosquitto-auth-shadow
+
+config MOSQUITTO_AUTH_PAM_SUPPORT
+	bool "Enable support of Linux PAM module for Authentication"
+	default y
+
+endif

mosquitto-auth-shadow/Makefile

@@ -14,12 +14,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mosquitto-auth-shadow
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.1.0
 
 PKG_MAINTAINER:=Erik Karlsson <erik.karlsson@genexis.eu>
 PKG_LICENSE:=EPL-2.0
 
 PKG_BUILD_PARALLEL:=1
+PKG_CONFIG_DEPENDS:=CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -27,7 +28,7 @@ define Package/mosquitto-auth-shadow
   SECTION:=net
   CATEGORY:=Network
   TITLE:=mosquitto - /etc/shadow authentication plugin
-  DEPENDS:=+mosquitto-ssl
+  DEPENDS:=+mosquitto-ssl +MOSQUITTO_AUTH_PAM_SUPPORT:libpam
   USERID:=mosquitto=200:mosquitto=200 mosquitto=200:shadow=11
 endef
 
@@ -36,6 +37,14 @@ define Package/mosquitto-auth-shadow/description
   users using /etc/shadow
 endef
 
+define Package/mosquitto-auth-shadow/config
+	source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT),y)
+TARGET_CFLAGS+=-DENABLE_PAM_SUPPORT
+endif
+
 define Package/mosquitto-auth-shadow/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_shadow.so $(1)/usr/lib/

mosquitto-auth-shadow/src/Makefile

@@ -19,7 +19,7 @@ all: $(TARGETS)
 	$(CC) $(CFLAGS) -Wall -Werror -fPIC -c -o $@ $<
 
 mosquitto_auth_shadow.so: mosquitto_auth_shadow.pic.o
-	$(CC) $(LDFLAGS) -shared -o $@ $^
+	$(CC) $(LDFLAGS) -shared -o $@ $^ $(if $(filter -DENABLE_PAM_SUPPORT,$(CFLAGS)),-lpam)
 
 clean:
 	rm -f *.o $(TARGETS)

mosquitto-auth-shadow/src/mosquitto_auth_shadow.c

@@ -15,22 +15,78 @@
 #include <string.h>
 #include <shadow.h>
 #include <crypt.h>
+#include <stdlib.h>
 #include <mosquitto.h>
 #include <mosquitto_broker.h>
 #include <mosquitto_plugin.h>
 
-static int basic_auth_callback(int event, void *event_data, void *userdata)
+#ifdef ENABLE_PAM_SUPPORT
+#include <security/pam_appl.h>
+
+static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+	int i;
+	const char *pass = (const char *)appdata_ptr;
+
+	*resp = calloc(num_msg, sizeof(struct pam_response));
+	if (*resp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
+		return PAM_BUF_ERR;
+	}
+
+	if (pass == NULL)
+		return PAM_SUCCESS;
+
+	for (i = 0; i < num_msg; ++i) {
+		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+			(*resp)[i].resp = strdup(pass);
+			if ((*resp)[i].resp == NULL) {
+				for (int j = 0; j < i ; j++)
+					free((*resp)[j].resp);
+
+				free(*resp);
+				*resp = NULL;
+				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
+				return PAM_BUF_ERR;
+			}
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct pam_conv conv;
+	int retval;
+	pam_handle_t *pamh = NULL;
+
+	conv.conv = pam_conversation;
+	conv.appdata_ptr = (void *)ed->password;
+
+	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
+	if (retval != PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
+		return MOSQ_ERR_AUTH;
+	}
+
+	retval = pam_authenticate(pamh, 0);
+	pam_end(pamh, retval);
+	if (retval == PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
+		return MOSQ_ERR_SUCCESS;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
+	return MOSQ_ERR_AUTH;
+}
+#else
+static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
 {
-	struct mosquitto_evt_basic_auth *ed = event_data;
 	struct spwd spbuf, *sp = NULL;
 	char buf[256];
 	struct crypt_data data;
 	char *hash;
 
-	/* Let other plugins or broker decide about anonymous login */
-	if (ed->username == NULL)
-		return MOSQ_ERR_PLUGIN_DEFER;
-
 	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
 
 	if (sp == NULL || sp->sp_pwdp == NULL)
@@ -54,6 +110,22 @@ static int basic_auth_callback(int event, void *event_data, void *userdata)
 
 	return MOSQ_ERR_AUTH;
 }
+#endif
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+	struct mosquitto_evt_basic_auth *ed = event_data;
+
+	/* Let other plugins or broker decide about anonymous login */
+	if (ed->username == NULL)
+		return MOSQ_ERR_PLUGIN_DEFER;
+
+#ifdef ENABLE_PAM_SUPPORT
+	return process_pam_auth_callback(ed);
+#else
+	return process_shadow_auth_callback(ed);
+#endif
+}
 
 int mosquitto_plugin_version(int supported_version_count,
 			     const int *supported_versions)

netmode/files/etc/netmodes/routed-dhcp/scripts/10-routed-dhcp

@@ -17,6 +17,8 @@ l3_mcast_config() {
 l3_network_config() {
 	logger -s -p user.info -t "netmode" "Generating L3 network configuration"
 
+	wandev="$(uci -q get network.WAN.ifname)"
+
 	# Configure L3 Network Mode
 	uci -q set network.lan=interface
 	uci -q set network.lan.device='br-lan'
@@ -36,11 +38,35 @@ l3_network_config() {
 	uci -q delete network.wan.disabled
 	uci -q delete network.wan.username
 	uci -q delete network.wan.password
+	uci -q delete network.wan.ipaddr
+	uci -q delete network.wan.gateway
+	uci -q delete network.wan.netmask
 
 	uci -q set network.wan6=interface
 	uci -q set network.wan6.proto='dhcpv6'
 	uci -q delete network.wan6.disabled
 
+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		uci -q set network.vlan_${NETMODE_vlanid}=device
+		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
+		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
+		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
+		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+
+		wandev="$wandev.$NETMODE_vlanid"
+	fi
+
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan6.device="$wandev"
+
+	uci -q delete network.wan.dns
+	if [ -n "$NETMODE_dns_servers" ]; then
+		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
+		for server in $dns_servers; do
+		    uci -q add_list network.wan.dns=$server
+		done
+	fi
+
 	uci -q delete network.br_lan.ports
 	uci -q set network.br_lan.bridge_empty='1'
 
@@ -61,12 +87,6 @@ l3_network_config() {
 			[ -n "$device" ] && uci add_list network.br_lan.ports="$device"
 		fi
 		json_select ..
-		json_select wan 2>/dev/null
-		json_get_var device device
-		if [ -n "$device" ]; then
-			uci -q set network.wan.device="$device"
-			uci -q set network.wan6.device="$device"
-		fi
 		json_cleanup
 	fi
 

netmode/files/etc/netmodes/routed-pppoe/scripts/10-routed-pppoe

@@ -17,6 +17,8 @@ l3_mcast_config() {
 l3_network_pppoe_config() {
 	logger -s -p user.info -t "netmode" "Generating L3 network configuration"
 
+	wandev="$(uci -q get network.WAN.ifname)"
+
 	# Configure L3 Network Mode
 	uci -q set network.lan=interface
 	uci -q set network.lan.device='br-lan'
@@ -36,9 +38,33 @@ l3_network_pppoe_config() {
 	uci -q set network.wan.username="$NETMODE_username"
 	uci -q set network.wan.password="$NETMODE_password"
 	uci -q delete network.wan.disabled
+	uci -q delete network.wan.ipaddr
+	uci -q delete network.wan.gateway
+	uci -q delete network.wan.netmask
 
 	uci -q set network.wan6.disabled='1'
 
+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		uci -q set network.vlan_${NETMODE_vlanid}=device
+		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
+		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
+		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
+		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+
+		wandev="$wandev.$NETMODE_vlanid"
+	fi
+
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan6.device="$wandev"
+
+	uci -q delete network.wan.dns
+	if [ -n "$NETMODE_dns_servers" ]; then
+		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
+		for server in $dns_servers; do
+		    uci -q add_list network.wan.dns=$server
+		done
+	fi
+
 	uci -q delete network.br_lan.ports
 	uci -q set network.br_lan.bridge_empty='1'
 
@@ -59,12 +85,6 @@ l3_network_pppoe_config() {
 			[ -n "$device" ] && uci add_list network.br_lan.ports="$device"
 		fi
 		json_select ..
-		json_select wan 2>/dev/null
-		json_get_var device device
-		if [ -n "$device" ]; then
-			uci -q set network.wan.device="$device"
-			uci -q set network.wan6.device="$device"
-		fi
 		json_cleanup
 	fi
 

netmode/files/etc/netmodes/routed-static/scripts/10-routed-static

@@ -0,0 +1,127 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /usr/share/libubox/jshn.sh
+
+source "/etc/device_info"
+
+l3_mcast_config() {
+	# configure L3 mcast config
+	logger -s -p user.info -t "netmode" "Generating L3 mcast configuration"
+
+	rm -f /etc/config/mcast
+	sh /rom/etc/uci-defaults/61-mcast_config_generate
+	uci -q commit mcast
+}
+
+l3_network_config() {
+	logger -s -p user.info -t "netmode" "Generating L3 network configuration"
+
+	wandev="$(uci -q get network.WAN.ifname)"
+
+	# Configure L3 Network Mode
+	uci -q set network.lan=interface
+	uci -q set network.lan.device='br-lan'
+	uci -q set network.lan.proto='static'
+	uci -q set network.lan.ipaddr='192.168.1.1'
+	uci -q set network.lan.netmask='255.255.255.0'
+	uci -q set network.lan.ip6assign='60'
+	uci -q delete network.lan.vendorid
+	uci -q delete network.lan.clientid
+	uci -q delete network.lan.reqopts
+	uci -q delete network.lan.sendopts
+
+	uci -q delete network.lan6	
+
+	uci -q set network.wan=interface
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan.proto='static'
+	uci -q set network.wan.ipaddr="$NETMODE_ipaddr"
+	uci -q set network.wan.gateway="$NETMODE_gateway"
+	uci -q set network.wan.netmask="$NETMODE_netmask"
+	uci -q delete network.wan.disabled
+	uci -q delete network.wan.username
+	uci -q delete network.wan.password
+
+	uci -q set network.wan6.disabled='1'
+
+	if [ -n "$wandev" ] && echo "$NETMODE_vlanid" | grep -Eq '^[0-9]+$' && [ "$NETMODE_vlanid" -ge 1 ]; then
+		uci -q set network.vlan_${NETMODE_vlanid}=device
+		uci -q set network.vlan_${NETMODE_vlanid}.type="8021q"
+		uci -q set network.vlan_${NETMODE_vlanid}.name="$wandev.$NETMODE_vlanid"
+		uci -q set network.vlan_${NETMODE_vlanid}.ifname="$wandev"
+		uci -q set network.vlan_${NETMODE_vlanid}.vid=$NETMODE_vlanid
+
+		wandev="$wandev.$NETMODE_vlanid"
+	fi
+
+	uci -q set network.wan.device="$wandev"
+	uci -q set network.wan6.device="$wandev"
+
+	uci -q delete network.wan.dns
+	if [ -n "$NETMODE_dns_servers" ]; then
+		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"
+		for server in $dns_servers; do
+		    uci -q add_list network.wan.dns=$server
+		done
+	fi
+
+	uci -q delete network.br_lan.ports
+	uci -q set network.br_lan.bridge_empty='1'
+
+	add_port_to_br_lan() {
+		port="$1"
+		[ -n "$port" -a -d /sys/class/net/$port ] || continue
+		uci add_list network.br_lan.ports="$port"
+	}
+
+	if [ -f /etc/board.json ]; then
+		json_load_file /etc/board.json
+		json_select network
+		json_select lan
+		if json_is_a ports array; then
+			json_for_each_item add_port_to_br_lan ports
+		else
+			json_get_var device device
+			[ -n "$device" ] && uci add_list network.br_lan.ports="$device"
+		fi
+		json_select ..
+		json_cleanup
+	fi
+
+	uci -q commit network
+
+	# Enable DHCP Server
+	uci -q set dhcp.lan.ignore=0
+	uci -q set dhcp.wan.ignore=1
+	uci -q commit dhcp
+	/etc/init.d/odhcpd enable
+
+	# Enable SSDPD
+	uci -q set ssdpd.ssdp.enabled="1"
+	uci -q commit ssdpd
+
+	# Update CWMP Agent WAN Interface
+	uci -q set cwmp.cpe.default_wan_interface="wan"
+	uci -q commit cwmp
+
+	# Update gateway WAN Interface
+	uci -q set gateway.global.wan_interface="wan"
+	uci -q commit gateway
+
+	# Enable firewall
+	uci -q set firewall.globals.enabled="1"
+	uci -q commit firewall
+}
+
+l3_network_config
+l3_mcast_config
+
+# If device is already boot-up, assume netmode changed during runtime
+if [ -f /var/run/boot_complete ]; then
+	/etc/init.d/odhcpd restart 2>/dev/null
+	for config in network dhcp ssdpd cwmp gateway firewall mcast; do
+		ubus call uci commit "{\"config\":\"$config\"}"
+		sleep 1
+	done
+fi

netmode/files/etc/netmodes/supported_modes.json

@@ -3,25 +3,90 @@
   "supported_modes": [
     {
       "name": "routed-dhcp",
-      "description": "WAN with DHCP proto (Layer 3)"
+      "description": "DHCP",
+      "supported_args": [
+        {
+          "name": "vlanid",
+          "description": "VLAN ID",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "dns_servers",
+          "description": "DNS Servers",
+          "required": false,
+          "type": "string"
+        }
+      ]
     },
     {
       "name": "routed-pppoe",
-      "description": "WAN with PPPoE (Layer 3)",
+      "description": "PPPoE",
       "supported_args": [
         {
           "name": "username",
-          "description": "PPPoE username",
+          "description": "PPPoE Username",
           "required": true,
-	  "type": "string",
+          "type": "string",
           "#value": "TestUser"
         },
         {
           "name": "password",
-          "description": "PPPoE password",
+          "description": "PPPoE Password",
           "required": true,
-	  "type": "string",
+          "type": "string",
           "#value": "TestPassword"
+        },
+        {
+          "name": "vlanid",
+          "description": "VLAN ID",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "dns_servers",
+          "description": "DNS Servers",
+          "required": false,
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "name": "routed-static",
+      "description": "Static",
+      "supported_args": [
+        {
+          "name": "ipaddr",
+          "description": "IP Address",
+          "required": true,
+          "type": "string",
+          "#value": "93.21.0.104"
+        },
+        {
+          "name": "netmask",
+          "description": "Subnet Mask",
+          "required": true,
+          "type": "string",
+          "#value": "255.255.255.0"
+        },
+        {
+          "name": "gateway",
+          "description": "Default Gateway",
+          "required": true,
+          "type": "string",
+          "#value": "93.21.0.1"
+        },
+        {
+          "name": "vlanid",
+          "description": "VLAN ID",
+          "required": false,
+          "type": "integer"
+        },
+        {
+          "name": "dns_servers",
+          "description": "DNS Servers",
+          "required": false,
+          "type": "string"
         }
       ]
     }

netmode/files/etc/uci-defaults/40_netmode_set_default_netmode

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+enabled="$(uci -q get netmode.global.enabled)"
+[ "$enabled" == "1" ] || exit 0
+
+mode="$(uci -q get netmode.global.mode)"
+[ -n "$mode" ] && exit 0
+
+[ -f /etc/netmodes/supported_modes.json ] || exit 0
+
+# NetMode is enabled without a Mode being set
+# Figure out the current mode from network config
+wanproto=$(uci -q get network.wan.proto)
+curmode=""
+case "$wanproto" in
+	dhcp) curmode="routed-dhcp" ;;
+	pppoe) curmode="routed-pppoe" ;;
+	static) curmode="routed-static" ;;
+esac
+
+found=0
+for md in $(jsonfilter -i /etc/netmodes/supported_modes.json -e "@.supported_modes.*.name"); do
+	[ "$md" == "$curmode" ] && found=1
+done
+
+if [ $found -eq 1 ]; then
+	uci -q set netmode.global.mode="$curmode"
+	echo "$curmode" > /etc/netmodes/.last_mode
+fi

obuspa/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=obuspa
-PKG_VERSION:=10.0.0.16
+PKG_VERSION:=10.0.0.17
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git
-PKG_SOURCE_VERSION:=479ffb3582aa245a84829502d9412ca2539eefca
+PKG_SOURCE_VERSION:=8f0f8cfc2c4048bfed674163030d0b06f96f2da1
 PKG_MAINTAINER:=Vivek Dutta <vivek.dutta@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -32,8 +32,9 @@ define Package/obuspa
   SUBMENU:=TRx69
   TITLE:=USP agent
   MENU:=1
-  DEPENDS:=+libopenssl +libuci +libblobmsg-json +libcurl +libsqlite3 +libubox +libubus +libmosquitto-ssl +libwebsockets-openssl +ca-certificates \
-		+OBUSPA_LOCAL_MQTT_LISTENER:mosquitto-ssl +libjson-c
+  DEPENDS:=+libopenssl +libcurl +libsqlite3 +libmosquitto-ssl +libwebsockets-openssl
+  DEPENDS+=+libjson-c +libubox +libubus +libuci +libblobmsg-json
+  DEPENDS+=+ca-certificates +OBUSPA_LOCAL_MQTT_LISTENER:mosquitto-ssl
   DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
 endef
 

obuspa/files/etc/init.d/obuspa

@@ -6,19 +6,18 @@ USE_PROCD=1
 
 PROG=/usr/sbin/obuspa
 CONFIGURATION=obuspa
-
 ENV_PROFILE="/root/.profile"
 KEEP_FILE="/lib/upgrade/keep.d/obuspa"
 
 RESET_FILE="/tmp/obuspa/fw_defaults"
-SQL_DB_FILE="/tmp/obuspa/usp.db"
-DB_DUMP="/tmp/obuspa/usp.dump_$(date +%s)"
+
+OBUSPA_BOOT_MARKER="/etc/obuspa/.boot"
 
 BASEPATH=""
 INSTANCE_COUNT=0
+CLIENT_ID_PREFIX=""
 
 . /lib/functions/network.sh
-. /usr/share/libubox/jshn.sh
 . /etc/obuspa/usp_utils.sh
 
 global_init()
@@ -30,6 +29,7 @@ global_init()
 log()
 {
 	echo "$*"|logger -t obuspa.init -p debug
+	echo "$*" >/dev/console
 }
 
 db_set_reset_file()
@@ -47,37 +47,9 @@ db_set_reset_file()
 	fi
 }
 
-db_set_sql()
-{
-	local param value
-
-	param="${1}"
-	shift
-	value="$*"
-
-	if [ -n "${param}" ] && [ -n "${value}" ]; then
-		if grep -q "${param} " ${DB_DUMP}; then
-			value="${value//\//\\/}"
-			sed -i "s/${param} .*/${param} \"${value}\"/g" ${DB_DUMP}
-		else
-			echo "${param} \"${value}\"" >> ${DB_DUMP}
-		fi
-	fi
-}
-
 db_set()
 {
-	# if sql db dump file present, update it
-	if [ -f "${DB_DUMP}" ]; then
-		db_set_sql "$@"
-	else
-		db_set_reset_file "$@"
-	fi
-}
-
-dump_db()
-{
-	${PROG} -v0 -f ${SQL_DB_FILE} -c show database |grep "^Internal.\|^Device."|sed '{s/=> /"/g;s/$/"/g}' | sort  > ${DB_DUMP}
+	db_set_reset_file "$@"
 }
 
 # if db present then check if it matches with existing instances
@@ -92,21 +64,6 @@ get_base_path()
 	path=""
 	count=0
 
-	if [ -f "${DB_DUMP}" ]; then
-		path=$(grep -E "${refpath}\d+.Alias \"${value}\"" ${DB_DUMP})
-		path=${path%.*}
-		if [ -z "${path}" ]; then
-			path=$(grep -oE "${refpath}\d+" ${DB_DUMP} |sort -r|head -n 1)
-			if [ -n "${path}" ]; then
-				count=${path##*.}
-				count=$(( count + 1 ))
-			else
-				count=1
-			fi
-			path="${refpath}${count}"
-		fi
-	fi
-
 	if [ -z "${path}" ]; then
 		INSTANCE_COUNT=$(( INSTANCE_COUNT + 1 ))
 		path="${refpath}${INSTANCE_COUNT}"
@@ -122,9 +79,7 @@ get_refrence_path()
 	value="${2}"
 	path=""
 
-	if [ -f "${DB_DUMP}" ]; then
-		path=$(grep -E "${dmref}\d+.Alias " ${DB_DUMP}|grep -w "${value}")
-	elif [ -f "${RESET_FILE}" ]; then
+	if [ -f "${RESET_FILE}" ]; then
 		path=$(grep -E "${dmref}\d+.Alias " ${RESET_FILE}|grep -w "${value}")
 	fi
 	path=${path%.*}
@@ -136,7 +91,7 @@ update_keep()
 	file=${1}
 
 	if [ -z "${file}" ]; then
-		return;
+		return 0
 	fi
 
 	if [ ! -f "${KEEP_FILE}" ]; then
@@ -263,7 +218,7 @@ configure_localagent()
 
 	validate_localagent_section "${1}" || {
 		log "Validation of localagent section failed"
-		return 0;
+		return 0
 	}
 
 	db_set Device.LocalAgent.EndpointID "${EndpointID}"
@@ -271,7 +226,7 @@ configure_localagent()
 
 update_reset_reason()
 {
-	[ -f "/tmp/reset_reason" ] || return 0;
+	[ -f "/tmp/reset_reason" ] || return 0
 
 	if grep -qwi "defaultreset" /tmp/reset_reason; then
 		db_set Internal.Reboot.Cause "FactoryReset"
@@ -310,10 +265,6 @@ get_role_index()
 		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${CTRUST_RESET_FILE} |grep $name)"
 		val="$(echo ${val/.Name /,}|cut -d, -f 1)"
 		echo "$val"
-	elif [ -f "${DB_DUMP}" ]; then
-		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${DB_DUMP} |grep $name)"
-		val="$(echo ${val/.Name /,}|cut -d, -f 1)"
-		echo "$val"
 	else
 		log "Not able to get role ${name}, use Untrusted role"
 		echo "${drole}"
@@ -331,19 +282,19 @@ configure_controller()
 	sec="${1}"
 	validate_controller_section "${1}" || {
 		log "Validation of controller section failed"
-		return 1;
+		return 1
 	}
 
 	sec="${sec/controller_/cpe-}"
 	get_base_path "Device.LocalAgent.Controller." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi
 
 	if [ -z "${Protocol}" ]; then
 		log "controller:: Protocol cannot be empty"
-		return 1;
+		return 1
 	fi
 
 	dm_ref=""
@@ -439,14 +390,14 @@ configure_subscription()
 	sec="${1}"
 	validate_subscription_section "${1}" || {
 		log "Validation of subscription section failed"
-		return 1;
+		return 1
 	}
 
 	sec="${sec/sub_/cpe-}"
 	get_base_path "Device.LocalAgent.Subscription." "sub_${1}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi
 
 	if [ -n "${controller}" ]; then
@@ -483,12 +434,12 @@ configure_challenges()
 	get_base_path "Device.LocalAgent.ControllerTrust.Challenge." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi
 
 	if [ -z "${role_name}" ] && [ -z "${Role}" ]; then
-		log "Either role_name or Role must defined for a challenge";
-		return 1;
+		log "Either role_name or Role must defined for a challenge"
+		return 1
 	fi
 
 	db_set "${BASEPATH}.Alias" "${sec}"
@@ -515,18 +466,18 @@ configure_mtp() {
 	sec="${1}"
 	validate_mtp_section "${1}" || {
 		log "Validation of mtp section failed"
-		return 1;
+		return 1
 	}
 	sec="${sec/mtp_/cpe-}"
 	get_base_path "Device.LocalAgent.MTP." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi
 
 	if [ -z "${Protocol}" ]; then
 		log "Protocol not defined for the mtp[${1}] section"
-		return 1;
+		return 1
 	fi
 
 	dm_ref=""
@@ -584,14 +535,14 @@ configure_stomp_connection() {
 	sec="${1}"
 	validate_stomp_connection_section "${1}" || {
 		log "Validation of stomp section failed"
-		return 1;
+		return 1
 	}
 
 	sec="${sec/stomp_/cpe-}"
 	get_base_path "Device.STOMP.Connection." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
 	fi
 
 	db_set "${BASEPATH}.Alias" "${sec}"
@@ -614,14 +565,18 @@ configure_mqtt_client() {
 	sec="${1}"
 	validate_mqtt_client_section "${1}" || {
 		log "Validation of mqtt section failed"
-		return 1;
+		return 1
 	}
 
 	sec="${sec/mqtt_/cpe-}"
 	get_base_path "Device.MQTT.Client." "${sec}"
 	if [ -z "${BASEPATH}" ]; then
 		log "Failed to get path [$BASEPATH]"
-		return 1;
+		return 1
+	fi
+
+	if [ -z "${ClientID}" ]; then
+		ClientID="${CLIENT_ID_PREFIX}-${sec}"
 	fi
 
 	db_set "${BASEPATH}.Alias" "${sec}"
@@ -648,6 +603,9 @@ configure_obuspa() {
 	fi
 
 	if [ -n "${log_level}" ]; then
+		if [ "${log_level}" -gt "4" ]; then
+			log_level="4"
+		fi
 		procd_append_param command -v "${log_level}"
 	fi
 
@@ -676,13 +634,13 @@ configure_obuspa() {
 
 	if [ -n "${db_file}" ]; then
 		update_keep "${db_file}"
-		procd_append_param command -f "${SQL_DB_FILE}"
+		procd_append_param command -f "${db_file}"
+		if [ -f "${db_file}-journal" ]; then
+			log "SQL Journal detected ..."
+		fi
 	fi
 
 	if [ -f "${RESET_FILE}" ]; then
-		if [ -f "${SQL_DB_FILE}" ]; then
-			mv ${SQL_DB_FILE} ${SQL_DB_FILE}.old
-		fi
 		procd_append_param command -r ${RESET_FILE}
 	fi
 
@@ -701,301 +659,34 @@ configure_obuspa() {
 	fi
 }
 
-get_instances_from_db_dump()
-{
-	local obj inst
-
-	obj="${1}\d+"
-	if [ ! -f "${DB_DUMP}" ]; then
-		echo ""
-		return 0;
-	fi
-
-	inst="$(grep -oE "${obj}" "${DB_DUMP}"|uniq)"
-	echo "$inst"
-}
-
-get_param_value_from_dump()
-{
-	local param value
-
-	param="${1}"
-
-	if [ -z "${param}" ] || [ ! -f "${DB_DUMP}" ]; then
-		log "error getting param"
-		echo ""
-		return 0
-	fi
-
-	value="$(grep "^${param} " ${DB_DUMP}|awk '{print $2}')"
-
-	echo "${value//\"/}"
-}
-
-update_uci_sec()
-{
-	local sec tmp
-
-	sec="${1}"
-	stype="${2}"
-	if [ -z "$sec" ] || [ -z "$stype" ]; then
-		log "No section name, error"
-		return 0
-	fi
-
-	tmp="$(uci_get obuspa "${sec}")"
-	if [ "$tmp" != "$stype" ]; then
-		uci_add obuspa "${stype}" "${sec}"
-	fi
-}
-
-sync_db_controller()
-{
-	local cntrs copts sec pvalue protocol
-
-	copts="Enable EndpointID PeriodicNotifInterval"
-	popts="Destination Topic Host Port Path EnableEncryption"
-
-	cntrs="$(get_instances_from_db_dump Device.LocalAgent.Controller.)"
-	for cntr in $cntrs; do
-		sec="$(get_param_value_from_dump "${cntr}".Alias)"
-		sec="${sec/cpe-/controller_}"
-		sec="${sec/-/_}"
-
-		update_uci_sec "${sec}" controller
-		for param in ${copts}; do
-			pvalue="$(get_param_value_from_dump "${cntr}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-
-		protocol="$(get_param_value_from_dump "${cntr}".MTP.1.Protocol)"
-		if [ -z "${protocol}" ]; then
-			break;
-		fi
-		uci_set obuspa "${sec}" "Protocol" "${protocol}"
-		for param in ${popts}; do
-			pvalue="$(get_param_value_from_dump "${cntr}".MTP.1."${protocol}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-	done
-}
-
-sync_db_localagent_mtp()
-{
-	local mtps opts popts sec pvalue protocol
-
-	opts="Enable"
-	popts="ResponseTopicConfigured Destination Port Path EnableEncryption PublishQoS"
-
-	mtps="$(get_instances_from_db_dump Device.LocalAgent.MTP.)"
-	for inst in $mtps; do
-		sec="$(get_param_value_from_dump "${inst}".Alias)"
-		sec="${sec/cpe-/mtp_}"
-		sec="${sec/-/_}"
-		update_uci_sec "${sec}" mtp
-		for param in ${opts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-
-		protocol="$(get_param_value_from_dump "${inst}".Protocol)"
-		if [ -z "${protocol}" ]; then
-			break;
-		fi
-		uci_set obuspa "${sec}" "Protocol" "${protocol}"
-		for param in ${popts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${protocol}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-	done
-}
-
-
-sync_db_mqtt_client()
-{
-	local mtps copts sec pvalue protocol
-
-	opts="Enable BrokerAddress BrokerPort Username ProtocolVersion TransportProtocol ClientID"
-
-	mtps="$(get_instances_from_db_dump Device.MQTT.Client.)"
-	for inst in $mtps; do
-		sec="$(get_param_value_from_dump "${inst}".Alias)"
-		sec="${sec/cpe-/mqtt_}"
-		sec="${sec/-/_}"
-		update_uci_sec "${sec}" mqtt
-		for param in ${opts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-	done
-}
-
-sync_db_stomp_connection()
-{
-	local mtps copts sec pvalue protocol
-
-	opts="Enable Host Port Username EnableEncryption EnableHeartbeats VirtualHost"
-
-	mtps="$(get_instances_from_db_dump Device.STOMP.Connection.)"
-	for inst in $mtps; do
-		sec="$(get_param_value_from_dump "${inst}".Alias)"
-		sec="${sec/cpe-/stomp_}"
-		sec="${sec/-/_}"
-		update_uci_sec "${sec}" stomp
-		for param in ${opts}; do
-			pvalue="$(get_param_value_from_dump "${inst}"."${param}")"
-			uci_set obuspa "${sec}" "${param}" "${pvalue}"
-		done
-		uci_set obuspa "${sec}" "_sync" "1"
-	done
-}
-
-sync_update_sec()
-{
-	local _sync
-	config_get _sync "${1}" _sync ""
-	if [ -z "${_sync}" ]; then
-		uci_remove obuspa "${1}"
-		log "Deleting obuspa.${1} section ..."
-	else
-		uci_remove obuspa "${1}" _sync
-	fi
-}
-
-sync_uci_with_db()
-{
-	if [ ! -f "${DB_DUMP}" ]; then
-		return 0;
-	fi
-
-	config_load obuspa
-	sync_db_controller
-	sync_db_localagent_mtp
-	sync_db_mqtt_client
-	sync_db_stomp_connection
-	uci_commit obuspa
-
-	config_load obuspa
-	config_foreach sync_update_sec controller
-	config_foreach sync_update_sec mtp
-	config_foreach sync_update_sec mqtt
-	config_foreach sync_update_sec stomp
-	uci_commit obuspa
-}
-
-delete_sql_db_entry_with_pattern()
-{
-	local params pattern
-
-	pattern="${1}"
-	if [ ! -f "${DB_DUMP}" ]; then
-		return 0;
-	fi
-
-	if [ "${#pattern}" -lt 7 ]; then
-		return 0;
-	fi
-
-	#log "Deleting with pattern [${pattern}] from ${DB_DUMP}"
-	sed -i "/${pattern}/d" ${DB_DUMP}
-}
-
-check_n_delete_db()
-{
-	local sec t r path
-
-	sec="${1}"
-	if uci -q get obuspa."${sec}" >/dev/null 2>&1; then
-		return 0
-	fi
-
-	t="${2}"
-	r="${3}"
-	sec="${sec/${t}_/cpe-}"
-
-	path=$(grep -E "${r}\d+.Alias \"${sec}\"" ${DB_DUMP})
-	path=${path%.*}
-
-	delete_sql_db_entry_with_pattern "${path}"
-}
-
-workaround_remove_download_pattern()
-{
-	local inst
-
-	inst="$(cat ${DB_DUMP} |grep -E "Device.DeviceInfo.FirmwareImage.\d.Download()"|grep -oE "Device.LocalAgent.Request.\d.")"
-
-	if [ -n "${inst}" ]; then
-		log "Workaround to remove the old download Request [$inst]"
-		delete_sql_db_entry_with_pattern "${inst}"
-	fi
-}
-
-reverse_update_db_with_uci()
-{
-	if [ ! -f "${DB_DUMP}" ]; then
-		return 0;
-	fi
-
-	export UCI_CONFIG_DIR="/tmp/obuspa"
-	config_load obuspa
-	config_foreach check_n_delete_db controller controller "Device.LocalAgent.Controller."
-	config_foreach check_n_delete_db mtp mtp "Device.LocalAgent.MTP."
-	config_foreach check_n_delete_db mqtt mqtt "Device.MQTT.Client."
-	config_foreach check_n_delete_db stomp stomp "Device.STOMP.Connection."
-	unset UCI_CONFIG_DIR
-}
-
 # Create factory reset file
 db_init()
 {
-	local reason role_file
+	local reason
 
 	reason="${1}"
-	mkdir -p /tmp/obuspa/
-
-	# Load configuration
-	config_load $CONFIGURATION
-	config_get SQL_DB_FILE global db_file "/tmp/obuspa/usp.db"
-	config_get role_file global role_file ""
-
-	if [ -f "${SQL_DB_FILE}.old" ] && [ ! -f "${SQL_DB_FILE}" ]; then
-		log "Copying old db, since new db not present ..."
-		mv ${SQL_DB_FILE}.old ${SQL_DB_FILE}
+	# remove usp.db, in case of reload
+	if [ -f "${OBUSPA_BOOT_MARKER}" ] && [ "${reason}" = "update" ]; then
+		log "Deleting ${OBUSPA_BOOT_MARKER} to enforce values from uci ...."
+		rm -f "${OBUSPA_BOOT_MARKER}"
 	fi
 
-	# Dump datamodel parameters from DB
-	if [ -f "${SQL_DB_FILE}" ]; then
-		dump_db
-	fi
-
-	# In case of Reboot or service restart update the uci
-        # from usp.db file
-	if [ -f "${DB_DUMP}" ] && [ "${reason}" != "update" ]; then
-		# Only do this if db have reasonable data
-		val="$(awk 'END{print NR}' ${DB_DUMP})"
-		if [ "$val" -gt 15 ]; then
-			log "Syncing obuspa uci with usp.db ...."
-			sync_uci_with_db
-		fi
-	fi
-
-	# remove entries from db if deleted from uci, only in case of reload
-	if [ -f "${DB_DUMP}" ] && [ "${reason}" = "update" ] && [ -f "/tmp/obuspa/obuspa" ]; then
-		log "Deleting entries from usp.db if uci not present ...."
-		reverse_update_db_with_uci
+	if [ -f "${OBUSPA_BOOT_MARKER}" ]; then
+		return 0
 	fi
 
 	# Remove reset file if present
-	[ -f "${RESET_FILE}" ] && mv ${RESET_FILE} ${RESET_FILE}.old
+	[ -f "${RESET_FILE}" ] && rm ${RESET_FILE}
+
+	CLIENT_ID_PREFIX="$(db -q get device.deviceinfo.ManufacturerOUI)"
+	CLIENT_ID_PREFIX="${CLIENT_ID_PREFIX}-$(db -q get device.deviceinfo.SerialNumber)"
+	CLIENT_ID_PREFIX="${CLIENT_ID_PREFIX//+/%2b}"
 
 	#log "Create reset file ...."
 	config_load $CONFIGURATION
 	config_get dualstack_pref global dualstack_pref "IPv6"
 
+	log "Enforce uci values, no boot marker"
 	global_init
 	config_foreach configure_localagent localagent
 	global_init
@@ -1011,21 +702,12 @@ db_init()
 	global_init
 	config_foreach configure_challenges challenge
 
+	# enforce ctrust only on upgrades, not on reloads
+	if [ -f "${CTRUST_RESET_FILE}" ] && [ -z "${reason}" ]; then
+		cat ${CTRUST_RESET_FILE} >> ${RESET_FILE}
+	fi
 	update_reset_reason
 	update_dual_stack_pref "${dualstack_pref}"
-
-	uci_commit ${CONFIGURATION}
-
-	cp /etc/config/obuspa /tmp/obuspa/
-	if [ -f "${DB_DUMP}" ]; then
-		workaround_remove_download_pattern
-		mv ${DB_DUMP} ${RESET_FILE}
-	fi
-
-	if [ -f "${CTRUST_RESET_FILE}" ]; then
-		cat ${CTRUST_RESET_FILE} >> ${RESET_FILE}
-		rm ${CTRUST_RESET_FILE}
-	fi
 }
 
 start_service() {
@@ -1037,21 +719,18 @@ start_service() {
 
 	procd_open_instance ${CONFIGURATION}
 	if [ "${enabled}" -eq 1 ]; then
-		db_init "${1}"
 		procd_set_param command ${PROG}
+		db_init "${1}"
 		configure_obuspa
 		procd_set_param respawn \
 			"${respawn_threshold:-10}" \
 			"${respawn_timeout:-10}" "${respawn_retry:-5}"
-		#procd_set_param limits core="unlimited"
 	fi
 	procd_close_instance ${CONFIGURATION}
 }
 
 stop_service() {
-	if command -v timeout >/dev/null 2>&1; then
-		timeout 5 ${PROG} -c stop
-	fi
+	${PROG} -c stop
 }
 
 reload_service() {
@@ -1060,5 +739,6 @@ reload_service() {
 }
 
 service_triggers() {
+	export PROCD_RELOAD_DELAY=3000
 	procd_add_reload_trigger "obuspa"
 }

obuspa/files/etc/obuspa/usp_utils.sh

@@ -1,10 +1,12 @@
 #!/bin/sh
 
-CTRUST_RESET_FILE="/tmp/obuspa/ctrust_reset"
+CTRUST_RESET_FILE="/etc/obuspa/ctrust_reset"
 VENDOR_PREFIX_FILE="/etc/obuspa/vendor_prefix"
 FW_DEFAULT_ROLE_DIR="/etc/users/roles"
 SECURE_ROLES=""
 
+CTRUST_RESET_FILE_TEMP="/tmp/obuspa/ctrust_reset"
+
 mkdir -p /tmp/obuspa/
 
 # include jshn.sh
@@ -23,9 +25,9 @@ db_add()
 	value="$*"
 
 	if [ -n "${param}" ] && [ -n "${value}" ]; then
-		echo "${param} \"${value}\"">>${CTRUST_RESET_FILE}
+		echo "${param} \"${value}\"">>${CTRUST_RESET_FILE_TEMP}
 	else
-		echo >>${CTRUST_RESET_FILE}
+		echo >>${CTRUST_RESET_FILE_TEMP}
 	fi
 }
 
@@ -252,7 +254,10 @@ configure_ctrust_role()
 	if [ -n "${SECURE_ROLES}" ]; then
 		db_add Device.LocalAgent.ControllerTrust.SecuredRoles "${SECURE_ROLES}"
 	fi
+
+	if [ -f "${CTRUST_RESET_FILE_TEMP}" ]; then
+		mv -f "${CTRUST_RESET_FILE_TEMP}" "${CTRUST_RESET_FILE}"
+	fi
 }
 
 # configure_ctrust_role "${@}"
-

obuspa/files/etc/uci-defaults/61-override-ct-roles

@@ -4,5 +4,3 @@
 . /etc/obuspa/usp_utils.sh
 
 configure_ctrust_role
-
-exit 0

obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user

@@ -8,6 +8,7 @@ RETRY_MIN_INTERVAL="5"
 RETRY_INTERVAL_MUL="2000"
 ENDPOINT_ID=""
 CONTROLLER_DISCOVERED=0
+OBUSPA_BOOT_MARKER="/etc/obuspa/.boot"
 
 log()
 {
@@ -57,18 +58,18 @@ get_vivsoi() {
 
 	data="${opt125}"
 	rem_len="${len}"
-	while [ $rem_len -gt 0 ]; do
+	while [ "${rem_len}" -gt 0 ]; do
 		ent_id=${data:0:8}
 		ent_id=$(printf "%d\n" "0x$ent_id")
 
-		if [ $ent_id -ne  3561 ]; then
+		if [ "${ent_id}" -ne  3561 ]; then
 			len_val=${data:8:2}
 			data_len=$(printf "%d\n" "0x$len_val")
 			# add 4 byte for ent_id and 1 byte for len
 			data_len=$(( data_len * 2 + 10 ))
 			# move ahead data to next enterprise id
 			data=${data:"${data_len}":"${rem_len}"}
-			rem_len=$(( rem_len - $data_len ))
+			rem_len=$(( rem_len - data_len ))
 			continue
 		fi
 
@@ -79,7 +80,7 @@ get_vivsoi() {
 		data_len=$(( data_len * 2 + 10 ))
 
 		opt_len=$(printf "%d\n" "0x$len_val")
-		[ $opt_len -eq 0 ] && return
+		[ "${opt_len}" -eq 0 ] && return
 
 		# populate the option data of enterprise id
 		sub_data_len=$(( opt_len * 2))
@@ -98,28 +99,28 @@ get_vivsoi() {
 			sub_opt_len=$(( sub_opt_len * 2 ))
 
 			# get the value of sub option starting 4 means starting after length
-			sub_opt_val=${sub_data:4:${sub_opt_len}}
+			sub_opt_val=${sub_data:4:"${sub_opt_len}"}
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
 				"25")
-					URL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					URL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"26")
-					PROV_CODE=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					PROV_CODE=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"27")
-					RETRY_MIN_INTERVAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					RETRY_MIN_INTERVAL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"28")
-					RETRY_INTERVAL_MUL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					RETRY_INTERVAL_MUL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"29")
-					ENDPOINT_ID=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					ENDPOINT_ID=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 			esac
@@ -131,7 +132,7 @@ get_vivsoi() {
 			sub_data_len=$((sub_data_len - sub_opt_end))
 
 			# fetch next sub option hex string
-			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+			sub_data=${sub_data:"${sub_opt_end}":"${sub_data_len}"}
 		done
 
 		# move ahead data to next enterprise id
@@ -146,7 +147,7 @@ get_access_role()
 
 	lan_proto="$(uci -q get network.lan.proto)"
 
-	if [ "${lan_proto}" == "dhcp" ]; then
+	if [ "${lan_proto}" = "dhcp" ]; then
 		mode="extender"
 	else
 		mode="full_access"
@@ -174,7 +175,7 @@ config_get_bool enable_obuspa global enabled 1
 config_get wan_intf global interface
 config_get_bool dhcp_discovery global dhcp_discovery 1
 
-if [ "$enable_obuspa" = "0" ] || [ "$dhcp_discovery" = "0" ]; then
+if [ "${enable_obuspa}" -eq 0 ] || [ "${dhcp_discovery}" -eq 0 ]; then
 	return 0
 fi
 
@@ -190,9 +191,9 @@ if [ -z "${wan_intf}" ]; then
 	fi
 fi
 
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
+if [ "${wan_intf}" = "${INTERFACE}" ]; then
 	if [ -n "$opt125" ]; then
-		len=$(printf "$opt125"|wc -c)
+		len=$(echo -n "${opt125}"|wc -c)
 		get_vivsoi "$opt125" "$len"
 	fi
 
@@ -228,10 +229,10 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 				;;
 			*)
 				# This is an FQDN, perform DNS query
-				nslookup $URL > /tmp/fqdn_ip
-				nslookup -type=ptr $URL > /tmp/fqdn_ptr
-				nslookup -type=srv $URL > /tmp/fqdn_srv
-				nslookup -type=txt $URL > /tmp/fqdn_srv
+				nslookup "${URL}" > /tmp/fqdn_ip
+				nslookup -type=ptr "${URL}" > /tmp/fqdn_ptr
+				nslookup -type=srv "${URL}" > /tmp/fqdn_srv
+				nslookup -type=txt "${URL}" > /tmp/fqdn_srv
 
 				# TODO extend to collect information from dns-sd records
 				;;
@@ -247,16 +248,16 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		fi
 	fi
 
-	if [ "${proto}" == "mqtt" ] || [ "${proto}" == "mqtts" ]; then
+	if [ "${proto}" = "mqtt" ] || [ "${proto}" = "mqtts" ]; then
 		offered_proto="MQTT"
-		if [ "${proto}" == "mqtt" ]; then
+		if [ "${proto}" = "mqtt" ]; then
 			mtp_encrypt="TCP/IP"
 		else
 			mtp_encrypt="TLS"
 		fi
-	elif [ "${proto}" == "ws" ] || [ "${proto}" == "wss" ]; then
+	elif [ "${proto}" = "ws" ] || [ "${proto}" = "wss" ]; then
 		offered_proto="WebSocket"
-		if [ "${proto}" == "wss" ]; then
+		if [ "${proto}" = "wss" ]; then
 			mtp_encrypt="1"
 		else
 			mtp_encrypt="0"
@@ -265,35 +266,46 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 
 	controllers=$(uci -q show obuspa | grep "=controller" | cut -d'=' -f1 | cut -d'.' -f2)
 	for controller in $controllers; do
-		dhcp_disc=$(uci -q get obuspa.$controller.dhcp_discovered)
+		dhcp_disc=$(uci -q get obuspa."${controller}".dhcp_discovered)
 		if [ "${dhcp_disc}" -eq 1 ]; then
 			dhcp_controller="${controller}"
 			break
 		fi
 	done
 
+	# Check if any of the existing controller section matches with the endpointid
+	if [ -z "${dhcp_controller}" ] && [ -n "${ENDPOINT_ID}" ]; then
+		for controller in $controllers; do
+			endpointid=$(uci -q get obuspa."${controller}".EndpointID)
+			if [ "${endpointid}" = "${ENDPOINT_ID}" ]; then
+				dhcp_controller="${controller}"
+				break
+			fi
+		done
+	fi
+
 	if [ -n "${dhcp_controller}" ]; then
-		cont_proto="$(uci -q get obuspa.$dhcp_controller.Protocol)"
-		if [ "${cont_proto}" == "MQTT" ]; then
-			dhcp_mqtt="$(uci -q get obuspa.$dhcp_controller.mqtt)"
+		cont_proto=$(uci -q get obuspa."${dhcp_controller}".Protocol)
+		if [ "${cont_proto}" = "MQTT" ]; then
+			dhcp_mqtt=$(uci -q get obuspa."${dhcp_controller}".mqtt)
 
 			mtps=$(uci -q show obuspa | grep "=mtp" | cut -d'=' -f1 | cut -d'.' -f2)
 			for mtp in $mtps; do
-				mtp_mqtt="$(uci -q get obuspa.$mtp.mqtt)"
-				if [ "${mtp_mqtt}" == "${dhcp_mqtt}" ]; then
+				mtp_mqtt=$(uci -q get obuspa."${mtp}".mqtt)
+				if [ "${mtp_mqtt}" = "${dhcp_mqtt}" ]; then
 					dhcp_mtp="${mtp}"
 					break
 				fi
 			done
-		elif [ "${cont_proto}" == "WebSocket" ]; then
-			cont_port="$(uci -q get obuspa.$dhcp_controller.Port)"
-			cont_encr="$(uci -q get obuspa.$dhcp_controller.EnableEncryption)"
+		elif [ "${cont_proto}" = "WebSocket" ]; then
+			cont_port=$(uci -q get obuspa."${dhcp_controller}".Port)
+			cont_encr=$(uci -q get obuspa."${dhcp_controller}".EnableEncryption)
 
 			mtps=$(uci -q show obuspa | grep "=mtp" | cut -d'=' -f1 | cut -d'.' -f2)
 			for mtp in $mtps; do
-				mtp_port="$(uci -q get obuspa.$mtp.Port)"
-				mtp_encr="$(uci -q get obuspa.$mtp.EnableEncryption)"
-				if [ "${mtp_port}" == "${cont_port}" ] && [ "${mtp_encr}" == "${cont_encr}" ]; then
+				mtp_port=$(uci -q get obuspa."${mtp}".Port)
+				mtp_encr=$(uci -q get obuspa."${mtp}".EnableEncryption)
+				if [ "${mtp_port}" = "${cont_port}" ] && [ "${mtp_encr}" = "${cont_encr}" ]; then
 					dhcp_mtp="${mtp}"
 					break
 				fi
@@ -306,43 +318,43 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 
 	if [ -n "${dhcp_controller}" ]; then
 		## Handling of controller section
-		ct_endpoint=$(uci -q get obuspa.$dhcp_controller.EndpointID)
-		ct_proto=$(uci -q get obuspa.$dhcp_controller.Protocol)
-		ct_prov=$(uci -q get obuspa.$dhcp_controller.ProvisioningCode)
+		ct_endpoint=$(uci -q get obuspa."${dhcp_controller}".EndpointID)
+		ct_proto=$(uci -q get obuspa."${dhcp_controller}".Protocol)
+		ct_prov=$(uci -q get obuspa."${dhcp_controller}".ProvisioningCode)
 
 		if [ "${ct_proto}" = "MQTT" ]; then
-			ct_topic=$(uci -q get obuspa.$dhcp_controller.Topic)
+			ct_topic=$(uci -q get obuspa."${dhcp_controller}".Topic)
 		else
-			ct_topic=$(uci -q get obuspa.$dhcp_controller.Path)
+			ct_topic=$(uci -q get obuspa."${dhcp_controller}".Path)
 		fi
 
 		if [ -n "${ENDPOINT_ID}" ] && [ "${ct_endpoint}" != "${ENDPOINT_ID}" ]; then
-			uci -q set obuspa.$dhcp_controller.EndpointID="${ENDPOINT_ID}"
+			uci -q set obuspa."${dhcp_controller}".EndpointID="${ENDPOINT_ID}"
 			uci_change=1
 		fi
 
 		if [ -n "${offered_proto}" ] && [ "${ct_proto}" != "${offered_proto}" ]; then
-			uci -q set obuspa.$dhcp_controller.Protocol="${offered_proto}"
+			uci -q set obuspa."${dhcp_controller}".Protocol="${offered_proto}"
 			if [ "${offered_proto}" != "MQTT" ]; then
-				uci -q set obuspa.$dhcp_controller.mqtt=""
-				uci -q set obuspa.$dhcp_controller.Topic=""
-				uci -q set obuspa.$dhcp_controller.Host="${ip}"
-				uci -q set obuspa.$dhcp_controller.Port="${port}"
-				uci -q set obuspa.$dhcp_controller.Path="${ct_topic}"
-				uci -q set obuspa.$dhcp_controller.EnableEncryption="${mtp_encrypt}"
+				uci -q delete obuspa."${dhcp_controller}".mqtt
+				uci -q delete obuspa."${dhcp_controller}".Topic
+				uci -q set obuspa."${dhcp_controller}".Host="${ip}"
+				uci -q set obuspa."${dhcp_controller}".Port="${port}"
+				uci -q set obuspa."${dhcp_controller}".Path="${ct_topic}"
+				uci -q set obuspa."${dhcp_controller}".EnableEncryption="${mtp_encrypt}"
 			else
-				uci -q set obuspa.$dhcp_controller.EnableEncryption=""
-				uci -q set obuspa.$dhcp_controller.Path=""
-				uci -q set obuspa.$dhcp_controller.Host=""
-				uci -q set obuspa.$dhcp_controller.Port=""
+				uci -q delete obuspa."${dhcp_controller}".EnableEncryption
+				uci -q delete obuspa."${dhcp_controller}".Path
+				uci -q delete obuspa."${dhcp_controller}".Host
+				uci -q delete obuspa."${dhcp_controller}".Port
 
 				if [ -z "${dhcp_mqtt}" ]; then
-					uci -q set obuspa.$dhcp_controller.mqtt='dhcpmqtt'
+					uci -q set obuspa."${dhcp_controller}".mqtt='dhcpmqtt'
 				else
-					uci -q set obuspa.$dhcp_controller.mqtt="${dhcp_mqtt}"
+					uci -q set obuspa."${dhcp_controller}".mqtt="${dhcp_mqtt}"
 				fi
 
-				uci -q set obuspa.$dhcp_controller.Topic="${ct_topic}"
+				uci -q set obuspa."${dhcp_controller}".Topic="${ct_topic}"
 			fi
 
 			proto_changed=1
@@ -355,38 +367,37 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 				protocol="${offered_proto}"
 			fi
 
-			if [ "${protocol}" == "MQTT" ]; then
-				uci -q set obuspa.$dhcp_controller.Topic="${topic}"
+			if [ "${protocol}" = "MQTT" ]; then
+				uci -q set obuspa."${dhcp_controller}".Topic="${topic}"
 			else
-				uci -q set obuspa.$dhcp_controller.Path="${topic}"
+				uci -q set obuspa."${dhcp_controller}".Path="${topic}"
 			fi
 
 			uci_change=1
 		fi
 
 		if [ -n "${PROV_CODE}" ] && [ "${ct_prov}" != "${PROV_CODE}" ]; then
-			uci -q set obuspa.$dhcp_controller.ProvisioningCode="${PROV_CODE}"
+			uci -q set obuspa."${dhcp_controller}".ProvisioningCode="${PROV_CODE}"
 			uci_change=1
 		fi
 
 		if [ "${proto_changed}" -eq 1 ]; then
-			if [ "${offered_proto}" == "WebSocket" ]; then
+			if [ "${offered_proto}" = "WebSocket" ]; then
 				if [ -n "${dhcp_mqtt}" ]; then
-					uci -q del obuspa.$dhcp_mqtt
+					uci -q delete obuspa."${dhcp_mqtt}"
 				fi
 
 				if [ -z "${dhcp_mtp}" ]; then
-					sec=$(uci -q add obuspa mtp)
-					uci -q rename obuspa."${sec}"='dhcpmtp'
+					uci -q set obuspa.dhcpmtp="mtp"
 					dhcp_mtp="dhcpmtp"
-					uci -q set obuspa.$dhcp_mtp.Enable='1'
+					uci -q set obuspa."${dhcp_mtp}".Enable='1'
 				fi
 
-				uci -q set obuspa.$dhcp_mtp.mqtt=''
-				uci -q set obuspa.$dhcp_mtp.ResponseTopicConfigured=''
-				uci -q set obuspa.$dhcp_mtp.Protocol='WebSocket'
-				uci -q set obuspa.$dhcp_mtp.Port="${port}"
-				uci -q set obuspa.$dhcp_mtp.EnableEncryption="${mtp_encrypt}"
+				uci -q set obuspa."${dhcp_mtp}".mqtt=''
+				uci -q set obuspa."${dhcp_mtp}".ResponseTopicConfigured=''
+				uci -q set obuspa."${dhcp_mtp}".Protocol='WebSocket'
+				uci -q set obuspa."${dhcp_mtp}".Port="${port}"
+				uci -q set obuspa."${dhcp_mtp}".EnableEncryption="${mtp_encrypt}"
 
 				uci_change=1
 			else
@@ -394,137 +405,135 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 					user="$(uci -q get obuspa.global.username)"
 					pass="$(uci -q get obuspa.global.password)"
 
-					sec=$(uci -q add obuspa mqtt)
-					uci -q rename obuspa."${sec}"='dhcpmqtt'
+					uci -q set obuspa.dhcpmqtt="mqtt"
 					dhcp_mqtt="dhcpmqtt"
-					uci -q set obuspa.$dhcp_mqtt.Enable='1'
-					uci -q set obuspa.$dhcp_mqtt.Username="${user}"
-					uci -q set obuspa.$dhcp_mqtt.Password="${pass}"
+					uci -q set obuspa."${dhcp_mqtt}".Enable='1'
+					uci -q set obuspa."${dhcp_mqtt}".Username="${user}"
+					uci -q set obuspa."${dhcp_mqtt}".Password="${pass}"
 				fi
 
-				uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}"
-				uci -q set obuspa.$dhcp_mqtt.BrokerPort="${port}"
-				uci -q set obuspa.$dhcp_mqtt.TransportProtocol="${mtp_encrypt}"
-				uci -q set obuspa.$dhcp_mqtt.ProtocolVersion='5.0'
+				uci -q set obuspa."${dhcp_mqtt}".BrokerAddress="${ip}"
+				uci -q set obuspa."${dhcp_mqtt}".BrokerPort="${port}"
+				uci -q set obuspa."${dhcp_mqtt}".TransportProtocol="${mtp_encrypt}"
+				uci -q set obuspa."${dhcp_mqtt}".ProtocolVersion='5.0'
 
 				if [ -z "${dhcp_mtp}" ]; then
-					sec=$(uci -q add obuspa mtp)
-					uci -q rename obuspa."${sec}"='dhcpmtp'
+					uci -q set obuspa.dhcpmtp="mtp"
 					dhcp_mtp="dhcpmtp"
-					uci -q set obuspa.$dhcp_mtp.Enable='1'
+					uci -q set obuspa."${dhcp_mtp}".Enable='1'
 				fi
 
 				agent_topic=$(get_agent_topic)
-				uci -q set obuspa.$dhcp_mtp.Port=""
-				uci -q set obuspa.$dhcp_mtp.EnableEncryption=""
-				uci -q set obuspa.$dhcp_mtp.Protocol='MQTT'
-				uci -q set obuspa.$dhcp_mtp.ResponseTopicConfigured="${agent_topic}"
-				uci -q set obuspa.$dhcp_mtp.mqtt="${dhcp_mqtt}"
+				uci -q delete obuspa."${dhcp_mtp}".Port
+				uci -q delete obuspa."${dhcp_mtp}".EnableEncryption
+				uci -q set obuspa."${dhcp_mtp}".Protocol='MQTT'
+				uci -q set obuspa."${dhcp_mtp}".ResponseTopicConfigured="${agent_topic}"
+				uci -q set obuspa."${dhcp_mtp}".mqtt="${dhcp_mqtt}"
 
 				uci_change=1
 			fi
 		else
-			if [ "${ct_proto}" == "WebSocket" ]; then
-				conf_ip="$(uci -q get obuspa.$dhcp_controller.Host)"
-				conf_port="$(uci -q get obuspa.$dhcp_mtp.Port)"
-				conf_encr="$(uci -q get obuspa.$dhcp_mtp.EnableEncryption)"
+			if [ "${ct_proto}" = "WebSocket" ]; then
+				conf_ip="$(uci -q get obuspa."${dhcp_controller}".Host)"
+				conf_port="$(uci -q get obuspa."${dhcp_mtp}".Port)"
+				conf_encr="$(uci -q get obuspa."${dhcp_mtp}".EnableEncryption)"
 
 				if [ -n "${ip}" ] && [ "${conf_ip}" != "${ip}" ]; then
-					uci -q set obuspa.$dhcp_controller.Host="${ip}"
+					uci -q set obuspa."${dhcp_controller}".Host="${ip}"
 					uci_change=1
 				fi
 
 				if [ -n "${port}" ] && [ "${conf_port}" != "${port}" ]; then
-					uci -q set obuspa.$dhcp_mtp.Port="${port}"
-					uci -q set obuspa.$dhcp_controller.Port="${port}"
+					uci -q set obuspa."${dhcp_mtp}".Port="${port}"
+					uci -q set obuspa."${dhcp_controller}".Port="${port}"
 					uci_change=1
 				fi
 
 				if [ -n "${mtp_encrypt}" ] && [ "${conf_encr}" != "${mtp_encrypt}" ]; then
-					uci -q set obuspa.$dhcp_mtp.EnableEncryption="${mtp_encrypt}"
-					uci -q set obuspa.$dhcp_controller.EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa."${dhcp_mtp}".EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa."${dhcp_controller}".EnableEncryption="${mtp_encrypt}"
 					uci_change=1
 				fi
 			else
-				conf_ip="$(uci -q get obuspa.$dhcp_mqtt.BrokerAddress)"
-				conf_port="$(uci -q get obuspa.$dhcp_mqtt.BrokerPort)"
-				conf_encr="$(uci -q get obuspa.$dhcp_mqtt.TransportProtocol)"
+				conf_ip=$(uci -q get obuspa."${dhcp_mqtt}".BrokerAddress)
+				conf_port=$(uci -q get obuspa."${dhcp_mqtt}".BrokerPort)
+				conf_encr=$(uci -q get obuspa."${dhcp_mqtt}".TransportProtocol)
 
 				if [ -n "${port}" ] && [ "${conf_port}" != "${port}" ]; then
-					uci -q set obuspa.$dhcp_mqtt.BrokerPort="${port}"
+					uci -q set obuspa."${dhcp_mqtt}".BrokerPort="${port}"
 					uci_change=1
 				fi
 
 				if [ -n "${mtp_encrypt}" ] && [ "${conf_encr}" != "${mtp_encrypt}" ]; then
-					uci -q set obuspa.$dhcp_mqtt.TransportProtocol="${mtp_encrypt}"
+					uci -q set obuspa."${dhcp_mqtt}".TransportProtocol="${mtp_encrypt}"
 					uci_change=1
 				fi
 
 				if [ -n "${ip}" ] && [ "${conf_ip}" != "${ip}" ]; then
-					uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}"
+					uci -q set obuspa."${dhcp_mqtt}".BrokerAddress="${ip}"
 					uci_change=1
 				fi
 			fi
 		fi
 	else
-		uci -q del obuspa.dhcpmtp
-		uci -q del obuspa.dhcpmqtt
+		# Only setup a new controller, only if mandatory param present
+		if [ -n "${ENDPOINT_ID}" ] && [ -n "${URL}" ]; then
+			uci -q delete obuspa.dhcpmtp
+			uci -q delete obuspa.dhcpmqtt
 
-		sec=$(uci -q add obuspa controller)
-		uci -q rename obuspa."${sec}"='dhcpcontroller'
-		uci -q set obuspa.dhcpcontroller.dhcp_discovered="1"
-		uci -q set obuspa.dhcpcontroller.EndpointID="${ENDPOINT_ID}"
-		uci -q set obuspa.dhcpcontroller.ProvisioningCode="${PROV_CODE}"
-		uci -q set obuspa.dhcpcontroller.Protocol="${offered_proto}"
-		uci -q set obuspa.dhcpcontroller.assigned_role_name="$(get_access_role)"
-		uci -q set obuspa.dhcpcontroller.Enable='1'
+			uci -q set obuspa.dhcpcontroller="controller"
+			uci -q set obuspa.dhcpcontroller.dhcp_discovered="1"
+			uci -q set obuspa.dhcpcontroller.EndpointID="${ENDPOINT_ID}"
+			uci -q set obuspa.dhcpcontroller.ProvisioningCode="${PROV_CODE}"
+			uci -q set obuspa.dhcpcontroller.Protocol="${offered_proto}"
+			uci -q set obuspa.dhcpcontroller.assigned_role_name="$(get_access_role)"
+			uci -q set obuspa.dhcpcontroller.Enable='1'
 
-		if [ -n "${offered_proto}" ]; then
-			if [ "${offered_proto}" == "MQTT" ]; then
-				user="$(uci -q get obuspa.global.username)"
-				pass="$(uci -q get obuspa.global.password)"
+			if [ -n "${offered_proto}" ]; then
+				if [ "${offered_proto}" = "MQTT" ]; then
+					user="$(uci -q get obuspa.global.username)"
+					pass="$(uci -q get obuspa.global.password)"
 
-				uci -q set obuspa.dhcpcontroller.Topic="${topic}"
-				uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt'
+					uci -q set obuspa.dhcpcontroller.Topic="${topic}"
+					uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt'
 
-				sec=$(uci -q add obuspa mqtt)
-				uci -q rename obuspa."${sec}"='dhcpmqtt'
-				uci -q set obuspa.dhcpmqtt.BrokerAddress="${ip}"
-				uci -q set obuspa.dhcpmqtt.BrokerPort="${port}"
-				uci -q set obuspa.dhcpmqtt.TransportProtocol="${mtp_encrypt}"
-				uci -q set obuspa.dhcpmqtt.Enable='1'
-				uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0'
-				uci -q set obuspa.dhcpmqtt.Username="${user}"
-				uci -q set obuspa.dhcpmqtt.Password="${pass}"
+					uci -q set obuspa.dhcpmqtt="mqtt"
+					uci -q set obuspa.dhcpmqtt.BrokerAddress="${ip}"
+					uci -q set obuspa.dhcpmqtt.BrokerPort="${port}"
+					uci -q set obuspa.dhcpmqtt.TransportProtocol="${mtp_encrypt}"
+					uci -q set obuspa.dhcpmqtt.Enable='1'
+					uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0'
+					uci -q set obuspa.dhcpmqtt.Username="${user}"
+					uci -q set obuspa.dhcpmqtt.Password="${pass}"
 
 
-				agent_topic=$(get_agent_topic)
-				sec=$(uci -q add obuspa mtp)
-				uci -q rename obuspa."${sec}"='dhcpmtp'
-				uci -q set obuspa.dhcpmtp.Protocol='MQTT'
-				uci -q set obuspa.dhcpmtp.ResponseTopicConfigured="${agent_topic}"
-				uci -q set obuspa.dhcpmtp.Enable='1'
-				uci -q set obuspa.dhcpmtp.mqtt='dhcpmqtt'
-			else
-				uci -q set obuspa.dhcpcontroller.Path="${topic}"
-				uci -q set obuspa.dhcpcontroller.Host="${ip}"
-				uci -q set obuspa.dhcpcontroller.Port="${port}"
-				uci -q set obuspa.dhcpcontroller.EnableEncryption="${mtp_encrypt}"
+					agent_topic=$(get_agent_topic)
+					uci -q set obuspa.dhcpmtp="mtp"
+					uci -q set obuspa.dhcpmtp.Protocol='MQTT'
+					uci -q set obuspa.dhcpmtp.ResponseTopicConfigured="${agent_topic}"
+					uci -q set obuspa.dhcpmtp.Enable='1'
+					uci -q set obuspa.dhcpmtp.mqtt='dhcpmqtt'
+				else
+					uci -q set obuspa.dhcpcontroller.Path="${topic}"
+					uci -q set obuspa.dhcpcontroller.Host="${ip}"
+					uci -q set obuspa.dhcpcontroller.Port="${port}"
+					uci -q set obuspa.dhcpcontroller.EnableEncryption="${mtp_encrypt}"
 
-				sec=$(uci -q add obuspa mtp)
-				uci -q rename obuspa."${sec}"='dhcpmtp'
-
-				uci -q set obuspa.dhcpmtp.Protocol='WebSocket'
-				uci -q set obuspa.dhcpmtp.Port="${port}"
-				uci -q set obuspa.dhcpmtp.Enable='1'
-				uci -q set obuspa.dhcpmtp.EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa.dhcpmtp="mtp"
+					uci -q set obuspa.dhcpmtp.Protocol='WebSocket'
+					uci -q set obuspa.dhcpmtp.Port="${port}"
+					uci -q set obuspa.dhcpmtp.Enable='1'
+					uci -q set obuspa.dhcpmtp.EnableEncryption="${mtp_encrypt}"
+				fi
 			fi
+			uci_change=1
 		fi
-
-		uci_change=1
 	fi
 
 	if [ ${uci_change} -eq 1 ]; then
+		if [ -f "${OBUSPA_BOOT_MARKER}" ]; then
+			rm -f "${OBUSPA_BOOT_MARKER}"
+		fi
 		log "# Reloading obuspa as dhcp config changed"
 		ubus call uci commit '{"config":"obuspa"}'
 	fi

obuspa/patches/2005-set-sql-journal-mode.patch

@@ -0,0 +1,28 @@
+diff --git a/src/core/database.c b/src/core/database.c
+index 7ad9dae..edebd7c 100644
+--- a/src/core/database.c
++++ b/src/core/database.c
+@@ -955,6 +955,7 @@ void DATABASE_Dump(void)
+ int OpenUspDatabase(char *db_file)
+ {
+     int err;
++    char *err_msg = 0;
+ 
+     // Exit if unable to open the database
+     err = sqlite3_open(db_file, &db_handle);
+@@ -965,6 +966,15 @@ int OpenUspDatabase(char *db_file)
+         return USP_ERR_INTERNAL_ERROR;
+     }
+ 
++    // Execute the PRAGMA statement
++    const char *sql = "PRAGMA journal_mode = MEMORY;";
++    err = sqlite3_exec(db_handle, sql, 0, 0, &err_msg);
++    if (err != SQLITE_OK) {
++        USP_LOG_Error("%s: Failed to set journal_mode: %s", __func__, err_msg);
++        sqlite3_free(err_msg);
++        return USP_ERR_INTERNAL_ERROR;
++    }
++
+     // Exit if unable to create the data model parameter table (if it does not already exist)
+     #define CREATE_TABLE_STR "create table if not exists data_model (hash integer, instances text, value text, primary key (hash, instances));"
+     err = sqlite3_exec(db_handle, CREATE_TABLE_STR, NULL, NULL, NULL);

obuspa/patches/2006-force-db-update.patch

@@ -0,0 +1,23 @@
+diff --git a/src/core/database.c b/src/core/database.c
+index 7ad9dae..0bf9c90 100644
+--- a/src/core/database.c
++++ b/src/core/database.c
+@@ -1479,3 +1479,7 @@ int GetAllEntriesForParameter(db_hash_t hash, kv_vector_t *kvv)
+     return result;
+ }
+ 
++void DATABASE_force_reset_file()
++{
++    schedule_factory_reset_init = true;
++}
+diff --git a/src/core/database.h b/src/core/database.h
+index c88cf3a..376aa7a 100644
+--- a/src/core/database.h
++++ b/src/core/database.h
+@@ -67,5 +67,6 @@ void DATABASE_Dump(void);
+ int DATABASE_ReadDataModelInstanceNumbers(bool remove_unknown_params);
+ db_hash_t DATABASE_GetMigratedHash(db_hash_t hash);
+ 
++void DATABASE_force_reset_file();
+ #endif
+ 

parental-control/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=parental-control
-PKG_VERSION:=1.3.1
+PKG_VERSION:=1.4.1
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/parental-control.git
-PKG_SOURCE_VERSION:=b1e5b3f81f08271bdaf9cb4bda8a7696a27be3c6
+PKG_SOURCE_VERSION:=bd852e8b0a6528893917fb89e2ea27a8920f6280
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

parental-control/files/etc/init.d/parentalcontrol

@@ -12,7 +12,9 @@ validate_global_section() {
 	uci_validate_section parentalcontrol globals globals \
 	    'enable:bool:1' \
 	    'loglevel:uinteger:3' \
+	    'queue_num:uinteger:53' \
 	    'bundle_path:string' \
+	    'default_wan_interface:string:wan' \
 	    'urlfilter:bool'
 }
 
@@ -24,11 +26,12 @@ remove_fw_rules() {
 }
 
 configure_fw_rules() {
-	local enable urlfilter
+	local enable urlfilter queue_num
 
 	config_load parentalcontrol
 	config_get_bool enable globals enable 0
 	config_get_bool urlfilter globals urlfilter 0
+	config_get queue_num globals queue_num 53
 
 	remove_fw_rules
 
@@ -37,6 +40,11 @@ configure_fw_rules() {
 		return 0
 	fi
 
+	if [ "${queue_num}" -lt 0 ] || [ "${queue_num}" -gt 65535 ]; then
+	        log "ERROR: queue_num not in 0-65535"
+		return 1
+	fi
+
 	if [ "${urlfilter}" -eq "1" ]; then
 		if [ ! -f "${OVERRIDE_JSON}" ]; then
 			# throw error
@@ -48,11 +56,11 @@ configure_fw_rules() {
 				hw_nat -! > /dev/null 2>&1
 			fi
 			if which conntrack > /dev/null 2>&1; then
-				conntrack -F > /dev/null 2>&1
+				flush_conntrack_for_hosts
 			fi
 
 			# this is for urlfilter daemon
-			add_iptables_nfqueue_rules
+			add_iptables_nfqueue_rules "$queue_num"
 		fi
 	fi
 
@@ -107,7 +115,7 @@ start_service() {
 
 	procd_open_instance "parentalcontrol"
 	procd_set_param command nice -n 10 "${PROG}"  # Lower priority
-	procd_append_param command -l ${loglevel}
+	procd_append_param command -l "${loglevel}"
 	procd_set_param respawn
 	procd_close_instance
 }
@@ -120,11 +128,19 @@ stop_service() {
 }
 
 reload_service() {
+	local arg="$1"
+
 	ret=$(ubus call service list '{"name":"parentalcontrol"}' | jsonfilter -qe '@.parentalcontrol.instances.parentalcontrol.running')
 	if [ "$ret" != "true" ]; then
 		stop
 		start
 	else
+		if [ "$arg" = "network" ]; then
+			pidof_sync="$(pidof sync_bundles.sh)"
+			[ -n "$pidof_sync" ] && kill "$pidof_sync"
+			sleep 5
+		fi
+
 		configure_fw_rules
 		copy_dhcp_leases
 		ubus send parentalcontrol.reload
@@ -132,6 +148,19 @@ reload_service() {
 }
 
 service_triggers() {
+	local enable urlfilter default_wan_interface
+
+	validate_global_section || {
+		return 1
+	}
+
+	if [ "${urlfilter}" = "1" ] && [ "$enable" = "1" ] && [ -n "$default_wan_interface" ]; then
+		log "Adding interface trigger for $default_wan_interface"
+		procd_open_trigger
+		procd_add_interface_trigger "interface.*.up" "$default_wan_interface" /etc/init.d/parentalcontrol reload "network"
+		procd_close_trigger
+	fi
+
 	procd_add_reload_trigger "parentalcontrol"
 	procd_add_reload_trigger "schedules"
 }

parental-control/files/lib/parentalcontrol/parentalcontrol.sh

@@ -438,102 +438,118 @@ add_internet_schedule_rules() {
 }
 
 add_iptables_nfqueue_rules() {
-	local filter_used
+    local queue_num="$1"
 
-	# Check if urlfilter used
-	if ! uci show parentalcontrol | grep -q profile_urlfilter; then
-		return
-	fi
+    # Check if urlfilter used
+    if ! uci show parentalcontrol | grep -q profile_urlfilter; then
+        return
+    fi
 
-	# IPv4 rules
-	iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -ne 0 ]; then
-		# capture DNS responses (UDP/TCP sport 53) in FORWARD
-		iptables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+    # IPv4
+    # FORWARD
+    if ! iptables -w -nL | grep -q "URLFILTER_FORWARD"; then
+        iptables -w -N URLFILTER_FORWARD
+        iptables -w -I FORWARD 1 -j URLFILTER_FORWARD
 
-		# INPUT: DNS replies to router, skip loopback
-		iptables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+        # capture DNS responses (sport 53)
+        iptables -w -A URLFILTER_FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_FORWARD -p udp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
 
-		# OUTPUT: DNS replies from router, skip loopback
-		iptables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+        # HTTP/HTTPS flows
+        iptables -w -A URLFILTER_FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
 
-		# HTTP/HTTPS flows for urlfilter
-		iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+    # INPUT
+    if ! iptables -w -nL | grep -q "URLFILTER_INPUT"; then
+        iptables -w -N URLFILTER_INPUT
+        iptables -w -I INPUT 1 -j URLFILTER_INPUT
 
-		# disable acceleration for https packet so that they can be read by urlfilter
-		ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+        iptables -w -A URLFILTER_INPUT -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_INPUT -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
 
-	# IPv6 rules
-	ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -ne 0 ]; then
-		# capture DNS responses (UDP/TCP sport 53) in FORWARD
-		ip6tables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+    # OUTPUT
+    if ! iptables -w -nL | grep -q "URLFILTER_OUTPUT"; then
+        iptables -w -N URLFILTER_OUTPUT
+        iptables -w -I OUTPUT 1 -j URLFILTER_OUTPUT
 
-		# INPUT: DNS replies to router, skip loopback
-		ip6tables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+        iptables -w -A URLFILTER_OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        iptables -w -A URLFILTER_OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
 
-		# OUTPUT: DNS replies from router, skip loopback
-		ip6tables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+    # ebtables bypass for IPv4
+    ebtables --concurrent -A FORWARD -p ip --ip-protocol 6  --ip-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip --ip-protocol 6  --ip-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53    -j SKIPLOG 2>/dev/null
 
-		# HTTP/HTTPS flows for urlfilter
-		ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+    # IPv6
+    # FORWARD
+    if ! ip6tables -w -nL | grep -q "URLFILTER_FORWARD6"; then
+        ip6tables -w -N URLFILTER_FORWARD6
+        ip6tables -w -I FORWARD 1 -j URLFILTER_FORWARD6
 
-		# disable acceleration for https packet so that they can be read by urlfilter
-		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+        ip6tables -w -A URLFILTER_FORWARD6 -p tcp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_FORWARD6 -p udp --sport 53 -j NFQUEUE --queue-num $queue_num --queue-bypass
+
+        ip6tables -w -A URLFILTER_FORWARD6 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_FORWARD6 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
+
+    # INPUT
+    if ! ip6tables -w -nL | grep -q "URLFILTER_INPUT6"; then
+        ip6tables -w -N URLFILTER_INPUT6
+        ip6tables -w -I INPUT 1 -j URLFILTER_INPUT6
+
+        ip6tables -w -A URLFILTER_INPUT6 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_INPUT6 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
+
+    # OUTPUT
+    if ! ip6tables -w -nL | grep -q "URLFILTER_OUTPUT6"; then
+        ip6tables -w -N URLFILTER_OUTPUT6
+        ip6tables -w -I OUTPUT 1 -j URLFILTER_OUTPUT6
+
+        ip6tables -w -A URLFILTER_OUTPUT6 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+        ip6tables -w -A URLFILTER_OUTPUT6 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num $queue_num --queue-bypass
+    fi
+
+    # ebtables bypass for IPv6
+    ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6  --ip6-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6  --ip6-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53    -j SKIPLOG 2>/dev/null
 }
 
 remove_iptables_nfqueue_rules() {
-	iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -eq 0 ]; then
-		# DNS response rules
-		iptables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D INPUT  -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D INPUT  -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+    # IPv4
+    for chain in URLFILTER_FORWARD URLFILTER_INPUT URLFILTER_OUTPUT; do
+        if iptables -w -nL | grep -q "$chain"; then
+            iptables -w -D FORWARD -j $chain 2>/dev/null
+            iptables -w -D INPUT   -j $chain 2>/dev/null
+            iptables -w -D OUTPUT  -j $chain 2>/dev/null
+            iptables -w -F $chain
+            iptables -w -X $chain
+        fi
+    done
 
-		# HTTP/HTTPS
-		iptables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+    ebtables --concurrent -D FORWARD -p ip --ip-protocol 6  --ip-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip --ip-protocol 6  --ip-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53    -j SKIPLOG 2>/dev/null
 
-		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+    # IPv6
+    for chain in URLFILTER_FORWARD6 URLFILTER_INPUT6 URLFILTER_OUTPUT6; do
+        if ip6tables -w -nL | grep -q "$chain"; then
+            ip6tables -w -D FORWARD -j $chain 2>/dev/null
+            ip6tables -w -D INPUT   -j $chain 2>/dev/null
+            ip6tables -w -D OUTPUT  -j $chain 2>/dev/null
+            ip6tables -w -F $chain
+            ip6tables -w -X $chain
+        fi
+    done
 
-	ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
-	if [ "$?" -eq 0 ]; then
-		# DNS response rules
-		ip6tables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D INPUT  -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D INPUT  -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
-
-		# HTTP/HTTPS
-		ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
-
-		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
-	fi
+    ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6  --ip6-destination-port 443 -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6  --ip6-source-port 53    -j SKIPLOG 2>/dev/null
+    ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53    -j SKIPLOG 2>/dev/null
 }
 
 remove_internet_schedule_rules() {
@@ -551,6 +567,62 @@ remove_internet_schedule_rules() {
 	fi
 }
 
+# Global array for resolved IPs
+URLFILTER_IPS=""
+
+# Resolve hostname or MAC to IP from lease_file
+get_host_ip() {
+	local host="$1"
+	local ip
+	local lease_file="/tmp/dhcp.leases"
+
+	[ -f "$lease_file" ] || lease_file="/etc/parentalcontrol/dhcp.leases"
+	[ -f "$lease_file" ] || { log "Error: get_host_ip(): No DHCP lease file found."; return 1; }
+
+	# try DHCP lease lookup
+	ip="$(awk -v h="$host" '
+	{
+		mac=$2; ipaddr=$3; name=$4
+		if (h == name || h == mac) { print ipaddr; exit }
+	}' "$lease_file")"
+
+	[ -n "$ip" ] && URLFILTER_IPS="$URLFILTER_IPS $ip"
+}
+
+# Process each profile section
+resolve_profile_hosts() {
+	local section="$1"
+	local hostlist
+
+	config_get hostlist "$section" host
+	[ -z "$hostlist" ] && return
+
+	for h in $hostlist; do
+		get_host_ip "$h"
+	done
+}
+
+# Main function to collect IPs and delete conntrack entries
+flush_conntrack_for_hosts() {
+	URLFILTER_IPS=""
+	local count max
+
+	config_foreach resolve_profile_hosts profile
+
+	URLFILTER_IPS="$(echo "$URLFILTER_IPS" | tr ' ' '\n' | sort -u | xargs)"
+	for ip in $URLFILTER_IPS; do
+		count=0
+		max=1000
+		while conntrack -D -s "$ip" >/dev/null 2>&1; do
+			count=$((count+1))
+			if [ $count -ge $max ]; then
+				log "Warning: Forced to stop conntrack delete after $max deletions for $ip (possible loop)"
+				break
+			fi
+		done
+	done
+}
+
 OVERRIDE_JSON="/etc/parentalcontrol/urlbundle_override.json"
 DM_PLUGIN_PATH="/usr/share/bbfdm/micro_services/parentalcontrol/urlbundle_override.json"
 

parental-control/files/lib/parentalcontrol/sync_bundles.sh

@@ -161,7 +161,23 @@ handle_download_url() {
 		# If the URL is HTTP, fetch the file size
 		local bundle_file_size
 		if echo "$sanitized_url" | grep -qE "^https?://"; then
-			bundle_file_size="$(curl -I "$sanitized_url" 2>&1 | grep -i 'content-length' | cut -d: -f2 | xargs)"
+			bundle_file_header="$(curl -Is --max-time 30 "$sanitized_url" 2>/var/log/urlfilter_curl_err.log)"
+			curl_rc=$?
+
+			case $curl_rc in
+				0)
+					# Success
+					;;
+				6|7|28|35|52|55|56)
+					log_info "handle_download_url: URL not reachable (curl rc=$curl_rc): ${sanitized_url}"
+					return 1
+					;;
+				*)
+					log_info "handle_download_url: unexpected curl rc=$curl_rc for ${sanitized_url}"
+					;;
+			esac
+
+			bundle_file_size="$(echo "$bundle_file_header" | grep -i 'content-length' | cut -d: -f2 | xargs)"
 			[ -z "$bundle_file_size" ] && bundle_file_size=0
 		else
 			# If it's a file:// URL, get the file size from the filesystem

passwdqc/Makefile

@@ -30,7 +30,7 @@ define Build/Compile
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		CC="$(TARGET_CC)" \
 		LDFLAGS="$(TARGET_LDFLAGS)" \
-		pam_wrapped
+		all_wrapped
 endef
 
 define Package/$(PKG_NAME)/install
@@ -40,8 +40,8 @@ define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/usr/lib/security
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/pam_passwdqc.so $(1)/usr/lib/security/
 
-	$(INSTALL_DIR) $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/passwdqc.uci_default $(1)/etc/uci-defaults/99-add_passwdqc_pam
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/pwqcheck $(1)/usr/sbin/
 endef
 
 $(eval $(call BuildPackage,$(PKG_NAME)))

passwdqc/files/passwdqc.uci_default

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-CONFIG_FILE="/etc/pam.d/common-password"
-# for some reason setting to 8 makes passwdqc accept minimum 12 letter password with this configuration
-# if we set it to 12 then we need atleast 16 characters and so on
-# passphrase = 0 means no space separated words
-# rest can be figured out from passwdqc man page
-MODULE_LINE="password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=20 passphrase=0 retry=3 enforce=everyone"
-
-# Ensure the file exists before modifying
-[ -f "$CONFIG_FILE" ] || exit 0
-
-# Check if pam_passwdqc is already in the file
-if ! grep -q "pam_passwdqc.so" "$CONFIG_FILE"; then
-    # Insert before pam_unix.so
-    sed -i "/pam_unix.so/ i\\$MODULE_LINE" "$CONFIG_FILE"
-fi
-
-exit 0

qosmngr/files/airoha/lib/qos/airoha.sh

@@ -434,4 +434,6 @@ hw_commit_all() {
             /userfs/bin/ifc add vip pbit $pbit
         done
     fi
+
+    hw_nat -! > /dev/null 2>&1
 }

qosmngr/files/airoha/lib/qos/qos.sh

@@ -22,6 +22,10 @@ ip_rule_get_converted_tos() {
 	echo $con_tos
 }
 
+flush_hw_nat() {
+	hw_nat -! > /dev/null 2>&1
+}
+
 configure_qos() {
     # queue configuration is being done after shaper configuration,
     # If port shapingrate configuration on DISC device is called after queue configuration then
@@ -33,8 +37,9 @@ configure_qos() {
     configure_policer
     configure_classify
     if [ -f "/tmp/qos/classify.ebtables" ]; then
-	    sh /tmp/qos/classify.ebtables
+        sh /tmp/qos/classify.ebtables
     fi
+    flush_hw_nat
 }
 
 reload_qos() {
@@ -65,6 +70,7 @@ reload_qos() {
             ;;
     esac
     hw_commit_all
+    flush_hw_nat
 }
 
 reload_qos_service() {

qosmngr/files/airoha/usr/sbin/qos-uplink-bandwidth

@@ -14,11 +14,13 @@ PREV_LINKSPEED=$(cat ${LINKSPEED_FILE} 2>/dev/null)
 [ -z "${PREV_LINKSPEED}" ] && PREV_LINKSPEED=0
 
 if [ $((LINKSPEED)) -ne $((PREV_LINKSPEED)) -a $((LINKSPEED)) -ne 0 ]; then
-	if [ $((LINKSPEED)) -ge 10000 ]; then
+	if [ $((LINKSPEED)) -ge 100 ]; then
 		/userfs/bin/qosrule discpline Rate uplink-bandwidth $((LINKSPEED*1000*999/1000))
 	else
-		/userfs/bin/qosrule discpline Rate uplink-bandwidth $((LINKSPEED*1000))
+		/userfs/bin/qosrule discpline Rate uplink-bandwidth $((LINKSPEED*1000*990/1000))
 	fi
 	mkdir -p "/tmp/qos"
 	echo ${LINKSPEED} > ${LINKSPEED_FILE}
+
+	hw_nat -! > /dev/null 2>&1
 fi

sshmngr/Config.in

@@ -1,7 +1,7 @@
 if PACKAGE_sshmngr
 choice
 	prompt "Select backend for SSH management"
-	default SSHMNGR_BACKEND_OPENSSH
+	default SSHMNGR_BACKEND_OPENSSH_PAM
 	depends on PACKAGE_sshmngr
 	help
 		Select which backend daemon to use for SSH

sulu/sulu-base/Makefile

@@ -5,11 +5,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-base
-PKG_VERSION:=5.0.4
+PKG_VERSION:=5.1.8
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu.git
-PKG_SOURCE_VERSION:=47f52fb0fe4a9824590c8be9ee7b8985631c39cf
+PKG_SOURCE_VERSION:=24cb862a27b4282668b434044a20fdc2c437316b
 PKG_MIRROR_HASH:=skip
 
 SULU_MOD:=core

sulu/sulu-builder/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-builder
-PKG_VERSION:=5.1.0
+PKG_VERSION:=5.1.8
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu-builder.git
-PKG_SOURCE_VERSION:=ef5345ea0275e632f021dfcf3b62c8d09fbb5800
+PKG_SOURCE_VERSION:=89f778534565e4ee9cea80fe881e9739c83d4c57
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_BUILD_DIR:=$(BUILD_DIR)/sulu-$(PKG_VERSION)/sulu-builder-$(PKG_SOURCE_VERSION)
@@ -28,7 +28,7 @@ define Package/sulu/default
 	CATEGORY:=Utilities
 	SUBMENU:=SULU
 	TITLE:=SULU-CE
-	DEPENDS:=+mosquitto-auth-shadow +usermngr +userinterface +obuspa
+	DEPENDS:=+mosquitto-auth-shadow +usermngr +userinterface +obuspa +sulu-vendorext
 	DEPENDS+=+@OBUSPA_LOCAL_MQTT_LISTENER
 	EXTRA_DEPENDS:=nginx
 endef
@@ -98,8 +98,12 @@ define Package/sulu/install/Default
 	$(INSTALL_DIR) $(1)/sulu/
 	$(INSTALL_DIR) $(1)/etc/sulu
 
+	$(INSTALL_DATA) ./files/maintenance.html $(1)/sulu/
+	$(LN) /tmp/sulu $(1)/sulu/connection
+
 	$(INSTALL_BIN) ./files/etc/sulu/sulu.sh $(1)/etc/sulu/
 	$(INSTALL_DATA) ./files/etc/sulu/nginx.locations $(1)/etc/sulu/
+	$(INSTALL_BIN) ./files/etc/sulu/sulu_watcher.sh $(1)/etc/sulu/
 
 	$(INSTALL_DIR) $(1)/etc/users/roles
 	$(INSTALL_DATA) ./files/etc/users/roles/*.json $(1)/etc/users/roles/
@@ -109,6 +113,8 @@ define Package/sulu/install/Default
 ifneq ($(CONFIG_SULU_DEFAULT_UI)$(CONFIG_SULU_BUILDER_DEFAULT_UI),)
 	$(INSTALL_DATA) ./files/etc/uci-defaults/41-make-sulu-default-ui $(1)/etc/uci-defaults/
 endif
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/sulu $(1)/etc/init.d/
 endef
 
 define Package/sulu/install/Post

sulu/sulu-builder/files/etc/init.d/sulu

@@ -0,0 +1,15 @@
+#!/bin/sh /etc/rc.common
+
+START=9
+STOP=01
+
+USE_PROCD=1
+
+PROG=/etc/sulu/sulu_watcher.sh
+
+start_service()
+{
+	procd_open_instance "sulu"
+	procd_set_param command ${PROG}
+	procd_close_instance "sulu"
+}

sulu/sulu-builder/files/etc/sulu/nginx.locations

@@ -8,6 +8,10 @@ location /sitemap.xml {
 	return 200 "User-agent: *\nDisallow: /\n";
 }
 
+location /maintenance.html {
+	internal;
+}
+
 location /wss {
 	proxy_pass_request_headers      on;
 	proxy_cache        off;
@@ -46,7 +50,10 @@ location / {
 		add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,Content-Type,Range' always;
 		add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
 	}
-	add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-	add_header Pragma 'no-cache';
+
+	if (!-f $document_root/connection/ready) {
+		return 503;
+	}
+
 	expires 0;
 }

sulu/sulu-builder/files/etc/sulu/sulu.sh

@@ -4,7 +4,6 @@
 
 . /lib/functions.sh
 . /usr/share/libubox/jshn.sh
-#. /lib/functions/iopsys-environment.sh
 
 RESTART_REQ=0
 _RESTART_SERVICES="0"
@@ -170,18 +169,20 @@ _create_mosquitto_acl() {
 
 	users="$(_get_sulu_user_roles)"
 	if [ -f "${ACL_FILE}" ]; then
-		acl_users="$(awk '/^user/ {print $2}' "${ACL_FILE}")"
-		for user in ${users}; do
-			if ! grep -q "$user" "${acl_users}"; then
+		acl_users="$(awk '/^user / {print $2}' "${ACL_FILE}")"
+		for user in ${acl_users}; do
+			if ! echo "$users" | grep -qwF "$user"; then
 				rm -f "${ACL_FILE}"
+				RESTART_REQ="1"
+				break
 			fi
 		done
 	fi
-	touch "${ACL_FILE}"
+	[ -f "${ACL_FILE}" ] || touch "${ACL_FILE}"
 
 	agentid="$(_get_agent_id)"
 	for user in ${users}; do
-		if ! grep -q "user $user" "${ACL_FILE}"; then
+		if ! grep -qxF "user $user" "${ACL_FILE}"; then
 			{
 				echo "user ${user}"
 				echo "topic read  /usp/${agentid}/${user}/controller/reply-to"
@@ -200,9 +201,7 @@ _create_mosquitto_acl() {
 }
 
 update_obuspa_config() {
-
 	RESTART_REQ=0
-	uci_load obuspa
 	_update_obuspa_config_rbac
 	uci_commit obuspa
 
@@ -218,7 +217,7 @@ configure_sulu() {
 	generate_sulu_conn_config
 }
 
-while getopts ":rq" opt; do
+while getopts ":r" opt; do
 	case ${opt} in
 	r)
 		_RESTART_SERVICES="1"

sulu/sulu-builder/files/etc/sulu/sulu_watcher.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+if ! command -v obuspa >/dev/null 2>&1; then
+	exit 0
+fi
+
+USP_PATH="/tmp/sulu/"
+
+log() {
+	logger -t sulu_watcher "$*"
+}
+
+wait_for_obuspa() {
+	while true; do
+		ENDPOINTID="$(obuspa -c get Device.LocalAgent.EndpointID |grep Device.|awk '{print $3}')"
+		sleep 2
+		if [ -n "${ENDPOINTID}" ]; then
+			break;
+		fi
+	done
+}
+
+mark_usp_ready() {
+	mkdir -p "${USP_PATH}"
+	touch ${USP_PATH}/ready
+}
+
+wait_for_obuspa
+mark_usp_ready

sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config

@@ -1,15 +1,16 @@
 #!/bin/sh
 
+. /lib/functions.sh
 UCI_TEMPLATE="/etc/nginx/uci.conf.template"
 
 if [ ! -f "/etc/config/mosquitto" ]; then
-	echo "Local mosquitto broker not available"
-	return 0
+	logger -t sulu.ucidefault "Local mosquitto broker not available"
+	return 1
 fi
 
 if [ ! -f "${UCI_TEMPLATE}" ]; then
-	echo "nginx utils not installed, sulu can't run"
-	return 0
+	logger -t sulu.ucidefault "nginx utils not installed, sulu can't run"
+	return 1
 fi
 
 update_nginx_uci_template()
@@ -19,7 +20,7 @@ update_nginx_uci_template()
 	port="$(uci -q get mosquitto.sulu.port)"
 	port="${port:-9009}"
 
-	if ! grep -q "upstream websocket" ${UCI_TEMPLATE}; then
+	if ! grep -w "upstream websocket" ${UCI_TEMPLATE} | grep -wq "127.0.0.1:${port}"; then
 		sed -i '/#UCI_HTTP_CONFIG$/i\   map $http_upgrade $connection_upgrade { default upgrade; "" close; }' ${UCI_TEMPLATE}
 		sed -i "/#UCI_HTTP_CONFIG$/i\   upstream websocket { server 127.0.0.1:${port}; }" ${UCI_TEMPLATE}
 	fi
@@ -27,36 +28,30 @@ update_nginx_uci_template()
 
 add_sulu_config_to_mosquitto()
 {
-	if ! uci_get mosquitto sulu >/dev/null 2>&1; then
-		uci_add mosquitto listener sulu
-		uci_set mosquitto sulu enabled 1
-		uci_set mosquitto sulu port '9009'
-		uci_set mosquitto sulu no_remote_access '1'
-		uci_set mosquitto sulu protocol 'websockets'
-		uci_set mosquitto sulu auth_plugin '/usr/lib/mosquitto_auth_shadow.so'
-		uci_set mosquitto sulu acl_file '/etc/sulu/mqtt.acl'
-	fi
+	uci_add mosquitto listener sulu
+	uci_set mosquitto sulu enabled 1
+	uci_set mosquitto sulu port '9009'
+	uci_set mosquitto sulu no_remote_access '1'
+	uci_set mosquitto sulu protocol 'websockets'
+	uci_set mosquitto sulu auth_plugin '/usr/lib/mosquitto_auth_shadow.so'
+	uci_set mosquitto sulu acl_file '/etc/sulu/mqtt.acl'
 }
 
 add_sulu_userinterface_uci()
 {
-	uci_load userinterface
-
-	if ! uci_get userinterface _sulu_s >/dev/null 2>&1; then
+	if [ -f "/etc/config/userinterface" ]; then
 		uci_add userinterface http_access _sulu_s
 		uci_set userinterface _sulu_s path_prefix '/sulu'
 		uci_set userinterface _sulu_s port '8443'
-		uci_add_list userinterface _sulu_s _nginx_include '/etc/sulu/nginx.locations'
+		uci_set userinterface _sulu_s _nginx_include '/etc/sulu/nginx.locations'
 		uci_set userinterface _sulu_s _nginx_uci_manage_ssl 'self-signed'
 		uci_set userinterface _sulu_s _nginx_ssl_certificate '/etc/nginx/conf.d/_lan.crt'
 		uci_set userinterface _sulu_s _nginx_ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
 		uci_set userinterface _sulu_s _nginx_ssl_session_cache 'none'
+		uci_set userinterface _sulu_s _nginx_error_page '503 /maintenance.html'
 		uci_set userinterface _sulu_s protocol 'HTTPS'
-		uci_add_list userinterface _sulu_s role 'admin'
-		uci_add_list userinterface _sulu_s role 'user'
-	fi
+		uci_set userinterface _sulu_s role 'admin user'
 
-	if ! uci_get userinterface _suluredirect >/dev/null 2>&1; then
 		uci_add userinterface http_access _suluredirect
 		uci_set userinterface _suluredirect redirect '_sulu_s'
 		uci_set userinterface _suluredirect protocol 'HTTP'

sulu/sulu-builder/files/etc/uci-defaults/41-make-sulu-default-ui

@@ -2,23 +2,16 @@
 
 . /lib/functions.sh
 
-uci_load nginx
-# this is to make sure to not mess up existing config
-if uci_get nginx _sulu_s >/dev/null 2>&1; then
-  exit 0
-fi
-
 update_default_nginx_listner() {
-
-  if [ ! -f /etc/config/nginx ]; then
-    return
+  if [ ! -f "/etc/config/nginx" ]; then
+    return 0
   fi
 
   if ! uci_get nginx _lan >/dev/null 2>&1; then
-    return
+    return 0
   fi
 
-  if ! opkg list-installed |grep -q "luci "; then
+  if ! opkg list-installed | grep -q "^luci "; then
     echo "Luci not installed, removing luci config"
     uci_remove nginx _lan
     uci_remove nginx _redirect2ssl
@@ -28,7 +21,7 @@ update_default_nginx_listner() {
     uci_add_list nginx _lan listen "[::]:8443 ssl default_server"
 
     if ! uci_get nginx _redirect2ssl >/dev/null 2>&1; then
-        return
+        return 0
     fi
 
     uci_remove nginx _redirect2ssl listen
@@ -39,17 +32,19 @@ update_default_nginx_listner() {
 }
 
 move_sulu_to_443_and_80() {
-  uci_load userinterface
-  if [ ! -f /etc/config/userinterface ]; then
-    return
+  if ! config_load userinterface; then
+    return 0
   fi
 
   set_port() {
-    local protocol
+    local protocol port
+
     config_get protocol "$1" protocol
-    if [ "$protocol" == "HTTPS" ]; then
+    config_get port "$1" port
+
+    if [ "$protocol" == "HTTPS" ] && [ "${port}" -eq "8443" ]; then
       uci_set userinterface "$1" port "443"
-    elif [ "$protocol" == "HTTP" ]; then
+    elif [ "$protocol" == "HTTP" ] && [ "${port}" -eq "8080" ]; then
       uci_set userinterface "$1" port "80"
     fi
   }

sulu/sulu-builder/files/etc/users/roles/admin.json

@@ -6,554 +6,7 @@
     "permission": [
       {
         "object": "Device.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Reboot()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SelfTestDiagnostics()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.FactoryReset()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DeviceInfo.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Time.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UPnP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Bridging.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Ethernet.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.Server.Pool.{i}.StaticAddress.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv6.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Hosts.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}ParentalControl.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}OpenVPN.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.NAT.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Firewall.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_SET",
-          "PERMIT_SUBS_VAL_CHANGE"
-        ]
-      },
-      {
-        "object": "Device.Firewall.DMZ.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PPP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Routing.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IEEE1905.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.InterfaceStack.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DynamicDNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LANConfigSecurity.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Security.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.RouterAdvertisement.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Services.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UserInterface.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PeriodicStatistics.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SoftwareModules.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.Users.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.Subscription.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.WiFi.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SSH.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LEDs.LED.{i}.CycleElement.{i}.Brightness",
-        "perm": ["PERMIT_GET", "PERMIT_SET", "PERMIT_GET_INST"]
+        "perm": ["PERMIT_ALL"]
       }
     ]
   }

sulu/sulu-builder/files/etc/users/roles/user.json

@@ -2,533 +2,11 @@
   "tr181": {
     "name": "user",
     "instance": 5,
+    "secure_role": true,
     "permission": [
       {
         "object": "Device.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Reboot()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SelfTestDiagnostics()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.FactoryReset()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DeviceInfo.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Time.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UPnP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Bridging.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Ethernet.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.Server.Pool.{i}.StaticAddress.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv6.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Hosts.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}ParentalControl.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}OpenVPN.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.NAT.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Firewall.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_SET",
-          "PERMIT_SUBS_VAL_CHANGE"
-        ]
-      },
-      {
-        "object": "Device.Firewall.DMZ.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PPP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Routing.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IEEE1905.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.InterfaceStack.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DynamicDNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LANConfigSecurity.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Security.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.RouterAdvertisement.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Services.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UserInterface.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PeriodicStatistics.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SoftwareModules.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.Users.User.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.LocalAgent.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.Subscription.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.WiFi.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SSH.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.LEDs.LED.{i}.CycleElement.{i}.Brightness",
-        "perm": ["PERMIT_GET", "PERMIT_SET", "PERMIT_GET_INST"]
+        "perm": ["PERMIT_ALL"]
       }
     ]
   }

sulu/sulu-builder/files/maintenance.html

@@ -0,0 +1,248 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Router Interface Loading...</title>
+    <style>
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      body {
+        font-family:
+          -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu,
+          sans-serif;
+        background: linear-gradient(135deg, #3399ff 0%, #012669 100%);
+        height: 100vh;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        color: #fff;
+      }
+
+      .container {
+        text-align: center;
+        padding: 2rem;
+        background: rgba(255, 255, 255, 0.1);
+        border-radius: 20px;
+        backdrop-filter: blur(10px);
+        box-shadow: 0 20px 40px rgba(0, 0, 0, 0.1);
+        max-width: 400px;
+        width: 90%;
+      }
+
+      .spinner {
+        width: 60px;
+        height: 60px;
+        margin: 0 auto 2rem;
+        position: relative;
+      }
+
+      .spinner::before,
+      .spinner::after {
+        content: "";
+        position: absolute;
+        top: 0;
+        left: 0;
+        width: 100%;
+        height: 100%;
+        border-radius: 50%;
+        border: 3px solid transparent;
+        border-top-color: #fff;
+        animation: spin 1.5s ease-in-out infinite;
+      }
+
+      .spinner::after {
+        animation-delay: 0.15s;
+        border-top-color: rgba(255, 255, 255, 0.5);
+      }
+
+      @keyframes spin {
+        0% {
+          transform: rotate(0deg);
+        }
+        100% {
+          transform: rotate(360deg);
+        }
+      }
+
+      h1 {
+        font-size: 1.8rem;
+        margin-bottom: 1rem;
+        font-weight: 600;
+      }
+
+      p {
+        font-size: 1rem;
+        opacity: 0.9;
+        line-height: 1.5;
+        margin-bottom: 1rem;
+      }
+
+      .status {
+        font-size: 0.9rem;
+        opacity: 0.8;
+        margin-top: 1.5rem;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        gap: 0.5rem;
+      }
+
+      .status-dot {
+        width: 8px;
+        height: 8px;
+        background: #fff;
+        border-radius: 50%;
+        animation: pulse 1.5s ease-in-out infinite;
+      }
+
+      @keyframes pulse {
+        0%,
+        100% {
+          opacity: 0.3;
+        }
+        50% {
+          opacity: 1;
+        }
+      }
+
+      .retry-count {
+        font-size: 0.85rem;
+        opacity: 0.7;
+        margin-top: 0.5rem;
+      }
+
+      .error-message {
+        background: rgba(255, 59, 48, 0.2);
+        border: 1px solid rgba(255, 59, 48, 0.5);
+        padding: 0.75rem;
+        border-radius: 8px;
+        margin-top: 1rem;
+        font-size: 0.9rem;
+        display: none;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="spinner"></div>
+      <h1>Router Starting Up</h1>
+      <p>
+        The web interface is initializing. You'll be redirected automatically
+        once it's ready.
+      </p>
+
+      <div class="status">
+        <span class="status-dot"></span>
+        <span id="statusText">Checking availability...</span>
+      </div>
+
+      <div class="retry-count" id="retryCount"></div>
+      <div class="error-message" id="errorMessage"></div>
+    </div>
+
+    <script>
+      let retryCount = 0;
+      let checkInterval = 2000; // Start with 2 seconds
+      let maxInterval = 10000; // Max 10 seconds between checks
+      let consecutiveFailures = 0;
+      let maxConsecutiveFailures = 100; // Stop after 100 consecutive failures (~8-10 minutes)
+
+      function updateStatus(message) {
+        document.getElementById("statusText").textContent = message;
+      }
+
+      function updateRetryCount() {
+        retryCount++;
+        const retryElement = document.getElementById("retryCount");
+        retryElement.textContent = `Attempt ${retryCount}`;
+      }
+
+      function showError(message) {
+        const errorElement = document.getElementById("errorMessage");
+        errorElement.textContent = message;
+        errorElement.style.display = "block";
+      }
+
+      async function checkAvailability() {
+        updateRetryCount();
+        updateStatus("Connecting to router...");
+
+        try {
+          // Try to fetch the index page
+          const response = await fetch("/index.html", {
+            method: "HEAD", // Use HEAD to minimize bandwidth
+            cache: "no-cache",
+            mode: "no-cors", // Allow checking even with CORS restrictions
+          });
+
+          // If we get any response (even 404), the server is responding
+          // For a router, we typically want to redirect on 200 or 304
+          if (response.ok || response.status === 304) {
+            updateStatus("Router ready! Redirecting...");
+            consecutiveFailures = 0;
+
+            // Small delay for user feedback
+            setTimeout(() => {
+              window.location.reload();
+            }, 500);
+            return true;
+          } else if (response.status !== 503) {
+            // Server is responding but page not ready yet
+            updateStatus(`Server responding (${response.status}), waiting...`);
+            consecutiveFailures = 0;
+          }
+        } catch (error) {
+          // Network error - server not reachable
+          consecutiveFailures++;
+
+          if (consecutiveFailures > maxConsecutiveFailures) {
+            updateStatus("Connection timeout");
+            showError(
+              "Unable to connect to router. Please check your connection and refresh this page.",
+            );
+            return true; // Stop checking
+          }
+
+          updateStatus("Router not ready yet...");
+
+          // Implement exponential backoff
+          if (consecutiveFailures > 5) {
+            checkInterval = Math.min(checkInterval * 1.2, maxInterval);
+          }
+        }
+
+        return false;
+      }
+
+      async function startChecking() {
+        // Initial check
+        const isReady = await checkAvailability();
+        if (isReady) return;
+
+        // Continue checking
+        const intervalId = setInterval(async () => {
+          const isReady = await checkAvailability();
+          if (isReady) {
+            clearInterval(intervalId);
+          }
+        }, checkInterval);
+      }
+
+      // Start checking when page loads
+      window.addEventListener("DOMContentLoaded", () => {
+        // Small initial delay to show the UI
+        setTimeout(startChecking, 500);
+      });
+
+      // Also try to check if user clicks anywhere on the page
+      document.addEventListener("click", () => {
+        checkAvailability();
+      });
+    </script>
+  </body>
+</html>

sulu/sulu-theme-genexis/Makefile

@@ -5,11 +5,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-theme-genexis
-PKG_VERSION:=5.0.3
+PKG_VERSION:=5.1.8
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/sulu-theme-genexis
-PKG_SOURCE_VERSION:=69b72c2e589a3f73db3cb219ee7f59ab40b1bf48
+PKG_SOURCE_VERSION:=d329108aa49a0d57325cd8e639c80ba70c126f3f
 PKG_MIRROR_HASH:=skip
 
 include ../sulu-builder/sulu.mk

sulu/sulu-vendorext/Makefile

@@ -0,0 +1,34 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=sulu-vendorext
+PKG_VERSION:=0.0.4
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=none
+
+include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/iopsys/bbfdm/bbfdm.mk
+
+
+define Package/sulu-vendorext
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Adds sulu-vendorext extensions
+endef
+
+define Build/Compile
+endef
+
+define Package/sulu-vendorext/install
+	$(BBFDM_INSTALL_MS_PLUGIN) ./extn/X_GENEXIS_EU.json $(1) sysmngr
+	$(BBFDM_INSTALL_MS_PLUGIN) ./extn/X_GENEXIS_EU_wan.json $(1) sysmngr
+
+	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) suluvendorext
+	$(BBFDM_INSTALL_MS_DM) ./extn/X_IOWRT_EU_MAPController.json $(1) suluvendorext
+
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,sulu-vendorext))

sulu/sulu-vendorext/bbfdm_service.json

@@ -0,0 +1,16 @@
+{
+  "daemon": {
+    "enable": "1",
+    "service_name": "suluvendorext",
+    "unified_daemon": false,
+    "services": [
+      {
+        "parent_dm": "Device.",
+        "object": "X_IOWRT_EU_MAPController"
+      }
+    ],
+    "config": {
+      "loglevel": "3"
+    }
+  }
+}

sulu/sulu-vendorext/extn/X_GENEXIS_EU.json

@@ -0,0 +1,140 @@
+{
+        "Device.DeviceInfo.X_GENEXIS_EU.": {
+                "type": "object",
+                "version": "1.00",
+                "protocols": [
+                        "cwmp",
+                        "usp"
+                ],
+                "access": false,
+                "array": false,
+                "is_primary_node": {
+                        "type": "boolean",
+                        "version": "1.00",
+                        "read": true,
+                        "write": false,
+                        "protocols": [
+                                "cwmp",
+                                "usp"
+                        ],
+                        "mapping": [
+                                {
+                                        "type": "uci",
+                                        "uci": {
+                                                "file": "heimgard",
+                                                "section": {
+                                                        "name": "routeragent"
+                                                },
+                                                "option": {
+                                                        "name": "is_master"
+                                                }
+                                        }
+                                }
+                        ]
+                },
+                "meshmode": {
+                        "type": "string",
+                        "version": "1.00",
+                        "read": true,
+                        "write": true,
+                        "protocols": [
+                                "cwmp",
+                                "usp"
+                        ],
+                        "mapping": [
+                                {
+                                        "rpc": "get",
+                                        "type": "ubus",
+                                        "ubus": {
+                                                "object": "meshmode",
+                                                "method": "status",
+                                                "key": "mode"
+                                        }
+                                },
+                                {
+                                        "rpc": "set",
+                                        "type": "ubus",
+                                        "ubus": {
+                                                "object": "meshmode",
+                                                "method": "change_meshmode",
+                                                "args": {
+                                                        "mode": "@Value"
+                                                }
+                                        }
+                                }
+                        ]
+                },
+                "wizardHasBeenUsed": {
+                        "type": "boolean",
+                        "version": "1.00",
+                        "read": true,
+                        "write": true,
+                        "protocols": [
+                                "cwmp",
+                                "usp"
+                        ],
+                        "mapping": [
+                                {
+                                        "type": "uci",
+                                        "uci": {
+                                                "file": "heimgard",
+                                                "section": {
+                                                        "name": "settings"
+                                                },
+                                                "option": {
+                                                        "name": "wizard_executed"
+                                                }
+                                        }
+                                }
+                        ]
+                },
+                "LocalTimeZone": {
+                        "type": "string",
+                        "version": "1.00",
+                        "read": true,
+                        "write": true,
+                        "protocols": [
+                                "cwmp",
+                                "usp"
+                        ],
+                        "mapping": [
+                                {
+                                        "type": "uci",
+                                        "uci": {
+                                                "file": "system",
+                                                "section": {
+                                                        "name": "@system[0]"
+                                                },
+                                                "option": {
+                                                        "name": "timezone"
+                                                }
+                                        }
+                                }
+                        ]
+                },
+                "LocalTimeZoneName": {
+                        "type": "string",
+                        "version": "1.00",
+                        "read": true,
+                        "write": true,
+                        "protocols": [
+                                "cwmp",
+                                "usp"
+                        ],
+                        "mapping": [
+                                {
+                                        "type": "uci",
+                                        "uci": {
+                                                "file": "system",
+                                                "section": {
+                                                        "name": "@system[0]"
+                                                },
+                                                "option": {
+                                                        "name": "zonename"
+                                                }
+                                        }
+                                }
+                        ]
+                }
+        }
+}

sulu/sulu-vendorext/extn/X_GENEXIS_EU_wan.json

@@ -0,0 +1,487 @@
+{
+    "Device.DeviceInfo.X_GENEXIS_EU.Wan.": {
+        "type": "object",
+        "version": "1.00",
+        "protocols": [
+            "cwmp",
+            "usp"
+        ],
+        "access": false,
+        "array": false,
+        "proto": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "proto"
+                        },
+                        "key": "proto"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "proto",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        },
+        "ipaddr": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "status",
+                        "args": {},
+                        "key": "ipaddr"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "ipaddr"
+                        }
+                    }
+                }
+            ]
+        },
+        "netmask": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "status",
+                        "args": {},
+                        "key": "netmask"
+                    }
+                },
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "netmask"
+                        }
+                    }
+                }
+            ]
+        },
+        "gateway": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "status",
+                        "args": {},
+                        "key": "gateway"
+                    }
+                },
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "gateway"
+                        }
+                    }
+                }
+            ]
+        },
+        "peerdns": {
+            "type": "boolean",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "peerdns"
+                        }
+                    }
+                }
+            ]
+        },
+        "dns": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "dns"
+                        }
+                    }
+                }
+            ]
+        },
+        "hostname": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "hostname"
+                        }
+                    }
+                }
+            ]
+        },
+        "NAT": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "firewall",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "masq"
+                        }
+                    }
+                }
+            ]
+        },
+        "mtu": {
+            "type": "unsignedInt",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "type": "uci",
+                    "uci": {
+                        "file": "network",
+                        "section": {
+                            "name": "wan"
+                        },
+                        "option": {
+                            "name": "mtu"
+                        }
+                    }
+                }
+            ]
+        },
+        "vid": {
+            "type": "unsignedInt",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "vid"
+                        },
+                        "key": "vid"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "vid",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        },
+        "username": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "username"
+                        },
+                        "key": "username"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "username",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        },
+        "password": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "password"
+                        },
+                        "key": "password"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "password",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        },
+        "service": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "service"
+                        },
+                        "key": "service"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "service",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        },
+        "ac": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "ac"
+                        }
+                    },
+                    "key": "ac"
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "ac",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        },
+        "keepalive": {
+            "type": "string",
+            "version": "1.00",
+            "read": true,
+            "write": true,
+            "protocols": [
+                "cwmp",
+                "usp"
+            ],
+            "mapping": [
+                {
+                    "rpc": "get",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "get",
+                        "args": {
+                            "param": "keepalive"
+                        },
+                        "key": "keepalive"
+                    }
+                },
+                {
+                    "rpc": "set",
+                    "type": "ubus",
+                    "ubus": {
+                        "object": "genexis.wan",
+                        "method": "set",
+                        "args": {
+                            "param": "keepalive",
+                            "value": "@Value"
+                        }
+                    }
+                }
+            ]
+        }
+    }
+}

sulu/sulu-vendorext/extn/X_IOWRT_EU_MAPController.json

@@ -0,0 +1,206 @@
+{
+  "json_plugin_version": 2,
+  "Device.X_IOWRT_EU_MAPController.": {
+    "type": "object",
+    "protocols": [
+      "usp"
+    ],
+    "access": false,
+    "array": false,
+    "Device.X_IOWRT_EU_MAPController.Controller.": {
+      "type": "object",
+      "protocols": [
+        "usp"
+      ],
+      "access": false,
+      "array": false,
+      "dependency": "file:/etc/config/mapcontroller",
+      "Enable": {
+        "type": "boolean",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "default": true,
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "controller"
+              },
+              "option": {
+                "name": "enabled"
+              }
+            }
+          }
+        ]
+      },
+      "ChannelPlan": {
+        "type": "unsignedInt",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "controller"
+              },
+              "option": {
+                "name": "channel_plan_interval"
+              }
+            }
+          }
+        ]
+      },
+      "AllowBackgroundDFS": {
+        "type": "unsignedInt",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "controller"
+              },
+              "option": {
+                "name": "bgdfs_interval"
+              }
+            }
+          }
+        ]
+      },
+      "TrafficSeparation": {
+        "type": "boolean",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "controller"
+              },
+              "option": {
+                "name": "traffic_separation"
+              }
+            }
+          }
+        ]
+      },
+      "InitialChannelScan": {
+        "type": "boolean",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "controller"
+              },
+              "option": {
+                "name": "initial_scan"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "Device.X_IOWRT_EU_MAPController.STASteering.": {
+      "type": "object",
+      "protocols": [
+        "usp"
+      ],
+      "access": false,
+      "array": false,
+      "dependency": "file:/etc/config/mapcontroller",
+      "STASteering": {
+        "type": "boolean",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "sta_steering"
+              },
+              "option": {
+                "name": "enable_sta_steer"
+              }
+            }
+          }
+        ]
+      },
+      "BackhaulSTASteering": {
+        "type": "boolean",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "sta_steering"
+              },
+              "option": {
+                "name": "enable_bsta_steer"
+              }
+            }
+          }
+        ]
+      },
+      "BandSteering": {
+        "type": "boolean",
+        "read": true,
+        "write": true,
+        "protocols": [
+          "usp"
+        ],
+        "mapping": [
+          {
+            "type": "uci",
+            "uci": {
+              "file": "mapcontroller",
+              "section": {
+                "name": "sta_steering"
+              },
+              "option": {
+                "name": "bandsteer"
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+}

sulu/sulu-vendorext/files/etc/config/heimgard

@@ -0,0 +1,36 @@
+config ota 'ota'
+  # Allow firmware upgrades, defaults true
+  option firmware 'true'
+  # Allow download of arbituary files
+  option file_download 'true'
+  # Allow to download software packages
+  option software 'false'
+  # Allow to download personalization files (isp/customer settings)
+  option customer_settings 'false'
+  option mirror_url '$fwenv$upgrade_ota_url|https://upgradeserver$'
+  option crontab_entry "$(date +%M) * * * *"
+  list softwarelist 'ping_container'
+  list softwarelist 'pingcom_ota'
+  option interval 'nightly'
+  option registry_service_enabled '$fwenv$registry_service_enabled|1$'
+  option registry_service_url '$fwenv$registry_service_url|https://registry.hc-apis.com$'
+  option verbose_level '6'
+
+config routeragent 'routeragent'
+  option is_master 'false'
+  option onboarded 'false'
+
+config containers 'containers'
+  list 'cnt_list' 'f-secure'
+  list 'cnt_list' 'lxc_hello_world'
+
+config services 'state'
+  option mwan3 'disable'
+ 
+config links 'help_support'
+	option support_link 'https://genexis.eu/solutions/support-services/'
+	option faq_link ''
+	option contact_link 'https://genexis.eu/contact'
+	option contact_phone ''
+	option livechat_link ''
+	option contact_times 'Monday – Friday from 09:00 – 17:00'

sulu/sulu-vendorext/files/etc/init.d/sulu_widgets

@@ -0,0 +1,63 @@
+#!/bin/sh /etc/rc.common
+#
+# This script will hide sulu widgets depending on router mode.
+# This is achieved by creating a widget-presets.json file
+# overriding the visibilityControl for each hidden widget.
+#
+# Note: widget names must be unique!
+#
+
+START=61
+
+HIDDEN_WIDGETS_PPPOE=""
+HIDDEN_WIDGETS_BRIDGE="wan-dash wan heimgard-dhcp heimgard-static-lease heimgard-firewall heimgard-internet-access heimgard-upnp"
+HIDDEN_WIDGETS_ROUTER=""
+
+output_file="/sulu/widget-presets/widget-presets.json"
+
+start() {
+	local mode hidden_widgets
+
+	mode=$(ubus call meshmode status | jsonfilter -e '@.mode')
+
+	case "$mode" in
+		pppoe)
+			hidden_widgets=$HIDDEN_WIDGETS_PPPOE
+		;;
+		bridge)
+			hidden_widgets=$HIDDEN_WIDGETS_BRIDGE
+		;;
+		router)
+			hidden_widgets=$HIDDEN_WIDGETS_ROUTER
+		;;
+		default)
+			logger -t "Sulu widgets" "Unable to determine device mode"
+			return 1
+		;;
+	esac
+
+	output_dir=$(dirname "$output_file")
+	if [ ! -d "$output_dir" ]; then
+		mkdir -p "$output_dir"
+	fi
+
+	echo "{" > "$output_file"
+
+	first=1
+	for widget in $hidden_widgets; do
+		if [ $first -eq 0 ]; then
+			echo "  ," >> "$output_file"
+		fi
+		first=0
+
+		echo '  "'$widget'": {' >> "$output_file"
+		echo '    "visibilityControl": "hide"' >> "$output_file"
+		echo '  }' >> "$output_file"
+	done
+
+	echo "}" >> "$output_file"
+}
+
+reload() {
+        start
+}

sulu/sulu-vendorext/files/lib/sulu_functions.sh

@@ -0,0 +1,198 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3043,SC3043
+
+. /usr/share/libubox/jshn.sh
+. /lib/functions/network.sh
+
+persistent_file="/tmp/sulu.json"
+
+init_json() {
+	json_init
+	[ -f "${persistent_file}" ] && json_load_file "${persistent_file}"
+	json_add_int "schema_version" "1"
+	if ! json_select "network" >/dev/null; then
+		json_add_object "network"
+	fi
+
+	if ! json_select "wan" >/dev/null; then
+		local current_dev=""
+		local current_proto=""
+		local current_vid=""
+		local current_mtu=""
+		local current_username=""
+		local current_password=""
+		local default_gw_interface=""
+		# Load current settings
+		network_find_wan default_gw_interface
+		[ -z "${default_gw_interface}" ] && default_gw_interface="wan"
+		current_dev="$(uci -q get network."${default_gw_interface}".device)"
+		current_proto="$(uci -q get network."${default_gw_interface}".proto || echo "dhcp")"
+		current_vid="$(uci -q get network."${current_dev}".vid)"
+		current_mtu="$(uci -q get network."${default_gw_interface}".mtu)"
+		if [ "pppoe" = "${current_proto}" ]; then
+			current_username="$(uci -q get network."${default_gw_interface}".username)"
+			current_password="$(uci -q get network."${default_gw_interface}".password)"
+		fi
+		json_add_array "wan"
+		json_add_object
+		json_add_string "name" "wan"
+		json_add_string "proto" "${current_proto}"
+		[ -n "${current_vid}" ] && json_add_int "vlan_id" "${current_vid}"
+		[ -n "${current_mtu}" ] && json_add_int "mtu" "${current_mtu}"
+		[ -n "${current_username}" ] && json_add_string "username" "${current_username}"
+		[ -n "${current_password}" ] && json_add_string "password" "${current_password}"
+		json_close_object
+	fi
+	json_close_object
+	json_close_object
+	if ! json_select "netmode" >/dev/null; then
+		json_add_object "netmode"
+	fi
+	json_close_object
+}
+
+save_and_exit() {
+	json_dump >"${persistent_file}"
+	exit 0
+}
+
+save_userconf() {
+	json_dump >"${persistent_file}"
+	# reload opconf to apply changes from persistent file, discarding output
+	opconf "${persistent_file}" > /dev/null 2>&1
+	# Commit network changes
+	ubus call uci commit '{"config": "network"}'
+}
+
+# Create skeleton file if it doesn't exists after that load in $persistent_file
+init_json
+
+go_L2() {
+	logger -s -p user.info -t "netmode" "User has manually chosen L2; switching to Layer2 mode"
+	local old_cb
+	json_set_namespace set_wan_param old_cb
+	init_json
+	json_select "netmode"
+	json_add_string "current" "layer2"
+	json_select ..
+	save_userconf
+	json_set_namespace old_cb
+}
+
+# Set netmode in uboot to correct mode, remove marker so network config is regenerated and reboot
+go_L3() {
+	logger -p user.info -t "netmode" "User has manually chosen L3; switching to Layer3/Full mode"
+	local old_cb
+	json_set_namespace set_wan_param old_cb
+	init_json
+	json_select "network"
+	json_select "wan"
+	if ! json_is_a 1 object; then
+		json_add_object
+	else
+		json_select 1
+	fi
+	json_add_string "name" "wan"
+	json_add_string "proto" "dhcp"
+	json_add_int "vlan_id" 0
+	json_close_object
+	json_select ..
+	json_select ..
+	json_select "netmode"
+	json_add_string "current" "layer3"
+	json_select ..
+	save_userconf
+	json_set_namespace old_cb
+}
+
+go_pppoe() {
+	local username="${1}"
+	local password="${2}"
+	local enable_vid="${3:-1}"
+	local vid="${4:-0}"
+	local mtu="${5:-1500}"
+	local old_cb
+	json_set_namespace set_wan_param old_cb
+	init_json
+	logger -p user.info -t "netmode" "User has manually chosen pppoe; switching to pppoe mode"
+	logger -p user.info -t "netmode" "params - username:${username} password:${password} enable:${enable_vid} vid:${vid} mtu:${mtu}"
+	json_select "network"
+	json_select "wan"
+	if ! json_is_a 1 object; then
+		json_add_object
+	else
+		json_select 1
+	fi
+	json_add_string "name" "wan"
+	json_add_string "proto" "pppoe"
+	json_add_int "vlan_id" "${vid}"
+	json_add_string "username" "${username}"
+	json_add_string "password" "${password}"
+	json_add_int "mtu" "${mtu}"
+	json_close_object
+	json_select ..
+	json_select ..
+	json_select "netmode"
+	json_add_string "current" "pppoe"
+	save_userconf
+	json_set_namespace old_cb
+}
+
+# shellcheck disable=SC3043
+set_wan_param() {
+	local name="${1:?}"
+	local value="${2:?}"
+	# shellcheck disable=SC2034
+	local old_cb
+	json_set_namespace set_wan_param old_cb
+	init_json
+	json_select "network"
+	json_select "wan"
+	if ! json_is_a 1 object; then
+		json_add_object
+	else
+		json_select 1
+	fi
+	json_add_string "name" "wan"
+	case "${name}" in
+	proto | username | password)
+		json_add_string "${name}" "${value}"
+		;;
+	vid | vland_id)
+		json_add_int "vlan_id" "${value}"
+		;;
+	mtu)
+		json_add_int "mtu" "${value}"
+		;;
+	*)
+		logger "sulu_functions: Unkown name '${name}' in set_wan_param"
+		;;
+	esac
+	json_close_object
+	json_select ..
+	json_select ..
+	logger -s "sulu_functions Name: '${name}'='${value}'"
+	save_userconf
+	json_set_namespace old_cb
+}
+# shellcheck disable=SC3043
+# Parses all jsons in /opconf, returns active variable_name
+get_wan_value() {
+	local variable_name="${1:?}"
+	local value_from_opconf=""
+	local final_config=""
+	local json_file=""
+
+	case "${variable_name}" in
+	"vid")
+		variable_name="vlan_id"
+		;;
+	*) ;;
+	esac
+
+	for json_file in /opconf/*.json ${persistent_file}; do
+		value_from_opconf="$(jsonfilter -e "@.network.wan[@.name='wan'].${variable_name}" <"${json_file}")"
+		[ -n "${value_from_opconf}" ] && final_config="${value_from_opconf}"
+	done
+	echo "${final_config}"
+}

sulu/sulu-vendorext/files/usr/libexec/rpcd/genexis.wan

@@ -0,0 +1,110 @@
+#!/bin/sh
+# shellcheck disable=SC3043,SC1091,SC2140
+. /usr/share/libubox/jshn.sh
+. /lib/functions/network.sh
+. /lib/sulu_functions.sh
+
+cidr_to_netmask() {
+    value=$((0xffffffff ^ ((1 << (32 - $1)) - 1)))
+    echo "$(((value >> 24) & 0xff)).$(((value >> 16) & 0xff)).$(((value >> 8) & 0xff)).$((value & 0xff))"
+}
+
+# setValue() - Set the value of the given WAN parameter.
+#
+# Args:
+#  $1 - The parameter name.
+#  $2 - The new value of the parameter.
+#
+# Notes:
+#  If the parameter name is "vid", the value of the "vid" option is read from
+#  the appropriate section (based on the value of the "device" option in the
+#  "network.wan" section). Otherwise, the value of the parameter is read from
+#  the "network.wan" section.
+#
+#  If the parameter name is "vid", it is checked if the value is 0, 1 or empty.
+#  If so, it does not create a new vlan interface. Otherwise, it creates a new
+#  vlan interface with the given vid.
+setValue() {
+    local paramName="${1}"
+    local paramValue="${2}"
+    local default_gw_interface=""
+    network_find_wan default_gw_interface
+    if [ -z "${default_gw_interface}" ]; then
+        default_gw_interface=wan
+    fi
+    case "$paramName" in
+    "vid")
+        set_wan_param "vid" "$paramValue"
+        ;;
+    "username")
+        set_wan_param "username" "$paramValue"
+        ;;
+    "password")
+		set_wan_param "password" "$paramValue"
+        ;;
+    "mtu")
+		set_wan_param "mtu" "$paramValue"
+        ;;
+     "proto")
+		set_wan_param "proto" "${paramValue}"
+        touch /tmp/netmode_changed
+        ;;
+    *)
+        ;;
+    esac
+}
+
+case "$1" in
+list)
+    json_init
+    json_add_object "status"
+    json_close_object
+    json_add_object "get"
+    json_add_string "param" ""
+    json_close_object
+    json_add_object "set"
+    json_add_string "param" ""
+    json_close_object
+    json_dump
+
+    ;;
+call)
+    case "$2" in
+    status)
+        network_find_wan default_gw_interface
+        wan_json="$(ubus call network.interface."${default_gw_interface}" status)"
+        ipaddr="$(echo "$wan_json" | jsonfilter -e '@["ipv4-address"][0].address')"
+        netmask="$(echo "$wan_json" | jsonfilter -e '@["ipv4-address"][0].mask')"
+        gateway="$(echo "$wan_json" | jsonfilter -e '@["route"][0].nexthop')"
+        if [ -n "$netmask" ]; then
+            netmask=$(cidr_to_netmask "$netmask")
+        fi
+        json_init
+        json_add_string ipaddr "$ipaddr"
+        json_add_string netmask "$netmask"
+        json_add_string gateway "$gateway"
+        json_dump
+        ;;
+    get)
+        read -r input
+        _param=$(echo "$input" | jsonfilter -e '@.param')
+        value="$(get_wan_value "$_param")"
+
+        json_init
+        json_add_string "$_param" "${value}"
+        json_dump
+        ;;
+
+    set)
+        read -r input
+        _param="$(echo "$input" | jsonfilter -e '@.param')"
+        value="$(echo "$input" | jsonfilter -e '@.value')"
+        logger -t "genexis.wan" "_param: ${_param} value: ${value}"
+        json_init
+        reply="$(set_wan_param "$_param" "$value")"
+        json_add_string "status" "${reply}"
+        json_dump
+        ;;
+    esac
+    ;;
+esac

sulu/sulu-vendorext/files/usr/libexec/rpcd/meshmode

@@ -0,0 +1,93 @@
+#!/bin/sh
+# shellcheck disable=SC3043,SC1091
+. /usr/share/libubox/jshn.sh
+. /lib/sulu_functions.sh
+
+init_json
+
+get_netmode() {
+	local _netmode
+	if [ -f "${persistent_file}" ]; then
+		json_init
+		json_load_file "${persistent_file}"
+		if json_select netmode; then
+			json_get_var _netmode current "unknown"
+			json_select ..
+		fi
+	else
+		_netmode="unknown"
+	fi
+
+	case "${_netmode}" in
+	extender | layer2)
+		echo "bridge"
+		;;
+	layer3)
+		echo "router"
+		;;
+	pppoe)
+		echo "pppoe"
+		;;
+	*)
+		ifstatus wan >/dev/null 2>&1 && echo "router" || echo "unknown"
+		;;
+	esac
+}
+
+netmode="$(get_netmode)"
+
+case "$1" in
+list)
+	echo '{ "status" : {}, "change_meshmode" : {"mode":"String"}}'
+	;;
+call)
+	mode=""
+	case "$2" in
+	status)
+		if [ -z "${netmode}" ]; then
+			echo "{\"status\":\"Mode unknown\"}"
+		else
+			echo "{\"mode\":\"${netmode}\"}"
+		fi
+		;;
+	change_meshmode)
+		# Read the JSON object provided for the arguments
+		read -r input
+
+		json_load "${input}"
+
+		json_get_var mode mode
+
+		if [ "${mode}" = "${netmode}" ] && [ "${mode}" != "pppoe" ] && [ ! -f /tmp/netmode_changed ]; then
+			echo '{"status":"no_change"}' && return
+		fi
+
+		if [ "${mode}" = "bridge" ]; then
+			echo '{"status": "ok"}'
+			go_L2
+		elif [ "${mode}" = "router" ]; then
+			echo '{"status": "ok"}'
+			go_L3
+		elif [ "${mode}" = "pppoe" ]; then
+			username="$(get_wan_value "username")"
+			password="$(get_wan_value "password")"
+			vid="$(get_wan_value "vlan_id")"
+			mtu="$(get_wan_value "mtu")"
+
+			enable=0
+			if [ "${vid}" -gt 0 ]; then
+				enable=1
+			fi
+
+			echo '{"status": "ok"}'
+			logger "'${username}' '${password}' '${enable}' '${vid}' '${mtu}'"
+			go_pppoe "${username}" "${password}" "${enable}" "${vid}" "${mtu}"
+		else
+			echo '{"status":"Wrong value"}'
+		fi
+		;;
+	*) ;;
+	esac
+	;;
+*) ;;
+esac

timemngr/files/etc/uci-defaults/96-system-ntp-migrate

@@ -85,6 +85,7 @@ migrate_timemngr_config() {
 	fi
 
 	uci -q delete system.ntp
+	return 0
 }
 
 migrate_timemngr_config

tr104/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tr104
-PKG_VERSION:=1.0.37.1
+PKG_VERSION:=1.0.37.2
 
 LOCAL_DEV:=0
 ifeq ($(LOCAL_DEV),0)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/voice/tr104.git
-PKG_SOURCE_VERSION:=bc1595a611540cdce7f0bef098b2fb1152e227ad
+PKG_SOURCE_VERSION:=eb8f4878451318bcfcba5716282e72d5a84adae6
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

tr143/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tr143
-PKG_VERSION:=1.1.3
+PKG_VERSION:=1.1.3.2
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/tr143d.git
-PKG_SOURCE_VERSION:=33ad5cb86a09800510eb7faefc3edf30b56be41a
+PKG_SOURCE_VERSION:=54c76c7afd4eb45d929f3512e96f572f2ad4e2ea
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

userinterface/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=userinterface
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.9
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/userinterface.git
-PKG_SOURCE_VERSION:=02bedd40e083cc456b2abed8f711b45c93061815
+PKG_SOURCE_VERSION:=a5970a83b8ac79c4577edc6a994b850cdbe1c82f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -28,7 +28,7 @@ define Package/userinterface
   SUBMENU:=TRx69
   TITLE:=Package to add Device.UserInterface. datamodel support using bbfdm
   DEPENDS:=+USERINTERFACE_HTTPACCESS_BACKEND_NGINX:nginx
-  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
+  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service +libeasy
   MENU:=1
 endef
 

usermngr/Config.in

@@ -0,0 +1,21 @@
+if PACKAGE_usermngr
+
+config USERMNGR_SECURITY_HARDENING
+	bool "Security hardening mechanisms"
+	default y
+	help
+	   Enable this option to use PAM based faillock, passwdqc, faildelay for security hardening.
+
+config USERMNGR_ENABLE_AUTH_VENDOR_EXT
+	depends on USERMNGR_SECURITY_HARDENING
+	bool "Exposes vendor datamodel extensions for AuthenticationPolicy"
+	default y
+	help
+	   Enable this option to expose TR181 vendor extensions for AuthenticationPolicy.
+
+config USERMNGR_VENDOR_PREFIX
+	depends on USERMNGR_ENABLE_AUTH_VENDOR_EXT
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
+
+endif

usermngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=usermngr
-PKG_VERSION:=1.3.10
+PKG_VERSION:=1.4.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/usermngr.git
-PKG_SOURCE_VERSION:=37db3e216e508b19228479f39b935caa61815d06
+PKG_SOURCE_VERSION:=defe0165931a1cee032ff2bd9e9911a4f1874e18
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -28,9 +28,14 @@ define Package/usermngr
   SECTION:=utils
   CATEGORY:=Utilities
   SUBMENU:=TRx69
-  DEPENDS:= +shadow-utils +libopenssl +libuci +libubox +ubus
+  DEPENDS:=+shadow-utils +libopenssl +libuci +libubox +ubus
   DEPENDS+=+libbbfdm-api +libbbfdm-ubus +bbfdmd
   DEPENDS+=+@BUSYBOX_CONFIG_ADDUSER +@BUSYBOX_CONFIG_DELUSER +@BUSYBOX_CONFIG_ADDGROUP +@BUSYBOX_CONFIG_DELGROUP +shadow-usermod
+  DEPENDS+=+@BUSYBOX_CONFIG_CMP
+  DEPENDS+=+@USERMNGR_SECURITY_HARDENING:SHADOW_UTILS_USE_PAM
+  DEPENDS+=+@USERMNGR_SECURITY_HARDENING:BUSYBOX_CONFIG_PAM
+  DEPENDS+=+USERMNGR_SECURITY_HARDENING:linux-pam
+  DEPENDS+=+USERMNGR_SECURITY_HARDENING:passwdqc
   TITLE:=Package to add Device.Users. datamodel support
 endef
 
@@ -38,12 +43,32 @@ define Package/usermngr/description
   Package to add Device.Users. datamodel support
 endef
 
+define Package/$(PKG_NAME)/config
+        source "$(SOURCE)/Config.in"
+endef
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
 	$(CP) -rf ~/git/usermngr/* $(PKG_BUILD_DIR)/
 endef
 endif
 
+ifeq ($(CONFIG_USERMNGR_SECURITY_HARDENING),y)
+MAKE_FLAGS += USERMNGR_SECURITY_HARDENING=y
+endif
+
+ifeq ($(CONFIG_USERMNGR_ENABLE_AUTH_VENDOR_EXT),y)
+MAKE_FLAGS += USERMNGR_ENABLE_AUTH_VENDOR_EXT=y
+endif
+
+ifeq ($(CONFIG_USERMNGR_VENDOR_PREFIX),"")
+VENDOR_PREFIX = $(CONFIG_BBF_VENDOR_PREFIX)
+else
+VENDOR_PREFIX = $(CONFIG_USERMNGR_VENDOR_PREFIX)
+endif
+
+TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(VENDOR_PREFIX)\\\"
+
 define Package/usermngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/config
@@ -52,6 +77,13 @@ define Package/usermngr/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-sync-shells $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-sync-roles $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_USERMNGR_SECURITY_HARDENING),y)
+	$(INSTALL_BIN) ./files/etc/uci-defaults/91-security-hardening $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/91-set-ssh-pam $(1)/etc/uci-defaults/
+else
+	$(INSTALL_BIN) ./files/etc/uci-defaults/91-disabled-security $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/91-unset-ssh-pam $(1)/etc/uci-defaults/
+endif
 	$(INSTALL_BIN) ./files/etc/init.d/users $(1)/etc/init.d/users
 	$(INSTALL_BIN) ./files/etc/config/users $(1)/etc/config/users
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/usermngr $(1)/usr/sbin/usermngr

usermngr/files/etc/init.d/users

@@ -6,11 +6,189 @@ USE_PROCD=1
 
 PROG=/usr/sbin/usermngr
 
+# List of required .so files
+REQUIRED_MODULES="
+/usr/lib/security/pam_faildelay.so
+/usr/lib/security/pam_faillock.so
+/usr/lib/security/pam_unix.so
+/usr/lib/security/pam_deny.so
+/usr/lib/security/pam_permit.so
+/usr/lib/security/pam_passwdqc.so
+"
+
+check_required_modules() {
+	for mod in $REQUIRED_MODULES; do
+		if [ ! -f "$mod" ]; then
+			logger -p err -t usermngr "ERROR: Cannot setup security policy, missing PAM module: $mod"
+			return 1
+		fi
+	done
+
+	return 0
+}
+
+write_line() {
+	local filepath="$1"
+	local line="$2"
+
+	echo "$line" >> "$filepath"
+}
+
+compare_and_replace() {
+	local src dst
+	src="$1"
+	dst="$2"
+
+	if [ ! -f "$dst" ] || ! cmp -s "$src" "$dst"; then
+		cp "$src" "$dst"
+		logger -t pam_policy_setup "Updated $dst"
+	fi
+}
+
+update_auth() {
+	# Write /etc/pam.d/common-auth
+	local tmp_file pam_file
+	tmp_file="/tmp/common-auth"
+	pam_file="/etc/pam.d/common-auth"
+
+	local auth_enabled="${1}"
+	local enabled="${2}"
+
+	local faildelay="$(uci -q get users.authentication_policy.fail_delay)"
+	local faillock_lockout_time="$(uci -q get users.authentication_policy.faillock_lockout_time)"
+	local faillock_attempts="$(uci -q get users.authentication_policy.faillock_attempts)"
+
+	[ -n "$faildelay" ] || faildelay=3
+	[ -n "$faillock_attempts" ] || faillock_attempts=6
+	[ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
+
+	# Convert seconds to microseconds for pam_faildelay
+	local faildelay_usec=$((faildelay * 1000000))
+
+	rm -f "$tmp_file"
+	touch "$tmp_file"
+
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+		write_line "$tmp_file" "auth	optional	pam_faildelay.so delay=$faildelay_usec"
+		write_line "$tmp_file" "auth	required	pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
+	fi
+
+	write_line "$tmp_file" "auth	sufficient	pam_unix.so nullok_secure"
+
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+		write_line "$tmp_file" "auth	[default=die]	pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
+		write_line "$tmp_file" ""
+	fi
+
+	write_line "$tmp_file" "auth	requisite	pam_deny.so"
+	write_line "$tmp_file" "auth	required	pam_permit.so"
+
+	compare_and_replace "$tmp_file" "$pam_file"
+}
+
+build_pam_passwdqc_line() {
+	local base="password requisite pam_passwdqc.so"
+	local k v line
+
+	for line in $(uci show users.passwdqc 2>/dev/null); do
+		case "$line" in
+			users.passwdqc=*) continue ;;
+			users.passwdqc.enabled=*) continue ;;
+		esac
+
+		k="${line%%=*}"
+		k="${k#users.passwdqc.}"
+		v="${line#*=}"
+		v="${v%\'}"
+		v="${v#\'}"
+		base="$base $k=$v"
+	done
+
+	echo "$base"
+}
+
+# NOTE:
+# for some reason setting min 8 makes passwdqc accept minimum 12 letter password with this configuration
+# if we set it to 12 then we need atleast 16 characters and so on
+# passphrase = 0 means no space separated words
+# passphrase = N means the number of words required for a passphrase or 0 to disable the support for user-chosen passphrases.
+# rest can be figured out from passwdqc man page
+update_password() {
+	local tmp_file pam_file enabled line
+	tmp_file="/tmp/common-password"
+	pam_file="/etc/pam.d/common-password"
+
+	local auth_enabled="${1}"
+
+	rm -f "$tmp_file"
+	touch "$tmp_file"
+
+	# Check if section exists
+	if uci -q get users.passwdqc >/dev/null 2>&1; then
+		# if enabled is not present it is assumed to be 0
+		enabled=$(uci -q get users.passwdqc.enabled || echo "0")
+		if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+			line="$(build_pam_passwdqc_line)"
+			write_line "$tmp_file" "$line"
+		fi
+	fi
+
+	write_line "$tmp_file" "password	[success=1 default=ignore]	pam_unix.so obscure sha512"
+	write_line "$tmp_file" ""
+	write_line "$tmp_file" "password	requisite			pam_deny.so"
+	write_line "$tmp_file" "password	required			pam_permit.so"
+
+	compare_and_replace "$tmp_file" "$pam_file"
+}
+
+update_account() {
+	# Write /etc/pam.d/common-account
+	local tmp_file pam_file
+	tmp_file="/tmp/common-account"
+	pam_file="/etc/pam.d/common-account"
+
+	local auth_enabled="${1}"
+	local enabled="${2}"
+
+	rm -f "$tmp_file"
+	touch "$tmp_file"
+
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
+		write_line "$tmp_file" "account 	required       		pam_faillock.so"
+	fi
+
+	write_line "$tmp_file" "account		[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so"
+	write_line "$tmp_file" ""
+	write_line "$tmp_file" "account		requisite		pam_deny.so"
+	write_line "$tmp_file" "account		required		pam_permit.so"
+
+	compare_and_replace "$tmp_file" "$pam_file"
+}
+
+handle_security_policy() {
+	local auth_enabled enabled
+
+	# Read UCI values
+	auth_enabled="$(uci -q get users.users.auth_policy_enable || echo 0)"
+	enabled="$(uci -q get users.authentication_policy.enabled || echo 0)"
+
+	# if any .so files are missing, then we cannot setup security
+	if ! check_required_modules; then
+		return
+	fi
+
+	update_auth "${auth_enabled}" "${enabled}"
+	update_account "${auth_enabled}" "${enabled}"
+	update_password "${auth_enabled}"
+}
+
 start_service() {
 	local loglevel
 
 	loglevel="$(uci -q get users.users.loglevel)"
 
+	handle_security_policy
+
 	procd_open_instance usermngr
 	procd_set_param command $PROG
 
@@ -28,6 +206,7 @@ reload_service() {
 		stop
 		start
 	else
+		handle_security_policy
 		ubus send usermngr.reload
 	fi
 

usermngr/files/etc/uci-defaults/91-disabled-security

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Remove auth_policy_enable from global
+if uci -q get users.users; then
+	uci -q set users.users.auth_policy_enable=''
+else
+	uci -q set users.users='users'
+fi
+
+# Remove authentication_policy section
+uci -q del users.authentication_policy
+
+# Remove passwdqc section
+uci -q del users.passwdqc
+
+exit 0

usermngr/files/etc/uci-defaults/91-security-hardening

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Create global section
+if ! uci -q get users.users; then
+	uci -q set users.users='users'
+fi
+
+uci -q set users.users.auth_policy_enable='1'
+
+# Create default authentication_policy section if missing
+if ! uci -q get users.authentication_policy; then
+	uci -q set users.authentication_policy='authentication_policy'
+	uci -q set users.authentication_policy.enabled='1'
+	uci -q set users.authentication_policy.fail_delay='3'
+	uci -q set users.authentication_policy.faillock_attempts='6'
+	uci -q set users.authentication_policy.faillock_lockout_time='300'
+fi
+
+# Create default passwdqc section if missing
+if ! uci -q get users.passwdqc; then
+	uci -q set users.passwdqc='passwdqc'
+	uci -q set users.passwdqc.enabled='1'
+	uci -q set users.passwdqc.min='disabled,disabled,disabled,8,8'
+	uci -q set users.passwdqc.max='20'
+	uci -q set users.passwdqc.passphrase='0'
+	uci -q set users.passwdqc.retry='3'
+	uci -q set users.passwdqc.enforce='everyone'
+fi
+
+exit 0

usermngr/files/etc/uci-defaults/91-set-ssh-pam

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -f /etc/config/sshd ]; then
+	uci -q set sshd.@sshd[0].UsePAM=1
+fi
+
+exit 0

usermngr/files/etc/uci-defaults/91-unset-ssh-pam

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -f /etc/config/sshd ]; then
+	uci -q set sshd.@sshd[0].UsePAM=0
+fi
+
+exit 0
+

wifidmd/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifidmd
-PKG_VERSION:=1.1.33.2
+PKG_VERSION:=1.1.33.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/wifidmd.git
-PKG_SOURCE_VERSION:=900fdca6e18dce382c99fbfcbca81b7e90cc5598
+PKG_SOURCE_VERSION:=9fe191bb4b8c442668ad98c9b2119274f513ea5d
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

wifimngr/Config.in

@@ -4,7 +4,7 @@ menu "Configurations"
 
 config WIFIMNGR_CACHE_SCANRESULTS
 	bool "Cache scan results"
-	default y
+	default n
 
 endmenu
 endif

wifimngr/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifimngr
-PKG_VERSION:=17.7.6
+PKG_VERSION:=17.7.8
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=e16058225dc5e9fb819029fff48cb3a5cc658a98
+PKG_SOURCE_VERSION:=f0c953cfbfbde7fc0a2b37378de3417412418791
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/wifimngr.git
 PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@genexis.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz