2025-03-09 15:40:03 +00:00
903 changed files with 66043 additions and 165628 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,99 +1,751 @@
-version: 2.1
+version: 2
 commands:
  set_environment_vars:
    steps:
    - run:
        command: |
          echo "export REPO_URL=https://github.com/ysurac/openmptcprouter" >> $BASH_ENV
 jobs:
-  build:
+  prepare:
-    environment:
+    machine:
-      REPO_URL: https://github.com/ysurac/openmptcprouter
+      image: ubuntu-1604:201903-01
-      SOURCE_NAME: ${{ steps.branch_name.outputs.SOURCE_NAME }}
+
-      GITHUB_WORKSPACE: ${{ steps.branch_name.outputs.WORKSPACE }}
+    working_directory: ~/
-      OMR_FEED_URL: https://github.com/ysurac/openmptcprouter-feeds
+
      OMR_TARGET: << parameters.OMR_TARGET >>
      OMR_KERNEL: << parameters.OMR_KERNEL >>
      OMR_HOST: ${{ secrets.OMR_HOST }}
      OMR_PORT: ${{ secrets.OMR_PORT }}
      SOURCE_BRANCH: ${{ steps.branch_name.outputs.SOURCE_BRANCH }}
      SOURCE_TAG: ${{ steps.branch_name.outputs.SOURCE_TAG }}
      ARGS: -av --delete-after
      TARGET: deploy/release/${{steps.branch_name.outputs.SOURCE_TAG}}/${{matrix.OMR_TARGET}}
      SOURCE: ${{ steps.branch_name.outputs.SOURCE_NAME }}
      KEY: ${{ secrets.PRIVATE_KEY }}
      USER: deploy
      HOST: ${{ secrets.OMR_DEPLOY_HOST }}
      PORT: ${{ secrets.OMR_DEPLOY_PORT }}
    docker:
    - image: dkrecruseastamazonawscom/circlecigolangpr:current
    steps:
-    - checkout
+      - run:
-    - set_environment_vars
+          name: Prepare
-    - run:
+          command: |
-        command: |
+            sudo rm -rf /var/lib/apt/lists/lock
-          echo "SOURCE_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+            sudo apt-get update
-          echo "SOURCE_BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
+            sudo rm -rf /var/lib/apt/lists/lock
-          echo "SOURCE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+            sudo apt-get install -yq build-essential git unzip ncurses-dev libz-dev libssl-dev python subversion gettext gawk wget curl rsync perl libelf-dev python3.5 libpython3.5-stdlib liblzma-dev
-          echo "WORKSPACE=${GITHUB_WORKSPACE}" >> $GITHUB_OUTPUT
+            pyenv global 3.5.2
-    - run:
+
-        name: Prepare
+  build_x86_64:
-        command: |
+    machine:
-          sudo apt-get update
+      image: ubuntu-1604:201903-01
-          sudo apt-get install build-essential asciidoc binutils bzip2 gawk gettext
+
-          git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc-s1 libc6-dev-i386
+    environment:
-          subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev
+      - OMR_VERSION: $CIRCLE_TAG
-          texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake
+      - OMR_TARGET: x86_64
-          libtool autopoint device-tree-compiler python3-pyelftools
+      - OMR_KERNEL: 5.4
-    - run:
+
-        name: Free disk space
+    working_directory: ~/
-        command: |
+
-          df -h
+    steps:
-          sudo swapoff -a >/dev/null 2>&1 || true
+      - run:
-          sudo rm -f /swapfile >/dev/null 2>&1 || true
+          name: cache
-          sudo apt-get autoremove -y >/dev/null 2>&1 || true
+          command: |
-          sudo apt-get autoclean -y >/dev/null 2>&1 || true
+            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-          sudo rm -rf "/usr/local/share/boost" >/dev/null 2>&1 || true
+            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY" >/dev/null 2>&1 || true
+
-          sudo rm -rf /usr/share/dotnet >/dev/null 2>&1 || true
+      - restore_cache:
-          sudo rm -rf /usr/local/lib/android >/dev/null 2>&1 || true
+          keys:
-          sudo rm -rf /opt/ghc >/dev/null 2>&1 || true
+            - cache-{{ checksum "/tmp/cache-version" }}
-          sudo docker rmi $(docker images -qf "dangling=true") >/dev/null 2>&1 ||
+            - cache-{{ checksum "/tmp/cache-target" }}
-          true
+
-          df -h
+      - run:
-    - run:
+          name: Build toolchain
-        command: |
+          no_output_timeout: 50m
-          git clone $REPO_URL omr
+          command: |
-          if [ "$SOURCE_NAME" != "develop" ]; then
+            git clone https://github.com/ysurac/openmptcprouter || true
-              cd omr
+            cd openmptcprouter
-              pwd
+            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-              git fetch
+            git pull || true
-              git checkout master
+            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-          else
+            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-              cd omr
+            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-              git checkout develop
+            sudo apt-get update
-          fi
+            sudo apt-get install -yq libelf-dev
-          git pull
+            pyenv global 3.5.2
-          pwd
+            sh build.sh prepare {tools,toolchain}/install -j2
-          OMR_KERNEL="${OMR_KERNEL}" OMR_FEED_SRC="${SOURCE_NAME}" sh build.sh prepare
+            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-          {tools,toolchain}/install -j$(nproc) || OMR_KERNEL="${OMR_KERNEL}" OMR_FEED_SRC="${SOURCE_NAME}"
+            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-          sh build.sh prepare {tools,toolchain}/install -j1 V=s
+
-          make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source package/{compile,install,index}
+      - save_cache:
-          -j$(nproc) || make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source package/{compile,install,index}
+          key: cache-{{ checksum "/tmp/cache-target" }}
-          -j1 V=s
+          paths:
-          make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source target/install -j$(nproc)
+            - openmptcprouter
-          || make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source target/install
+
-          -j1 V=s
+      - run:
-          mv ${OMR_TARGET}/${OMR_KERNEL}/source/bin ${GITHUB_WORKSPACE}/
+          name: Build
-    - store_artifacts:
+          no_output_timeout: 50m
-        path: /home/runner/work/omr/${{ matrix.OMR_TARGET }}/${{ matrix.OMR_KERNEL
+          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/install -j2
-          }}/source/bin
+
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_x86:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: x86
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_rpi3:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: rpi3
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_espressobin:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: espressobin
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_r2s:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: r2s
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_rpi4:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: rpi4
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_rpi2:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: rpi2
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile package/compile target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_bpi-r2:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: bpi-r2
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: |
            sudo apt-get update
            sudo apt-get -yq install swig2.0
            make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_wrt3200acm:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_TARGET: wrt3200acm
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
  build_wrt32:
    machine:
      image: ubuntu-1604:201903-01
    environment:
      - OMR_VERSION: $CIRCLE_TAG
      - OMR_KERNEL: 5.4
    working_directory: ~/
    steps:
      - run:
          name: cache
          command: |
            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
      - restore_cache:
          keys:
            - cache-{{ checksum "/tmp/cache-version" }}
            - cache-{{ checksum "/tmp/cache-target" }}
      - run:
          name: Build toolchain wrt3200acm
          no_output_timeout: 40m
          command: |
            git clone https://github.com/ysurac/openmptcprouter || true
            cd openmptcprouter
            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
            git pull || true
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_TARGET="wrt3200acm"
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/wrt3200acm/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/wrt3200acm/source/key-build.pub
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-target" }}
          paths:
            - openmptcprouter
      - run:
          name: Build wrt3200acm
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/wrt3200acm/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy wrt3200acm
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/wrt3200acm/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/wrt3200acm
            rm -rf ~/openmptcprouter/wrt3200acm/source/bin
      - save_cache:
          key: cache-{{ checksum "/tmp/cache-version" }}
          paths:
            - openmptcprouter
      - run:
          name: Build toolchain wrt32x
          no_output_timeout: 40m
          command: |
            cd ~/openmptcprouter/
            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
            export OMR_TARGET="wrt32x"
            ln -s wrt3200acm wrt32x
            pyenv global 3.5.2
            sh build.sh prepare {tools,toolchain}/install -j2
            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/wrt32x/source/key-build
            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/wrt32x/source/key-build.pub
      - run:
          name: Build wrt32x
          no_output_timeout: 40m
          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/wrt32x/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
      - run:
          name: Deploy wrt32x
          command: |
            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
            rsync -av --delete-after ~/openmptcprouter/wrt32x/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/wrt32x
 workflows:
-  openmptcprouter:
+  version: 2
  main:
    jobs:
-    - build:
+      - prepare:
-       matrix:
+          filters:
-         parameters:
+            tags:
-           OMR_TARGET: ["bpi-r1","bpi-r2","bpi-r64","rpi2","rpi4","wrt32x","espressobin","r2s","rpi3","wrt3200acm","x86","x86_64","ubnt-erx","r4s","r7800","rutx12","rutx50","r5s","qnap-301w","rpi5","z8102ax_128m"]
+              only: /.*/
-           OMR_KERNEL: ["5.4","6.1","6.6"]
+            branches:
-       
+              only: 
                - develop
      - build_x86_64:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_x86:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_rpi4:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_rpi3:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_espressobin:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_r2s:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_rpi2:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_bpi-r2:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
      - build_wrt32:
          requires:
            - prepare
          filters:
            tags:
              only: /.*/
            branches:
              only: 
                - develop
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -8,8 +8,8 @@ jobs:
  build:
    strategy:
      matrix:
-        OMR_TARGET: [bpi-r1, bpi-r2, bpi-r3, bpi-r4, bpi-r4-poe, bpi-r64, rpi2, rpi4, wrt32x, espressobin, r2s, rpi3, wrt3200acm, x86, x86_64, ubnt-erx, r4s, r7800, rutx12, rutx50, r5s, qnap-301w, rpi5, z8102ax_128m, z8102ax_64m, z8102ax-emmc, gl-mt6000, gl-mt3000, gl-mt2500, r5c, z8109ax_128m]
+        OMR_TARGET: [bpi-r1, bpi-r2, bpi-r64, rpi2, rpi4, wrt32x, espressobin, r2s, rpi3, wrt3200acm, x86, x86_64, ubnt-erx, r4s, r7800]
-        OMR_KERNEL: [6.6, 6.12]
+        OMR_KERNEL: [5.4, 5.15]
    runs-on: ubuntu-latest
    continue-on-error: true
@ -17,18 +17,14 @@ jobs:
    - name: Branch name
      id: branch_name
      run: |
-        echo "SOURCE_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+        echo ::set-output name=SOURCE_NAME::${GITHUB_REF#refs/*/}
-        echo "SOURCE_BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
+        echo ::set-output name=SOURCE_BRANCH::${GITHUB_REF#refs/heads/}
-        echo "SOURCE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        echo ::set-output name=SOURCE_TAG::${GITHUB_REF#refs/tags/}
-        echo "WORKSPACE=${GITHUB_WORKSPACE}" >> $GITHUB_OUTPUT
+        echo ::set-output name=WORKSPACE::${GITHUB_WORKSPACE}
    - name: Prepare
      run: |
        sudo apt-get update
-        sudo apt-get install build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc-s1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint device-tree-compiler python3-pyelftools llvm clang
+        sudo apt-get install build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint device-tree-compiler
    - if: matrix.OMR_KERNEL == '6.6'
      name: Install LLVM
      run: |
        sudo apt-get install llvm clang
    - name: Free disk space
      run: |
        df -h
@ -38,9 +34,6 @@ jobs:
        sudo apt-get autoclean -y >/dev/null 2>&1 || true
        sudo rm -rf "/usr/local/share/boost" >/dev/null 2>&1 || true
        sudo rm -rf "$AGENT_TOOLSDIRECTORY" >/dev/null 2>&1 || true
        sudo rm -rf /usr/share/dotnet >/dev/null 2>&1 || true
        sudo rm -rf /usr/local/lib/android >/dev/null 2>&1 || true
        sudo rm -rf /opt/ghc >/dev/null 2>&1 || true
        sudo docker rmi $(docker images -qf "dangling=true") >/dev/null 2>&1 || true
        df -h
    - name: Clone source code
@ -73,28 +66,25 @@ jobs:
        OMR_PORT: ${{ secrets.OMR_PORT }}
      run: |
        OMR_KERNEL="${OMR_KERNEL}" OMR_FEED_SRC="${SOURCE_NAME}" sh build.sh prepare {tools,toolchain}/install -j$(nproc) || OMR_KERNEL="${OMR_KERNEL}" OMR_FEED_SRC="${SOURCE_NAME}" sh build.sh prepare {tools,toolchain}/install -j1 V=s
-        #echo -e "${{ secrets.OMR_PRIVKEY }}" > $OMR_TARGET/$OMR_KERNEL/source/key-build
+        #echo -e "${{ secrets.OMR_PRIVKEY }}" > $OMR_TARGET/source/key-build
-        #echo -e "${{ secrets.OMR_PUBKEY }}" > $OMR_TARGET/$OMR_KERNEL/source/key-build.pub
+        #echo -e "${{ secrets.OMR_PUBKEY }}" > $OMR_TARGET/source/key-build.pub
    - name: Build packages
      working-directory: ../../omr
      env:
        OMR_TARGET: ${{ matrix.OMR_TARGET }}
        OMR_KERNEL: ${{ matrix.OMR_KERNEL }}
      run: |
-        make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source package/{compile,install,index} -j$(nproc) || make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source package/{compile,install,index} -j1 V=s
+        make IGNORE_ERRORS=m -C $OMR_TARGET/source package/{compile,install,index} -j$(nproc) || make IGNORE_ERRORS=m -C $OMR_TARGET/source package/{compile,install,index} -j1 V=s
    - name: Build image
      working-directory: ../../omr
      env:
        OMR_TARGET: ${{ matrix.OMR_TARGET }}
        OMR_KERNEL: ${{ matrix.OMR_KERNEL }}
      run: |
-        make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source target/install -j$(nproc) || make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source target/install -j1 V=s
+        make IGNORE_ERRORS=m -C $OMR_TARGET/source target/install -j$(nproc) || make IGNORE_ERRORS=m -C $OMR_TARGET/source target/install -j1 V=s
    - name: Upload artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v2
      with:
        name: ${{ matrix.OMR_TARGET }}
-        path: /home/runner/work/omr/${{ matrix.OMR_TARGET }}/${{ matrix.OMR_KERNEL }}/source/bin
+        path: /home/runner/work/omr/${{ matrix.OMR_TARGET }}/source/bin
        overwrite: true
    - if: steps.branch_name.outputs.SOURCE_BRANCH == ''
      name: Deploy - Create directory
      uses: ysurac/ssh-action@master
@ -129,10 +119,9 @@ jobs:
      working-directory: ../../omr
      env:
        OMR_TARGET: ${{ matrix.OMR_TARGET }}
        OMR_KERNEL: ${{ matrix.OMR_KERNEL }}
        GITHUB_WORKSPACE: ${{ steps.branch_name.outputs.WORKSPACE }}
      run: |
-        mv ${OMR_TARGET}/${OMR_KERNEL}/source/bin ${GITHUB_WORKSPACE}/
+        mv ${OMR_TARGET}/source/bin ${GITHUB_WORKSPACE}/
    - if: steps.branch_name.outputs.SOURCE_BRANCH == ''
      name: Deploy - Upload via rsync
      uses: ysurac/action-rsync@master
--- a/aquantia/Makefile
+++ b/aquantia/Makefile
@ -0,0 +1,41 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=kmod-aquantia
 PKG_VERSION:=1.0
 PKG_RELEASE:=1
 include $(INCLUDE_DIR)/kernel.mk
 include $(INCLUDE_DIR)/package.mk
 define KernelPackage/phy-aquantia
  SUBMENU:=Network Devices
  TITLE:=aQuantia device support
  DEPENDS:=@PCI_SUPPORT @TARGET_x86_64 +kmod-i2c-core +kmod-i2c-algo-bit +kmod-ptp +kmod-hwmon-core +kmod-libphy
  KCONFIG:=CONFIG_AQUANTIA_PHY
  HIDDEN:=1
  FILES:=$(LINUX_DIR)/drivers/net/phy/aquantia.ko
  AUTOLOAD:=$(call AutoProbe,aquantia)
 endef
 define KernelPackage/phy-aquantia/description
 Kernel modules for aQuantia Ethernet adapters.
 endef
 define KernelPackage/atlantic
  SUBMENU:=Network Devices
  TITLE:=aQuantia AQtion(tm) Support
  DEPENDS:=@PCI_SUPPORT @TARGET_x86_64 +kmod-i2c-core +kmod-i2c-algo-bit +kmod-ptp +kmod-phy-aquantia
  KCONFIG:=CONFIG_AQTION
  FILES:=$(LINUX_DIR)/drivers/net/ethernet/aquantia/atlantic/atlantic.ko
  AUTOLOAD:=$(call AutoProbe,atlantic)
 endef
 define KernelPackage/atlantic/description
 Kernel modules for the aQuantia AQtion(tm) Ethernet card
 endef
 define Build/Compile
 endef
 $(eval $(call KernelPackage,phy-aquantia))
 $(eval $(call KernelPackage,atlantic))
--- a/atinout/Makefile
+++ b/atinout/Makefile
@ -1,57 +0,0 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=atinout
 PKG_VERSION=0.9.1
 PKG_MAINTAINER:=Konstantine Shevlakov <shevlakov@132lan.ru>
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=LICENSE
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/beralt/atinout.git
 PKG_SOURCE_VERSION:=4013e8db4cd140c1df24bb90f929efeb9b61b238
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
 include $(INCLUDE_DIR)/package.mk
 define Package/$(PKG_NAME)
 	SECTION:=net
 	CATEGORY:=Network
 	SUBMENU:=Telephony
 	TITLE:=Send AT commands to a modem
 	URL:=http://atinout.sourceforge.net/
 	MAINTAINER:=Adrian Guenter <a@gntr.me>
 endef
 define Package/$(PKG_NAME)/description
 	Atinout is a program that will execute AT commands in sequence and
 	capture the response from the modem.
 endef
 CONFIGURE_VARS += \
  CC="$(TARGET_CC)" \
  CXX="$(TARGET_CC) +.c++" \
  CFLAGS="$(TARGET_CFLAGS) -Wall -DVERSION=\"\\\"$(PKG_VERSION)\\\"\"" \
  LDFLAGS="$(TARGET_LDFLAGS)"
 define Build/Configure
 	$(call Build/Configure/Default,--with-linux-headers=$(LINUX_DIR))
 endef
 define Build/Compile
 	@echo -e "\n=== Build/Compile ==="
 	$(CONFIGURE_VARS) $(MAKE) -C $(PKG_BUILD_DIR) \
 		all \
 endef
 define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/$(PKG_NAME) $(1)/usr/bin/$(PKG_NAME)
 endef
 $(eval $(call BuildPackage,$(PKG_NAME)))
--- a/bcm27xx-eeprom/Makefile
+++ b/bcm27xx-eeprom/Makefile
@ -1,13 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=bcm27xx-eeprom
-PKG_RELEASE:=1
+PKG_VERSION:=47976e4409c6999a8e211976c75c60a97c90275c
 PKG_RELEASE:=4
-PKG_SOURCE_PROTO:=git
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/raspberrypi/rpi-eeprom
+PKG_SOURCE_URL:=https://codeload.github.com/raspberrypi/rpi-eeprom/tar.gz/$(PKG_VERSION)?
-PKG_SOURCE_DATE:=2024-09-23
+PKG_HASH:=skip
 PKG_SOURCE_VERSION:=c8fffcda5ae0f923857a73fedbeb07e81d2eb813
 PKG_MIRROR_HASH:=68d0eedd1aff573c2ea7071f89a5898292061ced96d7f98ea4a347dc16c8102c
 PKG_LICENSE:=BSD-3-Clause Custom
 PKG_LICENSE_FILES:=LICENSE
@ -19,39 +18,15 @@ include $(INCLUDE_DIR)/package.mk
 TAR_OPTIONS:=--strip-components 1 $(TAR_OPTIONS)
 TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS)
-define Package/bcm27xx-eeprom/Default
+define Package/bcm27xx-eeprom
  SECTION:=utils
  CATEGORY:=Utilities
-endef
+  DEPENDS:=bcm27xx-userland +blkid +pciutils +python3-light +coreutils +coreutils-od
 define Package/bcm27xx-eeprom
 $(call Package/bcm27xx-eeprom/Default)
  TITLE:=BCM27xx EEPROM tools
  DEPENDS:=bcm27xx-utils +blkid +coreutils +coreutils-od +mount-utils +pciutils +python3-light
 endef
 define Package/bcm2711-eeprom
 $(call Package/bcm27xx-eeprom/Default)
  TITLE:=BCM2711 EEPROM tools
  DEPENDS:=+bcm27xx-eeprom
 endef
 define Package/bcm2712-eeprom
 $(call Package/bcm27xx-eeprom/Default)
  TITLE:=BCM2712 EEPROM tools
  DEPENDS:=+bcm27xx-eeprom
 endef
 define Package/bcm27xx-eeprom/description
-  BCM27xx EEPROM config and update tools.
+  BCM27xx EEPROM tools.
 endef
 define Package/bcm2711-eeprom/description
  BCM2711 EEPROM config and update tools.
 endef
 define Package/bcm2712-eeprom/description
  BCM2712 EEPROM config and update tools.
 endef
 define Build/Compile
@ -68,29 +43,16 @@ define Package/bcm27xx-eeprom/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rpi-eeprom-config $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rpi-eeprom-digest $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rpi-eeprom-update $(1)/usr/bin
 endef
-define Package/bcm2711-eeprom/install
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader
-	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2711
+	$(CP) $(PKG_BUILD_DIR)/firmware/release-notes.md $(1)/lib/firmware/raspberrypi/bootloader
 	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
-	$(CP) $(PKG_BUILD_DIR)/firmware-2711/release-notes.md $(1)/lib/firmware/raspberrypi/bootloader-2711
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader/critical
-	$(CP) $(PKG_BUILD_DIR)/firmware-2711/latest/pieeprom-2024-09-05.bin $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
+	$(CP) $(PKG_BUILD_DIR)/firmware/critical/ $(1)/lib/firmware/raspberrypi/bootloader/
 	$(CP) $(PKG_BUILD_DIR)/firmware-2711/latest/recovery.bin $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
 	$(CP) $(PKG_BUILD_DIR)/firmware-2711/latest/vl805-000138c0.bin $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
 endef
-define Package/bcm2712-eeprom/install
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader/stable
-	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2712
+	$(CP) $(PKG_BUILD_DIR)/firmware/stable/ $(1)/lib/firmware/raspberrypi/bootloader/
 	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2712/latest
 	$(CP) $(PKG_BUILD_DIR)/firmware-2712/release-notes.md $(1)/lib/firmware/raspberrypi/bootloader-2712
 	$(CP) $(PKG_BUILD_DIR)/firmware-2712/latest/pieeprom-2024-09-23.bin $(1)/lib/firmware/raspberrypi/bootloader-2712/latest
 	$(CP) $(PKG_BUILD_DIR)/firmware-2712/latest/recovery.bin $(1)/lib/firmware/raspberrypi/bootloader-2712/latest
 endef
 $(eval $(call BuildPackage,bcm27xx-eeprom))
 $(eval $(call BuildPackage,bcm2711-eeprom))
 $(eval $(call BuildPackage,bcm2712-eeprom))
--- a/bcm27xx-eeprom/patches/0001-rpi-eeprom-update-OpenWrt-defaults.patch
+++ b/bcm27xx-eeprom/patches/0001-rpi-eeprom-update-OpenWrt-defaults.patch
@ -1,4 +1,4 @@
-From a7c4e8f246dc58b4c83293b11f6443528065dc70 Mon Sep 17 00:00:00 2001
+From da37f7b051fe6833e25e78184cc9217dd4379187 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Mon, 23 Mar 2020 10:10:55 +0100
 Subject: [PATCH] rpi-eeprom-update: OpenWrt defaults
@ -8,30 +8,38 @@ Content-Transfer-Encoding: 8bit
 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
- rpi-eeprom-update         | 4 ++--
+ rpi-eeprom-update         | 6 +++---
- rpi-eeprom-update-default | 4 ++--
+ rpi-eeprom-update-default | 5 +++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
+ 2 files changed, 6 insertions(+), 5 deletions(-)
 --- a/rpi-eeprom-update
 +++ b/rpi-eeprom-update
-@@ -25,7 +25,7 @@ fi
+@@ -24,12 +24,12 @@ else
 fi
 # Selects the release sub-directory
- FIRMWARE_RELEASE_STATUS=${FIRMWARE_RELEASE_STATUS:-default}
+-FIRMWARE_RELEASE_STATUS=${FIRMWARE_RELEASE_STATUS:-default}
 +FIRMWARE_RELEASE_STATUS=${FIRMWARE_RELEASE_STATUS:-stable}
 FIRMWARE_IMAGE_DIR=${FIRMWARE_IMAGE_DIR:-${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}}
 -FIRMWARE_BACKUP_DIR=${FIRMWARE_BACKUP_DIR:-/var/lib/raspberrypi/bootloader/backup}
 +FIRMWARE_BACKUP_DIR=${FIRMWARE_BACKUP_DIR:-${FIRMWARE_ROOT}/backup}
 ENABLE_VL805_UPDATES=${ENABLE_VL805_UPDATES:-1}
 RECOVERY_BIN=${RECOVERY_BIN:-${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}/recovery.bin}
 BOOTFS=${BOOTFS:-/boot}
 CM4_ENABLE_RPI_EEPROM_UPDATE=${CM4_ENABLE_RPI_EEPROM_UPDATE:-0}
 RPI_EEPROM_UPDATE_CONFIG_TOOL="${RPI_EEPROM_UPDATE_CONFIG_TOOL:-raspi-config}"
 --- a/rpi-eeprom-update-default
 +++ b/rpi-eeprom-update-default
-@@ -1,7 +1,7 @@
+@@ -1,8 +1,9 @@
 FIRMWARE_ROOT=/lib/firmware/raspberrypi/bootloader
-FIRMWARE_RELEASE_STATUS="default"
+-FIRMWARE_RELEASE_STATUS="critical"
 +FIRMWARE_RELEASE_STATUS="stable"
 FIRMWARE_IMAGE_DIR="${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}"
 -FIRMWARE_BACKUP_DIR="/var/lib/raspberrypi/bootloader/backup"
 +FIRMWARE_RELEASE_STATUS="latest"
 +FIRMWARE_BACKUP_DIR="${FIRMWARE_ROOT}/backup"
 BOOTFS=/boot
 USE_FLASHROM=0
 EEPROM_CONFIG_HOOK=
- 
+VCMAILBOX=/usr/bin/vcmailbox
 # BOOTFS can be set here to override auto-detection in rpi-eeprom-update
--- a/bcm27xx-eeprom/patches/0002-rpi-eeprom-update-change-default-include-path.patch
+++ b/bcm27xx-eeprom/patches/0002-rpi-eeprom-update-change-default-include-path.patch
@ -1,62 +0,0 @@
 From fc552b1e5c503c530763e40d2b83df55c5c2e9a3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Wed, 25 Mar 2020 20:58:35 +0100
 Subject: [PATCH] rpi-eeprom-update: change default include path
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
 rpi-eeprom-update | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 --- a/rpi-eeprom-update
 +++ b/rpi-eeprom-update
@@ -6,8 +6,8 @@ set -e
 script_dir=$(cd "$(dirname "$0")" && pwd)
 -if [ -f /etc/default/rpi-eeprom-update ]; then
 -   . /etc/default/rpi-eeprom-update
 +if [ -f /etc/bcm27xx-eeprom.conf ]; then
 +   . /etc/bcm27xx-eeprom.conf
 fi
 LOCAL_MODE=0
@@ -439,7 +439,7 @@ checkDependencies() {
       echo "Run with -h for more information."
       echo
       echo "To enable flashrom programming of the EEPROM"
 -      echo "Add these the following entries to /etc/default/rpi-eeprom-update"
 +      echo "Add these the following entries to /etc/bcm27xx-eeprom.conf"
       echo "RPI_EEPROM_USE_FLASHROM=1"
       echo "CM4_ENABLE_RPI_EEPROM_UPDATE=1"
       echo 
@@ -526,7 +526,7 @@ The system should then boot normally.
 If /boot does not correspond to the boot partition and this
 is not a NOOBS system, then the mount point for BOOTFS should be defined
 -in /etc/default/rpi-eeprom-update by defining the BOOTFS variable.
 +in /etc/bcm27xx-eeprom.conf by defining the BOOTFS variable.
 A backup of the current EEPROM config file is written to ${FIRMWARE_BACKUP_DIR}
 before applying the update.
@@ -558,7 +558,7 @@ Options:
    -u Install the specified VL805 (USB EEPROM) image file.
 Environment:
 -Environment variables should be defined in /etc/default/rpi-eeprom-update
 +Environment variables should be defined in /etc/bcm27xx-eeprom.conf
 EEPROM_CONFIG_HOOK
@@ -630,7 +630,7 @@ must first be enabled by removing ENABLE
 via usbboot.
 After enabling self-update set the CM4_ENABLE_RPI_EEPROM_UPDATE=1 environment
 -variable or define it in /etc/default/rpi-eeprom-update.
 +variable or define it in /etc/bcm27xx-eeprom.conf.
 N.B. If there is a power failure during SELF_UPDATE the EEPROM write may fail and
 usbboot must be used to flash the bootloader EEPROM. SELF_UPDATE is not recommended
--- a/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-change-default-include-path.patch
+++ b/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-change-default-include-path.patch
@ -0,0 +1,26 @@
 From 6674d49dea0104031b3f54df4c7a356dc4307bb2 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Wed, 25 Mar 2020 20:58:35 +0100
 Subject: [PATCH] rpi-eeprom-update: change default include path
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
 rpi-eeprom-update | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 --- a/rpi-eeprom-update
 +++ b/rpi-eeprom-update
@@ -6,8 +6,8 @@ set -e
 script_dir=$(cd "$(dirname "$0")" && pwd)
 -if [ -f /etc/default/rpi-eeprom-update ]; then
 -   . /etc/default/rpi-eeprom-update
 +if [ -f /etc/bcm27xx-eeprom.conf ]; then
 +   . /etc/bcm27xx-eeprom.conf
 fi
 LOCAL_MODE=0
--- a/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-chmod-silent-f-is-not-supported.patch
+++ b/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-chmod-silent-f-is-not-supported.patch
@ -1,33 +0,0 @@
 From 62ec3384358bda60269c131d3880795bc8cdc3ce Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Fri, 19 Feb 2021 10:54:23 +0100
 Subject: [PATCH] rpi-eeprom-update: chmod silent (-f) is not supported
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
 rpi-eeprom-update | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 --- a/rpi-eeprom-update
 +++ b/rpi-eeprom-update
@@ -220,7 +220,7 @@ applyRecoveryUpdate()
                 || die "Failed to copy ${TMP_EEPROM_IMAGE} to ${BOOTFS}"
         # For NFS mounts ensure that the files are readable to the TFTP user
 -        chmod -f go+r "${BOOTFS}/pieeprom.upd" "${BOOTFS}/pieeprom.sig" \
 +        chmod go+r "${BOOTFS}/pieeprom.upd" "${BOOTFS}/pieeprom.sig" \
                 || die "Failed to set permissions on eeprom update files"
    fi
@@ -231,7 +231,7 @@ applyRecoveryUpdate()
                 || die "Failed to copy ${VL805_UPDATE_IMAGE} to ${BOOTFS}/vl805.bin"
         # For NFS mounts ensure that the files are readable to the TFTP user
 -        chmod -f go+r "${BOOTFS}/vl805.bin" "${BOOTFS}/vl805.sig" \
 +        chmod go+r "${BOOTFS}/vl805.bin" "${BOOTFS}/vl805.sig" \
                 || die "Failed to set permissions on eeprom update files"
    fi
--- a/bcm27xx-eeprom/patches/0004-rpi-eeprom-config-replace-nano-with-vi-as-default-ed.patch
+++ b/bcm27xx-eeprom/patches/0004-rpi-eeprom-config-replace-nano-with-vi-as-default-ed.patch
@ -1,35 +0,0 @@
 From 8d1e47c956ae10d1146114f7fcd4eb0d33187d08 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Tue, 16 Jan 2024 16:25:40 +0100
 Subject: [PATCH] rpi-eeprom-config: replace nano with vi as default editor
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
 rpi-eeprom-config | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 --- a/rpi-eeprom-config
 +++ b/rpi-eeprom-config
@@ -186,8 +186,8 @@ def edit_config(eeprom=None):
     """
     Implements something like 'git commit' for editing EEPROM configs.
     """
 -    # Default to nano if $EDITOR is not defined.
 -    editor = 'nano'
 +    # Default to vi if $EDITOR is not defined.
 +    editor = 'vi'
     if 'EDITOR' in os.environ:
         editor = os.environ['EDITOR']
@@ -517,7 +517,7 @@ Operating modes:
    To cancel the pending update run 'sudo rpi-eeprom-update -r'
 -   The default text editor is nano and may be overridden by setting the 'EDITOR'
 +   The default text editor is vi and may be overridden by setting the 'EDITOR'
    environment variable and passing '-E' to 'sudo' to preserve the environment.
 6. Signing the bootloader config file.
--- a/bcm27xx-eeprom/patches/0004-rpi-eeprom-update-remove-chmod.patch
+++ b/bcm27xx-eeprom/patches/0004-rpi-eeprom-update-remove-chmod.patch
@ -0,0 +1,24 @@
 --- a/rpi-eeprom-update	2020-11-05 21:58:02.247836497 +0100
 +++ b/rpi-eeprom-update	2020-11-05 21:58:36.911266307 +0100
@@ -212,8 +212,8 @@
                 || die "Failed to copy ${TMP_EEPROM_IMAGE} to ${BOOTFS}"
         # For NFS mounts ensure that the files are readable to the TFTP user
 -        chmod -f go+r "${BOOTFS}/pieeprom.upd" "${BOOTFS}/pieeprom.sig" \
 -                || die "Failed to set permissions on eeprom update files"
 +        #chmod -f go+r "${BOOTFS}/pieeprom.upd" "${BOOTFS}/pieeprom.sig" \
 +        #        || die "Failed to set permissions on eeprom update files"
    fi
    if [ -n "${VL805_UPDATE_IMAGE}" ]; then
@@ -224,8 +224,8 @@
                 || die "Failed to copy ${VL805_UPDATE_IMAGE} to ${BOOTFS}/vl805.bin"
         # For NFS mounts ensure that the files are readable to the TFTP user
 -        chmod -f go+r "${BOOTFS}/vl805.bin" "${BOOTFS}/vl805.sig" \
 -                || die "Failed to set permissions on eeprom update files"
 +        #chmod -f go+r "${BOOTFS}/vl805.bin" "${BOOTFS}/vl805.sig" \
 +        #        || die "Failed to set permissions on eeprom update files"
    fi
    cp -f "${RECOVERY_BIN}" "${BOOTFS}/recovery.bin" \
--- a/bcm27xx-utils/Makefile
+++ b/bcm27xx-utils/Makefile
@ -1,66 +0,0 @@
 # SPDX-License-Identifier: GPL-2.0-only
 include $(TOPDIR)/rules.mk
 PKG_NAME:=bcm27xx-utils
 PKG_VERSION:=2024.10.25
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/raspberrypi/utils.git
 PKG_SOURCE_VERSION:=6a2a6becebbc38fde34a94386457ac8210f9119b
 PKG_MIRROR_HASH:=a775c7ffb9fac2d798ec8e0a4c7707eb7133cbc9c4418a1cf9434f87c42c01bb
 PKG_FLAGS:=nonshared
 PKG_BUILD_FLAGS:=no-lto
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENCE
 CMAKE_INSTALL:=1
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 define Package/bcm27xx-utils
  SECTION:=utils
  CATEGORY:=Utilities
  DEPENDS:=@TARGET_bcm27xx +libfdt
  TITLE:=BCM27xx scripts and simple applications
  PROVIDES:=bcm27xx-userland
 endef
 define Package/bcm27xx-utils/description
  BCM27xx scripts and simple applications.
  Replaces bcm27xx-userland scripts and applications.
 endef
 define Package/bcm27xx-utils/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dtmerge $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dtoverlay $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dtparam $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/eepdump $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/eepflash.sh $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/eepmake $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/kdtc $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/otpset $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/overlaycheck $(1)/usr/bin
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/bin/overlaycheck_exclusions.txt $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ovmerge $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pinctrl $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/raspinfo $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/vcgencmd $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/vclog $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/vcmailbox $(1)/usr/bin
 endef
 $(eval $(call BuildPackage,bcm27xx-utils))
--- a/bcm27xx-utils/patches/0001-raspinfo-adapt-to-OpenWrt.patch
+++ b/bcm27xx-utils/patches/0001-raspinfo-adapt-to-OpenWrt.patch
@ -1,255 +0,0 @@
 From 0db3fb3119eda8c2360454c2a01f84602a879c38 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Tue, 16 Jan 2024 15:32:12 +0100
 Subject: [PATCH] raspinfo: adapt to OpenWrt
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
 raspinfo/raspinfo | 186 ++++------------------------------------------
 1 file changed, 13 insertions(+), 173 deletions(-)
 --- a/raspinfo/raspinfo
 +++ b/raspinfo/raspinfo
@@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
 # Some of the regex's used in sed
 # Catch basic IP6 address   "s/\([0-9a-fA-F]\{1,4\}:\)\{7,7\}[0-9a-fA-F]\{1,4\}/y.y.y.y.y.y.y.y/g"
@@ -6,147 +6,6 @@
 # IP4 d.d.d.d decimal	    "s/\([0-9]\{1,3\}\.\)\{3,3\}[0-9]\{1,3\}/x.x.x.x/g"
 # mac address	            "s/\([0-9a-fA-F]\{2,2\}\:\)\{5,5\}[0-9a-fA-F]\{2,2\}/m.m.m.m/g"
 -
 -display_info_drm() {
 -   # If running X then can use xrandr, otherwise
 -   # dump the /sys/class entries for the displays
 -   if command -v xrandr > /dev/null &&
 -      DISPLAY=${DISPLAY:-:0} xrandr --listmonitors &>/dev/null;
 -   then
 -      echo "Running (F)KMS and X"
 -      echo
 -
 -      DISPLAY=${DISPLAY:-:0} xrandr --verbose
 -   else
 -      echo "Running (F)KMS, console"
 -      echo
 -
 -      for card in /sys/class/drm/card[0-9]-*;
 -      do
 -         echo $card
 -
 -         # if kmsprint isn't installed print basic mode info
 -         if ! command -v kmsprint > /dev/null; then
 -            if [ -f $card/modes ];
 -            then
 -               cat $card/modes
 -            else
 -               echo "No modes found"
 -            fi
 -         fi
 -
 -         if [ -f $card/edid ];
 -         then
 -            base64 $card/edid
 -         else
 -            echo "No EDID found"
 -         fi
 -         echo
 -      done
 -   fi
 -
 -   # kmsprint is more useful, but not always installed
 -   echo
 -   if command -v kmsprint > /dev/null; then
 -      kmsprint
 -      echo
 -      kmsprint -m
 -   else
 -      echo "kmsprint is not installed. Install with: sudo apt install kms++-utils"
 -   fi
 -
 -   echo
 -
 -   # dump the /sys/class entries for the displays
 -   cardfound=0
 -   for card in `seq 0 9`;
 -   do
 -      if sudo test -f "/sys/kernel/debug/dri/${card}/state";
 -      then
 -        for hdmi in 0 1;
 -        do
 -         if sudo test -f "/sys/kernel/debug/dri/${card}/hdmi${hdmi}_regs";
 -         then
 -            echo "HDMI${hdmi}: $(sudo cat /sys/kernel/debug/dri/$card/hdmi${hdmi}_regs | grep HOTPLUG)"
 -         fi
 -      done
 -      echo
 -      echo "/sys/kernel/debug/dri/$card/state:"
 -      sudo cat "/sys/kernel/debug/dri/$card/state"
 -      echo
 -      cardfound=1
 -      fi
 -   done
 -   if [ "$cardfound" == "0" ];
 -   then
 -      echo "kms state not found"
 -   fi
 -   echo
 -
 -}
 -
 -display_info_legacy() {
 -   # Legacy mode
 -   echo "Running Legacy framebuffer"
 -   echo
 -
 -   for card in `seq 0 9`;
 -   do
 -      F="/dev/fb${card}"
 -      if test -e $F;
 -      then
 -         echo Framebuffer: $F
 -         fbset -s -fb $F
 -      fi
 -   done
 -
 -   disps=`tvservice -l | awk '/Display Number/{print substr($3,1,1)}'`
 -
 -   tmp=$(mktemp)
 -
 -   for display in $disps
 -   do
 -      echo
 -      echo "Display: " $display
 -
 -      tvservice -v $display -s
 -      tvservice -v $display -n
 -      tvservice -v $display -m CEA
 -      tvservice -v $display -m DMT
 -
 -      echo
 -      tvservice -v $display -d $tmp > /dev/null
 -      base64 $tmp
 -   done
 -
 -   rm $tmp
 -}
 -
 -display_info() {
 -   # Check if we are running a KMS/DRM system
 -
 -   if [ -d "/dev/dri" ];
 -   then
 -      display_info_drm
 -   else
 -      display_info_legacy
 -   fi
 -}
 -
 -audio_info() {
 -   aplay -l
 -   echo
 -   aplay -L
 -   echo
 -   systemctl --user status pipewire.socket pipewire.service pulseaudio.service pulseaudio.socket
 -   echo
 -   if command -v pactl > /dev/null; then
 -      pactl info
 -   else
 -      echo pactl not installed
 -   fi
 -}
 -
 OUT=raspinfo.txt
 rm -f $OUT
@@ -163,8 +22,6 @@ echo
 cat /etc/os-release | head -4
 echo
 -cat /etc/rpi-issue
 -echo
 uname -a
 cat /proc/cpuinfo | tail -3
@@ -190,17 +47,6 @@ echo
 cat /proc/swaps
 echo
 -echo "Package version information"
 -echo "---------------------------"
 -
 -apt-cache policy raspberrypi-ui-mods | head -2
 -apt-cache policy raspberrypi-sys-mods | head -2
 -apt-cache policy openbox | head -2
 -apt-cache policy lxpanel | head -2
 -apt-cache policy pcmanfm | head -2
 -apt-cache policy rpd-plym-splash | head -2
 -
 -echo
 echo "Networking Information"
 echo "----------------------"
 echo
@@ -212,21 +58,11 @@ echo "USB Information"
 echo "---------------"
 echo
 -lsusb -t
 -
 -echo
 -echo "Display Information"
 -echo "-------------------"
 -echo
 -
 -display_info
 -
 -echo
 -echo "Audio Information"
 -echo "-------------------"
 -echo
 -
 -audio_info
 +if command -v lsusb > /dev/null; then
 +   lsusb -t
 +else
 +   echo usbutils not installed
 +fi
 echo
 echo "config.txt"
@@ -250,7 +86,7 @@ echo "-----------------"
 echo
 if command -v pinctrl > /dev/null; then
 -   sudo pinctrl 2>&1
 +   pinctrl 2>&1
 elif command -v raspi-gpio > /dev/null; then
    raspi-gpio get 2>&1
 else
@@ -263,9 +99,9 @@ echo "------------------"
 echo
 if command -v vcdbg > /dev/null; then
 -   sudo vcdbg log msg 2>&1
 +   vcdbg log msg 2>&1
 elif command -v vclog > /dev/null; then
 -   sudo vclog --msg 2>&1
 +   vclog --msg 2>&1
 else
    echo "vcdbg not found"
 fi
@@ -284,5 +120,9 @@ echo
 echo "EEPROM"
 echo "------"
 echo
 -sudo rpi-eeprom-update
 +if command -v rpi-eeprom-update > /dev/null; then
 +   rpi-eeprom-update
 +else
 +   echo bcm27xx-eeprom not installed
 +fi
 fi
--- a/bcm27xx-utils/patches/0002-pinctrl-replace-reallocarray.patch
+++ b/bcm27xx-utils/patches/0002-pinctrl-replace-reallocarray.patch
@ -1,11 +0,0 @@
 --- a/pinctrl/pinctrl.c	2024-07-02 14:14:31.113459219 +0200
 +++ b/pinctrl/pinctrl.c	2024-07-02 14:14:44.533241981 +0200
@@ -220,7 +220,7 @@
     if (!gpio_num_is_valid(gpio))
         return 1;
 -    poll_gpios = reallocarray(poll_gpios, num_poll_gpios + 1,
 +    poll_gpios = realloc(poll_gpios, num_poll_gpios + 1 *
                               sizeof(*poll_gpios));
     new_gpio = &poll_gpios[num_poll_gpios];
     new_gpio->num = num;
--- a/contributors/bdaylik.md
+++ b/contributors/bdaylik.md
@ -1,9 +0,0 @@
 2024-03-22
 I hereby agree to the terms of the "OpenMPTCProuter Individual Contributor License Agreement", with MD5 checksum bc827a07eb93611d793ddb7c75083c00.
 I furthermore declare that I am authorized and able to make this agreement and sign this declaration.
 Signed,
 Baris Daylik https://github.com/bdaylik
--- a/contributors/flesser.md
+++ b/contributors/flesser.md
@ -1,9 +0,0 @@
 2022-05-20
 I hereby agree to the terms of the "OpenMPTCProuter Individual Contributor License Agreement", with MD5 checksum bc827a07eb93611d793ddb7c75083c00.
 I furthermore declare that I am authorized and able to make this agreement and sign this declaration.
 Signed,
 Florian Karuhtz https://github.com/flesser
--- a/contributors/ta264.md
+++ b/contributors/ta264.md
@ -1,9 +0,0 @@
 2022-08-26
 I hereby agree to the terms of the "OpenMPTCProuter Individual Contributor License Agreement", with MD5 checksum bc827a07eb93611d793ddb7c75083c00.
 I furthermore declare that I am authorized and able to make this agreement and sign this declaration.
 Signed,
 ta264 https://github.com/ta264
--- a/contributors/yostyle.md
+++ b/contributors/yostyle.md
@ -1,9 +0,0 @@
 2023-05-23
 I hereby agree to the terms of the "OpenMPTCProuter Individual Contributor License Agreement", with MD5 checksum bc827a07eb93611d793ddb7c75083c00.
 I furthermore declare that I am authorized and able to make this agreement and sign this declaration.
 Signed,
 Yoan Pintas https://github.com/yostyle
--- a/cryptodev-linux/Makefile
+++ b/cryptodev-linux/Makefile
@ -1,6 +1,5 @@
 #
 # Copyright (C) 2014 OpenWrt.org
 # Copyright (C) 2023 Yannick Chabanois (Ycarus) for OpenMPTCProuter
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -11,17 +10,18 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=cryptodev-linux
 PKG_VERSION:=1.12
 PKG_RELEASE:=1
-PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://codeload.github.com/$(PKG_NAME)/$(PKG_NAME)/tar.gz/$(PKG_NAME)-$(PKG_VERSION)?
-PKG_SOURCE_URL:=https://github.com/$(PKG_NAME)/$(PKG_NAME).git
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_VERSION:=277d4574c10bb8e16ab6ab3f38b8e1cb6cd6c678
+PKG_HASH:=f51c2254749233b1b1d7ec9445158bd709f124f88e1c650fe2faac83c3a81938
 PKG_VERSION:=1.14.20241010
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-PKG_MAINTAINER:=Yannick Chabanois <contact@openmptcprouter.com>
+PKG_MAINTAINER:=Ansuel Smith <ansuelsmth@gmail.com>
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION)
 include $(INCLUDE_DIR)/package.mk
@ -29,6 +29,7 @@ define KernelPackage/cryptodev
  SUBMENU:=Cryptographic API modules
  TITLE:=Driver for cryptographic acceleration
  URL:=http://cryptodev-linux.org/
  VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
  DEPENDS:=+kmod-crypto-authenc +kmod-crypto-hash
  FILES:=$(PKG_BUILD_DIR)/cryptodev.$(LINUX_KMOD_SUFFIX)
  AUTOLOAD:=$(call AutoLoad,50,cryptodev)
--- a/dsvpn/Makefile
+++ b/dsvpn/Makefile
@ -8,15 +8,11 @@
 include $(TOPDIR)/rules.mk
 PKG_SOURCE_PROTO:=git
-#PKG_SOURCE_URL:=https://github.com/jedisct1/dsvpn.git
+PKG_SOURCE_URL:=https://github.com/jedisct1/dsvpn.git
-PKG_SOURCE_URL:=https://github.com/Ysurac/dsvpn.git
+PKG_SOURCE_VERSION:=3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a
 #PKG_SOURCE_VERSION:=3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a
 PKG_SOURCE_VERSION:=4333aa705efd9c86c76809614d20dc5ebf43da7f
 PKG_NAME:=dsvpn
-PKG_VERSION:=0.1.5
+PKG_VERSION:=0.1.4-$(PKG_SOURCE_VERSION)
 PKG_RELEASE:=1
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
 include $(INCLUDE_DIR)/package.mk
--- a/dsvpn/files/init
+++ b/dsvpn/files/init
@ -31,7 +31,7 @@ validate_section() {
 version_over_5_4() {
 	MAJOR_VERSION=$(uname -r | awk -F '.' '{print $1}')
-	MINOR_VERSION=$(uname -r | awk -F '.' '{print $2}' | awk -F '-' '{print $1}')
+	MINOR_VERSION=$(uname -r | awk -F '.' '{print $2}')
 	if [ $MAJOR_VERSION -ge 5 ] && [ $MINOR_VERSION -gt 13 ] || [ $MAJOR_VERSION -gt 5 ] ; then
 		return 0
 	else
--- a/dsvpn/patches/nofirewall.patch
+++ b/dsvpn/patches/nofirewall.patch
@ -0,0 +1,65 @@
 --- a/src/os.c	2019-12-06 19:49:50.323898270 +0100
 +++ b/src/os.c	2019-12-06 19:54:20.987206244 +0100
@@ -445,24 +445,28 @@
 #ifdef __linux__
         static const char
             *set_cmds[] =
 -                { "sysctl net.ipv4.ip_forward=1",
 -                  "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev $IF_NAME",
 +                { "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev $IF_NAME",
                   "ip -6 addr add $LOCAL_TUN_IP6 peer $REMOTE_TUN_IP6/96 dev $IF_NAME",
                   "ip link set dev $IF_NAME up",
 +#ifndef NO_DEFAULT_FIREWALL
 +                  "sysctl net.ipv4.ip_forward=1",
                   "iptables -t raw -I PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
                   "--src-type LOCAL -j DROP",
                   "iptables -t nat -A POSTROUTING -o $EXT_IF_NAME -s $REMOTE_TUN_IP -j MASQUERADE",
                   "iptables -t filter -A FORWARD -i $EXT_IF_NAME -o $IF_NAME -m state --state "
                   "RELATED,ESTABLISHED -j ACCEPT",
                   "iptables -t filter -A FORWARD -i $IF_NAME -o $EXT_IF_NAME -j ACCEPT",
 +#endif
                   NULL },
             *unset_cmds[] = {
 +#ifndef NO_DEFAULT_FIREWALL
                 "iptables -t nat -D POSTROUTING -o $EXT_IF_NAME -s $REMOTE_TUN_IP -j MASQUERADE",
                 "iptables -t filter -D FORWARD -i $EXT_IF_NAME -o $IF_NAME -m state --state "
                 "RELATED,ESTABLISHED -j ACCEPT",
                 "iptables -t filter -D FORWARD -i $IF_NAME -o $EXT_IF_NAME -j ACCEPT",
                 "iptables -t raw -D PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
                 "--src-type LOCAL -j DROP",
 +#endif
                 NULL
             };
 #elif defined(__APPLE__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
@@ -503,12 +507,17 @@
 #elif defined(__linux__)
         static const char
             *set_cmds[] =
 -                { "sysctl net.ipv4.tcp_congestion_control=bbr",
 +                { 
 +#ifndef NO_DEFAULT_CONGESTION
 +                  "sysctl net.ipv4.tcp_congestion_control=bbr",
 +#endif
                   "ip link set dev $IF_NAME up",
 -                  "iptables -t raw -I PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
 -                  "--src-type LOCAL -j DROP",
                   "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev $IF_NAME",
                   "ip -6 addr add $LOCAL_TUN_IP6 peer $REMOTE_TUN_IP6/96 dev $IF_NAME",
 +#ifndef NO_DEFAULT_FIREWALL
 +                  "iptables -t raw -I PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
 +                  "--src-type LOCAL -j DROP",
 +#endif
 #ifndef NO_DEFAULT_ROUTES
                   "ip route add default dev $IF_NAME table 42069",
                   "ip -6 route add default dev $IF_NAME table 42069",
@@ -525,8 +534,10 @@
                 "ip rule delete table main suppress_prefixlength 0",
                 "ip -6 rule delete table main suppress_prefixlength 0",
 #endif
 +#ifndef NO_DEFAULT_FIREWALL
                 "iptables -t raw -D PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
                 "--src-type LOCAL -j DROP",
 +#endif
                 NULL
             };
 #else
--- a/fast-classifier/Makefile
+++ b/fast-classifier/Makefile
@ -1,65 +1,48 @@
 #
 # Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
 # Permission to use, copy, modify, and/or distribute this software for
 # any purpose with or without fee is hereby granted, provided that the
 # above copyright notice and this permission notice appear in all copies.
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #
 include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=fast-classifier
-PKG_RELEASE:=6
+PKG_RELEASE:=1
 PKG_CONFIG_DEPENDS := CONFIG_IPV6
 include $(INCLUDE_DIR)/package.mk
-define KernelPackage/fast-classifier/Default
+define KernelPackage/$(PKG_NAME)/Default
  SECTION:=kernel
  CATEGORY:=Kernel modules
  SUBMENU:=Network Support
-  DEPENDS:=@KERNEL_5_4 +kmod-ipt-conntrack +kmod-shortcut-fe
+  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
  TITLE:=Kernel driver for FAST Classifier
  FILES:=$(PKG_BUILD_DIR)/fast-classifier.ko
-  KCONFIG:= \
+  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y CONFIG_NF_CONNTRACK_MARK=y
-	   CONFIG_NF_CONNTRACK_EVENTS=y \
+  PROVIDES:=$(PKG_NAME)
 	   CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y \
 	   CONFIG_NF_CONNTRACK_MARK=y \
 	   CONFIG_XFRM=y
  CONFLICTS:=kmod-shortcut-fe-drv kmod-shortcut-fe-cm
 endef
-define KernelPackage/fast-classifier
+define KernelPackage/$(PKG_NAME)
-  $(call KernelPackage/fast-classifier/Default)
+  $(call KernelPackage/$(PKG_NAME)/Default)
 endef
-define KernelPackage/fast-classifier-noload
+define KernelPackage/$(PKG_NAME)-noload
-  $(call KernelPackage/fast-classifier/Default)
+  $(call KernelPackage/$(PKG_NAME)/Default)
 endef
-define KernelPackage/fast-classifier/Default/description
+define KernelPackage/$(PKG_NAME)/Default/description
 FAST Classifier talks to SFE to make decisions about offloading connections
 endef
-define KernelPackage/fast-classifier/description
+define KernelPackage/$(PKG_NAME)/description
-$(call KernelPackage/fast-classifier/Default/description)
+$(call KernelPackage/$(PKG_NAME)/Default/description)
 endef
-define KernelPackage/fast-classifier-noload/description
+define KernelPackage/$(PKG_NAME)-noload/description
-$(call KernelPackage/fast-classifier/Default/description)
+$(call KernelPackage/$(PKG_NAME)/Default/description)
-This package does not load fast-classifier at boot by default
+This package does not load $(PKG_NAME) at boot by default
 endef
 define Package/fast-classifier-example
  TITLE:=Example user space program for fast-classifier
-  DEPENDS:=@KERNEL_5_4 +libnl +kmod-fast-classifier
+  DEPENDS:=+libnl +kmod-fast-classifier
 endef
 define Package/fast-classifier-example/description
@ -67,16 +50,15 @@ Example user space program that communicates with fast
 classifier kernel module
 endef
-HAVE_ECM:=$(CONFIG_PACKAGE_kmod-qca-nss-ecm-premium)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-noload)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-premium-noload)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-standard)
+SFE_MAKE_OPTS:=SFE_SUPPORT_IPV6=$(if $(CONFIG_IPV6),y,n)
 define Build/Compile/kmod
-	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
+	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" $(SFE_MAKE_OPTS) \
 		$(KERNEL_MAKE_FLAGS) \
 		$(PKG_MAKE_FLAGS) \
 		M="$(PKG_BUILD_DIR)" \
 		CONFIG_FAST_CLASSIFIER=m \
-		EXTRA_CFLAGS+="-DSFE_SUPPORT_IPV6" \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
 		$(if $(HAVE_ECM),EXTRA_CFLAGS+="-DCONFIG_SFE_ECM" CONFIG_SFE_ECM=y,) \
 		modules
 endef
@ -99,11 +81,12 @@ define Build/InstallDev
 	$(CP) $(PKG_BUILD_DIR)/fast-classifier.h $(1)/usr/include/
 endef
 define Package/fast-classifier-example/install
 	$(INSTALL_DIR) $(1)/sbin
 	$(CP) $(PKG_BUILD_DIR)/userspace_fast_classifier $(1)/sbin/
 endef
-$(eval $(call KernelPackage,fast-classifier))
+$(eval $(call KernelPackage,$(PKG_NAME)))
-#$(eval $(call KernelPackage,fast-classifier-noload))
+$(eval $(call KernelPackage,$(PKG_NAME)-noload))
 #$(eval $(call BuildPackage,fast-classifier-example))
--- a/fast-classifier/src/fast-classifier.c
+++ b/fast-classifier/src/fast-classifier.c
@ -36,9 +36,9 @@
 #include <linux/hashtable.h>
 #include <linux/version.h>
-#include <sfe_backport.h>
+#include "sfe_backport.h"
-#include <sfe.h>
+#include "sfe.h"
-#include <sfe_cm.h>
+#include "sfe_cm.h"
 #include "fast-classifier.h"
 typedef enum fast_classifier_exception {
@ -451,10 +451,6 @@ static u32 fc_conn_hash(sfe_ip_addr_t *saddr, sfe_ip_addr_t *daddr,
 */
 static int fast_classifier_update_protocol(struct sfe_connection_create *p_sic, struct nf_conn *ct)
 {
  #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
    struct net *net=NULL ;
    struct nf_tcp_net *tn=NULL;
 	#endif
 	switch (p_sic->protocol) {
 	case IPPROTO_TCP:
 		p_sic->src_td_window_scale = ct->proto.tcp.seen[0].td_scale;
@ -465,14 +461,8 @@ static int fast_classifier_update_protocol(struct sfe_connection_create *p_sic,
 		p_sic->dest_td_max_window = ct->proto.tcp.seen[1].td_maxwin;
 		p_sic->dest_td_end = ct->proto.tcp.seen[1].td_end;
 		p_sic->dest_td_max_end = ct->proto.tcp.seen[1].td_maxend;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
+
-	net = nf_ct_net(ct);
+		if (nf_ct_tcp_no_window_check
 	tn = nf_tcp_pernet(net);
 	if ((tn&&tn->tcp_no_window_check)
 #else
 	if (nf_ct_tcp_no_window_check
 #endif
 		    || (ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
 		    || (ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
 			p_sic->flags |= SFE_CREATE_FLAG_NO_SEQ_CHECK;
@ -1754,11 +1744,8 @@ static int __init fast_classifier_init(void)
 {
 	struct fast_classifier *sc = &__sc;
 	int result = -1;
 #ifdef CONFIG_SFE_ECM
 	int (*fast_recv)(struct sk_buff *skb);
 #endif
-	printk(KERN_ALERT "fast-classifier: starting up\n");
+	printk(KERN_ALERT "fast-classifier (PBR safe v2.1.4a): starting up\n");
 	DEBUG_INFO("SFE CM init\n");
 	hash_init(fc_conn_ht);
@ -1823,7 +1810,6 @@ static int __init fast_classifier_init(void)
 		goto exit3;
 	}
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 	/*
 	 * Register a notifier hook to get fast notifications of expired connections.
 	 */
@ -1831,14 +1817,12 @@ static int __init fast_classifier_init(void)
 	result = nf_conntrack_register_chain_notifier(&init_net, &fast_classifier_conntrack_notifier);
 #else
 	result = nf_conntrack_register_notifier(&init_net, &fast_classifier_conntrack_notifier);
 #endif
 	if (result < 0) {
 		DEBUG_ERROR("can't register nf notifier hook: %d\n", result);
 		goto exit4;
 	}
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
 	result = genl_register_family(&fast_classifier_gnl_family);
 	if (result) {
@ -1881,16 +1865,7 @@ static int __init fast_classifier_init(void)
 	/*
 	 * Hook the receive path in the network stack.
 	 */
 #ifdef CONFIG_SFE_ECM
 	rcu_read_lock();
 	fast_recv = rcu_dereference(athrs_fast_nat_recv);
 	rcu_read_unlock();
 	if (!fast_recv) {
 		BUG_ON(athrs_fast_nat_recv);
 	}
 #else
 	BUG_ON(athrs_fast_nat_recv);
 #endif
 	RCU_INIT_POINTER(athrs_fast_nat_recv, fast_classifier_recv);
 	/*
@ -1999,4 +1974,3 @@ module_exit(fast_classifier_exit)
 MODULE_DESCRIPTION("Shortcut Forwarding Engine - Connection Manager");
 MODULE_LICENSE("Dual BSD/GPL");
--- a/fast-classifier/src/sfe.h
+++ b/fast-classifier/src/sfe.h
@ -0,0 +1,114 @@
 /*
 * sfe.h
 *	Shortcut forwarding engine.
 *
 * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /*
 * The following are debug macros used throughout the SFE.
 *
 * The DEBUG_LEVEL enables the followings based on its value,
 * when dynamic debug option is disabled.
 *
 * 0 = OFF
 * 1 = ASSERTS / ERRORS
 * 2 = 1 + WARN
 * 3 = 2 + INFO
 * 4 = 3 + TRACE
 */
 #define DEBUG_LEVEL 2
 #if (DEBUG_LEVEL < 1)
 #define DEBUG_ASSERT(s, ...)
 #define DEBUG_ERROR(s, ...)
 #else
 #define DEBUG_ASSERT(c, s, ...) if (!(c)) { pr_emerg("ASSERT: %s:%d:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__); BUG(); }
 #define DEBUG_ERROR(s, ...) pr_err("%s:%d:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #endif
 #if defined(CONFIG_DYNAMIC_DEBUG)
 /*
 * Compile messages for dynamic enable/disable
 */
 #define DEBUG_WARN(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #define DEBUG_INFO(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #define DEBUG_TRACE(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #else
 /*
 * Statically compile messages at different levels
 */
 #if (DEBUG_LEVEL < 2)
 #define DEBUG_WARN(s, ...)
 #else
 #define DEBUG_WARN(s, ...) pr_warn("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #endif
 #if (DEBUG_LEVEL < 3)
 #define DEBUG_INFO(s, ...)
 #else
 #define DEBUG_INFO(s, ...) pr_notice("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #endif
 #if (DEBUG_LEVEL < 4)
 #define DEBUG_TRACE(s, ...)
 #else
 #define DEBUG_TRACE(s, ...) pr_info("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
 #endif
 #endif
 #ifdef CONFIG_NF_FLOW_COOKIE
 typedef int (*flow_cookie_set_func_t)(u32 protocol, __be32 src_ip, __be16 src_port,
 				      __be32 dst_ip, __be16 dst_port, u16 flow_cookie);
 /*
 * sfe_register_flow_cookie_cb
 *	register a function in SFE to let SFE use this function to configure flow cookie for a flow
 *
 * Hardware driver which support flow cookie should register a callback function in SFE. Then SFE
 * can use this function to configure flow cookie for a flow.
 * return: 0, success; !=0, fail
 */
 int sfe_register_flow_cookie_cb(flow_cookie_set_func_t cb);
 /*
 * sfe_unregister_flow_cookie_cb
 *	unregister function which is used to configure flow cookie for a flow
 *
 * return: 0, success; !=0, fail
 */
 int sfe_unregister_flow_cookie_cb(flow_cookie_set_func_t cb);
 typedef int (*sfe_ipv6_flow_cookie_set_func_t)(u32 protocol, __be32 src_ip[4], __be16 src_port,
 						__be32 dst_ip[4], __be16 dst_port, u16 flow_cookie);
 /*
 * sfe_ipv6_register_flow_cookie_cb
 *	register a function in SFE to let SFE use this function to configure flow cookie for a flow
 *
 * Hardware driver which support flow cookie should register a callback function in SFE. Then SFE
 * can use this function to configure flow cookie for a flow.
 * return: 0, success; !=0, fail
 */
 int sfe_ipv6_register_flow_cookie_cb(sfe_ipv6_flow_cookie_set_func_t cb);
 /*
 * sfe_ipv6_unregister_flow_cookie_cb
 *	unregister function which is used to configure flow cookie for a flow
 *
 * return: 0, success; !=0, fail
 */
 int sfe_ipv6_unregister_flow_cookie_cb(sfe_ipv6_flow_cookie_set_func_t cb);
 #endif /*CONFIG_NF_FLOW_COOKIE*/
--- a/fast-classifier/src/sfe_backport.h
+++ b/fast-classifier/src/sfe_backport.h
@ -0,0 +1,195 @@
 /*
 * sfe_backport.h
 *	Shortcut forwarding engine compatible header file.
 *
 * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include <linux/version.h>
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0))
 #include <net/netfilter/nf_conntrack_timeout.h>
 #else
 enum udp_conntrack {
 	UDP_CT_UNREPLIED,
 	UDP_CT_REPLIED,
 	UDP_CT_MAX
 };
 static inline unsigned int *
 nf_ct_timeout_lookup(struct net *net, struct nf_conn *ct,
 		     struct nf_conntrack_l4proto *l4proto)
 {
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 	struct nf_conn_timeout *timeout_ext;
 	unsigned int *timeouts;
 	timeout_ext = nf_ct_timeout_find(ct);
 	if (timeout_ext)
 		timeouts = NF_CT_TIMEOUT_EXT_DATA(timeout_ext);
 	else
 		timeouts = l4proto->get_timeouts(net);
 	return timeouts;
 #else
 	return l4proto->get_timeouts(net);
 #endif /*CONFIG_NF_CONNTRACK_TIMEOUT*/
 }
 #endif /*KERNEL_VERSION(3, 7, 0)*/
 #endif /*KERNEL_VERSION(3, 4, 0)*/
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
 #define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 static unsigned int FN_NAME(void *priv, \
 			    struct sk_buff *SKB, \
 			    const struct nf_hook_state *state)
 #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
 #define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 static unsigned int FN_NAME(const struct nf_hook_ops *OPS, \
 			    struct sk_buff *SKB, \
 			    const struct net_device *UNUSED, \
 			    const struct net_device *OUT, \
 			    int (*OKFN)(struct sk_buff *))
 #else
 #define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 static unsigned int FN_NAME(unsigned int HOOKNUM, \
 			    struct sk_buff *SKB, \
 			    const struct net_device *UNUSED, \
 			    const struct net_device *OUT, \
 			    int (*OKFN)(struct sk_buff *))
 #endif
 #define sfe_cm_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 	sfe_define_post_routing_hook(__sfe_cm_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
 #define sfe_cm_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 	sfe_define_post_routing_hook(__sfe_cm_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
 #define fast_classifier_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 	sfe_define_post_routing_hook(__fast_classifier_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
 #define fast_classifier_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
 	sfe_define_post_routing_hook(__fast_classifier_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
 #define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
 	{						\
 		.hook = fn,				\
 		.pf = NFPROTO_IPV4,			\
 		.hooknum = NF_INET_POST_ROUTING,	\
 		.priority = NF_IP_PRI_NAT_SRC + 1,	\
 	}
 #else
 #define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
 	{						\
 		.hook = fn,				\
 		.owner = THIS_MODULE,			\
 		.pf = NFPROTO_IPV4,			\
 		.hooknum = NF_INET_POST_ROUTING,	\
 		.priority = NF_IP_PRI_NAT_SRC + 1,	\
 	}
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
 #define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
 	{						\
 		.hook = fn,				\
 		.pf = NFPROTO_IPV6,			\
 		.hooknum = NF_INET_POST_ROUTING,	\
 		.priority = NF_IP_PRI_NAT_SRC + 1,	\
 	}
 #else
 #define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
 	{						\
 		.hook = fn,				\
 		.owner = THIS_MODULE,			\
 		.pf = NFPROTO_IPV6,			\
 		.hooknum = NF_INET_POST_ROUTING,	\
 		.priority = NF_IP6_PRI_NAT_SRC + 1,	\
 	}
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0))
 #define SFE_NF_CT_DEFAULT_ZONE (&nf_ct_zone_dflt)
 #else
 #define SFE_NF_CT_DEFAULT_ZONE NF_CT_DEFAULT_ZONE
 #endif
 /*
 * sfe_dev_get_master
 * 	get master of bridge port, and hold it
 */
 static inline struct net_device *sfe_dev_get_master(struct net_device *dev)
 {
 	struct net_device *master;
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
 	rcu_read_lock();
 	master = netdev_master_upper_dev_get_rcu(dev);
 	if (master)
 		dev_hold(master);
 	rcu_read_unlock();
 #else
 	master = dev->master;
 	if (master)
 		dev_hold(master);
 #endif
 	return master;
 }
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 11, 0))
 #define SFE_DEV_EVENT_PTR(PTR) netdev_notifier_info_to_dev(PTR)
 #else
 #define SFE_DEV_EVENT_PTR(PTR) (struct net_device *)(PTR)
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
 #define SFE_NF_CONN_ACCT(NM) struct nf_conn_acct *NM
 #else
 #define SFE_NF_CONN_ACCT(NM) struct nf_conn_counter *NM
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
 #define SFE_ACCT_COUNTER(NM) ((NM)->counter)
 #else
 #define SFE_ACCT_COUNTER(NM) (NM)
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
 #define sfe_hash_for_each_possible(name, obj, node, member, key) \
 	hash_for_each_possible(name, obj, member, key)
 #else
 #define sfe_hash_for_each_possible(name, obj, node, member, key) \
 	hash_for_each_possible(name, obj, node, member, key)
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
 #define sfe_hash_for_each(name, bkt, node, obj, member) \
 	hash_for_each(name, bkt, obj, member)
 #else
 #define sfe_hash_for_each(name, bkt, node, obj, member) \
 	hash_for_each(name, bkt, node, obj, member)
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
 #define sfe_dst_get_neighbour(dst, daddr) dst_neigh_lookup(dst, daddr)
 #else
 static inline struct neighbour *
 sfe_dst_get_neighbour(struct dst_entry *dst, void *daddr)
 {
 	struct neighbour *neigh = dst_get_neighbour_noref(dst);
 	if (neigh)
 		neigh_hold(neigh);
 	return neigh;
 }
 #endif
--- a/fast-classifier/src/sfe_cm.h
+++ b/fast-classifier/src/sfe_cm.h
@ -0,0 +1,259 @@
 /*
 * sfe_cm.h
 *	Shortcut forwarding engine.
 *
 * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /*
 * connection flags.
 */
 #define SFE_CREATE_FLAG_NO_SEQ_CHECK BIT(0)
 					/* Indicates that we should not check sequence numbers */
 #define SFE_CREATE_FLAG_REMARK_PRIORITY BIT(1)
 					/* Indicates that we should remark priority of skb */
 #define SFE_CREATE_FLAG_REMARK_DSCP BIT(2)
 					/* Indicates that we should remark DSCP of packet */
 /*
 * IPv6 address structure
 */
 struct sfe_ipv6_addr {
 	__be32 addr[4];
 };
 typedef union {
 	__be32			ip;
 	struct sfe_ipv6_addr	ip6[1];
 } sfe_ip_addr_t;
 /*
 * connection creation structure.
 */
 struct sfe_connection_create {
 	int protocol;
 	struct net_device *src_dev;
 	struct net_device *dest_dev;
 	u32 flags;
 	u32 src_mtu;
 	u32 dest_mtu;
 	sfe_ip_addr_t src_ip;
 	sfe_ip_addr_t src_ip_xlate;
 	sfe_ip_addr_t dest_ip;
 	sfe_ip_addr_t dest_ip_xlate;
 	__be16 src_port;
 	__be16 src_port_xlate;
 	__be16 dest_port;
 	__be16 dest_port_xlate;
 	u8 src_mac[ETH_ALEN];
 	u8 src_mac_xlate[ETH_ALEN];
 	u8 dest_mac[ETH_ALEN];
 	u8 dest_mac_xlate[ETH_ALEN];
 	u8 src_td_window_scale;
 	u32 src_td_max_window;
 	u32 src_td_end;
 	u32 src_td_max_end;
 	u8 dest_td_window_scale;
 	u32 dest_td_max_window;
 	u32 dest_td_end;
 	u32 dest_td_max_end;
 	u32 mark;
 #ifdef CONFIG_XFRM
 	u32 original_accel;
 	u32 reply_accel;
 #endif
 	u32 src_priority;
 	u32 dest_priority;
 	u32 src_dscp;
 	u32 dest_dscp;
 };
 /*
 * connection destruction structure.
 */
 struct sfe_connection_destroy {
 	int protocol;
 	sfe_ip_addr_t src_ip;
 	sfe_ip_addr_t dest_ip;
 	__be16 src_port;
 	__be16 dest_port;
 };
 typedef enum sfe_sync_reason {
 	SFE_SYNC_REASON_STATS,	/* Sync is to synchronize stats */
 	SFE_SYNC_REASON_FLUSH,	/* Sync is to flush a entry */
 	SFE_SYNC_REASON_DESTROY	/* Sync is to destroy a entry(requested by connection manager) */
 } sfe_sync_reason_t;
 /*
 * Structure used to sync connection stats/state back within the system.
 *
 * NOTE: The addresses here are NON-NAT addresses, i.e. the true endpoint addressing.
 * 'src' is the creator of the connection.
 */
 struct sfe_connection_sync {
 	struct net_device *src_dev;
 	struct net_device *dest_dev;
 	int is_v6;			/* Is it for ipv6? */
 	int protocol;			/* IP protocol number (IPPROTO_...) */
 	sfe_ip_addr_t src_ip;		/* Non-NAT source address, i.e. the creator of the connection */
 	sfe_ip_addr_t src_ip_xlate;	/* NATed source address */
 	__be16 src_port;		/* Non-NAT source port */
 	__be16 src_port_xlate;		/* NATed source port */
 	sfe_ip_addr_t dest_ip;		/* Non-NAT destination address, i.e. to whom the connection was created */
 	sfe_ip_addr_t dest_ip_xlate;	/* NATed destination address */
 	__be16 dest_port;		/* Non-NAT destination port */
 	__be16 dest_port_xlate;		/* NATed destination port */
 	u32 src_td_max_window;
 	u32 src_td_end;
 	u32 src_td_max_end;
 	u64 src_packet_count;
 	u64 src_byte_count;
 	u32 src_new_packet_count;
 	u32 src_new_byte_count;
 	u32 dest_td_max_window;
 	u32 dest_td_end;
 	u32 dest_td_max_end;
 	u64 dest_packet_count;
 	u64 dest_byte_count;
 	u32 dest_new_packet_count;
 	u32 dest_new_byte_count;
 	u32 reason;		/* reason for stats sync message, i.e. destroy, flush, period sync */
 	u64 delta_jiffies;		/* Time to be added to the current timeout to keep the connection alive */
 };
 /*
 * connection mark structure
 */
 struct sfe_connection_mark {
 	int protocol;
 	sfe_ip_addr_t src_ip;
 	sfe_ip_addr_t dest_ip;
 	__be16 src_port;
 	__be16 dest_port;
 	u32 mark;
 };
 /*
 * Expose the hook for the receive processing.
 */
 extern int (*athrs_fast_nat_recv)(struct sk_buff *skb);
 /*
 * Expose what should be a static flag in the TCP connection tracker.
 */
 extern int nf_ct_tcp_no_window_check;
 /*
 * This callback will be called in a timer
 * at 100 times per second to sync stats back to
 * Linux connection track.
 *
 * A RCU lock is taken to prevent this callback
 * from unregistering.
 */
 typedef void (*sfe_sync_rule_callback_t)(struct sfe_connection_sync *);
 /*
 * IPv4 APIs used by connection manager
 */
 int sfe_ipv4_recv(struct net_device *dev, struct sk_buff *skb);
 int sfe_ipv4_create_rule(struct sfe_connection_create *sic);
 void sfe_ipv4_destroy_rule(struct sfe_connection_destroy *sid);
 void sfe_ipv4_destroy_all_rules_for_dev(struct net_device *dev);
 void sfe_ipv4_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
 void sfe_ipv4_update_rule(struct sfe_connection_create *sic);
 void sfe_ipv4_mark_rule(struct sfe_connection_mark *mark);
 #ifdef SFE_SUPPORT_IPV6
 /*
 * IPv6 APIs used by connection manager
 */
 int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb);
 int sfe_ipv6_create_rule(struct sfe_connection_create *sic);
 void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid);
 void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev);
 void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
 void sfe_ipv6_update_rule(struct sfe_connection_create *sic);
 void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark);
 #else
 static inline int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb)
 {
 	return 0;
 }
 static inline int sfe_ipv6_create_rule(struct sfe_connection_create *sic)
 {
 	return 0;
 }
 static inline void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid)
 {
 	return;
 }
 static inline void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev)
 {
 	return;
 }
 static inline void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback)
 {
 	return;
 }
 static inline void sfe_ipv6_update_rule(struct sfe_connection_create *sic)
 {
 	return;
 }
 static inline void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark)
 {
 	return;
 }
 #endif
 /*
 * sfe_ipv6_addr_equal()
 *	compare ipv6 address
 *
 * return: 1, equal; 0, no equal
 */
 static inline int sfe_ipv6_addr_equal(struct sfe_ipv6_addr *a,
 				      struct sfe_ipv6_addr *b)
 {
 	return a->addr[0] == b->addr[0] &&
 	       a->addr[1] == b->addr[1] &&
 	       a->addr[2] == b->addr[2] &&
 	       a->addr[3] == b->addr[3];
 }
 /*
 * sfe_ipv4_addr_equal()
 *	compare ipv4 address
 *
 * return: 1, equal; 0, no equal
 */
 #define sfe_ipv4_addr_equal(a, b) ((u32)(a) == (u32)(b))
 /*
 * sfe_addr_equal()
 *	compare ipv4 or ipv6 address
 *
 * return: 1, equal; 0, no equal
 */
 static inline int sfe_addr_equal(sfe_ip_addr_t *a,
 				 sfe_ip_addr_t *b, int is_v4)
 {
 	return is_v4 ? sfe_ipv4_addr_equal(a->ip, b->ip) : sfe_ipv6_addr_equal(a->ip6, b->ip6);
 }
--- a/fullconenat/Makefile
+++ b/fullconenat/Makefile
@ -1,62 +0,0 @@
 #
 # Copyright (C) 2022 Chion Tang <tech@chionlab.moe>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fullconenat
 PKG_RELEASE:=9
 PKG_SOURCE_DATE:=2022-02-13
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/llccd/netfilter-full-cone-nat.git
 PKG_SOURCE_VERSION:=108a36cbdca17e68c9e6e7fd5e26156a88f738e8
 PKG_MIRROR_HASH:=00d749235271dee194dcd23c22e6e85207ea90192a62a110b2af0b4e4de1971f
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Chion Tang <tech@chionlab.moe>
 include $(INCLUDE_DIR)/kernel.mk
 include $(INCLUDE_DIR)/package.mk
 define Package/iptables-mod-fullconenat
  SUBMENU:=Firewall
  SECTION:=net
  CATEGORY:=Network
  TITLE:=FULLCONENAT iptables extension
  DEPENDS:=+iptables +kmod-ipt-fullconenat @LINUX_5_4
 endef
 define Package/iptables-mod-fullconenat/install
 	$(INSTALL_DIR) $(1)/usr/lib/iptables
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libipt_FULLCONENAT.so $(1)/usr/lib/iptables
 endef
 define KernelPackage/ipt-fullconenat
  SUBMENU:=Netfilter Extensions
  TITLE:=FULLCONENAT netfilter module
  DEPENDS:=+kmod-nf-ipt +kmod-nf-nat @LINUX_5_4
  KCONFIG:=  \
 	CONFIG_NF_CONNTRACK_EVENTS=y \
 	CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y
  FILES:=$(PKG_BUILD_DIR)/xt_FULLCONENAT.ko
 endef
 include $(INCLUDE_DIR)/kernel-defaults.mk
 define Build/Compile
 	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
 		CROSS_COMPILE="$(TARGET_CROSS)" \
 		ARCH="$(LINUX_KARCH)" \
 		M="$(PKG_BUILD_DIR)" \
 		EXTRA_CFLAGS="$(BUILDFLAGS)" \
 		modules
 	$(call Build/Compile/Default)
 endef
 $(eval $(call KernelPackage,ipt-fullconenat))
 $(eval $(call BuildPackage,iptables-mod-fullconenat))
--- a/fullconenat/patches/001-fix-init-Repeat-definition.patch
+++ b/fullconenat/patches/001-fix-init-Repeat-definition.patch
@ -1,20 +0,0 @@
 --- a/libip6t_FULLCONENAT.c
 +++ b/libip6t_FULLCONENAT.c
@@ -214,6 +214,7 @@ static struct xtables_target fullconenat_tg_reg = {
 	.x6_options	= FULLCONENAT_opts,
 };
 +#define _init __attribute__((constructor)) _INIT
 void _init(void)
 {
 	xtables_register_target(&fullconenat_tg_reg);
 --- a/libipt_FULLCONENAT.c
 +++ b/libipt_FULLCONENAT.c
@@ -235,6 +235,7 @@ static struct xtables_target fullconenat_tg_reg = {
 	.x6_options	= FULLCONENAT_opts,
 };
 +#define _init __attribute__((constructor)) _INIT
 void _init(void)
 {
 	xtables_register_target(&fullconenat_tg_reg);
--- a/fullconenat/patches/001-linux-6.1-support.patch
+++ b/fullconenat/patches/001-linux-6.1-support.patch
@ -1,26 +0,0 @@
 --- a/xt_FULLCONENAT.c
 +++ b/xt_FULLCONENAT.c
@@ -325,7 +325,11 @@
     /* for now we do the same thing for both --random and --random-fully */
     /* select a random starting point */
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
 +    start = (uint16_t)(get_random_u32() % (u32)range_size);
 +#else
     start = (uint16_t)(prandom_u32() % (u32)range_size);
 +#endif
   } else {
     if ((original_port >= min && original_port <= min + range_size - 1)
@@ -995,7 +999,11 @@
     /* for now we do the same thing for both --random and --random-fully */
     /* select a random starting point */
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
 +    start = (uint16_t)(get_random_u32() % (u32)range_size);
 +#else
     start = (uint16_t)(prandom_u32() % (u32)range_size);
 +#endif
   } else {
     if ((original_port >= min && original_port <= min + range_size - 1)
--- a/fullconenat/src/Makefile
+++ b/fullconenat/src/Makefile
@ -1,6 +0,0 @@
 libipt_FULLCONENAT.so: libipt_FULLCONENAT.o
 	$(CC) -shared -lxtables -o $@ $^;
 libipt_FULLCONENAT.o: libipt_FULLCONENAT.c
 	$(CC) ${CFLAGS} -fPIC -D_INIT=$*_init -c -o $@ $<;
 obj-m += xt_FULLCONENAT.o
--- a/glorytun-udp/Makefile
+++ b/glorytun-udp/Makefile
@ -12,10 +12,8 @@ PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/angt/glorytun.git
 PKG_SOURCE_VERSION:=32267e86a6da05b285bb3bf2b136c105dc0af4bb
 PKG_NAME:=glorytun-udp
-PKG_VERSION:=0.3.4
+PKG_VERSION:=0.3.4-$(PKG_SOURCE_VERSION)
-PKG_RELEASE:=24
+PKG_RELEASE:=23
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=LICENSE
 PKG_FIXUP:=autoreconf
@ -48,7 +46,7 @@ define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) init $(1)/etc/init.d/$(PKG_NAME)
 	$(INSTALL_DIR) $(1)/etc/config
-	$(INSTALL_DATA) glorytun-udp.config $(1)/etc/config/glorytun-udp
+	touch $(1)/etc/config/glorytun
 endef
 $(eval $(call BuildPackage,$(PKG_NAME)))
--- a/glorytun-udp/init
+++ b/glorytun-udp/init
@ -56,8 +56,6 @@ start_instance() {
 	_log "starting ${PROG_NAME} ${1} instance $*"
 	host=$(resolveip $host)
 	if [ "$mode" = "to" ]; then
 		bind="bind from addr :: port 5000 to addr $host port $port"
 	else
@ -81,7 +79,7 @@ start_instance() {
 	procd_close_instance
-	#tc qdisc replace dev ${dev} root cake
+	tc qdisc replace dev ${dev} root cake
 	#ip link set $dev txqlen 100
 	#config_load network
--- a/glorytun/Makefile
+++ b/glorytun/Makefile
@ -9,14 +9,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=glorytun
-PKG_RELEASE:=8
+PKG_RELEASE:=6
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=8aebb3efb3b108b1276aa74679e200e003f298de
+PKG_SOURCE_VERSION:=6d58536f4232fea8eaa10fb60aace8ba11f29ed6
 PKG_SOURCE:=glorytun-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/Ysurac/glorytun.git
-PKG_VERSION:=0.0.35
+PKG_VERSION:=0.0.35-$(PKG_SOURCE_VERSION)
-PKG_LICENSE:=BSD-2-Clause
+
 PKG_LICENSE_FILES:=LICENSE
 PKG_FIXUP:=autoreconf
 include $(INCLUDE_DIR)/package.mk
--- a/glorytun/init
+++ b/glorytun/init
@ -79,10 +79,10 @@ start_instance() {
 	[ "${multiqueue}" = "1" ] && procd_append_param command multiqueue
 	procd_append_param command \
-		retry count -1 const 5000000 \
+		retry count -1 const 500000 \
 		timeout ${timeout} \
 		keepalive count 5 idle 20 interval 2 \
-		buffer-size 65536
+		buffer-size 32768
 	procd_set_param respawn 0 30 0
 	procd_set_param file /tmp/${PROG_NAME}-${1}.key
--- a/golang-protobuf/Makefile
+++ b/golang-protobuf/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019-2023 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
+# Copyright (C) 2019 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -12,8 +12,8 @@ PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/golang/protobuf.git
-PKG_SOURCE_VERSION:=5d5e8c018a13017f9d5b8bf4fad64aaa42a87308
+PKG_SOURCE_VERSION:=347cf4a86c1cb8d262994d8ef5924d4576c5b331
-PKG_SOURCE_DATE:=20210916
+PKG_SOURCE_DATE:=20190109
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/golang/golang-build.sh
+++ b/golang/golang-build.sh
@ -1,10 +1,4 @@
 #!/bin/sh
 #
 # Copyright (C) 2020, 2022 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 nl="
 "
@ -62,7 +56,7 @@ configure() {
 	if [ "$GO_INSTALL_ALL" != 1 ]; then
 		code="$(printf '%s\n' "$files" | grep '\.\(c\|cc\|cpp\|go\|h\|hh\|hpp\|proto\|s\)$')"
 		testdata="$(printf '%s\n' "$files" | grep '/testdata/')"
-		gomod="$(printf '%s\n' "$files" | grep '/go\.\(mod\|sum\|work\)$')"
+		gomod="$(printf '%s\n' "$files" | grep '/go\.\(mod\|sum\)$')"
 		for pattern in $GO_INSTALL_EXTRA; do
 			extra="$(printf '%s\n' "$extra"; printf '%s\n' "$files" | grep -e "$pattern")"
@ -120,7 +114,7 @@ build() {
 	if [ "$GO_GO_GENERATE" = 1 ]; then
 		log "Calling go generate"
 		# shellcheck disable=SC2086
-		GOOS='' GOARCH='' GO386='' GOARM='' GOARM64='' GOMIPS='' GOMIPS64='' GORISCV64=''\
+		GOOS='' GOARCH='' GO386='' GOARM='' GOMIPS='' GOMIPS64='' \
 		go generate -v $targets
 		log
 	fi
--- a/golang/golang-compiler.mk
+++ b/golang/golang-compiler.mk
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2018, 2020-2021, 2023 Jeffery To
+# Copyright (C) 2018, 2020 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -19,15 +19,15 @@ define GoCompiler/Default/CheckHost
 endef
 # $(1) source go root
-# $(2) additional environment variables (optional)
+# $(2) destination prefix
 # $(3) go version id
 # $(4) additional environment variables (optional)
 define GoCompiler/Default/Make
 	( \
 		cd "$(1)/src" ; \
-		$(2) \
+		$(if $(2),GOROOT_FINAL="$(2)/lib/go-$(3)") \
-		$(BASH) make.bash \
+		$(4) \
-		$(if $(findstring s,$(OPENWRT_VERBOSE)),-v) \
+		$(BASH) make.bash --no-banner ; \
 		--no-banner \
 		; \
 	)
 endef
@ -57,10 +57,9 @@ define GoCompiler/Default/Install/Bin
 	$(call GoCompiler/Default/Install/install-share-data,$(1),$(2),$(3),api)
 	$(INSTALL_DATA) -p "$(1)/go.env" "$(2)/lib/go-$(3)/"
 	$(INSTALL_DATA) -p "$(1)/VERSION" "$(2)/lib/go-$(3)/"
-	for file in CONTRIBUTING.md LICENSE PATENTS README.md SECURITY.md; do \
+	for file in AUTHORS CONTRIBUTING.md CONTRIBUTORS LICENSE PATENTS README.md SECURITY.md; do \
 		if [ -f "$(1)/$$$$file" ]; then \
 			$(INSTALL_DATA) -p "$(1)/$$$$file" "$(2)/share/go-$(3)/" ; \
 		fi ; \
@ -74,10 +73,8 @@ define GoCompiler/Default/Install/Bin
 	$(INSTALL_BIN) -p "$(1)/bin/$(4)"/* "$(2)/lib/go-$(3)/bin/"
  endif
-	if [ -d "$(1)/pkg/$(4)$(if $(5),_$(5))" ]; then \
+	$(INSTALL_DIR) "$(2)/lib/go-$(3)/pkg"
-		$(INSTALL_DIR) "$(2)/lib/go-$(3)/pkg" ; \
+	$(CP) "$(1)/pkg/$(4)$(if $(5),_$(5))" "$(2)/lib/go-$(3)/pkg/"
 		$(CP) "$(1)/pkg/$(4)$(if $(5),_$(5))" "$(2)/lib/go-$(3)/pkg/" ; \
 	fi
 	$(INSTALL_DIR) "$(2)/lib/go-$(3)/pkg/tool/$(4)"
 	$(INSTALL_BIN) -p "$(1)/pkg/tool/$(4)"/* "$(2)/lib/go-$(3)/pkg/tool/$(4)/"
@ -98,6 +95,8 @@ define GoCompiler/Default/Install/Doc
 	$(call GoCompiler/Default/Install/make-dirs,$(2),$(3))
 	$(call GoCompiler/Default/Install/install-share-data,$(1),$(2),$(3),doc)
 	$(call GoCompiler/Default/Install/install-share-data,$(1),$(2),$(3),favicon.ico)
 	$(call GoCompiler/Default/Install/install-share-data,$(1),$(2),$(3),robots.txt)
 endef
 # $(1) source go root
@ -153,7 +152,7 @@ define GoCompiler/AddProfile
  # $$(1) additional environment variables (optional)
  define GoCompiler/$(1)/Make
-	$$(call GoCompiler/Default/Make,$(2),$$(1))
+	$$(call GoCompiler/Default/Make,$(2),$(3),$(4),$$(1))
  endef
  # $$(1) override install prefix (optional)
--- a/golang/golang-golang-x-crypto/Makefile
+++ b/golang/golang-golang-x-crypto/Makefile
@ -0,0 +1,47 @@
 #
 # Copyright (C) 2018 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=golang-golang-x-crypto
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/golang/crypto.git
 PKG_SOURCE_VERSION:=4def268fd1a49955bfb3dda92fe3db4f924f2285
 PKG_SOURCE_DATE:=20190701
 #PKG_MIRROR_HASH:=80b16b203736ac56883d0610edbc5981eb78f15b7b35d11b5ca639f7c3814214
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 GO_PKG:=golang.org/x/crypto
 GO_PKG_SOURCE_ONLY:=1
 include $(INCLUDE_DIR)/package.mk
 include ../golang-package.mk
 define Package/golang-golang-x-crypto-dev
 $(call GoPackage/GoSubMenu)
  TITLE:=Go supplementary cryptography libraries
  URL:=https://godoc.org/golang.org/x/crypto
  DEPENDS:=$(GO_ARCH_DEPENDS) \
    +golang-golang-x-net-dev \
    +golang-golang-x-sys-dev
  PKGARCH:=all
 endef
 define Package/golang-golang-x-crypto-dev/description
 Supplementary Go cryptography libraries.
 endef
 $(eval $(call GoSrcPackage,golang-golang-x-crypto-dev))
 $(eval $(call BuildPackage,golang-golang-x-crypto-dev))
--- a/golang/golang-golang-x-net/Makefile
+++ b/golang/golang-golang-x-net/Makefile
@ -0,0 +1,58 @@
 #
 # Copyright (C) 2018 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=golang-golang-x-net
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/golang/net.git
 PKG_SOURCE_VERSION:=afe8f62b1d6bbd81f31868121a50b06d8188e1f9
 PKG_SOURCE_DATE:=20180620
 PKG_MIRROR_HASH:=9a8bb3bf21ea60121d7e87f1bd1af9effbdcd908f758be99457653172d13eb1e
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 GO_PKG:=golang.org/x/net
 # exclude http2/h2i to break circular dependency with golang-golang-x-crypto-dev
 # since there are no other binaries, can skip compilation
 GO_PKG_SOURCE_ONLY:=1
 include $(INCLUDE_DIR)/package.mk
 include ../golang-package.mk
 define Package/golang-golang-x-net-dev
 $(call GoPackage/GoSubMenu)
  TITLE:=Go supplementary network libraries
  URL:=https://godoc.org/golang.org/x/net
  DEPENDS:=$(GO_ARCH_DEPENDS) +golang-golang-x-text-dev
  PKGARCH:=all
 endef
 define Package/golang-golang-x-net-dev/description
 Supplementary Go networking libraries.
 endef
 # http2/testdata/draft-ietf-httpbis-http2.xml is a non-free document
 # http2/z_spec_test.go uses http2/testdata/draft-ietf-httpbis-http2.xml
 define Package/golang-golang-x-net-dev/install
 	$(call GoPackage/Package/Install/Src,$(1))
 	rm -f $(1)$(GO_PKG_PATH)/src/$(GO_PKG)/http2/testdata/draft-ietf-httpbis-http2.xml
 	rmdir $(1)$(GO_PKG_PATH)/src/$(GO_PKG)/http2/testdata/
 	rm -f $(1)$(GO_PKG_PATH)/src/$(GO_PKG)/http2/z_spec_test.go
 endef
 $(eval $(call GoSrcPackage,golang-golang-x-net-dev))
 $(eval $(call BuildPackage,golang-golang-x-net-dev))
--- a/golang/golang-golang-x-sys/Makefile
+++ b/golang/golang-golang-x-sys/Makefile
@ -0,0 +1,46 @@
 #
 # Copyright (C) 2018 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=golang-golang-x-sys
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/golang/sys.git
 PKG_SOURCE_VERSION:=63fc586f45fe72d95d5240a5d5eb95e6503907d3
 PKG_SOURCE_DATE:=20180621
 PKG_MIRROR_HASH:=3afe7936fb9fb291ef9b9cfa88f51576cdc19abbd34240232ce284958ac7dbaf
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 GO_PKG:=golang.org/x/sys
 GO_PKG_SOURCE_ONLY:=1
 include $(INCLUDE_DIR)/package.mk
 include ../golang-package.mk
 define Package/golang-golang-x-sys-dev
 $(call GoPackage/GoSubMenu)
  TITLE:=Go packages for interaction with the OS
  URL:=https://godoc.org/golang.org/x/sys
  DEPENDS:=$(GO_ARCH_DEPENDS)
  PKGARCH:=all
 endef
 define Package/golang-golang-x-sys-dev/description
 Supplementary Go packages for low-level interactions with the operating
 system.
 endef
 $(eval $(call GoSrcPackage,golang-golang-x-sys-dev))
 $(eval $(call BuildPackage,golang-golang-x-sys-dev))
--- a/golang/golang-golang-x-text/Makefile
+++ b/golang/golang-golang-x-text/Makefile
@ -0,0 +1,47 @@
 #
 # Copyright (C) 2018 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=golang-golang-x-text
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/golang/text.git
 PKG_SOURCE_VERSION:=5cec4b58c438bd98288aeb248bab2c1840713d21
 PKG_SOURCE_DATE:=20180520
 PKG_MIRROR_HASH:=6c541a59f32f57afa54a2216045ddf16a077f8fe2e823fbbe77723eca04ddddb
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 GO_PKG:=golang.org/x/text
 # exclude gotext (and message/pipeline) to avoid dependency on golang.org/x/tools
 # since there are no other binaries, can skip compilation
 GO_PKG_SOURCE_ONLY:=1
 include $(INCLUDE_DIR)/package.mk
 include ../golang-package.mk
 define Package/golang-golang-x-text-dev
 $(call GoPackage/GoSubMenu)
  TITLE:=Go text processing support
  URL:=https://godoc.org/golang.org/x/text
  DEPENDS:=$(GO_ARCH_DEPENDS)
  PKGARCH:=all
 endef
 define Package/golang-golang-x-text-dev/description
 Supplementary Go libraries for text processing, many involving Unicode.
 endef
 $(eval $(call GoSrcPackage,golang-golang-x-text-dev))
 $(eval $(call BuildPackage,golang-golang-x-text-dev))
--- a/golang/golang-host-build.mk
+++ b/golang/golang-host-build.mk
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020, 2022 Jeffery To
+# Copyright (C) 2020 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -107,10 +107,10 @@ GO_HOST_CUSTOM_LDFLAGS= \
 GO_HOST_INSTALL_ARGS= \
 	-v \
 	-ldflags "all=$(GO_HOST_DEFAULT_LDFLAGS)" \
-	$(if $(GO_HOST_ENABLE_PIE),-buildmode pie) \
+	$(if $(filter $(GO_HOST_ENABLE_PIE),1),-buildmode pie) \
-	$(if $(strip $(GO_HOST_GCFLAGS)),-gcflags "$(GO_HOST_GCFLAGS)") \
+	$(if $(GO_HOST_GCFLAGS),-gcflags "$(GO_HOST_GCFLAGS)") \
-	$(if $(strip $(GO_HOST_CUSTOM_LDFLAGS)),-ldflags "$(GO_HOST_CUSTOM_LDFLAGS) $(GO_HOST_DEFAULT_LDFLAGS)") \
+	$(if $(GO_HOST_CUSTOM_LDFLAGS),-ldflags "$(GO_HOST_CUSTOM_LDFLAGS) $(GO_HOST_DEFAULT_LDFLAGS)") \
-	$(if $(strip $(GO_HOST_TAGS)),-tags "$(GO_HOST_TAGS)")
+	$(if $(GO_HOST_TAGS),-tags "$(GO_HOST_TAGS)")
 define GoHost/Host/Configure
 	$(GO_GENERAL_BUILD_CONFIG_VARS) \
--- a/golang/golang-package.mk
+++ b/golang/golang-package.mk
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2018-2022 Jeffery To
+# Copyright (C) 2018-2020 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -32,7 +32,7 @@ include $(GO_INCLUDE_DIR)/golang-values.mk
 #
 #   * Files in any 'testdata' directory
 #
-#   * go.mod, go.sum and go.work, in any directory
+#   * go.mod and go.sum, in any directory
 #
 #   e.g. GO_PKG_INSTALL_EXTRA:=example.toml marshal_test.toml
 #
@ -198,11 +198,9 @@ GO_PKG_TARGET_VARS= \
 	GOOS="$(GO_OS)" \
 	GOARCH="$(GO_ARCH)" \
 	GO386="$(GO_386)" \
 	GOAMD64="$(GO_AMD64)" \
 	GOARM="$(GO_ARM)" \
 	GOMIPS="$(GO_MIPS)" \
 	GOMIPS64="$(GO_MIPS64)" \
 	GOPPC64="$(GO_PPC64)" \
 	CGO_ENABLED=1 \
 	CC="$(TARGET_CC)" \
 	CXX="$(TARGET_CXX)" \
@ -215,8 +213,7 @@ GO_PKG_BUILD_VARS= \
 	GOPATH="$(GO_PKG_BUILD_DIR)" \
 	GOCACHE="$(GO_BUILD_CACHE_DIR)" \
 	GOMODCACHE="$(GO_MOD_CACHE_DIR)" \
-	GOENV=off \
+	GOENV=off
 	GOTOOLCHAIN=local
 GO_PKG_VARS= \
 	$(GO_PKG_TARGET_VARS) \
@ -239,18 +236,17 @@ GO_PKG_CUSTOM_LDFLAGS= \
 GO_PKG_INSTALL_ARGS= \
 	-v \
 	-buildvcs=false \
 	-trimpath \
 	-ldflags "all=$(GO_PKG_DEFAULT_LDFLAGS)" \
-	$(if $(strip $(GO_PKG_DEFAULT_GCFLAGS)),-gcflags "all=$(GO_PKG_DEFAULT_GCFLAGS)") \
+	$(if $(GO_PKG_DEFAULT_GCFLAGS),-gcflags "all=$(GO_PKG_DEFAULT_GCFLAGS)") \
-	$(if $(strip $(GO_PKG_DEFAULT_ASMFLAGS)),-asmflags "all=$(GO_PKG_DEFAULT_ASMFLAGS)") \
+	$(if $(GO_PKG_DEFAULT_ASMFLAGS),-asmflags "all=$(GO_PKG_DEFAULT_ASMFLAGS)") \
-	$(if $(GO_PKG_ENABLE_PIE),-buildmode pie) \
+	$(if $(filter $(GO_PKG_ENABLE_PIE),1),-buildmode pie) \
 	$(if $(filter $(GO_ARCH),arm),-installsuffix "v$(GO_ARM)") \
 	$(if $(filter $(GO_ARCH),mips mipsle),-installsuffix "$(GO_MIPS)") \
 	$(if $(filter $(GO_ARCH),mips64 mips64le),-installsuffix "$(GO_MIPS64)") \
-	$(if $(strip $(GO_PKG_GCFLAGS)),-gcflags "$(GO_PKG_GCFLAGS) $(GO_PKG_DEFAULT_GCFLAGS)") \
+	$(if $(GO_PKG_GCFLAGS),-gcflags "$(GO_PKG_GCFLAGS) $(GO_PKG_DEFAULT_GCFLAGS)") \
-	$(if $(strip $(GO_PKG_CUSTOM_LDFLAGS)),-ldflags "$(GO_PKG_CUSTOM_LDFLAGS) $(GO_PKG_DEFAULT_LDFLAGS)") \
+	$(if $(GO_PKG_CUSTOM_LDFLAGS),-ldflags "$(GO_PKG_CUSTOM_LDFLAGS) $(GO_PKG_DEFAULT_LDFLAGS)") \
-	$(if $(strip $(GO_PKG_TAGS)),-tags "$(GO_PKG_TAGS)")
+	$(if $(GO_PKG_TAGS),-tags "$(GO_PKG_TAGS)")
 define GoPackage/Build/Configure
 	$(GO_GENERAL_BUILD_CONFIG_VARS) \
@ -318,3 +314,14 @@ define GoSrcPackage
    Package/$(1)/install=$$(call GoPackage/Package/Install/Src,$$(1))
  endif
 endef
 # Deprecated variables - these will be removed after the next OpenWrt release
 GO_PKG_PATH=$(GO_PKG_BUILD_DEPENDS_PATH)
 GO_PKG_WORK_DIR=$(PKG_BUILD_DIR)/$(GO_PKG_WORK_DIR_NAME)
 GO_PKG_CACHE_DIR=$(GO_BUILD_CACHE_DIR)
 GO_PKG_DEFAULT_VARS=$(GO_PKG_VARS)
 GoPackage/Environment=$(GO_PKG_VARS)
 GoPackage/is_dir_not_empty=$$$$($(FIND) "$(1)" -maxdepth 0 -type d \! -empty 2>/dev/null)
 GoPackage/has_binaries=$(call GoPackage/is_dir_not_empty,$(GO_PKG_BUILD_BIN_DIR))
 # End of deprecated variables
--- a/golang/golang-values.mk
+++ b/golang/golang-values.mk
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2018-2023 Jeffery To
+# Copyright (C) 2018, 2020 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -29,9 +29,7 @@ unexport \
  GOOS \
  GOPATH \
  GOROOT \
-  GOTOOLCHAIN \
+  GOTMPDIR
  GOTMPDIR \
  GOWORK
 # Unmodified:
 #   GOINSECURE
 #   GOPRIVATE
@ -59,19 +57,11 @@ unexport \
 # Architecture-specific environment variables:
 unexport \
  GOARM \
  GOARM64 \
  GO386 \
  GOAMD64 \
  GOMIPS \
  GOMIPS64 \
  GOPPC64 \
  GORISCV64 \
  GOWASM
 # Environment variables for use with code coverage:
 unexport \
  GOCOVERDIR
 # Special-purpose environment variables:
 unexport \
  GCCGOTOOLDIR \
@ -84,7 +74,6 @@ unexport \
 # From https://pkg.go.dev/runtime#hdr-Environment_Variables
 unexport \
  GOGC \
  GOMEMLIMIT \
  GOMAXPROCS \
  GORACE \
  GOTRACEBACK
@ -97,12 +86,13 @@ unexport \
 #   CC_FOR_${GOOS}_${GOARCH}
 #   CXX_FOR_${GOOS}_${GOARCH}
-# From https://go.dev/doc/install/source#environment
+# From https://golang.org/doc/install/source#environment
 unexport \
  GOHOSTOS \
-  GOHOSTARCH
+  GOHOSTARCH \
  GOPPC64
-# From https://go.dev/src/make.bash
+# From https://golang.org/src/make.bash
 unexport \
  GO_GCFLAGS \
  GO_LDFLAGS \
@ -111,16 +101,16 @@ unexport \
  GOBUILDTIMELOGFILE \
  GOROOT_BOOTSTRAP
-# From https://go.dev/doc/go1.9#parallel-compile
+# From https://golang.org/doc/go1.9#parallel-compile
 unexport \
  GO19CONCURRENTCOMPILATION
-# From https://go.dev/src/cmd/dist/build.go
+# From https://golang.org/src/cmd/dist/build.go
 unexport \
  BOOT_GO_GCFLAGS \
  BOOT_GO_LDFLAGS
-# From https://go.dev/src/cmd/dist/buildtool.go
+# From https://golang.org/src/cmd/dist/buildtool.go
 unexport \
  GOBOOTSTRAP_TOOLEXEC
@ -162,9 +152,6 @@ ifeq ($(GO_ARCH),386)
  # -fno-plt: causes "unexpected GOT reloc for non-dynamic symbol" errors
  GO_CFLAGS_TO_REMOVE:=-fno-plt
 else ifeq ($(GO_ARCH),amd64)
  GO_AMD64:=v1
 else ifeq ($(GO_ARCH),arm)
  GO_TARGET_FPU:=$(word 2,$(subst +,$(space),$(call qstrip,$(CONFIG_CPU_TYPE))))
@ -196,24 +183,22 @@ else ifneq ($(filter $(GO_ARCH),mips64 mips64le),)
    GO_MIPS64:=softfloat
  endif
 else ifeq ($(GO_ARCH),ppc64)
  GO_PPC64:=power8
 endif
 # Target Go
-GO_ARCH_DEPENDS:=@(aarch64||arm||i386||i686||mips||mips64||mips64el||mipsel||powerpc64||riscv64||x86_64)
+GO_ARCH_DEPENDS:=@(aarch64||arm||i386||i686||mips||mips64||mips64el||mipsel||powerpc64||x86_64)
 # ASLR/PIE
-# From https://go.dev/src/internal/platform/supported.go
+# From https://golang.org/src/cmd/internal/sys/supported.go
 GO_PIE_SUPPORTED_OS_ARCH:= \
  android_386  android_amd64  android_arm  android_arm64 \
  linux_386    linux_amd64    linux_arm    linux_arm64 \
-  windows_386  windows_amd64  windows_arm  windows_arm64 \
+  \
  windows_386  windows_amd64  windows_arm \
  \
  darwin_amd64 darwin_arm64 \
  ios_amd64    ios_arm64 \
@ -222,10 +207,10 @@ GO_PIE_SUPPORTED_OS_ARCH:= \
  \
  aix_ppc64 \
  \
-  linux_loong64 linux_ppc64le linux_riscv64 linux_s390x
+  linux_ppc64le linux_riscv64 linux_s390x
-# From https://go.dev/src/cmd/go/internal/work/init.go
+# From https://golang.org/src/cmd/go/internal/work/init.go
-go_pie_install_suffix=$(if $(filter $(1),aix_ppc64 windows_386 windows_amd64 windows_arm windows_arm64),,shared)
+go_pie_install_suffix=$(if $(filter $(1),aix_ppc64 windows_386 windows_amd64 windows_arm),,shared)
 ifneq ($(filter $(GO_HOST_OS_ARCH),$(GO_PIE_SUPPORTED_OS_ARCH)),)
  GO_HOST_PIE_SUPPORTED:=1
--- a/golang/golang/Config.in
+++ b/golang/golang/Config.in
@ -17,7 +17,7 @@ config GOLANG_BUILD_CACHE_DIR
 	default ""
 	help
 	  Store the Go build cache in this directory.
-	  If not set, uses '$(TMP_DIR)/go-build'.
+	  If not set, uses './.go-build'.
 config GOLANG_MOD_CACHE_WORLD_READABLE
 	bool "Ensure Go module cache is world-readable"
--- a/golang/golang/Makefile
+++ b/golang/golang/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2018-2023 Jeffery To
+# Copyright (C) 2018, 2020 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -7,8 +7,8 @@
 include $(TOPDIR)/rules.mk
-GO_VERSION_MAJOR_MINOR:=1.23
+GO_VERSION_MAJOR_MINOR:=1.17
-GO_VERSION_PATCH:=4
+GO_VERSION_PATCH:=3
 PKG_NAME:=golang
 PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \
 PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
 PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=ad345ac421e90814293a9699cca19dd5238251c3f687980bbcae28495b263531
+PKG_HASH:=705c64251e5b25d5d55ede1039c6aa22bea40a7a931d14c370339853643c3df0
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
@ -30,10 +30,11 @@ PKG_CPE_ID:=cpe:/a:golang:go
 PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_DIR:=$(BUILD_DIR)/go-$(PKG_VERSION)
 PKG_BUILD_PARALLEL:=1
-PKG_BUILD_FLAGS:=no-mips16
+PKG_USE_MIPS16:=0
 PKG_GO_PREFIX:=/usr
 PKG_GO_VERSION_ID:=$(GO_VERSION_MAJOR_MINOR)
 PKG_GO_ROOT:=$(PKG_GO_PREFIX)/lib/go-$(PKG_GO_VERSION_ID)
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/go-$(PKG_VERSION)
 HOST_BUILD_PARALLEL:=1
@ -61,14 +62,10 @@ HOST_GO_VALID_OS_ARCH:= \
  \
  aix_ppc64 \
  js_wasm \
  wasip1_wasm \
  \
  freebsd_riscv64 \
  openbsd_riscv64 \
  \
  linux_ppc64 linux_ppc64le \
  linux_mips linux_mipsle linux_mips64 linux_mips64le \
-  linux_loong64 linux_riscv64 linux_s390x \
+  linux_riscv64 linux_s390x \
  \
  openbsd_mips64
@ -89,18 +86,6 @@ BOOTSTRAP_GO_VALID_OS_ARCH:= \
                 solaris_amd64 \
  windows_386    windows_amd64
 BOOTSTRAP_1_17_SOURCE:=go1.17.13.src.tar.gz
 BOOTSTRAP_1_17_SOURCE_URL:=$(GO_SOURCE_URLS)
 BOOTSTRAP_1_17_HASH:=a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd
 BOOTSTRAP_1_17_BUILD_DIR:=$(HOST_BUILD_DIR)/.go_bootstrap_1.17
 BOOTSTRAP_1_20_SOURCE:=go1.20.6.src.tar.gz
 BOOTSTRAP_1_20_SOURCE_URL:=$(GO_SOURCE_URLS)
 BOOTSTRAP_1_20_HASH:=62ee5bc6fb55b8bae8f705e0cb8df86d6453626b4ecf93279e2867092e0b7f70
 BOOTSTRAP_1_20_BUILD_DIR:=$(HOST_BUILD_DIR)/.go_bootstrap_1.20
 include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/package.mk
 include ../golang-compiler.mk
@ -109,8 +94,6 @@ include ../golang-package.mk
 PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
 HOST_UNPACK:=$(HOST_TAR) -C "$(HOST_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
 BOOTSTRAP_UNPACK:=$(HOST_TAR) -C "$(BOOTSTRAP_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(BOOTSTRAP_SOURCE)"
 BOOTSTRAP_1_17_UNPACK:=$(HOST_TAR) -C "$(BOOTSTRAP_1_17_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(BOOTSTRAP_1_17_SOURCE)"
 BOOTSTRAP_1_20_UNPACK:=$(HOST_TAR) -C "$(BOOTSTRAP_1_20_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(BOOTSTRAP_1_20_SOURCE)"
 # don't strip ELF executables in test data
 RSTRIP:=:
@ -123,7 +106,7 @@ endif
 define Package/golang/Default
 $(call GoPackage/GoSubMenu)
  TITLE:=Go programming language
-  URL:=https://go.dev/
+  URL:=https://golang.org/
  DEPENDS:=$(GO_ARCH_DEPENDS)
 endef
@ -198,7 +181,8 @@ ifeq ($(BOOTSTRAP_ROOT_DIR),)
  $(eval $(call Download,golang-bootstrap))
  define Bootstrap/Prepare
-	mkdir -p "$(BOOTSTRAP_BUILD_DIR)" && $(BOOTSTRAP_UNPACK) ;
+	mkdir -p "$(BOOTSTRAP_BUILD_DIR)"
 	$(BOOTSTRAP_UNPACK)
  endef
  Hooks/HostPrepare/Post+=Bootstrap/Prepare
@ -206,39 +190,6 @@ ifeq ($(BOOTSTRAP_ROOT_DIR),)
 endif
 # Bootstrap 1.17
 define Download/golang-bootstrap-1.17
  FILE:=$(BOOTSTRAP_1_17_SOURCE)
  URL:=$(BOOTSTRAP_1_17_SOURCE_URL)
  HASH:=$(BOOTSTRAP_1_17_HASH)
 endef
 $(eval $(call Download,golang-bootstrap-1.17))
 define Bootstrap-1.17/Prepare
 	mkdir -p "$(BOOTSTRAP_1_17_BUILD_DIR)" && $(BOOTSTRAP_1_17_UNPACK) ;
 endef
 Hooks/HostPrepare/Post+=Bootstrap-1.17/Prepare
 $(eval $(call GoCompiler/AddProfile,Bootstrap-1.17,$(BOOTSTRAP_1_17_BUILD_DIR),,bootstrap-1.17,$(GO_HOST_OS_ARCH)))
 # Bootstrap 1.20
 define Download/golang-bootstrap-1.20
  FILE:=$(BOOTSTRAP_1_20_SOURCE)
  URL:=$(BOOTSTRAP_1_20_SOURCE_URL)
  HASH:=$(BOOTSTRAP_1_20_HASH)
 endef
 $(eval $(call Download,golang-bootstrap-1.20))
 define Bootstrap-1.20/Prepare
 	mkdir -p "$(BOOTSTRAP_1_20_BUILD_DIR)" && $(BOOTSTRAP_1_20_UNPACK) ;
 endef
 Hooks/HostPrepare/Post+=Bootstrap-1.20/Prepare
 $(eval $(call GoCompiler/AddProfile,Bootstrap-1.20,$(BOOTSTRAP_1_20_BUILD_DIR),,bootstrap-1.20,$(GO_HOST_OS_ARCH)))
 # Host
 ifeq ($(GO_HOST_PIE_SUPPORTED),1)
@ -251,36 +202,23 @@ endif
 $(eval $(call GoCompiler/AddProfile,Host,$(HOST_BUILD_DIR),$(HOST_GO_PREFIX),$(HOST_GO_VERSION_ID),$(GO_HOST_OS_ARCH),$(HOST_GO_INSTALL_SUFFIX)))
 HOST_GO_VARS= \
 	GOHOSTARCH="$(GO_HOST_ARCH)" \
 	GOCACHE="$(GO_BUILD_CACHE_DIR)" \
 	GOENV=off \
 	CC="$(HOSTCC_NOCACHE)" \
 	CXX="$(HOSTCXX_NOCACHE)"
-define Host/Configure
+define Host/Compile
 	$(call GoCompiler/Bootstrap/CheckHost,$(BOOTSTRAP_GO_VALID_OS_ARCH))
 	$(call GoCompiler/Host/CheckHost,$(HOST_GO_VALID_OS_ARCH))
 	mkdir -p "$(GO_BUILD_CACHE_DIR)"
 endef
 define Host/Compile
 	$(call GoCompiler/Bootstrap/Make, \
 		$(HOST_GO_VARS) \
 	)
 	$(call GoCompiler/Bootstrap-1.17/Make, \
 		GOROOT_BOOTSTRAP="$(BOOTSTRAP_ROOT_DIR)" \
 		$(HOST_GO_VARS) \
 	)
 	$(call GoCompiler/Bootstrap-1.20/Make, \
 		GOROOT_BOOTSTRAP="$(BOOTSTRAP_1_17_BUILD_DIR)" \
 		$(HOST_GO_VARS) \
 	)
 	$(call GoCompiler/Host/Make, \
-		GOROOT_BOOTSTRAP="$(BOOTSTRAP_1_20_BUILD_DIR)" \
+		GOROOT_BOOTSTRAP="$(BOOTSTRAP_ROOT_DIR)" \
 		$(if $(HOST_GO_ENABLE_PIE),GO_LDFLAGS="-buildmode pie") \
 		$(HOST_GO_VARS) \
 	)
@ -324,16 +262,14 @@ $(eval $(call GoCompiler/AddProfile,Package,$(PKG_BUILD_DIR),$(PKG_GO_PREFIX),$(
 PKG_GO_ZBOOTSTRAP_MODS:= \
 	s/defaultGO386 = `[^`]*`/defaultGO386 = `$(or $(GO_386),sse2)`/; \
-	s/defaultGOAMD64 = `[^`]*`/defaultGOAMD64 = `$(or $(GO_AMD64),v1)`/; \
+	s/defaultGOARM = `[^`]*`/defaultGOARM = `$(or $(GO_ARM),5)`/; \
 	s/defaultGOARM = `[^`]*`/defaultGOARM = `$(or $(GO_ARM),7)`/; \
 	s/defaultGOMIPS = `[^`]*`/defaultGOMIPS = `$(or $(GO_MIPS),hardfloat)`/; \
 	s/defaultGOMIPS64 = `[^`]*`/defaultGOMIPS64 = `$(or $(GO_MIPS64),hardfloat)`/; \
-	s/defaultGOPPC64 = `[^`]*`/defaultGOPPC64 = `$(or $(GO_PPC64),power8)`/;
+	s/defaultGOPPC64 = `[^`]*`/defaultGOPPC64 = `power8`/;
 PKG_GO_ZBOOTSTRAP_PATH:=$(PKG_BUILD_DIR)/src/internal/buildcfg/zbootstrap.go
 PKG_GO_VARS= \
 	GOHOSTARCH="$(GO_HOST_ARCH)" \
 	GOCACHE="$(GO_BUILD_CACHE_DIR)" \
 	GOENV=off \
 	GO_GCC_HELPER_PATH="$$$$PATH" \
@ -354,19 +290,18 @@ PKG_GO_LDFLAGS= \
 	-extldflags '$(patsubst -z%,-Wl$(comma)-z$(comma)%,$(TARGET_LDFLAGS))' \
 	$(if $(CONFIG_NO_STRIP)$(CONFIG_DEBUG),,-s -w)
 # setting -trimpath is not necessary here because the paths inside the
 # compiler binary are relative to GOROOT_FINAL (PKG_GO_ROOT), which is
 # static / not dependent on the build environment
 PKG_GO_INSTALL_ARGS= \
 	-buildvcs=false \
 	-trimpath \
 	-ldflags "all=$(PKG_GO_LDFLAGS)" \
 	$(if $(PKG_GO_GCFLAGS),-gcflags "all=$(PKG_GO_GCFLAGS)") \
 	$(if $(PKG_GO_ASMFLAGS),-asmflags "all=$(PKG_GO_ASMFLAGS)") \
 	$(if $(filter $(GO_PKG_ENABLE_PIE),1),-buildmode pie)
 define Build/Configure
 	mkdir -p "$(GO_BUILD_CACHE_DIR)"
 endef
 define Build/Compile
 	mkdir -p "$(GO_BUILD_CACHE_DIR)"
 	@echo "Building target Go first stage"
 	$(call GoCompiler/Package/Make, \
@ -394,6 +329,7 @@ define Build/Compile
 		cd "$(PKG_BUILD_DIR)/bin" ; \
 		export $(GO_PKG_TARGET_VARS) ; \
 		$(CP) go go-host ; \
 		GOROOT_FINAL="$(PKG_GO_ROOT)" \
 		GO_GCC_HELPER_CC="$(TARGET_CC)" \
 		GO_GCC_HELPER_CXX="$(TARGET_CXX)" \
 		$(PKG_GO_VARS) \
--- a/golang/golang/files/go-gcc-helper
+++ b/golang/golang/files/go-gcc-helper
@ -1,10 +1,4 @@
 #!/bin/sh
 #
 # Copyright (C) 2018, 2020 Jeffery To
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 me=go-gcc-helper
 name="${0##*/}"
--- a/golang/golang/test.sh
+++ b/golang/golang/test.sh
@ -1,5 +0,0 @@
 #!/bin/sh
 [ "$1" = golang ] || exit 0
 go version | grep -F " go$PKG_VERSION "
--- a/grpcurl/Makefile
+++ b/grpcurl/Makefile
@ -1,60 +0,0 @@
 #
 # Copyright (C) 2022 Ycarus (Yannick Chabanois) <ycarus@zugaina.org> for OpenMPTCProuter
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=grpcurl
 PKG_VERSION:=1.8.6
 PKG_RELEASE:=1
 PKG_SOURCE:=v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/fullstorydev/grpcurl/archive/refs/tags/
 PKG_HASH:=18b457f644baabeef0de350596dd8d23563586ee94a3ed3cb290063e097ab934
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Yannick Chabanois <ycarus@zugaina.org>
 PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 PKG_USE_MIPS16:=0
 GO_PKG:=github.com/fullstorydev/grpcurl
 GO_PKG_BUILD_PKG:=github.com/fullstorydev/grpcurl/cmd/grpcurl
 GO_PKG_LDFLAGS_X:= \
    $(GO_PKG)/constant.Version=$(PKG_VERSION) \
    $(GO_PKG)/constant.Commit=v$(PKG_VERSION)
 GO_PKG_LDFLAGS:=-s -w
 GO_PKG_TAGS:=master
 include $(INCLUDE_DIR)/package.mk
 include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk
 define Package/grpcurl
  TITLE:=grpcurl is a command-line tool that lets you interact with gRPC servers
  URL:=https://github.com/fullstorydev/grpcurl
  SECTION:=net
  CATEGORY:=Network
  DEPENDS:=$(GO_ARCH_DEPENDS) +protobuf
 endef
 define Package/grpcurl/description
  grpcurl is a command-line tool that lets you interact with gRPC servers. It's basically curl for gRPC servers.
  The main purpose for this tool is to invoke RPC methods on a gRPC server from the command-line. gRPC servers use a binary encoding on the wire (protocol buffers, or "protobufs" for short). So they are basically impossible to interact with using regular curl (and older versions of curl that do not support HTTP/2 are of course non-starters). This program accepts messages using JSON encoding, which is much more friendly for both humans and scripts.
 endef
 define Package/v2ray-core/install
 	$(call GoPackage/Package/Install/Bin,$(PKG_INSTALL_DIR))
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/grpcurl $(1)/usr/bin
 endef
 $(eval $(call GoBinPackage,grpcurl))
 $(eval $(call BuildPackage,grpcurl))
--- a/https-dns-proxy/Makefile
+++ b/https-dns-proxy/Makefile
@ -0,0 +1,48 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=https-dns-proxy
 PKG_VERSION:=2021-06-03
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy
 PKG_SOURCE_DATE:=2021-06-03
 PKG_SOURCE_VERSION:=5651b984f770a8bcecb14aeffc224703f8f82586
 PKG_MIRROR_HASH:=b65161936269aa3117debad0fcfce157024726b78d7e7da77c226f7aa8da5b4d
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 CMAKE_OPTIONS += -DCLANG_TIDY_EXE=
 define Package/https-dns-proxy
 	SECTION:=net
 	CATEGORY:=Network
 	TITLE:=DNS Over HTTPS Proxy
 	URL:=https://docs.openwrt.melmac.net/https-dns-proxy/
 	DEPENDS:=+libcares +libcurl +libev +ca-bundle
 	CONFLICTS:=https_dns_proxy
 endef
 define Package/https-dns-proxy/description
 https-dns-proxy is a light-weight DNS<-->HTTPS, non-caching translation proxy for the RFC 8484 DoH standard.
 It receives regular (UDP) DNS requests and issues them via DoH.
 Please see https://docs.openwrt.melmac.net/https-dns-proxy/ for more information.
 endef
 define Package/https-dns-proxy/conffiles
 /etc/config/https-dns-proxy
 endef
 define Package/https-dns-proxy/install
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d ${1}/etc/config
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/https_dns_proxy $(1)/usr/sbin/https-dns-proxy
 	$(INSTALL_BIN) ./files/https-dns-proxy.init $(1)/etc/init.d/https-dns-proxy
 	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/https-dns-proxy
 	$(INSTALL_CONF) ./files/https-dns-proxy.config $(1)/etc/config/https-dns-proxy
 endef
 $(eval $(call BuildPackage,https-dns-proxy))
--- a/https-dns-proxy/files/README.md
+++ b/https-dns-proxy/files/README.md
@ -0,0 +1,3 @@
 # README
 README has been moved to [https://docs.openwrt.melmac.net/https-dns-proxy/](https://docs.openwrt.melmac.net/https-dns-proxy/).
--- a/https-dns-proxy/files/https-dns-proxy.config
+++ b/https-dns-proxy/files/https-dns-proxy.config
@ -0,0 +1,18 @@
 config main 'config'
 	option update_dnsmasq_config '*'
 config https-dns-proxy
 	option bootstrap_dns '8.8.8.8,8.8.4.4'
 	option resolver_url 'https://dns.google/dns-query'
 	option listen_addr '127.0.0.1'
 	option listen_port '5053'
 	option user 'nobody'
 	option group 'nogroup'
 config https-dns-proxy
 	option bootstrap_dns '1.1.1.1,1.0.0.1'
 	option resolver_url 'https://cloudflare-dns.com/dns-query'
 	option listen_addr '127.0.0.1'
 	option listen_port '5054'
 	option user 'nobody'
 	option group 'nogroup'
--- a/https-dns-proxy/files/https-dns-proxy.init
+++ b/https-dns-proxy/files/https-dns-proxy.init
@ -0,0 +1,237 @@
 #!/bin/sh /etc/rc.common
 # Copyright 2019-2020 Stan Grishin (stangri@melmac.net)
 # shellcheck disable=SC2039,SC3043,SC3060
 PKG_VERSION='dev-test'
 # shellcheck disable=SC2034
 START=80
 # shellcheck disable=SC2034
 USE_PROCD=1
 if type extra_command 1>/dev/null 2>&1; then
 	extra_command 'version' 'Show version information'
 else
 # shellcheck disable=SC2034
 	EXTRA_COMMANDS='version'
 fi
 readonly PROG=/usr/sbin/https-dns-proxy
 dnsmasqConfig=''; forceDNS=''; forceDNSPorts='';
 version() { echo "$PKG_VERSION"; }
 xappend() { param="$param $1"; }
 append_bool() {
 	local section="$1"
 	local option="$2"
 	local value="$3"
 	local default="$4"
 	local _loctmp
 	[ -z "$default" ] && default="0"
 	config_get_bool _loctmp "$section" "$option" "$default"
 	[ "$_loctmp" != "0" ] && xappend "$value"
 }
 append_parm() {
 	local section="$1"
 	local option="$2"
 	local switch="$3"
 	local default="$4"
 	local _loctmp
 	config_get _loctmp "$section" "$option" "$default"
 	[ -z "$_loctmp" ] && return 0
 	xappend "$switch $_loctmp"
 }
 start_instance() {
 	local cfg="$1" param listen_addr listen_port i
 	append_parm "$cfg" 'resolver_url' '-r'
 	append_parm "$cfg" 'polling_interval' '-i'
 	append_parm "$cfg" 'listen_addr' '-a' '127.0.0.1'
 	append_parm "$cfg" 'listen_port' '-p' "$p"
 	append_parm "$cfg" 'dscp_codepoint' '-c'
 	append_parm "$cfg" 'bootstrap_dns' '-b'
 	append_parm "$cfg" 'user' '-u' 'nobody'
 	append_parm "$cfg" 'group' '-g' 'nogroup'
 	append_parm "$cfg" 'proxy_server' '-t'
 	append_parm "$cfg" 'logfile' '-l'
 	append_bool "$cfg" 'use_http1' '-x'
 	config_get_bool ipv6_resolvers_only "$cfg" 'use_ipv6_resolvers_only' '0'
 	config_get verbosity "$cfg" 'verbosity' '0'
 # shellcheck disable=SC2086,SC2154
 	for i in $(seq 1 $verbosity); do
 		xappend '-v'
 	done
 # shellcheck disable=SC2154
 	if [ "$ipv6_resolvers_only" = 0 ]; then
 		xappend '-4'
 	fi
 	procd_open_instance
 # shellcheck disable=SC2086
 	procd_set_param command ${PROG} ${param}
 	procd_set_param stderr 1
 	procd_set_param stdout 1
 	procd_set_param respawn
 	procd_close_instance
 	config_get listen_addr "$cfg" 'listen_addr' '127.0.0.1'
 	config_get listen_port "$cfg" 'listen_port' "$p"
 	if [ "$dnsmasqConfig" = "*" ]; then
 		config_load 'dhcp'
 		config_foreach dnsmasq_add_doh_server 'dnsmasq' "${listen_addr}" "${listen_port}"
 	elif [ -n "$dnsmasqConfig" ]; then
 		for i in $dnsmasqConfig; do
 			dnsmasq_add_doh_server "@dnsmasq[${i}]" "${listen_addr}" "${listen_port}"
 		done
 	fi
 	p="$((p+1))"
 }
 is_force_dns_active() { iptables-save | grep -q -w -- '--dport 53'; }
 start_service() {
 	local p=5053 c
 	config_load 'https-dns-proxy'
 	config_get dnsmasqConfig	'config' 'update_dnsmasq_config' '*'
 	config_get_bool forceDNS	'config' 'force_dns' '1'
 	config_get forceDNSPorts	'config' 'force_dns_port' '53 853'
 	dhcp_backup 'create'
 	config_load 'https-dns-proxy'
 	config_foreach start_instance 'https-dns-proxy'
 	if [ "$forceDNS" -ne 0 ]; then
 		procd_open_instance 'main'
 		procd_set_param command /bin/true
 		procd_set_param stdout 1
 		procd_set_param stderr 1
 		procd_open_data
 		json_add_array firewall
 		for c in $forceDNSPorts; do
 			if netstat -tuln | grep 'LISTEN' | grep ":${c}" >/dev/null 2>&1 || [ "$c" = "53" ]; then
 				json_add_object ""
 				json_add_string type redirect
 				json_add_string target DNAT
 				json_add_string src lan
 				json_add_string proto "tcp udp"
 				json_add_string src_dport "$c"
 				json_add_string dest_port "$c"
 				json_add_boolean reflection 0
 				json_close_object
 			else
 				json_add_object ""
 				json_add_string type rule
 				json_add_string src lan
 				json_add_string dest "*"
 				json_add_string proto "tcp udp"
 				json_add_string dest_port "$c"
 				json_add_string target REJECT
 				json_close_object
 			fi
 		done
 		json_close_array
 		procd_close_data
 		procd_close_instance
 	fi
 	if [ -n "$(uci -q changes dhcp)" ]; then
 		uci -q commit dhcp
 		[ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
 	fi
 }
 stop_service() {
 	config_load 'https-dns-proxy'
 	config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*'
 	dhcp_backup 'restore'
 	if [ -n "$(uci -q changes dhcp)" ]; then
 		uci -q commit dhcp
 		[ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
 	fi
 }
 service_triggers() {
 	procd_add_config_trigger "config.change" "https-dns-proxy" /etc/init.d/https-dns-proxy reload
 }
 service_started() { procd_set_config_changed firewall; }
 service_stopped() { procd_set_config_changed firewall; }
 dnsmasq_add_doh_server() {
 	local cfg="$1" address="$2" port="$3"
 	case $address in
 		0.0.0.0|::ffff:0.0.0.0) address='127.0.0.1';;
 		::) address='::1';;
 	esac
 	uci -q del_list "dhcp.${cfg}.server=${address}#${port}"
 	uci -q add_list "dhcp.${cfg}.server=${address}#${port}"
 }
 dnsmasq_create_server_backup() {
 	local cfg="$1"
 	local i
 	uci -q get "dhcp.${cfg}" >/dev/null || return 1
 	if ! uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
 		if [ -z "$(uci -q get "dhcp.${cfg}.noresolv")" ]; then
 			uci -q set "dhcp.${cfg}.noresolv=1"
 			uci -q set "dhcp.${cfg}.doh_backup_noresolv=-1"
 		elif [ "$(uci -q get "dhcp.${cfg}.noresolv")" != "1" ]; then
 			uci -q set "dhcp.${cfg}.noresolv=1"
 			uci -q set "dhcp.${cfg}.doh_backup_noresolv=0"
 		fi
 	fi
 	if ! uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
 		if [ -z "$(uci -q get "dhcp.${cfg}.server")" ]; then
 			uci -q add_list "dhcp.${cfg}.doh_backup_server="
 		fi
 		for i in $(uci -q get "dhcp.${cfg}.server"); do
 			uci -q add_list "dhcp.${cfg}.doh_backup_server=$i"
 			if [ "$i" = "$(echo "$i" | tr -d /\#)" ]; then
 				uci -q del_list "dhcp.${cfg}.server=$i"
 			fi
 		done
 	fi
 	return 0
 }
 dnsmasq_restore_server_backup() {
 	local cfg="$1"
 	local i
 	uci -q get "dhcp.${cfg}" >/dev/null || return 0
 	if uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
 		if [ "$(uci -q get "dhcp.${cfg}.doh_backup_noresolv")" = "0" ]; then
 			uci -q set "dhcp.${cfg}.noresolv=0"
 		else 
 			uci -q del "dhcp.${cfg}.noresolv"
 		fi
 		uci -q del "dhcp.${cfg}.doh_backup_noresolv"
 	fi
 	if uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
 		uci -q del "dhcp.${cfg}.server"
 		for i in $(uci -q get "dhcp.${cfg}.doh_backup_server"); do
 			uci -q add_list "dhcp.${cfg}.server=$i"
 		done
 	uci -q del "dhcp.${cfg}.doh_backup_server"
 	fi
 }
 dhcp_backup() {
 	local i
 	config_load 'dhcp'
 	case "$1" in
 		create)
 			if [ "$dnsmasqConfig" = "*" ]; then
 				config_foreach dnsmasq_create_server_backup 'dnsmasq'
 			elif [ -n "$dnsmasqConfig" ]; then
 				for i in $dnsmasqConfig; do
 					dnsmasq_create_server_backup "@dnsmasq[${i}]" || \
 						dnsmasq_create_server_backup "$i"
 				done
 			fi
 			;;
 		restore)
 			config_foreach dnsmasq_restore_server_backup 'dnsmasq'
 			;;
 	esac
 }
--- a/https-dns-proxy/test.sh
+++ b/https-dns-proxy/test.sh
@ -0,0 +1,3 @@
 #!/bin/sh
 /etc/init.d/"$1" version 2>&1 | grep "$2"
--- a/ipcalc/Makefile
+++ b/ipcalc/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2018-2023 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
+# Copyright (C) 2018-2019 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -10,12 +10,11 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ipcalc
 PKG_RELEASE:=1
-PKG_SOURCE_URL:=https://gitlab.com/ipcalc/ipcalc.git
+PKG_SOURCE_URL:=https://github.com/nmav/ipcalc.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=d8a2fe29a89f0f9f0d44a7b15e260c74f0e8388b
+PKG_SOURCE_VERSION:=e9f88461f2585575d12fc95f5eeb9996b863f5af
 PKG_MAINTAINER:=Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILE:=COPYING
 include $(INCLUDE_DIR)/package.mk
--- a/iperf3/Makefile
+++ b/iperf3/Makefile
@ -8,16 +8,15 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=iperf
-PKG_VERSION:=3.18
+PKG_VERSION:=3.11
-PKG_RELEASE:=1
+PKG_RELEASE:=10
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://downloads.es.net/pub/iperf
+PKG_SOURCE_URL:=https://github.com/esnet/iperf/archive/refs/tags/
-PKG_HASH:=c0618175514331e766522500e20c94bfb293b4424eb27d7207fb427b88d20bab
+PKG_HASH:=96e909c0d3ab6034c52328c2954fb3934aaff349395c4bc2611dcd50e6b89875
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=BSD-3-Clause
 PKG_CPE_ID:=cpe:/a:es:iperf3
 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@ -38,36 +37,24 @@ endef
 define Package/iperf3
 $(call Package/iperf3/default)
  VARIANT:=nossl
  DEPENDS:=+libiperf3
 endef
 define Package/iperf3-ssl
 $(call Package/iperf3/default)
  TITLE+= with iperf_auth support
  VARIANT:=ssl
-  DEPENDS:=+libopenssl +libatomic
+  DEPENDS:= +libopenssl
  CONFLICTS:=iperf3
 endef
 define Package/libiperf3
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=Internet Protocol bandwidth measuring library
  URL:=https://github.com/esnet/iperf
  DEPENDS+=+libatomic
 endef
 TARGET_CFLAGS += -D_GNU_SOURCE
-TARGET_LDFLAGS += -latomic
+CONFIGURE_ARGS += --disable-shared
 ifeq ($(BUILD_VARIANT),ssl)
-	CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr" --disable-shared
+	CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr"
 else
 	CONFIGURE_ARGS += --without-openssl
 endif
 CONFIGURE_ARGS += --without-sctp
 MAKE_FLAGS += noinst_PROGRAMS=
 define Package/iperf3/description
@ -76,17 +63,6 @@ define Package/iperf3/description
 characteristics.
 endef
 define Package/libiperf3/description
 Libiperf is a library providing an API for iperf3 functionality.
 endef
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_DIR) $(1)/usr/include
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiperf.* $(1)/usr/lib/
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
 endef
 # autoreconf fails if the README file isn't present
 define Build/Prepare
 	$(call Build/Prepare/Default)
@ -103,11 +79,5 @@ define Package/iperf3-ssl/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/
 endef
 define Package/libiperf3/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiperf.so.* $(1)/usr/lib
 endef
 $(eval $(call BuildPackage,iperf3))
 $(eval $(call BuildPackage,iperf3-ssl))
 $(eval $(call BuildPackage,libiperf3))
--- a/iperf3/patches/010-big-endian.patch
+++ b/iperf3/patches/010-big-endian.patch
@ -1,21 +0,0 @@
 From fe09305eb6f907e4eb637b8edd0c8a986187d1dd Mon Sep 17 00:00:00 2001
 From: Rosen Penev <rosenp@gmail.com>
 Date: Sat, 8 Jun 2024 15:23:51 -0700
 Subject: [PATCH] fix crash under big endian musl
 iperf_printf is using an int format here but an int64_t variable. The format only needs the first 3 digits. Cast to int to fix it.
 ---
 src/iperf_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 --- a/src/iperf_api.c
 +++ b/src/iperf_api.c
@@ -4137,7 +4137,7 @@ iperf_print_results(struct iperf_test *t
                                 iperf_printf(test, report_sender_not_available_summary_format, "SUM");
                         }
                         else {
 -                          iperf_printf(test, report_sum_bw_retrans_format, mbuf, start_time, sender_time, ubuf, nbuf, total_retransmits, report_sender);
 +                          iperf_printf(test, report_sum_bw_retrans_format, mbuf, start_time, sender_time, ubuf, nbuf, (int)total_retransmits, report_sender);
                         }
                 } else {
                     /* Summary sum, TCP without retransmits. */
--- a/iperf3/patches/add-MPTCP-support.patch
+++ b/iperf3/patches/add-MPTCP-support.patch
@ -1,266 +0,0 @@
 From cf75cf46785871330717a6d2c889abeb7bbd7bfd Mon Sep 17 00:00:00 2001
 From: Geliang Tang <geliang@kernel.org>
 Date: Wed, 6 Mar 2024 11:23:33 +0800
 Subject: [PATCH] add MPTCPv1 support
 The Multipath TCP (MPTCP) protocol (v1 / RFC 8684) has been added in
 the upstream Linux kernel since v5.6.
 MPTCP is strongly tied to TCP, and the kernel APIs are almost the same.
 The only required dependency is the 'IPPROTO_MPTCP' protocol number
 definition, which should be provided by the netinet/in.h header if it
 is recent enough.
 This patch adds a new flag '-m' or '--mptcp' to support MPTCPv1. It can
 be used like this:
 > iperf3 -m -s
 > iperf3 -m -c 127.0.0.1
 If IPPROTO_MPTCP is not supported by the kernel being tested, it is
 normal to fail because the feature is not available and the user
 explicitly asked to use MPTCP.
 Closes: https://github.com/esnet/iperf/pull/1659
 Co-developed-by: Paolo Abeni <pabeni@redhat.com>
 Signed-off-by: Geliang Tang <geliang@kernel.org>
 ---
 configure.ac       | 12 ++++++++++++
 src/iperf.h        |  1 +
 src/iperf3.1       |  4 ++++
 src/iperf_api.c    | 19 ++++++++++++++++++-
 src/iperf_locale.c |  3 +++
 src/iperf_tcp.c    | 18 +++++++++++++++---
 src/net.c          | 10 +++++-----
 src/net.h          |  2 +-
 8 files changed, 59 insertions(+), 10 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 66c1e97a5..22c2a95cf 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -337,6 +337,18 @@ if test "x$iperf3_cv_header_tcp_info_snd_wnd" = "xyes"; then
   AC_DEFINE([HAVE_TCP_INFO_SND_WND], [1], [Have tcpi_snd_wnd field in tcp_info.])
 fi
 +# Check for IPPROTO_MPTCP (Linux)
 +AC_CACHE_CHECK([MPTCP protocol],
 +[iperf3_cv_header_ipproto_mptcp],
 +AC_COMPILE_IFELSE(
 +  [AC_LANG_PROGRAM([[#include <netinet/in.h>]],
 +		   [[int foo = IPPROTO_MPTCP;]])],
 +  iperf3_cv_header_ipproto_mptcp=yes,
 +  iperf3_cv_header_ipproto_mptcp=no))
 +if test "x$iperf3_cv_header_ipproto_mptcp" = "xyes"; then
 +    AC_DEFINE([HAVE_IPPROTO_MPTCP], [1], [Have MPTCP protocol.])
 +fi
 +
 # Check if we need -lrt for clock_gettime
 AC_SEARCH_LIBS(clock_gettime, [rt posix4])
 # Check for clock_gettime support
 diff --git a/src/iperf.h b/src/iperf.h
 index 202d3016f..4043031b3 100644
 --- a/src/iperf.h
 +++ b/src/iperf.h
@@ -353,6 +353,7 @@ struct iperf_test
     int	      repeating_payload;                /* --repeating-payload */
     int       timestamps;			/* --timestamps */
     char     *timestamp_format;
 +    int       mptcp;				/* -m, --mptcp */
     char     *json_output_string; /* rendered JSON output if json_output is set */
     /* Select related parameters */
 diff --git a/src/iperf3.1 b/src/iperf3.1
 index f8eff48d2..9e425cabc 100644
 --- a/src/iperf3.1
 +++ b/src/iperf3.1
@@ -202,6 +202,10 @@ iperf-3.17, OAEP padding is used, however this is a breaking change
 that is not compatible with older iperf3 versions.  Use this option to
 preserve the less secure, but more compatible, behavior.
 .TP
 +.BR -m ", " --mptcp " "
 +use mptcp variant for the current protocol. This only applies to
 +TCP and enables MPTCP usage.
 +.TP
 .BR -d ", " --debug " "
 emit debugging output.
 Primarily (perhaps exclusively) of use to developers.
 diff --git a/src/iperf_api.c b/src/iperf_api.c
 index fa06dc830..419b48657 100644
 --- a/src/iperf_api.c
 +++ b/src/iperf_api.c
@@ -1149,6 +1149,9 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
         {"idle-timeout", required_argument, NULL, OPT_IDLE_TIMEOUT},
         {"rcv-timeout", required_argument, NULL, OPT_RCV_TIMEOUT},
         {"snd-timeout", required_argument, NULL, OPT_SND_TIMEOUT},
 +#if defined(HAVE_IPPROTO_MPTCP)
 +        {"mptcp", no_argument, NULL, 'm'},
 +#endif
         {"debug", optional_argument, NULL, 'd'},
         {"help", no_argument, NULL, 'h'},
         {NULL, 0, NULL, 0}
@@ -1174,7 +1177,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
     FILE *ptr_file;
 #endif /* HAVE_SSL */
 -    while ((flag = getopt_long(argc, argv, "p:f:i:D1VJvsc:ub:t:n:k:l:P:Rw:B:M:N46S:L:ZO:F:A:T:C:dI:hX:", longopts, NULL)) != -1) {
 +    while ((flag = getopt_long(argc, argv, "p:f:i:D1VJvsc:ub:t:n:k:l:P:Rw:B:M:N46S:L:ZO:F:A:T:C:dI:mhX:", longopts, NULL)) != -1) {
         switch (flag) {
             case 'p':
 		portno = atoi(optarg);
@@ -1647,6 +1650,12 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
 		test->settings->connect_timeout = unit_atoi(optarg);
 		client_flag = 1;
 		break;
 +#if defined(HAVE_IPPROTO_MPTCP)
 +	    case 'm':
 +		set_protocol(test, Ptcp);
 +		test->mptcp = 1;
 +		break;
 +#endif
 	    case 'h':
 		usage_long(stdout);
 		exit(0);
@@ -2259,6 +2268,10 @@ send_parameters(struct iperf_test *test)
 	    cJSON_AddTrueToObject(j, "reverse");
 	if (test->bidirectional)
 	            cJSON_AddTrueToObject(j, "bidirectional");
 +#if defined(HAVE_IPPROTO_MPTCP)
 +	if (test->mptcp)
 +	    cJSON_AddTrueToObject(j, "mptcp");
 +#endif
 	if (test->settings->socket_bufsize)
 	    cJSON_AddNumberToObject(j, "window", test->settings->socket_bufsize);
 	if (test->settings->blksize)
@@ -2375,6 +2388,10 @@ get_parameters(struct iperf_test *test)
 	    iperf_set_test_reverse(test, 1);
         if ((j_p = iperf_cJSON_GetObjectItemType(j, "bidirectional", cJSON_True)) != NULL)
             iperf_set_test_bidirectional(test, 1);
 +#if defined(HAVE_IPPROTO_MPTCP)
 +	if ((j_p = iperf_cJSON_GetObjectItemType(j, "mptcp", cJSON_True)) != NULL)
 +	    test->mptcp = 1;
 +#endif
 	if ((j_p = iperf_cJSON_GetObjectItemType(j, "window", cJSON_Number)) != NULL)
 	    test->settings->socket_bufsize = j_p->valueint;
 	if ((j_p = iperf_cJSON_GetObjectItemType(j, "len", cJSON_Number)) != NULL)
 diff --git a/src/iperf_locale.c b/src/iperf_locale.c
 index 32883da84..f1d89e298 100644
 --- a/src/iperf_locale.c
 +++ b/src/iperf_locale.c
@@ -128,6 +128,9 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
                            "  --snd-timeout #           timeout for unacknowledged TCP data\n"
                            "                            (in ms, default is system settings)\n"
 #endif /* HAVE_TCP_USER_TIMEOUT */
 +#if defined(HAVE_IPPROTO_MPTCP)
 +                           "  -m, --mptcp               use MPTCP rather than plain TCP\n"
 +#endif
                            "  -d, --debug[=#]           emit debugging output\n"
                            "                            (optional optional \"=\" and debug level: 1-4. Default is 4 - all messages)\n"
                            "  -v, --version             show version information and quit\n"
 diff --git a/src/iperf_tcp.c b/src/iperf_tcp.c
 index 481c09dc8..2c10d7df5 100644
 --- a/src/iperf_tcp.c
 +++ b/src/iperf_tcp.c
@@ -184,9 +184,10 @@ iperf_tcp_listen(struct iperf_test *test)
      *
      * It's not clear whether this is a requirement or a convenience.
      */
 -    if (test->no_delay || test->settings->mss || test->settings->socket_bufsize) {
 +    if (test->no_delay || test->mptcp || test->settings->mss || test->settings->socket_bufsize) {
 	struct addrinfo hints, *res;
 	char portstr[6];
 +	int proto = 0;
         FD_CLR(s, &test->read_set);
         close(s);
@@ -212,7 +213,12 @@ iperf_tcp_listen(struct iperf_test *test)
             return -1;
         }
 -        if ((s = socket(res->ai_family, SOCK_STREAM, 0)) < 0) {
 +#if defined(HAVE_IPPROTO_MPTCP)
 +        if (test->mptcp)
 +	    proto = IPPROTO_MPTCP;
 +#endif
 +
 +        if ((s = socket(res->ai_family, SOCK_STREAM, proto)) < 0) {
 	    freeaddrinfo(res);
             i_errno = IESTREAMLISTEN;
             return -1;
@@ -380,8 +386,14 @@ iperf_tcp_connect(struct iperf_test *test)
     socklen_t optlen;
     int saved_errno;
     int rcvbuf_actual, sndbuf_actual;
 +    int proto = 0;
 +
 +#if defined(HAVE_IPPROTO_MPTCP)
 +    if (test->mptcp)
 +        proto = IPPROTO_MPTCP;
 +#endif
 -    s = create_socket(test->settings->domain, SOCK_STREAM, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res);
 +    s = create_socket(test->settings->domain, SOCK_STREAM, proto, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res);
     if (s < 0) {
 	i_errno = IESTREAMCONNECT;
 	return -1;
 diff --git a/src/net.c b/src/net.c
 index b693ea7fb..febf20885 100644
 --- a/src/net.c
 +++ b/src/net.c
@@ -124,7 +124,7 @@ timeout_connect(int s, const struct sockaddr *name, socklen_t namelen,
 /* create a socket */
 int
 -create_socket(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out)
 +create_socket(int domain, int type, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out)
 {
     struct addrinfo hints, *local_res = NULL, *server_res = NULL;
     int s, saved_errno;
@@ -133,14 +133,14 @@ create_socket(int domain, int proto, const char *local, const char *bind_dev, in
     if (local) {
         memset(&hints, 0, sizeof(hints));
         hints.ai_family = domain;
 -        hints.ai_socktype = proto;
 +        hints.ai_socktype = type;
         if ((gerror = getaddrinfo(local, NULL, &hints, &local_res)) != 0)
             return -1;
     }
     memset(&hints, 0, sizeof(hints));
     hints.ai_family = domain;
 -    hints.ai_socktype = proto;
 +    hints.ai_socktype = type;
     snprintf(portstr, sizeof(portstr), "%d", port);
     if ((gerror = getaddrinfo(server, portstr, &hints, &server_res)) != 0) {
 	if (local)
@@ -148,7 +148,7 @@ create_socket(int domain, int proto, const char *local, const char *bind_dev, in
         return -1;
     }
 -    s = socket(server_res->ai_family, proto, 0);
 +    s = socket(server_res->ai_family, type, proto);
     if (s < 0) {
 	if (local)
 	    freeaddrinfo(local_res);
@@ -238,7 +238,7 @@ netdial(int domain, int proto, const char *local, const char *bind_dev, int loca
     struct addrinfo *server_res = NULL;
     int s, saved_errno;
 -    s = create_socket(domain, proto, local, bind_dev, local_port, server, port, &server_res);
 +    s = create_socket(domain, proto, 0, local, bind_dev, local_port, server, port, &server_res);
     if (s < 0) {
       return -1;
     }
 diff --git a/src/net.h b/src/net.h
 index 859c52cef..fb78d289b 100644
 --- a/src/net.h
 +++ b/src/net.h
@@ -28,7 +28,7 @@
 #define __NET_H
 int timeout_connect(int s, const struct sockaddr *name, socklen_t namelen, int timeout);
 -int create_socket(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out);
 +int create_socket(int domain, int type, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out);
 int netdial(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, int timeout);
 int netannounce(int domain, int proto, const char *local, const char *bind_dev, int port);
 int Nread(int fd, char *buf, size_t count, int prot);
--- a/iperf3/patches/add-sock5-proxy-tcp-support.patch
+++ b/iperf3/patches/add-sock5-proxy-tcp-support.patch
@ -1,552 +0,0 @@
 From 197d8ba733f0502985abb5b0a22bf9f71c2596a7 Mon Sep 17 00:00:00 2001
 From: David Bar-On <david.cdb004@gmail.com>
 Date: Mon, 25 Mar 2024 22:11:49 +0200
 Subject: [PATCH] Add SOCKS5 Proxy support for TCP
 ---
 src/iperf.h            |   8 ++
 src/iperf_api.c        | 250 ++++++++++++++++++++++++++++++++++++++++-
 src/iperf_api.h        |  13 ++-
 src/iperf_client_api.c |  27 ++++-
 src/iperf_error.c      |  10 ++
 src/iperf_locale.c     |   2 +
 src/iperf_tcp.c        |  22 +++-
 7 files changed, 323 insertions(+), 9 deletions(-)
 diff --git a/src/iperf.h b/src/iperf.h
 index dc3c0d1df..9823dc180 100644
 --- a/src/iperf.h
 +++ b/src/iperf.h
@@ -343,6 +343,14 @@ struct iperf_test
     int       timestamps;			/* --timestamps */
     char     *timestamp_format;
 +    char     *socks5_host;                      /* --socks5 option */
 +    uint16_t  socks5_port;                      /* --socks5 option optional value */
 +    char     *socks5_username;                  /* --socks5 option optional value */
 +    char     *socks5_password;                  /* --socks5 option optional value */
 +    char      socks5_bind_atyp;                 /* from socks5 CONNECT response ATYP */
 +    char     *socks5_bind_host;                 /* from socks5 CONNECT response BIND.ADDR*/
 +    uint16_t  socks5_bind_port;                 /* from socks5 CONNECT response BIND.PORT */
 +
     char     *json_output_string; /* rendered JSON output if json_output is set */
     /* Select related parameters */
     int       max_fd;
 diff --git a/src/iperf_api.c b/src/iperf_api.c
 index 4765d4e97..ca47f708d 100644
 --- a/src/iperf_api.c
 +++ b/src/iperf_api.c
@@ -115,7 +115,7 @@ usage()
 void
 usage_long(FILE *f)
 {
 -    fprintf(f, usage_longstr, DEFAULT_NO_MSG_RCVD_TIMEOUT, UDP_RATE / (1024*1024), DEFAULT_PACING_TIMER, DURATION, DEFAULT_TCP_BLKSIZE / 1024, DEFAULT_UDP_BLKSIZE);
 +    fprintf(f, usage_longstr, DEFAULT_NO_MSG_RCVD_TIMEOUT, UDP_RATE / (1024*1024), DEFAULT_PACING_TIMER, DURATION, DEFAULT_TCP_BLKSIZE / 1024, DEFAULT_UDP_BLKSIZE, SOCKS5_DEFAULT_PORT);
 }
@@ -1100,6 +1100,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
         {"version6", no_argument, NULL, '6'},
         {"tos", required_argument, NULL, 'S'},
         {"dscp", required_argument, NULL, OPT_DSCP},
 +        {"socks5", required_argument, NULL, OPT_SOCKS5},
 	{"extra-data", required_argument, NULL, OPT_EXTRA_DATA},
 #if defined(HAVE_FLOWLABEL)
         {"flowlabel", required_argument, NULL, 'L'},
@@ -1157,7 +1158,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
     char* comma;
 #endif /* HAVE_CPU_AFFINITY */
     char* slash;
 -    char *p, *p1;
 +    char *p, *p1, *p2;
     struct xbind_entry *xbe;
     double farg;
     int rcv_timeout_in = 0;
@@ -1433,6 +1434,47 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
 		}
 		client_flag = 1;
                 break;
 +	    case OPT_SOCKS5: // Format: "[username:password@]<host addr/fqdn>[:port]"
 +                if (strlen(optarg) <= 0) {
 +                    i_errno = IESOCKS5HOST;
 +                    return -1;
 +                }
 +                p1 = strtok(optarg, "@"); // p1 -> user:password
 +                if (p1 == NULL) {
 +                    i_errno = IESOCKS5HOST;
 +                    return -1;
 +                }
 +                p = strtok(NULL, "@"); // p -> host[:port]
 +                if (p == NULL) {
 +                    p = p1;
 +                    p1 = NULL;
 +                }
 +                p2 = strtok(p, ":"); // parse host[:port]
 +                if (strlen(p2) <= 0) {
 +                    i_errno = IESOCKS5HOST;
 +                    return -1;
 +                }
 +                test->socks5_host = strdup(p2);
 +                p2 = strtok(NULL, ":");
 +                if (p2 && strlen(p2) > 0) {
 +                    test->socks5_port = atoi(p2);
 +                }
 +                if (p1) { // parse user:password
 +                    p2 = strtok(p1, ":");
 +                    if (strlen(p2) <= 0 || strlen(p2) > 255) {
 +                        i_errno = IESOCKS5HOST;
 +                        return -1;
 +                    }
 +                    test->socks5_username = strdup(p2);
 +                    p2 = strtok(NULL, ":");
 +                    if (!p2 || strlen(p2) <= 0 || strlen(p2) > 255) {
 +                        i_errno = IESOCKS5HOST;
 +                        return -1;
 +                    }
 +                    test->socks5_password = strdup(p2);
 +                }
 +		client_flag = 1;
 +                break;
 	    case OPT_EXTRA_DATA:
 		test->extra_data = strdup(optarg);
 		client_flag = 1;
@@ -1740,6 +1782,12 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
         return -1;
     }
 +    // SOCKS5 Proxy is supported only for TCP
 +    if(test->role == 'c' && test->socks5_host && test->protocol->id != Ptcp) {
 +        i_errno = IESOCKS5RTCPONLY;
 +        return -1;
 +    }
 +
     if (blksize == 0) {
 	if (test->protocol->id == Pudp)
 	    blksize = 0;	/* try to dynamically determine from MSS */
@@ -2943,6 +2991,12 @@ iperf_defaults(struct iperf_test *testp)
     testp->stats_interval = testp->reporter_interval = 1;
     testp->num_streams = 1;
 +    testp->socks5_host = NULL;
 +    testp->socks5_port = SOCKS5_DEFAULT_PORT;
 +    testp->socks5_username = NULL;
 +    testp->socks5_password = NULL;
 +    testp->socks5_bind_host = NULL;
 +
     testp->settings->domain = AF_UNSPEC;
     testp->settings->unit_format = 'a';
     testp->settings->socket_bufsize = 0;    /* use autotuning */
@@ -3100,6 +3154,14 @@ iperf_free_test(struct iperf_test *test)
 	free(test->remote_congestion_used);
     if (test->timestamp_format)
 	free(test->timestamp_format);
 +    if (test->socks5_host)
 +	free(test->socks5_host);
 +    if (test->socks5_username)
 +	free(test->socks5_username);
 +    if (test->socks5_password)
 +	free(test->socks5_password);
 +    if (test->socks5_bind_host)
 +	free(test->socks5_bind_host);
     if (test->omit_timer != NULL)
 	tmr_cancel(test->omit_timer);
     if (test->timer != NULL)
@@ -3289,6 +3351,23 @@ iperf_reset_test(struct iperf_test *test)
 	free(test->extra_data);
 	test->extra_data = NULL;
     }
 +    if (test->socks5_host) {
 +	free(test->socks5_host);
 +	test->socks5_host = NULL;
 +    }
 +    test->socks5_port = SOCKS5_DEFAULT_PORT;
 +    if (test->socks5_username) {
 +	free(test->socks5_username);
 +	test->socks5_username = NULL;
 +    }
 +    if (test->socks5_password) {
 +	free(test->socks5_password);
 +	test->socks5_password = NULL;
 +    }
 +    if (test->socks5_bind_host) {
 +	free(test->socks5_bind_host);
 +	test->socks5_bind_host = NULL;
 +    }
     /* Free output line buffers, if any (on the server only) */
     struct iperf_textline *t;
@@ -4614,6 +4693,173 @@ iperf_add_stream(struct iperf_test *test, struct iperf_stream *sp)
     }
 }
 +/**************************************************************************/
 +
 +/* iperf_socks5_handshake
 + *
 + * Handshake with a SOCKS5 Proxy per RFC1928, RFC1929
 + */
 +int
 +iperf_socks5_handshake(struct iperf_test *test, int s) {
 +    char req[1024];
 +    char res[1024];
 +    char selected_mthod;
 +    char *p, *p1;
 +    size_t len;
 +    int ret;
 +    uint16_t net_order_short;
 +
 +    // Send method selection request [RFC1928]
 +    p = req;
 +    *p++ = 5; // VERSION
 +    if (test->socks5_username) // Number of METHODs supported
 +        *p++ = 2;
 +    else
 +        *p++ = 1;
 +    *p++ = 0; // NO AUTHENTICATION REQUIRED
 +    if (test->socks5_username) *p++ = 2; // USERNAME/PASSWORD
 +    if (Nwrite(s, req, p - req, Ptcp) < 0) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Writing SOCKS5 auth methods message failed\n");
 +        return -1;
 +    }
 +
 +    // Receive selected method
 +    if (Nread(s, res, 2, Ptcp) != 2) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Reading selected SOCKS5 method message failed\n");
 +        return -1;
 +    }
 +
 +    selected_mthod = res[1];
 +    if (res[0] != 5 || (selected_mthod != 0 && selected_mthod != 2)) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Ilegal SOCKS5 method selection response: version=%d, auth method=%d\n", res[0], selected_mthod);
 +        return -1;
 +    }
 +    if (test->debug) {
 +        iperf_printf(test, "SOCKS5 server selected authentication method %d\n", selected_mthod);
 +    }
 +
 +    // Send Username/Password request and receive the auth response [RFC1929]
 +    if (selected_mthod == 2) {
 +        p = req;
 +        *p++ = 1; // VERSION
 +        len = strlen(test->socks5_username);
 +        *p++ = len;
 +        memcpy(p, test->socks5_username, len); // USERNAME
 +        p += len;
 +        len = strlen(test->socks5_password);
 +        *p++ = len;
 +        memcpy(p, test->socks5_password, len); // PASSWORD
 +        p += len;
 +
 +        if (Nwrite(s, req, p - req, Ptcp) < 0) {
 +            i_errno = IESOCKS5HANDSHAKE;
 +            iperf_err(test, "Writing SOCKS5 Username/Password request message failed\n");
 +            return -1;
 +        }
 +
 +        if ((ret = Nread(s, res, 2, Ptcp)) != 2) {
 +            i_errno = IESOCKS5HANDSHAKE;
 +            iperf_err(test, "Reading SOCKS5 Username/Password response failed;  Returned %d\n", ret);
 +            return -1;
 +        }
 +        if (res[1] != 0) {
 +            i_errno = IESOCKS5HANDSHAKE;
 +            iperf_err(test, "SOCKS5 Username/Password failed with error %d\n", res[1]);
 +            return -1;
 +        }
 +    }
 +
 +    // Send CONNECT request [RFC1928]
 +    p = req;
 +    *p++ = 5; // VERSION
 +    *p++ = 1; // CMD = CONNECT
 +    *p++ = 0; // RESERVED
 +    *p++ = 3; // ATYPE = DOMAINNAME:
 +    len = strlen(test->server_hostname);
 +    if (len > 255) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "iperf3 host option length is limited to 255 chars when SOCKS5 is used\n");
 +        return -1;
 +    }
 +    *p++ = len;
 +    memcpy(p, test->server_hostname, len); // ADDR
 +    p += len;
 +    net_order_short = htons(test->server_port);
 +    p1 = (char *)&net_order_short;
 +    *p++ = *p1++; // PORT
 +    *p++ = *p1;
 +    if (Nwrite(s, req, p - req, Ptcp) < 0) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Writing SOCKS5 CONNECT message failed\n");
 +        return -1;
 +    }
 +
 +    //  Read CONNECT response [RFC1928]
 +    if ((ret = Nread(s, res, 4, Ptcp)) != 4) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Reading SOCKS5 CONNECT response failed;  Returned %d\n", ret);
 +        return -1;
 +    }
 +
 +    if (res[0] != 5 || res[1] != 0 || res[2] != 0) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "SOCKS5 CONNECT failed with error %d\n", res[1]);
 +        return -1;
 +    }
 +  
 +    // Get BND.ADDR length
 +    test->socks5_bind_atyp = res[3]; // ATYP
 +    switch (test->socks5_bind_atyp) {
 +        case 1: // IP V4 address
 +            len = 4;
 +            break;
 +        case 3: // DOMAINNAME:
 +            if ((ret = read(s, res, 1)) != 1) {
 +                i_errno = IESOCKS5HANDSHAKE;
 +                iperf_err(test, "Failed to read SOCKS5 CONNECT response BND.ADDR length;  Returned %d\n", ret);
 +                return -1;
 +            }
 +            len = (unsigned char)res[0];
 +            break;
 +        case 4: // IP V6 address
 +            len = 16;
 +            break;
 +        default:
 +            i_errno = IESOCKS5HANDSHAKE;
 +            iperf_err(test, "Illegal SOCKS5 CONNECT response ATYP %d\n", res[3]);
 +            return -1;
 +    }
 +    // Read BND.ADDR
 +    if ((ret = Nread(s, res, len, Ptcp)) != len) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Failed to read SOCKS5 detailes BND.ADDR;  Returned %d\n", ret);
 +        return -1;
 +    }
 +    res[len] = '\0';
 +    test->socks5_bind_host = strdup(res);
 +    // Read BND.PORT
 +    if ((ret = Nread(s, res, 2, Ptcp)) != 2) {
 +        i_errno = IESOCKS5HANDSHAKE;
 +        iperf_err(test, "Failed to read SOCKS5 detailes BND.PORT;  Returned %d\n", ret);
 +        return -1;
 +    }
 +    p1 = (char *)&net_order_short;
 +    *p1++ = res[0];
 +    *p1 = res[1];
 +    test->socks5_bind_port = ntohs(net_order_short);
 +    if (test->debug) {
 +        iperf_printf(test, "SOCKS5 server BIND ADDR type=%d, PORT=%d\n", test->socks5_bind_atyp, test->socks5_bind_port);
 +    }
 +
 +    return 0;
 +}
 +
 +/**************************************************************************/
 +
 +
 /* This pair of routines gets inserted into the snd/rcv function pointers
 ** when there's a -F flag. They handle the file stuff and call the real
 ** snd/rcv functions, which have been saved in snd2/rcv2.
 diff --git a/src/iperf_api.h b/src/iperf_api.h
 index d2bbdfe96..01d63bf5e 100644
 --- a/src/iperf_api.h
 +++ b/src/iperf_api.h
@@ -68,6 +68,7 @@ typedef atomic_uint_fast64_t atomic_iperf_size_t;
 #define DEFAULT_PACING_TIMER 1000
 #define DEFAULT_NO_MSG_RCVD_TIMEOUT 120000
 #define MIN_NO_MSG_RCVD_TIMEOUT 100
 +#define SOCKS5_DEFAULT_PORT 1080
 #define WARN_STR_LEN 128
@@ -100,7 +101,8 @@ typedef atomic_uint_fast64_t atomic_iperf_size_t;
 #define OPT_RCV_TIMEOUT 27
 #define OPT_JSON_STREAM 28
 #define OPT_SND_TIMEOUT 29
 #define OPT_USE_PKCS1_PADDING 30
 +#define OPT_SOCKS5 31
 /* states */
 #define TEST_START 1
@@ -308,6 +310,12 @@ void      iperf_free_stream(struct iperf_stream * sp);
  */
 int       iperf_common_sockopts(struct iperf_test *, int s);
 +/**
 + * iperf_socks5_handshake - handshake with a SOCKS5 Proxy per RFC1928, RFC1929
 + * 
 + */
 +int iperf_socks5_handshake(struct iperf_test *test, int s);
 +
 int has_tcpinfo(void);
 int has_tcpinfo_retransmits(void);
 void save_tcpinfo(struct iperf_stream *sp, struct iperf_interval_results *irp);
@@ -419,6 +427,8 @@ enum {
     IESNDTIMEOUT = 33,      // Illegal message send timeout
     IEUDPFILETRANSFER = 34, // Cannot transfer file using UDP
     IESERVERAUTHUSERS = 35,   // Cannot access authorized users file
 +    IESOCKS5HOST = 36,      // Illegal SOCKS5 host / creadentials
 +    IESOCKS5RTCPONLY = 37,   // SOCKS5 Proxy is supported only for TCP
     /* Test errors */
     IENEWTEST = 100,        // Unable to create a new test (check perror)
     IEINITTEST = 101,       // Test initialization failed (check perror)
@@ -473,8 +483,9 @@ enum {
     IEPTHREADCANCEL=151,        // Unable to cancel thread (check perror)
     IEPTHREADJOIN=152,		// Unable to join thread (check perror)
     IEPTHREADATTRINIT=153,      // Unable to initialize thread attribute (check perror)
     IEPTHREADATTRDESTROY=154,      // Unable to destroy thread attribute (check perror)
     IEPTHREADSIGMASK=155,      // Unable to initialize sub thread signal mask (check perror)
 +    IESOCKS5HANDSHAKE = 156,    // SOCKS5 Handshake with the server failed
     /* Stream errors */
     IECREATESTREAM = 200,   // Unable to create a new stream (check herror/perror)
     IEINITSTREAM = 201,     // Unable to initialize stream (check herror/perror)
 diff --git a/src/iperf_client_api.c b/src/iperf_client_api.c
 index 7ad4c939b..670e3521d 100644
 --- a/src/iperf_client_api.c
 +++ b/src/iperf_client_api.c
@@ -385,6 +385,8 @@ iperf_connect(struct iperf_test *test)
 {
     int opt;
     socklen_t len;
 +    const char *connect_server;
 +    int connect_port;
     if (NULL == test)
     {
@@ -397,12 +399,20 @@ iperf_connect(struct iperf_test *test)
     make_cookie(test->cookie);
     /* Create and connect the control channel */
 -    if (test->ctrl_sck < 0)
 -	// Create the control channel using an ephemeral port
 -	test->ctrl_sck = netdial(test->settings->domain, Ptcp, test->bind_address, test->bind_dev, 0, test->server_hostname, test->server_port, test->settings->connect_timeout);
     if (test->ctrl_sck < 0) {
 -        i_errno = IECONNECT;
 -        return -1;
 +        if (test->socks5_host) {
 +            connect_server = test->socks5_host;
 +            connect_port = test->socks5_port;
 +        } else {
 +            connect_server = test->server_hostname;
 +            connect_port = test->server_port;
 +        }
 +	// Create the control channel using an ephemeral port
 +	test->ctrl_sck = netdial(test->settings->domain, Ptcp, test->bind_address, test->bind_dev, 0, connect_server, connect_port, test->settings->connect_timeout);
 +        if (test->ctrl_sck < 0) {
 +            i_errno = IECONNECT;
 +            return -1;
 +        }
     }
     // set TCP_NODELAY for lower latency on control messages
@@ -421,6 +431,13 @@ iperf_connect(struct iperf_test *test)
     }
 #endif /* HAVE_TCP_USER_TIMEOUT */
 +    /* socks5 proxy handshake  */
 +    if (test->socks5_host) {
 +        if (0 != iperf_socks5_handshake(test, test->ctrl_sck)) {
 +            return -1;
 +        }
 +    }
 +
     if (Nwrite(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
         i_errno = IESENDCOOKIE;
         return -1;
 diff --git a/src/iperf_error.c b/src/iperf_error.c
 index 6426554cf..a0bbb6844 100644
 --- a/src/iperf_error.c
 +++ b/src/iperf_error.c
@@ -216,6 +216,9 @@ iperf_strerror(int int_errno)
         case IEUNIMP:
             snprintf(errstr, len, "an option you are trying to set is not implemented yet");
             break;
 +        case IESOCKS5HOST:
 +            snprintf(errstr, len, "ilegal SOCKS5 host / creadentials");
 +            break;
         case IEFILE:
             snprintf(errstr, len, "unable to open -F file");
             perr = 1;
@@ -375,6 +378,9 @@ iperf_strerror(int int_errno)
         case IEUDPFILETRANSFER:
             snprintf(errstr, len, "cannot transfer file using UDP");
             break;
 +        case IESOCKS5RTCPONLY:
 +            snprintf(errstr, len, "SOCKS5 Proxy is supported only for TCP");
 +            break;
         case IERVRSONLYRCVTIMEOUT:
             snprintf(errstr, len, "client receive timeout is valid only in receiving mode");
             perr = 1;
@@ -507,6 +513,10 @@ iperf_strerror(int int_errno)
             snprintf(errstr, len, "unable to destroy thread attributes");
             perr = 1;
             break;
 +	case IESOCKS5HANDSHAKE:
 +            snprintf(errstr, len, "socks5 Handshake with the server failed");
 +            perr = 1;
 +            break;
 	default:
 	    snprintf(errstr, len, "int_errno=%d", int_errno);
 	    perr = 1;
 diff --git a/src/iperf_locale.c b/src/iperf_locale.c
 index ae0f63a41..c8b9a71d1 100644
 --- a/src/iperf_locale.c
 +++ b/src/iperf_locale.c
@@ -194,6 +194,8 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
                            "  --dscp N or --dscp val    set the IP dscp value, either 0-63 or symbolic.\n"
                            "                            Numeric values can be specified in decimal,\n"
                            "                            octal and hex (see --tos above).\n"
 +                           "  --socks5 [user:password@]<proxy-host>[:port] use SOCKS5 Proxy for TCP connections,\n"
 +                           "                            using no auth or user:password. Default Proxy port is %d \n"
 #if defined(HAVE_FLOWLABEL)
                            "  -L, --flowlabel N         set the IPv6 flow label (only supported on Linux)\n"
 #endif /* HAVE_FLOWLABEL */
 diff --git a/src/iperf_tcp.c b/src/iperf_tcp.c
 index 184a1955e..515913581 100644
 --- a/src/iperf_tcp.c
 +++ b/src/iperf_tcp.c
@@ -375,14 +375,24 @@ iperf_tcp_connect(struct iperf_test *test)
     socklen_t optlen;
     int saved_errno;
     int rcvbuf_actual, sndbuf_actual;
     int proto = 0;
 +    const char *connect_server;
 +    int connect_port;
 #if defined(HAVE_IPPROTO_MPTCP)
     if (test->mptcp)
         proto = IPPROTO_MPTCP;
 #endif
 -    s = create_socket(test->settings->domain, SOCK_STREAM, proto, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res);
 +    if (test->socks5_host) {
 +        connect_server = test->socks5_host;
 +        connect_port = test->socks5_port;
 +    } else {
 +        connect_server = test->server_hostname;
 +        connect_port = test->server_port;
 +    }
 +
 +    s = create_socket(test->settings->domain, SOCK_STREAM, proto, test->bind_address, test->bind_dev, test->bind_port, connect_server, connect_port, &server_res);
     if (s < 0) {
 	i_errno = IESTREAMCONNECT;
 	return -1;
@@ -571,6 +581,16 @@ iperf_tcp_connect(struct iperf_test *test)
     freeaddrinfo(server_res);
 +    /* socks5 proxy handshake  */
 +    if (test->socks5_host) {
 +        if (0 != iperf_socks5_handshake(test, s)) {
 +            saved_errno = errno;
 +            close(s);
 +            errno = saved_errno;
 +            return -1;
 +        }
 +    }
 +
     /* Send cookie for verification */
     if (Nwrite(s, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
 	saved_errno = errno;
--- a/iperf3/patches/remove-in6_flowlabel_req.patch
+++ b/iperf3/patches/remove-in6_flowlabel_req.patch
@ -0,0 +1,25 @@
 --- a/src/flowlabel.h	2021-06-24 13:26:33.142463630 +0200
 +++ b/src/flowlabel.h	2021-06-24 13:27:45.669235179 +0200
@@ -37,21 +37,21 @@
    conflicts with "netinet/in.h" .
 */
 -#ifndef __ANDROID__
 +#ifndef _LINUX_IN6_H
 struct in6_flowlabel_req
 {
     struct in6_addr flr_dst;
     __u32   flr_label;
     __u8    flr_action;
     __u8    flr_share;
     __u16   flr_flags;
     __u16   flr_expires;
     __u16   flr_linger;
     __u32   __flr_pad;
     /* Options in format of IPV6_PKTOPTIONS */
 };
 #endif
 #define IPV6_FL_A_GET           0
 #define IPV6_FL_A_PUT           1
 #define IPV6_FL_A_RENEW         2
--- a/iproute2/Makefile
+++ b/iproute2/Makefile
@ -8,19 +8,18 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=iproute2
-PKG_VERSION:=6.12.0
+PKG_RELEASE:=$(AUTORELEASE)
-PKG_RELEASE:=2
+
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=git://git.kernel.org/pub/scm/network/iproute2/iproute2.git
 PKG_SOURCE_VERSION:=29da83f89f6e1fe528c59131a01f5d43bcd0a000
 PKG_VERSION:=5.16.0-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/utils/net/iproute2
 PKG_HASH:=bbd141ef7b5d0127cc2152843ba61f274dc32814fa3e0f13e7d07a080bef53d9
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_DEPENDS:=iptables
 PKG_LICENSE:=GPL-2.0
 PKG_CPE_ID:=cpe:/a:iproute2_project:iproute2
 PKG_BUILD_FLAGS:=gc-sections lto
 include $(INCLUDE_DIR)/kernel.mk
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/nls.mk
@ -59,16 +58,7 @@ $(call Package/iproute2/Default)
  DEFAULT_VARIANT:=1
  PROVIDES:=tc
  ALTERNATIVES:=200:/sbin/tc:/usr/libexec/tc-tiny
-  DEPENDS:=+kmod-sched-core +(PACKAGE_devlink||PACKAGE_rdma):libmnl
+  DEPENDS:=+kmod-sched-core +libxtables +tc-mod-iptables +(PACKAGE_devlink||PACKAGE_rdma):libmnl
 endef
 define Package/tc-bpf
 $(call Package/iproute2/Default)
  TITLE:=Traffic control utility (bpf)
  VARIANT:=tcbpf
  PROVIDES:=tc
  ALTERNATIVES:=300:/sbin/tc:/usr/libexec/tc-bpf
  DEPENDS:=+kmod-sched-core +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libbpf
 endef
 define Package/tc-full
@ -76,8 +66,14 @@ $(call Package/iproute2/Default)
  TITLE:=Traffic control utility (full)
  VARIANT:=tcfull
  PROVIDES:=tc
-  ALTERNATIVES:=400:/sbin/tc:/usr/libexec/tc-full
+  ALTERNATIVES:=300:/sbin/tc:/usr/libexec/tc-full
-  DEPENDS:=+kmod-sched-core +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libbpf +libxtables
+  DEPENDS:=+kmod-sched-core +libxtables +tc-mod-iptables +libbpf +(PACKAGE_devlink||PACKAGE_rdma):libmnl
 endef
 define Package/tc-mod-iptables
 $(call Package/iproute2/Default)
  TITLE:=Traffic control module - iptables action
  DEPENDS:=+libxtables
 endef
 define Package/genl
@ -95,7 +91,7 @@ endef
 define Package/ss
 $(call Package/iproute2/Default)
  TITLE:=Socket statistics utility
-  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libbpf +kmod-netlink-diag
+  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl +kmod-netlink-diag
 endef
 define Package/nstat
@ -128,29 +124,13 @@ endif
 ifeq ($(BUILD_VARIANT),tctiny)
  LIBBPF_FORCE:=off
 endif
 ifeq ($(BUILD_VARIANT),tcbpf)
  HAVE_ELF:=y
  LIBBPF_FORCE:=on
  SHARED_LIBS:=y
 endif
 ifeq ($(BUILD_VARIANT),tcfull)
  #enable iptables/xtables requirement only if tciptables variant is selected
  TC_CONFIG_XT:=y
  TC_CONFIG_XT_OLD:=y
  TC_CONFIG_XT_OLD_H:=y
  TC_CONFIG_IPSET:=y
  HAVE_ELF:=y
  LIBBPF_FORCE:=on
  SHARED_LIBS:=y
 else
  #disable iptables requirement by default
  TC_CONFIG_XT:=n
  TC_CONFIG_XT_OLD:=n
  TC_CONFIG_XT_OLD_H:=n
  TC_CONFIG_IPSET:=n
 endif
 ifdef CONFIG_PACKAGE_devlink
@ -166,11 +146,12 @@ define Build/Configure
 		> $(PKG_BUILD_DIR)/include/SNAPSHOT.h
 endef
-TARGET_LDFLAGS += -Wl,--as-needed
+TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
 TARGET_LDFLAGS += -Wl,--gc-sections -Wl,--as-needed
 TARGET_CPPFLAGS += -I$(STAGING_DIR)/usr/include/libnl-tiny
 MAKE_FLAGS += \
-	KERNEL_INCLUDE="$(LINUX_DIR)/include/uapi" \
+	KERNEL_INCLUDE="$(LINUX_DIR)/user_headers/include" \
 	SHARED_LIBS=$(SHARED_LIBS) \
 	IP_CONFIG_TINY=$(IP_CONFIG_TINY) \
 	BUILD_VARIANT=$(BUILD_VARIANT) \
@ -178,13 +159,8 @@ MAKE_FLAGS += \
 	HAVE_ELF=$(HAVE_ELF) \
 	HAVE_MNL=$(HAVE_MNL) \
 	HAVE_CAP=$(HAVE_CAP) \
 	HAVE_TIRPC=n \
 	IPT_LIB_DIR=/usr/lib/iptables \
 	XT_LIB_DIR=/usr/lib/iptables \
 	TC_CONFIG_XT=$(TC_CONFIG_XT) \
 	TC_CONFIG_XT_OLD=$(TC_CONFIG_XT_OLD) \
 	TC_CONFIG_XT_OLD_H=$(TC_CONFIG_XT_OLD_H) \
 	TC_CONFIG_IPSET=$(TC_CONFIG_IPSET) \
 	FPIC="$(FPIC)" \
 	$(if $(findstring c,$(OPENWRT_VERBOSE)),V=1,V='')
@ -215,16 +191,16 @@ define Package/tc-tiny/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tc/tc $(1)/usr/libexec/tc-tiny
 endef
 define Package/tc-bpf/install
 	$(INSTALL_DIR) $(1)/usr/libexec
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tc/tc $(1)/usr/libexec/tc-bpf
 endef
 define Package/tc-full/install
 	$(INSTALL_DIR) $(1)/usr/libexec
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tc/tc $(1)/usr/libexec/tc-full
 endef
 define Package/tc-mod-iptables/install
 	$(INSTALL_DIR) $(1)/usr/lib/tc
 	$(CP) $(PKG_BUILD_DIR)/tc/m_xt.so $(1)/usr/lib/tc
 endef
 define Package/genl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/genl/genl $(1)/usr/sbin/
@ -255,10 +231,12 @@ define Package/rdma/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rdma/rdma $(1)/usr/sbin/
 endef
-$(eval $(call BuildPackage,ip-tiny))
+#$(eval $(call BuildPackage,ip-tiny))
 $(eval $(call BuildPackage,ip-full))
-$(eval $(call BuildPackage,tc-tiny))
+# build tc-mod-iptables before its dependents, to avoid
-$(eval $(call BuildPackage,tc-bpf))
+# spurious rebuilds when building multiple variants.
 $(eval $(call BuildPackage,tc-mod-iptables))
 #$(eval $(call BuildPackage,tc-tiny))
 $(eval $(call BuildPackage,tc-full))
 $(eval $(call BuildPackage,genl))
 $(eval $(call BuildPackage,ip-bridge))
--- a/iproute2/patches/013-endian.h.patch
+++ b/iproute2/patches/013-endian.h.patch
@ -1,22 +0,0 @@
 From c8b3ecc22ed0edaf0259eaf7d1a5c04f300ad6e4 Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen@networkplumber.org>
 Date: Thu, 12 Dec 2024 11:24:18 -0800
 Subject: [PATCH] libnetlink: add missing endian.h
 Need endian.h to get htobe64 with musl.
 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 include/libnetlink.h | 1 +
 1 file changed, 1 insertion(+)
 --- a/include/libnetlink.h
 +++ b/include/libnetlink.h
@@ -4,6 +4,7 @@
 #include <stdio.h>
 #include <string.h>
 +#include <endian.h>
 #include <asm/types.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
--- a/iproute2/patches/014-basename.patch
+++ b/iproute2/patches/014-basename.patch
@ -1,29 +0,0 @@
 From fa3949b792e275f75d7d6200dc2036ef7fff8816 Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen@networkplumber.org>
 Date: Thu, 12 Dec 2024 11:21:56 -0800
 Subject: [PATCH] rdma: add missing header for basename
 The function basename prototype is in libgen.h
 Fixes build on musl
 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 rdma/rdma.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 --- a/rdma/rdma.h
 +++ b/rdma/rdma.h
@@ -10,11 +10,12 @@
 #include <string.h>
 #include <errno.h>
 #include <getopt.h>
 +#include <time.h>
 +#include <libgen.h>
 #include <netinet/in.h>
 #include <libmnl/libmnl.h>
 #include <rdma/rdma_netlink.h>
 #include <rdma/rdma_user_cm.h>
 -#include <time.h>
 #include <net/if_arp.h>
 #include "list.h"
--- a/iproute2/patches/015-limits.h.patch
+++ b/iproute2/patches/015-limits.h.patch
@ -1,84 +0,0 @@
 From 7e23da91fca6e5dedeb32a7d308cf20982e897c3 Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen@networkplumber.org>
 Date: Tue, 10 Dec 2024 13:38:08 -0800
 Subject: [PATCH] ip: rearrange and prune header files
 The recent report of issues with missing limits.h impacting musl
 suggested looking at what files are and are not included in ip code.
 The standard practice is to put standard headers first, then system,
 then local headers. Used iwyu to get suggestions about missing
 and extraneous headers.
 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 ip/iplink.c  | 13 +++++--------
 ip/ipnetns.c | 19 +++++++++----------
 2 files changed, 14 insertions(+), 18 deletions(-)
 --- a/ip/iplink.c
 +++ b/ip/iplink.c
@@ -11,17 +11,14 @@
 #include <fcntl.h>
 #include <dlfcn.h>
 #include <errno.h>
 +#include <string.h>
 +#include <strings.h>
 +#include <limits.h>
 +
 #include <sys/socket.h>
 +#include <arpa/inet.h>
 #include <linux/if.h>
 -#include <linux/if_packet.h>
 #include <linux/if_ether.h>
 -#include <linux/sockios.h>
 -#include <netinet/in.h>
 -#include <arpa/inet.h>
 -#include <string.h>
 -#include <sys/ioctl.h>
 -#include <stdbool.h>
 -#include <linux/mpls.h>
 #include "rt_names.h"
 #include "utils.h"
 --- a/ip/ipnetns.c
 +++ b/ip/ipnetns.c
@@ -1,21 +1,21 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #define _ATFILE_SOURCE
 -#include <sys/file.h>
 -#include <sys/types.h>
 -#include <sys/stat.h>
 -#include <sys/wait.h>
 -#include <sys/inotify.h>
 -#include <sys/mount.h>
 -#include <sys/syscall.h>
 +
 #include <stdio.h>
 +#include <stdint.h>
 #include <string.h>
 -#include <sched.h>
 #include <fcntl.h>
 #include <dirent.h>
 #include <errno.h>
 #include <unistd.h>
 #include <ctype.h>
 -#include <linux/limits.h>
 +#include <limits.h>
 +
 +#include <sys/file.h>
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +#include <sys/inotify.h>
 +#include <sys/mount.h>
 #include <linux/net_namespace.h>
@@ -23,7 +23,6 @@
 #include "list.h"
 #include "ip_common.h"
 #include "namespace.h"
 -#include "json_print.h"
 static int usage(void)
 {
--- a/iproute2/patches/016-limits.h.patch
+++ b/iproute2/patches/016-limits.h.patch
@ -1,26 +0,0 @@
 From f982f30e166a02e09097de05129449031ba51f76 Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen@networkplumber.org>
 Date: Thu, 12 Dec 2024 11:29:44 -0800
 Subject: [PATCH] cg_map: use limits.h
 Prefer limits.h from system headers over linux/limits.h
 Fixes build with musl.
 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 lib/cg_map.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 --- a/lib/cg_map.c
 +++ b/lib/cg_map.c
@@ -9,8 +9,9 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdbool.h>
 +#include <limits.h>
 +
 #include <linux/types.h>
 -#include <linux/limits.h>
 #include <ftw.h>
 #include "cg_map.h"
--- a/iproute2/patches/017-linux-limits.patch
+++ b/iproute2/patches/017-linux-limits.patch
@ -1,178 +0,0 @@
 From ac547ad027e3d4e283202ecb487cf54707234491 Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen@networkplumber.org>
 Date: Thu, 12 Dec 2024 14:15:59 -0800
 Subject: [PATCH] flower: replace XATTR_SIZE_MAX
 The flower tc parser was using XATTR_SIZE_MAX from linux/limits.h,
 but this constant is intended to before extended filesystem attributes
 not for TC.  Replace it with a local define.
 This fixes issue on systems with musl and XATTR_SIZE_MAX is not
 defined in limits.h there.
 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 tc/f_flower.c | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)
 --- a/tc/f_flower.c
 +++ b/tc/f_flower.c
@@ -10,7 +10,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <net/if.h>
 -#include <linux/limits.h>
 +
 #include <linux/if_arp.h>
 #include <linux/if_ether.h>
 #include <linux/ip.h>
@@ -22,6 +22,9 @@
 #include "tc_util.h"
 #include "rt_names.h"
 +/* maximum length of options string */
 +#define FLOWER_OPTS_MAX	4096
 +
 #ifndef IPPROTO_L2TP
 #define IPPROTO_L2TP 115
 #endif
@@ -1252,7 +1255,7 @@ static int flower_check_enc_opt_key(char
 static int flower_parse_enc_opts_geneve(char *str, struct nlmsghdr *n)
 {
 -	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
 +	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
 	int data_len, key_len, mask_len, err;
 	char *token, *slash;
 	struct rtattr *nest;
@@ -1265,7 +1268,7 @@ static int flower_parse_enc_opts_geneve(
 		if (slash)
 			*slash = '\0';
 -		if ((key_len + strlen(token) > XATTR_SIZE_MAX) ||
 +		if ((key_len + strlen(token) > FLOWER_OPTS_MAX) ||
 		    flower_check_enc_opt_key(token))
 			return -1;
@@ -1275,7 +1278,7 @@ static int flower_parse_enc_opts_geneve(
 		if (!slash) {
 			/* Pad out mask when not provided */
 -			if (mask_len + strlen(token) > XATTR_SIZE_MAX)
 +			if (mask_len + strlen(token) > FLOWER_OPTS_MAX)
 				return -1;
 			data_len = strlen(rindex(token, ':'));
@@ -1288,7 +1291,7 @@ static int flower_parse_enc_opts_geneve(
 			continue;
 		}
 -		if (mask_len + strlen(slash + 1) > XATTR_SIZE_MAX)
 +		if (mask_len + strlen(slash + 1) > FLOWER_OPTS_MAX)
 			return -1;
 		strcpy(&mask[mask_len], slash + 1);
@@ -1318,7 +1321,7 @@ static int flower_parse_enc_opts_geneve(
 static int flower_parse_enc_opts_vxlan(char *str, struct nlmsghdr *n)
 {
 -	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
 +	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
 	struct rtattr *nest;
 	char *slash;
 	int err;
@@ -1326,14 +1329,14 @@ static int flower_parse_enc_opts_vxlan(c
 	slash = strchr(str, '/');
 	if (slash) {
 		*slash++ = '\0';
 -		if (strlen(slash) > XATTR_SIZE_MAX)
 +		if (strlen(slash) > FLOWER_OPTS_MAX)
 			return -1;
 		strcpy(mask, slash);
 	} else {
 		strcpy(mask, "0xffffffff");
 	}
 -	if (strlen(str) > XATTR_SIZE_MAX)
 +	if (strlen(str) > FLOWER_OPTS_MAX)
 		return -1;
 	strcpy(key, str);
@@ -1355,7 +1358,7 @@ static int flower_parse_enc_opts_vxlan(c
 static int flower_parse_enc_opts_erspan(char *str, struct nlmsghdr *n)
 {
 -	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
 +	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
 	struct rtattr *nest;
 	char *slash;
 	int err;
@@ -1364,7 +1367,7 @@ static int flower_parse_enc_opts_erspan(
 	slash = strchr(str, '/');
 	if (slash) {
 		*slash++ = '\0';
 -		if (strlen(slash) > XATTR_SIZE_MAX)
 +		if (strlen(slash) > FLOWER_OPTS_MAX)
 			return -1;
 		strcpy(mask, slash);
 	} else {
@@ -1376,7 +1379,7 @@ static int flower_parse_enc_opts_erspan(
 		strcpy(mask + index, ":0xffffffff:0xff:0xff");
 	}
 -	if (strlen(str) > XATTR_SIZE_MAX)
 +	if (strlen(str) > FLOWER_OPTS_MAX)
 		return -1;
 	strcpy(key, str);
@@ -1398,7 +1401,7 @@ static int flower_parse_enc_opts_erspan(
 static int flower_parse_enc_opts_gtp(char *str, struct nlmsghdr *n)
 {
 -	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
 +	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
 	struct rtattr *nest;
 	char *slash;
 	int err;
@@ -1406,13 +1409,13 @@ static int flower_parse_enc_opts_gtp(cha
 	slash = strchr(str, '/');
 	if (slash) {
 		*slash++ = '\0';
 -		if (strlen(slash) > XATTR_SIZE_MAX)
 +		if (strlen(slash) > FLOWER_OPTS_MAX)
 			return -1;
 		strcpy(mask, slash);
 	} else
 		strcpy(mask, "ff:ff");
 -	if (strlen(str) > XATTR_SIZE_MAX)
 +	if (strlen(str) > FLOWER_OPTS_MAX)
 		return -1;
 	strcpy(key, str);
@@ -1433,7 +1436,7 @@ static int flower_parse_enc_opts_gtp(cha
 static int flower_parse_enc_opts_pfcp(char *str, struct nlmsghdr *n)
 {
 -	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
 +	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
 	struct rtattr *nest;
 	char *slash;
 	int err;
@@ -1442,14 +1445,14 @@ static int flower_parse_enc_opts_pfcp(ch
 	slash = strchr(str, '/');
 	if (slash) {
 		*slash++ = '\0';
 -		if (strlen(slash) > XATTR_SIZE_MAX)
 +		if (strlen(slash) > FLOWER_OPTS_MAX)
 			return -1;
 		strcpy(mask, slash);
 	} else {
 		strcpy(mask, "ff:ffffffffffffffff");
 	}
 -	if (strlen(str) > XATTR_SIZE_MAX)
 +	if (strlen(str) > FLOWER_OPTS_MAX)
 		return -1;
 	strcpy(key, str);
--- a/iproute2/patches/018-linux-limits.patch
+++ b/iproute2/patches/018-linux-limits.patch
@ -1,37 +0,0 @@
 From 458dce5d0431f0589aca1bc841904b5d1db3bbce Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen@networkplumber.org>
 Date: Thu, 12 Dec 2024 14:18:35 -0800
 Subject: [PATCH] uapi: remove no longer used linux/limits.h
 Code is now using limits.h instead.
 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 include/uapi/linux/limits.h | 21 ---------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 include/uapi/linux/limits.h
 --- a/include/uapi/linux/limits.h
 +++ /dev/null
@@ -1,21 +0,0 @@
 -/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
 -#ifndef _LINUX_LIMITS_H
 -#define _LINUX_LIMITS_H
 -
 -#define NR_OPEN	        1024
 -
 -#define NGROUPS_MAX    65536	/* supplemental group IDs are available */
 -#define ARG_MAX       131072	/* # bytes of args + environ for exec() */
 -#define LINK_MAX         127	/* # links a file may have */
 -#define MAX_CANON        255	/* size of the canonical input queue */
 -#define MAX_INPUT        255	/* size of the type-ahead buffer */
 -#define NAME_MAX         255	/* # chars in a file name */
 -#define PATH_MAX        4096	/* # chars in a path name including nul */
 -#define PIPE_BUF        4096	/* # bytes in atomic write to a pipe */
 -#define XATTR_NAME_MAX   255	/* # chars in an extended attribute name */
 -#define XATTR_SIZE_MAX 65536	/* size of an extended attribute value (64k) */
 -#define XATTR_LIST_MAX 65536	/* size of extended attribute namelist (64k) */
 -
 -#define RTSIG_MAX	  32
 -
 -#endif
--- a/iproute2/patches/100-configure.patch
+++ b/iproute2/patches/100-configure.patch
@ -0,0 +1,12 @@
 --- a/configure
 +++ b/configure
@@ -34,7 +34,8 @@ int main(int argc, char **argv) {
 }
 EOF
 -    if $CC -I$INCLUDE -o $TMPDIR/atmtest $TMPDIR/atmtest.c -latm >/dev/null 2>&1; then
 +# OpenWrt: disable ATM support even if present on host system
 +    if [ 1 -eq 0 ]; then
 	echo "TC_CONFIG_ATM:=y" >>$CONFIG
 	echo yes
     else
--- a/iproute2/patches/110-darwin_fixes.patch
+++ b/iproute2/patches/110-darwin_fixes.patch
@ -1,6 +1,6 @@
 --- a/netem/maketable.c
 +++ b/netem/maketable.c
-@@ -11,7 +11,9 @@
+@@ -10,7 +10,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <math.h>
@ -12,7 +12,7 @@
 #include <sys/stat.h>
 --- a/netem/normal.c
 +++ b/netem/normal.c
-@@ -9,8 +9,12 @@
+@@ -8,8 +8,12 @@
 #include <string.h>
 #include <limits.h>
@ -27,7 +27,7 @@
 #define TABLEFACTOR NETEM_DIST_SCALE
 --- a/netem/pareto.c
 +++ b/netem/pareto.c
-@@ -8,8 +8,12 @@
+@@ -7,8 +7,12 @@
 #include <math.h>
 #include <limits.h>
@ -42,7 +42,7 @@
 #define TABLESIZE	16384
 --- a/netem/paretonormal.c
 +++ b/netem/paretonormal.c
-@@ -15,10 +15,13 @@
+@@ -14,10 +14,13 @@
 #include <string.h>
 #include <math.h>
 #include <limits.h>
--- a/iproute2/patches/115-add-config-xtlibdir.patch
+++ b/iproute2/patches/115-add-config-xtlibdir.patch
@ -1,6 +1,6 @@
 --- a/tc/Makefile
 +++ b/tc/Makefile
-@@ -107,6 +107,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR
+@@ -128,6 +128,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR
 ifneq ($(IPT_LIB_DIR),)
 	CFLAGS += -DIPT_LIB_DIR=\"$(IPT_LIB_DIR)\"
 endif
--- a/iproute2/patches/130-no_netem_tipc_dcb_man_vdpa.patch
+++ b/iproute2/patches/130-no_netem_tipc_dcb_man_vdpa.patch
@ -1,14 +1,11 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -69,9 +69,9 @@ WFLAGS += -Wmissing-declarations -Wold-s
+@@ -55,7 +55,7 @@ WFLAGS += -Wmissing-declarations -Wold-s
 CFLAGS := $(WFLAGS) $(CCOPTS) -I../include -I../include/uapi $(DEFINES) $(CFLAGS)
 YACCFLAGS = -d -t -v
-SUBDIRS=lib ip tc bridge misc netem genl man
+-SUBDIRS=lib ip tc bridge misc netem genl tipc devlink rdma dcb man vdpa
-+SUBDIRS=lib ip tc bridge misc genl
+SUBDIRS=lib ip tc bridge misc genl devlink rdma
 ifeq ($(HAVE_MNL),y)
 -SUBDIRS += tipc devlink rdma dcb vdpa
 +SUBDIRS += devlink rdma
 endif
 LIBNETLINK=../lib/libutil.a ../lib/libnetlink.a
 LDLIBS += $(LIBNETLINK)
--- a/iproute2/patches/140-allow_pfifo_fast.patch
+++ b/iproute2/patches/140-allow_pfifo_fast.patch
@ -1,6 +1,6 @@
 --- a/tc/q_fifo.c
 +++ b/tc/q_fifo.c
-@@ -90,5 +90,6 @@ struct qdisc_util pfifo_head_drop_qdisc_
+@@ -95,5 +95,6 @@ struct qdisc_util pfifo_head_drop_qdisc_
 struct qdisc_util pfifo_fast_qdisc_util = {
 	.id = "pfifo_fast",
--- a/iproute2/patches/140-keep_libmnl_optional.patch
+++ b/iproute2/patches/140-keep_libmnl_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -368,7 +368,7 @@ check_tirpc()
+@@ -387,7 +387,7 @@ check_selinux()
 check_mnl()
 {
--- a/iproute2/patches/145-keep_libelf_optional.patch
+++ b/iproute2/patches/145-keep_libelf_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -217,7 +217,7 @@ EOF
+@@ -255,7 +255,7 @@ EOF
 check_elf()
 {
--- a/iproute2/patches/150-keep_libcap_optional.patch
+++ b/iproute2/patches/150-keep_libcap_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -427,7 +427,7 @@ EOF
+@@ -445,7 +445,7 @@ EOF
 check_cap()
 {
--- a/iproute2/patches/155-keep_tirpc_optional.patch
+++ b/iproute2/patches/155-keep_tirpc_optional.patch
@ -1,11 +0,0 @@
 --- a/configure
 +++ b/configure
@@ -355,7 +355,7 @@ check_selinux()
 check_tirpc()
 {
 -	if ${PKG_CONFIG} libtirpc --exists; then
 +	if [ "${HAVE_TIRPC}" = "y" ] && ${PKG_CONFIG} libtirpc --exists; then
 		echo "HAVE_RPC:=y" >>$CONFIG
 		echo "yes"
--- a/iproute2/patches/170-ip_tiny.patch
+++ b/iproute2/patches/170-ip_tiny.patch
@ -1,108 +0,0 @@
 --- a/ip/Makefile
 +++ b/ip/Makefile
@@ -19,6 +19,13 @@ RTMONOBJ=rtmon.o
 include ../config.mk
 +STATIC_SYM_FILTER:=
 +ifeq ($(IP_CONFIG_TINY),y)
 +  STATIC_SYM_FILTER:=iplink_can.c iplink_ipoib.c iplink_vxlan.c
 +  CFLAGS += -DIPROUTE2_TINY
 +endif
 +STATIC_SYM_SOURCES:=$(filter-out $(STATIC_SYM_FILTER),$(wildcard *.c))
 +
 ALLOBJ=$(IPOBJ) $(RTMONOBJ)
 SCRIPTS=routel
 TARGETS=ip rtmon
@@ -48,7 +55,7 @@ else
 ip: static-syms.o
 static-syms.o: static-syms.h
 -static-syms.h: $(wildcard *.c)
 +static-syms.h: $(STATIC_SYM_SOURCES)
 	files="$^" ; \
 	for s in `grep -B 3 '\<dlsym' $$files | sed -n '/snprintf/{s:.*"\([^"]*\)".*:\1:;s:%s::;p}'` ; do \
 		sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:extern char \1[] __attribute__((weak)); if (!strcmp(sym, "\1")) return \1;:;p}' $$files ; \
 --- a/ip/ip.c
 +++ b/ip/ip.c
@@ -61,11 +61,17 @@ static void usage(void)
 	fprintf(stderr,
 		"Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }\n"
 		"       ip [ -force ] -batch filename\n"
 +#ifndef IPROUTE2_TINY
 		"where  OBJECT := { address | addrlabel | fou | help | ila | ioam | l2tp | link |\n"
 		"                   macsec | maddress | monitor | mptcp | mroute | mrule |\n"
 		"                   neighbor | neighbour | netconf | netns | nexthop | ntable |\n"
 		"                   ntbl | route | rule | sr | stats | tap | tcpmetrics |\n"
 		"                   token | tunnel | tuntap | vrf | xfrm }\n"
 +#else
 +		"where  OBJECT := { address | help | link | maddress | monitor |\n"
 +		"                   neighbor | neighbour | netns | route |\n"
 +		"                   rule | stats | token | tunnel }\n"
 +#endif
 		"       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n"
 		"                    -h[uman-readable] | -iec | -j[son] | -p[retty] |\n"
 		"                    -f[amily] { inet | inet6 | mpls | bridge | link } |\n"
@@ -88,37 +94,49 @@ static const struct cmd {
 	int (*func)(int argc, char **argv);
 } cmds[] = {
 	{ "address",	do_ipaddr },
 +#ifndef IPROUTE2_TINY
 	{ "addrlabel",	do_ipaddrlabel },
 +#endif
 	{ "maddress",	do_multiaddr },
 	{ "route",	do_iproute },
 	{ "rule",	do_iprule },
 	{ "neighbor",	do_ipneigh },
 	{ "neighbour",	do_ipneigh },
 +#ifndef IPROUTE2_TINY
 	{ "ntable",	do_ipntable },
 	{ "ntbl",	do_ipntable },
 +#endif
 	{ "link",	do_iplink },
 +#ifndef IPROUTE2_TINY
 	{ "l2tp",	do_ipl2tp },
 	{ "fou",	do_ipfou },
 	{ "ila",	do_ipila },
 	{ "macsec",	do_ipmacsec },
 +#endif
 	{ "tunnel",	do_iptunnel },
 	{ "tunl",	do_iptunnel },
 +#ifndef IPROUTE2_TINY
 	{ "tuntap",	do_iptuntap },
 	{ "tap",	do_iptuntap },
 	{ "token",	do_iptoken },
 	{ "tcpmetrics",	do_tcp_metrics },
 	{ "tcp_metrics", do_tcp_metrics },
 +#endif
 	{ "monitor",	do_ipmonitor },
 +#ifndef IPROUTE2_TINY
 	{ "xfrm",	do_xfrm },
 	{ "mroute",	do_multiroute },
 	{ "mrule",	do_multirule },
 +#endif
 	{ "netns",	do_netns },
 +#ifndef IPROUTE2_TINY
 	{ "netconf",	do_ipnetconf },
 	{ "vrf",	do_ipvrf},
 	{ "sr",		do_seg6 },
 	{ "nexthop",	do_ipnh },
 	{ "mptcp",	do_mptcp },
 	{ "ioam",	do_ioam6 },
 +#endif
 	{ "help",	do_help },
 	{ "stats",	do_ipstats },
 	{ 0 }
 --- a/lib/Makefile
 +++ b/lib/Makefile
@@ -3,6 +3,10 @@ include ../config.mk
 CFLAGS += $(FPIC)
 +ifeq ($(IP_CONFIG_TINY),y)
 +  CFLAGS += -DIPROUTE2_TINY
 +endif
 +
 UTILOBJ = utils.o utils_math.o rt_names.o ll_map.o ll_types.o ll_proto.o ll_addr.o \
 	inet_proto.o namespace.o json_writer.o json_print.o json_print_math.o \
 	names.o color.o bpf_legacy.o bpf_glue.o exec.o fs.o cg_map.o ppp_proto.o
--- a/iproute2/patches/175-reduce-dynamic-syms.patch
+++ b/iproute2/patches/175-reduce-dynamic-syms.patch
@ -0,0 +1,45 @@
 --- a/tc/Makefile
 +++ b/tc/Makefile
@@ -114,7 +114,7 @@ LDLIBS += -L. -lm
 ifeq ($(SHARED_LIBS),y)
 LDLIBS += -ldl
 -LDFLAGS += -Wl,-export-dynamic
 +LDFLAGS += -Wl,--dynamic-list=dynsyms.list
 endif
 TCLIB := tc_core.o
@@ -144,7 +144,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
 all: tc $(TCSO)
 tc: $(TCOBJ) $(LIBNETLINK) libtc.a
 -	$(QUIET_LINK)$(CC) $^ $(LDFLAGS) $(LDLIBS) -o $@
 +	$(QUIET_LINK)$(CC) $(filter-out dynsyms.list, $^) $(LDFLAGS) $(LDLIBS) -o $@
 libtc.a: $(TCLIB)
 	$(QUIET_AR)$(AR) rcs $@ $^
@@ -166,6 +166,7 @@ install: all
 clean:
 	rm -f $(TCOBJ) $(TCLIB) libtc.a tc *.so emp_ematch.tab.h; \
 	rm -f emp_ematch.tab.*
 +	rm -f dynsyms.list
 q_atm.so: q_atm.c
 	$(QUIET_CC)$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -shared -fpic -o q_atm.so q_atm.c -latm
@@ -205,4 +206,16 @@ static-syms.h: $(wildcard *.c)
 		sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:extern char \1[] __attribute__((weak)); if (!strcmp(sym, "\1")) return \1;:;p}' $$files ; \
 	done > $@
 +else
 +
 +tc: dynsyms.list
 +m_xt.so: dynsyms.list
 +dynsyms.list: $(wildcard *.c)
 +	files="$(filter-out $(patsubst %.so,%.c,$(TCSO)), $^)" ; \
 +	echo "{" > $@ ; \
 +	for s in `grep -B 3 '\<dlsym' $$files | sed -n '/snprintf/{s:.*"\([^"]*\)".*:\1:;s:%s::;p}'` ; do \
 +		sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:\1;:;p}' $$files ; \
 +	done >> $@ ; \
 +	echo "show_stats; print_nl; print_tm; parse_rtattr; parse_rtattr_flags; get_u32; matches; addattr_l; addattr_nest; addattr_nest_end; };" >> $@
 +
 endif
--- a/iproute2/patches/180-drop_FAILED_POLICY.patch
+++ b/iproute2/patches/180-drop_FAILED_POLICY.patch
@ -11,7 +11,7 @@ Subject: [PATCH] add support for dropping with FAILED_POLICY
 --- a/ip/rtm_map.c
 +++ b/ip/rtm_map.c
-@@ -49,6 +49,8 @@ char *rtnl_rtntype_n2a(int id, char *buf
+@@ -54,6 +54,8 @@ char *rtnl_rtntype_n2a(int id, char *buf
 		return "nat";
 	case RTN_XRESOLVE:
 		return "xresolve";
@ -20,7 +20,7 @@ Subject: [PATCH] add support for dropping with FAILED_POLICY
 	default:
 		snprintf(buf, len, "%d", id);
 		return buf;
-@@ -84,6 +86,8 @@ int rtnl_rtntype_a2n(int *id, char *arg)
+@@ -89,6 +91,8 @@ int rtnl_rtntype_a2n(int *id, char *arg)
 		res = RTN_UNICAST;
 	else if (strcmp(arg, "throw") == 0)
 		res = RTN_THROW;
@ -31,7 +31,7 @@ Subject: [PATCH] add support for dropping with FAILED_POLICY
 		if (!end || end == arg || *end || res > 255)
 --- a/include/uapi/linux/rtnetlink.h
 +++ b/include/uapi/linux/rtnetlink.h
-@@ -265,6 +265,7 @@ enum {
+@@ -256,6 +256,7 @@ enum {
 	RTN_THROW,		/* Not in this table		*/
 	RTN_NAT,		/* Translate this address	*/
 	RTN_XRESOLVE,		/* Use external resolver	*/
--- a/iproute2/patches/190-fix-nls-rpath-link.patch
+++ b/iproute2/patches/190-fix-nls-rpath-link.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -241,7 +241,7 @@ int main(int argc, char **argv) {
+@@ -279,7 +279,7 @@ int main(int argc, char **argv) {
 }
 EOF
@ -9,7 +9,7 @@
     local ret=$?
     rm -f $TMPDIR/libbpf_test.c $TMPDIR/libbpf_test
-@@ -259,7 +259,7 @@ int main(int argc, char **argv) {
+@@ -297,7 +297,7 @@ int main(int argc, char **argv) {
 }
 EOF
--- a/iproute2/patches/195-build_variant_ip_tc.patch
+++ b/iproute2/patches/195-build_variant_ip_tc.patch
@ -1,22 +0,0 @@
 --- a/ip/Makefile
 +++ b/ip/Makefile
@@ -28,7 +28,7 @@ STATIC_SYM_SOURCES:=$(filter-out $(STATI
 ALLOBJ=$(IPOBJ) $(RTMONOBJ)
 SCRIPTS=routel
 -TARGETS=ip rtmon
 +TARGETS=$(findstring ip,$(BUILD_VARIANT)) rtmon
 all: $(TARGETS) $(SCRIPTS)
 --- a/tc/Makefile
 +++ b/tc/Makefile
@@ -120,7 +120,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
 	$(QUIET_CC)$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -shared -fpic $< -o $@
 -all: tc $(TCSO)
 +all: $(findstring tc,$(BUILD_VARIANT)) $(TCSO)
 tc: $(TCOBJ) $(LIBNETLINK) libtc.a
 	$(QUIET_LINK)$(CC) $^ $(LDFLAGS) $(LDLIBS) -o $@
--- a/iproute2/patches/200-drop_libbsd_dependency.patch
+++ b/iproute2/patches/200-drop_libbsd_dependency.patch
@ -1,12 +1,12 @@
 --- a/configure
 +++ b/configure
-@@ -413,14 +413,8 @@ EOF
+@@ -431,14 +431,8 @@ EOF
     if $CC -I$INCLUDE -o $TMPDIR/strtest $TMPDIR/strtest.c >/dev/null 2>&1; then
 	echo "no"
     else
 -	if ${PKG_CONFIG} libbsd --exists; then
-		echo 'CFLAGS += -DHAVE_LIBBSD' "$(${PKG_CONFIG} libbsd --cflags)" >>$CONFIG
+-		echo 'CFLAGS += -DHAVE_LIBBSD' `${PKG_CONFIG} libbsd --cflags` >>$CONFIG
-		echo 'LDLIBS +=' "$(${PKG_CONFIG} libbsd --libs)" >> $CONFIG
+-		echo 'LDLIBS +=' `${PKG_CONFIG} libbsd --libs` >> $CONFIG
 -		echo "no"
 -	else
 -		echo 'CFLAGS += -DNEED_STRLCPY' >>$CONFIG
--- a/iproute2/patches/300-selinux-configurable.patch
+++ b/iproute2/patches/300-selinux-configurable.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -342,7 +342,7 @@ check_libbpf()
+@@ -374,7 +374,7 @@ check_libbpf()
 check_selinux()
 # SELinux is a compile time option in the ss utility
 {
--- a/libgpiod/Makefile
+++ b/libgpiod/Makefile
@ -1,125 +0,0 @@
 #
 # Copyright (C) 2018-2019 Michael Heimpold <mhei@heimpold.de>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libgpiod
 PKG_VERSION:=2.1.1
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/software/libs/libgpiod/
 PKG_HASH:=b21913f469d3135680d5516f00fdf9f81d5e564e19ffb690927ea7f1d7e312cb
 PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
 PKG_LICENSE:=LGPL-2.1-or-later
 PKG_LICENSE_FILES:=COPYING
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 PYTHON3_PKG_BUILD:=0
 include $(INCLUDE_DIR)/package.mk
 include $(TOPDIR)/feeds/packages/lang/python/python3-package.mk
 ifneq ($(CONFIG_PACKAGE_gpiod-tools),)
 CONFIGURE_ARGS += --enable-tools
 endif
 PYTHON3_PKG_SETUP_DIR:=bindings/python
 TARGET_CPPFLAGS+=-I$(PKG_BUILD_DIR)/include
 TARGET_LDFLAGS+=-L$(PKG_BUILD_DIR)/lib/.libs
 define Package/libgpiod
  SECTION:=libs
  CATEGORY:=Libraries
  URL:=https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git
  TITLE:=Library for interacting with Linux's GPIO character device
  KCONFIG:= \
    CONFIG_GPIO_CDEV=y
  DEPENDS:=@GPIO_SUPPORT
 endef
 define Package/libgpiod/description
  C library for interacting with the linux GPIO character device
  (gpiod stands for GPIO device).
 endef
 define Package/gpiod-tools
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=Tools for interacting with GPIO pins
  DEPENDS:=+libgpiod
 endef
 define Package/gpiod-tools/description
  Tools for interacting with the linux GPIO character device
  (gpiod stands for GPIO device).
 endef
 define Package/python3-gpiod
  SECTION:=lang
  CATEGORY:=Languages
  SUBMENU:=Python
  TITLE:=Python bindings for libgpiod
  URL:=https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git
  DEPENDS:=+python3-light +libgpiod
 endef
 define Package/python3-gpiod/description
  This package contains the Python bindings for libgpiod.
 endef
 define Build/Configure
 	$(call Build/Configure/Default)
    ifneq ($(CONFIG_PACKAGE_python3-gpiod),)
 	$(call Py3Build/Configure)
    endif
 endef
 define Build/Compile
 	$(call Build/Compile/Default)
    ifneq ($(CONFIG_PACKAGE_python3-gpiod),)
 	$(call Py3Build/Compile)
    endif
 endef
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/gpiod.h $(1)/usr/include/
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgpiod.{so*,a} $(1)/usr/lib/
 	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libgpiod.pc $(1)/usr/lib/pkgconfig/
    ifneq ($(CONFIG_PACKAGE_python3-gpiod),)
 	$(INSTALL_DIR) $(1)$(PYTHON3_PKG_DIR)
 	$(CP) $(PKG_INSTALL_DIR)$(PYTHON3_PKG_DIR)/* $(1)$(PYTHON3_PKG_DIR)
    endif
 endef
 define Package/libgpiod/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgpiod.so.* $(1)/usr/lib/
 endef
 define Package/gpiod-tools/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
 endef
 define Py3Package/python3-gpiod/install
 	# this empty define prevent installing tools from /usr/bin
 endef
 $(eval $(call BuildPackage,libgpiod))
 $(eval $(call BuildPackage,gpiod-tools))
 $(eval $(call Py3Package,python3-gpiod))
 $(eval $(call BuildPackage,python3-gpiod))
 $(eval $(call BuildPackage,python3-gpiod-src))
--- a/libmbim/Makefile
+++ b/libmbim/Makefile
@ -8,30 +8,28 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libmbim
-PKG_VERSION:=1.31.6
+PKG_VERSION:=1.26.0
-PKG_SOURCE_VERSION:=1.31.6-dev
+PKG_RELEASE:=$(AUTORELEASE)
 #PKG_SOURCE_VERSION:=1866ed53c05916c66c5d52682778a6078e5221d3
 PKG_RELEASE:=1
-PKG_SOURCE_PROTO:=git
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git
+PKG_SOURCE_URL:=https://www.freedesktop.org/software/libmbim
-#libmPKG_MIRROR_HASH:=8fc4e2d78d6a1003bf89303d3ce779283b176d74e84a241ba8efb0d468605268
+PKG_HASH:=1e1f0926b22c77210442129eca689722ecf324ab9c9abf421a5c989f46e813cf
 PKG_BUILD_FLAGS:=gc-sections
 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/nls.mk
 include $(INCLUDE_DIR)/meson.mk
-TARGET_CFLAGS += -fno-merge-all-constants -fmerge-constants
+CONFIGURE_ARGS += \
-
+	--disable-static \
-MESON_ARGS += \
+	--disable-gtk-doc \
-	-Dintrospection=false \
+	--disable-gtk-doc-html \
-	-Dman=false \
+	--disable-gtk-doc-pdf \
-	-Dbash_completion=false \
+	--disable-silent-rules \
-	-Db_lto=true
+	--enable-more-warnings=yes
 define Package/libmbim
  SECTION:=libs
@ -58,6 +56,10 @@ define Package/mbim-utils
  LICENSE_FILES:=COPYING
 endef
 CONFIGURE_ARGS += \
 	--without-udev \
 	--without-udev-base-dir
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include
 	$(CP) \
@ -76,15 +78,11 @@ define Build/InstallDev
 endef
 define Package/libmbim/install
-	$(INSTALL_DIR) \
+	$(INSTALL_DIR) $(1)/usr/lib
 		$(1)/usr/lib \
 		$(1)/usr/libexec
 	$(CP) \
 		$(PKG_INSTALL_DIR)/usr/lib/libmbim*.so.* \
 		$(1)/usr/lib/
-
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/mbim-proxy $(1)/usr/lib/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/libexec/mbim-proxy $(1)/usr/libexec/
 endef
 define Package/mbim-utils/install
--- a/libqmi/Config.in
+++ b/libqmi/Config.in
@ -13,19 +13,4 @@ config LIBQMI_WITH_QRTR_GLIB
 	help
 	  Compile libqmi with QRTR support
 choice
 	prompt "Select QMI message collection to build"
 	default LIBQMI_COLLECTION_BASIC
 	config LIBQMI_COLLECTION_MINIMAL
 		depends on !MODEMMANAGER_WITH_QMI
 		bool "minimal"
 	config LIBQMI_COLLECTION_BASIC
 		bool "basic (default)"
 	config LIBQMI_COLLECTION_FULL
 		bool "full"
 endchoice
 endmenu
--- a/libqmi/Makefile
+++ b/libqmi/Makefile
@ -8,23 +8,20 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libqmi
-PKG_VERSION:=1.35.6
+PKG_VERSION:=1.30.2
-PKG_SOURCE_VERSION:=1.35.6-dev
+PKG_RELEASE:=$(AUTORELEASE)
 PKG_RELEASE:=1
-PKG_SOURCE_PROTO:=git
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git
+PKG_SOURCE_URL:=https://www.freedesktop.org/software/libqmi
-#PKG_MIRROR_HASH:=af3dc760d0c40ef8af1f8b424435daa12bff698ed45b1cc9a9e38ea62ed047f0
+PKG_HASH:=be01ece0ea2c2194cbea5744bf5aaf06c04ba5fb7ec7887a13116c76d114fedd
 PKG_BUILD_FLAGS:=gc-sections
 PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/nls.mk
 include $(INCLUDE_DIR)/meson.mk
 TARGET_CFLAGS += -fno-merge-all-constants -fmerge-constants
 define Package/libqmi/config
  source "$(SOURCE)/Config.in"
@ -62,16 +59,28 @@ define Package/libqmi-utils/description
  Utils to talk to QMI enabled modems
 endef
-MESON_ARGS += \
+CONFIGURE_ARGS += \
-	-Dudev=false \
+	--disable-static \
-	-Dintrospection=false \
+	--disable-gtk-doc \
-	-Dman=false \
+	--disable-gtk-doc-html \
-	-Dbash_completion=false \
+	--disable-gtk-doc-pdf \
-	-Db_lto=true \
+	--disable-silent-rules \
-	-Dmbim_qmux=$(if $(CONFIG_LIBQMI_WITH_MBIM_QMUX),true,false) \
+	--enable-firmware-update \
-	-Dqrtr=$(if $(CONFIG_LIBQMI_WITH_QRTR_GLIB),true,false) \
+	--enable-more-warnings=yes \
-	-Dcollection=$(if $(CONFIG_LIBQMI_COLLECTION_MINIMAL),minimal\
+	--without-udev \
-		    ,$(if $(CONFIG_LIBQMI_COLLECTION_BASIC),basic,full))
+	--without-udev-base-dir
 ifeq ($(CONFIG_LIBQMI_WITH_MBIM_QMUX),y)
 	CONFIGURE_ARGS += --enable-mbim-qmux
 else
 	CONFIGURE_ARGS += --disable-mbim-qmux
 endif
 ifeq ($(CONFIG_LIBQMI_WITH_QRTR_GLIB),y)
 	CONFIGURE_ARGS += --enable-qrtr
 else
 	CONFIGURE_ARGS += --disable-qrtr
 endif
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include
@ -91,15 +100,12 @@ define Build/InstallDev
 endef
 define Package/libqmi/install
-	$(INSTALL_DIR) \
+	$(INSTALL_DIR) $(1)/usr/lib
 		$(1)/usr/lib \
 		$(1)/usr/libexec
 	$(CP) \
 		$(PKG_INSTALL_DIR)/usr/lib/libqmi*.so.* \
 		$(1)/usr/lib/
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/libexec/qmi-proxy $(1)/usr/libexec/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/qmi-proxy $(1)/usr/lib/
 endef
 define Package/qmi-utils/install
--- a/luci-app-firewall/Makefile
+++ b/luci-app-firewall/Makefile
@ -6,11 +6,11 @@
 include $(TOPDIR)/rules.mk
-LUCI_TITLE:=Firewall and port forwarding application
+LUCI_TITLE:=Firewall and Portforwarding application
-LUCI_DEPENDS:=+luci-base +uci-firewall
+LUCI_DEPENDS:=+firewall
 PKG_LICENSE:=Apache-2.0
-PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
+PKG_VERSION:=omr-202103
 include $(TOPDIR)/feeds/luci/luci.mk
--- a/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
@ -6,7 +6,6 @@
 'require form';
 'require network';
 'require firewall';
 'require validation';
 'require tools.prng as random';
 var protocols = [
@ -393,25 +392,12 @@ return baseclass.extend({
 	},
 	transformHostHints: function(family, hosts) {
-		var choice_values = [],
+		var choice_values = [], choice_labels = {};
 		    choice_labels = {},
 		    ip6addrs = {},
 		    ipaddrs = {};
 		for (var mac in hosts) {
 			L.toArray(hosts[mac].ipaddrs || hosts[mac].ipv4).forEach(function(ip) {
 				ipaddrs[ip] = mac;
 			});
 			L.toArray(hosts[mac].ip6addrs || hosts[mac].ipv6).forEach(function(ip) {
 				ip6addrs[ip] = mac;
 			});
 		}
 		if (!family || family == 'ipv4') {
-			L.sortedKeys(ipaddrs, null, 'addr').forEach(function(ip) {
+			L.sortedKeys(hosts, 'ipv4', 'addr').forEach(function(mac) {
-				var val = ip,
+				var val = hosts[mac].ipv4,
-				    txt = hosts[ipaddrs[ip]].name || ipaddrs[ip];
+				    txt = hosts[mac].name || mac;
 				choice_values.push(val);
 				choice_labels[val] = E([], [ val, ' (', E('strong', {}, [txt]), ')' ]);
@ -419,9 +405,9 @@ return baseclass.extend({
 		}
 		if (!family || family == 'ipv6') {
-			L.sortedKeys(ip6addrs, null, 'addr').forEach(function(ip) {
+			L.sortedKeys(hosts, 'ipv6', 'addr').forEach(function(mac) {
-				var val = ip,
+				var val = hosts[mac].ipv6,
-				    txt = hosts[ip6addrs[ip]].name || ip6addrs[ip];
+				    txt = hosts[mac].name || mac;
 				choice_values.push(val);
 				choice_labels[val] = E([], [ val, ' (', E('strong', {}, [txt]), ')' ]);
@ -439,27 +425,11 @@ return baseclass.extend({
 		opt.addChoices(choices[0], choices[1]);
 	},
 	CBIDynamicMultiValueList: form.DynamicList.extend({
 		renderWidget: function(/* ... */) {
 			var dl = form.DynamicList.prototype.renderWidget.apply(this, arguments),
 			    inst = dom.findClassInstance(dl);
 			inst.addItem = function(dl, value, text, flash) {
 				var values = L.toArray(value);
 				for (var i = 0; i < values.length; i++)
 					ui.DynamicList.prototype.addItem.call(this, dl, values[i], null, true);
 			};
 			return dl;
 		}
 	}),
 	addIPOption: function(s, tab, name, label, description, family, hosts, multiple) {
-		var o = s.taboption(tab, multiple ? this.CBIDynamicMultiValueList : form.Value, name, label, description);
+		var o = s.taboption(tab, multiple ? form.DynamicList : form.Value, name, label, description);
 		var fw4 = L.hasSystemFeature('firewall4');
 		o.modalonly = true;
-		o.datatype = (fw4 && validation.types.iprange) ? 'list(neg(or(ipmask("true"),iprange)))' : 'list(neg(ipmask("true")))';
+		o.datatype = 'list(neg(ipmask))';
 		o.placeholder = multiple ? _('-- add IP --') : _('any');
 		if (family != null) {
@ -479,20 +449,18 @@ return baseclass.extend({
 	addLocalIPOption: function(s, tab, name, label, description, devices) {
 		var o = s.taboption(tab, form.Value, name, label, description);
 		var fw4 = L.hasSystemFeature('firewall4');
 		o.modalonly = true;
-		o.datatype = !fw4?'ip4addr("nomask")':'ipaddr("nomask")';
+		o.datatype = 'ip4addr("nomask")';
 		o.placeholder = _('any');
 		L.sortedKeys(devices, 'name').forEach(function(dev) {
 			var ip4addrs = devices[dev].ipaddrs;
 			var ip6addrs = devices[dev].ip6addrs;
-			if (!L.isObject(devices[dev].flags) || devices[dev].flags.loopback)
+			if (!L.isObject(devices[dev].flags) || !Array.isArray(ip4addrs) || devices[dev].flags.loopback)
 				return;
-			for (var i = 0; Array.isArray(ip4addrs) && i < ip4addrs.length; i++) {
+			for (var i = 0; i < ip4addrs.length; i++) {
 				if (!L.isObject(ip4addrs[i]) || !ip4addrs[i].address)
 					continue;
@ -500,21 +468,13 @@ return baseclass.extend({
 					ip4addrs[i].address, ' (', E('strong', {}, [dev]), ')'
 				]));
 			}
 			for (var i = 0; fw4 && Array.isArray(ip6addrs) && i < ip6addrs.length; i++) {
 				if (!L.isObject(ip6addrs[i]) || !ip6addrs[i].address)
 					continue;
 				o.value(ip6addrs[i].address, E([], [
 					ip6addrs[i].address, ' (', E('strong', {}, [dev]), ')'
 				]));
 			}
 		});
 		return o;
 	},
 	addMACOption: function(s, tab, name, label, description, hosts) {
-		var o = s.taboption(tab, this.CBIDynamicMultiValueList, name, label, description);
+		var o = s.taboption(tab, form.DynamicList, name, label, description);
 		o.modalonly = true;
 		o.datatype = 'list(macaddr)';
@ -522,10 +482,7 @@ return baseclass.extend({
 		L.sortedKeys(hosts).forEach(function(mac) {
 			o.value(mac, E([], [ mac, ' (', E('strong', {}, [
-				hosts[mac].name ||
+				hosts[mac].name || hosts[mac].ipv4 || hosts[mac].ipv6 || '?'
 				L.toArray(hosts[mac].ipaddrs || hosts[mac].ipv4)[0] ||
 				L.toArray(hosts[mac].ip6addrs || hosts[mac].ipv6)[0] ||
 				'?'
 			]), ')' ]));
 		});
@ -565,9 +522,6 @@ return baseclass.extend({
 				}
 			}, this));
 			if (cfgvalue == '*' || cfgvalue == 'any' || cfgvalue == 'all')
 				cfgvalue = 'all';
 			return cfgvalue;
 		},
@ -583,7 +537,6 @@ return baseclass.extend({
 				display_items: 10,
 				dropdown_items: -1,
 				create: true,
 				disabled: (this.readonly != null) ? this.readonly : this.map.readonly,
 				validate: function(value) {
 					var v = L.toArray(value);
@ -602,7 +555,8 @@ return baseclass.extend({
 			});
 			widget.createChoiceElement = function(sb, value) {
-				var p = lookupProto(value);
+				var m = value.match(/^(0x[0-9a-f]{1,2}|[0-9]{1,3})$/),
 				    p = lookupProto(lookupProto(m ? +m[1] : value)[0]);
 				return ui.Dropdown.prototype.createChoiceElement.call(this, sb, p[2], p[1]);
 			};
@ -612,11 +566,9 @@ return baseclass.extend({
 					var m = value.match(/^(0x[0-9a-f]{1,2}|[0-9]{1,3})$/),
 					    p = lookupProto(m ? +m[1] : value);
-					return (p[0] > -1) ? p[2] : p[1];
+					return (p[0] > -1) ? p[2] : value;
 				});
 				values.sort();
 				return ui.Dropdown.prototype.createItems.call(this, sb, values.join(' '));
 			};
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/custom.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/custom.js
@ -24,7 +24,7 @@ return view.extend({
 		return E([
 			E('h2', _('Firewall - Custom Rules')),
 			E('p', {}, _('Custom rules allow you to execute arbitrary iptables commands which are not otherwise covered by the firewall framework. The commands are executed after each firewall restart, right after the default ruleset has been loaded.')),
-			E('p', {}, E('textarea', { 'style': 'width:100%', 'rows': 25 }, [ fwuser != null ? fwuser : '' ]))
+			E('p', {}, E('textarea', { 'style': 'width:100%', 'rows': 10 }, [ fwuser != null ? fwuser : '' ]))
 		]);
 	},
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/forwards.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/forwards.js
@ -9,8 +9,6 @@
 'require tools.widgets as widgets';
 function rule_proto_txt(s, ctHelpers) {
 	var family = (uci.get('firewall', s, 'family') || '').toLowerCase().replace(/^(?:all|\*)$/, 'any');
 	var dip = uci.get('firewall', s, 'dest_ip') || '';
 	var proto = L.toArray(uci.get('firewall', s, 'proto')).filter(function(p) {
 		return (p != '*' && p != 'any' && p != 'all');
 	}).map(function(p) {
@ -22,7 +20,7 @@ function rule_proto_txt(s, ctHelpers) {
 		};
 	});
-	var m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
+	m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
 	var h = m ? {
 		val:  m[0].toUpperCase(),
 		inv:  m[1],
@ -37,9 +35,7 @@ function rule_proto_txt(s, ctHelpers) {
 		mask: m[3] ? '0x%02X'.format(+m[3]) : null
 	} : null;
-	return fwtool.fmt(_('Incoming %{ipv6?%{ipv4?<var>IPv4</var> and <var>IPv6</var>:<var>IPv6</var>}:<var>IPv4</var>}%{proto?, protocol %{proto#%{next?, }%{item.types?<var class="cbi-tooltip-container">%{item.name}<span class="cbi-tooltip">ICMP with types %{item.types#%{next?, }<var>%{item}</var>}</span></var>:<var>%{item.name}</var>}}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}%{helper?, helper %{helper.inv?<var data-tooltip="Match any helper except &quot;%{helper.name}&quot;">%{helper.val}</var>:<var data-tooltip="%{helper.name}">%{helper.val}</var>}}'), {
+	return fwtool.fmt(_('Incoming IPv4%{proto?, protocol %{proto#%{next?, }%{item.types?<var class="cbi-tooltip-container">%{item.name}<span class="cbi-tooltip">ICMP with types %{item.types#%{next?, }<var>%{item}</var>}</span></var>:<var>%{item.name}</var>}}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}%{helper?, helper %{helper.inv?<var data-tooltip="Match any helper except &quot;%{helper.name}&quot;">%{helper.val}</var>:<var data-tooltip="%{helper.name}">%{helper.val}</var>}}'), {
 		ipv4: ((!family && dip.indexOf(':') == -1) || family == 'any' || (!family && !dip) || family == 'ipv4'),
 		ipv6: ((!family && dip.indexOf(':') != -1) || family == 'any' || family == 'ipv6'),
 		proto: proto,
 		helper: h,
 		mark:   f
@ -50,7 +46,7 @@ function rule_src_txt(s, hosts) {
 	var z = uci.get('firewall', s, 'src');
 	return fwtool.fmt(_('From %{src}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}%{src_mac?, MAC %{src_mac#%{next?, }<var%{item.inv? data-tooltip="Match MACs except %{item.val}%{item.hint.name? a.k.a. %{item.hint.name}}.":%{item.hint.name? data-tooltip="%{item.hint.name}"}}>%{item.ival}</var>}}'), {
-		src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+		src: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
 		src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
 		src_mac: fwtool.map_invert(uci.get('firewall', s, 'src_mac'), 'toUpperCase').map(function(v) { return Object.assign(v, { hint: hosts[v.val] }) }),
 		src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port'))
@ -59,7 +55,7 @@ function rule_src_txt(s, hosts) {
 function rule_dest_txt(s) {
 	return fwtool.fmt(_('To %{dest}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(null) }, [E('em', _('this device'))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName(null) }, [E('em', _('this device'))]),
 		dest_ip: fwtool.map_invert(uci.get('firewall', s, 'src_dip'), 'toLowerCase'),
 		dest_port: fwtool.map_invert(uci.get('firewall', s, 'src_dport'))
 	});
@ -83,30 +79,12 @@ function rule_target_txt(s) {
 	var z = uci.get('firewall', s, 'dest');
 	return fwtool.fmt(_('<var data-tooltip="DNAT">Forward</var> to %{dest}%{dest_ip? IP <var>%{dest_ip}</var>}%{dest_port? port <var>%{dest_port}</var>}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
 		dest_ip: (uci.get('firewall', s, 'dest_ip') || '').toLowerCase(),
 		dest_port: uci.get('firewall', s, 'dest_port')
 	});
 }
 function validate_opt_family(m, section_id, opt) {
 	var dopt = m.section.getOption('dest_ip'),
 	    fmopt = m.section.getOption('family');
 	if (!dopt.isValid(section_id) && opt != 'dest_ip')
 		return true;
 	if (!fmopt.isValid(section_id) && opt != 'family')
 		return true;
 	var dip = dopt.formvalue(section_id) || '',
 	    fm = fmopt.formvalue(section_id) || '';
 	if (fm == '' || (fm == 'any' && dip == '') || (fm == 'ipv6' && (dip.indexOf(':') != -1 || dip == '')) || (fm == 'ipv4' && dip.indexOf(':') == -1))
 		return true;
 	return _('Address family, Internal IP address must match');
 }
 return view.extend({
 	callHostHints: rpc.declare({
 		object: 'luci-rpc',
@ -147,7 +125,6 @@ return view.extend({
 		    ctHelpers = data[1],
 		    devs = data[2],
 		    m, s, o;
 		var fw4 = L.hasSystemFeature('firewall4');
 		m = new form.Map('firewall', _('Firewall - Port Forwards'),
 			_('Port forwarding allows remote computers on the Internet to connect to a specific computer or service within the private LAN.'));
@ -156,7 +133,6 @@ return view.extend({
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
 		s.cloneable = true;
 		s.tab('general', _('General Settings'));
 		s.tab('advanced', _('Advanced Settings'));
@ -173,10 +149,9 @@ return view.extend({
 			var config_name = this.uciconfig || this.map.config,
 			    section_id = uci.add(config_name, this.sectiontype);
 			uci.set(config_name, section_id, 'dest', 'lan');
 			uci.set(config_name, section_id, 'target', 'DNAT');
-			m.addedSection = section_id;
+			this.addedSection = section_id;
 			this.renderMoreOptionsModal(section_id);
 		};
@ -184,32 +159,6 @@ return view.extend({
 		o.placeholder = _('Unnamed forward');
 		o.modalonly = true;
 		if (fw4) {
 			o = s.taboption('general', form.ListValue, 'family', _('Restrict to address family'));
 			o.modalonly = true;
 			o.rmempty = true;
 			o.value('any', _('IPv4 and IPv6'));
 			o.value('ipv4', _('IPv4 only'));
 			o.value('ipv6', _('IPv6 only'));
 			o.value('', _('automatic'));  // infer from zone or used IP addresses
 			o.cfgvalue = function(section_id) {
 				var val = this.map.data.get(this.map.config, section_id, 'family');
 				if (!val)
 					return '';
 				else if (val == 'any' || val == 'all' || val == '*')
 					return 'any';
 				else if (val == 'inet' || String(val).indexOf('4') != -1)
 					return 'ipv4';
 				else if (String(val).indexOf('6') != -1)
 					return 'ipv6';
 			};
 			o.validate = function(section_id, value) {
 				fwtool.updateHostHints(this.map, section_id, 'dest_ip', value, hosts);
 				return !fw4?true:validate_opt_family(this, section_id, 'family');
 			};
 		}
 		o = s.option(form.DummyValue, '_match', _('Match'));
 		o.modalonly = false;
 		o.textvalue = function(s) {
@ -244,23 +193,15 @@ return view.extend({
 		o.nocreate = true;
 		o.default = 'wan';
 		o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
 		uci.sections('firewall', 'ipset', function(s) {
 			if (typeof(s.name) == 'string')
 				o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
 		});
 		o.modalonly = true;
 		o.rmempty = true;
 		o = fwtool.addMACOption(s, 'advanced', 'src_mac', _('Source MAC address'),
 			_('Only match incoming traffic from these MACs.'), hosts);
 		o.rmempty = true;
 		o.datatype = 'list(neg(macaddr))';
 		o = fwtool.addIPOption(s, 'advanced', 'src_ip', _('Source IP address'),
-			_('Only match incoming traffic from this IP or range.'), !fw4?'ipv4':'', hosts);
+			_('Only match incoming traffic from this IP or range.'), 'ipv4', hosts);
 		o.rmempty = true;
-		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
+		o.datatype = 'neg(ipmask4)';
 		o = s.taboption('advanced', form.Value, 'src_port', _('Source port'),
 			_('Only match incoming traffic originating from the given source port or port range on the client host'));
@ -273,7 +214,7 @@ return view.extend({
 		o = fwtool.addLocalIPOption(s, 'advanced', 'src_dip', _('External IP address'),
 			_('Only match incoming traffic directed at the given IP address.'), devs);
-		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
+		o.datatype = 'neg(ipmask4)';
 		o.rmempty = true;
 		o = s.taboption('general', form.Value, 'src_dport', _('External port'),
@ -288,11 +229,12 @@ return view.extend({
 		o.modalonly = true;
 		o.rmempty = true;
 		o.nocreate = true;
 		o.default = 'lan';
 		o = fwtool.addIPOption(s, 'general', 'dest_ip', _('Internal IP address'),
-			_('Redirect matched incoming traffic to the specified internal host'), !fw4?'ipv4':'', hosts);
+			_('Redirect matched incoming traffic to the specified internal host'), 'ipv4', hosts);
 		o.rmempty = true;
-		o.datatype = !fw4?'ipmask4':'ipmask';
+		o.datatype = 'ipmask4';
 		o = s.taboption('general', form.Value, 'dest_port', _('Internal port'),
 			_('Redirect matched incoming traffic to the given port on the internal host'));
@ -317,12 +259,6 @@ return view.extend({
 			uci.set('firewall', section_id, 'reflection_src', (value != 'internal') ? value : null);
 		};
 		o = s.taboption('advanced', widgets.ZoneSelect, 'reflection_zone', _('Reflection zones'), _('Zones from which reflection rules shall be created. If unset, only the destination zone is used.'));
 		o.nocreate = true;
 		o.multiple = true;
 		o.modalonly = true;
 		o.depends('reflection', '1');
 		o = s.taboption('advanced', form.Value, 'helper', _('Match helper'), _('Match traffic using the specified connection tracking helper.'));
 		o.modalonly = true;
 		o.placeholder = _('any');
@ -345,16 +281,16 @@ return view.extend({
 		fwtool.addLimitOption(s);
 		fwtool.addLimitBurstOption(s);
-		o = s.taboption('advanced', form.Flag, 'v2ray', _('Use V2Ray/XRay'),
+		o = s.taboption('advanced', form.Flag, 'v2ray', _('Use V2Ray'),
-			_('Forward a port (not a range) from server using V2Ray/XRay proxy (if enabled) instead of VPN'));
+			_('Forward a port (not a range) from server using V2Ray proxy (if enabled) instead of VPN'));
 		o.modalonly = true;
 		o.editable = true;
 		o.depends({ src: 'vpn', '!contains': true });
-		if (!L.hasSystemFeature('firewall4')) {
+		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
-			o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+			_('Passes additional arguments to iptables. Use with care!'));
-				_('Passes additional arguments to iptables. Use with care!'));
+		o.modalonly = true;
-			o.modalonly = true;
+		o.rmempty = true;
 			o.rmempty = true;
 		}
 		return m.render();
 	}
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/ipsets.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/ipsets.js
@ -1,222 +0,0 @@
 'use strict';
 'require view';
 'require uci';
 'require form';
 'require firewall';
 'require tools.firewall as fwtool';
 return view.extend({
 	load: function() {
 		return Promise.all([
 			uci.load('firewall')
 		]);
 	},
 	render: function(data) {
 		let m, s, o;
 		m = new form.Map('firewall', _('Firewall - IP sets'),
 			_('firewall4 supports referencing and creating IP sets to simplify matching of large address lists without the need to create one rule per item to match. Port ranges in ipsets are unsupported by firewall4.<br />'));
 		var have_fw4 = L.hasSystemFeature('firewall4');
 		if (have_fw4) {
 			s = m.section(form.NamedSection, 'fwver', 'fwver', '', _('Your device runs firewall4.'));
 		} else {
 			s = m.section(form.NamedSection, 'fwver', 'fwver', '', _('Your device does not run firewall4.'));
 		}
 		s = m.section(form.GridSection, 'ipset', _('IP Sets'));
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
 		s.cloneable = true;
 		s.nodescriptions = true;
 		s.filter = function(section_id) {
 			return (section_id.startsWith('bypass') == false && section_id.startsWith('omr_dst') == false && section_id.startsWith('omr_dscp') == false);
 		};
 		/* refer to: https://ipset.netfilter.org/ipset.man.html */
 		if (have_fw4) {
 			o = s.option(form.Value, 'name', _('Name'));
 			o.optional = false;
 			o.rmempty = false;
 			o.validate = function (section_id, value) {
 				if (!/^[a-zA-Z_.][a-zA-Z0-9\/_.-]*$/.test(value))
 					return _('Invalid set name');
 				return true;
 			};
 		} else {
 			o = s.option(form.Value, 'name', _('Name'));
 			o.depends({ external: '' });
 			/*  Default: (none) if external is unset
 			  value of external if external is set */
 		}
 		o.placeholder = _('Unnamed set');
 		/* comment requires https://git.openwrt.org/?p=project/firewall4.git;a=commitdiff;h=39e8c70957c795bf0c12f04299170ae86c6efdf8 */
 		o = s.option(form.Value, 'comment', _('Comment'));
 		o.placeholder = _('Comment');
 		o.modalonly = true;
 		o.rmempty = true;
 		o = s.option(form.ListValue, 'family', _('Family'));
 		o.value('ipv4', _('IPv4'));
 		o.value('ipv6', _('IPv6'));
 		o.default = _('ipv4');
 		/* Direction src, dst; (Data)Types: ip, port, mac, net or set
 		   Tuples: direction_datatype e.g. src_port, dest_net */
 		o = s.option(form.DynamicList, 'match', _('Packet Field Match'),
 			_('Packet fields to match upon.<br />' +
 			  'Syntax: <em>direction_datatype</em>. e.g.: <code>src_port, dest_net</code>.<br />' +
 			  'Directions: <code>src, dst</code>. Datatypes: <code>ip, port, mac, net, set</code>.<br />' +
 			  'Direction prefixes are optional.<br />' +
 			  '*Note: datatype <code>set</code> is unsupported in fw4.'));
 		o.value('ip', _('ip: IP addr'));
 		o.value('port', _('port: Port'));
 		o.value('mac', _('mac: MAC addr'));
 		o.value('net', _('net: (sub)net'));
 		if (!have_fw4)
 			o.value('set', _('set: ipset*'));
 		o.value('src_ip', _('src_ip: Source IP'));
 		o.value('src_port', _('src_port: Source Port'));
 		o.value('src_mac', _('src_mac: Source MAC addr'));
 		o.value('src_net', _('src_net: Source (sub)net'));
 		if (!have_fw4)
 			o.value('src_set', _('src_Set: Source ipset*')); // fw4 unsupported
 		o.value('dest_ip', _('dest_ip: Destination IP'));
 		o.value('dest_port', _('dest_port: Destination Port'));
 		o.value('dest_mac', _('dest_mac: Destination MAC addr'));
 		o.value('dest_net', _('dest_net: Destination (sub)net'));
 		if (!have_fw4)
 			o.value('dest_set', _('dest_set: Destination ipset*')); // fw4 unsupported
 		o.optional = false;
 		o.rmempty = false;
 		// TODO: if/when firewall5 arrives, this 'else' check must change.
 		if (have_fw4) {
 			//we have fw4
 			o = s.option(form.DynamicList, 'entry', _('IPs/Networks/MACs'),
 				_('macaddr|ip[/cidr]<br />'));
 			o.datatype = 'or(ipaddr,macaddr)';
 			o.rmempty = true;
 			o = s.option(form.Value, 'maxelem', _('Max Entries'),
 				_('up to 65536 entries.'));
 			o.datatype = 'port'; //covers 16 bit size
 			o.modalonly = true;
 			o.rmempty = true;
 		} else {
 			// this else section is intended to handle firewall3
 			o = s.option(form.Value, 'external', _('Refer To External Set'));
 			/* Todo: loop to fill o.values with all other ipset names except itself */
 			o.rmempty = true;
 			o.optional = true;
 			/* 'storage' depends on fw3. It must be removed for fw4 */
 			//aka 'method' in netfilter terminology.
 			o = s.option(form.ListValue, 'storage', _('Storage Method'));
 			o.value('bitmap', _('bitmap')); //ipv4 only
 			o.value('hash', _('hash'));
 			o.value('list', _('list'));
 			o.validate = function(section_id, value) {
 				var family = this.section.formvalue(section_id, 'family');
 				if (value.match(/bitmap/) && !family.match(/ipv4/))
 					return _('bitmap is ipv4 only');
 				return true;
 			}
 			/* this iprange differs from netfilters range fromip-toip|ip/cidr:
 			   uci enforces a datatype = cidr in order to be able to enter
 			   an IP for all storage/data types.  */
 			o = s.option(form.Value, 'iprange', _('IP (range)'),
 				_('ip[/cidr]<br />'+
 				  'For use with Match datatypes: <code>*_ip</code>.'));
 			o.datatype = 'ipaddr';
 			o.depends({family: 'ipv4', storage: 'bitmap', match: /_ip|_mac/ });
 			o.depends({storage: 'hash', match: /_ip/ });
 			o = s.option(form.DynamicList, 'entry', _('IPs/Networks'),
 				_('ip[/cidr]<br />'));
 			o.datatype = 'or(ipaddr,macaddr)';
 			o.depends({storage: 'hash', match: /_ip|_net|_mac/ });
 			o = s.option(form.Value, 'portrange', _('Port range'),
 				_('fromport-toport'));
 			o.datatype = 'neg(portrange)';
 			o.depends({family: 'ipv4', storage: 'bitmap', match: /_port/ });
 			o.depends({family: 'ipv4', storage: 'hash', match: /_port/ });
 			o.depends({family: 'ipv6', storage: 'hash', match: /_port/ });
 			o = s.option(form.Value, 'netmask', _('Netmask'));
 			o.datatype = 'or(ip4prefix,ip6prefix)';
 			o.depends({family: 'ipv4', storage: 'bitmap', match: /_ip/ });
 			o.depends({storage: 'hash', match: /_ip/});
 			o = s.option(form.Value, 'maxelem', _('Max Length'),
 				_('up to 65536 entries.'));
 			o.datatype = 'port'; //covers 16 bit size
 			o.depends('storage', 'hash');
 			o.depends('storage', 'list');
 			o.modalonly = true;
 			o = s.option(form.Value, 'hashsize', _('Initial Hash Size'));
 			o.depends('storage', 'hash');
 			o.placeholder = _('1024');
 			o.modalonly = true;
 		}
 		o = s.option(form.FileUpload, 'loadfile', _('Include File'),
 			_('Path to file of CIDRs, subnets, host IPs, etc.<br />'));
 		o.root_directory = '/etc/luci-uploads';
 		o.enable_delete = true;
 		o.enable_upload = true;
 		o.datatype = 'file';
 		o.rmempty = true;
 		o = s.option(form.Value, 'timeout', _('Timeout'),
 			_('Unit: seconds. Default <code>0</code> means the entry is added permanently to the set.<br />' +
 			  'Max: 2147483 seconds.'));
 		o.placeholder = _('0');
 		o.modalonly = true;
 		o.rmempty = true;
 		o = s.option(form.Flag, 'counters', _('Counters'),
 			_('Enables packet and byte count tracking for the set.'));
 		o.modalonly = true;
 		o.rmempty = true;
 		o.default = false;
 		o = s.option(form.Flag, 'enabled', _('Enabled'));
 		o.default = true;
 		o.editable = true;
 		o.modalonly = false;
 		return m.render();
 	}
 });
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
@ -22,7 +22,7 @@ function rule_proto_txt(s, ctHelpers) {
 		};
 	});
-	var m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
+	m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
 	var h = m ? {
 		val:  m[0].toUpperCase(),
 		inv:  m[1],
@ -62,7 +62,7 @@ function rule_src_txt(s, hosts) {
 	    d = (uci.get('firewall', s, 'direction') == 'in') ? uci.get('firewall', s, 'device') : null;
 	return fwtool.fmt(_('From %{src}%{src_device?, interface <var>%{src_device}</var>}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}%{src_mac?, MAC %{src_mac#%{next?, }<var%{item.inv? data-tooltip="Match MACs except %{item.val}%{item.hint.name? a.k.a. %{item.hint.name}}.":%{item.hint.name? data-tooltip="%{item.hint.name}"}}>%{item.ival}</var>}}'), {
-		src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+		src: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
 		src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
 		src_mac: fwtool.map_invert(uci.get('firewall', s, 'src_mac'), 'toUpperCase').map(function(v) { return Object.assign(v, { hint: hosts[v.val] }) }),
 		src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port')),
@ -75,7 +75,7 @@ function rule_dest_txt(s) {
 	    d = (uci.get('firewall', s, 'direction') == 'out') ? uci.get('firewall', s, 'device') : null;
 	return fwtool.fmt(_('To %{dest}%{dest_device?, interface <var>%{dest_device}</var>}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
 		dest_ip: fwtool.map_invert(uci.get('firewall', s, 'dest_ip'), 'toLowerCase'),
 		dest_port: fwtool.map_invert(uci.get('firewall', s, 'dest_port')),
 		dest_device: d
@ -171,21 +171,19 @@ return view.extend({
 		    m, s, o;
 		m = new form.Map('firewall', _('Firewall - Traffic Rules'),
-			_('Traffic rules define policies for packets travelling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.'));
+			_('Traffic rules define policies for packets traveling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.'));
 		s = m.section(form.GridSection, 'rule', _('Traffic Rules'));
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
 		s.cloneable = true;
 		s.tab('general', _('General Settings'));
 		s.tab('advanced', _('Advanced Settings'));
 		s.tab('timed', _('Time Restrictions'));
 		s.filter = function(section_id) {
-			//return (uci.get('firewall', section_id, 'target') != 'SNAT');
+			return (uci.get('firewall', section_id, 'target') != 'SNAT');
 			return (uci.get('firewall', section_id, 'target') != 'SNAT' && section_id.startsWith('omr_dst') == false && section_id.startsWith('omr_dscp') == false);
 		};
 		s.sectiontitle = function(section_id) {
@ -195,8 +193,13 @@ return view.extend({
 		s.handleAdd = function(ev) {
 			var config_name = this.uciconfig || this.map.config,
 			    section_id = uci.add(config_name, this.sectiontype),
-			    opt1 = this.getOption('src'),
+			    opt1, opt2;
-			    opt2 = this.getOption('dest');
+
 			for (var i = 0; i < this.children.length; i++)
 				if (this.children[i].option == 'src')
 					opt1 = this.children[i];
 				else if (this.children[i].option == 'dest')
 					opt2 = this.children[i];
 			opt1.default = 'wan';
 			opt2.default = 'lan';
@ -233,19 +236,7 @@ return view.extend({
 		o.modalonly = false;
 		o.default = o.enabled;
 		o.editable = true;
 		o.tooltip = function(section_id) {
 			var weekdays = uci.get('firewall', section_id, 'weekdays');
 			var monthdays = uci.get('firewall', section_id, 'monthdays');
 			var start_time = uci.get('firewall', section_id, 'start_time');
 			var stop_time = uci.get('firewall', section_id, 'stop_time');
 			var start_date = uci.get('firewall', section_id, 'start_date');
 			var stop_date = uci.get('firewall', section_id, 'stop_date');
 			if (weekdays || monthdays || start_time || stop_time || start_date || stop_date )
 				return _('Time restrictions are enabled for this rule');
 			return null;
 		};
 		o = s.taboption('advanced', form.ListValue, 'direction', _('Match device'));
 		o.modalonly = true;
@ -296,52 +287,27 @@ return view.extend({
 		o.multiple = true;
 		o.custom = true;
 		o.cast = 'table';
-		o.placeholder = _('any/all');
+		o.placeholder = _('any');
 		o.value('', 'any');
 		o.value('address-mask-reply');
 		o.value('address-mask-request');
 		o.value('address-unreachable'); /* icmpv6 1:3 */
 		o.value('bad-header');  /* icmpv6 4:0 */
 		o.value('certification-path-solicitation-message'); /* icmpv6 148 */
 		o.value('certification-path-advertisement-message'); /* icmpv6 149 */
 		o.value('communication-prohibited');
 		o.value('destination-unreachable');
 		o.value('duplicate-address-request'); /* icmpv6 157 */
 		o.value('duplicate-address-confirmation'); /* icmpv6 158 */
 		o.value('echo-reply');
 		o.value('echo-request');
 		o.value('extended-echo-request'); /* icmpv6 160 */
 		o.value('extended-echo-reply'); /* icmpv6 161 */
 		o.value('fmipv6-message'); /* icmpv6 154 */
 		o.value('fragmentation-needed');
 		o.value('home-agent-address-discovery-reply-message'); /* icmpv6 145 */
 		o.value('home-agent-address-discovery-request-message'); /* icmpv6 144 */
 		o.value('host-precedence-violation');
 		o.value('host-prohibited');
 		o.value('host-redirect');
 		o.value('host-unknown');
 		o.value('host-unreachable');
 		o.value('ilnpv6-locator-update-message'); /* icmpv6 156 */
 		o.value('inverse-neighbour-discovery-advertisement-message'); /* icmpv6 142 */
 		o.value('inverse-neighbour-discovery-solicitation-message'); /* icmpv6 141 */
 		o.value('ip-header-bad');
 		o.value('mobile-prefix-advertisement'); /* icmpv6 147 */
 		o.value('mobile-prefix-solicitation'); /* icmpv6 146 */
 		o.value('mpl-control-message'); /* icmpv6 159 */
 		o.value('multicast-listener-query'); /* icmpv6 130 */
 		o.value('multicast-listener-report'); /* icmpv6 131 */
 		o.value('multicast-listener-done'); /* icmpv6 132 */
 		o.value('multicast-router-advertisement'); /* icmpv6 151 */
 		o.value('multicast-router-solicitation'); /* icmpv6 152 */
 		o.value('multicast-router-termination'); /* icmpv6 153 */
 		o.value('neighbour-advertisement');
 		o.value('neighbour-solicitation');
 		o.value('network-prohibited');
 		o.value('network-redirect');
 		o.value('network-unknown');
 		o.value('network-unreachable');
 		o.value('no-route'); /* icmpv6 1:0 */
 		o.value('node-info-query'); /* icmpv6 139 */
 		o.value('node-info-response'); /* icmpv6 140 */
 		o.value('packet-too-big');
 		o.value('parameter-problem');
 		o.value('port-unreachable');
@ -350,9 +316,7 @@ return view.extend({
 		o.value('redirect');
 		o.value('required-option-missing');
 		o.value('router-advertisement');
 		o.value('router-renumbering'); /* icmpv6 138 */
 		o.value('router-solicitation');
 		o.value('rpl-control-message'); /* icmpv6 155 */
 		o.value('source-quench');
 		o.value('source-route-failed');
 		o.value('time-exceeded');
@ -364,9 +328,6 @@ return view.extend({
 		o.value('TOS-network-unreachable');
 		o.value('ttl-zero-during-reassembly');
 		o.value('ttl-zero-during-transit');
 		o.value('v2-multicast-listener-report'); /* icmpv6 143 */
 		o.value('unknown-header-type'); /* icmpv6 4:1 */
 		o.value('unknown-option'); /* icmpv6 4:2 */
 		o.depends({ proto: 'icmp', '!contains': true });
 		o.depends({ proto: 'icmpv6', '!contains': true });
@ -376,14 +337,6 @@ return view.extend({
 		o.allowany = true;
 		o.allowlocal = 'src';
 		o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
 		uci.sections('firewall', 'ipset', function(s) {
 			if (typeof(s.name) == 'string')
 				o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
 		});
 		o.modalonly = true;
 		o.rmempty = true;
 		fwtool.addMACOption(s, 'advanced', 'src_mac', _('Source MAC address'), null, hosts);
 		fwtool.addIPOption(s, 'general', 'src_ip', _('Source address'), null, '', hosts, true);
@ -467,11 +420,9 @@ return view.extend({
 		fwtool.addLimitOption(s);
 		fwtool.addLimitBurstOption(s);
-		if (!L.hasSystemFeature('firewall4')) {
+		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
-			o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+			_('Passes additional arguments to iptables. Use with care!'));
-				_('Passes additional arguments to iptables. Use with care!'));
+		o.modalonly = true;
 			o.modalonly = true;
 		}
 		o = s.taboption('timed', form.MultiValue, 'weekdays', _('Week Days'));
 		o.modalonly = true;
@ -500,11 +451,11 @@ return view.extend({
 		for (var i = 1; i <= 31; i++)
 			o.value(i);
-		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh:mm:ss)'));
+		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh.mm.ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';
-		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh:mm:ss)'));
+		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh.mm.ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/snats.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/snats.js
@ -9,10 +9,6 @@
 'require tools.widgets as widgets';
 function rule_proto_txt(s) {
 	var family = (uci.get('firewall', s, 'family') || '').toLowerCase().replace(/^(?:all|\*)$/, 'any');
 	var sip = uci.get('firewall', s, 'src_ip') || '';
 	var dip = uci.get('firewall', s, 'dest_ip') || '';
 	var rwip = uci.get('firewall', s, 'snat_ip') || '';
 	var proto = L.toArray(uci.get('firewall', s, 'proto')).filter(function(p) {
 		return (p != '*' && p != 'any' && p != 'all');
 	}).map(function(p) {
@ -23,7 +19,7 @@ function rule_proto_txt(s) {
 		};
 	});
-	var m = String(uci.get('firewall', s, 'mark')).match(/^(!\s*)?(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
+	m = String(uci.get('firewall', s, 'mark')).match(/^(!\s*)?(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
 	var f = m ? {
 		val:  m[0].toUpperCase().replace(/X/g, 'x'),
 		inv:  m[1],
@ -31,9 +27,7 @@ function rule_proto_txt(s) {
 		mask: m[3] ? '0x%02X'.format(+m[3]) : null
 	} : null;
-	return fwtool.fmt(_('Forwarded %{ipv6?%{ipv4?<var>IPv4</var> and <var>IPv6</var>:<var>IPv6</var>}:<var>IPv4</var>}%{proto?, protocol %{proto#%{next?, }<var>%{item.name}</var>}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}'), {
+	return fwtool.fmt(_('Forwarded IPv4%{proto?, protocol %{proto#%{next?, }<var>%{item.name}</var>}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}'), {
 		ipv4: (family == 'ipv4' || family == 'any' || (!family && sip.indexOf(':') == -1 && dip.indexOf(':') == -1 && rwip.indexOf(':') == -1)),
 		ipv6: (family == 'ipv6' || family == 'any' || (!family && (sip.indexOf(':') != -1 || dip.indexOf(':') != -1 || rwip.indexOf(':') != -1))),
 		proto: proto,
 		mark:  f
 	});
@ -43,7 +37,7 @@ function rule_src_txt(s, hosts) {
 	var z = uci.get('firewall', s, 'src');
 	return fwtool.fmt(_('From %{src}%{src_device?, interface <var>%{src_device}</var>}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(null) }, [E('em', _('any zone'))]),
+		src: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName(null) }, [E('em', _('any zone'))]),
 		src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
 		src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port'))
 	});
@ -53,7 +47,7 @@ function rule_dest_txt(s) {
 	var z = uci.get('firewall', s, 'src');
 	return fwtool.fmt(_('To %{dest}%{dest_device?, via interface <var>%{dest_device}</var>}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
 		dest_ip: fwtool.map_invert(uci.get('firewall', s, 'dest_ip'), 'toLowerCase'),
 		dest_port: fwtool.map_invert(uci.get('firewall', s, 'dest_port')),
 		dest_device: uci.get('firewall', s, 'device')
@ -97,44 +91,6 @@ function rule_target_txt(s) {
 	}
 }
 function validate_opt_family(m, section_id, opt) {
 	var sopt = m.section.getOption('src_ip'),
 	    dopt = m.section.getOption('dest_ip'),
 	    rwopt = m.section.getOption('snat_ip'),
 	    fmopt = m.section.getOption('family'),
 	    tgopt = m.section.getOption('target');
 	if (!sopt.isValid(section_id) && opt != 'src_ip')
 		return true;
 	if (!dopt.isValid(section_id) && opt != 'dest_ip')
 		return true;
 	if (!rwopt.isValid(section_id) && opt != 'snat_ip')
 		return true;
 	if (!fmopt.isValid(section_id) && opt != 'family')
 		return true;
 	if (!tgopt.isValid(section_id) && opt != 'target')
 		return true;
 	var sip = sopt.formvalue(section_id) || '',
 	    dip = dopt.formvalue(section_id) || '',
 	    rwip = rwopt.formvalue(section_id) || '',
 	    fm = fmopt.formvalue(section_id) || '',
 	    tg = tgopt.formvalue(section_id);
 	if (fm == 'ipv6' && (sip.indexOf(':') != -1 || sip == '') && (dip.indexOf(':') != -1 || dip == '') && ((rwip.indexOf(':') != -1 && tg == 'SNAT') || rwip == ''))
 		return true;
 	if (fm == 'ipv4' && (sip.indexOf(':') == -1) && (dip.indexOf(':') == -1) && ((rwip.indexOf(':') == -1 && tg == 'SNAT') || rwip == ''))
 		return true;
 	if (fm == '' || fm == 'any') {
 		if ((sip.indexOf(':') != -1 || sip == '') && (dip.indexOf(':') != -1 || dip == '') && ((rwip.indexOf(':') != -1 && tg == 'SNAT') || rwip == ''))
 			return true;
 		if ((sip.indexOf(':') == -1) && (dip.indexOf(':') == -1) && ((rwip.indexOf(':') == -1 && tg == 'SNAT') || rwip == ''))
 			return true;
 	}
 	return _('Address family, source address, destination address, rewrite IP address must match');
 }
 return view.extend({
 	callHostHints: rpc.declare({
 		object: 'luci-rpc',
@ -167,7 +123,6 @@ return view.extend({
 		var hosts = data[0],
 		    devs = data[1],
 		    m, s, o;
 		var fw4 = L.hasSystemFeature('firewall4');
 		m = new form.Map('firewall', _('Firewall - NAT Rules'),
 			_('NAT rules allow fine grained control over the source IP to use for outbound or forwarded traffic.'));
@ -176,7 +131,6 @@ return view.extend({
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
 		s.cloneable = true;
 		s.tab('general', _('General Settings'));
 		s.tab('advanced', _('Advanced Settings'));
@ -212,33 +166,6 @@ return view.extend({
 		o.default = o.enabled;
 		o.editable = true;
 		if (fw4) {
 			o = s.taboption('general', form.ListValue, 'family', _('Restrict to address family'));
 			o.modalonly = true;
 			o.rmempty = true;
 			o.value('any', _('IPv4 and IPv6'));
 			o.value('ipv4', _('IPv4 only'));
 			o.value('ipv6', _('IPv6 only'));
 			o.value('', _('automatic'));  // infer from zone or used IP addresses
 			o.cfgvalue = function(section_id) {
 				var val = this.map.data.get(this.map.config, section_id, 'family');
 				if (!val)
 					return '';
 				else if (val == 'any' || val == 'all' || val == '*')
 					return 'any';
 				else if (val == 'inet' || String(val).indexOf('4') != -1)
 					return 'ipv4';
 				else if (String(val).indexOf('6') != -1)
 					return 'ipv6';
 			};
 			o.validate = function(section_id, value) {
 				fwtool.updateHostHints(this.map, section_id, 'src_ip', value, hosts);
 				fwtool.updateHostHints(this.map, section_id, 'dest_ip', value, hosts);
 				return !fw4?true:validate_opt_family(this, section_id, 'family');
 			};
 		}
 		o = s.taboption('general', fwtool.CBIProtocolSelect, 'proto', _('Protocol'));
 		o.modalonly = true;
 		o.default = 'all';
@ -251,12 +178,9 @@ return view.extend({
 		o.default = 'lan';
 		o = fwtool.addIPOption(s, 'general', 'src_ip', _('Source address'),
-			_('Match forwarded traffic from this IP or range.'), !fw4?'ipv4':'', hosts);
+			_('Match forwarded traffic from this IP or range.'), 'ipv4', hosts);
 		o.rmempty = true;
-		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
+		o.datatype = 'neg(ipmask4)';
 		o.validate = function(section_id, value) {
 			return !fw4?true:validate_opt_family(this, section_id, 'src_ip');
 		};
 		o = s.taboption('general', form.Value, 'src_port', _('Source port'),
 			_('Match forwarded traffic originating from the given source port or port range.'));
@ -268,12 +192,9 @@ return view.extend({
 		o.depends({ proto: 'udp', '!contains': true });
 		o = fwtool.addIPOption(s, 'general', 'dest_ip', _('Destination address'),
-			_('Match forwarded traffic directed at the given IP address.'), !fw4?'ipv4':'', hosts);
+			_('Match forwarded traffic directed at the given IP address.'), 'ipv4', hosts);
 		o.rmempty = true;
-		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
+		o.datatype = 'neg(ipmask4)';
 		o.validate = function(section_id, value) {
 			return !fw4?true:validate_opt_family(this, section_id, 'dest_ip');
 		};
 		o = s.taboption('general', form.Value, 'dest_port', _('Destination port'),
 			_('Match forwarded traffic directed at the given destination port or port range.'));
@ -290,22 +211,20 @@ return view.extend({
 		o.value('SNAT', _('SNAT - Rewrite to specific source IP or port'));
 		o.value('MASQUERADE', _('MASQUERADE - Automatically rewrite to outbound interface IP'));
 		o.value('ACCEPT', _('ACCEPT - Disable address rewriting'));
 		o.validate = function(section_id, value) {
 			return !fw4?true:validate_opt_family(this, section_id, 'target');
 		};
 		o = fwtool.addLocalIPOption(s, 'general', 'snat_ip', _('Rewrite IP address'),
 			_('Rewrite matched traffic to the specified source IP address.'), devs);
 		o.placeholder = null;
 		o.depends('target', 'SNAT');
 		o.validate = function(section_id, value) {
-			var a = this.formvalue(section_id),
+			var port = this.map.lookupOption('snat_port', section_id),
-			    p = this.section.formvalue(section_id, 'snat_port');
+			    a = this.formvalue(section_id),
 			    p = port ? port[0].formvalue(section_id) : null;
 			if ((a == null || a == '') && (p == null || p == '') && value == '')
 				return _('A rewrite IP must be specified!');
-			return !fw4?true:validate_opt_family(this, section_id, 'snat_ip');
+			return true;
 		};
 		o = s.taboption('general', form.Value, 'snat_port', _('Rewrite port'),
@ -317,17 +236,6 @@ return view.extend({
 		o.depends({ proto: 'tcp', '!contains': true });
 		o.depends({ proto: 'udp', '!contains': true });
 		var have_fw4 = L.hasSystemFeature('firewall4')
 		if (!have_fw4) {
 			o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
 			uci.sections('firewall', 'ipset', function(s) {
 				if (typeof(s.name) == 'string')
 					o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
 			});
 			o.modalonly = true;
 			o.rmempty = true;
 		}
 		o = s.taboption('advanced', widgets.DeviceSelect, 'device', _('Outbound device'),
 			_('Matches forwarded traffic using the specified outbound network device.'));
 		o.noaliases = true;
@ -338,12 +246,10 @@ return view.extend({
 		fwtool.addLimitOption(s);
 		fwtool.addLimitBurstOption(s);
-		if (!have_fw4) {
+		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
-			o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+			_('Passes additional arguments to iptables. Use with care!'));
-				_('Passes additional arguments to iptables. Use with care!'));
+		o.modalonly = true;
-			o.modalonly = true;
+		o.rmempty = true;
 			o.rmempty = true;
 		}
 		o = s.taboption('timed', form.MultiValue, 'weekdays', _('Week Days'));
 		o.modalonly = true;
@ -372,11 +278,11 @@ return view.extend({
 		for (var i = 1; i <= 31; i++)
 			o.value(i);
-		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh:mm:ss)'));
+		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh.mm.ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';
-		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh:mm:ss)'));
+		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh.mm.ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
@ -33,7 +33,6 @@ return view.extend({
 		var ctHelpers = data[0],
 		    fwDefaults = data[1],
 		    m, s, o, inp, out;
 		var fw4 = L.hasSystemFeature('firewall4');
 		m = new form.Map('firewall', _('Firewall - Zone Settings'),
 			_('The firewall creates zones over your network interfaces to control network traffic flow.'));
@ -42,20 +41,7 @@ return view.extend({
 		s.anonymous = true;
 		s.addremove = false;
-		o = s.option(form.Flag, 'synflood_protect', _('Enable SYN-flood protection'));
+		o = s.option(form.Flag, 'syn_flood', _('Enable SYN-flood protection'));
 		o.cfgvalue = function(section_id) {
 			var val = uci.get('firewall', section_id, 'synflood_protect');
 			return (val != null) ? val : uci.get('firewall', section_id, 'syn_flood');
 		};
 		o.write = function(section_id, value) {
 			uci.unset('firewall', section_id, 'syn_flood');
 			uci.set('firewall', section_id, 'synflood_protect', value);
 		};
 		o.remove = function(section_id) {
 			uci.unset('firewall', section_id, 'syn_flood');
 			uci.unset('firewall', section_id, 'synflood_protect');
 		};
 		o = s.option(form.Flag, 'drop_invalid', _('Drop invalid packets'));
 		var p = [
@ -74,27 +60,21 @@ return view.extend({
 		if (L.hasSystemFeature('offloading')) {
 			s = m.section(form.TypedSection, 'defaults', _('Routing/NAT Offloading'),
-				_('Not fully compatible with QoS/SQM.'));
+				_('Experimental feature. Not fully compatible with QoS/SQM.'));
 			s.anonymous = true;
 			s.addremove = false;
-			o = s.option(form.RichListValue, "offloading_type", _("Flow offloading type"));
+			o = s.option(form.Flag, 'flow_offloading',
-			o.value('0', _("None"));
+				_('Software flow offloading'),
-			o.value('1', _("Software flow offloading"), _('Software based offloading for routing/NAT.'));
+				_('Software based offloading for routing/NAT'));
-			o.value('2', _("Hardware flow offloading"), _('Hardware based offloading for routing with/without NAT.') + ' ' + _(' Requires hardware NAT support.'));
+			o.optional = true;
-			o.optional = false;
+
-			o.load = function (section_id) {
+			o = s.option(form.Flag, 'flow_offloading_hw',
-				var flow_offloading = uci.get('firewall', section_id, 'flow_offloading');
+				_('Hardware flow offloading'),
-				var flow_offloading_hw = uci.get('firewall', section_id, 'flow_offloading_hw');
+				_('Requires hardware NAT support. Implemented at least for mt7621'));
-				return (flow_offloading === '1')
+			o.optional = true;
-					? (flow_offloading_hw === '1' ? '2' : '1')
+			o.depends('flow_offloading', '1');
 					: '0';
 			};
 			o.write = function(section_id, value) {
 				uci.set('firewall', section_id, 'flow_offloading', value === '0' ? null : '1');
 				uci.set('firewall', section_id, 'flow_offloading_hw', value === '2' ? '1' : null);
 			};
 		}
@ -102,7 +82,6 @@ return view.extend({
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
 		s.nodescriptions = true;
 		s.handleRemove = function(section_id, ev) {
 			return firewall.deleteZone(section_id).then(L.bind(function() {
@ -150,7 +129,7 @@ return view.extend({
 		var p = [
 			s.taboption('general', form.ListValue, 'input', _('Input')),
 			s.taboption('general', form.ListValue, 'output', _('Output')),
-			s.taboption('general', form.ListValue, 'forward', _('Intra zone forward'))
+			s.taboption('general', form.ListValue, 'forward', _('Forward'))
 		];
 		for (var i = 0; i < p.length; i++) {
@ -164,29 +143,13 @@ return view.extend({
 		p[1].default = fwDefaults.getOutput();
 		p[2].default = fwDefaults.getForward();
-		o = s.taboption('general', form.Flag, 'masq', _('Masquerading'),
+		o = s.taboption('general', form.Flag, 'masq', _('Masquerading'));
 			_('Enable network address and port translation IPv4 (NAT4 or NAPT4) for outbound traffic on this zone. This is typically enabled on the <em>wan</em> zone.'));
 		o.editable = true;
 		o.tooltip = function(section_id) {
 			var family = uci.get('firewall', section_id, 'family')
 			var masq_src = uci.get('firewall', section_id, 'masq_src')
 			var masq_dest = uci.get('firewall', section_id, 'masq_dest')
 			if ((!family || family.indexOf('6') == -1) && (masq_src || masq_dest))
 				return _('Limited masquerading enabled');
 			return null;
 		};
 		/*
 		o = s.taboption('general', form.Flag, 'fullcone', _('Full Cone'));
 		o.editable = true;
 		o.depends('masq', '1');
 		o = s.taboption('general', form.Flag, 'fullcone6', _('Full Cone IPv6'));
 		o.editable = true;
 		o.depends('masq', '1');
 		*/
 		o = s.taboption('general', form.Flag, 'mtu_fix', _('MSS clamping'));
 		o.modalonly = true;
@ -198,24 +161,21 @@ return view.extend({
 		};
 		o.write = function(section_id, formvalue) {
 			var name = uci.get('firewall', section_id, 'name'),
-			    cfgvalue = this.cfgvalue(section_id),
+			    cfgvalue = this.cfgvalue(section_id);
 			    oldNetworks = L.toArray(cfgvalue),
 			    newNetworks = L.toArray(formvalue);
-			oldNetworks.sort();
+			/*
-			newNetworks.sort();
+			if (typeof(cfgvalue) == 'string' && Array.isArray(formvalue) && (cfgvalue == formvalue.join(' ')))
 			if (oldNetworks.join(' ') == newNetworks.join(' '))
 				return;
 			*/
 			var tasks = [ firewall.getZone(name) ];
 			if (Array.isArray(formvalue))
-				for (var i = 0; i < newNetworks.length; i++) {
+				for (var i = 0; i < formvalue.length; i++) {
-					var netname = newNetworks[i];
+					var netname = formvalue[i];
-					tasks.push(network.getNetwork(netname).then(L.bind(function(netname, net) {
+					tasks.push(network.getNetwork(netname).then(function(net) {
 						return net || network.addNetwork(netname, { 'proto': 'none' });
-					}, this, netname)));
+					}));
 				}
 			return Promise.all(tasks).then(function(zone_networks) {
@ -244,24 +204,10 @@ return view.extend({
 		o.multiple = true;
 		o = s.taboption('advanced', form.DynamicList, 'subnet', _('Covered subnets'), _('Use this option to classify zone traffic by source or destination subnet instead of networks or devices.'));
-		o.datatype = 'neg(cidr("true"))';
+		o.datatype = 'neg(cidr)';
 		o.modalonly = true;
 		o.multiple = true;
 		if (fw4) {
 			o = s.taboption('advanced', form.Flag, 'masq6', _('IPv6 Masquerading'),
 				_('Enable network address and port translation IPv6 (NAT6 or NAPT6) for outbound traffic on this zone.'));
 			o.modalonly = true;
 			o.tooltip = function(section_id) {
 				var family = uci.get('firewall', section_id, 'family')
 				var masq_src = uci.get('firewall', section_id, 'masq_src')
 				var masq_dest = uci.get('firewall', section_id, 'masq_dest')
 				if ((!family || family.indexOf('6') >= 0) && (masq_src || masq_dest))
 					return _('Limited masquerading enabled');
 				return null;
 			};
 		}
 		o = s.taboption('advanced', form.ListValue, 'family', _('Restrict to address family'));
 		o.value('', _('IPv4 and IPv6'));
 		o.value('ipv4', _('IPv4 only'));
@ -269,24 +215,16 @@ return view.extend({
 		o.modalonly = true;
 		o = s.taboption('advanced', form.DynamicList, 'masq_src', _('Restrict Masquerading to given source subnets'));
-		if (fw4) {
+		o.depends('family', '');
-			o.datatype = 'list(neg(or(uciname,hostname,ipmask)))';
+		o.depends('family', 'ipv4');
-		} else {
+		o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
 			o.depends('family', '');
 			o.depends('family', 'ipv4');
 			o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
 		}
 		o.placeholder = '0.0.0.0/0';
 		o.modalonly = true;
 		o = s.taboption('advanced', form.DynamicList, 'masq_dest', _('Restrict Masquerading to given destination subnets'));
-		if (fw4) {
+		o.depends('family', '');
-			o.datatype = 'list(neg(or(uciname,hostname,ipmask)))';
+		o.depends('family', 'ipv4');
-		} else {
+		o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
 			o.depends('family', '');
 			o.depends('family', 'ipv4');
 			o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
 		}
 		o.placeholder = '0.0.0.0/0';
 		o.modalonly = true;
@ -301,7 +239,8 @@ return view.extend({
 		o.depends('auto_helper', '0');
 		o.modalonly = true;
 		for (var i = 0; i < ctHelpers.length; i++)
-			o.value(ctHelpers[i].name, E('<span><span class="hide-close">%s (%s)</span><span class="hide-open">%s</span></span>'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase(), ctHelpers[i].name.toUpperCase())));
+			//o.value(ctHelpers[i].name, '<span class="hide-close">%s (%s)</span><span class="hide-open">%s</span>'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase(), ctHelpers[i].name.toUpperCase()));
 			o.value(ctHelpers[i].name, '%s (%s)'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase()));
 		o = s.taboption('advanced', form.Flag, 'log', _('Enable logging on this zone'));
 		o.modalonly = true;
@ -311,34 +250,32 @@ return view.extend({
 		o.placeholder = '10/minute';
 		o.modalonly = true;
-		if (!L.hasSystemFeature('firewall4')) {
+		o = s.taboption('extra', form.DummyValue, '_extrainfo');
-			o = s.taboption('extra', form.DummyValue, '_extrainfo');
+		o.rawhtml = true;
-			o.rawhtml = true;
+		o.modalonly = true;
-			o.modalonly = true;
+		o.cfgvalue = function(section_id) {
-			o.cfgvalue = function(section_id) {
+			return _('Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.');
-				return _('Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.');
+		};
 			};
-			o = s.taboption('extra', form.Value, 'extra_src', _('Extra source arguments'), _('Additional raw <em>iptables</em> arguments to classify zone source traffic, e.g. <code>-p tcp --sport 443</code> to only match inbound HTTPS traffic.'));
+		o = s.taboption('extra', form.Value, 'extra_src', _('Extra source arguments'), _('Additional raw <em>iptables</em> arguments to classify zone source traffic, e.g. <code>-p tcp --sport 443</code> to only match inbound HTTPS traffic.'));
-			o.modalonly = true;
+		o.modalonly = true;
-			o.cfgvalue = function(section_id) {
+		o.cfgvalue = function(section_id) {
-				return uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
+			return uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
-			};
+		};
-			o.write = function(section_id, value) {
+		o.write = function(section_id, value) {
-				uci.unset('firewall', section_id, 'extra');
+			uci.unset('firewall', section_id, 'extra');
-				uci.set('firewall', section_id, 'extra_src', value);
+			uci.set('firewall', section_id, 'extra_src', value);
-			};
+		};
-			o = s.taboption('extra', form.Value, 'extra_dest', _('Extra destination arguments'), _('Additional raw <em>iptables</em> arguments to classify zone destination traffic, e.g. <code>-p tcp --dport 443</code> to only match outbound HTTPS traffic.'));
+		o = s.taboption('extra', form.Value, 'extra_dest', _('Extra destination arguments'), _('Additional raw <em>iptables</em> arguments to classify zone destination traffic, e.g. <code>-p tcp --dport 443</code> to only match outbound HTTPS traffic.'));
-			o.modalonly = true;
+		o.modalonly = true;
-			o.cfgvalue = function(section_id) {
+		o.cfgvalue = function(section_id) {
-				return uci.get('firewall', section_id, 'extra_dest') || uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
+			return uci.get('firewall', section_id, 'extra_dest') || uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
-			};
+		};
-			o.write = function(section_id, value) {
+		o.write = function(section_id, value) {
-				uci.unset('firewall', section_id, 'extra');
+			uci.unset('firewall', section_id, 'extra');
-				uci.set('firewall', section_id, 'extra_dest', value);
+			uci.set('firewall', section_id, 'extra_dest', value);
-			};
+		};
 		}
 		o = s.taboption('general', form.DummyValue, '_forwardinfo');
 		o.rawhtml = true;
--- a/luci-app-firewall/po/ar/firewall.po
+++ b/luci-app-firewall/po/ar/firewall.po
--- a/luci-app-firewall/po/bg/firewall.po
+++ b/luci-app-firewall/po/bg/firewall.po
--- a/luci-app-firewall/po/bn_BD/firewall.po
+++ b/luci-app-firewall/po/bn_BD/firewall.po
--- a/luci-app-firewall/po/ca/firewall.po
+++ b/luci-app-firewall/po/ca/firewall.po
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,3 @@`
							`# README`

							`README has been moved to [https://docs.openwrt.melmac.net/https-dns-proxy/](https://docs.openwrt.melmac.net/https-dns-proxy/).`
		`@ -0,0 +1,3 @@`
							`#!/bin/sh`

							`/etc/init.d/"$1" version 2>&1 \| grep "$2"`