ucentral-schema: update to latest HEAD

* minor fixes to handling of boolean values Signed-off-by: John Crispin <john@phrozen.org>
proxy_arp: fix a race condition between hostapd and netifd
2025-10-31 10:28:06 +00:00 · 2021-09-08 08:22:32 +02:00 · 2021-09-02 13:55:54 +02:00
9750 changed files with 1214114 additions and 2009660 deletions
--- a/.github/actions/create-ami-from-image/action.yml
+++ b/.github/actions/create-ami-from-image/action.yml
@@ -1,39 +0,0 @@
 name: Create AMI from firmware image in S3 bucket
 inputs:
  firmware_image_name:
    description: Name of the firmware image
    required: true
  firmware_image_s3_bucket:
    description: Name of the S3 bucket where the image resides
    required: true
 runs:
  using: "composite"
  steps:
    - name: Import snapshot based on firmware image
      id: import_snapshot
      shell: bash
      run: |
        echo "import_task_id=$(aws ec2 import-snapshot --description '${{ inputs.firmware_image_name }}' --disk-container 'Format=raw,UserBucket={S3Bucket=${{ inputs.firmware_image_s3_bucket }},S3Key=${{ inputs.firmware_image_name }}}' | jq -r '.ImportTaskId')" >> $GITHUB_OUTPUT
    - name: Wait for import task to complete and get snapshot ID
      id: get_snapshot_id
      shell: bash
      run: |
        IMPORT_TASK_STATUS=""
        while [[ $IMPORT_TASK_STATUS != 'completed' ]]; do
          IMPORT_TASK_STATUS=$(aws ec2 describe-import-snapshot-tasks --import-task-ids ${{ steps.import_snapshot.outputs.import_task_id }} | jq -r '.ImportSnapshotTasks[].SnapshotTaskDetail.Status')
          echo "Import task status is $IMPORT_TASK_STATUS, waiting for completion."
        done
        echo "id=$(aws ec2 describe-import-snapshot-tasks --import-task-ids ${{ steps.import_snapshot.outputs.import_task_id }} | jq -r '.ImportSnapshotTasks[].SnapshotTaskDetail.SnapshotId')" >> $GITHUB_OUTPUT
    - name: Tag snapshot with image name
      shell: bash
      run: |
        aws ec2 create-tags --resources ${{ steps.get_snapshot_id.outputs.id }} --tags 'Key=Name,Value=${{ inputs.firmware_image_name }}'
    - name: Register AMI based on snapshot
      shell: bash
      run: |
        aws ec2 register-image --name '${{ inputs.firmware_image_name }}' --root-device-name /dev/xvda --block-device-mappings 'DeviceName=/dev/xvda,Ebs={SnapshotId=${{ steps.get_snapshot_id.outputs.id }}}'
--- a/.github/workflows/build-dev.yml
+++ b/.github/workflows/build-dev.yml
@@ -1,34 +1,20 @@
 name: Build OpenWrt/uCentral images
 env:
  AWS_DEFAULT_OUTPUT: json
  AWS_DEFAULT_REGION: us-east-1
  AWS_S3_BUCKET_NAME: ucentral-ap-firmware
  AWS_ACCOUNT_ID: ${{ secrets.UCENTRAL_S3_ACCOUNT_ID }}
  AWS_ACCESS_KEY_ID: ${{ secrets.UCENTRAL_S3_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.UCENTRAL_S3_ACCESS_KEY_SECRET }}
 on:
  push:
-    branches: [ main, next, staging-* ]
+    branches: [ uCentral-* ]
    tags: [ v* ]
 jobs:
  build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    outputs:
      x64_vm_image_name: ${{ steps.package_and_upload_image.outputs.x64_vm_image_name }}
    strategy:
      fail-fast: false
      matrix:
-        target: [ 'cig_wf189h', 'cig_wf189w', 'cig_wf660a', 'cig_wf672', 'cig_wf186h', 'cig_wf186w', 'cig_wf188n', 'cig_wf189', 'cig_wf196', 'cig_wf196', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'sonicfi_rap630w-312g', 'sonicfi_rap63xc-211g', 'sonicfi_rap630c-311g', 'sonicfi_rap630w-311g', 'sonicfi_rap630w-211g', 'sonicfi_rap650c', 'sonicfi_rap7110c-341x', 'sonicfi_rap750e-h', 'sonicfi_rap750e-s', 'sonicfi_rap750w-311a', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap105', 'edgecore_eap111', 'edgecore_eap112', 'edgecore_oap101', 'edgecore_oap101-6e', 'edgecore_oap101e', 'edgecore_oap101e-6e', 'edgecore_oap103', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'hfcl_ion4x_3', 'hfcl_ion4xi_w', 'hfcl_ion4x_w', 'indio_um-305ax', 'senao_iap4300m', 'senao_iap2300m', 'senao_jeap6500', 'udaya_a6-id2', 'udaya_a6-od2', 'yuncore_ax820', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655', 'emplus_wap588m', 'zyxel_nwa130be', 'sercomm_ap72tip-v4' ]
+        target: ['cig_wf188', 'cig_wf194c', 'cig_wf160d', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_ecs4100-12ph', 'edgecore_ecw5211', 'edgecore_ecw5410', 'edgecore_oap100', 'edgecore_ssw2ac2600', 'edgecore_spw2ac1200', 'indio_um-305ac', 'linksys_e8450-ubi', 'linksys_ea8300', 'mikrotik_nand', 'tplink_cpe210_v3', 'tplink_cpe510_v3', 'tplink_eap225_outdoor_v1', 'tplink_ec420', 'tplink_ex227', 'tplink_ex228', 'tplink_ex447', 'wallys_dr40x9' ]
    steps:
    - uses: actions/checkout@v3
-    # Clean unnecessary files to save disk space
+    steps:
-    - name: clean unncessary files to save space
+    - uses: actions/checkout@v2
      run: |
        docker rmi `docker images -q` || true
    - name: Build image for ${{ matrix.target }}
      id: build
@@ -38,12 +24,17 @@ jobs:
        make -j TARGET=${{ matrix.target }}
    - name: Package and upload image for ${{ matrix.target }}
      id: package_and_upload_image
      env:
          GH_BUILD_USERNAME: ${{ secrets.GH_BUILD_USERNAME }}
          GH_BUILD_PASSWORD: ${{ secrets.GH_BUILD_PASSWORD }}
          ARTIFACTORY_USERNAME: cicd-indoor-main
          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
          AWS_S3_BUCKET_NAME: ucentral-ap-firmware
          AWS_DEFAULT_OUTPUT: json
          AWS_DEFAULT_REGION: us-east-1
          AWS_ACCOUNT_ID: ${{ secrets.UCENTRAL_S3_ACCOUNT_ID }}
          AWS_ACCESS_KEY_ID: ${{ secrets.UCENTRAL_S3_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.UCENTRAL_S3_ACCESS_KEY_SECRET }}
      run: |
        LOWERCASE_TARGET=`echo ${{ matrix.target }} | tr '[:upper:]' '[:lower:]'`
        HASH=$(git rev-parse --short HEAD)
@@ -51,10 +42,8 @@ jobs:
        if [[ ${GITHUB_REF} == "refs/heads/"* ]]
        then
          REF=$(echo ${GITHUB_REF#refs/heads/} | tr '/' '-')
          IS_RELEASE="false"
        else
          REF=$(echo ${GITHUB_REF#refs/tags/} | tr '/' '-')
          IS_RELEASE="true"
        fi
        BASENAME="$(date +%Y%m%d)-$LOWERCASE_TARGET-$REF-$HASH"
@@ -71,36 +60,4 @@ jobs:
        [ -f openwrt/tmp/image-file ] && curl -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "latest-upgrade.json" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/latest-upgrade.json"
        [ -f openwrt/tmp/image-file ] && aws s3 cp --acl public-read --content-type "application/octet-stream" "openwrt/$(cat openwrt/tmp/image-file)" "s3://$AWS_S3_BUCKET_NAME/$IMG_NAME"
        [ -f openwrt/tmp/image-file ] && aws s3api put-object-tagging --bucket "$AWS_S3_BUCKET_NAME" --key "$IMG_NAME" --tagging "{\"TagSet\":[{\"Key\":\"release\",\"Value\":\"$IS_RELEASE\"}]}"
        [ -f openwrt/tmp/image-file ] && aws s3 cp --acl public-read --content-type "application/json" "latest-upgrade.json" "s3://$AWS_S3_BUCKET_NAME/$JSON_NAME"
        [ -f openwrt/tmp/image-file ] && aws s3api put-object-tagging --bucket "$AWS_S3_BUCKET_NAME" --key "$JSON_NAME" --tagging "{\"TagSet\":[{\"Key\":\"release\",\"Value\":\"$IS_RELEASE\"}]}"
        if [ ${{ matrix.target }} == 'x64_vm' ]; then
          echo "x64_vm_image_name=$(echo $IMG_NAME)" >> $GITHUB_OUTPUT
        fi
  trigger-testing:
    runs-on: ubuntu-22.04
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
    - name: Trigger testing of release
      uses: peter-evans/repository-dispatch@v1
      with:
        token: ${{ secrets.WLAN_TESTING_PAT }}
        repository: Telecominfraproject/wlan-testing
        event-type: new-ap-release
        client-payload: '{"ref": "${GITHUB_REF#refs/tags/}", "sha": "${{ github.sha }}"}'
  create-x64_vm-ami:
    runs-on: ubuntu-22.04
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
    - uses: actions/checkout@v3
    - name: Use create-ami-from-image composite action
      uses: ./.github/actions/create-ami-from-image
      with:
        firmware_image_name: ${{ needs.build.outputs.x64_vm_image_name }}
        firmware_image_s3_bucket: ${{ env.AWS_S3_BUCKET_NAME }}
--- a/.github/workflows/x64_vm-build-test.yml
+++ b/.github/workflows/x64_vm-build-test.yml
@@ -1,88 +0,0 @@
 name: Test x64_vm build and AMI creation
 env:
  AWS_DEFAULT_OUTPUT: json
  AWS_DEFAULT_REGION: us-east-1
  AWS_S3_BUCKET_NAME: ucentral-ap-firmware
  AWS_ACCOUNT_ID: ${{ secrets.UCENTRAL_S3_ACCOUNT_ID }}
  AWS_ACCESS_KEY_ID: ${{ secrets.UCENTRAL_S3_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.UCENTRAL_S3_ACCESS_KEY_SECRET }}
 on:
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      x64_vm_image_name: ${{ steps.package_and_upload_image.outputs.x64_vm_image_name }}
    strategy:
      fail-fast: false
      matrix:
        target: ['x64_vm']
    steps:
    - uses: actions/checkout@v3
    - name: Build image for ${{ matrix.target }}
      id: build
      run: |
        git config --global user.email "you@example.com"
        git config --global user.name "Your Name"
        make -j TARGET=${{ matrix.target }}        make -j TARGET=${{ matrix.target }}
    - name: Package and upload image for ${{ matrix.target }}
      id: package_and_upload_image
      env:
        GH_BUILD_USERNAME: ${{ secrets.GH_BUILD_USERNAME }}
        GH_BUILD_PASSWORD: ${{ secrets.GH_BUILD_PASSWORD }}
        ARTIFACTORY_USERNAME: cicd-indoor-main
        ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
      run: |
        LOWERCASE_TARGET=`echo ${{ matrix.target }} | tr '[:upper:]' '[:lower:]'`
        HASH=$(git rev-parse --short HEAD)
        if [[ ${GITHUB_REF} == "refs/heads/"* ]]
        then
          REF=$(echo ${GITHUB_REF#refs/heads/} | tr '/' '-')
          IS_RELEASE="false"
        else
          REF=$(echo ${GITHUB_REF#refs/tags/} | tr '/' '-')
          IS_RELEASE="true"
        fi
        BASENAME="$(date +%Y%m%d)-$LOWERCASE_TARGET-$REF-$HASH"
        TAR_NAME="$BASENAME.tar.gz"
        IMG_NAME="$BASENAME-upgrade.bin";
        JSON_NAME="$BASENAME.json";
        tar cfz "$TAR_NAME" -C openwrt/bin/targets/ .
        curl -s -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "$TAR_NAME" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/"$TAR_NAME""
        IMG_NAME="$BASENAME-upgrade.bin";
        TIP_VERSION="$(grep DISTRIB_TIP= openwrt/tmp/openwrt_release | cut -d\' -f2)"
        echo -e "{\n\t\"image\":\""${IMG_NAME}"\",\n\t\"revision\": \""${TIP_VERSION}"\",\n\t\"timestamp\":\""$(date +%s)"\",\n\t\"compatible\": \""${LOWERCASE_TARGET}"\"\n}" > latest-upgrade.json
        [ -f openwrt/tmp/image-file ] && curl -s -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "openwrt/$(cat openwrt/tmp/image-file)" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/"$IMG_NAME""
        [ -f openwrt/tmp/image-file ] && curl -s -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "latest-upgrade.json" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/latest-upgrade.json"
        [ -f openwrt/tmp/image-file ] && aws s3 cp --acl public-read --content-type "application/octet-stream" "openwrt/$(cat openwrt/tmp/image-file)" "s3://$AWS_S3_BUCKET_NAME/$IMG_NAME"
        [ -f openwrt/tmp/image-file ] && aws s3api put-object-tagging --bucket "$AWS_S3_BUCKET_NAME" --key "$IMG_NAME" --tagging "{\"TagSet\":[{\"Key\":\"release\",\"Value\":\"$IS_RELEASE\"}]}"
        [ -f openwrt/tmp/image-file ] && aws s3 cp --acl public-read --content-type "application/json" "latest-upgrade.json" "s3://$AWS_S3_BUCKET_NAME/$JSON_NAME"
        [ -f openwrt/tmp/image-file ] && aws s3api put-object-tagging --bucket "$AWS_S3_BUCKET_NAME" --key "$JSON_NAME" --tagging "{\"TagSet\":[{\"Key\":\"release\",\"Value\":\"$IS_RELEASE\"}]}"
        if [[ ${{ matrix.target }} == 'x64_vm' ]]; then
            echo "x64_vm_image_name=$(echo $IMG_NAME)" >> $GITHUB_OUTPUT
        fi
  create-x64_vm-ami:
    runs-on: ubuntu-latest
    needs: build
    steps:
    - uses: actions/checkout@v3
      with:
        ref: WIFI-7206-add-workflow-to-build-virtual-ap-image
    - name: Use create-ami-from-image composite action
      uses: ./.github/actions/create-ami-from-image
      with:
        firmware_image_name: ${{ needs.build.outputs.x64_vm_image_name }}
        firmware_image_s3_bucket: ${{ env.AWS_S3_BUCKET_NAME }}
--- a/28
+++ b/28
@@ -1,28 +0,0 @@
 BSD 3-Clause License
 Copyright (c) 2024, Telecom Infra Project
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
 3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/README.md
+++ b/README.md
@@ -1,83 +1,20 @@
-# OpenWiFi AP NOS
+# Setting up your build machine
-OpenWrt-based access point network operating system (AP NOS) for TIP OpenWiFi.
+Requires a recent linux installation. Older systems without python 3.7 will have trouble.  See this link for details: https://openwrt.org/docs/guide-developer/quickstart-build-images
 Read more at [openwifi.tip.build](https://openwifi.tip.build/).
-## Building
+Install build packages:  sudo apt install build-essential libncurses5-dev gawk git libssl-dev gettext zlib1g-dev swig unzip time rsync python3 python3-setuptools python3-yaml.
-### Setting up your build machine
+# Doing a native build on Linux
-
+First we need to clone and setup our tree. This will result in an openwrt/.
 Building requires a recent Linux installation. Older systems without Python 3.7
 will have trouble. See this guide for details:
 https://openwrt.org/docs/guide-developer/toolchain/beginners-build-guide
 Install build packages on Debian/Ubuntu (or see above guide for other systems):
 ```
-sudo apt install build-essential libncurses5-dev gawk git libssl-dev gettext zlib1g-dev swig unzip time rsync python3 python3-setuptools python3-yaml
+./setup.py --setup
 ```
-
+Next we need to select the profile and base package selection. This setup will install the feeds, packages and generate the .config file.
 ### Doing a native build on Linux
 Use `./build.sh <target>`, or follow the manual steps below:
 1. Clone and set up the tree. This will create an `openwrt/` directory.
 ```shell
 ./setup.py --setup    # for subsequent builds, use --rebase instead
 ```
 2. Select the profile and base package selection. This setup will install the
   feeds and packages and generate the `.config` file.
 ```shell
 cd openwrt
-./scripts/gen_config.py linksys_ea8300
+./scripts/gen_config.py ea8300
 ```
-
+Finally we can build the tree.
-3. Build the tree (replace `-j 8` with the number of cores to use).
+```
-```shell
+make -j X V=s
 make -j 8 V=s
 ```
 ### Build output
 The build results are located in the `openwrt/bin/` directory:
 | Type             | Path                                                 |
 | ---------------- | ---------------------------------------------------- |
 | Firmware images  | `openwrt/bin/targets/<target>/<subtarget>/`          |
 | Kernel modules   | `openwrt/bin/targets/<target>/<subtarget>/packages/` |
 | Package binaries | `openwrt/bin/packages/<platform>/<feed>/`            |
 ## Developer Notes
 ### Branching model
 - `main` - Stable dev branch
 - `next` - Integration branch
 - `staging-*` - Feature/bug branches
 - `release/v#.#.#` - Release branches (*major.minor.patch*)
 ### Repository structure
 Build files:
 - `Makefile` - Calls Docker environment per target
 - `dock-run.sh` - Dockerized build environment
 - `docker/Dockerfile` - Dockerfile for build image
 - `build.sh` - Build script
 - `setup.py` - Clone and set up the tree
 - `config.yml` - Specifies OpenWrt version and patches to apply
 Directories:
 - `feeds/` - OpenWiFi feeds
 - `patches/` - OpenWiFi patches applied during builds
 - `profiles/` - Per-target kernel configs, packages, and feeds
    - [wifi-ax](profiles/wifi-ax.yml): Wi-Fi AX packages
    - [ucentral-ap](profiles/ucentral-ap.yml): uCentral packages
    - [x64_vm](profiles/x64_vm.yml): x86-64 VM image
 ### uCentral packages
 AP-NOS packages implementing the uCentral protocol include the following
 repositories (refer to the [ucentral](feeds/ucentral/) feed for a full list):
 - ucentral-client: https://github.com/Telecominfraproject/wlan-ucentral-client
 - ucentral-schema: https://github.com/Telecominfraproject/wlan-ucentral-schema
 - ucentral-wifi: https://github.com/blogic/ucentral-wifi
--- a/backports/0001-build-build-kernel-image-before-building-modules-pac.patch
+++ b/backports/0001-build-build-kernel-image-before-building-modules-pac.patch
@@ -0,0 +1,48 @@
 From 08be0915e06fb6f2b62c022099e82bb4d849a8c6 Mon Sep 17 00:00:00 2001
 From: Felix Fietkau <nbd@nbd.name>
 Date: Thu, 22 Oct 2020 10:29:34 +0200
 Subject: [PATCH 1/9] build: build kernel image before building
 modules/packages
 This is needed for linux 5.10, where modules.builtin is generated from
 vmlinux.o
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 include/kernel-defaults.mk | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/include/kernel-defaults.mk b/include/kernel-defaults.mk
 index e5a0ba367b..b069c1e671 100644
 --- a/include/kernel-defaults.mk
 +++ b/include/kernel-defaults.mk
@@ -113,7 +113,7 @@ endef
 define Kernel/CompileModules/Default
 	rm -f $(LINUX_DIR)/vmlinux $(LINUX_DIR)/System.map
 -	+$(KERNEL_MAKE) modules
 +	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all) modules
 endef
 OBJCOPY_STRIP = -R .reginfo -R .notes -R .note -R .comment -R .mdebug -R .note.gnu.build-id
@@ -137,7 +137,7 @@ endef
 define Kernel/CompileImage/Default
 	rm -f $(TARGET_DIR)/init
 -	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all) modules
 +	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all)
 	$(call Kernel/CopyImage)
 endef
@@ -147,7 +147,7 @@ define Kernel/CompileImage/Initramfs
 	$(CP) $(GENERIC_PLATFORM_DIR)/other-files/init $(TARGET_DIR)/init
 	$(if $(SOURCE_DATE_EPOCH),touch -hcd "@$(SOURCE_DATE_EPOCH)" $(TARGET_DIR)/init)
 	rm -rf $(KERNEL_BUILD_DIR)/linux-$(LINUX_VERSION)/usr/initramfs_data.cpio*
 -	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all) modules
 +	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all)
 	$(call Kernel/CopyImage,-initramfs)
 endef
 else
 -- 
 2.25.1
--- a/backports/0002-build-fix-build-with-CONFIG_STRIP_KERNEL_EXPORTS.patch
+++ b/backports/0002-build-fix-build-with-CONFIG_STRIP_KERNEL_EXPORTS.patch
@@ -0,0 +1,46 @@
 From 6d2e2ff2778ca6360af9bf1e712d7ff276afa54b Mon Sep 17 00:00:00 2001
 From: Felix Fietkau <nbd@nbd.name>
 Date: Wed, 17 Feb 2021 13:49:14 +0100
 Subject: [PATCH 2/9] build: fix build with CONFIG_STRIP_KERNEL_EXPORTS
 Only use symtab.h on the final kernel link
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 include/kernel-defaults.mk | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/include/kernel-defaults.mk b/include/kernel-defaults.mk
 index b069c1e671..93eed54ae1 100644
 --- a/include/kernel-defaults.mk
 +++ b/include/kernel-defaults.mk
@@ -3,7 +3,7 @@
 # Copyright (C) 2006-2020 OpenWrt.org
 ifdef CONFIG_STRIP_KERNEL_EXPORTS
 -  KERNEL_MAKEOPTS += \
 +  KERNEL_MAKEOPTS_IMAGE += \
 	EXTRA_LDSFLAGS="-I$(KERNEL_BUILD_DIR) -include symtab.h"
 endif
@@ -137,7 +137,7 @@ endef
 define Kernel/CompileImage/Default
 	rm -f $(TARGET_DIR)/init
 -	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all)
 +	+$(KERNEL_MAKE) $(KERNEL_MAKEOPTS_IMAGE) $(if $(KERNELNAME),$(KERNELNAME),all)
 	$(call Kernel/CopyImage)
 endef
@@ -147,7 +147,7 @@ define Kernel/CompileImage/Initramfs
 	$(CP) $(GENERIC_PLATFORM_DIR)/other-files/init $(TARGET_DIR)/init
 	$(if $(SOURCE_DATE_EPOCH),touch -hcd "@$(SOURCE_DATE_EPOCH)" $(TARGET_DIR)/init)
 	rm -rf $(KERNEL_BUILD_DIR)/linux-$(LINUX_VERSION)/usr/initramfs_data.cpio*
 -	+$(KERNEL_MAKE) $(if $(KERNELNAME),$(KERNELNAME),all)
 +	+$(KERNEL_MAKE) $(KERNEL_MAKEOPTS_IMAGE) $(if $(KERNELNAME),$(KERNELNAME),all)
 	$(call Kernel/CopyImage,-initramfs)
 endef
 else
 -- 
 2.25.1
--- a/backports/0003-kernel-add-linux-5.10-support.patch
+++ b/backports/0003-kernel-add-linux-5.10-support.patch
--- a/backports/0004-mediatek-update-to-latest-trunk-version.patch
+++ b/backports/0004-mediatek-update-to-latest-trunk-version.patch
--- a/backports/0005-sysupgrade-nand-allow-limiting-rootfs_data-by-settin.patch
+++ b/backports/0005-sysupgrade-nand-allow-limiting-rootfs_data-by-settin.patch
@@ -0,0 +1,74 @@
 From 0a0953b5c81a2b5b366a3f0f543db71ffc81f713 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Sat, 20 Feb 2021 08:36:43 +0100
 Subject: [PATCH 5/9] sysupgrade-nand: allow limiting rootfs_data by setting
 env variable
 Check if firmware environment variable 'rootfs_data_max' exists and is
 set to a numerical value greater than 0. If so, limit rootfs_data
 volume to that size instead of using the maximum available size.
 This is useful on devices with lots of flash where users may want to
 have eg. a volume for persistent logs and statistics or for external
 applications/containers. Persistence on rootfs overlay is limited by
 the size of memory available during the sysugprade process as that
 data needs to be copied to RAM while the volume is being recreated
 during sysupgrade. Hence it is unsuitable for keeping larger amounts
 of data accross upgrade which makes additional volume(s) for
 application data desirable.
 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 ---
 package/base-files/files/lib/upgrade/nand.sh | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
 diff --git a/package/base-files/files/lib/upgrade/nand.sh b/package/base-files/files/lib/upgrade/nand.sh
 index 5bc9ff83f9..e335d940ed 100644
 --- a/package/base-files/files/lib/upgrade/nand.sh
 +++ b/package/base-files/files/lib/upgrade/nand.sh
@@ -117,6 +117,9 @@ nand_restore_config() {
 nand_upgrade_prepare_ubi() {
 	local rootfs_length="$1"
 	local rootfs_type="$2"
 +	local rootfs_data_max="$(fw_printenv -n rootfs_data_max 2>/dev/null)"
 +	[ -n "$rootfs_data_max" ] && rootfs_data_max=$(printf %d "$rootfs_data_max")
 +
 	local kernel_length="$3"
 	local has_env="${4:-0}"
@@ -176,11 +179,11 @@ nand_upgrade_prepare_ubi() {
 	# update rootfs
 	if [ -n "$rootfs_length" ]; then
 -		local root_size_param
 +		local rootfs_size_param
 		if [ "$rootfs_type" = "ubifs" ]; then
 -			root_size_param="-m"
 +			rootfs_size_param="-m"
 		else
 -			root_size_param="-s $rootfs_length"
 +			rootfs_size_param="-s $rootfs_length"
 		fi
 		if ! ubimkvol /dev/$ubidev -N $CI_ROOTPART $rootfs_size_param; then
 			echo "cannot create rootfs volume"
@@ -190,7 +193,16 @@ nand_upgrade_prepare_ubi() {
 	# create rootfs_data for non-ubifs rootfs
 	if [ "$rootfs_type" != "ubifs" ]; then
 -		if ! ubimkvol /dev/$ubidev -N rootfs_data -m; then
 +		local availeb=$(cat /sys/devices/virtual/ubi/$ubidev/avail_eraseblocks)
 +		local ebsize=$(cat /sys/devices/virtual/ubi/$ubidev/eraseblock_size)
 +		local avail_size=$(( $availeb * $ebsize ))
 +		local rootfs_data_size_param="-m"
 +		if [ -n "$rootfs_data_max" ] &&
 +		   [ "$rootfs_data_max" != "0" ] &&
 +		   [ "$rootfs_data_max" -le "$avail_size" ]; then
 +			rootfs_data_size_param="-s $rootfs_data_max"
 +		fi
 +		if ! ubimkvol /dev/$ubidev -N rootfs_data $rootfs_data_size_param; then
 			echo "cannot initialize rootfs_data volume"
 			return 1
 		fi
 -- 
 2.25.1
--- a/backports/0006-uboot-mediatek-add-support-for-linksys-e8450.patch
+++ b/backports/0006-uboot-mediatek-add-support-for-linksys-e8450.patch
--- a/backports/0007-uboot-envtools-add-defaults-for-linksys-e8450-ubi.patch
+++ b/backports/0007-uboot-envtools-add-defaults-for-linksys-e8450-ubi.patch
@@ -0,0 +1,70 @@
 From 256daf33ec9c8cc8b094d7612ba7384db18d0a6b Mon Sep 17 00:00:00 2001
 From: Daniel Golle <daniel@makrotopia.org>
 Date: Fri, 12 Feb 2021 03:09:39 +0000
 Subject: [PATCH 04/64] uboot-envtools: add defaults for linksys-e8450-ubi
 Add U-Boot environment configuration for the Linksys E8450 (UBI) to
 allow access to the bootloader environment from OpenWrt via
 'fw_printenv' and 'fw_setenv'.
 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 ---
 package/boot/uboot-envtools/files/mediatek | 46 ++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 package/boot/uboot-envtools/files/mediatek
 diff --git a/package/boot/uboot-envtools/files/mediatek b/package/boot/uboot-envtools/files/mediatek
 new file mode 100644
 index 0000000000..495a837274
 --- /dev/null
 +++ b/package/boot/uboot-envtools/files/mediatek
@@ -0,0 +1,46 @@
 +#
 +# Copyright (C) 2021 OpenWrt.org
 +#
 +
 +[ -e /etc/config/ubootenv ] && exit 0
 +
 +touch /etc/config/ubootenv
 +
 +. /lib/uboot-envtools.sh
 +. /lib/functions.sh
 +
 +board=$(board_name)
 +
 +case "$board" in
 +linksys,e8450-ubi)
 +	ubootenv_add_uci_config "/dev/ubi0_0" "0x0" "0x1f000" "0x1f000" "1"
 +	ubootenv_add_uci_config "/dev/ubi0_1" "0x0" "0x1f000" "0x1f000" "1"
 +	;;
 +bananapi,bpi-r64)
 +	. /lib/upgrade/common.sh
 +	export_bootdevice
 +	export_partdevice rootdev 0
 +	case "$rootdev" in
 +	mmc*)
 +		local envdev=/dev/$(get_partition_by_name $rootdev ubootenv)
 +		ubootenv_add_uci_config "$envdev" "0x0" "0x80000" "0x80000" "1"
 +		ubootenv_add_uci_config "$envdev" "0x80000" "0x80000" "0x80000" "1"
 +		;;
 +	*)
 +		ubootenv_add_uci_config "/dev/ubi0_0" "0x0" "0x1f000" "0x1f000" "1"
 +		ubootenv_add_uci_config "/dev/ubi0_1" "0x0" "0x1f000" "0x1f000" "1"
 +		;;
 +	esac
 +	;;
 +buffalo,wsr-2533dhp2)
 +	ubootenv_add_uci_config "/dev/mtd3" "0x0" "0x1000" "0x20000"
 +	;;
 +ubnt,unifi-6-lr-ubootmod)
 +	ubootenv_add_uci_config "/dev/mtd2" "0x0" "0x4000" "0x10000"
 +	;;
 +esac
 +
 +config_load ubootenv
 +config_foreach ubootenv_add_app_config ubootenv
 +
 +exit 0
 -- 
 2.25.1
--- a/backports/0008-realtek-update-to-latest-owrt-HEAD.patch
+++ b/backports/0008-realtek-update-to-latest-owrt-HEAD.patch
--- a/backports/0009-include-set-kernel-version.mk.patch
+++ b/backports/0009-include-set-kernel-version.mk.patch
@@ -0,0 +1,33 @@
 From 3b896a540de03ca8dfd5596881f9ec6dc15d72c9 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Wed, 7 Apr 2021 10:46:26 +0200
 Subject: [PATCH 01/32] include: set kernel-version.mk
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 include/kernel-version.mk | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/include/kernel-version.mk b/include/kernel-version.mk
 index 52e5c11d75..547f57fa11 100644
 --- a/include/kernel-version.mk
 +++ b/include/kernel-version.mk
@@ -6,9 +6,15 @@ ifdef CONFIG_TESTING_KERNEL
   KERNEL_PATCHVER:=$(KERNEL_TESTING_PATCHVER)
 endif
 +LINUX_VERSION-4.4 = .60
 +LINUX_VERSION-4.14 = .193
 LINUX_VERSION-5.4 = .111
 +LINUX_VERSION-5.10 = .27
 +LINUX_KERNEL_HASH-4.4.60 = 2cd8df6f1ac6a5329c5a286ec9b5956215977221a1b731597ed169fff74a9659
 +LINUX_KERNEL_HASH-4.14.193 = 0b0fb41d4430e1a42738b341cbfd2f41951aa5cd02acabbd53f076119c8b9f03
 LINUX_KERNEL_HASH-5.4.111 = 21626132658dc34cb41b7aa7b80ecf83751890a71ac1a63d77aea9d488271a03
 +LINUX_KERNEL_HASH-5.10.27 = d99dc9662951299c53a0a8d8c8d0a72a16ff861d20e927c0f9b14f63282d69d9
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1))))
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1)))))))
 -- 
 2.25.1
--- a/backports/0010-ar71xx-forward-port-target-to-get-routerboard-suppor.patch
+++ b/backports/0010-ar71xx-forward-port-target-to-get-routerboard-suppor.patch
--- a/backports/0011-backport-mkits.sh.patch
+++ b/backports/0011-backport-mkits.sh.patch
@@ -0,0 +1,266 @@
 From 43f832c25bb9dee1a817370ab11531e81348f177 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Sun, 9 May 2021 12:23:00 +0200
 Subject: [PATCH 42/43] backport: mkits.sh
 969083634481c3ab5fb80509f385ef10ab45b55f
 e991c1b8a2385397fc1e657ed73878938997d951
 9f714398e060c6338fbfad44cdbfa8c940dbb84b
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 include/image-commands.mk           |   2 +-
 include/image.mk                    |   2 +-
 scripts/mkits.sh                    | 101 +++++++++++++++++++++++++---
 target/linux/ipq40xx/image/Makefile |   1 +
 target/linux/ipq806x/image/Makefile |   1 +
 5 files changed, 95 insertions(+), 12 deletions(-)
 diff --git a/include/image-commands.mk b/include/image-commands.mk
 index bde6e030bc..f97d4363d1 100644
 --- a/include/image-commands.mk
 +++ b/include/image-commands.mk
@@ -204,7 +204,7 @@ define Build/fit
 		$(if $(word 3,$(1)),-r $(IMAGE_ROOTFS) -f $(subst _,$(comma),$(DEVICE_NAME))) \
 		-a $(KERNEL_LOADADDR) -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
 		$(if $(DEVICE_FDT_NUM),-n $(DEVICE_FDT_NUM)) \
 -		-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config@1") \
 +		-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config-1") \
 		-A $(LINUX_KARCH) -v $(LINUX_VERSION)
 	PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage $(if $(word 3,$(1)),-E -B 0x1000 -p 0x1000) -f $@.its $@.new
 	@mv $@.new $@
 diff --git a/include/image.mk b/include/image.mk
 index fc46012e87..7a48b789af 100644
 --- a/include/image.mk
 +++ b/include/image.mk
@@ -139,7 +139,7 @@ endef
 define Image/BuildKernel/MkFIT
 	$(TOPDIR)/scripts/mkits.sh \
 		-D $(1) -o $(KDIR)/fit-$(1).its -k $(2) $(if $(3),-d $(3)) -C $(4) -a $(5) -e $(6) \
 -		-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config@1") \
 +		-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config-1") \
 		-A $(LINUX_KARCH) -v $(LINUX_VERSION)
 	PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $(KDIR)/fit-$(1).its $(KDIR)/fit-$(1)$(7).itb
 endef
 diff --git a/scripts/mkits.sh b/scripts/mkits.sh
 index 3d68fdacbc..7533baf799 100755
 --- a/scripts/mkits.sh
 +++ b/scripts/mkits.sh
@@ -24,22 +24,29 @@ usage() {
 	printf "\n\t-a ==> set load address to 'addr' (hex)"
 	printf "\n\t-e ==> set entry point to 'entry' (hex)"
 	printf "\n\t-f ==> set device tree compatible string"
 +	printf "\n\t-i ==> include initrd Blob 'initrd'"
 	printf "\n\t-v ==> set kernel version to 'version'"
 	printf "\n\t-k ==> include kernel image 'kernel'"
 	printf "\n\t-D ==> human friendly Device Tree Blob 'name'"
 	printf "\n\t-n ==> fdt unit-address 'address'"
 	printf "\n\t-d ==> include Device Tree Blob 'dtb'"
 -	printf "\n\t-r ==> include RootFS blob"
 +	printf "\n\t-r ==> include RootFS blob 'rootfs'"
 	printf "\n\t-H ==> specify hash algo instead of SHA1"
 -	printf "\n\t-o ==> create output file 'its_file'\n"
 +	printf "\n\t-o ==> create output file 'its_file'"
 +	printf "\n\t-O ==> create config with dt overlay 'name:dtb'"
 +	printf "\n\t\t(can be specified more than once)\n"
 	exit 1
 }
 FDTNUM=1
 ROOTFSNUM=1
 +INITRDNUM=1
 HASH=sha1
 +LOADABLES=
 +DTOVERLAY=
 +DTADDR=
 -while getopts ":A:a:c:C:D:d:e:f:k:n:o:v:r:S" OPTION
 +while getopts ":A:a:c:C:D:d:e:f:i:k:n:o:O:v:r:S" OPTION
 do
 	case $OPTION in
 		A ) ARCH=$OPTARG;;
@@ -50,9 +57,11 @@ do
 		d ) DTB=$OPTARG;;
 		e ) ENTRY_ADDR=$OPTARG;;
 		f ) COMPATIBLE=$OPTARG;;
 +		i ) INITRD=$OPTARG;;
 		k ) KERNEL=$OPTARG;;
 		n ) FDTNUM=$OPTARG;;
 		o ) OUTPUT=$OPTARG;;
 +		O ) DTOVERLAY="$DTOVERLAY ${OPTARG}";;
 		r ) ROOTFS=$OPTARG;;
 		S ) HASH=$OPTARG;;
 		v ) VERSION=$OPTARG;;
@@ -74,14 +83,20 @@ if [ -n "${COMPATIBLE}" ]; then
 	COMPATIBLE_PROP="compatible = \"${COMPATIBLE}\";"
 fi
 +[ "$DTOVERLAY" ] && {
 +	dtbsize=$(wc -c "$DTB" | cut -d' ' -f1)
 +	DTADDR=$(printf "0x%08x" $(($LOAD_ADDR - $dtbsize)) )
 +}
 +
 # Conditionally create fdt information
 if [ -n "${DTB}" ]; then
 	FDT_NODE="
 -		fdt@$FDTNUM {
 +		fdt-$FDTNUM {
 			description = \"${ARCH_UPPER} OpenWrt ${DEVICE} device tree blob\";
 			${COMPATIBLE_PROP}
 			data = /incbin/(\"${DTB}\");
 			type = \"flat_dt\";
 +			${DTADDR:+load = <${DTADDR}>;}
 			arch = \"${ARCH}\";
 			compression = \"none\";
 			hash@1 {
@@ -92,13 +107,34 @@ if [ -n "${DTB}" ]; then
 			};
 		};
 "
 -	FDT_PROP="fdt = \"fdt@$FDTNUM\";"
 +	FDT_PROP="fdt = \"fdt-$FDTNUM\";"
 fi
 +if [ -n "${INITRD}" ]; then
 +	INITRD_NODE="
 +		initrd-$INITRDNUM {
 +			description = \"${ARCH_UPPER} OpenWrt ${DEVICE} initrd\";
 +			${COMPATIBLE_PROP}
 +			data = /incbin/(\"${INITRD}\");
 +			type = \"ramdisk\";
 +			arch = \"${ARCH}\";
 +			os = \"linux\";
 +			hash@1 {
 +				algo = \"crc32\";
 +			};
 +			hash@2 {
 +				algo = \"${HASH}\";
 +			};
 +		};
 +"
 +	INITRD_PROP="ramdisk=\"initrd-${INITRDNUM}\";"
 +fi
 +
 +
 if [ -n "${ROOTFS}" ]; then
 	dd if="${ROOTFS}" of="${ROOTFS}.pagesync" bs=4096 conv=sync
 	ROOTFS_NODE="
 -		rootfs@$ROOTFSNUM {
 +		rootfs-$ROOTFSNUM {
 			description = \"${ARCH_UPPER} OpenWrt ${DEVICE} rootfs\";
 			${COMPATIBLE_PROP}
 			data = /incbin/(\"${ROOTFS}.pagesync\");
@@ -113,9 +149,50 @@ if [ -n "${ROOTFS}" ]; then
 			};
 		};
 "
 -	ROOTFS_PROP="loadables = \"rootfs@${ROOTFSNUM}\";"
 +	LOADABLES="${LOADABLES:+$LOADABLES, }\"rootfs-${ROOTFSNUM}\""
 fi
 +# add DT overlay blobs
 +FDTOVERLAY_NODE=""
 +OVCONFIGS=""
 +[ "$DTOVERLAY" ] && for overlay in $DTOVERLAY ; do
 +	overlay_blob=${overlay##*:}
 +	ovname=${overlay%%:*}
 +	ovnode="fdt-$ovname"
 +	ovsize=$(wc -c "$overlay_blob" | cut -d' ' -f1)
 +	echo "$ovname ($overlay_blob) : $ovsize" >&2
 +	DTADDR=$(printf "0x%08x" $(($DTADDR - $ovsize)))
 +	FDTOVERLAY_NODE="$FDTOVERLAY_NODE
 +
 +		$ovnode {
 +			description = \"${ARCH_UPPER} OpenWrt ${DEVICE} device tree overlay $ovname\";
 +			${COMPATIBLE_PROP}
 +			data = /incbin/(\"${overlay_blob}\");
 +			type = \"flat_dt\";
 +			arch = \"${ARCH}\";
 +			load = <${DTADDR}>;
 +			compression = \"none\";
 +			hash@1 {
 +				algo = \"crc32\";
 +			};
 +			hash@2 {
 +				algo = \"${HASH}\";
 +			};
 +		};
 +"
 +	OVCONFIGS="$OVCONFIGS
 +
 +		config-$ovname {
 +			description = \"OpenWrt ${DEVICE} with $ovname\";
 +			kernel = \"kernel-1\";
 +			fdt = \"fdt-$FDTNUM\", \"$ovnode\";
 +			${LOADABLES:+loadables = ${LOADABLES};}
 +			${COMPATIBLE_PROP}
 +			${INITRD_PROP}
 +		};
 +	"
 +done
 +
 # Create a default, fully populated DTS file
 DATA="/dts-v1/;
@@ -124,7 +201,7 @@ DATA="/dts-v1/;
 	#address-cells = <1>;
 	images {
 -		kernel@1 {
 +		kernel-1 {
 			description = \"${ARCH_UPPER} OpenWrt Linux-${VERSION}\";
 			data = /incbin/(\"${KERNEL}\");
 			type = \"kernel\";
@@ -140,7 +217,9 @@ DATA="/dts-v1/;
 				algo = \"$HASH\";
 			};
 		};
 +${INITRD_NODE}
 ${FDT_NODE}
 +${FDTOVERLAY_NODE}
 ${ROOTFS_NODE}
 	};
@@ -148,11 +227,13 @@ ${ROOTFS_NODE}
 		default = \"${CONFIG}\";
 		${CONFIG} {
 			description = \"OpenWrt ${DEVICE}\";
 -			kernel = \"kernel@1\";
 +			kernel = \"kernel-1\";
 			${FDT_PROP}
 -			${ROOTFS_PROP}
 +			${LOADABLES:+loadables = ${LOADABLES};}
 			${COMPATIBLE_PROP}
 +			${INITRD_PROP}
 		};
 +		${OVCONFIGS}
 	};
 };"
 diff --git a/target/linux/ipq40xx/image/Makefile b/target/linux/ipq40xx/image/Makefile
 index 2be262936f..a0d6242a28 100644
 --- a/target/linux/ipq40xx/image/Makefile
 +++ b/target/linux/ipq40xx/image/Makefile
@@ -8,6 +8,7 @@ define Device/Default
 	KERNEL_PREFIX := $$(IMAGE_PREFIX)
 	KERNEL_LOADADDR := 0x80208000
 	DEVICE_DTS = $$(SOC)-$(lastword $(subst _, ,$(1)))
 +	DEVICE_DTS_CONFIG := config@1
 	IMAGES := sysupgrade.bin
 	IMAGE/sysupgrade.bin = sysupgrade-tar | append-metadata
 	IMAGE/sysupgrade.bin/squashfs :=
 diff --git a/target/linux/ipq806x/image/Makefile b/target/linux/ipq806x/image/Makefile
 index bab1da0090..3bc60fa931 100644
 --- a/target/linux/ipq806x/image/Makefile
 +++ b/target/linux/ipq806x/image/Makefile
@@ -30,6 +30,7 @@ define Device/Default
 	KERNEL_PREFIX := $$(IMAGE_PREFIX)
 	KERNEL_LOADADDR = 0x42208000
 	DEVICE_DTS = $$(SOC)-$(lastword $(subst _, ,$(1)))
 +	DEVICE_DTS_CONFIG := config@1
 	IMAGES := sysupgrade.bin
 	IMAGE/sysupgrade.bin = sysupgrade-tar | append-metadata
 	IMAGE/sysupgrade.bin/squashfs :=
 -- 
 2.25.1
--- a/backports/0013-iw-update-to-latest-HEAD.patch
+++ b/backports/0013-iw-update-to-latest-HEAD.patch
@@ -0,0 +1,167 @@
 From 0ddce2498be815e098154867d0b18293fe613f12 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Thu, 27 May 2021 11:57:10 +0200
 Subject: [PATCH 13/13] iw: update to latest HEAD
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/network/utils/iw/Makefile             | 11 +++----
 .../utils/iw/patches/200-reduce_size.patch    | 30 +++++++++----------
 2 files changed, 21 insertions(+), 20 deletions(-)
 diff --git a/package/network/utils/iw/Makefile b/package/network/utils/iw/Makefile
 index 6db9aaf105..8e11046189 100644
 --- a/package/network/utils/iw/Makefile
 +++ b/package/network/utils/iw/Makefile
@@ -8,12 +8,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=iw
 -PKG_VERSION:=5.9
 -PKG_RELEASE:=1
 +PKG_VERSION:=5.9-8fab0c9e
 +PKG_RELEASE:=$(AUTORELEASE)
 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 -PKG_SOURCE_URL:=@KERNEL/software/network/iw
 -PKG_HASH:=293a07109aeb7e36267cf59e3ce52857e9ffae3a6666eb8ac77894b1839fe1f2
 +PKG_SOURCE_PROTO:=git
 +PKG_SOURCE_URL:=https://git.kernel.org/pub/scm/linux/kernel/git/jberg/iw.git
 +PKG_SOURCE_VERSION:=8fab0c9ee9db217587a58efcc37421c86edcb638
 +PKG_MIRROR_HASH:=797b322bc03952f3127ae0a7da476c14ada1bbe9a9ae234a56dd6f864c568e16
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-2.0
 diff --git a/package/network/utils/iw/patches/200-reduce_size.patch b/package/network/utils/iw/patches/200-reduce_size.patch
 index af30876012..83e11405cb 100644
 --- a/package/network/utils/iw/patches/200-reduce_size.patch
 +++ b/package/network/utils/iw/patches/200-reduce_size.patch
@@ -1,6 +1,6 @@
 --- a/event.c
 +++ b/event.c
 -@@ -944,6 +944,7 @@ static int print_event(struct nl_msg *ms
 +@@ -956,6 +956,7 @@ static int print_event(struct nl_msg *ms
  	}
  	switch (gnlh->cmd) {
@@ -8,7 +8,7 @@
  	case NL80211_CMD_NEW_WIPHY:
  		printf("renamed to %s\n", nla_get_string(tb[NL80211_ATTR_WIPHY_NAME]));
  		break;
 -@@ -979,6 +980,7 @@ static int print_event(struct nl_msg *ms
 +@@ -991,6 +992,7 @@ static int print_event(struct nl_msg *ms
  	case NL80211_CMD_SCHED_SCAN_RESULTS:
  		printf("got scheduled scan results\n");
  		break;
@@ -16,7 +16,7 @@
  	case NL80211_CMD_WIPHY_REG_CHANGE:
  	case NL80211_CMD_REG_CHANGE:
  		if (gnlh->cmd == NL80211_CMD_WIPHY_REG_CHANGE)
 -@@ -1061,6 +1063,7 @@ static int print_event(struct nl_msg *ms
 +@@ -1073,6 +1075,7 @@ static int print_event(struct nl_msg *ms
  		mac_addr_n2a(macbuf, nla_data(tb[NL80211_ATTR_MAC]));
  		printf("del station %s\n", macbuf);
  		break;
@@ -24,7 +24,7 @@
  	case NL80211_CMD_JOIN_IBSS:
  		mac_addr_n2a(macbuf, nla_data(tb[NL80211_ATTR_MAC]));
  		printf("IBSS %s joined\n", macbuf);
 -@@ -1254,9 +1257,9 @@ static int print_event(struct nl_msg *ms
 +@@ -1271,9 +1274,9 @@ static int print_event(struct nl_msg *ms
  	case NL80211_CMD_CH_SWITCH_NOTIFY:
  		parse_ch_switch_notify(tb, gnlh->cmd);
  		break;
@@ -134,7 +134,7 @@
  {
 --- a/scan.c
 +++ b/scan.c
 -@@ -1297,6 +1297,9 @@ static void print_ht_op(const uint8_t ty
 +@@ -1306,6 +1306,9 @@ static void print_ht_op(const uint8_t ty
  	printf("\t\t * secondary channel offset: %s\n",
  		ht_secondary_offset[data[1] & 0x3]);
  	printf("\t\t * STA channel width: %s\n", sta_chan_width[(data[1] & 0x4)>>2]);
@@ -144,7 +144,7 @@
  	printf("\t\t * RIFS: %d\n", (data[1] & 0x8)>>3);
  	printf("\t\t * HT protection: %s\n", protection[data[2] & 0x3]);
  	printf("\t\t * non-GF present: %d\n", (data[2] & 0x4) >> 2);
 -@@ -1707,6 +1710,14 @@ static void print_ie(const struct ie_pri
 +@@ -1716,6 +1719,14 @@ static void print_ie(const struct ie_pri
  static const struct ie_print ieprinters[] = {
  	[0] = { "SSID", print_ssid, 0, 32, BIT(PRINT_SCAN) | BIT(PRINT_LINK), },
@@ -159,7 +159,7 @@
  	[1] = { "Supported rates", print_supprates, 0, 255, BIT(PRINT_SCAN), },
  	[3] = { "DS Parameter set", print_ds, 1, 1, BIT(PRINT_SCAN), },
  	[5] = { "TIM", print_tim, 4, 255, BIT(PRINT_SCAN), },
 -@@ -1716,26 +1727,20 @@ static const struct ie_print ieprinters[
 +@@ -1725,26 +1736,20 @@ static const struct ie_print ieprinters[
  	[32] = { "Power constraint", print_powerconstraint, 1, 1, BIT(PRINT_SCAN), },
  	[35] = { "TPC report", print_tpcreport, 2, 2, BIT(PRINT_SCAN), },
  	[42] = { "ERP", print_erp, 1, 255, BIT(PRINT_SCAN), },
@@ -187,15 +187,15 @@
  };
  static void print_wifi_wpa(const uint8_t type, uint8_t len, const uint8_t *data,
 -@@ -2279,6 +2284,7 @@ void print_ies(unsigned char *ie, int ie
 +@@ -2326,6 +2331,7 @@ void print_ies(unsigned char *ie, int ie
  		    ieprinters[ie[0]].flags & BIT(ptype)) {
  			print_ie(&ieprinters[ie[0]],
  				 ie[0], ie[1], ie + 2, &ie_buffer);
 +#ifdef IW_FULL
  		} else if (ie[0] == 221 /* vendor */) {
  			print_vendor(ie[1], ie + 2, unknown, ptype);
 - 		} else if (unknown) {
 -@@ -2288,6 +2294,7 @@ void print_ies(unsigned char *ie, int ie
 + 		} else if (ie[0] == 255 /* extension */) {
 +@@ -2337,6 +2343,7 @@ void print_ies(unsigned char *ie, int ie
  			for (i=0; i<ie[1]; i++)
  				printf(" %.2x", ie[2+i]);
  			printf("\n");
@@ -203,7 +203,7 @@
  		}
  		ielen -= ie[1] + 2;
  		ie += ie[1] + 2;
 -@@ -2328,6 +2335,7 @@ static void print_capa_non_dmg(__u16 cap
 +@@ -2377,6 +2384,7 @@ static void print_capa_non_dmg(__u16 cap
  		printf(" ESS");
  	if (capa & WLAN_CAPABILITY_IBSS)
  		printf(" IBSS");
@@ -211,7 +211,7 @@
  	if (capa & WLAN_CAPABILITY_CF_POLLABLE)
  		printf(" CfPollable");
  	if (capa & WLAN_CAPABILITY_CF_POLL_REQUEST)
 -@@ -2356,6 +2364,7 @@ static void print_capa_non_dmg(__u16 cap
 +@@ -2405,6 +2413,7 @@ static void print_capa_non_dmg(__u16 cap
  		printf(" DelayedBACK");
  	if (capa & WLAN_CAPABILITY_IMM_BACK)
  		printf(" ImmediateBACK");
@@ -219,7 +219,7 @@
  }
  static int print_bss_handler(struct nl_msg *msg, void *arg)
 -@@ -2440,8 +2449,10 @@ static int print_bss_handler(struct nl_m
 +@@ -2489,8 +2498,10 @@ static int print_bss_handler(struct nl_m
  	if (bss[NL80211_BSS_FREQUENCY]) {
  		int freq = nla_get_u32(bss[NL80211_BSS_FREQUENCY]);
  		printf("\tfreq: %d\n", freq);
@@ -230,7 +230,7 @@
  	}
  	if (bss[NL80211_BSS_BEACON_INTERVAL])
  		printf("\tbeacon interval: %d TUs\n",
 -@@ -2635,6 +2646,7 @@ static int handle_stop_sched_scan(struct
 +@@ -2684,6 +2695,7 @@ static int handle_stop_sched_scan(struct
  	return 0;
  }
@@ -238,7 +238,7 @@
  COMMAND(scan, sched_start,
  	SCHED_SCAN_OPTIONS,
  	NL80211_CMD_START_SCHED_SCAN, 0, CIB_NETDEV, handle_start_sched_scan,
 -@@ -2645,3 +2657,4 @@ COMMAND(scan, sched_start,
 +@@ -2694,3 +2706,4 @@ COMMAND(scan, sched_start,
  COMMAND(scan, sched_stop, "",
  	NL80211_CMD_STOP_SCHED_SCAN, 0, CIB_NETDEV, handle_stop_sched_scan,
  	"Stop an ongoing scheduled scan.");
 -- 
 2.25.1
--- a/backports/0014-libubox-update-to-latest-HEAD.patch
+++ b/backports/0014-libubox-update-to-latest-HEAD.patch
@@ -0,0 +1,44 @@
 From 029282d8ef8e4e813817d1c7d4aeae4208bc2da5 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Tue, 18 May 2021 10:46:43 +0200
 Subject: [PATCH 01/52] libubox: update to latest HEAD
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/libs/libubox/Makefile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/package/libs/libubox/Makefile b/package/libs/libubox/Makefile
 index 4d582eacfd..33aa73eef7 100644
 --- a/package/libs/libubox/Makefile
 +++ b/package/libs/libubox/Makefile
@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libubox
 -PKG_RELEASE=1
 +PKG_RELEASE=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/libubox.git
 -PKG_MIRROR_HASH:=97dc4eba01cf2c5d6a6d0db3747e0cdc0d95cb87e51b3115272e7d3e69a8b255
 -PKG_SOURCE_DATE:=2020-12-12
 -PKG_SOURCE_VERSION:=357877693ca363b12e6e7e14d345639b2440cd07
 +PKG_MIRROR_HASH:=1cdb91ac0ee925f133ee9f70eac131a99def312fe7cf0aed44df84eb1762e30b
 +PKG_SOURCE_DATE:=2021-08-19
 +PKG_SOURCE_VERSION:=d716ac4bc4236031d4c3cc1ed362b502e20e3787
 PKG_ABI_VERSION:=$(call abi_version_str,$(PKG_SOURCE_DATE))
 CMAKE_INSTALL:=1
@@ -67,7 +67,7 @@ define Package/libubox-lua
 endef
 TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include
 -CMAKE_OPTIONS = \
 +CMAKE_OPTIONS += \
 	-DLUAPATH=/usr/lib/lua \
 	-DABIVERSION="$(PKG_ABI_VERSION)"
 -- 
 2.25.1
--- a/backports/0015-umdns-update-to-latest-HEAD.patch
+++ b/backports/0015-umdns-update-to-latest-HEAD.patch
@@ -0,0 +1,30 @@
 From e413c12b77acc0012a79e8981b553e35d4a2b20e Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Wed, 30 Jun 2021 14:21:23 +0200
 Subject: [PATCH] umdns: update to latest HEAD
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/network/services/umdns/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/package/network/services/umdns/Makefile b/package/network/services/umdns/Makefile
 index 9a5f46a705..908758e44b 100644
 --- a/package/network/services/umdns/Makefile
 +++ b/package/network/services/umdns/Makefile
@@ -12,9 +12,9 @@ PKG_RELEASE:=$(AUTORELEASE)
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/mdnsd.git
 PKG_SOURCE_PROTO:=git
 -PKG_SOURCE_DATE:=2021-01-26
 -PKG_SOURCE_VERSION:=78aa36b0e9808e801c527c6dc47320e593309522
 -PKG_MIRROR_HASH:=241833f2bf2f3366f356703159be386862ef747d9b253af6c13555f252cc970d
 +PKG_SOURCE_DATE:=2021-06-30
 +PKG_SOURCE_VERSION:=4a8747193ab2b8f2d68a9d26334545e19d89cbe2
 +PKG_MIRROR_HASH:=bdddec2793303e4cc1a90cb2ed2241c04fdd0a736b6c0cbbb1fab9de5527566a
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=LGPL-2.1
 -- 
 2.25.1
--- a/backports/0016-kernel-modules-move-act_gact-into-kmod-sched-core.patch
+++ b/backports/0016-kernel-modules-move-act_gact-into-kmod-sched-core.patch
@@ -0,0 +1,45 @@
 From 6c7e11cccbd28224a9a473a36df1102b4257d356 Mon Sep 17 00:00:00 2001
 From: DENG Qingfang <dqfext@gmail.com>
 Date: Fri, 9 Apr 2021 12:25:08 +0800
 Subject: [PATCH 5/6] kernel/modules: move act_gact into kmod-sched-core
 As the name suggests, act_gact has the generic actions such as dropping
 and accepting packets, so move it into kmod-sched-core.
 Signed-off-by: DENG Qingfang <dqfext@gmail.com>
 ---
 package/kernel/linux/modules/netsupport.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/package/kernel/linux/modules/netsupport.mk b/package/kernel/linux/modules/netsupport.mk
 index 9fd49c1392..4343e850e9 100644
 --- a/package/kernel/linux/modules/netsupport.mk
 +++ b/package/kernel/linux/modules/netsupport.mk
@@ -721,7 +721,7 @@ $(eval $(call KernelPackage,mppe))
 SCHED_MODULES = $(patsubst $(LINUX_DIR)/net/sched/%.ko,%,$(wildcard $(LINUX_DIR)/net/sched/*.ko))
 -SCHED_MODULES_CORE = sch_ingress sch_fq_codel sch_hfsc sch_htb sch_tbf cls_basic cls_fw cls_route cls_flow cls_tcindex cls_u32 em_u32 act_mirred act_skbedit cls_matchall
 +SCHED_MODULES_CORE = sch_ingress sch_fq_codel sch_hfsc sch_htb sch_tbf cls_basic cls_fw cls_route cls_flow cls_tcindex cls_u32 em_u32 act_gact act_mirred act_skbedit cls_matchall
 SCHED_MODULES_FILTER = $(SCHED_MODULES_CORE) act_connmark act_ctinfo sch_cake sch_netem sch_mqprio em_ipset cls_bpf cls_flower act_bpf act_vlan
 SCHED_MODULES_EXTRA = $(filter-out $(SCHED_MODULES_FILTER),$(SCHED_MODULES))
 SCHED_FILES = $(patsubst %,$(LINUX_DIR)/net/sched/%.ko,$(filter $(SCHED_MODULES_CORE),$(SCHED_MODULES)))
@@ -745,6 +745,7 @@ define KernelPackage/sched-core
 	CONFIG_NET_CLS_ROUTE4 \
 	CONFIG_NET_CLS_TCINDEX \
 	CONFIG_NET_CLS_U32 \
 +	CONFIG_NET_ACT_GACT \
 	CONFIG_NET_ACT_MIRRED \
 	CONFIG_NET_ACT_SKBEDIT \
 	CONFIG_NET_CLS_MATCHALL \
@@ -899,7 +900,6 @@ define KernelPackage/sched
 	CONFIG_NET_SCH_FQ \
 	CONFIG_NET_SCH_PIE \
 	CONFIG_NET_ACT_POLICE \
 -	CONFIG_NET_ACT_GACT \
 	CONFIG_NET_ACT_IPT \
 	CONFIG_NET_ACT_PEDIT \
 	CONFIG_NET_ACT_SIMP \
 -- 
 2.25.1
--- a/backports/0017-kernel-add-bdpu-filter-support.patch
+++ b/backports/0017-kernel-add-bdpu-filter-support.patch
@@ -0,0 +1,242 @@
 From 97fb5323a826e6b5ad89b5281c0b9d9e92bfc0b4 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Fri, 27 Aug 2021 16:52:34 +0200
 Subject: [PATCH 59/59] kernel: add bdpu filter support
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 ...l-knob-for-filtering-rx-tx-BPDU-pack.patch | 107 ++++++++++++++++++
 ...l-knob-for-filtering-rx-tx-BPDU-pack.patch | 107 ++++++++++++++++++
 2 files changed, 214 insertions(+)
 create mode 100644 target/linux/generic/pending-5.10/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch
 create mode 100644 target/linux/generic/pending-5.4/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch
 diff --git a/target/linux/generic/pending-5.10/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch b/target/linux/generic/pending-5.10/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch
 new file mode 100644
 index 0000000000..918ae05d12
 --- /dev/null
 +++ b/target/linux/generic/pending-5.10/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch
@@ -0,0 +1,107 @@
 +From: Felix Fietkau <nbd@nbd.name>
 +Date: Fri, 27 Aug 2021 12:22:32 +0200
 +Subject: [PATCH] bridge: add sysctl knob for filtering rx/tx BPDU packets on a
 + port
 +
 +Some devices (e.g. wireless APs) can't have devices behind them be part of
 +a bridge topology with redundant links, due to address limitations.
 +Additionally, broadcast traffic on these devices is somewhat expensive, due to
 +the low data rate and wakeups of clients in powersave mode.
 +This sysctl knob can be used to ensure that BPDU packets are never sent
 +or forwarded to/from these devices
 +
 +Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +---
 +
 +--- a/include/linux/if_bridge.h
 ++++ b/include/linux/if_bridge.h
 +@@ -56,6 +56,7 @@ struct br_ip_list {
 + #define BR_MRP_AWARE		BIT(17)
 + #define BR_MRP_LOST_CONT	BIT(18)
 + #define BR_MRP_LOST_IN_CONT	BIT(19)
 ++#define BR_BPDU_FILTER		BIT(20)
 + 
 + #define BR_DEFAULT_AGEING_TIME	(300 * HZ)
 + 
 +--- a/net/bridge/br_forward.c
 ++++ b/net/bridge/br_forward.c
 +@@ -191,6 +191,7 @@ out:
 + void br_flood(struct net_bridge *br, struct sk_buff *skb,
 + 	      enum br_pkt_type pkt_type, bool local_rcv, bool local_orig)
 + {
 ++	const unsigned char *dest = eth_hdr(skb)->h_dest;
 + 	struct net_bridge_port *prev = NULL;
 + 	struct net_bridge_port *p;
 + 
 +@@ -206,6 +207,10 @@ void br_flood(struct net_bridge *br, str
 + 		case BR_PKT_MULTICAST:
 + 			if (!(p->flags & BR_MCAST_FLOOD) && skb->dev != br->dev)
 + 				continue;
 ++			if ((p->flags & BR_BPDU_FILTER) &&
 ++			    unlikely(is_link_local_ether_addr(dest) &&
 ++				     dest[5] == 0))
 ++				continue;
 + 			break;
 + 		case BR_PKT_BROADCAST:
 + 			if (!(p->flags & BR_BCAST_FLOOD) && skb->dev != br->dev)
 +--- a/net/bridge/br_input.c
 ++++ b/net/bridge/br_input.c
 +@@ -305,6 +305,8 @@ static rx_handler_result_t br_handle_fra
 + 		fwd_mask |= p->group_fwd_mask;
 + 		switch (dest[5]) {
 + 		case 0x00:	/* Bridge Group Address */
 ++			if (p->flags & BR_BPDU_FILTER)
 ++				goto drop;
 + 			/* If STP is turned off,
 + 			   then must forward to keep loop detection */
 + 			if (p->br->stp_enabled == BR_NO_STP ||
 +--- a/net/bridge/br_sysfs_if.c
 ++++ b/net/bridge/br_sysfs_if.c
 +@@ -233,6 +233,7 @@ BRPORT_ATTR_FLAG(multicast_flood, BR_MCA
 + BRPORT_ATTR_FLAG(broadcast_flood, BR_BCAST_FLOOD);
 + BRPORT_ATTR_FLAG(neigh_suppress, BR_NEIGH_SUPPRESS);
 + BRPORT_ATTR_FLAG(isolated, BR_ISOLATED);
 ++BRPORT_ATTR_FLAG(bpdu_filter, BR_BPDU_FILTER);
 + 
 + #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
 + static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
 +@@ -285,6 +286,7 @@ static const struct brport_attribute *br
 + 	&brport_attr_group_fwd_mask,
 + 	&brport_attr_neigh_suppress,
 + 	&brport_attr_isolated,
 ++	&brport_attr_bpdu_filter,
 + 	&brport_attr_backup_port,
 + 	NULL
 + };
 +--- a/net/bridge/br_stp_bpdu.c
 ++++ b/net/bridge/br_stp_bpdu.c
 +@@ -80,7 +80,8 @@ void br_send_config_bpdu(struct net_brid
 + {
 + 	unsigned char buf[35];
 + 
 +-	if (p->br->stp_enabled != BR_KERNEL_STP)
 ++	if (p->br->stp_enabled != BR_KERNEL_STP ||
 ++	    (p->flags & BR_BPDU_FILTER))
 + 		return;
 + 
 + 	buf[0] = 0;
 +@@ -127,7 +128,8 @@ void br_send_tcn_bpdu(struct net_bridge_
 + {
 + 	unsigned char buf[4];
 + 
 +-	if (p->br->stp_enabled != BR_KERNEL_STP)
 ++	if (p->br->stp_enabled != BR_KERNEL_STP ||
 ++	    (p->flags & BR_BPDU_FILTER))
 + 		return;
 + 
 + 	buf[0] = 0;
 +@@ -172,6 +174,9 @@ void br_stp_rcv(const struct stp_proto *
 + 	if (!(br->dev->flags & IFF_UP))
 + 		goto out;
 + 
 ++	if (p->flags & BR_BPDU_FILTER)
 ++		goto out;
 ++
 + 	if (p->state == BR_STATE_DISABLED)
 + 		goto out;
 + 
 diff --git a/target/linux/generic/pending-5.4/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch b/target/linux/generic/pending-5.4/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch
 new file mode 100644
 index 0000000000..586d264cd5
 --- /dev/null
 +++ b/target/linux/generic/pending-5.4/710-bridge-add-sysctl-knob-for-filtering-rx-tx-BPDU-pack.patch
@@ -0,0 +1,107 @@
 +From: Felix Fietkau <nbd@nbd.name>
 +Date: Fri, 27 Aug 2021 12:22:32 +0200
 +Subject: [PATCH] bridge: add sysctl knob for filtering rx/tx BPDU packets on a
 + port
 +
 +Some devices (e.g. wireless APs) can't have devices behind them be part of
 +a bridge topology with redundant links, due to address limitations.
 +Additionally, broadcast traffic on these devices is somewhat expensive, due to
 +the low data rate and wakeups of clients in powersave mode.
 +This sysctl knob can be used to ensure that BPDU packets are never sent
 +or forwarded to/from these devices
 +
 +Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +---
 +
 +--- a/include/linux/if_bridge.h
 ++++ b/include/linux/if_bridge.h
 +@@ -47,6 +47,7 @@ struct br_ip_list {
 + #define BR_BCAST_FLOOD		BIT(14)
 + #define BR_NEIGH_SUPPRESS	BIT(15)
 + #define BR_ISOLATED		BIT(16)
 ++#define BR_BPDU_FILTER		BIT(17)
 + 
 + #define BR_DEFAULT_AGEING_TIME	(300 * HZ)
 + 
 +--- a/net/bridge/br_forward.c
 ++++ b/net/bridge/br_forward.c
 +@@ -191,6 +191,7 @@ out:
 + void br_flood(struct net_bridge *br, struct sk_buff *skb,
 + 	      enum br_pkt_type pkt_type, bool local_rcv, bool local_orig)
 + {
 ++	const unsigned char *dest = eth_hdr(skb)->h_dest;
 + 	struct net_bridge_port *prev = NULL;
 + 	struct net_bridge_port *p;
 + 
 +@@ -206,6 +207,10 @@ void br_flood(struct net_bridge *br, str
 + 		case BR_PKT_MULTICAST:
 + 			if (!(p->flags & BR_MCAST_FLOOD) && skb->dev != br->dev)
 + 				continue;
 ++			if ((p->flags & BR_BPDU_FILTER) &&
 ++			    unlikely(is_link_local_ether_addr(dest) &&
 ++				     dest[5] == 0))
 ++				continue;
 + 			break;
 + 		case BR_PKT_BROADCAST:
 + 			if (!(p->flags & BR_BCAST_FLOOD) && skb->dev != br->dev)
 +--- a/net/bridge/br_input.c
 ++++ b/net/bridge/br_input.c
 +@@ -300,6 +300,8 @@ rx_handler_result_t br_handle_frame(stru
 + 		fwd_mask |= p->group_fwd_mask;
 + 		switch (dest[5]) {
 + 		case 0x00:	/* Bridge Group Address */
 ++			if (p->flags & BR_BPDU_FILTER)
 ++				goto drop;
 + 			/* If STP is turned off,
 + 			   then must forward to keep loop detection */
 + 			if (p->br->stp_enabled == BR_NO_STP ||
 +--- a/net/bridge/br_sysfs_if.c
 ++++ b/net/bridge/br_sysfs_if.c
 +@@ -233,6 +233,7 @@ BRPORT_ATTR_FLAG(multicast_flood, BR_MCA
 + BRPORT_ATTR_FLAG(broadcast_flood, BR_BCAST_FLOOD);
 + BRPORT_ATTR_FLAG(neigh_suppress, BR_NEIGH_SUPPRESS);
 + BRPORT_ATTR_FLAG(isolated, BR_ISOLATED);
 ++BRPORT_ATTR_FLAG(bpdu_filter, BR_BPDU_FILTER);
 + 
 + #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
 + static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
 +@@ -285,6 +286,7 @@ static const struct brport_attribute *br
 + 	&brport_attr_group_fwd_mask,
 + 	&brport_attr_neigh_suppress,
 + 	&brport_attr_isolated,
 ++	&brport_attr_bpdu_filter,
 + 	&brport_attr_backup_port,
 + 	NULL
 + };
 +--- a/net/bridge/br_stp_bpdu.c
 ++++ b/net/bridge/br_stp_bpdu.c
 +@@ -80,7 +80,8 @@ void br_send_config_bpdu(struct net_brid
 + {
 + 	unsigned char buf[35];
 + 
 +-	if (p->br->stp_enabled != BR_KERNEL_STP)
 ++	if (p->br->stp_enabled != BR_KERNEL_STP ||
 ++	    (p->flags & BR_BPDU_FILTER))
 + 		return;
 + 
 + 	buf[0] = 0;
 +@@ -125,7 +126,8 @@ void br_send_tcn_bpdu(struct net_bridge_
 + {
 + 	unsigned char buf[4];
 + 
 +-	if (p->br->stp_enabled != BR_KERNEL_STP)
 ++	if (p->br->stp_enabled != BR_KERNEL_STP ||
 ++	    (p->flags & BR_BPDU_FILTER))
 + 		return;
 + 
 + 	buf[0] = 0;
 +@@ -168,6 +170,9 @@ void br_stp_rcv(const struct stp_proto *
 + 	if (!(br->dev->flags & IFF_UP))
 + 		goto out;
 + 
 ++	if (p->flags & BR_BPDU_FILTER)
 ++		goto out;
 ++
 + 	if (p->state == BR_STATE_DISABLED)
 + 		goto out;
 + 
 -- 
 2.25.1
--- a/backports/0035-uhttp-update-to-latest-HEAD.patch
+++ b/backports/0035-uhttp-update-to-latest-HEAD.patch
@@ -0,0 +1,157 @@
 From patchwork Fri Aug 20 13:11:12 2021
 Content-Type: text/plain; charset="utf-8"
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 X-Patchwork-Submitter: Stijn Tintel <stijn@linux-ipv6.be>
 X-Patchwork-Id: 1519040
 X-Patchwork-Delegate: stijn@linux-ipv6.be
 Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
 X-Original-To: incoming@patchwork.ozlabs.org
 Delivered-To: patchwork-incoming@bilbo.ozlabs.org
 Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org
 (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org;
 envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
 receiver=<UNKNOWN>)
 Authentication-Results: ozlabs.org;
 	dkim=pass (2048-bit key;
 secure) header.d=lists.infradead.org header.i=@lists.infradead.org
 header.a=rsa-sha256 header.s=bombadil.20210309 header.b=r2Ly8Vhy;
 	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=linux-ipv6.be header.i=@linux-ipv6.be
 header.a=rsa-sha256 header.s=502B7754-045F-11E5-BBC5-64595FD46BE8
 header.b=BipII9T0;
 	dkim-atps=neutral
 Received: from bombadil.infradead.org (bombadil.infradead.org
 [IPv6:2607:7c80:54:e::133])
 	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
 	(No client certificate requested)
 	by ozlabs.org (Postfix) with ESMTPS id 4Grhsz3FQvz9s1l
 	for <incoming@patchwork.ozlabs.org>; Fri, 20 Aug 2021 23:13:59 +1000 (AEST)
 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
 	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
 	List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc
 	:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
 	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
 	List-Owner; bh=Dxw7atu76L/aBQntt7pW1jTYPCULL0mkcY2U1BYT2sI=; b=r2Ly8VhysFZseN
 	kLaheAFj130coCdyeHSxT/951GnDDBkmyursFZAP2hBLaKv9Z+9HpHIGM3sOiNhM/zDKfabNJ/1D2
 	CV4iyPpVkhRxG9t6HPpPx94E6J5Oknl7l6eyL04DWUB28EzXcoBSMiP0zYsoOWjI8sQO8wITNp6hf
 	neAM1VlZlNb22n5/Wu5oD1RoEiMUS5GeyhU7kEFEWpC45rcpyuQdvHpPLMn5GkcqCOO6i90E7BKAK
 	ipYG2tptIjqjrmR+nC6CPRavA+hSG/o6HzDSYNJvWmgVjCc6RpN/xliN03Rum4+mbDtMEB4Wpidmj
 	FepfgPqKxWRJ0UiXBJew==;
 Received: from localhost ([::1] helo=bombadil.infradead.org)
 	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
 	id 1mH4J2-00BF23-C2; Fri, 20 Aug 2021 13:11:32 +0000
 Received: from mail.tintel.eu ([51.83.127.189])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1mH4Iw-00BF1P-CR
 for openwrt-devel@lists.openwrt.org; Fri, 20 Aug 2021 13:11:30 +0000
 Received: from localhost (localhost [IPv6:::1])
 by mail.tintel.eu (Postfix) with ESMTP id 1BE4C4486AC4;
 Fri, 20 Aug 2021 15:11:14 +0200 (CEST)
 Received: from mail.tintel.eu ([IPv6:::1])
 by localhost (mail.tintel.eu [IPv6:::1]) (amavisd-new, port 10032)
 with ESMTP id npDXmiQngdDU; Fri, 20 Aug 2021 15:11:13 +0200 (CEST)
 Received: from localhost (localhost [IPv6:::1])
 by mail.tintel.eu (Postfix) with ESMTP id 5B1EC4486ACC;
 Fri, 20 Aug 2021 15:11:13 +0200 (CEST)
 DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tintel.eu 5B1EC4486ACC
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-ipv6.be;
 s=502B7754-045F-11E5-BBC5-64595FD46BE8; t=1629465073;
 bh=3YKw9bephsRsf4MDuHSX4MioHjRWefi/5PEc54pFn4g=;
 h=From:To:Date:Message-Id:MIME-Version;
 b=BipII9T0eY8ENYqcdZ7rxKFn6rwkKKOhJ2IoeLZ1fx4lgpPuGWsZrexzqU6mYTDRa
 Aihei2/ovPeWgUDbzfjNC9hIqv0fXRaEW0sCAPZGOP6gNHWNCkJxuPqYI+4pjijRRt
 6YYC2qCi8DqzQJv7St1FqeVFoIaF8SfbniBW+1N4=
 X-Virus-Scanned: amavisd-new at mail.tintel.eu
 Received: from mail.tintel.eu ([IPv6:::1])
 by localhost (mail.tintel.eu [IPv6:::1]) (amavisd-new, port 10026)
 with ESMTP id J5m0pY66LdR7; Fri, 20 Aug 2021 15:11:13 +0200 (CEST)
 Received: from taz.sof.bg.adlevio.net (unknown [IPv6:2001:67c:21bc:20::10])
 by mail.tintel.eu (Postfix) with SMTP id 17DF94486AC4;
 Fri, 20 Aug 2021 15:11:13 +0200 (CEST)
 Received: (nullmailer pid 141125 invoked by uid 1000);
 Fri, 20 Aug 2021 13:11:12 -0000
 From: Stijn Tintel <stijn@linux-ipv6.be>
 To: openwrt-devel@lists.openwrt.org
 Cc: nbd@nbd.name
 Subject: [PATCH] uhttpd: add config option for json_script
 Date: Fri, 20 Aug 2021 16:11:12 +0300
 Message-Id: <20210820131112.141077-1-stijn@linux-ipv6.be>
 X-Mailer: git-send-email 2.31.1
 MIME-Version: 1.0
 X-Rspamd-Queue-Id: 17DF94486AC4
 X-Spamd-Result: default: False [0.00 / 15.00];
 IP_WHITELIST(0.00)[2001:67c:21bc:20::10];
 ASN(0.00)[asn:200533, ipnet:2001:67c:21bc::/48, country:BG]
 X-Rspamd-Server: skulls
 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
 X-CRM114-CacheID: sfid-20210820_061126_592239_17869382 
 X-CRM114-Status: UNSURE (   9.50  )
 X-CRM114-Notice: Please train this message.
 X-Spam-Score: 0.2 (/)
 X-Spam-Report: Spam detection software,
 running on the system "bombadil.infradead.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: Add a config option for json_script instead of
 unconditionally
 including all json files in /etc/uhttpd in every uhttpd instance. This makes
 it possible to configure a single instance with an unconditi [...]
 Content analysis details:   (0.2 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 X-BeenThere: openwrt-devel@lists.openwrt.org
 X-Mailman-Version: 2.1.34
 Precedence: list
 List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
 List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
 List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
 List-Post: <mailto:openwrt-devel@lists.openwrt.org>
 List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
 List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
 Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
 Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org
 Add a config option for json_script instead of unconditionally including
 all json files in /etc/uhttpd in every uhttpd instance. This makes it
 possible to configure a single instance with an unconditional redirect,
 which is currently not possible as it would render all other uhttpd
 instances unusable.
 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
 ---
 package/network/services/uhttpd/Makefile          | 2 +-
 package/network/services/uhttpd/files/uhttpd.init | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
 diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
 index e7709941c2..30fd7b4259 100755
 --- a/package/network/services/uhttpd/files/uhttpd.init
 +++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -196,7 +196,8 @@ start_instance()
 		append_bool "$cfg" redirect_https "-q" 0
 	}
 -	for file in /etc/uhttpd/*.json; do
 +	config_get json_script "$cfg" json_script
 +	for file in $json_script; do
 		[ -s "$file" ] && procd_append_param command -H "$file"
 	done
--- a/backports/0036-iwinfo-update-to-latest-git-HEAD.patch
+++ b/backports/0036-iwinfo-update-to-latest-git-HEAD.patch
@@ -0,0 +1,39 @@
 From c90fec205137d8d8c1197722a39d5c700ae3f6b1 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Mon, 21 Jun 2021 12:53:28 +0200
 Subject: [PATCH 02/36] iwinfo: update to latest git HEAD
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/network/utils/iwinfo/Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/package/network/utils/iwinfo/Makefile b/package/network/utils/iwinfo/Makefile
 index 3454d615a9..b7c8370bba 100644
 --- a/package/network/utils/iwinfo/Makefile
 +++ b/package/network/utils/iwinfo/Makefile
@@ -11,9 +11,9 @@ PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/iwinfo.git
 -PKG_SOURCE_DATE:=2021-01-31
 -PKG_SOURCE_VERSION:=4a32b33e9606f1bc1125f4bc24b0581349e55f2e
 -PKG_MIRROR_HASH:=414e5d150efaadba21103e66f862be66a94dcf83c16a2850f7c05051a9b0739d
 +PKG_SOURCE_DATE:=2021-06-09
 +PKG_SOURCE_VERSION:=c0414642fead263a4a6a686ad3cb7e965ec8a23a
 +PKG_MIRROR_HASH:=c5686bbae86753c53db03a686b034bbb80d31107cc359ebd8522ea1c82db35ea
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=GPL-2.0
@@ -25,7 +25,7 @@ PKG_CONFIG_DEPENDS := \
 	CONFIG_PACKAGE_kmod-brcm-wl-mimo \
 	CONFIG_PACKAGE_kmod-cfg80211
 -IWINFO_ABI_VERSION:=20210106
 +IWINFO_ABI_VERSION:=20210430
 include $(INCLUDE_DIR)/package.mk
 -- 
 2.25.1
--- a/backports/0037-netifd-update-to-latest-HEAD.patch
+++ b/backports/0037-netifd-update-to-latest-HEAD.patch
@@ -0,0 +1,105 @@
 From a622ab0c15a2f58b724362339d6b467c02ee7576 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Thu, 27 May 2021 13:24:47 +0200
 Subject: [PATCH 01/57] netifd: update to latest HEAD
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/network/config/netifd/Makefile          | 14 +++++++++-----
 .../network/config/netifd/files/etc/udhcpc.user |  1 +
 .../config/netifd/files/lib/netifd/dhcp.script  |  3 +++
 .../netifd/patches/002-fix-dhcp-issue.patch     | 17 +++++++++++++++++
 4 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 package/network/config/netifd/files/etc/udhcpc.user
 create mode 100644 package/network/config/netifd/patches/002-fix-dhcp-issue.patch
 diff --git a/package/network/config/netifd/Makefile b/package/network/config/netifd/Makefile
 index 7061456b08..13c1d96ed7 100644
 --- a/package/network/config/netifd/Makefile
 +++ b/package/network/config/netifd/Makefile
@@ -5,16 +5,14 @@ PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/netifd.git
 -PKG_SOURCE_DATE:=2021-01-09
 -PKG_SOURCE_VERSION:=c00c8335d6188daa326ecfe5a62da15a9b9987e1
 -PKG_MIRROR_HASH:=c740e51e0cec13eec336ba1c7a643db3b64a9a2235f8c1b73a566cb89e841190
 +PKG_SOURCE_DATE:=2021-09-01
 +PKG_SOURCE_VERSION:=300b1220fab38600f102bb8cfcc59a29ce41b095
 +PKG_MIRROR_HASH:=310fa90059795b1c956f9822db712ecc58bc19725b0f05f98c9e0a6824c8ca36
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=
 -PKG_BUILD_PARALLEL:=1
 -
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
@@ -25,6 +23,11 @@ define Package/netifd
   TITLE:=OpenWrt Network Interface Configuration Daemon
 endef
 +define Package/netifd/conffiles
 +/etc/udhcpc.user
 +/etc/udhcpc.user.d/
 +endef
 +
 TARGET_CFLAGS += \
 	-I$(STAGING_DIR)/usr/include/libnl-tiny \
 	-I$(STAGING_DIR)/usr/include \
@@ -40,6 +43,7 @@ define Package/netifd/install
 	$(INSTALL_DIR) $(1)/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/netifd $(1)/sbin/
 	$(CP) ./files/* $(1)/
 +	$(INSTALL_DIR) $(1)/etc/udhcpc.user.d/
 	$(CP) $(PKG_BUILD_DIR)/scripts/* $(1)/lib/netifd/
 endef
 diff --git a/package/network/config/netifd/files/etc/udhcpc.user b/package/network/config/netifd/files/etc/udhcpc.user
 new file mode 100644
 index 0000000000..78e2ba5f18
 --- /dev/null
 +++ b/package/network/config/netifd/files/etc/udhcpc.user
@@ -0,0 +1 @@
 +# This script is sourced by udhcpc's dhcp.script at every DHCP event.
 diff --git a/package/network/config/netifd/files/lib/netifd/dhcp.script b/package/network/config/netifd/files/lib/netifd/dhcp.script
 index 6585b641d6..e46005d84c 100755
 --- a/package/network/config/netifd/files/lib/netifd/dhcp.script
 +++ b/package/network/config/netifd/files/lib/netifd/dhcp.script
@@ -112,5 +112,8 @@ esac
 # user rules
 [ -f /etc/udhcpc.user ] && . /etc/udhcpc.user "$@"
 +for f in /etc/udhcpc.user.d/*; do
 +	[ -f "$f" ] && (. "$f" "$@")
 +done
 exit 0
 diff --git a/package/network/config/netifd/patches/002-fix-dhcp-issue.patch b/package/network/config/netifd/patches/002-fix-dhcp-issue.patch
 new file mode 100644
 index 0000000000..6f1d2e708e
 --- /dev/null
 +++ b/package/network/config/netifd/patches/002-fix-dhcp-issue.patch
@@ -0,0 +1,17 @@
 +Index: netifd-2019-08-05-5e02f944/interface.c
 +===================================================================
 +--- netifd-2019-08-05-5e02f944.orig/interface.c
 ++++ netifd-2019-08-05-5e02f944/interface.c
 +@@ -424,7 +424,11 @@ interface_main_dev_cb(struct device_user
 + 		interface_set_link_state(iface, false);
 + 		break;
 + 	case DEV_EVENT_TOPO_CHANGE:
 +-		interface_proto_event(iface->proto, PROTO_CMD_RENEW, false);
 ++	/* This renews the dhcp lease when the bridge adds/deletes a
 ++	 * new interface. It causes some dhcp servers to fail in
 ++	 * case where there are many interfaces being added to the
 ++	 * bridge frequently. Disabling this for now. */
 ++	/*	interface_proto_event(iface->proto, PROTO_CMD_RENEW, false); */
 + 		return;
 + 	default:
 + 		break;
 -- 
 2.25.1
--- a/backports/0038-mac80211-update-to-latest-HEAD.patch
+++ b/backports/0038-mac80211-update-to-latest-HEAD.patch
--- a/backports/0039-hostapd-upsate-to-latest-HEAD.patch
+++ b/backports/0039-hostapd-upsate-to-latest-HEAD.patch
--- a/backports/0040-mt76-update-to-latest-HEAD.patch
+++ b/backports/0040-mt76-update-to-latest-HEAD.patch
@@ -0,0 +1,51 @@
 From e01de214b2492e1b8001d6057211017b5f0f6f49 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Thu, 27 May 2021 13:25:41 +0200
 Subject: [PATCH 04/44] mt76: update to latest HEAD
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/kernel/mt76/Makefile | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
 diff --git a/package/kernel/mt76/Makefile b/package/kernel/mt76/Makefile
 index e9e95fa9b3..431c57a240 100644
 --- a/package/kernel/mt76/Makefile
 +++ b/package/kernel/mt76/Makefile
@@ -8,11 +8,12 @@ PKG_LICENSE_FILES:=
 PKG_SOURCE_URL:=https://github.com/openwrt/mt76
 PKG_SOURCE_PROTO:=git
 -PKG_SOURCE_DATE:=2021-04-11
 -PKG_SOURCE_VERSION:=bf45b30d891961dd7c4139dddb58b909ea2c2b5a
 -PKG_MIRROR_HASH:=431cecf80dafa986e805f809522721c2bb26289867d6770695d49baf8b471bea
 +PKG_SOURCE_DATE:=2021-07-15
 +PKG_SOURCE_VERSION:=bbebea7d6dc64313132226adc3f7369d36e9359d
 +PKG_MIRROR_HASH:=17cd74e72c1f6c8742b698bf6772afacc6fba71b233af8c4d59530600cf44d5b
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 +PKG_USE_NINJA:=0
 PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS += \
@@ -155,7 +156,7 @@ define KernelPackage/mt7615-common
   $(KernelPackage/mt76-default)
   TITLE:=MediaTek MT7615 wireless driver common code
   HIDDEN:=1
 -  DEPENDS+=@PCI_SUPPORT +kmod-mt76-core +kmod-mt76-connac
 +  DEPENDS+=@PCI_SUPPORT +kmod-mt76-core +kmod-mt76-connac +kmod-hwmon-core
   FILES:= $(PKG_BUILD_DIR)/mt7615/mt7615-common.ko
 endef
@@ -213,7 +214,7 @@ endef
 define KernelPackage/mt7915e
   $(KernelPackage/mt76-default)
   TITLE:=MediaTek MT7915e wireless driver
 -  DEPENDS+=@PCI_SUPPORT +kmod-mt7615-common +@DRIVER_11AX_SUPPORT
 +  DEPENDS+=@PCI_SUPPORT +kmod-mt7615-common +kmod-hwmon-core +kmod-thermal +@DRIVER_11AX_SUPPORT
   FILES:= $(PKG_BUILD_DIR)/mt7915/mt7915e.ko
   AUTOLOAD:=$(call AutoProbe,mt7915e)
 endef
 -- 
 2.25.1
--- a/backports/0041-ar71xx-hacks.patch
+++ b/backports/0041-ar71xx-hacks.patch
@@ -0,0 +1,53 @@
 From d01d8c9e5cf7de98222860011d1d5b362bfde005 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Mon, 12 Jul 2021 13:09:25 +0200
 Subject: [PATCH 01/39] ar71xx: hacks
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/kernel/linux/modules/crypto.mk                 | 2 +-
 package/kernel/mac80211/ath.mk                         | 1 +
 target/linux/ar71xx/files/arch/mips/ath79/mach-rb91x.c | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
 diff --git a/package/kernel/linux/modules/crypto.mk b/package/kernel/linux/modules/crypto.mk
 index 19b0d4696b..1b1c1e1a51 100644
 --- a/package/kernel/linux/modules/crypto.mk
 +++ b/package/kernel/linux/modules/crypto.mk
@@ -882,7 +882,7 @@ define KernelPackage/crypto-sha256
 	CONFIG_CRYPTO_SHA256_SSSE3
   FILES:= \
 	$(LINUX_DIR)/crypto/sha256_generic.ko \
 -	$(LINUX_DIR)/lib/crypto/libsha256.ko
 +	$(LINUX_DIR)/lib/crypto/libsha256.ko@ge4.15
   AUTOLOAD:=$(call AutoLoad,09,sha256_generic)
   $(call AddDepends/crypto)
 endef
 diff --git a/package/kernel/mac80211/ath.mk b/package/kernel/mac80211/ath.mk
 index ba03ae11a6..ad2860a98e 100644
 --- a/package/kernel/mac80211/ath.mk
 +++ b/package/kernel/mac80211/ath.mk
@@ -43,6 +43,7 @@ config-$(call config_package,ath9k) += ATH9K
 config-$(call config_package,ath9k-common) += ATH9K_COMMON
 config-$(call config_package,owl-loader) += ATH9K_PCI_NO_EEPROM
 config-$(CONFIG_TARGET_ath79) += ATH9K_AHB
 +config-$(CONFIG_TARGET_ar71xx) += ATH9K_AHB
 config-$(CONFIG_TARGET_ipq40xx) += ATH10K_AHB
 config-$(CONFIG_PCI) += ATH9K_PCI
 config-$(CONFIG_ATH_USER_REGD) += ATH_USER_REGD ATH_REG_DYNAMIC_USER_REG_HINTS
 diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-rb91x.c b/target/linux/ar71xx/files/arch/mips/ath79/mach-rb91x.c
 index 9620718962..2cdf97efd6 100644
 --- a/target/linux/ar71xx/files/arch/mips/ath79/mach-rb91x.c
 +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-rb91x.c
@@ -271,6 +271,8 @@ static const struct rb_board_info rb711gr100_boards[] __initconst = {
 	RB_BOARD_INFO("911G-5HPnD", 0),
 	RB_BOARD_INFO("912UAG-2HPnD", RB91X_FLAG_USB | RB91X_FLAG_PCIE),
 	RB_BOARD_INFO("912UAG-5HPnD", RB91X_FLAG_USB | RB91X_FLAG_PCIE),
 +	RB_BOARD_INFO("RB912UAG-2HPnD", RB91X_FLAG_USB | RB91X_FLAG_PCIE),
 +	RB_BOARD_INFO("RB912UAG-5HPnD", RB91X_FLAG_USB | RB91X_FLAG_PCIE),
 };
 static u32 rb711gr100_get_flags(const struct rb_info *info)
 -- 
 2.25.1
--- a/backports/0100-procd-add-uxc-support.patch
+++ b/backports/0100-procd-add-uxc-support.patch
@@ -0,0 +1,170 @@
 From 8897bab871fb43701fad786c94af5d1b1ef123ae Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Sun, 25 Jul 2021 13:32:37 +0200
 Subject: [PATCH 01/46] procd: add uxc support
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/system/procd/Makefile       | 12 ++---
 package/system/procd/files/procd.sh | 79 +++++++++++++++++++++++++++++
 package/system/procd/files/uxc.init |  4 ++
 3 files changed, 89 insertions(+), 6 deletions(-)
 diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
 index fff9faa1bf..98f1ed1775 100644
 --- a/package/system/procd/Makefile
 +++ b/package/system/procd/Makefile
@@ -12,9 +12,9 @@ PKG_RELEASE:=$(AUTORELEASE)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/procd.git
 -PKG_SOURCE_DATE:=2021-02-08
 -PKG_SOURCE_VERSION:=08938fe1cbc06eeaafa39448057368391d165272
 -PKG_MIRROR_HASH:=efc3deac56057e929789d44742858b2a16d976f6bfa0a2036e413d10afcaeee4
 +PKG_SOURCE_DATE:=2021-08-15
 +PKG_SOURCE_VERSION:=104b49d6ab25a8cf067e6d8d1f2da7defb9876d4
 +PKG_MIRROR_HASH:=d13b566a14e84f6babe8b7d3dfb88e34c3dff0e97d7770d6fe71174685bca628
 CMAKE_INSTALL:=1
 PKG_LICENSE:=GPL-2.0
@@ -32,7 +32,7 @@ include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 ifeq ($(DUMP),)
 -  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell echo $(CONFIG_TARGET_INIT_PATH) | mkhash md5)
 +  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell echo $(CONFIG_TARGET_INIT_PATH) | $(MKHASH) md5)
 endif
 CMAKE_OPTIONS += -DEARLY_PATH="$(TARGET_INIT_PATH)"
@@ -82,7 +82,7 @@ endef
 define Package/procd-seccomp
   SECTION:=base
   CATEGORY:=Base system
 -  DEPENDS:=@(arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \
 +  DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \
 	  @KERNEL_SECCOMP +libubox +libblobmsg-json
   TITLE:=OpenWrt process seccomp helper + utrace
 endef
@@ -90,7 +90,7 @@ endef
 define Package/uxc
   SECTION:=base
   CATEGORY:=Base system
 -  DEPENDS:=+procd-ujail +libubus +libubox +libblobmsg-json
 +  DEPENDS:=+procd-ujail +libubus +libubox +libblobmsg-json +blockd +rpcd
   TITLE:=OpenWrt container management
   MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
 endef
 diff --git a/package/system/procd/files/procd.sh b/package/system/procd/files/procd.sh
 index d86b7219da..3549a5a914 100644
 --- a/package/system/procd/files/procd.sh
 +++ b/package/system/procd/files/procd.sh
@@ -329,6 +329,82 @@ _procd_add_config_trigger() {
 	json_close_array
 }
 +_procd_add_mount_trigger() {
 +	json_add_array
 +	_procd_add_array_data "$1"
 +	local action="$2"
 +	local multi=0
 +	shift ; shift
 +
 +	json_add_array
 +	_procd_add_array_data "if"
 +
 +	if [ "$2" ]; then
 +		json_add_array
 +		_procd_add_array_data "or"
 +		multi=1
 +	fi
 +
 +	while [ "$1" ]; do
 +		json_add_array
 +		_procd_add_array_data "eq" "target" "$1"
 +		shift
 +		json_close_array
 +	done
 +
 +	[ $multi = 1 ] && json_close_array
 +
 +	json_add_array
 +	_procd_add_array_data "run_script" /etc/init.d/$name $action
 +	json_close_array
 +
 +	json_close_array
 +	_procd_add_timeout
 +	json_close_array
 +}
 +
 +_procd_add_action_mount_trigger() {
 +	local script=$(readlink "$initscript")
 +	local name=$(basename ${script:-$initscript})
 +	local action="$1"
 +	local mpath
 +	shift
 +
 +	_procd_open_trigger
 +	_procd_add_mount_trigger mount.add $action "$@"
 +	_procd_close_trigger
 +}
 +
 +procd_get_mountpoints() {
 +	(
 +		__procd_check_mount() {
 +			local cfg="$1"
 +			local path="${2%%/}/"
 +			local target
 +			config_get target "$cfg" target
 +			target="${target%%/}/"
 +			[ "$path" != "${path##$target}" ] && echo "${target%%/}"
 +		}
 +
 +		config_load fstab
 +		for mpath in "$@"; do
 +			config_foreach __procd_check_mount mount "$mpath"
 +		done
 +	) | sort -u
 +}
 +
 +_procd_add_restart_mount_trigger() {
 +	local mountpoints="$(procd_get_mountpoints "$@")"
 +	[ "${mountpoints//[[:space:]]}" ] &&
 +		_procd_add_action_mount_trigger restart $mountpoints
 +}
 +
 +_procd_add_reload_mount_trigger() {
 +	local mountpoints="$(procd_get_mountpoints "$@")"
 +	[ "${mountpoints//[[:space:]]}" ] &&
 +		_procd_add_action_mount_trigger reload $mountpoints
 +}
 +
 _procd_add_raw_trigger() {
 	json_add_array
 	_procd_add_array_data "$1"
@@ -560,8 +636,11 @@ _procd_wrapper \
 	procd_add_raw_trigger \
 	procd_add_config_trigger \
 	procd_add_interface_trigger \
 +	procd_add_mount_trigger \
 	procd_add_reload_trigger \
 	procd_add_reload_interface_trigger \
 +	procd_add_reload_mount_trigger \
 +	procd_add_restart_mount_trigger \
 	procd_open_trigger \
 	procd_close_trigger \
 	procd_open_instance \
 diff --git a/package/system/procd/files/uxc.init b/package/system/procd/files/uxc.init
 index 035c8b0b9e..1e75b796f8 100644
 --- a/package/system/procd/files/uxc.init
 +++ b/package/system/procd/files/uxc.init
@@ -16,3 +16,7 @@ boot() {
 	__BOOT_UXC=1
 	start
 }
 +
 +service_triggers() {
 +	procd_add_raw_trigger "mount.add" 3000 /etc/init.d/uxc boot
 +}
 -- 
 2.25.1
--- a/backports/0101-build-create-APK-files-parrallel-to-IPK.patch
+++ b/backports/0101-build-create-APK-files-parrallel-to-IPK.patch
@@ -0,0 +1,174 @@
 From 0a31ac2bfc8aa43c2a5e43eac81c4647dbf2d1b7 Mon Sep 17 00:00:00 2001
 From: Paul Spooren <mail@aparcar.org>
 Date: Fri, 2 Oct 2020 23:30:30 -1000
 Subject: [PATCH 01/45] build: create APK files parrallel to IPK
 Create APK files based on the folder and control files of IPK packages.
 Signed-off-by: Paul Spooren <mail@aparcar.org>
 ---
 include/package-ipkg.mk     | 48 +++++++++++++++++++++++++------------
 package/Makefile            |  2 ++
 package/base-files/Makefile |  4 ++++
 rules.mk                    |  2 ++
 scripts/apk-make-index.sh   | 20 ++++++++++++++++
 5 files changed, 61 insertions(+), 15 deletions(-)
 create mode 100755 scripts/apk-make-index.sh
 diff --git a/include/package-ipkg.mk b/include/package-ipkg.mk
 index c2017cd220..b0177070f8 100644
 --- a/include/package-ipkg.mk
 +++ b/include/package-ipkg.mk
@@ -102,6 +102,7 @@ ifeq ($(DUMP),)
     ABIV_$(1):=$(if $(filter-out kmod-%,$(1)),$(ABI_VERSION))
     PDIR_$(1):=$(call FeedPackageDir,$(1))
     IPKG_$(1):=$$(PDIR_$(1))/$(1)$$(ABIV_$(1))_$(VERSION)_$(PKGARCH).ipk
 +    APK_$(1):=$$(PDIR_$(1))/$(1)$$(ABIV_$(1))_$(VERSION)_$(PKGARCH).apk
     IDIR_$(1):=$(PKG_BUILD_DIR)/ipkg-$(PKGARCH)/$(1)
     KEEP_$(1):=$(strip $(call Package/$(1)/conffiles))
@@ -200,7 +201,7 @@ $(_endef)
     $(PKG_INFO_DIR)/$(1).provides $$(IPKG_$(1)): $(STAMP_BUILT) $(INCLUDE_DIR)/package-ipkg.mk
 	@rm -rf $$(IDIR_$(1)); \
 		$$(call remove_ipkg_files,$(1),$$(call opkg_package_files,$(call gen_ipkg_wildcard,$(1))))
 -	mkdir -p $(PACKAGE_DIR) $$(IDIR_$(1))/CONTROL $(PKG_INFO_DIR)
 +	mkdir -p $(PACKAGE_DIR) $$(IDIR_$(1)) $(PKG_INFO_DIR)
 	$(call Package/$(1)/install,$$(IDIR_$(1)))
 	$(if $(Package/$(1)/install-overlay),mkdir -p $(PACKAGE_DIR) $$(IDIR_$(1))/rootfs-overlay)
 	$(call Package/$(1)/install-overlay,$$(IDIR_$(1))/rootfs-overlay)
@@ -226,6 +227,37 @@ $(_endef)
 		) || true \
 	)
     endif
 +
 +    ifneq ($$(KEEP_$(1)),)
 +		@( \
 +			keepfiles=""; \
 +			for x in $$(KEEP_$(1)); do \
 +				[ -f "$$(IDIR_$(1))/$$$$x" ] || keepfiles="$$$${keepfiles:+$$$$keepfiles }$$$$x"; \
 +			done; \
 +			[ -z "$$$$keepfiles" ] || { \
 +				mkdir -p $$(IDIR_$(1))/lib/upgrade/keep.d; \
 +				for x in $$$$keepfiles; do echo $$$$x >> $$(IDIR_$(1))/lib/upgrade/keep.d/$(1); done; \
 +			}; \
 +		)
 +    endif
 +
 +	$(INSTALL_DIR) $$(PDIR_$(1))
 +
 +	$(FAKEROOT) apk mkpkg \
 +	  --info "name:$(1)" \
 +	  --info "version:$(VERSION)" \
 +	  --info "description:$()" \
 +	  --info "arch:$(PKGARCH)" \
 +	  --info "license:$(LICENSE)" \
 +	  --info "origin:$(SOURCE)" \
 +	  --info "maintainer:$(MAINTAINER)" \
 +	  $$(foreach dep,$$(Package/$(1)/DEPENDS),--info "depends:$$(subst $$(comma),,$$(dep))") \
 +	  --files "$$(IDIR_$(1))" \
 +	  --output "$$(APK_$(1))" \
 +	  --sign "$(BUILD_KEY_APK_SEC)"
 +
 +	mkdir -p $$(IDIR_$(1))/CONTROL
 +
 	(cd $$(IDIR_$(1))/CONTROL; \
 		( \
 			echo "$$$$CONTROL"; \
@@ -249,20 +281,6 @@ $(_endef)
 		$($(1)_COMMANDS) \
 	)
 -    ifneq ($$(KEEP_$(1)),)
 -		@( \
 -			keepfiles=""; \
 -			for x in $$(KEEP_$(1)); do \
 -				[ -f "$$(IDIR_$(1))/$$$$x" ] || keepfiles="$$$${keepfiles:+$$$$keepfiles }$$$$x"; \
 -			done; \
 -			[ -z "$$$$keepfiles" ] || { \
 -				mkdir -p $$(IDIR_$(1))/lib/upgrade/keep.d; \
 -				for x in $$$$keepfiles; do echo $$$$x >> $$(IDIR_$(1))/lib/upgrade/keep.d/$(1); done; \
 -			}; \
 -		)
 -    endif
 -
 -	$(INSTALL_DIR) $$(PDIR_$(1))
 	$(FAKEROOT) $(SCRIPT_DIR)/ipkg-build -m "$(FILE_MODES)" $$(IDIR_$(1)) $$(PDIR_$(1))
 	@[ -f $$(IPKG_$(1)) ]
 diff --git a/package/Makefile b/package/Makefile
 index ec503dc527..18a19fff13 100644
 --- a/package/Makefile
 +++ b/package/Makefile
@@ -60,6 +60,7 @@ $(curdir)/merge-index: $(curdir)/merge
 ifndef SDK
   $(curdir)/compile: $(curdir)/system/opkg/host/compile
 +  $(patsubst %,$(curdir)/%/compile,$(filter-out %/apk/host,$($(curdir)/builddirs))): $(curdir)/system/apk/host/compile
 endif
 $(curdir)/install: $(TMP_DIR)/.build $(curdir)/merge $(if $(CONFIG_TARGET_PER_DEVICE_ROOTFS),$(curdir)/merge-index)
@@ -84,6 +85,7 @@ $(curdir)/index: FORCE
 	@for d in $(PACKAGE_SUBDIRS); do ( \
 		mkdir -p $$d; \
 		cd $$d || continue; \
 +		$(SCRIPT_DIR)/apk-make-index.sh . 2>&1; \
 		$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages.manifest; \
 		grep -vE '^(Maintainer|LicenseFiles|Source|SourceName|Require|SourceDateEpoch)' Packages.manifest > Packages; \
 		case "$$(((64 + $$(stat -L -c%s Packages)) % 128))" in 110|111) \
 diff --git a/package/base-files/Makefile b/package/base-files/Makefile
 index 8a1ddf96f5..9db4812981 100644
 --- a/package/base-files/Makefile
 +++ b/package/base-files/Makefile
@@ -107,6 +107,10 @@ ifdef CONFIG_SIGNED_PACKAGES
 	[ -s $(BUILD_KEY).ucert ] || \
 		$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
 +	[ -s $(BUILD_KEY_APK_SEC) -a -s $(BUILD_KEY_APK_PUB) ] || \
 +		openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
 +		openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB)
 +
   endef
 ifndef CONFIG_BUILDBOT
 diff --git a/rules.mk b/rules.mk
 index f31d9bb113..de81b65d46 100644
 --- a/rules.mk
 +++ b/rules.mk
@@ -258,6 +258,8 @@ else
 endif
 BUILD_KEY=$(TOPDIR)/key-build
 +BUILD_KEY_APK_SEC=$(TOPDIR)/private-key.pem
 +BUILD_KEY_APK_PUB=$(TOPDIR)/public-key.pem
 FAKEROOT:=$(STAGING_DIR_HOST)/bin/fakeroot
 diff --git a/scripts/apk-make-index.sh b/scripts/apk-make-index.sh
 new file mode 100755
 index 0000000000..df1f1a2e2b
 --- /dev/null
 +++ b/scripts/apk-make-index.sh
@@ -0,0 +1,20 @@
 +#!/usr/bin/env bash
 +set -e
 +
 +pkg_dir=$1
 +
 +if [ -z "$pkg_dir" ] || [ ! -d "$pkg_dir" ]; then
 +	echo "Usage: apk-make-index <package_directory>" >&2
 +	exit 1
 +fi
 +
 +(
 +	cd "$pkg_dir" || exit 1
 +	GLOBIGNORE="kernel*:libc*"
 +	set -- *.apk
 +	if [ "$1" = '*.apk' ]; then
 +		echo "No APK packages found"
 +	fi
 +	apk index --output APKINDEX.tar.gz "$@"
 +	unset GLOBIGNORE
 +)
 -- 
 2.25.1
--- a/backports/0102-fstools-update-to-git-HEAD.patch
+++ b/backports/0102-fstools-update-to-git-HEAD.patch
@@ -0,0 +1,69 @@
 From 2239c3c87a723bee8efa64ecf22c61a15433517e Mon Sep 17 00:00:00 2001
 From: Daniel Golle <daniel@makrotopia.org>
 Date: Sun, 25 Jul 2021 01:20:31 +0100
 Subject: [PATCH 102/146] fstools: update to git HEAD
 bad1835 fstools: add partname volume driver
 19d7d93 libfstools: partname: several fixes
 3c38f0c libfstools: fix build with glibc
 d05ad93 libfstools: remove superflus include
 964d1e3 partname: allow skipping existing 'rootfs_data' partition
 c44b40b overlay: fix syncronizing typo
 b5397a1 fstools: block: fix segfault on mount with no target
 bd7cc8d block: use dynamically allocated target string
 6d8450e blockd: use allocated strings instead of fixed buffers
 d47909e libblkid-tiny: fix buffer overflow
 67d2297 block: match device path instead of assuming /dev/%s
 2aeba88 block: allow autofs and umount commands also on MTD/UBI
 3d40a1b blockd: add missing #define _GNU_SOURCE
 4d4dcfb blockd: detect mountpoint of /dev/mapper/*
 2f42515 block: resolve /dev/mapper/* name for /dev/dm-0 when hotplugging
 39558a1 blockd: also send ubus notification on mount hotplug
 3386b6b blockd: fix trigger name
 cdc9939 blockd: move to its own POSIX process group
 59f7c11 blockd: create mountpoint parent folder if needed
 9cc96af Revert "block: resolve /dev/mapper/* name for /dev/dm-0 when hotplugging"
 06334ac Revert "blockd: detect mountpoint of /dev/mapper/*"
 9ab3551 block: use /dev/dm-* instead of /dev/mapper/*
 5114595 block: allow remove hotplug event to arrive at blockd
 a846c6b blockd: fix length of timeout int passed to ioctl
 1d681ca block: support umount device basename
 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 ---
 package/system/fstools/Makefile          | 6 +++---
 package/system/fstools/files/blockd.init | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
 diff --git a/package/system/fstools/Makefile b/package/system/fstools/Makefile
 index 2da508d541..b582a17bae 100644
 --- a/package/system/fstools/Makefile
 +++ b/package/system/fstools/Makefile
@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/fstools.git
 -PKG_MIRROR_HASH:=a485792d90c71cd4fb396ce97f42a57ee4d2a3d78e5f3fd0748270ffb14209e6
 -PKG_SOURCE_DATE:=2021-01-04
 -PKG_SOURCE_VERSION:=c53b18820756f6f32ad0782d3bf489422b7c4ad3
 +PKG_MIRROR_HASH:=6a457b812166e04e2244ee1be92a4957666b5d1554315c0e18db1b30376cc617
 +PKG_SOURCE_DATE:=2021-07-28
 +PKG_SOURCE_VERSION:=cc63933faedd8d4fcdabb872cf4661ac04fe4ba2
 CMAKE_INSTALL:=1
 PKG_LICENSE:=GPL-2.0
 diff --git a/package/system/fstools/files/blockd.init b/package/system/fstools/files/blockd.init
 index a4ce57d40d..bdd8bbf622 100755
 --- a/package/system/fstools/files/blockd.init
 +++ b/package/system/fstools/files/blockd.init
@@ -16,6 +16,7 @@ reload_service() {
 start_service() {
 	procd_open_instance
 	procd_set_param command "$PROG"
 +	procd_set_param watch block
 	procd_set_param respawn
 	procd_close_instance
 }
 -- 
 2.25.1
--- a/backports/0103-tools-libressl-update-to-3.3.3.patch
+++ b/backports/0103-tools-libressl-update-to-3.3.3.patch
@@ -0,0 +1,40 @@
 From c40bb49f31443d9c03043c4361e4af56e5c3eba4 Mon Sep 17 00:00:00 2001
 From: Rosen Penev <rosenp@gmail.com>
 Date: Sat, 19 Jun 2021 14:45:11 -0700
 Subject: [PATCH 103/146] tools/libressl: update to 3.3.3
 Fix wrong FPIC variable usage. Fixes compilation under sparc64 host.
 Signed-off-by: Rosen Penev <rosenp@gmail.com>
 (cherry picked from commit bf4dbbb55e2b8e23f186e1334f1e9ce6a3a8ddfe)
 ---
 tools/libressl/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/tools/libressl/Makefile b/tools/libressl/Makefile
 index 2b5a33450c..e25b5661ee 100644
 --- a/tools/libressl/Makefile
 +++ b/tools/libressl/Makefile
@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libressl
 -PKG_VERSION:=3.3.1
 -PKG_HASH:=a6d331865e0164a13ac85a228e52517f7cf8f8488f2f95f34e7857302f97cfdb
 +PKG_VERSION:=3.3.3
 +PKG_HASH:=a471565b36ccd1a70d0bd7d37c6e95c43a26a62829b487d9d2cdebfe58be3066
 PKG_RELEASE:=1
 PKG_CPE_ID:=cpe:/a:openbsd:libressl
@@ -25,7 +25,7 @@ include $(INCLUDE_DIR)/host-build.mk
 HOSTCC := $(HOSTCC_NOCACHE)
 HOST_CONFIGURE_ARGS += --enable-static --disable-shared --disable-tests
 -HOST_CFLAGS += $(FPIC)
 +HOST_CFLAGS += $(HOST_FPIC)
 ifeq ($(GNU_HOST_NAME),x86_64-linux-gnux32)
 HOST_CONFIGURE_ARGS += --disable-asm
 -- 
 2.25.1
--- a/backports/0104-uvol-backport-package.patch
+++ b/backports/0104-uvol-backport-package.patch
--- a/backports/0105-apk-backport-package.patch
+++ b/backports/0105-apk-backport-package.patch
@@ -0,0 +1,312 @@
 From 6741963067c4be8999896a5e653dc0d72487e392 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Fri, 13 Aug 2021 08:47:11 +0200
 Subject: [PATCH 06/46] apk: backport package
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/system/apk/Makefile                   | 93 +++++++++++++++++++
 ...vel@lists.alpinelinux.org-4a6a0840.rsa.pub |  9 ++
 ...vel@lists.alpinelinux.org-5243ef4b.rsa.pub |  9 ++
 ...vel@lists.alpinelinux.org-5261cecb.rsa.pub |  9 ++
 package/system/apk/files/alpine-repositories  |  3 +
 .../apk/patches/000-Makefile-version.patch    | 11 +++
 .../patches/0001-remove-doc-generation.patch  | 21 +++++
 package/system/apk/patches/100-link.patch     | 16 ++++
 package/system/apk/patches/100-phtread.patch  | 12 +++
 ...ude-limits.h-to-fix-build-with-glibc.patch | 20 ++++
 package/system/apk/test.sh                    |  9 ++
 11 files changed, 212 insertions(+)
 create mode 100644 package/system/apk/Makefile
 create mode 100644 package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
 create mode 100644 package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
 create mode 100644 package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
 create mode 100644 package/system/apk/files/alpine-repositories
 create mode 100644 package/system/apk/patches/000-Makefile-version.patch
 create mode 100644 package/system/apk/patches/0001-remove-doc-generation.patch
 create mode 100644 package/system/apk/patches/100-link.patch
 create mode 100644 package/system/apk/patches/100-phtread.patch
 create mode 100644 package/system/apk/patches/100-tar-include-limits.h-to-fix-build-with-glibc.patch
 create mode 100644 package/system/apk/test.sh
 diff --git a/package/system/apk/Makefile b/package/system/apk/Makefile
 new file mode 100644
 index 0000000000..335f50c155
 --- /dev/null
 +++ b/package/system/apk/Makefile
@@ -0,0 +1,93 @@
 +include $(TOPDIR)/rules.mk
 +
 +PKG_NAME:=apk
 +PKG_VERSION:=3.0.0_pre0
 +
 +PKG_SOURCE_PROTO:=git
 +PKG_SOURCE_URL:=https://git.alpinelinux.org/apk-tools.git
 +PKG_SOURCE_DATE:=2021-08-17
 +PKG_SOURCE_VERSION:=a46043bcc4cc15b456ef1eac5c5f9d93bd905d53
 +PKG_MIRROR_HASH:=e16fd04b18043e78a177acd8c6958fa03fd1484b62c879c2dd0bed8ce9c50625
 +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_DATE)-$(call version_abbrev,$(PKG_SOURCE_VERSION))
 +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
 +HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/$(PKG_SOURCE_SUBDIR)
 +PKG_SOURCE:=$(PKG_SOURCE_SUBDIR).tar.xz
 +PKG_RELEASE:=r$(PKG_SOURCE_DATE)-$(call version_abbrev,$(PKG_SOURCE_VERSION))-$(AUTORELEASE)
 +
 +PKG_MAINTAINER:=Paul Spooren <mail@aparcar.org>
 +PKG_LICENSE:=GPL-2.0-only
 +PKG_LICENSE_FILES:=LICENSE
 +
 +PKG_INSTALL:=1
 +PKG_BUILD_PARALLEL:=1
 +
 +HOST_BUILD_DEPENDS:=lua/host lua-lzlib/host
 +PKG_BUILD_DEPENDS:=$(HOST_BUILD_DEPENDS)
 +
 +include $(INCLUDE_DIR)/package.mk
 +include $(INCLUDE_DIR)/host-build.mk
 +
 +define Package/apk
 +  SECTION:=utils
 +  CATEGORY:=Utilities
 +  TITLE:=apk package manager
 +  DEPENDS:=+liblua +libopenssl +zlib @!arc
 +  URL:=$(PKG_SOURCE_URL)
 +endef
 +
 +define Package/alpine-keys
 +  SECTION:=utils
 +  CATEGORY:=Utilities
 +  TITLE:=Alpine apk public signing keys
 +  DEPENDS:=apk
 +endef
 +
 +define Package/alpine-repositories
 +  SECTION:=utils
 +  CATEGORY:=Utilities
 +  TITLE:=Official Alpine repositories
 +  DEPENDS:=apk
 +endef
 +
 +MAKE_FLAGS += \
 +	LUA=$(STAGING_DIR_HOSTPKG)/bin/lua \
 +	LUA_VERSION=5.1 \
 +	LUA_PC=lua
 +
 +HOST_MAKE_FLAGS += \
 +	LUA=$(STAGING_DIR_HOSTPKG)/bin/lua \
 +	LUA_VERSION=5.1 \
 +	DESTDIR=$(STAGING_DIR_HOSTPKG) \
 +	SBINDIR=/bin \
 +	PREFIX=
 +
 +HOST_LDFLAGS+=-Wl,-rpath=$(STAGING_DIR_HOSTPKG)/lib -lpthread
 +
 +define Package/apk/install
 +	$(INSTALL_DIR) $(1)/lib/apk/db
 +
 +	$(INSTALL_DIR) $(1)/bin
 +	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/apk $(1)/bin/apk
 +
 +	$(INSTALL_DIR) $(1)/usr/lib
 +	$(CP) $(PKG_INSTALL_DIR)/lib/*.so.* $(1)/usr/lib/
 +
 +	$(INSTALL_DIR) $(1)/etc/apk/
 +	echo $(ARCH) > $(1)/etc/apk/arch
 +	touch $(1)/etc/apk/world
 +endef
 +
 +define Package/alpine-keys/install
 +	$(INSTALL_DIR) $(1)/etc/apk/keys
 +	$(INSTALL_DATA) ./files/alpine-keys/* $(1)/etc/apk/keys
 +endef
 +
 +define Package/alpine-repositories/install
 +	$(INSTALL_DIR) $(1)/etc/apk/keys
 +	$(INSTALL_DATA) ./files/alpine-repositories $(1)/etc/apk/repositories
 +endef
 +
 +$(eval $(call BuildPackage,apk))
 +$(eval $(call BuildPackage,alpine-keys))
 +$(eval $(call BuildPackage,alpine-repositories))
 +$(eval $(call HostBuild))
 diff --git a/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub b/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
 new file mode 100644
 index 0000000000..bb4bdc80fd
 --- /dev/null
 +++ b/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
@@ -0,0 +1,9 @@
 +-----BEGIN PUBLIC KEY-----
 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1yHJxQgsHQREclQu4Ohe
 +qxTxd1tHcNnvnQTu/UrTky8wWvgXT+jpveroeWWnzmsYlDI93eLI2ORakxb3gA2O
 +Q0Ry4ws8vhaxLQGC74uQR5+/yYrLuTKydFzuPaS1dK19qJPXB8GMdmFOijnXX4SA
 +jixuHLe1WW7kZVtjL7nufvpXkWBGjsfrvskdNA/5MfxAeBbqPgaq0QMEfxMAn6/R
 +L5kNepi/Vr4S39Xvf2DzWkTLEK8pcnjNkt9/aafhWqFVW7m3HCAII6h/qlQNQKSo
 +GuH34Q8GsFG30izUENV9avY7hSLq7nggsvknlNBZtFUcmGoQrtx3FmyYsIC8/R+B
 +ywIDAQAB
 +-----END PUBLIC KEY-----
 diff --git a/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub b/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
 new file mode 100644
 index 0000000000..6cbfad7441
 --- /dev/null
 +++ b/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
@@ -0,0 +1,9 @@
 +-----BEGIN PUBLIC KEY-----
 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNijDxJ8kloskKQpJdx+
 +mTMVFFUGDoDCbulnhZMJoKNkSuZOzBoFC94omYPtxnIcBdWBGnrm6ncbKRlR+6oy
 +DO0W7c44uHKCFGFqBhDasdI4RCYP+fcIX/lyMh6MLbOxqS22TwSLhCVjTyJeeH7K
 +aA7vqk+QSsF4TGbYzQDDpg7+6aAcNzg6InNePaywA6hbT0JXbxnDWsB+2/LLSF2G
 +mnhJlJrWB1WGjkz23ONIWk85W4S0XB/ewDefd4Ly/zyIciastA7Zqnh7p3Ody6Q0
 +sS2MJzo7p3os1smGjUF158s6m/JbVh4DN6YIsxwl2OjDOz9R0OycfJSDaBVIGZzg
 +cQIDAQAB
 +-----END PUBLIC KEY-----
 diff --git a/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub b/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
 new file mode 100644
 index 0000000000..83f0658e9c
 --- /dev/null
 +++ b/package/system/apk/files/alpine-keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
@@ -0,0 +1,9 @@
 +-----BEGIN PUBLIC KEY-----
 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlzMkl7b5PBdfMzGdCT0
 +cGloRr5xGgVmsdq5EtJvFkFAiN8Ac9MCFy/vAFmS8/7ZaGOXoCDWbYVLTLOO2qtX
 +yHRl+7fJVh2N6qrDDFPmdgCi8NaE+3rITWXGrrQ1spJ0B6HIzTDNEjRKnD4xyg4j
 +g01FMcJTU6E+V2JBY45CKN9dWr1JDM/nei/Pf0byBJlMp/mSSfjodykmz4Oe13xB
 +Ca1WTwgFykKYthoLGYrmo+LKIGpMoeEbY1kuUe04UiDe47l6Oggwnl+8XD1MeRWY
 +sWgj8sF4dTcSfCMavK4zHRFFQbGp/YFJ/Ww6U9lA3Vq0wyEI6MCMQnoSMFwrbgZw
 +wwIDAQAB
 +-----END PUBLIC KEY-----
 diff --git a/package/system/apk/files/alpine-repositories b/package/system/apk/files/alpine-repositories
 new file mode 100644
 index 0000000000..5babbb23b4
 --- /dev/null
 +++ b/package/system/apk/files/alpine-repositories
@@ -0,0 +1,3 @@
 +https://dl-cdn.alpinelinux.org/alpine/edge/main
 +https://dl-cdn.alpinelinux.org/alpine/edge/community
 +
 diff --git a/package/system/apk/patches/000-Makefile-version.patch b/package/system/apk/patches/000-Makefile-version.patch
 new file mode 100644
 index 0000000000..2e7f5b0f15
 --- /dev/null
 +++ b/package/system/apk/patches/000-Makefile-version.patch
@@ -0,0 +1,11 @@
 +--- a/Makefile
 ++++ b/Makefile
 +@@ -4,7 +4,7 @@
 + -include config.mk
 + 
 + PACKAGE := apk-tools
 +-VERSION := 2.12.0
 ++VERSION := 3.0.0_pre0
 + 
 + export VERSION
 + 
 diff --git a/package/system/apk/patches/0001-remove-doc-generation.patch b/package/system/apk/patches/0001-remove-doc-generation.patch
 new file mode 100644
 index 0000000000..dee05c56f2
 --- /dev/null
 +++ b/package/system/apk/patches/0001-remove-doc-generation.patch
@@ -0,0 +1,21 @@
 +From b05a93c48fdbb50f0c464310dc2ce45777d32ea2 Mon Sep 17 00:00:00 2001
 +From: Paul Spooren <mail@aparcar.org>
 +Date: Fri, 2 Oct 2020 14:08:52 -1000
 +Subject: [PATCH] remove doc generation
 +
 +Signed-off-by: Paul Spooren <mail@aparcar.org>
 +---
 + Makefile | 2 +-
 + 1 file changed, 1 insertion(+), 1 deletion(-)
 +
 +--- a/Makefile
 ++++ b/Makefile
 +@@ -25,7 +25,7 @@ export DESTDIR SBINDIR LIBDIR CONFDIR MA
 + ##
 + # Top-level subdirs
 + 
 +-subdirs		:= libfetch/ src/ doc/
 ++subdirs		:= libfetch/ src/
 + 
 + ##
 + # Include all rules and stuff
 diff --git a/package/system/apk/patches/100-link.patch b/package/system/apk/patches/100-link.patch
 new file mode 100644
 index 0000000000..9cae2787d9
 --- /dev/null
 +++ b/package/system/apk/patches/100-link.patch
@@ -0,0 +1,16 @@
 +diff -urN apk-2021-08-17-a46043bc.orig/src/Makefile apk-2021-08-17-a46043bc/src/Makefile
 +--- apk-2021-08-17-a46043bc.orig/src/Makefile	2021-08-17 14:21:04.117760513 +0200
 ++++ apk-2021-08-17-a46043bc/src/Makefile	2021-08-17 14:21:16.653830180 +0200
 +@@ -65,7 +65,11 @@
 + 	app_convdb.o app_convndx.o app_del.o app_dot.o app_extract.o app_fetch.o \
 + 	app_fix.o app_index.o app_info.o app_list.o app_manifest.o app_mkndx.o \
 + 	app_mkpkg.o app_policy.o app_update.o app_upgrade.o app_search.o \
 +-	app_stats.o app_verify.o app_version.o app_vertest.o applet.o
 ++	app_stats.o app_verify.o app_version.o app_vertest.o applet.o \
 ++	adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
 ++	atom.o blob.o commit.o common.o context.o crypto_openssl.o database.o hash.o \
 ++	extract.o extract_v2.o extract_v3.o io.o io_gunzip.o io_url.o tar.o \
 ++	package.o pathbuilder.o print.o solver.o trust.o version.o
 + 
 + ifeq ($(ADB),y)
 + libapk.so.$(libapk_soname)-objs += apk_adb.o
 diff --git a/package/system/apk/patches/100-phtread.patch b/package/system/apk/patches/100-phtread.patch
 new file mode 100644
 index 0000000000..c252e14dc1
 --- /dev/null
 +++ b/package/system/apk/patches/100-phtread.patch
@@ -0,0 +1,12 @@
 +diff -urN apk-2021-07-23-3d203e8f.orig/src/Makefile apk-2021-07-23-3d203e8f/src/Makefile
 +--- apk-2021-07-23-3d203e8f.orig/src/Makefile	2021-07-25 12:55:05.576564663 +0200
 ++++ apk-2021-07-23-3d203e8f/src/Makefile	2021-07-25 12:55:48.660862181 +0200
 +@@ -87,7 +87,7 @@
 + apk.static-libs		:= $(apk-static-libs)
 + LDFLAGS_apk.static	:= -static
 + LIBS_apk.static		:= -Wl,--as-needed -ldl -Wl,--no-as-needed
 +-LDFLAGS_apk		+= -L$(obj)
 ++LDFLAGS_apk		+= -L$(obj) -pthread
 + LDFLAGS_apk-test	+= -L$(obj)
 + 
 + CFLAGS_ALL		+= $(OPENSSL_CFLAGS) $(ZLIB_CFLAGS)
 diff --git a/package/system/apk/patches/100-tar-include-limits.h-to-fix-build-with-glibc.patch b/package/system/apk/patches/100-tar-include-limits.h-to-fix-build-with-glibc.patch
 new file mode 100644
 index 0000000000..43ec7d5f1a
 --- /dev/null
 +++ b/package/system/apk/patches/100-tar-include-limits.h-to-fix-build-with-glibc.patch
@@ -0,0 +1,20 @@
 +From c72ea983e287ec1d8b1f2b3aab1bf40aa7a30b03 Mon Sep 17 00:00:00 2001
 +From: Daniel Golle <daniel@makrotopia.org>
 +Date: Wed, 4 Aug 2021 21:37:40 +0100
 +Subject: [PATCH] tar: include <limits.h> to fix build with glibc
 +
 +Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 +---
 + src/tar.c | 1 +
 + 1 file changed, 1 insertion(+)
 +
 +--- a/src/tar.c
 ++++ b/src/tar.c
 +@@ -9,6 +9,7 @@
 + 
 + #include <sys/stat.h>
 + #include <sys/sysmacros.h>
 ++#include <limits.h> /* for SSIZE_MAX with glibc */
 + 
 + #include "apk_defines.h"
 + #include "apk_tar.h"
 diff --git a/package/system/apk/test.sh b/package/system/apk/test.sh
 new file mode 100644
 index 0000000000..814777fd70
 --- /dev/null
 +++ b/package/system/apk/test.sh
@@ -0,0 +1,9 @@
 +#!/bin/sh
 +
 +case "$1" in
 +    "apk")
 +        apk --version | grep "${2/-r*/}"
 +        ;;
 +    *)
 +        return 0;
 +esac
 -- 
 2.25.1
--- a/backports/0106-lua-lzlib-backport-package.patch
+++ b/backports/0106-lua-lzlib-backport-package.patch
@@ -0,0 +1,104 @@
 From 900d18f3ae2cd5bb3d8d6e2584d2280cb5302e01 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Fri, 13 Aug 2021 08:48:02 +0200
 Subject: [PATCH 106/146] lua-lzlib: backport package
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
 package/libs/lua-lzlib/Makefile               | 64 +++++++++++++++++++
 .../patches/001-allow_optim_flags.patch       | 12 ++++
 2 files changed, 76 insertions(+)
 create mode 100644 package/libs/lua-lzlib/Makefile
 create mode 100644 package/libs/lua-lzlib/patches/001-allow_optim_flags.patch
 diff --git a/package/libs/lua-lzlib/Makefile b/package/libs/lua-lzlib/Makefile
 new file mode 100644
 index 0000000000..5e0a16b135
 --- /dev/null
 +++ b/package/libs/lua-lzlib/Makefile
@@ -0,0 +1,64 @@
 +#
 +# Copyright (C) 2015 OpenWrt.org
 +#
 +# This is free software, licensed under the GNU General Public License v2.
 +# See /LICENSE for more information.
 +#
 +
 +include $(TOPDIR)/rules.mk
 +
 +PKG_NAME:=lua-lzlib
 +PKG_VERSION:=0.4.3
 +PKG_RELEASE:=1
 +PKG_MAINTAINER:=Dirk Chang <dirk@kooiot.com>
 +PKG_LICENSE:=MIT
 +
 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 +PKG_MIRROR_HASH:=b6ef5e3f04b7f2137b39931a175ee802489a2486e70537770919bcccca10e723
 +PKG_SOURCE_URL:=https://github.com/LuaDist/lzlib.git
 +PKG_SOURCE_PROTO:=git
 +PKG_SOURCE_VERSION:=79329a07d8f79c19eadd7ea2752b4c4e1574b015
 +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 +
 +HOST_BUILD_DEPENDS:=lua/host
 +
 +include $(INCLUDE_DIR)/package.mk
 +include $(INCLUDE_DIR)/host-build.mk
 +
 +define Package/lua-lzlib
 +  SUBMENU:=Lua
 +  SECTION:=lang
 +  CATEGORY:=Languages
 +  TITLE:=Lua zlib binding
 +  URL:=http://github.com/LuaDist/lzlib
 +  DEPENDS:= +lua +zlib
 +endef
 +
 +define Package/lua-lzlib/description
 +	A library to access zlib library functions and also to read/write gzip files using an interface similar to the base io package. 
 +endef
 +
 +MAKE_FLAGS += \
 +	LUA="$(STAGING_DIR)/usr" \
 +	OFLAGS="$(TARGET_CFLAGS)" \
 +
 +HOST_MAKE_FLAGS += \
 +	LUA="$(STAGING_DIR_HOSTPKG)" \
 +	OFLAGS="$(HOST_CFLAGS)" \
 +
 +define Package/lua-lzlib/install
 +	$(INSTALL_DIR) $(1)/usr/lib/lua
 +	$(INSTALL_BIN) $(PKG_BUILD_DIR)/zlib.so $(1)/usr/lib/lua/
 +
 +	$(INSTALL_DATA) $(PKG_BUILD_DIR)/gzip.lua $(1)/usr/lib/lua/
 +endef
 +
 +define Host/Install
 +	$(INSTALL_DIR) $(STAGING_DIR_HOSTPKG)/lib/lua/5.1
 +	$(INSTALL_BIN) $(HOST_BUILD_DIR)/zlib.so $(STAGING_DIR_HOSTPKG)/lib/lua/5.1
 +
 +	$(INSTALL_DATA) $(HOST_BUILD_DIR)/gzip.lua $(STAGING_DIR_HOSTPKG)/lib/lua/5.1
 +endef
 +
 +$(eval $(call BuildPackage,lua-lzlib))
 +$(eval $(call HostBuild))
 diff --git a/package/libs/lua-lzlib/patches/001-allow_optim_flags.patch b/package/libs/lua-lzlib/patches/001-allow_optim_flags.patch
 new file mode 100644
 index 0000000000..78f981d237
 --- /dev/null
 +++ b/package/libs/lua-lzlib/patches/001-allow_optim_flags.patch
@@ -0,0 +1,12 @@
 +--- a/Makefile
 ++++ b/Makefile
 +@@ -14,7 +14,8 @@ LUABIN= $(LUA)/bin
 + ZLIB=../zlib-1.2.3
 + 
 + # no need to change anything below here
 +-CFLAGS= $(INCS) $(DEFS) $(WARN) -O0 -fPIC
 ++CFLAGS= $(INCS) $(DEFS) $(WARN) $(OFLAGS) -fPIC
 ++OFLAGS= -O0
 + WARN= -g -Werror -Wall -pedantic #-ansi
 + INCS= -I$(LUAINC) -I$(ZLIB)
 + LIBS= -L$(ZLIB) -lz -L$(LUALIB) -L$(LUABIN) #-llua51
 -- 
 2.25.1
--- a/backports/0107-lua-make-it-easier-to-detect-host-built-Lua.patch
+++ b/backports/0107-lua-make-it-easier-to-detect-host-built-Lua.patch
@@ -0,0 +1,35 @@
 From 5c8a575ec759105e63a3aad033289d124516ec69 Mon Sep 17 00:00:00 2001
 From: Daniel Golle <daniel@makrotopia.org>
 Date: Sat, 10 Jul 2021 20:21:26 +0100
 Subject: [PATCH 107/146] lua: make it easier to detect host-built Lua
 Install pkg-config file also for host-build, clean up Lua symlinks.
 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 (cherry picked from commit 315f52e0f3bfa3d65ad14ca21a696c6d31c4edcd)
 ---
 package/utils/lua/Makefile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/package/utils/lua/Makefile b/package/utils/lua/Makefile
 index a54ef7d25a..be18880cb1 100644
 --- a/package/utils/lua/Makefile
 +++ b/package/utils/lua/Makefile
@@ -134,8 +134,12 @@ define Host/Install
 		INSTALL_TOP="$(STAGING_DIR_HOSTPKG)" \
 		install
 -	$(LN) $(STAGING_DIR_HOSTPKG)/bin/lua5.1 $(STAGING_DIR_HOSTPKG)/bin/lua
 -	$(LN) $(STAGING_DIR_HOSTPKG)/bin/luac5.1 $(STAGING_DIR_HOSTPKG)/bin/luac
 +	$(INSTALL_DIR) $(STAGING_DIR_HOSTPKG)/lib/pkgconfig
 +	$(CP) $(HOST_BUILD_DIR)/etc/lua.pc $(STAGING_DIR_HOSTPKG)/lib/pkgconfig/lua5.1.pc
 +
 +	$(LN) lua5.1 $(STAGING_DIR_HOSTPKG)/bin/lua
 +	$(LN) luac5.1 $(STAGING_DIR_HOSTPKG)/bin/luac
 +	$(LN) lua5.1.pc $(STAGING_DIR_HOSTPKG)/lib/pkgconfig/lua.pc
 endef
 define Build/InstallDev
 -- 
 2.25.1
--- a/config.yml
+++ b/config.yml
@@ -1,7 +1,8 @@
 repo:  https://github.com/openwrt/openwrt.git
-branch: openwrt-24.10
+branch: openwrt-21.02
-revision: v24.10.3
+revision: 6fd65c657351908302b37447675ee352ec927d93
 output_dir: ./output
 patch_folders:
-  - patches-24.10
+  - backports/
  - patches/
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -3,7 +3,7 @@ FROM ubuntu:20.04
 RUN apt-get update \
    && DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata \
    && apt-get install -y \
-            time git-core build-essential gcc-multilib clang \
+            time git-core build-essential gcc-multilib \
            libncurses5-dev zlib1g-dev gawk flex gettext wget unzip python \
            python3 python3-pip python3-yaml libssl-dev rsync \
    && apt-get clean
--- a/feeds/bluetooth/bluetooth-6lowpand/Makefile
+++ b/feeds/bluetooth/bluetooth-6lowpand/Makefile
@@ -0,0 +1,53 @@
 #
 # Copyright (C) 2016 Nordic Semiconductor ASA.
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=bluetooth-6lowpand
 PKG_VERSION:=0.0.1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_URL:=https://github.com/NordicSemiconductor/Linux-ble-6lowpan-joiner.git
 PKG_SOURCE_VERSION:=5ce5b248846a6d4ac4a609eb0e8d023cf920b247
 PKG_SOURCE_PROTO:=git
 BLUEZ_DIR:=$(wildcard $(BUILD_DIR)/bluez-*)
 TARGET_CFLAGS += -I$(BLUEZ_DIR)
 TARGET_LDFLAGS += -L$(BLUEZ_DIR)/lib/.libs/ -L$(BLUEZ_DIR)/src/.libs/ -lshared-mainloop -lbluetooth-internal
 include $(INCLUDE_DIR)/package.mk
 define Package/bluetooth-6lowpand
  SECTION:=base
  CATEGORY:=Network
  TITLE:=Bluetooth LE 6lowpan joiner daemon
  URL:=http://www.nordicsemi.com/
  DEPENDS:=+libusb-1.0 +bluez-libs
 endef
 define Package/bluetooth-6lowpand/description
  Bluetooth Low Energy IPSP device scanner and connection daemon. 
  The Daemon can be used to whitelist certain IPSP Bluetooth LE MAC
  addresses, or autoconnect using SSID and Key derived from Wifi AP 
  setup to authenticate the devices in order to connect. Also, manual 
  configuration of software SSID and Key can be used.
 endef
 define Package/bluetooth-6lowpand/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/bluetooth_6lowpand.init $(1)/etc/init.d/bluetooth_6lowpand
 	$(INSTALL_DIR) $(1)/etc/bluetooth
 	$(INSTALL_DATA) ./files/bluetooth_6lowpand.conf $(1)/etc/bluetooth
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/bluetooth_6lowpand $(1)/usr/sbin
 endef
 $(eval $(call BuildPackage,bluetooth-6lowpand))
--- a/feeds/mediatek-sdk/mediatek/files/drivers/mtd/nmbm/nmbm-debug.inl
+++ b/feeds/mediatek-sdk/mediatek/files/drivers/mtd/nmbm/nmbm-debug.inl
--- a/feeds/bluetooth/bluetooth-6lowpand/files/bluetooth_6lowpand.init
+++ b/feeds/bluetooth/bluetooth-6lowpand/files/bluetooth_6lowpand.init
@@ -0,0 +1,24 @@
 #!/bin/sh /etc/rc.common
 START=63
 PROG=/usr/sbin/bluetooth_6lowpand
 HCICONFIG=/usr/bin/hciconfig
 start() {
 	config_load btle
 	config_get enable bluetooth_6lowpand enable 0
 	[ "$enable" -eq 1 ] || return
 	echo "start bluetooth_6lowpand"
 	sleep 1
 	echo 1 > /sys/kernel/debug/bluetooth/6lowpan_enable
 	sleep 1
 	killall bluetoothd
 	sleep 1
 	$HCICONFIG hci0 reset
 	$PROG -w 3 -t 5 -a -d
 }
 stop() {
 	echo "stop bluetooth_6lowpand"
 	killall -9 bluetooth_6lowpand
 }
--- a/feeds/bluetooth/bluez-ibeacon/Makefile
+++ b/feeds/bluetooth/bluez-ibeacon/Makefile
@@ -0,0 +1,33 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=bluez-ibeacon
 PKG_RELEASE:=1
 PKG_SOURCE_URL=https://github.com/blogic/bluez-ibeacon
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2022-10-31
 PKG_SOURCE_VERSION:=07c082bf3e139ce061ff62a42b7876860256f4ea
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=MIT
 include $(INCLUDE_DIR)/package.mk
 define Package/bluez-ibeacon
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=bluez-ibeacon
  DEPENDS:=+bluez-libs
 endef
 define Build/Compile
 	$(MAKE_VARS) $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/bluez-beacon $(MAKE_FLAGS)
 endef
 define Package/bluez-ibeacon/install
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/bluez-beacon/ibeacon $(1)/usr/sbin/
 	$(INSTALL_BIN) ./files/ibeacon $(1)/etc/init.d/ibeacon
 endef
 $(eval $(call BuildPackage,bluez-ibeacon))
--- a/feeds/bluetooth/bluez-ibeacon/files/ibeacon
+++ b/feeds/bluetooth/bluez-ibeacon/files/ibeacon
@@ -0,0 +1,25 @@
 #!/bin/sh /etc/rc.common
 START=80
 USE_PROCD=1
 PROG=/usr/sbin/ibeacon
 service_triggers() {
 	procd_add_reload_trigger btle
 }
 start_service() {
 	config_load btle
 	config_get enable ibeacon enable 0
 	config_get uuid ibeacon uuid 0
 	config_get major ibeacon major 0
 	config_get minor ibeacon minor 0
 	[ "$enable" -eq 1 ] || return
 	procd_open_instance
 	procd_set_param command "$PROG" 200 "${uuid}" "${major}" "${minor}" -29
 	procd_set_param respawn
 	procd_close_instance
 }
--- a/feeds/bluetooth/ubtled/Makefile
+++ b/feeds/bluetooth/ubtled/Makefile
@@ -0,0 +1,32 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=ubtled
 PKG_RELEASE:=1
 PKG_SOURCE_URL=https://github.com/blogic/ubtled.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2022-10-31
 PKG_SOURCE_VERSION:=7e01ab86c562fc8ab3777d04e60b8dce596a4c5f
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=GPL-2.0
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 define Package/ubtled
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=OpenWrt BTLE daemon
  DEPENDS:=+libubox +libubus +bluez-libs
 endef
 define Package/ubtled/install
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/{config,init.d,uci-defaults}
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ubtled $(1)/usr/sbin/
 	$(INSTALL_BIN) ./files/ubtled.init $(1)/etc/init.d/ubtled
 	$(INSTALL_DATA) ./files/btle.config $(1)/etc/config/btle
 	$(INSTALL_DATA) ./files/99-btle $(1)/etc/uci-defaults/
 endef
 $(eval $(call BuildPackage,ubtled))
--- a/feeds/bluetooth/ubtled/files/99-btle
+++ b/feeds/bluetooth/ubtled/files/99-btle
@@ -0,0 +1,8 @@
 #!/bin/sh
 cat >> /etc/bluetooth/main.conf <<EOF
 [General]
 Name = TIP AP
 [GATT]
 [Policy]
 EOF
--- a/feeds/bluetooth/ubtled/files/btle.config
+++ b/feeds/bluetooth/ubtled/files/btle.config
@@ -0,0 +1,11 @@
 config ubtled ubtled
 	option enable		0
 config bluetooth_6lowpand bluetooth_6lowpand
 	option enable		0
 config ubtled ibeacon
 	option enable		0
 	option uuid		0
 	option major		0
 	option minor		0
--- a/feeds/bluetooth/ubtled/files/ubtled.init
+++ b/feeds/bluetooth/ubtled/files/ubtled.init
@@ -0,0 +1,24 @@
 #!/bin/sh /etc/rc.common
 START=80
 USE_PROCD=1
 PROG=/usr/sbin/ubtled
 service_triggers() {
 	procd_add_reload_trigger btle
 }
 start_service() {
 	config_load btle
 	config_get enable ubtled enable 0
 	[ "$enable" -eq 1 ] || return
 	hciconfig hci0 up
 	procd_open_instance
 	procd_set_param command "$PROG"
 	procd_set_param respawn
 	procd_close_instance
 }
--- a/feeds/facebook/fbwifi/Makefile
+++ b/feeds/facebook/fbwifi/Makefile
@@ -0,0 +1,56 @@
 # Copyright (c) Facebook, Inc. and its affiliates.
 # All rights reserved.
 #
 # This source code is licensed under the license found in the
 # LICENSE file in the root directory of this source tree.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fbwifi
 PKG_VERSION:=2
 PKG_RELEASE:=0
 PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=Simon Kinane <skinane@fb.com>
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
 include $(INCLUDE_DIR)/package.mk
 define Package/fbwifi
  SUBMENU:=Captive Portals
  SECTION:=net
  CATEGORY:=Network
  DEPENDS:=+iptables +luasec +luasocket \
 	+luci-base +libuci-lua +luaposix \
 	+luci-mod-network +luci-mod-status +luci-theme-bootstrap \
 	+lua-cjson +uhttpd
  TITLE:=Facebook Wi-Fi
  PKGARCH:=all
 endef
 define Package/fbwifi/description
  Facebook Wi-Fi, an AP authorisation solution
 endef
 define Package/fbwifi/conffiles
 /etc/config/fbwifi
 endef
 define Build/Prepare
 endef
 define Build/Configure
 endef
 define Build/Compile
 endef
 define Package/fbwifi/install
 	$(INSTALL_DIR) $(1)
 	$(CP) ./files/* $(1)/
 endef
 $(eval $(call BuildPackage,fbwifi))
--- a/feeds/facebook/fbwifi/README.md
+++ b/feeds/facebook/fbwifi/README.md
@@ -0,0 +1,55 @@
 # Facebook Wi-Fi v2.0 Reference Implementation for OpenWrt 
 ## Getting started
 Case studies for OEM customers are available at the official page of [Facebook Wi-Fi](https://www.facebook.com/facebook-wifi).
 For OEM engineers, start by reading the init script in [files/etc/init.d/fbwifi](https://github.com/facebookincubator/fbc_owrt_feed/blob/master/fbwifi/files/etc/init.d/fbwifi)
 ## Contents
 The 'files' subdirectory contains all the configuration, script and code 
 that implements the Facebook Wi-Fi v2.0 standard for OpenWrt.
 The folder structure follows *nix conventions :
 - 'etc' is the boot time scripts and configuration
 - 'usr' contains procedural scripts, lua common code module and GUI prototype for luci
 - 'www' contains the HTTP endpoints as CGI handlers 
 ```
 files/
 ├── etc
 │   ├── config
 │   │   └── fbwifi
 │   ├── hotplug.d
 │   │   └── iface
 │   │       └── 50-fbwifi
 │   ├── init.d
 │   │   └── fbwifi
 ├── usr
 │   ├── lib
 │   │   └── lua
 │   │       ├── fbwifi.lua
 │   │       └── luci
 │   │           ├── controller
 │   │           │   └── fbwifi.lua
 │   │           └── view
 │   │               └── fbwifi.htm
 │   ├── sbin
 │   │   ├── fbwifi
 │   │   ├── fbwifi_debug_dump
 │   │   ├── fbwifi_gateway_info_update
 │   │   ├── fbwifi_get_config
 │   │   └── fbwifi_validate_token_db
 │   └── share
 │       └── fbwifi
 │           ├── firewall.include
 │           └── uhttpd.json
 └── www
    └── cgi-bin
        └── fbwifi
            └── v2.0
                ├── auth
                ├── capport
                └── info
 ```
--- a/feeds/facebook/fbwifi/files/etc/config/fbwifi
+++ b/feeds/facebook/fbwifi/files/etc/config/fbwifi
@@ -0,0 +1,6 @@
 config fbwifi 'main'
 	option enabled '0'
 	option gateway_token 'FBWIFI:GATEWAY|123456789|0123456789|abcdeABCDE123456789'
 	option http_port '2060'
 	option https_port '2061'
 	option zone 'lan'
--- a/feeds/facebook/fbwifi/files/etc/hotplug.d/iface/50-fbwifi
+++ b/feeds/facebook/fbwifi/files/etc/hotplug.d/iface/50-fbwifi
@@ -0,0 +1,10 @@
 #!/bin/sh
 [ "$ACTION" = ifup ] || exit 0
 /etc/init.d/fbwifi enabled || exit 0
 ip route get fibmatch 1.1.1.1 | grep -q "$DEVICE" || exit 0
 logger -t fbwifi "Reloading fbwifi due to $ACTION of $INTERFACE ($DEVICE)"
 /etc/init.d/fbwifi restart
--- a/feeds/facebook/fbwifi/files/etc/init.d/fbwifi
+++ b/feeds/facebook/fbwifi/files/etc/init.d/fbwifi
@@ -0,0 +1,43 @@
 #!/bin/sh /etc/rc.common
 START=90
 USE_PROCD=1
 reload_service() {
 	restart
 }
 service_triggers() {
 	procd_add_reload_trigger fbwifi
 }
 start_service() {
 	config_load fbwifi
 	config_get_bool enabled 'main' 'enabled' '0'
 	[ "$enabled" -eq 0 ] && return
 	config_get http_port main http_port
 	[ -z "$http_port" ] && {
 		logger -t fbwifi "required option http_port not set"
 		exit 1
 	}
 	config_get https_port main https_port
 	[ -z "$https_port" ] && {
 		logger -t fbwifi "required option https_port not set"
 		exit 1
 	}
 	logger "[fbwifi] Enabled; starting"
 	mkdir -p /tmp/fbwifi
 	/usr/sbin/fbwifi reload
 	procd_open_instance
 	procd_set_param command /usr/sbin/fbwifi_validate_token_db
 	procd_set_param respawn 1 300 0
 	procd_close_instance
 }
--- a/feeds/facebook/fbwifi/files/usr/lib/lua/fbwifi.lua
+++ b/feeds/facebook/fbwifi/files/usr/lib/lua/fbwifi.lua
@@ -0,0 +1,153 @@
 -- FBWIFI Lua library
 -- function table
 local fbwifi = {}
 local http = require("ssl.https")
 local json = require("cjson")
 local log = require("posix.syslog")
 local uci = require("uci")
 function fbwifi.gateway_token()
 	state = uci.cursor(nil, "/var/state")
 	token = state:get("fbwifi", "main", "gateway_token")
 	if token and string.len(token) > 0 then
 		return token
 	else
 		log.syslog( log.LOG_WARNING, "[fbwifi] UCI option fbwifi.main.gateway_token is missing" )
 		return nil
 	end 
 end
 function fbwifi.validate_token( token )
 	local valid = false
 	if string.len(token or '' ) > 0 then
 	        GATEWAY_TOKEN = fbwifi.gateway_token()
 	        URL="https://api.fbwifi.com/v2.0/token"
 	        BODY="token="..token
 	        body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
 	        if code==200 then
 	                valid = true
 	        else
 	                log.syslog(log.LOG_WARNING, "[fbwifi] validate_token:"..body)
 	        end
 	end
 	return valid
 end
 local mac_to_purge=''
 function remove_client_by_mac(client)
 	state = uci.cursor(nil, "/var/state")
 	for key, value in pairs(client) do
 		if
 			key == 'mac' and
 			value == mac_to_purge
 		then
 			log.syslog(log.LOG_INFO, string.format("[fbwifi] Purging DB entry %s for MAC %s", client['.name'] or 'unknown', mac_to_purge) )
 			state:delete("fbwifi", client['.name'])
 			return
 		end
 	end
 end
 function fbwifi.instate_client_rule( token, client_mac )
 	log.syslog(log.LOG_INFO, "[fbwifi] Validating client "..client_mac)
 	state = uci.cursor(nil, "/var/state")
 	state_name = "token_" .. token
 	RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
 	RULE_FMT="iptables -w -t mangle -%s FBWIFI_CLIENT_TO_INTERNET -m mac --mac-source \"%s\" -j MARK --set-mark 0xfb"
 	local RULE
 	log.syslog(log.LOG_INFO, string.format("[fbwifi] Cleaning DB for MAC %s", client_mac) )
 	mac_to_purge = client_mac
 	state:foreach("fbwifi", "client", remove_client_by_mac)
 	log.syslog(log.LOG_INFO, string.format("[fbwifi] Adding DB entry %s for MAC %s", state_name, client_mac) )
 	state:set("fbwifi", state_name, "client")
 	state:set("fbwifi", state_name, "token", token)
 	state:set("fbwifi", state_name, "mac", client_mac)
 	state:set("fbwifi", state_name, "authenticated", "true")
 	-- verify a rule exists for the given client MAC, 
 	--   OR install it
 	RULE=string.format(RULE_COND.." || "..RULE_FMT, client_mac, "A", client_mac)
 	log.syslog(log.LOG_INFO, string.format( "[fbwifi] Opening iptables for %s", client_mac ) )
 	res = os.execute(RULE)
 	if res ~= 0 then 
 		log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
 	end
 	log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
 	state:save('fbwifi')
 end
 function fbwifi.revoke_client_rule( token )
        if (token == nil) then
                log.syslog(log.LOG_INFO, "[fbwifi] Invalidating token, but token is Nil")
                return
        end
 	log.syslog(log.LOG_INFO, string.format( "[fbwifi] Invalidating token (%s)", token) )
 	state = uci.cursor(nil, "/var/state")
 	state_name = "token_" .. token
 	client_mac = state:get("fbwifi", state_name, "mac")
 	if client_mac then
 		RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
 		RULE_FMT="iptables -w -t mangle -%s FBWIFI_CLIENT_TO_INTERNET -m mac --mac-source \"%s\" -j MARK --set-mark 0xfb"
 		-- verify a rule exists for the given client MAC, 
 		--  AND delete it
 		RULE=string.format(RULE_COND.." && "..RULE_FMT, client_mac, "D", client_mac)
 		res = os.execute(RULE)
 		if res ~= 0 then 
 			log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
 		end
 		log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
 		state:delete("fbwifi", state_name)
 		state:save('fbwifi')
 	else
 		log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Client MAC not found in DB (%s)", state_name ) )
 	end
 end
 function fbwifi.reset()
 	local success = false
        GATEWAY_TOKEN = fbwifi.gateway_token()
        URL="https://api.fbwifi.com/v2.0/gateway/reset"
 	BODY="{}"
        body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
        if code==200 then
                log.syslog(log.LOG_INFO, "[fbwifi] Reset committed")
                success = true
        else
                log.syslog(log.LOG_WARNING, "[fbwifi] Reset failed : "..body)
        end
 	return success
 end
 --
 -- Return the function table to the host script
 --
 return fbwifi
--- a/feeds/facebook/fbwifi/files/usr/lib/lua/luci/controller/fbwifi.lua
+++ b/feeds/facebook/fbwifi/files/usr/lib/lua/luci/controller/fbwifi.lua
@@ -0,0 +1,12 @@
 -- Copyright 
 -- Licensed to the public under the GNU General Public License v2.
 module("luci.controller.fbwifi", package.seeall)
 sys = require "luci.sys"
 ut = require "luci.util"
 function index()
    entry({"admin", "network", "fbwifi"}, template("fbwifi"), "Facebook Wi-Fi", 90).dependent=false
 end
--- a/feeds/facebook/fbwifi/files/usr/lib/lua/luci/view/fbwifi.htm
+++ b/feeds/facebook/fbwifi/files/usr/lib/lua/luci/view/fbwifi.htm
@@ -0,0 +1,16 @@
 <%#
 Copyright
 Licensed to the public under the GNU General Public License v2.
 -%>
 <%+header%>
 <h1>Facebook Wi-Fi</h1>
 <%
 	require("uci")
 	state = uci.cursor(nil, "/var/state")
 	url = state:get("fbwifi", "main", "captive_portal_config_url")
 %>
 <a href="<% print(url) %>">Configure FB business page</a>
 <%+footer%>
--- a/feeds/facebook/fbwifi/files/usr/sbin/fbwifi
+++ b/feeds/facebook/fbwifi/files/usr/sbin/fbwifi
@@ -0,0 +1,57 @@
 #!/bin/sh
 case "$1" in
 disable)
 	uci set fbwifi.main.enabled=0
 	uci delete firewall.fbwifi
 	uci delete uhttpd.fbwifi_redirect
 	uci delete uhttpd.main.json_script
 	uci set uhttpd.main.cert='/etc/uhttpd.crt'
 	uci set uhttpd.main.key='/etc/uhttpd.key'
 	uci set uhttpd.main.rfc1918_filter=1
 	;;
 enable)
 	uci set fbwifi.main.enabled=1
 	uci set firewall.fbwifi=include
 	uci set firewall.fbwifi.enabled=1
 	uci set firewall.fbwifi.family=ipv4
 	uci set firewall.fbwifi.path=/usr/share/fbwifi/firewall.include
 	uci set firewall.fbwifi.reload=1
 	uci set firewall.fbwifi.type=script
 	uci set uhttpd.fbwifi_redirect=uhttpd
 	uci set uhttpd.fbwifi_redirect.enabled=1
 	uci set uhttpd.fbwifi_redirect.cert='/tmp/fbwifi/https_server_cert'
 	uci set uhttpd.fbwifi_redirect.json_script='/tmp/fbwifi/uhttpd-redirect.json'
 	uci set uhttpd.fbwifi_redirect.key='/tmp/fbwifi/https_server_key'
 	uci set uhttpd.fbwifi_redirect.listen_http='0.0.0.0:2060'
 	uci set uhttpd.fbwifi_redirect.listen_https='0.0.0.0:2061'
 	uci set uhttpd.main.cert='/tmp/fbwifi/https_server_cert'
 	uci set uhttpd.main.json_script='/usr/share/fbwifi/uhttpd.json'
 	uci set uhttpd.main.key='/tmp/fbwifi/https_server_key'
 	uci set uhttpd.main.rfc1918_filter=0
 	;;
 reload)
 	/usr/sbin/fbwifi_get_config
 	login_url=$(uci -p /var/state get fbwifi.main.captive_portal_url)
 	[ -z "$login_url" ] && {
 		logger -t fbwifi "captive_portal_url not available yet"
 		exit 1
 	}
 	printf '{ "request": [ ["redirect", "%s", 302] ] }' "$login_url" > /tmp/fbwifi/uhttpd-redirect.json
 	/etc/init.d/uhttpd restart
 	exit 0
 	;;
 esac
 uci commit
 /etc/init.d/uhttpd restart
 reload_config
--- a/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_debug_dump
+++ b/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_debug_dump
@@ -0,0 +1,8 @@
 echo -e "Runtime configuration and token DB\n"
 uci -p /var/state export fbwifi
 echo -e "\nDynamic firewall flow rules\n"
 iptables -t mangle -L FBWIFI_CLIENT_TO_INTERNET
 echo -e "\nDHCP leases\n"
 cat /tmp/dhcp.leases
--- a/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_gateway_info_update
+++ b/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_gateway_info_update
@@ -0,0 +1,38 @@
 #!/usr/bin/lua
 http = require("ssl.https")
 json = require("cjson")
 log = require("posix.syslog")
 socket = require("socket")
 require("uci")
 fbwifi = require("fbwifi")
 GATEWAY_TOKEN = fbwifi.gateway_token()
 state = uci.cursor(nil, "/var/state")
 payload="name="..socket.dns.gethostname()
 function queue_ssid_update(iface)
 	bssid_file="/sys/class/net/br-"..iface["network"].."/address"
 	local file = io.open(bssid_file)
        if file then
            for line in file:lines() do
 		payload=payload.."&bssid[]="..line
            end
 	    payload=payload.."ssid[]="..iface["ssid"]
        else
 	    log.syslog(log.LOG_WARNING, "[fbwifi] Failed to find BSSID for interface br-"..iface["network"])
        end
 end
 state:foreach("wireless", "wifi-iface", queue_ssid_update)
 URL="https://api.fbwifi.com/v2.0/gateway"
 body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, payload)
 if code == 200 then 
 	log.syslog(log.LOG_INFO, "[fbwifi] gateway information updated "..body)
 	os.exit(0)
 else
 	log.syslog(log.LOG_WARNING, "[fbwifi] gateway API failed "..body)
 	os.exit(code)
 end
--- a/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_get_config
+++ b/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_get_config
@@ -0,0 +1,106 @@
 #!/usr/bin/lua
 http = require("ssl.https")
 json = require("cjson")
 require("uci")
 log = require("posix.syslog")
 fbwifi = require("fbwifi")
 GATEWAY_TOKEN = fbwifi.gateway_token()
 http_port = uci.get("fbwifi.main.http_port")
 https_port = uci.get("fbwifi.main.https_port")
 state = uci.cursor(nil, "/var/state")
 URL="https://api.fbwifi.com/v2.0/gateway"
 body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN.."&fields=config,config_version")
 if code == 200 then
 	log.syslog(log.LOG_INFO, "[fbwifi] Got gateway config ("..code..")")
 else
 	log.syslog(log.LOG_CRIT, "[fbwifi] Failed to get gateway config ("..code..")")
 	os.exit(1)
 end
 obj = json.decode(body)
 function save_cert(name, value)
 	log.syslog(log.LOG_INFO, "[fbwifi] Saving cert "..name)
 	local f = assert(io.open("/tmp/fbwifi/"..name, "w"))
 	f:write(value)
 	f:close()
 end
 function process_redirect(ix, host)
 	IP_SET = "ip addr replace dev lo "..host
 	local result = os.execute(IP_SET)
 	if result == 0 then
 		log.syslog(log.LOG_INFO, "[fbwifi] Redirect address applied "..host)
 	else
 		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to apply redirect address "..host)
 	end
 	ip = string.match(host, '([0-9\.]*)/([0-9]*)')
 	RULE_FMT="grep -q \"%s\" /etc/hosts || echo \"%s\tstar.fbwifigateway.net\" >> /etc/hosts"
 	HOSTS_RULE = string.format(RULE_FMT, ip, ip)
 	result = os.execute(HOSTS_RULE)
 	if result == 0 then
 		log.syslog(log.LOG_INFO, "[fbwifi] Cached redirect host for DNS")
 	else
 		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to amend /etc/hosts")
 		log.syslog(log.LOG_INFO, "[fbwifi] "..HOSTS_RULE)
 	end
 	result = os.execute("iptables -t nat -A FBWIFI_HOST_REDIRLIST -p tcp --dport 80 -d "..ip.." -j ACCEPT # REDIRECT --to-ports "..http_port)
 	--print(result)
 	result = os.execute("iptables -t nat -A FBWIFI_HOST_REDIRLIST -p tcp --dport 443 -d "..ip.."  -j ACCEPT # REDIRECT --to-ports "..https_port)
 	--print(result)
 end
 save_cert("https_server_cert", obj['config']['https_server_cert'])
 save_cert("https_server_key", obj['config']['https_server_key'])
 result = os.execute("iptables -t nat -F FBWIFI_HOST_REDIRLIST")
 --print(result)
 table.foreach(obj['config']['host_redirect_ips'], process_redirect)
 RULE_FORMAT = "iptables -t mangle -A FBWIFI_TRAFFIC_ALLOWLIST -d %s -p %s --dport %s -j MARK --set-mark 0xfb"
 function process_traffic_rule(ix, rule)
 	log.syslog(log.LOG_INFO, "[fbwifi] Traffic rule "..ix)
 	if rule["protocol"] == 6 then
 		PROTO = "tcp"
 	elseif rule["protocol"] == 17 then
 		PROTO = "udp"
 	end
 	RULE = string.format(RULE_FORMAT, rule["ip"], PROTO, rule["port"])
 	local result = os.execute(RULE)
 	if result == 0 then
 		log.syslog(log.LOG_INFO, "[fbwifi] Traffic rule "..ix)
 	else
 		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to install traffic rule ; "..RULE)
 	end
 end
 local cross_origin_list = {}
 function process_cross_origin_rule(ix, url)
 	log.syslog(log.LOG_INFO, "[fbwifi] Cross origin rule "..url)
 	table.insert(cross_origin_list, url)
 end
 function process_url(url_purpose, fqdn)
 	log.syslog(log.LOG_INFO, "[fbwifi] Caching "..url_purpose)
 	state:set("fbwifi", "main", url_purpose, fqdn)	
 end
 state:set("fbwifi", "main", "config")
 result = os.execute("iptables -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST ")
 --print(result)
 table.foreach(obj['config']['traffic_allowlist'], process_traffic_rule)
 table.foreach(obj['config']['cross_origin_allowlist'], process_cross_origin_rule)
 table.foreach(obj['config']['urls'], process_url)
 state:set("fbwifi", "main", "cross_origin_allow_rules", cross_origin_list)
 state:set("fbwifi", "main", "config_version", obj['config_version'])
 state:save('fbwifi')
--- a/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_validate_token_db
+++ b/feeds/facebook/fbwifi/files/usr/sbin/fbwifi_validate_token_db
@@ -0,0 +1,75 @@
 #!/usr/bin/lua
 https = require("ssl.https")
 json = require("cjson")
 log = require("posix.syslog")
 fbwifi = require("fbwifi")
 require("uci")
 state = uci.cursor(nil, "/var/state")
 GATEWAY_TOKEN = fbwifi.gateway_token()
 request = { 
 	tokens = {}, 
 	traffic_type = "total",
 	config_version = state:get("fbwifi", "main", "config_version")
 }
 function queue_token(client)
 	request.tokens[client.token]={
 		incoming = json.null,
 		outgoing = json.null,
 		connected_time_sec = json.null,
 		inactive_time_sec = json.null,
 		signal_rssi_dbm = json.null,
 		--expected_tpus_mbps = json.null,
 		is_connected = true
 	}
 end
 state:foreach("fbwifi", "client", queue_token)
 print( "\nRequest:\n"..json.encode(request) )
 URL="https://api.fbwifi.com/v2.0/tokens"
 BODY=string.format(
 	"tokens=%s&traffic_type=%s&config_version=%s",
 	json.encode(request.tokens),
 	"'total'",
 	state:get("fbwifi", "main", "config_version")
 )
 body, code, headers = https.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
 if code then
 	print( "\nResponse:\n"..body )
 end
 response = json.decode(body)
 --print(response)
 --table.foreach(response,print)
 --table.foreach(response.tokens,print)
 if response.config_valid then
 	log.syslog(log.LOG_INFO, "[fbwifi] Config validated")
 else
 	log.syslog(log.LOG_WARNING, "[fbwifi] config is stale, refreshing config")
        local result = os.execute("/usr/sbin/fbwifi reload")
        if result == 0 then
                log.syslog(log.LOG_INFO, "[fbwifi] successfully fetched and loaded new config ")
        else
                log.syslog(log.LOG_WARNING, "[fbwifi] failed to fetch and load new config, possible stale config")
        end
 end
 function process_token(token, metadata)
 	table.foreach(metadata,print)
 	if metadata.valid then
 		print("OK: "..token)	
 	else
 		print("Nok: "..token)	
 		fbwifi.revoke_client_rule( token )
 	end
 end
 table.foreach(response.tokens,process_token)
--- a/feeds/facebook/fbwifi/files/usr/share/fbwifi/firewall.include
+++ b/feeds/facebook/fbwifi/files/usr/share/fbwifi/firewall.include
@@ -0,0 +1,67 @@
 #!/bin/sh
 IPT4="/usr/sbin/iptables"
 fbwifi_http_port="$(uci get fbwifi.main.http_port)"
 [ -n "$fbwifi_http_port" ] || {
 	logger -t fbwifi "required option http_port not set"
 	exit 1
 }
 fbwifi_https_port="$(uci get fbwifi.main.https_port)"
 [ -n "$fbwifi_https_port" ] || {
 	logger -t fbwifi "required option https_port not set"
 	exit 1
 }
 fbwifi_zone="$(uci get fbwifi.main.zone)"
 [ -n "$fbwifi_zone" ] || {
 	logger -t fbwifi "required option zone  not set"
 	exit 1
 }
 fbwifi_ifaces="$(fw3 -q zone "$fbwifi_zone")"
 ## Create custom chains
 $IPT4 -t filter -N FBWIFI_FORWARD 2>/dev/null
 $IPT4 -t filter -N FBWIFI_INPUT 2>/dev/null
 $IPT4 -t mangle -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
 $IPT4 -t mangle -N FBWIFI_PREROUTING 2>/dev/null
 $IPT4 -t mangle -N FBWIFI_TRAFFIC_ALLOWLIST 2>/dev/null
 $IPT4 -t nat -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
 $IPT4 -t nat -N FBWIFI_PREROUTING 2>/dev/null
 $IPT4 -t nat -N FBWIFI_HOST_REDIRLIST 2>/dev/null
 ## Flush custom chains
 $IPT4 -t filter -F FBWIFI_FORWARD
 $IPT4 -t filter -F FBWIFI_INPUT
 $IPT4 -t mangle -F FBWIFI_CLIENT_TO_INTERNET
 $IPT4 -t mangle -F FBWIFI_PREROUTING
 $IPT4 -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST
 $IPT4 -t nat -F FBWIFI_CLIENT_TO_INTERNET
 $IPT4 -t nat -F FBWIFI_PREROUTING
 $IPT4 -t nat -F FBWIFI_HOST_REDIRLIST
 ## Populate custom chains
 $IPT4 -t filter -A FBWIFI_FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
 $IPT4 -t filter -A FBWIFI_FORWARD -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
 $IPT4 -t filter -A FBWIFI_FORWARD -j REJECT
 $IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_http_port" -m conntrack --ctstate NEW -j ACCEPT
 $IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_https_port"  -m conntrack --ctstate NEW -j ACCEPT
 $IPT4 -t mangle -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
 $IPT4 -t mangle -A FBWIFI_PREROUTING -j FBWIFI_TRAFFIC_ALLOWLIST
 $IPT4 -t nat -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
 $IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
 $IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
 $IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
 $IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
 $IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j REDIRECT --to-ports "$fbwifi_http_port"
 ## Hook custom chains in firewall3 chains
 $IPT4 -t filter -I "zone_${fbwifi_zone}_input" 2 -j FBWIFI_INPUT
 $IPT4 -t filter -I "zone_${fbwifi_zone}_forward" 2 -j FBWIFI_FORWARD
 $IPT4 -t nat -I "zone_${fbwifi_zone}_prerouting" 2 -j FBWIFI_PREROUTING
 # There are no firewall3 zone chains in the mangle table so we need to do this for all interfaces in the zone
 for iface in $fbwifi_ifaces; do
 	$IPT4 -t mangle -I PREROUTING -i "$iface" -j FBWIFI_PREROUTING
 done
--- a/feeds/facebook/fbwifi/files/usr/share/fbwifi/uhttpd.json
+++ b/feeds/facebook/fbwifi/files/usr/share/fbwifi/uhttpd.json
@@ -0,0 +1,8 @@
 {
  "request": [
    [ "if",
      [ "regex", "REQUEST_URI", "^/fbwifi" ],
      [ "rewrite", "/cgi-bin%REQUEST_URI%" ]
    ]
  ]
 }
--- a/feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/auth
+++ b/feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/auth
@@ -0,0 +1,69 @@
 #!/usr/bin/lua
 require("uci")
 log = require("posix.syslog")
 fbwifi = require("fbwifi")
 state = uci.cursor(nil, "/var/state")
 function process_cors()
 	origin = os.getenv("HTTP_ORIGIN")
 	log.syslog(log.LOG_INFO, string.format("[fbwifi] [auth] process_cors origin %s", origin or 'not found') )
 	if string.len(origin or '') > 0 then
 		allow_list = state:get("fbwifi", "main", "cross_origin_allow_rules")
 		for _, value in pairs(allow_list) do
    			if value == origin then
 				log.syslog(log.LOG_INFO, "[fbwifi] [auth] process_cors Appending CORS Headers to HTTP")
 				print("Access-Control-Allow-Origin: "..origin)
 				print("Vary: Origin")
 				break
 			end
 		end
 	else	
 		log.syslog(log.LOG_INFO, "[fbwifi] [auth] process_cors No CORS Headers added to Response")
 	end
 end
 method = os.getenv("REQUEST_METHOD")
 if method == 'GET' then
 	log.syslog(log.LOG_INFO, "[fbwifi] [auth] GET handler")
 	print("Status: 302")
 	print("Location: "..state:get("fbwifi", "main", "landing_page_url"))
 	process_cors()
 	print ('\n')
 elseif method == 'POST' then
 	local token
 	log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler")
 	process_cors()
 	print("Status: 200")
 	form_data=io.read()
 	while form_data do
 		token = string.match(form_data, '[%d]+')
 		if string.len(token or '') > 14 then
 			client = os.getenv("REMOTE_ADDR")
 			f = io.popen("awk '/"..client.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
 			client_mac = assert(f:read('*a'))
 			if fbwifi.validate_token(token) then
                                log.syslog(log.LOG_INFO, string.format( "[fbwifi] [auth] POST handler : Validating Token (%s) for MAC (%s)", token or 'nil', client_mac or 'nil') )
 				fbwifi.instate_client_rule(token, client_mac)
 				print("\n{\"valid\":true}\n")
 			else
                                log.syslog(log.LOG_WARNING, string.format( "[fbwifi] [auth] POST handler : ! Invalid token (%s) for mac (%s) !", token or 'nil', client_mac or 'nil') )
 				fbwifi.revoke_client_rule(token)
 				print("\n{\"valid\":false}\n")
 			end
 			log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler completed")
 			return
 		end
 		form_data=io.read()
 	end
 	print ('\n')
 	log.syslog(log.LOG_WARNING, string.format("[fbwifi] [auth] POST handler : token not found" ))
 	fbwifi.revoke_client_rule(token)
 	print("\n{\"valid\":false}\n")
 end
--- a/feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/capport
+++ b/feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/capport
@@ -0,0 +1,41 @@
 #!/usr/bin/lua
 json = require("cjson")
 require("uci")
 state = uci.cursor(nil, "/var/state")
 client_mac = ""
 token = ""
 response = {}
 response['venue-info-url'] = state:get("fbwifi", "main", "capport_venue_info_url")
 function map_remote_mac_to_token(client)
        for key, value in pairs(client) do
                if
                        key == 'mac' and
                        value == client_mac
                then
 			token = client.token
                        return false
                end
        end
 end
 function hasValidToken(client_ip)
 	f = io.popen("awk '/"..client_ip.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
 	client_mac = assert(f:read('*a'))
 	state:foreach("fbwifi", "client", map_remote_mac_to_token)
 	return 0 < string.len(token)
 end
 print("Content-type: application/captive+json; charset=utf-8\n")
 client = os.getenv("REMOTE_ADDR")
 response['captive'] = not hasValidToken(client)
 if response['captive'] then
 	response['user-portal-url'] = state:get("fbwifi", "main", "captive_portal_url")
 end
 print( json.encode(response) )
--- a/feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/info
+++ b/feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/info
@@ -0,0 +1,58 @@
 #!/usr/bin/lua
 require "luci.cacheloader"
 require "luci.sgi.cgi"
 json = require("cjson")
 fbwifi = require("fbwifi")
 state = uci.cursor(nil, "/var/state")
 GATEWAY_TOKEN = fbwifi.gateway_token()
 response = { api_version = "2.0", token = json.null }
 client_mac = ""
 function process_cors()
        origin = os.getenv("HTTP_ORIGIN")
        if string.len(origin or '') > 0 then
                allow_list = state:get("fbwifi", "main", "cross_origin_allow_rules")
                for _, value in pairs(allow_list) do
                        if value == origin then
                                print("Access-Control-Allow-Origin: "..origin)
                                print("Vary: Origin")
                                break
                        end
                end
        end
 end
 function map_remote_mac_to_token(client)
 	for key, value in pairs(client) do
 		if
 			key == 'mac' and
 			value == client_mac
 		then
 			response.token = client.token
 			return false -- escape outer loop
 		end
 	end
 end
 function getClientToken(client_ip)
 	f = io.popen("awk '/"..client_ip.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
 	client_mac = assert(f:read('*a'))
 	state:foreach("fbwifi", "client", map_remote_mac_to_token)
 end
 function getGatewayId()
 	id = string.match(GATEWAY_TOKEN, 'FBWIFI:GATEWAY|[0-9]*|([0-9]*)')
 	return id
 end
 process_cors()
 print("Content-type: application/json; charset=utf-8\n")
 getClientToken(os.getenv("REMOTE_ADDR"))
 response.gateway_id = getGatewayId()
 print( json.encode(response) )
--- a/feeds/hostapd/hostapd/Config.in
+++ b/feeds/hostapd/hostapd/Config.in
@@ -1,108 +0,0 @@
 # wpa_supplicant config
 config WPA_RFKILL_SUPPORT
 	bool "Add rfkill support"
 	depends on PACKAGE_wpa-supplicant || \
 		   PACKAGE_wpa-supplicant-openssl || \
 		   PACKAGE_wpa-supplicant-wolfssl || \
 		   PACKAGE_wpa-supplicant-mbedtls || \
 		   PACKAGE_wpa-supplicant-mesh-openssl || \
 		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
 		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
 		   PACKAGE_wpa-supplicant-basic || \
 		   PACKAGE_wpa-supplicant-mini || \
 		   PACKAGE_wpa-supplicant-p2p || \
 		   PACKAGE_wpad || \
 		   PACKAGE_wpad-openssl || \
 		   PACKAGE_wpad-wolfssl || \
 		   PACKAGE_wpad-mbedtls || \
 		   PACKAGE_wpad-basic || \
 		   PACKAGE_wpad-basic-openssl || \
 		   PACKAGE_wpad-basic-wolfssl || \
 		   PACKAGE_wpad-basic-mbedtls || \
 		   PACKAGE_wpad-mini || \
 		   PACKAGE_wpad-mesh-openssl || \
 		   PACKAGE_wpad-mesh-wolfssl || \
 		   PACKAGE_wpad-mesh-mbedtls
 	default n
 config WPA_MSG_MIN_PRIORITY
 	int "Minimum debug message priority"
 	depends on PACKAGE_wpa-supplicant || \
 		   PACKAGE_wpa-supplicant-openssl || \
 		   PACKAGE_wpa-supplicant-wolfssl || \
 		   PACKAGE_wpa-supplicant-mbedtls || \
 		   PACKAGE_wpa-supplicant-mesh-openssl || \
 		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
 		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
 		   PACKAGE_wpa-supplicant-basic || \
 		   PACKAGE_wpa-supplicant-mini || \
 		   PACKAGE_wpa-supplicant-p2p || \
 		   PACKAGE_wpad || \
 		   PACKAGE_wpad-openssl || \
 		   PACKAGE_wpad-wolfssl || \
 		   PACKAGE_wpad-mbedtls || \
 		   PACKAGE_wpad-basic || \
 		   PACKAGE_wpad-basic-openssl || \
 		   PACKAGE_wpad-basic-wolfssl || \
 		   PACKAGE_wpad-basic-mbedtls || \
 		   PACKAGE_wpad-mini || \
 		   PACKAGE_wpad-mesh-openssl || \
 		   PACKAGE_wpad-mesh-wolfssl || \
 		   PACKAGE_wpad-mesh-mbedtls
 	default 3
 	help
 	  Useful values are:
 	    0 = all messages
 		1 = raw message dumps
 		2 = most debugging messages
 		3 = info messages
 		4 = warnings
 		5 = errors
 config WPA_WOLFSSL
 	bool
 	default PACKAGE_wpa-supplicant-wolfssl ||\
 	        PACKAGE_wpad-wolfssl ||\
 	        PACKAGE_wpad-basic-wolfssl || \
 	        PACKAGE_wpad-mesh-wolfssl ||\
 	        PACKAGE_eapol-test-wolfssl
 	select WOLFSSL_HAS_AES_CCM
 	select WOLFSSL_HAS_ARC4
 	select WOLFSSL_HAS_DH
 	select WOLFSSL_HAS_OCSP
 	select WOLFSSL_HAS_SESSION_TICKET
 	select WOLFSSL_HAS_WPAS
 config DRIVER_11AC_SUPPORT
 	bool
 	default n
 config DRIVER_11AX_SUPPORT
 	bool
 	default n
 	select WPA_MBO_SUPPORT
 config WPA_ENABLE_WEP
 	bool "Enable support for unsecure and obsolete WEP"
 	help
 	  Wired equivalent privacy (WEP) is an obsolete cryptographic data
 	  confidentiality algorithm that is not considered secure. It should not be used
 	  for anything anymore. The functionality needed to use WEP is available in the
 	  current hostapd release under this optional build parameter and completely
 	  removed in a future release.
 config WPA_MBO_SUPPORT
 	bool "Multi Band Operation (Agile Multiband)"
 	default PACKAGE_wpa-supplicant || \
 		PACKAGE_wpa-supplicant-openssl || \
 		PACKAGE_wpa-supplicant-wolfssl || \
 		PACKAGE_wpa-supplicant-mbedtls || \
 		PACKAGE_wpad || \
 		PACKAGE_wpad-openssl || \
 		PACKAGE_wpad-wolfssl || \
 		PACKAGE_wpad-mbedtls
 	help
 	  Multi Band Operation aka (Agile Multiband) enables features
 	  that facilitate efficient use of multiple frequency bands.
 	  Enabling MBO on an AP using RSN requires 802.11w to be enabled.
 	  Hostapd will refuse to start if MBO and RSN are enabled without 11w.
--- a/feeds/hostapd/hostapd/Makefile
+++ b/feeds/hostapd/hostapd/Makefile
@@ -1,851 +0,0 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
 # Copyright (C) 2006-2021 OpenWrt.org
 include $(TOPDIR)/rules.mk
 PKG_NAME:=hostapd
 PKG_RELEASE:=4
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2023-09-08
 PKG_SOURCE_VERSION:=e5ccbfc69ecf297590341ae8b461edba9d8e964c
 PKG_MIRROR_HASH:=4d71097b8e3b91b5c21c2bba7a1e68415bd21d972fddbffa9ef130877d81b347
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=BSD-3-Clause
 PKG_CPE_ID:=cpe:/a:w1.fi:hostapd
 PKG_BUILD_PARALLEL:=1
 PKG_ASLR_PIE_REGULAR:=1
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_hostapd \
 	CONFIG_PACKAGE_hostapd-basic \
 	CONFIG_PACKAGE_hostapd-mini \
 	CONFIG_WPA_RFKILL_SUPPORT \
 	CONFIG_DRIVER_11AC_SUPPORT \
 	CONFIG_DRIVER_11AX_SUPPORT \
 	CONFIG_WPA_ENABLE_WEP
 PKG_BUILD_FLAGS:=gc-sections lto
 EAPOL_TEST_PROVIDERS:=eapol-test eapol-test-openssl eapol-test-wolfssl
 SUPPLICANT_PROVIDERS:=
 HOSTAPD_PROVIDERS:=
 LOCAL_TYPE=$(strip \
 		$(if $(findstring wpad,$(BUILD_VARIANT)),wpad, \
 		$(if $(findstring supplicant,$(BUILD_VARIANT)),supplicant, \
 		hostapd \
 		)))
 LOCAL_AND_LIB_VARIANT=$(patsubst hostapd-%,%,\
 		      $(patsubst wpad-%,%,\
 		      $(patsubst supplicant-%,%,\
 		      $(BUILD_VARIANT)\
 		      )))
 LOCAL_VARIANT=$(patsubst %-internal,%,\
 	      $(patsubst %-openssl,%,\
 	      $(patsubst %-wolfssl,%,\
 	      $(patsubst %-mbedtls,%,\
 	      $(LOCAL_AND_LIB_VARIANT)\
 	      ))))
 SSL_VARIANT=$(strip \
 		$(if $(findstring openssl,$(LOCAL_AND_LIB_VARIANT)),openssl,\
 		$(if $(findstring wolfssl,$(LOCAL_AND_LIB_VARIANT)),wolfssl,\
 		$(if $(findstring mbedtls,$(LOCAL_AND_LIB_VARIANT)),mbedtls,\
 		internal\
 		))))
 CONFIG_VARIANT:=$(LOCAL_VARIANT)
 ifeq ($(LOCAL_VARIANT),mesh)
  CONFIG_VARIANT:=full
 endif
 include $(INCLUDE_DIR)/package.mk
 STAMP_CONFIGURED:=$(STAMP_CONFIGURED)_$(CONFIG_WPA_MSG_MIN_PRIORITY)
 ifneq ($(CONFIG_DRIVER_11AC_SUPPORT),)
  HOSTAPD_IEEE80211AC:=y
 endif
 ifneq ($(CONFIG_DRIVER_11AX_SUPPORT),)
  HOSTAPD_IEEE80211AX:=y
 endif
 CORE_DEPENDS = +ucode +libubus +libucode +ucode-mod-fs +ucode-mod-nl80211 +ucode-mod-rtnl +ucode-mod-ubus +ucode-mod-uloop +libblobmsg-json
 OPENSSL_DEPENDS = +PACKAGE_$(1):libopenssl +PACKAGE_$(1):libopenssl-legacy
 DRIVER_MAKEOPTS= \
 	CONFIG_ACS=y CONFIG_DRIVER_NL80211=y \
 	CONFIG_IEEE80211AC=$(HOSTAPD_IEEE80211AC) \
 	CONFIG_IEEE80211AX=$(HOSTAPD_IEEE80211AX) \
 	CONFIG_MBO=$(CONFIG_WPA_MBO_SUPPORT) \
 	CONFIG_UCODE=y
 ifeq ($(SSL_VARIANT),openssl)
  DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y
  TARGET_LDFLAGS += -lcrypto -lssl
  ifeq ($(LOCAL_VARIANT),basic)
    DRIVER_MAKEOPTS += CONFIG_OWE=y
  endif
  ifeq ($(LOCAL_VARIANT),mesh)
    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y
  endif
  ifeq ($(LOCAL_VARIANT),full)
    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y
  endif
 endif
 ifeq ($(SSL_VARIANT),wolfssl)
  DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_SAE=y
  TARGET_LDFLAGS += -lwolfssl
  ifeq ($(LOCAL_VARIANT),basic)
    DRIVER_MAKEOPTS += CONFIG_OWE=y
  endif
  ifeq ($(LOCAL_VARIANT),mesh)
    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
  ifeq ($(LOCAL_VARIANT),full)
    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
 endif
 ifeq ($(SSL_VARIANT),mbedtls)
  DRIVER_MAKEOPTS += CONFIG_TLS=mbedtls CONFIG_SAE=y
  TARGET_LDFLAGS += -lmbedcrypto -lmbedx509 -lmbedtls
  ifeq ($(LOCAL_VARIANT),basic)
    DRIVER_MAKEOPTS += CONFIG_OWE=y
  endif
  ifeq ($(LOCAL_VARIANT),mesh)
    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
  ifeq ($(LOCAL_VARIANT),full)
    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
 endif
 ifneq ($(LOCAL_TYPE),hostapd)
  ifdef CONFIG_WPA_RFKILL_SUPPORT
    DRIVER_MAKEOPTS += NEED_RFKILL=y
  endif
 endif
 DRV_DEPENDS:=+libnl-tiny
 define Package/hostapd/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=IEEE 802.1x Authenticator
  URL:=http://hostap.epitest.fi/
  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-r$(PKG_RELEASE))
  USERID:=network=101:network=101
  PROVIDES:=hostapd
  CONFLICTS:=$(HOSTAPD_PROVIDERS)
  HOSTAPD_PROVIDERS+=$(1)
 endef
 define Package/hostapd
 $(call Package/hostapd/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=full-internal
 endef
 define Package/hostapd/description
 This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
 Authenticator.
 endef
 define Package/hostapd-openssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=full-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 Package/hostapd-openssl/description = $(Package/hostapd/description)
 define Package/hostapd-wolfssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=full-wolfssl
  DEPENDS+=+PACKAGE_hostapd-wolfssl:libwolfssl
 endef
 Package/hostapd-wolfssl/description = $(Package/hostapd/description)
 define Package/hostapd-mbedtls
 $(call Package/hostapd/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=full-mbedtls
  DEPENDS+=+PACKAGE_hostapd-mbedtls:libmbedtls
 endef
 Package/hostapd-mbedtls/description = $(Package/hostapd/description)
 define Package/hostapd-basic
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r, 11w)
  VARIANT:=basic
 endef
 define Package/hostapd-basic/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-basic-openssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r and 11w)
  VARIANT:=basic-openssl
  DEPENDS+=+PACKAGE_hostapd-basic-openssl:libopenssl
 endef
 define Package/hostapd-basic-openssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-basic-wolfssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r and 11w)
  VARIANT:=basic-wolfssl
  DEPENDS+=+PACKAGE_hostapd-basic-wolfssl:libwolfssl
 endef
 define Package/hostapd-basic-wolfssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-basic-mbedtls
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r and 11w)
  VARIANT:=basic-mbedtls
  DEPENDS+=+PACKAGE_hostapd-basic-mbedtls:libmbedtls
 endef
 define Package/hostapd-basic-mbedtls/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-mini
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK only)
  VARIANT:=mini
 endef
 define Package/hostapd-mini/description
 This package contains a minimal IEEE 802.1x/WPA Authenticator (WPA-PSK only).
 endef
 define Package/wpad/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=IEEE 802.1x Auth/Supplicant
  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-r$(PKG_RELEASE))
  USERID:=network=101:network=101
  URL:=http://hostap.epitest.fi/
  PROVIDES:=hostapd wpa-supplicant
  CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
  HOSTAPD_PROVIDERS+=$(1)
  SUPPLICANT_PROVIDERS+=$(1)
 endef
 define Package/wpad
 $(call Package/wpad/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=wpad-full-internal
 endef
 define Package/wpad/description
 This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
 Authenticator and Supplicant
 endef
 define Package/wpad-openssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=wpad-full-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 Package/wpad-openssl/description = $(Package/wpad/description)
 define Package/wpad-wolfssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=wpad-full-wolfssl
  DEPENDS+=+PACKAGE_wpad-wolfssl:libwolfssl
 endef
 Package/wpad-wolfssl/description = $(Package/wpad/description)
 define Package/wpad-mbedtls
 $(call Package/wpad/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=wpad-full-mbedtls
  DEPENDS+=+PACKAGE_wpad-mbedtls:libmbedtls
 endef
 Package/wpad-mbedtls/description = $(Package/wpad/description)
 define Package/wpad-basic
 $(call Package/wpad/Default,$(1))
  TITLE+= (WPA-PSK, 11r, 11w)
  VARIANT:=wpad-basic
 endef
 define Package/wpad-basic/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/wpad-basic-openssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (OpenSSL, 11r, 11w)
  VARIANT:=wpad-basic-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 define Package/wpad-basic-openssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 define Package/wpad-basic-wolfssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (wolfSSL, 11r, 11w)
  VARIANT:=wpad-basic-wolfssl
  DEPENDS+=+PACKAGE_wpad-basic-wolfssl:libwolfssl
 endef
 define Package/wpad-basic-wolfssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 define Package/wpad-basic-mbedtls
 $(call Package/wpad/Default,$(1))
  TITLE+= (mbedTLS, 11r, 11w)
  VARIANT:=wpad-basic-mbedtls
  DEPENDS+=+PACKAGE_wpad-basic-mbedtls:libmbedtls
 endef
 define Package/wpad-basic-mbedtls/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 define Package/wpad-mini
 $(call Package/wpad/Default,$(1))
  TITLE+= (WPA-PSK only)
  VARIANT:=wpad-mini
 endef
 define Package/wpad-mini/description
 This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (WPA-PSK only).
 endef
 define Package/wpad-mesh
 $(call Package/wpad/Default,$(1))
  DEPENDS+=@(!TARGET_uml||BROKEN)
  PROVIDES+=wpa-supplicant-mesh wpad-mesh
 endef
 define Package/wpad-mesh/description
 This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (with 802.11s mesh and SAE support).
 endef
 define Package/wpad-mesh-openssl
 $(call Package/wpad-mesh,$(1))
  TITLE+= (OpenSSL, 11s, SAE)
  DEPENDS+=$(OPENSSL_DEPENDS)
  VARIANT:=wpad-mesh-openssl
 endef
 Package/wpad-mesh-openssl/description = $(Package/wpad-mesh/description)
 define Package/wpad-mesh-wolfssl
 $(call Package/wpad-mesh,$(1))
  TITLE+= (wolfSSL, 11s, SAE)
  DEPENDS+=+PACKAGE_wpad-mesh-wolfssl:libwolfssl
  VARIANT:=wpad-mesh-wolfssl
 endef
 Package/wpad-mesh-wolfssl/description = $(Package/wpad-mesh/description)
 define Package/wpad-mesh-mbedtls
 $(call Package/wpad-mesh,$(1))
  TITLE+= (mbedTLS, 11s, SAE)
  DEPENDS+=+PACKAGE_wpad-mesh-mbedtls:libmbedtls
  VARIANT:=wpad-mesh-mbedtls
 endef
 Package/wpad-mesh-mbedtls/description = $(Package/wpad-mesh/description)
 define Package/wpa-supplicant/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=WPA Supplicant
  URL:=http://hostap.epitest.fi/wpa_supplicant/
  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-r$(PKG_RELEASE))
  USERID:=network=101:network=101
  PROVIDES:=wpa-supplicant
  CONFLICTS:=$(SUPPLICANT_PROVIDERS)
  SUPPLICANT_PROVIDERS+=$(1)
 endef
 define Package/wpa-supplicant
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=supplicant-full-internal
 endef
 define Package/wpa-supplicant-openssl
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=supplicant-full-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 define Package/wpa-supplicant-wolfssl
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=supplicant-full-wolfssl
  DEPENDS+=+PACKAGE_wpa-supplicant-wolfssl:libwolfssl
 endef
 define Package/wpa-supplicant-mbedtls
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=supplicant-full-mbedtls
  DEPENDS+=+PACKAGE_wpa-supplicant-mbedtls:libmbedtls
 endef
 define Package/wpa-supplicant/config
 	source "$(SOURCE)/Config.in"
 endef
 define Package/wpa-supplicant-p2p
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (Wi-Fi P2P support)
  VARIANT:=supplicant-p2p-internal
 endef
 define Package/wpa-supplicant-mesh/Default
 $(call Package/wpa-supplicant/Default,$(1))
  DEPENDS+=@(!TARGET_uml||BROKEN)
  PROVIDES+=wpa-supplicant-mesh
 endef
 define Package/wpa-supplicant-mesh-openssl
 $(call Package/wpa-supplicant-mesh/Default,$(1))
  TITLE+= (OpenSSL, 11s, SAE)
  VARIANT:=supplicant-mesh-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 define Package/wpa-supplicant-mesh-wolfssl
 $(call Package/wpa-supplicant-mesh/Default,$(1))
  TITLE+= (wolfSSL, 11s, SAE)
  VARIANT:=supplicant-mesh-wolfssl
  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-wolfssl:libwolfssl
 endef
 define Package/wpa-supplicant-mesh-mbedtls
 $(call Package/wpa-supplicant-mesh/Default,$(1))
  TITLE+= (mbedTLS, 11s, SAE)
  VARIANT:=supplicant-mesh-mbedtls
  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-mbedtls:libmbedtls
 endef
 define Package/wpa-supplicant-basic
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (11r, 11w)
  VARIANT:=supplicant-basic
 endef
 define Package/wpa-supplicant-mini
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (minimal)
  VARIANT:=supplicant-mini
 endef
 define Package/hostapd-common
  TITLE:=hostapd/wpa_supplicant common support files
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
 endef
 define Package/hostapd-utils
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=IEEE 802.1x Authenticator (utils)
  URL:=http://hostap.epitest.fi/
  DEPENDS:=@$(subst $(space),||,$(foreach pkg,$(HOSTAPD_PROVIDERS),PACKAGE_$(pkg)))
  VARIANT:=*
 endef
 define Package/hostapd-utils/description
 This package contains a command line utility to control the
 IEEE 802.1x/WPA/EAP/RADIUS Authenticator.
 endef
 define Package/wpa-cli
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  DEPENDS:=@$(subst $(space),||,$(foreach pkg,$(SUPPLICANT_PROVIDERS),PACKAGE_$(pkg)))
  TITLE:=WPA Supplicant command line control utility
  VARIANT:=*
 endef
 define Package/eapol-test/Default
  TITLE:=802.1x auth test utility
  SECTION:=net
  SUBMENU:=WirelessAPD
  CATEGORY:=Network
  DEPENDS:=$(DRV_DEPENDS) $(CORE_DEPENDS)
 endef
 define Package/eapol-test
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=supplicant-full-internal
 endef
 define Package/eapol-test-openssl
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=supplicant-full-openssl
  CONFLICTS:=$(filter-out eapol-test-openssl ,$(EAPOL_TEST_PROVIDERS))
  DEPENDS+=$(OPENSSL_DEPENDS)
  PROVIDES:=eapol-test
 endef
 define Package/eapol-test-wolfssl
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=supplicant-full-wolfssl
  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-wolfssl ,$(EAPOL_TEST_PROVIDERS)))
  DEPENDS+=+PACKAGE_eapol-test-wolfssl:libwolfssl
  PROVIDES:=eapol-test
 endef
 define Package/eapol-test-mbedtls
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=supplicant-full-mbedtls
  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-mbedtls ,$(EAPOL_TEST_PROVIDERS)))
  DEPENDS+=+PACKAGE_eapol-test-mbedtls:libmbedtls
  PROVIDES:=eapol-test
 endef
 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
 	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.a | $(XARGS) rm -f
 	rm -f $(PKG_BUILD_DIR)/hostapd/hostapd
 	rm -f $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant
 	rm -f $(PKG_BUILD_DIR)/.config_*
 	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
 endif
 define Build/Configure
 	$(Build/Configure/rebuild)
 	$(if $(wildcard ./files/hostapd-$(CONFIG_VARIANT).config), \
 		$(CP) ./files/hostapd-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/hostapd/.config \
 	)
 	$(if $(wildcard ./files/wpa_supplicant-$(CONFIG_VARIANT).config), \
 		$(CP) ./files/wpa_supplicant-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/wpa_supplicant/.config
 	)
 endef
 TARGET_CPPFLAGS := \
 	-I$(STAGING_DIR)/usr/include/libnl-tiny \
 	-I$(PKG_BUILD_DIR)/src/crypto \
 	$(TARGET_CPPFLAGS) \
 	-DCONFIG_LIBNL20 \
 	-D_GNU_SOURCE \
 	$(if $(CONFIG_WPA_MSG_MIN_PRIORITY),-DCONFIG_MSG_MIN_PRIORITY=$(CONFIG_WPA_MSG_MIN_PRIORITY))
 TARGET_LDFLAGS += -lubox -lubus -lblobmsg_json -lucode -lm -lnl-tiny
 ifdef CONFIG_WPA_ENABLE_WEP
    DRIVER_MAKEOPTS += CONFIG_WEP=y
 endif
 define Build/RunMake
 	CFLAGS="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \
 	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(1) \
 		$(TARGET_CONFIGURE_OPTS) \
 		$(DRIVER_MAKEOPTS) \
 		LIBS="$(TARGET_LDFLAGS)" \
 		LIBS_c="$(TARGET_LDFLAGS_C)" \
 		AR="$(TARGET_CROSS)gcc-ar" \
 		BCHECK= \
 		$(if $(findstring s,$(OPENWRT_VERBOSE)),V=1) \
 		$(2)
 endef
 define Build/Compile/wpad
 	echo ` \
 		$(call Build/RunMake,hostapd,-s MULTICALL=1 dump_cflags); \
 		$(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \
 		sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \
 	` > $(PKG_BUILD_DIR)/.cflags
 	sed -i 's/"/\\"/g' $(PKG_BUILD_DIR)/.cflags
 	+$(call Build/RunMake,hostapd, \
 		CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
 		MULTICALL=1 \
 		hostapd_cli hostapd_multi.a \
 	)
 	+$(call Build/RunMake,wpa_supplicant, \
 		CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
 		MULTICALL=1 \
 		wpa_cli wpa_supplicant_multi.a \
 	)
 	+export MAKEFLAGS="$(MAKE_JOBSERVER)"; $(TARGET_CC) -o $(PKG_BUILD_DIR)/wpad \
 		$(TARGET_CFLAGS) \
 		./files/multicall.c \
 		$(PKG_BUILD_DIR)/hostapd/hostapd_multi.a \
 		$(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant_multi.a \
 		$(TARGET_LDFLAGS)
 endef
 define Build/Compile/hostapd
 	+$(call Build/RunMake,hostapd, \
 		hostapd hostapd_cli \
 	)
 endef
 define Build/Compile/supplicant
 	+$(call Build/RunMake,wpa_supplicant, \
 		wpa_cli wpa_supplicant \
 	)
 endef
 define Build/Compile/supplicant-full-internal
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile/supplicant-full-openssl
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile/supplicant-full-wolfssl
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile/supplicant-full-mbedtls
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile
 	$(Build/Compile/$(LOCAL_TYPE))
 	$(Build/Compile/$(BUILD_VARIANT))
 endef
 define Install/hostapd/full
 	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/radius
 	ln -sf hostapd $(1)/usr/sbin/hostapd-radius
 	$(INSTALL_BIN) ./files/radius.init $(1)/etc/init.d/radius
 	$(INSTALL_DATA) ./files/radius.config $(1)/etc/config/radius
 	$(INSTALL_DATA) ./files/radius.clients $(1)/etc/radius/clients
 	$(INSTALL_DATA) ./files/radius.users $(1)/etc/radius/users
 endef
 define Package/hostapd-full/conffiles
 /etc/config/radius
 /etc/radius
 endef
 ifeq ($(CONFIG_VARIANT),full)
 Package/wpad-mesh-openssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-openssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd-openssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
 endif
 define Install/hostapd
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/share/hostap
 	$(INSTALL_DATA) ./files/hostapd.uc $(1)/usr/share/hostap/
 	$(if $(findstring full,$(CONFIG_VARIANT)),$(Install/hostapd/full))
 endef
 define Install/supplicant
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/share/hostap
 	$(INSTALL_DATA) ./files/wpa_supplicant.uc $(1)/usr/share/hostap/
 endef
 define Package/hostapd-common/install
 	$(INSTALL_DIR) $(1)/etc/capabilities $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d $(1)/lib/netifd  $(1)/usr/share/acl.d $(1)/usr/share/hostap
 	$(INSTALL_BIN) ./files/dhcp-get-server.sh $(1)/lib/netifd/dhcp-get-server.sh
 	$(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
 	$(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
 	$(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
 	$(INSTALL_DATA) ./files/wpad_acl.json $(1)/usr/share/acl.d
 	$(INSTALL_DATA) ./files/wpad.json $(1)/etc/capabilities
 	$(INSTALL_DATA) ./files/common.uc $(1)/usr/share/hostap/
 	$(INSTALL_DATA) ./files/wdev.uc $(1)/usr/share/hostap/
 endef
 define Package/hostapd/install
 	$(call Install/hostapd,$(1))
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd $(1)/usr/sbin/
 endef
 Package/hostapd-basic/install = $(Package/hostapd/install)
 Package/hostapd-basic-openssl/install = $(Package/hostapd/install)
 Package/hostapd-basic-wolfssl/install = $(Package/hostapd/install)
 Package/hostapd-basic-mbedtls/install = $(Package/hostapd/install)
 Package/hostapd-mini/install = $(Package/hostapd/install)
 Package/hostapd-openssl/install = $(Package/hostapd/install)
 Package/hostapd-wolfssl/install = $(Package/hostapd/install)
 Package/hostapd-mbedtls/install = $(Package/hostapd/install)
 ifneq ($(LOCAL_TYPE),supplicant)
  define Package/hostapd-utils/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd_cli $(1)/usr/sbin/
  endef
 endif
 define Package/wpad/install
 	$(call Install/hostapd,$(1))
 	$(call Install/supplicant,$(1))
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpad $(1)/usr/sbin/
 	$(LN) wpad $(1)/usr/sbin/hostapd
 	$(LN) wpad $(1)/usr/sbin/wpa_supplicant
 endef
 Package/wpad-basic/install = $(Package/wpad/install)
 Package/wpad-basic-openssl/install = $(Package/wpad/install)
 Package/wpad-basic-wolfssl/install = $(Package/wpad/install)
 Package/wpad-basic-mbedtls/install = $(Package/wpad/install)
 Package/wpad-mini/install = $(Package/wpad/install)
 Package/wpad-openssl/install = $(Package/wpad/install)
 Package/wpad-wolfssl/install = $(Package/wpad/install)
 Package/wpad-mbedtls/install = $(Package/wpad/install)
 Package/wpad-mesh-openssl/install = $(Package/wpad/install)
 Package/wpad-mesh-wolfssl/install = $(Package/wpad/install)
 Package/wpad-mesh-mbedtls/install = $(Package/wpad/install)
 define Package/wpa-supplicant/install
 	$(call Install/supplicant,$(1))
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant $(1)/usr/sbin/
 endef
 Package/wpa-supplicant-basic/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-wolfssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mbedtls/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-openssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-wolfssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-mbedtls/install = $(Package/wpa-supplicant/install)
 ifneq ($(LOCAL_TYPE),hostapd)
  define Package/wpa-cli/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_cli $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-internal)
  define Package/eapol-test/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-openssl)
  define Package/eapol-test-openssl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-wolfssl)
  define Package/eapol-test-wolfssl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-mbedtls)
  define Package/eapol-test-mbedtls/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 # Build hostapd-common before its dependents, to avoid
 # spurious rebuilds when building multiple variants.
 $(eval $(call BuildPackage,hostapd-common))
 $(eval $(call BuildPackage,hostapd))
 $(eval $(call BuildPackage,hostapd-basic))
 $(eval $(call BuildPackage,hostapd-basic-openssl))
 $(eval $(call BuildPackage,hostapd-basic-wolfssl))
 $(eval $(call BuildPackage,hostapd-basic-mbedtls))
 $(eval $(call BuildPackage,hostapd-mini))
 $(eval $(call BuildPackage,hostapd-openssl))
 $(eval $(call BuildPackage,hostapd-wolfssl))
 $(eval $(call BuildPackage,hostapd-mbedtls))
 $(eval $(call BuildPackage,wpad))
 $(eval $(call BuildPackage,wpad-mesh-openssl))
 $(eval $(call BuildPackage,wpad-mesh-wolfssl))
 $(eval $(call BuildPackage,wpad-mesh-mbedtls))
 $(eval $(call BuildPackage,wpad-basic))
 $(eval $(call BuildPackage,wpad-basic-openssl))
 $(eval $(call BuildPackage,wpad-basic-wolfssl))
 $(eval $(call BuildPackage,wpad-basic-mbedtls))
 $(eval $(call BuildPackage,wpad-mini))
 $(eval $(call BuildPackage,wpad-openssl))
 $(eval $(call BuildPackage,wpad-wolfssl))
 $(eval $(call BuildPackage,wpad-mbedtls))
 $(eval $(call BuildPackage,wpa-supplicant))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-openssl))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-mbedtls))
 $(eval $(call BuildPackage,wpa-supplicant-basic))
 $(eval $(call BuildPackage,wpa-supplicant-mini))
 $(eval $(call BuildPackage,wpa-supplicant-p2p))
 $(eval $(call BuildPackage,wpa-supplicant-openssl))
 $(eval $(call BuildPackage,wpa-supplicant-wolfssl))
 $(eval $(call BuildPackage,wpa-supplicant-mbedtls))
 $(eval $(call BuildPackage,wpa-cli))
 $(eval $(call BuildPackage,hostapd-utils))
 $(eval $(call BuildPackage,eapol-test))
 $(eval $(call BuildPackage,eapol-test-openssl))
 $(eval $(call BuildPackage,eapol-test-wolfssl))
 $(eval $(call BuildPackage,eapol-test-mbedtls))
--- a/feeds/hostapd/hostapd/README.md
+++ b/feeds/hostapd/hostapd/README.md
@@ -1,419 +0,0 @@
 # UBUS methods - hostapd
 ## bss_mgmt_enable
 Enable 802.11k/v features.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | neighbor_report | bool | no | enable 802.11k neighbor reports |
 | beacon_report | bool | no | enable 802.11k beacon reports |
 | link_measurements | bool | no | enable 802.11k link measurements |
 | bss_transition | bool | no | enable 802.11v BSS transition support |
 ### example
 `ubus call hostapd.wl5-fb bss_mgmt_enable '{ "neighbor_report": true, "beacon_report": true, "link_measurements": true, "bss_transition": true
 }'`
 ## bss_transition_request
 Initiate an 802.11v transition request.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | disassociation_imminent | bool | no | set Disassociation Imminent bit |
 | disassociation_timer | int32 | no | disassociate client if it doesn't roam after this time |
 | validity_period | int32 | no | validity of the BSS Transition Candiate List |
 | neighbors | array | no | BSS Transition Candidate List |
 | abridged | bool | no | prefer APs in the BSS Transition Candidate List |
 | dialog_token | int32 | no | identifier for the request/report transaction |
 | mbo_reason | int32 | no | MBO Transition Reason Code Attribute |
 | cell_pref | int32 | no | MBO Cellular Data Connection Preference Attribute |
 | reassoc_delay | int32 | no | MBO Re-association retry delay |
 ### example
 `ubus call hostapd.wl5-fb bss_transition_request '{ "addr": "68:2F:67:8B:98:ED", "disassociation_imminent": false, "disassociation_timer": 0, "validity_period": 30, "neighbors": ["b6a7b9cbeebabf5900008064090603026a00"], "abridged": 1 }'`
 ## config_add
 Dynamically load a BSS configuration from a file. This is used by netifd's mac80211 support script to configure BSSes on multiple PHYs in a single hostapd instance.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | iface | string | yes | WiFi interface name |
 | config | string | yes | path to hostapd config file |
 ## config_remove
 Dynamically remove a BSS configuration.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | iface | string | yes | WiFi interface name |
 ## del_client
 Kick a client off the network.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | reason | int32 | no | 802.11 reason code |
 | deauth | bool | no | deauthenticates client instead of disassociating |
 | ban_time | int32 | no | ban client for N milliseconds |
 ### example
 `ubus call hostapd.wl5-fb del_client '{ "addr": "68:2f:67:8b:98:ed", "reason": 5, "deauth": true, "ban_time": 10000 }'`
 ## get_clients
 Show associated clients.
 ### example
 `ubus call hostapd.wl5-fb get_clients`
 ### output
 ```json
 {
        "freq": 5260,
        "clients": {
                "68:2f:67:8b:98:ed": {
                        "auth": true,
                        "assoc": true,
                        "authorized": true,
                        "preauth": false,
                        "wds": false,
                        "wmm": true,
                        "ht": true,
                        "vht": true,
                        "he": false,
                        "wps": false,
                        "mfp": true,
                        "rrm": [
                                0,
                                0,
                                0,
                                0,
                                0
                        ],
                        "extended_capabilities": [
                                0,
                                0,
                                0,
                                0,
                                0,
                                0,
                                0,
                                64
                        ],
                        "aid": 3,
                        "signature": "wifi4|probe:0,1,45,127,107,191,221(0017f2,10),221(001018,2),htcap:006f,htagg:1b,htmcs:0000ffff,vhtcap:0f825832,vhtrxmcs:0000ffea,vhttxmcs:0000ffea,extcap:0000008000000040|assoc:0,1,33,36,48,45,127,191,221(0017f2,10),221(001018,2),221(0050f2,2),htcap:006f,htagg:1b,htmcs:0000ffff,vhtcap:0f825832,vhtrxmcs:0000ffea,vhttxmcs:0000ffea,txpow:14f9,extcap:0000000000000040",
                        "bytes": {
                                "rx": 1933667,
                                "tx": 746805
                        },
                        "airtime": {
                                "rx": 208863,
                                "tx": 9037883
                        },
                        "packets": {
                                "rx": 3587,
                                "tx": 2185
                        },
                        "rate": {
                                "rx": 866700,
                                "tx": 866700
                        },
                        "signal": -50,
                        "capabilities": {
                                "vht": {
                                        "su_beamformee": true,
                                        "mu_beamformee": false,
                                        "mcs_map": {
                                                "rx": {
                                                        "1ss": 9,
                                                        "2ss": 9,
                                                        "3ss": 9,
                                                        "4ss": -1,
                                                        "5ss": -1,
                                                        "6ss": -1,
                                                        "7ss": -1,
                                                        "8ss": -1
                                                },
                                                "tx": {
                                                        "1ss": 9,
                                                        "2ss": 9,
                                                        "3ss": 9,
                                                        "4ss": -1,
                                                        "5ss": -1,
                                                        "6ss": -1,
                                                        "7ss": -1,
                                                        "8ss": -1
                                                }
                                        }
                                }
                        }
                }
        }
 }
 ```
 ## get_features
 Show HT/VHT support.
 ### example
 `ubus call hostapd.wl5-fb get_features`
 ### output
 ```json
 {
        "ht_supported": true,
        "vht_supported": true
 }
 ```
 ## get_status
 Get BSS status.
 ### example
 `ubus call hostapd.wl5-fb get_status`
 ### output
 ```json
 {
        "status": "ENABLED",
        "bssid": "b6:a7:b9:cb:ee:bc",
        "ssid": "fb",
        "freq": 5260,
        "channel": 52,
        "op_class": 128,
        "beacon_interval": 100,
        "phy": "wl5-lan",
        "rrm": {
                "neighbor_report_tx": 0
        },
        "wnm": {
                "bss_transition_query_rx": 0,
                "bss_transition_request_tx": 0,
                "bss_transition_response_rx": 0
        },
        "airtime": {
                "time": 259561738,
                "time_busy": 2844249,
                "utilization": 0
        },
        "dfs": {
                "cac_seconds": 60,
                "cac_active": false,
                "cac_seconds_left": 0
        }
 }
 ```
 ## link_measurement_req
 Initiate an 802.11k Link Measurement Request.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | tx-power-used | int32 | no | transmit power used to transmit the Link Measurement Request frame |
 | tx-power-max | int32 | no | upper limit of transmit power to be used by the client |
 ## list_bans
 List banned clients.
 ### example
 `ubus call hostapd.wl5-fb list_bans`
 ### output
 ```json
 {
        "clients": [
                "68:2f:67:8b:98:ed"
        ]
 }
 ```
 ## notify_response
 When enabled, hostapd will send a ubus notification and wait for a response before responding to various requests. This is used by e.g. usteer to make it possible to ignore probe requests.
 :warning: enabling this will cause hostapd to stop responding to probe requests unless a ubus subscriber responds to the ubus notifications.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | notify_response | int32 | yes | disable (0) or enable (!0) |
 ### example
 `ubus call hostapd.wl5-fb notify_response '{ "notify_response": 1 }'`
 ## reload
 Reload BSS configuration.
 :warning: this can cause problems for certain configurations:
 ```
 Mon May 16 16:09:08 2022 daemon.warn hostapd: Failed to check if DFS is required; ret=-1
 Mon May 16 16:09:08 2022 daemon.warn hostapd: Failed to check if DFS is required; ret=-1
 Mon May 16 16:09:08 2022 daemon.err hostapd: Wrong coupling between HT and VHT/HE channel setting
 ```
 ### example
 `ubus call hostapd.wl5-fb reload`
 ## rrm_beacon_req
 Send a Beacon Measurement Request to a client.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | op_class | int32 | yes | the Regulatory Class for which this Measurement Request applies |
 | channel | int32 | yes | channel to measure |
 | duration | int32 | yes | compile Beacon Measurement Report after N TU |
 | mode | int32 | yes | mode to be used for measurement (0: passive, 1: active, 2: beacon table) |
 | bssid | string | no | filter BSSes in Beacon Measurement Report by BSSID |
 | ssid | string | no | filter BSSes in Beacon Measurement Report by SSID|
 ## rrm_nr_get_own
 Show Neighbor Report Element for this BSS.
 ### example
 `ubus call hostapd.wl5-fb rrm_nr_get_own`
 ### output
 ```json
 {
        "value": [
                "b6:a7:b9:cb:ee:bc",
                "fb",
                "b6a7b9cbeebcaf5900008095090603029b00"
        ]
 }
 ```
 ## rrm_nr_list
 Show Neighbor Report Elements for other BSSes in this ESS.
 ### example
 `ubus call hostapd.wl5-fb rrm_nr_list`
 ### output
 ```json
 {
        "list": [
                [
                        "b6:a7:b9:cb:ee:ba",
                        "fb",
                        "b6a7b9cbeebabf5900008064090603026a00"
                ]
        ]
 }
 ```
 ## rrm_nr_set
 Set the Neighbor Report Elements. An element for the node on which this command is executed will always be added.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | list | array | yes | array of Neighbor Report Elements in the format of the rrm_nr_list output |
 ### example
 `ubus call hostapd.wl5-fb rrm_nr_set '{ "list": [ [ "b6:a7:b9:cb:ee:ba", "fb", "b6a7b9cbeebabf5900008064090603026a00" ] ] }'`
 ## set_vendor_elements
 Configure Vendor-specific Information Elements for BSS.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | vendor_elements | string | yes | Vendor-specific Information Elements as hex string |
 ### example
 `ubus call hostapd.wl5-fb set_vendor_elements '{ "vendor_elements": "dd054857dd6662" }'`
 ## switch_chan
 Initiate a channel switch.
 :warning: trying to switch to the channel that is currently in use will fail: `Command failed: Operation not supported`
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | freq | int32 | yes | frequency in MHz to switch to |
 | bcn_count | int32 | no | count in Beacon frames (TBTT) to perform the switch |
 | center_freq1 | int32 | no | segment 0 center frequency in MHz (valid for HT and VHT) |
 | center_freq2 | int32 | no | segment 1 center frequency in MHz (valid only for 80 MHz channel width and an 80+80 channel) |
 | bandwidth | int32 | no | channel width to use |
 | sec_channel_offset| int32 | no | secondary channel offset for HT40 (0 = disabled, 1 = HT40+, -1 = HT40-) |
 | ht | bool | no | enable 802.11n |
 | vht | bool | no | enable 802.11ac |
 | he | bool | no | enable 802.11ax |
 | block_tx | bool | no | block transmission during CSA period |
 | csa_force | bool | no | restart the interface in case the CSA fails |
 ## example
 `ubus call hostapd.wl5-fb switch_chan '{ "freq": 5180, "bcn_count": 10, "center_freq1": 5210, "bandwidth": 80, "he": 1, "block_tx": 1, "csa_force": 0 }'`
 ## update_airtime
 Set dynamic airtime weight for client.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | sta | string | yes | client MAC address |
 | weight | int32 | yes | airtime weight |
 ## update_beacon
 Force beacon frame content to be updated and to start beaconing on an interface that uses start_disabled=1.
 ### example
 `ubus call hostapd.wl5-fb update_beacon`
 ## wps_status
 Get WPS status for BSS.
 ### example
 `ubus call hostapd.wl5-fb wps_status`
 ### output
 ```json
 {
        "pbc_status": "Disabled",
        "last_wps_result": "None"
 }
 ```
 ## wps_cancel
 Cancel WPS Push Button Configuration.
 ### example
 `ubus call hostapd.wl5-fb wps_cancel`
 ## wps_start
 Start WPS Push Button Configuration.
 ### example
 `ubus call hostapd.wl5-fb wps_start`
--- a/feeds/hostapd/hostapd/files/common.uc
+++ b/feeds/hostapd/hostapd/files/common.uc
@@ -1,318 +0,0 @@
 import * as nl80211 from "nl80211";
 import * as rtnl from "rtnl";
 import { readfile, glob, basename, readlink } from "fs";
 const iftypes = {
 	ap: nl80211.const.NL80211_IFTYPE_AP,
 	mesh: nl80211.const.NL80211_IFTYPE_MESH_POINT,
 	sta: nl80211.const.NL80211_IFTYPE_STATION,
 	adhoc: nl80211.const.NL80211_IFTYPE_ADHOC,
 	monitor: nl80211.const.NL80211_IFTYPE_MONITOR,
 };
 function wdev_remove(name)
 {
 	nl80211.request(nl80211.const.NL80211_CMD_DEL_INTERFACE, 0, { dev: name });
 }
 function __phy_is_fullmac(phyidx)
 {
 	let data = nl80211.request(nl80211.const.NL80211_CMD_GET_WIPHY, 0, { wiphy: phyidx });
 	return !data.software_iftypes.ap_vlan;
 }
 function phy_is_fullmac(phy)
 {
 	let phyidx = int(trim(readfile(`/sys/class/ieee80211/${phy}/index`)));
 	return __phy_is_fullmac(phyidx);
 }
 function find_reusable_wdev(phyidx)
 {
 	if (!__phy_is_fullmac(phyidx))
 		return null;
 	let data = nl80211.request(
 		nl80211.const.NL80211_CMD_GET_INTERFACE,
 		nl80211.const.NLM_F_DUMP,
 		{ wiphy: phyidx });
 	for (let res in data)
 		if (trim(readfile(`/sys/class/net/${res.ifname}/operstate`)) == "down")
 			return res.ifname;
 	return null;
 }
 function wdev_create(phy, name, data)
 {
 	let phyidx = int(readfile(`/sys/class/ieee80211/${phy}/index`));
 	wdev_remove(name);
 	if (!iftypes[data.mode])
 		return `Invalid mode: ${data.mode}`;
 	let req = {
 		wiphy: phyidx,
 		ifname: name,
 		iftype: iftypes[data.mode],
 	};
 	if (data["4addr"])
 		req["4addr"] = data["4addr"];
 	if (data.macaddr)
 		req.mac = data.macaddr;
 	nl80211.error();
 	let reuse_ifname = find_reusable_wdev(phyidx);
 	if (reuse_ifname &&
 	    (reuse_ifname == name ||
 	     rtnl.request(rtnl.const.RTM_SETLINK, 0, { dev: reuse_ifname, ifname: name}) != false))
 		nl80211.request(
 			nl80211.const.NL80211_CMD_SET_INTERFACE, 0, {
 				wiphy: phyidx,
 				dev: name,
 				iftype: iftypes[data.mode],
 			});
 	else
 		nl80211.request(
 			nl80211.const.NL80211_CMD_NEW_INTERFACE,
 			nl80211.const.NLM_F_CREATE,
 			req);
 	let error = nl80211.error();
 	if (error)
 		return error;
 	if (data.powersave != null) {
 		nl80211.request(nl80211.const.NL80211_CMD_SET_POWER_SAVE, 0,
 			{ dev: name, ps_state: data.powersave ? 1 : 0});
 	}
 	return null;
 }
 function phy_sysfs_file(phy, name)
 {
 	return trim(readfile(`/sys/class/ieee80211/${phy}/${name}`));
 }
 function macaddr_split(str)
 {
 	return map(split(str, ":"), (val) => hex(val));
 }
 function macaddr_join(addr)
 {
 	return join(":", map(addr, (val) => sprintf("%02x", val)));
 }
 function wdev_macaddr(wdev)
 {
 	return trim(readfile(`/sys/class/net/${wdev}/address`));
 }
 const phy_proto = {
 	macaddr_init: function(used, options) {
 		this.macaddr_options = options ?? {};
 		this.macaddr_list = {};
 		if (type(used) == "object")
 			for (let addr in used)
 				this.macaddr_list[addr] = used[addr];
 		else
 			for (let addr in used)
 				this.macaddr_list[addr] = -1;
 		this.for_each_wdev((wdev) => {
 			let macaddr = wdev_macaddr(wdev);
 			this.macaddr_list[macaddr] ??= -1;
 		});
 		return this.macaddr_list;
 	},
 	macaddr_generate: function(data) {
 		let phy = this.name;
 		let idx = int(data.id ?? 0);
 		let mbssid = int(data.mbssid ?? 0) > 0;
 		let num_global = int(data.num_global ?? 1);
 		let use_global = !mbssid && idx < num_global;
 		let base_addr = phy_sysfs_file(phy, "macaddress");
 		if (!base_addr)
 			return null;
 		if (!idx && !mbssid)
 			return base_addr;
 		let base_mask = phy_sysfs_file(phy, "address_mask");
 		if (!base_mask)
 			return null;
 		if (base_mask == "00:00:00:00:00:00" && idx >= num_global) {
 			let addrs = split(phy_sysfs_file(phy, "addresses"), "\n");
 			if (idx < length(addrs))
 				return addrs[idx];
 			base_mask = "ff:ff:ff:ff:ff:ff";
 		}
 		let addr = macaddr_split(base_addr);
 		let mask = macaddr_split(base_mask);
 		let type;
 		if (mbssid)
 			type = "b5";
 		else if (use_global)
 			type = "add";
 		else if (mask[0] > 0)
 			type = "b1";
 		else if (mask[5] < 0xff)
 			type = "b5";
 		else
 			type = "add";
 		switch (type) {
 		case "b1":
 			if (!(addr[0] & 2))
 				idx--;
 			addr[0] |= 2;
 			addr[0] ^= idx << 2;
 			break;
 		case "b5":
 			if (mbssid)
 				addr[0] |= 2;
 			addr[5] ^= idx;
 			break;
 		default:
 			for (let i = 5; i > 0; i--) {
 				addr[i] += idx;
 				if (addr[i] < 256)
 					break;
 				addr[i] %= 256;
 			}
 			break;
 		}
 		return macaddr_join(addr);
 	},
 	macaddr_next: function(val) {
 		let data = this.macaddr_options ?? {};
 		let list = this.macaddr_list;
 		for (let i = 0; i < 32; i++) {
 			data.id = i;
 			let mac = this.macaddr_generate(data);
 			if (!mac)
 				return null;
 			if (list[mac] != null)
 				continue;
 			list[mac] = val != null ? val : -1;
 			return mac;
 		}
 	},
 	for_each_wdev: function(cb) {
 		let wdevs = glob(`/sys/class/ieee80211/${this.name}/device/net/*`);
 		wdevs = map(wdevs, (arg) => basename(arg));
 		for (let wdev in wdevs) {
 			if (basename(readlink(`/sys/class/net/${wdev}/phy80211`)) != this.name)
 				continue;
 			cb(wdev);
 		}
 	}
 };
 function phy_open(phy)
 {
 	let phyidx = readfile(`/sys/class/ieee80211/${phy}/index`);
 	if (!phyidx)
 		return null;
 	return proto({
 		name: phy,
 		idx: int(phyidx)
 	}, phy_proto);
 }
 const vlist_proto = {
 	update: function(values, arg) {
 		let data = this.data;
 		let cb = this.cb;
 		let seq = { };
 		let new_data = {};
 		let old_data = {};
 		this.data = new_data;
 		if (type(values) == "object") {
 			for (let key in values) {
 				old_data[key] = data[key];
 				new_data[key] = values[key];
 				delete data[key];
 			}
 		} else {
 			for (let val in values) {
 				let cur_key = val[0];
 				let cur_obj = val[1];
 				old_data[cur_key] = data[cur_key];
 				new_data[cur_key] = val[1];
 				delete data[cur_key];
 			}
 		}
 		for (let key in data) {
 			cb(null, data[key], arg);
 			delete data[key];
 		}
 		for (let key in new_data)
 			cb(new_data[key], old_data[key], arg);
 	}
 };
 function is_equal(val1, val2) {
 	let t1 = type(val1);
 	if (t1 != type(val2))
 		return false;
 	if (t1 == "array") {
 		if (length(val1) != length(val2))
 			return false;
 		for (let i = 0; i < length(val1); i++)
 			if (!is_equal(val1[i], val2[i]))
 				return false;
 		return true;
 	} else if (t1 == "object") {
 		for (let key in val1)
 			if (!is_equal(val1[key], val2[key]))
 				return false;
 		for (let key in val2)
 			if (val1[key] == null)
 				return false;
 		return true;
 	} else {
 		return val1 == val2;
 	}
 }
 function vlist_new(cb) {
 	return proto({
 			cb: cb,
 			data: {}
 		}, vlist_proto);
 }
 export { wdev_remove, wdev_create, is_equal, vlist_new, phy_is_fullmac, phy_open };
--- a/feeds/hostapd/hostapd/files/dhcp-get-server.sh
+++ b/feeds/hostapd/hostapd/files/dhcp-get-server.sh
@@ -1,2 +0,0 @@
 #!/bin/sh
 [ "$1" = bound ] && echo "$serverid"
--- a/feeds/hostapd/hostapd/files/hostapd-basic.config
+++ b/feeds/hostapd/hostapd/files/hostapd-basic.config
@@ -1,404 +0,0 @@
 # Example hostapd build time configuration
 #
 # This file lists the configuration options that are used when building the
 # hostapd binary. All lines starting with # are ignored. Configuration option
 # lines must be commented out complete, if they are not to be included, i.e.,
 # just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 # Driver interface for Host AP driver
 #CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 #CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Integrated EAP server
 #CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 #CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 #CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 #CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 #CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 #CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 #CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 #CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 #CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 #CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 #CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 #CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 #CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 #CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 #CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 #CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 #CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 CONFIG_AIRTIME_POLICY=y
 # Proxy ARP support
 #CONFIG_PROXYARP=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/hostapd-full.config
+++ b/feeds/hostapd/hostapd/files/hostapd-full.config
@@ -1,404 +0,0 @@
 # Example hostapd build time configuration
 #
 # This file lists the configuration options that are used when building the
 # hostapd binary. All lines starting with # are ignored. Configuration option
 # lines must be commented out complete, if they are not to be included, i.e.,
 # just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 # Driver interface for Host AP driver
 #CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Integrated EAP server
 CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 #CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 #CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 #CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 #CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 CONFIG_INTERWORKING=y
 # Hotspot 2.0
 CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 #CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 #CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 CONFIG_AIRTIME_POLICY=y
 # Proxy ARP support
 CONFIG_PROXYARP=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/hostapd-mini.config
+++ b/feeds/hostapd/hostapd/files/hostapd-mini.config
@@ -1,404 +0,0 @@
 # Example hostapd build time configuration
 #
 # This file lists the configuration options that are used when building the
 # hostapd binary. All lines starting with # are ignored. Configuration option
 # lines must be commented out complete, if they are not to be included, i.e.,
 # just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 # Driver interface for Host AP driver
 #CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 #CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Integrated EAP server
 #CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 #CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 #CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 #CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 #CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 #CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 #CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 #CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 #CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 #CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 #CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 #CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 #CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 #CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 #CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 #CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 #CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 #CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 #CONFIG_AIRTIME_POLICY=y
 # Proxy ARP support
 #CONFIG_PROXYARP=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/hostapd.sh
+++ b/feeds/hostapd/hostapd/files/hostapd.sh
--- a/feeds/hostapd/hostapd/files/hostapd.uc
+++ b/feeds/hostapd/hostapd/files/hostapd.uc
@@ -1,812 +0,0 @@
 let libubus = require("ubus");
 import { open, readfile } from "fs";
 import { wdev_create, wdev_remove, is_equal, vlist_new, phy_is_fullmac, phy_open } from "common";
 let ubus = libubus.connect();
 hostapd.data.config = {};
 hostapd.data.file_fields = {
 	vlan_file: true,
 	wpa_psk_file: true,
 	accept_mac_file: true,
 	deny_mac_file: true,
 	eap_user_file: true,
 	ca_cert: true,
 	server_cert: true,
 	server_cert2: true,
 	private_key: true,
 	private_key2: true,
 	dh_file: true,
 	eap_sim_db: true,
 };
 function iface_remove(cfg)
 {
 	if (!cfg || !cfg.bss || !cfg.bss[0] || !cfg.bss[0].ifname)
 		return;
 	for (let bss in cfg.bss)
 		wdev_remove(bss.ifname);
 }
 function iface_gen_config(phy, config, start_disabled)
 {
 	let str = `data:
 ${join("\n", config.radio.data)}
 channel=${config.radio.channel}
 `;
 	for (let i = 0; i < length(config.bss); i++) {
 		let bss = config.bss[i];
 		let type = i > 0 ? "bss" : "interface";
 		let nasid = bss.nasid ?? replace(bss.bssid, ":", "");
 		str += `
 ${type}=${bss.ifname}
 bssid=${bss.bssid}
 ${join("\n", bss.data)}
 nas_identifier=${nasid}
 `;
 		if (start_disabled)
 			str += `
 start_disabled=1
 `;
 	}
 	return str;
 }
 function iface_freq_info(iface, config, params)
 {
 	let freq = params.frequency;
 	if (!freq)
 		return null;
 	let sec_offset = params.sec_chan_offset;
 	if (sec_offset != -1 && sec_offset != 1)
 		sec_offset = 0;
 	let width = 0;
 	for (let line in config.radio.data) {
 		if (!sec_offset && match(line, /^ht_capab=.*HT40/)) {
 			sec_offset = null; // auto-detect
 			continue;
 		}
 		let val = match(line, /^(vht_oper_chwidth|he_oper_chwidth)=(\d+)/);
 		if (!val)
 			continue;
 		val = int(val[2]);
 		if (val > width)
 			width = val;
 	}
 	if (freq < 4000)
 		width = 0;
 	return hostapd.freq_info(freq, sec_offset, width);
 }
 function iface_add(phy, config, phy_status)
 {
 	let config_inline = iface_gen_config(phy, config, !!phy_status);
 	let bss = config.bss[0];
 	let ret = hostapd.add_iface(`bss_config=${phy}:${config_inline}`);
 	if (ret < 0)
 		return false;
 	if (!phy_status)
 		return true;
 	let iface = hostapd.interfaces[phy];
 	if (!iface)
 		return false;
 	let freq_info = iface_freq_info(iface, config, phy_status);
 	return iface.start(freq_info) >= 0;
 }
 function iface_config_macaddr_list(config)
 {
 	let macaddr_list = {};
 	for (let i = 0; i < length(config.bss); i++) {
 		let bss = config.bss[i];
 		if (!bss.default_macaddr)
 			macaddr_list[bss.bssid] = i;
 	}
 	return macaddr_list;
 }
 function iface_update_supplicant_macaddr(phy, config)
 {
 	let macaddr_list = [];
 	for (let i = 0; i < length(config.bss); i++)
 		push(macaddr_list, config.bss[i].bssid);
 	ubus.call("wpa_supplicant", "phy_set_macaddr_list", { phy: phy, macaddr: macaddr_list });
 }
 function iface_restart(phydev, config, old_config)
 {
 	let phy = phydev.name;
 	hostapd.remove_iface(phy);
 	iface_remove(old_config);
 	iface_remove(config);
 	if (!config.bss || !config.bss[0]) {
 		hostapd.printf(`No bss for phy ${phy}`);
 		return;
 	}
 	phydev.macaddr_init(iface_config_macaddr_list(config));
 	for (let i = 0; i < length(config.bss); i++) {
 		let bss = config.bss[i];
 		if (bss.default_macaddr)
 			bss.bssid = phydev.macaddr_next();
 	}
 	iface_update_supplicant_macaddr(phy, config);
 	let bss = config.bss[0];
 	let err = wdev_create(phy, bss.ifname, { mode: "ap" });
 	if (err)
 		hostapd.printf(`Failed to create ${bss.ifname} on phy ${phy}: ${err}`);
 	let ubus = hostapd.data.ubus;
 	let phy_status = ubus.call("wpa_supplicant", "phy_status", { phy: phy });
 	if (phy_status && phy_status.state == "COMPLETED") {
 		if (iface_add(phy, config, phy_status))
 			return;
 		hostapd.printf(`Failed to bring up phy ${phy} ifname=${bss.ifname} with supplicant provided frequency`);
 	}
 	ubus.call("wpa_supplicant", "phy_set_state", { phy: phy, stop: true });
 	if (!iface_add(phy, config))
 		hostapd.printf(`hostapd.add_iface failed for phy ${phy} ifname=${bss.ifname}`);
 	ubus.call("wpa_supplicant", "phy_set_state", { phy: phy, stop: false });
 }
 function array_to_obj(arr, key, start)
 {
 	let obj = {};
 	start ??= 0;
 	for (let i = start; i < length(arr); i++) {
 		let cur = arr[i];
 		obj[cur[key]] = cur;
 	}
 	return obj;
 }
 function find_array_idx(arr, key, val)
 {
 	for (let i = 0; i < length(arr); i++)
 		if (arr[i][key] == val)
 			return i;
 	return -1;
 }
 function bss_reload_psk(bss, config, old_config)
 {
 	if (is_equal(old_config.hash.wpa_psk_file, config.hash.wpa_psk_file))
 		return;
 	old_config.hash.wpa_psk_file = config.hash.wpa_psk_file;
 	if (!is_equal(old_config, config))
 		return;
 	let ret = bss.ctrl("RELOAD_WPA_PSK");
 	ret ??= "failed";
 	hostapd.printf(`Reload WPA PSK file for bss ${config.ifname}: ${ret}`);
 }
 function remove_file_fields(config)
 {
 	return filter(config, (line) => !hostapd.data.file_fields[split(line, "=")[0]]);
 }
 function bss_remove_file_fields(config)
 {
 	let new_cfg = {};
 	for (let key in config)
 		new_cfg[key] = config[key];
 	new_cfg.data = remove_file_fields(new_cfg.data);
 	new_cfg.hash = {};
 	for (let key in config.hash)
 		new_cfg.hash[key] = config.hash[key];
 	delete new_cfg.hash.wpa_psk_file;
 	delete new_cfg.hash.vlan_file;
 	return new_cfg;
 }
 function bss_config_hash(config)
 {
 	return hostapd.sha1(remove_file_fields(config) + "");
 }
 function bss_find_existing(config, prev_config, prev_hash)
 {
 	let hash = bss_config_hash(config.data);
 	for (let i = 0; i < length(prev_config.bss); i++) {
 		if (!prev_hash[i] || hash != prev_hash[i])
 			continue;
 		prev_hash[i] = null;
 		return i;
 	}
 	return -1;
 }
 function get_config_bss(config, idx)
 {
 	if (!config.bss[idx]) {
 		hostapd.printf(`Invalid bss index ${idx}`);
 		return null;
 	}
 	let ifname = config.bss[idx].ifname;
 	if (!ifname)
 		hostapd.printf(`Could not find bss ${config.bss[idx].ifname}`);
 	return hostapd.bss[ifname];
 }
 function iface_reload_config(phydev, config, old_config)
 {
 	let phy = phydev.name;
 	if (!old_config || !is_equal(old_config.radio, config.radio))
 		return false;
 	if (is_equal(old_config.bss, config.bss))
 		return true;
 	if (!old_config.bss || !old_config.bss[0])
 		return false;
 	let iface = hostapd.interfaces[phy];
 	if (!iface) {
 		hostapd.printf(`Could not find previous interface ${iface_name}`);
 		return false;
 	}
 	let iface_name = old_config.bss[0].ifname;
 	let first_bss = hostapd.bss[iface_name];
 	if (!first_bss) {
 		hostapd.printf(`Could not find bss of previous interface ${iface_name}`);
 		return false;
 	}
 	let macaddr_list = iface_config_macaddr_list(config);
 	let bss_list = [];
 	let bss_list_cfg = [];
 	let prev_bss_hash = [];
 	for (let bss in old_config.bss) {
 		let hash = bss_config_hash(bss.data);
 		push(prev_bss_hash, bss_config_hash(bss.data));
 	}
 	// Step 1: find (possibly renamed) interfaces with the same config
 	// and store them in the new order (with gaps)
 	for (let i = 0; i < length(config.bss); i++) {
 		let prev;
 		// For fullmac devices, the first interface needs to be preserved,
 		// since it's treated as the master
 		if (!i && phy_is_fullmac(phy)) {
 			prev = 0;
 			prev_bss_hash[0] = null;
 		} else {
 			prev = bss_find_existing(config.bss[i], old_config, prev_bss_hash);
 		}
 		if (prev < 0)
 			continue;
 		let cur_config = config.bss[i];
 		let prev_config = old_config.bss[prev];
 		let prev_bss = get_config_bss(old_config, prev);
 		if (!prev_bss)
 			return false;
 		// try to preserve MAC address of this BSS by reassigning another
 		// BSS if necessary
 		if (cur_config.default_macaddr &&
 		    !macaddr_list[prev_config.bssid]) {
 			macaddr_list[prev_config.bssid] = i;
 			cur_config.bssid = prev_config.bssid;
 		}
 		bss_list[i] = prev_bss;
 		bss_list_cfg[i] = old_config.bss[prev];
 	}
 	if (config.mbssid && !bss_list_cfg[0]) {
 		hostapd.printf("First BSS changed with MBSSID enabled");
 		return false;
 	}
 	// Step 2: if none were found, rename and preserve the first one
 	if (length(bss_list) == 0) {
 		// can't change the bssid of the first bss
 		if (config.bss[0].bssid != old_config.bss[0].bssid) {
 			if (!config.bss[0].default_macaddr) {
 				hostapd.printf(`BSSID of first interface changed: ${lc(old_config.bss[0].bssid)} -> ${lc(config.bss[0].bssid)}`);
 				return false;
 			}
 			config.bss[0].bssid = old_config.bss[0].bssid;
 		}
 		let prev_bss = get_config_bss(old_config, 0);
 		if (!prev_bss)
 			return false;
 		macaddr_list[config.bss[0].bssid] = 0;
 		bss_list[0] = prev_bss;
 		bss_list_cfg[0] = old_config.bss[0];
 		prev_bss_hash[0] = null;
 	}
 	// Step 3: delete all unused old interfaces
 	for (let i = 0; i < length(prev_bss_hash); i++) {
 		if (!prev_bss_hash[i])
 			continue;
 		let prev_bss = get_config_bss(old_config, i);
 		if (!prev_bss)
 			return false;
 		let ifname = old_config.bss[i].ifname;
 		hostapd.printf(`Remove bss '${ifname}' on phy '${phy}'`);
 		prev_bss.delete();
 		wdev_remove(ifname);
 	}
 	// Step 4: rename preserved interfaces, use temporary name on duplicates
 	let rename_list = [];
 	for (let i = 0; i < length(bss_list); i++) {
 		if (!bss_list[i])
 			continue;
 		let old_ifname = bss_list_cfg[i].ifname;
 		let new_ifname = config.bss[i].ifname;
 		if (old_ifname == new_ifname)
 			continue;
 		if (hostapd.bss[new_ifname]) {
 			new_ifname = "tmp_" + substr(hostapd.sha1(new_ifname), 0, 8);
 			push(rename_list, i);
 		}
 		hostapd.printf(`Rename bss ${old_ifname} to ${new_ifname}`);
 		if (!bss_list[i].rename(new_ifname)) {
 			hostapd.printf(`Failed to rename bss ${old_ifname} to ${new_ifname}`);
 			return false;
 		}
 		bss_list_cfg[i].ifname = new_ifname;
 	}
 	// Step 5: rename interfaces with temporary names
 	for (let i in rename_list) {
 		let new_ifname = config.bss[i].ifname;
 		if (!bss_list[i].rename(new_ifname)) {
 			hostapd.printf(`Failed to rename bss to ${new_ifname}`);
 			return false;
 		}
 		bss_list_cfg[i].ifname = new_ifname;
 	}
 	// Step 6: assign BSSID for newly created interfaces
 	let macaddr_data = {
 		num_global: config.num_global_macaddr ?? 1,
 		mbssid: config.mbssid ?? 0,
 	};
 	macaddr_list = phydev.macaddr_init(macaddr_list, macaddr_data);
 	for (let i = 0; i < length(config.bss); i++) {
 		if (bss_list[i])
 			continue;
 		let bsscfg = config.bss[i];
 		let mac_idx = macaddr_list[bsscfg.bssid];
 		if (mac_idx < 0)
 			macaddr_list[bsscfg.bssid] = i;
 		if (mac_idx == i)
 			continue;
 		// statically assigned bssid of the new interface is in conflict
 		// with the bssid of a reused interface. reassign the reused interface
 		if (!bsscfg.default_macaddr) {
 			// can't update bssid of the first BSS, need to restart
 			if (!mac_idx < 0)
 				return false;
 			bsscfg = config.bss[mac_idx];
 		}
 		let addr = phydev.macaddr_next(i);
 		if (!addr) {
 			hostapd.printf(`Failed to generate mac address for phy ${phy}`);
 			return false;
 		}
 		bsscfg.bssid = addr;
 	}
 	let config_inline = iface_gen_config(phy, config);
 	// Step 7: fill in the gaps with new interfaces
 	for (let i = 0; i < length(config.bss); i++) {
 		let ifname = config.bss[i].ifname;
 		let bss = bss_list[i];
 		if (bss)
 			continue;
 		hostapd.printf(`Add bss ${ifname} on phy ${phy}`);
 		bss_list[i] = iface.add_bss(config_inline, i);
 		if (!bss_list[i]) {
 			hostapd.printf(`Failed to add new bss ${ifname} on phy ${phy}`);
 			return false;
 		}
 	}
 	// Step 8: update interface bss order
 	if (!iface.set_bss_order(bss_list)) {
 		hostapd.printf(`Failed to update BSS order on phy '${phy}'`);
 		return false;
 	}
 	// Step 9: update config
 	for (let i = 0; i < length(config.bss); i++) {
 		if (!bss_list_cfg[i])
 			continue;
 		let ifname = config.bss[i].ifname;
 		let bss = bss_list[i];
 		if (is_equal(config.bss[i], bss_list_cfg[i]))
 			continue;
 		if (is_equal(bss_remove_file_fields(config.bss[i]),
 		             bss_remove_file_fields(bss_list_cfg[i]))) {
 			hostapd.printf(`Update config data files for bss ${ifname}`);
 			if (bss.set_config(config_inline, i, true) < 0) {
 				hostapd.printf(`Could not update config data files for bss ${ifname}`);
 				return false;
 			} else {
 				bss.ctrl("RELOAD_WPA_PSK");
 				continue;
 			}
 		}
 		bss_reload_psk(bss, config.bss[i], bss_list_cfg[i]);
 		if (is_equal(config.bss[i], bss_list_cfg[i]))
 			continue;
 		hostapd.printf(`Reload config for bss '${config.bss[0].ifname}' on phy '${phy}'`);
 		if (bss.set_config(config_inline, i) < 0) {
 			hostapd.printf(`Failed to set config for bss ${ifname}`);
 			return false;
 		}
 	}
 	return true;
 }
 function iface_set_config(phy, config)
 {
 	let old_config = hostapd.data.config[phy];
 	hostapd.data.config[phy] = config;
 	if (!config) {
 		hostapd.remove_iface(phy);
 		return iface_remove(old_config);
 	}
 	let phydev = phy_open(phy);
 	if (!phydev) {
 		hostapd.printf(`Failed to open phy ${phy}`);
 		return false;
 	}
 	try {
 		let ret = iface_reload_config(phydev, config, old_config);
 		if (ret) {
 			iface_update_supplicant_macaddr(phy, config);
 			hostapd.printf(`Reloaded settings for phy ${phy}`);
 			return 0;
 		}
 	} catch (e) {
 			hostapd.printf(`Error reloading config: ${e}\n${e.stacktrace[0].context}`);
 	}
 	hostapd.printf(`Restart interface for phy ${phy}`);
 	let ret = iface_restart(phydev, config, old_config);
 	return ret;
 }
 function config_add_bss(config, name)
 {
 	let bss = {
 		ifname: name,
 		data: [],
 		hash: {}
 	};
 	push(config.bss, bss);
 	return bss;
 }
 function iface_load_config(filename)
 {
 	let f = open(filename, "r");
 	if (!f)
 		return null;
 	let config = {
 		radio: {
 			data: []
 		},
 		bss: [],
 		orig_file: filename,
 	};
 	let bss;
 	let line;
 	while ((line = trim(f.read("line"))) != null) {
 		let val = split(line, "=", 2);
 		if (!val[0])
 			continue;
 		if (val[0] == "interface") {
 			bss = config_add_bss(config, val[1]);
 			break;
 		}
 		if (val[0] == "channel") {
 			config.radio.channel = val[1];
 			continue;
 		}
 		if (val[0] == "#num_global_macaddr" ||
 		    val[0] == "mbssid")
 			config[val[0]] = int(val[1]);
 		push(config.radio.data, line);
 	}
 	while ((line = trim(f.read("line"))) != null) {
 		if (line == "#default_macaddr")
 			bss.default_macaddr = true;
 		let val = split(line, "=", 2);
 		if (!val[0])
 			continue;
 		if (val[0] == "bssid") {
 			bss.bssid = lc(val[1]);
 			continue;
 		}
 		if (val[0] == "nas_identifier")
 			bss.nasid = val[1];
 		if (val[0] == "bss") {
 			bss = config_add_bss(config, val[1]);
 			continue;
 		}
 		if (hostapd.data.file_fields[val[0]])
 			bss.hash[val[0]] = hostapd.sha1(readfile(val[1]));
 		push(bss.data, line);
 	}
 	f.close();
 	return config;
 }
 function ex_wrap(func) {
 	return (req) => {
 		try {
 			let ret = func(req);
 			return ret;
 		} catch(e) {
 			hostapd.printf(`Exception in ubus function: ${e}\n${e.stacktrace[0].context}`);
 		}
 		return libubus.STATUS_UNKNOWN_ERROR;
 	};
 }
 let main_obj = {
 	reload: {
 		args: {
 			phy: "",
 		},
 		call: ex_wrap(function(req) {
 			let phy_list = req.args.phy ? [ req.args.phy ] : keys(hostapd.data.config);
 			for (let phy_name in phy_list) {
 				let phy = hostapd.data.config[phy_name];
 				let config = iface_load_config(phy.orig_file);
 				iface_set_config(phy_name, config);
 			}
 			return 0;
 		})
 	},
 	apsta_state: {
 		args: {
 			phy: "",
 			up: true,
 			frequency: 0,
 			sec_chan_offset: 0,
 			csa: true,
 			csa_count: 0,
 		},
 		call: ex_wrap(function(req) {
 			if (req.args.up == null || !req.args.phy)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			let phy = req.args.phy;
 			let config = hostapd.data.config[phy];
 			if (!config || !config.bss || !config.bss[0] || !config.bss[0].ifname)
 				return 0;
 			let iface = hostapd.interfaces[phy];
 			if (!iface)
 				return 0;
 			if (!req.args.up) {
 				iface.stop();
 				return 0;
 			}
 			if (!req.args.frequency)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			let freq_info = iface_freq_info(iface, config, req.args);
 			if (!freq_info)
 				return libubus.STATUS_UNKNOWN_ERROR;
 			let ret;
 			if (req.args.csa) {
 				freq_info.csa_count = req.args.csa_count ?? 10;
 				ret = iface.switch_channel(freq_info);
 			} else {
 				ret = iface.start(freq_info);
 			}
 			if (!ret)
 				return libubus.STATUS_UNKNOWN_ERROR;
 			return 0;
 		})
 	},
 	config_get_macaddr_list: {
 		args: {
 			phy: ""
 		},
 		call: ex_wrap(function(req) {
 			let phy = req.args.phy;
 			if (!phy)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			let ret = {
 				macaddr: [],
 			};
 			let config = hostapd.data.config[phy];
 			if (!config)
 				return ret;
 			ret.macaddr = map(config.bss, (bss) => bss.bssid);
 			return ret;
 		})
 	},
 	config_set: {
 		args: {
 			phy: "",
 			config: "",
 			prev_config: "",
 		},
 		call: ex_wrap(function(req) {
 			let phy = req.args.phy;
 			let file = req.args.config;
 			let prev_file = req.args.prev_config;
 			if (!phy)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			if (prev_file && !hostapd.data.config[phy]) {
 				let config = iface_load_config(prev_file);
 				if (config)
 					config.radio.data = [];
 				hostapd.data.config[phy] = config;
 			}
 			let config = iface_load_config(file);
 			hostapd.printf(`Set new config for phy ${phy}: ${file}`);
 			iface_set_config(phy, config);
 			return {
 				pid: hostapd.getpid()
 			};
 		})
 	},
 	config_add: {
 		args: {
 			iface: "",
 			config: "",
 		},
 		call: ex_wrap(function(req) {
 			if (!req.args.iface || !req.args.config)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			if (hostapd.add_iface(`bss_config=${req.args.iface}:${req.args.config}`) < 0)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			return {
 				pid: hostapd.getpid()
 			};
 		})
 	},
 	config_remove: {
 		args: {
 			iface: ""
 		},
 		call: ex_wrap(function(req) {
 			if (!req.args.iface)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			hostapd.remove_iface(req.args.iface);
 			return 0;
 		})
 	},
 };
 hostapd.data.ubus = ubus;
 hostapd.data.obj = ubus.publish("hostapd", main_obj);
 function bss_event(type, name, data) {
 	let ubus = hostapd.data.ubus;
 	data ??= {};
 	data.name = name;
 	hostapd.data.obj.notify(`bss.${type}`, data, null, null, null, -1);
 	ubus.call("service", "event", { type: `hostapd.${name}.${type}`, data: {} });
 }
 return {
 	shutdown: function() {
 		for (let phy in hostapd.data.config)
 			iface_set_config(phy, null);
 		hostapd.ubus.disconnect();
 	},
 	bss_add: function(name, obj) {
 		bss_event("add", name);
 	},
 	bss_reload: function(name, obj, reconf) {
 		bss_event("reload", name, { reconf: reconf != 0 });
 	},
 	bss_remove: function(name, obj) {
 		bss_event("remove", name);
 	}
 };
--- a/feeds/hostapd/hostapd/files/radius.clients
+++ b/feeds/hostapd/hostapd/files/radius.clients
@@ -1 +0,0 @@
 0.0.0.0/0 radius
--- a/feeds/hostapd/hostapd/files/radius.config
+++ b/feeds/hostapd/hostapd/files/radius.config
@@ -1,9 +0,0 @@
 config radius
 	option disabled '1'
 	option ca_cert '/etc/radius/ca.pem'
 	option cert '/etc/radius/cert.pem'
 	option key '/etc/radius/key.pem'
 	option users '/etc/radius/users'
 	option clients '/etc/radius/clients'
 	option auth_port '1812'
 	option acct_port '1813'
--- a/feeds/hostapd/hostapd/files/radius.init
+++ b/feeds/hostapd/hostapd/files/radius.init
@@ -1,42 +0,0 @@
 #!/bin/sh /etc/rc.common
 START=30
 USE_PROCD=1
 NAME=radius
 radius_start() {
 	local cfg="$1"
 	config_get_bool disabled "$cfg" disabled 0
 	[ "$disabled" -gt 0 ] && return
 	config_get ca "$cfg" ca_cert
 	config_get key "$cfg" key
 	config_get cert "$cfg" cert
 	config_get users "$cfg" users
 	config_get clients "$cfg" clients
 	config_get auth_port "$cfg" auth_port 1812
 	config_get acct_port "$cfg" acct_port 1813
 	config_get identity "$cfg" identity "$(cat /proc/sys/kernel/hostname)"
 	procd_open_instance $cfg
 	procd_set_param command /usr/sbin/hostapd-radius \
 		-C "$ca" \
 		-c "$cert" -k "$key" \
 		-s "$clients" -u "$users" \
 		-p "$auth_port" -P "$acct_port" \
 		-i "$identity"
 	procd_close_instance
 }
 start_service() {
 	config_load radius
 	config_foreach radius_start radius
 }
 service_triggers()
 {
 	procd_add_reload_trigger "radius"
 }
--- a/feeds/hostapd/hostapd/files/radius.users
+++ b/feeds/hostapd/hostapd/files/radius.users
@@ -1,14 +0,0 @@
 {
 	"phase1": {
 		"wildcard": [
 			{
 				"name": "*",
 				"methods": [ "PEAP" ]
 			}
 		]
 	},
 	"phase2": {
 		"users": {
 		}
 	}
 }
--- a/feeds/hostapd/hostapd/files/wdev.uc
+++ b/feeds/hostapd/hostapd/files/wdev.uc
@@ -1,207 +0,0 @@
 #!/usr/bin/env ucode
 'use strict';
 import { vlist_new, is_equal, wdev_create, wdev_remove, phy_open } from "/usr/share/hostap/common.uc";
 import { readfile, writefile, basename, readlink, glob } from "fs";
 let libubus = require("ubus");
 let keep_devices = {};
 let phy = shift(ARGV);
 let command = shift(ARGV);
 let phydev;
 const mesh_params = [
 	"mesh_retry_timeout", "mesh_confirm_timeout", "mesh_holding_timeout", "mesh_max_peer_links",
 	"mesh_max_retries", "mesh_ttl", "mesh_element_ttl", "mesh_hwmp_max_preq_retries",
 	"mesh_path_refresh_time", "mesh_min_discovery_timeout", "mesh_hwmp_active_path_timeout",
 	"mesh_hwmp_preq_min_interval", "mesh_hwmp_net_diameter_traversal_time", "mesh_hwmp_rootmode",
 	"mesh_hwmp_rann_interval", "mesh_gate_announcements", "mesh_sync_offset_max_neighor",
 	"mesh_rssi_threshold", "mesh_hwmp_active_path_to_root_timeout", "mesh_hwmp_root_interval",
 	"mesh_hwmp_confirmation_interval", "mesh_awake_window", "mesh_plink_timeout",
 	"mesh_auto_open_plinks", "mesh_fwding", "mesh_power_mode"
 ];
 function iface_stop(wdev)
 {
 	if (keep_devices[wdev.ifname])
 		return;
 	wdev_remove(wdev.ifname);
 }
 function iface_start(wdev)
 {
 	let ifname = wdev.ifname;
 	if (readfile(`/sys/class/net/${ifname}/ifindex`)) {
 		system([ "ip", "link", "set", "dev", ifname, "down" ]);
 		wdev_remove(ifname);
 	}
 	let wdev_config = {};
 	for (let key in wdev)
 		wdev_config[key] = wdev[key];
 	if (!wdev_config.macaddr && wdev.mode != "monitor")
 		wdev_config.macaddr = phydev.macaddr_next();
 	wdev_create(phy, ifname, wdev_config);
 	system([ "ip", "link", "set", "dev", ifname, "up" ]);
 	if (wdev.freq)
 		system(`iw dev ${ifname} set freq ${wdev.freq} ${wdev.htmode}`);
 	if (wdev.mode == "adhoc") {
 		let cmd = ["iw", "dev", ifname, "ibss", "join", wdev.ssid, wdev.freq, wdev.htmode, "fixed-freq" ];
 		if (wdev.bssid)
 			push(cmd, wdev.bssid);
 		for (let key in [ "beacon-interval", "basic-rates", "mcast-rate", "keys" ])
 			if (wdev[key])
 				push(cmd, key, wdev[key]);
 		system(cmd);
 	} else if (wdev.mode == "mesh") {
 		let cmd = [ "iw", "dev", ifname, "mesh", "join", wdev.ssid, "freq", wdev.freq, wdev.htmode ];
 		for (let key in [ "mcast-rate", "beacon-interval" ])
 			if (wdev[key])
 				push(cmd, key, wdev[key]);
 		system(cmd);
 		cmd = ["iw", "dev", ifname, "set", "mesh_param" ];
 		let len = length(cmd);
 		for (let param in mesh_params)
 			if (wdev[param])
 				push(cmd, param, wdev[param]);
 		if (len == length(cmd))
 			return;
 		system(cmd);
 	}
 }
 function iface_cb(new_if, old_if)
 {
 	if (old_if && new_if && is_equal(old_if, new_if))
 		return;
 	if (old_if)
 		iface_stop(old_if);
 	if (new_if)
 		iface_start(new_if);
 }
 function drop_inactive(config)
 {
 	for (let key in config) {
 		if (!readfile(`/sys/class/net/${key}/ifindex`))
 			delete config[key];
 	}
 }
 function add_ifname(config)
 {
 	for (let key in config)
 		config[key].ifname = key;
 }
 function delete_ifname(config)
 {
 	for (let key in config)
 		delete config[key].ifname;
 }
 function add_existing(phy, config)
 {
 	let wdevs = glob(`/sys/class/ieee80211/${phy}/device/net/*`);
 	wdevs = map(wdevs, (arg) => basename(arg));
 	for (let wdev in wdevs) {
 		if (config[wdev])
 			continue;
 		if (basename(readlink(`/sys/class/net/${wdev}/phy80211`)) != phy)
 			continue;
 		if (trim(readfile(`/sys/class/net/${wdev}/operstate`)) == "down")
 			config[wdev] = {};
 	}
 }
 function usage()
 {
 	warn(`Usage: ${basename(sourcepath())} <phy> <command> [<arguments>]
 Commands:
 	set_config <config> [<device]...] - set phy configuration
 	get_macaddr <id>		  - get phy MAC address for vif index <id>
 `);
 	exit(1);
 }
 const commands = {
 	set_config: function(args) {
 		let statefile = `/var/run/wdev-${phy}.json`;
 		let new_config = shift(args);
 		for (let dev in ARGV)
 			keep_devices[dev] = true;
 		if (!new_config)
 			usage();
 		new_config = json(new_config);
 		if (!new_config) {
 			warn("Invalid configuration\n");
 			exit(1);
 		}
 		let old_config = readfile(statefile);
 		if (old_config)
 			old_config = json(old_config);
 		let config = vlist_new(iface_cb);
 		if (type(old_config) == "object")
 			config.data = old_config;
 		add_existing(phy, config.data);
 		add_ifname(config.data);
 		drop_inactive(config.data);
 		let ubus = libubus.connect();
 		let data = ubus.call("hostapd", "config_get_macaddr_list", { phy: phy });
 		let macaddr_list = [];
 		if (type(data) == "object" && data.macaddr)
 			macaddr_list = data.macaddr;
 		ubus.disconnect();
 		phydev.macaddr_init(macaddr_list);
 		add_ifname(new_config);
 		config.update(new_config);
 		drop_inactive(config.data);
 		delete_ifname(config.data);
 		writefile(statefile, sprintf("%J", config.data));
 	},
 	get_macaddr: function(args) {
 		let data = {};
 		for (let arg in args) {
 			arg = split(arg, "=", 2);
 			data[arg[0]] = arg[1];
 		}
 		let macaddr = phydev.macaddr_generate(data);
 		if (!macaddr) {
 			warn(`Could not get MAC address for phy ${phy}\n`);
 			exit(1);
 		}
 		print(macaddr + "\n");
 	},
 };
 if (!phy || !command | !commands[command])
 	usage();
 phydev = phy_open(phy);
 if (!phydev) {
 	warn(`PHY ${phy} does not exist\n`);
 	exit(1);
 }
 commands[command](ARGV);
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-basic.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-basic.config
@@ -1,625 +0,0 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 #CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 #CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 #CONFIG_EAP_TLS=y
 # EAL-PEAP
 #CONFIG_EAP_PEAP=y
 # EAP-TTLS
 #CONFIG_EAP_TTLS=y
 # EAP-FAST
 #CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 #CONFIG_EAP_GTC=y
 # EAP-OTP
 #CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 #CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 #CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 #CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 #CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 #CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-full.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-full.config
@@ -1,625 +0,0 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 CONFIG_EAP_TLS=y
 # EAL-PEAP
 CONFIG_EAP_PEAP=y
 # EAP-TTLS
 CONFIG_EAP_TTLS=y
 # EAP-FAST
 CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 CONFIG_EAP_GTC=y
 # EAP-OTP
 CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 #CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 CONFIG_INTERWORKING=y
 # Hotspot 2.0
 CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 #CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 #CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-mini.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-mini.config
@@ -1,625 +0,0 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 #CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 #CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 #CONFIG_EAP_TLS=y
 # EAL-PEAP
 #CONFIG_EAP_PEAP=y
 # EAP-TTLS
 #CONFIG_EAP_TTLS=y
 # EAP-FAST
 #CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 #CONFIG_EAP_GTC=y
 # EAP-OTP
 #CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 #CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 #CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 #CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 #CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 #CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 #CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-p2p.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-p2p.config
@@ -1,625 +0,0 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 CONFIG_EAP_TLS=y
 # EAL-PEAP
 CONFIG_EAP_PEAP=y
 # EAP-TTLS
 CONFIG_EAP_TTLS=y
 # EAP-FAST
 CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 CONFIG_EAP_GTC=y
 # EAP-OTP
 CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 #CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 #CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant.uc
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant.uc
@@ -1,330 +0,0 @@
 let libubus = require("ubus");
 import { open, readfile } from "fs";
 import { wdev_create, wdev_remove, is_equal, vlist_new, phy_open } from "common";
 let ubus = libubus.connect();
 wpas.data.config = {};
 wpas.data.iface_phy = {};
 wpas.data.macaddr_list = {};
 function iface_stop(iface)
 {
 	let ifname = iface.config.iface;
 	if (!iface.running)
 		return;
 	delete wpas.data.iface_phy[ifname];
 	wpas.remove_iface(ifname);
 	wdev_remove(ifname);
 	iface.running = false;
 }
 function iface_start(phydev, iface, macaddr_list)
 {
 	let phy = phydev.name;
 	if (iface.running)
 		return;
 	let ifname = iface.config.iface;
 	let wdev_config = {};
 	for (let field in iface.config)
 		wdev_config[field] = iface.config[field];
 	if (!wdev_config.macaddr)
 		wdev_config.macaddr = phydev.macaddr_next();
 	wpas.data.iface_phy[ifname] = phy;
 	wdev_remove(ifname);
 	let ret = wdev_create(phy, ifname, wdev_config);
 	if (ret)
 		wpas.printf(`Failed to create device ${ifname}: ${ret}`);
 	wpas.add_iface(iface.config);
 	iface.running = true;
 }
 function iface_cb(new_if, old_if)
 {
 	if (old_if && new_if && is_equal(old_if.config, new_if.config)) {
 		new_if.running = old_if.running;
 		return;
 	}
 	if (new_if && old_if)
 		wpas.printf(`Update configuration for interface ${old_if.config.iface}`);
 	else if (old_if)
 		wpas.printf(`Remove interface ${old_if.config.iface}`);
 	if (old_if)
 		iface_stop(old_if);
 }
 function prepare_config(config)
 {
 	config.config_data = readfile(config.config);
 	return { config: config };
 }
 function set_config(phy_name, config_list)
 {
 	let phy = wpas.data.config[phy_name];
 	if (!phy) {
 		phy = vlist_new(iface_cb, false);
 		wpas.data.config[phy_name] = phy;
 	}
 	let values = [];
 	for (let config in config_list)
 		push(values, [ config.iface, prepare_config(config) ]);
 	phy.update(values);
 }
 function start_pending(phy_name)
 {
 	let phy = wpas.data.config[phy_name];
 	let ubus = wpas.data.ubus;
 	if (!phy || !phy.data)
 		return;
 	let phydev = phy_open(phy_name);
 	if (!phydev) {
 		wpas.printf(`Could not open phy ${phy_name}`);
 		return;
 	}
 	let macaddr_list = wpas.data.macaddr_list[phy_name];
 	phydev.macaddr_init(macaddr_list);
 	for (let ifname in phy.data)
 		iface_start(phydev, phy.data[ifname]);
 }
 let main_obj = {
 	phy_set_state: {
 		args: {
 			phy: "",
 			stop: true,
 		},
 		call: function(req) {
 			if (!req.args.phy || req.args.stop == null)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			let phy = wpas.data.config[req.args.phy];
 			if (!phy)
 				return libubus.STATUS_NOT_FOUND;
 			try {
 				if (req.args.stop) {
 					for (let ifname in phy.data)
 						iface_stop(phy.data[ifname]);
 				} else {
 					start_pending(req.args.phy);
 				}
 			} catch (e) {
 				wpas.printf(`Error chaging state: ${e}\n${e.stacktrace[0].context}`);
 				return libubus.STATUS_INVALID_ARGUMENT;
 			}
 			return 0;
 		}
 	},
 	phy_set_macaddr_list: {
 		args: {
 			phy: "",
 			macaddr: [],
 		},
 		call: function(req) {
 			let phy = req.args.phy;
 			if (!phy)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			wpas.data.macaddr_list[phy] = req.args.macaddr;
 			return 0;
 		}
 	},
 	phy_status: {
 		args: {
 			phy: ""
 		},
 		call: function(req) {
 			if (!req.args.phy)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			let phy = wpas.data.config[req.args.phy];
 			if (!phy)
 				return libubus.STATUS_NOT_FOUND;
 			for (let ifname in phy.data) {
 				try {
 					let iface = wpas.interfaces[ifname];
 					if (!iface)
 						continue;
 					let status = iface.status();
 					if (!status)
 						continue;
 					if (status.state == "INTERFACE_DISABLED")
 						continue;
 					status.ifname = ifname;
 					return status;
 				} catch (e) {
 					continue;
 				}
 			}
 			return libubus.STATUS_NOT_FOUND;
 		}
 	},
 	config_set: {
 		args: {
 			phy: "",
 			config: [],
 			defer: true,
 		},
 		call: function(req) {
 			if (!req.args.phy)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			wpas.printf(`Set new config for phy ${req.args.phy}`);
 			try {
 				if (req.args.config)
 					set_config(req.args.phy, req.args.config);
 				if (!req.args.defer)
 					start_pending(req.args.phy);
 			} catch (e) {
 				wpas.printf(`Error loading config: ${e}\n${e.stacktrace[0].context}`);
 				return libubus.STATUS_INVALID_ARGUMENT;
 			}
 			return {
 				pid: wpas.getpid()
 			};
 		}
 	},
 	config_add: {
 		args: {
 			driver: "",
 			iface: "",
 			bridge: "",
 			hostapd_ctrl: "",
 			ctrl: "",
 			config: "",
 		},
 		call: function(req) {
 			if (!req.args.iface || !req.args.config)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			if (wpas.add_iface(req.args) < 0)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			return {
 				pid: wpas.getpid()
 			};
 		}
 	},
 	config_remove: {
 		args: {
 			iface: ""
 		},
 		call: function(req) {
 			if (!req.args.iface)
 				return libubus.STATUS_INVALID_ARGUMENT;
 			wpas.remove_iface(req.args.iface);
 			return 0;
 		}
 	},
 };
 wpas.data.ubus = ubus;
 wpas.data.obj = ubus.publish("wpa_supplicant", main_obj);
 function iface_event(type, name, data) {
 	let ubus = wpas.data.ubus;
 	data ??= {};
 	data.name = name;
 	wpas.data.obj.notify(`iface.${type}`, data, null, null, null, -1);
 	ubus.call("service", "event", { type: `wpa_supplicant.${name}.${type}`, data: {} });
 }
 function iface_hostapd_notify(phy, ifname, iface, state)
 {
 	let ubus = wpas.data.ubus;
 	let status = iface.status();
 	let msg = { phy: phy };
 	switch (state) {
 	case "DISCONNECTED":
 	case "AUTHENTICATING":
 	case "SCANNING":
 		msg.up = false;
 		break;
 	case "INTERFACE_DISABLED":
 	case "INACTIVE":
 		msg.up = true;
 		break;
 	case "COMPLETED":
 		msg.up = true;
 		msg.frequency = status.frequency;
 		msg.sec_chan_offset = status.sec_chan_offset;
 		break;
 	default:
 		return;
 	}
 	ubus.call("hostapd", "apsta_state", msg);
 }
 function iface_channel_switch(phy, ifname, iface, info)
 {
 	let msg = {
 		phy: phy,
 		up: true,
 		csa: true,
 		csa_count: info.csa_count ? info.csa_count - 1 : 0,
 		frequency: info.frequency,
 		sec_chan_offset: info.sec_chan_offset,
 	};
 	ubus.call("hostapd", "apsta_state", msg);
 }
 return {
 	shutdown: function() {
 		for (let phy in wpas.data.config)
 			set_config(phy, []);
 		wpas.ubus.disconnect();
 	},
 	iface_add: function(name, obj) {
 		iface_event("add", name);
 	},
 	iface_remove: function(name, obj) {
 		iface_event("remove", name);
 	},
 	state: function(ifname, iface, state) {
 		let phy = wpas.data.iface_phy[ifname];
 		if (!phy) {
 			wpas.printf(`no PHY for ifname ${ifname}`);
 			return;
 		}
 		iface_hostapd_notify(phy, ifname, iface, state);
 	},
 	event: function(ifname, iface, ev, info) {
 		let phy = wpas.data.iface_phy[ifname];
 		if (!phy) {
 			wpas.printf(`no PHY for ifname ${ifname}`);
 			return;
 		}
 		if (ev == "CH_SWITCH_STARTED")
 			iface_channel_switch(phy, ifname, iface, info);
 	}
 };
--- a/feeds/hostapd/hostapd/files/wpad.init
+++ b/feeds/hostapd/hostapd/files/wpad.init
@@ -1,43 +0,0 @@
 #!/bin/sh /etc/rc.common
 START=19
 STOP=21
 USE_PROCD=1
 NAME=wpad
 start_service() {
 	if [ -x "/usr/sbin/hostapd" ]; then
 		mkdir -p /var/run/hostapd
 		chown network:network /var/run/hostapd
 		procd_open_instance hostapd
 		procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
 		procd_set_param respawn 3600 1 0
 		procd_set_param limits core="unlimited"
 		[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
 			procd_add_jail hostapd
 			procd_set_param capabilities /etc/capabilities/wpad.json
 			procd_set_param user network
 			procd_set_param group network
 			procd_set_param no_new_privs 1
 		}
 		procd_close_instance
 	fi
 	if [ -x "/usr/sbin/wpa_supplicant" ]; then
 		mkdir -p /var/run/wpa_supplicant
 		chown network:network /var/run/wpa_supplicant
 		procd_open_instance supplicant
 		procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
 		procd_set_param respawn 3600 1 0
 		procd_set_param limits core="unlimited"
 		[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
 			procd_add_jail wpa_supplicant
 			procd_set_param capabilities /etc/capabilities/wpad.json
 			procd_set_param user network
 			procd_set_param group network
 			procd_set_param no_new_privs 1
 		}
 		procd_close_instance
 	fi
 }
--- a/feeds/hostapd/hostapd/files/wpad.json
+++ b/feeds/hostapd/hostapd/files/wpad.json
@@ -1,22 +0,0 @@
 {
 	"bounding": [
 		"CAP_NET_ADMIN",
 		"CAP_NET_RAW"
 	],
 	"effective": [
 		"CAP_NET_ADMIN",
 		"CAP_NET_RAW"
 	],
 	"ambient": [
 		"CAP_NET_ADMIN",
 		"CAP_NET_RAW"
 	],
 	"permitted": [
 		"CAP_NET_ADMIN",
 		"CAP_NET_RAW"
 	],
 	"inheritable": [
 		"CAP_NET_ADMIN",
 		"CAP_NET_RAW"
 	]
 }
--- a/feeds/hostapd/hostapd/files/wpad_acl.json
+++ b/feeds/hostapd/hostapd/files/wpad_acl.json
@@ -1,16 +0,0 @@
 {
 	"user": "network",
 	"access": {
 		"service": {
 			"methods": [ "event" ]
 		},
 		"wpa_supplicant": {
 			"methods": [ "phy_set_state", "phy_set_macaddr_list", "phy_status" ]
 		},
 		"hostapd": {
 			"methods": [ "apsta_state" ]
 		}
 	},
 	"publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
 	"send": [ "bss.*", "wps_credentials" ]
 }
--- a/feeds/hostapd/hostapd/files/wps-hotplug.sh
+++ b/feeds/hostapd/hostapd/files/wps-hotplug.sh
@@ -1,69 +0,0 @@
 #!/bin/sh
 wps_catch_credentials() {
 	local iface ifaces ifc ifname ssid encryption key radio radios
 	local found=0
 	. /usr/share/libubox/jshn.sh
 	ubus -S -t 30 listen wps_credentials | while read creds; do
 		json_init
 		json_load "$creds"
 		json_select wps_credentials || continue
 		json_get_vars ifname ssid key encryption
 		local ifcname="$ifname"
 		json_init
 		json_load "$(ubus -S call network.wireless status)"
 		json_get_keys radios
 		for radio in $radios; do
 			json_select $radio
 			json_select interfaces
 			json_get_keys ifaces
 			for ifc in $ifaces; do
 				json_select $ifc
 				json_get_vars ifname
 				[ "$ifname" = "$ifcname" ] && {
 					ubus -S call uci set "{\"config\":\"wireless\", \"type\":\"wifi-iface\",		\
 								\"match\": { \"device\": \"$radio\", \"encryption\": \"wps\" },	\
 								\"values\": { \"encryption\": \"$encryption\", 			\
 										\"ssid\": \"$ssid\", 				\
 										\"key\": \"$key\" } }"
 					ubus -S call uci commit '{"config": "wireless"}'
 					ubus -S call uci apply
 				}
 				json_select ..
 			done
 			json_select ..
 			json_select ..
 		done
 	done
 }
 if [ "$ACTION" = "released" ] && [ "$BUTTON" = "wps" ]; then
 	# If the button was pressed for 3 seconds or more, trigger WPS on
 	# wpa_supplicant only, no matter if hostapd is running or not.  If
 	# was pressed for less than 3 seconds, try triggering on
 	# hostapd. If there is no hostapd instance to trigger it on or WPS
 	# is not enabled on them, trigger it on wpa_supplicant.
 	if [ "$SEEN" -lt 3 ] ; then
 		wps_done=0
 		ubusobjs="$( ubus -S list hostapd.* )"
 		for ubusobj in $ubusobjs; do
 			ubus -S call $ubusobj wps_start && wps_done=1
 		done
 		[ $wps_done = 0 ] || return 0
 	fi
 	wps_done=0
 	ubusobjs="$( ubus -S list wpa_supplicant.* )"
 	for ubusobj in $ubusobjs; do
 		ifname="$(echo $ubusobj | cut -d'.' -f2 )"
 		multi_ap=""
 		if [ -e "/var/run/wpa_supplicant-${ifname}.conf.is_multiap" ]; then
 			ubus -S call $ubusobj wps_start '{ "multi_ap": true }' && wps_done=1
 		else
 			ubus -S call $ubusobj wps_start && wps_done=1
 		fi
 	done
 	[ $wps_done = 0 ] || wps_catch_credentials &
 fi
 return 0
--- a/feeds/hostapd/hostapd/patches/001-wolfssl-init-RNG-with-ECC-key.patch
+++ b/feeds/hostapd/hostapd/patches/001-wolfssl-init-RNG-with-ECC-key.patch
@@ -1,43 +0,0 @@
 From 21ce83b4ae2b9563175fdb4fc4312096cc399cf8 Mon Sep 17 00:00:00 2001
 From: David Bauer <mail@david-bauer.net>
 Date: Wed, 5 May 2021 00:44:34 +0200
 Subject: [PATCH] wolfssl: add RNG to EC key
 Since upstream commit 6467de5a8840 ("Randomize z ordinates in
 scalar mult when timing resistant") WolfSSL requires a RNG for
 the EC key when built hardened which is the default.
 Set the RNG for the EC key to fix connections for OWE clients.
 Signed-off-by: David Bauer <mail@david-bauer.net>
 ---
 src/crypto/crypto_wolfssl.c | 4 ++++
 1 file changed, 4 insertions(+)
 --- a/src/crypto/crypto_wolfssl.c
 +++ b/src/crypto/crypto_wolfssl.c
@@ -1340,6 +1340,7 @@ int ecc_projective_add_point(ecc_point *
 struct crypto_ec {
 	ecc_key key;
 +	WC_RNG rng;
 	mp_int a;
 	mp_int prime;
 	mp_int order;
@@ -1394,6 +1395,8 @@ struct crypto_ec * crypto_ec_init(int gr
 		return NULL;
 	if (wc_ecc_init(&e->key) != 0 ||
 +	    wc_InitRng(&e->rng) != 0 ||
 +	    wc_ecc_set_rng(&e->key, &e->rng) != 0 ||
 	    wc_ecc_set_curve(&e->key, 0, curve_id) != 0 ||
 	    mp_init(&e->a) != MP_OKAY ||
 	    mp_init(&e->prime) != MP_OKAY ||
@@ -1425,6 +1428,7 @@ void crypto_ec_deinit(struct crypto_ec*
 	mp_clear(&e->order);
 	mp_clear(&e->prime);
 	mp_clear(&e->a);
 +	wc_FreeRng(&e->rng);
 	wc_ecc_free(&e->key);
 	os_free(e);
 }
--- a/feeds/hostapd/hostapd/patches/010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
+++ b/feeds/hostapd/hostapd/patches/010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
@@ -1,135 +0,0 @@
 From 8de8cd8380af0c43d4fde67a668d79ef73b26b26 Mon Sep 17 00:00:00 2001
 From: Peter Oh <peter.oh@bowerswilkins.com>
 Date: Tue, 30 Jun 2020 14:18:58 +0200
 Subject: [PATCH 10/19] mesh: Allow DFS channels to be selected if dfs is
 enabled
 Note: DFS is assumed to be usable if a country code has been set
 Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
 Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
 ---
 wpa_supplicant/wpa_supplicant.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -2638,7 +2638,7 @@ static int drv_supports_vht(struct wpa_s
 }
 -static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode)
 +static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode, bool dfs_enabled)
 {
 	int i;
@@ -2647,7 +2647,10 @@ static bool ibss_mesh_is_80mhz_avail(int
 		chan = hw_get_channel_chan(mode, i, NULL);
 		if (!chan ||
 -		    chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
 +		    chan->flag & HOSTAPD_CHAN_DISABLED)
 +			return false;
 +		
 +		if (!dfs_enabled && chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
 			return false;
 	}
@@ -2774,7 +2777,7 @@ static void ibss_mesh_select_40mhz(struc
 				   const struct wpa_ssid *ssid,
 				   struct hostapd_hw_modes *mode,
 				   struct hostapd_freq_params *freq,
 -				   int obss_scan) {
 +				   int obss_scan, bool dfs_enabled) {
 	int chan_idx;
 	struct hostapd_channel_data *pri_chan = NULL, *sec_chan = NULL;
 	int i, res;
@@ -2798,8 +2801,11 @@ static void ibss_mesh_select_40mhz(struc
 		return;
 	/* Check primary channel flags */
 -	if (pri_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
 +	if (pri_chan->flag & HOSTAPD_CHAN_DISABLED)
 		return;
 +	if (pri_chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
 +		if (!dfs_enabled)
 +			return;
 #ifdef CONFIG_HT_OVERRIDES
 	if (ssid->disable_ht40)
@@ -2825,8 +2831,11 @@ static void ibss_mesh_select_40mhz(struc
 		return;
 	/* Check secondary channel flags */
 -	if (sec_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
 +	if (sec_chan->flag & HOSTAPD_CHAN_DISABLED)
 		return;
 +	if (sec_chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
 +		if (!dfs_enabled)
 +			return;
 	if (ht40 == -1) {
 		if (!(pri_chan->flag & HOSTAPD_CHAN_HT40MINUS))
@@ -2880,7 +2889,7 @@ static bool ibss_mesh_select_80_160mhz(s
 				       const struct wpa_ssid *ssid,
 				       struct hostapd_hw_modes *mode,
 				       struct hostapd_freq_params *freq,
 -				       int ieee80211_mode, bool is_6ghz) {
 +				       int ieee80211_mode, bool is_6ghz, bool dfs_enabled) {
 	static const int bw80[] = {
 		5180, 5260, 5500, 5580, 5660, 5745, 5825,
 		5955, 6035, 6115, 6195, 6275, 6355, 6435,
@@ -2925,7 +2934,7 @@ static bool ibss_mesh_select_80_160mhz(s
 		goto skip_80mhz;
 	/* Use 40 MHz if channel not usable */
 -	if (!ibss_mesh_is_80mhz_avail(channel, mode))
 +	if (!ibss_mesh_is_80mhz_avail(channel, mode, dfs_enabled))
 		goto skip_80mhz;
 	chwidth = CONF_OPER_CHWIDTH_80MHZ;
@@ -2939,7 +2948,7 @@ static bool ibss_mesh_select_80_160mhz(s
 	if ((mode->he_capab[ieee80211_mode].phy_cap[
 		     HE_PHYCAP_CHANNEL_WIDTH_SET_IDX] &
 	     HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G) && is_6ghz &&
 -	    ibss_mesh_is_80mhz_avail(channel + 16, mode)) {
 +	    ibss_mesh_is_80mhz_avail(channel + 16, mode, dfs_enabled)) {
 		for (j = 0; j < ARRAY_SIZE(bw160); j++) {
 			if (freq->freq == bw160[j]) {
 				chwidth = CONF_OPER_CHWIDTH_160MHZ;
@@ -2967,10 +2976,12 @@ static bool ibss_mesh_select_80_160mhz(s
 				if (!chan)
 					continue;
 -				if (chan->flag & (HOSTAPD_CHAN_DISABLED |
 -						  HOSTAPD_CHAN_NO_IR |
 -						  HOSTAPD_CHAN_RADAR))
 +				if (chan->flag & HOSTAPD_CHAN_DISABLED)
 					continue;
 +				if (chan->flag & (HOSTAPD_CHAN_RADAR |
 +						  HOSTAPD_CHAN_NO_IR))
 +					if (!dfs_enabled)
 +						continue;
 				/* Found a suitable second segment for 80+80 */
 				chwidth = CONF_OPER_CHWIDTH_80P80MHZ;
@@ -3025,6 +3036,7 @@ void ibss_mesh_setup_freq(struct wpa_sup
 	int i, obss_scan = 1;
 	u8 channel;
 	bool is_6ghz;
 +	bool dfs_enabled = wpa_s->conf->country[0] && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_RADAR);
 	freq->freq = ssid->frequency;
@@ -3070,9 +3082,9 @@ void ibss_mesh_setup_freq(struct wpa_sup
 	freq->channel = channel;
 	/* Setup higher BW only for 5 GHz */
 	if (mode->mode == HOSTAPD_MODE_IEEE80211A) {
 -		ibss_mesh_select_40mhz(wpa_s, ssid, mode, freq, obss_scan);
 +		ibss_mesh_select_40mhz(wpa_s, ssid, mode, freq, obss_scan, dfs_enabled);
 		if (!ibss_mesh_select_80_160mhz(wpa_s, ssid, mode, freq,
 -						ieee80211_mode, is_6ghz))
 +						ieee80211_mode, is_6ghz, dfs_enabled))
 			freq->he_enabled = freq->vht_enabled = false;
 	}
--- a/feeds/hostapd/hostapd/patches/011-mesh-use-deterministic-channel-on-channel-switch.patch
+++ b/feeds/hostapd/hostapd/patches/011-mesh-use-deterministic-channel-on-channel-switch.patch
@@ -1,81 +0,0 @@
 From fc8ea40f6130ac18d9c66797de2cf1d5af55d496 Mon Sep 17 00:00:00 2001
 From: Markus Theil <markus.theil@tu-ilmenau.de>
 Date: Tue, 30 Jun 2020 14:19:07 +0200
 Subject: [PATCH 19/19] mesh: use deterministic channel on channel switch
 This patch uses a deterministic channel on DFS channel switch
 in mesh networks. Otherwise, when switching to a usable but not
 available channel, no CSA can be sent and a random channel is choosen
 without notification of other nodes. It is then quite likely, that
 the mesh network gets disconnected.
 Fix this by using a deterministic number, based on the sha256 hash
 of the mesh ID, in order to use at least a different number in each
 mesh network.
 Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
 ---
 src/ap/dfs.c                 | 20 +++++++++++++++++++-
 src/drivers/driver_nl80211.c |  4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 --- a/src/ap/dfs.c
 +++ b/src/ap/dfs.c
@@ -17,6 +17,7 @@
 #include "ap_drv_ops.h"
 #include "drivers/driver.h"
 #include "dfs.h"
 +#include "crypto/crypto.h"
 enum dfs_channel_type {
@@ -526,9 +527,14 @@ dfs_get_valid_channel(struct hostapd_ifa
 	int num_available_chandefs;
 	int chan_idx, chan_idx2;
 	int sec_chan_idx_80p80 = -1;
 +	bool is_mesh = false;
 	int i;
 	u32 _rand;
 +#ifdef CONFIG_MESH
 +	is_mesh = iface->mconf;
 +#endif
 +
 	wpa_printf(MSG_DEBUG, "DFS: Selecting random channel");
 	*secondary_channel = 0;
 	*oper_centr_freq_seg0_idx = 0;
@@ -548,8 +554,20 @@ dfs_get_valid_channel(struct hostapd_ifa
 	if (num_available_chandefs == 0)
 		return NULL;
 -	if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
 +	/* try to use deterministic channel in mesh, so that both sides
 +	 * have a chance to switch to the same channel */
 +	if (is_mesh) {
 +#ifdef CONFIG_MESH
 +		u64 hash[4];
 +		const u8 *meshid[1] = { &iface->mconf->meshid[0] };
 +		const size_t meshid_len = iface->mconf->meshid_len;
 +
 +		sha256_vector(1, meshid, &meshid_len, (u8 *)&hash[0]);
 +		_rand = hash[0] + hash[1] + hash[2] + hash[3];
 +#endif
 +	} else if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
 		return NULL;
 +
 	chan_idx = _rand % num_available_chandefs;
 	dfs_find_channel(iface, &chan, chan_idx, type);
 	if (!chan) {
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -11017,6 +11017,10 @@ static int nl80211_switch_channel(void *
 	if (ret)
 		goto error;
 +	if (drv->nlmode == NL80211_IFTYPE_MESH_POINT) {
 +		nla_put_flag(msg, NL80211_ATTR_HANDLE_DFS);
 +	}
 +
 	/* beacon_csa params */
 	beacon_csa = nla_nest_start(msg, NL80211_ATTR_CSA_IES);
 	if (!beacon_csa)
--- a/feeds/hostapd/hostapd/patches/021-fix-sta-add-after-previous-connection.patch
+++ b/feeds/hostapd/hostapd/patches/021-fix-sta-add-after-previous-connection.patch
@@ -1,26 +0,0 @@
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -4621,6 +4621,13 @@ static int add_associated_sta(struct hos
 	 * drivers to accept the STA parameter configuration. Since this is
 	 * after a new FT-over-DS exchange, a new TK has been derived, so key
 	 * reinstallation is not a concern for this case.
 +	 *
 +	 * If the STA was associated and authorized earlier, but came for a new
 +	 * connection (!added_unassoc + !reassoc), remove the existing STA entry
 +	 * so that it can be re-added. This case is rarely seen when the AP could
 +	 * not receive the deauth/disassoc frame from the STA. And the STA comes
 +	 * back with new connection within a short period or before the inactive
 +	 * STA entry is removed from the list.
 	 */
 	wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
 		   " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
@@ -4634,7 +4641,8 @@ static int add_associated_sta(struct hos
 	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
 	     (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
 	     (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
 -	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
 +	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)) ||
 +	     (!reassoc && (sta->flags & WLAN_STA_AUTHORIZED)))) {
 		hostapd_drv_sta_remove(hapd, sta->addr);
 		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
 		set = 0;
--- a/feeds/hostapd/hostapd/patches/022-hostapd-fix-use-of-uninitialized-stack-variables.patch
+++ b/feeds/hostapd/hostapd/patches/022-hostapd-fix-use-of-uninitialized-stack-variables.patch
@@ -1,25 +0,0 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Thu, 8 Jul 2021 16:33:03 +0200
 Subject: [PATCH] hostapd: fix use of uninitialized stack variables
 When a CSA is performed on an 80 MHz channel, hostapd_change_config_freq
 unconditionally calls hostapd_set_oper_centr_freq_seg0/1_idx with seg0/1
 filled by ieee80211_freq_to_chan.
 However, if ieee80211_freq_to_chan fails (because the freq is 0 or invalid),
 seg0/1 remains uninitialized and filled with stack garbage, causing errors
 such as "hostapd: 80 MHz: center segment 1 configured"
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -3764,7 +3764,7 @@ static int hostapd_change_config_freq(st
 				      struct hostapd_freq_params *old_params)
 {
 	int channel;
 -	u8 seg0, seg1;
 +	u8 seg0 = 0, seg1 = 0;
 	struct hostapd_hw_modes *mode;
 	if (!params->channel) {
--- a/feeds/hostapd/hostapd/patches/030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
+++ b/feeds/hostapd/hostapd/patches/030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
@@ -1,275 +0,0 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Wed, 28 Jul 2021 05:49:46 +0200
 Subject: [PATCH] driver_nl80211: rewrite neigh code to not depend on
 libnl3-route
 Removes an unnecessary dependency and also makes the code smaller
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -16,9 +16,6 @@
 #include <net/if.h>
 #include <netlink/genl/genl.h>
 #include <netlink/genl/ctrl.h>
 -#ifdef CONFIG_LIBNL3_ROUTE
 -#include <netlink/route/neighbour.h>
 -#endif /* CONFIG_LIBNL3_ROUTE */
 #include <linux/rtnetlink.h>
 #include <netpacket/packet.h>
 #include <linux/errqueue.h>
@@ -5783,26 +5780,29 @@ fail:
 static void rtnl_neigh_delete_fdb_entry(struct i802_bss *bss, const u8 *addr)
 {
 -#ifdef CONFIG_LIBNL3_ROUTE
 	struct wpa_driver_nl80211_data *drv = bss->drv;
 -	struct rtnl_neigh *rn;
 -	struct nl_addr *nl_addr;
 +	struct ndmsg nhdr = {
 +		.ndm_state = NUD_PERMANENT,
 +		.ndm_ifindex = bss->ifindex,
 +		.ndm_family = AF_BRIDGE,
 +	};
 +	struct nl_msg *msg;
 	int err;
 -	rn = rtnl_neigh_alloc();
 -	if (!rn)
 +	msg = nlmsg_alloc_simple(RTM_DELNEIGH, NLM_F_CREATE);
 +	if (!msg)
 		return;
 -	rtnl_neigh_set_family(rn, AF_BRIDGE);
 -	rtnl_neigh_set_ifindex(rn, bss->ifindex);
 -	nl_addr = nl_addr_build(AF_BRIDGE, (void *) addr, ETH_ALEN);
 -	if (!nl_addr) {
 -		rtnl_neigh_put(rn);
 -		return;
 -	}
 -	rtnl_neigh_set_lladdr(rn, nl_addr);
 +	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
 +		goto errout;
 +
 +	if (nla_put(msg, NDA_LLADDR, ETH_ALEN, (void *)addr))
 +		goto errout;
 +
 +	if (nl_send_auto_complete(drv->rtnl_sk, msg) < 0)
 +		goto errout;
 -	err = rtnl_neigh_delete(drv->rtnl_sk, rn, 0);
 +	err = nl_wait_for_ack(drv->rtnl_sk);
 	if (err < 0) {
 		wpa_printf(MSG_DEBUG, "nl80211: bridge FDB entry delete for "
 			   MACSTR " ifindex=%d failed: %s", MAC2STR(addr),
@@ -5812,9 +5812,8 @@ static void rtnl_neigh_delete_fdb_entry(
 			   MACSTR, MAC2STR(addr));
 	}
 -	nl_addr_put(nl_addr);
 -	rtnl_neigh_put(rn);
 -#endif /* CONFIG_LIBNL3_ROUTE */
 +errout:
 +	nlmsg_free(msg);
 }
@@ -8492,7 +8491,6 @@ static void *i802_init(struct hostapd_da
 	    (params->num_bridge == 0 || !params->bridge[0]))
 		add_ifidx(drv, br_ifindex, drv->ifindex);
 -#ifdef CONFIG_LIBNL3_ROUTE
 	if (bss->added_if_into_bridge || bss->already_in_bridge) {
 		int err;
@@ -8509,7 +8507,6 @@ static void *i802_init(struct hostapd_da
 			goto failed;
 		}
 	}
 -#endif /* CONFIG_LIBNL3_ROUTE */
 	if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
 		wpa_printf(MSG_DEBUG,
@@ -11883,13 +11880,14 @@ static int wpa_driver_br_add_ip_neigh(vo
 				      const u8 *ipaddr, int prefixlen,
 				      const u8 *addr)
 {
 -#ifdef CONFIG_LIBNL3_ROUTE
 	struct i802_bss *bss = priv;
 	struct wpa_driver_nl80211_data *drv = bss->drv;
 -	struct rtnl_neigh *rn;
 -	struct nl_addr *nl_ipaddr = NULL;
 -	struct nl_addr *nl_lladdr = NULL;
 -	int family, addrsize;
 +	struct ndmsg nhdr = {
 +		.ndm_state = NUD_PERMANENT,
 +		.ndm_ifindex = bss->br_ifindex,
 +	};
 +	struct nl_msg *msg;
 +	int addrsize;
 	int res;
 	if (!ipaddr || prefixlen == 0 || !addr)
@@ -11908,85 +11906,66 @@ static int wpa_driver_br_add_ip_neigh(vo
 	}
 	if (version == 4) {
 -		family = AF_INET;
 +		nhdr.ndm_family = AF_INET;
 		addrsize = 4;
 	} else if (version == 6) {
 -		family = AF_INET6;
 +		nhdr.ndm_family = AF_INET6;
 		addrsize = 16;
 	} else {
 		return -EINVAL;
 	}
 -	rn = rtnl_neigh_alloc();
 -	if (rn == NULL)
 +	msg = nlmsg_alloc_simple(RTM_NEWNEIGH, NLM_F_CREATE);
 +	if (!msg)
 		return -ENOMEM;
 -	/* set the destination ip address for neigh */
 -	nl_ipaddr = nl_addr_build(family, (void *) ipaddr, addrsize);
 -	if (nl_ipaddr == NULL) {
 -		wpa_printf(MSG_DEBUG, "nl80211: nl_ipaddr build failed");
 -		res = -ENOMEM;
 +	res = -ENOMEM;
 +	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
 		goto errout;
 -	}
 -	nl_addr_set_prefixlen(nl_ipaddr, prefixlen);
 -	res = rtnl_neigh_set_dst(rn, nl_ipaddr);
 -	if (res) {
 -		wpa_printf(MSG_DEBUG,
 -			   "nl80211: neigh set destination addr failed");
 +
 +	if (nla_put(msg, NDA_DST, addrsize, (void *)ipaddr))
 		goto errout;
 -	}
 -	/* set the corresponding lladdr for neigh */
 -	nl_lladdr = nl_addr_build(AF_BRIDGE, (u8 *) addr, ETH_ALEN);
 -	if (nl_lladdr == NULL) {
 -		wpa_printf(MSG_DEBUG, "nl80211: neigh set lladdr failed");
 -		res = -ENOMEM;
 +	if (nla_put(msg, NDA_LLADDR, ETH_ALEN, (void *)addr))
 		goto errout;
 -	}
 -	rtnl_neigh_set_lladdr(rn, nl_lladdr);
 -	rtnl_neigh_set_ifindex(rn, bss->br_ifindex);
 -	rtnl_neigh_set_state(rn, NUD_PERMANENT);
 +	res = nl_send_auto_complete(drv->rtnl_sk, msg);
 +	if (res < 0)
 +		goto errout;
 -	res = rtnl_neigh_add(drv->rtnl_sk, rn, NLM_F_CREATE);
 +	res = nl_wait_for_ack(drv->rtnl_sk);
 	if (res) {
 		wpa_printf(MSG_DEBUG,
 			   "nl80211: Adding bridge ip neigh failed: %s",
 			   nl_geterror(res));
 	}
 errout:
 -	if (nl_lladdr)
 -		nl_addr_put(nl_lladdr);
 -	if (nl_ipaddr)
 -		nl_addr_put(nl_ipaddr);
 -	if (rn)
 -		rtnl_neigh_put(rn);
 +	nlmsg_free(msg);
 	return res;
 -#else /* CONFIG_LIBNL3_ROUTE */
 -	return -1;
 -#endif /* CONFIG_LIBNL3_ROUTE */
 }
 static int wpa_driver_br_delete_ip_neigh(void *priv, u8 version,
 					 const u8 *ipaddr)
 {
 -#ifdef CONFIG_LIBNL3_ROUTE
 	struct i802_bss *bss = priv;
 	struct wpa_driver_nl80211_data *drv = bss->drv;
 -	struct rtnl_neigh *rn;
 -	struct nl_addr *nl_ipaddr;
 -	int family, addrsize;
 +	struct ndmsg nhdr = {
 +		.ndm_state = NUD_PERMANENT,
 +		.ndm_ifindex = bss->br_ifindex,
 +	};
 +	struct nl_msg *msg;
 +	int addrsize;
 	int res;
 	if (!ipaddr)
 		return -EINVAL;
 	if (version == 4) {
 -		family = AF_INET;
 +		nhdr.ndm_family = AF_INET;
 		addrsize = 4;
 	} else if (version == 6) {
 -		family = AF_INET6;
 +		nhdr.ndm_family = AF_INET6;
 		addrsize = 16;
 	} else {
 		return -EINVAL;
@@ -12004,41 +11983,30 @@ static int wpa_driver_br_delete_ip_neigh
 		return -1;
 	}
 -	rn = rtnl_neigh_alloc();
 -	if (rn == NULL)
 +	msg = nlmsg_alloc_simple(RTM_DELNEIGH, NLM_F_CREATE);
 +	if (!msg)
 		return -ENOMEM;
 -	/* set the destination ip address for neigh */
 -	nl_ipaddr = nl_addr_build(family, (void *) ipaddr, addrsize);
 -	if (nl_ipaddr == NULL) {
 -		wpa_printf(MSG_DEBUG, "nl80211: nl_ipaddr build failed");
 -		res = -ENOMEM;
 +	res = -ENOMEM;
 +	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
 		goto errout;
 -	}
 -	res = rtnl_neigh_set_dst(rn, nl_ipaddr);
 -	if (res) {
 -		wpa_printf(MSG_DEBUG,
 -			   "nl80211: neigh set destination addr failed");
 +
 +	if (nla_put(msg, NDA_DST, addrsize, (void *)ipaddr))
 		goto errout;
 -	}
 -	rtnl_neigh_set_ifindex(rn, bss->br_ifindex);
 +	res = nl_send_auto_complete(drv->rtnl_sk, msg);
 +	if (res < 0)
 +		goto errout;
 -	res = rtnl_neigh_delete(drv->rtnl_sk, rn, 0);
 +	res = nl_wait_for_ack(drv->rtnl_sk);
 	if (res) {
 		wpa_printf(MSG_DEBUG,
 			   "nl80211: Deleting bridge ip neigh failed: %s",
 			   nl_geterror(res));
 	}
 errout:
 -	if (nl_ipaddr)
 -		nl_addr_put(nl_ipaddr);
 -	if (rn)
 -		rtnl_neigh_put(rn);
 +	nlmsg_free(msg);
 	return res;
 -#else /* CONFIG_LIBNL3_ROUTE */
 -	return -1;
 -#endif /* CONFIG_LIBNL3_ROUTE */
 }
--- a/feeds/hostapd/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch
+++ b/feeds/hostapd/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch
@@ -1,34 +0,0 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Mon, 18 Feb 2019 12:57:11 +0100
 Subject: [PATCH] mesh: allow processing authentication frames in blocked state
 If authentication fails repeatedly e.g. because of a weak signal, the link
 can end up in blocked state. If one of the nodes tries to establish a link
 again before it is unblocked on the other side, it will block the link to
 that other side. The same happens on the other side when it unblocks the
 link. In that scenario, the link never recovers on its own.
 To fix this, allow restarting authentication even if the link is in blocked
 state, but don't initiate the attempt until the blocked period is over.
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -3020,15 +3020,6 @@ static void handle_auth(struct hostapd_d
 				       seq_ctrl);
 			return;
 		}
 -#ifdef CONFIG_MESH
 -		if ((hapd->conf->mesh & MESH_ENABLED) &&
 -		    sta->plink_state == PLINK_BLOCKED) {
 -			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
 -				   " is blocked - drop Authentication frame",
 -				   MAC2STR(sa));
 -			return;
 -		}
 -#endif /* CONFIG_MESH */
 #ifdef CONFIG_PASN
 		if (auth_alg == WLAN_AUTH_PASN &&
 		    (sta->flags & WLAN_STA_ASSOC)) {
--- a/feeds/hostapd/hostapd/patches/050-build_fix.patch
+++ b/feeds/hostapd/hostapd/patches/050-build_fix.patch
@@ -1,20 +0,0 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -324,6 +324,7 @@ ifdef CONFIG_FILS
 CFLAGS += -DCONFIG_FILS
 OBJS += ../src/ap/fils_hlp.o
 NEED_SHA384=y
 +NEED_HMAC_SHA384_KDF=y
 NEED_AES_SIV=y
 ifdef CONFIG_FILS_SK_PFS
 CFLAGS += -DCONFIG_FILS_SK_PFS
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -331,6 +331,7 @@ endif
 ifdef CONFIG_FILS
 CFLAGS += -DCONFIG_FILS
 NEED_SHA384=y
 +NEED_HMAC_SHA384_KDF=y
 NEED_AES_SIV=y
 ifdef CONFIG_FILS_SK_PFS
 CFLAGS += -DCONFIG_FILS_SK_PFS
--- a/feeds/hostapd/hostapd/patches/110-mbedtls-TLS-crypto-option-initial-port.patch
+++ b/feeds/hostapd/hostapd/patches/110-mbedtls-TLS-crypto-option-initial-port.patch
--- a/feeds/hostapd/hostapd/patches/120-mbedtls-fips186_2_prf.patch
+++ b/feeds/hostapd/hostapd/patches/120-mbedtls-fips186_2_prf.patch
@@ -1,114 +0,0 @@
 From c8dba4bd750269bcc80fed3d546e2077cb4cdf0e Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Tue, 19 Jul 2022 20:02:21 -0400
 Subject: [PATCH 2/7] mbedtls: fips186_2_prf()
 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 ---
 hostapd/Makefile            |  4 ---
 src/crypto/crypto_mbedtls.c | 60 +++++++++++++++++++++++++++++++++++++
 wpa_supplicant/Makefile     |  4 ---
 3 files changed, 60 insertions(+), 8 deletions(-)
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -759,10 +759,6 @@ endif
 OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 HOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 SOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 -ifdef NEED_FIPS186_2_PRF
 -OBJS += ../src/crypto/fips_prf_internal.o
 -SHA1OBJS += ../src/crypto/sha1-internal.o
 -endif
 ifeq ($(CONFIG_CRYPTO), mbedtls)
 ifdef CONFIG_DPP
 LIBS += -lmbedx509
 --- a/src/crypto/crypto_mbedtls.c
 +++ b/src/crypto/crypto_mbedtls.c
@@ -132,6 +132,12 @@
 #define CRYPTO_MBEDTLS_HMAC_KDF_SHA512
 #endif
 +#if defined(EAP_SIM) || defined(EAP_SIM_DYNAMIC) || defined(EAP_SERVER_SIM) \
 + || defined(EAP_AKA) || defined(EAP_AKA_DYNAMIC) || defined(EAP_SERVER_AKA)
 +/* EAP_SIM=y EAP_AKA=y */
 +#define CRYPTO_MBEDTLS_FIPS186_2_PRF
 +#endif
 +
 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) \
  || defined(EAP_TEAP) || defined(EAP_TEAP_DYNAMIC) || defined(EAP_SERVER_FAST)
 #define CRYPTO_MBEDTLS_SHA1_T_PRF
@@ -813,6 +819,60 @@ int sha1_t_prf(const u8 *key, size_t key
 #endif /* CRYPTO_MBEDTLS_SHA1_T_PRF */
 +#ifdef CRYPTO_MBEDTLS_FIPS186_2_PRF
 +
 +/* fips_prf_internal.c sha1-internal.c */
 +
 +/* used only by src/eap_common/eap_sim_common.c:eap_sim_prf()
 + * for eap_sim_derive_keys() and eap_sim_derive_keys_reauth()
 + * where xlen is 160 */
 +
 +int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
 +{
 +	/* FIPS 186-2 + change notice 1 */
 +
 +	mbedtls_sha1_context ctx;
 +	u8 * const xkey = ctx.MBEDTLS_PRIVATE(buffer);
 +	u32 * const xstate = ctx.MBEDTLS_PRIVATE(state);
 +	const u32 xstate_init[] =
 +	  { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
 +
 +	mbedtls_sha1_init(&ctx);
 +	os_memcpy(xkey, seed, seed_len < 64 ? seed_len : 64);
 +
 +	/* note: does not fill extra bytes if (xlen % 20) (SHA1_MAC_LEN) */
 +	for (; xlen >= 20; xlen -= 20) {
 +		/* XSEED_j = 0 */
 +		/* XVAL = (XKEY + XSEED_j) mod 2^b */
 +
 +		/* w_i = G(t, XVAL) */
 +		os_memcpy(xstate, xstate_init, sizeof(xstate_init));
 +		mbedtls_internal_sha1_process(&ctx, xkey);
 +
 +	  #if __BYTE_ORDER == __LITTLE_ENDIAN
 +		xstate[0] = host_to_be32(xstate[0]);
 +		xstate[1] = host_to_be32(xstate[1]);
 +		xstate[2] = host_to_be32(xstate[2]);
 +		xstate[3] = host_to_be32(xstate[3]);
 +		xstate[4] = host_to_be32(xstate[4]);
 +	  #endif
 +		os_memcpy(x, xstate, 20);
 +		if (xlen == 20) /*(done; skip prep for next loop)*/
 +			break;
 +
 +		/* XKEY = (1 + XKEY + w_i) mod 2^b */
 +		for (u32 carry = 1, k = 20; k-- > 0; carry >>= 8)
 +			xkey[k] = (carry += xkey[k] + x[k]) & 0xff;
 +		x += 20;
 +		/* x_j = w_0|w_1 (each pair of iterations through loop)*/
 +	}
 +
 +	mbedtls_sha1_free(&ctx);
 +	return 0;
 +}
 +
 +#endif /* CRYPTO_MBEDTLS_FIPS186_2_PRF */
 +
 #endif /* MBEDTLS_SHA1_C */
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -1174,10 +1174,6 @@ endif
 OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 OBJS_p += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 OBJS_priv += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 -ifdef NEED_FIPS186_2_PRF
 -OBJS += ../src/crypto/fips_prf_internal.o
 -SHA1OBJS += ../src/crypto/sha1-internal.o
 -endif
 ifeq ($(CONFIG_CRYPTO), mbedtls)
 LIBS += -lmbedcrypto
 LIBS_p += -lmbedcrypto
--- a/feeds/hostapd/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch
+++ b/feeds/hostapd/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch
@@ -1,421 +0,0 @@
 From 31bd19e0e0254b910cccfd3ddc6a6a9222bbcfc0 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Sun, 9 Oct 2022 05:12:17 -0400
 Subject: [PATCH 3/7] mbedtls: annotate with TEST_FAIL() for hwsim tests
 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 ---
 src/crypto/crypto_mbedtls.c | 124 ++++++++++++++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 --- a/src/crypto/crypto_mbedtls.c
 +++ b/src/crypto/crypto_mbedtls.c
@@ -280,6 +280,9 @@ __attribute_noinline__
 static int md_vector(size_t num_elem, const u8 *addr[], const size_t *len,
                      u8 *mac, mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_md_context_t ctx;
 	mbedtls_md_init(&ctx);
 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 0) != 0){
@@ -343,6 +346,9 @@ __attribute_noinline__
 static int sha384_512_vector(size_t num_elem, const u8 *addr[],
                              const size_t *len, u8 *mac, int is384)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_sha512_context ctx;
 	mbedtls_sha512_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -375,6 +381,9 @@ int sha384_vector(size_t num_elem, const
 #include <mbedtls/sha256.h>
 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_sha256_context ctx;
 	mbedtls_sha256_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -397,6 +406,9 @@ int sha256_vector(size_t num_elem, const
 #include <mbedtls/sha1.h>
 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_sha1_context ctx;
 	mbedtls_sha1_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -419,6 +431,9 @@ int sha1_vector(size_t num_elem, const u
 #include <mbedtls/md5.h>
 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_md5_context ctx;
 	mbedtls_md5_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -441,6 +456,9 @@ int md5_vector(size_t num_elem, const u8
 #include <mbedtls/md4.h>
 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_md4_context ctx;
 	mbedtls_md4_init(&ctx);
 	mbedtls_md4_starts_ret(&ctx);
@@ -460,6 +478,9 @@ static int hmac_vector(const u8 *key, si
                        const u8 *addr[], const size_t *len, u8 *mac,
                        mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_md_context_t ctx;
 	mbedtls_md_init(&ctx);
 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 1) != 0){
@@ -571,6 +592,9 @@ static int hmac_kdf_expand(const u8 *prk
                            const char *label, const u8 *info, size_t info_len,
                            u8 *okm, size_t okm_len, mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
   #ifdef MBEDTLS_HKDF_C
 	if (label == NULL)  /* RFC 5869 HKDF-Expand when (label == NULL) */
@@ -663,6 +687,9 @@ static int hmac_prf_bits(const u8 *key,
                          const u8 *data, size_t data_len, u8 *buf,
                          size_t buf_len_bits, mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_md_context_t ctx;
 	mbedtls_md_init(&ctx);
 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
@@ -938,6 +965,9 @@ int pbkdf2_sha1(const char *passphrase,
 static void *aes_crypt_init_mode(const u8 *key, size_t len, int mode)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
 	if (!aes)
 		return NULL;
@@ -996,6 +1026,9 @@ void aes_decrypt_deinit(void *ctx)
 /* aes-wrap.c */
 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_nist_kw_context ctx;
 	mbedtls_nist_kw_init(&ctx);
 	size_t olen;
@@ -1010,6 +1043,9 @@ int aes_wrap(const u8 *kek, size_t kek_l
 /* aes-unwrap.c */
 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, u8 *plain)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_nist_kw_context ctx;
 	mbedtls_nist_kw_init(&ctx);
 	size_t olen;
@@ -1041,6 +1077,9 @@ int omac1_aes_vector(
     const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[],
     const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_cipher_type_t cipher_type;
 	switch (key_len) {
 	case 16: cipher_type = MBEDTLS_CIPHER_AES_128_ECB; break;
@@ -1103,6 +1142,9 @@ int omac1_aes_256(const u8 *key, const u
 /* aes-encblock.c */
 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_aes_context aes;
 	mbedtls_aes_init(&aes);
 	int ret = mbedtls_aes_setkey_enc(&aes, key, 128)
@@ -1118,6 +1160,9 @@ int aes_128_encrypt_block(const u8 *key,
 int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
 		    u8 *data, size_t data_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	unsigned char counter[MBEDTLS_AES_BLOCK_SIZE];
 	unsigned char stream_block[MBEDTLS_AES_BLOCK_SIZE];
 	os_memcpy(counter, nonce, MBEDTLS_AES_BLOCK_SIZE);/*(must be writable)*/
@@ -1160,11 +1205,17 @@ static int aes_128_cbc_oper(const u8 *ke
 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_ENCRYPT);
 }
 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_DECRYPT);
 }
@@ -1407,6 +1458,10 @@ int crypto_hash_finish(struct crypto_has
 	}
 	mbedtls_md_free(mctx);
 	os_free(mctx);
 +
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return 0;
 }
@@ -1421,6 +1476,9 @@ int crypto_hash_finish(struct crypto_has
 struct crypto_bignum *crypto_bignum_init(void)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
 	if (bn)
 		mbedtls_mpi_init(bn);
@@ -1429,6 +1487,9 @@ struct crypto_bignum *crypto_bignum_init
 struct crypto_bignum *crypto_bignum_init_set(const u8 *buf, size_t len)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
 	if (bn) {
 		mbedtls_mpi_init(bn);
@@ -1442,6 +1503,9 @@ struct crypto_bignum *crypto_bignum_init
 struct crypto_bignum *crypto_bignum_init_uint(unsigned int val)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
   #if 0 /*(hostap use of this interface passes int, not uint)*/
 	val = host_to_be32(val);
 	return crypto_bignum_init_set((const u8 *)&val, sizeof(val));
@@ -1467,6 +1531,9 @@ void crypto_bignum_deinit(struct crypto_
 int crypto_bignum_to_bin(const struct crypto_bignum *a,
 			 u8 *buf, size_t buflen, size_t padlen)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	size_t n = mbedtls_mpi_size((mbedtls_mpi *)a);
 	if (n < padlen)
 		n = padlen;
@@ -1477,6 +1544,9 @@ int crypto_bignum_to_bin(const struct cr
 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/*assert(r != m);*//* r must not be same as m for mbedtls_mpi_random()*/
   #if MBEDTLS_VERSION_NUMBER >= 0x021B0000 /* mbedtls 2.27.0 */
 	return mbedtls_mpi_random((mbedtls_mpi *)r, 0, (mbedtls_mpi *)m,
@@ -1513,6 +1583,9 @@ int crypto_bignum_exptmod(const struct c
 			  const struct crypto_bignum *c,
 			  struct crypto_bignum *d)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/* (check if input params match d; d is the result) */
 	/* (a == d) is ok in current mbedtls implementation */
 	if (b == d || c == d) { /*(not ok; store result in intermediate)*/
@@ -1540,6 +1613,9 @@ int crypto_bignum_inverse(const struct c
 			  const struct crypto_bignum *b,
 			  struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_inv_mod((mbedtls_mpi *)c,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b) ? -1 : 0;
@@ -1549,6 +1625,9 @@ int crypto_bignum_sub(const struct crypt
 		      const struct crypto_bignum *b,
 		      struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_sub_mpi((mbedtls_mpi *)c,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b) ? -1 : 0;
@@ -1558,6 +1637,9 @@ int crypto_bignum_div(const struct crypt
 		      const struct crypto_bignum *b,
 		      struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/*(most current use of this crypto.h interface has a == c (result),
 	 * so store result in an intermediate to avoid overwritten input)*/
 	mbedtls_mpi R;
@@ -1575,6 +1657,9 @@ int crypto_bignum_addmod(const struct cr
 			 const struct crypto_bignum *c,
 			 struct crypto_bignum *d)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_add_mpi((mbedtls_mpi *)d,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b)
@@ -1588,6 +1673,9 @@ int crypto_bignum_mulmod(const struct cr
 			 const struct crypto_bignum *c,
 			 struct crypto_bignum *d)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_mul_mpi((mbedtls_mpi *)d,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b)
@@ -1600,6 +1688,9 @@ int crypto_bignum_sqrmod(const struct cr
 			 const struct crypto_bignum *b,
 			 struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
   #if 1
 	return crypto_bignum_mulmod(a, a, b, c);
   #else
@@ -1650,6 +1741,9 @@ int crypto_bignum_is_odd(const struct cr
 int crypto_bignum_legendre(const struct crypto_bignum *a,
 			   const struct crypto_bignum *p)
 {
 +	if (TEST_FAIL())
 +		return -2;
 +
 	/* Security Note:
 	 * mbedtls_mpi_exp_mod() is not documented to run in constant time,
 	 * though mbedtls/library/bignum.c uses constant_time_internal.h funcs.
@@ -1702,6 +1796,9 @@ int crypto_mod_exp(const u8 *base, size_
 		   const u8 *modulus, size_t modulus_len,
 		   u8 *result, size_t *result_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result;
 	mbedtls_mpi_init(&bn_base);
 	mbedtls_mpi_init(&bn_exp);
@@ -1769,6 +1866,9 @@ static int crypto_mbedtls_dh_init_public
 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
 		   u8 *pubkey)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
   #if 0 /*(crypto_dh_init() duplicated (and identical) in crypto_*.c modules)*/
 	size_t pubkey_len, pad;
@@ -1810,6 +1910,9 @@ int crypto_dh_derive_secret(u8 generator
 			    const u8 *pubkey, size_t pubkey_len,
 			    u8 *secret, size_t *len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
   #if 0
 	if (pubkey_len > prime_len ||
 	    (pubkey_len == prime_len &&
@@ -2512,6 +2615,9 @@ const struct crypto_ec_point * crypto_ec
 struct crypto_ec_point *crypto_ec_point_init(struct crypto_ec *e)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
 	if (p != NULL)
 		mbedtls_ecp_point_init(p);
@@ -2536,6 +2642,9 @@ int crypto_ec_point_x(struct crypto_ec *
 int crypto_ec_point_to_bin(struct crypto_ec *e,
 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/* crypto.h documents crypto_ec_point_to_bin() output is big-endian */
 	size_t len = CRYPTO_EC_plen(e);
 	if (x) {
@@ -2563,6 +2672,9 @@ int crypto_ec_point_to_bin(struct crypto
 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
 						  const u8 *val)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	size_t len = CRYPTO_EC_plen(e);
 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
 	u8 buf[1+MBEDTLS_MPI_MAX_SIZE*2];
@@ -2615,6 +2727,9 @@ int crypto_ec_point_add(struct crypto_ec
 			const struct crypto_ec_point *b,
 			struct crypto_ec_point *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/* mbedtls does not provide an mbedtls_ecp_point add function */
 	mbedtls_mpi one;
 	mbedtls_mpi_init(&one);
@@ -2631,6 +2746,9 @@ int crypto_ec_point_mul(struct crypto_ec
 			const struct crypto_bignum *b,
 			struct crypto_ec_point *res)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_ecp_mul(
 		(mbedtls_ecp_group *)e, (mbedtls_ecp_point *)res,
 		(const mbedtls_mpi *)b, (const mbedtls_ecp_point *)p,
@@ -2639,6 +2757,9 @@ int crypto_ec_point_mul(struct crypto_ec
 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	if (mbedtls_ecp_get_type((mbedtls_ecp_group *)e)
 	    == MBEDTLS_ECP_TYPE_MONTGOMERY) {
 		/* e.g. MBEDTLS_ECP_DP_CURVE25519 and MBEDTLS_ECP_DP_CURVE448 */
@@ -2751,6 +2872,9 @@ struct crypto_bignum *
 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
 			      const struct crypto_bignum *x)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_mpi *y2 = os_malloc(sizeof(*y2));
 	if (y2 == NULL)
 		return NULL;
--- a/Show More
+++ b/Show More
		`@@ -1,2 +0,0 @@`
			`#!/bin/sh`
			`[ "$1" = bound ] && echo "$serverid"`