sysmngr: run reset_reason if present

(cherry picked from commit 5b5a9bb231)

Co-authored-by: Vivek Kumar Dutta <vivek.dutta@iopsys.eu>

bbfdm/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.18.10
+PKG_VERSION:=1.18.12
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=1a86b8a4432a2c3a9d41a9b18ccfc830bd0083cb
+PKG_SOURCE_VERSION:=adfdb54d625b952c533670f093dae008782ff56a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

decollector/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=decollector
-PKG_VERSION:=6.2.2.4
+PKG_VERSION:=6.2.3.2
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=b632ef13fed94c683d65dedcbc91afdee9ee980f
+PKG_SOURCE_VERSION:=2f618a85b4d9dab443319ee355355c526f6429c9
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

dectmngr/Makefile

@@ -2,13 +2,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dectmngr
 PKG_RELEASE:=3
-PKG_VERSION:=3.7.11
+PKG_VERSION:=3.7.12
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/dectmngr.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=815ee44808169b8e1efa2cac44bd7d238ad33cdc
+PKG_SOURCE_VERSION:=a62611a36fa85f9fba1b8ec946397dc725c57630
 PKG_MIRROR_HASH:=skip
 endif
 

dhcpmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dhcpmngr
-PKG_VERSION:=1.0.6
+PKG_VERSION:=1.1.2
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dhcpmngr.git
-PKG_SOURCE_VERSION:=986f66608959f4f589009d580b046e250d8c620d
+PKG_SOURCE_VERSION:=5787de10680719d0c4b72e1ffcfffa895d4c0571
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

dnsmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmngr
-PKG_VERSION:=1.0.18
+PKG_VERSION:=1.0.19
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/dnsmngr.git
-PKG_SOURCE_VERSION:=80fa147e6f1f0d9c1a62a62a693ff3adaef45363
+PKG_SOURCE_VERSION:=205938aa1f686d5b43460e4a17f3900ed82bd29f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

firewallmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewallmngr
-PKG_VERSION:=1.0.10
+PKG_VERSION:=1.0.12
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
-PKG_SOURCE_VERSION:=05ad0d6f7f21520eecd05429c14d1963de2a8463
+PKG_SOURCE_VERSION:=30319c67fb4db285a2bcd272b1c10bc040eecf19
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

gateway-info/files/etc/uci-defaults/86-set-gateway-device-info

@@ -110,7 +110,7 @@ configure_send_op125() {
 
 
 	if [ "${uci}" = "network" ]; then
-		new_send_opt="$sendopt $opt125"
+		[ -n "${sendopt}" ] && new_send_opt="$sendopt $opt125" || new_send_opt="$opt125"
 		uci -q set network."${intf}".sendopts="$new_send_opt"
 	else
 		new_send_opt="$sendopt$opt125"
@@ -228,7 +228,7 @@ enable_dhcp_option125() {
 
 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${wan}".reqopts="$newreqopts"
 		fi
 

hostmngr/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostmngr
-PKG_VERSION:=1.4.0
+PKG_VERSION:=1.4.2
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=230d55ae6769e1ebde02cef3f718e6c4cf1b1962
+PKG_SOURCE_VERSION:=ac50f621e19f74b7af4e4b8c1e810503507cc3dd
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/hostmngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

icwmp/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.10.5
+PKG_VERSION:=9.10.10
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=7f4a159f6ff49584655e57bb801218eb083fba67
+PKG_SOURCE_VERSION:=63251b6c9789b1428604af0a5c1d23d32d14a8b8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -84,6 +84,7 @@ define Package/icwmp/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/icwmpd $(1)/usr/sbin/icwmpd
 	$(INSTALL_DATA) ./files/etc/config/cwmp $(1)/etc/config/cwmp
 	$(INSTALL_BIN) ./files/etc/init.d/icwmpd $(1)/etc/init.d/icwmpd
+	$(INSTALL_BIN) ./files/etc/uci-defaults/50-cwmp-align-keep-config $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/85-cwmp-set-userid $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/90-cwmpfirewall $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/95-set-random-inform-time $(1)/etc/uci-defaults/

icwmp/files/etc/config/cwmp

@@ -42,7 +42,9 @@ config cpe 'cpe'
 	option periodic_notify_interval '10'
 	option incoming_rule 'Port_Only'
 	option active_notif_throttle '0'
-	option fw_upgrade_keep_settings '1'
+	#option KeepConfig '1'
+	#option KeepOpConf '1'
+	#option ConfigScope 'UserOnly'
 	option clock_sync_timeout '128'
 	option disable_datatype_check '0'
 	#list allowed_cr_ip '10.5.1.0/24'

icwmp/files/etc/init.d/icwmpd

@@ -97,7 +97,9 @@ validate_cpe_section()
 		'periodic_notify_enable:bool' \
 		'enable:bool:1' \
 		'periodic_notify_interval:uinteger' \
-		'fw_upgrade_keep_settings:bool'
+		'KeepConfig:bool' \
+		'KeepOpConf:bool' \
+		'ConfigScope:string'
 }
 
 validate_defaults() {
@@ -168,13 +170,21 @@ start_service() {
 
 stop_service()
 {
-	local switch_bank
+	local switch_bank KeepConfig KeepOpConf ConfigScope
 
 	copy_cwmp_varstate_files_to_etc
-	
 	switch_bank=$(uci -q -c /var/state/ get icwmp.cpe.switch_bank)
-	if [ -n "$switch_bank" ] && [ "$switch_bank" = "1" ]; then
-		[ -x /etc/sysmngr/fwbank ] && /etc/sysmngr/fwbank call copy_config
+	if [ "$switch_bank" = "1" ] && [ -x /etc/sysmngr/fwbank ]; then
+		KeepConfig="$(uci -q get cwmp.cpe.KeepConfig)"
+		KeepOpConf="$(uci -q get cwmp.cpe.KeepOpConf)"
+		ConfigScope="$(uci -q get cwmp.cpe.ConfigScope)"
+
+		json_init
+		[ -n "${KeepConfig}" ] && json_add_boolean "keep_config" "${KeepConfig}"
+		[ -n "${KeepOpConf}" ] && json_add_boolean "keep_opconf" "${KeepOpConf}"
+		[ -n "${ConfigScope}" ] && json_add_string "config_scope" "${ConfigScope}"
+
+		json_dump| /etc/sysmngr/fwbank call copy_config
 	fi
 }
 

icwmp/files/etc/uci-defaults/50-cwmp-align-keep-config

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+keep_settings="$(uci -q get cwmp.cpe.fw_upgrade_keep_settings)"
+if [ -n "${keep_settings}" ]; then
+	uci -q delete cwmp.cpe.fw_upgrade_keep_settings
+	uci -q set cwmp.cpe.KeepConfig="${keep_settings}"
+fi

ieee1905/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ieee1905
-PKG_VERSION:=8.7.38
+PKG_VERSION:=8.7.41
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=c685111f87aaca4dc17cc03b0d34e20b47c83a03
+PKG_SOURCE_VERSION:=9a61dcdd89be917a5a34caef8170074f117a53b2
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

iopsys-analytics/Makefile

@@ -34,6 +34,9 @@ define Package/$(PKG_NAME)
     +@PACKAGE_syslog-ng:SYSLOGNG_LOGROTATE              \
     +PACKAGE_fluent-bit:logrotate                       \
     +@DMCLI_REMOTE_CONNECTION
+  # tools used in development/testing
+  DEPENDS+=                                             \
+    +iperf3
 
 endef
 

libeasy/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libeasy
-PKG_VERSION:=7.5.0
+PKG_VERSION:=7.5.1
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=18f93677bb4d33ebb6249324a5043294f0eae16c
+PKG_SOURCE_VERSION:=b981f7e1bd51f66041cd0c25d15af74ae1e3bc75
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libeasy.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

libvoice-airoha/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvoice-airoha
 PKG_RELEASE:=1
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.8
 PKG_LICENSE:=PROPRIETARY
 PKG_LICENSE_FILES:=LICENSE
 
@@ -17,7 +17,7 @@ LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=3a30086a68a3409f0396acb01380f91daabf7a2f
+PKG_SOURCE_VERSION:=9763c574ec69e2aa492db4f1296d4bcd53776fba
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha

@@ -25,6 +25,5 @@ db commit
 # configure the PCM for DECT/DCX81
 [ -f "/proc/device-tree/aliases/dcx81-uart" ] && {
     uci set dect.global.pcm_fsync='SHORT_LF'
-    uci set dect.global.pcm_slot_start='8'
     uci set dect.global.dect_channel_start='3'
 }

libwifi/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.22.4
+PKG_VERSION:=7.22.9
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=fadbe86a2ea05037ee9df6040b74bec683a6ca66
+PKG_SOURCE_VERSION:=8e6dfd1f0d0d6b5a39dbb10a5820f3b80120564b
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libwifi.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

logmngr/files/etc/init.d/logmngr

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 
-START=12
+START=09
 
 USE_PROCD=1
 

map-agent/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.4.3.5
+PKG_VERSION:=6.4.3.11
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=eeea7b39112717639046ac347e30ed0991ca490f
+PKG_SOURCE_VERSION:=9c74ba03e3f543961afe54bb08668f87f4ae169f
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause

map-agent/files/etc/init.d/mapagent

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 
-START=98
+START=97
 STOP=20
 
 USE_PROCD=1

map-controller/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.4.4.4
+PKG_VERSION:=6.4.4.11
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=3d10c21efbb0b0da7206435a1ecfeed107d55e83
+PKG_SOURCE_VERSION:=7e0d6921fad51c446777acf93ddb9bad87eccf76
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>
 
 LOCAL_DEV=0

map-controller/files/etc/config/mapcontroller

@@ -13,7 +13,7 @@ config controller 'controller'
 
 config sta_steering 'sta_steering'
 	option enable_sta_steer '1'
-	option enable_bsta_steer '0'
+	option enable_bsta_steer '1'
 	option rcpi_threshold_2g '70'
 	option rcpi_threshold_5g '86'
 	option rcpi_threshold_6g '86'

map-plugins/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-plugins
-PKG_VERSION:=1.2.2
+PKG_VERSION:=1.2.7
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=03524191711a50a07b9c26f3be2c16b845140e49
+PKG_SOURCE_VERSION:=dd873ca4e2cb321302dae1955da24d1be271b2b1
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-plugins.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -71,5 +71,11 @@ define Build/Compile
 	$(foreach p,$(plugins),$(call Build/Compile/map-plugins-$(p), $(1)))
 endef
 
+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+        rsync -r --exclude=.* ~/git/map-plugins/ $(PKG_BUILD_DIR)/
+endef
+endif
+
 $(eval $(call BuildPackage,map-plugins))
 $(eval $(foreach p,$(ppkg),$(call BuildPackage,$(p))))

mosquitto-auth-plugin/Config.in

@@ -1,4 +1,4 @@
-if PACKAGE_mosquitto-auth-shadow
+if PACKAGE_mosquitto-auth-plugin
 
 config MOSQUITTO_AUTH_PAM_SUPPORT
 	bool "Enable support of Linux PAM module for Authentication"

mosquitto-auth-plugin/Makefile

@@ -13,8 +13,8 @@
 
 include $(TOPDIR)/rules.mk
 
-PKG_NAME:=mosquitto-auth-shadow
-PKG_VERSION:=1.1.0
+PKG_NAME:=mosquitto-auth-plugin
+PKG_VERSION:=1.2.0
 
 PKG_MAINTAINER:=Erik Karlsson <erik.karlsson@genexis.eu>
 PKG_LICENSE:=EPL-2.0
@@ -24,7 +24,7 @@ PKG_CONFIG_DEPENDS:=CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/mosquitto-auth-shadow
+define Package/mosquitto-auth-plugin
   SECTION:=net
   CATEGORY:=Network
   TITLE:=mosquitto - /etc/shadow authentication plugin
@@ -32,12 +32,12 @@ define Package/mosquitto-auth-shadow
   USERID:=mosquitto=200:mosquitto=200 mosquitto=200:shadow=11
 endef
 
-define Package/mosquitto-auth-shadow/description
+define Package/mosquitto-auth-plugin/description
   Plugin for the mosquitto MQTT message broker that authenticates
   users using /etc/shadow
 endef
 
-define Package/mosquitto-auth-shadow/config
+define Package/mosquitto-auth-plugin/config
 	source "$(SOURCE)/Config.in"
 endef
 
@@ -45,10 +45,10 @@ ifeq ($(CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT),y)
 TARGET_CFLAGS+=-DENABLE_PAM_SUPPORT
 endif
 
-define Package/mosquitto-auth-shadow/install
+define Package/mosquitto-auth-plugin/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_shadow.so $(1)/usr/lib/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_plugin.so $(1)/usr/lib/
 	$(CP) ./files/* $(1)/
 endef
 
-$(eval $(call BuildPackage,mosquitto-auth-shadow))
+$(eval $(call BuildPackage,mosquitto-auth-plugin))

mosquitto-auth-plugin/src/Makefile

@@ -11,14 +11,14 @@
 #   Erik Karlsson - initial implementation
 #
 
-TARGETS = mosquitto_auth_shadow.so
+TARGETS = mosquitto_auth_plugin.so
 
 all: $(TARGETS)
 
 %.pic.o: %.c
 	$(CC) $(CFLAGS) -Wall -Werror -fPIC -c -o $@ $<
 
-mosquitto_auth_shadow.so: mosquitto_auth_shadow.pic.o
+mosquitto_auth_plugin.so: mosquitto_auth_plugin.pic.o
 	$(CC) $(LDFLAGS) -shared -o $@ $^ $(if $(filter -DENABLE_PAM_SUPPORT,$(CFLAGS)),-lpam)
 
 clean:

mosquitto-auth-plugin/src/mosquitto_auth_plugin.c

@@ -0,0 +1,616 @@
+/*
+ * Copyright (c) 2022 Genexis B.V.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Erik Karlsson - initial implementation
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <shadow.h>
+#include <crypt.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <mosquitto.h>
+#include <mosquitto_broker.h>
+#include <mosquitto_plugin.h>
+
+#ifdef ENABLE_PAM_SUPPORT
+#include <security/pam_appl.h>
+#endif
+
+#define MAX_USERS 256
+#define MAX_SUBNETS_PER_USER 32
+
+typedef struct {
+	union {
+		uint32_t ipv4_network;
+		uint8_t ipv6_network[16];
+	};
+	union {
+		uint32_t ipv4_netmask;
+		uint8_t ipv6_netmask[16];
+	};
+	int is_ipv6;
+} subnet_t;
+
+typedef struct {
+	char username[64];
+	subnet_t allow_subnets[MAX_SUBNETS_PER_USER];
+	int allow_count;
+	subnet_t deny_subnets[MAX_SUBNETS_PER_USER];
+	int deny_count;
+} user_acl_t;
+
+typedef struct {
+	user_acl_t users[MAX_USERS];
+	int user_count;
+	mosquitto_plugin_id_t *identifier;
+} plugin_data_t;
+
+/* Parse CIDR notation for IPv4 or IPv6 (e.g., "192.168.1.0/24" or "2001:db8::/32") */
+static int parse_subnet(const char *cidr, subnet_t *subnet)
+{
+	char ip_str[128];
+	char *slash;
+	int prefix_len;
+	struct in_addr addr4;
+	struct in6_addr addr6;
+
+	strncpy(ip_str, cidr, sizeof(ip_str) - 1);
+	ip_str[sizeof(ip_str) - 1] = '\0';
+
+	slash = strchr(ip_str, '/');
+	if (slash != NULL) {
+		*slash = '\0';
+		prefix_len = atoi(slash + 1);
+	}
+
+	/* Try IPv4 first */
+	if (inet_pton(AF_INET, ip_str, &addr4) == 1) {
+		subnet->is_ipv6 = 0;
+		if (slash == NULL)
+			prefix_len = 32;
+		if (prefix_len < 0 || prefix_len > 32)
+			return -1;
+
+		subnet->ipv4_network = ntohl(addr4.s_addr);
+		subnet->ipv4_netmask = prefix_len == 0 ? 0 : (~0U << (32 - prefix_len));
+		subnet->ipv4_network &= subnet->ipv4_netmask;
+		return 0;
+	}
+
+	/* Try IPv6 */
+	if (inet_pton(AF_INET6, ip_str, &addr6) == 1) {
+		subnet->is_ipv6 = 1;
+		if (slash == NULL)
+			prefix_len = 128;
+		if (prefix_len < 0 || prefix_len > 128)
+			return -1;
+
+		/* Copy network address */
+		memcpy(subnet->ipv6_network, addr6.s6_addr, 16);
+
+		/* Generate netmask */
+		memset(subnet->ipv6_netmask, 0, 16);
+		for (int i = 0; i < prefix_len / 8; i++)
+			subnet->ipv6_netmask[i] = 0xff;
+		if (prefix_len % 8)
+			subnet->ipv6_netmask[prefix_len / 8] = ~((1 << (8 - (prefix_len % 8))) - 1);
+
+		/* Apply netmask to network address */
+		for (int i = 0; i < 16; i++)
+			subnet->ipv6_network[i] &= subnet->ipv6_netmask[i];
+
+		return 0;
+	}
+
+	return -1;
+}
+
+/* Check if IPv4 address is in subnet */
+static int ipv4_in_subnet(uint32_t ip, const subnet_t *subnet)
+{
+	if (subnet->is_ipv6)
+		return 0;
+	return (ip & subnet->ipv4_netmask) == subnet->ipv4_network;
+}
+
+/* Check if IPv6 address is in subnet */
+static int ipv6_in_subnet(const uint8_t *ip, const subnet_t *subnet)
+{
+	if (!subnet->is_ipv6)
+		return 0;
+	for (int i = 0; i < 16; i++) {
+		if ((ip[i] & subnet->ipv6_netmask[i]) != subnet->ipv6_network[i])
+			return 0;
+	}
+	return 1;
+}
+
+/* Check if IP is in any subnet in the list */
+static int ip_in_subnet_list(const char *client_address, const subnet_t *subnets, int count)
+{
+	struct in_addr addr4;
+	struct in6_addr addr6;
+	uint32_t ipv4;
+
+	/* Try IPv4 */
+	if (inet_pton(AF_INET, client_address, &addr4) == 1) {
+		ipv4 = ntohl(addr4.s_addr);
+		for (int i = 0; i < count; i++) {
+			if (ipv4_in_subnet(ipv4, &subnets[i]))
+				return 1;
+		}
+		return 0;
+	}
+
+	/* Try IPv6 */
+	if (inet_pton(AF_INET6, client_address, &addr6) == 1) {
+		for (int i = 0; i < count; i++) {
+			if (ipv6_in_subnet(addr6.s6_addr, &subnets[i]))
+				return 1;
+		}
+		return 0;
+	}
+
+	return 0;
+}
+
+/* Find or create user ACL entry */
+static user_acl_t* find_or_create_user_acl(plugin_data_t *pdata, const char *username)
+{
+	user_acl_t *user;
+
+	/* Find existing user */
+	for (int i = 0; i < pdata->user_count; i++) {
+		if (strcmp(pdata->users[i].username, username) == 0)
+			return &pdata->users[i];
+	}
+
+	/* Create new user if not found */
+	if (pdata->user_count >= MAX_USERS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Max users exceeded");
+		return NULL;
+	}
+
+	user = &pdata->users[pdata->user_count];
+	strncpy(user->username, username, sizeof(user->username) - 1);
+	user->username[sizeof(user->username) - 1] = '\0';
+	user->allow_count = 0;
+	user->deny_count = 0;
+	pdata->user_count++;
+
+	return user;
+}
+
+/* Parse subnet ACL file with simplified format
+ * Format:
+ * # Comment lines
+ * subnet allow <username> <cidr>
+ * subnet deny <username> <cidr>
+ */
+static int load_subnet_acl_config(plugin_data_t *pdata, const char *config_file)
+{
+	FILE *fp;
+	char line[512];
+	int line_num = 0;
+
+	/* Initialize user count */
+	pdata->user_count = 0;
+
+	/* Config file is optional - if not provided, no subnet filtering */
+	if (config_file == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_INFO,
+			"subnet_acl: No subnet ACL file specified, subnet filtering disabled");
+		return 0;
+	}
+
+	/* If config file is specified but cannot be opened, this is a fatal error */
+	fp = fopen(config_file, "r");
+	if (fp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to open subnet ACL file '%s'", config_file);
+		return -1;
+	}
+
+	while (fgets(line, sizeof(line), fp) != NULL) {
+		char *token, *saveptr;
+		char *action, *username, *cidr;
+		user_acl_t *user;
+		subnet_t subnet;
+
+		line_num++;
+
+		/* Remove newline and comments */
+		line[strcspn(line, "\r\n")] = '\0';
+		char *comment = strchr(line, '#');
+		if (comment)
+			*comment = '\0';
+
+		/* Trim leading whitespace */
+		char *line_start = line;
+		while (*line_start == ' ' || *line_start == '\t')
+			line_start++;
+
+		/* Skip empty lines */
+		if (*line_start == '\0')
+			continue;
+
+		/* Parse: subnet allow|deny <username> <cidr> */
+		token = strtok_r(line_start, " \t", &saveptr);
+		if (token == NULL)
+			continue;
+
+		/* Must start with "subnet" */
+		if (strcmp(token, "subnet") != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid directive '%s' at line %d (expected 'subnet')",
+				token, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get allow/deny */
+		action = strtok_r(NULL, " \t", &saveptr);
+		if (action == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing allow/deny at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		if (strcmp(action, "allow") != 0 && strcmp(action, "deny") != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid action '%s' at line %d (use 'allow' or 'deny')",
+				action, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get username */
+		username = strtok_r(NULL, " \t", &saveptr);
+		if (username == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing username at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Get CIDR */
+		cidr = strtok_r(NULL, " \t", &saveptr);
+		if (cidr == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Missing CIDR at line %d", line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Parse subnet */
+		if (parse_subnet(cidr, &subnet) != 0) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Invalid CIDR '%s' at line %d", cidr, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Find or create user */
+		user = find_or_create_user_acl(pdata, username);
+		if (user == NULL) {
+			mosquitto_log_printf(MOSQ_LOG_ERR,
+				"subnet_acl: Max users (%d) exceeded at line %d", MAX_USERS, line_num);
+			fclose(fp);
+			return -1;
+		}
+
+		/* Add to appropriate list */
+		if (strcmp(action, "allow") == 0) {
+			if (user->allow_count >= MAX_SUBNETS_PER_USER) {
+				mosquitto_log_printf(MOSQ_LOG_ERR,
+					"subnet_acl: Max allow subnets (%d) exceeded for user '%s' at line %d",
+					MAX_SUBNETS_PER_USER, user->username, line_num);
+				fclose(fp);
+				return -1;
+			}
+			user->allow_subnets[user->allow_count] = subnet;
+			user->allow_count++;
+
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' allow subnet %s",
+				user->username, cidr);
+
+		} else { /* deny */
+			if (user->deny_count >= MAX_SUBNETS_PER_USER) {
+				mosquitto_log_printf(MOSQ_LOG_ERR,
+					"subnet_acl: Max deny subnets (%d) exceeded for user '%s' at line %d",
+					MAX_SUBNETS_PER_USER, user->username, line_num);
+				fclose(fp);
+				return -1;
+			}
+			user->deny_subnets[user->deny_count] = subnet;
+			user->deny_count++;
+
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' deny subnet %s",
+				user->username, cidr);
+		}
+	}
+
+	fclose(fp);
+
+	/* Log summary */
+	for (int i = 0; i < pdata->user_count; i++) {
+		user_acl_t *user = &pdata->users[i];
+		if (user->allow_count > 0 || user->deny_count > 0) {
+			mosquitto_log_printf(MOSQ_LOG_INFO,
+				"subnet_acl: User '%s' has %d allow and %d deny subnet rules",
+				user->username, user->allow_count, user->deny_count);
+		}
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE,
+		"subnet_acl: Loaded subnet restrictions for %d user(s)", pdata->user_count);
+
+	return 0;
+}
+
+/* Find user ACL entry */
+static const user_acl_t* find_user_acl(const plugin_data_t *pdata, const char *username)
+{
+	for (int i = 0; i < pdata->user_count; i++) {
+		if (strcmp(pdata->users[i].username, username) == 0)
+			return &pdata->users[i];
+	}
+	return NULL;
+}
+
+/* Check subnet access on authentication (connection time)
+ * Returns: MOSQ_ERR_SUCCESS if allowed, MOSQ_ERR_AUTH if denied
+ */
+static int check_subnet_on_auth(plugin_data_t *pdata, struct mosquitto_evt_basic_auth *ed)
+{
+	const user_acl_t *user_acl;
+	const char *client_address;
+
+	/* Skip if no subnet config loaded */
+	if (pdata == NULL || pdata->user_count == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	/* Skip anonymous users */
+	if (ed->username == NULL)
+		return MOSQ_ERR_SUCCESS;
+
+	/* Find user's subnet ACL */
+	user_acl = find_user_acl(pdata, ed->username);
+
+	/* If user not in config or has no subnet rules, allow */
+	if (user_acl == NULL || (user_acl->allow_count == 0 && user_acl->deny_count == 0))
+		return MOSQ_ERR_SUCCESS;
+
+	/* Get client IP address */
+	client_address = mosquitto_client_address(ed->client);
+	if (client_address == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_WARNING,
+			"subnet_acl: Could not get client address for user '%s', denying connection",
+			ed->username);
+		return MOSQ_ERR_AUTH;
+	}
+
+	/* Check deny list first - deny takes precedence */
+	if (user_acl->deny_count > 0) {
+		if (ip_in_subnet_list(client_address, user_acl->deny_subnets, user_acl->deny_count)) {
+			mosquitto_log_printf(MOSQ_LOG_NOTICE,
+				"subnet_acl: User '%s' from %s DENIED by deny rule",
+				ed->username, client_address);
+			return MOSQ_ERR_AUTH;
+		}
+	}
+
+	/* If there are allow rules, IP must match one of them */
+	if (user_acl->allow_count > 0) {
+		if (ip_in_subnet_list(client_address, user_acl->allow_subnets, user_acl->allow_count)) {
+			mosquitto_log_printf(MOSQ_LOG_DEBUG,
+				"subnet_acl: User '%s' from %s allowed by allow rule",
+				ed->username, client_address);
+			return MOSQ_ERR_SUCCESS;
+		} else {
+			mosquitto_log_printf(MOSQ_LOG_NOTICE,
+				"subnet_acl: User '%s' from %s DENIED (not in allowed subnets)",
+				ed->username, client_address);
+			return MOSQ_ERR_AUTH;
+		}
+	}
+
+	/* No subnet rules for this user - allow */
+	return MOSQ_ERR_SUCCESS;
+}
+
+#ifdef ENABLE_PAM_SUPPORT
+static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+	int i;
+	const char *pass = (const char *)appdata_ptr;
+
+	*resp = calloc(num_msg, sizeof(struct pam_response));
+	if (*resp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
+		return PAM_BUF_ERR;
+	}
+
+	if (pass == NULL)
+		return PAM_SUCCESS;
+
+	for (i = 0; i < num_msg; ++i) {
+		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+			(*resp)[i].resp = strdup(pass);
+			if ((*resp)[i].resp == NULL) {
+				for (int j = 0; j < i ; j++)
+					free((*resp)[j].resp);
+
+				free(*resp);
+				*resp = NULL;
+				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
+				return PAM_BUF_ERR;
+			}
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct pam_conv conv;
+	int retval;
+	pam_handle_t *pamh = NULL;
+
+	conv.conv = pam_conversation;
+	conv.appdata_ptr = (void *)ed->password;
+
+	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
+	if (retval != PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
+		return MOSQ_ERR_AUTH;
+	}
+
+	retval = pam_authenticate(pamh, 0);
+	pam_end(pamh, retval);
+	if (retval == PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
+		return MOSQ_ERR_SUCCESS;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
+	return MOSQ_ERR_AUTH;
+}
+#else
+static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct spwd spbuf, *sp = NULL;
+	char buf[256];
+	struct crypt_data data;
+	char *hash;
+
+	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
+
+	if (sp == NULL || sp->sp_pwdp == NULL)
+		return MOSQ_ERR_AUTH;
+
+	/* Empty string as hash means password is not required */
+	if (sp->sp_pwdp[0] == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	if (ed->password == NULL)
+		return MOSQ_ERR_AUTH;
+
+	memset(&data, 0, sizeof(data));
+	hash = crypt_r(ed->password, sp->sp_pwdp, &data);
+
+	if (hash == NULL)
+		return MOSQ_ERR_AUTH;
+
+	if (strcmp(hash, sp->sp_pwdp) == 0)
+		return MOSQ_ERR_SUCCESS;
+
+	return MOSQ_ERR_AUTH;
+}
+#endif
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+	struct mosquitto_evt_basic_auth *ed = event_data;
+	plugin_data_t *pdata = userdata;
+	int auth_result;
+
+	/* Let other plugins or broker decide about anonymous login */
+	if (ed->username == NULL)
+		return MOSQ_ERR_PLUGIN_DEFER;
+
+	/* First check username/password authentication */
+#ifdef ENABLE_PAM_SUPPORT
+	auth_result = process_pam_auth_callback(ed);
+#else
+	auth_result = process_shadow_auth_callback(ed);
+#endif
+
+	/* If authentication failed, reject immediately */
+	if (auth_result != MOSQ_ERR_SUCCESS)
+		return auth_result;
+
+	/* Authentication succeeded, now check subnet restrictions */
+	return check_subnet_on_auth(pdata, ed);
+}
+
+int mosquitto_plugin_version(int supported_version_count,
+			     const int *supported_versions)
+{
+	return 5;
+}
+
+int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
+			  void **user_data,
+			  struct mosquitto_opt *opts, int opt_count)
+{
+	plugin_data_t *pdata;
+	const char *config_file = NULL;
+	int rc;
+
+	/* Find subnet config file option */
+	for (int i = 0; i < opt_count; i++) {
+		if (strcmp(opts[i].key, "subnet_acl_file") == 0) {
+			config_file = opts[i].value;
+			break;
+		}
+	}
+
+	pdata = calloc(1, sizeof(plugin_data_t));
+	if (pdata == NULL)
+		return MOSQ_ERR_NOMEM;
+
+	pdata->identifier = identifier;
+
+	/* Load subnet ACL configuration */
+	if (load_subnet_acl_config(pdata, config_file) != 0) {
+		free(pdata);
+		return MOSQ_ERR_UNKNOWN;
+	}
+
+	/* Register authentication callback only - subnet check is done during auth */
+	rc = mosquitto_callback_register(identifier, MOSQ_EVT_BASIC_AUTH,
+	                                 basic_auth_callback, NULL, pdata);
+	if (rc != MOSQ_ERR_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR,
+			"subnet_acl: Failed to register authentication callback");
+		free(pdata);
+		return rc;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_INFO,
+		"subnet_acl: Plugin initialized with %d user(s)", pdata->user_count);
+
+	/* Only assign user_data after all possible error paths */
+	*user_data = pdata;
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+int mosquitto_plugin_cleanup(void *user_data,
+			     struct mosquitto_opt *opts, int opt_count)
+{
+	plugin_data_t *pdata = user_data;
+
+	if (pdata) {
+		mosquitto_callback_unregister(pdata->identifier, MOSQ_EVT_BASIC_AUTH,
+		                              basic_auth_callback, NULL);
+		free(pdata);
+	}
+
+	return MOSQ_ERR_SUCCESS;
+}

mosquitto-auth-shadow/src/mosquitto_auth_shadow.c

@@ -1,153 +0,0 @@
-/*
- * Copyright (c) 2022 Genexis B.V.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License 2.0 which is available at
- * https://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- *   Erik Karlsson - initial implementation
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <shadow.h>
-#include <crypt.h>
-#include <stdlib.h>
-#include <mosquitto.h>
-#include <mosquitto_broker.h>
-#include <mosquitto_plugin.h>
-
-#ifdef ENABLE_PAM_SUPPORT
-#include <security/pam_appl.h>
-
-static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
-{
-	int i;
-	const char *pass = (const char *)appdata_ptr;
-
-	*resp = calloc(num_msg, sizeof(struct pam_response));
-	if (*resp == NULL) {
-		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
-		return PAM_BUF_ERR;
-	}
-
-	if (pass == NULL)
-		return PAM_SUCCESS;
-
-	for (i = 0; i < num_msg; ++i) {
-		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
-			(*resp)[i].resp = strdup(pass);
-			if ((*resp)[i].resp == NULL) {
-				for (int j = 0; j < i ; j++)
-					free((*resp)[j].resp);
-
-				free(*resp);
-				*resp = NULL;
-				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
-				return PAM_BUF_ERR;
-			}
-		}
-	}
-	return PAM_SUCCESS;
-}
-
-static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
-{
-	struct pam_conv conv;
-	int retval;
-	pam_handle_t *pamh = NULL;
-
-	conv.conv = pam_conversation;
-	conv.appdata_ptr = (void *)ed->password;
-
-	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
-	if (retval != PAM_SUCCESS) {
-		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
-		return MOSQ_ERR_AUTH;
-	}
-
-	retval = pam_authenticate(pamh, 0);
-	pam_end(pamh, retval);
-	if (retval == PAM_SUCCESS) {
-		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
-		return MOSQ_ERR_SUCCESS;
-	}
-
-	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
-	return MOSQ_ERR_AUTH;
-}
-#else
-static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
-{
-	struct spwd spbuf, *sp = NULL;
-	char buf[256];
-	struct crypt_data data;
-	char *hash;
-
-	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
-
-	if (sp == NULL || sp->sp_pwdp == NULL)
-		return MOSQ_ERR_AUTH;
-
-	/* Empty string as hash means password is not required */
-	if (sp->sp_pwdp[0] == 0)
-		return MOSQ_ERR_SUCCESS;
-
-	if (ed->password == NULL)
-		return MOSQ_ERR_AUTH;
-
-	memset(&data, 0, sizeof(data));
-	hash = crypt_r(ed->password, sp->sp_pwdp, &data);
-
-	if (hash == NULL)
-		return MOSQ_ERR_AUTH;
-
-	if (strcmp(hash, sp->sp_pwdp) == 0)
-		return MOSQ_ERR_SUCCESS;
-
-	return MOSQ_ERR_AUTH;
-}
-#endif
-
-static int basic_auth_callback(int event, void *event_data, void *userdata)
-{
-	struct mosquitto_evt_basic_auth *ed = event_data;
-
-	/* Let other plugins or broker decide about anonymous login */
-	if (ed->username == NULL)
-		return MOSQ_ERR_PLUGIN_DEFER;
-
-#ifdef ENABLE_PAM_SUPPORT
-	return process_pam_auth_callback(ed);
-#else
-	return process_shadow_auth_callback(ed);
-#endif
-}
-
-int mosquitto_plugin_version(int supported_version_count,
-			     const int *supported_versions)
-{
-	return 5;
-}
-
-int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier,
-			  void **user_data,
-			  struct mosquitto_opt *opts, int opt_count)
-{
-	*user_data = identifier;
-
-	return mosquitto_callback_register(identifier, MOSQ_EVT_BASIC_AUTH,
-					   basic_auth_callback, NULL, NULL);
-}
-
-int mosquitto_plugin_cleanup(void *user_data,
-			     struct mosquitto_opt *opts, int opt_count)
-{
-	mosquitto_plugin_id_t *identifier = user_data;
-
-	return mosquitto_callback_unregister(identifier, MOSQ_EVT_BASIC_AUTH,
-					     basic_auth_callback, NULL);
-}

netmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmngr
-PKG_VERSION:=1.2.0
+PKG_VERSION:=1.2.1
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/netmngr.git
-PKG_SOURCE_VERSION:=ff08a8cc5c860056a022e5376a973dee5a323595
+PKG_SOURCE_VERSION:=1ece805d04b1d7843f57cae83f904268579ab4e6
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

netmode/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmode
-PKG_VERSION:=1.1.7
+PKG_VERSION:=1.1.8
 PKG_RELEASE:=1
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0-only

netmode/files/etc/netmodes/routed-dhcp/scripts/10-routed-dhcp

@@ -59,6 +59,8 @@ l3_network_config() {
 	uci -q set network.wan.device="$wandev"
 	uci -q set network.wan6.device="$wandev"
 
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
 	uci -q delete network.wan.dns
 	if [ -n "$NETMODE_dns_servers" ]; then
 		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"

netmode/files/etc/netmodes/routed-pppoe/scripts/10-routed-pppoe

@@ -57,6 +57,8 @@ l3_network_pppoe_config() {
 	uci -q set network.wan.device="$wandev"
 	uci -q set network.wan6.device="$wandev"
 
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
 	uci -q delete network.wan.dns
 	if [ -n "$NETMODE_dns_servers" ]; then
 		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"

netmode/files/etc/netmodes/routed-static/scripts/10-routed-static

@@ -58,6 +58,8 @@ l3_network_config() {
 	uci -q set network.wan.device="$wandev"
 	uci -q set network.wan6.device="$wandev"
 
+	uci -q set network.WAN.mtu="$NETMODE_mtu"
+
 	uci -q delete network.wan.dns
 	if [ -n "$NETMODE_dns_servers" ]; then
 		dns_servers="$(echo $NETMODE_dns_servers | tr ',' ' ')"

netmode/files/etc/netmodes/supported_modes.json

@@ -43,6 +43,12 @@
           "required": false,
           "type": "integer"
         },
+        {
+          "name": "mtu",
+          "description": "MTU",
+          "required": false,
+          "type": "integer"
+        },
         {
           "name": "dns_servers",
           "description": "DNS Servers",

netmode/files/etc/uci-defaults/40_netmode_set_default_netmode

@@ -4,13 +4,19 @@ enabled="$(uci -q get netmode.global.enabled)"
 [ "$enabled" == "1" ] || exit 0
 
 mode="$(uci -q get netmode.global.mode)"
-[ -n "$mode" ] && exit 0
+wanproto=$(uci -q get network.wan.proto)
+
+if [ -n "$mode" ]; then
+	# check if wanproto and mode aligned
+	if [ "${mode}" = "routed-${wanproto}" ]; then
+		exit 0
+	fi
+fi
 
 [ -f /etc/netmodes/supported_modes.json ] || exit 0
 
 # NetMode is enabled without a Mode being set
 # Figure out the current mode from network config
-wanproto=$(uci -q get network.wan.proto)
 curmode=""
 case "$wanproto" in
 	dhcp) curmode="routed-dhcp" ;;

netmode/files/lib/upgrade/keep.d/netmode

@@ -0,0 +1 @@
+/etc/netmodes/.last_mode

obuspa/Makefile

@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=obuspa
-PKG_VERSION:=10.0.7.5
+PKG_VERSION:=10.0.7.7
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)

obuspa/files/etc/init.d/obuspa

@@ -715,7 +715,7 @@ start_service() {
 
 	mkdir -p /tmp/obuspa/
 	config_load obuspa
-	config_get_bool enabled global enabled 0
+	config_get_bool enabled global enabled 1
 
 	procd_open_instance ${CONFIGURATION}
 	if [ "${enabled}" -eq 1 ]; then

obuspa/files/etc/uci-defaults/93-obuspa_mdns_adv

@@ -53,13 +53,7 @@ add_mdns_advertise() {
 	json_dump > /etc/umdns/obuspa_mdns.json
 }
 
-config_load obuspa
-config_get_bool enable_obuspa global enabled 1
-
-if [ "${enable_obuspa}" -eq 1 ]; then
-	role="$(get_device_role)"
-
-	if [ "${role}" == "gateway" ]; then
-		add_mdns_advertise
-	fi
+role="$(get_device_role)"
+if [ "${role}" == "gateway" ]; then
+	add_mdns_advertise
 fi

obuspa/files/etc/uci-defaults/obuspa-set-dhcp-option

@@ -19,19 +19,11 @@ get_access_role()
 
 configure_dhcp_options() {
 	local enabled inerface discovery
-	config_load obuspa
+
 	config_get_bool enabled global enabled 1
 	config_get interface global interface
 	config_get_bool discovery global dhcp_discovery 1
 
-	if [ "${enabled}" -eq 0 ]; then
-		return 0
-	fi
-
-	if [ "${discovery}" -eq 0 ]; then
-		return 0
-	fi
-
 	if [ -z "${interface}" ]; then
 		role="$(get_access_role)"
 
@@ -66,12 +58,12 @@ configure_dhcp_options() {
 
 	if [ "${proto}" = "dhcp" ]; then
 		if [ ${req125_present} -eq 0 ]; then
-			newreqopts="$reqopts 125"
+			[ -n "${reqopts}" ] && newreqopts="$reqopts 125" || newreqopts="125"
 			uci -q set network."${interface}".reqopts="$newreqopts"
 		fi
 
 		if [ ${send124_present} -eq 0 ]; then
-			newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70"
+			[ -n "${sendopts}" ] && newsendopts="${sendopts} 124:00:00:0D:E9:04:03:75:73:70" ||  newsendopts="124:00:00:0D:E9:04:03:75:73:70"
 			uci -q set network."${interface}".sendopts="$newsendopts"
 		fi
 	fi

qosmngr/files/airoha/lib/qos/airoha.sh

@@ -411,33 +411,35 @@ hw_commit_all() {
         /userfs/bin/qosrule discpline Enable 0
     fi
 
-    if [ -x /userfs/bin/blapi_cmd ]; then
-        echo 1 > /proc/ifc_send_to_ppe
-        for tc in $(seq 0 7); do
-            if [ -s "/tmp/qos/dscp_values_${tc}_4" ]; then
-                sort -un "/tmp/qos/dscp_values_${tc}_4" | awk 'NR==1{first=$1;last=$1;next}
-                                                               $1 == last+1 {last=$1;next}
-                                                               {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
-                                                               END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
-            fi
-            if [ -s "/tmp/qos/dscp_values_${tc}_6" ]; then
-                [ -s "/tmp/qos/dscp_values_${tc}_4" ] && sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
-                                                                                                        $1 == last+1 {last=$1;next}
-                                                                                                        {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0");first=$1;last=first}
-                                                                                                        END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0")}'
-                sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
-                                                               $1 == last+1 {last=$1;next}
-                                                               {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
-                                                               END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
-            fi
-        done
-    fi
+    if ! strings /proc/device-tree/compatible | grep -qFx econet,en7523; then
+        if [ -x /userfs/bin/blapi_cmd ]; then
+            echo 1 > /proc/ifc_send_to_ppe
+            for tc in $(seq 0 7); do
+                if [ -s "/tmp/qos/dscp_values_${tc}_4" ]; then
+                    sort -un "/tmp/qos/dscp_values_${tc}_4" | awk 'NR==1{first=$1;last=$1;next}
+                                                                   $1 == last+1 {last=$1;next}
+                                                                   {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
+                                                                   END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
+                fi
+                if [ -s "/tmp/qos/dscp_values_${tc}_6" ]; then
+                    [ -s "/tmp/qos/dscp_values_${tc}_4" ] && sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
+                                                                                                            $1 == last+1 {last=$1;next}
+                                                                                                            {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0");first=$1;last=first}
+                                                                                                            END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 0")}'
+                    sort -un "/tmp/qos/dscp_values_${tc}_6" | awk 'NR==1{first=$1;last=$1;next}
+                                                                   $1 == last+1 {last=$1;next}
+                                                                   {system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1");first=$1;last=first}
+                                                                   END{system("/userfs/bin/blapi_cmd traffic set_traffic_class DSCP " first*4 " " or(last*4, 0x3) " 1")}'
+                fi
+            done
+        fi
 
-    if [ -x /userfs/bin/ifc ]; then
-        echo 1 > /proc/ifc_send_to_ppe
-        for pbit in $(seq 0 7); do
-            /userfs/bin/ifc add vip pbit $pbit
-        done
+        if [ -x /userfs/bin/ifc ]; then
+            echo 1 > /proc/ifc_send_to_ppe
+            for pbit in $(seq 0 7); do
+                /userfs/bin/ifc add vip pbit $pbit
+            done
+        fi
     fi
 
     hw_nat -! > /dev/null 2>&1

sulu/sulu-base/Makefile

@@ -5,11 +5,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-base
-PKG_VERSION:=5.1.1
+PKG_VERSION:=5.2.10
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu.git
-PKG_SOURCE_VERSION:=08195779cbc2d1d7410cb324b9e35692b0579a7e
+PKG_SOURCE_VERSION:=4aa93571b341c3a5da47fbb64b254f5ac602b5e8
 PKG_MIRROR_HASH:=skip
 
 SULU_MOD:=core

sulu/sulu-builder/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-builder
-PKG_VERSION:=5.1.1
+PKG_VERSION:=5.2.10
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/websdk/sulu-builder.git
-PKG_SOURCE_VERSION:=7f646ecf643967f4b4b2c545a31bbef0514b34bc
+PKG_SOURCE_VERSION:=ec76b7e0564b9db0ef3db50aac3110fa3b7a30af
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_BUILD_DIR:=$(BUILD_DIR)/sulu-$(PKG_VERSION)/sulu-builder-$(PKG_SOURCE_VERSION)
@@ -28,7 +28,7 @@ define Package/sulu/default
 	CATEGORY:=Utilities
 	SUBMENU:=SULU
 	TITLE:=SULU-CE
-	DEPENDS:=+mosquitto-auth-shadow +usermngr +userinterface +obuspa
+	DEPENDS:=+mosquitto-auth-plugin +usermngr +userinterface +obuspa
 	DEPENDS+=+@OBUSPA_LOCAL_MQTT_LISTENER
 	EXTRA_DEPENDS:=nginx
 endef
@@ -98,8 +98,12 @@ define Package/sulu/install/Default
 	$(INSTALL_DIR) $(1)/sulu/
 	$(INSTALL_DIR) $(1)/etc/sulu
 
+	$(INSTALL_DATA) ./files/maintenance.html $(1)/sulu/
+	$(LN) /tmp/sulu $(1)/sulu/connection
+
 	$(INSTALL_BIN) ./files/etc/sulu/sulu.sh $(1)/etc/sulu/
 	$(INSTALL_DATA) ./files/etc/sulu/nginx.locations $(1)/etc/sulu/
+	$(INSTALL_BIN) ./files/etc/sulu/sulu_watcher.sh $(1)/etc/sulu/
 
 	$(INSTALL_DIR) $(1)/etc/users/roles
 	$(INSTALL_DATA) ./files/etc/users/roles/*.json $(1)/etc/users/roles/
@@ -109,6 +113,8 @@ define Package/sulu/install/Default
 ifneq ($(CONFIG_SULU_DEFAULT_UI)$(CONFIG_SULU_BUILDER_DEFAULT_UI),)
 	$(INSTALL_DATA) ./files/etc/uci-defaults/41-make-sulu-default-ui $(1)/etc/uci-defaults/
 endif
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/sulu $(1)/etc/init.d/
 endef
 
 define Package/sulu/install/Post

sulu/sulu-builder/files/etc/init.d/sulu

@@ -0,0 +1,15 @@
+#!/bin/sh /etc/rc.common
+
+START=9
+STOP=01
+
+USE_PROCD=1
+
+PROG=/etc/sulu/sulu_watcher.sh
+
+start_service()
+{
+	procd_open_instance "sulu"
+	procd_set_param command ${PROG}
+	procd_close_instance "sulu"
+}

sulu/sulu-builder/files/etc/sulu/nginx.locations

@@ -8,6 +8,10 @@ location /sitemap.xml {
 	return 200 "User-agent: *\nDisallow: /\n";
 }
 
+location /maintenance.html {
+	internal;
+}
+
 location /wss {
 	proxy_pass_request_headers      on;
 	proxy_cache        off;
@@ -16,7 +20,7 @@ location /wss {
 	proxy_set_header Connection $connection_upgrade;
 	proxy_set_header    Host               $host;
 	proxy_set_header    X-Real-IP          $remote_addr;
-	proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+	proxy_set_header    X-Forwarded-For    $remote_addr;
 	proxy_set_header    X-Forwarded-Host   $host;
 	proxy_set_header    X-Forwarded-Server $host;
 	proxy_set_header    X-Forwarded-Port   $server_port;
@@ -48,5 +52,10 @@ location / {
 	}
 	add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 	add_header Pragma 'no-cache';
+
+	if (!-f $document_root/connection/ready) {
+		return 503;
+	}
+
 	expires 0;
 }

sulu/sulu-builder/files/etc/sulu/sulu.sh

@@ -5,8 +5,9 @@
 . /lib/functions.sh
 . /usr/share/libubox/jshn.sh
 
-RESTART_REQ=0
-_RESTART_SERVICES="0"
+SULU_CON_CONFIG="/sulu/presets/connection-config.json"
+SULU_ACL_FILE=""
+SULU_CON_ROLES=""
 
 slog() {
 	echo "$*" | logger -t sulu.sh -p debug
@@ -27,49 +28,21 @@ _get_agent_id() {
 	fi
 }
 
-_get_sulu_user_roles() {
-	roles=$(uci -q get userinterface._sulu_s.role)
-
-	for role in ${roles}; do
-		sulu_user_roles="${sulu_user_roles} ${role}"
-	done
-
-	if [ -n "${sulu_user_roles}" ]; then
-		sulu_user_roles=$(echo -e "${sulu_user_roles// /\\n}" | sort | uniq)
-	fi
-
-	echo "${sulu_user_roles}"
-}
-
-_get_sulu_root() {
-	local root
-
-	root="$(uci -q get nginx._sulu_s.root)"
-	echo "${root:-/sulu}"
-}
-
-_get_sulu_connection_config() {
-	local config
-
-	config="$(_get_sulu_root)/presets/connection-config.json"
-	echo "${config}"
-}
-
-_get_sulu_session_mode() {
-	uci -q get sulu.global.SessionMode
-}
-
 _get_sulu_acl_file() {
 	uci -q get mosquitto.sulu.acl_file
 }
 
+_sulu_conn_config_users() {
+	for user in ${SULU_CON_ROLES}; do
+		json_add_object "${user}"
+		json_add_string 'fromId' "self::sulu-${user}"
+		json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${user}/endpoint"
+		json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${user}/controller"
+		json_close_object
+	done
+}
+
 generate_sulu_conn_config() {
-	local users SCONFIG session
-
-	users="$(_get_sulu_user_roles)"
-	session="$(_get_sulu_session_mode)"
-	SCONFIG="$(_get_sulu_connection_config)"
-
 	json_init
 	json_add_string 'Current-connection' 'main'
 	json_add_object 'Connections'
@@ -79,41 +52,25 @@ generate_sulu_conn_config() {
 			json_add_string 'toId' "os::$(_get_agent_id)"
 			json_add_string 'port' "auto"
 			json_add_string 'path' "/wss"
-
-			if [ "${session}" = "Require" ]; then
-				json_add_boolean 'useSession' 1
-			fi
-
 			json_add_string 'protocol' 'autoWs'
+
 			json_add_object 'overrides'
 			{
-				for user in ${users}; do
-					json_add_object "${user}"
-					{
-						json_add_string 'fromId' "self::sulu-${user}"
-						json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${user}/endpoint"
-						json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${user}/controller"
-						json_close_object
-					}
-				done
+				_sulu_conn_config_users
 				json_close_object
 			}
 			json_close_object
 		}
 		json_close_object
 	}
-
-	json_dump >"${SCONFIG}"
+	json_dump >"${SULU_CON_CONFIG}"
 }
 
-_update_obuspa_config_rbac() {
-	local agent users session
+update_obuspa_config() {
+	local agent
 
 	agent="$(_get_agent_id)"
-	users="$(_get_sulu_user_roles)"
-	session="$(_get_sulu_session_mode)"
-
-	for user in ${users}; do
+	for user in ${SULU_CON_ROLES}; do
 		local section
 
 		# Add mqtt
@@ -123,7 +80,6 @@ _update_obuspa_config_rbac() {
 			uci_set obuspa "${section}" BrokerAddress "127.0.0.1"
 			uci_set obuspa "${section}" BrokerPort "1883"
 			uci_set obuspa "${section}" TransportProtocol "TCP/IP"
-			RESTART_REQ=1
 		fi
 
 		# Add mtp
@@ -133,7 +89,6 @@ _update_obuspa_config_rbac() {
 			uci_set obuspa "${section}" Protocol "MQTT"
 			uci_set obuspa "${section}" ResponseTopicConfigured "/usp/${agent}/${user}/endpoint"
 			uci_set obuspa "${section}" mqtt "mqtt_sulu_$user"
-			RESTART_REQ=1
 		fi
 
 		# Add controller
@@ -145,88 +100,59 @@ _update_obuspa_config_rbac() {
 			uci_set obuspa "${section}" Topic "/usp/${agent}/${user}/controller"
 			uci_set obuspa "${section}" mqtt "mqtt_sulu_$user"
 			uci_set obuspa "${section}" assigned_role_name "$user"
-			RESTART_REQ=1
-		fi
-
-		obMode="$(uci_get obuspa "${section}" SessionMode)"
-		if [ "${session}" != "${obMode}" ]; then
-			uci_set obuspa "${section}" SessionMode "${session}"
-			RESTART_REQ=1
 		fi
 	done
 }
 
-_create_mosquitto_acl() {
-	local agentid users
-	local ACL_FILE acl_users
+create_mosquitto_acl() {
+	local agentid
+	local acl_users
 
-	RESTART_REQ="0"
-
-	ACL_FILE="$(_get_sulu_acl_file)"
-	if [ -z "${ACL_FILE}" ]; then
+	SULU_ACL_FILE="$(_get_sulu_acl_file)"
+	if [ -z "${SULU_ACL_FILE}" ]; then
 		return 0
 	fi
 
-	users="$(_get_sulu_user_roles)"
-	if [ -f "${ACL_FILE}" ]; then
-		acl_users="$(awk '/^user / {print $2}' "${ACL_FILE}")"
-		for user in ${acl_users}; do
-			if ! echo "$users" | grep -qwF "$user"; then
-				rm -f "${ACL_FILE}"
-				RESTART_REQ="1"
-				break
-			fi
-		done
-	fi
-	[ -f "${ACL_FILE}" ] || touch "${ACL_FILE}"
-
+	echo > "${SULU_ACL_FILE}"
 	agentid="$(_get_agent_id)"
-	for user in ${users}; do
-		if ! grep -qxF "user $user" "${ACL_FILE}"; then
+	for user in ${SULU_CON_ROLES}; do
+		if ! grep -qxF "user $user" "${SULU_ACL_FILE}"; then
 			{
 				echo "user ${user}"
 				echo "topic read  /usp/${agentid}/${user}/controller/reply-to"
 				echo "topic write /usp/${agentid}/${user}/endpoint"
 				echo "topic read  /usp/${agentid}/${user}/controller"
 				echo ""
-			} >> "${ACL_FILE}"
-			RESTART_REQ="1"
+			} >> "${SULU_ACL_FILE}"
 		fi
 	done
+}
 
-	if [ "${_RESTART_SERVICES}" -eq "1" ] && [ "${RESTART_REQ}" -gt "0" ]; then
-		slog "Restarting mosquitto..."
-		ubus call uci commit '{"config":"mosquitto"}'
+get_sulu_roles() {
+	local sec path_prefix redirect role
+
+	sec="${1}"
+
+	config_get path_prefix "${sec}" path_prefix ""
+	config_get redirect "${sec}" redirect ""
+	config_get role "${sec}" role ""
+
+	if [ -n "${redirect}" ]; then
+		return 0
+	fi
+
+	if [ "${path_prefix}" != "/sulu" ]; then
+		return 0
+	fi
+
+	if [ -n "${role}" ]; then
+		SULU_CON_ROLES="${SULU_CON_ROLES} ${role}"
 	fi
 }
 
-update_obuspa_config() {
-	RESTART_REQ=0
-	_update_obuspa_config_rbac
-	uci_commit obuspa
+config_load userinterface
+config_foreach get_sulu_roles http_access
 
-	if [ "${_RESTART_SERVICES}" -eq "1" ] && [ "${RESTART_REQ}" -gt "0" ]; then
-		slog "Restarting obuspa..."
-		ubus call uci commit '{"config":"obuspa"}'
-	fi
-}
-
-configure_sulu() {
-	_create_mosquitto_acl
-	update_obuspa_config
-	generate_sulu_conn_config
-}
-
-while getopts ":r" opt; do
-	case ${opt} in
-	r)
-		_RESTART_SERVICES="1"
-		;;
-	*)
-		slog "Invalid option: ${OPTARG}"
-		exit 1
-		;;
-	esac
-done
-
-configure_sulu
+generate_sulu_conn_config
+create_mosquitto_acl
+update_obuspa_config

sulu/sulu-builder/files/etc/sulu/sulu_watcher.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+if ! command -v obuspa >/dev/null 2>&1; then
+	exit 0
+fi
+
+USP_PATH="/tmp/sulu/"
+
+log() {
+	logger -t sulu_watcher "$*"
+}
+
+wait_for_obuspa() {
+	while true; do
+		ENDPOINTID="$(obuspa -c get Device.LocalAgent.EndpointID |grep Device.|awk '{print $3}')"
+		sleep 2
+		if [ -n "${ENDPOINTID}" ]; then
+			break;
+		fi
+	done
+}
+
+mark_usp_ready() {
+	mkdir -p "${USP_PATH}"
+	touch ${USP_PATH}/ready
+}
+
+wait_for_obuspa
+mark_usp_ready

sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config

@@ -33,13 +33,14 @@ add_sulu_config_to_mosquitto()
 	uci_set mosquitto sulu port '9009'
 	uci_set mosquitto sulu no_remote_access '1'
 	uci_set mosquitto sulu protocol 'websockets'
-	uci_set mosquitto sulu auth_plugin '/usr/lib/mosquitto_auth_shadow.so'
+	uci_set mosquitto sulu auth_plugin '/usr/lib/mosquitto_auth_plugin.so'
 	uci_set mosquitto sulu acl_file '/etc/sulu/mqtt.acl'
 }
 
 add_sulu_userinterface_uci()
 {
-	if [ -f "/etc/config/userinterface" ]; then
+	# check if sulu already configured
+	if ! uci show userinterface| grep -q "path_prefix='/sulu'"; then
 		uci_add userinterface http_access _sulu_s
 		uci_set userinterface _sulu_s path_prefix '/sulu'
 		uci_set userinterface _sulu_s port '8443'
@@ -48,6 +49,7 @@ add_sulu_userinterface_uci()
 		uci_set userinterface _sulu_s _nginx_ssl_certificate '/etc/nginx/conf.d/_lan.crt'
 		uci_set userinterface _sulu_s _nginx_ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
 		uci_set userinterface _sulu_s _nginx_ssl_session_cache 'none'
+		uci_set userinterface _sulu_s _nginx_error_page '503 /maintenance.html'
 		uci_set userinterface _sulu_s protocol 'HTTPS'
 		uci_set userinterface _sulu_s role 'admin user'
 

sulu/sulu-builder/files/etc/users/roles/admin.json

@@ -6,554 +6,7 @@
     "permission": [
       {
         "object": "Device.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Reboot()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SelfTestDiagnostics()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.FactoryReset()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DeviceInfo.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Time.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UPnP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Bridging.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Ethernet.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.Server.Pool.{i}.StaticAddress.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv6.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Hosts.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}ParentalControl.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}OpenVPN.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.NAT.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Firewall.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_SET",
-          "PERMIT_SUBS_VAL_CHANGE"
-        ]
-      },
-      {
-        "object": "Device.Firewall.DMZ.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PPP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Routing.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IEEE1905.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.InterfaceStack.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DynamicDNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LANConfigSecurity.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Security.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.RouterAdvertisement.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Services.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UserInterface.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PeriodicStatistics.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SoftwareModules.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.Users.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.Subscription.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.WiFi.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SSH.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LEDs.LED.{i}.CycleElement.{i}.Brightness",
-        "perm": ["PERMIT_GET", "PERMIT_SET", "PERMIT_GET_INST"]
+        "perm": ["PERMIT_ALL"]
       }
     ]
   }

sulu/sulu-builder/files/etc/users/roles/user.json

@@ -2,533 +2,19 @@
   "tr181": {
     "name": "user",
     "instance": 5,
+    "secure_role": true,
     "permission": [
       {
         "object": "Device.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
+        "perm": ["PERMIT_ALL"]
       },
       {
-        "object": "Device.Reboot()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
+        "object": "Device.Firewall.Enable",
+        "perm": ["PERMIT_GET", "PERMIT_SUBS_VAL_CHANGE", "PERMIT_OBJ_INFO"]
       },
       {
-        "object": "Device.SelfTestDiagnostics()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.FactoryReset()",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DeviceInfo.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Time.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UPnP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Bridging.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Ethernet.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv4.Server.Pool.{i}.StaticAddress.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DHCPv6.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Hosts.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}ParentalControl.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.{BBF_VENDOR_PREFIX}OpenVPN.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.NAT.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Firewall.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_SET",
-          "PERMIT_SUBS_VAL_CHANGE"
-        ]
-      },
-      {
-        "object": "Device.Firewall.DMZ.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PPP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Routing.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IEEE1905.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.InterfaceStack.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DynamicDNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LANConfigSecurity.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Security.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.RouterAdvertisement.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.Services.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.UserInterface.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.PeriodicStatistics.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SoftwareModules.",
+        "object": "Device.Firewall.Chain.*.Rule.",
         "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.Users.User.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.LocalAgent.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.Subscription.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.WiFi.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.DNS.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_ADD",
-          "PERMIT_DEL",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.IP.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_GET_INST",
-          "PERMIT_OBJ_INFO",
-          "PERMIT_CMD_INFO",
-          "PERMIT_SET",
-          "PERMIT_OPER",
-          "PERMIT_SUBS_VAL_CHANGE",
-          "PERMIT_SUBS_OBJ_ADD",
-          "PERMIT_SUBS_OBJ_DEL",
-          "PERMIT_SUBS_EVT_OPER_COMP"
-        ]
-      },
-      {
-        "object": "Device.SSH.",
-        "perm": ["PERMIT_NONE"]
-      },
-      {
-        "object": "Device.LEDs.LED.{i}.CycleElement.{i}.Brightness",
-        "perm": ["PERMIT_GET", "PERMIT_SET", "PERMIT_GET_INST"]
       }
     ]
   }

sulu/sulu-builder/files/maintenance.html

@@ -0,0 +1,248 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Router Interface Loading...</title>
+    <style>
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      body {
+        font-family:
+          -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu,
+          sans-serif;
+        background: linear-gradient(135deg, #3399ff 0%, #012669 100%);
+        height: 100vh;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        color: #fff;
+      }
+
+      .container {
+        text-align: center;
+        padding: 2rem;
+        background: rgba(255, 255, 255, 0.1);
+        border-radius: 20px;
+        backdrop-filter: blur(10px);
+        box-shadow: 0 20px 40px rgba(0, 0, 0, 0.1);
+        max-width: 400px;
+        width: 90%;
+      }
+
+      .spinner {
+        width: 60px;
+        height: 60px;
+        margin: 0 auto 2rem;
+        position: relative;
+      }
+
+      .spinner::before,
+      .spinner::after {
+        content: "";
+        position: absolute;
+        top: 0;
+        left: 0;
+        width: 100%;
+        height: 100%;
+        border-radius: 50%;
+        border: 3px solid transparent;
+        border-top-color: #fff;
+        animation: spin 1.5s ease-in-out infinite;
+      }
+
+      .spinner::after {
+        animation-delay: 0.15s;
+        border-top-color: rgba(255, 255, 255, 0.5);
+      }
+
+      @keyframes spin {
+        0% {
+          transform: rotate(0deg);
+        }
+        100% {
+          transform: rotate(360deg);
+        }
+      }
+
+      h1 {
+        font-size: 1.8rem;
+        margin-bottom: 1rem;
+        font-weight: 600;
+      }
+
+      p {
+        font-size: 1rem;
+        opacity: 0.9;
+        line-height: 1.5;
+        margin-bottom: 1rem;
+      }
+
+      .status {
+        font-size: 0.9rem;
+        opacity: 0.8;
+        margin-top: 1.5rem;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        gap: 0.5rem;
+      }
+
+      .status-dot {
+        width: 8px;
+        height: 8px;
+        background: #fff;
+        border-radius: 50%;
+        animation: pulse 1.5s ease-in-out infinite;
+      }
+
+      @keyframes pulse {
+        0%,
+        100% {
+          opacity: 0.3;
+        }
+        50% {
+          opacity: 1;
+        }
+      }
+
+      .retry-count {
+        font-size: 0.85rem;
+        opacity: 0.7;
+        margin-top: 0.5rem;
+      }
+
+      .error-message {
+        background: rgba(255, 59, 48, 0.2);
+        border: 1px solid rgba(255, 59, 48, 0.5);
+        padding: 0.75rem;
+        border-radius: 8px;
+        margin-top: 1rem;
+        font-size: 0.9rem;
+        display: none;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="spinner"></div>
+      <h1>Router Starting Up</h1>
+      <p>
+        The web interface is initializing. You'll be redirected automatically
+        once it's ready.
+      </p>
+
+      <div class="status">
+        <span class="status-dot"></span>
+        <span id="statusText">Checking availability...</span>
+      </div>
+
+      <div class="retry-count" id="retryCount"></div>
+      <div class="error-message" id="errorMessage"></div>
+    </div>
+
+    <script>
+      let retryCount = 0;
+      let checkInterval = 2000; // Start with 2 seconds
+      let maxInterval = 10000; // Max 10 seconds between checks
+      let consecutiveFailures = 0;
+      let maxConsecutiveFailures = 100; // Stop after 100 consecutive failures (~8-10 minutes)
+
+      function updateStatus(message) {
+        document.getElementById("statusText").textContent = message;
+      }
+
+      function updateRetryCount() {
+        retryCount++;
+        const retryElement = document.getElementById("retryCount");
+        retryElement.textContent = `Attempt ${retryCount}`;
+      }
+
+      function showError(message) {
+        const errorElement = document.getElementById("errorMessage");
+        errorElement.textContent = message;
+        errorElement.style.display = "block";
+      }
+
+      async function checkAvailability() {
+        updateRetryCount();
+        updateStatus("Connecting to router...");
+
+        try {
+          // Try to fetch the index page
+          const response = await fetch("/index.html", {
+            method: "HEAD", // Use HEAD to minimize bandwidth
+            cache: "no-cache",
+            mode: "no-cors", // Allow checking even with CORS restrictions
+          });
+
+          // If we get any response (even 404), the server is responding
+          // For a router, we typically want to redirect on 200 or 304
+          if (response.ok || response.status === 304) {
+            updateStatus("Router ready! Redirecting...");
+            consecutiveFailures = 0;
+
+            // Small delay for user feedback
+            setTimeout(() => {
+              window.location.reload();
+            }, 500);
+            return true;
+          } else if (response.status !== 503) {
+            // Server is responding but page not ready yet
+            updateStatus(`Server responding (${response.status}), waiting...`);
+            consecutiveFailures = 0;
+          }
+        } catch (error) {
+          // Network error - server not reachable
+          consecutiveFailures++;
+
+          if (consecutiveFailures > maxConsecutiveFailures) {
+            updateStatus("Connection timeout");
+            showError(
+              "Unable to connect to router. Please check your connection and refresh this page.",
+            );
+            return true; // Stop checking
+          }
+
+          updateStatus("Router not ready yet...");
+
+          // Implement exponential backoff
+          if (consecutiveFailures > 5) {
+            checkInterval = Math.min(checkInterval * 1.2, maxInterval);
+          }
+        }
+
+        return false;
+      }
+
+      async function startChecking() {
+        // Initial check
+        const isReady = await checkAvailability();
+        if (isReady) return;
+
+        // Continue checking
+        const intervalId = setInterval(async () => {
+          const isReady = await checkAvailability();
+          if (isReady) {
+            clearInterval(intervalId);
+          }
+        }, checkInterval);
+      }
+
+      // Start checking when page loads
+      window.addEventListener("DOMContentLoaded", () => {
+        // Small initial delay to show the UI
+        setTimeout(startChecking, 500);
+      });
+
+      // Also try to check if user clicks anywhere on the page
+      document.addEventListener("click", () => {
+        checkAvailability();
+      });
+    </script>
+  </body>
+</html>

sulu/sulu-theme-genexis/Makefile

@@ -5,11 +5,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-theme-genexis
-PKG_VERSION:=5.1.1
+PKG_VERSION:=5.2.10
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/gnx/sulu-theme-genexis
-PKG_SOURCE_VERSION:=69b72c2e589a3f73db3cb219ee7f59ab40b1bf48
+PKG_SOURCE_VERSION:=d329108aa49a0d57325cd8e639c80ba70c126f3f
 PKG_MIRROR_HASH:=skip
 
 include ../sulu-builder/sulu.mk

sysmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sysmngr
-PKG_VERSION:=1.0.30
+PKG_VERSION:=1.1.2
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/sysmngr.git
-PKG_SOURCE_VERSION:=8d150fae12ad42885c270051189572d59255244d
+PKG_SOURCE_VERSION:=42b129059007cec121c900c33ece6e40dbca7a78
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

sysmngr/files/etc/init.d/sysmngr

@@ -1,10 +1,19 @@
 #!/bin/sh /etc/rc.common
 
-START=15
+START=12
 STOP=8
 
 USE_PROCD=1
 PROG=/usr/sbin/sysmngr
+RESET_REASON="/etc/sysmngr/reset_reason"
+
+boot()
+{
+	if [ -x "${RESET_REASON}" ]; then
+		eval ${RESET_REASON}
+	fi
+	start
+}
 
 start_service()
 {

sysmngr/files/etc/sysmngr/fwbank

@@ -22,7 +22,30 @@ fwbank_get_bootbank() {
 
 case "$1" in
 	list)
-		echo '{ "dump" : {}, "set_bootbank" : {"bank":32}, "copy_config" : {}, "upgrade": {"path":"String","auto_activate":true,"bank":32,"keep_settings":true}}'
+		json_init
+		json_add_object "dump"
+		json_close_object
+
+		json_add_object "set_bootbank"
+		json_add_int "bank" 32
+		json_close_object
+
+		json_add_object "copy_config"
+		json_add_boolean "keep_settings" 1
+		json_add_boolean "keep_opconf" 1
+		json_add_string "config_scope" "String"
+		json_close_object
+
+		json_add_object "upgrade"
+		json_add_string "path" "String"
+		json_add_boolean "auto_activate" 1
+		json_add_int "bank" 32
+		json_add_boolean "keep_settings" 1
+		json_add_boolean "keep_opconf" 1
+		json_add_string "config_scope" "String"
+		json_add_boolean "reboot" 1
+		json_close_object
+		json_dump
 	;;
 	call)
 		case "$2" in
@@ -125,19 +148,44 @@ case "$1" in
 				fi
 			;;
 			copy_config)
-				if [ -z "$UPGRADE_BACKUP" ]; then
-					UPGRADE_BACKUP=/tmp/sysupgrade.tgz
+				read -r input
+				json_load "${input}"
+				json_get_var keep_settings keep_settings
+				json_get_var keep_opconf keep_opconf
+				json_get_var config_scope config_scope
+
+				# Set the default value for keep_settings
+				keep_settings=${keep_settings:-1}
+
+				if command -v "opconf_conf_handler" >/dev/null 2>&1; then
+					if ! mountpoint -q /usr_data; then
+						logger -t sysmngr.fwbank "copy_config: usr_data partition not present"
+						config_scope="All"
+					fi
+
+					arg="-k ${keep_settings}"
+					[ -n  "${keep_opconf}" ] && arg="${arg} -o ${keep_opconf}"
+					[ -n  "${config_scope}" ] && arg="${arg} -s ${config_scope}"
+
+					opconf_conf_handler ${arg}
+				else
+					# Fallback to default old behaviour in case opconf not present
+					config_scope="All"
 				fi
 
 				ret=0
+				if [ "${keep_settings}" -eq "1" ] && [ "${config_scope}" = "All" ]; then
+					if [ -z "$UPGRADE_BACKUP" ]; then
+						UPGRADE_BACKUP=/tmp/sysupgrade.tgz
+					fi
 
-				sysupgrade -b "$UPGRADE_BACKUP" || ret=1
-
-				if [ "$ret" -eq 0 ]; then
-					if command -v platform_copy_config >/dev/null 2>&1; then
-						platform_copy_config 1>&2 || ret=1
-					else
-						ret=1
+					sysupgrade -b "$UPGRADE_BACKUP" || ret=1
+					if [ "$ret" -eq 0 ]; then
+						if command -v platform_copy_config >/dev/null 2>&1; then
+							platform_copy_config 1>&2 || ret=1
+						else
+							ret=1
+						fi
 					fi
 				fi
 
@@ -157,6 +205,9 @@ case "$1" in
 				json_get_var auto_activate auto_activate
 				json_get_var bank bank
 				json_get_var keep_settings keep_settings
+				json_get_var keep_opconf keep_opconf
+				json_get_var config_scope config_scope
+				json_get_var reboot reboot
 
 				ret=0
 
@@ -180,6 +231,7 @@ case "$1" in
 
 				# Set the default value for keep_settings
 				keep_settings=${keep_settings:-1}
+				reboot=${reboot:-0}
 
 				# This ubus call does not reboot the system at any one time.
 				# Although, the newly upgraded bank is activated by default.
@@ -187,14 +239,36 @@ case "$1" in
 				# "--no-activate" otherwise.
 				sysupgrade_flag=""
 				if [ "${auto_activate}" -eq 1 ]; then
-					sysupgrade_flag="--no-reboot"
+					if [ "${reboot}" -eq 0 ]; then
+						sysupgrade_flag="--no-reboot"
+					fi
 				else
 					sysupgrade_flag="--no-activate"
 				fi
 
+				if command -v "opconf_conf_handler" >/dev/null 2>&1; then
+					if ! mountpoint -q /usr_data; then
+						logger -t sysmngr.fwbank "upgrade: usr_data partition not present"
+						config_scope="All"
+					fi
+
+					arg="-k ${keep_settings}"
+					[ -n  "${keep_opconf}" ] && arg="${arg} -o ${keep_opconf}"
+					[ -n  "${config_scope}" ] && arg="${arg} -s ${config_scope}"
+
+					opconf_conf_handler ${arg}
+				else
+					# Fallback to default old behaviour in case opconf not present
+					config_scope="All"
+				fi
+
 				# Set the flag to do not save configuration over reflash
 				if [ "${keep_settings}" -eq 0 ]; then
 					sysupgrade_flag="${sysupgrade_flag} -n"
+				elif [ "${keep_settings}" -eq 1 ]; then
+					if [ "${config_scope}" != "All" ]; then
+						sysupgrade_flag="${sysupgrade_flag} -n"
+					fi
 				fi
 
 				# Call sysupgrade synchonously. It should not time out the ubus call,

usermngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=usermngr
-PKG_VERSION:=1.4.6
+PKG_VERSION:=1.4.7
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/usermngr.git
-PKG_SOURCE_VERSION:=416c49b53ed2fbbc983f404c65b8a8ce722152bd
+PKG_SOURCE_VERSION:=62390ff8d9e1c80babf3621f8b374dcd2078ff6f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -75,6 +75,7 @@ define Package/usermngr/install
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DIR) $(1)/etc/users/roles
+	$(INSTALL_DIR) $(1)/etc/users/schema
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-sync-shells $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-sync-roles $(1)/etc/uci-defaults/
@@ -88,6 +89,7 @@ endif
 	$(INSTALL_BIN) ./files/etc/init.d/users $(1)/etc/init.d/users
 	$(INSTALL_BIN) ./files/etc/config/users $(1)/etc/config/users
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/usermngr $(1)/usr/sbin/usermngr
+	$(CP) ./acl.schema.json $(1)/etc/users/schema/acl.schema.json
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 endef
 

usermngr/acl.schema.json

@@ -0,0 +1,68 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "TR-181 Permissions Schema",
+  "type": "object",
+  "properties": {
+    "tr181": {
+      "type": "object",
+      "required": ["name", "instance", "secure_role", "permission"],
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Name of the TR-181 profile or configuration"
+        },
+        "instance": {
+          "type": "integer",
+          "description": "Instance identifier"
+        },
+        "secure_role": {
+          "type": "boolean",
+          "description": "Whether this role is secure"
+        },
+        "permission": {
+          "type": "array",
+          "description": "List of TR-181 permissions by object path",
+          "items": {
+            "type": "object",
+            "required": ["object", "perm"],
+            "properties": {
+              "object": {
+                "type": "string",
+                "description": "TR-181 object path or parameter name"
+              },
+              "perm": {
+                "type": "array",
+                "description": "List of permissions for the given object",
+                "items": {
+                  "type": "string",
+                  "enum": [
+                    "PERMIT_NONE",
+                    "PERMIT_ALL",
+                    "PERMIT_GET",
+                    "PERMIT_GET_INST",
+                    "PERMIT_OBJ_INFO",
+                    "PERMIT_CMD_INFO",
+                    "PERMIT_SET",
+                    "PERMIT_ADD",
+                    "PERMIT_DEL",
+                    "PERMIT_OPER",
+                    "PERMIT_SUBS_VAL_CHANGE",
+                    "PERMIT_SUBS_OBJ_ADD",
+                    "PERMIT_SUBS_OBJ_DEL",
+                    "PERMIT_SUBS_EVT_OPER_COMP"
+                  ]
+                },
+                "uniqueItems": true
+              }
+            },
+            "additionalProperties": false
+          },
+          "minItems": 1
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "required": ["tr181"],
+  "additionalProperties": false
+}

usermngr/files/etc/init.d/users

@@ -112,6 +112,8 @@ build_pam_passwdqc_line() {
 		base="$base $k=$v"
 	done
 
+	base="$base match=0"
+
 	echo "$base"
 }
 
@@ -141,7 +143,7 @@ update_password() {
 		fi
 	fi
 
-	write_line "$tmp_file" "password	[success=1 default=ignore]	pam_unix.so obscure sha512"
+	write_line "$tmp_file" "password	[success=1 default=ignore]	pam_unix.so sha512"
 	write_line "$tmp_file" ""
 	write_line "$tmp_file" "password	requisite			pam_deny.so"
 	write_line "$tmp_file" "password	required			pam_permit.so"

wifidmd/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifidmd
-PKG_VERSION:=1.4.1
+PKG_VERSION:=1.4.3
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/wifidmd.git
-PKG_SOURCE_VERSION:=006359c351be70a45f5bc1ef3d78e14e270aa7cf
+PKG_SOURCE_VERSION:=a399309c31ecadc77ec347898c99dbd70cf35d98
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

wifidmd/files/etc/wifidmd/bbf_config_reload.sh

@@ -42,23 +42,95 @@ for arg in ${input}; do
 	fi
 done
 
+
+################################################################################
+# wait_for_wifi_reload
+#
+# Description:
+#   Currently, there is no direct way to determine when WiFi reload
+#   operations have fully completed. The ubus API does not provide any
+#   event or flag indicating that WiFi services have finished reloading.
+#
+#   To work around this, we use a timing-based heuristic:
+#     - We repeatedly run `ubus call wifi status` every 1 second.
+#     - Each call is timed (using `date +%s` before and after).
+#     - Normally, this command returns almost instantly (<1s).
+#     - However, during a WiFi reload, the call may take longer
+#       (several seconds) while the subsystem is busy.
+#     - Once we detect that `ubus call wifi status` takes longer than
+#       2 seconds to return, we assume the reload has been applied
+#       and completed successfully.
+#
+#   Additional wait constraints:
+#     - Minimum wait: 5 seconds (to ensure reload started).
+#     - Maximum wait: 15 seconds (to prevent indefinite blocking).
+#     - If the threshold is not met within 15s, we log a timeout warning.
+################################################################################
+wait_for_wifi_reload() {
+	MAX_ITER=15
+	MIN_ITER=5
+	THRESH=2  # seconds
+
+	# Check if wifi ubus object exists
+	ubus -t 2 wait_for wifi >/dev/null 2>&1
+	if [ "$?" -ne 0 ]; then
+		log "wifi ubus object not available, skipping wait logic"
+		return 0
+	fi
+
+	#log "Waiting for WiFi reload (min ${MIN_ITER}s, max ${MAX_ITER}s)..."
+
+	iter=0
+	while [ "${iter}" -lt "${MAX_ITER}" ]; do
+		iter=$((iter + 1))
+		start=$(date +%s)
+		ubus call wifi status >/dev/null 2>&1
+		#rc=$?
+		end=$(date +%s)
+		elapsed=$((end - start))
+
+		#log "wait_for_wifi_reload: iter=${iter}, rc=${rc}, elapsed=${elapsed}s"
+
+		# If ubus took >2s and we've waited at least MIN_ITER → assume reload done
+		if [ "${elapsed}" -gt "${THRESH}" ] && [ "${iter}" -ge "${MIN_ITER}" ]; then
+			log "Detected long ubus response (${elapsed}s) after ${iter}s → assuming WiFi reload complete"
+			return 0
+		fi
+
+		# Sleep 1s between checks
+		if [ "${iter}" -lt "${MAX_ITER}" ]; then
+			sleep 1
+		fi
+	done
+
+	log "Timeout after ${MAX_ITER}s — WiFi reload not confirmed"
+	return 1
+}
+
 # Define function to reload mapcontroller
 reload_mapcontroller() {
 	pid=$(pidof mapcontroller)
 	if [ -n "$pid" ]; then
 		log "Reloading mapcontroller (PID: $pid)..."
 		kill -SIGHUP "$pid"
+		wait_for_wifi_reload
 	else
 		log "Warning: mapcontroller process not found"
 	fi
 }
 
+# Define function to commit wireless config
+commit_wireless_config() {
+	log "Committing wireless config..."
+	ubus call uci commit '{"config":"wireless"}'
+	wait_for_wifi_reload
+}
+
 # Apply logic based on flags
 if [ "$mapcontroller" -eq 1 ]; then
 	reload_mapcontroller
 elif [ "$wireless" -eq 1 ]; then
-	log "Committing wireless config..."
-	ubus call uci commit '{"config":"wireless"}'
+	commit_wireless_config
 else
 	log "No action needed."
 	exit 1

wifimngr/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifimngr
-PKG_VERSION:=20.1.7
+PKG_VERSION:=20.1.9
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=3ed71c1a4a46ad38dfa1088339fe92d2f2d44f41
+PKG_SOURCE_VERSION:=479e4b737d7af8ec9d1c6088f7ae42871a61c601
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/wifimngr.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip