Fix issue when VPS have multiples IPs and last one is not working in openmptcprouter-vps init

Fix stop proxy redirection in case if restarted and still down
Update luci-mod-network from OpenWRT
2025-03-09 15:40:03 +00:00 · 2025-03-07 17:09:49 +01:00 · 2025-03-04 16:34:32 +01:00 · 2025-03-04 15:12:55 +01:00 · 2025-02-26 11:00:37 +01:00 · 2025-02-25 19:50:04 +01:00
578 changed files with 108716 additions and 33707 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,751 +1,99 @@
-version: 2
+version: 2.1
+commands:
+  set_environment_vars:
+    steps:
+    - run:
+        command: |
+          echo "export REPO_URL=https://github.com/ysurac/openmptcprouter" >> $BASH_ENV
 jobs:
-  prepare:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: Prepare
-          command: |
-            sudo rm -rf /var/lib/apt/lists/lock
-            sudo apt-get update
-            sudo rm -rf /var/lib/apt/lists/lock
-            sudo apt-get install -yq build-essential git unzip ncurses-dev libz-dev libssl-dev python subversion gettext gawk wget curl rsync perl libelf-dev python3.5 libpython3.5-stdlib liblzma-dev
-            pyenv global 3.5.2
-
-  build_x86_64:
-    machine:
-      image: ubuntu-1604:201903-01
-
+  build:
    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: x86_64
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
+      REPO_URL: https://github.com/ysurac/openmptcprouter
+      SOURCE_NAME: ${{ steps.branch_name.outputs.SOURCE_NAME }}
+      GITHUB_WORKSPACE: ${{ steps.branch_name.outputs.WORKSPACE }}
+      OMR_FEED_URL: https://github.com/ysurac/openmptcprouter-feeds
+      OMR_TARGET: << parameters.OMR_TARGET >>
+      OMR_KERNEL: << parameters.OMR_KERNEL >>
+      OMR_HOST: ${{ secrets.OMR_HOST }}
+      OMR_PORT: ${{ secrets.OMR_PORT }}
+      SOURCE_BRANCH: ${{ steps.branch_name.outputs.SOURCE_BRANCH }}
+      SOURCE_TAG: ${{ steps.branch_name.outputs.SOURCE_TAG }}
+      ARGS: -av --delete-after
+      TARGET: deploy/release/${{steps.branch_name.outputs.SOURCE_TAG}}/${{matrix.OMR_TARGET}}
+      SOURCE: ${{ steps.branch_name.outputs.SOURCE_NAME }}
+      KEY: ${{ secrets.PRIVATE_KEY }}
+      USER: deploy
+      HOST: ${{ secrets.OMR_DEPLOY_HOST }}
+      PORT: ${{ secrets.OMR_DEPLOY_PORT }}
+    docker:
+    - image: dkrecruseastamazonawscom/circlecigolangpr:current
    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 50m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            sudo apt-get update
-            sudo apt-get install -yq libelf-dev
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 50m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_x86:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: x86
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_rpi3:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: rpi3
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_espressobin:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: espressobin
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_r2s:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: r2s
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_rpi4:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: rpi4
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_rpi2:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: rpi2
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile package/compile target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_bpi-r2:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: bpi-r2
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: |
-            sudo apt-get update
-            sudo apt-get -yq install swig2.0
-            make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_wrt3200acm:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_TARGET: wrt3200acm
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/$OMR_TARGET/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/$OMR_TARGET/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/$OMR_TARGET/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rm -rf ~/openmptcprouter/$OMR_TARGET/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-  build_wrt32:
-    machine:
-      image: ubuntu-1604:201903-01
-
-    environment:
-      - OMR_VERSION: $CIRCLE_TAG
-      - OMR_KERNEL: 5.4
-
-    working_directory: ~/
-
-    steps:
-      - run:
-          name: cache
-          command: |
-            echo "cache 107 $OMR_KERNEL $OMR_TARGET" > /tmp/cache-target
-            echo "cache 108 $OMR_KERNEL $OMR_TARGET $OMR_VERSION" > /tmp/cache-version
-
-      - restore_cache:
-          keys:
-            - cache-{{ checksum "/tmp/cache-version" }}
-            - cache-{{ checksum "/tmp/cache-target" }}
-
-      - run:
-          name: Build toolchain wrt3200acm
-          no_output_timeout: 40m
-          command: |
-            git clone https://github.com/ysurac/openmptcprouter || true
-            cd openmptcprouter
-            git checkout ${CIRCLE_BRANCH:-$CIRCLE_TAG} || true
-            git pull || true
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_TARGET="wrt3200acm"
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/wrt3200acm/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/wrt3200acm/source/key-build.pub
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-target" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build wrt3200acm
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/wrt3200acm/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy wrt3200acm
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/wrt3200acm/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/wrt3200acm
-            rm -rf ~/openmptcprouter/wrt3200acm/source/bin
-
-      - save_cache:
-          key: cache-{{ checksum "/tmp/cache-version" }}
-          paths:
-            - openmptcprouter
-
-      - run:
-          name: Build toolchain wrt32x
-          no_output_timeout: 40m
-          command: |
-            cd ~/openmptcprouter/
-            export OMR_PATH="$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_FEED_URL="$CIRCLE_REPOSITORY_URL"
-            export OMR_FEED_SRC="${CIRCLE_BRANCH:-$CIRCLE_TAG}"
-            export OMR_TARGET="wrt32x"
-            ln -s wrt3200acm wrt32x
-            pyenv global 3.5.2
-            sh build.sh prepare {tools,toolchain}/install -j2
-            echo -e "$OMR_PRIVKEY" > ~/openmptcprouter/wrt32x/source/key-build
-            echo -e "$OMR_PUBKEY" > ~/openmptcprouter/wrt32x/source/key-build.pub
-
-      - run:
-          name: Build wrt32x
-          no_output_timeout: 40m
-          command: make IGNORE_ERRORS=m -C ~/openmptcprouter/wrt32x/source package/{compile,install,index} target/compile -j2 package/compile -j2 target/install -j2
-
-      - run:
-          name: Deploy wrt32x
-          command: |
-            ssh -p ${OMR_DEPLOY_PORT:-22} deploy@$OMR_DEPLOY_HOST mkdir -p deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/$OMR_TARGET
-            rsync -av --delete-after ~/openmptcprouter/wrt32x/source/bin/ -e "ssh -q -p ${OMR_DEPLOY_PORT:-22}" deploy@$OMR_DEPLOY_HOST:deploy/${CIRCLE_BRANCH:-release}/${CIRCLE_TAG:-$OMR_KERNEL}/wrt32x
-
+    - checkout
+    - set_environment_vars
+    - run:
+        command: |
+          echo "SOURCE_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+          echo "SOURCE_BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
+          echo "SOURCE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          echo "WORKSPACE=${GITHUB_WORKSPACE}" >> $GITHUB_OUTPUT
+    - run:
+        name: Prepare
+        command: |
+          sudo apt-get update
+          sudo apt-get install build-essential asciidoc binutils bzip2 gawk gettext
+          git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc-s1 libc6-dev-i386
+          subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev
+          texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake
+          libtool autopoint device-tree-compiler python3-pyelftools
+    - run:
+        name: Free disk space
+        command: |
+          df -h
+          sudo swapoff -a >/dev/null 2>&1 || true
+          sudo rm -f /swapfile >/dev/null 2>&1 || true
+          sudo apt-get autoremove -y >/dev/null 2>&1 || true
+          sudo apt-get autoclean -y >/dev/null 2>&1 || true
+          sudo rm -rf "/usr/local/share/boost" >/dev/null 2>&1 || true
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY" >/dev/null 2>&1 || true
+          sudo rm -rf /usr/share/dotnet >/dev/null 2>&1 || true
+          sudo rm -rf /usr/local/lib/android >/dev/null 2>&1 || true
+          sudo rm -rf /opt/ghc >/dev/null 2>&1 || true
+          sudo docker rmi $(docker images -qf "dangling=true") >/dev/null 2>&1 ||
+          true
+          df -h
+    - run:
+        command: |
+          git clone $REPO_URL omr
+          if [ "$SOURCE_NAME" != "develop" ]; then
+              cd omr
+              pwd
+              git fetch
+              git checkout master
+          else
+              cd omr
+              git checkout develop
+          fi
+          git pull
+          pwd
+          OMR_KERNEL="${OMR_KERNEL}" OMR_FEED_SRC="${SOURCE_NAME}" sh build.sh prepare
+          {tools,toolchain}/install -j$(nproc) || OMR_KERNEL="${OMR_KERNEL}" OMR_FEED_SRC="${SOURCE_NAME}"
+          sh build.sh prepare {tools,toolchain}/install -j1 V=s
+          make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source package/{compile,install,index}
+          -j$(nproc) || make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source package/{compile,install,index}
+          -j1 V=s
+          make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source target/install -j$(nproc)
+          || make IGNORE_ERRORS=m -C $OMR_TARGET/$OMR_KERNEL/source target/install
+          -j1 V=s
+          mv ${OMR_TARGET}/${OMR_KERNEL}/source/bin ${GITHUB_WORKSPACE}/
+    - store_artifacts:
+        path: /home/runner/work/omr/${{ matrix.OMR_TARGET }}/${{ matrix.OMR_KERNEL
+          }}/source/bin
 workflows:
-  version: 2
-  main:
+  openmptcprouter:
    jobs:
-      - prepare:
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_x86_64:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_x86:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_rpi4:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_rpi3:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_espressobin:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_r2s:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_rpi2:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_bpi-r2:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
-      - build_wrt32:
-          requires:
-            - prepare
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only: 
-                - develop
+    - build:
+       matrix:
+         parameters:
+           OMR_TARGET: ["bpi-r1","bpi-r2","bpi-r64","rpi2","rpi4","wrt32x","espressobin","r2s","rpi3","wrt3200acm","x86","x86_64","ubnt-erx","r4s","r7800","rutx12","rutx50","r5s","qnap-301w","rpi5","z8102ax_128m"]
+           OMR_KERNEL: ["5.4","6.1","6.6"]
+       
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -8,8 +8,8 @@ jobs:
  build:
    strategy:
      matrix:
-        OMR_TARGET: [bpi-r1, bpi-r2, bpi-r64, rpi2, rpi4, wrt32x, espressobin, r2s, rpi3, wrt3200acm, x86, x86_64, ubnt-erx, r4s, r7800, rutx12, rutx50, r5s, qnap-301w, rpi5, z8102ax_128m]
-        OMR_KERNEL: [5.4, 6.1]
+        OMR_TARGET: [bpi-r1, bpi-r2, bpi-r3, bpi-r4, bpi-r4-poe, bpi-r64, rpi2, rpi4, wrt32x, espressobin, r2s, rpi3, wrt3200acm, x86, x86_64, ubnt-erx, r4s, r7800, rutx12, rutx50, r5s, qnap-301w, rpi5, z8102ax_128m, z8102ax_64m, z8102ax-emmc, gl-mt6000, gl-mt3000, gl-mt2500, r5c, z8109ax_128m]
+        OMR_KERNEL: [6.6, 6.12]
    runs-on: ubuntu-latest
    continue-on-error: true

@ -24,7 +24,11 @@ jobs:
    - name: Prepare
      run: |
        sudo apt-get update
-        sudo apt-get install build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc-s1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint device-tree-compiler python3-pyelftools
+        sudo apt-get install build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc-s1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint device-tree-compiler python3-pyelftools llvm clang
+    - if: matrix.OMR_KERNEL == '6.6'
+      name: Install LLVM
+      run: |
+        sudo apt-get install llvm clang
    - name: Free disk space
      run: |
        df -h
--- a/bcm27xx-eeprom/Makefile
+++ b/bcm27xx-eeprom/Makefile
@ -1,12 +1,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=bcm27xx-eeprom
-PKG_VERSION:=v2022.04.26-138a1
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_RELEASE:=1

-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/raspberrypi/rpi-eeprom/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=7c54839e68f226c5853fb63c8a1539b729d84b2e6bac311a51766c601d10a413
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/raspberrypi/rpi-eeprom
+PKG_SOURCE_DATE:=2024-09-23
+PKG_SOURCE_VERSION:=c8fffcda5ae0f923857a73fedbeb07e81d2eb813
+PKG_MIRROR_HASH:=68d0eedd1aff573c2ea7071f89a5898292061ced96d7f98ea4a347dc16c8102c

 PKG_LICENSE:=BSD-3-Clause Custom
 PKG_LICENSE_FILES:=LICENSE
@ -18,15 +19,39 @@ include $(INCLUDE_DIR)/package.mk
 TAR_OPTIONS:=--strip-components 1 $(TAR_OPTIONS)
 TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS)

-define Package/bcm27xx-eeprom
+define Package/bcm27xx-eeprom/Default
  SECTION:=utils
  CATEGORY:=Utilities
-  DEPENDS:=bcm27xx-userland +blkid +coreutils +coreutils-od +pciutils +python3-light
+endef
+
+define Package/bcm27xx-eeprom
+$(call Package/bcm27xx-eeprom/Default)
  TITLE:=BCM27xx EEPROM tools
+  DEPENDS:=bcm27xx-utils +blkid +coreutils +coreutils-od +mount-utils +pciutils +python3-light
+endef
+
+define Package/bcm2711-eeprom
+$(call Package/bcm27xx-eeprom/Default)
+  TITLE:=BCM2711 EEPROM tools
+  DEPENDS:=+bcm27xx-eeprom
+endef
+
+define Package/bcm2712-eeprom
+$(call Package/bcm27xx-eeprom/Default)
+  TITLE:=BCM2712 EEPROM tools
+  DEPENDS:=+bcm27xx-eeprom
 endef

 define Package/bcm27xx-eeprom/description
-  BCM27xx EEPROM tools.
+  BCM27xx EEPROM config and update tools.
+endef
+
+define Package/bcm2711-eeprom/description
+  BCM2711 EEPROM config and update tools.
+endef
+
+define Package/bcm2712-eeprom/description
+  BCM2712 EEPROM config and update tools.
 endef

 define Build/Compile
@ -45,15 +70,27 @@ define Package/bcm27xx-eeprom/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rpi-eeprom-config $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rpi-eeprom-digest $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/rpi-eeprom-update $(1)/usr/bin
+endef

-	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader
-	$(CP) $(PKG_BUILD_DIR)/firmware/release-notes.md $(1)/lib/firmware/raspberrypi/bootloader
+define Package/bcm2711-eeprom/install
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2711
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2711/latest

-	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader/critical
-	$(CP) $(PKG_BUILD_DIR)/firmware/critical/ $(1)/lib/firmware/raspberrypi/bootloader/
+	$(CP) $(PKG_BUILD_DIR)/firmware-2711/release-notes.md $(1)/lib/firmware/raspberrypi/bootloader-2711
+	$(CP) $(PKG_BUILD_DIR)/firmware-2711/latest/pieeprom-2024-09-05.bin $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
+	$(CP) $(PKG_BUILD_DIR)/firmware-2711/latest/recovery.bin $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
+	$(CP) $(PKG_BUILD_DIR)/firmware-2711/latest/vl805-000138c0.bin $(1)/lib/firmware/raspberrypi/bootloader-2711/latest
+endef

-	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader/stable
-	$(CP) $(PKG_BUILD_DIR)/firmware/stable/ $(1)/lib/firmware/raspberrypi/bootloader/
+define Package/bcm2712-eeprom/install
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2712
+	$(INSTALL_DIR) $(1)/lib/firmware/raspberrypi/bootloader-2712/latest
+
+	$(CP) $(PKG_BUILD_DIR)/firmware-2712/release-notes.md $(1)/lib/firmware/raspberrypi/bootloader-2712
+	$(CP) $(PKG_BUILD_DIR)/firmware-2712/latest/pieeprom-2024-09-23.bin $(1)/lib/firmware/raspberrypi/bootloader-2712/latest
+	$(CP) $(PKG_BUILD_DIR)/firmware-2712/latest/recovery.bin $(1)/lib/firmware/raspberrypi/bootloader-2712/latest
 endef

 $(eval $(call BuildPackage,bcm27xx-eeprom))
+$(eval $(call BuildPackage,bcm2711-eeprom))
+$(eval $(call BuildPackage,bcm2712-eeprom))
--- a/bcm27xx-eeprom/patches/0001-rpi-eeprom-update-OpenWrt-defaults.patch
+++ b/bcm27xx-eeprom/patches/0001-rpi-eeprom-update-OpenWrt-defaults.patch
@ -1,4 +1,4 @@
-From da37f7b051fe6833e25e78184cc9217dd4379187 Mon Sep 17 00:00:00 2001
+From a7c4e8f246dc58b4c83293b11f6443528065dc70 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Mon, 23 Mar 2020 10:10:55 +0100
 Subject: [PATCH] rpi-eeprom-update: OpenWrt defaults
@ -8,38 +8,30 @@ Content-Transfer-Encoding: 8bit

 Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
 ---
- rpi-eeprom-update         | 6 +++---
- rpi-eeprom-update-default | 5 +++--
- 2 files changed, 6 insertions(+), 5 deletions(-)
+ rpi-eeprom-update         | 4 ++--
+ rpi-eeprom-update-default | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)

 --- a/rpi-eeprom-update
 +++ b/rpi-eeprom-update
-@@ -24,12 +24,12 @@ else
- fi
+@@ -25,7 +25,7 @@ fi
 
 # Selects the release sub-directory
-FIRMWARE_RELEASE_STATUS=${FIRMWARE_RELEASE_STATUS:-default}
-+FIRMWARE_RELEASE_STATUS=${FIRMWARE_RELEASE_STATUS:-stable}
- FIRMWARE_IMAGE_DIR=${FIRMWARE_IMAGE_DIR:-${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}}
+ FIRMWARE_RELEASE_STATUS=${FIRMWARE_RELEASE_STATUS:-default}
 -FIRMWARE_BACKUP_DIR=${FIRMWARE_BACKUP_DIR:-/var/lib/raspberrypi/bootloader/backup}
 +FIRMWARE_BACKUP_DIR=${FIRMWARE_BACKUP_DIR:-${FIRMWARE_ROOT}/backup}
 ENABLE_VL805_UPDATES=${ENABLE_VL805_UPDATES:-1}
- RECOVERY_BIN=${RECOVERY_BIN:-${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}/recovery.bin}
- BOOTFS=${BOOTFS:-/boot}
 CM4_ENABLE_RPI_EEPROM_UPDATE=${CM4_ENABLE_RPI_EEPROM_UPDATE:-0}
 RPI_EEPROM_UPDATE_CONFIG_TOOL="${RPI_EEPROM_UPDATE_CONFIG_TOOL:-raspi-config}"
- 
 --- a/rpi-eeprom-update-default
 +++ b/rpi-eeprom-update-default
-@@ -1,8 +1,9 @@
+@@ -1,7 +1,7 @@
 
 FIRMWARE_ROOT=/lib/firmware/raspberrypi/bootloader
-FIRMWARE_RELEASE_STATUS="critical"
-+FIRMWARE_RELEASE_STATUS="stable"
- FIRMWARE_IMAGE_DIR="${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}"
+-FIRMWARE_RELEASE_STATUS="default"
 -FIRMWARE_BACKUP_DIR="/var/lib/raspberrypi/bootloader/backup"
+FIRMWARE_RELEASE_STATUS="latest"
 +FIRMWARE_BACKUP_DIR="${FIRMWARE_ROOT}/backup"
- BOOTFS=/boot
- USE_FLASHROM=0
 EEPROM_CONFIG_HOOK=
-+VCMAILBOX=/usr/bin/vcmailbox
+ 
+ # BOOTFS can be set here to override auto-detection in rpi-eeprom-update
--- a/bcm27xx-eeprom/patches/0002-rpi-eeprom-update-change-default-include-path.patch
+++ b/bcm27xx-eeprom/patches/0002-rpi-eeprom-update-change-default-include-path.patch
@ -0,0 +1,62 @@
+From fc552b1e5c503c530763e40d2b83df55c5c2e9a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
+Date: Wed, 25 Mar 2020 20:58:35 +0100
+Subject: [PATCH] rpi-eeprom-update: change default include path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+---
+ rpi-eeprom-update | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/rpi-eeprom-update
+++ b/rpi-eeprom-update
+@@ -6,8 +6,8 @@ set -e
+ 
+ script_dir=$(cd "$(dirname "$0")" && pwd)
+ 
+-if [ -f /etc/default/rpi-eeprom-update ]; then
+-   . /etc/default/rpi-eeprom-update
+if [ -f /etc/bcm27xx-eeprom.conf ]; then
+   . /etc/bcm27xx-eeprom.conf
+ fi
+ 
+ LOCAL_MODE=0
+@@ -439,7 +439,7 @@ checkDependencies() {
+       echo "Run with -h for more information."
+       echo
+       echo "To enable flashrom programming of the EEPROM"
+-      echo "Add these the following entries to /etc/default/rpi-eeprom-update"
+      echo "Add these the following entries to /etc/bcm27xx-eeprom.conf"
+       echo "RPI_EEPROM_USE_FLASHROM=1"
+       echo "CM4_ENABLE_RPI_EEPROM_UPDATE=1"
+       echo 
+@@ -526,7 +526,7 @@ The system should then boot normally.
+ 
+ If /boot does not correspond to the boot partition and this
+ is not a NOOBS system, then the mount point for BOOTFS should be defined
+-in /etc/default/rpi-eeprom-update by defining the BOOTFS variable.
+in /etc/bcm27xx-eeprom.conf by defining the BOOTFS variable.
+ 
+ A backup of the current EEPROM config file is written to ${FIRMWARE_BACKUP_DIR}
+ before applying the update.
+@@ -558,7 +558,7 @@ Options:
+    -u Install the specified VL805 (USB EEPROM) image file.
+ 
+ Environment:
+-Environment variables should be defined in /etc/default/rpi-eeprom-update
+Environment variables should be defined in /etc/bcm27xx-eeprom.conf
+ 
+ EEPROM_CONFIG_HOOK
+ 
+@@ -630,7 +630,7 @@ must first be enabled by removing ENABLE
+ via usbboot.
+ 
+ After enabling self-update set the CM4_ENABLE_RPI_EEPROM_UPDATE=1 environment
+-variable or define it in /etc/default/rpi-eeprom-update.
+variable or define it in /etc/bcm27xx-eeprom.conf.
+ 
+ N.B. If there is a power failure during SELF_UPDATE the EEPROM write may fail and
+ usbboot must be used to flash the bootloader EEPROM. SELF_UPDATE is not recommended
--- a/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-change-default-include-path.patch
+++ b/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-change-default-include-path.patch
@ -1,26 +0,0 @@
-From 6674d49dea0104031b3f54df4c7a356dc4307bb2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
-Date: Wed, 25 Mar 2020 20:58:35 +0100
-Subject: [PATCH] rpi-eeprom-update: change default include path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
---
- rpi-eeprom-update | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
--- a/rpi-eeprom-update
-+++ b/rpi-eeprom-update
-@@ -6,8 +6,8 @@ set -e
- 
- script_dir=$(cd "$(dirname "$0")" && pwd)
- 
-if [ -f /etc/default/rpi-eeprom-update ]; then
-   . /etc/default/rpi-eeprom-update
-+if [ -f /etc/bcm27xx-eeprom.conf ]; then
-+   . /etc/bcm27xx-eeprom.conf
- fi
- 
- LOCAL_MODE=0
--- a/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-chmod-silent-f-is-not-supported.patch
+++ b/bcm27xx-eeprom/patches/0003-rpi-eeprom-update-chmod-silent-f-is-not-supported.patch
@ -1,4 +1,4 @@
-From 8376ac74390af0ad736c88615e128b82a75eebc0 Mon Sep 17 00:00:00 2001
+From 62ec3384358bda60269c131d3880795bc8cdc3ce Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
 Date: Fri, 19 Feb 2021 10:54:23 +0100
 Subject: [PATCH] rpi-eeprom-update: chmod silent (-f) is not supported
@ -13,7 +13,7 @@ Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>

 --- a/rpi-eeprom-update
 +++ b/rpi-eeprom-update
-@@ -200,7 +200,7 @@ applyRecoveryUpdate()
+@@ -220,7 +220,7 @@ applyRecoveryUpdate()
                 || die "Failed to copy ${TMP_EEPROM_IMAGE} to ${BOOTFS}"
 
         # For NFS mounts ensure that the files are readable to the TFTP user
@ -22,7 +22,7 @@ Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
                 || die "Failed to set permissions on eeprom update files"
    fi
 
-@@ -211,7 +211,7 @@ applyRecoveryUpdate()
+@@ -231,7 +231,7 @@ applyRecoveryUpdate()
                 || die "Failed to copy ${VL805_UPDATE_IMAGE} to ${BOOTFS}/vl805.bin"
 
         # For NFS mounts ensure that the files are readable to the TFTP user
--- a/bcm27xx-eeprom/patches/0004-rpi-eeprom-config-replace-nano-with-vi-as-default-ed.patch
+++ b/bcm27xx-eeprom/patches/0004-rpi-eeprom-config-replace-nano-with-vi-as-default-ed.patch
@ -1,6 +1,19 @@
+From 8d1e47c956ae10d1146114f7fcd4eb0d33187d08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
+Date: Tue, 16 Jan 2024 16:25:40 +0100
+Subject: [PATCH] rpi-eeprom-config: replace nano with vi as default editor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+---
+ rpi-eeprom-config | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
 --- a/rpi-eeprom-config
 +++ b/rpi-eeprom-config
-@@ -166,8 +166,8 @@ def edit_config(eeprom=None):
+@@ -186,8 +186,8 @@ def edit_config(eeprom=None):
     """
     Implements something like 'git commit' for editing EEPROM configs.
     """
@ -11,7 +24,7 @@
     if 'EDITOR' in os.environ:
         editor = os.environ['EDITOR']
 
-@@ -428,7 +428,7 @@ Operating modes:
+@@ -517,7 +517,7 @@ Operating modes:
 
    To cancel the pending update run 'sudo rpi-eeprom-update -r'
 
--- a/bcm27xx-utils/Makefile
+++ b/bcm27xx-utils/Makefile
@ -0,0 +1,66 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=bcm27xx-utils
+PKG_VERSION:=2024.10.25
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/raspberrypi/utils.git
+PKG_SOURCE_VERSION:=6a2a6becebbc38fde34a94386457ac8210f9119b
+PKG_MIRROR_HASH:=a775c7ffb9fac2d798ec8e0a4c7707eb7133cbc9c4418a1cf9434f87c42c01bb
+
+PKG_FLAGS:=nonshared
+PKG_BUILD_FLAGS:=no-lto
+
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=LICENCE
+
+CMAKE_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/bcm27xx-utils
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS:=@TARGET_bcm27xx +libfdt
+  TITLE:=BCM27xx scripts and simple applications
+  PROVIDES:=bcm27xx-userland
+endef
+
+define Package/bcm27xx-utils/description
+  BCM27xx scripts and simple applications.
+  Replaces bcm27xx-userland scripts and applications.
+endef
+
+define Package/bcm27xx-utils/install
+	$(INSTALL_DIR) $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dtmerge $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dtoverlay $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dtparam $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/eepdump $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/eepflash.sh $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/eepmake $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/kdtc $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/otpset $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/overlaycheck $(1)/usr/bin
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/bin/overlaycheck_exclusions.txt $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ovmerge $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pinctrl $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/raspinfo $(1)/usr/bin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/vcgencmd $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/vclog $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/vcmailbox $(1)/usr/bin
+endef
+
+$(eval $(call BuildPackage,bcm27xx-utils))
--- a/bcm27xx-utils/patches/0001-raspinfo-adapt-to-OpenWrt.patch
+++ b/bcm27xx-utils/patches/0001-raspinfo-adapt-to-OpenWrt.patch
@ -0,0 +1,255 @@
+From 0db3fb3119eda8c2360454c2a01f84602a879c38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com>
+Date: Tue, 16 Jan 2024 15:32:12 +0100
+Subject: [PATCH] raspinfo: adapt to OpenWrt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+---
+ raspinfo/raspinfo | 186 ++++------------------------------------------
+ 1 file changed, 13 insertions(+), 173 deletions(-)
+
+--- a/raspinfo/raspinfo
+++ b/raspinfo/raspinfo
+@@ -1,4 +1,4 @@
+-#!/bin/bash
+#!/bin/sh
+ 
+ # Some of the regex's used in sed
+ # Catch basic IP6 address   "s/\([0-9a-fA-F]\{1,4\}:\)\{7,7\}[0-9a-fA-F]\{1,4\}/y.y.y.y.y.y.y.y/g"
+@@ -6,147 +6,6 @@
+ # IP4 d.d.d.d decimal	    "s/\([0-9]\{1,3\}\.\)\{3,3\}[0-9]\{1,3\}/x.x.x.x/g"
+ # mac address	            "s/\([0-9a-fA-F]\{2,2\}\:\)\{5,5\}[0-9a-fA-F]\{2,2\}/m.m.m.m/g"
+ 
+-
+-display_info_drm() {
+-   # If running X then can use xrandr, otherwise
+-   # dump the /sys/class entries for the displays
+-   if command -v xrandr > /dev/null &&
+-      DISPLAY=${DISPLAY:-:0} xrandr --listmonitors &>/dev/null;
+-   then
+-      echo "Running (F)KMS and X"
+-      echo
+-
+-      DISPLAY=${DISPLAY:-:0} xrandr --verbose
+-   else
+-      echo "Running (F)KMS, console"
+-      echo
+-
+-      for card in /sys/class/drm/card[0-9]-*;
+-      do
+-         echo $card
+-
+-         # if kmsprint isn't installed print basic mode info
+-         if ! command -v kmsprint > /dev/null; then
+-            if [ -f $card/modes ];
+-            then
+-               cat $card/modes
+-            else
+-               echo "No modes found"
+-            fi
+-         fi
+-
+-         if [ -f $card/edid ];
+-         then
+-            base64 $card/edid
+-         else
+-            echo "No EDID found"
+-         fi
+-         echo
+-      done
+-   fi
+-
+-   # kmsprint is more useful, but not always installed
+-   echo
+-   if command -v kmsprint > /dev/null; then
+-      kmsprint
+-      echo
+-      kmsprint -m
+-   else
+-      echo "kmsprint is not installed. Install with: sudo apt install kms++-utils"
+-   fi
+-
+-   echo
+-
+-   # dump the /sys/class entries for the displays
+-   cardfound=0
+-   for card in `seq 0 9`;
+-   do
+-      if sudo test -f "/sys/kernel/debug/dri/${card}/state";
+-      then
+-        for hdmi in 0 1;
+-        do
+-         if sudo test -f "/sys/kernel/debug/dri/${card}/hdmi${hdmi}_regs";
+-         then
+-            echo "HDMI${hdmi}: $(sudo cat /sys/kernel/debug/dri/$card/hdmi${hdmi}_regs | grep HOTPLUG)"
+-         fi
+-      done
+-      echo
+-      echo "/sys/kernel/debug/dri/$card/state:"
+-      sudo cat "/sys/kernel/debug/dri/$card/state"
+-      echo
+-      cardfound=1
+-      fi
+-   done
+-   if [ "$cardfound" == "0" ];
+-   then
+-      echo "kms state not found"
+-   fi
+-   echo
+-
+-}
+-
+-display_info_legacy() {
+-   # Legacy mode
+-   echo "Running Legacy framebuffer"
+-   echo
+-
+-   for card in `seq 0 9`;
+-   do
+-      F="/dev/fb${card}"
+-      if test -e $F;
+-      then
+-         echo Framebuffer: $F
+-         fbset -s -fb $F
+-      fi
+-   done
+-
+-   disps=`tvservice -l | awk '/Display Number/{print substr($3,1,1)}'`
+-
+-   tmp=$(mktemp)
+-
+-   for display in $disps
+-   do
+-      echo
+-      echo "Display: " $display
+-
+-      tvservice -v $display -s
+-      tvservice -v $display -n
+-      tvservice -v $display -m CEA
+-      tvservice -v $display -m DMT
+-
+-      echo
+-      tvservice -v $display -d $tmp > /dev/null
+-      base64 $tmp
+-   done
+-
+-   rm $tmp
+-}
+-
+-display_info() {
+-   # Check if we are running a KMS/DRM system
+-
+-   if [ -d "/dev/dri" ];
+-   then
+-      display_info_drm
+-   else
+-      display_info_legacy
+-   fi
+-}
+-
+-audio_info() {
+-   aplay -l
+-   echo
+-   aplay -L
+-   echo
+-   systemctl --user status pipewire.socket pipewire.service pulseaudio.service pulseaudio.socket
+-   echo
+-   if command -v pactl > /dev/null; then
+-      pactl info
+-   else
+-      echo pactl not installed
+-   fi
+-}
+-
+ OUT=raspinfo.txt
+ 
+ rm -f $OUT
+@@ -163,8 +22,6 @@ echo
+ cat /etc/os-release | head -4
+ echo
+ 
+-cat /etc/rpi-issue
+-echo
+ uname -a
+ 
+ cat /proc/cpuinfo | tail -3
+@@ -190,17 +47,6 @@ echo
+ cat /proc/swaps
+ 
+ echo
+-echo "Package version information"
+-echo "---------------------------"
+-
+-apt-cache policy raspberrypi-ui-mods | head -2
+-apt-cache policy raspberrypi-sys-mods | head -2
+-apt-cache policy openbox | head -2
+-apt-cache policy lxpanel | head -2
+-apt-cache policy pcmanfm | head -2
+-apt-cache policy rpd-plym-splash | head -2
+-
+-echo
+ echo "Networking Information"
+ echo "----------------------"
+ echo
+@@ -212,21 +58,11 @@ echo "USB Information"
+ echo "---------------"
+ echo
+ 
+-lsusb -t
+-
+-echo
+-echo "Display Information"
+-echo "-------------------"
+-echo
+-
+-display_info
+-
+-echo
+-echo "Audio Information"
+-echo "-------------------"
+-echo
+-
+-audio_info
+if command -v lsusb > /dev/null; then
+   lsusb -t
+else
+   echo usbutils not installed
+fi
+ 
+ echo
+ echo "config.txt"
+@@ -250,7 +86,7 @@ echo "-----------------"
+ echo
+ 
+ if command -v pinctrl > /dev/null; then
+-   sudo pinctrl 2>&1
+   pinctrl 2>&1
+ elif command -v raspi-gpio > /dev/null; then
+    raspi-gpio get 2>&1
+ else
+@@ -263,9 +99,9 @@ echo "------------------"
+ echo
+ 
+ if command -v vcdbg > /dev/null; then
+-   sudo vcdbg log msg 2>&1
+   vcdbg log msg 2>&1
+ elif command -v vclog > /dev/null; then
+-   sudo vclog --msg 2>&1
+   vclog --msg 2>&1
+ else
+    echo "vcdbg not found"
+ fi
+@@ -284,5 +120,9 @@ echo
+ echo "EEPROM"
+ echo "------"
+ echo
+-sudo rpi-eeprom-update
+if command -v rpi-eeprom-update > /dev/null; then
+   rpi-eeprom-update
+else
+   echo bcm27xx-eeprom not installed
+fi
+ fi
--- a/bcm27xx-utils/patches/0002-pinctrl-replace-reallocarray.patch
+++ b/bcm27xx-utils/patches/0002-pinctrl-replace-reallocarray.patch
@ -0,0 +1,11 @@
+--- a/pinctrl/pinctrl.c	2024-07-02 14:14:31.113459219 +0200
+++ b/pinctrl/pinctrl.c	2024-07-02 14:14:44.533241981 +0200
+@@ -220,7 +220,7 @@
+     if (!gpio_num_is_valid(gpio))
+         return 1;
+ 
+-    poll_gpios = reallocarray(poll_gpios, num_poll_gpios + 1,
+    poll_gpios = realloc(poll_gpios, num_poll_gpios + 1 *
+                               sizeof(*poll_gpios));
+     new_gpio = &poll_gpios[num_poll_gpios];
+     new_gpio->num = num;
--- a/cryptodev-linux/Makefile
+++ b/cryptodev-linux/Makefile
@ -15,8 +15,8 @@ PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/$(PKG_NAME)/$(PKG_NAME).git
-PKG_SOURCE_VERSION:=5e7121e45ff283d30097da381fd7e97c4bb61364
-PKG_VERSION:=1.13-$(PKG_SOURCE_VERSION)
+PKG_SOURCE_VERSION:=277d4574c10bb8e16ab6ab3f38b8e1cb6cd6c678
+PKG_VERSION:=1.14.20241010
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING

@ -29,7 +29,6 @@ define KernelPackage/cryptodev
  SUBMENU:=Cryptographic API modules
  TITLE:=Driver for cryptographic acceleration
  URL:=http://cryptodev-linux.org/
-  VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
  DEPENDS:=+kmod-crypto-authenc +kmod-crypto-hash
  FILES:=$(PKG_BUILD_DIR)/cryptodev.$(LINUX_KMOD_SUFFIX)
  AUTOLOAD:=$(call AutoLoad,50,cryptodev)
--- a/dsvpn/Makefile
+++ b/dsvpn/Makefile
@ -13,7 +13,7 @@ PKG_SOURCE_URL:=https://github.com/Ysurac/dsvpn.git
 #PKG_SOURCE_VERSION:=3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a
 PKG_SOURCE_VERSION:=4333aa705efd9c86c76809614d20dc5ebf43da7f
 PKG_NAME:=dsvpn
-PKG_VERSION:=0.1.5-$(PKG_SOURCE_VERSION)
+PKG_VERSION:=0.1.5
 PKG_RELEASE:=1
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
--- a/dsvpn/files/init
+++ b/dsvpn/files/init
@ -31,7 +31,7 @@ validate_section() {

 version_over_5_4() {
 	MAJOR_VERSION=$(uname -r | awk -F '.' '{print $1}')
-	MINOR_VERSION=$(uname -r | awk -F '.' '{print $2}')
+	MINOR_VERSION=$(uname -r | awk -F '.' '{print $2}' | awk -F '-' '{print $1}')
 	if [ $MAJOR_VERSION -ge 5 ] && [ $MINOR_VERSION -gt 13 ] || [ $MAJOR_VERSION -gt 5 ] ; then
 		return 0
 	else
--- a/glorytun-udp/Makefile
+++ b/glorytun-udp/Makefile
@ -12,8 +12,8 @@ PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/angt/glorytun.git
 PKG_SOURCE_VERSION:=32267e86a6da05b285bb3bf2b136c105dc0af4bb
 PKG_NAME:=glorytun-udp
-PKG_VERSION:=0.3.4-$(PKG_SOURCE_VERSION)
-PKG_RELEASE:=23
+PKG_VERSION:=0.3.4
+PKG_RELEASE:=24
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=LICENSE

@ -48,7 +48,7 @@ define Package/$(PKG_NAME)/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) init $(1)/etc/init.d/$(PKG_NAME)
 	$(INSTALL_DIR) $(1)/etc/config
-	touch $(1)/etc/config/glorytun
+	$(INSTALL_DATA) glorytun-udp.config $(1)/etc/config/glorytun-udp
 endef

 $(eval $(call BuildPackage,$(PKG_NAME)))
--- a/luci-app-glorytun-udp/root/etc/config/glorytun-udp
+++ b/luci-app-glorytun-udp/root/etc/config/glorytun-udp
--- a/glorytun/Makefile
+++ b/glorytun/Makefile
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=glorytun
-PKG_RELEASE:=6
+PKG_RELEASE:=8
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=0c3b03cf0215e0896fd8e7e91be92efa77f6a2d1
+PKG_SOURCE_VERSION:=8aebb3efb3b108b1276aa74679e200e003f298de
 PKG_SOURCE:=glorytun-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/Ysurac/glorytun.git
-PKG_VERSION:=0.0.35-$(PKG_SOURCE_VERSION)
+PKG_VERSION:=0.0.35
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=LICENSE
 PKG_FIXUP:=autoreconf
--- a/golang/golang-build.sh
+++ b/golang/golang-build.sh
@ -120,7 +120,7 @@ build() {
 	if [ "$GO_GO_GENERATE" = 1 ]; then
 		log "Calling go generate"
 		# shellcheck disable=SC2086
-		GOOS='' GOARCH='' GO386='' GOARM='' GOMIPS='' GOMIPS64='' \
+		GOOS='' GOARCH='' GO386='' GOARM='' GOARM64='' GOMIPS='' GOMIPS64='' GORISCV64=''\
 		go generate -v $targets
 		log
 	fi
--- a/golang/golang-compiler.mk
+++ b/golang/golang-compiler.mk
@ -19,14 +19,11 @@ define GoCompiler/Default/CheckHost
 endef

 # $(1) source go root
-# $(2) destination prefix
-# $(3) go version id
-# $(4) additional environment variables (optional)
+# $(2) additional environment variables (optional)
 define GoCompiler/Default/Make
 	( \
 		cd "$(1)/src" ; \
-		$(if $(2),GOROOT_FINAL="$(2)/lib/go-$(3)") \
-		$(4) \
+		$(2) \
 		$(BASH) make.bash \
 		$(if $(findstring s,$(OPENWRT_VERBOSE)),-v) \
 		--no-banner \
@ -156,7 +153,7 @@ define GoCompiler/AddProfile

  # $$(1) additional environment variables (optional)
  define GoCompiler/$(1)/Make
-	$$(call GoCompiler/Default/Make,$(2),$(3),$(4),$$(1))
+	$$(call GoCompiler/Default/Make,$(2),$$(1))
  endef

  # $$(1) override install prefix (optional)
--- a/golang/golang-values.mk
+++ b/golang/golang-values.mk
@ -59,11 +59,13 @@ unexport \
 # Architecture-specific environment variables:
 unexport \
  GOARM \
+  GOARM64 \
  GO386 \
  GOAMD64 \
  GOMIPS \
  GOMIPS64 \
  GOPPC64 \
+  GORISCV64 \
  GOWASM

 # Environment variables for use with code coverage:
--- a/golang/golang/Makefile
+++ b/golang/golang/Makefile
@ -7,8 +7,8 @@

 include $(TOPDIR)/rules.mk

-GO_VERSION_MAJOR_MINOR:=1.22
-GO_VERSION_PATCH:=0
+GO_VERSION_MAJOR_MINOR:=1.23
+GO_VERSION_PATCH:=4

 PKG_NAME:=golang
 PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \

 PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
 PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=4d196c3d41a0d6c1dfc64d04e3cc1f608b0c436bd87b7060ce3e23234e1f4d5c
+PKG_HASH:=ad345ac421e90814293a9699cca19dd5238251c3f687980bbcae28495b263531

 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
@ -34,7 +34,6 @@ PKG_BUILD_FLAGS:=no-mips16

 PKG_GO_PREFIX:=/usr
 PKG_GO_VERSION_ID:=$(GO_VERSION_MAJOR_MINOR)
-PKG_GO_ROOT:=$(PKG_GO_PREFIX)/lib/go-$(PKG_GO_VERSION_ID)

 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/go-$(PKG_VERSION)
 HOST_BUILD_PARALLEL:=1
@ -65,6 +64,7 @@ HOST_GO_VALID_OS_ARCH:= \
  wasip1_wasm \
  \
  freebsd_riscv64 \
+  openbsd_riscv64 \
  \
  linux_ppc64 linux_ppc64le \
  linux_mips linux_mipsle linux_mips64 linux_mips64le \
@ -394,7 +394,6 @@ define Build/Compile
 		cd "$(PKG_BUILD_DIR)/bin" ; \
 		export $(GO_PKG_TARGET_VARS) ; \
 		$(CP) go go-host ; \
-		GOROOT_FINAL="$(PKG_GO_ROOT)" \
 		GO_GCC_HELPER_CC="$(TARGET_CC)" \
 		GO_GCC_HELPER_CXX="$(TARGET_CXX)" \
 		$(PKG_GO_VARS) \
--- a/https-dns-proxy/Makefile
+++ b/https-dns-proxy/Makefile
@ -1,48 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=https-dns-proxy
-PKG_VERSION:=2021-06-03
-PKG_RELEASE:=1
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy
-PKG_SOURCE_DATE:=2021-06-03
-PKG_SOURCE_VERSION:=5651b984f770a8bcecb14aeffc224703f8f82586
-PKG_MIRROR_HASH:=b65161936269aa3117debad0fcfce157024726b78d7e7da77c226f7aa8da5b4d
-PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=LICENSE
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-CMAKE_OPTIONS += -DCLANG_TIDY_EXE=
-
-define Package/https-dns-proxy
-	SECTION:=net
-	CATEGORY:=Network
-	TITLE:=DNS Over HTTPS Proxy
-	URL:=https://docs.openwrt.melmac.net/https-dns-proxy/
-	DEPENDS:=+libcares +libcurl +libev +ca-bundle
-	CONFLICTS:=https_dns_proxy
-endef
-
-define Package/https-dns-proxy/description
-https-dns-proxy is a light-weight DNS<-->HTTPS, non-caching translation proxy for the RFC 8484 DoH standard.
-It receives regular (UDP) DNS requests and issues them via DoH.
-Please see https://docs.openwrt.melmac.net/https-dns-proxy/ for more information.
-endef
-
-define Package/https-dns-proxy/conffiles
-/etc/config/https-dns-proxy
-endef
-
-define Package/https-dns-proxy/install
-	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d ${1}/etc/config
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/https_dns_proxy $(1)/usr/sbin/https-dns-proxy
-	$(INSTALL_BIN) ./files/https-dns-proxy.init $(1)/etc/init.d/https-dns-proxy
-	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/https-dns-proxy
-	$(INSTALL_CONF) ./files/https-dns-proxy.config $(1)/etc/config/https-dns-proxy
-endef
-
-$(eval $(call BuildPackage,https-dns-proxy))
--- a/https-dns-proxy/files/README.md
+++ b/https-dns-proxy/files/README.md
@ -1,3 +0,0 @@
-# README
-
-README has been moved to [https://docs.openwrt.melmac.net/https-dns-proxy/](https://docs.openwrt.melmac.net/https-dns-proxy/).
--- a/https-dns-proxy/files/https-dns-proxy.config
+++ b/https-dns-proxy/files/https-dns-proxy.config
@ -1,18 +0,0 @@
-config main 'config'
-	option update_dnsmasq_config '*'
-
-config https-dns-proxy
-	option bootstrap_dns '8.8.8.8,8.8.4.4'
-	option resolver_url 'https://dns.google/dns-query'
-	option listen_addr '127.0.0.1'
-	option listen_port '5053'
-	option user 'nobody'
-	option group 'nogroup'
-
-config https-dns-proxy
-	option bootstrap_dns '1.1.1.1,1.0.0.1'
-	option resolver_url 'https://cloudflare-dns.com/dns-query'
-	option listen_addr '127.0.0.1'
-	option listen_port '5054'
-	option user 'nobody'
-	option group 'nogroup'
--- a/https-dns-proxy/files/https-dns-proxy.init
+++ b/https-dns-proxy/files/https-dns-proxy.init
@ -1,238 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright 2019-2020 Stan Grishin (stangri@melmac.net)
-# shellcheck disable=SC2039,SC3043,SC3060
-PKG_VERSION='dev-test'
-
-# shellcheck disable=SC2034
-START=80
-# shellcheck disable=SC2034
-USE_PROCD=1
-
-if type extra_command 1>/dev/null 2>&1; then
-	extra_command 'version' 'Show version information'
-else
-# shellcheck disable=SC2034
-	EXTRA_COMMANDS='version'
-fi
-
-readonly PROG=/usr/sbin/https-dns-proxy
-dnsmasqConfig=''; forceDNS=''; forceDNSPorts='';
-
-version() { echo "$PKG_VERSION"; }
-
-xappend() { param="$param $1"; }
-
-append_bool() {
-	local section="$1"
-	local option="$2"
-	local value="$3"
-	local default="$4"
-	local _loctmp
-	[ -z "$default" ] && default="0"
-	config_get_bool _loctmp "$section" "$option" "$default"
-	[ "$_loctmp" != "0" ] && xappend "$value"
-}
-
-append_parm() {
-	local section="$1"
-	local option="$2"
-	local switch="$3"
-	local default="$4"
-	local _loctmp
-	config_get _loctmp "$section" "$option" "$default"
-	[ -z "$_loctmp" ] && return 0
-	xappend "$switch $_loctmp"
-}
-
-start_instance() {
-	local cfg="$1" param listen_addr listen_port i
-	append_parm "$cfg" 'resolver_url' '-r'
-	append_parm "$cfg" 'polling_interval' '-i'
-	append_parm "$cfg" 'listen_addr' '-a' '127.0.0.1'
-	append_parm "$cfg" 'listen_port' '-p' "$p"
-	append_parm "$cfg" 'dscp_codepoint' '-c'
-	append_parm "$cfg" 'bootstrap_dns' '-b'
-	append_parm "$cfg" 'user' '-u' 'nobody'
-	append_parm "$cfg" 'group' '-g' 'nogroup'
-	append_parm "$cfg" 'proxy_server' '-t'
-	append_parm "$cfg" 'logfile' '-l'
-	append_bool "$cfg" 'use_http1' '-x'
-	config_get_bool ipv6_resolvers_only "$cfg" 'use_ipv6_resolvers_only' '0'
-	config_get verbosity "$cfg" 'verbosity' '0'
-
-# shellcheck disable=SC2086,SC2154
-	for i in $(seq 1 $verbosity); do
-		xappend '-v'
-	done
-# shellcheck disable=SC2154
-	if [ "$ipv6_resolvers_only" = 0 ]; then
-		xappend '-4'
-	fi
-
-	procd_open_instance
-# shellcheck disable=SC2086
-	procd_set_param command ${PROG} ${param}
-	procd_set_param stderr 1
-	procd_set_param stdout 1
-	procd_set_param respawn
-	procd_close_instance
-
-	config_get listen_addr "$cfg" 'listen_addr' '127.0.0.1'
-	config_get listen_port "$cfg" 'listen_port' "$p"
-
-	if [ "$dnsmasqConfig" = "*" ]; then
-		config_load 'dhcp'
-		config_foreach dnsmasq_add_doh_server 'dnsmasq' "${listen_addr}" "${listen_port}"
-	elif [ -n "$dnsmasqConfig" ]; then
-		for i in $dnsmasqConfig; do
-			dnsmasq_add_doh_server "@dnsmasq[${i}]" "${listen_addr}" "${listen_port}"
-		done
-	fi
-	p="$((p+1))"
-}
-
-is_force_dns_active() { iptables-save 2>/dev/null | grep -q -w -- '--dport 53'; }
-
-start_service() {
-	local p=5053 c
-	config_load 'https-dns-proxy'
-	config_get dnsmasqConfig	'config' 'update_dnsmasq_config' '*'
-	config_get_bool forceDNS	'config' 'force_dns' '1'
-	config_get forceDNSPorts	'config' 'force_dns_port' '53 853'
-	dhcp_backup 'create'
-	config_load 'https-dns-proxy'
-	config_foreach start_instance 'https-dns-proxy'
-	if [ "$forceDNS" -ne 0 ]; then
-		procd_open_instance 'main'
-		procd_set_param command /bin/true
-		procd_set_param stdout 1
-		procd_set_param stderr 1
-		procd_open_data
-		json_add_array firewall
-		for c in $forceDNSPorts; do
-			if netstat -tuln | grep 'LISTEN' | grep ":${c}" >/dev/null 2>&1 || [ "$c" = "53" ]; then
-				json_add_object ""
-				json_add_string type redirect
-				json_add_string target DNAT
-				json_add_string src lan
-				json_add_string proto "tcp udp"
-				json_add_string src_dport "$c"
-				json_add_string dest_port "$c"
-				json_add_boolean reflection 0
-				json_close_object
-			else
-				json_add_object ""
-				json_add_string type rule
-				json_add_string src lan
-				json_add_string dest "*"
-				json_add_string proto "tcp udp"
-				json_add_string dest_port "$c"
-				json_add_string target REJECT
-				json_close_object
-			fi
-		done
-		json_close_array
-		procd_close_data
-		procd_close_instance
-	fi
-	if [ -n "$(uci -q changes dhcp)" ]; then
-		uci -q commit dhcp
-		[ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
-	fi
-}
-
-stop_service() {
-	config_load 'https-dns-proxy'
-	config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*'
-	dhcp_backup 'restore'
-	if [ -n "$(uci -q changes dhcp)" ]; then
-		uci -q commit dhcp
-		[ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
-	fi
-}
-
-service_triggers() {
-	procd_add_config_trigger "config.change" "https-dns-proxy" /etc/init.d/https-dns-proxy reload
-}
-
-service_started() { procd_set_config_changed firewall; }
-service_stopped() { procd_set_config_changed firewall; }
-
-dnsmasq_add_doh_server() {
-	local cfg="$1" address="$2" port="$3"
-	case $address in
-		0.0.0.0|::ffff:0.0.0.0) address='127.0.0.1';;
-		::) address='::1';;
-	esac
-	uci -q del_list "dhcp.${cfg}.server=${address}#${port}"
-	uci -q add_list "dhcp.${cfg}.server=${address}#${port}"
-}
-
-dnsmasq_create_server_backup() {
-	local cfg="$1"
-	local i
-	uci -q get "dhcp.${cfg}" >/dev/null || return 1
-	if ! uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
-		if [ -z "$(uci -q get "dhcp.${cfg}.noresolv")" ]; then
-			uci -q set "dhcp.${cfg}.noresolv=1"
-			uci -q set "dhcp.${cfg}.doh_backup_noresolv=-1"
-		elif [ "$(uci -q get "dhcp.${cfg}.noresolv")" != "1" ]; then
-			uci -q set "dhcp.${cfg}.noresolv=1"
-			uci -q set "dhcp.${cfg}.doh_backup_noresolv=0"
-		fi
-	fi
-	if ! uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
-		if [ -z "$(uci -q get "dhcp.${cfg}.server")" ]; then
-			uci -q add_list "dhcp.${cfg}.doh_backup_server="
-		fi
-		for i in $(uci -q get "dhcp.${cfg}.server"); do
-			uci -q add_list "dhcp.${cfg}.doh_backup_server=$i"
-			if [ "$i" = "$(echo "$i" | tr -d /\#)" ]; then
-				uci -q del_list "dhcp.${cfg}.server=$i"
-			fi
-		done
-		uci -q del_list "dhcp.${cfg}.server=127.0.0.1#5353"
-	fi
-	return 0
-}
-
-dnsmasq_restore_server_backup() {
-	local cfg="$1"
-	local i
-	uci -q get "dhcp.${cfg}" >/dev/null || return 0
-	if uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
-		if [ "$(uci -q get "dhcp.${cfg}.doh_backup_noresolv")" = "0" ]; then
-			uci -q set "dhcp.${cfg}.noresolv=0"
-		else 
-			uci -q del "dhcp.${cfg}.noresolv"
-		fi
-		uci -q del "dhcp.${cfg}.doh_backup_noresolv"
-	fi
-	if uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
-		uci -q del "dhcp.${cfg}.server"
-		for i in $(uci -q get "dhcp.${cfg}.doh_backup_server"); do
-			uci -q add_list "dhcp.${cfg}.server=$i"
-		done
-	uci -q del "dhcp.${cfg}.doh_backup_server"
-	fi
-}
-
-dhcp_backup() {
-	local i
-	config_load 'dhcp'
-	case "$1" in
-		create)
-			if [ "$dnsmasqConfig" = "*" ]; then
-				config_foreach dnsmasq_create_server_backup 'dnsmasq'
-			elif [ -n "$dnsmasqConfig" ]; then
-				for i in $dnsmasqConfig; do
-					dnsmasq_create_server_backup "@dnsmasq[${i}]" || \
-						dnsmasq_create_server_backup "$i"
-				done
-			fi
-			;;
-		restore)
-			config_foreach dnsmasq_restore_server_backup 'dnsmasq'
-			;;
-	esac
-}
--- a/https-dns-proxy/test.sh
+++ b/https-dns-proxy/test.sh
@ -1,3 +0,0 @@
-#!/bin/sh
-
-/etc/init.d/"$1" version 2>&1 | grep "$2"
--- a/iperf3/Makefile
+++ b/iperf3/Makefile
@ -8,15 +8,16 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=iperf
-PKG_VERSION:=3.14
-PKG_RELEASE:=10
+PKG_VERSION:=3.18
+PKG_RELEASE:=1

-PKG_SOURCE:=$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/esnet/iperf/archive/refs/tags/
-PKG_HASH:=bbafa2c9687f0f7fe00947dc779b83c91663911e22460005c0ad4623797b3dbd
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://downloads.es.net/pub/iperf
+PKG_HASH:=c0618175514331e766522500e20c94bfb293b4424eb27d7207fb427b88d20bab

-PKG_MAINTAINER:=Yannick Chabanois <ycarus@zugaina.org>
+PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=BSD-3-Clause
+PKG_CPE_ID:=cpe:/a:es:iperf3

 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@ -37,24 +38,36 @@ endef
 define Package/iperf3
 $(call Package/iperf3/default)
  VARIANT:=nossl
+  DEPENDS:=+libiperf3
 endef

 define Package/iperf3-ssl
 $(call Package/iperf3/default)
  TITLE+= with iperf_auth support
  VARIANT:=ssl
-  DEPENDS:= +libopenssl
+  DEPENDS:=+libopenssl +libatomic
+  CONFLICTS:=iperf3
+endef
+
+define Package/libiperf3
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Internet Protocol bandwidth measuring library
+  URL:=https://github.com/esnet/iperf
+  DEPENDS+=+libatomic
 endef

 TARGET_CFLAGS += -D_GNU_SOURCE
-CONFIGURE_ARGS += --disable-shared
+TARGET_LDFLAGS += -latomic

 ifeq ($(BUILD_VARIANT),ssl)
-	CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr"
+	CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr" --disable-shared
 else
 	CONFIGURE_ARGS += --without-openssl
 endif

+CONFIGURE_ARGS += --without-sctp
+
 MAKE_FLAGS += noinst_PROGRAMS=

 define Package/iperf3/description
@ -63,6 +76,17 @@ define Package/iperf3/description
 characteristics.
 endef

+define Package/libiperf3/description
+ Libiperf is a library providing an API for iperf3 functionality.
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiperf.* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+endef
+
 # autoreconf fails if the README file isn't present
 define Build/Prepare
 	$(call Build/Prepare/Default)
@ -79,5 +103,11 @@ define Package/iperf3-ssl/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/
 endef

+define Package/libiperf3/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiperf.so.* $(1)/usr/lib
+endef
+
 $(eval $(call BuildPackage,iperf3))
 $(eval $(call BuildPackage,iperf3-ssl))
+$(eval $(call BuildPackage,libiperf3))
--- a/iperf3/patches/010-big-endian.patch
+++ b/iperf3/patches/010-big-endian.patch
@ -0,0 +1,21 @@
+From fe09305eb6f907e4eb637b8edd0c8a986187d1dd Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Sat, 8 Jun 2024 15:23:51 -0700
+Subject: [PATCH] fix crash under big endian musl
+
+iperf_printf is using an int format here but an int64_t variable. The format only needs the first 3 digits. Cast to int to fix it.
+---
+ src/iperf_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/iperf_api.c
+++ b/src/iperf_api.c
+@@ -4137,7 +4137,7 @@ iperf_print_results(struct iperf_test *t
+                                 iperf_printf(test, report_sender_not_available_summary_format, "SUM");
+                         }
+                         else {
+-                          iperf_printf(test, report_sum_bw_retrans_format, mbuf, start_time, sender_time, ubuf, nbuf, total_retransmits, report_sender);
+                          iperf_printf(test, report_sum_bw_retrans_format, mbuf, start_time, sender_time, ubuf, nbuf, (int)total_retransmits, report_sender);
+                         }
+                 } else {
+                     /* Summary sum, TCP without retransmits. */
--- a/iperf3/patches/add-MPTCP-support.patch
+++ b/iperf3/patches/add-MPTCP-support.patch
@ -1,208 +1,266 @@
-From 26b066b9d4e92442d55950689dbd9fd101b429a7 Mon Sep 17 00:00:00 2001
-From: Paolo Abeni <pabeni@redhat.com>
-Date: Mon, 14 Jun 2021 16:13:02 +0200
-Subject: [PATCH] Add MPTCP support with the --multipath flag
+From cf75cf46785871330717a6d2c889abeb7bbd7bfd Mon Sep 17 00:00:00 2001
+From: Geliang Tang <geliang@kernel.org>
+Date: Wed, 6 Mar 2024 11:23:33 +0800
+Subject: [PATCH] add MPTCPv1 support

-Also available with the short option '-m'.
-The MPTCP protocol is really a TCP variant, so this change
-does not implement a new 'struct protocol'. Instead it just
-extend the TCP support to optionally enable multipath.
+The Multipath TCP (MPTCP) protocol (v1 / RFC 8684) has been added in
+the upstream Linux kernel since v5.6.

-The only required dependency is IPPROTO_MPTCP definition,
-which should be provided by the netinet/in.h header.
-To keep things simple, just conditionally provide the required
-protocol, if the system header does not have it yet
+MPTCP is strongly tied to TCP, and the kernel APIs are almost the same.
+The only required dependency is the 'IPPROTO_MPTCP' protocol number
+definition, which should be provided by the netinet/in.h header if it
+is recent enough.
+
+This patch adds a new flag '-m' or '--mptcp' to support MPTCPv1. It can
+be used like this:
+
+ > iperf3 -m -s
+ > iperf3 -m -c 127.0.0.1
+
+If IPPROTO_MPTCP is not supported by the kernel being tested, it is
+normal to fail because the feature is not available and the user
+explicitly asked to use MPTCP.
+
+Closes: https://github.com/esnet/iperf/pull/1659
+Co-developed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Geliang Tang <geliang@kernel.org>
 ---
+ configure.ac       | 12 ++++++++++++
 src/iperf.h        |  1 +
 src/iperf3.1       |  4 ++++
- src/iperf_api.c    | 11 ++++++++++-
- src/iperf_locale.c |  1 +
+ src/iperf_api.c    | 19 ++++++++++++++++++-
+ src/iperf_locale.c |  3 +++
 src/iperf_tcp.c    | 18 +++++++++++++++---
- 5 files changed, 31 insertions(+), 4 deletions(-)
+ src/net.c          | 10 +++++-----
+ src/net.h          |  2 +-
+ 8 files changed, 59 insertions(+), 10 deletions(-)

+diff --git a/configure.ac b/configure.ac
+index 66c1e97a5..22c2a95cf 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -337,6 +337,18 @@ if test "x$iperf3_cv_header_tcp_info_snd_wnd" = "xyes"; then
+   AC_DEFINE([HAVE_TCP_INFO_SND_WND], [1], [Have tcpi_snd_wnd field in tcp_info.])
+ fi
+ 
+# Check for IPPROTO_MPTCP (Linux)
+AC_CACHE_CHECK([MPTCP protocol],
+[iperf3_cv_header_ipproto_mptcp],
+AC_COMPILE_IFELSE(
+  [AC_LANG_PROGRAM([[#include <netinet/in.h>]],
+		   [[int foo = IPPROTO_MPTCP;]])],
+  iperf3_cv_header_ipproto_mptcp=yes,
+  iperf3_cv_header_ipproto_mptcp=no))
+if test "x$iperf3_cv_header_ipproto_mptcp" = "xyes"; then
+    AC_DEFINE([HAVE_IPPROTO_MPTCP], [1], [Have MPTCP protocol.])
+fi
+
+ # Check if we need -lrt for clock_gettime
+ AC_SEARCH_LIBS(clock_gettime, [rt posix4])
+ # Check for clock_gettime support
 diff --git a/src/iperf.h b/src/iperf.h
-index 3fc91d0c0..e753df944 100644
+index 202d3016f..4043031b3 100644
 --- a/src/iperf.h
 +++ b/src/iperf.h
-@@ -315,6 +315,7 @@ struct iperf_test
-     int	      udp_counters_64bit;		/* --use-64-bit-udp-counters */
-     int       forceflush; /* --forceflush - flushing output at every interval */
-     int	      multisend;
-+    int	      multipath;			/* -m option - multi-path variant */
+@@ -353,6 +353,7 @@ struct iperf_test
     int	      repeating_payload;                /* --repeating-payload */
     int       timestamps;			/* --timestamps */
     char     *timestamp_format;
+    int       mptcp;				/* -m, --mptcp */
+ 
+     char     *json_output_string; /* rendered JSON output if json_output is set */
+     /* Select related parameters */
 diff --git a/src/iperf3.1 b/src/iperf3.1
-index f5eef6eb3..205a8337e 100644
+index f8eff48d2..9e425cabc 100644
 --- a/src/iperf3.1
 +++ b/src/iperf3.1
-@@ -228,6 +228,10 @@ run in client mode, connecting to the specified server.
- By default, a test consists of sending data from the client to the
- server, unless the \-R flag is specified.
+@@ -202,6 +202,10 @@ iperf-3.17, OAEP padding is used, however this is a breaking change
+ that is not compatible with older iperf3 versions.  Use this option to
+ preserve the less secure, but more compatible, behavior.
 .TP
-+.BR -m ", " --multipath " "
-+use multipath variant for the current protocol. This only applies to
+.BR -m ", " --mptcp " "
+use mptcp variant for the current protocol. This only applies to
 +TCP and enables MPTCP usage.
 +.TP
- .BR --sctp
- use SCTP rather than TCP (FreeBSD and Linux)
- .TP
+ .BR -d ", " --debug " "
+ emit debugging output.
+ Primarily (perhaps exclusively) of use to developers.
 diff --git a/src/iperf_api.c b/src/iperf_api.c
-index f8f2321ec..bea53e397 100644
+index fa06dc830..419b48657 100644
 --- a/src/iperf_api.c
 +++ b/src/iperf_api.c
-@@ -1007,7 +1007,8 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
- 	{"connect-timeout", required_argument, NULL, OPT_CONNECT_TIMEOUT},
+@@ -1149,6 +1149,9 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
         {"idle-timeout", required_argument, NULL, OPT_IDLE_TIMEOUT},
         {"rcv-timeout", required_argument, NULL, OPT_RCV_TIMEOUT},
         {"snd-timeout", required_argument, NULL, OPT_SND_TIMEOUT},
-+        {"multipath", no_argument, NULL, 'm'},
+#if defined(HAVE_IPPROTO_MPTCP)
+        {"mptcp", no_argument, NULL, 'm'},
+#endif
         {"debug", optional_argument, NULL, 'd'},
         {"help", no_argument, NULL, 'h'},
         {NULL, 0, NULL, 0}
-@@ -1030,7 +1031,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
-     char *client_username = NULL, *client_rsa_public_key = NULL, *server_rsa_private_key = NULL;
+@@ -1174,7 +1177,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
+     FILE *ptr_file;
 #endif /* HAVE_SSL */
 
 -    while ((flag = getopt_long(argc, argv, "p:f:i:D1VJvsc:ub:t:n:k:l:P:Rw:B:M:N46S:L:ZO:F:A:T:C:dI:hX:", longopts, NULL)) != -1) {
-+    while ((flag = getopt_long(argc, argv, "p:f:i:D1VJvsc:ub:t:n:k:l:P:Rw:B:mM:N46S:L:ZO:F:A:T:C:dI:hX:", longopts, NULL)) != -1) {
+    while ((flag = getopt_long(argc, argv, "p:f:i:D1VJvsc:ub:t:n:k:l:P:Rw:B:M:N46S:L:ZO:F:A:T:C:dI:mhX:", longopts, NULL)) != -1) {
         switch (flag) {
             case 'p':
 		portno = atoi(optarg);
-@@ -1103,6 +1104,10 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
- 		iperf_set_test_role(test, 'c');
- 		iperf_set_test_server_hostname(test, optarg);
-                 break;
-+            case 'm':
-+                set_protocol(test, Ptcp);
-+                test->multipath = 1;
-+                break;
-             case 'u':
-                 set_protocol(test, Pudp);
+@@ -1647,6 +1650,12 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
+ 		test->settings->connect_timeout = unit_atoi(optarg);
 		client_flag = 1;
-@@ -2000,6 +2005,8 @@ send_parameters(struct iperf_test *test)
+ 		break;
+#if defined(HAVE_IPPROTO_MPTCP)
+	    case 'm':
+		set_protocol(test, Ptcp);
+		test->mptcp = 1;
+		break;
+#endif
+ 	    case 'h':
+ 		usage_long(stdout);
+ 		exit(0);
+@@ -2259,6 +2268,10 @@ send_parameters(struct iperf_test *test)
 	    cJSON_AddTrueToObject(j, "reverse");
 	if (test->bidirectional)
 	            cJSON_AddTrueToObject(j, "bidirectional");
-+	if (test->multipath)
-+	    cJSON_AddTrueToObject(j, "multipath");
+#if defined(HAVE_IPPROTO_MPTCP)
+	if (test->mptcp)
+	    cJSON_AddTrueToObject(j, "mptcp");
+#endif
 	if (test->settings->socket_bufsize)
 	    cJSON_AddNumberToObject(j, "window", test->settings->socket_bufsize);
 	if (test->settings->blksize)
-@@ -2112,6 +2119,8 @@ get_parameters(struct iperf_test *test)
+@@ -2375,6 +2388,10 @@ get_parameters(struct iperf_test *test)
 	    iperf_set_test_reverse(test, 1);
-         if ((j_p = cJSON_GetObjectItem(j, "bidirectional")) != NULL)
+         if ((j_p = iperf_cJSON_GetObjectItemType(j, "bidirectional", cJSON_True)) != NULL)
             iperf_set_test_bidirectional(test, 1);
-+	if ((j_p = cJSON_GetObjectItem(j, "multipath")) != NULL)
-+	    test->multipath = 1;
- 	if ((j_p = cJSON_GetObjectItem(j, "window")) != NULL)
+#if defined(HAVE_IPPROTO_MPTCP)
+	if ((j_p = iperf_cJSON_GetObjectItemType(j, "mptcp", cJSON_True)) != NULL)
+	    test->mptcp = 1;
+#endif
+ 	if ((j_p = iperf_cJSON_GetObjectItemType(j, "window", cJSON_Number)) != NULL)
 	    test->settings->socket_bufsize = j_p->valueint;
- 	if ((j_p = cJSON_GetObjectItem(j, "len")) != NULL)
+ 	if ((j_p = iperf_cJSON_GetObjectItemType(j, "len", cJSON_Number)) != NULL)
 diff --git a/src/iperf_locale.c b/src/iperf_locale.c
-index e1e9dc5b6..a70bd73b9 100644
+index 32883da84..f1d89e298 100644
 --- a/src/iperf_locale.c
 +++ b/src/iperf_locale.c
-@@ -146,6 +146,7 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
-                            "  --nstreams      #         number of SCTP streams\n"
- #endif /* HAVE_SCTP_H */
-                            "  -u, --udp                 use UDP rather than TCP\n"
-+                           "  -m, --multipath           use MPTCP rather than plain TCP\n"
-                            "  --connect-timeout #       timeout for control connection setup (ms)\n"
-                            "  -b, --bitrate #[KMG][/#]  target bitrate in bits/sec (0 for unlimited)\n"
-                            "                            (default %d Mbit/sec for UDP, unlimited for TCP)\n"
--- a/src/iperf_tcp.c	2023-07-07 23:47:41.000000000 +0200
-+++ b/src/iperf_tcp.c	2023-08-01 14:53:57.832072168 +0200
-@@ -44,6 +44,10 @@
- #include "net.h"
- #include "cjson.h"
- 
-+#ifndef IPPROTO_MPTCP
-+#define IPPROTO_MPTCP 262
+@@ -128,6 +128,9 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
+                            "  --snd-timeout #           timeout for unacknowledged TCP data\n"
+                            "                            (in ms, default is system settings)\n"
+ #endif /* HAVE_TCP_USER_TIMEOUT */
+#if defined(HAVE_IPPROTO_MPTCP)
+                           "  -m, --mptcp               use MPTCP rather than plain TCP\n"
 +#endif
-+
- #if defined(HAVE_FLOWLABEL)
- #include "flowlabel.h"
- #endif /* HAVE_FLOWLABEL */
-@@ -154,6 +158,7 @@
-     socklen_t optlen;
-     int saved_errno;
-     int rcvbuf_actual, sndbuf_actual;
-+    int protocol = 0;
- 
-     s = test->listener;
- 
-@@ -166,7 +171,7 @@
+                            "  -d, --debug[=#]           emit debugging output\n"
+                            "                            (optional optional \"=\" and debug level: 1-4. Default is 4 - all messages)\n"
+                            "  -v, --version             show version information and quit\n"
+diff --git a/src/iperf_tcp.c b/src/iperf_tcp.c
+index 481c09dc8..2c10d7df5 100644
+--- a/src/iperf_tcp.c
+++ b/src/iperf_tcp.c
+@@ -184,9 +184,10 @@ iperf_tcp_listen(struct iperf_test *test)
      *
      * It's not clear whether this is a requirement or a convenience.
      */
 -    if (test->no_delay || test->settings->mss || test->settings->socket_bufsize) {
-+    if (test->multipath || test->no_delay || test->settings->mss || test->settings->socket_bufsize) {
+    if (test->no_delay || test->mptcp || test->settings->mss || test->settings->socket_bufsize) {
 	struct addrinfo hints, *res;
 	char portstr[6];
+	int proto = 0;
 
-@@ -194,7 +199,10 @@
+         FD_CLR(s, &test->read_set);
+         close(s);
+@@ -212,7 +213,12 @@ iperf_tcp_listen(struct iperf_test *test)
             return -1;
         }
 
 -        if ((s = socket(res->ai_family, SOCK_STREAM, 0)) < 0) {
-+        if (test->multipath)
-+            protocol = IPPROTO_MPTCP;
+#if defined(HAVE_IPPROTO_MPTCP)
+        if (test->mptcp)
+	    proto = IPPROTO_MPTCP;
+#endif
 +
-+        if ((s = socket(res->ai_family, SOCK_STREAM, protocol)) < 0) {
+        if ((s = socket(res->ai_family, SOCK_STREAM, proto)) < 0) {
 	    freeaddrinfo(res);
             i_errno = IESTREAMLISTEN;
             return -1;
-@@ -374,8 +382,12 @@
+@@ -380,8 +386,14 @@ iperf_tcp_connect(struct iperf_test *test)
     socklen_t optlen;
     int saved_errno;
     int rcvbuf_actual, sndbuf_actual;
-+    int protocol = 0;
+    int proto = 0;
 +
-+    if (test->multipath)
-+	protocol = IPPROTO_MPTCP;
+#if defined(HAVE_IPPROTO_MPTCP)
+    if (test->mptcp)
+        proto = IPPROTO_MPTCP;
+#endif
 
 -    s = create_socket(test->settings->domain, SOCK_STREAM, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res);
-+    s = create_socket(test->settings->domain, SOCK_STREAM, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res, protocol);
+    s = create_socket(test->settings->domain, SOCK_STREAM, proto, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res);
     if (s < 0) {
 	i_errno = IESTREAMCONNECT;
 	return -1;
--- a/src/net.c	2023-08-01 14:54:14.175802546 +0200
-+++ b/src/net.c	2023-08-01 14:54:40.831362812 +0200
-@@ -121,7 +121,7 @@
+diff --git a/src/net.c b/src/net.c
+index b693ea7fb..febf20885 100644
+--- a/src/net.c
+++ b/src/net.c
+@@ -124,7 +124,7 @@ timeout_connect(int s, const struct sockaddr *name, socklen_t namelen,
 
 /* create a socket */
 int
 -create_socket(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out)
-+create_socket(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out, int protocol)
+create_socket(int domain, int type, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out)
 {
     struct addrinfo hints, *local_res = NULL, *server_res = NULL;
     int s, saved_errno;
-@@ -145,7 +145,7 @@
+@@ -133,14 +133,14 @@ create_socket(int domain, int proto, const char *local, const char *bind_dev, in
+     if (local) {
+         memset(&hints, 0, sizeof(hints));
+         hints.ai_family = domain;
+-        hints.ai_socktype = proto;
+        hints.ai_socktype = type;
+         if ((gerror = getaddrinfo(local, NULL, &hints, &local_res)) != 0)
+             return -1;
+     }
+ 
+     memset(&hints, 0, sizeof(hints));
+     hints.ai_family = domain;
+-    hints.ai_socktype = proto;
+    hints.ai_socktype = type;
+     snprintf(portstr, sizeof(portstr), "%d", port);
+     if ((gerror = getaddrinfo(server, portstr, &hints, &server_res)) != 0) {
+ 	if (local)
+@@ -148,7 +148,7 @@ create_socket(int domain, int proto, const char *local, const char *bind_dev, in
         return -1;
     }
 
 -    s = socket(server_res->ai_family, proto, 0);
-+    s = socket(server_res->ai_family, proto, protocol);
+    s = socket(server_res->ai_family, type, proto);
     if (s < 0) {
 	if (local)
 	    freeaddrinfo(local_res);
-@@ -235,7 +235,7 @@
+@@ -238,7 +238,7 @@ netdial(int domain, int proto, const char *local, const char *bind_dev, int loca
     struct addrinfo *server_res = NULL;
     int s, saved_errno;
 
 -    s = create_socket(domain, proto, local, bind_dev, local_port, server, port, &server_res);
-+    s = create_socket(domain, proto, local, bind_dev, local_port, server, port, &server_res, 0);
+    s = create_socket(domain, proto, 0, local, bind_dev, local_port, server, port, &server_res);
     if (s < 0) {
       return -1;
     }
--- a/src/net.h	2023-08-01 15:01:58.208159540 +0200
-+++ b/src/net.h	2023-08-01 15:00:46.521337885 +0200
+diff --git a/src/net.h b/src/net.h
+index 859c52cef..fb78d289b 100644
+--- a/src/net.h
+++ b/src/net.h
@@ -28,7 +28,7 @@
 #define __NET_H
 
 int timeout_connect(int s, const struct sockaddr *name, socklen_t namelen, int timeout);
 -int create_socket(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out);
-+int create_socket(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out, int protocol);
+int create_socket(int domain, int type, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, struct addrinfo **server_res_out);
 int netdial(int domain, int proto, const char *local, const char *bind_dev, int local_port, const char *server, int port, int timeout);
 int netannounce(int domain, int proto, const char *local, const char *bind_dev, int port);
 int Nread(int fd, char *buf, size_t count, int prot);
--- a/iperf3/patches/add-sock5-proxy-tcp-support.patch
+++ b/iperf3/patches/add-sock5-proxy-tcp-support.patch
@ -0,0 +1,552 @@
+From 197d8ba733f0502985abb5b0a22bf9f71c2596a7 Mon Sep 17 00:00:00 2001
+From: David Bar-On <david.cdb004@gmail.com>
+Date: Mon, 25 Mar 2024 22:11:49 +0200
+Subject: [PATCH] Add SOCKS5 Proxy support for TCP
+
+---
+ src/iperf.h            |   8 ++
+ src/iperf_api.c        | 250 ++++++++++++++++++++++++++++++++++++++++-
+ src/iperf_api.h        |  13 ++-
+ src/iperf_client_api.c |  27 ++++-
+ src/iperf_error.c      |  10 ++
+ src/iperf_locale.c     |   2 +
+ src/iperf_tcp.c        |  22 +++-
+ 7 files changed, 323 insertions(+), 9 deletions(-)
+
+diff --git a/src/iperf.h b/src/iperf.h
+index dc3c0d1df..9823dc180 100644
+--- a/src/iperf.h
+++ b/src/iperf.h
+@@ -343,6 +343,14 @@ struct iperf_test
+     int       timestamps;			/* --timestamps */
+     char     *timestamp_format;
+ 
+    char     *socks5_host;                      /* --socks5 option */
+    uint16_t  socks5_port;                      /* --socks5 option optional value */
+    char     *socks5_username;                  /* --socks5 option optional value */
+    char     *socks5_password;                  /* --socks5 option optional value */
+    char      socks5_bind_atyp;                 /* from socks5 CONNECT response ATYP */
+    char     *socks5_bind_host;                 /* from socks5 CONNECT response BIND.ADDR*/
+    uint16_t  socks5_bind_port;                 /* from socks5 CONNECT response BIND.PORT */
+
+     char     *json_output_string; /* rendered JSON output if json_output is set */
+     /* Select related parameters */
+     int       max_fd;
+diff --git a/src/iperf_api.c b/src/iperf_api.c
+index 4765d4e97..ca47f708d 100644
+--- a/src/iperf_api.c
+++ b/src/iperf_api.c
+@@ -115,7 +115,7 @@ usage()
+ void
+ usage_long(FILE *f)
+ {
+-    fprintf(f, usage_longstr, DEFAULT_NO_MSG_RCVD_TIMEOUT, UDP_RATE / (1024*1024), DEFAULT_PACING_TIMER, DURATION, DEFAULT_TCP_BLKSIZE / 1024, DEFAULT_UDP_BLKSIZE);
+    fprintf(f, usage_longstr, DEFAULT_NO_MSG_RCVD_TIMEOUT, UDP_RATE / (1024*1024), DEFAULT_PACING_TIMER, DURATION, DEFAULT_TCP_BLKSIZE / 1024, DEFAULT_UDP_BLKSIZE, SOCKS5_DEFAULT_PORT);
+ }
+ 
+ 
+@@ -1100,6 +1100,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
+         {"version6", no_argument, NULL, '6'},
+         {"tos", required_argument, NULL, 'S'},
+         {"dscp", required_argument, NULL, OPT_DSCP},
+        {"socks5", required_argument, NULL, OPT_SOCKS5},
+ 	{"extra-data", required_argument, NULL, OPT_EXTRA_DATA},
+ #if defined(HAVE_FLOWLABEL)
+         {"flowlabel", required_argument, NULL, 'L'},
+@@ -1157,7 +1158,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
+     char* comma;
+ #endif /* HAVE_CPU_AFFINITY */
+     char* slash;
+-    char *p, *p1;
+    char *p, *p1, *p2;
+     struct xbind_entry *xbe;
+     double farg;
+     int rcv_timeout_in = 0;
+@@ -1433,6 +1434,47 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
+ 		}
+ 		client_flag = 1;
+                 break;
+	    case OPT_SOCKS5: // Format: "[username:password@]<host addr/fqdn>[:port]"
+                if (strlen(optarg) <= 0) {
+                    i_errno = IESOCKS5HOST;
+                    return -1;
+                }
+                p1 = strtok(optarg, "@"); // p1 -> user:password
+                if (p1 == NULL) {
+                    i_errno = IESOCKS5HOST;
+                    return -1;
+                }
+                p = strtok(NULL, "@"); // p -> host[:port]
+                if (p == NULL) {
+                    p = p1;
+                    p1 = NULL;
+                }
+                p2 = strtok(p, ":"); // parse host[:port]
+                if (strlen(p2) <= 0) {
+                    i_errno = IESOCKS5HOST;
+                    return -1;
+                }
+                test->socks5_host = strdup(p2);
+                p2 = strtok(NULL, ":");
+                if (p2 && strlen(p2) > 0) {
+                    test->socks5_port = atoi(p2);
+                }
+                if (p1) { // parse user:password
+                    p2 = strtok(p1, ":");
+                    if (strlen(p2) <= 0 || strlen(p2) > 255) {
+                        i_errno = IESOCKS5HOST;
+                        return -1;
+                    }
+                    test->socks5_username = strdup(p2);
+                    p2 = strtok(NULL, ":");
+                    if (!p2 || strlen(p2) <= 0 || strlen(p2) > 255) {
+                        i_errno = IESOCKS5HOST;
+                        return -1;
+                    }
+                    test->socks5_password = strdup(p2);
+                }
+		client_flag = 1;
+                break;
+ 	    case OPT_EXTRA_DATA:
+ 		test->extra_data = strdup(optarg);
+ 		client_flag = 1;
+@@ -1740,6 +1782,12 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
+         return -1;
+     }
+ 
+    // SOCKS5 Proxy is supported only for TCP
+    if(test->role == 'c' && test->socks5_host && test->protocol->id != Ptcp) {
+        i_errno = IESOCKS5RTCPONLY;
+        return -1;
+    }
+
+     if (blksize == 0) {
+ 	if (test->protocol->id == Pudp)
+ 	    blksize = 0;	/* try to dynamically determine from MSS */
+@@ -2943,6 +2991,12 @@ iperf_defaults(struct iperf_test *testp)
+     testp->stats_interval = testp->reporter_interval = 1;
+     testp->num_streams = 1;
+ 
+    testp->socks5_host = NULL;
+    testp->socks5_port = SOCKS5_DEFAULT_PORT;
+    testp->socks5_username = NULL;
+    testp->socks5_password = NULL;
+    testp->socks5_bind_host = NULL;
+
+     testp->settings->domain = AF_UNSPEC;
+     testp->settings->unit_format = 'a';
+     testp->settings->socket_bufsize = 0;    /* use autotuning */
+@@ -3100,6 +3154,14 @@ iperf_free_test(struct iperf_test *test)
+ 	free(test->remote_congestion_used);
+     if (test->timestamp_format)
+ 	free(test->timestamp_format);
+    if (test->socks5_host)
+	free(test->socks5_host);
+    if (test->socks5_username)
+	free(test->socks5_username);
+    if (test->socks5_password)
+	free(test->socks5_password);
+    if (test->socks5_bind_host)
+	free(test->socks5_bind_host);
+     if (test->omit_timer != NULL)
+ 	tmr_cancel(test->omit_timer);
+     if (test->timer != NULL)
+@@ -3289,6 +3351,23 @@ iperf_reset_test(struct iperf_test *test)
+ 	free(test->extra_data);
+ 	test->extra_data = NULL;
+     }
+    if (test->socks5_host) {
+	free(test->socks5_host);
+	test->socks5_host = NULL;
+    }
+    test->socks5_port = SOCKS5_DEFAULT_PORT;
+    if (test->socks5_username) {
+	free(test->socks5_username);
+	test->socks5_username = NULL;
+    }
+    if (test->socks5_password) {
+	free(test->socks5_password);
+	test->socks5_password = NULL;
+    }
+    if (test->socks5_bind_host) {
+	free(test->socks5_bind_host);
+	test->socks5_bind_host = NULL;
+    }
+ 
+     /* Free output line buffers, if any (on the server only) */
+     struct iperf_textline *t;
+@@ -4614,6 +4693,173 @@ iperf_add_stream(struct iperf_test *test, struct iperf_stream *sp)
+     }
+ }
+ 
+/**************************************************************************/
+
+/* iperf_socks5_handshake
+ *
+ * Handshake with a SOCKS5 Proxy per RFC1928, RFC1929
+ */
+int
+iperf_socks5_handshake(struct iperf_test *test, int s) {
+    char req[1024];
+    char res[1024];
+    char selected_mthod;
+    char *p, *p1;
+    size_t len;
+    int ret;
+    uint16_t net_order_short;
+
+    // Send method selection request [RFC1928]
+    p = req;
+    *p++ = 5; // VERSION
+    if (test->socks5_username) // Number of METHODs supported
+        *p++ = 2;
+    else
+        *p++ = 1;
+    *p++ = 0; // NO AUTHENTICATION REQUIRED
+    if (test->socks5_username) *p++ = 2; // USERNAME/PASSWORD
+    if (Nwrite(s, req, p - req, Ptcp) < 0) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Writing SOCKS5 auth methods message failed\n");
+        return -1;
+    }
+
+    // Receive selected method
+    if (Nread(s, res, 2, Ptcp) != 2) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Reading selected SOCKS5 method message failed\n");
+        return -1;
+    }
+
+    selected_mthod = res[1];
+    if (res[0] != 5 || (selected_mthod != 0 && selected_mthod != 2)) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Ilegal SOCKS5 method selection response: version=%d, auth method=%d\n", res[0], selected_mthod);
+        return -1;
+    }
+    if (test->debug) {
+        iperf_printf(test, "SOCKS5 server selected authentication method %d\n", selected_mthod);
+    }
+
+    // Send Username/Password request and receive the auth response [RFC1929]
+    if (selected_mthod == 2) {
+        p = req;
+        *p++ = 1; // VERSION
+        len = strlen(test->socks5_username);
+        *p++ = len;
+        memcpy(p, test->socks5_username, len); // USERNAME
+        p += len;
+        len = strlen(test->socks5_password);
+        *p++ = len;
+        memcpy(p, test->socks5_password, len); // PASSWORD
+        p += len;
+
+        if (Nwrite(s, req, p - req, Ptcp) < 0) {
+            i_errno = IESOCKS5HANDSHAKE;
+            iperf_err(test, "Writing SOCKS5 Username/Password request message failed\n");
+            return -1;
+        }
+
+        if ((ret = Nread(s, res, 2, Ptcp)) != 2) {
+            i_errno = IESOCKS5HANDSHAKE;
+            iperf_err(test, "Reading SOCKS5 Username/Password response failed;  Returned %d\n", ret);
+            return -1;
+        }
+        if (res[1] != 0) {
+            i_errno = IESOCKS5HANDSHAKE;
+            iperf_err(test, "SOCKS5 Username/Password failed with error %d\n", res[1]);
+            return -1;
+        }
+    }
+
+    // Send CONNECT request [RFC1928]
+    p = req;
+    *p++ = 5; // VERSION
+    *p++ = 1; // CMD = CONNECT
+    *p++ = 0; // RESERVED
+    *p++ = 3; // ATYPE = DOMAINNAME:
+    len = strlen(test->server_hostname);
+    if (len > 255) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "iperf3 host option length is limited to 255 chars when SOCKS5 is used\n");
+        return -1;
+    }
+    *p++ = len;
+    memcpy(p, test->server_hostname, len); // ADDR
+    p += len;
+    net_order_short = htons(test->server_port);
+    p1 = (char *)&net_order_short;
+    *p++ = *p1++; // PORT
+    *p++ = *p1;
+    if (Nwrite(s, req, p - req, Ptcp) < 0) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Writing SOCKS5 CONNECT message failed\n");
+        return -1;
+    }
+
+    //  Read CONNECT response [RFC1928]
+    if ((ret = Nread(s, res, 4, Ptcp)) != 4) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Reading SOCKS5 CONNECT response failed;  Returned %d\n", ret);
+        return -1;
+    }
+
+    if (res[0] != 5 || res[1] != 0 || res[2] != 0) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "SOCKS5 CONNECT failed with error %d\n", res[1]);
+        return -1;
+    }
+  
+    // Get BND.ADDR length
+    test->socks5_bind_atyp = res[3]; // ATYP
+    switch (test->socks5_bind_atyp) {
+        case 1: // IP V4 address
+            len = 4;
+            break;
+        case 3: // DOMAINNAME:
+            if ((ret = read(s, res, 1)) != 1) {
+                i_errno = IESOCKS5HANDSHAKE;
+                iperf_err(test, "Failed to read SOCKS5 CONNECT response BND.ADDR length;  Returned %d\n", ret);
+                return -1;
+            }
+            len = (unsigned char)res[0];
+            break;
+        case 4: // IP V6 address
+            len = 16;
+            break;
+        default:
+            i_errno = IESOCKS5HANDSHAKE;
+            iperf_err(test, "Illegal SOCKS5 CONNECT response ATYP %d\n", res[3]);
+            return -1;
+    }
+    // Read BND.ADDR
+    if ((ret = Nread(s, res, len, Ptcp)) != len) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Failed to read SOCKS5 detailes BND.ADDR;  Returned %d\n", ret);
+        return -1;
+    }
+    res[len] = '\0';
+    test->socks5_bind_host = strdup(res);
+    // Read BND.PORT
+    if ((ret = Nread(s, res, 2, Ptcp)) != 2) {
+        i_errno = IESOCKS5HANDSHAKE;
+        iperf_err(test, "Failed to read SOCKS5 detailes BND.PORT;  Returned %d\n", ret);
+        return -1;
+    }
+    p1 = (char *)&net_order_short;
+    *p1++ = res[0];
+    *p1 = res[1];
+    test->socks5_bind_port = ntohs(net_order_short);
+    if (test->debug) {
+        iperf_printf(test, "SOCKS5 server BIND ADDR type=%d, PORT=%d\n", test->socks5_bind_atyp, test->socks5_bind_port);
+    }
+
+    return 0;
+}
+
+/**************************************************************************/
+
+
+ /* This pair of routines gets inserted into the snd/rcv function pointers
+ ** when there's a -F flag. They handle the file stuff and call the real
+ ** snd/rcv functions, which have been saved in snd2/rcv2.
+diff --git a/src/iperf_api.h b/src/iperf_api.h
+index d2bbdfe96..01d63bf5e 100644
+--- a/src/iperf_api.h
+++ b/src/iperf_api.h
+@@ -68,6 +68,7 @@ typedef atomic_uint_fast64_t atomic_iperf_size_t;
+ #define DEFAULT_PACING_TIMER 1000
+ #define DEFAULT_NO_MSG_RCVD_TIMEOUT 120000
+ #define MIN_NO_MSG_RCVD_TIMEOUT 100
+#define SOCKS5_DEFAULT_PORT 1080
+ 
+ #define WARN_STR_LEN 128
+ 
+@@ -100,7 +101,8 @@ typedef atomic_uint_fast64_t atomic_iperf_size_t;
+ #define OPT_RCV_TIMEOUT 27
+ #define OPT_JSON_STREAM 28
+ #define OPT_SND_TIMEOUT 29
+ #define OPT_USE_PKCS1_PADDING 30
+#define OPT_SOCKS5 31
+ 
+ /* states */
+ #define TEST_START 1
+@@ -308,6 +310,12 @@ void      iperf_free_stream(struct iperf_stream * sp);
+  */
+ int       iperf_common_sockopts(struct iperf_test *, int s);
+ 
+/**
+ * iperf_socks5_handshake - handshake with a SOCKS5 Proxy per RFC1928, RFC1929
+ * 
+ */
+int iperf_socks5_handshake(struct iperf_test *test, int s);
+
+ int has_tcpinfo(void);
+ int has_tcpinfo_retransmits(void);
+ void save_tcpinfo(struct iperf_stream *sp, struct iperf_interval_results *irp);
+@@ -419,6 +427,8 @@ enum {
+     IESNDTIMEOUT = 33,      // Illegal message send timeout
+     IEUDPFILETRANSFER = 34, // Cannot transfer file using UDP
+     IESERVERAUTHUSERS = 35,   // Cannot access authorized users file
+    IESOCKS5HOST = 36,      // Illegal SOCKS5 host / creadentials
+    IESOCKS5RTCPONLY = 37,   // SOCKS5 Proxy is supported only for TCP
+     /* Test errors */
+     IENEWTEST = 100,        // Unable to create a new test (check perror)
+     IEINITTEST = 101,       // Test initialization failed (check perror)
+@@ -473,8 +483,9 @@ enum {
+     IEPTHREADCANCEL=151,        // Unable to cancel thread (check perror)
+     IEPTHREADJOIN=152,		// Unable to join thread (check perror)
+     IEPTHREADATTRINIT=153,      // Unable to initialize thread attribute (check perror)
+     IEPTHREADATTRDESTROY=154,      // Unable to destroy thread attribute (check perror)
+     IEPTHREADSIGMASK=155,      // Unable to initialize sub thread signal mask (check perror)
+    IESOCKS5HANDSHAKE = 156,    // SOCKS5 Handshake with the server failed
+     /* Stream errors */
+     IECREATESTREAM = 200,   // Unable to create a new stream (check herror/perror)
+     IEINITSTREAM = 201,     // Unable to initialize stream (check herror/perror)
+diff --git a/src/iperf_client_api.c b/src/iperf_client_api.c
+index 7ad4c939b..670e3521d 100644
+--- a/src/iperf_client_api.c
+++ b/src/iperf_client_api.c
+@@ -385,6 +385,8 @@ iperf_connect(struct iperf_test *test)
+ {
+     int opt;
+     socklen_t len;
+    const char *connect_server;
+    int connect_port;
+ 
+     if (NULL == test)
+     {
+@@ -397,12 +399,20 @@ iperf_connect(struct iperf_test *test)
+     make_cookie(test->cookie);
+ 
+     /* Create and connect the control channel */
+-    if (test->ctrl_sck < 0)
+-	// Create the control channel using an ephemeral port
+-	test->ctrl_sck = netdial(test->settings->domain, Ptcp, test->bind_address, test->bind_dev, 0, test->server_hostname, test->server_port, test->settings->connect_timeout);
+     if (test->ctrl_sck < 0) {
+-        i_errno = IECONNECT;
+-        return -1;
+        if (test->socks5_host) {
+            connect_server = test->socks5_host;
+            connect_port = test->socks5_port;
+        } else {
+            connect_server = test->server_hostname;
+            connect_port = test->server_port;
+        }
+	// Create the control channel using an ephemeral port
+	test->ctrl_sck = netdial(test->settings->domain, Ptcp, test->bind_address, test->bind_dev, 0, connect_server, connect_port, test->settings->connect_timeout);
+        if (test->ctrl_sck < 0) {
+            i_errno = IECONNECT;
+            return -1;
+        }
+     }
+ 
+     // set TCP_NODELAY for lower latency on control messages
+@@ -421,6 +431,13 @@ iperf_connect(struct iperf_test *test)
+     }
+ #endif /* HAVE_TCP_USER_TIMEOUT */
+ 
+    /* socks5 proxy handshake  */
+    if (test->socks5_host) {
+        if (0 != iperf_socks5_handshake(test, test->ctrl_sck)) {
+            return -1;
+        }
+    }
+
+     if (Nwrite(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
+         i_errno = IESENDCOOKIE;
+         return -1;
+diff --git a/src/iperf_error.c b/src/iperf_error.c
+index 6426554cf..a0bbb6844 100644
+--- a/src/iperf_error.c
+++ b/src/iperf_error.c
+@@ -216,6 +216,9 @@ iperf_strerror(int int_errno)
+         case IEUNIMP:
+             snprintf(errstr, len, "an option you are trying to set is not implemented yet");
+             break;
+        case IESOCKS5HOST:
+            snprintf(errstr, len, "ilegal SOCKS5 host / creadentials");
+            break;
+         case IEFILE:
+             snprintf(errstr, len, "unable to open -F file");
+             perr = 1;
+@@ -375,6 +378,9 @@ iperf_strerror(int int_errno)
+         case IEUDPFILETRANSFER:
+             snprintf(errstr, len, "cannot transfer file using UDP");
+             break;
+        case IESOCKS5RTCPONLY:
+            snprintf(errstr, len, "SOCKS5 Proxy is supported only for TCP");
+            break;
+         case IERVRSONLYRCVTIMEOUT:
+             snprintf(errstr, len, "client receive timeout is valid only in receiving mode");
+             perr = 1;
+@@ -507,6 +513,10 @@ iperf_strerror(int int_errno)
+             snprintf(errstr, len, "unable to destroy thread attributes");
+             perr = 1;
+             break;
+	case IESOCKS5HANDSHAKE:
+            snprintf(errstr, len, "socks5 Handshake with the server failed");
+            perr = 1;
+            break;
+ 	default:
+ 	    snprintf(errstr, len, "int_errno=%d", int_errno);
+ 	    perr = 1;
+diff --git a/src/iperf_locale.c b/src/iperf_locale.c
+index ae0f63a41..c8b9a71d1 100644
+--- a/src/iperf_locale.c
+++ b/src/iperf_locale.c
+@@ -194,6 +194,8 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
+                            "  --dscp N or --dscp val    set the IP dscp value, either 0-63 or symbolic.\n"
+                            "                            Numeric values can be specified in decimal,\n"
+                            "                            octal and hex (see --tos above).\n"
+                           "  --socks5 [user:password@]<proxy-host>[:port] use SOCKS5 Proxy for TCP connections,\n"
+                           "                            using no auth or user:password. Default Proxy port is %d \n"
+ #if defined(HAVE_FLOWLABEL)
+                            "  -L, --flowlabel N         set the IPv6 flow label (only supported on Linux)\n"
+ #endif /* HAVE_FLOWLABEL */
+diff --git a/src/iperf_tcp.c b/src/iperf_tcp.c
+index 184a1955e..515913581 100644
+--- a/src/iperf_tcp.c
+++ b/src/iperf_tcp.c
+@@ -375,14 +375,24 @@ iperf_tcp_connect(struct iperf_test *test)
+     socklen_t optlen;
+     int saved_errno;
+     int rcvbuf_actual, sndbuf_actual;
+     int proto = 0;
+    const char *connect_server;
+    int connect_port;
+ 
+ #if defined(HAVE_IPPROTO_MPTCP)
+     if (test->mptcp)
+         proto = IPPROTO_MPTCP;
+ #endif
+ 
+-    s = create_socket(test->settings->domain, SOCK_STREAM, proto, test->bind_address, test->bind_dev, test->bind_port, test->server_hostname, test->server_port, &server_res);
+    if (test->socks5_host) {
+        connect_server = test->socks5_host;
+        connect_port = test->socks5_port;
+    } else {
+        connect_server = test->server_hostname;
+        connect_port = test->server_port;
+    }
+
+    s = create_socket(test->settings->domain, SOCK_STREAM, proto, test->bind_address, test->bind_dev, test->bind_port, connect_server, connect_port, &server_res);
+     if (s < 0) {
+ 	i_errno = IESTREAMCONNECT;
+ 	return -1;
+@@ -571,6 +581,16 @@ iperf_tcp_connect(struct iperf_test *test)
+ 
+     freeaddrinfo(server_res);
+ 
+    /* socks5 proxy handshake  */
+    if (test->socks5_host) {
+        if (0 != iperf_socks5_handshake(test, s)) {
+            saved_errno = errno;
+            close(s);
+            errno = saved_errno;
+            return -1;
+        }
+    }
+
+     /* Send cookie for verification */
+     if (Nwrite(s, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
+ 	saved_errno = errno;
--- a/iproute2/Makefile
+++ b/iproute2/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=iproute2
-PKG_VERSION:=6.7.0
-PKG_RELEASE:=1
+PKG_VERSION:=6.12.0
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/utils/net/iproute2
-PKG_HASH:=ff942dd9828d7d1f867f61fe72ce433078c31e5d8e4a78e20f02cb5892e8841d
+PKG_HASH:=bbd141ef7b5d0127cc2152843ba61f274dc32814fa3e0f13e7d07a080bef53d9
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_DEPENDS:=iptables
 PKG_LICENSE:=GPL-2.0
@ -77,14 +77,7 @@ $(call Package/iproute2/Default)
  VARIANT:=tcfull
  PROVIDES:=tc
  ALTERNATIVES:=400:/sbin/tc:/usr/libexec/tc-full
-  DEPENDS:=+kmod-sched-core +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libbpf +libxtables +tc-mod-iptables
-endef
-
-define Package/tc-mod-iptables
-$(call Package/iproute2/Default)
-  TITLE:=Traffic control module - iptables action
-  VARIANT:=tcfull
-  DEPENDS:=+libxtables +libbpf
+  DEPENDS:=+kmod-sched-core +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libbpf +libxtables
 endef

 define Package/genl
@ -102,7 +95,7 @@ endef
 define Package/ss
 $(call Package/iproute2/Default)
  TITLE:=Socket statistics utility
-  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl +kmod-netlink-diag
+  DEPENDS:=+libnl-tiny +(PACKAGE_devlink||PACKAGE_rdma):libmnl +libbpf +kmod-netlink-diag
 endef

 define Package/nstat
@ -232,11 +225,6 @@ define Package/tc-full/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tc/tc $(1)/usr/libexec/tc-full
 endef

-define Package/tc-mod-iptables/install
-	$(INSTALL_DIR) $(1)/usr/lib/tc
-	$(CP) $(PKG_BUILD_DIR)/tc/m_xt.so $(1)/usr/lib/tc
-endef
-
 define Package/genl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/genl/genl $(1)/usr/sbin/
@ -269,9 +257,6 @@ endef

 $(eval $(call BuildPackage,ip-tiny))
 $(eval $(call BuildPackage,ip-full))
-# build tc-mod-iptables before its dependents, to avoid
-# spurious rebuilds when building multiple variants.
-$(eval $(call BuildPackage,tc-mod-iptables))
 $(eval $(call BuildPackage,tc-tiny))
 $(eval $(call BuildPackage,tc-bpf))
 $(eval $(call BuildPackage,tc-full))
--- a/iproute2/patches/013-endian.h.patch
+++ b/iproute2/patches/013-endian.h.patch
@ -0,0 +1,22 @@
+From c8b3ecc22ed0edaf0259eaf7d1a5c04f300ad6e4 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Thu, 12 Dec 2024 11:24:18 -0800
+Subject: [PATCH] libnetlink: add missing endian.h
+
+Need endian.h to get htobe64 with musl.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ include/libnetlink.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/libnetlink.h
+++ b/include/libnetlink.h
+@@ -4,6 +4,7 @@
+ 
+ #include <stdio.h>
+ #include <string.h>
+#include <endian.h>
+ #include <asm/types.h>
+ #include <linux/netlink.h>
+ #include <linux/rtnetlink.h>
--- a/iproute2/patches/014-basename.patch
+++ b/iproute2/patches/014-basename.patch
@ -0,0 +1,29 @@
+From fa3949b792e275f75d7d6200dc2036ef7fff8816 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Thu, 12 Dec 2024 11:21:56 -0800
+Subject: [PATCH] rdma: add missing header for basename
+
+The function basename prototype is in libgen.h
+Fixes build on musl
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ rdma/rdma.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/rdma/rdma.h
+++ b/rdma/rdma.h
+@@ -10,11 +10,12 @@
+ #include <string.h>
+ #include <errno.h>
+ #include <getopt.h>
+#include <time.h>
+#include <libgen.h>
+ #include <netinet/in.h>
+ #include <libmnl/libmnl.h>
+ #include <rdma/rdma_netlink.h>
+ #include <rdma/rdma_user_cm.h>
+-#include <time.h>
+ #include <net/if_arp.h>
+ 
+ #include "list.h"
--- a/iproute2/patches/015-limits.h.patch
+++ b/iproute2/patches/015-limits.h.patch
@ -0,0 +1,84 @@
+From 7e23da91fca6e5dedeb32a7d308cf20982e897c3 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Tue, 10 Dec 2024 13:38:08 -0800
+Subject: [PATCH] ip: rearrange and prune header files
+
+The recent report of issues with missing limits.h impacting musl
+suggested looking at what files are and are not included in ip code.
+
+The standard practice is to put standard headers first, then system,
+then local headers. Used iwyu to get suggestions about missing
+and extraneous headers.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ ip/iplink.c  | 13 +++++--------
+ ip/ipnetns.c | 19 +++++++++----------
+ 2 files changed, 14 insertions(+), 18 deletions(-)
+
+--- a/ip/iplink.c
+++ b/ip/iplink.c
+@@ -11,17 +11,14 @@
+ #include <fcntl.h>
+ #include <dlfcn.h>
+ #include <errno.h>
+#include <string.h>
+#include <strings.h>
+#include <limits.h>
+
+ #include <sys/socket.h>
+#include <arpa/inet.h>
+ #include <linux/if.h>
+-#include <linux/if_packet.h>
+ #include <linux/if_ether.h>
+-#include <linux/sockios.h>
+-#include <netinet/in.h>
+-#include <arpa/inet.h>
+-#include <string.h>
+-#include <sys/ioctl.h>
+-#include <stdbool.h>
+-#include <linux/mpls.h>
+ 
+ #include "rt_names.h"
+ #include "utils.h"
+--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
+@@ -1,21 +1,21 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ #define _ATFILE_SOURCE
+-#include <sys/file.h>
+-#include <sys/types.h>
+-#include <sys/stat.h>
+-#include <sys/wait.h>
+-#include <sys/inotify.h>
+-#include <sys/mount.h>
+-#include <sys/syscall.h>
+
+ #include <stdio.h>
+#include <stdint.h>
+ #include <string.h>
+-#include <sched.h>
+ #include <fcntl.h>
+ #include <dirent.h>
+ #include <errno.h>
+ #include <unistd.h>
+ #include <ctype.h>
+-#include <linux/limits.h>
+#include <limits.h>
+
+#include <sys/file.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/inotify.h>
+#include <sys/mount.h>
+ 
+ #include <linux/net_namespace.h>
+ 
+@@ -23,7 +23,6 @@
+ #include "list.h"
+ #include "ip_common.h"
+ #include "namespace.h"
+-#include "json_print.h"
+ 
+ static int usage(void)
+ {
--- a/iproute2/patches/016-limits.h.patch
+++ b/iproute2/patches/016-limits.h.patch
@ -0,0 +1,26 @@
+From f982f30e166a02e09097de05129449031ba51f76 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Thu, 12 Dec 2024 11:29:44 -0800
+Subject: [PATCH] cg_map: use limits.h
+
+Prefer limits.h from system headers over linux/limits.h
+Fixes build with musl.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ lib/cg_map.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/cg_map.c
+++ b/lib/cg_map.c
+@@ -9,8 +9,9 @@
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdbool.h>
+#include <limits.h>
+
+ #include <linux/types.h>
+-#include <linux/limits.h>
+ #include <ftw.h>
+ 
+ #include "cg_map.h"
--- a/iproute2/patches/017-linux-limits.patch
+++ b/iproute2/patches/017-linux-limits.patch
@ -0,0 +1,178 @@
+From ac547ad027e3d4e283202ecb487cf54707234491 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Thu, 12 Dec 2024 14:15:59 -0800
+Subject: [PATCH] flower: replace XATTR_SIZE_MAX
+
+The flower tc parser was using XATTR_SIZE_MAX from linux/limits.h,
+but this constant is intended to before extended filesystem attributes
+not for TC.  Replace it with a local define.
+
+This fixes issue on systems with musl and XATTR_SIZE_MAX is not
+defined in limits.h there.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ tc/f_flower.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+--- a/tc/f_flower.c
+++ b/tc/f_flower.c
+@@ -10,7 +10,7 @@
+ #include <unistd.h>
+ #include <string.h>
+ #include <net/if.h>
+-#include <linux/limits.h>
+
+ #include <linux/if_arp.h>
+ #include <linux/if_ether.h>
+ #include <linux/ip.h>
+@@ -22,6 +22,9 @@
+ #include "tc_util.h"
+ #include "rt_names.h"
+ 
+/* maximum length of options string */
+#define FLOWER_OPTS_MAX	4096
+
+ #ifndef IPPROTO_L2TP
+ #define IPPROTO_L2TP 115
+ #endif
+@@ -1252,7 +1255,7 @@ static int flower_check_enc_opt_key(char
+ 
+ static int flower_parse_enc_opts_geneve(char *str, struct nlmsghdr *n)
+ {
+-	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
+	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
+ 	int data_len, key_len, mask_len, err;
+ 	char *token, *slash;
+ 	struct rtattr *nest;
+@@ -1265,7 +1268,7 @@ static int flower_parse_enc_opts_geneve(
+ 		if (slash)
+ 			*slash = '\0';
+ 
+-		if ((key_len + strlen(token) > XATTR_SIZE_MAX) ||
+		if ((key_len + strlen(token) > FLOWER_OPTS_MAX) ||
+ 		    flower_check_enc_opt_key(token))
+ 			return -1;
+ 
+@@ -1275,7 +1278,7 @@ static int flower_parse_enc_opts_geneve(
+ 
+ 		if (!slash) {
+ 			/* Pad out mask when not provided */
+-			if (mask_len + strlen(token) > XATTR_SIZE_MAX)
+			if (mask_len + strlen(token) > FLOWER_OPTS_MAX)
+ 				return -1;
+ 
+ 			data_len = strlen(rindex(token, ':'));
+@@ -1288,7 +1291,7 @@ static int flower_parse_enc_opts_geneve(
+ 			continue;
+ 		}
+ 
+-		if (mask_len + strlen(slash + 1) > XATTR_SIZE_MAX)
+		if (mask_len + strlen(slash + 1) > FLOWER_OPTS_MAX)
+ 			return -1;
+ 
+ 		strcpy(&mask[mask_len], slash + 1);
+@@ -1318,7 +1321,7 @@ static int flower_parse_enc_opts_geneve(
+ 
+ static int flower_parse_enc_opts_vxlan(char *str, struct nlmsghdr *n)
+ {
+-	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
+	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
+ 	struct rtattr *nest;
+ 	char *slash;
+ 	int err;
+@@ -1326,14 +1329,14 @@ static int flower_parse_enc_opts_vxlan(c
+ 	slash = strchr(str, '/');
+ 	if (slash) {
+ 		*slash++ = '\0';
+-		if (strlen(slash) > XATTR_SIZE_MAX)
+		if (strlen(slash) > FLOWER_OPTS_MAX)
+ 			return -1;
+ 		strcpy(mask, slash);
+ 	} else {
+ 		strcpy(mask, "0xffffffff");
+ 	}
+ 
+-	if (strlen(str) > XATTR_SIZE_MAX)
+	if (strlen(str) > FLOWER_OPTS_MAX)
+ 		return -1;
+ 	strcpy(key, str);
+ 
+@@ -1355,7 +1358,7 @@ static int flower_parse_enc_opts_vxlan(c
+ 
+ static int flower_parse_enc_opts_erspan(char *str, struct nlmsghdr *n)
+ {
+-	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
+	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
+ 	struct rtattr *nest;
+ 	char *slash;
+ 	int err;
+@@ -1364,7 +1367,7 @@ static int flower_parse_enc_opts_erspan(
+ 	slash = strchr(str, '/');
+ 	if (slash) {
+ 		*slash++ = '\0';
+-		if (strlen(slash) > XATTR_SIZE_MAX)
+		if (strlen(slash) > FLOWER_OPTS_MAX)
+ 			return -1;
+ 		strcpy(mask, slash);
+ 	} else {
+@@ -1376,7 +1379,7 @@ static int flower_parse_enc_opts_erspan(
+ 		strcpy(mask + index, ":0xffffffff:0xff:0xff");
+ 	}
+ 
+-	if (strlen(str) > XATTR_SIZE_MAX)
+	if (strlen(str) > FLOWER_OPTS_MAX)
+ 		return -1;
+ 	strcpy(key, str);
+ 
+@@ -1398,7 +1401,7 @@ static int flower_parse_enc_opts_erspan(
+ 
+ static int flower_parse_enc_opts_gtp(char *str, struct nlmsghdr *n)
+ {
+-	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
+	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
+ 	struct rtattr *nest;
+ 	char *slash;
+ 	int err;
+@@ -1406,13 +1409,13 @@ static int flower_parse_enc_opts_gtp(cha
+ 	slash = strchr(str, '/');
+ 	if (slash) {
+ 		*slash++ = '\0';
+-		if (strlen(slash) > XATTR_SIZE_MAX)
+		if (strlen(slash) > FLOWER_OPTS_MAX)
+ 			return -1;
+ 		strcpy(mask, slash);
+ 	} else
+ 		strcpy(mask, "ff:ff");
+ 
+-	if (strlen(str) > XATTR_SIZE_MAX)
+	if (strlen(str) > FLOWER_OPTS_MAX)
+ 		return -1;
+ 	strcpy(key, str);
+ 
+@@ -1433,7 +1436,7 @@ static int flower_parse_enc_opts_gtp(cha
+ 
+ static int flower_parse_enc_opts_pfcp(char *str, struct nlmsghdr *n)
+ {
+-	char key[XATTR_SIZE_MAX], mask[XATTR_SIZE_MAX];
+	char key[FLOWER_OPTS_MAX], mask[FLOWER_OPTS_MAX];
+ 	struct rtattr *nest;
+ 	char *slash;
+ 	int err;
+@@ -1442,14 +1445,14 @@ static int flower_parse_enc_opts_pfcp(ch
+ 	slash = strchr(str, '/');
+ 	if (slash) {
+ 		*slash++ = '\0';
+-		if (strlen(slash) > XATTR_SIZE_MAX)
+		if (strlen(slash) > FLOWER_OPTS_MAX)
+ 			return -1;
+ 		strcpy(mask, slash);
+ 	} else {
+ 		strcpy(mask, "ff:ffffffffffffffff");
+ 	}
+ 
+-	if (strlen(str) > XATTR_SIZE_MAX)
+	if (strlen(str) > FLOWER_OPTS_MAX)
+ 		return -1;
+ 	strcpy(key, str);
+ 
--- a/iproute2/patches/018-linux-limits.patch
+++ b/iproute2/patches/018-linux-limits.patch
@ -0,0 +1,37 @@
+From 458dce5d0431f0589aca1bc841904b5d1db3bbce Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Thu, 12 Dec 2024 14:18:35 -0800
+Subject: [PATCH] uapi: remove no longer used linux/limits.h
+
+Code is now using limits.h instead.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ include/uapi/linux/limits.h | 21 ---------------------
+ 1 file changed, 21 deletions(-)
+ delete mode 100644 include/uapi/linux/limits.h
+
+--- a/include/uapi/linux/limits.h
+++ /dev/null
+@@ -1,21 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+-#ifndef _LINUX_LIMITS_H
+-#define _LINUX_LIMITS_H
+-
+-#define NR_OPEN	        1024
+-
+-#define NGROUPS_MAX    65536	/* supplemental group IDs are available */
+-#define ARG_MAX       131072	/* # bytes of args + environ for exec() */
+-#define LINK_MAX         127	/* # links a file may have */
+-#define MAX_CANON        255	/* size of the canonical input queue */
+-#define MAX_INPUT        255	/* size of the type-ahead buffer */
+-#define NAME_MAX         255	/* # chars in a file name */
+-#define PATH_MAX        4096	/* # chars in a path name including nul */
+-#define PIPE_BUF        4096	/* # bytes in atomic write to a pipe */
+-#define XATTR_NAME_MAX   255	/* # chars in an extended attribute name */
+-#define XATTR_SIZE_MAX 65536	/* size of an extended attribute value (64k) */
+-#define XATTR_LIST_MAX 65536	/* size of extended attribute namelist (64k) */
+-
+-#define RTSIG_MAX	  32
+-
+-#endif
--- a/iproute2/patches/110-darwin_fixes.patch
+++ b/iproute2/patches/110-darwin_fixes.patch
@ -1,6 +1,6 @@
 --- a/netem/maketable.c
 +++ b/netem/maketable.c
-@@ -10,7 +10,9 @@
+@@ -11,7 +11,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <math.h>
@ -12,7 +12,7 @@
 #include <sys/stat.h>
 --- a/netem/normal.c
 +++ b/netem/normal.c
-@@ -8,8 +8,12 @@
+@@ -9,8 +9,12 @@
 #include <string.h>
 #include <limits.h>
 
@ -27,7 +27,7 @@
 #define TABLEFACTOR NETEM_DIST_SCALE
 --- a/netem/pareto.c
 +++ b/netem/pareto.c
-@@ -7,8 +7,12 @@
+@@ -8,8 +8,12 @@
 #include <math.h>
 #include <limits.h>
 
@ -42,7 +42,7 @@
 #define TABLESIZE	16384
 --- a/netem/paretonormal.c
 +++ b/netem/paretonormal.c
-@@ -14,10 +14,13 @@
+@@ -15,10 +15,13 @@
 #include <string.h>
 #include <math.h>
 #include <limits.h>
--- a/iproute2/patches/115-add-config-xtlibdir.patch
+++ b/iproute2/patches/115-add-config-xtlibdir.patch
@ -1,6 +1,6 @@
 --- a/tc/Makefile
 +++ b/tc/Makefile
-@@ -128,6 +128,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR
+@@ -107,6 +107,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR
 ifneq ($(IPT_LIB_DIR),)
 	CFLAGS += -DIPT_LIB_DIR=\"$(IPT_LIB_DIR)\"
 endif
--- a/iproute2/patches/130-no_netem_tipc_dcb_man_vdpa.patch
+++ b/iproute2/patches/130-no_netem_tipc_dcb_man_vdpa.patch
@ -1,6 +1,6 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -65,9 +65,9 @@ WFLAGS += -Wmissing-declarations -Wold-s
+@@ -69,9 +69,9 @@ WFLAGS += -Wmissing-declarations -Wold-s
 CFLAGS := $(WFLAGS) $(CCOPTS) -I../include -I../include/uapi $(DEFINES) $(CFLAGS)
 YACCFLAGS = -d -t -v
 
--- a/iproute2/patches/140-allow_pfifo_fast.patch
+++ b/iproute2/patches/140-allow_pfifo_fast.patch
@ -1,6 +1,6 @@
 --- a/tc/q_fifo.c
 +++ b/tc/q_fifo.c
-@@ -95,5 +95,6 @@ struct qdisc_util pfifo_head_drop_qdisc_
+@@ -90,5 +90,6 @@ struct qdisc_util pfifo_head_drop_qdisc_
 
 struct qdisc_util pfifo_fast_qdisc_util = {
 	.id = "pfifo_fast",
--- a/iproute2/patches/140-keep_libmnl_optional.patch
+++ b/iproute2/patches/140-keep_libmnl_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -387,7 +387,7 @@ check_selinux()
+@@ -368,7 +368,7 @@ check_tirpc()
 
 check_mnl()
 {
--- a/iproute2/patches/145-keep_libelf_optional.patch
+++ b/iproute2/patches/145-keep_libelf_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -255,7 +255,7 @@ EOF
+@@ -217,7 +217,7 @@ EOF
 
 check_elf()
 {
--- a/iproute2/patches/150-keep_libcap_optional.patch
+++ b/iproute2/patches/150-keep_libcap_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -445,7 +445,7 @@ EOF
+@@ -427,7 +427,7 @@ EOF
 
 check_cap()
 {
--- a/iproute2/patches/155-keep_tirpc_optional.patch
+++ b/iproute2/patches/155-keep_tirpc_optional.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -398,7 +398,7 @@ check_selinux()
+@@ -355,7 +355,7 @@ check_selinux()
 
 check_tirpc()
 {
--- a/iproute2/patches/170-ip_tiny.patch
+++ b/iproute2/patches/170-ip_tiny.patch
@ -30,15 +30,15 @@
 		"Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }\n"
 		"       ip [ -force ] -batch filename\n"
 +#ifndef IPROUTE2_TINY
- 		"where  OBJECT := { address | addrlabel | amt | fou | help | ila | ioam | l2tp |\n"
- 		"                   link | macsec | maddress | monitor | mptcp | mroute | mrule |\n"
+ 		"where  OBJECT := { address | addrlabel | fou | help | ila | ioam | l2tp | link |\n"
+ 		"                   macsec | maddress | monitor | mptcp | mroute | mrule |\n"
 		"                   neighbor | neighbour | netconf | netns | nexthop | ntable |\n"
- 		"                   ntbl | route | rule | sr | tap | tcpmetrics |\n"
+ 		"                   ntbl | route | rule | sr | stats | tap | tcpmetrics |\n"
 		"                   token | tunnel | tuntap | vrf | xfrm }\n"
 +#else
-+		"where  OBJECT := { address | link | maddress | monitor |\n"
+		"where  OBJECT := { address | help | link | maddress | monitor |\n"
 +		"                   neighbor | neighbour | netns | route |\n"
-+		"                   rule | token | tunnel }\n"
+		"                   rule | stats | token | tunnel }\n"
 +#endif
 		"       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n"
 		"                    -h[uman-readable] | -iec | -j[son] | -p[retty] |\n"
--- a/iproute2/patches/175-reduce-dynamic-syms.patch
+++ b/iproute2/patches/175-reduce-dynamic-syms.patch
@ -1,45 +0,0 @@
--- a/tc/Makefile
-+++ b/tc/Makefile
-@@ -114,7 +114,7 @@ LDLIBS += -L. -lm
- 
- ifeq ($(SHARED_LIBS),y)
- LDLIBS += -ldl
-LDFLAGS += -Wl,-export-dynamic
-+LDFLAGS += -Wl,--dynamic-list=dynsyms.list
- endif
- 
- TCLIB := tc_core.o
-@@ -144,7 +144,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
- all: tc $(TCSO)
- 
- tc: $(TCOBJ) $(LIBNETLINK) libtc.a
-	$(QUIET_LINK)$(CC) $^ $(LDFLAGS) $(LDLIBS) -o $@
-+	$(QUIET_LINK)$(CC) $(filter-out dynsyms.list, $^) $(LDFLAGS) $(LDLIBS) -o $@
- 
- libtc.a: $(TCLIB)
- 	$(QUIET_AR)$(AR) rcs $@ $^
-@@ -166,6 +166,7 @@ install: all
- clean:
- 	rm -f $(TCOBJ) $(TCLIB) libtc.a tc *.so emp_ematch.tab.h; \
- 	rm -f emp_ematch.tab.*
-+	rm -f dynsyms.list
- 
- q_atm.so: q_atm.c
- 	$(QUIET_CC)$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -shared -fpic -o q_atm.so q_atm.c -latm
-@@ -205,4 +206,16 @@ static-syms.h: $(wildcard *.c)
- 		sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:extern char \1[] __attribute__((weak)); if (!strcmp(sym, "\1")) return \1;:;p}' $$files ; \
- 	done > $@
- 
-+else
-+
-+tc: dynsyms.list
-+m_xt.so: dynsyms.list
-+dynsyms.list: $(wildcard *.c)
-+	files="$(filter-out $(patsubst %.so,%.c,$(TCSO)), $^)" ; \
-+	echo "{" > $@ ; \
-+	for s in `grep -B 3 '\<dlsym' $$files | sed -n '/snprintf/{s:.*"\([^"]*\)".*:\1:;s:%s::;p}'` ; do \
-+		sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:\1;:;p}' $$files ; \
-+	done >> $@ ; \
-+	echo "show_stats; print_nl; print_tm; parse_rtattr; parse_rtattr_flags; get_u32; matches; addattr_l; addattr_nest; addattr_nest_end; };" >> $@
-+
- endif
--- a/iproute2/patches/180-drop_FAILED_POLICY.patch
+++ b/iproute2/patches/180-drop_FAILED_POLICY.patch
@ -11,7 +11,7 @@ Subject: [PATCH] add support for dropping with FAILED_POLICY

 --- a/ip/rtm_map.c
 +++ b/ip/rtm_map.c
-@@ -54,6 +54,8 @@ char *rtnl_rtntype_n2a(int id, char *buf
+@@ -49,6 +49,8 @@ char *rtnl_rtntype_n2a(int id, char *buf
 		return "nat";
 	case RTN_XRESOLVE:
 		return "xresolve";
@ -20,7 +20,7 @@ Subject: [PATCH] add support for dropping with FAILED_POLICY
 	default:
 		snprintf(buf, len, "%d", id);
 		return buf;
-@@ -89,6 +91,8 @@ int rtnl_rtntype_a2n(int *id, char *arg)
+@@ -84,6 +86,8 @@ int rtnl_rtntype_a2n(int *id, char *arg)
 		res = RTN_UNICAST;
 	else if (strcmp(arg, "throw") == 0)
 		res = RTN_THROW;
@ -31,7 +31,7 @@ Subject: [PATCH] add support for dropping with FAILED_POLICY
 		if (!end || end == arg || *end || res > 255)
 --- a/include/uapi/linux/rtnetlink.h
 +++ b/include/uapi/linux/rtnetlink.h
-@@ -256,6 +256,7 @@ enum {
+@@ -265,6 +265,7 @@ enum {
 	RTN_THROW,		/* Not in this table		*/
 	RTN_NAT,		/* Translate this address	*/
 	RTN_XRESOLVE,		/* Use external resolver	*/
--- a/iproute2/patches/190-fix-nls-rpath-link.patch
+++ b/iproute2/patches/190-fix-nls-rpath-link.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -279,7 +279,7 @@ int main(int argc, char **argv) {
+@@ -241,7 +241,7 @@ int main(int argc, char **argv) {
 }
 EOF
 
@ -9,7 +9,7 @@
     local ret=$?
 
     rm -f $TMPDIR/libbpf_test.c $TMPDIR/libbpf_test
-@@ -297,7 +297,7 @@ int main(int argc, char **argv) {
+@@ -259,7 +259,7 @@ int main(int argc, char **argv) {
 }
 EOF
 
--- a/iproute2/patches/195-build_variant_ip_tc.patch
+++ b/iproute2/patches/195-build_variant_ip_tc.patch
@ -11,7 +11,7 @@
 
 --- a/tc/Makefile
 +++ b/tc/Makefile
-@@ -140,7 +140,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
+@@ -120,7 +120,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
 	$(QUIET_CC)$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -shared -fpic $< -o $@
 
 
@ -19,4 +19,4 @@
 +all: $(findstring tc,$(BUILD_VARIANT)) $(TCSO)
 
 tc: $(TCOBJ) $(LIBNETLINK) libtc.a
- 	$(QUIET_LINK)$(CC) $(filter-out dynsyms.list, $^) $(LDFLAGS) $(LDLIBS) -o $@
+ 	$(QUIET_LINK)$(CC) $^ $(LDFLAGS) $(LDLIBS) -o $@
--- a/iproute2/patches/200-drop_libbsd_dependency.patch
+++ b/iproute2/patches/200-drop_libbsd_dependency.patch
@ -0,0 +1,19 @@
+--- a/configure
+++ b/configure
+@@ -413,14 +413,8 @@ EOF
+     if $CC -I$INCLUDE -o $TMPDIR/strtest $TMPDIR/strtest.c >/dev/null 2>&1; then
+ 	echo "no"
+     else
+-	if ${PKG_CONFIG} libbsd --exists; then
+-		echo 'CFLAGS += -DHAVE_LIBBSD' "$(${PKG_CONFIG} libbsd --cflags)" >>$CONFIG
+-		echo 'LDLIBS +=' "$(${PKG_CONFIG} libbsd --libs)" >> $CONFIG
+-		echo "no"
+-	else
+-		echo 'CFLAGS += -DNEED_STRLCPY' >>$CONFIG
+-		echo "yes"
+-	fi
+	echo 'CFLAGS += -DNEED_STRLCPY' >>$CONFIG
+	echo "yes"
+     fi
+     rm -f $TMPDIR/strtest.c $TMPDIR/strtest
+ }
--- a/iproute2/patches/300-selinux-configurable.patch
+++ b/iproute2/patches/300-selinux-configurable.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -374,7 +374,7 @@ check_libbpf()
+@@ -342,7 +342,7 @@ check_libbpf()
 check_selinux()
 # SELinux is a compile time option in the ss utility
 {
--- a/libgpiod/Makefile
+++ b/libgpiod/Makefile
@ -0,0 +1,125 @@
+#
+# Copyright (C) 2018-2019 Michael Heimpold <mhei@heimpold.de>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libgpiod
+PKG_VERSION:=2.1.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@KERNEL/software/libs/libgpiod/
+PKG_HASH:=b21913f469d3135680d5516f00fdf9f81d5e564e19ffb690927ea7f1d7e312cb
+
+PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
+PKG_LICENSE:=LGPL-2.1-or-later
+PKG_LICENSE_FILES:=COPYING
+
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PYTHON3_PKG_BUILD:=0
+
+include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/packages/lang/python/python3-package.mk
+
+ifneq ($(CONFIG_PACKAGE_gpiod-tools),)
+CONFIGURE_ARGS += --enable-tools
+endif
+
+PYTHON3_PKG_SETUP_DIR:=bindings/python
+TARGET_CPPFLAGS+=-I$(PKG_BUILD_DIR)/include
+TARGET_LDFLAGS+=-L$(PKG_BUILD_DIR)/lib/.libs
+
+define Package/libgpiod
+  SECTION:=libs
+  CATEGORY:=Libraries
+  URL:=https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git
+  TITLE:=Library for interacting with Linux's GPIO character device
+  KCONFIG:= \
+    CONFIG_GPIO_CDEV=y
+  DEPENDS:=@GPIO_SUPPORT
+endef
+
+define Package/libgpiod/description
+  C library for interacting with the linux GPIO character device
+  (gpiod stands for GPIO device).
+endef
+
+define Package/gpiod-tools
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Tools for interacting with GPIO pins
+  DEPENDS:=+libgpiod
+endef
+
+define Package/gpiod-tools/description
+  Tools for interacting with the linux GPIO character device
+  (gpiod stands for GPIO device).
+endef
+
+define Package/python3-gpiod
+  SECTION:=lang
+  CATEGORY:=Languages
+  SUBMENU:=Python
+  TITLE:=Python bindings for libgpiod
+  URL:=https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git
+  DEPENDS:=+python3-light +libgpiod
+endef
+
+define Package/python3-gpiod/description
+  This package contains the Python bindings for libgpiod.
+endef
+
+define Build/Configure
+	$(call Build/Configure/Default)
+    ifneq ($(CONFIG_PACKAGE_python3-gpiod),)
+	$(call Py3Build/Configure)
+    endif
+endef
+
+define Build/Compile
+	$(call Build/Compile/Default)
+    ifneq ($(CONFIG_PACKAGE_python3-gpiod),)
+	$(call Py3Build/Compile)
+    endif
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/gpiod.h $(1)/usr/include/
+
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgpiod.{so*,a} $(1)/usr/lib/
+
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libgpiod.pc $(1)/usr/lib/pkgconfig/
+
+    ifneq ($(CONFIG_PACKAGE_python3-gpiod),)
+	$(INSTALL_DIR) $(1)$(PYTHON3_PKG_DIR)
+	$(CP) $(PKG_INSTALL_DIR)$(PYTHON3_PKG_DIR)/* $(1)$(PYTHON3_PKG_DIR)
+    endif
+endef
+
+define Package/libgpiod/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgpiod.so.* $(1)/usr/lib/
+endef
+
+define Package/gpiod-tools/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
+endef
+
+define Py3Package/python3-gpiod/install
+	# this empty define prevent installing tools from /usr/bin
+endef
+
+$(eval $(call BuildPackage,libgpiod))
+$(eval $(call BuildPackage,gpiod-tools))
+$(eval $(call Py3Package,python3-gpiod))
+$(eval $(call BuildPackage,python3-gpiod))
+$(eval $(call BuildPackage,python3-gpiod-src))
--- a/libmbim/Makefile
+++ b/libmbim/Makefile
@ -8,12 +8,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libmbim
-PKG_SOURCE_VERSION:=1.30.0
+PKG_VERSION:=1.31.6
+PKG_SOURCE_VERSION:=1.31.6-dev
+#PKG_SOURCE_VERSION:=1866ed53c05916c66c5d52682778a6078e5221d3
 PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git
-PKG_MIRROR_HASH:=8fc4e2d78d6a1003bf89303d3ce779283b176d74e84a241ba8efb0d468605268
+#libmPKG_MIRROR_HASH:=8fc4e2d78d6a1003bf89303d3ce779283b176d74e84a241ba8efb0d468605268

 PKG_BUILD_FLAGS:=gc-sections

--- a/libqmi/Makefile
+++ b/libqmi/Makefile
@ -8,12 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libqmi
-PKG_SOURCE_VERSION:=1.34.0
+PKG_VERSION:=1.35.6
+PKG_SOURCE_VERSION:=1.35.6-dev
 PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git
-PKG_MIRROR_HASH:=af3dc760d0c40ef8af1f8b424435daa12bff698ed45b1cc9a9e38ea62ed047f0
+#PKG_MIRROR_HASH:=af3dc760d0c40ef8af1f8b424435daa12bff698ed45b1cc9a9e38ea62ed047f0

 PKG_BUILD_FLAGS:=gc-sections

--- a/luci-app-firewall/Makefile
+++ b/luci-app-firewall/Makefile
@ -6,11 +6,11 @@

 include $(TOPDIR)/rules.mk

-LUCI_TITLE:=Firewall and Portforwarding application
-LUCI_DEPENDS:=+@LINUX_5_4:firewall +@(LINUX_5_15||LINUX_6_1||LINUX_6_6||LINUX_6_7):uci-firewall
+LUCI_TITLE:=Firewall and port forwarding application
+LUCI_DEPENDS:=+luci-base +uci-firewall

 PKG_LICENSE:=Apache-2.0
-PKG_VERSION:=omr-202103
+PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>

 include $(TOPDIR)/feeds/luci/luci.mk

--- a/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
@ -6,6 +6,7 @@
 'require form';
 'require network';
 'require firewall';
+'require validation';
 'require tools.prng as random';

 var protocols = [
@ -392,12 +393,25 @@ return baseclass.extend({
 	},

 	transformHostHints: function(family, hosts) {
-		var choice_values = [], choice_labels = {};
+		var choice_values = [],
+		    choice_labels = {},
+		    ip6addrs = {},
+		    ipaddrs = {};
+
+		for (var mac in hosts) {
+			L.toArray(hosts[mac].ipaddrs || hosts[mac].ipv4).forEach(function(ip) {
+				ipaddrs[ip] = mac;
+			});
+
+			L.toArray(hosts[mac].ip6addrs || hosts[mac].ipv6).forEach(function(ip) {
+				ip6addrs[ip] = mac;
+			});
+		}

 		if (!family || family == 'ipv4') {
-			L.sortedKeys(hosts, 'ipv4', 'addr').forEach(function(mac) {
-				var val = hosts[mac].ipv4,
-				    txt = hosts[mac].name || mac;
+			L.sortedKeys(ipaddrs, null, 'addr').forEach(function(ip) {
+				var val = ip,
+				    txt = hosts[ipaddrs[ip]].name || ipaddrs[ip];

 				choice_values.push(val);
 				choice_labels[val] = E([], [ val, ' (', E('strong', {}, [txt]), ')' ]);
@ -405,9 +419,9 @@ return baseclass.extend({
 		}

 		if (!family || family == 'ipv6') {
-			L.sortedKeys(hosts, 'ipv6', 'addr').forEach(function(mac) {
-				var val = hosts[mac].ipv6,
-				    txt = hosts[mac].name || mac;
+			L.sortedKeys(ip6addrs, null, 'addr').forEach(function(ip) {
+				var val = ip,
+				    txt = hosts[ip6addrs[ip]].name || ip6addrs[ip];

 				choice_values.push(val);
 				choice_labels[val] = E([], [ val, ' (', E('strong', {}, [txt]), ')' ]);
@ -425,11 +439,27 @@ return baseclass.extend({
 		opt.addChoices(choices[0], choices[1]);
 	},

+	CBIDynamicMultiValueList: form.DynamicList.extend({
+		renderWidget: function(/* ... */) {
+			var dl = form.DynamicList.prototype.renderWidget.apply(this, arguments),
+			    inst = dom.findClassInstance(dl);
+
+			inst.addItem = function(dl, value, text, flash) {
+				var values = L.toArray(value);
+				for (var i = 0; i < values.length; i++)
+					ui.DynamicList.prototype.addItem.call(this, dl, values[i], null, true);
+			};
+
+			return dl;
+		}
+	}),
+
 	addIPOption: function(s, tab, name, label, description, family, hosts, multiple) {
-		var o = s.taboption(tab, multiple ? form.DynamicList : form.Value, name, label, description);
+		var o = s.taboption(tab, multiple ? this.CBIDynamicMultiValueList : form.Value, name, label, description);
+		var fw4 = L.hasSystemFeature('firewall4');

 		o.modalonly = true;
-		o.datatype = 'list(neg(ipmask))';
+		o.datatype = (fw4 && validation.types.iprange) ? 'list(neg(or(ipmask("true"),iprange)))' : 'list(neg(ipmask("true")))';
 		o.placeholder = multiple ? _('-- add IP --') : _('any');

 		if (family != null) {
@ -449,18 +479,20 @@ return baseclass.extend({

 	addLocalIPOption: function(s, tab, name, label, description, devices) {
 		var o = s.taboption(tab, form.Value, name, label, description);
+		var fw4 = L.hasSystemFeature('firewall4');

 		o.modalonly = true;
-		o.datatype = 'ip4addr("nomask")';
+		o.datatype = !fw4?'ip4addr("nomask")':'ipaddr("nomask")';
 		o.placeholder = _('any');

 		L.sortedKeys(devices, 'name').forEach(function(dev) {
 			var ip4addrs = devices[dev].ipaddrs;
+			var ip6addrs = devices[dev].ip6addrs;

-			if (!L.isObject(devices[dev].flags) || !Array.isArray(ip4addrs) || devices[dev].flags.loopback)
+			if (!L.isObject(devices[dev].flags) || devices[dev].flags.loopback)
 				return;

-			for (var i = 0; i < ip4addrs.length; i++) {
+			for (var i = 0; Array.isArray(ip4addrs) && i < ip4addrs.length; i++) {
 				if (!L.isObject(ip4addrs[i]) || !ip4addrs[i].address)
 					continue;

@ -468,13 +500,21 @@ return baseclass.extend({
 					ip4addrs[i].address, ' (', E('strong', {}, [dev]), ')'
 				]));
 			}
+			for (var i = 0; fw4 && Array.isArray(ip6addrs) && i < ip6addrs.length; i++) {
+				if (!L.isObject(ip6addrs[i]) || !ip6addrs[i].address)
+					continue;
+
+				o.value(ip6addrs[i].address, E([], [
+					ip6addrs[i].address, ' (', E('strong', {}, [dev]), ')'
+				]));
+			}
 		});

 		return o;
 	},

 	addMACOption: function(s, tab, name, label, description, hosts) {
-		var o = s.taboption(tab, form.DynamicList, name, label, description);
+		var o = s.taboption(tab, this.CBIDynamicMultiValueList, name, label, description);

 		o.modalonly = true;
 		o.datatype = 'list(macaddr)';
@ -482,7 +522,10 @@ return baseclass.extend({

 		L.sortedKeys(hosts).forEach(function(mac) {
 			o.value(mac, E([], [ mac, ' (', E('strong', {}, [
-				hosts[mac].name || hosts[mac].ipv4 || hosts[mac].ipv6 || '?'
+				hosts[mac].name ||
+				L.toArray(hosts[mac].ipaddrs || hosts[mac].ipv4)[0] ||
+				L.toArray(hosts[mac].ip6addrs || hosts[mac].ipv6)[0] ||
+				'?'
 			]), ')' ]));
 		});

@ -522,6 +565,9 @@ return baseclass.extend({
 				}
 			}, this));

+			if (cfgvalue == '*' || cfgvalue == 'any' || cfgvalue == 'all')
+				cfgvalue = 'all';
+
 			return cfgvalue;
 		},

@ -537,6 +583,7 @@ return baseclass.extend({
 				display_items: 10,
 				dropdown_items: -1,
 				create: true,
+				disabled: (this.readonly != null) ? this.readonly : this.map.readonly,
 				validate: function(value) {
 					var v = L.toArray(value);

@ -555,8 +602,7 @@ return baseclass.extend({
 			});

 			widget.createChoiceElement = function(sb, value) {
-				var m = value.match(/^(0x[0-9a-f]{1,2}|[0-9]{1,3})$/),
-				    p = lookupProto(lookupProto(m ? +m[1] : value)[0]);
+				var p = lookupProto(value);

 				return ui.Dropdown.prototype.createChoiceElement.call(this, sb, p[2], p[1]);
 			};
@ -566,9 +612,11 @@ return baseclass.extend({
 					var m = value.match(/^(0x[0-9a-f]{1,2}|[0-9]{1,3})$/),
 					    p = lookupProto(m ? +m[1] : value);

-					return (p[0] > -1) ? p[2] : value;
+					return (p[0] > -1) ? p[2] : p[1];
 				});

+				values.sort();
+
 				return ui.Dropdown.prototype.createItems.call(this, sb, values.join(' '));
 			};

--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/custom.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/custom.js
@ -24,7 +24,7 @@ return view.extend({
 		return E([
 			E('h2', _('Firewall - Custom Rules')),
 			E('p', {}, _('Custom rules allow you to execute arbitrary iptables commands which are not otherwise covered by the firewall framework. The commands are executed after each firewall restart, right after the default ruleset has been loaded.')),
-			E('p', {}, E('textarea', { 'style': 'width:100%', 'rows': 10 }, [ fwuser != null ? fwuser : '' ]))
+			E('p', {}, E('textarea', { 'style': 'width:100%', 'rows': 25 }, [ fwuser != null ? fwuser : '' ]))
 		]);
 	},

--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/forwards.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/forwards.js
@ -9,6 +9,8 @@
 'require tools.widgets as widgets';

 function rule_proto_txt(s, ctHelpers) {
+	var family = (uci.get('firewall', s, 'family') || '').toLowerCase().replace(/^(?:all|\*)$/, 'any');
+	var dip = uci.get('firewall', s, 'dest_ip') || '';
 	var proto = L.toArray(uci.get('firewall', s, 'proto')).filter(function(p) {
 		return (p != '*' && p != 'any' && p != 'all');
 	}).map(function(p) {
@ -20,7 +22,7 @@ function rule_proto_txt(s, ctHelpers) {
 		};
 	});

-	m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
+	var m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
 	var h = m ? {
 		val:  m[0].toUpperCase(),
 		inv:  m[1],
@ -35,7 +37,9 @@ function rule_proto_txt(s, ctHelpers) {
 		mask: m[3] ? '0x%02X'.format(+m[3]) : null
 	} : null;

-	return fwtool.fmt(_('Incoming IPv4%{proto?, protocol %{proto#%{next?, }%{item.types?<var class="cbi-tooltip-container">%{item.name}<span class="cbi-tooltip">ICMP with types %{item.types#%{next?, }<var>%{item}</var>}</span></var>:<var>%{item.name}</var>}}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}%{helper?, helper %{helper.inv?<var data-tooltip="Match any helper except &quot;%{helper.name}&quot;">%{helper.val}</var>:<var data-tooltip="%{helper.name}">%{helper.val}</var>}}'), {
+	return fwtool.fmt(_('Incoming %{ipv6?%{ipv4?<var>IPv4</var> and <var>IPv6</var>:<var>IPv6</var>}:<var>IPv4</var>}%{proto?, protocol %{proto#%{next?, }%{item.types?<var class="cbi-tooltip-container">%{item.name}<span class="cbi-tooltip">ICMP with types %{item.types#%{next?, }<var>%{item}</var>}</span></var>:<var>%{item.name}</var>}}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}%{helper?, helper %{helper.inv?<var data-tooltip="Match any helper except &quot;%{helper.name}&quot;">%{helper.val}</var>:<var data-tooltip="%{helper.name}">%{helper.val}</var>}}'), {
+		ipv4: ((!family && dip.indexOf(':') == -1) || family == 'any' || (!family && !dip) || family == 'ipv4'),
+		ipv6: ((!family && dip.indexOf(':') != -1) || family == 'any' || family == 'ipv6'),
 		proto: proto,
 		helper: h,
 		mark:   f
@ -46,7 +50,7 @@ function rule_src_txt(s, hosts) {
 	var z = uci.get('firewall', s, 'src');

 	return fwtool.fmt(_('From %{src}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}%{src_mac?, MAC %{src_mac#%{next?, }<var%{item.inv? data-tooltip="Match MACs except %{item.val}%{item.hint.name? a.k.a. %{item.hint.name}}.":%{item.hint.name? data-tooltip="%{item.hint.name}"}}>%{item.ival}</var>}}'), {
-		src: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
+		src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
 		src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
 		src_mac: fwtool.map_invert(uci.get('firewall', s, 'src_mac'), 'toUpperCase').map(function(v) { return Object.assign(v, { hint: hosts[v.val] }) }),
 		src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port'))
@ -55,7 +59,7 @@ function rule_src_txt(s, hosts) {

 function rule_dest_txt(s) {
 	return fwtool.fmt(_('To %{dest}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName(null) }, [E('em', _('this device'))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(null) }, [E('em', _('this device'))]),
 		dest_ip: fwtool.map_invert(uci.get('firewall', s, 'src_dip'), 'toLowerCase'),
 		dest_port: fwtool.map_invert(uci.get('firewall', s, 'src_dport'))
 	});
@ -79,12 +83,30 @@ function rule_target_txt(s) {
 	var z = uci.get('firewall', s, 'dest');

 	return fwtool.fmt(_('<var data-tooltip="DNAT">Forward</var> to %{dest}%{dest_ip? IP <var>%{dest_ip}</var>}%{dest_port? port <var>%{dest_port}</var>}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
 		dest_ip: (uci.get('firewall', s, 'dest_ip') || '').toLowerCase(),
 		dest_port: uci.get('firewall', s, 'dest_port')
 	});
 }

+function validate_opt_family(m, section_id, opt) {
+	var dopt = m.section.getOption('dest_ip'),
+	    fmopt = m.section.getOption('family');
+
+	if (!dopt.isValid(section_id) && opt != 'dest_ip')
+		return true;
+	if (!fmopt.isValid(section_id) && opt != 'family')
+		return true;
+
+	var dip = dopt.formvalue(section_id) || '',
+	    fm = fmopt.formvalue(section_id) || '';
+
+	if (fm == '' || (fm == 'any' && dip == '') || (fm == 'ipv6' && (dip.indexOf(':') != -1 || dip == '')) || (fm == 'ipv4' && dip.indexOf(':') == -1))
+		return true;
+
+	return _('Address family, Internal IP address must match');
+}
+
 return view.extend({
 	callHostHints: rpc.declare({
 		object: 'luci-rpc',
@ -125,6 +147,7 @@ return view.extend({
 		    ctHelpers = data[1],
 		    devs = data[2],
 		    m, s, o;
+		var fw4 = L.hasSystemFeature('firewall4');

 		m = new form.Map('firewall', _('Firewall - Port Forwards'),
 			_('Port forwarding allows remote computers on the Internet to connect to a specific computer or service within the private LAN.'));
@ -133,6 +156,7 @@ return view.extend({
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
+		s.cloneable = true;

 		s.tab('general', _('General Settings'));
 		s.tab('advanced', _('Advanced Settings'));
@ -149,9 +173,10 @@ return view.extend({
 			var config_name = this.uciconfig || this.map.config,
 			    section_id = uci.add(config_name, this.sectiontype);

+			uci.set(config_name, section_id, 'dest', 'lan');
 			uci.set(config_name, section_id, 'target', 'DNAT');

-			this.addedSection = section_id;
+			m.addedSection = section_id;
 			this.renderMoreOptionsModal(section_id);
 		};

@ -159,6 +184,32 @@ return view.extend({
 		o.placeholder = _('Unnamed forward');
 		o.modalonly = true;

+		if (fw4) {
+			o = s.taboption('general', form.ListValue, 'family', _('Restrict to address family'));
+			o.modalonly = true;
+			o.rmempty = true;
+			o.value('any', _('IPv4 and IPv6'));
+			o.value('ipv4', _('IPv4 only'));
+			o.value('ipv6', _('IPv6 only'));
+			o.value('', _('automatic'));  // infer from zone or used IP addresses
+			o.cfgvalue = function(section_id) {
+				var val = this.map.data.get(this.map.config, section_id, 'family');
+
+				if (!val)
+					return '';
+				else if (val == 'any' || val == 'all' || val == '*')
+					return 'any';
+				else if (val == 'inet' || String(val).indexOf('4') != -1)
+					return 'ipv4';
+				else if (String(val).indexOf('6') != -1)
+					return 'ipv6';
+			};
+			o.validate = function(section_id, value) {
+				fwtool.updateHostHints(this.map, section_id, 'dest_ip', value, hosts);
+				return !fw4?true:validate_opt_family(this, section_id, 'family');
+			};
+		}
+
 		o = s.option(form.DummyValue, '_match', _('Match'));
 		o.modalonly = false;
 		o.textvalue = function(s) {
@ -193,15 +244,23 @@ return view.extend({
 		o.nocreate = true;
 		o.default = 'wan';

+		o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
+		uci.sections('firewall', 'ipset', function(s) {
+			if (typeof(s.name) == 'string')
+				o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
+		});
+		o.modalonly = true;
+		o.rmempty = true;
+
 		o = fwtool.addMACOption(s, 'advanced', 'src_mac', _('Source MAC address'),
 			_('Only match incoming traffic from these MACs.'), hosts);
 		o.rmempty = true;
 		o.datatype = 'list(neg(macaddr))';

 		o = fwtool.addIPOption(s, 'advanced', 'src_ip', _('Source IP address'),
-			_('Only match incoming traffic from this IP or range.'), 'ipv4', hosts);
+			_('Only match incoming traffic from this IP or range.'), !fw4?'ipv4':'', hosts);
 		o.rmempty = true;
-		o.datatype = 'neg(ipmask4)';
+		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';

 		o = s.taboption('advanced', form.Value, 'src_port', _('Source port'),
 			_('Only match incoming traffic originating from the given source port or port range on the client host'));
@ -214,7 +273,7 @@ return view.extend({

 		o = fwtool.addLocalIPOption(s, 'advanced', 'src_dip', _('External IP address'),
 			_('Only match incoming traffic directed at the given IP address.'), devs);
-		o.datatype = 'neg(ipmask4)';
+		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
 		o.rmempty = true;

 		o = s.taboption('general', form.Value, 'src_dport', _('External port'),
@ -229,12 +288,11 @@ return view.extend({
 		o.modalonly = true;
 		o.rmempty = true;
 		o.nocreate = true;
-		o.default = 'lan';

 		o = fwtool.addIPOption(s, 'general', 'dest_ip', _('Internal IP address'),
-			_('Redirect matched incoming traffic to the specified internal host'), 'ipv4', hosts);
+			_('Redirect matched incoming traffic to the specified internal host'), !fw4?'ipv4':'', hosts);
 		o.rmempty = true;
-		o.datatype = 'ipmask4';
+		o.datatype = !fw4?'ipmask4':'ipmask';

 		o = s.taboption('general', form.Value, 'dest_port', _('Internal port'),
 			_('Redirect matched incoming traffic to the given port on the internal host'));
@ -259,6 +317,12 @@ return view.extend({
 			uci.set('firewall', section_id, 'reflection_src', (value != 'internal') ? value : null);
 		};

+		o = s.taboption('advanced', widgets.ZoneSelect, 'reflection_zone', _('Reflection zones'), _('Zones from which reflection rules shall be created. If unset, only the destination zone is used.'));
+		o.nocreate = true;
+		o.multiple = true;
+		o.modalonly = true;
+		o.depends('reflection', '1');
+
 		o = s.taboption('advanced', form.Value, 'helper', _('Match helper'), _('Match traffic using the specified connection tracking helper.'));
 		o.modalonly = true;
 		o.placeholder = _('any');
@ -281,16 +345,16 @@ return view.extend({
 		fwtool.addLimitOption(s);
 		fwtool.addLimitBurstOption(s);

-		o = s.taboption('advanced', form.Flag, 'v2ray', _('Use V2Ray'),
-			_('Forward a port (not a range) from server using V2Ray proxy (if enabled) instead of VPN'));
+		o = s.taboption('advanced', form.Flag, 'v2ray', _('Use V2Ray/XRay'),
+			_('Forward a port (not a range) from server using V2Ray/XRay proxy (if enabled) instead of VPN'));
 		o.modalonly = true;
-		o.editable = true;
-		o.depends({ src: 'vpn', '!contains': true });

-		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
-			_('Passes additional arguments to iptables. Use with care!'));
-		o.modalonly = true;
-		o.rmempty = true;
+		if (!L.hasSystemFeature('firewall4')) {
+			o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+				_('Passes additional arguments to iptables. Use with care!'));
+			o.modalonly = true;
+			o.rmempty = true;
+		}

 		return m.render();
 	}
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/ipsets.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/ipsets.js
@ -0,0 +1,222 @@
+'use strict';
+'require view';
+'require uci';
+'require form';
+'require firewall';
+'require tools.firewall as fwtool';
+
+
+return view.extend({
+
+	load: function() {
+		return Promise.all([
+			uci.load('firewall')
+		]);
+	},
+
+	render: function(data) {
+		let m, s, o;
+
+		m = new form.Map('firewall', _('Firewall - IP sets'),
+			_('firewall4 supports referencing and creating IP sets to simplify matching of large address lists without the need to create one rule per item to match. Port ranges in ipsets are unsupported by firewall4.<br />'));
+
+		var have_fw4 = L.hasSystemFeature('firewall4');
+
+		if (have_fw4) {
+			s = m.section(form.NamedSection, 'fwver', 'fwver', '', _('Your device runs firewall4.'));
+		} else {
+			s = m.section(form.NamedSection, 'fwver', 'fwver', '', _('Your device does not run firewall4.'));
+		}
+
+
+		s = m.section(form.GridSection, 'ipset', _('IP Sets'));
+		s.addremove = true;
+		s.anonymous = true;
+		s.sortable  = true;
+		s.cloneable = true;
+		s.nodescriptions = true;
+		s.filter = function(section_id) {
+			return (section_id.startsWith('bypass') == false && section_id.startsWith('omr_dst') == false && section_id.startsWith('omr_dscp') == false);
+		};
+
+
+		/* refer to: https://ipset.netfilter.org/ipset.man.html */
+		if (have_fw4) {
+			o = s.option(form.Value, 'name', _('Name'));
+			o.optional = false;
+			o.rmempty = false;
+			o.validate = function (section_id, value) {
+				if (!/^[a-zA-Z_.][a-zA-Z0-9\/_.-]*$/.test(value))
+					return _('Invalid set name');
+
+				return true;
+			};
+		} else {
+			o = s.option(form.Value, 'name', _('Name'));
+			o.depends({ external: '' });
+			/*  Default: (none) if external is unset
+			  value of external if external is set */
+		}
+		o.placeholder = _('Unnamed set');
+
+
+		/* comment requires https://git.openwrt.org/?p=project/firewall4.git;a=commitdiff;h=39e8c70957c795bf0c12f04299170ae86c6efdf8 */
+		o = s.option(form.Value, 'comment', _('Comment'));
+		o.placeholder = _('Comment');
+		o.modalonly = true;
+		o.rmempty = true;
+
+
+		o = s.option(form.ListValue, 'family', _('Family'));
+		o.value('ipv4', _('IPv4'));
+		o.value('ipv6', _('IPv6'));
+		o.default = _('ipv4');
+
+
+		/* Direction src, dst; (Data)Types: ip, port, mac, net or set
+		   Tuples: direction_datatype e.g. src_port, dest_net */
+		o = s.option(form.DynamicList, 'match', _('Packet Field Match'),
+			_('Packet fields to match upon.<br />' +
+			  'Syntax: <em>direction_datatype</em>. e.g.: <code>src_port, dest_net</code>.<br />' +
+			  'Directions: <code>src, dst</code>. Datatypes: <code>ip, port, mac, net, set</code>.<br />' +
+			  'Direction prefixes are optional.<br />' +
+			  '*Note: datatype <code>set</code> is unsupported in fw4.'));
+		o.value('ip', _('ip: IP addr'));
+		o.value('port', _('port: Port'));
+		o.value('mac', _('mac: MAC addr'));
+		o.value('net', _('net: (sub)net'));
+		if (!have_fw4)
+			o.value('set', _('set: ipset*'));
+		o.value('src_ip', _('src_ip: Source IP'));
+		o.value('src_port', _('src_port: Source Port'));
+		o.value('src_mac', _('src_mac: Source MAC addr'));
+		o.value('src_net', _('src_net: Source (sub)net'));
+		if (!have_fw4)
+			o.value('src_set', _('src_Set: Source ipset*')); // fw4 unsupported
+		o.value('dest_ip', _('dest_ip: Destination IP'));
+		o.value('dest_port', _('dest_port: Destination Port'));
+		o.value('dest_mac', _('dest_mac: Destination MAC addr'));
+		o.value('dest_net', _('dest_net: Destination (sub)net'));
+		if (!have_fw4)
+			o.value('dest_set', _('dest_set: Destination ipset*')); // fw4 unsupported
+		o.optional = false;
+		o.rmempty = false;
+
+
+		// TODO: if/when firewall5 arrives, this 'else' check must change.
+		if (have_fw4) {
+
+			//we have fw4
+			o = s.option(form.DynamicList, 'entry', _('IPs/Networks/MACs'),
+				_('macaddr|ip[/cidr]<br />'));
+			o.datatype = 'or(ipaddr,macaddr)';
+			o.rmempty = true;
+
+
+			o = s.option(form.Value, 'maxelem', _('Max Entries'),
+				_('up to 65536 entries.'));
+			o.datatype = 'port'; //covers 16 bit size
+			o.modalonly = true;
+			o.rmempty = true;
+
+		} else {
+			// this else section is intended to handle firewall3
+
+			o = s.option(form.Value, 'external', _('Refer To External Set'));
+			/* Todo: loop to fill o.values with all other ipset names except itself */
+			o.rmempty = true;
+			o.optional = true;
+
+
+			/* 'storage' depends on fw3. It must be removed for fw4 */
+			//aka 'method' in netfilter terminology.
+			o = s.option(form.ListValue, 'storage', _('Storage Method'));
+			o.value('bitmap', _('bitmap')); //ipv4 only
+			o.value('hash', _('hash'));
+			o.value('list', _('list'));
+			o.validate = function(section_id, value) {
+				var family = this.section.formvalue(section_id, 'family');
+				if (value.match(/bitmap/) && !family.match(/ipv4/))
+					return _('bitmap is ipv4 only');
+				return true;
+			}
+
+			/* this iprange differs from netfilters range fromip-toip|ip/cidr:
+			   uci enforces a datatype = cidr in order to be able to enter
+			   an IP for all storage/data types.  */
+			o = s.option(form.Value, 'iprange', _('IP (range)'),
+				_('ip[/cidr]<br />'+
+				  'For use with Match datatypes: <code>*_ip</code>.'));
+			o.datatype = 'ipaddr';
+			o.depends({family: 'ipv4', storage: 'bitmap', match: /_ip|_mac/ });
+			o.depends({storage: 'hash', match: /_ip/ });
+
+
+			o = s.option(form.DynamicList, 'entry', _('IPs/Networks'),
+				_('ip[/cidr]<br />'));
+			o.datatype = 'or(ipaddr,macaddr)';
+			o.depends({storage: 'hash', match: /_ip|_net|_mac/ });
+
+
+			o = s.option(form.Value, 'portrange', _('Port range'),
+				_('fromport-toport'));
+			o.datatype = 'neg(portrange)';
+			o.depends({family: 'ipv4', storage: 'bitmap', match: /_port/ });
+			o.depends({family: 'ipv4', storage: 'hash', match: /_port/ });
+			o.depends({family: 'ipv6', storage: 'hash', match: /_port/ });
+
+
+			o = s.option(form.Value, 'netmask', _('Netmask'));
+			o.datatype = 'or(ip4prefix,ip6prefix)';
+			o.depends({family: 'ipv4', storage: 'bitmap', match: /_ip/ });
+			o.depends({storage: 'hash', match: /_ip/});
+
+
+			o = s.option(form.Value, 'maxelem', _('Max Length'),
+				_('up to 65536 entries.'));
+			o.datatype = 'port'; //covers 16 bit size
+			o.depends('storage', 'hash');
+			o.depends('storage', 'list');
+			o.modalonly = true;
+
+
+			o = s.option(form.Value, 'hashsize', _('Initial Hash Size'));
+			o.depends('storage', 'hash');
+			o.placeholder = _('1024');
+			o.modalonly = true;
+
+		}
+
+		o = s.option(form.FileUpload, 'loadfile', _('Include File'),
+			_('Path to file of CIDRs, subnets, host IPs, etc.<br />'));
+		o.root_directory = '/etc/luci-uploads';
+		o.enable_delete = true;
+		o.enable_upload = true;
+		o.datatype = 'file';
+		o.rmempty = true;
+
+
+		o = s.option(form.Value, 'timeout', _('Timeout'),
+			_('Unit: seconds. Default <code>0</code> means the entry is added permanently to the set.<br />' +
+			  'Max: 2147483 seconds.'));
+		o.placeholder = _('0');
+		o.modalonly = true;
+		o.rmempty = true;
+
+
+		o = s.option(form.Flag, 'counters', _('Counters'),
+			_('Enables packet and byte count tracking for the set.'));
+		o.modalonly = true;
+		o.rmempty = true;
+		o.default = false;
+
+
+		o = s.option(form.Flag, 'enabled', _('Enabled'));
+		o.default = true;
+		o.editable = true;
+		o.modalonly = false;
+
+
+		return m.render();
+	}
+});
--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
@ -22,7 +22,7 @@ function rule_proto_txt(s, ctHelpers) {
 		};
 	});

-	m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
+	var m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
 	var h = m ? {
 		val:  m[0].toUpperCase(),
 		inv:  m[1],
@ -62,7 +62,7 @@ function rule_src_txt(s, hosts) {
 	    d = (uci.get('firewall', s, 'direction') == 'in') ? uci.get('firewall', s, 'device') : null;

 	return fwtool.fmt(_('From %{src}%{src_device?, interface <var>%{src_device}</var>}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}%{src_mac?, MAC %{src_mac#%{next?, }<var%{item.inv? data-tooltip="Match MACs except %{item.val}%{item.hint.name? a.k.a. %{item.hint.name}}.":%{item.hint.name? data-tooltip="%{item.hint.name}"}}>%{item.ival}</var>}}'), {
-		src: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
+		src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
 		src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
 		src_mac: fwtool.map_invert(uci.get('firewall', s, 'src_mac'), 'toUpperCase').map(function(v) { return Object.assign(v, { hint: hosts[v.val] }) }),
 		src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port')),
@ -75,7 +75,7 @@ function rule_dest_txt(s) {
 	    d = (uci.get('firewall', s, 'direction') == 'out') ? uci.get('firewall', s, 'device') : null;

 	return fwtool.fmt(_('To %{dest}%{dest_device?, interface <var>%{dest_device}</var>}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
 		dest_ip: fwtool.map_invert(uci.get('firewall', s, 'dest_ip'), 'toLowerCase'),
 		dest_port: fwtool.map_invert(uci.get('firewall', s, 'dest_port')),
 		dest_device: d
@ -171,12 +171,13 @@ return view.extend({
 		    m, s, o;

 		m = new form.Map('firewall', _('Firewall - Traffic Rules'),
-			_('Traffic rules define policies for packets traveling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.'));
+			_('Traffic rules define policies for packets travelling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.'));

 		s = m.section(form.GridSection, 'rule', _('Traffic Rules'));
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
+		s.cloneable = true;

 		s.tab('general', _('General Settings'));
 		s.tab('advanced', _('Advanced Settings'));
@ -194,13 +195,8 @@ return view.extend({
 		s.handleAdd = function(ev) {
 			var config_name = this.uciconfig || this.map.config,
 			    section_id = uci.add(config_name, this.sectiontype),
-			    opt1, opt2;
-
-			for (var i = 0; i < this.children.length; i++)
-				if (this.children[i].option == 'src')
-					opt1 = this.children[i];
-				else if (this.children[i].option == 'dest')
-					opt2 = this.children[i];
+			    opt1 = this.getOption('src'),
+			    opt2 = this.getOption('dest');

 			opt1.default = 'wan';
 			opt2.default = 'lan';
@ -237,7 +233,19 @@ return view.extend({
 		o.modalonly = false;
 		o.default = o.enabled;
 		o.editable = true;
+		o.tooltip = function(section_id) {
+			var weekdays = uci.get('firewall', section_id, 'weekdays');
+			var monthdays = uci.get('firewall', section_id, 'monthdays');
+			var start_time = uci.get('firewall', section_id, 'start_time');
+			var stop_time = uci.get('firewall', section_id, 'stop_time');
+			var start_date = uci.get('firewall', section_id, 'start_date');
+			var stop_date = uci.get('firewall', section_id, 'stop_date');

+			if (weekdays || monthdays || start_time || stop_time || start_date || stop_date )
+				return _('Time restrictions are enabled for this rule');
+
+			return null;
+		};

 		o = s.taboption('advanced', form.ListValue, 'direction', _('Match device'));
 		o.modalonly = true;
@ -288,27 +296,52 @@ return view.extend({
 		o.multiple = true;
 		o.custom = true;
 		o.cast = 'table';
-		o.placeholder = _('any');
-		o.value('', 'any');
+		o.placeholder = _('any/all');
 		o.value('address-mask-reply');
 		o.value('address-mask-request');
+		o.value('address-unreachable'); /* icmpv6 1:3 */
+		o.value('bad-header');  /* icmpv6 4:0 */
+		o.value('certification-path-solicitation-message'); /* icmpv6 148 */
+		o.value('certification-path-advertisement-message'); /* icmpv6 149 */
 		o.value('communication-prohibited');
 		o.value('destination-unreachable');
+		o.value('duplicate-address-request'); /* icmpv6 157 */
+		o.value('duplicate-address-confirmation'); /* icmpv6 158 */
 		o.value('echo-reply');
 		o.value('echo-request');
+		o.value('extended-echo-request'); /* icmpv6 160 */
+		o.value('extended-echo-reply'); /* icmpv6 161 */
+		o.value('fmipv6-message'); /* icmpv6 154 */
 		o.value('fragmentation-needed');
+		o.value('home-agent-address-discovery-reply-message'); /* icmpv6 145 */
+		o.value('home-agent-address-discovery-request-message'); /* icmpv6 144 */
 		o.value('host-precedence-violation');
 		o.value('host-prohibited');
 		o.value('host-redirect');
 		o.value('host-unknown');
 		o.value('host-unreachable');
+		o.value('ilnpv6-locator-update-message'); /* icmpv6 156 */
+		o.value('inverse-neighbour-discovery-advertisement-message'); /* icmpv6 142 */
+		o.value('inverse-neighbour-discovery-solicitation-message'); /* icmpv6 141 */
 		o.value('ip-header-bad');
+		o.value('mobile-prefix-advertisement'); /* icmpv6 147 */
+		o.value('mobile-prefix-solicitation'); /* icmpv6 146 */
+		o.value('mpl-control-message'); /* icmpv6 159 */
+		o.value('multicast-listener-query'); /* icmpv6 130 */
+		o.value('multicast-listener-report'); /* icmpv6 131 */
+		o.value('multicast-listener-done'); /* icmpv6 132 */
+		o.value('multicast-router-advertisement'); /* icmpv6 151 */
+		o.value('multicast-router-solicitation'); /* icmpv6 152 */
+		o.value('multicast-router-termination'); /* icmpv6 153 */
 		o.value('neighbour-advertisement');
 		o.value('neighbour-solicitation');
 		o.value('network-prohibited');
 		o.value('network-redirect');
 		o.value('network-unknown');
 		o.value('network-unreachable');
+		o.value('no-route'); /* icmpv6 1:0 */
+		o.value('node-info-query'); /* icmpv6 139 */
+		o.value('node-info-response'); /* icmpv6 140 */
 		o.value('packet-too-big');
 		o.value('parameter-problem');
 		o.value('port-unreachable');
@ -317,7 +350,9 @@ return view.extend({
 		o.value('redirect');
 		o.value('required-option-missing');
 		o.value('router-advertisement');
+		o.value('router-renumbering'); /* icmpv6 138 */
 		o.value('router-solicitation');
+		o.value('rpl-control-message'); /* icmpv6 155 */
 		o.value('source-quench');
 		o.value('source-route-failed');
 		o.value('time-exceeded');
@ -329,6 +364,9 @@ return view.extend({
 		o.value('TOS-network-unreachable');
 		o.value('ttl-zero-during-reassembly');
 		o.value('ttl-zero-during-transit');
+		o.value('v2-multicast-listener-report'); /* icmpv6 143 */
+		o.value('unknown-header-type'); /* icmpv6 4:1 */
+		o.value('unknown-option'); /* icmpv6 4:2 */
 		o.depends({ proto: 'icmp', '!contains': true });
 		o.depends({ proto: 'icmpv6', '!contains': true });

@ -338,6 +376,14 @@ return view.extend({
 		o.allowany = true;
 		o.allowlocal = 'src';

+		o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
+		uci.sections('firewall', 'ipset', function(s) {
+			if (typeof(s.name) == 'string')
+				o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
+		});
+		o.modalonly = true;
+		o.rmempty = true;
+
 		fwtool.addMACOption(s, 'advanced', 'src_mac', _('Source MAC address'), null, hosts);
 		fwtool.addIPOption(s, 'general', 'src_ip', _('Source address'), null, '', hosts, true);

@ -421,9 +467,11 @@ return view.extend({
 		fwtool.addLimitOption(s);
 		fwtool.addLimitBurstOption(s);

-		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
-			_('Passes additional arguments to iptables. Use with care!'));
-		o.modalonly = true;
+		if (!L.hasSystemFeature('firewall4')) {
+			o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+				_('Passes additional arguments to iptables. Use with care!'));
+			o.modalonly = true;
+		}

 		o = s.taboption('timed', form.MultiValue, 'weekdays', _('Week Days'));
 		o.modalonly = true;
@ -452,11 +500,11 @@ return view.extend({
 		for (var i = 1; i <= 31; i++)
 			o.value(i);

-		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh.mm.ss)'));
+		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh:mm:ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';

-		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh.mm.ss)'));
+		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh:mm:ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';

--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/snats.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/snats.js
@ -9,6 +9,10 @@
 'require tools.widgets as widgets';

 function rule_proto_txt(s) {
+	var family = (uci.get('firewall', s, 'family') || '').toLowerCase().replace(/^(?:all|\*)$/, 'any');
+	var sip = uci.get('firewall', s, 'src_ip') || '';
+	var dip = uci.get('firewall', s, 'dest_ip') || '';
+	var rwip = uci.get('firewall', s, 'snat_ip') || '';
 	var proto = L.toArray(uci.get('firewall', s, 'proto')).filter(function(p) {
 		return (p != '*' && p != 'any' && p != 'all');
 	}).map(function(p) {
@ -19,7 +23,7 @@ function rule_proto_txt(s) {
 		};
 	});

-	m = String(uci.get('firewall', s, 'mark')).match(/^(!\s*)?(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
+	var m = String(uci.get('firewall', s, 'mark')).match(/^(!\s*)?(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
 	var f = m ? {
 		val:  m[0].toUpperCase().replace(/X/g, 'x'),
 		inv:  m[1],
@ -27,7 +31,9 @@ function rule_proto_txt(s) {
 		mask: m[3] ? '0x%02X'.format(+m[3]) : null
 	} : null;

-	return fwtool.fmt(_('Forwarded IPv4%{proto?, protocol %{proto#%{next?, }<var>%{item.name}</var>}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}'), {
+	return fwtool.fmt(_('Forwarded %{ipv6?%{ipv4?<var>IPv4</var> and <var>IPv6</var>:<var>IPv6</var>}:<var>IPv4</var>}%{proto?, protocol %{proto#%{next?, }<var>%{item.name}</var>}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}'), {
+		ipv4: (family == 'ipv4' || family == 'any' || (!family && sip.indexOf(':') == -1 && dip.indexOf(':') == -1 && rwip.indexOf(':') == -1)),
+		ipv6: (family == 'ipv6' || family == 'any' || (!family && (sip.indexOf(':') != -1 || dip.indexOf(':') != -1 || rwip.indexOf(':') != -1))),
 		proto: proto,
 		mark:  f
 	});
@ -37,7 +43,7 @@ function rule_src_txt(s, hosts) {
 	var z = uci.get('firewall', s, 'src');

 	return fwtool.fmt(_('From %{src}%{src_device?, interface <var>%{src_device}</var>}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		src: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName(null) }, [E('em', _('any zone'))]),
+		src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(null) }, [E('em', _('any zone'))]),
 		src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
 		src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port'))
 	});
@ -47,7 +53,7 @@ function rule_dest_txt(s) {
 	var z = uci.get('firewall', s, 'src');

 	return fwtool.fmt(_('To %{dest}%{dest_device?, via interface <var>%{dest_device}</var>}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
-		dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z || E('em', _('this device')))]),
+		dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
 		dest_ip: fwtool.map_invert(uci.get('firewall', s, 'dest_ip'), 'toLowerCase'),
 		dest_port: fwtool.map_invert(uci.get('firewall', s, 'dest_port')),
 		dest_device: uci.get('firewall', s, 'device')
@ -91,6 +97,44 @@ function rule_target_txt(s) {
 	}
 }

+function validate_opt_family(m, section_id, opt) {
+	var sopt = m.section.getOption('src_ip'),
+	    dopt = m.section.getOption('dest_ip'),
+	    rwopt = m.section.getOption('snat_ip'),
+	    fmopt = m.section.getOption('family'),
+	    tgopt = m.section.getOption('target');
+
+	if (!sopt.isValid(section_id) && opt != 'src_ip')
+		return true;
+	if (!dopt.isValid(section_id) && opt != 'dest_ip')
+		return true;
+	if (!rwopt.isValid(section_id) && opt != 'snat_ip')
+		return true;
+	if (!fmopt.isValid(section_id) && opt != 'family')
+		return true;
+	if (!tgopt.isValid(section_id) && opt != 'target')
+		return true;
+
+	var sip = sopt.formvalue(section_id) || '',
+	    dip = dopt.formvalue(section_id) || '',
+	    rwip = rwopt.formvalue(section_id) || '',
+	    fm = fmopt.formvalue(section_id) || '',
+	    tg = tgopt.formvalue(section_id);
+
+	if (fm == 'ipv6' && (sip.indexOf(':') != -1 || sip == '') && (dip.indexOf(':') != -1 || dip == '') && ((rwip.indexOf(':') != -1 && tg == 'SNAT') || rwip == ''))
+		return true;
+	if (fm == 'ipv4' && (sip.indexOf(':') == -1) && (dip.indexOf(':') == -1) && ((rwip.indexOf(':') == -1 && tg == 'SNAT') || rwip == ''))
+		return true;
+	if (fm == '' || fm == 'any') {
+		if ((sip.indexOf(':') != -1 || sip == '') && (dip.indexOf(':') != -1 || dip == '') && ((rwip.indexOf(':') != -1 && tg == 'SNAT') || rwip == ''))
+			return true;
+		if ((sip.indexOf(':') == -1) && (dip.indexOf(':') == -1) && ((rwip.indexOf(':') == -1 && tg == 'SNAT') || rwip == ''))
+			return true;
+	}
+
+	return _('Address family, source address, destination address, rewrite IP address must match');
+}
+
 return view.extend({
 	callHostHints: rpc.declare({
 		object: 'luci-rpc',
@ -123,6 +167,7 @@ return view.extend({
 		var hosts = data[0],
 		    devs = data[1],
 		    m, s, o;
+		var fw4 = L.hasSystemFeature('firewall4');

 		m = new form.Map('firewall', _('Firewall - NAT Rules'),
 			_('NAT rules allow fine grained control over the source IP to use for outbound or forwarded traffic.'));
@ -131,6 +176,7 @@ return view.extend({
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
+		s.cloneable = true;

 		s.tab('general', _('General Settings'));
 		s.tab('advanced', _('Advanced Settings'));
@ -166,6 +212,33 @@ return view.extend({
 		o.default = o.enabled;
 		o.editable = true;

+		if (fw4) {
+			o = s.taboption('general', form.ListValue, 'family', _('Restrict to address family'));
+			o.modalonly = true;
+			o.rmempty = true;
+			o.value('any', _('IPv4 and IPv6'));
+			o.value('ipv4', _('IPv4 only'));
+			o.value('ipv6', _('IPv6 only'));
+			o.value('', _('automatic'));  // infer from zone or used IP addresses
+			o.cfgvalue = function(section_id) {
+				var val = this.map.data.get(this.map.config, section_id, 'family');
+
+				if (!val)
+					return '';
+				else if (val == 'any' || val == 'all' || val == '*')
+					return 'any';
+				else if (val == 'inet' || String(val).indexOf('4') != -1)
+					return 'ipv4';
+				else if (String(val).indexOf('6') != -1)
+					return 'ipv6';
+			};
+			o.validate = function(section_id, value) {
+				fwtool.updateHostHints(this.map, section_id, 'src_ip', value, hosts);
+				fwtool.updateHostHints(this.map, section_id, 'dest_ip', value, hosts);
+				return !fw4?true:validate_opt_family(this, section_id, 'family');
+			};
+		}
+
 		o = s.taboption('general', fwtool.CBIProtocolSelect, 'proto', _('Protocol'));
 		o.modalonly = true;
 		o.default = 'all';
@ -178,9 +251,12 @@ return view.extend({
 		o.default = 'lan';

 		o = fwtool.addIPOption(s, 'general', 'src_ip', _('Source address'),
-			_('Match forwarded traffic from this IP or range.'), 'ipv4', hosts);
+			_('Match forwarded traffic from this IP or range.'), !fw4?'ipv4':'', hosts);
 		o.rmempty = true;
-		o.datatype = 'neg(ipmask4)';
+		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
+		o.validate = function(section_id, value) {
+			return !fw4?true:validate_opt_family(this, section_id, 'src_ip');
+		};

 		o = s.taboption('general', form.Value, 'src_port', _('Source port'),
 			_('Match forwarded traffic originating from the given source port or port range.'));
@ -192,9 +268,12 @@ return view.extend({
 		o.depends({ proto: 'udp', '!contains': true });

 		o = fwtool.addIPOption(s, 'general', 'dest_ip', _('Destination address'),
-			_('Match forwarded traffic directed at the given IP address.'), 'ipv4', hosts);
+			_('Match forwarded traffic directed at the given IP address.'), !fw4?'ipv4':'', hosts);
 		o.rmempty = true;
-		o.datatype = 'neg(ipmask4)';
+		o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
+		o.validate = function(section_id, value) {
+			return !fw4?true:validate_opt_family(this, section_id, 'dest_ip');
+		};

 		o = s.taboption('general', form.Value, 'dest_port', _('Destination port'),
 			_('Match forwarded traffic directed at the given destination port or port range.'));
@ -211,20 +290,22 @@ return view.extend({
 		o.value('SNAT', _('SNAT - Rewrite to specific source IP or port'));
 		o.value('MASQUERADE', _('MASQUERADE - Automatically rewrite to outbound interface IP'));
 		o.value('ACCEPT', _('ACCEPT - Disable address rewriting'));
+		o.validate = function(section_id, value) {
+			return !fw4?true:validate_opt_family(this, section_id, 'target');
+		};

 		o = fwtool.addLocalIPOption(s, 'general', 'snat_ip', _('Rewrite IP address'),
 			_('Rewrite matched traffic to the specified source IP address.'), devs);
 		o.placeholder = null;
 		o.depends('target', 'SNAT');
 		o.validate = function(section_id, value) {
-			var port = this.map.lookupOption('snat_port', section_id),
-			    a = this.formvalue(section_id),
-			    p = port ? port[0].formvalue(section_id) : null;
+			var a = this.formvalue(section_id),
+			    p = this.section.formvalue(section_id, 'snat_port');

 			if ((a == null || a == '') && (p == null || p == '') && value == '')
 				return _('A rewrite IP must be specified!');

-			return true;
+			return !fw4?true:validate_opt_family(this, section_id, 'snat_ip');
 		};

 		o = s.taboption('general', form.Value, 'snat_port', _('Rewrite port'),
@ -236,6 +317,17 @@ return view.extend({
 		o.depends({ proto: 'tcp', '!contains': true });
 		o.depends({ proto: 'udp', '!contains': true });

+		var have_fw4 = L.hasSystemFeature('firewall4')
+		if (!have_fw4) {
+			o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
+			uci.sections('firewall', 'ipset', function(s) {
+				if (typeof(s.name) == 'string')
+					o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
+			});
+			o.modalonly = true;
+			o.rmempty = true;
+		}
+
 		o = s.taboption('advanced', widgets.DeviceSelect, 'device', _('Outbound device'),
 			_('Matches forwarded traffic using the specified outbound network device.'));
 		o.noaliases = true;
@ -246,10 +338,12 @@ return view.extend({
 		fwtool.addLimitOption(s);
 		fwtool.addLimitBurstOption(s);

-		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
-			_('Passes additional arguments to iptables. Use with care!'));
-		o.modalonly = true;
-		o.rmempty = true;
+		if (!have_fw4) {
+			o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+				_('Passes additional arguments to iptables. Use with care!'));
+			o.modalonly = true;
+			o.rmempty = true;
+		}

 		o = s.taboption('timed', form.MultiValue, 'weekdays', _('Week Days'));
 		o.modalonly = true;
@ -278,11 +372,11 @@ return view.extend({
 		for (var i = 1; i <= 31; i++)
 			o.value(i);

-		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh.mm.ss)'));
+		o = s.taboption('timed', form.Value, 'start_time', _('Start Time (hh:mm:ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';

-		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh.mm.ss)'));
+		o = s.taboption('timed', form.Value, 'stop_time', _('Stop Time (hh:mm:ss)'));
 		o.modalonly = true;
 		o.datatype = 'timehhmmss';

--- a/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
+++ b/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
@ -33,6 +33,7 @@ return view.extend({
 		var ctHelpers = data[0],
 		    fwDefaults = data[1],
 		    m, s, o, inp, out;
+		var fw4 = L.hasSystemFeature('firewall4');

 		m = new form.Map('firewall', _('Firewall - Zone Settings'),
 			_('The firewall creates zones over your network interfaces to control network traffic flow.'));
@ -41,7 +42,20 @@ return view.extend({
 		s.anonymous = true;
 		s.addremove = false;

-		o = s.option(form.Flag, 'syn_flood', _('Enable SYN-flood protection'));
+		o = s.option(form.Flag, 'synflood_protect', _('Enable SYN-flood protection'));
+		o.cfgvalue = function(section_id) {
+			var val = uci.get('firewall', section_id, 'synflood_protect');
+			return (val != null) ? val : uci.get('firewall', section_id, 'syn_flood');
+		};
+		o.write = function(section_id, value) {
+			uci.unset('firewall', section_id, 'syn_flood');
+			uci.set('firewall', section_id, 'synflood_protect', value);
+		};
+		o.remove = function(section_id) {
+			uci.unset('firewall', section_id, 'syn_flood');
+			uci.unset('firewall', section_id, 'synflood_protect');
+		};
+
 		o = s.option(form.Flag, 'drop_invalid', _('Drop invalid packets'));

 		var p = [
@ -60,21 +74,27 @@ return view.extend({

 		if (L.hasSystemFeature('offloading')) {
 			s = m.section(form.TypedSection, 'defaults', _('Routing/NAT Offloading'),
-				_('Experimental feature. Not fully compatible with QoS/SQM.'));
+				_('Not fully compatible with QoS/SQM.'));

 			s.anonymous = true;
 			s.addremove = false;

-			o = s.option(form.Flag, 'flow_offloading',
-				_('Software flow offloading'),
-				_('Software based offloading for routing/NAT'));
-			o.optional = true;
-
-			o = s.option(form.Flag, 'flow_offloading_hw',
-				_('Hardware flow offloading'),
-				_('Requires hardware NAT support. Implemented at least for mt7621'));
-			o.optional = true;
-			o.depends('flow_offloading', '1');
+			o = s.option(form.RichListValue, "offloading_type", _("Flow offloading type"));
+			o.value('0', _("None"));
+			o.value('1', _("Software flow offloading"), _('Software based offloading for routing/NAT.'));
+			o.value('2', _("Hardware flow offloading"), _('Hardware based offloading for routing with/without NAT.') + ' ' + _(' Requires hardware NAT support.'));
+			o.optional = false;
+			o.load = function (section_id) {
+				var flow_offloading = uci.get('firewall', section_id, 'flow_offloading');
+				var flow_offloading_hw = uci.get('firewall', section_id, 'flow_offloading_hw');
+				return (flow_offloading === '1')
+					? (flow_offloading_hw === '1' ? '2' : '1')
+					: '0';
+			};
+			o.write = function(section_id, value) {
+				uci.set('firewall', section_id, 'flow_offloading', value === '0' ? null : '1');
+				uci.set('firewall', section_id, 'flow_offloading_hw', value === '2' ? '1' : null);
+			};
 		}


@ -82,6 +102,7 @@ return view.extend({
 		s.addremove = true;
 		s.anonymous = true;
 		s.sortable  = true;
+		s.nodescriptions = true;

 		s.handleRemove = function(section_id, ev) {
 			return firewall.deleteZone(section_id).then(L.bind(function() {
@ -129,7 +150,7 @@ return view.extend({
 		var p = [
 			s.taboption('general', form.ListValue, 'input', _('Input')),
 			s.taboption('general', form.ListValue, 'output', _('Output')),
-			s.taboption('general', form.ListValue, 'forward', _('Forward'))
+			s.taboption('general', form.ListValue, 'forward', _('Intra zone forward'))
 		];

 		for (var i = 0; i < p.length; i++) {
@ -143,9 +164,20 @@ return view.extend({
 		p[1].default = fwDefaults.getOutput();
 		p[2].default = fwDefaults.getForward();

-		o = s.taboption('general', form.Flag, 'masq', _('Masquerading'));
+		o = s.taboption('general', form.Flag, 'masq', _('Masquerading'),
+			_('Enable network address and port translation IPv4 (NAT4 or NAPT4) for outbound traffic on this zone. This is typically enabled on the <em>wan</em> zone.'));
 		o.editable = true;
+		o.tooltip = function(section_id) {
+			var family = uci.get('firewall', section_id, 'family')
+			var masq_src = uci.get('firewall', section_id, 'masq_src')
+			var masq_dest = uci.get('firewall', section_id, 'masq_dest')
+			if ((!family || family.indexOf('6') == -1) && (masq_src || masq_dest))
+				return _('Limited masquerading enabled');

+			return null;
+		};
+
+		/*
 		o = s.taboption('general', form.Flag, 'fullcone', _('Full Cone'));
 		o.editable = true;
 		o.depends('masq', '1');
@ -153,6 +185,7 @@ return view.extend({
 		o = s.taboption('general', form.Flag, 'fullcone6', _('Full Cone IPv6'));
 		o.editable = true;
 		o.depends('masq', '1');
+		*/

 		o = s.taboption('general', form.Flag, 'mtu_fix', _('MSS clamping'));
 		o.modalonly = true;
@ -165,21 +198,24 @@ return view.extend({
 		};
 		o.write = function(section_id, formvalue) {
 			var name = uci.get('firewall', section_id, 'name'),
-			    cfgvalue = this.cfgvalue(section_id);
+			    cfgvalue = this.cfgvalue(section_id),
+			    oldNetworks = L.toArray(cfgvalue),
+			    newNetworks = L.toArray(formvalue);

-			/*
-			if (typeof(cfgvalue) == 'string' && Array.isArray(formvalue) && (cfgvalue == formvalue.join(' ')))
+			oldNetworks.sort();
+			newNetworks.sort();
+
+			if (oldNetworks.join(' ') == newNetworks.join(' '))
 				return;
-			*/

 			var tasks = [ firewall.getZone(name) ];

 			if (Array.isArray(formvalue))
-				for (var i = 0; i < formvalue.length; i++) {
-					var netname = formvalue[i];
-					tasks.push(network.getNetwork(netname).then(function(net) {
+				for (var i = 0; i < newNetworks.length; i++) {
+					var netname = newNetworks[i];
+					tasks.push(network.getNetwork(netname).then(L.bind(function(netname, net) {
 						return net || network.addNetwork(netname, { 'proto': 'none' });
-					}));
+					}, this, netname)));
 				}

 			return Promise.all(tasks).then(function(zone_networks) {
@ -208,10 +244,24 @@ return view.extend({
 		o.multiple = true;

 		o = s.taboption('advanced', form.DynamicList, 'subnet', _('Covered subnets'), _('Use this option to classify zone traffic by source or destination subnet instead of networks or devices.'));
-		o.datatype = 'neg(cidr)';
+		o.datatype = 'neg(cidr("true"))';
 		o.modalonly = true;
 		o.multiple = true;

+		if (fw4) {
+			o = s.taboption('advanced', form.Flag, 'masq6', _('IPv6 Masquerading'),
+				_('Enable network address and port translation IPv6 (NAT6 or NAPT6) for outbound traffic on this zone.'));
+			o.modalonly = true;
+			o.tooltip = function(section_id) {
+				var family = uci.get('firewall', section_id, 'family')
+				var masq_src = uci.get('firewall', section_id, 'masq_src')
+				var masq_dest = uci.get('firewall', section_id, 'masq_dest')
+				if ((!family || family.indexOf('6') >= 0) && (masq_src || masq_dest))
+					return _('Limited masquerading enabled');
+				return null;
+			};
+		}
+
 		o = s.taboption('advanced', form.ListValue, 'family', _('Restrict to address family'));
 		o.value('', _('IPv4 and IPv6'));
 		o.value('ipv4', _('IPv4 only'));
@ -219,16 +269,24 @@ return view.extend({
 		o.modalonly = true;

 		o = s.taboption('advanced', form.DynamicList, 'masq_src', _('Restrict Masquerading to given source subnets'));
-		o.depends('family', '');
-		o.depends('family', 'ipv4');
-		o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
+		if (fw4) {
+			o.datatype = 'list(neg(or(uciname,hostname,ipmask)))';
+		} else {
+			o.depends('family', '');
+			o.depends('family', 'ipv4');
+			o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
+		}
 		o.placeholder = '0.0.0.0/0';
 		o.modalonly = true;

 		o = s.taboption('advanced', form.DynamicList, 'masq_dest', _('Restrict Masquerading to given destination subnets'));
-		o.depends('family', '');
-		o.depends('family', 'ipv4');
-		o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
+		if (fw4) {
+			o.datatype = 'list(neg(or(uciname,hostname,ipmask)))';
+		} else {
+			o.depends('family', '');
+			o.depends('family', 'ipv4');
+			o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
+		}
 		o.placeholder = '0.0.0.0/0';
 		o.modalonly = true;

@ -243,8 +301,7 @@ return view.extend({
 		o.depends('auto_helper', '0');
 		o.modalonly = true;
 		for (var i = 0; i < ctHelpers.length; i++)
-			//o.value(ctHelpers[i].name, '<span class="hide-close">%s (%s)</span><span class="hide-open">%s</span>'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase(), ctHelpers[i].name.toUpperCase()));
-			o.value(ctHelpers[i].name, '%s (%s)'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase()));
+			o.value(ctHelpers[i].name, E('<span><span class="hide-close">%s (%s)</span><span class="hide-open">%s</span></span>'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase(), ctHelpers[i].name.toUpperCase())));

 		o = s.taboption('advanced', form.Flag, 'log', _('Enable logging on this zone'));
 		o.modalonly = true;
@ -254,32 +311,34 @@ return view.extend({
 		o.placeholder = '10/minute';
 		o.modalonly = true;

-		o = s.taboption('extra', form.DummyValue, '_extrainfo');
-		o.rawhtml = true;
-		o.modalonly = true;
-		o.cfgvalue = function(section_id) {
-			return _('Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.');
-		};
+		if (!L.hasSystemFeature('firewall4')) {
+			o = s.taboption('extra', form.DummyValue, '_extrainfo');
+			o.rawhtml = true;
+			o.modalonly = true;
+			o.cfgvalue = function(section_id) {
+				return _('Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.');
+			};

-		o = s.taboption('extra', form.Value, 'extra_src', _('Extra source arguments'), _('Additional raw <em>iptables</em> arguments to classify zone source traffic, e.g. <code>-p tcp --sport 443</code> to only match inbound HTTPS traffic.'));
-		o.modalonly = true;
-		o.cfgvalue = function(section_id) {
-			return uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
-		};
-		o.write = function(section_id, value) {
-			uci.unset('firewall', section_id, 'extra');
-			uci.set('firewall', section_id, 'extra_src', value);
-		};
+			o = s.taboption('extra', form.Value, 'extra_src', _('Extra source arguments'), _('Additional raw <em>iptables</em> arguments to classify zone source traffic, e.g. <code>-p tcp --sport 443</code> to only match inbound HTTPS traffic.'));
+			o.modalonly = true;
+			o.cfgvalue = function(section_id) {
+				return uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
+			};
+			o.write = function(section_id, value) {
+				uci.unset('firewall', section_id, 'extra');
+				uci.set('firewall', section_id, 'extra_src', value);
+			};

-		o = s.taboption('extra', form.Value, 'extra_dest', _('Extra destination arguments'), _('Additional raw <em>iptables</em> arguments to classify zone destination traffic, e.g. <code>-p tcp --dport 443</code> to only match outbound HTTPS traffic.'));
-		o.modalonly = true;
-		o.cfgvalue = function(section_id) {
-			return uci.get('firewall', section_id, 'extra_dest') || uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
-		};
-		o.write = function(section_id, value) {
-			uci.unset('firewall', section_id, 'extra');
-			uci.set('firewall', section_id, 'extra_dest', value);
-		};
+			o = s.taboption('extra', form.Value, 'extra_dest', _('Extra destination arguments'), _('Additional raw <em>iptables</em> arguments to classify zone destination traffic, e.g. <code>-p tcp --dport 443</code> to only match outbound HTTPS traffic.'));
+			o.modalonly = true;
+			o.cfgvalue = function(section_id) {
+				return uci.get('firewall', section_id, 'extra_dest') || uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
+			};
+			o.write = function(section_id, value) {
+				uci.unset('firewall', section_id, 'extra');
+				uci.set('firewall', section_id, 'extra_dest', value);
+			};
+		}

 		o = s.taboption('general', form.DummyValue, '_forwardinfo');
 		o.rawhtml = true;
--- a/luci-app-firewall/po/ar/firewall.po
+++ b/luci-app-firewall/po/ar/firewall.po
--- a/luci-app-firewall/po/bg/firewall.po
+++ b/luci-app-firewall/po/bg/firewall.po
--- a/luci-app-firewall/po/bn_BD/firewall.po
+++ b/luci-app-firewall/po/bn_BD/firewall.po
--- a/luci-app-firewall/po/ca/firewall.po
+++ b/luci-app-firewall/po/ca/firewall.po
--- a/luci-app-firewall/po/cs/firewall.po
+++ b/luci-app-firewall/po/cs/firewall.po
--- a/luci-app-firewall/po/da/firewall.po
+++ b/luci-app-firewall/po/da/firewall.po
--- a/luci-app-firewall/po/de/firewall.po
+++ b/luci-app-firewall/po/de/firewall.po
--- a/luci-app-firewall/po/el/firewall.po
+++ b/luci-app-firewall/po/el/firewall.po
--- a/luci-app-firewall/po/es/firewall.po
+++ b/luci-app-firewall/po/es/firewall.po
--- a/luci-app-firewall/po/fa/firewall.po
+++ b/luci-app-firewall/po/fa/firewall.po
--- a/luci-app-firewall/po/fi/firewall.po
+++ b/luci-app-firewall/po/fi/firewall.po
--- a/luci-app-firewall/po/fr/firewall.po
+++ b/luci-app-firewall/po/fr/firewall.po
--- a/luci-app-firewall/po/ga/firewall.po
+++ b/luci-app-firewall/po/ga/firewall.po
--- a/luci-app-firewall/po/he/firewall.po
+++ b/luci-app-firewall/po/he/firewall.po
--- a/luci-app-firewall/po/hi/firewall.po
+++ b/luci-app-firewall/po/hi/firewall.po
--- a/luci-app-firewall/po/hu/firewall.po
+++ b/luci-app-firewall/po/hu/firewall.po
--- a/luci-app-firewall/po/id/firewall.po
+++ b/luci-app-firewall/po/id/firewall.po
--- a/luci-app-firewall/po/it/firewall.po
+++ b/luci-app-firewall/po/it/firewall.po
--- a/luci-app-firewall/po/ja/firewall.po
+++ b/luci-app-firewall/po/ja/firewall.po
--- a/luci-app-firewall/po/ka/firewall.po
+++ b/luci-app-firewall/po/ka/firewall.po
--- a/luci-app-firewall/po/ko/firewall.po
+++ b/luci-app-firewall/po/ko/firewall.po
--- a/luci-app-firewall/po/lt/firewall.po
+++ b/luci-app-firewall/po/lt/firewall.po
--- a/luci-app-firewall/po/mr/firewall.po
+++ b/luci-app-firewall/po/mr/firewall.po
--- a/luci-app-firewall/po/ms/firewall.po
+++ b/luci-app-firewall/po/ms/firewall.po
--- a/luci-app-firewall/po/nb_NO/firewall.po
+++ b/luci-app-firewall/po/nb_NO/firewall.po
--- a/luci-app-firewall/po/nl/firewall.po
+++ b/luci-app-firewall/po/nl/firewall.po
--- a/luci-app-firewall/po/pl/firewall.po
+++ b/luci-app-firewall/po/pl/firewall.po
--- a/luci-app-firewall/po/pt/firewall.po
+++ b/luci-app-firewall/po/pt/firewall.po
--- a/luci-app-firewall/po/pt_BR/firewall.po
+++ b/luci-app-firewall/po/pt_BR/firewall.po
--- a/luci-app-firewall/po/ro/firewall.po
+++ b/luci-app-firewall/po/ro/firewall.po
--- a/luci-app-firewall/po/ru/firewall.po
+++ b/luci-app-firewall/po/ru/firewall.po
--- a/luci-app-firewall/po/si/firewall.po
+++ b/luci-app-firewall/po/si/firewall.po
--- a/luci-app-firewall/po/sk/firewall.po
+++ b/luci-app-firewall/po/sk/firewall.po
--- a/luci-app-firewall/po/sr/firewall.po
+++ b/luci-app-firewall/po/sr/firewall.po
--- a/luci-app-firewall/po/sv/firewall.po
+++ b/luci-app-firewall/po/sv/firewall.po
--- a/luci-app-firewall/po/templates/firewall.pot
+++ b/luci-app-firewall/po/templates/firewall.pot
--- a/luci-app-firewall/po/tr/firewall.po
+++ b/luci-app-firewall/po/tr/firewall.po
--- a/Show more
+++ b/Show more