Draft: datamodel for shell exec

Remove peripheral_manager, it is no longer used or maintainted.

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

bbfdm/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.16.8
+PKG_VERSION:=1.18.2
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=7acb5cb2f4d6a215426172ac1beed9ae4dac7b84
+PKG_SOURCE_VERSION:=786863cf0ef48dd70610598cdf8e2bbc0462a504
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -55,7 +55,7 @@ define Package/dm-service
   CATEGORY:=Utilities
   SUBMENU:=TRx69
   TITLE:=Datamodel ubus backend to expose micro-service tree
-  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +libbbfdm-ubus +bbf_configmngr
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +libbbfdm-ubus +bbf_configmngr +libeasy
 endef
 
 define Package/bbf_configmngr
@@ -183,6 +183,7 @@ define Package/bbf_configmngr/install
 
 	$(INSTALL_BIN) ./files/etc/init.d/bbf_configd $(1)/etc/init.d/bbf_configd
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utilities/files/usr/share/bbfdm/scripts/bbf_config_notify.sh $(1)/usr/share/bbfdm/scripts/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utilities/files/usr/share/bbfdm/scripts/bbf_default_reload.sh $(1)/etc/bbfdm/
 	$(INSTALL_DATA) ./files/etc/bbfdm/critical_services.json $(1)/etc/bbfdm/
 endef
 

bbfdm/files/etc/bbfdm/critical_services.json

@@ -1,23 +1,51 @@
 {
 	"usp": [
-			"firewall",
-			"network",
-			"dhcp",
-			"time",
-			"wireless",
-			"ieee1905",
-			"mapcontroller",
-			"mosquitto",
-			"nginx",
-			"netmode"
+			"/etc/config/firewall",
+			"/etc/bbfdm/dmmap/dmmap_firewall",
+			"/etc/config/network",
+			"/etc/bbfdm/dmmap/IP",
+			"/etc/bbfdm/dmmap/Ethernet",
+			"/etc/bbfdm/dmmap/GRE",
+			"/etc/bbfdm/dmmap/IPv6rd",
+			"/etc/bbfdm/dmmap/PPP",
+			"/etc/bbfdm/dmmap/Routing",
+			"/etc/config/dhcp",
+			"/etc/bbfdm/dmmap/dmmap_dhcp",
+			"/etc/bbfdm/dmmap/dmmap_dhcp_client",
+			"/etc/bbfdm/dmmap/dmmap_dhcp_relay",
+			"/etc/bbfdm/dmmap/dmmap_dhcpv6",
+			"/etc/config/time",
+			"/etc/bbfdm/dmmap/dmmap_time",
+			"/etc/config/mapcontroller",
+			"/etc/config/wireless",
+			"/etc/bbfdm/dmmap/WiFi",
+			"/etc/config/ieee1905",
+			"/etc/config/mosquitto",
+			"/etc/config/nginx",
+			"/etc/config/netmode",
+			"/etc/bbfdm/dmmap/dmmap_netmode"
 	],
 	"cwmp": [
-			"firewall",
-			"network",
-			"dhcp",
-			"mapcontroller",
-			"wireless",
-			"time",
-			"netmode"
+			"/etc/config/firewall",
+			"/etc/bbfdm/dmmap/dmmap_firewall",
+			"/etc/config/network",
+			"/etc/bbfdm/dmmap/IP",
+			"/etc/bbfdm/dmmap/Ethernet",
+			"/etc/bbfdm/dmmap/GRE",
+			"/etc/bbfdm/dmmap/IPv6rd",
+			"/etc/bbfdm/dmmap/PPP",
+			"/etc/bbfdm/dmmap/Routing",
+			"/etc/config/dhcp",
+			"/etc/bbfdm/dmmap/dmmap_dhcp",
+			"/etc/bbfdm/dmmap/dmmap_dhcp_client",
+			"/etc/bbfdm/dmmap/dmmap_dhcp_relay",
+			"/etc/bbfdm/dmmap/dmmap_dhcpv6",
+			"/etc/config/mapcontroller",
+			"/etc/config/wireless",
+			"/etc/bbfdm/dmmap/WiFi",
+			"/etc/config/time",
+			"/etc/bbfdm/dmmap/dmmap_time",
+			"/etc/config/netmode",
+			"/etc/bbfdm/dmmap/dmmap_netmode"
 	]
 }

bbfdm/files/etc/init.d/bbf_configd

@@ -27,6 +27,6 @@ start_service()
 service_triggers() {
 	for config_file in /etc/config/*; do
 		config_name=$(basename "$config_file")
-		procd_add_config_trigger "config.change" "$config_name" /usr/share/bbfdm/scripts/bbf_config_notify.sh
+		procd_add_config_trigger "config.change" "$config_name" /usr/share/bbfdm/scripts/bbf_config_notify.sh "$config_name"
 	done
 }

decollector/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=decollector
-PKG_VERSION:=6.2.1.7
+PKG_VERSION:=6.2.1.12
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=ca92325ece080389ffb405c95048b64071eda653
+PKG_SOURCE_VERSION:=ce738316065e4608811312f0a254d1fee22fa343
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/decollector.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip

dectmngr/Makefile

@@ -2,13 +2,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dectmngr
 PKG_RELEASE:=3
-PKG_VERSION:=3.7.10
+PKG_VERSION:=3.7.11
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/dectmngr.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=1f851980a6ba616df54f79930225f8bcd563b711
+PKG_SOURCE_VERSION:=815ee44808169b8e1efa2cac44bd7d238ad33cdc
 PKG_MIRROR_HASH:=skip
 endif
 

dmexec/Makefile

@@ -0,0 +1,44 @@
+#
+# Copyright (C) 2025 iopsys Software Solutions AB
+#
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dmexec
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_LICENSE:=GPL-2.0-only
+
+include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/iopsys/bbfdm/bbfdm.mk
+
+define Package/dmexec
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Datamodel for shell exec
+  DEPENDS:=+dm-service
+endef
+
+define Package/dmexec/description
+  datamodel extension for running shell commands.
+endef
+
+define Build/Compile
+	# pass
+endef
+
+define Package/dmexec/install
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/init.d
+
+	$(INSTALL_DATA) ./files/etc/config/dmexec $(1)/etc/config/
+	$(INSTALL_BIN) ./files/etc/init.d/dmexec $(1)/etc/init.d/
+
+	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
+	$(BBFDM_INSTALL_MS_DM) ./files/dm_exec.json $(1) $(PKG_NAME)
+endef
+
+$(eval $(call BuildPackage,dmexec))

dmexec/bbfdm_service.json

@@ -0,0 +1,16 @@
+{
+  "daemon": {
+    "enable": "1",
+    "service_name": "dmexec",
+    "unified_daemon": false,
+    "services": [
+      {
+        "parent_dm": "Device.",
+        "object": "X_GENEXIS_EU_CLI"
+      }
+    ],
+    "config": {
+      "loglevel": "7"
+    }
+  }
+}

dmexec/files/dm_exec.json

@@ -0,0 +1,81 @@
+{
+  "json_plugin_version": 2,
+  "Device.X_GENEXIS_EU_CLI.": {
+    "type": "object",
+    "protocols": [
+      "cwmp",
+      "usp"
+    ],
+    "access": false,
+    "array": false,
+    "Enable": {
+      "type": "boolean",
+      "read": true,
+      "write": true,
+      "protocols": [
+        "cwmp",
+        "usp"
+      ],
+      "mapping": [
+        {
+          "type": "uci",
+          "uci": {
+            "file": "dmexec",
+            "section": {
+              "name": "dmexec"
+            },
+            "option": {
+              "name": "enable"
+            }
+          }
+        }
+      ]
+    },
+    "REQUEST": {
+      "type": "string",
+      "read": true,
+      "write": true,
+      "protocols": [
+        "cwmp",
+        "usp"
+      ],
+      "mapping": [
+        {
+          "type": "uci",
+          "uci": {
+            "file": "dmexec",
+            "section": {
+              "name": "dmexec"
+            },
+            "option": {
+              "name": "cmd"
+            }
+          }
+        }
+      ]
+    },
+    "RESULT": {
+      "type": "string",
+      "read": true,
+      "write": false,
+      "protocols": [
+        "cwmp",
+	"usp"
+      ],
+      "mapping": [
+        {
+          "type": "uci",
+          "uci": {
+            "file": "dmexec",
+            "section": {
+              "name": "dmexec"
+            },
+            "option": {
+              "name": "result"
+            }
+          }
+        }
+      ]
+    }
+  }
+}

dmexec/files/etc/config/dmexec

@@ -0,0 +1,3 @@
+config dmexec 'dmexec'
+	option enable '0'
+

dmexec/files/etc/init.d/dmexec

@@ -0,0 +1,40 @@
+#!/bin/sh /etc/rc.common
+
+START=99
+STOP=01
+
+USE_PROCD=1
+
+log() {
+	logger -t dmexec.init "$*"
+}
+
+start_service() {
+	procd_open_instance
+	procd_close_instance
+}
+
+reload_service() {
+	local cmd result enable
+
+	enable="$(uci -q get dmexec.dmexec.enable)"
+	enable="${enable:-0}"
+
+	if [ "${enable}" -eq "0" ]; then
+		log "dmexec is disabled"
+	fi
+
+	uci -q set dmexec.dmexec.result=""
+	cmd="$(uci -q get dmexec.dmexec.cmd)"
+	if [ -n "${cmd}" ]; then
+		log "Executing [${cmd}]"
+		result="$(eval $cmd 2>&1 |head -n 1 |head -c 256)"
+		result="${result//\'/}"
+		uci -q set dmexec.dmexec.result="${result}"
+		uci commit dmexec
+	fi
+}
+
+service_triggers() {
+	procd_add_reload_trigger dmexec
+}

dslmngr/files/airoha/sbin/xdsl_wan

@@ -60,7 +60,7 @@ create_atm_devices() {
 }
 
 configure_line() {
-	local mode profile bitswap sra us0 sesdrop sos ginp mod prof
+	local mode profile bitswap sra us0 sesdrop sos roc ginp gvector mod prof
 	local adsl1_flag=0 issue2_flag=0 Glite_flag=0 adsl2_flag=0 adsl2p_flag=0 vdsl2_flag=0
 	local pro_8a_flag=0 pro_8b_flag=0 pro_8c_flag=0 pro_8d_flag=0 pro_12a_flag=0 pro_12b_flag=0 pro_17a_flag=0 pro_30a_flag=0 pro_35b_flag=0
 
@@ -70,8 +70,9 @@ configure_line() {
 	config_get sra $1 sra "1"
 	config_get us0 $1 us0 "1"
 	config_get sos $1 sos "0"
-	config_get sos $1 roc "0"
-	config_get sos $1 ginp "0"
+	config_get roc $1 roc "0"
+	config_get ginp $1 ginp "1"
+	config_get gvector $1 gvector "1"
 
 	for mod in $mode; do
 		[ "$mod" = "gdmt" ] && adsl1_flag=1
@@ -96,6 +97,7 @@ configure_line() {
 
 	/userfs/bin/blapi_cmd xdsl set_adsl_profile "$pro_8a_flag" "$pro_8b_flag" "$pro_8c_flag" "$pro_8d_flag" "$pro_12a_flag" "$pro_12b_flag" "$pro_17a_flag" "$pro_30a_flag" "$pro_35b_flag"
 	/userfs/bin/blapi_cmd xdsl set_adsl_mode "$adsl1_flag" "$issue2_flag" "$Glite_flag" "$adsl2_flag" "$adsl2p_flag" "$vdsl2_flag"
+	/userfs/bin/blapi_cmd xdsl set_adsl_gvector "$((!gvector))"
 	/userfs/bin/blapi_cmd xdsl set_adsl_ginp "$((!ginp))"
 	/userfs/bin/blapi_cmd xdsl set_adsl_sos_roc "$((!sos))" "$((!roc))"
 	/userfs/bin/blapi_cmd xdsl set_adsl_us0 "$((!us0))"

ethmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethmngr
-PKG_VERSION:=3.0.8
+PKG_VERSION:=3.1.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/ethmngr.git
-PKG_SOURCE_VERSION:=c73e5b15718ca40b2740bbe6151dfbb2bcca16df
+PKG_SOURCE_VERSION:=da6b25430123f03a74b59369b36dc4a777207d3f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif

fluent-bit/patches/0002-add_hostname_to_log_dump.patch

@@ -1,45 +0,0 @@
-diff --git a/plugins/out_file/file.c b/plugins/out_file/file.c
-index 2e47c9666..95d28e438 100644
---- a/plugins/out_file/file.c
-+++ b/plugins/out_file/file.c
-@@ -27,6 +27,7 @@
- #include <msgpack.h>
- 
- #include <stdio.h>
-+#include <unistd.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
-@@ -55,6 +56,7 @@ struct flb_file_conf {
-     int csv_column_names;
-     int mkdir;
-     struct flb_output_instance *ins;
-+    char hostname[256];
- };
- 
- static char *check_delimiter(const char *str)
-@@ -141,6 +143,9 @@ static int cb_file_init(struct flb_output_instance *ins,
-         }
-     }
- 
-+    if (gethostname(ctx->hostname, sizeof(ctx->hostname)) != 0)
-+	    snprintf(ctx->hostname, sizeof(ctx->hostname), "%s", "localhost");
-+
-     tmp = flb_output_get_property("delimiter", ins);
-     ret_str = check_delimiter(tmp);
-     if (ret_str != NULL) {
-@@ -233,12 +238,8 @@ static int template_output_write(struct flb_file_conf *ctx,
-     int i;
-     msgpack_object_kv *kv;
- 
--    /*
--     * Right now we treat "{time}" specially and fill the placeholder
--     * with the metadata timestamp (formatted as float).
--     */
--    if (!strncmp(key, "time", size)) {
--        fprintf(fp, "%f", flb_time_to_double(tm));
-+    if (!strncmp(key, "hostname", size)) {
-+        fprintf(fp, "%s", ctx->hostname);
-         return 0;
-     }
- 

fluent-bit/patches/0002-file_out_time.patch

@@ -0,0 +1,27 @@
+diff --git a/plugins/out_file/file.c b/plugins/out_file/file.c
+index 77baf6be8..04c519d5a 100644
+--- a/plugins/out_file/file.c
++++ b/plugins/out_file/file.c
+@@ -238,10 +238,20 @@ static int template_output_write(struct flb_file_conf *ctx,
+ 
+     /*
+      * Right now we treat "{time}" specially and fill the placeholder
+-     * with the metadata timestamp (formatted as float).
++     * with the metadata timestamp.
+      */
+     if (!strncmp(key, "time", size)) {
+-        fprintf(fp, "%f", flb_time_to_double(tm));
++        struct tm tm_local;
++        char buf[32];
++        if (localtime_r(&tm->tm.tv_sec, &tm_local) == NULL) {
++            flb_plg_error(ctx->ins, "localtime_r failed");
++            return -1;
++        }
++        if (strftime(buf, sizeof(buf), "%b %d %H:%M:%S", &tm_local) == 0) {
++            flb_plg_error(ctx->ins, "strftime failed");
++            return -1;
++        }
++        fputs(buf, fp);
+         return 0;
+     }
+ 

fluent-bit/patches/0005-kmsg_log.patch

@@ -1,32 +0,0 @@
-diff --git a/plugins/in_kmsg/in_kmsg.c b/plugins/in_kmsg/in_kmsg.c
-index cd5c4cd17..9524cf194 100644
---- a/plugins/in_kmsg/in_kmsg.c
-+++ b/plugins/in_kmsg/in_kmsg.c
-@@ -165,6 +165,15 @@ static inline int process_line(const char *line,
- 
-     flb_time_set(&ts, ctx->boot_time.tv_sec + tv.tv_sec, tv.tv_usec * 1000);
- 
-+    /* Format syslog timestamp: "Jul 03 10:31:53" */
-+    time_t real_time = ctx->boot_time.tv_sec + tv.tv_sec;
-+    struct tm tm_info;
-+    char syslog_ts[32];
-+
-+    localtime_r(&real_time, &tm_info);
-+    strftime(syslog_ts, sizeof(syslog_ts), "%b %d %H:%M:%S", &tm_info);
-+    int syslog_ts_len = strlen(syslog_ts);
-+
-     /* Now process the human readable message */
-     p = strchr(p, ';');
-     if (!p) {
-@@ -198,7 +207,10 @@ static inline int process_line(const char *line,
-                 FLB_LOG_EVENT_UINT64_VALUE(tv.tv_usec),
- 
-                 FLB_LOG_EVENT_CSTRING_VALUE("msg"),
--                FLB_LOG_EVENT_STRING_VALUE((char *) p, line_len - 1));
-+                FLB_LOG_EVENT_STRING_VALUE((char *) p, line_len - 1),
-+
-+                FLB_LOG_EVENT_CSTRING_VALUE("syslog_ts"),
-+                FLB_LOG_EVENT_STRING_VALUE(syslog_ts, syslog_ts_len));
-     }
- 
-     if (ret == FLB_EVENT_ENCODER_SUCCESS) {

fluent-bit/patches/0020-fix_kmsg.patch

@@ -0,0 +1,73 @@
+diff --git a/plugins/in_kmsg/in_kmsg.c b/plugins/in_kmsg/in_kmsg.c
+index cd5c4cd17..15f105451 100644
+--- a/plugins/in_kmsg/in_kmsg.c
++++ b/plugins/in_kmsg/in_kmsg.c
+@@ -36,7 +36,6 @@
+ #include <sys/stat.h>
+ #include <sys/time.h>
+ #include <inttypes.h>
+-#include <time.h>
+ 
+ #include "in_kmsg.h"
+ 
+@@ -123,12 +122,17 @@ static inline int process_line(const char *line,
+     ctx->buffer_id++;
+ 
+     errno = 0;
+-    val = strtol(p, &end, 10);
+-    if ((errno == ERANGE && (val == INT_MAX || val == INT_MIN))
++    val = strtoul(p, &end, 10);
++    if ((errno == ERANGE && val == ULONG_MAX)
+         || (errno != 0 && val == 0)) {
+         goto fail;
+     }
+ 
++    /* ensure something was consumed */
++    if (end == p) {
++        goto fail;
++    }
++
+     /* Priority */
+     priority = FLB_KLOG_PRI(val);
+ 
+@@ -144,24 +148,35 @@ static inline int process_line(const char *line,
+     }
+     p++;
+ 
+-    val = strtoul(p, &end, 10);
+-    if ((errno == ERANGE && (val == INT_MAX || val == INT_MIN))
++    val = strtoull(p, &end, 10);
++    if ((errno == ERANGE && val == ULLONG_MAX)
+         || (errno != 0 && val == 0)) {
+         goto fail;
+     }
+ 
++    /* make sure strtoull consumed something */
++    /* after the sequence number, the next char must be ',' */
++    if (end == p || *end != ',') {
++        goto fail;
++    }
++
+     sequence = val;
+     p = ++end;
+ 
+     /* Timestamp */
+-    val = strtoul(p, &end, 10);
+-    if ((errno == ERANGE && (val == INT_MAX || val == INT_MIN))
++    val = strtoull(p, &end, 10);
++    if ((errno == ERANGE && val == ULLONG_MAX)
+         || (errno != 0 && val == 0)) {
+         goto fail;
+     }
+ 
++    /* ensure something was consumed */
++    if (end == p) {
++        goto fail;
++    }
++
+     tv.tv_sec  = val/1000000;
+-    tv.tv_usec = val - (tv.tv_sec * 1000000);
++    tv.tv_usec = val - ((uint64_t)tv.tv_sec * 1000000);
+ 
+     flb_time_set(&ts, ctx->boot_time.tv_sec + tv.tv_sec, tv.tv_usec * 1000);
+ 

gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user

@@ -40,22 +40,22 @@ get_vivsoi() {
 
 	#hex-string 2 character=1 Byte
 	# length in hex string will be twice of actual Byte length
-	[ "$len" -gt "8" ] || return
+	[ "${len}" -gt 8 ] || return
 
 	data="${opt125}"
 	rem_len="${len}"
-	while [ $rem_len -gt 0 ]; do
+	while [ "${rem_len}" -gt 0 ]; do
 		ent_id=${data:0:8}
 		ent_id=$(printf "%d\n" "0x$ent_id")
 
-		if [ $ent_id -ne  3561 ]; then
+		if [ "${ent_id}" -ne  3561 ]; then
 			len_val=${data:8:2}
 			data_len=$(printf "%d\n" "0x$len_val")
 			# add 4 byte for ent_id and 1 byte for len
 			data_len=$(( data_len * 2 + 10 ))
 			# move ahead data to next enterprise id
 			data=${data:"${data_len}":"${rem_len}"}
-			rem_len=$(( rem_len - $data_len ))
+			rem_len=$(( rem_len - data_len ))
 			continue
 		fi
 
@@ -66,7 +66,7 @@ get_vivsoi() {
 		data_len=$(( data_len * 2 + 10 ))
 
 		opt_len=$(printf "%d\n" "0x$len_val")
-		[ $opt_len -eq 0 ] && return
+		[ "${opt_len}" -eq 0 ] && return
 
 		# populate the option data of enterprise id
 		sub_data_len=$(( opt_len * 2))
@@ -74,7 +74,7 @@ get_vivsoi() {
 		sub_data=${data:10:"${sub_data_len}"}
 
 		# parsing of suboption of option 125
-		while [ $sub_data_len -gt 0 ]; do
+		while [ "${sub_data_len}" -gt 0 ]; do
 			# get the suboption id
 			sub_opt_id=${sub_data:0:2}
 			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
@@ -85,20 +85,20 @@ get_vivsoi() {
 			sub_opt_len=$(( sub_opt_len * 2 ))
 
 			# get the value of sub option starting 4 means starting after length
-			sub_opt_val=${sub_data:4:${sub_opt_len}}
+			sub_opt_val=${sub_data:4:"${sub_opt_len}"}
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
 				"4")
-				OUI=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				OUI=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				GW_DISCOVERED=1
 				;;
 				"5")
-				SERIAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				SERIAL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				GW_DISCOVERED=1
 				;;
 				"6")
-				CLASS=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				CLASS=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				GW_DISCOVERED=1
 				;;
 			esac
@@ -110,7 +110,7 @@ get_vivsoi() {
 			sub_data_len=$((sub_data_len - sub_opt_end))
 
 			# fetch next sub option hex string
-			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+			sub_data=${sub_data:"${sub_opt_end}":"${sub_data_len}"}
 		done
 
 		# move ahead data to next enterprise id
@@ -131,15 +131,13 @@ send_host_query() {
 		sleep 5
 
 		json_load "$(ubus call umdns browse)"
-		json_select discovered_services
-		if [ "${?}" -ne 0 ]; then
+		if ! json_select discovered_services; then
 			json_cleanup
 			loop=$(( loop - 1 ))
 			continue
 		fi
 
-		json_select _usp-agt-mqtt._tcp
-		if [ "${?}" -ne 0 ]; then
+		if ! json_select _usp-agt-mqtt._tcp; then
 			json_cleanup
 			loop=$(( loop - 1 ))
 			continue
@@ -156,7 +154,7 @@ send_host_query() {
 
 	json_get_keys keys
 	for key in $keys; do
-		json_select $key
+		json_select "${key}"
 		json_get_var _host host ""
 
 		if [ -z "${_host}" ] || [[ "${sent_host}" =~ " ${_host}" ]]; then
@@ -166,9 +164,10 @@ send_host_query() {
 
 		sent_host="${sent_host} ${_host}"
 		cmd="ubus call umdns query '{\"question\":\"$_host\",\"interface\":\"$intf\"}'"
-		eval $cmd
+		sh -c "${cmd}"
 		resp=0
 		json_select ..
+		sleep 2 # umdns query sometime takes time to resolve so adding some sleep
 	done
 
 	json_cleanup
@@ -185,32 +184,29 @@ get_usp_agent_id() {
 	fi
 
 	json_load "$(ubus call umdns browse)"
-	json_select discovered_services
-	if [ "${?}" -ne 0 ]; then
+	if ! json_select discovered_services; then
 		json_cleanup
-		echo ${ID}
+		echo "${ID}"
 		return 0
 	fi
 
-	json_select _usp-agt-mqtt._tcp
-	if [ "${?}" -ne 0 ]; then
+	if ! json_select _usp-agt-mqtt._tcp; then
 		json_cleanup
-		echo ${ID}
+		echo "${ID}"
 		return 0
 	fi
 
 	json_get_keys keys
 	for key in $keys; do
-		json_select $key
-		json_select $family
-		if [ "${?}" -ne 0 ]; then
+		json_select "${key}"
+		if ! json_select "${family}"; then
 			json_select ..
 			continue
 		fi
 
 		json_get_keys ips
 		for ip in $ips; do
-			json_get_var ip_val $ip
+			json_get_var ip_val "${ip}"
 			if [ "${ip_val}" != "${dhcp_ip}" ]; then
 				continue
 			fi
@@ -219,8 +215,8 @@ get_usp_agent_id() {
 			json_select txt
 			json_get_keys txts
 			for _txt in $txts; do
-				json_get_var text_val $_txt
-				if [[ "${text_val:0:3}" == "ID=" ]]; then
+				json_get_var text_val "${_txt}"
+				if [[ "${text_val:0:3}" = "ID=" ]]; then
 					ID="${text_val:3}"
 					break
 				fi
@@ -238,16 +234,16 @@ get_usp_agent_id() {
 	done
 
 	json_cleanup
-	echo ${ID}
+	echo "${ID}"
 }
 
 get_mac_address() {
 	ip="${1}"
 	device="${2}"
 
-	mac="$(cat /proc/net/arp | grep $ip | awk '{print $4}')"
+	mac=$(grep "${ip}" /proc/net/arp | awk '{print $4}')
 	if [ -z "${mac}" ]; then
-		arp_resp="$(arping -b -f -c 5 -I $device $ip | grep 'Unicast reply from' | awk '{print $5}')"
+		arp_resp=$(arping -b -f -c 5 -I "${device}" "${ip}" | grep 'Unicast reply from' | awk '{print $5}')
 		if [ -n "${arp_resp}" ]; then
 			mac=${arp_resp:1:-1}
 		fi
@@ -260,7 +256,7 @@ send_unknown_gw_event() {
 	mac="${1}"
 
 	cmd="ubus -t 5 send gateway-info.gateway.unknown '{\"hwaddr\":\"$mac\"}'"
-	eval $cmd
+	sh -c "${cmd}"
 }
 
 send_cwmp_gw_event() {
@@ -269,14 +265,14 @@ send_cwmp_gw_event() {
 	serial="${3}"
 
 	cmd="ubus -t 5 send gateway-info.gateway.cwmp '{\"oui\":\"$oui\",\"class\":\"$class\",\"serial\":\"$serial\"}'"
-	eval $cmd
+	sh -c "${cmd}"
 }
 
 send_usp_gw_event() {
 	endpoint="${1}"
 
 	cmd="ubus -t 5 send gateway-info.gateway.usp '{\"endpoint\":\"$endpoint\"}'"
-	eval $cmd
+	sh -c "${cmd}"
 }
 
 config_load gateway
@@ -287,13 +283,13 @@ if [ "${enable}" -eq 0 ]; then
 	return 0
 fi
 
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
-	if [ "${1}" == "deconfig" ]; then
+if [ "${wan_intf}" = "${INTERFACE}" ]; then
+	if [ "${1}" = "deconfig" ]; then
 		rm -rf /var/state/gwinfo
 		return 0
 	fi
 
-	json_load "$(ifstatus ${INTERFACE})"
+	json_load "$(ifstatus "${INTERFACE}")"
 	json_get_var dev_name device ""
 	json_select data
 	json_get_var dhcp_ip dhcpserver ""
@@ -303,7 +299,7 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		return 0
 	fi
 
-	MAC="$(get_mac_address $dhcp_ip $dev_name)"
+	MAC=$(get_mac_address "${dhcp_ip}" "${dev_name}")
 
 	mkdir -p /var/state
 	touch /var/state/gwinfo
@@ -326,8 +322,8 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		return 0
 	fi
 
-	len=$(printf "$opt125"|wc -c)
-	get_vivsoi "$opt125" "$len"
+	len=$(echo -n "${opt125}" | wc -c)
+	get_vivsoi "${opt125}" "${len}"
 
 	if [ "${GW_DISCOVERED}" -eq 0 ]; then
 		send_unknown_gw_event "${MAC}"
@@ -341,19 +337,18 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 	uci -q -c /var/state commit gwinfo
 
 	# Check for USP parameters
-	ubus -t 15 wait_for umdns
-	if [ "${?}" -ne 0 ]; then
+	if ! ubus -t 15 wait_for umdns; then
 		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
 		return 0
 	fi
 
-	resp=$(send_host_query $dev_name)
+	resp=$(send_host_query "${dev_name}")
 	if [ "${resp}" -ne 0 ]; then
 		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
 		return 0
 	fi
 
-	ID="$(get_usp_agent_id $dhcp_ip)"
+	ID=$(get_usp_agent_id "${dhcp_ip}")
 	if [ -z "${ID}" ]; then
 		send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}"
 		return 0

icwmp/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.9.10
+PKG_VERSION:=9.10.1
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=1a842e0a3836f616973e6a92f0b0b6ca82ec39bb
+PKG_SOURCE_VERSION:=c4b0fa4272ab44a8c78462d5cc8df6501acbeb55
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

icwmp/files/etc/config/cwmp

@@ -28,9 +28,9 @@ config cpe 'cpe'
 	option log_severity 'WARNING'
 	option log_file_name '/var/log/icwmpd.log'
 	option log_max_size '102400'
+	option bind_retries '5'
 	option userid '' #$OUI-$SER
 	option passwd ''
-	option port '7547'
 	option provisioning_code ''
 	option amd_version '5'
 	# compression possible configs: InstanceNumber, InstanceAlias

icwmp/files/etc/icwmpd/firewall.cwmp

@@ -133,9 +133,56 @@ add_firewall_rule() {
 	fi
 }
 
+remove_port_protection() {
+	local enabled chain rule rule_num
+
+	config_get enabled "${1}" "${2}"
+
+	if [ "${enabled}" -eq 1 ]; then
+		config_get zonename "$1" name
+		[ -n "$zonename" ] || return 0
+
+		chain='prerouting_'$zonename'_rule'
+
+		while rule=$(iptables -w -t nat -nL "$chain" --line-numbers | grep -m 1 -w CWMP_Port_protection); do
+			rule_num=${rule%%[$' \t']*}
+			iptables -w -t nat -D "$chain" "$rule_num"
+		done
+	fi
+}
+
+cleanup_port_protection() {
+	config_load firewall
+	config_foreach remove_port_protection zone masq
+}
+
+install_port_protection() {
+	local PORT="${3}"
+	local enabled zonename chain
+
+	config_get enabled "${1}" "${2}"
+
+	if [ "${enabled}" -eq 1 ]; then
+		config_get zonename "${1}" name
+		[ -n "$zonename" ] || return 0
+
+		chain='prerouting_'$zonename'_rule'
+
+		iptables -w -t nat -I "$chain" -p tcp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
+		iptables -w -t nat -I "$chain" -p udp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
+	fi
+}
+
+add_port_protection() {
+	config_load firewall
+	config_foreach install_port_protection zone masq "${1}"
+}
+
 configure_connection_req_rules() {
 	app="${1}"
 
+	cleanup_port_protection
+
 	wan="$(uci -q get cwmp.cpe.default_wan_interface)"
 	wan="${wan:-wan}"
 
@@ -175,8 +222,11 @@ configure_connection_req_rules() {
 		fi
 	fi
 
-	port=$(uci -q get cwmp.cpe.port)
-	port="${port:-7547}"
+	port=$(uci -q -c /var/state get icwmp.cpe.port)
+	if [ -z "${port}" ]; then
+		log "cwmp cpe port not configured"
+		exit 0
+	fi
 
 	ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
 	if [ -n "${ipaddr}" ]; then
@@ -197,6 +247,8 @@ configure_connection_req_rules() {
 		# Close the ACS port at Lan side
 		close_downstream_acs_port "${lan}" "${port}"
 	fi
+
+	add_port_protection "${port}"
 }
 
 load_zone_names

icwmp/files/etc/uci-defaults/90-cwmpfirewall

@@ -5,7 +5,6 @@ uci -q batch <<-EOT
         set firewall.cwmp=include
         set firewall.cwmp.path=/etc/icwmpd/firewall.cwmp
         set firewall.cwmp.reload=1
-        commit firewall
 EOT
 
 exit 0

icwmp/files/etc/udhcpc.user.d/udhcpc_icwmp_opt43.user

@@ -16,12 +16,12 @@ get_opt43() {
 	local opt43="$1"
 	local len="$2"
 
-	[ "$len" -gt "2" ] || return
+	[ "${len}" -gt 2 ] || return
 
 	first_byte=${opt43:0:2}
 	first_byte=$(printf "%d\n" "0x$first_byte")
 
-	if [ $len -ge 4 ] && [ $first_byte -ge 1 ] && [ $first_byte -le 4 ]; then
+	if [ "${len}" -ge 4 ] && [ "${first_byte}" -ge 1 ] && [ "${first_byte}" -le 4 ]; then
 		# it is in encapsulated form
 		# opt43 encapsulated vendor-specific option has data in below format
 		#  Code   Len   Data item        Code   Len   Data item        Code
@@ -35,7 +35,7 @@ get_opt43() {
 		data="${opt43}"
 		rem_len="${len}"
 		# parsing of suboption of option 43
-		while [ $rem_len -gt 0 ]; do
+		while [ "${rem_len}" -gt 0 ]; do
 			# get the suboption id
 			sub_opt_id=${data:0:2}
 			sub_opt_id=$(printf "%d\n" "0x$sub_opt_id")
@@ -50,13 +50,13 @@ get_opt43() {
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
-				"1") DHCP_ACS_URL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"1") DHCP_ACS_URL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
-				"2") DHCP_PROV_CODE=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"2") DHCP_PROV_CODE=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
-				"3") MIN_WAIT_INVL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"3") MIN_WAIT_INVL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
-				"4") INVL_MULTIPLIER=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+				"4") INVL_MULTIPLIER=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 				;;
 			esac
 
@@ -70,7 +70,7 @@ get_opt43() {
 			rem_len=$((rem_len - sub_opt_end))
 		done
 	else
-		DHCP_ACS_URL=$(echo -n $opt43 | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+		DHCP_ACS_URL=$(echo -n "${opt43}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 	fi
 }
 
@@ -92,9 +92,9 @@ if [ "$discovery_enable" = "0" ]; then
 	return 0
 fi
 
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
+if [ "${wan_intf}" = "${INTERFACE}" ]; then
 	if [ -n "$opt43" ]; then
-		len=$(printf "$opt43"|wc -c)
+		len=$(echo -n "$opt43"|wc -c)
 		get_opt43 "$opt43" "$len"
 	fi
 

ieee1905/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ieee1905
-PKG_VERSION:=8.7.33
+PKG_VERSION:=8.7.37
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=cb5b8f76c854b89607cd1750d3a4052ecd71ac9d
+PKG_SOURCE_VERSION:=c711e1e132478d6443ffb5aad15d12b90f0d59b5
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/ieee1905.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip

iopsys-analytics/Makefile

@@ -33,6 +33,7 @@ define Package/$(PKG_NAME)
   DEPENDS+=                                             \
     +@PACKAGE_syslog-ng:SYSLOGNG_LOGROTATE              \
     +PACKAGE_fluent-bit:logrotate                       \
+    +@DMCLI_REMOTE_CONNECTION
 
 endef
 

libdsl/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libdsl
-PKG_VERSION:=7.3.0
+PKG_VERSION:=7.3.2
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libdsl.git
-PKG_SOURCE_VERSION:=2a7a49fac35c3d8078ffe051594c0425d355cacd
+PKG_SOURCE_VERSION:=1aa9c40f9503311652e562617b1e15533257adcc
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif

libeasy/Makefile

@@ -1,32 +1,28 @@
 #
-# Copyright (C) 2020-2023 Iopsys
+# Copyright (C) 2025 Genexis Sweden AB
 #
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libeasy
-PKG_VERSION:=7.4.6
+PKG_VERSION:=7.5.0
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=ca7b20068c9d373e41045a2e899a9c697576262c
-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libeasy.git
-PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
+PKG_SOURCE_VERSION:=18f93677bb4d33ebb6249324a5043294f0eae16c
+PKG_SOURCE_URL:=https://dev.iopsys.eu/hal/libeasy.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
 endif
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=LGPL-2.1-only
-PKG_LICENSE_FILES:=LICENSE
+PKG_LICENSE_FILES:=
+PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@genexis.eu>
 
 include $(INCLUDE_DIR)/package.mk
-
-TARGET_CFLAGS += \
-	-I$(STAGING_DIR)/usr/include \
-	-I$(STAGING_DIR)/usr/include/openssl \
-	-I$(STAGING_DIR)/usr/include/libnl3
+include $(INCLUDE_DIR)/cmake.mk
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -34,9 +30,6 @@ define Build/Prepare
 endef
 endif
 
-MAKE_FLAGS += \
-	CFLAGS="$(TARGET_CFLAGS) -Wall"
-
 define Package/libeasy
   SECTION:=libs
   CATEGORY:=Libraries
@@ -47,7 +40,7 @@ define Package/libeasy
 endef
 
 define Package/libeasy/description
-  Library provides common utility functions
+  This package provides libeasy.so for common utility functions.
 endef
 
 define Build/InstallDev/libeasy
@@ -67,6 +60,7 @@ define Build/InstallDev/libeasy
 endef
 
 define Build/InstallDev
+	$(call Build/InstallDev/cmake,$(1))
 	$(call Build/InstallDev/libeasy,$(1),$(2))
 endef
 

libwifi/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libwifi
-PKG_VERSION:=7.13.7
+PKG_VERSION:=7.14.0
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=65a7cd643c07e3f0a11d5b20225d4d87b8646513
+PKG_SOURCE_VERSION:=b4b8f524a93d03fd1f89d4c32b8eaca90d9ccc1a
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git
 PKG_MAINTAINER:=Anjan Chanda <anjan.chanda@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
@@ -22,6 +22,7 @@ PKG_LICENSE:=LGPL-2.1-only
 PKG_LICENSE_FILES:=LICENSE
 
 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
 
 ifeq ($(CONFIG_TARGET_brcmbca),y)
   TARGET_PLATFORM=BROADCOM
@@ -42,10 +43,14 @@ else ifeq ($(CONFIG_TARGET_armvirt),y)
 else ifeq ($(CONFIG_TARGET_airoha),y)
   TARGET_PLATFORM=ECONET
   TARGET_WIFI_TYPE=MEDIATEK
-  TARGET_CFLAGS +=-DIOPSYS_ECONET
+  TARGET_CFLAGS +=-DIOPSYS_ECONET -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
   ifeq ($(CONFIG_TARGET_airoha_an7581),y)
     TARGET_CFLAGS +=-DCONFIG_MTK
   endif
+else ifeq ($(CONFIG_TARGET_mediatek),y)
+  TARGET_PLATFORM=MEDIATEK
+  TARGET_WIFI_TYPE=MEDIATEK
+  TARGET_CFLAGS +=-DCONFIG_MTK -I$(LINUX_DIR)/include/uapi/linux/mtk_nl80211_inc
 else ifeq ($(CONFIG_TARGET_ipq95xx),y)
   TARGET_PLATFORM=IPQ95XX
   TARGET_WIFI_TYPE=QUALCOMM

linux-pam/Makefile

@@ -31,8 +31,8 @@ MESON_ARGS += \
 
 define Package/linux-pam/install
 	$(INSTALL_DIR) $(1)/usr/lib/security
-	$(INSTALL_DIR) $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/pam_faillock.uci_default $(1)/etc/uci-defaults/99-add_pam_faillock
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./linux_pam.init $(1)/etc/init.d/linux_pam
 endef
 
 $(eval $(call BuildPackage,linux-pam))

linux-pam/files/pam_faillock.uci_default

@@ -1,43 +0,0 @@
-#!/bin/sh
-
-create_faillock_files()
-{
-	# also create files needed by pam_faillock
-	touch /var/log/faillock
-	chmod 700 /var/log/faillock
-	touch /var/log/btmp
-	chmod 700 /var/log/btmp
-}
-
-update_pam_common_auth()
-{
-	local file="/etc/pam.d/common-auth"
-	local deny=6
-	local unlock_time=300
-
-	# update pam_unix.so line
-	sed -i -E 's|^.*pam_unix\.so.*|auth\t sufficient\tpam_unix.so nullok_secure|' "$file"
-
-	# Insert pam_faillock lines before and after pam_unix.so
-	sed -i -E "/pam_unix.so nullok_secure/i auth     required       pam_faillock.so preauth deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
-	sed -i -E "/pam_unix.so nullok_secure/a auth     [default=die]  pam_faillock.so authfail audit deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
-}
-
-update_pam_common_account()
-{
-	# update account file
-	sed -i "/pam_unix.so/ i account  required       pam_faillock.so" /etc/pam.d/common-account
-}
-
-if [ -f "/usr/lib/security/pam_faillock.so" ]; then
-	update_pam_common_auth
-	update_pam_common_account
-	create_faillock_files
-fi
-
-if [ -f /etc/config/sshd ]; then
-	uci -q set sshd.@sshd[0].UsePAM=1
-	uci commit sshd
-fi
-
-exit 0

linux-pam/linux_pam.init

@@ -0,0 +1,18 @@
+#!/bin/sh /etc/rc.common
+
+START=11
+STOP=90
+USE_PROCD=1
+
+create_faillock_files()
+{
+	# also create files needed by pam_faillock
+	touch /var/log/faillock
+	chmod 700 /var/log/faillock
+	touch /var/log/btmp
+	chmod 700 /var/log/btmp
+}
+
+boot() {
+	create_faillock_files
+}

logmngr/Config.in

@@ -1,4 +1,5 @@
 if PACKAGE_logmngr
+
 choice
 	prompt "Select backend for syslog management"
 	default LOGMNGR_BACKEND_FLUENTBIT
@@ -31,4 +32,5 @@ config LOGMNGR_VENDOR_LOG_FILE
 	default y
 	help
 		It adds support for Device.DeviceInfo.VendorLogFile. Object.
+
 endif

logmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=logmngr
-PKG_VERSION:=1.0.17
+PKG_VERSION:=1.1.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/system/logmngr.git
-PKG_SOURCE_VERSION:=ad2636c642d56967e78c0c84bf82cb0e2b6311f2
+PKG_SOURCE_VERSION:=62441fdfe14a39bff8fff7c62307bd7b54d7240f
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -52,29 +52,35 @@ endif
 
 define Package/logmngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/logmngr.init $(1)/etc/init.d/logmngr
-
+	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(INSTALL_BIN) ./files/10-logmngr_config_generate $(1)/etc/uci-defaults/
 
+	$(INSTALL_BIN) ./files/etc/init.d/logmngr $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/etc/config/logmngr $(1)/etc/config/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/10-logmngr_config_migrate $(1)/etc/uci-defaults/
+
+	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfsyslog.so $(1) core 10
+
+	# Install logmngr service backend
 	$(INSTALL_DIR) $(1)/lib/logmngr
 ifeq ($(CONFIG_LOGMNGR_BACKEND_FLUENTBIT),y)
-	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
 	$(INSTALL_DIR) $(1)/sbin
 	$(INSTALL_BIN) ./files/logread $(1)/sbin/
-endif
-ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
+	$(INSTALL_DATA) ./files/lib/logmngr/fluent-bit.sh $(1)/lib/logmngr/
+else ifeq ($(CONFIG_LOGMNGR_BACKEND_SYSLOG_NG),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/syslog-ng.sh $(1)/lib/logmngr/
 endif
-	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfsyslog.so $(1) core 10
+
 ifeq ($(CONFIG_LOGMNGR_LOGROTATE),y)
-	$(INSTALL_BIN) ./files/11-logmngr_logrotate_config_generate $(1)/etc/uci-defaults/
 	$(INSTALL_DATA) ./files/lib/logmngr/logrotate.sh $(1)/lib/logmngr/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/11-logmngr_logrotate_syslog $(1)/etc/uci-defaults/
 	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbflogrotate.so $(1) sysmngr 11
 endif
+
 ifeq ($(CONFIG_LOGMNGR_VENDOR_LOG_FILE),y)
 	$(BBFDM_INSTALL_MS_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbfvendorlog.so $(1) sysmngr 12
 endif
+
 endef
 
 $(eval $(call BuildPackage,logmngr))

logmngr/files/10-logmngr_config_generate

@@ -1,26 +0,0 @@
-#!/bin/sh
-
-if uci -q get logmngr.@globals[0] >/dev/null; then
-	# return if there is any valid content
-	exit 0
-else
-	rm -f /etc/config/logmngr
-fi
-
-touch /etc/config/logmngr
-
-uci set logmngr.globals=globals
-uci set logmngr.globals.enable=1
-
-uci set logmngr.a1=action
-uci set logmngr.a1.name="ac1"
-
-uci set logmngr.lf1=log_file
-uci set logmngr.lf1.enable=1
-uci set logmngr.lf1.action="ac1"
-uci set logmngr.lf1.file="/var/log/messages"
-
-uci set logmngr.lr1=log_remote
-uci set logmngr.lr1.enable=0
-uci set logmngr.lr1.action="ac1"
-uci set logmngr.lr1.port="514"

logmngr/files/etc/config/logmngr

@@ -0,0 +1,26 @@
+config globals 'globals'
+	option enable '1'
+
+config source 'default_source'
+	option name 'default_source'
+	option system_messages '1'
+	option kernel_messages '1'
+
+config template 'default_template'
+	option name 'default_template'
+	option expression '{time} {hostname} {ident}: {message}'
+
+config action 'default_action'
+	option name 'default_action'
+	list source 'default_source'
+	option template 'default_template'
+
+config log_file 'lf1'
+	option enable '1'
+	option action 'default_action'
+	option file '/var/log/messages'
+
+config log_remote 'lr1'
+	option enable '0'
+	option action 'default_action'
+	option port '514'

logmngr/files/etc/uci-defaults/10-logmngr_config_migrate

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# check if this is a new type UCI or old type UCI
+if ! uci -q get logmngr.default_source > /dev/null; then
+	uci -q set logmngr.default_source=source
+	uci -q set logmngr.default_source.name='default_source'
+	uci -q set logmngr.default_source.system_messages='1'
+	uci -q set logmngr.default_source.kernel_messages='1'
+fi
+
+if ! uci -q get logmngr.default_template > /dev/null; then
+	uci -q set logmngr.default_template=template
+	uci -q set logmngr.default_template.name='default_template'
+	uci -q set logmngr.default_template.expression='{time} {hostname} {ident}: {message}'
+fi
+
+if uci -q get logmngr.a1 >/dev/null; then
+	uci -q rename logmngr.a1='default_action'
+	uci -q set logmngr.default_action.name='default_action'
+	uci -q set logmngr.default_action.template='default_template'
+
+	uci -q delete logmngr.default_action.source
+	uci -q add_list logmngr.default_action.source='default_source'
+fi
+
+if uci -q get logmngr.lf1 >/dev/null; then
+	uci -q rename logmngr.lf1='default_logfile'
+	uci -q set logmngr.default_logfile.action='default_action'
+fi
+
+if uci -q get logmngr.lr1 >/dev/null; then
+	uci -q rename logmngr.lr1='default_logremote'
+	uci -q set logmngr.default_logremote.action='default_action'
+fi
+
+exit 0

logmngr/files/etc/uci-defaults/11-logmngr_logrotate_syslog

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # Adds a default log rotate policy if none exists
-if uci -q get logmngr.@log_rotate[0] >/dev/null; then
+if uci -q get logmngr.lro1 >/dev/null; then
 	# return if there is any valid content
 	exit 0
 fi

logmngr/files/lib/logmngr/fluent-bit.sh

@@ -6,6 +6,37 @@
 CONF_FILE=/etc/fluent-bit/fluent-bit.conf
 TMP_CONF_FILE=/tmp/fluent-bit/fluent-bit.conf
 FLUENT_BIT_CONF_DIR=/etc/fluent-bit/conf.d
+PROCESSED_SYSLOG_TAGS=""
+PROCESSED_KMSG_TAGS=""
+
+# check if syslog source section is already processed
+# and add it to the list of processed source sections
+syslog_tag_already_processed() {
+	local tag="$1"
+
+	for t in $PROCESSED_SYSLOG_TAGS; do
+		[ "$t" = "$tag" ] && return 0
+	done
+
+	PROCESSED_SYSLOG_TAGS="$tag $PROCESSED_SYSLOG_TAGS"
+
+	return 1
+}
+
+# check if kmsg source section is already processed
+# and add it to the list of processed source sections
+# two separate functions used because we want to populate
+# appropriate PROCESSED variable
+kmsg_tag_already_processed() {
+	local tag="$1"
+	for t in $PROCESSED_KMSG_TAGS; do
+		[ "$t" = "$tag" ] && return 0
+	done
+
+	PROCESSED_KMSG_TAGS="$tag $PROCESSED_KMSG_TAGS"
+
+	return 1
+}
 
 append_conf() {
 	echo "$*" >> ${TMP_CONF_FILE}
@@ -20,219 +51,275 @@ create_config_file() {
 	# also, if no file is found then fluent-bit aborts
 	# so only add include if any file is present in the FLUENT_BIT_CONF_DIR
 	if [ -d "$FLUENT_BIT_CONF_DIR" ] && [ "$(ls -A "$FLUENT_BIT_CONF_DIR")" ]; then
-		echo "@INCLUDE ${FLUENT_BIT_CONF_DIR}/*" >> ${TMP_CONF_FILE}
+		append_conf "@INCLUDE ${FLUENT_BIT_CONF_DIR}/*"
 	fi
-	echo "" >> ${TMP_CONF_FILE}
+	append_conf ""
 }
 
 create_service_section() {
 	# the service section of the fluent-bit.conf file has hardcoded values,
 	# no need to lookup any uci section to configure this section
-	echo "[SERVICE]" >> ${TMP_CONF_FILE}
-	echo "    flush        1" >> ${TMP_CONF_FILE}
-	echo "    daemon       off" >> ${TMP_CONF_FILE}
-	echo "    log_level    info" >> ${TMP_CONF_FILE}
-	echo "    coro_stack_size    24576" >> ${TMP_CONF_FILE}
-	echo "    parsers_file /etc/fluent-bit/parsers.conf" >> ${TMP_CONF_FILE}
-	echo "    hot_reload        on" >> ${TMP_CONF_FILE}
-	echo "" >> ${TMP_CONF_FILE}
+	append_conf "[SERVICE]"
+	append_conf "    flush        1"
+	append_conf "    daemon       off"
+	append_conf "    log_level    info"
+	append_conf "    coro_stack_size    24576"
+	append_conf "    parsers_file /etc/fluent-bit/parsers.conf"
+	append_conf "    hot_reload        on"
+	append_conf ""
+}
 
-	# Generate default input for kmsg
-	echo "[INPUT]" >> ${TMP_CONF_FILE}
-	echo "    name       kmsg" >> ${TMP_CONF_FILE}
-	echo "    Tag        KMSG"  >> ${TMP_CONF_FILE}
-	echo "" >> ${TMP_CONF_FILE}
+create_default_filters() {
+	append_conf "[FILTER]"
+	append_conf "    name            modify"
+	append_conf "    match           KM*"
+	append_conf "    add             ident   kernel"
+	append_conf "    rename          msg     message"
+	append_conf ""
 
-	echo "[OUTPUT]" >> ${TMP_CONF_FILE}
-	echo "    name         file" >> ${TMP_CONF_FILE}
-	echo "    match        KMSG" >> ${TMP_CONF_FILE}
-	echo "    file         /var/log/messages" >> ${TMP_CONF_FILE}
-	echo "    format       template" >> ${TMP_CONF_FILE}
-	echo "    template     {syslog_ts} {hostname} kernel: {msg}" >> ${TMP_CONF_FILE}
-	echo "" >> ${TMP_CONF_FILE}
+	append_conf "[FILTER]"
+	append_conf "    name            sysinfo"
+	append_conf "    match           *"
+	append_conf "    hostname_key    hostname"
+	append_conf ""
 }
 
 create_input_section() {
 	local tag="$1"
 
-	# the input in our case is always syslog, hence, this section of the
-	# fluent-bit.conf file has hardcoded values as well that do not depend
-	# on any uci value
-	echo "[INPUT]" >> ${TMP_CONF_FILE}
-	echo "    name        syslog" >> ${TMP_CONF_FILE}
-	echo "    tag         $tag" >> ${TMP_CONF_FILE}
-	echo "    path        /dev/log" >> ${TMP_CONF_FILE}
-	echo "" >> ${TMP_CONF_FILE}
+	[ -z "$tag" ] && return
+
+	# check if this source section has already been processed
+	syslog_tag_already_processed "$tag" && return
+
+	append_conf "[INPUT]"
+	append_conf "    name        syslog"
+	append_conf "    tag         $tag"
+	append_conf "    path        /dev/log"
+	append_conf ""
 }
 
-generate_facility_regex() {
-	local facility_level=$1
-	local pri=0
+populate_allowed_logs() {
+	local facility_level sev_level
+	local section="$1"
 
-	if [ "$facility_level" == "24" ]; then
-		# value 24 means all facility level, which is as good as not
-		# generating a filter section, so return
-		return
-	fi
+	[ -z "$section" ] && return
 
-	# facility_level is a list value, hence, generate regex for
-	# each value
-	IFS=" "
-	for val in $facility_level; do
-		# as per rfc 5424 and 3164, pri in syslog msg is
-		# facility*8+severity. Severity value can range from 0-7 hence
-		# generate regex for each.
-		for sval in 0 1 2 3 4 5 6 7; do
-			pri=`expr $val \* 8 + $sval`
-			echo "    regex        pri $pri" >> ${TMP_CONF_FILE}
-		done
-	done
-}
+	# reset
+	match_pattern=""
+	facilities=""
+	all_facilities=0
+	kern_facility=0
+	severities=""
+	sev_compare=1
+	sev_action=0
 
-generate_severity_regex() {
-	local sev_level="$1"
-	local sev_compare="$2"
-	local sev_action="$3"
+	# read config
+	config_get match_pattern $section pattern_match
 
-	local pri=0
-	local param="exclude"
-
-	if [ "$sev_action" == "0" ]; then
-		param="regex"
-	fi
-
-	local fval=0
-	if [ "$sev_compare" == "0" ]; then
-		# generate regex for all facility values, with severity=sev_level
-		while [ $fval -le 23 ] ; do
-			pri=`expr $fval \* 8 + $sev_level`
-			echo "    $param        pri $pri" >> ${TMP_CONF_FILE}
-			fval=$((fval + 1))
-		done
-	elif [ "$sev_compare" == "1" ]; then
-		# generate regex for all severity value greater than or equal to
-		# sev_level. please, lower value have higher precedence, so sev_level
-		# 0 which is emergency has higher precedence than error which is 3
-		while [ $fval -le 23 ] ; do
-			sval=0
-			while [ $sev_level -ge $sval ]; do
-				pri=`expr $fval \* 8 + $sval`
-				echo "    $param        pri $pri" >> ${TMP_CONF_FILE}
-				sval=$((sval + 1))
-			done
-			fval=$((fval + 1))
-		done
-	fi
-}
-
-handle_filter_conf() {
-	local section="$1" # config filter
-	local filter_name="$2"
-	local name
-
-	# no need to proceed if name of filter section is not one of the values
-	# listed in option filter in config action section
-	config_get name $section name
-	if [ "$name" != "$filter_name" ]; then
-		return
-	fi
-
-	# as per data model, at a time either facility_level or severity_level can
-	# be specified along with pattern_match. hence, first process and generate
-	# regex for pattern_match which is common in both condition. Next, we will
-	# process facility_level and return if facility level is defined and not
-	# process severity related params at all.
-
-	local pattern_match
-	config_get pattern_match $section pattern_match
-	if [ -n "$pattern_match" ]; then
-		echo "    regex        $pattern_match" >> ${TMP_CONF_FILE}
-	fi
-
-	local facility_level
 	config_get facility_level $section facility_level
-
-	if [ -n "$facility_level" ]; then
-		generate_facility_regex $facility_level
-		# return from here since if facility_level is defined, then no
-		# need to process severity_level
-		return
-	fi
-
-	local sev_level
-	local sev_compare
-	local sev_action
 	config_get sev_level $section severity_level
+	config_get sev_compare $section severity_compare 1
+	config_get sev_action $section severity_action 0
 
-	if [ -n "$sev_level" ]; then
-		# value 1 of severity compare corresponds to data model
-		# and system default which is EqualorHigher
-		config_get sev_compare $section severity_compare 1
-		# value 0 of severity action corresponds to data model
-		# and system default that is log
-		config_get sev_action $section severity_action 0
+	# normalize facilities
+	if [ -n "$facility_level" ]; then
+		for f in $facility_level; do
+			if [ "$f" = "24" ]; then
+				all_facilities=1
+				# xargs is used to convert from new line separated numbers to space separated numbers
+				facilities="$(seq 0 23 | xargs)"
+				break
+			fi
 
-		generate_severity_regex $sev_level $sev_compare $sev_action
+			if [ "$f" = "0" ]; then
+				kern_facility=1
+			fi
+		done
+
+		if [ "$all_facilities" -eq 0 ]; then
+			facilities="$facility_level"
+		fi
+	else
+		# default to "all facilities" when unset
+        	all_facilities=1
+	        facilities="$(seq 0 23 | xargs)"
 	fi
+
+	# normalize severities
+	case "$sev_level" in
+		8)  	# all severities
+			severities="$(seq 0 7 | xargs)"
+			;;
+		9)  	# none
+			severities="none"
+			;;
+		"") 	# unset, treat as "all"
+			severities="$(seq 0 7 | xargs)"
+			;;
+		*)
+			if [ "$sev_compare" = "0" ]; then
+				# equal
+				severities="$sev_level"
+			else
+				# equl or higher
+				severities="$(seq 0 $sev_level | xargs)"
+			fi
+			;;
+	esac
 }
 
 create_filter_section() {
-	local match="$1"
+	local match_regex="$1"
+	local pattern="$2"
 
-	echo "[FILTER]" >> ${TMP_CONF_FILE}
-	echo "    name        grep" >> ${TMP_CONF_FILE}
-	echo "    match       $match" >> ${TMP_CONF_FILE}
-	echo "    logical_op  or" >> ${TMP_CONF_FILE} # handle multiple filters
+	[ -z "$match_regex" ] && return
+
+	append_conf "[FILTER]"
+	append_conf "    name        grep"
+	append_conf "    match_regex       $match_regex"
+
+	# we need "logical_op or" only in non-pattern sections
+	if [ "$pattern" = "0" ]; then
+		append_conf "    logical_op  or" # handle multiple filters
+	fi
 }
 
-handle_filter_ref() {
-	local filter_name="$1"
-	config_foreach handle_filter_conf filter "$filter_name"
+create_kmsg_input_section() {
+	local tag="$1"
+	local max_sev=7
+
+	[ -z "$tag" ] && return
+	kmsg_tag_already_processed "$tag" && return
+
+	if [ -c "/dev/kmsg" ]; then
+		append_conf "[INPUT]"
+		append_conf "    name       kmsg"
+		append_conf "    tag        $tag"
+
+		# check kern facility (0)
+		if [ "$all_facilities" -eq 1 ] || [ "$kern_facility" -eq 1 ]; then
+			if [ "$severities" != "none" ]; then
+				# severity filtering
+				# only EqualOrHigher is supported by Prio_Level
+				# and only Log action is supported
+				# so set Prio_Level = max severity
+				if [ "$sev_action" = "0" ] && [ "$sev_compare" = "1" ]; then
+					if [ -n "$severities" ]; then
+						max_sev=$(echo $severities | tr ' ' '\n' | sort -n | tail -1)
+					fi
+
+					append_conf "    prio_level $max_sev"
+				fi
+			fi
+		fi
+
+		append_conf ""
+
+		# if severities is none, or
+		# if kern facility has been excluded
+		# then we need to stop kernel logs
+		# sev_action and sev_compare is being checked because we don't want to work with rules that exclude logs
+		if [ "$severities" = "none" ] || { [ "$kern_facility" -eq 0 ] && [ "$all_facilities" -eq 0 ] && [ "$sev_action" = "0" ] && [ "$sev_compare" = "1" ]; }; then
+			# block all
+			# create a filter section that matches on KM* tag
+			# and excludes all messages
+			create_filter_section "KM*" "0"
+			append_conf "    exclude    message ^.*$"
+			append_conf ""
+		fi
+	fi
+}
+
+generate_syslog_filter() {
+	local param="regex"
+
+	[ "$sev_action" = "1" ] && param="exclude"
+
+	# start adding the fluent-bit filter section
+	create_filter_section "SL*" "0"
+
+	if [ "$severities" = "none" ]; then
+		append_conf "    exclude    pri ^.*$"
+		return
+	fi
+
+	for fval in $facilities; do
+		for sval in $severities; do
+			local pri=$((fval * 8 + sval))
+			append_conf "    $param        pri ^${pri}$"
+		done
+	done
+
+	append_conf ""
+}
+
+generate_pattern_filter() {
+	local match_regex="$1"
+	local match_pattern="$2"
+
+	[ -z "$match_regex" ] && return
+	[ -z "$match_pattern" ] && return
+
+	# start adding the fluent-bit filter section
+	create_filter_section "$match_regex" "1"
+	append_conf "    regex        message $match_pattern"
+	append_conf ""
 }
 
 handle_log_file() {
 	local section="$1" # out_file section
-	local match="$2"
+	local linker="$2"
+	local match_regex="$3"
+	local template="$4"
 	local action_ref
 
 	config_get action_ref $section action
-	if [ "$action_ref" != "$match" ]; then
+	if [ "$action_ref" != "$linker" ]; then
 		return
 	fi
 
 	local enabled
-	config_get enabled $section enable
-	if [ "$enabled" == 0 ]; then
+	config_get_bool enabled $section enable
+	if [ "$enabled" = "0" ]; then
 		return
 	fi
 
 	local file
 	config_get file $section file
-	if [ -z "$file" ]; then
+	if [ -z "$file" ] || [ -z "$match_regex" ]; then
 		return
 	fi
 
-	echo "[OUTPUT]" >> ${TMP_CONF_FILE}
-	echo "    name         file" >> ${TMP_CONF_FILE}
-	echo "    match        $match" >> ${TMP_CONF_FILE}
-	echo "    file         $file" >> ${TMP_CONF_FILE}
-	echo "    format       template" >> ${TMP_CONF_FILE}
-	echo "    template     {time} {hostname} {ident}: {message}" >> ${TMP_CONF_FILE}
+	append_conf "[OUTPUT]"
+	append_conf "    name         file"
+	append_conf "    workers      2"
+	append_conf "    match_regex  $match_regex"
+	append_conf "    file         $file"
+
+
+	if [ -n "$template" ]; then
+		append_conf "    format       template"
+		append_conf "    template     ${template}"
+	fi
+
+	append_conf ""
 }
 
 handle_log_remote() {
 	local section="$1"
-	local match="$2"
+	local linker="$2"
+	local match_regex="$3"
 	local action_ref
 
 	config_get action_ref $section action
-	if [ "$action_ref" != "$match" ]; then
+	if [ "$action_ref" != "$linker" ]; then
 		return
 	fi
 
 	local enabled
-	config_get enabled $section enable
-	if [ "$enabled" == 0 ]; then
+	config_get_bool enabled $section enable
+	if [ "$enabled" = "0" ]; then
 		return
 	fi
 
@@ -242,83 +329,167 @@ handle_log_remote() {
 		return
 	fi
 
-	echo "[OUTPUT]" >> ${TMP_CONF_FILE}
-	echo "    name         syslog" >> ${TMP_CONF_FILE}
-	echo "    match        $match" >> ${TMP_CONF_FILE}
-	echo "    host         $address" >> ${TMP_CONF_FILE}
+	append_conf "[OUTPUT]"
+	append_conf "    name         syslog"
+	append_conf "    match_regex  $match_regex"
+	append_conf "    host         $address"
 	append_conf "    syslog_appname_key   ident"
 	append_conf "    syslog_procid_key    pid"
 	append_conf "    syslog_message_key   message"
-
-	local hostname="$(uci -q get 'system.@system[0].hostname')"
-	if [ -n "${hostname}" ]; then
-		append_conf "    syslog_hostname_preset    ${hostname}"
-	fi
+	append_conf "    syslog_hostname_key  hostname"
 
 	local proto # holds value tcp or udp
 	config_get proto ${section} proto
 	if [ -n "$proto" ]; then
 		if [ "$proto" == "tls" ]; then
-			echo "    mode         tcp" >> ${TMP_CONF_FILE}
-			echo "    tls          on" >> ${TMP_CONF_FILE}
+			append_conf "    mode         tcp"
+			append_conf "    tls          on"
 		else
-			echo "    mode         $proto" >> ${TMP_CONF_FILE}
+			append_conf "    mode         $proto"
 		fi
 	fi
 
 	local port
 	config_get port $section port
 	if [ -n "$port" ]; then
-		echo "    port         $port" >> ${TMP_CONF_FILE}
+		append_conf "    port         $port"
 	fi
 
 	local cert
 	local peer_verify
 	config_get cert $section cert
 	if [ -n "$cert" ]; then
-		echo "    tls.crt_file $cert" >> ${TMP_CONF_FILE}
+		append_conf "    tls.crt_file $cert"
 
-		config_get peer_verify $section peer_verify
-		if [ "$peer_verify" == "1" ]; then
-			echo "    tls.verify     on" >> ${TMP_CONF_FILE}
+		config_get_bool peer_verify $section peer_verify
+		if [ "$peer_verify" = "1" ]; then
+			append_conf "    tls.verify     on"
 		fi
 	fi
+	append_conf ""
+}
+
+resolve_source_section() {
+	local src_section="$1"
+	local linker="$2"
+	local src_name syslog_en kernel_en
+
+	config_get src_name "$src_section" name
+	[ "$src_name" = "$linker" ] || return
+
+	config_get_bool syslog_en "$src_section" system_messages 1
+	config_get_bool kernel_en "$src_section" kernel_messages 1
+
+	# create an input section using /dev/log or kmsg
+	# and store the tag in a variable
+	# so that later a regex can be made to match this tag
+	# which will be used in output section
+	if [ "$syslog_en" = "1" ]; then
+		source_tag_syslog="SL$src_name"
+		create_input_section "$source_tag_syslog"
+	fi
+
+	if [ "$kernel_en" = "1" ]; then
+		source_tag_kmsg="KM$src_name"
+		create_kmsg_input_section "$source_tag_kmsg"
+	fi
+}
+
+# get the value of option expression from the relevant section
+resolve_template_section() {
+	local tmpl_section="$1"
+	local tmpl_name
+
+	config_get tmpl_name "$tmpl_section" name
+	[ "$tmpl_name" = "$template_ref" ] || return
+
+	config_get template_expr "$tmpl_section" expression
+
+	[ -n "$template_expr" ] && echo "$template_expr"
+}
+
+# loop over template sections and get the value of option expression from the relevant section
+get_template_expression() {
+	local template_ref="$1"
+	[ -n "$template_ref" ] && config_foreach resolve_template_section template
+}
+
+# build a regex that will match all the tags supplied to this function
+build_match_regex() {
+	local tags="$1"
+	local first=1
+	local regex="^("
+	for tag in $tags; do
+		[ "$first" -eq 1 ] && first=0 || regex="$regex|"
+		regex="$regex$tag"
+	done
+	regex="$regex)\$"
+	echo "$regex"
+}
+
+handle_filter_conf() {
+	local section="$1" # config filter
+	local filter_name="$2"
+	local name
+
+	config_get name $section name
+	[ "$name" = "$filter_name" ] || return
+
+	populate_allowed_logs "$filter_name"
 }
 
 handle_action() {
-	local section="$1"
+	local tag_regex filter source_ref template_ref source_sec log_template finst
+	local action_section="$1"
+	local source_tag_syslog source_tag_kmsg
 
-	local filter
-	config_get filter $section filter
+	# shared variables set by populate_allowed_logs
+	match_pattern=""
+	facilities=""
+	all_facilities=0
+	kern_facility=1
+	severities=""
+	sev_compare=1
+	sev_action=0
 
-	# use config action option name as tag for input
-	local tag
-	config_get tag $section name
-	if [ -z "$tag" ]; then
-		return
-	fi
+	config_get action_name "$action_section" name
+	config_get filter "$action_section" filter
+	config_get source_ref "$action_section" source
+	config_get template_ref "$action_section" template
 
-	create_input_section $tag
+	[ -z "$action_name" ] && return
+	[ -z "$source_ref" ] && return
+
+	# read filter section and populate relevant variables
+	# these variables will be used by create_kmsg_input_section
+	# generate_syslog_filter, and generate_pattern_filter functions
 	if [ -n "$filter" ]; then
-		# the only fluentbit filter that is useful for the datamodel is
-		# grep. Also, fluentbit does not seem to handle multiple instances
-		# of FILTER of same kind. Hence, each filter section corresponding
-		# to an action entry in the uci would translate for us into a set of
-		# regex/exclude values instead of individual FILTER section per uci
-		# section filter is a list, treat according
-		create_filter_section $tag
-
-		IFS=" "
 		for finst in $filter; do
-			handle_filter_ref $finst
+			config_foreach handle_filter_conf filter "$finst"
 		done
 	fi
 
-	# handle output, each action can be associated with a out_log and out_syslog
+	# Resolve referenced source sections
+	for source_sec in $source_ref; do
+		config_foreach resolve_source_section source "$source_sec"
+	done
+
+	# build a regex that will match all the sources for this action
+	tag_regex=$(build_match_regex "$source_tag_syslog $source_tag_kmsg")
+
+	if [ -n "$filter" ]; then
+		generate_pattern_filter "$tag_regex" "$match_pattern"
+		generate_syslog_filter
+	fi
+
+	# get the template expression if any is present
+	log_template="$(get_template_expression "$template_ref")"
+
+	# handle output, each action can be associated with an out_log and out_syslog
 	# section so figure out if any out_log or out_syslog section is associated
 	# with this and action and setup output accordingly.
-	config_foreach handle_log_file log_file "$tag"
-	config_foreach handle_log_remote log_remote "$tag"
+	config_foreach handle_log_file log_file "$action_name" "$tag_regex" "$log_template"
+	config_foreach handle_log_remote log_remote "$action_name" "$tag_regex"
 }
 
 handle_action_section() {
@@ -334,13 +505,14 @@ logmngr_init() {
 
 	create_config_file
 	create_service_section
+	create_default_filters
 	handle_action_section
 
 	if [ -f /lib/logmngr/logrotate.sh ]; then
 		logrotate_init
 	fi
 
-	if [ "$enabled" == "0" ]; then
+	if [ "$enabled" = "0" ]; then
 		return
 	fi
 

map-agent/Config.in

@@ -59,8 +59,12 @@ config AGENT_CHECK_PARTIAL_WIFI_RELOAD
 	bool "Option that allow SSID/PSK simple reload"
 	default y
 
-config DYNBHD_DYNAMICALLY_PERSIST_CONTROLLER
-	bool "Let dynbhd through AP-Autoconfiguration Search and DHCP Discovery determine the controller or agent role"
+config DYNBH
+	bool "Enable map-agent dynamic Ethernet backhaul management"
+	default n
+
+config DYNBH_DYNAMICALLY_PERSIST_CONTROLLER
+	bool "Let map-agent through AP-Autoconfiguration Search and DHCP Discovery determine the controller or agent role"
 
 config AGENT_UNASSOC_STA_CONT_MONITOR
 	bool "Enable continuos monitoring of unassociated clients"

map-agent/Makefile

@@ -5,9 +5,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-agent
-PKG_VERSION:=6.3.6.7
+PKG_VERSION:=6.4.1.11
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=f611be0c05e3f4fb3d35a5a1ad51f5a4ad6406ca
+PKG_SOURCE_VERSION:=671bb0e693adbeb3e06b967350ce7f96ee91321b
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@iopsys.eu>
 
 PKG_LICENSE:=BSD-3-Clause
@@ -37,23 +37,10 @@ ifeq ($(CONFIG_AGENT_USE_LIBDPP),y)
   TARGET_CFLAGS += -DUSE_LIBDPP
 endif
 
-define Package/dynbhd
-  SECTION:=utils
-  CATEGORY:=Utilities
-  TITLE:=Dynamic Backhaul Daemon
-  DEPENDS:=+libwifi +libuci +libubox +ubus +libeasy +libieee1905 +ieee1905 \
-	  +ieee1905-map-plugin +map-agent
-endef
-
-
 define Package/map-agent/description
  This package implements EasyMesh R2 compliant WiFi Agent.
 endef
 
-define Package/dynbhd/description
- Dyanmic LAN/WAN port detection and loop avoidance.
-endef
-
 define Package/map-agent/config
 	source "$(SOURCE)/Config.in"
 endef
@@ -111,7 +98,11 @@ ifeq ($(CONFIG_AGENT_CHECK_PARTIAL_WIFI_RELOAD),y)
 TARGET_CFLAGS += -DCHECK_PARTIAL_WIFI_RELOAD
 endif
 
-ifeq ($(CONFIG_DYNBHD_DYNAMICALLY_PERSIST_CONTROLLER),y)
+ifeq ($(CONFIG_DYNBH),y)
+TARGET_CFLAGS += -DDYNBH
+endif
+
+ifeq ($(CONFIG_DYNBH_DYNAMICALLY_PERSIST_CONTROLLER),y)
 TARGET_CFLAGS += -DPERSIST_CONTROLLER
 endif
 
@@ -124,6 +115,10 @@ MAKE_PATH:=src
 define Package/map-agent/install
 	$(INSTALL_DIR) $(1)/etc
 	$(CP) ./files/* $(1)/
+ifeq ($(CONFIG_DYNBH),y)
+	$(RM) $(1)/etc/hotplug.d/ethernet/map-dynamic-backhaul
+	$(RM) $(1)/etc/hotplug.d/ethernet/map-topology-discovery
+endif
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_DIR) $(1)/lib/wifi
@@ -131,15 +126,6 @@ define Package/map-agent/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/mapagent $(1)/usr/sbin/
 endef
 
-define Package/dynbhd/install
-	$(INSTALL_DIR) $(1)/etc
-	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_DIR) $(1)/lib/wifi/dynbhd
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/ethernet
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dynbh/dynbhd $(1)/usr/sbin/dynbhd
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dynbh/api $(1)/lib/wifi/dynbhd/api
-#	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dynbh/map-dynamic-backhaul $(1)/etc/hotplug.d/ethernet/map-dynamic-backhaul
-endef
 
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
@@ -148,4 +134,3 @@ endef
 endif
 
 $(eval $(call BuildPackage,map-agent))
-$(eval $(call BuildPackage,dynbhd))

map-agent/files/etc/config/mapagent

@@ -17,7 +17,7 @@ config dynamic_backhaul
 	option missing_bh_reconfig_timer '1800'
 
 config controller_select
-	option id 'auto'
+	option mode 'auto'
 	option probe_int '20'
 	option retry_int '9'
 	option autostart '1'

map-agent/files/etc/hotplug.d/ethernet/map-dynamic-backhaul

@@ -27,11 +27,6 @@ done
 al_brnet="${al_bridge:3}"
 [ "$(uci -q get network.${al_brnet}.proto)" == "dhcp" ] || exit 0
 
-############## Dynamic Backhaul Daemon ##############
-if [ -n "$(which dynbhd)" ]; then
-	exit 0
-fi
-########################################################
 
 ################ Dedicated ETH WAN Port ################
 wanport="$(jsonfilter -i /etc/board.json -e @.network.wan.device)"
@@ -95,7 +90,8 @@ if [ "$LINK" = "up" ]; then
 	config_foreach remove_from_bridge bsta
 	config_foreach update_bstas bsta down
 
-	/lib/wifi/multiap set_uplink "eth" "$PORT"
+	hwaddr="$(ifconfig $PORT | grep -i hwaddr | awk '{print $5}' | awk '{print tolower($0)}')"
+	/lib/wifi/multiap set_uplink "eth" "$PORT" "$hwaddr"
 else
 	/lib/wifi/multiap unset_uplink "eth"
 	#rm -f "$map_bh_file"

map-agent/files/etc/init.d/mapagent

@@ -7,20 +7,6 @@ USE_PROCD=1
 
 IS_CFG_VALID=1
 
-MAP_DEV="map_dev"
-MAP_IF="map"
-
-
-start_dynbhd_service() {
-	rm -f /var/run/multiap/multiap.backhaul
-	procd_open_instance
-	procd_set_param command "/usr/sbin/dynbhd"
-	procd_set_param respawn
-#	procd_set_param stdout 1
-#	procd_set_param stderr 1
-	procd_close_instance
-}
-
 validate_agent_section() {
 	uci_validate_section mapagent agent "agent" \
 		'enabled:bool:true' \
@@ -51,7 +37,7 @@ validate_cs_section() {
 
 	uci_validate_section mapagent $section "${section}" \
 		'local:bool:false' \
-		'id:string' \
+		'mode:string' \
 		'probe_int:range(0,1000):20' \
 		'retry_int:range(0,255):3' \
 		'autostart:bool:false'
@@ -179,17 +165,6 @@ create_dir() {
 }
 
 start_service() {
-	if [ -f /usr/sbin/dynbhd ]; then
-		# Start dynbhd only if the device is operating in extender/repeater mode
-		al_bridge="$(uci -q get mapagent.agent.al_bridge)"
-		if [ "${al_bridge:0:3}" = "br-" ]; then
-			al_brnet="${al_bridge:3}"
-			if [ "$(uci -q get network.${al_brnet}.proto)" == "dhcp" ]; then
-				start_dynbhd_service
-			fi
-		fi
-	fi
-
 	config_load "mapagent"
 	validate_agent_config || return 1;
 

map-agent/files/etc/uci-defaults/994-map-set-cntlr-sel-mode

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+adapt_cntlr_sel() {
+	local section=$1
+        id=$(uci -q get mapagent.@controller_select[0].id)
+
+        uci -q del mapagent.@controller_select[0].id
+
+        # re-apply any custom value
+        [ -z "${id}" ] || uci -q set mapagent.@controller_select[0].mode="${id}"
+}
+
+adapt_cntlr_sel

map-agent/files/lib/multiap/map_genconfig

@@ -10,6 +10,11 @@ network_mode="$(fw_printenv -n netmode)" # default is layer3
 multiap_mode="$(fw_printenv -n multiap_mode)" # default is full
 disable_mlo="$(fw_printenv -n disable_mlo)"
 
+is_logan() {
+	[ -d /sys/module/mt_wifi ] && return 0
+	return 1
+}
+
 is_airoha() {
 	[ -f /proc/device-tree/compatible ] || return
 	strings /proc/device-tree/compatible | grep -qE '^(econet,|airoha,)'; return
@@ -67,45 +72,44 @@ generate_multiap_config() {
 		device="$dev"
 
 		ifprefix_radio=""
-		if is_airoha; then
+		if is_logan; then
+			uci set mapagent.agent.mld_prefix="bss"
+			ifname_sta=""
+			case "$band" in
+				2g)
+					ifprefix="ra%"
+					ifname="ra0"
+					ifname_bh="ra1"
+					ifname_sta="apcli0"
+				;;
+				5g)
+					ifprefix="rai%"
+					ifname="rai0"
+					ifname_bh="rai1"
+					ifname_sta="apclii0"
+				;;
+				6g)
+					ifprefix="rax%"
+					ifname="rax0"
+					ifname_bh="rax1"
+					ifname_sta="apclix0"
+				;;
+			esac
+			ifprefix_radio="${ifprefix}"
+			if [ "${network_mode}" == "extender" ]; then
+				ifname="${ifname_sta}"
+			fi
+
+			[ "$disable_mlo" == "1" ] || {
+				uci set wireless.$dev.mlo="1"
+				uci set wireless.$dev.mlo_capable="1"
+			}
+		elif is_airoha; then
 			if [ -d "/sys/module/mt76" ]; then
 				ifprefix="wlan%_%"
 				ifname="wlan${devidx}_0"
 				ifname_bh="wlan${devidx}_1"
-			else
-				uci set mapagent.agent.mld_prefix="bss"
-				ifname_sta=""
-				case "$band" in
-					2g)
-						ifprefix="ra%"
-						ifname="ra0"
-						ifname_bh="ra1"
-						ifname_sta="apcli0"
-					;;
-					5g)
-						ifprefix="rai%"
-						ifname="rai0"
-						ifname_bh="rai1"
-						ifname_sta="apclii0"
-					;;
-					6g)
-						ifprefix="rax%"
-						ifname="rax0"
-						ifname_bh="rax1"
-						ifname_sta="apclix0"
-					;;
-				esac
-				ifprefix_radio="${ifprefix}"
-				if [ "${network_mode}" == "extender" ]; then
-					ifname="${ifname_sta}"
-				fi
-
-				[ "$disable_mlo" == "1" ] || {
-					uci set wireless.$dev.mlo="1"
-					uci set wireless.$dev.mlo_capable="1"
-				}
 			fi
-
 			uci set wireless.$dev.channels="$channels"
 			uci commit wireless
 		elif is_broadcom; then
@@ -258,6 +262,6 @@ map_genconf () {
 				config_foreach mapcontroller_remove_mld_id ap
 			}
 		fi
-		uci -q commit mapcontroller
+		ubus -t 5 call uci commit '{"config":"mapcontroller"}'
 	fi
 }

map-controller/Makefile

@@ -6,9 +6,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-controller
-PKG_VERSION:=6.4.0.12
+PKG_VERSION:=6.4.2.6
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=ae10f447f8d83ed6b98d2b82da2dda64be2c3183
+PKG_SOURCE_VERSION:=5e93ea36c4fb93dd473b233b098ecacf6395a20c
 PKG_MAINTAINER:=Jakob Olsson <jakob.olsson@genexis.eu>
 
 LOCAL_DEV=0

map-controller/files/etc/config/mapcontroller

@@ -2,13 +2,13 @@ config controller 'controller'
 	option enabled '1'	# may be modified by other package start-up scripts (i.e. map-agent)
 	option profile '3'
 	option registrar '2 5 6'
-	option debug '0'
+	option debug '2'
 	option bcn_metrics_max_num '10'
 	option initial_channel_scan '0'
 	option enable_ts '0'
 	option primary_vid '1'
 	option primary_pcp '0'
-	option stale_sta_timeout '30d'
+	option stale_sta_timeout '20d'
 	option de_collect_interval '60'
 
 config sta_steering

map-plugins/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=map-plugins
-PKG_VERSION:=0.0.4
+PKG_VERSION:=1.0.31
 
 LOCAL_DEV=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=74bf151851112ecee731d447af016c8dc668adcf
+PKG_SOURCE_VERSION:=565cade8fe08807b345404c567243fbdfdcb96c8
 PKG_SOURCE_URL:=https://dev.iopsys.eu/multi-ap/map-plugins.git
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz
 PKG_MIRROR_HASH:=skip
@@ -31,7 +31,8 @@ MAKE_FLAGS += \
 	CFLAGS="$(TARGET_CFLAGS) -Wall"
 
 plugins := \
-	$(if $(CONFIG_PACKAGE_map-plugins-steer-rate),steer-rate)
+	$(if $(CONFIG_PACKAGE_map-plugins-steer-rate),steer-rate)   \
+	$(if $(CONFIG_PACKAGE_map-plugins-bsteer),bsteer)
 
 ppkg:=$(patsubst plugins/%.mk,map-plugins-%,$(wildcard plugins/*.mk))
 
@@ -52,7 +53,7 @@ define Package/map-plugins
 endef
 
 define Package/map-plugins/description
-	Provides extra Multi-AP services viz. steering, channel-planning etc.
+	Provides extra Multi-AP services viz. steering, channel-planning, self-organizing network etc.
 endef
 
 define Package/map-plugins/install
@@ -60,9 +61,8 @@ define Package/map-plugins/install
 endef
 
 define Build/Compile
-	$(foreach p,$(ppkg),$(call Build/Compile/$(p),$(1)))
+	$(foreach p,$(plugins),$(call Build/Compile/map-plugins-$(p), $(1)))
 endef
 
-
 $(eval $(call BuildPackage,map-plugins))
 $(eval $(foreach p,$(ppkg),$(call BuildPackage,$(p))))

map-plugins/plugins/bsteer.mk

@@ -0,0 +1,20 @@
+define Package/map-plugins-bsteer
+	$(call Package/map-plugins/Default)
+	TITLE:=Wi-Fi backhaul steering plugin based on maximizing backhaul throughput
+	DEPENDS= +libubox +libuci +libubus +libeasy +libnl-genl \
+		 +libjson-c +libblobmsg-json +map-controller \
+		 +map-plugins
+endef
+
+define Package/map-plugins-bsteer/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/lib/mapcontroller
+	$(CP) $(PKG_BUILD_DIR)/steer/bsteer/bsteer.so $(1)/usr/lib/mapcontroller/bsteer.so
+endef
+
+define Build/Compile/map-plugins-bsteer
+	$(MAKE) -C $(PKG_BUILD_DIR)/steer/bsteer \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDFLAGS="$(TARGET_LDFLAGS)";
+endef

map-plugins/plugins/steer-rate.mk

@@ -16,5 +16,5 @@ define Build/Compile/map-plugins-steer-rate
 	$(MAKE) -C $(PKG_BUILD_DIR)/steer/rate \
 		CC="$(TARGET_CC)" \
 		CFLAGS="$(TARGET_CFLAGS)" \
-		LDFLAGS="$(TARGET_LDFLAGS)"
+		LDFLAGS="$(TARGET_LDFLAGS)";
 endef

mosquitto-auth-shadow/Config.in

@@ -0,0 +1,7 @@
+if PACKAGE_mosquitto-auth-shadow
+
+config MOSQUITTO_AUTH_PAM_SUPPORT
+	bool "Enable support of Linux PAM module for Authentication"
+	default y
+
+endif

mosquitto-auth-shadow/Makefile

@@ -14,12 +14,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mosquitto-auth-shadow
-PKG_VERSION:=1.0.1
+PKG_VERSION:=1.1.0
 
 PKG_MAINTAINER:=Erik Karlsson <erik.karlsson@genexis.eu>
 PKG_LICENSE:=EPL-2.0
 
 PKG_BUILD_PARALLEL:=1
+PKG_CONFIG_DEPENDS:=CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -27,7 +28,7 @@ define Package/mosquitto-auth-shadow
   SECTION:=net
   CATEGORY:=Network
   TITLE:=mosquitto - /etc/shadow authentication plugin
-  DEPENDS:=+mosquitto-ssl
+  DEPENDS:=+mosquitto-ssl +MOSQUITTO_AUTH_PAM_SUPPORT:libpam
   USERID:=mosquitto=200:mosquitto=200 mosquitto=200:shadow=11
 endef
 
@@ -36,6 +37,14 @@ define Package/mosquitto-auth-shadow/description
   users using /etc/shadow
 endef
 
+define Package/mosquitto-auth-shadow/config
+	source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(CONFIG_MOSQUITTO_AUTH_PAM_SUPPORT),y)
+TARGET_CFLAGS+=-DENABLE_PAM_SUPPORT
+endif
+
 define Package/mosquitto-auth-shadow/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mosquitto_auth_shadow.so $(1)/usr/lib/

mosquitto-auth-shadow/src/Makefile

@@ -19,7 +19,7 @@ all: $(TARGETS)
 	$(CC) $(CFLAGS) -Wall -Werror -fPIC -c -o $@ $<
 
 mosquitto_auth_shadow.so: mosquitto_auth_shadow.pic.o
-	$(CC) $(LDFLAGS) -shared -o $@ $^
+	$(CC) $(LDFLAGS) -shared -o $@ $^ $(if $(filter -DENABLE_PAM_SUPPORT,$(CFLAGS)),-lpam)
 
 clean:
 	rm -f *.o $(TARGETS)

mosquitto-auth-shadow/src/mosquitto_auth_shadow.c

@@ -15,22 +15,78 @@
 #include <string.h>
 #include <shadow.h>
 #include <crypt.h>
+#include <stdlib.h>
 #include <mosquitto.h>
 #include <mosquitto_broker.h>
 #include <mosquitto_plugin.h>
 
-static int basic_auth_callback(int event, void *event_data, void *userdata)
+#ifdef ENABLE_PAM_SUPPORT
+#include <security/pam_appl.h>
+
+static int pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+	int i;
+	const char *pass = (const char *)appdata_ptr;
+
+	*resp = calloc(num_msg, sizeof(struct pam_response));
+	if (*resp == NULL) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed to allocate buffer for validation");
+		return PAM_BUF_ERR;
+	}
+
+	if (pass == NULL)
+		return PAM_SUCCESS;
+
+	for (i = 0; i < num_msg; ++i) {
+		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+			(*resp)[i].resp = strdup(pass);
+			if ((*resp)[i].resp == NULL) {
+				for (int j = 0; j < i ; j++)
+					free((*resp)[j].resp);
+
+				free(*resp);
+				*resp = NULL;
+				mosquitto_log_printf(MOSQ_LOG_ERR, "pam failed in strdup");
+				return PAM_BUF_ERR;
+			}
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+static int process_pam_auth_callback(struct mosquitto_evt_basic_auth *ed)
+{
+	struct pam_conv conv;
+	int retval;
+	pam_handle_t *pamh = NULL;
+
+	conv.conv = pam_conversation;
+	conv.appdata_ptr = (void *)ed->password;
+
+	retval = pam_start("mosquitto", ed->username, &conv, &pamh);
+	if (retval != PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_ERR, "pam start failed: %s", pam_strerror(pamh, retval));
+		return MOSQ_ERR_AUTH;
+	}
+
+	retval = pam_authenticate(pamh, 0);
+	pam_end(pamh, retval);
+	if (retval == PAM_SUCCESS) {
+		mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] logged in", ed->username);
+		return MOSQ_ERR_SUCCESS;
+	}
+
+	mosquitto_log_printf(MOSQ_LOG_NOTICE, "pam user [%s] failed authentication, err [%s]", ed->username, pam_strerror(pamh, retval));
+	return MOSQ_ERR_AUTH;
+}
+#else
+static int process_shadow_auth_callback(struct mosquitto_evt_basic_auth *ed)
 {
-	struct mosquitto_evt_basic_auth *ed = event_data;
 	struct spwd spbuf, *sp = NULL;
 	char buf[256];
 	struct crypt_data data;
 	char *hash;
 
-	/* Let other plugins or broker decide about anonymous login */
-	if (ed->username == NULL)
-		return MOSQ_ERR_PLUGIN_DEFER;
-
 	getspnam_r(ed->username, &spbuf, buf, sizeof(buf), &sp);
 
 	if (sp == NULL || sp->sp_pwdp == NULL)
@@ -54,6 +110,22 @@ static int basic_auth_callback(int event, void *event_data, void *userdata)
 
 	return MOSQ_ERR_AUTH;
 }
+#endif
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+	struct mosquitto_evt_basic_auth *ed = event_data;
+
+	/* Let other plugins or broker decide about anonymous login */
+	if (ed->username == NULL)
+		return MOSQ_ERR_PLUGIN_DEFER;
+
+#ifdef ENABLE_PAM_SUPPORT
+	return process_pam_auth_callback(ed);
+#else
+	return process_shadow_auth_callback(ed);
+#endif
+}
 
 int mosquitto_plugin_version(int supported_version_count,
 			     const int *supported_versions)

netmngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmngr
-PKG_VERSION:=1.1.8
+PKG_VERSION:=1.2.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/netmngr.git
-PKG_SOURCE_VERSION:=6310f32b80f8abeccbf99ad55ce88792b19342d6
+PKG_SOURCE_VERSION:=ff08a8cc5c860056a022e5376a973dee5a323595
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

netmode/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netmode
-PKG_VERSION:=1.1.5
+PKG_VERSION:=1.1.7
 PKG_RELEASE:=1
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0-only
@@ -18,6 +18,7 @@ include $(TOPDIR)/feeds/iopsys/bbfdm/bbfdm.mk
 define Package/netmode
   CATEGORY:=Utilities
   TITLE:=Network Modes and Utils
+  DEPENDS:=+dm-service
 endef
 
 define Package/netmode/description

netmode/files/datamodel.json

@@ -58,7 +58,7 @@
 							"name": "mode"
 						}
 					},
-					"linker_obj": "Device.{BBF_VENDOR_PREFIX}NetMode.SupportedModes.[Name==@key]."
+					"linker_obj": "Device.{BBF_VENDOR_PREFIX}NetMode.SupportedModes.*.Name"
 				}
 			]
 		},

obuspa/Config.in

@@ -19,13 +19,8 @@ config OBUSPA_CONTROLLER_MTP_VERIFY
 	bool "Enable verification of controller MTP before processing the message"
 	default n
 
-config OBUSPA_ENABLE_TEST_CONTROLLER
-	bool "Adds a test controller by default"
-	default n
-	select OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL
-
-config OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL
-	bool "Adds a test controller by default (local access only)"
+config OBUSPA_LOCAL_MQTT_LISTENER
+	bool "Configures local mqtt broker for local usp connections"
 	default n
 
 config OBUSPA_MAX_CONTROLLERS_NUM

obuspa/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=obuspa
-PKG_VERSION:=10.0.4.1
+PKG_VERSION:=10.0.7.4
 
-LOCAL_DEV:=1
+LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git
-PKG_SOURCE_VERSION:=6b888812299de0d836a8dcf33bc899ec8ff16030
+PKG_SOURCE_VERSION:=84d5ae575134d501b8ca171a5a65c6f410f01d08
 PKG_MAINTAINER:=Vivek Dutta <vivek.dutta@iopsys.eu>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
@@ -33,9 +33,8 @@ define Package/obuspa
   TITLE:=USP agent
   MENU:=1
   DEPENDS:=+libopenssl +libuci +libblobmsg-json +libcurl +libsqlite3 +libubox +libubus +libmosquitto-ssl +libwebsockets-openssl +ca-certificates \
-		+OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL:mosquitto-ssl +OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL:mosquitto-client-ssl \
-		+OBUSPA_ENABLE_TEST_CONTROLLER:mosquitto-auth-shadow +libjson-c
-  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service +bbfdmd
+		+OBUSPA_LOCAL_MQTT_LISTENER:mosquitto-ssl +libjson-c
+  DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service
 endef
 
 define Package/obuspa/description
@@ -132,27 +131,23 @@ define Package/obuspa/install
 	$(INSTALL_DATA) ./files/etc/users/roles/*.json $(1)/etc/users/roles/
 	$(INSTALL_DATA) ./files/etc/obuspa/usp_utils.sh $(1)/etc/obuspa/
 	echo "$(VENDOR_PREFIX)" > $(1)/etc/obuspa/vendor_prefix
-	$(INSTALL_BIN) ./files/etc/uci-defaults/01-fix-upgrade-uci $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/60-generate-ctrust-defaults $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/obuspa-set-dhcp-option $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/92-obuspa_firewall $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/93-obuspa_mdns_adv $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/94-obuspa_set_credential $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/01-fix-upgrade-uci $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/60-generate-ctrust-defaults $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/obuspa-set-dhcp-option $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/92-obuspa_firewall $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/93-obuspa_mdns_adv $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/94-obuspa_set_credential $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/firewall.usp $(1)/etc/
-	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user $(1)/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user
+	$(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user $(1)/etc/udhcpc.user.d/
 ifeq ($(CONFIG_OBUSPA_CWMP_DATAMODEL_SUPPORT),y)
 	$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/libuspagentdm.so $(1) $(PKG_NAME)
 endif
-ifeq ($(CONFIG_OBUSPA_ENABLE_TEST_CONTROLLER),y)
-	$(INSTALL_BIN) ./files/etc/uci-defaults/54-test-usp-remote $(1)/etc/uci-defaults/
-endif
-ifeq ($(CONFIG_OBUSPA_ENABLE_TEST_CONTROLLER_LOCAL),y)
-	$(INSTALL_BIN) ./files/etc/init.d/usptest $(1)/etc/init.d/
-	$(INSTALL_BIN) ./files/etc/uci-defaults/55-test-usp-controller $(1)/etc/uci-defaults/
+ifeq ($(CONFIG_OBUSPA_LOCAL_MQTT_LISTENER),y)
+	$(INSTALL_DATA) ./files/etc/uci-defaults/55-obuspa-local-mqtt-usp-connection $(1)/etc/uci-defaults/
 endif
 ifeq ($(CONFIG_OBUSPA_OVERRIDE_CT_ROLE),y)
-	$(INSTALL_BIN) ./files/etc/uci-defaults/61-override-ct-roles $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/61-override-ct-roles $(1)/etc/uci-defaults/
 endif
 endef
 

obuspa/files/etc/init.d/obuspa

@@ -13,7 +13,6 @@ KEEP_FILE="/lib/upgrade/keep.d/obuspa"
 RESET_FILE="/tmp/obuspa/fw_defaults"
 SQL_DB_FILE="/tmp/obuspa/usp.db"
 DB_DUMP="/tmp/obuspa/usp.dump_$(date +%s)"
-CTRUST_ROLE_MAP="/tmp/obuspa/usp.role.map"
 
 BASEPATH=""
 INSTANCE_COUNT=0
@@ -284,14 +283,6 @@ update_dual_stack_pref()
 	db_set Internal.DualStackPreference "${1}"
 }
 
-create_ctrust_role_map()
-{
-	echo ""> ${CTRUST_ROLE_MAP}
-	for file in $(ls -1 /etc/users/roles/*.json); do
-		cat ${file} |jq -r '.tr181| [.instance, .name]|@tsv' >> ${CTRUST_ROLE_MAP}
-	done
-}
-
 get_role_index()
 {
 	local name drole
@@ -315,9 +306,14 @@ get_role_index()
 	fi
 
 	# Get if from CTRUST file first if present, then from dbdump and then use default Untrusted role
-	if [ -f "${CTRUST_ROLE_MAP}" ]; then
-		rindex="$(grep "${name}" ${CTRUST_ROLE_MAP} |cut -f 1)"
-		echo "Device.LocalAgent.ControllerTrust.Role.${rindex}"
+	if [ -f "${CTRUST_RESET_FILE}" ]; then
+		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${CTRUST_RESET_FILE} |grep $name)"
+		val="$(echo ${val/.Name /,}|cut -d, -f 1)"
+		echo "$val"
+	elif [ -f "${DB_DUMP}" ]; then
+		val="$(grep "Device.LocalAgent.ControllerTrust.Role.\d.Name" ${DB_DUMP} |grep $name)"
+		val="$(echo ${val/.Name /,}|cut -d, -f 1)"
+		echo "$val"
 	else
 		log "Not able to get role ${name}, use Untrusted role"
 		echo "${drole}"
@@ -973,7 +969,7 @@ db_init()
 
 	# Dump datamodel parameters from DB
 	if [ -f "${SQL_DB_FILE}" ]; then
-		return 0
+		dump_db
 	fi
 
 	# In case of Reboot or service restart update the uci
@@ -1000,7 +996,6 @@ db_init()
 	config_load $CONFIGURATION
 	config_get dualstack_pref global dualstack_pref "IPv6"
 
-	create_ctrust_role_map
 	global_init
 	config_foreach configure_localagent localagent
 	global_init
@@ -1027,8 +1022,9 @@ db_init()
 		mv ${DB_DUMP} ${RESET_FILE}
 	fi
 
-	if [ -f "${CTRUST_ROLE_MAP}" ]; then
-		rm ${CTRUST_ROLE_MAP}
+	if [ -f "${CTRUST_RESET_FILE}" ]; then
+		cat ${CTRUST_RESET_FILE} >> ${RESET_FILE}
+		rm ${CTRUST_RESET_FILE}
 	fi
 }
 

obuspa/files/etc/init.d/usptest

@@ -1,75 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=99
-STOP=01
-USE_PROCD=1
-
-log()
-{
-	echo "$*"|logger -t usptest -p debug
-}
-
-get_oui_from_db()
-{
-	db -q get device.deviceinfo.ManufacturerOUI
-}
-
-get_serial_from_db()
-{
-	db -q get device.deviceinfo.SerialNumber
-}
-
-publish_endpoint()
-{
-	local AgentEndpointID serial oui user pass
-
-	if ! uci -q get obuspa.testmqtt; then
-		return 0;
-	fi
-
-	# return if mosquitto_pub is not present
-	if [ ! "$(command -v mosquitto_pub)" ]; then
-		log "mosquitto_pub not present can't publish EndpointID"
-		return 0;
-	fi
-
-	sleep 2
-	# Get endpoint id from obuspa config first
-	config_load obuspa
-	config_get AgentEndpointID localagent EndpointID ""
-	if [ -z "${AgentEndpointID}" ]; then
-		serial=$(get_serial_from_db)
-		oui=$(get_oui_from_db)
-		AgentEndpointID="os::${oui}-${serial//+/%2B}"
-	fi
-
-	config_get user testmqtt Username ""
-	config_get pass testmqtt Password ""
-
-	# publish Agent's EndpointID in mosquito broker for discovery by usp-js
-	# This is a work around till obuspa adds supports for mDNS discovery
-	if [ -n "${user}" ] && [ -n "${pass}" ]; then
-		log "Publishing EndpointID ${AgentEndpointID} to local mqtt broker with username, password"
-		mosquitto_pub -r -t "obuspa/EndpointID" -m "${AgentEndpointID}" -u "${user}" -P "${pass}"
-	elif [ -n "${user}" ]; then
-		log "Publishing EndpointID ${AgentEndpointID} to local mqtt broker with username only"
-		mosquitto_pub -r -t "obuspa/EndpointID" -m "${AgentEndpointID}" -u "${user}"
-	else
-		log "Publishing EndpointID ${AgentEndpointID} to local mqtt broker"
-		mosquitto_pub -r -t "obuspa/EndpointID" -m "${AgentEndpointID}"
-	fi
-}
-
-start_service() {
-	procd_open_instance usptest
-	publish_endpoint
-	procd_close_instance
-}
-
-reload_service() {
-	publish_endpoint
-}
-
-service_triggers() {
-	procd_add_reload_trigger "mosquitto" "obuspa"
-}

obuspa/files/etc/uci-defaults/54-test-usp-remote

@@ -1,20 +0,0 @@
-#!/bin/sh
-
-. /lib/functions.sh
-
-if [ ! -f "/etc/config/mosquitto" ]; then
-	echo "Local mosquitto broker not available"
-	return 0
-fi
-
-add_usp_test()
-{
-	uci_add mosquitto listener usptest
-	uci_set mosquitto usptest enabled 1
-	uci_set mosquitto usptest port '9004'
-	uci_set mosquitto usptest protocol 'websockets'
-	uci_set mosquitto usptest auth_plugin '/usr/lib/mosquitto_auth_shadow.so'
-}
-
-# Install test MQTT over WS listener
-add_usp_test

obuspa/files/etc/uci-defaults/55-obuspa-local-mqtt-usp-connection

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+if [ ! -f "/etc/config/mosquitto" ]; then
+	echo "Local mosquitto broker not available"
+	return 0
+fi
+
+add_mqtt_obuspa_listener()
+{
+	uci_add mosquitto listener obuspa
+	uci_set mosquitto obuspa enabled 1
+	uci_set mosquitto obuspa port '1883'
+	uci_set mosquitto obuspa no_remote_access '1'
+	uci_set mosquitto obuspa allow_anonymous '1'
+}
+
+# Add mosquitto listener for obuspa connection
+# apps/controller should add controller definitions separately
+add_mqtt_obuspa_listener

obuspa/files/etc/uci-defaults/55-test-usp-controller

@@ -1,57 +0,0 @@
-#!/bin/sh
-
-. /lib/functions.sh
-
-if [ ! -f "/etc/config/obuspa" ]; then
-	echo "Local obuspa not available"
-	return 0
-fi
-
-if [ ! -f "/etc/config/mosquitto" ]; then
-	echo "Local mosquitto broker not available"
-	return 0
-fi
-
-add_obuspa_test_mtp()
-{
-	uci_add obuspa mtp test_mtp
-	uci_set obuspa test_mtp Protocol 'MQTT'
-	uci_set obuspa test_mtp ResponseTopicConfigured '/usp/endpoint'
-	uci_set obuspa test_mtp mqtt 'testmqtt'
-}
-
-add_obuspa_test_mqtt()
-{
-	# Adds Device.MQTT.Client.
-	uci_add obuspa mqtt testmqtt
-	uci_set obuspa testmqtt BrokerAddress '127.0.0.1'
-	uci_set obuspa testmqtt BrokerPort '1883'
-	uci_set obuspa testmqtt TransportProtocol 'TCP/IP'
-}
-
-add_obuspa_test_controller()
-{
-	# Adds Device.LocalAgent.Controller.
-	uci_add obuspa controller testcontroller
-	uci_set obuspa testcontroller EndpointID 'proto::interop-usp-controller'
-	uci_set obuspa testcontroller Protocol 'MQTT'
-	uci_set obuspa testcontroller Topic '/usp/controller'
-	uci_set obuspa testcontroller mqtt 'testmqtt'
-	uci_set obuspa testcontroller assigned_role_name 'full_access'
-}
-
-add_obuspa_config()
-{
-	uci_add mosquitto listener obuspa
-	uci_set mosquitto obuspa enabled 1
-	uci_set mosquitto obuspa port '1883'
-	uci_set mosquitto obuspa no_remote_access '1'
-	uci_set mosquitto obuspa allow_anonymous '1'
-}
-
-# Install test usp controller config
-add_obuspa_config
-
-add_obuspa_test_mtp
-add_obuspa_test_mqtt
-add_obuspa_test_controller

obuspa/files/etc/uci-defaults/60-generate-ctrust-defaults

@@ -10,8 +10,8 @@ if [ -n "${rfile}" ]; then
 	uci -q set obuspa.global.role_file=""
 fi
 
-#if [ ! -f "${db_file}" ]; then
-	#configure_ctrust_role
-#fi
+if [ ! -f "${db_file}" ]; then
+	configure_ctrust_role
+fi
 
 exit 0

obuspa/files/etc/uci-defaults/61-override-ct-roles

@@ -3,6 +3,6 @@
 . /lib/functions.sh
 . /etc/obuspa/usp_utils.sh
 
-#configure_ctrust_role
+configure_ctrust_role
 
 exit 0

obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user

@@ -57,18 +57,18 @@ get_vivsoi() {
 
 	data="${opt125}"
 	rem_len="${len}"
-	while [ $rem_len -gt 0 ]; do
+	while [ "${rem_len}" -gt 0 ]; do
 		ent_id=${data:0:8}
 		ent_id=$(printf "%d\n" "0x$ent_id")
 
-		if [ $ent_id -ne  3561 ]; then
+		if [ "${ent_id}" -ne  3561 ]; then
 			len_val=${data:8:2}
 			data_len=$(printf "%d\n" "0x$len_val")
 			# add 4 byte for ent_id and 1 byte for len
 			data_len=$(( data_len * 2 + 10 ))
 			# move ahead data to next enterprise id
 			data=${data:"${data_len}":"${rem_len}"}
-			rem_len=$(( rem_len - $data_len ))
+			rem_len=$(( rem_len - data_len ))
 			continue
 		fi
 
@@ -79,7 +79,7 @@ get_vivsoi() {
 		data_len=$(( data_len * 2 + 10 ))
 
 		opt_len=$(printf "%d\n" "0x$len_val")
-		[ $opt_len -eq 0 ] && return
+		[ "${opt_len}" -eq 0 ] && return
 
 		# populate the option data of enterprise id
 		sub_data_len=$(( opt_len * 2))
@@ -98,28 +98,28 @@ get_vivsoi() {
 			sub_opt_len=$(( sub_opt_len * 2 ))
 
 			# get the value of sub option starting 4 means starting after length
-			sub_opt_val=${sub_data:4:${sub_opt_len}}
+			sub_opt_val=${sub_data:4:"${sub_opt_len}"}
 
 			# assign the value found in sub option
 			case "${sub_opt_id}" in
 				"25")
-					URL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					URL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"26")
-					PROV_CODE=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					PROV_CODE=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"27")
-					RETRY_MIN_INTERVAL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					RETRY_MIN_INTERVAL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"28")
-					RETRY_INTERVAL_MUL=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					RETRY_INTERVAL_MUL=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 				"29")
-					ENDPOINT_ID=$(echo -n $sub_opt_val | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
+					ENDPOINT_ID=$(echo -n "${sub_opt_val}" | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo '')
 					CONTROLLER_DISCOVERED=1
 				;;
 			esac
@@ -131,7 +131,7 @@ get_vivsoi() {
 			sub_data_len=$((sub_data_len - sub_opt_end))
 
 			# fetch next sub option hex string
-			sub_data=${sub_data:${sub_opt_end}:${sub_data_len}}
+			sub_data=${sub_data:"${sub_opt_end}":"${sub_data_len}"}
 		done
 
 		# move ahead data to next enterprise id
@@ -146,7 +146,7 @@ get_access_role()
 
 	lan_proto="$(uci -q get network.lan.proto)"
 
-	if [ "${lan_proto}" == "dhcp" ]; then
+	if [ "${lan_proto}" = "dhcp" ]; then
 		mode="extender"
 	else
 		mode="full_access"
@@ -174,7 +174,7 @@ config_get_bool enable_obuspa global enabled 1
 config_get wan_intf global interface
 config_get_bool dhcp_discovery global dhcp_discovery 1
 
-if [ "$enable_obuspa" = "0" ] || [ "$dhcp_discovery" = "0" ]; then
+if [ "${enable_obuspa}" -eq 0 ] || [ "${dhcp_discovery}" -eq 0 ]; then
 	return 0
 fi
 
@@ -190,9 +190,9 @@ if [ -z "${wan_intf}" ]; then
 	fi
 fi
 
-if [ "${wan_intf}" == "${INTERFACE}" ]; then
+if [ "${wan_intf}" = "${INTERFACE}" ]; then
 	if [ -n "$opt125" ]; then
-		len=$(printf "$opt125"|wc -c)
+		len=$(echo -n "${opt125}"|wc -c)
 		get_vivsoi "$opt125" "$len"
 	fi
 
@@ -228,10 +228,10 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 				;;
 			*)
 				# This is an FQDN, perform DNS query
-				nslookup $URL > /tmp/fqdn_ip
-				nslookup -type=ptr $URL > /tmp/fqdn_ptr
-				nslookup -type=srv $URL > /tmp/fqdn_srv
-				nslookup -type=txt $URL > /tmp/fqdn_srv
+				nslookup "${URL}" > /tmp/fqdn_ip
+				nslookup -type=ptr "${URL}" > /tmp/fqdn_ptr
+				nslookup -type=srv "${URL}" > /tmp/fqdn_srv
+				nslookup -type=txt "${URL}" > /tmp/fqdn_srv
 
 				# TODO extend to collect information from dns-sd records
 				;;
@@ -247,16 +247,16 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		fi
 	fi
 
-	if [ "${proto}" == "mqtt" ] || [ "${proto}" == "mqtts" ]; then
+	if [ "${proto}" = "mqtt" ] || [ "${proto}" = "mqtts" ]; then
 		offered_proto="MQTT"
-		if [ "${proto}" == "mqtt" ]; then
+		if [ "${proto}" = "mqtt" ]; then
 			mtp_encrypt="TCP/IP"
 		else
 			mtp_encrypt="TLS"
 		fi
-	elif [ "${proto}" == "ws" ] || [ "${proto}" == "wss" ]; then
+	elif [ "${proto}" = "ws" ] || [ "${proto}" = "wss" ]; then
 		offered_proto="WebSocket"
-		if [ "${proto}" == "wss" ]; then
+		if [ "${proto}" = "wss" ]; then
 			mtp_encrypt="1"
 		else
 			mtp_encrypt="0"
@@ -265,7 +265,7 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 
 	controllers=$(uci -q show obuspa | grep "=controller" | cut -d'=' -f1 | cut -d'.' -f2)
 	for controller in $controllers; do
-		dhcp_disc=$(uci -q get obuspa.$controller.dhcp_discovered)
+		dhcp_disc=$(uci -q get obuspa."${controller}".dhcp_discovered)
 		if [ "${dhcp_disc}" -eq 1 ]; then
 			dhcp_controller="${controller}"
 			break
@@ -273,27 +273,27 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 	done
 
 	if [ -n "${dhcp_controller}" ]; then
-		cont_proto="$(uci -q get obuspa.$dhcp_controller.Protocol)"
-		if [ "${cont_proto}" == "MQTT" ]; then
-			dhcp_mqtt="$(uci -q get obuspa.$dhcp_controller.mqtt)"
+		cont_proto=$(uci -q get obuspa."${dhcp_controller}".Protocol)
+		if [ "${cont_proto}" = "MQTT" ]; then
+			dhcp_mqtt=$(uci -q get obuspa."${dhcp_controller}".mqtt)
 
 			mtps=$(uci -q show obuspa | grep "=mtp" | cut -d'=' -f1 | cut -d'.' -f2)
 			for mtp in $mtps; do
-				mtp_mqtt="$(uci -q get obuspa.$mtp.mqtt)"
-				if [ "${mtp_mqtt}" == "${dhcp_mqtt}" ]; then
+				mtp_mqtt=$(uci -q get obuspa."${mtp}".mqtt)
+				if [ "${mtp_mqtt}" = "${dhcp_mqtt}" ]; then
 					dhcp_mtp="${mtp}"
 					break
 				fi
 			done
-		elif [ "${cont_proto}" == "WebSocket" ]; then
-			cont_port="$(uci -q get obuspa.$dhcp_controller.Port)"
-			cont_encr="$(uci -q get obuspa.$dhcp_controller.EnableEncryption)"
+		elif [ "${cont_proto}" = "WebSocket" ]; then
+			cont_port=$(uci -q get obuspa."${dhcp_controller}".Port)
+			cont_encr=$(uci -q get obuspa."${dhcp_controller}".EnableEncryption)
 
 			mtps=$(uci -q show obuspa | grep "=mtp" | cut -d'=' -f1 | cut -d'.' -f2)
 			for mtp in $mtps; do
-				mtp_port="$(uci -q get obuspa.$mtp.Port)"
-				mtp_encr="$(uci -q get obuspa.$mtp.EnableEncryption)"
-				if [ "${mtp_port}" == "${cont_port}" ] && [ "${mtp_encr}" == "${cont_encr}" ]; then
+				mtp_port=$(uci -q get obuspa."${mtp}".Port)
+				mtp_encr=$(uci -q get obuspa."${mtp}".EnableEncryption)
+				if [ "${mtp_port}" = "${cont_port}" ] && [ "${mtp_encr}" = "${cont_encr}" ]; then
 					dhcp_mtp="${mtp}"
 					break
 				fi
@@ -306,43 +306,43 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 
 	if [ -n "${dhcp_controller}" ]; then
 		## Handling of controller section
-		ct_endpoint=$(uci -q get obuspa.$dhcp_controller.EndpointID)
-		ct_proto=$(uci -q get obuspa.$dhcp_controller.Protocol)
-		ct_prov=$(uci -q get obuspa.$dhcp_controller.ProvisioningCode)
+		ct_endpoint=$(uci -q get obuspa."${dhcp_controller}".EndpointID)
+		ct_proto=$(uci -q get obuspa."${dhcp_controller}".Protocol)
+		ct_prov=$(uci -q get obuspa."${dhcp_controller}".ProvisioningCode)
 
 		if [ "${ct_proto}" = "MQTT" ]; then
-			ct_topic=$(uci -q get obuspa.$dhcp_controller.Topic)
+			ct_topic=$(uci -q get obuspa."${dhcp_controller}".Topic)
 		else
-			ct_topic=$(uci -q get obuspa.$dhcp_controller.Path)
+			ct_topic=$(uci -q get obuspa."${dhcp_controller}".Path)
 		fi
 
 		if [ -n "${ENDPOINT_ID}" ] && [ "${ct_endpoint}" != "${ENDPOINT_ID}" ]; then
-			uci -q set obuspa.$dhcp_controller.EndpointID="${ENDPOINT_ID}"
+			uci -q set obuspa."${dhcp_controller}".EndpointID="${ENDPOINT_ID}"
 			uci_change=1
 		fi
 
 		if [ -n "${offered_proto}" ] && [ "${ct_proto}" != "${offered_proto}" ]; then
-			uci -q set obuspa.$dhcp_controller.Protocol="${offered_proto}"
+			uci -q set obuspa."${dhcp_controller}".Protocol="${offered_proto}"
 			if [ "${offered_proto}" != "MQTT" ]; then
-				uci -q set obuspa.$dhcp_controller.mqtt=""
-				uci -q set obuspa.$dhcp_controller.Topic=""
-				uci -q set obuspa.$dhcp_controller.Host="${ip}"
-				uci -q set obuspa.$dhcp_controller.Port="${port}"
-				uci -q set obuspa.$dhcp_controller.Path="${ct_topic}"
-				uci -q set obuspa.$dhcp_controller.EnableEncryption="${mtp_encrypt}"
+				uci -q delete obuspa."${dhcp_controller}".mqtt
+				uci -q delete obuspa."${dhcp_controller}".Topic
+				uci -q set obuspa."${dhcp_controller}".Host="${ip}"
+				uci -q set obuspa."${dhcp_controller}".Port="${port}"
+				uci -q set obuspa."${dhcp_controller}".Path="${ct_topic}"
+				uci -q set obuspa."${dhcp_controller}".EnableEncryption="${mtp_encrypt}"
 			else
-				uci -q set obuspa.$dhcp_controller.EnableEncryption=""
-				uci -q set obuspa.$dhcp_controller.Path=""
-				uci -q set obuspa.$dhcp_controller.Host=""
-				uci -q set obuspa.$dhcp_controller.Port=""
+				uci -q delete obuspa."${dhcp_controller}".EnableEncryption
+				uci -q delete obuspa."${dhcp_controller}".Path
+				uci -q delete obuspa."${dhcp_controller}".Host
+				uci -q delete obuspa."${dhcp_controller}".Port
 
 				if [ -z "${dhcp_mqtt}" ]; then
-					uci -q set obuspa.$dhcp_controller.mqtt='dhcpmqtt'
+					uci -q set obuspa."${dhcp_controller}".mqtt='dhcpmqtt'
 				else
-					uci -q set obuspa.$dhcp_controller.mqtt="${dhcp_mqtt}"
+					uci -q set obuspa."${dhcp_controller}".mqtt="${dhcp_mqtt}"
 				fi
 
-				uci -q set obuspa.$dhcp_controller.Topic="${ct_topic}"
+				uci -q set obuspa."${dhcp_controller}".Topic="${ct_topic}"
 			fi
 
 			proto_changed=1
@@ -355,38 +355,38 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 				protocol="${offered_proto}"
 			fi
 
-			if [ "${protocol}" == "MQTT" ]; then
-				uci -q set obuspa.$dhcp_controller.Topic="${topic}"
+			if [ "${protocol}" = "MQTT" ]; then
+				uci -q set obuspa."${dhcp_controller}".Topic="${topic}"
 			else
-				uci -q set obuspa.$dhcp_controller.Path="${topic}"
+				uci -q set obuspa."${dhcp_controller}".Path="${topic}"
 			fi
 
 			uci_change=1
 		fi
 
 		if [ -n "${PROV_CODE}" ] && [ "${ct_prov}" != "${PROV_CODE}" ]; then
-			uci -q set obuspa.$dhcp_controller.ProvisioningCode="${PROV_CODE}"
+			uci -q set obuspa."${dhcp_controller}".ProvisioningCode="${PROV_CODE}"
 			uci_change=1
 		fi
 
 		if [ "${proto_changed}" -eq 1 ]; then
-			if [ "${offered_proto}" == "WebSocket" ]; then
+			if [ "${offered_proto}" = "WebSocket" ]; then
 				if [ -n "${dhcp_mqtt}" ]; then
-					uci -q del obuspa.$dhcp_mqtt
+					uci -q delete obuspa."${dhcp_mqtt}"
 				fi
 
 				if [ -z "${dhcp_mtp}" ]; then
 					sec=$(uci -q add obuspa mtp)
 					uci -q rename obuspa."${sec}"='dhcpmtp'
 					dhcp_mtp="dhcpmtp"
-					uci -q set obuspa.$dhcp_mtp.Enable='1'
+					uci -q set obuspa."${dhcp_mtp}".Enable='1'
 				fi
 
-				uci -q set obuspa.$dhcp_mtp.mqtt=''
-				uci -q set obuspa.$dhcp_mtp.ResponseTopicConfigured=''
-				uci -q set obuspa.$dhcp_mtp.Protocol='WebSocket'
-				uci -q set obuspa.$dhcp_mtp.Port="${port}"
-				uci -q set obuspa.$dhcp_mtp.EnableEncryption="${mtp_encrypt}"
+				uci -q set obuspa."${dhcp_mtp}".mqtt=''
+				uci -q set obuspa."${dhcp_mtp}".ResponseTopicConfigured=''
+				uci -q set obuspa."${dhcp_mtp}".Protocol='WebSocket'
+				uci -q set obuspa."${dhcp_mtp}".Port="${port}"
+				uci -q set obuspa."${dhcp_mtp}".EnableEncryption="${mtp_encrypt}"
 
 				uci_change=1
 			else
@@ -397,78 +397,78 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 					sec=$(uci -q add obuspa mqtt)
 					uci -q rename obuspa."${sec}"='dhcpmqtt'
 					dhcp_mqtt="dhcpmqtt"
-					uci -q set obuspa.$dhcp_mqtt.Enable='1'
-					uci -q set obuspa.$dhcp_mqtt.Username="${user}"
-					uci -q set obuspa.$dhcp_mqtt.Password="${pass}"
+					uci -q set obuspa."${dhcp_mqtt}".Enable='1'
+					uci -q set obuspa."${dhcp_mqtt}".Username="${user}"
+					uci -q set obuspa."${dhcp_mqtt}".Password="${pass}"
 				fi
 
-				uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}"
-				uci -q set obuspa.$dhcp_mqtt.BrokerPort="${port}"
-				uci -q set obuspa.$dhcp_mqtt.TransportProtocol="${mtp_encrypt}"
-				uci -q set obuspa.$dhcp_mqtt.ProtocolVersion='5.0'
+				uci -q set obuspa."${dhcp_mqtt}".BrokerAddress="${ip}"
+				uci -q set obuspa."${dhcp_mqtt}".BrokerPort="${port}"
+				uci -q set obuspa."${dhcp_mqtt}".TransportProtocol="${mtp_encrypt}"
+				uci -q set obuspa."${dhcp_mqtt}".ProtocolVersion='5.0'
 
 				if [ -z "${dhcp_mtp}" ]; then
 					sec=$(uci -q add obuspa mtp)
 					uci -q rename obuspa."${sec}"='dhcpmtp'
 					dhcp_mtp="dhcpmtp"
-					uci -q set obuspa.$dhcp_mtp.Enable='1'
+					uci -q set obuspa."${dhcp_mtp}".Enable='1'
 				fi
 
 				agent_topic=$(get_agent_topic)
-				uci -q set obuspa.$dhcp_mtp.Port=""
-				uci -q set obuspa.$dhcp_mtp.EnableEncryption=""
-				uci -q set obuspa.$dhcp_mtp.Protocol='MQTT'
-				uci -q set obuspa.$dhcp_mtp.ResponseTopicConfigured="${agent_topic}"
-				uci -q set obuspa.$dhcp_mtp.mqtt="${dhcp_mqtt}"
+				uci -q delete obuspa."${dhcp_mtp}".Port
+				uci -q delete obuspa."${dhcp_mtp}".EnableEncryption
+				uci -q set obuspa."${dhcp_mtp}".Protocol='MQTT'
+				uci -q set obuspa."${dhcp_mtp}".ResponseTopicConfigured="${agent_topic}"
+				uci -q set obuspa."${dhcp_mtp}".mqtt="${dhcp_mqtt}"
 
 				uci_change=1
 			fi
 		else
-			if [ "${ct_proto}" == "WebSocket" ]; then
-				conf_ip="$(uci -q get obuspa.$dhcp_controller.Host)"
-				conf_port="$(uci -q get obuspa.$dhcp_mtp.Port)"
-				conf_encr="$(uci -q get obuspa.$dhcp_mtp.EnableEncryption)"
+			if [ "${ct_proto}" = "WebSocket" ]; then
+				conf_ip="$(uci -q get obuspa."${dhcp_controller}".Host)"
+				conf_port="$(uci -q get obuspa."${dhcp_mtp}".Port)"
+				conf_encr="$(uci -q get obuspa."${dhcp_mtp}".EnableEncryption)"
 
 				if [ -n "${ip}" ] && [ "${conf_ip}" != "${ip}" ]; then
-					uci -q set obuspa.$dhcp_controller.Host="${ip}"
+					uci -q set obuspa."${dhcp_controller}".Host="${ip}"
 					uci_change=1
 				fi
 
 				if [ -n "${port}" ] && [ "${conf_port}" != "${port}" ]; then
-					uci -q set obuspa.$dhcp_mtp.Port="${port}"
-					uci -q set obuspa.$dhcp_controller.Port="${port}"
+					uci -q set obuspa."${dhcp_mtp}".Port="${port}"
+					uci -q set obuspa."${dhcp_controller}".Port="${port}"
 					uci_change=1
 				fi
 
 				if [ -n "${mtp_encrypt}" ] && [ "${conf_encr}" != "${mtp_encrypt}" ]; then
-					uci -q set obuspa.$dhcp_mtp.EnableEncryption="${mtp_encrypt}"
-					uci -q set obuspa.$dhcp_controller.EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa."${dhcp_mtp}".EnableEncryption="${mtp_encrypt}"
+					uci -q set obuspa."${dhcp_controller}".EnableEncryption="${mtp_encrypt}"
 					uci_change=1
 				fi
 			else
-				conf_ip="$(uci -q get obuspa.$dhcp_mqtt.BrokerAddress)"
-				conf_port="$(uci -q get obuspa.$dhcp_mqtt.BrokerPort)"
-				conf_encr="$(uci -q get obuspa.$dhcp_mqtt.TransportProtocol)"
+				conf_ip=$(uci -q get obuspa."${dhcp_mqtt}".BrokerAddress)
+				conf_port=$(uci -q get obuspa."${dhcp_mqtt}".BrokerPort)
+				conf_encr=$(uci -q get obuspa."${dhcp_mqtt}".TransportProtocol)
 
 				if [ -n "${port}" ] && [ "${conf_port}" != "${port}" ]; then
-					uci -q set obuspa.$dhcp_mqtt.BrokerPort="${port}"
+					uci -q set obuspa."${dhcp_mqtt}".BrokerPort="${port}"
 					uci_change=1
 				fi
 
 				if [ -n "${mtp_encrypt}" ] && [ "${conf_encr}" != "${mtp_encrypt}" ]; then
-					uci -q set obuspa.$dhcp_mqtt.TransportProtocol="${mtp_encrypt}"
+					uci -q set obuspa."${dhcp_mqtt}".TransportProtocol="${mtp_encrypt}"
 					uci_change=1
 				fi
 
 				if [ -n "${ip}" ] && [ "${conf_ip}" != "${ip}" ]; then
-					uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}"
+					uci -q set obuspa."${dhcp_mqtt}".BrokerAddress="${ip}"
 					uci_change=1
 				fi
 			fi
 		fi
 	else
-		uci -q del obuspa.dhcpmtp
-		uci -q del obuspa.dhcpmqtt
+		uci -q delete obuspa.dhcpmtp
+		uci -q delete obuspa.dhcpmqtt
 
 		sec=$(uci -q add obuspa controller)
 		uci -q rename obuspa."${sec}"='dhcpcontroller'
@@ -480,7 +480,7 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then
 		uci -q set obuspa.dhcpcontroller.Enable='1'
 
 		if [ -n "${offered_proto}" ]; then
-			if [ "${offered_proto}" == "MQTT" ]; then
+			if [ "${offered_proto}" = "MQTT" ]; then
 				user="$(uci -q get obuspa.global.username)"
 				pass="$(uci -q get obuspa.global.password)"
 

obuspa/files/etc/users/roles/02_untrusted.json

@@ -1,35 +0,0 @@
-{
-  "tr181": {
-    "name": "Untrusted",
-    "instance": 2,
-    "permission": [
-      {
-        "object": "Device.",
-        "perm": [
-          "PERMIT_NONE"
-        ]
-      },
-      {
-        "object": "Device.DeviceInfo.",
-        "perm": [
-          "PERMIT_GET",
-          "PERMIT_OBJ_INFO"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.ControllerTrust.RequestChallenge()",
-        "perm": [
-          "PERMIT_OPER",
-          "PERMIT_CMD_INFO"
-        ]
-      },
-      {
-        "object": "Device.LocalAgent.ControllerTrust.RequestChallenge()",
-        "perm": [
-          "PERMIT_OPER",
-          "PERMIT_CMD_INFO"
-        ]
-      }
-    ]
-  }
-}

obuspa/files/etc/users/roles/untrusted.json

@@ -0,0 +1,6 @@
+{
+  "tr181": {
+    "name": "Untrusted",
+    "instance": 2
+  }
+}

obuspa/patches/0002-fix_e2e_session_init.patch

@@ -1,8 +1,8 @@
-Index: obuspa-10.0.4.0/src/core/device_controller.c
+Index: obuspa-10.0.5.0/src/core/device_controller.c
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/device_controller.c
-+++ obuspa-10.0.4.0/src/core/device_controller.c
-@@ -4214,6 +4214,14 @@ int ProcessControllerAdded(int cont_inst
+--- obuspa-10.0.5.0.orig/src/core/device_controller.c
++++ obuspa-10.0.5.0/src/core/device_controller.c
+@@ -4223,6 +4223,14 @@ int ProcessControllerAdded(int cont_inst
          goto exit;
      }
  
@@ -17,7 +17,7 @@ Index: obuspa-10.0.4.0/src/core/device_controller.c
      // Exit if unable to get the object instance numbers present in this controller's MTP table
      USP_SNPRINTF(path, sizeof(path), "%s.%d.MTP", device_cont_root, cont_instance);
      err = DATA_MODEL_GetInstances(path, &iv);
-@@ -4255,14 +4263,6 @@ int ProcessControllerAdded(int cont_inst
+@@ -4264,14 +4272,6 @@ int ProcessControllerAdded(int cont_inst
      DEVICE_MQTT_UpdateControllerTopics();
  #endif
  

obuspa/patches/0006-contains-expression.patch

@@ -1,7 +1,7 @@
-Index: obuspa-10.0.4.0/src/core/expr_vector.c
+Index: obuspa-10.0.5.0/src/core/expr_vector.c
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/expr_vector.c
-+++ obuspa-10.0.4.0/src/core/expr_vector.c
+--- obuspa-10.0.5.0.orig/src/core/expr_vector.c
++++ obuspa-10.0.5.0/src/core/expr_vector.c
 @@ -59,6 +59,7 @@ char *expr_op_2_str[kExprOp_Max] =
      "<",  // kExprOp_LessThan
      ">",  // kExprOp_GreaterThan
@@ -26,10 +26,10 @@ Index: obuspa-10.0.4.0/src/core/expr_vector.c
  
      // Exit if found the "<" operator
      op = strchr(buf, '<');
-Index: obuspa-10.0.4.0/src/core/path_resolver.c
+Index: obuspa-10.0.5.0/src/core/path_resolver.c
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/path_resolver.c
-+++ obuspa-10.0.4.0/src/core/path_resolver.c
+--- obuspa-10.0.5.0.orig/src/core/path_resolver.c
++++ obuspa-10.0.5.0/src/core/path_resolver.c
 @@ -1088,7 +1088,7 @@ int ResolveUniqueKey(char *resolved, cha
      char temp[MAX_DM_PATH];
      bool is_match;
@@ -38,7 +38,7 @@ Index: obuspa-10.0.4.0/src/core/path_resolver.c
 +    expr_op_t valid_ops[] = {kExprOp_Equal, kExprOp_NotEqual, kExprOp_LessThanOrEqual, kExprOp_GreaterThanOrEqual, kExprOp_LessThan, kExprOp_GreaterThan, kExprOp_Contains};
  
      // Exit if unable to find the end of the unique key
-     p = strchr(unresolved, ']');
+     p = TEXT_UTILS_StrStr(unresolved, "]");
 @@ -1754,6 +1754,67 @@ int DoUniqueKeysMatch(int index, search_
          }
          USP_ASSERT(gge->value != NULL);     // GROUP_GET_VECTOR_GetValues() should have set an error message if the vendor hook didn't set a value for the parameter
@@ -107,10 +107,10 @@ Index: obuspa-10.0.4.0/src/core/path_resolver.c
          // Determine the function to call to perform the comparison
          if (type_flags & (DM_INT | DM_UINT | DM_ULONG | DM_LONG | DM_DECIMAL))
          {
-Index: obuspa-10.0.4.0/src/include/usp_api.h
+Index: obuspa-10.0.5.0/src/include/usp_api.h
 ===================================================================
---- obuspa-10.0.4.0.orig/src/include/usp_api.h
-+++ obuspa-10.0.4.0/src/include/usp_api.h
+--- obuspa-10.0.5.0.orig/src/include/usp_api.h
++++ obuspa-10.0.5.0/src/include/usp_api.h
 @@ -106,6 +106,7 @@ typedef enum
      kExprOp_LessThan,               // '<'
      kExprOp_GreaterThan,            // '>'

obuspa/patches/1000-SecuredRole-bbfdm.patch

@@ -1,40 +1,40 @@
-Index: obuspa-10.0.4.0/src/core/device.h
+Index: obuspa-10.0.5.0/src/core/device.h
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/device.h
-+++ obuspa-10.0.4.0/src/core/device.h
-@@ -310,6 +310,8 @@ void DEVICE_CTRUST_ApplyPermissionsToSub
+--- obuspa-10.0.5.0.orig/src/core/device.h
++++ obuspa-10.0.5.0/src/core/device.h
+@@ -311,6 +311,9 @@ int DEVICE_CTRUST_InstSelToRoleInstance(
  char *DEVICE_CTRUST_InstSelToPermTarget(int role_index, void *is, int *perm_instance);
  int DEVICE_CTRUST_SetRoleParameter(int instance, char *param_name, char *new_value);
  int DEVICE_CTRUST_SetPermissionParameter(int instance1, int instance2, char *param_name, char *new_value);
++
 +bool DEVICE_CTRUST_IsControllerSecured(void);
 +
+ int DEVICE_CTRUST_DumpPermissionSelectors(int role_instance, char *path);
  int DEVICE_REQUEST_Init(void);
  int DEVICE_REQUEST_Add(char *path, char *command_key, int *instance);
- void DEVICE_REQUEST_OperationComplete(int instance, int err_code, char *err_msg, kv_vector_t *output_args);
-Index: obuspa-10.0.4.0/src/core/device_ctrust.c
+Index: obuspa-10.0.5.0/src/core/device_ctrust.c
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/device_ctrust.c
-+++ obuspa-10.0.4.0/src/core/device_ctrust.c
-@@ -236,6 +236,7 @@ credential_t *FindCredentialByCertInstan
+--- obuspa-10.0.5.0.orig/src/core/device_ctrust.c
++++ obuspa-10.0.5.0/src/core/device_ctrust.c
+@@ -246,6 +246,7 @@ credential_t *FindCredentialByCertInstan
  int Get_CredentialRole(dm_req_t *req, char *buf, int len);
  int Get_CredentialCertificate(dm_req_t *req, char *buf, int len);
  int Get_CredentialNumEntries(dm_req_t *req, char *buf, int len);
 +int Validate_SecuredRoles(dm_req_t *req, char *value);
+ void ApplySearchExpressionPermissions(char *path, inst_sel_t *sel);
+ bool ValidateDataModelPathSegment(char *segment, bool is_last, char *path);
+ 
+@@ -293,6 +294,9 @@ int DEVICE_CTRUST_Init(void)
+     // Create a timer which will be used to apply all modified permissions to the data model, after processing a USP Message
+     SYNC_TIMER_Add(ApplyModifiedPermissions, 0, END_OF_TIME);
  
- #ifndef REMOVE_DEVICE_SECURITY
- int InitChallengeTable();
-@@ -355,6 +356,10 @@ int DEVICE_CTRUST_Init(void)
-                         challenge_response_input_args, NUM_ELEM(challenge_response_input_args),
-                         NULL, 0);
- #endif
-+
 +    // Register Device.LocalAgent.ControllerTrust.SecuredRoles parameter
 +    err |= USP_REGISTER_DBParam_ReadWrite(DEVICE_CTRUST_ROOT ".SecuredRoles", "", Validate_SecuredRoles, NULL, DM_STRING);
 +
-     // Exit if any errors occurred
-     if (err != USP_ERR_OK)
-     {
-@@ -2939,3 +2944,139 @@ exit:
+     // Register parameters implemented by this component
+     // Device.LocalAgent.ControllerTrust.Role.{i}
+     err |= USP_REGISTER_Object(DEVICE_ROLE_ROOT, ValidateAdd_CTrustRole, NULL, Notify_CTrustRoleAdded,
+@@ -3533,3 +3537,139 @@ exit:
      return err;
  }
  #endif // REMOVE_DEVICE_SECURITY

obuspa/patches/1000-suppress-logs.patch

@@ -1,8 +1,8 @@
-Index: obuspa-10.0.0.2/src/core/cli_server.c
+Index: obuspa-10.0.7.0/src/core/cli_server.c
 ===================================================================
---- obuspa-10.0.0.2.orig/src/core/cli_server.c
-+++ obuspa-10.0.0.2/src/core/cli_server.c
-@@ -724,10 +724,6 @@ int ExecuteCli_Get(str_vector_t *args)
+--- obuspa-10.0.7.0.orig/src/core/cli_server.c
++++ obuspa-10.0.7.0/src/core/cli_server.c
+@@ -726,10 +726,6 @@ int ExecuteCli_Get(str_vector_t *args)
              USP_ASSERT(gge->value != NULL);
              SendCliResponse("%s => %s\n", gge->path, gge->value);
          }
@@ -13,11 +13,11 @@ Index: obuspa-10.0.0.2/src/core/cli_server.c
      }
  
      GROUP_GET_VECTOR_Destroy(&ggv);
-Index: obuspa-10.0.0.2/src/core/data_model.c
+Index: obuspa-10.0.7.0/src/core/data_model.c
 ===================================================================
---- obuspa-10.0.0.2.orig/src/core/data_model.c
-+++ obuspa-10.0.0.2/src/core/data_model.c
-@@ -1321,7 +1321,7 @@ int DATA_MODEL_NotifyInstanceAdded(char
+--- obuspa-10.0.7.0.orig/src/core/data_model.c
++++ obuspa-10.0.7.0/src/core/data_model.c
+@@ -1398,7 +1398,7 @@ int DATA_MODEL_NotifyInstanceAdded(char
      // Exit if instance already exists - nothing to do
      if (exists)
      {
@@ -26,7 +26,7 @@ Index: obuspa-10.0.0.2/src/core/data_model.c
          return USP_ERR_CREATION_FAILURE;
      }
  
-@@ -1409,7 +1409,7 @@ int DATA_MODEL_NotifyInstanceDeleted(cha
+@@ -1486,7 +1486,7 @@ int DATA_MODEL_NotifyInstanceDeleted(cha
      // Exit if instance does not exist - nothing to do
      if (exists == false)
      {
@@ -35,11 +35,11 @@ Index: obuspa-10.0.0.2/src/core/data_model.c
          return USP_ERR_OBJECT_DOES_NOT_EXIST;
      }
  
-diff --git a/src/core/mqtt.c b/src/core/mqtt.c
-index 388697a..444b4da 100644
---- a/src/core/mqtt.c
-+++ b/src/core/mqtt.c
-@@ -4020,7 +4020,7 @@ void MessageV5Callback(struct mosquitto *mosq, void *userdata, const struct mosq
+Index: obuspa-10.0.7.0/src/core/mqtt.c
+===================================================================
+--- obuspa-10.0.7.0.orig/src/core/mqtt.c
++++ obuspa-10.0.7.0/src/core/mqtt.c
+@@ -4070,7 +4070,7 @@ void MessageV5Callback(struct mosquitto
      if (mosquitto_property_read_string(props, RESPONSE_TOPIC,
              &response_info_ptr, false) == NULL)
      {

obuspa/patches/1001-use-datamodel-caching.patch

@@ -4,11 +4,11 @@ Date:   Wed Apr 30 17:18:27 2025 +0530
 
     1001-use-datamodel-caching.patch
 
-diff --git a/src/core/cli_server.c b/src/core/cli_server.c
-index da61c6f..abac7cb 100644
---- a/src/core/cli_server.c
-+++ b/src/core/cli_server.c
-@@ -511,6 +511,7 @@ int CLI_SERVER_ExecuteCliCommand(char *cmd_line)
+Index: obuspa-10.0.7.0/src/core/cli_server.c
+===================================================================
+--- obuspa-10.0.7.0.orig/src/core/cli_server.c
++++ obuspa-10.0.7.0/src/core/cli_server.c
+@@ -513,6 +513,7 @@ int CLI_SERVER_ExecuteCliCommand(char *c
          SendCliResponse("WARNING: Discarding unused args: %s\n", args.vector[cli_cmd->max_args+1]);
      }
  
@@ -16,7 +16,7 @@ index da61c6f..abac7cb 100644
      // Process command
      err = cli_cmd->exec_cmd(&args);
      print_help = false;
-@@ -670,6 +671,11 @@ int ExecuteCli_Version(str_vector_t *args)
+@@ -672,6 +673,11 @@ int ExecuteCli_Version(str_vector_t *arg
  int ExecuteCli_Get(str_vector_t *args)
  {
      combined_role_t *combined_role;
@@ -28,22 +28,22 @@ index da61c6f..abac7cb 100644
  #ifndef REMOVE_USP_BROKER
      char *arg1;
  
-diff --git a/src/core/data_model.h b/src/core/data_model.h
-index 7564127..2736d7c 100755
---- a/src/core/data_model.h
-+++ b/src/core/data_model.h
-@@ -405,5 +405,6 @@ int DM_PRIV_ReRegister_DBParam_Default(char *path, char *value);
+Index: obuspa-10.0.7.0/src/core/data_model.h
+===================================================================
+--- obuspa-10.0.7.0.orig/src/core/data_model.h
++++ obuspa-10.0.7.0/src/core/data_model.h
+@@ -417,5 +417,6 @@ int DM_PRIV_ReRegister_DBParam_Default(c
  bool DM_PRIV_IsChildNodeOf(dm_node_t *node, dm_node_t *parent_node);
  void DM_PRIV_GetAllEventsAndCommands(dm_node_t *node, str_vector_t *events, str_vector_t *commands);
  
 +int vendor_create_dm_cache(char *paths[], int num_paths);
  #endif
  
-diff --git a/src/core/handle_get.c b/src/core/handle_get.c
-index d9d3e9e..c263978 100644
---- a/src/core/handle_get.c
-+++ b/src/core/handle_get.c
-@@ -129,6 +129,7 @@ void MSG_HANDLER_HandleGet(Usp__Msg *usp, char *controller_endpoint, mtp_conn_t
+Index: obuspa-10.0.7.0/src/core/handle_get.c
+===================================================================
+--- obuspa-10.0.7.0.orig/src/core/handle_get.c
++++ obuspa-10.0.7.0/src/core/handle_get.c
+@@ -129,6 +129,7 @@ void MSG_HANDLER_HandleGet(Usp__Msg *usp
          goto exit;
      }
  
@@ -51,11 +51,11 @@ index d9d3e9e..c263978 100644
      // Calculate the number of hierarchical levels to traverse in the data model when performing partial path resolution
      // NOTE: protocol buffer has depth as an unsigned quantity, but internally we use a signed number, so limit range to that of a signed number
      depth = usp->body->request->get->max_depth;
-diff --git a/src/core/msg_handler.c b/src/core/msg_handler.c
-index 647591d..b7498d8 100755
---- a/src/core/msg_handler.c
-+++ b/src/core/msg_handler.c
-@@ -863,6 +863,8 @@ int HandleUspMessage(Usp__Msg *usp, char *endpoint_id, mtp_conn_t *mtpc)
+Index: obuspa-10.0.7.0/src/core/msg_handler.c
+===================================================================
+--- obuspa-10.0.7.0.orig/src/core/msg_handler.c
++++ obuspa-10.0.7.0/src/core/msg_handler.c
+@@ -987,6 +987,8 @@ int HandleUspMessage(Usp__Msg *usp, char
                  MSG_HANDLER_UspMsgTypeToString(usp->header->msg_type),
                  iso8601_cur_time(buf, sizeof(buf)) );
  

obuspa/patches/1003-ct-full-access-rename.patch

@@ -1,8 +1,8 @@
-Index: obuspa-10.0.0.2/src/core/data_model.c
+Index: obuspa-10.0.7.0/src/core/data_model.c
 ===================================================================
---- obuspa-10.0.0.2.orig/src/core/data_model.c
-+++ obuspa-10.0.0.2/src/core/data_model.c
-@@ -5347,7 +5347,7 @@ int RegisterDefaultControllerTrust(void)
+--- obuspa-10.0.7.0.orig/src/core/data_model.c
++++ obuspa-10.0.7.0/src/core/data_model.c
+@@ -5519,7 +5519,7 @@ int RegisterDefaultControllerTrust(void)
      int err = USP_ERR_OK;
  
      // Register 'Full Access' role

obuspa/patches/2001-validate-controller-mtp.patch

@@ -1,8 +1,8 @@
-Index: obuspa-10.0.4.0/src/core/device.h
+Index: obuspa-10.0.6.0/src/core/device.h
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/device.h
-+++ obuspa-10.0.4.0/src/core/device.h
-@@ -352,6 +352,10 @@ void DEVICE_CONTROLLER_SetInheritedRole(
+--- obuspa-10.0.6.0.orig/src/core/device.h
++++ obuspa-10.0.6.0/src/core/device.h
+@@ -355,6 +355,10 @@ void DEVICE_CONTROLLER_SetInheritedRole(
  int DEVICE_CONTROLLER_CountEnabledWebsockClientConnections(void);
  #endif
  
@@ -13,11 +13,11 @@ Index: obuspa-10.0.4.0/src/core/device.h
  #ifndef REMOVE_USP_BROKER
  int DEVICE_SUBSCRIPTION_RouteNotification(Usp__Msg *usp, int instance, char *subscribed_path);
  bool DEVICE_SUBSCRIPTION_MarkVendorLayerSubs(int broker_instance, subs_notify_t notify_type, char *path, int group_id);
-Index: obuspa-10.0.4.0/src/core/device_controller.c
+Index: obuspa-10.0.6.0/src/core/device_controller.c
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/device_controller.c
-+++ obuspa-10.0.4.0/src/core/device_controller.c
-@@ -968,6 +968,78 @@ int DEVICE_CONTROLLER_QueueBinaryMessage
+--- obuspa-10.0.6.0.orig/src/core/device_controller.c
++++ obuspa-10.0.6.0/src/core/device_controller.c
+@@ -969,6 +969,78 @@ int DEVICE_CONTROLLER_QueueBinaryMessage
      return USP_ERR_OK;
  }
  
@@ -96,11 +96,11 @@ Index: obuspa-10.0.4.0/src/core/device_controller.c
  /*********************************************************************//**
  **
  ** DEVICE_CONTROLLER_IsMTPConfigured
-Index: obuspa-10.0.4.0/src/core/msg_handler.c
+Index: obuspa-10.0.6.0/src/core/msg_handler.c
 ===================================================================
---- obuspa-10.0.4.0.orig/src/core/msg_handler.c
-+++ obuspa-10.0.4.0/src/core/msg_handler.c
-@@ -1220,6 +1220,15 @@ int ValidateUspRecord(UspRecord__Record
+--- obuspa-10.0.6.0.orig/src/core/msg_handler.c
++++ obuspa-10.0.6.0/src/core/msg_handler.c
+@@ -1344,6 +1344,15 @@ int ValidateUspRecord(UspRecord__Record
      usp_service_instance = USP_BROKER_GetUspServiceInstance(rec->from_id, 0);
  #endif
  

obuspa/patches/2002-max_controllers.patch

@@ -1,8 +1,8 @@
-Index: obuspa-10.0.0.1/src/core/mqtt.c
+Index: obuspa-10.0.6.0/src/core/mqtt.c
 ===================================================================
---- obuspa-10.0.0.1.orig/src/core/mqtt.c
-+++ obuspa-10.0.0.1/src/core/mqtt.c
-@@ -259,6 +259,8 @@ void MqttSubscriptionDestroy(mqtt_subscr
+--- obuspa-10.0.6.0.orig/src/core/mqtt.c
++++ obuspa-10.0.6.0/src/core/mqtt.c
+@@ -265,6 +265,8 @@ void SaveMqttPublishErrMsg(const char *f
  #define DEFINE_MQTT_TrustCertVerifyCallbackIndex(index) \
  int MQTT_TrustCertVerifyCallback_##index (int preverify_ok, X509_STORE_CTX *x509_ctx) \
  {\
@@ -11,7 +11,7 @@ Index: obuspa-10.0.0.1/src/core/mqtt.c
      return DEVICE_SECURITY_TrustCertVerifyCallbackWithCertChain(preverify_ok, x509_ctx, &mqtt_clients[index].cert_chain);\
  }
  
-@@ -269,6 +271,11 @@ DEFINE_MQTT_TrustCertVerifyCallbackIndex
+@@ -275,6 +277,11 @@ DEFINE_MQTT_TrustCertVerifyCallbackIndex
  DEFINE_MQTT_TrustCertVerifyCallbackIndex(2);
  DEFINE_MQTT_TrustCertVerifyCallbackIndex(3);
  DEFINE_MQTT_TrustCertVerifyCallbackIndex(4);
@@ -23,7 +23,7 @@ Index: obuspa-10.0.0.1/src/core/mqtt.c
  // Add more, with incrementing indexes here, if you change MAX_MQTT_CLIENTS
  
  //------------------------------------------------------------------------------------
-@@ -279,10 +286,15 @@ ssl_verify_callback_t* mqtt_verify_callb
+@@ -285,10 +292,15 @@ ssl_verify_callback_t* mqtt_verify_callb
      MQTT_TrustCertVerifyCallbackIndex(2),
      MQTT_TrustCertVerifyCallbackIndex(3),
      MQTT_TrustCertVerifyCallbackIndex(4),

obuspa/patches/2004-mqtt-dualstack-fallback.patch

@@ -1,7 +1,7 @@
-diff --git a/src/core/mqtt.c b/src/core/mqtt.c
-index 70978501b1..96119fe080 100644
---- a/src/core/mqtt.c
-+++ b/src/core/mqtt.c
+Index: obuspa-10.0.7.0/src/core/mqtt.c
+===================================================================
+--- obuspa-10.0.7.0.orig/src/core/mqtt.c
++++ obuspa-10.0.7.0/src/core/mqtt.c
 @@ -53,6 +53,7 @@
  #include <openssl/bio.h>
  #include <openssl/err.h>
@@ -10,7 +10,7 @@ index 70978501b1..96119fe080 100644
  #include <mosquitto.h>
  
  #include "mqtt.h"
-@@ -201,8 +202,9 @@ int EnableMosquitto(mqtt_client_t *client);
+@@ -206,8 +207,9 @@ int EnableMosquitto(mqtt_client_t *clien
  void SetupCallbacks(mqtt_client_t *client);
  void QueueUspConnectRecord_MQTT(mqtt_client_t *client, mtp_send_item_t *msi, char *controller_topic, time_t expiry_time);
  int SendQueueHead(mqtt_client_t *client);
@@ -21,7 +21,7 @@ index 70978501b1..96119fe080 100644
  int ConnectSetEncryption(mqtt_client_t *client);
  void ConnectCallback(struct mosquitto *mosq, void *userdata, int result);
  void ConnectV5Callback(struct mosquitto *mosq, void *userdata, int result, int flags, const mosquitto_property *props);
-@@ -245,7 +247,7 @@ void HandleMqttReconnect(mqtt_client_t *client);
+@@ -250,7 +252,7 @@ void HandleMqttReconnect(mqtt_client_t *
  void HandleMqttReconnectAfterDisconnect(mqtt_client_t *client);
  void HandleMqttDisconnect(mqtt_client_t *client);
  void DisconnectIfAllSubscriptionsFailed(mqtt_client_t *client);
@@ -30,7 +30,7 @@ index 70978501b1..96119fe080 100644
  void RemoveMqttQueueItem(mqtt_client_t *client, mqtt_send_item_t *queued_msg);
  void RemoveExpiredMqttMessages(mqtt_client_t *client);
  void ParseSubscribeTopicsFromConnack(mqtt_client_t *client, mosquitto_property *prop);
-@@ -2350,6 +2352,143 @@ int SendQueueHead(mqtt_client_t *client)
+@@ -2380,6 +2382,143 @@ int SendQueueHead(mqtt_client_t *client)
      return err;
  }
  
@@ -174,7 +174,7 @@ index 70978501b1..96119fe080 100644
  /*********************************************************************//**
  **
  ** IsMqttBrokerUp
-@@ -2364,109 +2503,92 @@ int SendQueueHead(mqtt_client_t *client)
+@@ -2394,109 +2533,92 @@ int SendQueueHead(mqtt_client_t *client)
  ** \return  true if the MQTT Broker is up, false otherwise
  **
  **************************************************************************/
@@ -343,7 +343,7 @@ index 70978501b1..96119fe080 100644
      }
  
      return result;
-@@ -2487,18 +2609,20 @@ void Connect(mqtt_client_t *client)
+@@ -2517,18 +2639,20 @@ void Connect(mqtt_client_t *client)
  {
      int err = USP_ERR_OK;
      bool is_up;
@@ -367,7 +367,7 @@ index 70978501b1..96119fe080 100644
  
      // Exit if failed to connect
      if (err != USP_ERR_OK)
-@@ -2531,7 +2655,7 @@ exit:
+@@ -2561,7 +2685,7 @@ exit:
  ** \return  USP_ERR_INTERNAL_ERROR if failed to connect (and should retry)
  **
  **************************************************************************/
@@ -376,7 +376,7 @@ index 70978501b1..96119fe080 100644
  {
      int version;
      mosquitto_property *proplist = NULL;
-@@ -2601,19 +2725,19 @@ int PerformMqttClientConnect(mqtt_client_t *client)
+@@ -2631,19 +2755,19 @@ int PerformMqttClientConnect(mqtt_client
      // We do this to prevent the data model thread from potentially being blocked, whilst the connect call is taking place
      OS_UTILS_UnlockMutex(&mqtt_access_mutex);
  

packet-capture-diagnostics/files/scripts/packetcapture

@@ -97,15 +97,13 @@ packet_capture_launch() {
 	fi
 
 	if [ -n "${interface}" ]; then
-		intf=$(ifstatus "${interface}" | jq ".l3_device")
+		intf=$(ifstatus "${interface}" | jsonfilter -e '$.l3_device')
 
 		if [ -z "${intf}" ]; then
 			# Error
 			packet_capture_error "Error_Internal" "${proto}"
 			return
 		fi
-
-		intf=$(eval echo "${intf}")
 	fi
 
 	cmd="timeout ${duration} tcpdump -w ${filename}"

parental-control/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=parental-control
-PKG_VERSION:=1.2.1
+PKG_VERSION:=1.3.2
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/network/parental-control.git
-PKG_SOURCE_VERSION:=120dbcd6508b817d2ce3d579a1bfbd5bfd1a44cb
+PKG_SOURCE_VERSION:=7ae6eaa6cc946ed05693bc84c61edbb16b1727bd
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -81,19 +81,20 @@ define Package/parental-control/install
 
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DATA) ./files/etc/uci-defaults/95-firewall_parentalcontrol.ucidefaults $(1)/etc/uci-defaults/
-	$(INSTALL_DATA) ./files/etc/uci-defaults/95-migrate_urlfilter.ucidefaults $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/35-migrate_urlfilter.ucidefaults $(1)/etc/uci-defaults/
 
 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
 	$(INSTALL_DATA) ./files/lib/upgrade/keep.d/parentalcontrol $(1)/lib/upgrade/keep.d/parentalcontrol
 
 	$(BBFDM_REGISTER_SERVICES) -v ${VENDOR_PREFIX} ./bbfdm_service.json $(1) parentalcontrol
 
+	$(INSTALL_DATA) ./files/etc/uci-defaults/40-parental_control_update_bundle_path $(1)/etc/uci-defaults/
 ifeq ($(CONFIG_PARENTAL_CONTROL_URLFILTERING),y)
-	$(INSTALL_DATA) ./files/etc/uci-defaults/55-add-default-bundles $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/50-parental_control_add_bundles $(1)/etc/uci-defaults/
 	$(CP) ./files/urlbundle_override.json $(1)/etc/parentalcontrol/
 else
 	$(BBFDM_INSTALL_MS_PLUGIN) -v ${VENDOR_PREFIX} ./files/urlbundle_override.json $(1) parentalcontrol
-	$(INSTALL_DATA) ./files/etc/uci-defaults/50-parental_control_urlfilter $(1)/etc/uci-defaults/
+	$(INSTALL_DATA) ./files/etc/uci-defaults/50-parental_control_disable_urlfilter $(1)/etc/uci-defaults/
 endif
 endef
 

parental-control/files/etc/config/parentalcontrol

@@ -1,4 +1,3 @@
 config globals 'globals'
-    option enable '0'
+    option enable '1'
     option loglevel '3'
-    option urlfilter '1'

parental-control/files/etc/firewall.parentalcontrol

@@ -5,19 +5,16 @@
 enabled="$(uci -q get parentalcontrol.globals.enable)"
 urlfilter="$(uci -q get parentalcontrol.globals.urlfilter)"
 
-# if parentalcontrol is  enabled, add the rules, else remove them
+# if parentalcontrol is enabled, add the rules, else remove them
 if [ "${enabled}" -eq "1" ]; then
+	# this is for internet_access and profile_bedtime_schedule sections
+	add_internet_schedule_rules
 	# this is for urlfilter daemon
-	add_iptables_nfqueue_rules
 	if [ "${urlfilter}" -eq "1" ]; then
-		# this for internet_access and profile_bedtime_schedule sections
-		add_internet_schedule_rules
+		add_iptables_nfqueue_rules
 	fi
 else
-	# remove urlfilter daemon rules
+	# remove internet_access and profile_bedtime_schedule rules
+	remove_internet_schedule_rules
 	remove_iptables_nfqueue_rules
-	if [ "${urlfilter}" -eq "1" ]; then
-		# remove internet_access and profile_bedtime_schedule rules
-		remove_internet_schedule_rules
-	fi
 fi

parental-control/files/etc/init.d/parentalcontrol

@@ -44,9 +44,11 @@ configure_fw_rules() {
 		else
 			# Now flush the existing connections, otherwise,
 			# URL filtering cannot be performed on already open sites.
-			if [ -n "$(which conntrack)" ]; then
-				sleep 5
-				conntrack -F
+			if which hw_nat > /dev/null 2>&1; then
+				hw_nat -! > /dev/null 2>&1
+			fi
+			if which conntrack > /dev/null 2>&1; then
+				flush_conntrack_for_hosts
 			fi
 
 			# this is for urlfilter daemon
@@ -83,14 +85,13 @@ start_service() {
 	config_load parentalcontrol
 	validate_global_section
 
-	[ -n "${bundle_path}" ] && mkdir -p ${bundle_path}
-
-	# add default bundles
-	process_default_bundles
 	# add firewall rules
 	configure_fw_rules
 
 	if [ "${urlfilter}" -eq "1" ]; then
+		# add default bundles
+		[ -n "${bundle_path}" ] && mkdir -p ${bundle_path}
+		process_default_bundles
 		enable_urlfilter_dm
 	else
 		disable_urlfilter_dm
@@ -100,7 +101,7 @@ start_service() {
 	# then /tmp/dhcp.leases will be empty until clients try to get a lease,
 	# in that case, hostnames will not be processed by the daemon,
 	# for this we copy /tmp/dhcp.leases to /etc/parentalcontrol/dhcp.leases
-	# which will be persistent acrros reboots and upgrade where settings are kept
+	# which will be persistent across reboots and upgrade (with keep settings)
 	# and will be used as a backup in case /tmp/dhcp.leases is empty
 	copy_dhcp_leases
 

parental-control/files/etc/uci-defaults/35-migrate_urlfilter.ucidefaults

@@ -2,6 +2,8 @@
 
 . /lib/functions.sh
 
+[ ! -f "/etc/config/urlfilter" ] && exit 0
+
 # Convert URL filter to parental control format
 urlfilter_config="/etc/config/urlfilter"
 parentalcontrol_config="/etc/config/parentalcontrol"

parental-control/files/etc/uci-defaults/40-parental_control_update_bundle_path

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+[ ! -f "/etc/config/parentalcontrol" ] && exit 0
+
+APPS_DIR="/apps"
+
+check_mounted_app_partition() {
+	local free
+
+	if [ ! -d "${APPS_DIR}" ]; then
+		return 1
+	fi
+
+	# Check free space in disk
+	free="$(df -P "${APPS_DIR}"|tail -n 1|awk '{print $4}')"
+
+	# disable if free storage is less then 300M
+	if [ "${free}" -lt 307200 ]; then
+		return 1
+	fi
+
+	return 0
+}
+
+
+if check_mounted_app_partition; then
+	uci -q set parentalcontrol.globals.bundle_path="${APPS_DIR}/parentalcontrol"
+
+	# configure the urlfilter if not configured
+	urlfilter="$(uci -q get parentalcontrol.globals.urlfilter)"
+	if [ -z "${urlfilter}" ]; then
+		uci -q set parentalcontrol.globals.urlfilter='1'
+	fi
+else
+	uci -q set parentalcontrol.globals.urlfilter='0'
+fi
+
+exit 0

parental-control/files/etc/uci-defaults/50-parental_control_add_bundles

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+[ ! -f "/etc/config/parentalcontrol" ] && exit 0
+
+COUNT=1
+
+add_urlbundle()
+{
+	local name url
+
+	url="${1}"; shift
+	name="$*"
+
+	uci -q set parentalcontrol.urlbundle_${COUNT}=urlbundle
+	uci -q set parentalcontrol.urlbundle_${COUNT}.name="${name}"
+	uci -q set parentalcontrol.urlbundle_${COUNT}.download_url="${url}"
+
+	COUNT="$((COUNT+1))"
+}
+
+urlfilter="$(uci -q get parentalcontrol.globals.urlfilter)"
+if [ "${urlfilter}" -eq "1" ]; then
+	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt" "Abuse"
+	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt" "Ads"
+	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/crypto-nl.txt" "Crypto"
+	add_urlbundle "https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt" "Drugs"
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt' "Everything else"
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/facebook-nl.txt' 'Facebook/Instagram'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt' 'Fraud'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt' 'Gambling'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt' 'Malware'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt' 'Phishing'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/piracy-nl.txt' 'Piracy'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt' 'Porn'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt' 'Ransomware'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt' 'Redirect'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt' 'Scam'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt' 'TikTok'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/torrent-nl.txt' 'Torrent'
+	add_urlbundle 'https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt' 'Tracking'
+fi
+
+exit 0

parental-control/files/etc/uci-defaults/50-parental_control_disable_urlfilter

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+[ ! -f "/etc/config/parentalcontrol" ] && exit 0
+
+uci -q set parentalcontrol.globals.urlfilter='0'
+
+_delete_urlbundle() {
+	uci_remove parentalcontrol "${1}"
+}
+
+config_load "parentalcontrol"
+config_foreach _delete_urlbundle urlbundle

parental-control/files/etc/uci-defaults/50-parental_control_urlfilter

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-. /lib/functions.sh
-
-[ ! -f "/etc/config/parentalcontrol" ] && exit 0
-
-uci -q set parentalcontrol.globals.urlfilter='0'

parental-control/files/etc/uci-defaults/55-add-default-bundles

@@ -1,40 +0,0 @@
-#!/bin/sh
-
-COUNT=1
-
-add_urlbundle()
-{
-	local enabled name url
-
-	enabled="${1}"; shift
-	url="${1}"; shift
-	name="${@}"
-
-	uci -q set parentalcontrol.urlbundle_${COUNT}=urlbundle
-	uci -q set parentalcontrol.urlbundle_${COUNT}.enable="${enabled}"
-	uci -q set parentalcontrol.urlbundle_${COUNT}.name="${name}"
-	uci -q set parentalcontrol.urlbundle_${COUNT}.download_url="${url}"
-
-	COUNT="$((COUNT+1))"
-}
-
-add_urlbundle "0" "https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt" "Abuse"
-add_urlbundle "0" "https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt" "Ads"
-add_urlbundle "0" "https://blocklistproject.github.io/Lists/alt-version/crypto-nl.txt" "Crypto"
-add_urlbundle "1" "https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt" "Drugs"
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt' "Everything else"
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/facebook-nl.txt' 'Facebook/Instagram'
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt' 'Fraud'
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt' 'Gambling'
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt' 'Malware'
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt' 'Phishing'
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/piracy-nl.txt' 'Piracy'
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt' 'Porn'
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt' 'Ransomware'
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt' 'Redirect'
-add_urlbundle "1" 'https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt' 'Scam'
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt' 'TikTok'
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/torrent-nl.txt' 'Torrent'
-add_urlbundle "0" 'https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt' 'Tracking'
-
-exit 0

parental-control/files/lib/parentalcontrol/parentalcontrol.sh

@@ -13,7 +13,10 @@ IP_RULE=""
 ACL_FILE=""
 parentalcontrol_ipv4_forward=""
 parentalcontrol_ipv6_forward=""
-default_bundle_dir="/tmp/parentalcontrol/default/"
+
+bundle_path="$(uci -q get parentalcontrol.globals.bundle_path)"
+
+default_bundle_dir="${bundle_path}/default/"
 bundle_archive="/etc/parentalcontrol/urlbundles.tar.xz"
 
 log() {
@@ -255,7 +258,9 @@ handle_schedule() {
 			schedule_added="1"
 		fi
 
-		target="ACCEPT"
+		# internet_access has been updated to be internet_break
+		# so drop traffic during the schedule, and allow outside the schedule
+		target="DROP"
 
 		config_get local_start_time "$schedule_section" "start_time" "00:00"
 		config_get duration "$schedule_section" "duration"
@@ -362,11 +367,6 @@ handle_internet_break() {
 			config_load "schedules"
 			config_foreach handle_schedule schedule "schedule" "$schedule_ref"
 		fi
-
-		# for access rule to work, need to have default drop rule as last rule
-		if [ "$schedule_added" = "1" ]; then
-			add_access_rule "$ACCESS_RULE" "" "" "" "DROP"
-		fi
 	done
 }
 
@@ -438,15 +438,31 @@ add_internet_schedule_rules() {
 }
 
 add_iptables_nfqueue_rules() {
-	iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
-	if [ "$?" -ne 0 ]; then
-		# setup netfilter queue 0, use queue bypass so that if no application is
-		# listening to this queue then traffic is unaffected.
-		iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+	local filter_used
 
-		iptables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+	# Check if urlfilter used
+	if ! uci show parentalcontrol | grep -q profile_urlfilter; then
+		return
+	fi
+
+	# IPv4 rules
+	iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
+	if [ "$?" -ne 0 ]; then
+		# capture DNS responses (UDP/TCP sport 53) in FORWARD
+		iptables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+		# INPUT: DNS replies to router, skip loopback
+		iptables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+		# OUTPUT: DNS replies from router, skip loopback
+		iptables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+		# HTTP/HTTPS flows for urlfilter
+		iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		# disable acceleration for https packet so that they can be read by urlfilter
 		ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
@@ -454,14 +470,24 @@ add_iptables_nfqueue_rules() {
 		ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
 	fi
 
-	ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
+	# IPv6 rules
+	ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
 	if [ "$?" -ne 0 ]; then
-		#ip6table rules
-		ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+		# capture DNS responses (UDP/TCP sport 53) in FORWARD
+		ip6tables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
 
-		ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		# INPUT: DNS replies to router, skip loopback
+		ip6tables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+		# OUTPUT: DNS replies from router, skip loopback
+		ip6tables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+		# HTTP/HTTPS flows for urlfilter
+		ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		# disable acceleration for https packet so that they can be read by urlfilter
 		ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
@@ -471,26 +497,38 @@ add_iptables_nfqueue_rules() {
 }
 
 remove_iptables_nfqueue_rules() {
-	iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
+	iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
 	if [ "$?" -eq 0 ]; then
-		iptables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+		# DNS response rules
+		iptables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D INPUT  -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D INPUT  -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
 
-		iptables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		iptables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		# HTTP/HTTPS
+		iptables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+		iptables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
 		ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
 		ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
 	fi
-	ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
-	if [ "$?" -eq 0 ]; then
-		#ip6table rules
-		ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 
-		ip6tables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
-		ip6tables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+	ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
+	if [ "$?" -eq 0 ]; then
+		# DNS response rules
+		ip6tables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D INPUT  -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D INPUT  -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+		# HTTP/HTTPS
+		ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+		ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
 
 		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
 		ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
@@ -513,6 +551,62 @@ remove_internet_schedule_rules() {
 	fi
 }
 
+# Global array for resolved IPs
+URLFILTER_IPS=""
+
+# Resolve hostname or MAC to IP from lease_file
+get_host_ip() {
+	local host="$1"
+	local ip
+	local lease_file="/tmp/dhcp.leases"
+
+	[ -f "$lease_file" ] || lease_file="/etc/parentalcontrol/dhcp.leases"
+	[ -f "$lease_file" ] || { log "Error: get_host_ip(): No DHCP lease file found."; return 1; }
+
+	# try DHCP lease lookup
+	ip="$(awk -v h="$host" '
+	{
+		mac=$2; ipaddr=$3; name=$4
+		if (h == name || h == mac) { print ipaddr; exit }
+	}' "$lease_file")"
+
+	[ -n "$ip" ] && URLFILTER_IPS="$URLFILTER_IPS $ip"
+}
+
+# Process each profile section
+resolve_profile_hosts() {
+	local section="$1"
+	local hostlist
+
+	config_get hostlist "$section" host
+	[ -z "$hostlist" ] && return
+
+	for h in $hostlist; do
+		get_host_ip "$h"
+	done
+}
+
+# Main function to collect IPs and delete conntrack entries
+flush_conntrack_for_hosts() {
+	URLFILTER_IPS=""
+	local count max
+
+	config_foreach resolve_profile_hosts profile
+
+	URLFILTER_IPS="$(echo "$URLFILTER_IPS" | tr ' ' '\n' | sort -u | xargs)"
+	for ip in $URLFILTER_IPS; do
+		count=0
+		max=1000
+		while conntrack -D -s "$ip" >/dev/null 2>&1; do
+			count=$((count+1))
+			if [ $count -ge $max ]; then
+				log "Warning: Forced to stop conntrack delete after $max deletions for $ip (possible loop)"
+				break
+			fi
+		done
+	done
+}
+
 OVERRIDE_JSON="/etc/parentalcontrol/urlbundle_override.json"
 DM_PLUGIN_PATH="/usr/share/bbfdm/micro_services/parentalcontrol/urlbundle_override.json"
 

parental-control/files/lib/parentalcontrol/sync_bundles.sh

@@ -3,12 +3,31 @@
 . /lib/functions.sh
 
 LOCKFILE="/tmp/sync_bundles.lock"
+log_level="$(uci -q get parentalcontrol.globals.loglevel)"
+log_level="${log_level:-1}"
+DEBUG=0
+
+log_err() {
+	logger -t urlfilter.sync -p error "$*"
+	if [ "${DEBUG}" -eq "1" ]; then
+		echo "#ERR# $* #" >/dev/console
+	fi
+}
+
+log_info() {
+	if [ "${log_level}" -gt 3 ]; then
+		logger -t urlfilter.sync -p info "$*"
+	fi
+	if [ "${DEBUG}" -eq "1" ]; then
+		echo "#INFO# $* #" >/dev/console
+	fi
+}
 
 # this script handles syncing bundles
 # if its a remote file, then it would be downloaded and placed in bundle_dir
 bundle_path="$(uci -q get parentalcontrol.globals.bundle_path)"
 if [ -z "${bundle_path}" ]; then
-	bundle_path="/tmp/parentalcontrol"
+	return 0
 fi
 
 stringstore_dir="${bundle_path}/stringstore"
@@ -38,15 +57,15 @@ update_bundle_file_from_url() {
 
 	available_memory=$(df "$bundle_dir" | tail -n 1 | awk '{print $(NF-2)}') # Available memory in 1K blocks
 	local needed_blocks=$((bundle_file_size / 1024)) # Convert bundle_file_size to 1K blocks
-	local max_size=$((10 * 1024 * 1024)) # 10MB in bytes
+	local max_size=$((50 * 1024 * 1024)) # 50MB in bytes
 
 	if [ "$available_memory" -le "$needed_blocks" ]; then
-		logger -p info "Error: Not enough disk space for bundle: ${bundle_name}"
+		log_info "Error: Not enough disk space for bundle: ${bundle_name}"
 		return 1
 	fi
 
 	if [ "$bundle_file_size" -gt "$max_size" ]; then
-		logger -p info "update_bundle_file_from_url: Error: File size for ${bundle_name} exceeds 10MB"
+		log_info "update_bundle_file_from_url: Error: File size for ${bundle_name} exceeds 10MB"
 		return 1
 	fi
 
@@ -57,7 +76,7 @@ update_bundle_file_from_url() {
 	else
 		# Random delay (0-5s) before starting the download
 		local delay=$((RANDOM % 6))
-		logger -p info "update_bundle_file_from_url: Waiting ${delay}s before downloading..."
+		log_info "update_bundle_file_from_url: Waiting ${delay}s before downloading..."
 		sleep "$delay"
 
 		# Retry logic with exponential backoff
@@ -65,12 +84,11 @@ update_bundle_file_from_url() {
 		local attempt=1
 		local success=0
 		while [ $attempt -le 3 ]; do
-			curl -s -o "$temp_file" "$download_url"
-			if [ $? -eq 0 ]; then
+			if curl -s -o "$temp_file" "$download_url"; then
 				success=1
 				break
 			else
-				logger -p info "update_bundle_file_from_url: Download failed. Retrying $attempt ..."
+				log_info "update_bundle_file_from_url: Download failed. Retrying $attempt ..."
 				local backoff=$(( (2 ** attempt) + (RANDOM % 3) )) # Exponential backoff + 0-2s jitter
 				sleep "$backoff"
 			fi
@@ -78,7 +96,7 @@ update_bundle_file_from_url() {
 		done
 
 		if [ $success -ne 1 ]; then
-			logger -p info "update_bundle_file_from_url: Failed to download bundle: ${bundle_name}"
+			log_info "update_bundle_file_from_url: Failed to download bundle: ${bundle_name}"
 			rm -f "$temp_file"
 			return 1
 		fi
@@ -89,7 +107,7 @@ update_bundle_file_from_url() {
 	local final_path="${bundle_dir}/${bundle_file_name}"
 	if [[ "$file_path" =~ \.xz$ ]]; then
 		if ! xz -dc "$file_path" > "$final_path"; then
-			logger -p info "update_bundle_file_from_url: Decompression failed."
+			log_info "update_bundle_file_from_url: Decompression failed."
 			rm -f "$final_path"
 			rm -f "$file_path"
 			return 1
@@ -98,7 +116,7 @@ update_bundle_file_from_url() {
 		rm -f "$file_path"
 	elif [[ "$file_path" =~ \.gz$ ]]; then
 		if ! gzip -dc "$file_path" > "$final_path"; then
-			logger -p info "update_bundle_file_from_url: Decompression failed."
+			log_info "update_bundle_file_from_url: Decompression failed."
 			rm -f "$final_path"
 			rm -f "$file_path"
 			return 1
@@ -134,7 +152,6 @@ handle_download_url() {
 	local file_name="${sanitized_url##*/}" # Get everything after the last '/'
 
 	local bundle_file_name="${file_name}.urlbundle"
-	local unprocessed_file=0
 	local file_path="${sanitized_url#file://}"
 
 	if echo "$sanitized_url" | grep -qE "^https?://|^file://"; then
@@ -153,7 +170,7 @@ handle_download_url() {
 		fi
 
 		if [ -n "$previous_bundle_size" ] && [ "$bundle_file_size" -eq "$previous_bundle_size" ]; then
-			return
+			return 0
 		fi
 
 		if echo "$sanitized_url" | grep -q "^file://" && ! echo "$sanitized_url" | grep -Eq "\.(xz|gz)$"; then
@@ -161,7 +178,7 @@ handle_download_url() {
 			sed -i "/^${bundle_file_name} /d" "$bundle_sizes"
 			echo "$bundle_file_name $bundle_file_size" >> "$bundle_sizes"
 			ubus send "parentalcontrol.bundle.update" "{\"bundle_file_path\":\"${file_path}\",\"bundle_name\":\"${bundle_name}\"}"
-			return
+			return 0
 		fi
 
 		# Remove existing entries
@@ -173,11 +190,9 @@ handle_download_url() {
 		update_bundle_file_from_url "$sanitized_url" "$bundle_file_name" "$bundle_file_size" "$bundle_name" "$file_name"
 		return $?
 	else
-		logger -p info "Error: Unsupported URL format for ${bundle_file_name}"
+		log_info "Error: Unsupported URL format for ${bundle_file_name}"
 		return 1
 	fi
-
-	return 0
 }
 
 cleanup_bundle_files() {
@@ -189,7 +204,7 @@ cleanup_bundle_files() {
 	get_download_url() {
 		local section="$1"
 		config_get url "$section" download_url
-		config_get_bool enable "$1" enable 0
+		config_get_bool enable "$1" enable 1
 
 		if [ "${enable}" -eq 0 ]; then
 			# bundle is disabled
@@ -222,46 +237,56 @@ cleanup_bundle_files() {
 	done
 }
 
+cleanup_bundle_sizes() {
+	downloaded_bundle_names="$(cat "$bundle_sizes" | cut -d '.' -f 1)"
+
+	for name in $downloaded_bundle_names; do
+		if ls ${stringstore_dir}/${name}* 2>&1 | grep -qF '.store'; then
+			if ls ${stringstore_dir}/${name}* 2>&1 | grep -q cmph; then
+				continue
+			fi
+		fi
+
+		sed -i "/$name/d" "$bundle_sizes"
+	done
+}
+
 # Main handler for all profile URL bundles
 handle_filter_for_bundles() {
 	local urlfilter
 
 	urlfilter="$(uci -q get parentalcontrol.globals.urlfilter)"
+	# if urlfilter is not enabled, then return
 	if [ "${urlfilter}" -ne "1" ]; then
-		logger -p info "urlbundle not supported"
-		return
-	fi
-
-	ubus -t 20 wait_for bbfdm.parentalcontrol
-
-	if [ "$?" -ne 0 ]; then
-		logger -p error "bbfdm.parentalcontrol object not found"
-		return
+		log_info "urlfilter feature not enabled"
+		return 0
 	fi
 
 	initialize_environment
 
 	cleanup_bundle_files "$bundle_dir"
 	cleanup_bundle_files "$stringstore_dir"
+	cleanup_bundle_sizes
 
 	config_load parentalcontrol
 
 	config_get_bool enable globals enable 0
 	if [ "${enable}" -eq 0 ]; then
+		log_info "parental-control feature not enabled"
 		# Parental control is disabled
 		return 0
 	fi
 
-	local profile enable bundles bundle_name download_url
-
 	check_bundle_exists() {
-		local cfg="$1"
+		local enable download_url name cfg
+
+		cfg="$1"
 		config_get name "$cfg" name
-		config_get_bool enable "$cfg" enable 0
+		config_get_bool enable "$cfg" enable 1
 		config_get download_url "$cfg" download_url
 
 		if [ "${enable}" -eq 0 ]; then
-			# bundle is disabled
+			log_info "Skipping bundle ${name} not enabled"
 			return 0
 		fi
 
@@ -282,6 +307,6 @@ handle_filter_for_bundles() {
 # Open file descriptor 200 for locking
 exec 200>"$LOCKFILE"
 # Try to acquire an exclusive lock; exit if another instance is running
-flock -n 200 || { logger -p info "sync_bundles.sh is already running, exiting."; exit 1; }
+flock -n 200 || { log_info "sync_bundles.sh is already running, exiting."; exit 1; }
 
 handle_filter_for_bundles

passwdqc/Makefile

@@ -39,9 +39,6 @@ define Package/$(PKG_NAME)/install
 
 	$(INSTALL_DIR) $(1)/usr/lib/security
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/pam_passwdqc.so $(1)/usr/lib/security/
-
-	$(INSTALL_DIR) $(1)/etc/uci-defaults/
-	$(INSTALL_BIN) ./files/passwdqc.uci_default $(1)/etc/uci-defaults/99-add_passwdqc_pam
 endef
 
 $(eval $(call BuildPackage,$(PKG_NAME)))

passwdqc/files/passwdqc.uci_default

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-CONFIG_FILE="/etc/pam.d/common-password"
-# for some reason setting to 8 makes passwdqc accept minimum 12 letter password with this configuration
-# if we set it to 12 then we need atleast 16 characters and so on
-# passphrase = 0 means no space separated words
-# rest can be figured out from passwdqc man page
-MODULE_LINE="password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=20 passphrase=0 retry=3 enforce=everyone"
-
-# Ensure the file exists before modifying
-[ -f "$CONFIG_FILE" ] || exit 0
-
-# Check if pam_passwdqc is already in the file
-if ! grep -q "pam_passwdqc.so" "$CONFIG_FILE"; then
-    # Insert before pam_unix.so
-    sed -i "/pam_unix.so/ i\\$MODULE_LINE" "$CONFIG_FILE"
-fi
-
-exit 0

periodicstats/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=periodicstats
-PKG_VERSION:=1.5.18
+PKG_VERSION:=1.6.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/periodicstats.git
-PKG_SOURCE_VERSION:=2772d77bd477adfdf513499fda11397107996d21
+PKG_SOURCE_VERSION:=63c65f55d00442f5bc1f5a3100abf94e52cd0075
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

peripheral_manager/Makefile

@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2019 iopsys
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=peripheral_manager
-PKG_VERSION:=1.0.6
-PKG_RELEASE:=1
-
-PKG_SOURCE_VERSION:=21522c2003b8c61904acc61ff97e54fc9b0c3c92
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/peripheral-manager
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MIRROR_HASH:=skip
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-
-PKG_LICENSE:=GPLv2
-PKG_LICENSE_FILES:=LICENSE
-
-# support parallel build
-PKG_BUILD_PARALLEL:=1
-
-# run install target when cross compiling. basically, make install DESTDIR=$(PKG_INSTALL_DIR)
-# this way we don't need to pick out the resulting files from the build dir.
-PKG_INSTALL:=1
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-define Package/peripheral_manager
-	CATEGORY:=Utilities
-	TITLE:=Application deamon for handling of peripheral
-	URL:=
-	DEPENDS:=+libuci +libubus +libblobmsg-json
-endef
-
-define Package/peripheral_manager/description
-	Application handling peripheral
-endef
-
-CMAKE_OPTIONS +=  \
-		-DCMAKE_BUILD_TYPE:String="Release" \
-
-define Package/peripheral_manager/install
-	$(CP) ./files/* $(1)/
-	$(INSTALL_DIR) $(1)/etc/
-	$(INSTALL_DIR) $(1)/etc/init.d/
-	$(INSTALL_DIR) $(1)/sbin
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/peripheral_manager $(1)/sbin/
-#	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gpio_test $(1)/sbin/
-endef
-
-$(eval $(call BuildPackage,peripheral_manager))

peripheral_manager/files/etc/init.d/ledmngr

@@ -1,62 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=20
-USE_PROCD=1
-
-setled() {
-	local enable
-	local brightness
-
-	config_get_bool enable $1 enable 1
-	config_get brightness $1 brightness 100
-	ubus call led.$1 set "{\"enable\":$enable,\"brightness\":$brightness}"
-}
-
-start_service() {
-	local enable
-
-	config_load leds
-	config_foreach setled led
-	config_get_bool enable leds enable 1
-
-	if [ "$enable" == "0" ]; then
-		ubus call leds set  '{"state" : "alloff"}'
-	else
-		ubus call leds set  '{"state" : "normal"}'
-	fi
-}
-
-boot() {
-	local led ledname
-
-	ubus list led* >/dev/null || sleep 1
-	ubus list led* >/dev/null || sleep 1
-
-	[ -f /etc/config/leds ] || touch /etc/config/leds
-
-	if ! uci -q get leds.leds >/dev/null; then
-		uci set leds.leds=leds
-		uci set leds.leds.enable=1
-	fi
-
-	for led in $(ubus list led.*); do
-		ledname=${led:4}
-		case $ledname in
-			*phy*) continue ;;
-		esac
-		if ! uci -q  get leds.$ledname >/dev/null; then
-			uci set leds.$ledname=led
-			uci set leds.$ledname.enable=1
-		fi
-	done
-
-	uci commit leds
-
-	start
-}
-
-service_triggers()
-{
-	procd_add_reload_trigger "leds"
-}
-

peripheral_manager/files/etc/init.d/peripheral_manager

@@ -1,25 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=12
-STOP=89
-
-USE_PROCD=1
-NAME=peripheral_manager
-PROG=/sbin/peripheral_manager
-
-start_service() {
-	procd_open_instance
-	procd_set_param command "$PROG" -f
-	procd_set_param respawn
-	procd_close_instance
-}
-
-service_running() {
-	ubus -t 2 wait_for led.status
-	ubus call led.status set '{"state":"notice"}'
-	ubus -t 2 wait_for buttons
-}
-
-stop_service() {
-    ubus call leds set '{"state":"alloff"}'
-}

peripheral_manager/files/sbin/ledctl

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-usage () {
-	echo "Usage: ledctl [normal|test|allon|alloff|production]"
-	exit 1
-}
-
-[ $# -ne 1 ] && usage
-ledstate=$(echo $1 | tr 'A-Z' 'a-z')
-
-case $ledstate in
-	normal|test|allon|alloff|production)
-		ubus call leds set "{\"state\" : \"$ledstate\"}"
-	;;
-	*)
-		usage
-	;;
-esac
-