Merge pull request #480 from Telecominfraproject/main

Various updates

.github/workflows/build-dev.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: ['actiontec_web7200', 'cig_wf188n', 'cig_wf194c', 'cig_wf194c4', 'cig_wf196', 'cig_wf610d', 'cig_wf808', 'cybertan_eww622-a1', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_ecs4100-12ph', 'edgecore_ecw5211', 'edgecore_ecw5410', 'edgecore_oap100', 'edgecore_ssw2ac2600', 'edgecore_spw2ac1200', 'edgecore_spw2ac1200-lan-poe', 'hfcl_ion4', 'hfcl_ion4xe', 'hfcl_ion4xi', 'indio_um-305ac', 'indio_um-305ax', 'indio_um-325ac', 'indio_um-510ac-v3', 'indio_um-550ac', 'linksys_ea6350-v4', 'linksys_e8450-ubi', 'linksys_ea8300', 'tp-link_ec420-g1', 'tplink_ex227', 'tplink_ex228', 'tplink_ex447', 'udaya_a5-id2', 'wallys_dr40x9', 'x64_vm' ]
+        target: ['actiontec_web7200', 'cig_wf188n', 'cig_wf196', 'cig_wf610d', 'cig_wf808', 'cybertan_eww622-a1', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_ecs4100-12ph', 'edgecore_ecw5211', 'edgecore_ecw5410', 'edgecore_oap100', 'edgecore_ssw2ac2600', 'edgecore_spw2ac1200', 'edgecore_spw2ac1200-lan-poe', 'hfcl_ion4', 'hfcl_ion4xe', 'hfcl_ion4xi', 'indio_um-305ac', 'indio_um-305ax', 'indio_um-325ac', 'indio_um-510ac-v3', 'indio_um-550ac', 'linksys_ea6350-v4', 'linksys_e8450-ubi', 'linksys_ea8300', 'meshpp_s618_cp03', 'meshpp_s618_cp01', 'udaya_a5-id2', 'wallys_dr40x9', 'wallys_dr6018', 'x64_vm' ]
 
     steps:
     - uses: actions/checkout@v2

feeds/facebook/fbwifi/Makefile

@@ -1,77 +0,0 @@
-# Copyright (c) Facebook, Inc. and its affiliates.
-# All rights reserved.
-#
-# This source code is licensed under the license found in the
-# LICENSE file in the root directory of this source tree.
-#
-
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=fbwifi
-PKG_VERSION:=2
-PKG_RELEASE:=0
-PKG_LICENSE:=GPL-2.0
-
-PKG_MAINTAINER:=Simon Kinane <skinane@fb.com>
-
-PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/fbwifi
-  SUBMENU:=Captive Portals
-  SECTION:=net
-  CATEGORY:=Network
-  DEPENDS:=+iptables +luasec +luasocket \
-	+libuci-lua +luaposix \
-	+lua-cjson +uhttpd
-  TITLE:=Facebook Wi-Fi
-  PKGARCH:=all
-endef
-
-define Package/fbwifi/description
-  Facebook Wi-Fi, an AP authorisation solution
-endef
-
-
-define Package/luci-app-fbwifi
-  SUBMENU:=3. Applications
-  SECTION:=luci
-  CATEGORY:=LuCI
-  TITLE:=LuCI support for Facebook Wi-Fi
-  DEPENDS:= \
-	+fbwifi \
-	+luci-base +luci-mod-network +luci-mod-status +luci-theme-bootstrap
-endef
-
-define Package/luci-app-fbwifi/description
-  LuCI support for Facebook Wi-Fi
-endef
-
-
-define Package/fbwifi/conffiles
-/etc/config/fbwifi
-endef
-
-define Build/Prepare
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/fbwifi/install
-	$(INSTALL_DIR) $(1)
-	$(CP) ./files/fbwifi/* $(1)/
-endef
-
-define Package/luci-app-fbwifi/install
-	$(INSTALL_DIR) $(1)
-	$(CP) ./files/luci-app-fbwifi/* $(1)
-endef
-
-$(eval $(call BuildPackage,fbwifi))
-$(eval $(call BuildPackage,luci-app-fbwifi))

feeds/facebook/fbwifi/README.md

@@ -1,22 +0,0 @@
-# Facebook Wi-Fi v2.0 Reference Implementation for OpenWrt 
-
-## Getting started
-
-Case studies for OEM customers are available at the official page of [Facebook Wi-Fi](https://www.facebook.com/facebook-wifi).
-
-For OEM engineers, start by reading the init script in [files/etc/init.d/fbwifi](https://github.com/facebookincubator/fbc_owrt_feed/blob/master/fbwifi/files/etc/init.d/fbwifi)
-
-To enable Facebook Wi-Fi, configure the gateway_token in `/etc/config/fbwifi`, and run `fbwifi enable`.
-To disable Facebook Wi-Fi, run `fbwifi disable`.
-
-## Contents
-
-The 'files' subdirectory contains two subdirectories, one for the fbwifi
-package that implements the Facebook Wi-Fi v2.0 standard for OpenWrt, and
-another one containing a LuCI application to configure Facebook Wi-Fi.
-
-The folder structures follow *nix conventions:
-- 'etc' is the boot time scripts and configuration
-- 'usr' contains procedural scripts, lua common code module and GUI prototype for luci
-- 'www' contains the HTTP endpoints as CGI handlers 
-

feeds/facebook/fbwifi/files/fbwifi/etc/config/fbwifi

@@ -1,6 +0,0 @@
-config fbwifi 'main'
-	option enabled '0'
-	option gateway_token 'FBWIFI:GATEWAY|123456789|0123456789|abcdeABCDE123456789'
-	option http_port '2060'
-	option https_port '2061'
-	option zone 'lan'

feeds/facebook/fbwifi/files/fbwifi/etc/hotplug.d/iface/50-fbwifi

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-[ "$ACTION" = ifup ] || exit 0
-
-/etc/init.d/fbwifi enabled || exit 0
-
-ip route get fibmatch 1.1.1.1 | grep -q "$DEVICE" || exit 0
-
-logger -t fbwifi "Reloading fbwifi due to $ACTION of $INTERFACE ($DEVICE)"
-/etc/init.d/fbwifi restart

feeds/facebook/fbwifi/files/fbwifi/etc/init.d/fbwifi

@@ -1,43 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=90
-
-USE_PROCD=1
-
-reload_service() {
-	restart
-}
-
-service_triggers() {
-	procd_add_reload_trigger fbwifi
-}
-
-start_service() {
-
-	config_load fbwifi
-	config_get_bool enabled 'main' 'enabled' '0'
-	[ "$enabled" -eq 0 ] && return
-
-	config_get http_port main http_port
-	[ -z "$http_port" ] && {
-		logger -t fbwifi "required option http_port not set"
-		exit 1
-	}
-
-	config_get https_port main https_port
-	[ -z "$https_port" ] && {
-		logger -t fbwifi "required option https_port not set"
-		exit 1
-	}
-
-	logger "[fbwifi] Enabled; starting"
-
-	mkdir -p /tmp/fbwifi
-
-	/usr/sbin/fbwifi reload
-
-	procd_open_instance
-	procd_set_param command /usr/sbin/fbwifi_validate_token_db
-	procd_set_param respawn 1 300 0
-	procd_close_instance
-}

feeds/facebook/fbwifi/files/fbwifi/usr/lib/lua/fbwifi.lua

@@ -1,156 +0,0 @@
--- SPDX-License-Identifier: GPL-2.0-only
--- Copyright (c) Facebook, Inc. and its affiliates.
---
--- FBWIFI Lua library
--- function table
-local fbwifi = {}
-
-local http = require("ssl.https")
-local json = require("cjson")
-local log = require("posix.syslog")
-local uci = require("uci")
-
-function fbwifi.gateway_token()
-	token = uci.get("fbwifi.main.gateway_token")
-	if token and string.len(token) > 0 then
-		return token
-	else
-		log.syslog( log.LOG_WARNING, "[fbwifi] UCI option fbwifi.main.gateway_token is missing" )
-		return nil
-	end 
-end
-
-function fbwifi.validate_token( token )
-
-	local valid = false
-
-	if string.len(token or '' ) > 0 then
-
-	        GATEWAY_TOKEN = fbwifi.gateway_token()
-
-	        URL="https://api.fbwifi.com/v2.0/token"
-	        BODY="token="..token
-	        body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
-
-	        if code==200 then
-	                valid = true
-	        else
-	                log.syslog(log.LOG_WARNING, "[fbwifi] validate_token:"..body)
-	        end
-
-	end
-
-	return valid
-end
-
-local mac_to_purge=''
-function remove_client_by_mac(client)
-	state = uci.cursor("/var/state", "/tmp/fbwifi")
-
-	for key, value in pairs(client) do
-		if
-			key == 'mac' and
-			value == mac_to_purge
-		then
-			log.syslog(log.LOG_INFO, string.format("[fbwifi] Purging DB entry %s for MAC %s", client['.name'] or 'unknown', mac_to_purge) )
-			state:delete("fbwifi", client['.name'])
-			return
-		end
-	end
-end
-
-function fbwifi.instate_client_rule( token, client_mac )
-
-	log.syslog(log.LOG_INFO, "[fbwifi] Validating client "..client_mac)
-
-	state = uci.cursor("/var/state", "/tmp/fbwifi")
-	state_name = "token_" .. token
-
-	RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
-	RULE_FMT="iptables -w -t mangle -%s FBWIFI_CLIENT_TO_INTERNET -m mac --mac-source \"%s\" -j MARK --set-mark 0xfb"
-	local RULE
-
-	log.syslog(log.LOG_INFO, string.format("[fbwifi] Cleaning DB for MAC %s", client_mac) )
-	mac_to_purge = client_mac
-	state:foreach("fbwifi", "client", remove_client_by_mac)
-	
-		
-	log.syslog(log.LOG_INFO, string.format("[fbwifi] Adding DB entry %s for MAC %s", state_name, client_mac) )
-	state:set("fbwifi", state_name, "client")
-	state:set("fbwifi", state_name, "token", token)
-	state:set("fbwifi", state_name, "mac", client_mac)
-	state:set("fbwifi", state_name, "authenticated", "true")
-				
-	-- verify a rule exists for the given client MAC, 
-	--   OR install it
-	RULE=string.format(RULE_COND.." || "..RULE_FMT, client_mac, "A", client_mac)
-
-	log.syslog(log.LOG_INFO, string.format( "[fbwifi] Opening iptables for %s", client_mac ) )
-	res = os.execute(RULE)
-	if res ~= 0 then 
-		log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
-	end
-	log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
-
-	state:save('fbwifi')
-	state:commit('fbwifi')
-end
-
-function fbwifi.revoke_client_rule( token )
-        
-        if (token == nil) then
-                log.syslog(log.LOG_INFO, "[fbwifi] Invalidating token, but token is Nil")
-                return
-        end
-
-	log.syslog(log.LOG_INFO, string.format( "[fbwifi] Invalidating token (%s)", token) )
-
-	state = uci.cursor("/var/state", "/tmp/fbwifi")
-	state_name = "token_" .. token
-	
-	client_mac = state:get("fbwifi", state_name, "mac")
-
-	if client_mac then
-		RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
-		RULE_FMT="iptables -w -t mangle -%s FBWIFI_CLIENT_TO_INTERNET -m mac --mac-source \"%s\" -j MARK --set-mark 0xfb"
-
-		-- verify a rule exists for the given client MAC, 
-		--  AND delete it
-		RULE=string.format(RULE_COND.." && "..RULE_FMT, client_mac, "D", client_mac)
-
-		res = os.execute(RULE)
-		if res ~= 0 then 
-			log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
-		end
-		log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
-
-		state:delete("fbwifi", state_name)
-		state:save('fbwifi')
-		state:commit('fbwifi')
-	else
-		log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Client MAC not found in DB (%s)", state_name ) )
-	end
-end
-
-function fbwifi.reset()
-
-	local success = false
-        GATEWAY_TOKEN = fbwifi.gateway_token()
-        URL="https://api.fbwifi.com/v2.0/gateway/reset"
-	BODY="{}"
-        body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
-
-        if code==200 then
-                log.syslog(log.LOG_INFO, "[fbwifi] Reset committed")
-                success = true
-        else
-                log.syslog(log.LOG_WARNING, "[fbwifi] Reset failed : "..body)
-        end
-
-	return success
-end
-
---
--- Return the function table to the host script
---
-return fbwifi

feeds/facebook/fbwifi/files/fbwifi/usr/sbin/fbwifi

@@ -1,58 +0,0 @@
-#!/bin/sh
-
-case "$1" in
-disable)
-	uci set fbwifi.main.enabled=0
-
-	uci delete firewall.fbwifi
-
-	uci delete uhttpd.fbwifi_redirect
-
-	uci delete uhttpd.main.json_script
-	uci set uhttpd.main.cert='/etc/uhttpd.crt'
-	uci set uhttpd.main.key='/etc/uhttpd.key'
-	uci set uhttpd.main.rfc1918_filter=1
-	;;
-enable)
-	uci set fbwifi.main.enabled=1
-
-	uci set firewall.fbwifi=include
-	uci set firewall.fbwifi.enabled=1
-	uci set firewall.fbwifi.family=ipv4
-	uci set firewall.fbwifi.path=/usr/share/fbwifi/firewall.include
-	uci set firewall.fbwifi.reload=1
-	uci set firewall.fbwifi.type=script
-
-	uci set uhttpd.fbwifi_redirect=uhttpd
-	uci set uhttpd.fbwifi_redirect.enabled=1
-	uci set uhttpd.fbwifi_redirect.cert='/tmp/fbwifi/https_server_cert'
-	uci set uhttpd.fbwifi_redirect.home='/dev/null'
-	uci set uhttpd.fbwifi_redirect.json_script='/tmp/fbwifi/uhttpd-redirect.json'
-	uci set uhttpd.fbwifi_redirect.key='/tmp/fbwifi/https_server_key'
-	uci set uhttpd.fbwifi_redirect.listen_http='0.0.0.0:2060'
-	uci set uhttpd.fbwifi_redirect.listen_https='0.0.0.0:2061'
-
-	uci set uhttpd.main.cert='/tmp/fbwifi/https_server_cert'
-	uci set uhttpd.main.json_script='/usr/share/fbwifi/uhttpd.json'
-	uci set uhttpd.main.key='/tmp/fbwifi/https_server_key'
-	uci set uhttpd.main.rfc1918_filter=0
-	;;
-reload)
-	/usr/sbin/fbwifi_get_config
-
-	login_url=$(uci -c /var/state get fbwifi.main.captive_portal_url)
-	[ -z "$login_url" ] && {
-		logger -t fbwifi "captive_portal_url not available yet"
-		exit 1
-	}
-	printf '{ "request": [ ["redirect", "%s", 302] ] }' "$login_url" > /tmp/fbwifi/uhttpd-redirect.json
-
-	/etc/init.d/uhttpd restart
-
-	exit 0
-	;;
-esac
-
-uci commit
-/etc/init.d/uhttpd restart
-reload_config

feeds/facebook/fbwifi/files/fbwifi/usr/sbin/fbwifi_debug_dump

@@ -1,8 +0,0 @@
-echo -e "Runtime configuration and token DB\n"
-uci -c /var/state export fbwifi
-
-echo -e "\nDynamic firewall flow rules\n"
-iptables -t mangle -L FBWIFI_CLIENT_TO_INTERNET
-
-echo -e "\nDHCP leases\n"
-cat /tmp/dhcp.leases

feeds/facebook/fbwifi/files/fbwifi/usr/sbin/fbwifi_gateway_info_update

@@ -1,39 +0,0 @@
-#!/usr/bin/lua
-
-http = require("ssl.https")
-json = require("cjson")
-log = require("posix.syslog")
-socket = require("socket")
-require("uci")
-fbwifi = require("fbwifi")
-
-GATEWAY_TOKEN = fbwifi.gateway_token()
-state = uci.cursor("/var/state", "/tmp/fbwifi")
-
-payload="name="..socket.dns.gethostname()
-
-function queue_ssid_update(iface)
-	bssid_file="/sys/class/net/br-"..iface["network"].."/address"
-	local file = io.open(bssid_file)
-        if file then
-            for line in file:lines() do
-		payload=payload.."&bssid[]="..line
-            end
-	    file:close()
-	    payload=payload.."ssid[]="..iface["ssid"]
-        else
-	    log.syslog(log.LOG_WARNING, "[fbwifi] Failed to find BSSID for interface br-"..iface["network"])
-        end
-end
-
-state:foreach("wireless", "wifi-iface", queue_ssid_update)
-
-URL="https://api.fbwifi.com/v2.0/gateway"
-body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, payload)
-if code == 200 then 
-	log.syslog(log.LOG_INFO, "[fbwifi] gateway information updated "..body)
-	os.exit(0)
-else
-	log.syslog(log.LOG_WARNING, "[fbwifi] gateway API failed "..body)
-	os.exit(code)
-end

feeds/facebook/fbwifi/files/fbwifi/usr/sbin/fbwifi_get_config

@@ -1,111 +0,0 @@
-#!/usr/bin/lua
-http = require("ssl.https")
-json = require("cjson")
-require("uci")
-log = require("posix.syslog")
-fbwifi = require("fbwifi")
-
-GATEWAY_TOKEN = fbwifi.gateway_token()
-
-http_port = uci.get("fbwifi.main.http_port")
-https_port = uci.get("fbwifi.main.https_port")
-
-statefile = assert(io.open("/var/state/fbwifi", "a"), "could not create state file")
-statefile:close()
-
-state = uci.cursor("/var/state", "/tmp/fbwifi")
-
-URL="https://api.fbwifi.com/v2.0/gateway"
-body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN.."&fields=config,config_version")
-
-if code == 200 then
-	log.syslog(log.LOG_INFO, "[fbwifi] Got gateway config ("..code..")")
-else
-	log.syslog(log.LOG_CRIT, "[fbwifi] Failed to get gateway config ("..code..")")
-	os.exit(1)
-end
-
-obj = json.decode(body)
-
-function save_cert(name, value)
-	log.syslog(log.LOG_INFO, "[fbwifi] Saving cert "..name)
-	local f = assert(io.open("/tmp/fbwifi/"..name, "w"))
-	f:write(value)
-	f:close()
-end
-
-function process_redirect(ix, host)
-	IP_SET = "ip addr replace dev lo "..host
-	local result = os.execute(IP_SET)
-	if result == 0 then
-		log.syslog(log.LOG_INFO, "[fbwifi] Redirect address applied "..host)
-	else
-		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to apply redirect address "..host)
-	end
-
-	ip = string.match(host, '([0-9\.]*)/([0-9]*)')
-	RULE_FMT="grep -q \"%s\" /etc/hosts || echo \"%s\tstar.fbwifigateway.net\" >> /etc/hosts"
-	HOSTS_RULE = string.format(RULE_FMT, ip, ip)
-	result = os.execute(HOSTS_RULE)
-	if result == 0 then
-		log.syslog(log.LOG_INFO, "[fbwifi] Cached redirect host for DNS")
-	else
-		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to amend /etc/hosts")
-		log.syslog(log.LOG_INFO, "[fbwifi] "..HOSTS_RULE)
-	end
-
-	result = os.execute("iptables -t nat -A FBWIFI_HOST_REDIRLIST -p tcp --dport 80 -d "..ip.." -j ACCEPT # REDIRECT --to-ports "..http_port)
-	--print(result)
-	result = os.execute("iptables -t nat -A FBWIFI_HOST_REDIRLIST -p tcp --dport 443 -d "..ip.."  -j ACCEPT # REDIRECT --to-ports "..https_port)
-	--print(result)
-end
-
-save_cert("https_server_cert", obj['config']['https_server_cert'])
-save_cert("https_server_key", obj['config']['https_server_key'])
-
-result = os.execute("iptables -t nat -F FBWIFI_HOST_REDIRLIST")
---print(result)
-table.foreach(obj['config']['host_redirect_ips'], process_redirect)
-
-RULE_FORMAT = "iptables -t mangle -A FBWIFI_TRAFFIC_ALLOWLIST -d %s -p %s --dport %s -j MARK --set-mark 0xfb"
-function process_traffic_rule(ix, rule)
-	log.syslog(log.LOG_INFO, "[fbwifi] Traffic rule "..ix)
-	
-	if rule["protocol"] == 6 then
-		PROTO = "tcp"
-	elseif rule["protocol"] == 17 then
-		PROTO = "udp"
-	end
-	RULE = string.format(RULE_FORMAT, rule["ip"], PROTO, rule["port"])
-	local result = os.execute(RULE)
-	if result == 0 then
-		log.syslog(log.LOG_INFO, "[fbwifi] Traffic rule "..ix)
-	else
-		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to install traffic rule ; "..RULE)
-	end
-end
-
-local cross_origin_list = {}
-function process_cross_origin_rule(ix, url)
-	log.syslog(log.LOG_INFO, "[fbwifi] Cross origin rule "..url)
-	table.insert(cross_origin_list, url)
-end
-
-function process_url(url_purpose, fqdn)
-	log.syslog(log.LOG_INFO, "[fbwifi] Caching "..url_purpose)
-	state:set("fbwifi", "main", url_purpose, fqdn)	
-end
-
-state:set("fbwifi", "main", "config")
-
-result = os.execute("iptables -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST ")
---print(result)
-table.foreach(obj['config']['traffic_allowlist'], process_traffic_rule)
-table.foreach(obj['config']['cross_origin_allowlist'], process_cross_origin_rule)
-table.foreach(obj['config']['urls'], process_url)
-
-state:set("fbwifi", "main", "cross_origin_allow_rules", cross_origin_list)
-state:set("fbwifi", "main", "config_version", obj['config_version'])
-
-state:save('fbwifi')
-state:commit('fbwifi')

feeds/facebook/fbwifi/files/fbwifi/usr/sbin/fbwifi_validate_token_db

@@ -1,75 +0,0 @@
-#!/usr/bin/lua
-
-https = require("ssl.https")
-json = require("cjson")
-log = require("posix.syslog")
-fbwifi = require("fbwifi")
-require("uci")
-
-state = uci.cursor("/var/state", "/tmp/fbwifi")
-GATEWAY_TOKEN = fbwifi.gateway_token()
-
-request = { 
-	tokens = {}, 
-	traffic_type = "total",
-	config_version = state:get("fbwifi", "main", "config_version")
-}
-
-function queue_token(client)
-
-	request.tokens[client.token]={
-		incoming = json.null,
-		outgoing = json.null,
-		connected_time_sec = json.null,
-		inactive_time_sec = json.null,
-		signal_rssi_dbm = json.null,
-		--expected_tpus_mbps = json.null,
-		is_connected = true
-	}
-
-end
-
-state:foreach("fbwifi", "client", queue_token)
-print( "\nRequest:\n"..json.encode(request) )
-
-URL="https://api.fbwifi.com/v2.0/tokens"
-BODY=string.format(
-	"tokens=%s&traffic_type=%s&config_version=%s",
-	json.encode(request.tokens),
-	"total",
-	state:get("fbwifi", "main", "config_version")
-)
-
-body, code, headers = https.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
-
-if code then
-	print( "\nResponse:\n"..body )
-end
-
-response = json.decode(body)
---print(response)
---table.foreach(response,print)
---table.foreach(response.tokens,print)
-
-if response.config_valid then
-	log.syslog(log.LOG_INFO, "[fbwifi] Config validated")
-else
-	log.syslog(log.LOG_WARNING, "[fbwifi] config is stale, refreshing config")
-        local result = os.execute("/usr/sbin/fbwifi reload")
-        if result == 0 then
-                log.syslog(log.LOG_INFO, "[fbwifi] successfully fetched and loaded new config ")
-        else
-                log.syslog(log.LOG_WARNING, "[fbwifi] failed to fetch and load new config, possible stale config")
-        end
-end
-
-function process_token(token, metadata)
-	table.foreach(metadata,print)
-	if metadata.valid then
-		print("OK: "..token)	
-	else
-		print("Nok: "..token)	
-		fbwifi.revoke_client_rule( token )
-	end
-end
-table.foreach(response.tokens,process_token)

feeds/facebook/fbwifi/files/fbwifi/usr/share/fbwifi/firewall.include

@@ -1,75 +0,0 @@
-#!/bin/sh
-
-# SPDX-License-Identifier: GPL-2.0-only
-# Copyright (c) Facebook, Inc. and its affiliates.
-
-IPT4="/usr/sbin/iptables"
-
-set -- --wait 1 --wait-interval 100
-
-fbwifi_http_port="$(uci get fbwifi.main.http_port)"
-[ -n "$fbwifi_http_port" ] || {
-	logger -t fbwifi "required option http_port not set"
-	exit 1
-}
-
-fbwifi_https_port="$(uci get fbwifi.main.https_port)"
-[ -n "$fbwifi_https_port" ] || {
-	logger -t fbwifi "required option https_port not set"
-	exit 1
-}
-
-fbwifi_zone="$(uci get fbwifi.main.zone)"
-[ -n "$fbwifi_zone" ] || {
-	logger -t fbwifi "required option zone  not set"
-	exit 1
-}
-
-fbwifi_ifaces="$(fw3 -q zone "$fbwifi_zone")"
-
-## Create custom chains
-"$IPT4" "$@" -t filter -N FBWIFI_FORWARD 2>/dev/null
-"$IPT4" "$@" -t filter -N FBWIFI_INPUT 2>/dev/null
-"$IPT4" "$@" -t mangle -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
-"$IPT4" "$@" -t mangle -N FBWIFI_PREROUTING 2>/dev/null
-"$IPT4" "$@" -t mangle -N FBWIFI_TRAFFIC_ALLOWLIST 2>/dev/null
-"$IPT4" "$@" -t nat -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
-"$IPT4" "$@" -t nat -N FBWIFI_PREROUTING 2>/dev/null
-"$IPT4" "$@" -t nat -N FBWIFI_HOST_REDIRLIST 2>/dev/null
-
-## Flush custom chains
-"$IPT4" "$@" -t filter -F FBWIFI_FORWARD
-"$IPT4" "$@" -t filter -F FBWIFI_INPUT
-"$IPT4" "$@" -t mangle -F FBWIFI_CLIENT_TO_INTERNET
-"$IPT4" "$@" -t mangle -F FBWIFI_PREROUTING
-"$IPT4" "$@" -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST
-"$IPT4" "$@" -t nat -F FBWIFI_CLIENT_TO_INTERNET
-"$IPT4" "$@" -t nat -F FBWIFI_PREROUTING
-"$IPT4" "$@" -t nat -F FBWIFI_HOST_REDIRLIST
-
-## Populate custom chains
-"$IPT4" "$@" -t filter -A FBWIFI_FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-"$IPT4" "$@" -t filter -A FBWIFI_FORWARD -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
-"$IPT4" "$@" -t filter -A FBWIFI_FORWARD -j REJECT
-"$IPT4" "$@" -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_http_port" -m conntrack --ctstate NEW -j ACCEPT
-"$IPT4" "$@" -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_https_port"  -m conntrack --ctstate NEW -j ACCEPT
-"$IPT4" "$@" -t filter -A FBWIFI_INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-"$IPT4" "$@" -t mangle -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
-"$IPT4" "$@" -t mangle -A FBWIFI_PREROUTING -j FBWIFI_TRAFFIC_ALLOWLIST
-"$IPT4" "$@" -t nat -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p udp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p udp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
-"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j REDIRECT --to-ports "$fbwifi_http_port"
-
-## Hook custom chains in firewall3 chains
-"$IPT4" "$@" -t filter -I "zone_${fbwifi_zone}_input" 2 -j FBWIFI_INPUT
-"$IPT4" "$@" -t filter -I "zone_${fbwifi_zone}_forward" 2 -j FBWIFI_FORWARD
-"$IPT4" "$@" -t nat -I "zone_${fbwifi_zone}_prerouting" 2 -j FBWIFI_PREROUTING
-# There are no firewall3 zone chains in the mangle table so we need to do this for all interfaces in the zone
-for iface in $fbwifi_ifaces; do
-	"$IPT4" "$@" -t mangle -I PREROUTING -i "$iface" -j FBWIFI_PREROUTING
-done

feeds/facebook/fbwifi/files/fbwifi/usr/share/fbwifi/uhttpd.json

@@ -1,8 +0,0 @@
-{
-  "request": [
-    [ "if",
-      [ "regex", "REQUEST_URI", "^/fbwifi" ],
-      [ "rewrite", "/cgi-bin%REQUEST_URI%" ]
-    ]
-  ]
-}

feeds/facebook/fbwifi/files/fbwifi/www/cgi-bin/fbwifi/v2.0/auth

@@ -1,70 +0,0 @@
-#!/usr/bin/lua
-require("uci")
-log = require("posix.syslog")
-fbwifi = require("fbwifi")
-
-state = uci.cursor("/var/state", "/tmp/fbwifi")
-function process_cors()
-	origin = os.getenv("HTTP_ORIGIN")
-	log.syslog(log.LOG_INFO, string.format("[fbwifi] [auth] process_cors origin %s", origin or 'not found') )
-	if string.len(origin or '') > 0 then
-		allow_list = state:get("fbwifi", "main", "cross_origin_allow_rules")
-		for _, value in pairs(allow_list) do
-    			if value == origin then
-				log.syslog(log.LOG_INFO, "[fbwifi] [auth] process_cors Appending CORS Headers to HTTP")
-				print("Access-Control-Allow-Origin: "..origin)
-				print("Vary: Origin")
-				break
-			end
-		end
-	else	
-		log.syslog(log.LOG_INFO, "[fbwifi] [auth] process_cors No CORS Headers added to Response")
-	end
-end
-
-method = os.getenv("REQUEST_METHOD")
-if method == 'GET' then
-	log.syslog(log.LOG_INFO, "[fbwifi] [auth] GET handler")
-	print("Status: 302 Found")
-	print("Location: "..state:get("fbwifi", "main", "landing_page_url"))
-	process_cors()
-	print ('\n')
-
-elseif method == 'POST' then
-	local token
-	
-	log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler")
-	process_cors()
-	print("Status: 200 OK")
-
-	form_data=io.read()
-	while form_data do
-		token = string.match(form_data, '[%d]+')
-		if string.len(token or '') > 14 then
-
-			client = os.getenv("REMOTE_ADDR")
-			f = io.popen("awk '/"..client..".*0x2/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
-			client_mac = assert(f:read('*a'))
-			f:close()
-
-			if fbwifi.validate_token(token) then
-                                log.syslog(log.LOG_INFO, string.format( "[fbwifi] [auth] POST handler : Validating Token (%s) for MAC (%s)", token or 'nil', client_mac or 'nil') )
-				fbwifi.instate_client_rule(token, client_mac)
-				print("\n{\"valid\":true}\n")
-			else
-                                log.syslog(log.LOG_WARNING, string.format( "[fbwifi] [auth] POST handler : ! Invalid token (%s) for mac (%s) !", token or 'nil', client_mac or 'nil') )
-				fbwifi.revoke_client_rule(token)
-				print("\n{\"valid\":false}\n")
-			end
-			log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler completed")
-			return
-		end
-
-		form_data=io.read()
-	end
-	print ('\n')
-
-	log.syslog(log.LOG_WARNING, string.format("[fbwifi] [auth] POST handler : token not found" ))
-	fbwifi.revoke_client_rule(token)
-	print("\n{\"valid\":false}\n")
-end

feeds/facebook/fbwifi/files/fbwifi/www/cgi-bin/fbwifi/v2.0/capport

@@ -1,42 +0,0 @@
-#!/usr/bin/lua
-json = require("cjson")
-require("uci")
-
-state = uci.cursor("/var/state", "/tmp/fbwifi")
-client_mac = ""
-token = ""
-
-response = {}
-response['venue-info-url'] = state:get("fbwifi", "main", "capport_venue_info_url")
-
-function map_remote_mac_to_token(client)
-        for key, value in pairs(client) do
-                if
-                        key == 'mac' and
-                        value == client_mac
-                then
-			token = client.token
-                        return false
-                end
-        end
-end
-
-function hasValidToken(client_ip)
-	f = io.popen("awk '/"..client_ip..".*0x2/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
-	client_mac = assert(f:read('*a'))
-	f:close()
-	state:foreach("fbwifi", "client", map_remote_mac_to_token)
-
-	return 0 < string.len(token)
-end
-
-print("Content-type: application/captive+json; charset=utf-8\n")
-
-client = os.getenv("REMOTE_ADDR")
-response['captive'] = not hasValidToken(client)
-
-if response['captive'] then
-	response['user-portal-url'] = state:get("fbwifi", "main", "captive_portal_url")
-end
-
-print( json.encode(response) )

feeds/facebook/fbwifi/files/fbwifi/www/cgi-bin/fbwifi/v2.0/info

@@ -1,57 +0,0 @@
-#!/usr/bin/lua
-json = require("cjson")
-fbwifi = require("fbwifi")
-
-state = uci.cursor("/var/state", "/tmp/fbwifi")
-GATEWAY_TOKEN = fbwifi.gateway_token()
-
-response = { api_version = "2.0", token = json.null }
-client_mac = ""
-
-function process_cors()
-        origin = os.getenv("HTTP_ORIGIN")
-        if string.len(origin or '') > 0 then
-                allow_list = state:get("fbwifi", "main", "cross_origin_allow_rules")
-                for _, value in pairs(allow_list) do
-                        if value == origin then
-                                print("Access-Control-Allow-Origin: "..origin)
-                                print("Vary: Origin")
-                                break
-                        end
-                end
-        end
-end
-
-function map_remote_mac_to_token(client)
-
-	for key, value in pairs(client) do
-		if
-			key == 'mac' and
-			value == client_mac
-		then
-			response.token = client.token
-			return false -- escape outer loop
-		end
-	end
-end
-
-function getClientToken(client_ip)
-	f = io.popen("awk '/"..client_ip..".*0x2/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
-	client_mac = assert(f:read('*a'))
-	f:close()
-
-	state:foreach("fbwifi", "client", map_remote_mac_to_token)
-end
-
-function getGatewayId()
-	id = string.match(GATEWAY_TOKEN, 'FBWIFI:GATEWAY|[0-9]*|([0-9]*)')
-	return id
-end
-
-process_cors()
-print("Content-type: application/json; charset=utf-8\n")
-
-getClientToken(os.getenv("REMOTE_ADDR"))
-response.gateway_id = getGatewayId()
-
-print( json.encode(response) )

feeds/facebook/fbwifi/files/luci-app-fbwifi/usr/lib/lua/luci/controller/fbwifi.lua

@@ -1,12 +0,0 @@
--- SPDX-License-Identifier: GPL-2.0-only
--- Copyright (c) Facebook, Inc. and its affiliates.
-
-module("luci.controller.fbwifi", package.seeall)
-
-sys = require "luci.sys"
-ut = require "luci.util"
-
-function index()
-    entry({"admin", "network", "fbwifi"}, template("fbwifi"), "Facebook Wi-Fi", 90).dependent=false
-end
-

feeds/facebook/fbwifi/files/luci-app-fbwifi/usr/lib/lua/luci/view/fbwifi.htm

@@ -1,16 +0,0 @@
-<%#
- Copyright
- Licensed to the public under the GNU General Public License v2.
--%>
-
-<%+header%>
-
-<h1>Facebook Wi-Fi</h1>
-<%
-	require("uci")
-	state = uci.cursor("/var/state", "/tmp/fbwifi")
-	url = state:get("fbwifi", "main", "captive_portal_config_url")
-%>
-<a href="<% print(url) %>">Configure FB business page</a>
-
-<%+footer%>

feeds/ipq807x/ipq807x/base-files/etc/board.d/02_network

@@ -31,10 +31,15 @@ qcom_setup_interfaces()
 	cig,wf194c|\
 	cig,wf194c4|\
 	edgecore,eap106|\
+	indio,um-310ax-v1|\
+	indio,um-510axp-v1|\
+	indio,um-510axm-v1|\
 	qcom,ipq5018-mp03.3|\
 	yuncore,ax840|\
 	motorola,q14|\
-	sercomm,wallaby)
+	sercomm,wallaby|\
+	plasmacloud,pax1800-v1|\
+	plasmacloud,pax1800-v2)
 		ucidef_set_interface_lan "eth0"
 		ucidef_set_interface_wan "eth1"
 		;;
@@ -56,7 +61,9 @@ qcom_setup_interfaces()
 		ucidef_set_interface_wan "eth4"
 		;;
 	wallys,dr6018-v4|\
-	glinet,ax1800)
+	glinet,ax1800|\
+	meshpp,s618-cp03|\
+	meshpp,s618-cp01)
 		ucidef_set_interface_lan "eth1 eth2 eth3 eth4"
 		ucidef_set_interface_wan "eth0"
 		;;
@@ -95,6 +102,13 @@ qcom_setup_macs()
 		ucidef_set_network_device_mac eth1 $lan_mac
 		ucidef_set_label_macaddr $wan_mac
 		;;
+	indio,um-310ax-v1|\
+	indio,um-510axp-v1|\
+	indio,um-510axm-v1|\
+	yuncore,ax840)
+		wan_mac=$(cat /sys/class/net/eth1/address)
+		lan_mac=$(macaddr_add "$wan_mac" 1)
+		;;
 	*)
 		wan_mac=$(cat /sys/class/net/eth0/address)
 		lan_mac=$(macaddr_add "$wan_mac" 1)

feeds/ipq807x/ipq807x/base-files/etc/hotplug.d/firmware/10-ath11k-caldata

@@ -49,6 +49,15 @@ ath11k_generate_macs_ion4x() {
 	echo -ne \\x${wifimac2//:/\\x} >> /lib/firmware/ath11k-macs
 }
 
+ath11k_generate_macs_pax1800() {
+	touch /lib/firmware/ath11k-macs
+	eth=$(cat /sys/class/net/eth0/address)
+	mac1=$(macaddr_add $eth 10)
+	mac2=$(macaddr_add $eth 2)
+	echo -ne \\x${mac1//:/\\x} >> /lib/firmware/ath11k-macs
+	echo -ne \\x${mac2//:/\\x} >> /lib/firmware/ath11k-macs
+}
+
 caldata_die() {
         echo "caldata: " "$*"
         exit 1
@@ -77,6 +86,9 @@ case "$FIRMWARE" in
 	cig,wf196|\
 	edgecore,eap102 |\
 	edgecore,eap106 |\
+	indio,um-310ax-v1|\
+	indio,um-510axp-v1|\
+	indio,um-510axm-v1|\
 	qcom,ipq807x-hk01|\
 	qcom,ipq807x-hk14|\
 	tplink,ex227|\
@@ -96,9 +108,14 @@ case "$FIRMWARE" in
 	hfcl,ion4xe|\
 	wallys,dr6018|\
 	wallys,dr6018-v4|\
+	meshpp,ipq6018-cp01|\
+	meshpp,ipq6018-cp03|\
+	qcom,ipq6018-cp03|\
 	qcom,ipq6018-cp01|\
 	xiaomi,ax1800|\
-	glinet,ax1800)
+	glinet,ax1800|\
+	plasmacloud,pax1800-v1|\
+	plasmacloud,pax1800-v2)
                 caldata_extract "0:ART" 0x1000 0x20000  
 		;;
 	esac
@@ -131,6 +148,7 @@ ath11k/qcn6122/hw1.0/caldata_2.bin)
 ath11k/QCN9074/hw1.0/caldata_1.bin)
 	case "$board" in
 	cig,wf196|\
+	wallys,dr6018-v4|\
 	cybertan,eww622-a1|\
 	qcom,ipq5018-mp03.1|\
 	qcom,ipq807x-hk14)
@@ -155,8 +173,12 @@ ath11k-macs)
 	edgecore,eap101)
 		ath11k_generate_macs_eap101
 		;;
+	yuncore,ax840|\
 	edgecore,eap102|\
 	edgecore,eap106|\
+	indio,um-310ax-v1|\
+	indio,um-510axp-v1|\
+	indio,um-510axm-v1|\
 	cig,wf188n)
 		ath11k_generate_macs
 		;;
@@ -164,6 +186,10 @@ ath11k-macs)
 	cig,wf194c)
 		ath11k_generate_macs_wf194
 		;;
+	plasmacloud,pax1800-v1|\
+	plasmacloud,pax1800-v2)
+		ath11k_generate_macs_pax1800
+		;;
 	esac
 	;;
 *)

feeds/ipq807x/ipq807x/base-files/lib/upgrade/dualboot_datachk.sh

@@ -0,0 +1,126 @@
+# The U-Boot loader with the datachk patchset for dualbooting requires image
+# sizes and checksums to be provided in the U-Boot environment.
+# The devices come with 2 main partitions - while one is active
+# sysupgrade will flash the other. The boot order is changed to boot the
+# newly flashed partition. If the new partition can't be booted due to
+# upgrade failures the previously used partition is loaded.
+
+platform_post_upgrade_sanity_check()
+{
+	local part_name=$1
+	local inactive_mtd=$2
+	local cfg_md5=$3
+	local part_offset=$4
+	local part_size=$5
+
+	md5_part_disk=$(dd if=/dev/${inactive_mtd} bs=$((64*1024)) skip=$((part_offset / (64*1024))) count=$((part_size / (64*1024))) 2>&- | md5sum | awk '{print $1}')
+
+	if [ "${cfg_md5}" != "${md5_part_disk}" ]; then
+	      echo "post-flashing checksum mismatch: ${part_name}" >&2
+	      echo "${cfg_md5} != ${md5_part_disk}"
+	      return 1
+	fi
+
+	return 0
+}
+
+platform_do_upgrade_dualboot_datachk() {
+	local tar_file="$1"
+	local restore_backup
+	local primary_kernel_mtd
+
+	local setenv_script="/tmp/fw_env_upgrade"
+
+	local kernel_mtd="$(find_mtd_index $PART_NAME)"
+	local kernel_offset="$(cat /sys/class/mtd/mtd${kernel_mtd}/offset)"
+	local total_size="$(cat /sys/class/mtd/mtd${kernel_mtd}/size)"
+
+	# detect to which flash region the new image is written to.
+	#
+	# 1. check what is the mtd index for the first flash region on this
+	#    device
+	# 2. check if the target partition ("inactive") has the mtd index of
+	#    the first flash region
+	#
+	#    - when it is: the new bootseq will be 1,2 and the first region is
+	#      modified
+	#    - when it isnt: bootseq will be 2,1 and the second region is
+	#      modified
+	#
+	# The detection has to be done via the hardcoded mtd partition because
+	# the current boot might be done with the fallback region. Let us
+	# assume that the current bootseq is 1,2. The bootloader detected that
+	# the image in flash region 1 is corrupt and thus switches to flash
+	# region 2. The bootseq in the u-boot-env is now still the same and
+	# the sysupgrade code can now only rely on the actual mtd indexes and
+	# not the bootseq variable to detect the currently booted flash
+	# region/image.
+	#
+	# In the above example, an implementation which uses bootseq ("1,2") to
+	# detect the currently booted image would assume that region 1 is booted
+	# and then overwrite the variables for the wrong flash region (aka the
+	# one which isn't modified). This could result in a device which doesn't
+	# boot anymore to Linux until it was reflashed with ap51-flash.
+	local next_boot_part="1"
+	case "$(board_name)" in
+	plasmacloud,pax1800-v1|\
+	plasmacloud,pax1800-v2)
+		primary_kernel_mtd=9
+		;;
+	*)
+		echo "failed to detect primary kernel mtd partition for board"
+		return 1
+		;;
+	esac
+	[ "$kernel_mtd" = "$primary_kernel_mtd" ] || next_boot_part="2"
+
+	local board_dir=$(tar tf $tar_file | grep -m 1 '^sysupgrade-.*/$')
+	board_dir=${board_dir%/}
+
+	local kernel_length=$(tar xf $tar_file ${board_dir}/kernel -O | wc -c)
+	local rootfs_length=$(tar xf $tar_file ${board_dir}/root -O | wc -c)
+	# rootfs without EOF marker
+	rootfs_length=$((rootfs_length-4))
+
+	local kernel_md5=$(tar xf $tar_file ${board_dir}/kernel -O | md5sum); kernel_md5="${kernel_md5%% *}"
+	# md5 checksum of rootfs with EOF marker
+	local rootfs_md5=$(tar xf $tar_file ${board_dir}/root -O | dd bs=1 count=$rootfs_length | md5sum); rootfs_md5="${rootfs_md5%% *}"
+
+	#
+	# add tar support to get_image() to use default_do_upgrade() instead?
+	#
+
+	# take care of restoring a saved config
+	[ -n "$UPGRADE_BACKUP" ] && restore_backup="${MTD_CONFIG_ARGS} -j ${UPGRADE_BACKUP}"
+
+	mtd -q erase inactive
+	tar xf $tar_file ${board_dir}/root -O | mtd -n -p $kernel_length $restore_backup write - $PART_NAME
+	tar xf $tar_file ${board_dir}/kernel -O | mtd -n write - $PART_NAME
+
+	platform_post_upgrade_sanity_check "kernel" "mtd${kernel_mtd}" $kernel_md5 0 $kernel_length || return 1
+	platform_post_upgrade_sanity_check "rootfs" "mtd${kernel_mtd}" $rootfs_md5 $kernel_length $rootfs_length || return 1
+
+	# prepare new u-boot env
+	if [ "$next_boot_part" = "1" ]; then
+		echo "bootseq 1,2" > $setenv_script
+	else
+		echo "bootseq 2,1" > $setenv_script
+	fi
+
+	printf "kernel_size_%i 0x%08x\n" $next_boot_part $kernel_length >> $setenv_script
+	printf "vmlinux_start_addr 0x%08x\n" ${kernel_offset} >> $setenv_script
+	printf "vmlinux_size 0x%08x\n" ${kernel_length} >> $setenv_script
+	printf "vmlinux_checksum %s\n" ${kernel_md5} >> $setenv_script
+
+	printf "rootfs_size_%i 0x%08x\n" $next_boot_part $((total_size-kernel_length)) >> $setenv_script
+	printf "rootfs_start_addr 0x%08x\n" $((kernel_offset+kernel_length)) >> $setenv_script
+	printf "rootfs_size 0x%08x\n" ${rootfs_length} >> $setenv_script
+	printf "rootfs_checksum %s\n" ${rootfs_md5} >> $setenv_script
+
+	# store u-boot env changes
+	mkdir -p /var/lock
+	fw_setenv -s $setenv_script || {
+		echo "failed to update U-Boot environment"
+		return 1
+	}
+}

feeds/ipq807x/ipq807x/base-files/lib/upgrade/platform.sh

@@ -1,7 +1,8 @@
 . /lib/functions/system.sh
 
-RAMFS_COPY_BIN='fw_printenv fw_setenv'
-RAMFS_COPY_DATA='/etc/fw_env.config /var/lock/fw_printenv.lock'
+
+RAMFS_COPY_BIN='fw_setenv'
+RAMFS_COPY_DATA='/etc/fw_env.config /var/lock/fw_printenv.lock /tmp/downgrade'
 
 qca_do_upgrade() {
         local tar_file="$1"
@@ -75,6 +76,9 @@ platform_check_image() {
 	cybertan,eww622-a1|\
 	glinet,ax1800|\
 	glinet,axt1800|\
+	indio,um-310ax-v1|\
+	indio,um-510axp-v1|\
+	indio,um-510axm-v1|\
 	wallys,dr6018|\
 	wallys,dr6018-v4|\
 	edgecore,eap101|\
@@ -83,6 +87,8 @@ platform_check_image() {
 	edgecore,eap106|\
 	hfcl,ion4xi|\
 	hfcl,ion4xe|\
+	plasmacloud,pax1800-v1|\
+	plasmacloud,pax1800-v2|\
 	tplink,ex227|\
 	tplink,ex447|\
 	yuncore,ax840|\
@@ -115,9 +121,11 @@ platform_do_upgrade() {
 	cig,wf194c4|\
 	cig,wf196|\
 	cybertan,eww622-a1|\
-	edgecore,eap104|\
 	glinet,ax1800|\
 	glinet,axt1800|\
+	indio,um-310ax-v1|\
+	indio,um-510axp-v1|\
+	indio,um-510axm-v1|\
 	qcom,ipq6018-cp01|\
 	qcom,ipq807x-hk01|\
 	qcom,ipq807x-hk14|\
@@ -126,7 +134,9 @@ platform_do_upgrade() {
 	wallys,dr6018-v4|\
 	yuncore,ax840|\
 	tplink,ex447|\
-	tplink,ex227)	
+	tplink,ex227|\
+	meshpp,s618-cp03|\
+	meshpp,s618-cp01)
 		nand_upgrade_tar "$1"
 		;;
 	hfcl,ion4xi|\
@@ -140,6 +150,7 @@ platform_do_upgrade() {
 		fi
 		nand_upgrade_tar "$1"
 		;;
+	edgecore,eap104|\
 	edgecore,eap106)
 		CI_UBIPART="rootfs1"
 		[ "$(find_mtd_chardev rootfs)" ] && CI_UBIPART="rootfs"
@@ -150,7 +161,11 @@ platform_do_upgrade() {
 		if [ "$(find_mtd_chardev rootfs)" ]; then
 			CI_UBIPART="rootfs"
 		else
-			if grep -q rootfs1 /proc/cmdline; then
+			if [ -e /tmp/downgrade ]; then
+				CI_UBIPART="rootfs1"
+				fw_setenv active 1 || exit 1
+				fw_setenv upgrade_available 0 || exit 1
+			elif grep -q rootfs1 /proc/cmdline; then
 				CI_UBIPART="rootfs2"
 				fw_setenv active 2 || exit 1
 			else
@@ -160,5 +175,10 @@ platform_do_upgrade() {
 		fi
 		nand_upgrade_tar "$1"
 		;;
+	plasmacloud,pax1800-v1|\
+	plasmacloud,pax1800-v2)
+		PART_NAME="inactive"
+		platform_do_upgrade_dualboot_datachk "$1"
+		;;
 	esac
 }

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-indio-um-310ax-v1.dts

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-indio-um-310ax-v1.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-indio-um-510axm-v1.dts

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-indio-um-510axm-v1.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-indio-um-510axp-v1.dts

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-indio-um-510axp-v1.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-meshpp-s618-cp01.dts

@@ -0,0 +1,2 @@
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-meshpp-s618-cp01.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-meshpp-s618-cp03.dts

@@ -0,0 +1,2 @@
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-meshpp-s618-cp03.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-pax1800-v1.dts

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-pax1800-v1.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm/boot/dts/qcom-ipq6018-pax1800-v2.dts

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "../../../arm64/boot/dts/qcom/qcom-ipq6018-pax1800-v2.dts"
+#include "qcom-ipq6018.dtsi"

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-indio-um-310ax-v1.dts

@@ -0,0 +1,379 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+/dts-v1/;
+
+#include "qcom-ipq6018.dtsi"
+#include "qcom-ipq6018-rpm-regulator.dtsi"
+#include "qcom-ipq6018-cpr-regulator.dtsi"
+#include "qcom-ipq6018-cp-cpu.dtsi"
+#include <dt-bindings/input/input.h>
+#include <dt-bindings/gpio/gpio.h>
+
+/ {
+	model = "Indio UM-310AX V1";
+	compatible = "indio,um-310ax-v1", "qcom,ipq6018-cp03", "qcom,ipq6018";
+
+	#address-cells = <0x2>;
+	#size-cells = <0x2>;
+	interrupt-parent = <&intc>;
+
+	aliases {
+		/* Aliases as required by u-boot to patch MAC addresses */
+		ethernet0 = "/soc/dp2";
+		ethernet1 = "/soc/dp1";
+
+		serial0 = &blsp1_uart3;
+		serial1 = &blsp1_uart2;
+
+		led-boot = &led_system;
+		led-failsafe = &led_system;
+		led-running = &led_system;
+		led-upgrade = &led_system;
+	};
+
+	chosen {
+		bootargs = "console=ttyMSM0,115200,n8 rw init=/init";
+		bootargs-append = " swiotlb=1 coherent_pool=2M";
+	};
+
+/* TZAPP is enabled only in default memory profile */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+	reserved-memory {
+		tzapp:tzapp@49B00000 {	/* TZAPPS */
+			no-map;
+			reg = <0x0 0x49B00000 0x0 0x00600000>;
+		};
+	};
+#endif
+};
+
+&tlmm {
+	uart_pins: uart_pins {
+		mux {
+			pins = "gpio44", "gpio45";
+			function = "blsp2_uart";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	spi_0_pins: spi_0_pins {
+		mux {
+			pins = "gpio38", "gpio39", "gpio40", "gpio41";
+			function = "blsp0_spi";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	qpic_pins: qpic_pins {
+		data_0 {
+			pins = "gpio15";
+			function = "qpic_pad0";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_1 {
+			pins = "gpio12";
+			function = "qpic_pad1";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_2 {
+			pins = "gpio13";
+			function = "qpic_pad2";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_3 {
+			pins = "gpio14";
+			function = "qpic_pad3";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_4 {
+			pins = "gpio5";
+			function = "qpic_pad4";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_5 {
+			pins = "gpio6";
+			function = "qpic_pad5";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_6 {
+			pins = "gpio7";
+			function = "qpic_pad6";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_7 {
+			pins = "gpio8";
+			function = "qpic_pad7";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		qpic_pad {
+			pins = "gpio1",  "gpio3",  "gpio4",
+			       "gpio10", "gpio11", "gpio17";
+			function = "qpic_pad";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	button_pins: button_pins {
+		rst_button {
+			pins = "gpio19";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+	};
+
+	mdio_pins: mdio_pinmux {
+		mux_0 {
+			pins = "gpio64";
+			function = "mdc";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_1 {
+			pins = "gpio65";
+			function = "mdio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_2 {
+			pins = "gpio75";
+			function = "gpio";
+			bias-pull-up;
+		};
+	};
+
+	modem_power_pins {
+		mux {
+			pins = "gpio27";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+			output-high;
+		};
+	};
+
+	leds_pins: leds_pins {
+		led_blue {
+			pins = "gpio35";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+
+		led_green {
+			pins = "gpio37";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+
+		led_red {
+			pins = "gpio32";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+	};
+};
+
+&soc {
+	mdio: mdio@90000 {
+		status = "ok";
+
+		pinctrl-0 = <&mdio_pins>;
+		pinctrl-names = "default";
+		phy-reset-gpio = <&tlmm 75 0>;
+
+		ethernet-phy@0 {
+			reg = <0x03>;
+		};
+
+		ethernet-phy@1 {
+			reg = <0x04>;
+		};
+	};
+
+	ess-switch@3a000000 {
+		switch_cpu_bmp =   <0x01>; /* cpu port bitmap */
+		switch_lan_bmp =   <0x10>; /* lan port bitmap */
+		switch_wan_bmp =   <0x20>; /* wan port bitmap */
+		switch_inner_bmp = <0x80>; /*inner port bitmap*/
+		switch_mac_mode =  <0x00>; /* mac mode for uniphy instance0*/
+		switch_mac_mode1 = <0xff>; /* mac mode for uniphy instance1*/
+		switch_mac_mode2 = <0xff>; /* mac mode for uniphy instance2*/
+
+		qcom,port_phyinfo {
+			port@3 {
+				port_id = <0x04>;
+				phy_address = <0x03>;
+			};
+
+			port@4 {
+				port_id = <0x05>;
+				phy_address = <0x04>;
+			};
+		};
+	};
+
+	dp1 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x04>;
+		reg = <0x3a001600 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x03>;
+		phy-mode = "sgmii";
+	};
+
+	dp2 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x05>;
+		reg = <0x3a001800 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x04>;
+		phy-mode = "sgmii";
+	};
+
+	gpio_keys {
+		compatible = "gpio-keys";
+
+		pinctrl-0 = <&button_pins>;
+		pinctrl-names = "default";
+
+		reset {
+			label = "reset";
+			linux,code = <KEY_RESTART>;
+			gpios = <&tlmm 19 GPIO_ACTIVE_LOW>;
+			linux,input-type = <1>;
+			debounce-interval = <60>;
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		pinctrl-0 = <&leds_pins>;
+		pinctrl-names = "default";
+
+		led_system: system {
+			label = "green:system";
+			gpio = <&tlmm 37 GPIO_ACTIVE_HIGH>;
+		};
+
+		wlan2g {
+			label = "blue:wlan2g";
+			gpio = <&tlmm 35 GPIO_ACTIVE_HIGH>;
+		};
+
+		wlan5g {
+			label = "red:wlan5g";
+			gpio = <&tlmm 32 GPIO_ACTIVE_HIGH>;
+		};
+	};
+};
+
+&blsp1_uart3 {
+	pinctrl-0 = <&uart_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&spi_0 {
+	pinctrl-0 = <&spi_0_pins>;
+	pinctrl-names = "default";
+	cs-select = <0>;
+	status = "ok";
+
+	m25p80@0 {
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0>;
+		compatible = "n25q128a11";
+		linux,modalias = "m25p80", "n25q128a11";
+		spi-max-frequency = <50000000>;
+		use-default-sizes;
+	};
+};
+
+&qpic_bam {
+	status = "ok";
+};
+
+&nand {
+	pinctrl-0 = <&qpic_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&nss_crypto {
+	status = "ok";
+};
+
+&cpu0_opp_table {
+	compatible = "operating-points-v2";
+	opp-shared;
+
+	opp03 {
+		opp-hz = /bits/ 64 <1200000000>;
+		opp-microvolt = <3>;
+		clock-latency-ns = <200000>;
+	};
+
+	/delete-node/ opp04;
+	/delete-node/ opp05;
+	/delete-node/ opp06;
+};
+
+/* TZAPP is enabled in default memory profile only */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+&qseecom {
+	mem-start = <0x49B00000>;
+	mem-size = <0x600000>;
+	status = "ok";
+};
+#endif
+
+&ssphy_0 {
+	status = "ok";
+};
+
+&qusb_phy_0 {
+	status = "ok";
+};
+
+&qusb_phy_1 {
+	status = "ok";
+};
+
+&usb2 {
+	status = "ok";
+};
+
+&usb3 {
+	status = "ok";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-indio-um-510axm-v1.dts

@@ -0,0 +1,379 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+/dts-v1/;
+
+#include "qcom-ipq6018.dtsi"
+#include "qcom-ipq6018-rpm-regulator.dtsi"
+#include "qcom-ipq6018-cpr-regulator.dtsi"
+#include "qcom-ipq6018-cp-cpu.dtsi"
+#include <dt-bindings/input/input.h>
+#include <dt-bindings/gpio/gpio.h>
+
+/ {
+	model = "Indio UM-510AXM V1";
+	compatible = "indio,um-510axm-v1", "qcom,ipq6018-cp03", "qcom,ipq6018";
+
+	#address-cells = <0x2>;
+	#size-cells = <0x2>;
+	interrupt-parent = <&intc>;
+
+	aliases {
+		/* Aliases as required by u-boot to patch MAC addresses */
+		ethernet0 = "/soc/dp2";
+		ethernet1 = "/soc/dp1";
+
+		serial0 = &blsp1_uart3;
+		serial1 = &blsp1_uart2;
+
+		led-boot = &led_system;
+		led-failsafe = &led_system;
+		led-running = &led_system;
+		led-upgrade = &led_system;
+	};
+
+	chosen {
+		bootargs = "console=ttyMSM0,115200,n8 rw init=/init";
+		bootargs-append = " swiotlb=1 coherent_pool=2M";
+	};
+
+/* TZAPP is enabled only in default memory profile */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+	reserved-memory {
+		tzapp:tzapp@49B00000 {	/* TZAPPS */
+			no-map;
+			reg = <0x0 0x49B00000 0x0 0x00600000>;
+		};
+	};
+#endif
+};
+
+&tlmm {
+	uart_pins: uart_pins {
+		mux {
+			pins = "gpio44", "gpio45";
+			function = "blsp2_uart";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	spi_0_pins: spi_0_pins {
+		mux {
+			pins = "gpio38", "gpio39", "gpio40", "gpio41";
+			function = "blsp0_spi";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	qpic_pins: qpic_pins {
+		data_0 {
+			pins = "gpio15";
+			function = "qpic_pad0";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_1 {
+			pins = "gpio12";
+			function = "qpic_pad1";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_2 {
+			pins = "gpio13";
+			function = "qpic_pad2";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_3 {
+			pins = "gpio14";
+			function = "qpic_pad3";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_4 {
+			pins = "gpio5";
+			function = "qpic_pad4";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_5 {
+			pins = "gpio6";
+			function = "qpic_pad5";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_6 {
+			pins = "gpio7";
+			function = "qpic_pad6";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_7 {
+			pins = "gpio8";
+			function = "qpic_pad7";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		qpic_pad {
+			pins = "gpio1",  "gpio3",  "gpio4",
+			       "gpio10", "gpio11", "gpio17";
+			function = "qpic_pad";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	button_pins: button_pins {
+		rst_button {
+			pins = "gpio19";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+	};
+
+	mdio_pins: mdio_pinmux {
+		mux_0 {
+			pins = "gpio64";
+			function = "mdc";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_1 {
+			pins = "gpio65";
+			function = "mdio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_2 {
+			pins = "gpio75";
+			function = "gpio";
+			bias-pull-up;
+		};
+	};
+
+	modem_power_pins {
+		mux {
+			pins = "gpio27";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+			output-high;
+		};
+	};
+
+	leds_pins: leds_pins {
+		led_blue {
+			pins = "gpio35";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+
+		led_green {
+			pins = "gpio37";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+
+		led_red {
+			pins = "gpio32";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+	};
+};
+
+&soc {
+	mdio: mdio@90000 {
+		status = "ok";
+
+		pinctrl-0 = <&mdio_pins>;
+		pinctrl-names = "default";
+		phy-reset-gpio = <&tlmm 75 0>;
+
+		ethernet-phy@0 {
+			reg = <0x03>;
+		};
+
+		ethernet-phy@1 {
+			reg = <0x04>;
+		};
+	};
+
+	ess-switch@3a000000 {
+		switch_cpu_bmp =   <0x01>; /* cpu port bitmap */
+		switch_lan_bmp =   <0x10>; /* lan port bitmap */
+		switch_wan_bmp =   <0x20>; /* wan port bitmap */
+		switch_inner_bmp = <0x80>; /*inner port bitmap*/
+		switch_mac_mode =  <0x00>; /* mac mode for uniphy instance0*/
+		switch_mac_mode1 = <0xff>; /* mac mode for uniphy instance1*/
+		switch_mac_mode2 = <0xff>; /* mac mode for uniphy instance2*/
+
+		qcom,port_phyinfo {
+			port@3 {
+				port_id = <0x04>;
+				phy_address = <0x03>;
+			};
+
+			port@4 {
+				port_id = <0x05>;
+				phy_address = <0x04>;
+			};
+		};
+	};
+
+	dp1 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x04>;
+		reg = <0x3a001600 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x03>;
+		phy-mode = "sgmii";
+	};
+
+	dp2 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x05>;
+		reg = <0x3a001800 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x04>;
+		phy-mode = "sgmii";
+	};
+
+	gpio_keys {
+		compatible = "gpio-keys";
+
+		pinctrl-0 = <&button_pins>;
+		pinctrl-names = "default";
+
+		reset {
+			label = "reset";
+			linux,code = <KEY_RESTART>;
+			gpios = <&tlmm 19 GPIO_ACTIVE_LOW>;
+			linux,input-type = <1>;
+			debounce-interval = <60>;
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		pinctrl-0 = <&leds_pins>;
+		pinctrl-names = "default";
+
+		led_system: system {
+			label = "green:system";
+			gpio = <&tlmm 37 GPIO_ACTIVE_HIGH>;
+		};
+
+		wlan2g {
+			label = "blue:wlan2g";
+			gpio = <&tlmm 35 GPIO_ACTIVE_HIGH>;
+		};
+
+		wlan5g {
+			label = "red:wlan5g";
+			gpio = <&tlmm 32 GPIO_ACTIVE_HIGH>;
+		};
+	};
+};
+
+&blsp1_uart3 {
+	pinctrl-0 = <&uart_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&spi_0 {
+	pinctrl-0 = <&spi_0_pins>;
+	pinctrl-names = "default";
+	cs-select = <0>;
+	status = "ok";
+
+	m25p80@0 {
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0>;
+		compatible = "n25q128a11";
+		linux,modalias = "m25p80", "n25q128a11";
+		spi-max-frequency = <50000000>;
+		use-default-sizes;
+	};
+};
+
+&qpic_bam {
+	status = "ok";
+};
+
+&nand {
+	pinctrl-0 = <&qpic_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&nss_crypto {
+	status = "ok";
+};
+
+&cpu0_opp_table {
+	compatible = "operating-points-v2";
+	opp-shared;
+
+	opp03 {
+		opp-hz = /bits/ 64 <1200000000>;
+		opp-microvolt = <3>;
+		clock-latency-ns = <200000>;
+	};
+
+	/delete-node/ opp04;
+	/delete-node/ opp05;
+	/delete-node/ opp06;
+};
+
+/* TZAPP is enabled in default memory profile only */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+&qseecom {
+	mem-start = <0x49B00000>;
+	mem-size = <0x600000>;
+	status = "ok";
+};
+#endif
+
+&ssphy_0 {
+	status = "ok";
+};
+
+&qusb_phy_0 {
+	status = "ok";
+};
+
+&qusb_phy_1 {
+	status = "ok";
+};
+
+&usb2 {
+	status = "ok";
+};
+
+&usb3 {
+	status = "ok";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-indio-um-510axp-v1.dts

@@ -0,0 +1,379 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+/dts-v1/;
+
+#include "qcom-ipq6018.dtsi"
+#include "qcom-ipq6018-rpm-regulator.dtsi"
+#include "qcom-ipq6018-cpr-regulator.dtsi"
+#include "qcom-ipq6018-cp-cpu.dtsi"
+#include <dt-bindings/input/input.h>
+#include <dt-bindings/gpio/gpio.h>
+
+/ {
+	model = "Indio UM-510AXP V1";
+	compatible = "indio,um-510axp-v1", "qcom,ipq6018-cp03", "qcom,ipq6018";
+
+	#address-cells = <0x2>;
+	#size-cells = <0x2>;
+	interrupt-parent = <&intc>;
+
+	aliases {
+		/* Aliases as required by u-boot to patch MAC addresses */
+		ethernet0 = "/soc/dp2";
+		ethernet1 = "/soc/dp1";
+
+		serial0 = &blsp1_uart3;
+		serial1 = &blsp1_uart2;
+
+		led-boot = &led_system;
+		led-failsafe = &led_system;
+		led-running = &led_system;
+		led-upgrade = &led_system;
+	};
+
+	chosen {
+		bootargs = "console=ttyMSM0,115200,n8 rw init=/init";
+		bootargs-append = " swiotlb=1 coherent_pool=2M";
+	};
+
+/* TZAPP is enabled only in default memory profile */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+	reserved-memory {
+		tzapp:tzapp@49B00000 {	/* TZAPPS */
+			no-map;
+			reg = <0x0 0x49B00000 0x0 0x00600000>;
+		};
+	};
+#endif
+};
+
+&tlmm {
+	uart_pins: uart_pins {
+		mux {
+			pins = "gpio44", "gpio45";
+			function = "blsp2_uart";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	spi_0_pins: spi_0_pins {
+		mux {
+			pins = "gpio38", "gpio39", "gpio40", "gpio41";
+			function = "blsp0_spi";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	qpic_pins: qpic_pins {
+		data_0 {
+			pins = "gpio15";
+			function = "qpic_pad0";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_1 {
+			pins = "gpio12";
+			function = "qpic_pad1";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_2 {
+			pins = "gpio13";
+			function = "qpic_pad2";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_3 {
+			pins = "gpio14";
+			function = "qpic_pad3";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_4 {
+			pins = "gpio5";
+			function = "qpic_pad4";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_5 {
+			pins = "gpio6";
+			function = "qpic_pad5";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_6 {
+			pins = "gpio7";
+			function = "qpic_pad6";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		data_7 {
+			pins = "gpio8";
+			function = "qpic_pad7";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		qpic_pad {
+			pins = "gpio1",  "gpio3",  "gpio4",
+			       "gpio10", "gpio11", "gpio17";
+			function = "qpic_pad";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	button_pins: button_pins {
+		rst_button {
+			pins = "gpio19";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+	};
+
+	mdio_pins: mdio_pinmux {
+		mux_0 {
+			pins = "gpio64";
+			function = "mdc";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_1 {
+			pins = "gpio65";
+			function = "mdio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_2 {
+			pins = "gpio75";
+			function = "gpio";
+			bias-pull-up;
+		};
+	};
+
+	modem_power_pins {
+		mux {
+			pins = "gpio27";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+			output-high;
+		};
+	};
+
+	leds_pins: leds_pins {
+		led_blue {
+			pins = "gpio35";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+
+		led_green {
+			pins = "gpio37";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+
+		led_red {
+			pins = "gpio32";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+	};
+};
+
+&soc {
+	mdio: mdio@90000 {
+		status = "ok";
+
+		pinctrl-0 = <&mdio_pins>;
+		pinctrl-names = "default";
+		phy-reset-gpio = <&tlmm 75 0>;
+
+		ethernet-phy@0 {
+			reg = <0x03>;
+		};
+
+		ethernet-phy@1 {
+			reg = <0x04>;
+		};
+	};
+
+	ess-switch@3a000000 {
+		switch_cpu_bmp =   <0x01>; /* cpu port bitmap */
+		switch_lan_bmp =   <0x10>; /* lan port bitmap */
+		switch_wan_bmp =   <0x20>; /* wan port bitmap */
+		switch_inner_bmp = <0x80>; /*inner port bitmap*/
+		switch_mac_mode =  <0x00>; /* mac mode for uniphy instance0*/
+		switch_mac_mode1 = <0xff>; /* mac mode for uniphy instance1*/
+		switch_mac_mode2 = <0xff>; /* mac mode for uniphy instance2*/
+
+		qcom,port_phyinfo {
+			port@3 {
+				port_id = <0x04>;
+				phy_address = <0x03>;
+			};
+
+			port@4 {
+				port_id = <0x05>;
+				phy_address = <0x04>;
+			};
+		};
+	};
+
+	dp1 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x04>;
+		reg = <0x3a001600 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x03>;
+		phy-mode = "sgmii";
+	};
+
+	dp2 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x05>;
+		reg = <0x3a001800 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x04>;
+		phy-mode = "sgmii";
+	};
+
+	gpio_keys {
+		compatible = "gpio-keys";
+
+		pinctrl-0 = <&button_pins>;
+		pinctrl-names = "default";
+
+		reset {
+			label = "reset";
+			linux,code = <KEY_RESTART>;
+			gpios = <&tlmm 19 GPIO_ACTIVE_LOW>;
+			linux,input-type = <1>;
+			debounce-interval = <60>;
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		pinctrl-0 = <&leds_pins>;
+		pinctrl-names = "default";
+
+		led_system: system {
+			label = "green:system";
+			gpio = <&tlmm 37 GPIO_ACTIVE_HIGH>;
+		};
+
+		wlan2g {
+			label = "blue:wlan2g";
+			gpio = <&tlmm 35 GPIO_ACTIVE_HIGH>;
+		};
+
+		wlan5g {
+			label = "red:wlan5g";
+			gpio = <&tlmm 32 GPIO_ACTIVE_HIGH>;
+		};
+	};
+};
+
+&blsp1_uart3 {
+	pinctrl-0 = <&uart_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&spi_0 {
+	pinctrl-0 = <&spi_0_pins>;
+	pinctrl-names = "default";
+	cs-select = <0>;
+	status = "ok";
+
+	m25p80@0 {
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0>;
+		compatible = "n25q128a11";
+		linux,modalias = "m25p80", "n25q128a11";
+		spi-max-frequency = <50000000>;
+		use-default-sizes;
+	};
+};
+
+&qpic_bam {
+	status = "ok";
+};
+
+&nand {
+	pinctrl-0 = <&qpic_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&nss_crypto {
+	status = "ok";
+};
+
+&cpu0_opp_table {
+	compatible = "operating-points-v2";
+	opp-shared;
+
+	opp03 {
+		opp-hz = /bits/ 64 <1200000000>;
+		opp-microvolt = <3>;
+		clock-latency-ns = <200000>;
+	};
+
+	/delete-node/ opp04;
+	/delete-node/ opp05;
+	/delete-node/ opp06;
+};
+
+/* TZAPP is enabled in default memory profile only */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+&qseecom {
+	mem-start = <0x49B00000>;
+	mem-size = <0x600000>;
+	status = "ok";
+};
+#endif
+
+&ssphy_0 {
+	status = "ok";
+};
+
+&qusb_phy_0 {
+	status = "ok";
+};
+
+&qusb_phy_1 {
+	status = "ok";
+};
+
+&usb2 {
+	status = "ok";
+};
+
+&usb3 {
+	status = "ok";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-meshpp-s618-cp01.dts

@@ -0,0 +1,23 @@
+/dts-v1/;
+/*
+ * Copyright (c) 2022, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "qcom-ipq6018-meshpp-s618.dtsi"
+
+/ {
+	model = "MeshPlusPlus, Inc. S618 CP01";
+	compatible = "meshpp,s618-cp01", "qcom,ipq6018-cp01", "qcom,ipq6018";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-meshpp-s618-cp03.dts

@@ -0,0 +1,23 @@
+/dts-v1/;
+/*
+ * Copyright (c) 2022, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "qcom-ipq6018-meshpp-s618.dtsi"
+
+/ {
+	model = "MeshPlusPlus, Inc. S618 CP01";
+	compatible = "meshpp,s618-cp03", "qcom,ipq6018-cp03", "qcom,ipq6018";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-meshpp-s618.dtsi

@@ -0,0 +1,789 @@
+/*
+ * Copyright (c) 2022, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "qcom-ipq6018.dtsi"
+#include <dt-bindings/input/input.h>
+
+/ {
+	#address-cells = <0x2>;
+	#size-cells = <0x2>;
+	interrupt-parent = <&intc>;
+	qcom,msm-id = <0x1A5 0x0>;
+
+	aliases {
+		ethernet0 = "/soc/dp1";
+		ethernet1 = "/soc/dp2";
+		ethernet2 = "/soc/dp3";
+		ethernet3 = "/soc/dp4";
+		ethernet4 = "/soc/dp5";
+
+		led-boot = &led_green;
+		led-running = &led_blue;
+		led-upgrade = &led_red;
+	};
+
+	chosen {
+		bootargs = "console=ttyMSM0,115200,n8 rw init=/init";
+
+#ifdef __IPQ_MEM_PROFILE_256_MB__
+                bootargs-append = " console=ttyMSM0,115200n8 panic=10 ubi.mtd=nand root=mtd:ubi_rootfs rootfstype=squashfs swiotlb=1 rootwait";
+#else
+                bootargs-append = " console=ttyMSM0,115200n8 panic=10 ubi.mtd=nand root=mtd:ubi_rootfs rootfstype=squashfs swiotlb=1 coherent_pool=2M rootwait";
+#endif
+	};
+
+
+	/*
+	 * +=========+==============+========================+
+	 * |        |              |                         |
+	 * | Region | Start Offset |          Size           |
+	 * |        |              |                         |
+	 * +--------+--------------+-------------------------+
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * | Linux  |  0x41000000  |         139MB           |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * +--------+--------------+-------------------------+
+	 * | TZ App |  0x49B00000  |           6MB           |
+	 * +--------+--------------+-------------------------+
+	 *
+	 * From the available 145 MB for Linux in the first 256 MB,
+	 * we are reserving 6 MB for TZAPP.
+	 *
+	 * Refer arch/arm64/boot/dts/qcom/qcom-ipq6018-memory.dtsi
+	 * for memory layout.
+	 */
+
+/* TZAPP is enabled only in default memory profile */
+	reserved-memory {
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+		tzapp:tzapp@49B00000 {	/* TZAPPS */
+			no-map;
+			reg = <0x0 0x49B00000 0x0 0x00600000>;
+		};
+#endif
+		qcn9000_pcie0@50200000 {
+			no-map;
+			reg = <0x0 0x50200000 0x0 0x03700000>;
+		};
+
+		mhi_region0: dma_pool0@53900000 {
+			compatible = "shared-dma-pool";
+			no-map;
+			reg = <0x0 0x53900000 0x0 0x01800000>;
+		};
+	};
+};
+
+&tlmm {
+	pinctrl-0 = <&sd_ldo_pins &generic_gpios &pcie_pins>;
+	pinctrl-names = "default";
+
+	uart_pins: uart_pins {
+		mux {
+			pins = "gpio44", "gpio45";
+			function = "blsp2_uart";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	sd_ldo_pins: sd_ldo_pins {
+		mux {
+			pins = "gpio66";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-disable;
+			output-low;
+		};
+	};
+
+	spi_0_pins: spi_0_pins {
+		mux {
+			pins = "gpio38", "gpio39", "gpio40", "gpio41";
+			function = "blsp0_spi";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	spi_1_pins: spi_1_pins {
+		mux {
+			pins = "gpio69", "gpio71", "gpio72";
+			function = "blsp1_spi";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+		spi_cs {
+			pins = "gpio70";
+			function = "blsp1_spi";
+			drive-strength = <8>;
+			bias-disable;
+		};
+		quartz_interrupt {
+			pins = "gpio78";
+			function = "gpio";
+			input;
+			bias-disable;
+		};
+		quartz_reset {
+			pins = "gpio79";
+			function = "gpio";
+			output-low;
+			bias-disable;
+		};
+	};
+
+	button_pins: button_pins {
+		switch_button {
+			pins = "gpio9";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+		reset_button {
+			pins = "gpio19";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+	};
+
+	mdio_pins: mdio_pinmux {
+		mux_0 {
+			pins = "gpio64";
+			function = "mdc";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+		mux_1 {
+			pins = "gpio65";
+			function = "mdio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+		mux_2 {
+			pins = "gpio75";
+			function = "gpio";
+			bias-pull-up;
+		};
+		mux_3 {
+			pins = "gpio77";
+			function = "gpio";
+			bias-pull-up;
+		};
+	};
+
+	leds_pins: leds_pins {
+		led_5g {
+			pins = "gpio35";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+		led_2g {
+			pins = "gpio37";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		m2_1_regulator {
+			pins = "gpio29";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		m2_1_pwr_en {
+			pins = "gpio49";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		m2_1_reset_n {
+			pins = "gpio32";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		led_red: red {
+			pins = "gpio50";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		led_green: green {
+			pins = "gpio54";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+
+		led_blue: blue {
+			pins = "gpio57";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	sd_pins: sd_pins {
+		mux_1 {
+			pins = "gpio62";
+			function = "sd_card";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+
+		mux_2 {
+			pins = "gpio23";
+			function = "gpio";
+			drive_strength = <8>;
+			bias-disable;
+			output-high;
+		};
+	};
+
+	extcon_usb_pins: extcon_usb_pins {
+		mux {
+			pins = "gpio26";
+			function = "gpio";
+			drive-strength = <2>;
+			bias-pull-down;
+		};
+	};
+
+	generic_gpios: generic_gpios {
+		gpio42 {
+			pins = "gpio42";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-disable;
+			output-high;
+		};
+	};
+
+	pcie_pins: pcie_pins {
+		pcie0_enable {
+			pins = "gpio34";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-disable;
+			output-high;
+		};
+	};
+
+        i2c_2_pins: i2c_2_pins {
+                mux {
+                        pins = "gpio55", "gpio56";
+                        function = "gpio";
+                        drive-strength = <16>;
+                        bias-pull-up;
+                        input-enable;
+                };
+
+                mux_2 {
+                        pins = "gpio48";
+                        function = "gpio";
+                        drive_strength = <16>;
+                        output-high;
+                };
+
+                mux_3 {
+                        pins = "gpio73";
+                        function = "gpio";
+                        drive-stength = <16>;
+                        output-low;
+                };
+        };
+};
+
+&soc {
+	extcon_usb: extcon_usb {
+		pinctrl-0 = <&extcon_usb_pins>;
+		pinctrl-names = "default";
+		id-gpio = <&tlmm 26 GPIO_ACTIVE_LOW>;
+		status = "ok";
+	};
+
+	mdio0: mdio@90000 {
+		pinctrl-0 = <&mdio_pins>;
+		pinctrl-names = "default";
+		phy-reset-gpio = <&tlmm 75 0 &tlmm 77 1>;
+		status = "ok";
+		phy0: ethernet-phy@0 {
+			reg = <0>;
+		};
+		phy1: ethernet-phy@1 {
+			reg = <1>;
+		};
+		phy2: ethernet-phy@2 {
+			reg = <2>;
+		};
+                phy3: ethernet-phy@3 {
+                        reg = <3>;
+                };
+                phy4: ethernet-phy@4 {
+                        reg = <4>;
+                };
+	};
+
+	ess0: ess-switch@3a000000 {
+		switch_cpu_bmp = <0x1>;  /* cpu port bitmap */
+		switch_lan_bmp = <0x1e>; /* lan port bitmap */
+		switch_wan_bmp = <0x20>; /* wan port bitmap */
+		switch_inner_bmp = <0xc0>; /*inner port bitmap*/
+		switch_mac_mode = <0x0>; /* mac mode for uniphy instance0*/
+		switch_mac_mode1 = <0xff>; /* mac mode for uniphy instance1*/
+		switch_mac_mode2 = <0xff>; /* mac mode for uniphy instance2*/
+		qcom,port_phyinfo {
+			port@0 {
+				port_id = <1>;
+				phy_address = <0>;
+			};
+			port@1 {
+				port_id = <2>;
+				phy_address = <1>;
+			};
+			port@2 {
+				port_id = <3>;
+				phy_address = <2>;
+			};
+			port@3 {
+				port_id = <4>;
+				phy_address = <3>;
+			};
+			port@4 {
+				port_id = <5>;
+				phy_address = <4>;
+			};
+		};
+	};
+
+	dp1 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <1>;
+		reg = <0x3a001000 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <0>;
+		phy-mode = "sgmii";
+	};
+
+	dp2 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <2>;
+		reg = <0x3a001200 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <1>;
+		phy-mode = "sgmii";
+	};
+
+	dp3 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <3>;
+		reg = <0x3a001400 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <2>;
+		phy-mode = "sgmii";
+	};
+
+	dp4 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <4>;
+		reg = <0x3a001600 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <3>;
+		phy-mode = "sgmii";
+	};
+
+	dp5 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <5>;
+		reg = <0x3a001800 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <4>;
+		phy-mode = "sgmii";
+	};
+
+	leds {
+		compatible = "gpio-leds";
+		pinctrl-0 = <&leds_pins>;
+		pinctrl-names = "default";
+
+		led@29 {
+			label = "m2_1_regulator";
+			gpios = <&tlmm 29 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "none";
+			default-state = "on";
+		};
+
+		led@49 {
+			label = "m2_1_pwr_en";
+			gpios = <&tlmm 49 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "none";
+			default-state = "on";
+		};
+
+		led@32 {
+			label = "m2_1_reset_n";
+			gpios = <&tlmm 32 GPIO_ACTIVE_LOW>;
+			linux,default-trigger = "none";
+			default-state = "off";
+		};
+
+		led@50 {
+			label = "red";
+			gpios = <&tlmm 50 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "none";
+			default-state = "on";
+		};
+
+		led@54 {
+			label = "green";
+			gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "none";
+			default-state = "on";
+		};
+
+		led@57 {
+			label = "blue";
+			gpios = <&tlmm 57 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "none";
+			default-state = "off";
+		};
+	};
+
+	gpio_keys {
+		compatible = "gpio-keys";
+		pinctrl-0 = <&button_pins>;
+		pinctrl-names = "default";
+
+		switch {
+			label = "switch";
+			linux,code = <KEY_WPS_BUTTON>;
+			gpios = <&tlmm 9 GPIO_ACTIVE_LOW>;
+			linux,input-type = <1>;
+			debounce-interval = <60>;
+		};
+		reset {
+			label = "reset";
+			linux,code = <KEY_RESTART>;
+			gpios = <&tlmm 18 GPIO_ACTIVE_LOW>;
+			linux,input-type = <1>;
+			debounce-interval = <60>;
+		};
+	};
+
+	i2c_2: i2c@0 { /* i2c gpio */
+		pinctrl-0 = <&i2c_2_pins>;
+	        pinctrl-names = "default";
+		compatible = "i2c-gpio";
+		gpios = <&tlmm 56 0>, <&tlmm 55 0>;
+		i2c-gpio,scl-open-drain;
+		i2c-gpio,delay-us = <7>;
+		#address-cells = <1>;
+		#size-cells = <0>;
+		status = "ok";
+	};
+
+	wifi3: wifi3@f00000 {
+		qcom,wlan-ramdump-dynamic = <0x400000>;
+		mhi,max-channels = <30>;
+		mhi,timeout = <10000>;
+		#address-cells = <1>;
+		#size-cells = <0>;
+		qrtr_node_id = <0x20>;
+		qca,auto-restart;
+#ifdef __IPQ_MEM_PROFILE_512_MB__
+
+	      /* QCN9000 tgt-mem-mode=1 layout - 30MB
+	       * +=========+==============+=========+
+	       * |  Region | Start Offset |   Size  |
+	       * +---------+--------------+---------+
+	       * | BASE    |  0x4E400000  |   20MB  |
+	       * +---------+--------------+---------+
+	       * | M3 Dump |  0x4F800000  |   1MB   |
+	       * +---------+--------------+---------+
+	       * |  Caldb  |  0x4FA00000  |   8MB   |
+	       * +==================================+
+	       */
+
+		base-addr = <0x4E400000>;
+		m3-dump-addr = <0x4F800000>;
+		qcom,caldb-addr = <0x4FA00000>;
+#else
+
+	      /* QCN9000 tgt-mem-mode=0 layout - 55MB
+	       * +=========+==============+=========+
+	       * |  Region | Start Offset |   Size  |
+	       * +---------+--------------+---------+
+	       * | BASE    |  0x50200000  |   45MB  |
+	       * +---------+--------------+---------+
+	       * | M3 Dump |  0x52F00000  |   1MB   |
+	       * +---------+--------------+---------+
+	       * |  Caldb  |  0x53100000  |   8MB   |
+	       * +==================================+
+	       */
+
+		base-addr = <0x50200000>;
+		m3-dump-addr = <0x52F00000>;
+		qcom,caldb-addr = <0x53100000>;
+#endif
+		status = "ok";
+
+		mhi_channels {
+			mhi_chan@0 {
+				reg = <0>;
+				label = "LOOPBACK";
+				mhi,num-elements = <32>;
+				mhi,event-ring = <1>;
+				mhi,chan-dir = <1>;
+				mhi,data-type = <0>;
+				mhi,doorbell-mode = <2>;
+				mhi,ee = <0x14>;
+			};
+
+			mhi_chan@1 {
+				reg = <1>;
+				label = "LOOPBACK";
+				mhi,num-elements = <32>;
+				mhi,event-ring = <1>;
+				mhi,chan-dir = <2>;
+				mhi,data-type = <0>;
+				mhi,doorbell-mode = <2>;
+				mhi,ee = <0x14>;
+			};
+
+			mhi_chan@4 {
+				reg = <4>;
+				label = "DIAG";
+				mhi,num-elements = <32>;
+				mhi,event-ring = <1>;
+				mhi,chan-dir = <1>;
+				mhi,data-type = <0>;
+				mhi,doorbell-mode = <2>;
+				mhi,ee = <0x14>;
+			};
+
+			mhi_chan@5 {
+				reg = <5>;
+				label = "DIAG";
+				mhi,num-elements = <32>;
+				mhi,event-ring = <1>;
+				mhi,chan-dir = <2>;
+				mhi,data-type = <0>;
+				mhi,doorbell-mode = <2>;
+				mhi,ee = <0x14>;
+			};
+
+			mhi_chan@20 {
+				reg = <20>;
+				label = "IPCR";
+				mhi,num-elements = <32>;
+				mhi,event-ring = <1>;
+				mhi,chan-dir = <1>;
+				mhi,data-type = <1>;
+				mhi,doorbell-mode = <2>;
+				mhi,ee = <0x14>;
+				mhi,auto-start;
+			};
+
+			mhi_chan@21 {
+				reg = <21>;
+				label = "IPCR";
+				mhi,num-elements = <32>;
+				mhi,event-ring = <1>;
+				mhi,chan-dir = <2>;
+				mhi,data-type = <0>;
+				mhi,doorbell-mode = <2>;
+				mhi,ee = <0x14>;
+				mhi,auto-queue;
+				mhi,auto-start;
+			};
+		};
+
+		mhi_events {
+			mhi_event@0 {
+				mhi,num-elements = <32>;
+				mhi,intmod = <1>;
+				mhi,msi = <1>;
+				mhi,priority = <1>;
+				mhi,brstmode = <2>;
+				mhi,data-type = <1>;
+			};
+
+			mhi_event@1 {
+				mhi,num-elements = <256>;
+				mhi,intmod = <1>;
+				mhi,msi = <2>;
+				mhi,priority = <1>;
+				mhi,brstmode = <2>;
+			};
+		};
+
+		mhi_devices {
+			mhi_qrtr {
+				mhi,chan = "IPCR";
+				qcom,net-id = <0>;
+			};
+		};
+	};
+};
+
+&blsp1_uart3 {
+	pinctrl-0 = <&uart_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&qpic_bam {
+	status = "ok";
+};
+
+&ssphy_0 {
+	status = "ok";
+};
+
+&qusb_phy_0 {
+	status = "ok";
+};
+
+&qusb_phy_1 {
+	status = "ok";
+};
+
+&usb2 {
+	status = "ok";
+};
+
+&usb3 {
+	status = "ok";
+};
+
+&nss_crypto {
+	status = "ok";
+};
+
+&CPU0 {
+	operating-points = <
+		/* kHz   uV (fixed) */
+		864000   1100000
+		1056000  1100000
+		1200000  1100000
+		1608000  1100000
+	>;
+	clock-latency = <200000>;
+};
+
+&CPU1 {
+	operating-points = <
+		/* kHz   uV (fixed) */
+		864000   1100000
+		1056000  1100000
+		1200000  1100000
+		1608000  1100000
+	>;
+	clock-latency = <200000>;
+};
+
+&CPU2 {
+	operating-points = <
+		/* kHz   uV (fixed) */
+		864000   1100000
+		1056000  1100000
+		1200000  1100000
+		1608000  1100000
+	>;
+	clock-latency = <200000>;
+};
+
+&CPU3 {
+	operating-points = <
+		/* kHz   uV (fixed) */
+		864000   1100000
+		1056000  1100000
+		1200000  1100000
+		1608000  1100000
+	>;
+	clock-latency = <200000>;
+};
+
+&wifi0 {
+        qcom,board_id = <0x10>;
+        status = "ok";
+};
+
+&pcie0 {
+	status = "ok";
+
+	pcie0_rp {
+		reg = <0 0 0 0 0>;
+		status = "ok";
+
+		mhi_0: qcom,mhi@0 {
+			reg = <0 0 0 0 0 >;
+			qrtr_instance_id = <0x20>;
+			qcom,board_id = <0xa4>;
+#if !defined(__IPQ_MEM_PROFILE_256_MB__)
+			memory-region = <&mhi_region0>;
+#endif
+		};
+	};
+};
+
+&pcie_phy {
+        status = "ok";
+};
+
+&spi_0 {
+	pinctrl-0 = <&spi_0_pins>;
+	pinctrl-names = "default";
+	cs-select = <0>;
+	status = "ok";
+
+	m25p80@0 {
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0>;
+		compatible = "n25q128a11";
+		linux,modalias = "m25p80", "n25q128a11";
+		spi-max-frequency = <50000000>;
+		use-default-sizes;
+	};
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-pax1800-v1.dts

@@ -0,0 +1,23 @@
+/dts-v1/;
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "qcom-ipq6018-pax1800.dtsi"
+
+/ {
+	model = "Plasma Cloud PAX1800 v1";
+	compatible = "plasmacloud,pax1800-v1", "qcom,ipq6018-cp03", "qcom,ipq6018";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-pax1800-v2.dts

@@ -0,0 +1,23 @@
+/dts-v1/;
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "qcom-ipq6018-pax1800.dtsi"
+
+/ {
+	model = "Plasma Cloud PAX1800 v2";
+	compatible = "plasmacloud,pax1800-v2", "qcom,ipq6018-cp03", "qcom,ipq6018";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-pax1800.dtsi

@@ -0,0 +1,315 @@
+/*
+ * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "qcom-ipq6018.dtsi"
+#include "qcom-ipq6018-rpm-regulator.dtsi"
+#include "qcom-ipq6018-cpr-regulator.dtsi"
+#include "qcom-ipq6018-cp-cpu.dtsi"
+#include <dt-bindings/input/input.h>
+
+/ {
+	#address-cells = <0x2>;
+	#size-cells = <0x2>;
+
+	interrupt-parent = <&intc>;
+	qcom,msm-id = <0x1A5 0x0>;
+
+	chosen {
+		bootargs = "console=ttyMSM0,115200,n8 rw init=/init";
+		bootargs-append = " swiotlb=1 coherent_pool=2M";
+	};
+
+	aliases {
+		serial0 = &blsp1_uart3;
+		/*
+		 * Aliases as required by u-boot
+		 * to patch MAC addresses
+		 */
+		ethernet0 = "/soc/dp1";
+		ethernet1 = "/soc/dp2";
+
+		led-boot = &led_status_green;
+		led-failsafe = &led_status_green;
+		led-running = &led_status_green;
+		led-upgrade = &led_status_green;
+		led-uplink = &led_status_blue;
+	};
+
+	gpio_keys {
+		compatible = "gpio-keys";
+		pinctrl-0 = <&button_pins>;
+		pinctrl-names = "default";
+
+		reset {
+			label = "reset";
+			linux,code = <KEY_RESTART>;
+			gpios = <&tlmm 24 GPIO_ACTIVE_LOW>;
+			linux,input-type = <1>;
+			debounce-interval = <60>;
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+		pinctrl-0 = <&leds_pins>;
+		pinctrl-names = "default";
+
+		status_red {
+			label = "red:status";
+			gpios = <&tlmm 25 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "default-off";
+		};
+
+		led_status_green: status_green {
+			label = "green:status";
+			gpios = <&tlmm 35 GPIO_ACTIVE_HIGH>;
+		};
+
+		led_status_blue: status_blue {
+			label = "blue:status";
+			gpios = <&tlmm 37 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "default-off";
+		};
+	};
+
+	watchdog {
+		compatible = "linux,wdt-gpio";
+		pinctrl-0 = <&watchdog_pins>;
+		pinctrl-names = "default";
+		gpios = <&tlmm 67 GPIO_ACTIVE_LOW>;
+		hw_algo = "toggle";
+		hw_margin_ms = <2000>;
+		always-running;
+	};
+
+	/*
+	 * +=========+==============+========================+
+	 * |        |              |                         |
+	 * | Region | Start Offset |          Size           |
+	 * |        |              |                         |
+	 * +--------+--------------+-------------------------+
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * | Linux  |  0x41000000  |         139MB           |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * |        |              |                         |
+	 * +--------+--------------+-------------------------+
+	 * | TZ App |  0x49B00000  |           6MB           |
+	 * +--------+--------------+-------------------------+
+	 *
+	 * From the available 145 MB for Linux in the first 256 MB,
+	 * we are reserving 6 MB for TZAPP.
+	 *
+	 * Refer arch/arm64/boot/dts/qcom/qcom-ipq6018-memory.dtsi
+	 * for memory layout.
+	 */
+
+/* TZAPP is enabled only in default memory profile */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+	reserved-memory {
+		tzapp:tzapp@49B00000 {	/* TZAPPS */
+			no-map;
+			reg = <0x0 0x49B00000 0x0 0x00600000>;
+		};
+	};
+#endif
+};
+
+&tlmm {
+	uart_pins: uart_pins {
+		mux {
+			pins = "gpio44", "gpio45";
+			function = "blsp2_uart";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	spi_0_pins: spi_0_pins {
+		mux {
+			pins = "gpio38", "gpio39", "gpio40", "gpio41";
+			function = "blsp0_spi";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	button_pins: button_pins {
+		reset_button {
+			pins = "gpio24";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+	};
+
+	mdio_pins: mdio_pinmux {
+		mux_0 {
+			pins = "gpio64";
+			function = "mdc";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+		mux_1 {
+			pins = "gpio65";
+			function = "mdio";
+			drive-strength = <8>;
+			bias-pull-up;
+		};
+		mux_2 {
+			pins = "gpio75";
+			function = "gpio";
+			bias-pull-up;
+		};
+	};
+
+	leds_pins: led_pinmux {
+		led_power_green {
+			pins = "gpio25";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+		led_power_blue {
+			pins = "gpio35";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+		led_power_red {
+			pins = "gpio37";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+		};
+	};
+
+	watchdog_pins: watchdog_pinmux {
+		mux {
+			pins = "gpio67";
+			function = "gpio";
+			bias-none;
+			output-low;
+		};
+	};
+};
+
+&soc {
+	mdio@90000 {
+		pinctrl-0 = <&mdio_pins>;
+		pinctrl-names = "default";
+		phy-reset-gpio = <&tlmm 75 0>;
+		status = "ok";
+		phy0: ethernet-phy@0 {
+			reg = <3>;
+		};
+		phy1: ethernet-phy@1 {
+			reg = <4>;
+		};
+	};
+
+	ess-switch@3a000000 {
+		switch_cpu_bmp = <0x1>;  /* cpu port bitmap */
+		switch_lan_bmp = <0x08>; /* lan port bitmap */
+		switch_wan_bmp = <0x10>; /* wan port bitmap */
+		switch_inner_bmp = <0xc0>; /*inner port bitmap*/
+		switch_mac_mode = <0x0>; /* mac mode for uniphy instance0*/
+		switch_mac_mode1 = <0xff>; /* mac mode for uniphy instance1*/
+		switch_mac_mode2 = <0xff>; /* mac mode for uniphy instance2*/
+		qcom,port_phyinfo {
+			port@3 {
+				port_id = <3>;
+				phy_address = <4>;
+			};
+			port@4 {
+				port_id = <4>;
+				phy_address = <3>;
+			};
+		};
+	};
+
+	dp1 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <3>;
+		reg = <0x3a001400 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <4>;
+		phy-mode = "sgmii";
+	};
+
+	dp2 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <4>;
+		reg = <0x3a001600 0x200>;
+		qcom,mactype = <0>;
+		local-mac-address = [000000000000];
+		qcom,link-poll = <1>;
+		qcom,phy-mdio-addr = <3>;
+		phy-mode = "sgmii";
+	};
+};
+
+&blsp1_uart3 {
+	pinctrl-0 = <&uart_pins>;
+	pinctrl-names = "default";
+	status = "ok";
+};
+
+&spi_0 {
+	pinctrl-0 = <&spi_0_pins>;
+	pinctrl-names = "default";
+	cs-select = <0>;
+	status = "ok";
+
+	m25p80@0 {
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0>;
+		compatible = "n25q128a11";
+		linux,modalias = "m25p80", "n25q128a11";
+		spi-max-frequency = <50000000>;
+		use-default-sizes;
+	};
+};
+
+&qpic_bam {
+	status = "ok";
+};
+
+&nss_crypto {
+	status = "ok";
+};
+
+/* TZAPP is enabled in default memory profile only */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
+&qseecom {
+	mem-start = <0x49B00000>;
+	mem-size = <0x600000>;
+	status = "ok";
+};
+#endif
+
+&wifi0 {
+	status = "okay";
+	qcom,ath11k-calibration-variant = "PlasmaCloud-PAX1800";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-wallys-dr6018-v4.dts

@@ -82,14 +82,24 @@
 	 */
 
 /* TZAPP is enabled only in default memory profile */
-#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
 	reserved-memory {
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
 		tzapp:tzapp@49B00000 {	/* TZAPPS */
 			no-map;
 			reg = <0x0 0x49B00000 0x0 0x00600000>;
 		};
-	};
 #endif
+		qcn9000_pcie0@50200000 {
+			no-map;
+			reg = <0x0 0x50200000 0x0 0x02D00000>;
+		};
+
+		mhi_region0: dma_pool0@52f00000 {
+			compatible = "shared-dma-pool";
+			no-map;
+			reg = <0x0 0x52F00000 0x0 0x01800000>;
+		};
+	};
 };
 
 &tlmm {
@@ -490,3 +500,49 @@
 	//vqmmc-supply = <&ipq6018_l2_corner>;
 	status = "ok";
 };
+
+&wifi1 {
+	base-addr = <0x50200000>;
+	m3-dump-addr = <0x52500000>;
+	etr-addr = <0x52600000>;
+	caldb-addr = <0x52700000>;
+	hremote-size = <0x2300000>;
+	tgt-mem-mode = <0x0>;
+	board_id = <0xa4>;
+	caldb-size = <0x800000>;
+	status = "ok";
+};
+
+&pcie0 {
+	status = "ok";
+	interrupts = <0 52 0>, <0 416 0>, <0 417 0>,
+                     <0 418 0>, <0 419 0>, <0 420 0>,
+                     <0 421 0>, <0 422 0>, <0 423 0>,
+                     <0 424 0>, <0 425 0>, <0 426 0>,
+                     <0 427 0>, <0 428 0>, <0 429 0>,
+                     <0 430 0>, <0 431 0>;
+
+        interrupt-names = "msi", "msi_0", "msi_1",
+                          "msi_2", "msi_3", "msi_4",
+                          "msi_5", "msi_6", "msi_7",
+                          "msi_8", "msi_9", "msi_10",
+                          "msi_11", "msi_12", "msi_13",
+                          "msi_14", "msi_15";
+
+        qcom,msi-gicm-addr = <0x0B00A040>;
+        qcom,msi-gicm-base = <0x1c0>;
+};
+
+&pcie0_rp {
+        status = "ok";
+
+        mhi_0: qcom,mhi@0 {
+                reg = <0 0 0 0 0 >;
+                qrtr_instance_id = <0x20>;
+                memory-region = <&mhi_region0>;
+        };
+};
+
+&pcie_phy {
+        status = "ok";
+};

feeds/ipq807x/ipq807x/files/arch/arm64/boot/dts/qcom/qcom-ipq6018-yuncore-ax840.dts

@@ -35,12 +35,15 @@
 		bootargs-append = " swiotlb=1 coherent_pool=2M";
 	};
 
+/* TZAPP is enabled only in default memory profile */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
 	reserved-memory {
 		tzapp:tzapp@49B00000 {	/* TZAPPS */
 			no-map;
 			reg = <0x0 0x49B00000 0x0 0x00600000>;
 		};
 	};
+#endif
 };
 
 &tlmm {
@@ -159,6 +162,16 @@
 		};
 	};
 
+	modem_power_pins {
+		mux {
+			pins = "gpio27";
+			function = "gpio";
+			drive-strength = <8>;
+			bias-pull-down;
+			output-high;
+		};
+	};
+
 	leds_pins: leds_pins {
 		led_blue {
 			pins = "gpio35";
@@ -223,18 +236,6 @@
 	};
 
 	dp1 {
-		device_type = "network";
-		compatible = "qcom,nss-dp";
-		qcom,id = <0x05>;
-		reg = <0x3a001800 0x200>;
-		qcom,mactype = <0x00>;
-		local-mac-address = [00 00 00 00 00 00];
-		qcom,link-poll = <0x01>;
-		qcom,phy-mdio-addr = <0x04>;
-		phy-mode = "sgmii";
-	};
-
-	dp2 {
 		device_type = "network";
 		compatible = "qcom,nss-dp";
 		qcom,id = <0x04>;
@@ -246,6 +247,18 @@
 		phy-mode = "sgmii";
 	};
 
+	dp2 {
+		device_type = "network";
+		compatible = "qcom,nss-dp";
+		qcom,id = <0x05>;
+		reg = <0x3a001800 0x200>;
+		qcom,mactype = <0x00>;
+		local-mac-address = [00 00 00 00 00 00];
+		qcom,link-poll = <0x01>;
+		qcom,phy-mdio-addr = <0x04>;
+		phy-mode = "sgmii";
+	};
+
 	gpio_keys {
 		compatible = "gpio-keys";
 
@@ -268,17 +281,17 @@
 		pinctrl-names = "default";
 
 		led_system: system {
-			label = "ax860:green:system";
+			label = "green:system";
 			gpio = <&tlmm 37 GPIO_ACTIVE_HIGH>;
 		};
 
 		wlan2g {
-			label = "ax860:blue:wlan2g";
+			label = "blue:wlan2g";
 			gpio = <&tlmm 35 GPIO_ACTIVE_HIGH>;
 		};
 
 		wlan5g {
-			label = "ax860:red:wlan5g";
+			label = "red:wlan5g";
 			gpio = <&tlmm 32 GPIO_ACTIVE_HIGH>;
 		};
 	};
@@ -336,8 +349,31 @@
 	/delete-node/ opp06;
 };
 
+/* TZAPP is enabled in default memory profile only */
+#if !defined(__IPQ_MEM_PROFILE_256_MB__) && !defined(__IPQ_MEM_PROFILE_512_MB__)
 &qseecom {
 	mem-start = <0x49B00000>;
 	mem-size = <0x600000>;
 	status = "ok";
 };
+#endif
+
+&ssphy_0 {
+	status = "ok";
+};
+
+&qusb_phy_0 {
+	status = "ok";
+};
+
+&qusb_phy_1 {
+	status = "ok";
+};
+
+&usb2 {
+	status = "ok";
+};
+
+&usb3 {
+	status = "ok";
+};

feeds/ipq807x/ipq807x/image/ipq60xx.mk

@@ -1,5 +1,7 @@
 KERNEL_LOADADDR := 0x41008000
 
+DEVICE_VARS += CE_TYPE
+
 define Device/cig_wf188n
   DEVICE_TITLE := Cigtech WF-188n
   DEVICE_DTS := qcom-ipq6018-cig-wf188n
@@ -23,7 +25,7 @@ define Device/hfcl_ion4xi
   DEVICE_DTS := qcom-ipq6018-hfcl-ion4xi
   DEVICE_DTS_CONFIG := config@cp01-c1
   SUPPORTED_DEVICES := hfcl,ion4xi
-  DEVICE_PACKAGES := ath11k-wifi-qcom-ipq6018 uboot-envtools
+  DEVICE_PACKAGES := ath11k-wifi-hfcl-ion4xi uboot-envtools
 endef
 TARGET_DEVICES += hfcl_ion4xi
 
@@ -36,6 +38,33 @@ define Device/edgecore_eap101
 endef
 TARGET_DEVICES += edgecore_eap101
 
+define Device/indio_um-310ax-v1
+  DEVICE_TITLE := Indio UM-310AX V1
+  DEVICE_DTS := qcom-ipq6018-indio-um-310ax-v1
+  DEVICE_DTS_CONFIG := config@cp03-c1
+  SUPPORTED_DEVICES := indio,um-310ax-v1
+  DEVICE_PACKAGES := ath11k-wifi-indio-um-310ax-v1 uboot-env
+endef
+TARGET_DEVICES += indio_um-310ax-v1
+
+define Device/indio_um-510axp-v1
+  DEVICE_TITLE := Indio UM-510AXP V1
+  DEVICE_DTS := qcom-ipq6018-indio-um-510axp-v1
+  DEVICE_DTS_CONFIG := config@cp03-c1
+  SUPPORTED_DEVICES := indio,um-510axp-v1
+  DEVICE_PACKAGES := ath11k-wifi-indio-um-510axp-v1 uboot-env
+endef
+TARGET_DEVICES += indio_um-510axp-v1
+
+define Device/indio_um-510axm-v1
+  DEVICE_TITLE := Indio UM-510AXM V1
+  DEVICE_DTS := qcom-ipq6018-indio-um-510axm-v1
+  DEVICE_DTS_CONFIG := config@cp03-c1
+  SUPPORTED_DEVICES := indio,um-510axm-v1
+  DEVICE_PACKAGES := ath11k-wifi-indio-um-510axm-v1 uboot-env
+endef
+TARGET_DEVICES += indio_um-510axm-v1
+
 define Device/wallys_dr6018
   DEVICE_TITLE := Wallys DR6018
   DEVICE_DTS := qcom-ipq6018-wallys-dr6018
@@ -50,7 +79,7 @@ define Device/wallys_dr6018_v4
   DEVICE_DTS := qcom-ipq6018-wallys-dr6018-v4
   DEVICE_DTS_CONFIG := config@cp01-c4
   SUPPORTED_DEVICES := wallys,dr6018-v4
-  DEVICE_PACKAGES := ath11k-wifi-wallys-dr6018-v4 uboot-envtools
+  DEVICE_PACKAGES := ath11k-wifi-wallys-dr6018-v4 uboot-envtools ath11k-firmware-qcn9000
 endef
 TARGET_DEVICES += wallys_dr6018_v4
 
@@ -88,3 +117,53 @@ define Device/yuncore_ax840
   DEVICE_PACKAGES := ath11k-wifi-yuncore-ax840 uboot-env
 endef
 TARGET_DEVICES += yuncore_ax840
+
+define Device/plasmacloud_common_64k
+  DEVICE_PACKAGES := uboot-envtools
+  CE_TYPE :=
+  BLOCKSIZE := 64k
+  IMAGES := sysupgrade.tar factory.bin
+  IMAGE/factory.bin := append-rootfs | pad-rootfs | openmesh-image ce_type=$$$$(CE_TYPE)
+  IMAGE/sysupgrade.tar := append-rootfs | pad-rootfs | sysupgrade-tar rootfs=$$$$@ | append-metadata
+  KERNEL += | pad-to $$(BLOCKSIZE)
+endef
+
+define Device/plasmacloud_pax1800-v1
+  $(Device/plasmacloud_common_64k)
+  DEVICE_TITLE := Plasma Cloud PAX1800 v1
+  DEVICE_DTS := qcom-ipq6018-pax1800-v1
+  SUPPORTED_DEVICES := plasmacloud,pax1800-v1
+  DEVICE_DTS_CONFIG := config@cp03-c1
+  CE_TYPE := PAX1800
+  DEVICE_PACKAGES += ath11k-wifi-plasmacloud-pax1800
+endef
+TARGET_DEVICES += plasmacloud_pax1800-v1
+
+define Device/plasmacloud_pax1800-v2
+  $(Device/plasmacloud_common_64k)
+  DEVICE_TITLE := Plasma Cloud PAX1800 v2
+  DEVICE_DTS := qcom-ipq6018-pax1800-v2
+  SUPPORTED_DEVICES := plasmacloud,pax1800-v2
+  DEVICE_DTS_CONFIG := config@plasmacloud.pax1800v2
+  CE_TYPE := PAX1800v2
+  DEVICE_PACKAGES += ath11k-wifi-plasmacloud-pax1800
+endef
+TARGET_DEVICES += plasmacloud_pax1800-v2
+
+define Device/meshpp_s618_cp03
+  DEVICE_TITLE := S618 cp03
+  DEVICE_DTS := qcom-ipq6018-meshpp-s618-cp03
+  SUPPORTED_DEVICES := meshpp,s618-cp03
+  DEVICE_DTS_CONFIG := config@cp03-c1
+  DEVICE_PACKAGES := ath11k-wifi-meshpp-s618 -kmod-usb-dwc3-of-simple kmod-usb-dwc3-qcom kmod-usb3
+endef
+TARGET_DEVICES += meshpp_s618_cp03
+
+define Device/meshpp_s618_cp01
+  DEVICE_TITLE := S618 cp01
+  DEVICE_DTS := qcom-ipq6018-meshpp-s618-cp01
+  SUPPORTED_DEVICES := meshpp,s618-cp01
+  DEVICE_DTS_CONFIG := config@cp01-c1
+  DEVICE_PACKAGES := ath11k-wifi-meshpp-s618 -kmod-usb-dwc3-of-simple kmod-usb-dwc3-qcom kmod-usb3
+endef
+TARGET_DEVICES += meshpp_s618_cp01

feeds/ipq807x/ipq807x/patches/200-bpf_backport.patch

@@ -32856,7 +32856,7 @@
 +
 +	new_range = dst_reg->off;
 +	if (range_right_open)
-+		new_range--;
++		new_range++;
 +
 +	/* Examples for register markings:
 +	 *

feeds/ipq807x/ipq807x/patches/224-clear-skbuffs-cb-for-incoming-packets.patch

@@ -0,0 +1,30 @@
+From a0d398a7373b395a2cbdc865815560671d1e8a08 Mon Sep 17 00:00:00 2001
+From: Venkat Chimata <venkata@shasta.cloud>
+Date: Fri, 12 Aug 2022 15:42:40 +0530
+Subject: [PATCH] sk_buff's cb should be cleared in the entry point for both
+ incoming and outgoing packets at each layer. At bridge, it is already handled
+ in the outgoing path, but not in the incoming path. We have seen cases where
+ proxyarp_replied was 1 on sk_buffs coming from the WLAN driver and they were
+ getting dropped in forwarding path.
+
+Signed-off-by: Venkat Chimata <venkata@shasta.cloud>
+---
+ net/bridge/br_input.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index e6b745b7..09cd5b72 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -282,6 +282,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
+ 	if (!skb)
+ 		return RX_HANDLER_CONSUMED;
+ 
++	memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
++
+ 	p = br_port_get_rcu(skb->dev);
+ 
+ 	if (unlikely(is_link_local_ether_addr(dest))) {
+-- 
+2.34.1
+

feeds/ipq807x/ipq807x/patches/230-ipv4-route-Ignore-output-interface-in-FIB-lookup-for.patch

@@ -0,0 +1,72 @@
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 4 Aug 2020 07:53:42 +0200
+Subject: [PATCH] ipv4: route: Ignore output interface in FIB lookup for PMTU
+ route
+
+Currently, processes sending traffic to a local bridge with an
+encapsulation device as a port don't get ICMP errors if they exceed
+the PMTU of the encapsulated link.
+
+David Ahern suggested this as a hack, but it actually looks like
+the correct solution: when we update the PMTU for a given destination
+by means of updating or creating a route exception, the encapsulation
+might trigger this because of PMTU discovery happening either on the
+encapsulation device itself, or its lower layer. This happens on
+bridged encapsulations only.
+
+The output interface shouldn't matter, because we already have a
+valid destination. Drop the output interface restriction from the
+associated route lookup.
+
+For UDP tunnels, we will now have a route exception created for the
+encapsulation itself, with a MTU value reflecting its headroom, which
+allows a bridge forwarding IP packets originated locally to deliver
+errors back to the sending socket.
+
+The behaviour is now consistent with IPv6 and verified with selftests
+pmtu_ipv{4,6}_br_{geneve,vxlan}{4,6}_exception introduced later in
+this series.
+
+v2:
+- reset output interface only for bridge ports (David Ahern)
+- add and use netif_is_any_bridge_port() helper (David Ahern)
+
+Suggested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -4015,6 +4015,16 @@ static inline bool netif_is_ovs_master(c
+ 	return dev->priv_flags & IFF_OPENVSWITCH;
+ }
+ 
++static inline bool netif_is_ovs_port(const struct net_device *dev)
++{
++	return dev->priv_flags & IFF_OVS_DATAPATH;
++}
++
++static inline bool netif_is_any_bridge_port(const struct net_device *dev)
++{
++	return netif_is_bridge_port(dev) || netif_is_ovs_port(dev);
++}
++
+ static inline bool netif_is_ifb_dev(const struct net_device *dev)
+ {
+ 	return dev->priv_flags_ext & IFF_EXT_IFB;
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1004,6 +1004,11 @@ static void ip_rt_update_pmtu(struct dst
+ 	struct flowi4 fl4;
+ 
+ 	ip_rt_build_flow_key(&fl4, sk, skb);
++
++	/* Don't make lookup fail for bridged encapsulations */
++	if (skb && netif_is_any_bridge_port(skb->dev))
++		fl4.flowi4_oif = 0;
++
+ 	__ip_rt_update_pmtu(rt, &fl4, mtu);
+ }
+ 

feeds/ipq807x/ipq807x/patches/231-icmp-add-helpers-to-recognize-ICMP-error-packets.patch

@@ -0,0 +1,57 @@
+From: Matteo Croce <mcroce@redhat.com>
+Date: Sat, 2 Nov 2019 01:12:03 +0100
+Subject: [PATCH] icmp: add helpers to recognize ICMP error packets
+
+Add two helper functions, one for IPv4 and one for IPv6, to recognize
+the ICMP packets which are error responses.
+This packets are special because they have as payload the original
+header of the packet which generated it (RFC 792 says at least 8 bytes,
+but Linux actually includes much more than that).
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/include/linux/icmp.h
++++ b/include/linux/icmp.h
+@@ -24,4 +24,19 @@ static inline struct icmphdr *icmp_hdr(c
+ {
+ 	return (struct icmphdr *)skb_transport_header(skb);
+ }
++
++static inline bool icmp_is_err(int type)
++{
++	switch (type) {
++	case ICMP_DEST_UNREACH:
++	case ICMP_SOURCE_QUENCH:
++	case ICMP_REDIRECT:
++	case ICMP_TIME_EXCEEDED:
++	case ICMP_PARAMETERPROB:
++		return true;
++	}
++
++	return false;
++}
++
+ #endif	/* _LINUX_ICMP_H */
+--- a/include/linux/icmpv6.h
++++ b/include/linux/icmpv6.h
+@@ -42,4 +42,18 @@ extern void				icmpv6_flow_init(struct s
+ 							 const struct in6_addr *saddr,
+ 							 const struct in6_addr *daddr,
+ 							 int oif);
++
++static inline bool icmpv6_is_err(int type)
++{
++	switch (type) {
++	case ICMPV6_DEST_UNREACH:
++	case ICMPV6_PKT_TOOBIG:
++	case ICMPV6_TIME_EXCEED:
++	case ICMPV6_PARAMPROB:
++		return true;
++	}
++
++	return false;
++}
++
+ #endif

feeds/ipq807x/ipq807x/patches/232-tunnels-PMTU-discovery-support-for-directly-bridged-.patch

@@ -0,0 +1,360 @@
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 4 Aug 2020 07:53:43 +0200
+Subject: [PATCH] tunnels: PMTU discovery support for directly bridged IP
+ packets
+
+It's currently possible to bridge Ethernet tunnels carrying IP
+packets directly to external interfaces without assigning them
+addresses and routes on the bridged network itself: this is the case
+for UDP tunnels bridged with a standard bridge or by Open vSwitch.
+
+PMTU discovery is currently broken with those configurations, because
+the encapsulation effectively decreases the MTU of the link, and
+while we are able to account for this using PMTU discovery on the
+lower layer, we don't have a way to relay ICMP or ICMPv6 messages
+needed by the sender, because we don't have valid routes to it.
+
+On the other hand, as a tunnel endpoint, we can't fragment packets
+as a general approach: this is for instance clearly forbidden for
+VXLAN by RFC 7348, section 4.3:
+
+   VTEPs MUST NOT fragment VXLAN packets.  Intermediate routers may
+   fragment encapsulated VXLAN packets due to the larger frame size.
+   The destination VTEP MAY silently discard such VXLAN fragments.
+
+The same paragraph recommends that the MTU over the physical network
+accomodates for encapsulations, but this isn't a practical option for
+complex topologies, especially for typical Open vSwitch use cases.
+
+Further, it states that:
+
+   Other techniques like Path MTU discovery (see [RFC1191] and
+   [RFC1981]) MAY be used to address this requirement as well.
+
+Now, PMTU discovery already works for routed interfaces, we get
+route exceptions created by the encapsulation device as they receive
+ICMP Fragmentation Needed and ICMPv6 Packet Too Big messages, and
+we already rebuild those messages with the appropriate MTU and route
+them back to the sender.
+
+Add the missing bits for bridged cases:
+
+- checks in skb_tunnel_check_pmtu() to understand if it's appropriate
+  to trigger a reply according to RFC 1122 section 3.2.2 for ICMP and
+  RFC 4443 section 2.4 for ICMPv6. This function is already called by
+  UDP tunnels
+
+- a new function generating those ICMP or ICMPv6 replies. We can't
+  reuse icmp_send() and icmp6_send() as we don't see the sender as a
+  valid destination. This doesn't need to be generic, as we don't
+  cover any other type of ICMP errors given that we only provide an
+  encapsulation function to the sender
+
+While at it, make the MTU check in skb_tunnel_check_pmtu() accurate:
+we might receive GSO buffers here, and the passed headroom already
+includes the inner MAC length, so we don't have to account for it
+a second time (that would imply three MAC headers on the wire, but
+there are just two).
+
+This issue became visible while bridging IPv6 packets with 4500 bytes
+of payload over GENEVE using IPv4 with a PMTU of 4000. Given the 50
+bytes of encapsulation headroom, we would advertise MTU as 3950, and
+we would reject fragmented IPv6 datagrams of 3958 bytes size on the
+wire. We're exclusively dealing with network MTU here, though, so we
+could get Ethernet frames up to 3964 octets in that case.
+
+v2:
+- moved skb_tunnel_check_pmtu() to ip_tunnel_core.c (David Ahern)
+- split IPv4/IPv6 functions (David Ahern)
+
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -279,6 +279,8 @@ int iptunnel_xmit(struct sock *sk, struc
+ 		  u8 tos, u8 ttl, __be16 df, bool xnet);
+ struct metadata_dst *iptunnel_metadata_reply(struct metadata_dst *md,
+ 					     gfp_t flags);
++int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst,
++			  int headroom, bool reply);
+ 
+ struct sk_buff *iptunnel_handle_offloads(struct sk_buff *skb, bool gre_csum,
+ 					 int gso_type_mask);
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -204,6 +204,252 @@ error:
+ }
+ EXPORT_SYMBOL_GPL(iptunnel_handle_offloads);
+ 
++/**
++ * iptunnel_pmtud_build_icmp() - Build ICMP error message for PMTUD
++ * @skb:	Original packet with L2 header
++ * @mtu:	MTU value for ICMP error
++ *
++ * Return: length on success, negative error code if message couldn't be built.
++ */
++static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
++{
++	const struct iphdr *iph = ip_hdr(skb);
++	struct icmphdr *icmph;
++	struct iphdr *niph;
++	struct ethhdr eh;
++	int len, err;
++
++	if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)))
++		return -EINVAL;
++
++	skb_copy_bits(skb, skb_mac_header(skb) - skb->data, &eh, ETH_HLEN);
++	pskb_pull(skb, ETH_HLEN);
++	skb_reset_network_header(skb);
++
++	err = pskb_trim(skb, 576 - sizeof(*niph) - sizeof(*icmph));
++	if (err)
++		return err;
++
++	len = skb->len + sizeof(*icmph);
++	err = skb_cow(skb, sizeof(*niph) + sizeof(*icmph) + ETH_HLEN);
++	if (err)
++		return err;
++
++	icmph = (struct icmphdr *)skb_push(skb, sizeof(*icmph));
++	*icmph = (struct icmphdr) {
++		.type			= ICMP_DEST_UNREACH,
++		.code			= ICMP_FRAG_NEEDED,
++		.checksum		= 0,
++		.un.frag.__unused	= 0,
++		.un.frag.mtu		= ntohs(mtu),
++	};
++	icmph->checksum = ip_compute_csum(icmph, len);
++	skb_reset_transport_header(skb);
++
++	niph = (struct iphdr *)skb_push(skb, sizeof(*niph));
++	*niph = (struct iphdr) {
++		.ihl			= sizeof(*niph) / 4u,
++		.version 		= 4,
++		.tos 			= 0,
++		.tot_len		= htons(len + sizeof(*niph)),
++		.id			= 0,
++		.frag_off		= htons(IP_DF),
++		.ttl			= iph->ttl,
++		.protocol		= IPPROTO_ICMP,
++		.saddr			= iph->daddr,
++		.daddr			= iph->saddr,
++	};
++	ip_send_check(niph);
++	skb_reset_network_header(skb);
++
++	skb->ip_summed = CHECKSUM_NONE;
++
++	eth_header(skb, skb->dev, htons(eh.h_proto), eh.h_source, eh.h_dest, 0);
++	skb_reset_mac_header(skb);
++
++	return skb->len;
++}
++
++/**
++ * iptunnel_pmtud_check_icmp() - Trigger ICMP reply if needed and allowed
++ * @skb:	Buffer being sent by encapsulation, L2 headers expected
++ * @mtu:	Network MTU for path
++ *
++ * Return: 0 for no ICMP reply, length if built, negative value on error.
++ */
++static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
++{
++	const struct icmphdr *icmph = icmp_hdr(skb);
++	const struct iphdr *iph = ip_hdr(skb);
++
++	if (mtu <= 576 || iph->frag_off != htons(IP_DF))
++		return 0;
++
++	if (ipv4_is_lbcast(iph->daddr)  || ipv4_is_multicast(iph->daddr) ||
++	    ipv4_is_zeronet(iph->saddr) || ipv4_is_loopback(iph->saddr)  ||
++	    ipv4_is_lbcast(iph->saddr)  || ipv4_is_multicast(iph->saddr))
++		return 0;
++
++	if (iph->protocol == IPPROTO_ICMP && icmp_is_err(icmph->type))
++		return 0;
++
++	return iptunnel_pmtud_build_icmp(skb, mtu);
++}
++
++#if IS_ENABLED(CONFIG_IPV6)
++/**
++ * iptunnel_pmtud_build_icmpv6() - Build ICMPv6 error message for PMTUD
++ * @skb:	Original packet with L2 header
++ * @mtu:	MTU value for ICMPv6 error
++ *
++ * Return: length on success, negative error code if message couldn't be built.
++ */
++static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
++{
++	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
++	struct icmp6hdr *icmp6h;
++	struct ipv6hdr *nip6h;
++	struct ethhdr eh;
++	int len, err;
++	__wsum csum;
++
++	if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)))
++		return -EINVAL;
++
++	skb_copy_bits(skb, skb_mac_header(skb) - skb->data, &eh, ETH_HLEN);
++	pskb_pull(skb, ETH_HLEN);
++	skb_reset_network_header(skb);
++
++	err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h));
++	if (err)
++		return err;
++
++	len = skb->len + sizeof(*icmp6h);
++	err = skb_cow(skb, sizeof(*nip6h) + sizeof(*icmp6h) + ETH_HLEN);
++	if (err)
++		return err;
++
++	icmp6h = (struct icmp6hdr *)skb_push(skb, sizeof(*icmp6h));
++	*icmp6h = (struct icmp6hdr) {
++		.icmp6_type		= ICMPV6_PKT_TOOBIG,
++		.icmp6_code		= 0,
++		.icmp6_cksum		= 0,
++		.icmp6_mtu		= htonl(mtu),
++	};
++	skb_reset_transport_header(skb);
++
++	nip6h = (struct ipv6hdr *)skb_push(skb, sizeof(*nip6h));
++	*nip6h = (struct ipv6hdr) {
++		.priority		= 0,
++		.version		= 6,
++		.flow_lbl		= { 0 },
++		.payload_len		= htons(len),
++		.nexthdr		= IPPROTO_ICMPV6,
++		.hop_limit		= ip6h->hop_limit,
++		.saddr			= ip6h->daddr,
++		.daddr			= ip6h->saddr,
++	};
++	skb_reset_network_header(skb);
++
++	csum = csum_partial(icmp6h, len, 0);
++	icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len,
++					      IPPROTO_ICMPV6, csum);
++
++	skb->ip_summed = CHECKSUM_NONE;
++
++	eth_header(skb, skb->dev, htons(eh.h_proto), eh.h_source, eh.h_dest, 0);
++	skb_reset_mac_header(skb);
++
++	return skb->len;
++}
++
++/**
++ * iptunnel_pmtud_check_icmpv6() - Trigger ICMPv6 reply if needed and allowed
++ * @skb:	Buffer being sent by encapsulation, L2 headers expected
++ * @mtu:	Network MTU for path
++ *
++ * Return: 0 for no ICMPv6 reply, length if built, negative value on error.
++ */
++static int iptunnel_pmtud_check_icmpv6(struct sk_buff *skb, int mtu)
++{
++	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
++	int stype = ipv6_addr_type(&ip6h->saddr);
++	u8 proto = ip6h->nexthdr;
++	__be16 frag_off;
++	int offset;
++
++	if (mtu <= IPV6_MIN_MTU)
++		return 0;
++
++	if (stype == IPV6_ADDR_ANY || stype == IPV6_ADDR_MULTICAST ||
++	    stype == IPV6_ADDR_LOOPBACK)
++		return 0;
++
++	offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &proto,
++				  &frag_off);
++	if (offset < 0 || (frag_off & htons(~0x7)))
++		return 0;
++
++	if (proto == IPPROTO_ICMPV6) {
++		struct icmp6hdr *icmp6h;
++
++		if (!pskb_may_pull(skb, skb_network_header(skb) +
++					offset + 1 - skb->data))
++			return 0;
++
++		icmp6h = (struct icmp6hdr *)(skb_network_header(skb) + offset);
++		if (icmpv6_is_err(icmp6h->icmp6_type) ||
++		    icmp6h->icmp6_type == NDISC_REDIRECT)
++			return 0;
++	}
++
++	return iptunnel_pmtud_build_icmpv6(skb, mtu);
++}
++#endif /* IS_ENABLED(CONFIG_IPV6) */
++
++/**
++ * skb_tunnel_check_pmtu() - Check, update PMTU and trigger ICMP reply as needed
++ * @skb:	Buffer being sent by encapsulation, L2 headers expected
++ * @encap_dst:	Destination for tunnel encapsulation (outer IP)
++ * @headroom:	Encapsulation header size, bytes
++ * @reply:	Build matching ICMP or ICMPv6 message as a result
++ *
++ * L2 tunnel implementations that can carry IP and can be directly bridged
++ * (currently UDP tunnels) can't always rely on IP forwarding paths to handle
++ * PMTU discovery. In the bridged case, ICMP or ICMPv6 messages need to be built
++ * based on payload and sent back by the encapsulation itself.
++ *
++ * For routable interfaces, we just need to update the PMTU for the destination.
++ *
++ * Return: 0 if ICMP error not needed, length if built, negative value on error
++ */
++int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst,
++			  int headroom, bool reply)
++{
++	struct dst_entry *dst = skb_dst(skb);
++	u32 mtu = dst_mtu(encap_dst) - headroom;
++
++	if ((skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu) ||
++	    (!skb_is_gso(skb) && (skb->len - skb_mac_header_len(skb)) <= mtu))
++		return 0;
++
++	if (dst && dst->ops->update_pmtu)
++		dst->ops->update_pmtu(dst, NULL, skb, mtu);
++
++	if (!reply || skb->pkt_type == PACKET_HOST)
++		return 0;
++
++	if (skb->protocol == htons(ETH_P_IP))
++		return iptunnel_pmtud_check_icmp(skb, mtu);
++
++#if IS_ENABLED(CONFIG_IPV6)
++	if (skb->protocol == htons(ETH_P_IPV6))
++		return iptunnel_pmtud_check_icmpv6(skb, mtu);
++#endif
++	return 0;
++}
++EXPORT_SYMBOL(skb_tunnel_check_pmtu);
++
+ /* Often modified stats are per cpu, other are shared (netdev->stats) */
+ struct rtnl_link_stats64 *ip_tunnel_get_stats64(struct net_device *dev,
+ 						struct rtnl_link_stats64 *tot)
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2076,6 +2076,8 @@ static void vxlan_xmit_one(struct sk_buf
+ 		/* Reset the skb_iif to Tunnels interface index */
+ 		skb->skb_iif = dev->ifindex;
+ 
++		skb_tunnel_check_pmtu(skb, &rt->dst, VXLAN_HEADROOM, false);
++
+ 		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+ 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
+ 		err = vxlan_xmit_skb(rt, sk, skb, fl4.saddr,
+@@ -2141,6 +2143,8 @@ static void vxlan_xmit_one(struct sk_buf
+ 				flags |= VXLAN_F_UDP_ZERO_CSUM6_TX;
+ 		}
+ 
++		skb_tunnel_check_pmtu(skb, ndst, VXLAN6_HEADROOM, false);
++
+ 		ttl = ttl ? : ip6_dst_hoplimit(ndst);
+ 		err = vxlan6_xmit_skb(ndst, sk, skb, dev, &saddr, &dst->sin6.sin6_addr,
+ 				      0, ttl, src_port, dst_port, htonl(vni << 8), md,

feeds/ipq807x/ipq807x/patches/233-vxlan-simplify-RTF_LOCAL-handling.patch

@@ -0,0 +1,114 @@
+From: pravin shelar <pshelar@ovn.org>
+Date: Sun, 13 Nov 2016 20:43:56 -0800
+Subject: [PATCH] vxlan: simplify RTF_LOCAL handling.
+
+Avoid code duplicate code for handling RTF_LOCAL routes.
+
+Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
+Acked-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1946,6 +1946,40 @@ static void vxlan_encap_bypass(struct sk
+ 	}
+ }
+ 
++static int encap_bypass_if_local(struct sk_buff *skb, struct net_device *dev,
++				 struct vxlan_dev *vxlan, union vxlan_addr *daddr,
++				 __be32 dst_port, __be32 vni, struct dst_entry *dst,
++				 u32 rt_flags)
++{
++#if IS_ENABLED(CONFIG_IPV6)
++	/* IPv6 rt-flags are checked against RTF_LOCAL, but the value of
++	 * RTF_LOCAL is equal to RTCF_LOCAL. So to keep code simple
++	 * we can use RTCF_LOCAL which works for ipv4 and ipv6 route entry.
++	 */
++	BUILD_BUG_ON(RTCF_LOCAL != RTF_LOCAL);
++#endif
++	/* Bypass encapsulation if the destination is local */
++	if (rt_flags & RTCF_LOCAL &&
++	    !(rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))) {
++		struct vxlan_dev *dst_vxlan;
++
++		dst_release(dst);
++		dst_vxlan = vxlan_find_vni(vxlan->net, vni,
++					   daddr->sa.sa_family, dst_port,
++					   vxlan->flags);
++		if (!dst_vxlan) {
++			dev->stats.tx_errors++;
++			kfree_skb(skb);
++
++			return -ENOENT;
++		}
++		vxlan_encap_bypass(skb, vxlan, dst_vxlan);
++		return 1;
++	}
++
++	return 0;
++}
++
+ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
+ 			   struct vxlan_rdst *rdst, bool did_rsc)
+ {
+@@ -2059,18 +2093,12 @@ static void vxlan_xmit_one(struct sk_buf
+ 		}
+ 
+ 		/* Bypass encapsulation if the destination is local */
+-		if (rt->rt_flags & RTCF_LOCAL &&
+-		    !(rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))) {
+-			struct vxlan_dev *dst_vxlan;
+-
+-			ip_rt_put(rt);
+-			dst_vxlan = vxlan_find_vni(vxlan->net, vni,
+-						   dst->sa.sa_family, dst_port,
+-						   vxlan->flags);
+-			if (!dst_vxlan)
+-				goto tx_error;
+-			vxlan_encap_bypass(skb, vxlan, dst_vxlan);
+-			return;
++		if (!info) {
++			err = encap_bypass_if_local(skb, dev, vxlan, dst,
++						    dst_port, vni, &rt->dst,
++						    rt->rt_flags);
++			if (err)
++				return;
+ 		}
+ 
+ 		/* Reset the skb_iif to Tunnels interface index */
+@@ -2096,7 +2124,6 @@ static void vxlan_xmit_one(struct sk_buf
+ 	} else {
+ 		struct dst_entry *ndst;
+ 		struct in6_addr saddr;
+-		u32 rt6i_flags;
+ 
+ 		if (!vxlan->vn6_sock)
+ 			goto drop;
+@@ -2121,19 +2148,14 @@ static void vxlan_xmit_one(struct sk_buf
+ 		}
+ 
+ 		/* Bypass encapsulation if the destination is local */
+-		rt6i_flags = ((struct rt6_info *)ndst)->rt6i_flags;
+-		if (rt6i_flags & RTF_LOCAL &&
+-		    !(rt6i_flags & (RTCF_BROADCAST | RTCF_MULTICAST))) {
+-			struct vxlan_dev *dst_vxlan;
++		if (!info) {
++			u32 rt6i_flags = ((struct rt6_info *)ndst)->rt6i_flags;
+ 
+-			dst_release(ndst);
+-			dst_vxlan = vxlan_find_vni(vxlan->net, vni,
+-						   dst->sa.sa_family, dst_port,
+-						   vxlan->flags);
+-			if (!dst_vxlan)
+-				goto tx_error;
+-			vxlan_encap_bypass(skb, vxlan, dst_vxlan);
+-			return;
++			err = encap_bypass_if_local(skb, dev, vxlan, dst,
++						    dst_port, vni, ndst,
++						    rt6i_flags);
++			if (err)
++				return;
+ 		}
+ 
+ 		if (info) {

feeds/ipq807x/ipq807x/patches/234-vxlan-Support-for-PMTU-discovery-on-directly-bridged.patch

@@ -0,0 +1,140 @@
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 4 Aug 2020 07:53:44 +0200
+Subject: [PATCH] vxlan: Support for PMTU discovery on directly bridged links
+
+If the interface is a bridge or Open vSwitch port, and we can't
+forward a packet because it exceeds the local PMTU estimate,
+trigger an ICMP or ICMPv6 reply to the sender, using the same
+interface to forward it back.
+
+If metadata collection is enabled, reverse destination and source
+addresses, so that Open vSwitch is able to match this packet against
+the existing, reverse flow.
+
+v2: Use netif_is_any_bridge_port() (David Ahern)
+
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1903,7 +1903,7 @@ static struct dst_entry *vxlan6_get_rout
+ 
+ /* Bypass encapsulation if the destination is local */
+ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan,
+-			       struct vxlan_dev *dst_vxlan)
++			       struct vxlan_dev *dst_vxlan, bool snoop)
+ {
+ 	struct pcpu_sw_netstats *tx_stats, *rx_stats;
+ 	union vxlan_addr loopback;
+@@ -1928,7 +1928,7 @@ static void vxlan_encap_bypass(struct sk
+ #endif
+ 	}
+ 
+-	if (dst_vxlan->flags & VXLAN_F_LEARN)
++	if ((dst_vxlan->flags & VXLAN_F_LEARN) && snoop)
+ 		vxlan_snoop(skb->dev, &loopback, eth_hdr(skb)->h_source);
+ 
+ 	u64_stats_update_begin(&tx_stats->syncp);
+@@ -1973,7 +1973,7 @@ static int encap_bypass_if_local(struct
+ 
+ 			return -ENOENT;
+ 		}
+-		vxlan_encap_bypass(skb, vxlan, dst_vxlan);
++		vxlan_encap_bypass(skb, vxlan, dst_vxlan, true);
+ 		return 1;
+ 	}
+ 
+@@ -1990,7 +1990,7 @@ static void vxlan_xmit_one(struct sk_buf
+ 	const struct iphdr *old_iph;
+ 	struct flowi4 fl4;
+ 	union vxlan_addr *dst;
+-	union vxlan_addr remote_ip;
++	union vxlan_addr remote_ip, local_ip;
+ 	struct vxlan_metadata _md;
+ 	struct vxlan_metadata *md = &_md;
+ 	__be16 src_port = 0, dst_port;
+@@ -2006,6 +2006,7 @@ static void vxlan_xmit_one(struct sk_buf
+ 		dst_port = rdst->remote_port ? rdst->remote_port : vxlan->cfg.dst_port;
+ 		vni = rdst->remote_vni;
+ 		dst = &rdst->remote_ip;
++		local_ip = vxlan->cfg.saddr;
+ 	} else {
+ 		if (!info) {
+ 			WARN_ONCE(1, "%s: Missing encapsulation instructions\n",
+@@ -2015,17 +2016,20 @@ static void vxlan_xmit_one(struct sk_buf
+ 		dst_port = info->key.tp_dst ? : vxlan->cfg.dst_port;
+ 		vni = be64_to_cpu(info->key.tun_id);
+ 		remote_ip.sa.sa_family = ip_tunnel_info_af(info);
+-		if (remote_ip.sa.sa_family == AF_INET)
++		if (remote_ip.sa.sa_family == AF_INET) {
+ 			remote_ip.sin.sin_addr.s_addr = info->key.u.ipv4.dst;
+-		else
++			local_ip.sin.sin_addr.s_addr = info->key.u.ipv4.src;
++		} else {
+ 			remote_ip.sin6.sin6_addr = info->key.u.ipv6.dst;
++			local_ip.sin6.sin6_addr = info->key.u.ipv6.src;
++		}
+ 		dst = &remote_ip;
+ 	}
+ 
+ 	if (vxlan_addr_any(dst)) {
+ 		if (did_rsc) {
+ 			/* short-circuited back to local bridge */
+-			vxlan_encap_bypass(skb, vxlan, vxlan);
++			vxlan_encap_bypass(skb, vxlan, vxlan, true);
+ 			return;
+ 		}
+ 		goto drop;
+@@ -2104,7 +2108,23 @@ static void vxlan_xmit_one(struct sk_buf
+ 		/* Reset the skb_iif to Tunnels interface index */
+ 		skb->skb_iif = dev->ifindex;
+ 
+-		skb_tunnel_check_pmtu(skb, &rt->dst, VXLAN_HEADROOM, false);
++		err = skb_tunnel_check_pmtu(skb, &rt->dst, VXLAN_HEADROOM,
++					    netif_is_any_bridge_port(dev));
++		if (err < 0) {
++			goto tx_error;
++		} else if (err) {
++			if (info) {
++				struct in_addr src, dst;
++
++				src = remote_ip.sin.sin_addr;
++				dst = local_ip.sin.sin_addr;
++				info->key.u.ipv4.src = src.s_addr;
++				info->key.u.ipv4.dst = dst.s_addr;
++			}
++			vxlan_encap_bypass(skb, vxlan, vxlan, false);
++			ip_rt_put(rt);
++			return;
++		}
+ 
+ 		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+ 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
+@@ -2165,7 +2185,24 @@ static void vxlan_xmit_one(struct sk_buf
+ 				flags |= VXLAN_F_UDP_ZERO_CSUM6_TX;
+ 		}
+ 
+-		skb_tunnel_check_pmtu(skb, ndst, VXLAN6_HEADROOM, false);
++		err = skb_tunnel_check_pmtu(skb, ndst, VXLAN6_HEADROOM,
++					    netif_is_any_bridge_port(dev));
++		if (err < 0) {
++			goto tx_error;
++		} else if (err) {
++			if (info) {
++				struct in6_addr src, dst;
++
++				src = remote_ip.sin6.sin6_addr;
++				dst = local_ip.sin6.sin6_addr;
++				info->key.u.ipv6.src = src;
++				info->key.u.ipv6.dst = dst;
++			}
++
++			vxlan_encap_bypass(skb, vxlan, vxlan, false);
++			ip_rt_put(rt);
++			return;
++		}
+ 
+ 		ttl = ttl ? : ip6_dst_hoplimit(ndst);
+ 		err = vxlan6_xmit_skb(ndst, sk, skb, dev, &saddr, &dst->sin6.sin6_addr,

feeds/ipq807x/ipq807x/patches/235-generic-Fix-per-interface-nf_call_iptables-setting.patch

@@ -0,0 +1,234 @@
+From: Sven Eckelmann <sven@open-mesh.com>
+Date: Wed, 2 Sep 2015 19:47:43 +0200
+Subject: generic: Fix per interface nf_call_iptables setting
+
+commit r30917 ("kernel: bypass all netfilter hooks if the sysctls for that
+functionality have been disabled - eliminates the overhead of enabling
+CONFIG_BRIDGE_NETFILTER in the kernel config") introduced an optimization
+which should reduce/eliminate the overhead for traffic send over bridges on
+kernels compiled with CONFIG_BRIDGE_NETFILTER=y. But this optimization
+breaks the nf_call_iptables per bridge setting which is more fine grained
+than the global sysctl net.bridge.bridge-nf-call-iptables setting.
+
+A test reflecting a real world setup was created to identify if this really
+eliminates the overhead and if per-bridge nf_call_iptables could be used in
+some setups to increase the throughput. A Qualcomm Atheros QCA9558 based
+system with one ethernet and an ath9k wifi 3x3 in HT40 mode was used.
+Cables from the AP to the wifi station were used to reduce interference
+problems during the tests.
+
+The wlan interface was put in one bridge interface called br-wlan. This
+bridge usually contains some more wlan interfaces. The eth0 was put in a
+second bridge called br-lan. This usually contains some other privileged
+wlan or mesh interfaces. Routing was added between br-lan and br-wlan.
+
+Three kernels were tested:
+
+ * (default) OpenWrt kernel for this device
+ * (brfilter-global) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y
+ * (brfilter-local)  OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y and
+    without 644-bridge_optimize_netfilter_hooks.patch
+
+The changes to the the netfilter settings of the bridge were done via:
+
+ * (brfilter-global) /sbin/sysctl -w net.bridge.bridge-nf-call-iptables=1
+ * (brfilter-lobal) echo 1 > /sys/class/net/br-lan/bridge/nf_call_iptables
+   and/or echo 1 > /sys/class/net/br-wan/bridge/nf_call_iptables
+
+A station connected to the wlan0 (AP) interface was used to send traffic to
+a PC connected via ethernet. iperf with 3 concurrent transmissions was used
+to generate the traffic.
+
+| kernel          | br-nf-* global | nf-call* iface | download | upload   |
+|-----------------|----------------|----------------|----------|----------|
+| default         | 0              | -              |      209 |      268 |
+| brfilter-global | 0              | -              |      185 |      243 |
+| brfilter-local  | 0              | -              |      187 |      243 |
+| brfilter-local  | 0              | br-lan         |      157 |      226 |
+| brfilter-local  | 0              | br-lan br-wlan |      139 |      161 |
+| brfilter-global | 1              | -              |      136 |      162 |
+
+Download/upload results in Mibit/s
+
+It can be seen that the patch doesn't eliminate the overhead. It can also
+be seen that the throughput of brfilter-global and brfilter-local with
+disabled filtering is the roughly the same. Also the throughput for
+brfilter-global and brfilter-local for enabled filtering on all bridges is
+roughly the same.
+
+But also the brfilter-local throughput is higher when only br-lan requires
+the filtering. This setting would not be possible with
+644-bridge_optimize_netfilter_hooks.patch applied and thus can only be
+compared with brfilter-global and filtering enabled for all interfaces.
+
+Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
+
+Forwarded: https://patchwork.ozlabs.org/patch/513592/
+Applied-Upstream: https://dev.openwrt.org/changeset/46835
+
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -69,7 +69,7 @@ EXPORT_SYMBOL_GPL(br_dev_queue_push_xmit
+ 
+ int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+-	return BR_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING,
++	return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING,
+ 		       net, sk, skb, NULL, skb->dev,
+ 		       br_dev_queue_push_xmit);
+ 
+@@ -97,7 +97,7 @@ static void __br_deliver(const struct ne
+ 		return;
+ 	}
+ 
+-	BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
++	NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
+ 		dev_net(skb->dev), NULL, skb,NULL, skb->dev,
+ 		br_forward_finish);
+ }
+@@ -121,7 +121,7 @@ static void __br_forward(const struct ne
+ 	skb->dev = to->dev;
+ 	skb_forward_csum(skb);
+ 
+-	BR_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD,
++	NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD,
+ 		dev_net(indev), NULL, skb, indev, skb->dev,
+ 		br_forward_finish);
+ }
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -70,7 +70,7 @@ int br_pass_frame_up(struct sk_buff *skb
+ 	if (!skb)
+ 		return NET_RX_DROP;
+ 
+-	return BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
++	return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+ 		       dev_net(indev), NULL, skb, indev, NULL,
+ 		       br_netif_receive_skb);
+ }
+@@ -320,7 +320,7 @@ rx_handler_result_t br_handle_frame(stru
+ 		}
+ 
+ 		/* Deliver packet to local host only */
+-		if (BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
++		if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+ 			    dev_net(skb->dev), NULL, skb, skb->dev, NULL,
+ 			    br_handle_local_finish)) {
+ 			return RX_HANDLER_CONSUMED; /* consumed by filter */
+@@ -337,7 +337,7 @@ forward:
+ 			if (ether_addr_equal(p->br->dev->dev_addr, dest))
+ 				skb->pkt_type = PACKET_HOST;
+ 
+-			if (BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, dev_net(skb->dev), NULL,
++			if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, dev_net(skb->dev), NULL,
+ 				skb, skb->dev, NULL, br_handle_local_finish))
+ 				break;
+ 
+@@ -361,7 +361,7 @@ forward:
+ 		if (ether_addr_equal(p->br->dev->dev_addr, dest))
+ 			skb->pkt_type = PACKET_HOST;
+ 
+-		BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
++		NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
+ 			dev_net(skb->dev), NULL, skb, skb->dev, NULL,
+ 			br_handle_frame_finish);
+ 		break;
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -856,7 +856,7 @@ static void __br_multicast_send_query(st
+ 
+ 	if (port) {
+ 		skb->dev = port->dev;
+-		BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
++		NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
+ 			dev_net(port->dev), NULL, skb, NULL, skb->dev,
+ 			br_dev_queue_push_xmit);
+ 	} else {
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -72,15 +72,6 @@ static int brnf_pass_vlan_indev __read_m
+ #define IS_ARP(skb) \
+ 	(!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
+ 
+-int brnf_call_ebtables __read_mostly;
+-EXPORT_SYMBOL_GPL(brnf_call_ebtables);
+-
+-bool br_netfilter_run_hooks(void)
+-{
+-	return brnf_call_iptables | brnf_call_ip6tables | brnf_call_arptables |
+-		brnf_call_ebtables | brnf_call_custom;
+-}
+-
+ static inline __be16 vlan_proto(const struct sk_buff *skb)
+ {
+ 	if (skb_vlan_tag_present(skb))
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -909,29 +909,15 @@ extern const struct nf_br_ops __rcu *nf_
+ 
+ /* br_netfilter.c */
+ #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+-extern int brnf_call_ebtables;
+ int br_nf_core_init(void);
+ void br_nf_core_fini(void);
+ void br_netfilter_rtable_init(struct net_bridge *);
+-bool br_netfilter_run_hooks(void);
+ #else
+ static inline int br_nf_core_init(void) { return 0; }
+ static inline void br_nf_core_fini(void) {}
+ #define br_netfilter_rtable_init(x)
+-#define br_netfilter_run_hooks()	false
+ #endif
+ 
+-static inline int
+-BR_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
+-	struct sk_buff *skb, struct net_device *in, struct net_device *out,
+-	int (*okfn)(struct net *, struct sock *, struct sk_buff *))
+-{
+-	if (!br_netfilter_run_hooks())
+-		return okfn(net, sk, skb);
+-
+-	return NF_HOOK(pf, hook, net, sk, skb, in, out, okfn);
+-}
+-
+ /* br_stp.c */
+ void br_log_state(const struct net_bridge_port *p);
+ void br_set_state(struct net_bridge_port *p, unsigned int state);
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -60,7 +60,7 @@ static void br_send_bpdu(struct net_brid
+ 
+ 	skb_reset_mac_header(skb);
+ 
+-	BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
++	NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
+ 		dev_net(p->dev), NULL, skb, NULL, skb->dev,
+ 		br_send_bpdu_finish);
+ }
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2416,13 +2416,11 @@ static int __init ebtables_init(void)
+ 	}
+ 
+ 	printk(KERN_INFO "Ebtables v2.0 registered\n");
+-	brnf_call_ebtables = 1;
+ 	return 0;
+ }
+ 
+ static void __exit ebtables_fini(void)
+ {
+-	brnf_call_ebtables = 0;
+ 	nf_unregister_sockopt(&ebt_sockopts);
+ 	xt_unregister_target(&ebt_standard_target);
+ 	printk(KERN_INFO "Ebtables v2.0 unregistered\n");
+--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+@@ -310,7 +310,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buf
+ 		 * nf_bridge will be set and nf_bridge->physoutdev is not null,
+ 		 * We can assume that it is not expecting NAT operation.
+ 		 *
+-		 * when BR_HOOK is enabled, multicast packets will reach
++		 * when NF_HOOK is enabled, multicast packets will reach
+ 		 * postrouting twice,the first time is when it is forwarded
+ 		 * between ports of a bridge, the second time is that it is
+ 		 * forwarded to upstream port.

feeds/ipq807x/xtables-addons/Makefile

@@ -0,0 +1,179 @@
+#
+# Copyright (C) 2009-2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=xtables-addons
+PKG_VERSION:=2.14
+PKG_RELEASE:=8
+PKG_HASH:=d215a9a8b8e66aae04b982fa2e1228e8a71e7dfe42320df99e34e5000cbdf152
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@SF/xtables-addons
+PKG_BUILD_DEPENDS:=iptables
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PKG_CHECK_FORMAT_SECURITY:=0
+
+PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
+PKG_LICENSE:=GPL-2.0
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/xtables-addons
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Firewall
+  TITLE:=Extensions not distributed in the main Xtables
+  URL:=http://xtables-addons.sourceforge.net/
+endef
+
+# uses GNU configure
+
+CONFIGURE_ARGS+= \
+	--with-kbuild="$(LINUX_DIR)" \
+	--with-xtlibdir="/usr/lib/iptables"
+
+ifdef CONFIG_EXTERNAL_TOOLCHAIN
+MAKE_FLAGS:= \
+	$(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
+	DEPMOD="/bin/true"
+
+MAKE_INSTALL_FLAGS:= \
+	$(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
+	DEPMOD="/bin/true"
+else
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
+		$(KERNEL_MAKE_FLAGS) \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		DEPMOD="/bin/true" \
+		all
+endef
+
+define Build/Install
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		$(KERNEL_MAKE_FLAGS) \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		DEPMOD="/bin/true" \
+		install
+endef
+endif
+
+# 1: extension/module suffix used in package name
+# 2: extension/module display name used in package title/description
+# 3: list of extensions to package
+# 4: list of modules to package
+# 5: module load priority
+# 6: module depends
+define BuildTemplate
+
+ ifneq ($(3),)
+  define Package/iptables-mod-$(1)
+    $$(call Package/xtables-addons)
+    CATEGORY:=Network
+    TITLE:=$(2) iptables extension
+    DEPENDS:=iptables $(if $(4),+kmod-ipt-$(1))
+  endef
+
+  define Package/iptables-mod-$(1)/install
+	$(INSTALL_DIR) $$(1)/usr/lib/iptables
+	for m in $(3); do \
+		$(CP) \
+			$(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so \
+			$$(1)/usr/lib/iptables/ ; \
+	done
+  endef
+
+  $$(eval $$(call BuildPackage,iptables-mod-$(1)))
+ endif
+
+ ifneq ($(4),)
+  define KernelPackage/ipt-$(1)
+    SUBMENU:=Netfilter Extensions
+    TITLE:=$(2) netfilter module
+    DEPENDS:=+kmod-ipt-core $(5)
+    FILES:=$(foreach mod,$(4),$(PKG_BUILD_DIR)/extensions/$(mod).$(LINUX_KMOD_SUFFIX))
+    AUTOLOAD:=$(call AutoProbe,$(notdir $(4)))
+  endef
+
+  $$(eval $$(call KernelPackage,ipt-$(1)))
+ endif
+
+endef
+
+
+define Package/iptaccount
+  $(call Package/xtables-addons)
+  CATEGORY:=Network
+  TITLE:=iptables-mod-account control utility
+  DEPENDS:=iptables +iptables-mod-account
+endef
+
+define Package/iptaccount/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) \
+		$(PKG_INSTALL_DIR)/usr/lib/libxt_ACCOUNT_cl.so* \
+		$(1)/usr/lib/
+	$(CP) \
+		$(PKG_INSTALL_DIR)/usr/sbin/iptaccount \
+		$(1)/usr/sbin/
+endef
+
+
+define Package/iptgeoip
+  $(call Package/xtables-addons)
+  CATEGORY:=Network
+  TITLE:=iptables-mod-geoip support scripts for MaxMind GeoIP databases
+  # we could also use wget-nossl but that's more complicated than our
+  # syntax of dependencies permits...
+  DEPENDS:=iptables +iptables-mod-geoip \
+		+perl +perlbase-getopt +perlbase-io +perl-text-csv_xs \
+		+!BUSYBOX_CONFIG_WGET:wget +!BUSYBOX_CONFIG_GZIP:gzip +!BUSYBOX_CONFIG_UNZIP:unzip
+endef
+
+define Package/iptgeoip/install
+	$(INSTALL_DIR) $(1)/usr/lib/xtables-addons
+	$(CP) \
+		$(PKG_INSTALL_DIR)/usr/lib/xtables-addons/xt_geoip_{build,dl} \
+		$(1)/usr/lib/xtables-addons/
+	$(INSTALL_DIR) $(1)/usr/share/xt_geoip
+endef
+
+
+#$(eval $(call BuildTemplate,SUFFIX,DESCRIPTION,EXTENSION,MODULE,PRIORITY,DEPENDS))
+
+$(eval $(call BuildTemplate,compat-xtables,API compatibilty layer,,compat_xtables,+IPV6:kmod-ip6tables))
+$(eval $(call BuildTemplate,nathelper-rtsp,RTSP Conntrack and NAT,,rtsp/nf_conntrack_rtsp rtsp/nf_nat_rtsp,+kmod-ipt-conntrack-extra +kmod-ipt-nat))
+
+$(eval $(call BuildTemplate,account,ACCOUNT,xt_ACCOUNT,ACCOUNT/xt_ACCOUNT,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,chaos,CHAOS,xt_CHAOS,xt_CHAOS,+kmod-ipt-compat-xtables +kmod-ipt-delude +kmod-ipt-tarpit))
+$(eval $(call BuildTemplate,condition,Condition,xt_condition,xt_condition,))
+$(eval $(call BuildTemplate,delude,DELUDE,xt_DELUDE,xt_DELUDE,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,dhcpmac,DHCPMAC,xt_DHCPMAC,xt_DHCPMAC,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,dnetmap,DNETMAP,xt_DNETMAP,xt_DNETMAP,+kmod-ipt-compat-xtables +kmod-ipt-nat))
+$(eval $(call BuildTemplate,fuzzy,fuzzy,xt_fuzzy,xt_fuzzy,))
+$(eval $(call BuildTemplate,geoip,geoip,xt_geoip,xt_geoip,))
+$(eval $(call BuildTemplate,iface,iface,xt_iface,xt_iface,))
+$(eval $(call BuildTemplate,ipmark,IPMARK,xt_IPMARK,xt_IPMARK,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,ipp2p,IPP2P,xt_ipp2p,xt_ipp2p,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,ipv4options,ipv4options,xt_ipv4options,xt_ipv4options,))
+$(eval $(call BuildTemplate,length2,length2,xt_length2,xt_length2,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,logmark,LOGMARK,xt_LOGMARK,xt_LOGMARK,+kmod-ipt-compat-xtables))
+$(eval $(call BuildTemplate,lscan,lscan,xt_lscan,xt_lscan,))
+$(eval $(call BuildTemplate,lua,Lua PacketScript,xt_LUA,LUA/xt_LUA,+kmod-ipt-conntrack-extra))
+$(eval $(call BuildTemplate,psd,psd,xt_psd,xt_psd,))
+$(eval $(call BuildTemplate,quota2,quota2,xt_quota2,xt_quota2,))
+$(eval $(call BuildTemplate,sysrq,SYSRQ,xt_SYSRQ,xt_SYSRQ,+kmod-ipt-compat-xtables +kmod-crypto-hash))
+$(eval $(call BuildTemplate,tarpit,TARPIT,xt_TARPIT,xt_TARPIT,+kmod-ipt-compat-xtables))
+
+$(eval $(call BuildPackage,iptaccount))
+$(eval $(call BuildPackage,iptgeoip))

feeds/ipq807x/xtables-addons/patches/001-fix-kernel-version-detection.patch

@@ -0,0 +1,11 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -44,7 +44,7 @@ regular_CFLAGS="-Wall -Waggregate-return
+ 
+ if test -n "$kbuilddir"; then
+ 	AC_MSG_CHECKING([kernel version that we will build against])
+-	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease | $AWK -v 'FS=[[^0-9.]]' '{print $1; exit}')"
++	krel="$(make -sC "$kbuilddir" M=$PWD kernelversion | $AWK -v 'FS=[[^0-9.]]' '{print $1; exit}')"
+ 	save_IFS="$IFS"
+ 	IFS='.'
+ 	set x $krel

feeds/ipq807x/xtables-addons/patches/002-build-support-for-Linux-4.15.patch

@@ -0,0 +1,50 @@
+From 2b76b68c65c97fc11409088c3c30993324df8500 Mon Sep 17 00:00:00 2001
+From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+Date: Thu, 4 Jan 2018 18:50:50 +0100
+Subject: [PATCH] build: support for Linux 4.15
+
+Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+---
+ extensions/pknock/xt_pknock.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
+index 6fbdea4..31d4bc8 100644
+--- a/extensions/pknock/xt_pknock.c
++++ b/extensions/pknock/xt_pknock.c
+@@ -358,10 +358,20 @@ has_logged_during_this_minute(const struct peer *peer)
+  * @r: rule
+  */
+ static void
+-peer_gc(unsigned long r)
++peer_gc(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++	struct timer_list *tl
++#else
++	unsigned long r
++#endif
++)
+ {
+ 	unsigned int i;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++	struct xt_pknock_rule *rule = from_timer(rule, tl, timer);
++#else
+ 	struct xt_pknock_rule *rule = (struct xt_pknock_rule *)r;
++#endif
+ 	struct peer *peer;
+ 	struct list_head *pos, *n;
+ 
+@@ -469,9 +479,13 @@ add_rule(struct xt_pknock_mtinfo *info)
+ 	if (rule->peer_head == NULL)
+ 		goto out;
+ 
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++	timer_setup(&rule->timer, peer_gc, 0);
++#else
+ 	init_timer(&rule->timer);
+ 	rule->timer.function	= peer_gc;
+ 	rule->timer.data	= (unsigned long)rule;
++#endif
+ 
+ 	rule->status_proc = proc_create_data(info->rule_name, 0, pde,
+ 	                    &pknock_proc_ops, rule);

feeds/ipq807x/xtables-addons/patches/003-build-add-support-for-Linux-4.18.patch

@@ -0,0 +1,25 @@
+From 3ea761a1ed338241fbc79bef8e433307e108b6cd Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Tue, 14 Aug 2018 14:29:30 +0200
+Subject: [PATCH] build: add support for Linux 4.18
+
+---
+ extensions/xt_DNETMAP.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c
+index 1b415c3..de7d4ec 100644
+--- a/extensions/xt_DNETMAP.c
++++ b/extensions/xt_DNETMAP.c
+@@ -367,7 +367,11 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ 	__be32 prenat_ip, postnat_ip, prenat_ip_prev;
+ 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
+ 	const struct nf_nat_range *mr = &tginfo->prefix;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 18, 0)
++	struct nf_nat_range2 newrange;
++#else
+ 	struct nf_nat_range newrange;
++#endif
+ 	struct dnetmap_entry *e;
+ 	struct dnetmap_prefix *p;
+ 	__s32 jttl;

feeds/ipq807x/xtables-addons/patches/201-fix-lua-packetscript.patch

@@ -0,0 +1,127 @@
+--- a/extensions/LUA/xt_LUA_target.c
++++ b/extensions/LUA/xt_LUA_target.c
+@@ -19,7 +19,7 @@
+ #include <linux/kernel.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
+-#include <asm/uaccess.h>
++#include <linux/uaccess.h>
+ #include <net/ip.h>
+ #include <linux/netfilter/x_tables.h>
+ #include "xt_LUA.h"
+@@ -64,10 +64,10 @@ uint32_t  lua_state_refs[LUA_STATE_ARRAY
+  * XT_CONTINUE inside the *register_lua_packet_lib* function.
+  */
+ 
+-spinlock_t lock = SPIN_LOCK_UNLOCKED;
++DEFINE_SPINLOCK(lock);
+ 
+ static uint32_t 
+-lua_tg(struct sk_buff *pskb, const struct xt_target_param *par)
++lua_tg(struct sk_buff *pskb, const struct xt_action_param *par)
+ {
+ 	uint32_t  verdict;
+ 	lua_packet_segment *p;
+@@ -88,11 +88,11 @@ lua_tg(struct sk_buff *pskb, const struc
+ 	/* push the lua_packet_segment as a parameter */
+ 	p = (lua_packet_segment *)lua_newuserdata(L, sizeof(lua_packet_segment));
+ 	if (pskb->mac_header)
+-		p->start = pskb->mac_header;
++		p->start = skb_mac_header(pskb);
+ 	else if (pskb->network_header)
+-		p->start = pskb->network_header;
++		p->start = skb_network_header(pskb);
+ 	else if (pskb->transport_header)
+-		p->start = pskb->transport_header;
++		p->start = skb_transport_header(pskb);
+ 	p->offset = 0;
+ 	p->length = (unsigned long)pskb->tail - (unsigned long)p->start;
+ 	p->changes = NULL;
+@@ -208,16 +208,16 @@ static bool load_script_into_state(uint3
+  * some workqueue initialization. So far this is done each time this function
+  * is called, subject to change.
+  */
+-static bool
++static int
+ lua_tg_checkentry(const struct xt_tgchk_param *par)
+ {
+ 	const struct xt_lua_tginfo *info = par->targinfo;
+ 
+ 	if (load_script_into_state(info->state_id, info->script_size, (char *)info->buf)) {
+ 		lua_state_refs[info->state_id]++;
+-		return true;
++		return 0;
+ 	}
+-	return false;
++	return -EINVAL;
+ }
+ 
+ /*::*
+--- a/extensions/LUA/lua/llimits.h
++++ b/extensions/LUA/lua/llimits.h
+@@ -8,7 +8,6 @@
+ #define llimits_h
+ 
+ #include <stddef.h>
+-#include <limits.h>
+ 
+ #include "lua.h"
+ 
+--- a/extensions/LUA/lua/lapi.c
++++ b/extensions/LUA/lua/lapi.c
+@@ -4,9 +4,6 @@
+ ** See Copyright Notice in lua.h
+ */
+ 
+-#include <stdarg.h>
+-#include <math.h>
+-#include <assert.h>
+ #include <string.h>
+ 
+ #define lapi_c
+--- a/extensions/LUA/lua/ltable.c
++++ b/extensions/LUA/lua/ltable.c
+@@ -18,7 +18,6 @@
+ ** Hence even when the load factor reaches 100%, performance remains good.
+ */
+ 
+-#include <math.h>
+ #include <string.h>
+ 
+ #define ltable_c
+--- a/extensions/LUA/lua/luaconf.h
++++ b/extensions/LUA/lua/luaconf.h
+@@ -13,8 +13,12 @@
+ #if !defined(__KERNEL__)
+ #include <limits.h>
+ #else
++#include <linux/kernel.h>
++
++#undef UCHAR_MAX
++#undef BUFSIZ
++#undef NO_FPU
+ #define UCHAR_MAX	255
+-#define SHRT_MAX        32767
+ #define BUFSIZ 		8192
+ #define NO_FPU
+ #endif
+@@ -637,6 +641,8 @@ union luai_Cast { double l_d; long l_l;
+ */
+ #if defined(__KERNEL__)
+ #undef LUA_USE_ULONGJMP
++#define setjmp __builtin_setjmp
++#define longjmp __builtin_longjmp
+ #endif
+ 
+ #if defined(__cplusplus)
+--- a/extensions/LUA/lua/llex.h
++++ b/extensions/LUA/lua/llex.h
+@@ -10,6 +10,8 @@
+ #include "lobject.h"
+ #include "lzio.h"
+ 
++/* prevent conflict with definition from asm/current.h */
++#undef current
+ 
+ #define FIRST_RESERVED	257
+ 

feeds/ipq807x/xtables-addons/patches/300-geoip-endian-detection.patch

@@ -0,0 +1,18 @@
+--- a/extensions/libxt_geoip.c
++++ b/extensions/libxt_geoip.c
+@@ -59,13 +59,13 @@ geoip_get_subnets(const char *code, uint
+ 
+ 	/* Use simple integer vector files */
+ 	if (nfproto == NFPROTO_IPV6) {
+-#if __BYTE_ORDER == _BIG_ENDIAN
++#if BYTE_ORDER == BIG_ENDIAN
+ 		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv6", code);
+ #else
+ 		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv6", code);
+ #endif
+ 	} else {
+-#if __BYTE_ORDER == _BIG_ENDIAN
++#if BYTE_ORDER == BIG_ENDIAN
+ 		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv4", code);
+ #else
+ 		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv4", code);

feeds/openflow/openvswitch/Config.in

@@ -1,8 +0,0 @@
-menu "Configuration"
-	depends on PACKAGE_openvswitch
-
-	config	OPENVSWITCH_WITH_LIBUNBOUND
-		bool
-		default y
-		prompt "Build with libunbound library."
-endmenu

feeds/openflow/openvswitch/Makefile

@@ -1,282 +0,0 @@
-#
-# Copyright (C) 2013 Julius Schulz-Zander <julius@net.t-labs.tu-berlin.de>
-# Copyright (C) 2014-2017 OpenWrt.org
-# Copyright (C) 2018-2020 Yousong Zhou <yszhou4tech@gmail.com>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-include ./openvswitch.mk
-
-# Checklist on version bump
-#
-#  - Check acinclude.m4 for range of supported kernel versions: "but version newer than .* is not supported"
-#  - Check and update kmod dependencies when necessary (runtime module load check in the least)
-#
-PKG_NAME:=openvswitch
-PKG_VERSION:=$(ovs_version)
-PKG_RELEASE:=10
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
-PKG_HASH:=5c7baed537364d43af36c15dde298c95d35cb2cb3204b4d3fe9b0fc73c97f16d
-
-PKG_LICENSE:=Apache-2.0
-PKG_LICENSE_FILES:=LICENSE
-PKG_CPE_ID:=cpe:/a:openvswitch:openvswitch
-
-PKG_BUILD_DIR:=$(ovs_builddir)
-PKG_BUILD_DEPENDS+=python3/host python-six/host
-PKG_USE_MIPS16:=0
-PKG_BUILD_PARALLEL:=1
-PKG_FIXUP:=autoreconf
-PKG_INSTALL:=1
-PYTHON3_PKG_BUILD:=0
-
-PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com>
-
-include $(INCLUDE_DIR)/package.mk
-include $(TOPDIR)/feeds/packages/lang/python/python3-host.mk
-include $(TOPDIR)/feeds/packages/lang/python/python3-package.mk
-
-define Package/openvswitch/config
-source "$(SOURCE)/Config.in"
-endef
-
-ovs_kmod_packages:=
-ovs_kmod_intree_kernel_patchver_min:=3.10
-ovs_kmod_intree_kernel_patchver_max:=5.5
-ovs_kmod_intree_not_supported:=$(strip $(call kernel_patchver_lt,$(ovs_kmod_intree_kernel_patchver_min))$(call kernel_patchver_gt,$(ovs_kmod_intree_kernel_patchver_max)))
-ovs_kmod_intree_dir:=$(PKG_BUILD_DIR)/datapath/linux
-ovs_kmod_upstream_dir:=$(LINUX_DIR)/net/openvswitch
-ovs_kmod_package_name=$(if $(filter openvswitch,$(1)),openvswitch,$(1))
-ovs_kmod_is_intree=$(filter %-intree,$(1))
-ovs_kmod_upstream_name=kmod-$(call ovs_kmod_package_name,$(patsubst %-intree,%,$(1)))
-ovs_kmod_package_provides=$(call ovs_kmod_upstream_name,$(1))
-define OvsKmodPackageTemplate
-ifeq ($(if $(call ovs_kmod_is_intree,$(1)),$(ovs_kmod_intree_not_supported)),)
-  define KernelPackage/$(call ovs_kmod_package_name,$(1))
-     SECTION:=kernel
-     CATEGORY:=Kernel modules
-     SUBMENU:=Network Support
-     TITLE:=$(ovs_kmod_$(1)_title)
-     DEPENDS:=$(ovs_kmod_$(1)_depends) $(if $(call ovs_kmod_is_intree,$(1)),@IPV6 @DEVEL)
-     PROVIDES:=$(call ovs_kmod_package_provides,$(1))
-     KCONFIG:=$(ovs_kmod_$(1)_kconfig)
-     FILES:=$(ovs_kmod_$(1)_files)
-     AUTOLOAD:=$(call AutoProbe,$(foreach m,$(ovs_kmod_$(1)_files),$(notdir $(patsubst %.ko,%,$(basename $(m))))))
-  endef
-
-  ovs_kmod_packages+=$(call ovs_kmod_package_name,$(1))
-endif
-endef
-
-ovs_kmod_openvswitch_title:=Open vSwitch kernel datapath (upstream)
-ovs_kmod_openvswitch_kconfig:=CONFIG_OPENVSWITCH
-ovs_kmod_openvswitch_depends:=\
-	  +kmod-lib-crc32c \
-	  +kmod-nf-nat \
-	  +IPV6:kmod-nf-nat6 \
-	  +kmod-nf-conntrack \
-	  +IPV6:kmod-nf-conntrack6 \
-	  +kmod-nsh \
-	  +kmod-ipt-conntrack-extra \
-
-ovs_kmod_openvswitch_files:=$(ovs_kmod_upstream_dir)/openvswitch.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch))
-
-ovs_kmod_openvswitch-gre_title:=Open vSwitch GRE tunneling support (upstream)
-ovs_kmod_openvswitch-gre_kconfig:= CONFIG_OPENVSWITCH_GRE
-ovs_kmod_openvswitch-gre_depends:= +kmod-openvswitch +kmod-gre
-ovs_kmod_openvswitch-gre_files:= $(ovs_kmod_upstream_dir)/vport-gre.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-gre))
-
-ovs_kmod_openvswitch-vxlan_title:=Open vSwitch VXLAN tunneling support (upstream)
-ovs_kmod_openvswitch-vxlan_kconfig:= CONFIG_OPENVSWITCH_VXLAN
-ovs_kmod_openvswitch-vxlan_depends:= +kmod-openvswitch +kmod-vxlan
-ovs_kmod_openvswitch-vxlan_files:= $(ovs_kmod_upstream_dir)/vport-vxlan.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-vxlan))
-
-ovs_kmod_openvswitch-geneve_title:=Open vSwitch Geneve tunneling support (upstream)
-ovs_kmod_openvswitch-geneve_kconfig:= CONFIG_OPENVSWITCH_GENEVE
-ovs_kmod_openvswitch-geneve_depends:= +kmod-openvswitch +kmod-geneve
-ovs_kmod_openvswitch-geneve_files:= $(ovs_kmod_upstream_dir)/vport-geneve.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-geneve))
-
-# NOTE depends
-#
-#  - kmod-ipt-conntrack-extra: required for nf_conncount.ko
-#
-ovs_kmod_openvswitch-intree_title:=Open vSwitch kernel datapath (in tree)
-ovs_kmod_openvswitch-intree_depends:=\
-	  +kmod-lib-crc32c \
-	  +kmod-nf-nat \
-	  +IPV6:kmod-nf-nat6 \
-	  +kmod-nf-conntrack \
-	  +kmod-udptunnel4 \
-	  +kmod-ipt-conntrack-extra \
-
-ovs_kmod_openvswitch-intree_files:= $(ovs_kmod_intree_dir)/openvswitch.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-intree))
-
-ovs_kmod_openvswitch-gre-intree_title:=Open vSwitch GRE tunneling support (in tree)
-ovs_kmod_openvswitch-gre-intree_depends:= +kmod-openvswitch-intree +kmod-gre
-ovs_kmod_openvswitch-gre-intree_files:= $(ovs_kmod_intree_dir)/vport-gre.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-gre-intree))
-
-ovs_kmod_openvswitch-vxlan-intree_title:=Open vSwitch VXLAN tunneling support (in tree)
-ovs_kmod_openvswitch-vxlan-intree_depends:= +kmod-openvswitch-intree +kmod-vxlan
-ovs_kmod_openvswitch-vxlan-intree_files:= $(ovs_kmod_intree_dir)/vport-vxlan.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-vxlan-intree))
-
-ovs_kmod_openvswitch-geneve-intree_title:=Open vSwitch Geneve tunneling support (in tree)
-ovs_kmod_openvswitch-geneve-intree_depends:= +kmod-openvswitch-intree +kmod-geneve
-ovs_kmod_openvswitch-geneve-intree_files:= $(ovs_kmod_intree_dir)/vport-geneve.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-geneve-intree))
-
-ovs_kmod_openvswitch-stt-intree_title:=Open vSwitch STT tunneling support (in tree)
-ovs_kmod_openvswitch-stt-intree_depends:= +kmod-openvswitch-intree
-ovs_kmod_openvswitch-stt-intree_files:= $(ovs_kmod_intree_dir)/vport-stt.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-stt-intree))
-
-ovs_kmod_openvswitch-lisp-intree_title:=Open vSwitch LISP tunneling support (in tree)
-ovs_kmod_openvswitch-lisp-intree_depends:= +kmod-openvswitch-intree
-ovs_kmod_openvswitch-lisp-intree_files:= $(ovs_kmod_intree_dir)/vport-lisp.ko
-$(eval $(call OvsKmodPackageTemplate,openvswitch-lisp-intree))
-
-# Dependency review
-#
-#	for f in sbin/*;   do echo $f; readelf -d $f | grep -i shared; done
-#	for f in bin/*;    do echo $f; readelf -d $f | grep -i shared; done
-#	for f in lib/*.so; do echo $f; readelf -d $f | grep -i shared; done
-#
-ovs_libopenvswitch_title:=Open vSwitch (libopenvswitch.so)
-ovs_libopenvswitch_hidden:=1
-ovs_libopenvswitch_depends:=+libopenssl +!(arc||arceb):libunwind
-ovs_libopenvswitch_depends+=+libatomic
-ifeq ($(CONFIG_OPENVSWITCH_WITH_LIBUNBOUND),y)
-ovs_libopenvswitch_depends+=+libunbound
-endif
-ovs_libopenvswitch_files:=usr/lib/libopenvswitch*.so*
-$(eval $(call OvsPackageTemplate,libopenvswitch))
-
-
-ovs_libofproto_title:=Open vSwitch (libofproto.so libsflow.so)
-ovs_libofproto_hidden:=1
-ovs_libofproto_depends+=+libatomic
-ovs_libofproto_files:=usr/lib/libofproto*.so* usr/lib/libsflow*.so*
-$(eval $(call OvsPackageTemplate,libofproto))
-
-
-ovs_libovsdb_title:=Open vSwitch (libovsdb.so)
-ovs_libovsdb_hidden:=1
-ovs_libovsdb_depends+=+libatomic
-ovs_libovsdb_files:=usr/lib/libovsdb*.so*
-$(eval $(call OvsPackageTemplate,libovsdb))
-
-
-ovs_vswitchd_title:=Open vSwitch (ovs-vswitchd)
-ovs_vswitchd_hidden:=1
-ovs_vswitchd_depends:=+openvswitch-libopenvswitch +openvswitch-libofproto
-ovs_vswitchd_depends+=+libatomic
-ovs_vswitchd_files:=usr/sbin/ovs-vswitchd
-$(eval $(call OvsPackageTemplate,vswitchd))
-
-
-ovs_ovsdb_title:=Open vSwitch (ovsdb-server)
-ovs_ovsdb_hidden:=1
-ovs_ovsdb_depends:=+openvswitch-libopenvswitch +openvswitch-libovsdb
-ovs_ovsdb_depends+=+libatomic
-ovs_ovsdb_files:=usr/sbin/ovsdb-server
-$(eval $(call OvsPackageTemplate,ovsdb))
-
-
-ovs_common_title:=Open vSwitch (common files)
-ovs_common_hidden:=1
-ovs_common_depends:=+openvswitch-libopenvswitch +openvswitch-libofproto +openvswitch-libovsdb
-ovs_common_depends+=+libatomic
-ovs_common_files:= \
-	usr/share/openvswitch/scripts/ovs-lib \
-	usr/share/openvswitch/scripts/ovs-ctl \
-	usr/share/openvswitch/scripts/ovs-kmod-ctl \
-	usr/share/openvswitch/scripts/ovs-save \
-	$(foreach b,ovs-appctl ovs-dpctl ovs-ofctl ovs-vsctl ovsdb-client ovsdb-tool,usr/bin/$(b))
-define ovs_common_install
-	$$(INSTALL_DIR) $$(1)/etc/openvswitch
-	$$(INSTALL_DIR) $$(1)/etc/init.d
-	$$(INSTALL_BIN) ./files/openvswitch.init $$(1)/etc/init.d/openvswitch
-	$$(INSTALL_DIR) $$(1)/etc/config
-	$$(INSTALL_DATA) ./files/openvswitch.config $$(1)/etc/config/openvswitch
-	$$(INSTALL_DIR) $$(1)/usr/share/openvswitch/scripts
-	$$(INSTALL_BIN) ./files/ovs-ctl-wrapper $$(1)/usr/share/openvswitch/scripts/
-	$$(LN) /usr/share/openvswitch/scripts/ovs-ctl-wrapper $$(1)/usr/bin/ovs-ctl
-	$$(LN) /usr/share/openvswitch/scripts/ovs-ctl-wrapper $$(1)/usr/bin/ovs-kmod-ctl
-endef
-define Package/openvswitch-common/conffiles
-/etc/config/openvswitch
-/etc/openvswitch
-endef
-$(eval $(call OvsPackageTemplate,common))
-
-
-# coreutils-sleep is required by ovs-lib for sleeping a fraction of second
-#
-# uuidgen is required for generating system-id
-ovs_openvswitch_title:=Open vSwitch
-ovs_openvswitch_hidden:=
-ovs_openvswitch_depends:=+coreutils +coreutils-sleep +uuidgen \
-	+openvswitch-common +openvswitch-vswitchd +openvswitch-ovsdb +kmod-openvswitch
-ovs_openvswitch_depends+=+libatomic
-ovs_openvswitch_files:= usr/share/openvswitch/vswitch.ovsschema
-$(eval $(call OvsPackageTemplate,openvswitch))
-
-
-ovs_python3_title:=Open vSwitch (Python3 library)
-ovs_python3_hidden:=
-ovs_python3_depends:=+PACKAGE_openvswitch-python3:python3 +PACKAGE_openvswitch-python3:python3-six
-define ovs_python3_install
-	$$(INSTALL_DIR) $$(1)$$(PYTHON3_PKG_DIR)
-	$$(CP) $$(PKG_INSTALL_DIR)/usr/share/openvswitch/python/ovs $$(1)$$(PYTHON3_PKG_DIR)
-endef
-$(eval $(call OvsPackageTemplate,python3))
-
-
-CONFIGURE_ARGS+= \
-	--enable-ndebug \
-	--enable-shared \
-	--disable-libcapng \
-	--disable-silent-rules \
-
-CONFIGURE_VARS += \
-	$(if $(CONFIG_OPENVSWITCH_WITH_LIBUNBOUND),,ac_cv_lib_unbound_ub_ctx_create=no) \
-	ovs_cv_flake8=no \
-	ovs_cv_python3=$(PYTHON3) \
-	ovs_cv_python3_host=$(HOST_PYTHON3_BIN) \
-	SPHINXBUILD=none \
-	KARCH=$(LINUX_KARCH) \
-
-ovs_intree_kmod_configs:=CONFIG_PACKAGE_kmod-openvswitch-intree
-ovs_intree_kmod_enabled:=$(strip $(foreach c,$(ovs_intree_kmod_configs),$($(c))))
-PKG_CONFIG_DEPENDS+=$(ovs_intree_kmod_configs)
-ifneq ($(ovs_intree_kmod_enabled),)
-  ifeq ($(ovs_kmod_intree_not_supported),)
-    CONFIGURE_ARGS += --with-linux=$(LINUX_DIR)
-  else
-    $(warning XXX: openvswitch: intree kmods selected but not supported)
-  endif
-endif
-
-TARGET_CFLAGS += -flto -std=gnu99
-MAKE_VARS += PYTHONPATH="$(HOST_PYTHON3PATH)"
-
-export OVS_KERNEL_MAKE_FLAGS=$(KERNEL_MAKE_FLAGS)
-
-override CONFIG_AUTOREMOVE=
-
-$(foreach p,$(ovs_kmod_packages),\
-  $(eval $(call KernelPackage,$(p)))\
-)
-$(foreach p,$(ovs_packages),\
-  $(eval $(call BuildPackage,$(p)))\
-)

feeds/openflow/openvswitch/README.md

@@ -1,106 +0,0 @@
-# Which packages to install
-
-Install `openvswitch` if you need OpenFlow virtual switch function.  It
-contains ovs-vswitchd, ovsdb-server and helper utilities such as ovs-vsctl,
-ovs-ofctl, ovs-ctl etc.
-
-Linux kernel datapath module openvswitch.ko will also be installed along with
-package `openvswitch`.  Tunnel encap support for gre, geneve, vxlan can be
-included by installing `kmod-openvswitch-{gre,geneve,vxlan}` respectively
-
-For OVN deployment
-
-- Install `openvswitch-ovn-north` for ovs-northd, ovsdb-server, ovn helper utitlies
-- Install `openvswitch-ovn-host` for ovn-controller and `openvswitch`
-
-# How to use them
-
-Open vSwitch provides a few very useful helper script in
-`/usr/share/openvswitch/scripts/`.  A simple initscript is provided.  It's
-mainly a wrapper around `ovs-ctl` and `ovn-ctl` with simple knobs from
-`/etc/config/openvswitch`.  Procd is not used here.
-
-	/etc/init.d/openvswitch start
-	/etc/init.d/openvswitch stop
-	/etc/init.d/openvswitch stop north
-	/etc/init.d/openvswitch restart ovs
-	/etc/init.d/openvswitch status
-
-Use `ovs-ctl` and `ovn-ctl` directly for more functionalities
-
-# Open vSwitch in-tree Linux datapath modules
-
-The Open vSwitch build system uses regexp and conditional-compilation
-heuristics to support building the shipped kernel module source code against a
-wide range of kernels, as of openvswitch-2.10, the list is supposed to include
-vanilla linux 3.10 to 4.15, plus a few distro kernels.
-
-It may NOT work
-
- - Sometimes the code does not compile
- - Sometimes the code compiles but insmod will fail
- - Sometimes modules are loaded okay but actually does not function right
-
-For these reasons, the in-tree datapath modules are NOT visible/enabled by
-default.
-
-Building and using in-tree datapath modules requires some level of devel
-abilities to proceed.  You are expected to configure build options and build
-the code on your own
-
-E.g. pair openvswitch userspace with in-tree datapath module
-
-	CONFIG_DEVEL=y
-	CONFIG_PACKAGE_openvswitch=y
-	# CONFIG_PACKAGE_kmod-openvswitch is not set
-	CONFIG_PACKAGE_kmod-openvswitch-intree=y
-
-E.g. replace in-tree datapath module with upstream version
-
-	opkg remove --force-depends kmod-openvswitch-intree
-	opkg install kmod-openvswitch
-	ovs-ctl force-reload-kmod
-
-# UCI configuration options
-
-There are 5 config section types in package openvswitch:
-ovs ovn_northd, ovn_controller & ovs_bridge.
-
-Each of these supports a disabled option, which should be 
-set to 0 to launch the respective daemons.
-
-The ovs section section also supports the options below, to configure a set of
-SSL CA, certificate and private key. After adding these to Open vSwitch, you
-may specify ssl: connection methods for e.g. the OpenFlow controller. Note that
-Open vSwitch only reads these files during startup, so it needs to be restarted
-after adding or changing these options.
-
-| Name     | Type    | Required | Default | Description                       |
-|----------|---------|----------|---------|-----------------------------------|
-| disabled | boolean | no       | 0       | If set to 1, do not configure SSL |
-| ca       | string  | no       | (none)  | Path to CA certificate            |
-| cert     | string  | no       | (none)  | Path to certificate               |
-| key      | string  | no       | (none)  | Path to private key               |
-
-The ovs_bridge section also supports the options below,
-for initialising a virtual bridge with an OpenFlow controller.
-
-| Name          | Type    | Required | Default                        | Description                                                |
-|---------------|---------|----------|--------------------------------|------------------------------------------------------------|
-| disabled      | boolean | no       | 0                              | If set to true, disable initialisation of the named bridge |
-| name          | string  | no       | Inherits UCI config block name | The name of the switch in the OVS daemon                   |
-| controller    | string  | no       | (none)                         | The endpoint of an OpenFlow controller for this bridge     |
-| datapath_id   | string  | no       | (none)                         | The OpenFlow datapath ID for this bridge                   |
-| datapath_desc | string  | no       | (none)                         | The OpenFlow datapath description for this bridge          |
-| fail_mode     | string  | no       | standalone                     | The bridge failure mode                                    |
-
-The ovs_port section can be used to add ports to a bridge. It supports the options below.
-
-| Name     | Type    | Required | Default | Description
-| ---------|---------|----------|---------|------------------------------------------------|
-| disabled | boolean | no       | 0       | If set to 1, do not add the port to the bridge |
-| bridge   | string  | yes      | (none)  | Name of the bridge to add the port to          |
-| port     | string  | yes      | (none)  | Name of the port to add to the bridge          |
-| ofport   | integer | no       | (none)  | OpenFlow port number to be used by the port    |
-| tag      | integer | no       | (none)  | 802.1Q VLAN tag to set on the port             |
-| type     | string  | no       | (none)  | Port type, e.g. internal, erspan, type, ...    |

feeds/openflow/openvswitch/files/openvswitch.config

@@ -1,27 +0,0 @@
-config ovs ovs
-	option disabled 1
-	option ca '/etc/openvswitch/example_ca.crt'
-	option cert '/etc/openvswitch/example_cert.crt'
-	option key '/etc/openvswitch/example_key.crt'
-
-config ovn_northd north
-	option disabled 1
-
-config ovn_controller controller
-	option disabled 1
-
-config ovs_bridge
-	option disabled 1
-	option name 'my-bridge'
-	option controller 'tcp:192.168.0.1'
-	option datapath_desc ''
-	option datapath_id ''
-	option fail_mode 'standalone'
-
-config ovs_port
-	option disabled 1
-	option bridge 'my-bridge'
-	option port 'ovs-port1'
-	option ofport '1'
-	option tag '123'
-	option type 'internal'

feeds/openflow/openvswitch/files/openvswitch.init

@@ -1,281 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2013 Julius Schulz-Zander <julius@net.t-labs.tu-berlin.de>
-# Copyright (C) 2014-2017 OpenWrt.org
-# Copyright (C) 2018 Yousong Zhou <yszhou4tech@gmail.com>
-# Copyright (C) 2021 Felix Fietkau <nbd@nbd.name>
-
-. /lib/functions/procd.sh
-START=15
-
-basescript=$(readlink "$initscript")
-
-ovs_ctl="/usr/share/openvswitch/scripts/ovs-ctl"; [ -x "$ovs_ctl" ] || ovs_ctl=:
-ovn_ctl="/usr/share/ovn/scripts/ovn-ctl"; [ -x "$ovn_ctl" ] || ovn_ctl=:
-
-extra_command "status" "Get status information"
-
-service_triggers() {
-	procd_add_reload_trigger openvswitch
-}
-
-init_triggers() {
-	procd_open_service "$(basename ${basescript:-$initscript})" "$initscript"
-	procd_close_service set
-}
-
-start() {
-	init_triggers
-	ovs_action start "$@"
-}
-
-reload() {
-	start
-}
-
-running() {
-	return 0
-}
-
-stop() {
-	procd_kill "$(basename ${basescript:-$initscript})"
-	ovs_action stop "$@"
-}
-
-restart() {
-	init_triggers
-	ovs_action restart "$@"
-}
-
-status() {
-	ovs_action status "$@"
-}
-
-ovs_action_cfgs=
-ovs_action() {
-	local action="$1"; shift
-	local cfgtype
-
-	ovs_action_cfgs="$*"
-	config_load openvswitch
-	for cfgtype in ovs ovn_northd ovn_controller; do
-		config_foreach "ovs_xx" "$cfgtype" "$action" "$cfgtype"
-	done
-
-	case "$action" in
-		restart|start)
-			config_foreach ovs_bridge_init "ovs_bridge"
-			;;
-	esac
-
-}
-
-ovs_xx() {
-	local cfg="$1"
-	local action="$2"
-	local cfgtype="$3"
-	local disabled
-
-	if [ -n "$ovs_action_cfgs" ] && ! list_contains "ovs_action_cfgs" "$cfg"; then
-		return
-	fi
-	case "$action" in
-		status|stop) ;;
-		*)
-			config_get_bool disabled "$cfg" disabled 0
-			[ "$disabled" == "0" ] || return
-			;;
-	esac
-
-	case "$cfgtype" in
-		ovs)
-			"$ovs_ctl" "$action" \
-				--system-id=random 1000>&-
-			ovs_set_ssl
-			;;
-		ovn_*)
-			"$ovn_ctl" "${action}_${cfgtype#ovn_}"
-			;;
-	esac
-}
-
-ovs_bridge_parse_port() {
-	case "$1" in
-		*:*)
-			port="${1%%:*}"
-			type="${1#*:}"
-		;;
-		*)
-			port="$1"
-			type=""
-		;;
-	esac
-}
-
-ovs_bridge_port_add() {
-	[ -n "$1" ] || return
-
-	ovs_bridge_parse_port "$1"
-	cur_type="$(ovs-vsctl get interface "$port" type 2>/dev/null)"
-	[ "$?" = 0 ] && {
-		[ "$type" = "$cur_type" ] || ovs-vsctl del-port "$port"
-	}
-
-	ovs-vsctl --may-exist add-port "$name" "$port" ${type:+ -- set interface "$port" type="$type"}
-	ovs_bridge_port_up "$port"
-	__port_list="$__port_list ${port} "
-}
-
-ovs_bridge_port_add_complex() {
-	local cfg="$1"
-	local cur_bridge="$2"
-
-	local bridge disabled ofport port tag type
-	local cur_tag cur_type del_port
-
-	config_get_bool disabled "$cfg" disabled 0
-	[ "$disabled" = "0" ] || return
-
-	config_get bridge "$cfg" bridge
-	[ "$bridge" = "$cur_bridge" ] || return
-	ovs-vsctl br-exists "$bridge" || return
-
-	config_get port "$cfg" port
-	[ -n "$port" ] || return
-
-	config_get ofport "$cfg" ofport
-
-	config_get tag "$cfg" tag
-	if [ -n "$tag" ]; then
-		if cur_tag="$(ovs-vsctl get port "$port" tag 2>/dev/null)"; then
-			[ "$tag" = "$cur_tag" ] || del_port=1
-		fi
-	fi
-
-	config_get type "$cfg" type
-	if [ -n "$type" ]; then
-		if cur_type="$(ovs-vsctl get interface "$port" type 2>/dev/null)"; then
-			[ "$type" = "$cur_type" ] || del_port=1
-		fi
-	fi
-
-	[ "${del_port:-0}" -eq 1 ] && ovs-vsctl --if-exists del-port "$bridge" "$port"
-
-	ovs-vsctl --may-exist add-port "$bridge" "$port" ${tag:+tag="$tag"} \
-		${ofport:+ -- set interface "$port" ofport_request="$ofport"} \
-		${type:+ -- set interface "$port" type="$type"}
-	ovs_bridge_port_up "$port"
-	__port_list="$__port_list ${port} "
-}
-
-ovs_bridge_port_cleanup() {
-	for port in `ovs-vsctl list-ports "$name"`; do
-		case "$__port_list" in
-			*" $port "*);;
-			*) ovs-vsctl del-port "$port";;
-		esac
-	done
-}
-
-ovs_bridge_port_up() {
-	local port="$1"
-
-	ip link set dev "$port" up
-}
-
-ovs_bridge_validate_datapath_id() {
-	local dpid="$1"
-
-	if expr "$dpid" : '[[:xdigit:]]\{16\}$' > /dev/null; then
-		return 0
-	elif expr "$dpid" : '0x[[:xdigit:]]\{1,16\}$' > /dev/null; then
-		return 0
-	else
-		logger -t openvswitch "invalid datapath_id: $dpid"
-		return 1
-	fi
-}
-
-ovs_bridge_validate_datapath_desc() {
-	local dpdesc="$1"
-
-	if [ "$(echo $dpdesc | wc -c)" -le 255 ]; then
-		return 0
-	else
-		logger -t openvswitch "invalid datapath_desc: $dpdesc"
-		return 1
-	fi
-}
-
-ovs_bridge_validate_fail_mode() {
-	local fail_mode="$1"
-
-	case "$fail_mode" in
-		secure|standalone)
-			return 0
-			;;
-		*)
-			logger -t openvswitch "invalid fail_mode: $fail_mode"
-			return 1
-			;;
-	esac
-}
-
-ovs_bridge_init() {
-	local cfg="$1"
-
-	local disabled
-	local name
-	local controller
-	local datapath_id
-
-	config_get_bool disabled "$cfg" disabled 0
-	[ "$disabled" == "0" ] || return
-
-	config_get name "$cfg" name $cfg
-	ovs-vsctl --may-exist add-br "$name"
-
-	config_get datapath_id "$cfg" datapath_id
-	[ -n "$datapath_id" ] && {
-		ovs_bridge_validate_datapath_id "$datapath_id" && {
-			ovs-vsctl --if-exists set bridge "$name" other-config:datapath-id="$datapath_id"
-		}
-	}
-
-	config_get datapath_desc "$cfg" datapath_desc
-	[ -n "$datapath_desc" ] && {
-		ovs_bridge_validate_datapath_desc "$datapath_desc" && {
-			ovs-vsctl --if-exists set bridge "$name" other-config:dp-desc="$datapath_desc"
-		}
-	}
-
-	config_get fail_mode "$cfg" fail_mode
-	[ -n "$fail_mode" ] && {
-		ovs_bridge_validate_fail_mode "$fail_mode" && {
-			ovs-vsctl set-fail-mode "$name" "$fail_mode" 2> /dev/null
-		} || {
-			ovs-vsctl del-fail-mode "$name" 2> /dev/null
-		}
-	} || {
-		ovs-vsctl del-fail-mode "$name" 2> /dev/null
-	}
-
-	config_list_foreach "$cfg" "ports" ovs_bridge_port_add
-	config_foreach ovs_bridge_port_add_complex ovs_port "$name"
-	config_get_bool drop "$cfg" "drop_unknown_ports" 0
-	[ "$drop" == 1 ] && ovs_bridge_port_cleanup
-
-	config_get controller "$cfg" controller
-	[ -n "$controller" ] && \
-		ovs-vsctl set-controller "$name" "$controller"
-}
-
-ovs_set_ssl() {
-	local ca="$(uci -q get openvswitch.ovs.ca)"
-	[ -f "$ca" ] || return
-	local cert="$(uci get openvswitch.ovs.cert)"
-	[ -f "$cert" ] || return
-	local key="$(uci get openvswitch.ovs.key)"
-	[ -f "$key" ] || return
-
-	ovs-vsctl set-ssl "$key" "$cert" "$ca"
-}

feeds/openflow/openvswitch/files/ovs-ctl-wrapper

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-s=/usr/share/openvswitch/scripts
-case "$0" in
-	*ovs-ctl) "$s/ovs-ctl" "$@" ;;
-	*ovs-kmod-ctl) "$s/ovs-kmod-ctl" "$@" ;;
-	*ovn-ctl) "/usr/share/ovn/scripts/ovn-ctl" "$@" ;;
-	*) exit 1;;
-esac

feeds/openflow/openvswitch/openvswitch.mk

@@ -1,36 +0,0 @@
-# Copyright (C) 2020 Yousong Zhou <yszhou4tech@gmail.com>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-
-# Versions
-
-ovs_version:=2.15.1
-ovs_builddir=$(KERNEL_BUILD_DIR)/openvswitch-$(ovs_version)
-
-# Shared vars, macros
-
-ovs_packages:=
-
-ovs_package_name=$(if $(filter openvswitch,$(1)),openvswitch,openvswitch-$(1))
-define OvsPackageTemplate
-  define Package/$(call ovs_package_name,$(1))
-     SECTION:=net
-     SUBMENU:=Open vSwitch
-     CATEGORY:=Network
-     URL:=https://www.openvswitch.org
-     TITLE:=$(ovs_$(1)_title)
-     HIDDEN:=$(ovs_$(1)_hidden)
-     DEPENDS:=$(ovs_$(1)_depends)
-  endef
-
-  define Package/$(call ovs_package_name,$(1))/install
-	$(foreach f,$(ovs_$(1)_files),
-		$(INSTALL_DIR) $$(1)/$(dir $(f))
-		$(CP) $(PKG_INSTALL_DIR)/$(f) $$(1)/$(dir $(f))
-	)
-	$(ovs_$(1)_install)
-  endef
-
-  ovs_packages+=$(call ovs_package_name,$(1))
-endef

feeds/openflow/openvswitch/patches/0001-netdev-linux-Let-interface-flag-survive-internal-por.patch

@@ -1,35 +0,0 @@
-From 974dc36a87274d7bae13e7dddd3364fecf5b3e7c Mon Sep 17 00:00:00 2001
-From: Helmut Schaa <helmut.schaa@googlemail.com>
-Date: Wed, 8 Jan 2014 13:48:49 +0100
-Subject: [PATCH] netdev-linux: Let interface flag survive internal port setup
-
-Due to a race condition when bringing up an internal port on Linux
-some interface flags (e.g. IFF_MULTICAST) are falsely reset. This
-happens because netlink events may be processed after the according
-netdev has been brought up (which sets interface flags).
-
-Fix this by reading the interface flags just before updating them
-if they have not been updated by from the kernel yet.
-
-Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
----
- lib/netdev-linux.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/lib/netdev-linux.c
-+++ b/lib/netdev-linux.c
-@@ -3469,7 +3469,13 @@ update_flags(struct netdev_linux *netdev
-     unsigned int old_flags, new_flags;
-     int error = 0;
- 
--    old_flags = netdev->ifi_flags;
-+    if (!(netdev->cache_valid & VALID_DRVINFO)) {
-+        /* Most likely the debvice flags are not in sync yet, fetch them now */
-+        get_flags(&netdev->up, &old_flags);
-+    } else {
-+        old_flags = netdev->ifi_flags;
-+    }
-+
-     *old_flagsp = iff_to_nd_flags(old_flags);
-     new_flags = (old_flags & ~nd_to_iff_flags(off)) | nd_to_iff_flags(on);
-     if (new_flags != old_flags) {

feeds/openflow/openvswitch/patches/0002-python-separate-host-target-python-for-cross-compile.patch

@@ -1,33 +0,0 @@
-From 54484e79aca0981ebc42ddc68487e6531da9b59d Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Fri, 20 Mar 2020 15:11:31 +0800
-Subject: [PATCH] python: separate host/target python for cross-compile
-
-Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
----
- Makefile.am       | 2 +-
- m4/openvswitch.m4 | 2 ++
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -60,7 +60,7 @@ endif
- # foo/__init__.pyc will cause Python to ignore foo.py.
- run_python = \
- 	PYTHONPATH=$(top_srcdir)/python$(psep)$$PYTHONPATH \
--	PYTHONDONTWRITEBYTECODE=yes $(PYTHON3)
-+	PYTHONDONTWRITEBYTECODE=yes $(PYTHON3_HOST)
- 
- ALL_LOCAL =
- BUILT_SOURCES =
---- a/m4/openvswitch.m4
-+++ b/m4/openvswitch.m4
-@@ -372,6 +372,8 @@ else:
-      AC_MSG_ERROR([Python 3.4 or later is required but not found in $PATH, please install it or set $PYTHON3 to point to it])
-    fi
-    AC_ARG_VAR([PYTHON3])
-+   PYTHON3_HOST=$ovs_cv_python3_host
-+   AM_MISSING_PROG([PYTHON3_HOST], [python3])
-    PYTHON3=$ovs_cv_python3])
- 
- dnl Checks for flake8.

feeds/openflow/openvswitch/patches/0003-ovs-lib-fix-install_dir.patch

@@ -1,26 +0,0 @@
-From 444991b95ed25d58c3cd1646fa823620380b6ce6 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Wed, 14 Mar 2018 16:44:13 +0800
-Subject: [PATCH] ovs-lib: fix install_dir()
-
-The command "install" is not available in OpenWrt by default
-
-Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
----
- utilities/ovs-lib.in | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/utilities/ovs-lib.in
-+++ b/utilities/ovs-lib.in
-@@ -159,7 +159,10 @@ install_dir () {
-     [ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
- 
-     if test ! -d "$DIR"; then
--        install -d -m "$INSTALL_MODE" -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
-+        mkdir -p "$DIR"
-+        chmod "$INSTALL_MODE" "$DIR"
-+        chown "$INSTALL_USER" "$DIR"
-+        chgrp "$INSTALL_GROUP" "$DIR"
-         restorecon "$DIR" >/dev/null 2>&1
-     fi
- }

feeds/openflow/openvswitch/patches/0004-build-trim-build.patch

@@ -1,25 +0,0 @@
-From 31514742de07d595ac23c2b0abf0e092f8b26140 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <zhouyousong@yunionyun.com>
-Date: Tue, 21 Aug 2018 13:02:21 +0000
-Subject: [PATCH] build: trim build
-
-Signed-off-by: Yousong Zhou <zhouyousong@yunionyun.com>
----
- Makefile.am | 2 --
- 1 file changed, 2 deletions(-)
-
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -477,12 +477,10 @@ dist-docs:
- 	VERSION=$(VERSION) MAKE='$(MAKE)' $(srcdir)/build-aux/dist-docs $(srcdir) $(docs)
- .PHONY: dist-docs
- 
--include Documentation/automake.mk
- include m4/automake.mk
- include lib/automake.mk
- include ofproto/automake.mk
- include utilities/automake.mk
--include tests/automake.mk
- include include/automake.mk
- include third-party/automake.mk
- include debian/automake.mk

feeds/openflow/openvswitch/patches/0006-datapath-allow-passing-additional-OVS_KERNEL_MAKE_FL.patch

@@ -1,23 +0,0 @@
-From 1df5a0eaf78e93e21d21f1438afbe5fa8a37ea61 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Tue, 26 May 2020 22:45:53 +0800
-Subject: [PATCH] datapath: allow passing additional $(OVS_KERNEL_MAKE_FLAGS)
-
-This can be useful for passing args like -iremap for reproducible builds
-
-Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
----
- datapath/linux/Makefile.main.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/datapath/linux/Makefile.main.in
-+++ b/datapath/linux/Makefile.main.in
-@@ -68,7 +68,7 @@ ifeq (,$(wildcard $(CONFIG_FILE)))
- endif
- 
- default:
--	$(MAKE) -C $(KSRC) $(if @KARCH@,ARCH=@KARCH@) M=$(builddir) modules
-+	$(MAKE) -C $(KSRC) $(OVS_KERNEL_MAKE_FLAGS) $(if @KARCH@,ARCH=@KARCH@) M=$(builddir) modules
- 
- modules_install:
- 	$(MAKE) -C $(KSRC) $(if @KARCH@,ARCH=@KARCH@) M=$(builddir) modules_install

feeds/openflow/openvswitch/patches/0007-build-only-link-libopenvswitch-with-libunwind-libunb.patch

@@ -1,54 +0,0 @@
-From e81ccb671014db62bf622cd8f960d7930d27d9dc Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Wed, 29 Jul 2020 17:29:14 +0800
-Subject: [PATCH] build: only link libopenvswitch with libunwind, libunbound
-
-Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
----
- lib/automake.mk          | 2 ++
- lib/libopenvswitch.pc.in | 2 +-
- m4/openvswitch.m4        | 6 ++++--
- 3 files changed, 7 insertions(+), 3 deletions(-)
-
---- a/lib/automake.mk
-+++ b/lib/automake.mk
-@@ -10,6 +10,8 @@ lib_LTLIBRARIES += lib/libopenvswitch.la
- lib_libopenvswitch_la_LIBADD = $(SSL_LIBS)
- lib_libopenvswitch_la_LIBADD += $(CAPNG_LDADD)
- lib_libopenvswitch_la_LIBADD += $(LIBBPF_LDADD)
-+lib_libopenvswitch_la_LIBADD += $(LIBUNBOUND_LDADD)
-+lib_libopenvswitch_la_LIBADD += $(LIBUNWIND_LDADD)
- 
- 
- if WIN32
---- a/lib/libopenvswitch.pc.in
-+++ b/lib/libopenvswitch.pc.in
-@@ -7,5 +7,5 @@ Name: libopenvswitch
- Description: Open vSwitch library
- Version: @VERSION@
- Libs: -L${libdir} -lopenvswitch
--Libs.private: @LIBS@
-+Libs.private: @LIBS@ @SSL_LIBS@ @CAPNG_LDADD@ @LIBBPF_LDADD@ @LIBUNBOUND_LDADD@ @LIBUNWIND_LDADD@
- Cflags: -I${includedir}/openvswitch
---- a/m4/openvswitch.m4
-+++ b/m4/openvswitch.m4
-@@ -646,7 +646,8 @@ AC_DEFUN([OVS_CHECK_UNBOUND],
-   [AC_CHECK_LIB(unbound, ub_ctx_create, [HAVE_UNBOUND=yes], [HAVE_UNBOUND=no])
-    if test "$HAVE_UNBOUND" = yes; then
-      AC_DEFINE([HAVE_UNBOUND], [1], [Define to 1 if unbound is detected.])
--     LIBS="$LIBS -lunbound"
-+     LIBUNBOUND_LDADD="-lunbound"
-+     AC_SUBST(LIBUNBOUND_LDADD)
-    fi
-    AM_CONDITIONAL([HAVE_UNBOUND], [test "$HAVE_UNBOUND" = yes])
-    AC_SUBST([HAVE_UNBOUND])])
-@@ -658,7 +659,8 @@ AC_DEFUN([OVS_CHECK_UNWIND],
-    [HAVE_UNWIND=no])
-    if test "$HAVE_UNWIND" = yes; then
-      AC_DEFINE([HAVE_UNWIND], [1], [Define to 1 if unwind is detected.])
--     LIBS="$LIBS -lunwind"
-+     LIBUNWIND_LDADD="-lunwind"
-+     AC_SUBST(LIBUNWIND_LDADD)
-    fi
-    AM_CONDITIONAL([HAVE_UNWIND], [test "$HAVE_UNWIND" = yes])
-    AC_SUBST([HAVE_UNWIND])])

feeds/tip/firstcontact/files/usr/share/ucentral/firstcontact.uc

@@ -7,13 +7,30 @@ if (!fd) {
 devid = fd.read("all");
 fd.close();
 
-ret = system(sprintf('/usr/sbin/firstcontact -i %s', devid));
+let config = {};
 
-if (ret) {
-	warn("firstcontact failed to contact redirector\n");
-	exit(1);
+function store_config(path) {
+	let cursor = uci.cursor(path);
+	let redir = split(config.Redirector, ":");
+
+	cursor.load("ucentral");
+	cursor.set("ucentral", "config", "server", redir[0]);
+	cursor.set("ucentral", "config", "port", redir[1] || 15002);
+	cursor.commit();
 }
 
+ret = system(sprintf('/usr/sbin/firstcontact -i %s', devid));
+if (ret) {
+	warn("firstcontact failed to contact redirector, check DHCP option\n");
+	let fd = fs.open("/tmp/capwap/dhcp_opt.txt", "r");
+	if (!fd) {
+		warn("No redirector found\n");
+		exit(1);
+	} else {
+		config.Redirector = fd.read("all");
+		fd.close();
+	}
+} else {
 	let redirector = { };
 	let fd = fs.open("/etc/ucentral/redirector.json", "r");
 	if (fd) {
@@ -29,25 +46,15 @@ if (fd) {
 			exit(1);
 		}
 	}
-let config = {};
 
 	for (let r in redirector.fields)
 		if (r.name && r.value)
 			config[r.name] = r.value;
 	if (!config.Redirector) {
 		warn("Reply is missing Redirector field\n");
-
 		exit(1);
 	}
 
-function store_config(path) {
-	let cursor = uci.cursor(path);
-	let redir = split(config.Redirector, ":");
-
-	cursor.load("ucentral");
-	cursor.set("ucentral", "config", "server", redir[0]);
-	cursor.set("ucentral", "config", "port", redir[1] || 15002);
-	cursor.commit();
 }
 
 store_config();

feeds/ucentral/dynamic-vlan/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=dynamic-vlan
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/blogic/dynamic-vlan.git
-PKG_MIRROR_HASH:=448890cdf182bd1b47edffca242e607594d0d17f6f5017a6fd021aab79f3c351
+PKG_MIRROR_HASH:=2129d5e4b397afad76825a042dab6fb57c63e57c686d354f3d0d77a5754ab760
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2021-06-04
-PKG_SOURCE_VERSION:=55d78d3e7215b601084980d922349bcfdcf9cf20
+PKG_SOURCE_VERSION:=7202189d1b710c52f8ddc3c7040821708c3f438b
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause

feeds/ucentral/dynamic-vlan/files/dynamic-vlan

@@ -7,8 +7,12 @@ PROG=/usr/sbin/dynamic-vlan
 
 start_service() {
 	wan=$(cat /etc/board.json | jsonfilter -e '@.network.wan.device')
+	[ -z "$wan" ] && eval $(jsonfilter -i /etc/board.json -e 'wan=@.network.wan.ports.*')
 	procd_open_instance
-	procd_set_param command "$PROG" $wan
+	procd_set_param command "$PROG"
+	for w in $wan; do
+		procd_append_param command $w
+	done
 	procd_set_param respawn
 	procd_close_instance
 }

feeds/ucentral/ieee8021x/Makefile

@@ -7,10 +7,10 @@ PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 
 PKG_SOURCE_URL=https://github.com/blogic/ieee8021x.git
-PKG_MIRROR_HASH:=7e14e320714b4759f5c393f90165a69d133633612b57d408b3ab6535710bf53c
+PKG_MIRROR_HASH:=5a47c355366fb7cfaa0d622c4ea1fa6a867b0fb30e624343727d5f8722c79f7b
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2021-04-12
-PKG_SOURCE_VERSION:=c1f36559dc0ed2deeac0531a3d5854f1955ae928
+PKG_SOURCE_VERSION:=c526967cbc14ba5528c817d5f6115156c2da94b9
 
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk

feeds/ucentral/qosify/Makefile

@@ -11,9 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=qosify
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/qosify.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2022-03-06
-PKG_SOURCE_VERSION:=f13b67c9a786567df240a8f3f608e2724ddaadba
-PKG_MIRROR_HASH:=3d8629e711e46a6be79a46a6394165fd1761687f24b8ed954dc4f16f177cd90f
+PKG_SOURCE_DATE:=2022-09-26
+PKG_SOURCE_VERSION:=9c625ae96f2d204f7417d6c9b7092b9e4ac653a8
+PKG_MIRROR_HASH:=f7cd52b6749d0dc81d6d710ee5f85597a3ff084a78e2622336c16dc138fdc854
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_LICENSE:=GPL-2.0
@@ -31,9 +31,17 @@ define Package/qosify
   SECTION:=utils
   CATEGORY:=Base system
   TITLE:=A simple QoS solution based eBPF + CAKE
-  DEPENDS:=+libbpf +libubox +libubus +kmod-sched-cake +kmod-sched-bpf +kmod-ifb +tc-full $(BPF_DEPENDS)
+  DEPENDS:=+libbpf +libubox +libubus +libnl-tiny +kmod-sched-cake +kmod-sched-bpf +kmod-ifb +tc $(BPF_DEPENDS)
 endef
 
+TARGET_CFLAGS += \
+	-Wno-error=deprecated-declarations \
+	-I$(STAGING_DIR)/usr/include/libnl-tiny \
+	-I$(STAGING_DIR)/usr/include
+
+CMAKE_OPTIONS += \
+	-DLIBNL_LIBS=-lnl-tiny
+
 define Build/Compile
 	$(call CompileBPF,$(PKG_BUILD_DIR)/qosify-bpf.c)
 	$(Build/Compile/Default)

feeds/ucentral/radius-gw-proxy/src/main.c

@@ -23,6 +23,7 @@
 
 #define RAD_PROX_BUFLEN		(4 * 1024)
 
+#define TLV_NAS_IP		4
 #define TLV_PROXY_STATE		33
 
 struct radius_socket {
@@ -57,6 +58,7 @@ struct radius_proxy_state {
 
 static struct radius_socket *sock_auth;
 static struct radius_socket *sock_acct;
+static struct radius_socket *sock_dae;
 
 static int
 avl_memcmp(const void *k1, const void *k2, void *ptr)
@@ -134,6 +136,9 @@ radius_forward_gw(char *buf, enum socket_type type)
 	case RADIUS_ACCT:
 		blobmsg_add_string(&b, "radius", "acct");
 		break;
+	case RADIUS_DAS:
+		blobmsg_add_string(&b, "radius", "coa");
+		break;
 	default:
 		return;
 	}
@@ -154,6 +159,7 @@ radius_parse(char *buf, int len, int port, enum socket_type type, int tx)
 	char proxy_state_str[256] = {};
 	void *avp = hdr->avp;
 	int len_orig = ntohs(hdr->len);
+	uint8_t localhost[] = { 0x7f, 0, 0, 1 };
 
 	if (len_orig != len) {
 		ULOG_ERR("invalid header length, %d %d\n", len_orig, len);
@@ -175,11 +181,32 @@ radius_parse(char *buf, int len, int port, enum socket_type type, int tx)
 		if (tlv->id == TLV_PROXY_STATE)
 			proxy_state = tlv;
 
+		if (type == RADIUS_DAS && tlv->id == TLV_NAS_IP && tlv->len == 6)
+			memcpy(tlv->data, &localhost, 4);
+
 		printf("\tID:%d, len:%d\n", tlv->id, tlv->len);
 		avp += tlv->len;
 		len -= tlv->len;
 	}
 
+	if (type == RADIUS_DAS) {
+		if (tx) {
+			radius_forward_gw(buf, type);
+		} else {
+			struct sockaddr_in dest;
+
+			memset(&dest, 0, sizeof(dest));
+			dest.sin_family = AF_INET;
+			dest.sin_port = htons(3799);
+			inet_pton(AF_INET, "127.0.0.1", &(dest.sin_addr.s_addr));
+
+			if (sendto(sock_dae->fd.fd, buf, len_orig,
+				   MSG_DONTWAIT, (struct sockaddr*)&dest, sizeof(dest)) < 0)
+				ULOG_ERR("failed to deliver DAS frame to localhost\n");
+		}
+		return 0;
+	}
+
 	if (!proxy_state) {
 		ULOG_ERR("no proxy_state found\n");
 		return -1;
@@ -326,6 +353,7 @@ int main(int argc, char **argv)
 
 	sock_auth = sock_open("1812", RADIUS_AUTH);
 	sock_acct = sock_open("1813", RADIUS_ACCT);
+	sock_dae = sock_open("3379", RADIUS_DAS);
 
 	uloop_run();
 	uloop_end();

feeds/ucentral/radius-gw-proxy/src/ubus.c

@@ -40,6 +40,8 @@ static int ubus_frame_cb(struct ubus_context *ctx,
 		type = RADIUS_AUTH;
 	else if (!strcmp(radius, "acct"))
 		type = RADIUS_ACCT;
+	else if (!strcmp(radius, "coa"))
+		type = RADIUS_DAS;
 	else
 		return UBUS_STATUS_INVALID_ARGUMENT;
 

feeds/ucentral/ratelimit/files/usr/bin/ratelimit

@@ -28,15 +28,13 @@ delclient() {
 	local mac=$2
 	local id=$3
 	
-	logger "ratelimit: delete old client entries"
+	logger "ratelimit: delete old client entries $1 $2"
 
-	[ -z "$id" ] && id=$(get_id ${mac//:})
+	id=$(get_id ${mac//:})
 
 	TC filter del dev $iface protocol all parent 1: prio 1 u32 match ether dst $mac flowid 1:$id
-	TC class del dev $iface parent 1:1 classid 1:$id
 	
 	TC filter del dev $ifb protocol all parent 1: prio 1 u32 match ether src $mac flowid 1:$id
-	TC class del dev $ifb parent 1:1 classid 1:$id
 }
 
 ingress=0
@@ -72,7 +70,7 @@ addclient() {
 
 	local id=$(get_id ${mac//:})
 
-	logger "ratelimit: add new client entries for $2 $egress $ingress"
+	logger "ratelimit: add new client entries for $1 $2 $egress $ingress"
 
 	TC class add dev $iface parent 1:1 classid 1:$id htb rate 1mbit ceil ${egress}mbit burst 2k prio 1
 	TC qdisc add dev $iface parent 1:$id handle $id: sfq perturb 10

feeds/ucentral/spotfilter/Makefile

@@ -0,0 +1,57 @@
+#
+# Copyright (C) 2021 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=spotfilter
+PKG_VERSION:=1
+
+PKG_LICENSE:=GPL-2.0
+PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+
+PKG_BUILD_DEPENDS:=bpf-headers
+PKG_FLAGS:=nonshared
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+include $(INCLUDE_DIR)/bpf.mk
+include $(INCLUDE_DIR)/nls.mk
+
+define Package/spotfilter
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Network filter for hotspot services
+  DEPENDS:=+libbpf +libubox +libubus +libnl-tiny +kmod-sched-cake +kmod-sched-bpf $(BPF_DEPENDS)
+endef
+
+TARGET_CFLAGS += \
+	-Wno-error=deprecated-declarations \
+	-I$(STAGING_DIR)/usr/include/libnl-tiny \
+	-I$(STAGING_DIR)/usr/include -g3
+
+CMAKE_OPTIONS += \
+	-DLIBNL_LIBS=-lnl-tiny
+
+define Build/Compile
+	$(call CompileBPF,$(PKG_BUILD_DIR)/spotfilter-bpf.c)
+	$(Build/Compile/Default)
+endef
+
+define Package/spotfilter/install
+	$(INSTALL_DIR) \
+		$(1)/etc/hotplug.d/net \
+		$(1)/etc/init.d \
+		$(1)/lib/bpf \
+		$(1)/usr/sbin
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/spotfilter-bpf.o $(1)/lib/bpf
+	$(INSTALL_BIN) ./files/spotfilter.init $(1)/etc/init.d/spotfilter
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/spotfilter $(1)/usr/sbin/
+	$(INSTALL_DATA) ./files/spotfilter.hotplug $(1)/etc/hotplug.d/net/10-spotfilter
+endef
+
+$(eval $(call BuildPackage,spotfilter))

feeds/ucentral/spotfilter/files/spotfilter.hotplug

@@ -0,0 +1,2 @@
+#!/bin/sh
+ubus call spotfilter check_devices

feeds/ucentral/spotfilter/files/spotfilter.init

@@ -0,0 +1,23 @@
+#!/bin/sh /etc/rc.common
+# Copyright (c) 2021 OpenWrt.org
+
+START=18
+
+USE_PROCD=1
+PROG=/usr/sbin/spotfilter
+
+reload_service() {
+	ubus call spotfilter interface_add "$(cat /tmp/spotfilter.json)"
+}
+
+start_service() {
+	procd_open_instance
+	procd_set_param command "$PROG"
+	procd_set_param respawn
+	procd_close_instance
+}
+
+service_started() {
+	ubus -t 10 wait_for spotfilter
+	[ $? = 0 ] && reload_service
+}

feeds/ucentral/spotfilter/src/CMakeLists.txt

@@ -0,0 +1,24 @@
+cmake_minimum_required(VERSION 3.10)
+
+PROJECT(spotfilter C)
+
+ADD_DEFINITIONS(-Os -Wall -Wno-unknown-warning-option -Wno-array-bounds -Wno-format-truncation -Werror --std=gnu99)
+
+SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
+
+IF (NOT DEFINED LIBNL_LIBS)
+	include(FindPkgConfig)
+	pkg_search_module(LIBNL libnl-3.0 libnl-3 libnl nl-3 nl)
+	IF (LIBNL_FOUND)
+		include_directories(${LIBNL_INCLUDE_DIRS})
+		SET(LIBNL_LIBS ${LIBNL_LIBRARIES})
+	ENDIF()
+ENDIF()
+
+find_library(bpf NAMES bpf)
+ADD_EXECUTABLE(spotfilter main.c bpf.c ubus.c rtnl.c interface.c snoop.c client.c dhcpv4.c icmpv6.c nl80211.c)
+TARGET_LINK_LIBRARIES(spotfilter ${bpf} ubox ubus ${LIBNL_LIBS})
+
+INSTALL(TARGETS spotfilter
+	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+)

feeds/ucentral/spotfilter/src/bpf.c

@@ -0,0 +1,196 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <arpa/inet.h>
+#include <glob.h>
+#include <unistd.h>
+
+#include "spotfilter.h"
+
+static int spotfilter_bpf_pr(enum libbpf_print_level level, const char *format,
+		     va_list args)
+{
+	return vfprintf(stderr, format, args);
+}
+
+static void
+spotfilter_fill_rodata(struct bpf_object *obj, struct spotfilter_bpf_config *val)
+{
+	struct bpf_map *map = NULL;
+
+	while ((map = bpf_object__next_map(obj, map)) != NULL) {
+		if (!strstr(bpf_map__name(map), ".rodata"))
+			continue;
+
+		bpf_map__set_initial_value(map, val, sizeof(*val));
+	}
+}
+
+static void spotfilter_init_env(void)
+{
+	struct rlimit limit = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	setrlimit(RLIMIT_MEMLOCK, &limit);
+}
+
+int spotfilter_bpf_load(struct interface *iface)
+{
+	DECLARE_LIBBPF_OPTS(bpf_object_open_opts, opts);
+	struct spotfilter_bpf_config config = {
+		.snoop_ifindex = spotfilter_ifb_ifindex
+	};
+	struct bpf_program *prog_i, *prog_e;
+	struct bpf_object *obj;
+	int err;
+
+	libbpf_set_print(spotfilter_bpf_pr);
+
+	spotfilter_init_env();
+
+	obj = bpf_object__open_file(SPOTFILTER_PROG_PATH, &opts);
+	err = libbpf_get_error(obj);
+	if (err) {
+		perror("bpf_object__open_file");
+		return -1;
+	}
+
+	prog_i = bpf_object__find_program_by_name(obj, "spotfilter_in");
+	if (!prog_i) {
+		fprintf(stderr, "Can't find ingress classifier\n");
+		goto error;
+	}
+
+	prog_e = bpf_object__find_program_by_name(obj, "spotfilter_out");
+	if (!prog_e) {
+		fprintf(stderr, "Can't find egress classifier\n");
+		goto error;
+	}
+
+	bpf_program__set_type(prog_i, BPF_PROG_TYPE_SCHED_CLS);
+	bpf_program__set_type(prog_e, BPF_PROG_TYPE_SCHED_CLS);
+
+	spotfilter_fill_rodata(obj, &config);
+
+	err = bpf_object__load(obj);
+	if (err) {
+		perror("bpf_object__load");
+		goto error;
+	}
+
+	iface->bpf.prog_ingress = bpf_program__fd(prog_i);
+	iface->bpf.prog_egress = bpf_program__fd(prog_e);
+	if ((iface->bpf.map_class = bpf_object__find_map_fd_by_name(obj, "class")) < 0 ||
+	    (iface->bpf.map_client = bpf_object__find_map_fd_by_name(obj, "client")) < 0 ||
+	    (iface->bpf.map_whitelist_v4 = bpf_object__find_map_fd_by_name(obj, "whitelist_ipv4")) < 0 ||
+	    (iface->bpf.map_whitelist_v6 = bpf_object__find_map_fd_by_name(obj, "whitelist_ipv6")) < 0) {
+		perror("bpf_object__find_map_fd_by_name");
+		goto error;
+	}
+	iface->bpf.obj = obj;
+
+	return 0;
+
+error:
+	bpf_object__close(obj);
+	return -1;
+}
+
+int spotfilter_bpf_get_client(struct interface *iface,
+			      const struct spotfilter_client_key *key,
+			      struct spotfilter_client_data *data)
+{
+	return bpf_map_lookup_elem(iface->bpf.map_client, key, data);
+}
+
+int spotfilter_bpf_set_client(struct interface *iface,
+			      const struct spotfilter_client_key *key,
+			      const struct spotfilter_client_data *data)
+{
+	if (!data)
+		return bpf_map_delete_elem(iface->bpf.map_client, key);
+
+	return bpf_map_update_elem(iface->bpf.map_client, key, data, BPF_ANY);
+}
+
+static void
+__spotfilter_bpf_set_device(struct interface *iface, int ifindex, bool egress, bool enabled)
+{
+	DECLARE_LIBBPF_OPTS(bpf_tc_hook, hook,
+			    .attach_point = egress ? BPF_TC_EGRESS : BPF_TC_INGRESS,
+			    .ifindex = ifindex);
+	DECLARE_LIBBPF_OPTS(bpf_tc_opts, attach_tc,
+			    .handle = 1,
+			    .priority = SPOTFILTER_PRIO_BASE);
+
+	if (!enabled) {
+		bpf_tc_detach(&hook, &attach_tc);
+		return;
+	}
+
+	if (egress)
+		attach_tc.prog_fd = iface->bpf.prog_egress;
+	else
+		attach_tc.prog_fd = iface->bpf.prog_ingress;
+
+	bpf_tc_hook_create(&hook);
+	bpf_tc_attach(&hook, &attach_tc);
+}
+
+void spotfilter_bpf_set_device(struct interface *iface, int ifindex, bool enabled)
+{
+	if (enabled)
+		spotfilter_bpf_set_device(iface, ifindex, false);
+
+	__spotfilter_bpf_set_device(iface, ifindex, true, enabled);
+	__spotfilter_bpf_set_device(iface, ifindex, false, enabled);
+}
+
+void spotfilter_bpf_update_class(struct interface *iface, uint32_t index)
+{
+	bpf_map_update_elem(iface->bpf.map_class, &index, &iface->cdata[index], BPF_ANY);
+}
+
+bool spotfilter_bpf_whitelist_seen(struct interface *iface, const void *addr, bool ipv6)
+{
+	int fd = ipv6 ? iface->bpf.map_whitelist_v6 : iface->bpf.map_whitelist_v4;
+	struct spotfilter_whitelist_entry e;
+
+	bpf_map_lookup_elem(fd, addr, &e);
+	if (!e.seen)
+	    return false;
+
+	e.seen = 0;
+	bpf_map_update_elem(fd, addr, &e, BPF_ANY);
+
+	return true;
+}
+
+void spotfilter_bpf_set_whitelist(struct interface *iface, const void *addr,
+				  bool ipv6, const uint8_t *state)
+{
+	int fd = ipv6 ? iface->bpf.map_whitelist_v6 : iface->bpf.map_whitelist_v4;
+	struct spotfilter_whitelist_entry e = {};
+
+	if (!state) {
+		bpf_map_delete_elem(fd, addr);
+		return;
+	}
+
+	e.val = *state;
+	bpf_map_update_elem(fd, addr, &e, BPF_ANY);
+}
+
+void spotfilter_bpf_free(struct interface *iface)
+{
+	if (!iface->bpf.obj)
+		return;
+
+	bpf_object__close(iface->bpf.obj);
+	iface->bpf.obj = NULL;
+}

feeds/ucentral/spotfilter/src/bpf.h

@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#ifndef __SPOTFILTER_BPF_H
+#define __SPOTFILTER_BPF_H
+
+struct interface;
+
+int spotfilter_bpf_load(struct interface *iface);
+void spotfilter_bpf_free(struct interface *iface);
+void spotfilter_bpf_set_device(struct interface *iface, int ifindex, bool enabled);
+void spotfilter_bpf_update_class(struct interface *iface, uint32_t index);
+int spotfilter_bpf_get_client(struct interface *iface,
+			      const struct spotfilter_client_key *key,
+			      struct spotfilter_client_data *data);
+int spotfilter_bpf_set_client(struct interface *iface,
+			      const struct spotfilter_client_key *key,
+			      const struct spotfilter_client_data *data);
+void spotfilter_bpf_set_whitelist(struct interface *iface, const void *addr,
+				  bool ipv6, const uint8_t *state);
+bool spotfilter_bpf_whitelist_seen(struct interface *iface, const void *addr, bool ipv6);
+
+#endif

feeds/ucentral/spotfilter/src/bpf_skb_utils.h

@@ -0,0 +1,173 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#ifndef __BPF_SKB_UTILS_H
+#define __BPF_SKB_UTILS_H
+
+#include <uapi/linux/bpf.h>
+#include <uapi/linux/if_ether.h>
+#include <uapi/linux/ip.h>
+#include <uapi/linux/ipv6.h>
+#include <linux/ip.h>
+#include <net/ipv6.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+struct skb_parser_info {
+	struct __sk_buff *skb;
+	__u32 offset;
+	int proto;
+};
+
+static __always_inline void *__skb_data(struct __sk_buff *skb)
+{
+	return (void *)(long)READ_ONCE(skb->data);
+}
+
+static __always_inline void *
+skb_ptr(struct __sk_buff *skb, __u32 offset, __u32 len)
+{
+	void *ptr = __skb_data(skb) + offset;
+	void *end = (void *)(long)(skb->data_end);
+
+	if (ptr + len >= end)
+		return NULL;
+
+	return ptr;
+}
+
+static __always_inline void *
+skb_info_ptr(struct skb_parser_info *info, __u32 len)
+{
+	__u32 offset = info->offset;
+	return skb_ptr(info->skb, offset, len);
+}
+
+static __always_inline void
+skb_parse_init(struct skb_parser_info *info, struct __sk_buff *skb)
+{
+	*info = (struct skb_parser_info){
+		.skb = skb
+	};
+}
+
+static __always_inline struct ethhdr *
+skb_parse_ethernet(struct skb_parser_info *info)
+{
+	struct ethhdr *eth;
+	int len;
+
+	len = sizeof(*eth) + 2 * sizeof(struct vlan_hdr) + sizeof(struct ipv6hdr);
+	if (len > info->skb->len)
+		len = info->skb->len;
+	bpf_skb_pull_data(info->skb, len);
+
+	eth = skb_info_ptr(info, sizeof(*eth));
+	if (!eth)
+		return NULL;
+
+	info->proto = eth->h_proto;
+	info->offset += sizeof(*eth);
+
+	return eth;
+}
+
+static __always_inline struct vlan_hdr *
+skb_parse_vlan(struct skb_parser_info *info)
+{
+	struct vlan_hdr *vlh;
+
+	if (info->proto != bpf_htons(ETH_P_8021Q) &&
+	    info->proto != bpf_htons(ETH_P_8021AD))
+		return NULL;
+
+	vlh = skb_info_ptr(info, sizeof(*vlh));
+	if (!vlh)
+		return NULL;
+
+	info->proto = vlh->h_vlan_encapsulated_proto;
+	info->offset += sizeof(*vlh);
+
+	return vlh;
+}
+
+static __always_inline struct iphdr *
+skb_parse_ipv4(struct skb_parser_info *info, int min_l4_bytes)
+{
+	struct iphdr *iph;
+	int proto, hdr_len;
+	__u32 pull_len;
+
+	if (info->proto != bpf_htons(ETH_P_IP))
+		return NULL;
+
+	iph = skb_info_ptr(info, sizeof(*iph));
+	if (!iph)
+		return NULL;
+
+	hdr_len = iph->ihl * 4;
+	if (hdr_len < sizeof(*iph))
+		return NULL;
+
+	pull_len = info->offset + hdr_len + min_l4_bytes;
+	if (pull_len > info->skb->len)
+		pull_len = info->skb->len;
+
+	if (bpf_skb_pull_data(info->skb, pull_len))
+		return NULL;
+
+	iph = skb_info_ptr(info, sizeof(*iph));
+	if (!iph)
+		return NULL;
+
+	info->proto = iph->protocol;
+	info->offset += hdr_len;
+
+	return iph;
+}
+
+static __always_inline struct ipv6hdr *
+skb_parse_ipv6(struct skb_parser_info *info, int max_l4_bytes)
+{
+	struct ipv6hdr *ip6h;
+	__u32 pull_len;
+
+	if (info->proto != bpf_htons(ETH_P_IPV6))
+		return NULL;
+
+	pull_len = info->offset + sizeof(*ip6h) + max_l4_bytes;
+	if (pull_len > info->skb->len)
+		pull_len = info->skb->len;
+
+	if (bpf_skb_pull_data(info->skb, pull_len))
+		return NULL;
+
+	ip6h = skb_info_ptr(info, sizeof(*ip6h));
+	if (!ip6h)
+		return NULL;
+
+	info->proto = READ_ONCE(ip6h->nexthdr);
+	info->offset += sizeof(*ip6h);
+
+	return ip6h;
+}
+
+static __always_inline struct tcphdr *
+skb_parse_tcp(struct skb_parser_info *info)
+{
+	struct tcphdr *tcph;
+
+	if (info->proto != IPPROTO_TCP)
+		return NULL;
+
+	tcph = skb_info_ptr(info, sizeof(*tcph));
+	if (!tcph)
+		return NULL;
+
+	info->offset += tcph->doff * 4;
+
+	return tcph;
+}
+
+#endif

feeds/ucentral/spotfilter/src/client.c

@@ -0,0 +1,203 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include <netinet/if_ether.h>
+#include <libubox/uloop.h>
+#include <libubox/avl-cmp.h>
+#include "spotfilter.h"
+
+#define CACHE_TIMEOUT 10
+
+struct cache_entry {
+	struct avl_node node;
+	uint8_t macaddr[ETH_ALEN];
+	uint32_t ip4addr;
+	uint32_t ip6addr[4];
+	uint32_t time;
+};
+
+static int avl_mac_cmp(const void *k1, const void *k2, void *priv)
+{
+	return memcmp(k1, k2, ETH_ALEN);
+}
+
+static AVL_TREE(cache, avl_mac_cmp, false, NULL);
+
+static uint32_t client_gettime(void)
+{
+	struct timespec ts;
+
+	clock_gettime(CLOCK_MONOTONIC, &ts);
+
+	return ts.tv_sec;
+}
+
+static void client_gc(struct uloop_timeout *t)
+{
+	struct cache_entry *c, *tmp;
+	uint32_t now = client_gettime();
+
+	avl_for_each_element_safe(&cache, c, node, tmp) {
+		uint32_t diff;
+
+		diff = now - c->time;
+		if (diff < CACHE_TIMEOUT)
+			continue;
+
+		avl_delete(&cache, &c->node);
+		free(c);
+	}
+
+	if (!avl_is_empty(&cache))
+		uloop_timeout_set(t, 1000);
+}
+
+void client_init_interface(struct interface *iface)
+{
+	avl_init(&iface->clients, avl_mac_cmp, false, NULL);
+	avl_init(&iface->client_ids, avl_strcmp, false, NULL);
+}
+
+static void __client_free(struct interface *iface, struct client *cl)
+{
+	if (cl->id_node.key)
+		avl_delete(&iface->client_ids, &cl->id_node);
+	avl_delete(&iface->clients, &cl->node);
+	kvlist_free(&cl->kvdata);
+	spotfilter_bpf_set_client(iface, &cl->key, NULL);
+	free(cl);
+}
+
+void client_free(struct interface *iface, struct client *cl)
+{
+	spotfilter_ubus_notify(iface, cl, "client_delete");
+	__client_free(iface, cl);
+}
+
+static void client_set_id(struct interface *iface, struct client *cl, const char *id)
+{
+	if (id == cl->id_node.key)
+		return;
+
+	if (id && cl->id_node.key && !strcmp(id, cl->id_node.key))
+		return;
+
+	if (cl->id_node.key) {
+		avl_delete(&iface->client_ids, &cl->id_node);
+		free((void *) cl->id_node.key);
+		cl->id_node.key = NULL;
+	}
+
+	if (!id)
+		return;
+
+	cl->id_node.key = strdup(id);
+	avl_insert(&iface->client_ids, &cl->id_node);
+}
+
+int client_set(struct interface *iface, const void *addr, const char *id,
+	       int state, int dns_state, int accounting, struct blob_attr *data)
+{
+	struct cache_entry *c;
+	struct blob_attr *cur;
+	struct client *cl;
+	bool new_client = false;
+	int rem;
+
+	cl = avl_find_element(&iface->clients, addr, cl, node);
+	if (!cl) {
+		cl = calloc(1, sizeof(*cl));
+		cl->node.key = &cl->key.addr;
+		memcpy(cl->key.addr, addr, ETH_ALEN);
+		avl_insert(&iface->clients, &cl->node);
+		cl->data.cur_class = iface->default_class;
+		cl->data.dns_class = iface->default_dns_class;
+		kvlist_init(&cl->kvdata, kvlist_blob_len);
+		new_client = true;
+	}
+
+	client_set_id(iface, cl, id);
+	if (!new_client)
+		spotfilter_bpf_get_client(iface, &cl->key, &cl->data);
+
+	c = avl_find_element(&cache, addr, c, node);
+	if (c) {
+		if (!cl->data.ip4addr)
+			cl->data.ip4addr = c->ip4addr;
+		if (!cl->data.ip6addr[0])
+			memcpy(cl->data.ip6addr, c->ip6addr, sizeof(cl->data.ip6addr));
+	}
+
+	if (state >= SPOTFILTER_NUM_CLASS || dns_state >= SPOTFILTER_NUM_CLASS) {
+		if (new_client)
+			__client_free(iface, cl);
+
+		return -1;
+	}
+
+	blobmsg_for_each_attr(cur, data, rem) {
+		if (!blobmsg_check_attr(cur, true))
+			continue;
+
+		kvlist_set(&cl->kvdata, blobmsg_name(cur), cur);
+	}
+	if (state >= 0)
+		cl->data.cur_class = state;
+	if (dns_state >= 0)
+		cl->data.dns_class = dns_state;
+	if (accounting >= 0)
+		cl->data.flags = accounting;
+	spotfilter_bpf_set_client(iface, &cl->key, &cl->data);
+
+	if (new_client)
+		spotfilter_ubus_notify(iface, cl, "client_add");
+
+	return 0;
+}
+
+void client_set_ipaddr(const void *mac, const void *addr, bool ipv6)
+{
+	static struct uloop_timeout gc_timer = {
+		.cb = client_gc
+	};
+	struct interface *iface;
+	struct cache_entry *c;
+	struct client *cl;
+
+	c = avl_find_element(&cache, mac, c, node);
+	if (!c) {
+		c = calloc(1, sizeof(*c));
+		memcpy(c->macaddr, mac, ETH_ALEN);
+		c->node.key = c->macaddr;
+		avl_insert(&cache, &c->node);
+		if (!gc_timer.pending)
+			uloop_timeout_set(&gc_timer, CACHE_TIMEOUT * 1000);
+	}
+
+	if (!ipv6 && !c->ip4addr)
+		memcpy(&c->ip4addr, addr, sizeof(c->ip4addr));
+	else if (ipv6 && !c->ip6addr[0])
+		memcpy(&c->ip6addr, addr, sizeof(c->ip6addr));
+	else
+		return;
+
+	c->time = client_gettime();
+
+	avl_for_each_element(&interfaces, iface, node) {
+		cl = avl_find_element(&iface->clients, mac, cl, node);
+		if (!cl)
+			continue;
+
+		spotfilter_bpf_get_client(iface, &cl->key, &cl->data);
+
+		if (!ipv6 && !cl->data.ip4addr)
+			memcpy(&cl->data.ip4addr, addr, sizeof(cl->data.ip4addr));
+		else if (ipv6 && !cl->data.ip6addr[0])
+			memcpy(&cl->data.ip6addr, addr, sizeof(cl->data.ip6addr));
+		else
+			continue;
+
+		spotfilter_bpf_set_client(iface, &cl->key, &cl->data);
+	}
+}

feeds/ucentral/spotfilter/src/client.h

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#ifndef __SPOTFILTER_CLIENT_H
+#define __SPOTFILTER_CLIENT_H
+
+#include <netinet/if_ether.h>
+#include <libubox/kvlist.h>
+
+struct client {
+	struct avl_node node;
+	struct avl_node id_node;
+
+	struct kvlist kvdata;
+	int idle;
+
+	struct spotfilter_client_key key;
+	struct spotfilter_client_data data;
+};
+
+int client_set(struct interface *iface, const void *addr, const char *id,
+	       int state, int dns_state, int accounting, struct blob_attr *data);
+void client_free(struct interface *iface, struct client *cl);
+void client_set_ipaddr(const void *mac, const void *addr, bool ipv6);
+void client_init_interface(struct interface *iface);
+
+#endif

feeds/ucentral/spotfilter/src/dhcpv4.c

@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include "spotfilter.h"
+
+enum dhcpv4_msg {
+	DHCPV4_MSG_DISCOVER = 1,
+	DHCPV4_MSG_OFFER = 2,
+	DHCPV4_MSG_REQUEST = 3,
+	DHCPV4_MSG_DECLINE = 4,
+	DHCPV4_MSG_ACK = 5,
+	DHCPV4_MSG_NAK = 6,
+	DHCPV4_MSG_RELEASE = 7,
+	DHCPV4_MSG_INFORM = 8,
+	DHCPV4_MSG_FORCERENEW = 9,
+};
+
+enum dhcpv4_opt {
+	DHCPV4_OPT_PAD = 0,
+	DHCPV4_OPT_NETMASK = 1,
+	DHCPV4_OPT_ROUTER = 3,
+	DHCPV4_OPT_DNSSERVER = 6,
+	DHCPV4_OPT_DOMAIN = 15,
+	DHCPV4_OPT_MTU = 26,
+	DHCPV4_OPT_BROADCAST = 28,
+	DHCPV4_OPT_NTPSERVER = 42,
+	DHCPV4_OPT_LEASETIME = 51,
+	DHCPV4_OPT_MESSAGE = 53,
+	DHCPV4_OPT_SERVERID = 54,
+	DHCPV4_OPT_REQOPTS = 55,
+	DHCPV4_OPT_RENEW = 58,
+	DHCPV4_OPT_REBIND = 59,
+	DHCPV4_OPT_IPADDRESS = 50,
+	DHCPV4_OPT_MSG_TYPE = 53,
+	DHCPV4_OPT_HOSTNAME = 12,
+	DHCPV4_OPT_REQUEST = 17,
+	DHCPV4_OPT_USER_CLASS = 77,
+	DHCPV4_OPT_AUTHENTICATION = 90,
+	DHCPV4_OPT_SEARCH_DOMAIN = 119,
+	DHCPV4_OPT_FORCERENEW_NONCE_CAPABLE = 145,
+	DHCPV4_OPT_END = 255,
+};
+
+struct dhcpv4_message {
+	uint8_t op;
+	uint8_t htype;
+	uint8_t hlen;
+	uint8_t hops;
+	uint32_t xid;
+	uint16_t secs;
+	uint16_t flags;
+	struct in_addr ciaddr;
+	struct in_addr yiaddr;
+	struct in_addr siaddr;
+	struct in_addr giaddr;
+	uint8_t chaddr[16];
+	char sname[64];
+	char file[128];
+	uint32_t magic;
+	uint8_t options[];
+} __attribute__((packed));
+
+#define DHCPV4_MAGIC 0x63825363
+
+struct dhcpv4_option {
+	uint8_t type;
+	uint8_t len;
+	uint8_t data[];
+};
+
+#define dhcpv4_for_each_option(opt, start, end)				\
+	for (opt = (const struct dhcpv4_option *)(start);		\
+	     &opt[1] <= (const struct dhcpv4_option *)(end) &&		\
+	     &opt->data[opt->len] <= (const uint8_t *)(end);		\
+	     opt = (const struct dhcpv4_option *)&opt->data[opt->len])
+
+void spotfilter_recv_dhcpv4(const void *msgdata, int len, const void *eth_addr)
+{
+	const struct dhcpv4_message *msg = msgdata;
+	const struct dhcpv4_option *opt;
+	uint8_t bcast_addr[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+	int op = -1;
+
+	if (ntohl(msg->magic) != DHCPV4_MAGIC)
+		return;
+
+	if (msg->op != 2 || msg->htype != 1 || msg->hlen != 6)
+		return;
+
+	if (memcmp(eth_addr, bcast_addr, ETH_ALEN) != 0 &&
+	    memcmp(eth_addr, msg->chaddr, ETH_ALEN) != 0)
+		return;
+
+	dhcpv4_for_each_option(opt, msg->options, msgdata + len) {
+		switch (opt->type) {
+		case DHCPV4_OPT_MESSAGE:
+			if (opt->len != 1)
+				break;
+
+			op = opt->data[0];
+			break;
+		}
+	}
+
+	if (op != DHCPV4_MSG_ACK)
+		return;
+
+	client_set_ipaddr(msg->chaddr, (uint32_t *)&msg->yiaddr, false);
+}
+

feeds/ucentral/spotfilter/src/example.json

@@ -0,0 +1,36 @@
+{
+	"name": "hotspot",
+	"devices": [ "wlan1" ],
+	"config": {
+		"class": [
+			{
+				"index": 0
+			},
+			{
+				"index": 1,
+				"device_macaddr": "br-test"
+			},
+			{
+				"index": 2,
+				"macaddr": "00:11:22:33:44:55"
+			},
+			{
+				"index": 3,
+				"fwmark": 1,
+				"fwmark_mask": 127
+			},
+			{
+				"index": 4,
+				"redirect": "up0v2"
+			}
+		],
+		"default_class": 1,
+		"default_dns_class": 0,
+		"whitelist": [
+			{
+				"class": 0,
+				"hosts": [ "*.google.de", "*.google.com" ]
+			}
+		]
+	}
+}

feeds/ucentral/spotfilter/src/icmpv6.c

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include <netinet/icmp6.h>
+#include "spotfilter.h"
+
+struct icmpv6_opt {
+	uint8_t type;
+	uint8_t len;
+	uint8_t data[6];
+};
+
+#define icmpv6_for_each_option(opt, start, end)					\
+	for (opt = (const struct icmpv6_opt*)(start);				\
+	     (const void *)(opt + 1) <= (const void *)(end) && opt->len > 0 &&	\
+	     (const void *)(opt + opt->len) <= (const void *)(end); opt += opt->len)
+
+void spotfilter_recv_icmpv6(const void *data, int len, const uint8_t *src, const uint8_t *dest)
+{
+	const struct nd_neighbor_advert *nd = data;
+	const struct icmp6_hdr *hdr = data;
+	const struct icmpv6_opt *opt;
+
+	if (len < sizeof(*nd) || hdr->icmp6_code)
+		return;
+
+	if (hdr->icmp6_type != ND_NEIGHBOR_ADVERT)
+		return;
+
+	icmpv6_for_each_option(opt, &nd[1], data + len) {
+		if (opt->type != ND_OPT_TARGET_LINKADDR || opt->len != 1)
+			continue;
+
+		if (memcmp(opt->data, src, ETH_ALEN))
+			return;
+	}
+
+	if ((nd->nd_na_target.s6_addr[0] & 0xe0) != 0x20)
+		return;
+
+	if (opt != (const struct icmpv6_opt *)(data + len))
+		return;
+
+	client_set_ipaddr(src, &nd->nd_na_target, true);
+}

feeds/ucentral/spotfilter/src/interface.c

@@ -0,0 +1,369 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netinet/ether.h>
+#include <net/if.h>
+
+#include <libubox/avl-cmp.h>
+
+#include "spotfilter.h"
+
+AVL_TREE(interfaces, avl_strcmp, false, NULL);
+
+void interface_free(struct interface *iface)
+{
+	struct client *cl, *tmp;
+
+	spotfilter_dns_free(iface);
+
+	vlist_flush_all(&iface->devices);
+
+	avl_for_each_element_safe(&iface->clients, cl, node, tmp)
+		client_free(iface, cl);
+
+	spotfilter_bpf_free(iface);
+
+	avl_delete(&interfaces, &iface->node);
+	free(iface->config);
+	free(iface);
+}
+
+static inline const char *
+device_name(struct device *dev)
+{
+	return dev->node.avl.key;
+}
+
+static void
+interface_check_device(struct interface *iface, struct device *dev)
+{
+	int old_ifindex = dev->ifindex;
+
+	dev->ifindex = if_nametoindex(device_name(dev));
+	if (dev->ifindex != old_ifindex)
+		spotfilter_bpf_set_device(iface, dev->ifindex, true);
+}
+
+static void
+device_update_cb(struct vlist_tree *tree,
+		 struct vlist_node *node_new,
+		 struct vlist_node *node_old)
+{
+	struct interface *iface = container_of(tree, struct interface, devices);
+	struct device *dev_new = container_of_safe(node_new, struct device, node);
+	struct device *dev_old = container_of_safe(node_old, struct device, node);
+
+	if (dev_new) {
+		if (dev_old)
+			dev_new->ifindex = dev_old->ifindex;
+		interface_check_device(iface, dev_new);
+	}
+
+	if (dev_old) {
+		if (!dev_new && dev_old->ifindex)
+			spotfilter_bpf_set_device(iface, dev_old->ifindex, false);
+		free(dev_old);
+	}
+}
+
+static int
+interface_parse_class(struct spotfilter_bpf_class *cdata, struct blob_attr *attr)
+{
+	enum {
+		CLASS_ATTR_INDEX,
+		CLASS_ATTR_DEV_MAC,
+		CLASS_ATTR_MAC,
+		CLASS_ATTR_REDIRECT,
+		CLASS_ATTR_FWMARK,
+		CLASS_ATTR_FWMARK_MASK,
+		__CLASS_ATTR_MAX,
+	};
+	static const struct blobmsg_policy policy[__CLASS_ATTR_MAX] = {
+		[CLASS_ATTR_INDEX] = { "index", BLOBMSG_TYPE_INT32 },
+		[CLASS_ATTR_DEV_MAC] = { "device_macaddr", BLOBMSG_TYPE_STRING },
+		[CLASS_ATTR_MAC] = { "macaddr", BLOBMSG_TYPE_STRING },
+		[CLASS_ATTR_REDIRECT] = { "redirect", BLOBMSG_TYPE_STRING },
+		[CLASS_ATTR_FWMARK] = { "fwmark", BLOBMSG_TYPE_INT32 },
+		[CLASS_ATTR_FWMARK_MASK] = { "fwmark_mask", BLOBMSG_TYPE_INT32 },
+	};
+	struct blob_attr *tb[__CLASS_ATTR_MAX];
+	struct blob_attr *cur;
+	unsigned int index;
+
+	if (blobmsg_type(attr) != BLOBMSG_TYPE_TABLE)
+		return -1;
+
+	blobmsg_parse(policy, __CLASS_ATTR_MAX, tb,
+		      blobmsg_data(attr), blobmsg_len(attr));
+
+	if ((cur = tb[CLASS_ATTR_INDEX]) != NULL)
+		index = blobmsg_get_u32(cur);
+	else
+		return -1;
+
+	if (index >= SPOTFILTER_NUM_CLASS)
+		return -1;
+
+	if ((cur = tb[CLASS_ATTR_MAC]) != NULL) {
+		void *addr;
+
+		addr = ether_aton(blobmsg_get_string(cur));
+		if (!addr)
+			goto invalid;
+
+		memcpy(cdata->dest_mac, addr, sizeof(cdata->dest_mac));
+		cdata->actions |= SPOTFILTER_ACTION_SET_DEST_MAC;
+	} else if ((cur = tb[CLASS_ATTR_DEV_MAC]) != NULL) {
+		const char *name = blobmsg_get_string(cur);
+		struct ifreq ifr = {};
+		int sock;
+		int ret;
+
+		if (strlen(name) > IFNAMSIZ)
+			goto invalid;
+
+		strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
+
+		sock = socket(AF_INET, SOCK_DGRAM, 0);
+		ret = ioctl(sock, SIOCGIFHWADDR, &ifr);
+		if (ret < 0)
+			perror("ioctl");
+		close(sock);
+
+		if (ret < 0)
+			goto invalid;
+
+		if (ifr.ifr_hwaddr.sa_family != ARPHRD_ETHER)
+			goto invalid;
+
+		memcpy(cdata->dest_mac, ifr.ifr_hwaddr.sa_data, sizeof(cdata->dest_mac));
+		cdata->actions |= SPOTFILTER_ACTION_SET_DEST_MAC;
+	}
+
+	if ((cur = tb[CLASS_ATTR_REDIRECT]) != NULL) {
+		unsigned int ifindex = if_nametoindex(blobmsg_get_string(cur));
+
+		if (!ifindex)
+			goto invalid;
+
+		cdata->redirect_ifindex = ifindex;
+		cdata->actions |= SPOTFILTER_ACTION_REDIRECT;
+	}
+
+	if ((cur = tb[CLASS_ATTR_FWMARK_MASK]) != NULL)
+		cdata->fwmark_mask = blobmsg_get_u32(cur);
+	else
+		cdata->fwmark_mask = ~0;
+
+	if ((cur = tb[CLASS_ATTR_FWMARK]) != NULL) {
+		cdata->fwmark_val = blobmsg_get_u32(cur);
+		cdata->actions |= SPOTFILTER_ACTION_FWMARK;
+	}
+
+	cdata->actions |= SPOTFILTER_ACTION_VALID;
+	return index;
+
+invalid:
+	cdata->actions = 0;
+	return index;
+}
+
+static bool
+__interface_check_whitelist(struct blob_attr *attr)
+{
+	enum {
+		WL_ATTR_CLASS,
+		WL_ATTR_HOSTS,
+		__WL_ATTR_MAX
+	};
+	static const struct blobmsg_policy policy[__WL_ATTR_MAX] = {
+		[WL_ATTR_CLASS] = { "class", BLOBMSG_TYPE_INT32 },
+		[WL_ATTR_HOSTS] = { "hosts", BLOBMSG_TYPE_ARRAY },
+	};
+	struct blob_attr *tb[__WL_ATTR_MAX];
+
+	blobmsg_parse(policy, __WL_ATTR_MAX, tb, blobmsg_data(attr), blobmsg_len(attr));
+
+	if (!tb[WL_ATTR_CLASS] || !tb[WL_ATTR_HOSTS])
+		return false;
+
+	return blobmsg_check_array(tb[WL_ATTR_HOSTS], BLOBMSG_TYPE_STRING) >= 0;
+}
+
+static bool
+interface_check_whitelist(struct blob_attr *attr)
+{
+	struct blob_attr *cur;
+	int rem;
+
+	if (blobmsg_check_array(attr, BLOBMSG_TYPE_TABLE) <= 0)
+		return false;
+
+	blobmsg_for_each_attr(cur, attr, rem) {
+		if (!__interface_check_whitelist(cur))
+			return false;
+	}
+
+	return true;
+}
+
+static void
+interface_set_config(struct interface *iface, bool iface_init)
+{
+	enum {
+		CONFIG_ATTR_CLASS,
+		CONFIG_ATTR_WHITELIST,
+		CONFIG_ATTR_ACTIVE_TIMEOUT,
+		CONFIG_ATTR_CLIENT_AUTOCREATE,
+		CONFIG_ATTR_CLIENT_AUTOREMOVE,
+		CONFIG_ATTR_CLIENT_TIMEOUT,
+		CONFIG_ATTR_DEFAULT_CLASS,
+		CONFIG_ATTR_DEFAULT_DNS_CLASS,
+		__CONFIG_ATTR_MAX,
+	};
+	static const struct blobmsg_policy policy[__CONFIG_ATTR_MAX] = {
+		[CONFIG_ATTR_CLASS] = { "class", BLOBMSG_TYPE_ARRAY },
+		[CONFIG_ATTR_WHITELIST] = { "whitelist", BLOBMSG_TYPE_ARRAY },
+		[CONFIG_ATTR_ACTIVE_TIMEOUT] = { "active_timeout", BLOBMSG_TYPE_INT32 },
+		[CONFIG_ATTR_CLIENT_TIMEOUT] = { "client_timeout", BLOBMSG_TYPE_INT32 },
+		[CONFIG_ATTR_CLIENT_AUTOCREATE] = { "client_autocreate", BLOBMSG_TYPE_BOOL },
+		[CONFIG_ATTR_CLIENT_AUTOREMOVE] = { "client_autoremove", BLOBMSG_TYPE_BOOL },
+		[CONFIG_ATTR_DEFAULT_CLASS] = { "default_class", BLOBMSG_TYPE_INT32 },
+		[CONFIG_ATTR_DEFAULT_DNS_CLASS] = { "default_dns_class", BLOBMSG_TYPE_INT32 },
+	};
+	struct blob_attr *tb[__CONFIG_ATTR_MAX];
+	struct blob_attr *cur;
+	uint32_t class_mask = 0;
+	int i, rem;
+
+	blobmsg_parse(policy, __CONFIG_ATTR_MAX, tb,
+		      blobmsg_data(iface->config), blobmsg_len(iface->config));
+
+	if ((cur = tb[CONFIG_ATTR_DEFAULT_CLASS]) != NULL &&
+	    blobmsg_get_u32(cur) < SPOTFILTER_NUM_CLASS)
+		iface->default_class = blobmsg_get_u32(cur);
+	else
+		iface->default_class = 0;
+
+	if ((cur = tb[CONFIG_ATTR_DEFAULT_DNS_CLASS]) != NULL &&
+	    blobmsg_get_u32(cur) < SPOTFILTER_NUM_CLASS)
+		iface->default_dns_class = blobmsg_get_u32(cur);
+	else
+		iface->default_dns_class = 0;
+
+	if ((cur = tb[CONFIG_ATTR_WHITELIST]) != NULL && interface_check_whitelist(cur))
+		iface->whitelist = cur;
+	else
+		iface->whitelist = NULL;
+
+	if ((cur = tb[CONFIG_ATTR_ACTIVE_TIMEOUT]) != NULL)
+		iface->active_timeout = blobmsg_get_u32(cur);
+	else
+		iface->active_timeout = 300;
+
+	if ((cur = tb[CONFIG_ATTR_CLIENT_TIMEOUT]) != NULL)
+		iface->client_timeout = blobmsg_get_u32(cur);
+	else
+		iface->client_timeout = 30;
+
+	if ((cur = tb[CONFIG_ATTR_CLIENT_AUTOCREATE]) != NULL)
+		iface->client_autocreate = blobmsg_get_u8(cur);
+	else
+		iface->client_autocreate = true;
+
+	if ((cur = tb[CONFIG_ATTR_CLIENT_AUTOREMOVE]) != NULL)
+		iface->client_autoremove = blobmsg_get_u8(cur);
+	else
+		iface->client_autoremove = true;
+
+	blobmsg_for_each_attr(cur, tb[CONFIG_ATTR_CLASS], rem) {
+		struct spotfilter_bpf_class cdata = {};
+		int index;
+
+		index = interface_parse_class(&cdata, cur);
+		if (index < 0)
+			continue;
+
+		if (iface_init ||
+		    memcmp(&iface->cdata[index], &cdata, sizeof(cdata)) != 0) {
+			memcpy(&iface->cdata[index], &cdata, sizeof(cdata));
+			spotfilter_bpf_update_class(iface, index);
+		}
+
+		class_mask |= 1 << index;
+	}
+
+	for (i = 0; i < SPOTFILTER_NUM_CLASS; i++) {
+		if (class_mask & (1 << i))
+			continue;
+
+		memset(&iface->cdata[i], 0, sizeof(iface->cdata[i]));
+		spotfilter_bpf_update_class(iface, i);
+	}
+}
+
+void interface_check_devices(void)
+{
+	struct interface *iface;
+	struct device *dev;
+
+	avl_for_each_element(&interfaces, iface, node) {
+		interface_set_config(iface, false);
+
+		vlist_for_each_element(&iface->devices, dev, node)
+			interface_check_device(iface, dev);
+	}
+}
+
+void interface_add(const char *name, struct blob_attr *config,
+		   struct blob_attr *devices)
+{
+	struct interface *iface;
+	struct blob_attr *cur;
+	char *name_buf;
+	bool iface_init = false;
+	int rem;
+
+	iface = avl_find_element(&interfaces, name, iface, node);
+	if (!iface) {
+		iface = calloc_a(sizeof(*iface), &name_buf, strlen(name) + 1);
+		iface->node.key = strcpy(name_buf, name);
+		vlist_init(&iface->devices, avl_strcmp, device_update_cb);
+		client_init_interface(iface);
+		spotfilter_dns_init(iface);
+
+		if (spotfilter_bpf_load(iface)) {
+			free(iface);
+			return;
+		}
+
+		avl_insert(&interfaces, &iface->node);
+		iface_init = true;
+	}
+
+	if (config && !blob_attr_equal(iface->config, config)) {
+		free(iface->config);
+		iface->config = blob_memdup(config);
+		interface_set_config(iface, iface_init);
+	}
+
+	blobmsg_for_each_attr(cur, devices, rem) {
+		struct device *dev;
+		const char *name = blobmsg_get_string(cur);
+
+		dev = calloc_a(sizeof(*dev), &name_buf, strlen(name) + 1);
+		vlist_add(&iface->devices, &dev->node, strcpy(name_buf, name));
+	}
+}
+
+void interface_done(void)
+{
+	struct interface *iface, *tmp;
+
+	avl_for_each_element_safe(&interfaces, iface, node, tmp)
+		interface_free(iface);
+}

feeds/ucentral/spotfilter/src/interface.h

@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#ifndef __SPOTFILTER_INTERFACE_H
+#define __SPOTFILTER_INTERFACE_H
+
+#include <libubox/vlist.h>
+#include <libubox/blobmsg.h>
+#include <libubox/uloop.h>
+
+struct bpf_object;
+
+struct interface {
+	struct avl_node node;
+
+	struct blob_attr *config;
+	struct blob_attr *whitelist;
+
+	struct avl_tree cname_cache;
+	struct avl_tree addr_map;
+
+	struct uloop_timeout addr_gc;
+	uint32_t next_gc;
+
+	uint32_t active_timeout;
+
+	uint8_t default_class;
+	uint8_t default_dns_class;
+
+	bool client_autocreate;
+	bool client_autoremove;
+	int client_timeout;
+
+	struct {
+		struct bpf_object *obj;
+
+		int prog_ingress;
+		int prog_egress;
+		int map_class;
+		int map_client;
+		int map_whitelist_v4;
+		int map_whitelist_v6;
+	} bpf;
+
+	struct spotfilter_bpf_class cdata[SPOTFILTER_NUM_CLASS];
+
+	struct vlist_tree devices;
+
+	struct avl_tree clients;
+	struct avl_tree client_ids;
+};
+
+struct device {
+	struct vlist_node node;
+
+	int ifindex;
+};
+
+extern struct avl_tree interfaces;
+
+static inline const char *interface_name(struct interface *iface)
+{
+	return iface->node.key;
+}
+
+void interface_add(const char *name, struct blob_attr *config,
+		   struct blob_attr *devices);
+void interface_free(struct interface *iface);
+void interface_check_devices(void);
+void interface_done(void);
+
+#endif

feeds/ucentral/spotfilter/src/main.c

@@ -0,0 +1,120 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include <sys/wait.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdint.h>
+
+#include <libubox/uloop.h>
+
+#include "spotfilter.h"
+
+int spotfilter_run_cmd(char *cmd, bool ignore_error)
+{
+	char *argv[] = { "sh", "-c", cmd, NULL };
+	bool first = true;
+	int status = -1;
+	char buf[512];
+	int fds[2];
+	FILE *f;
+	int pid;
+
+	if (pipe(fds))
+		return -1;
+
+	pid = fork();
+	if (!pid) {
+		close(fds[0]);
+		if (fds[1] != STDOUT_FILENO)
+			dup2(fds[1], STDOUT_FILENO);
+		if (fds[1] != STDERR_FILENO)
+			dup2(fds[1], STDERR_FILENO);
+		if (fds[1] > STDERR_FILENO)
+			close(fds[1]);
+		execv("/bin/sh", argv);
+		exit(1);
+	}
+
+	if (pid < 0)
+		return -1;
+
+	close(fds[1]);
+	f = fdopen(fds[0], "r");
+	if (!f) {
+		close(fds[0]);
+		goto out;
+	}
+
+	while (fgets(buf, sizeof(buf), f) != NULL) {
+		if (!strlen(buf))
+			break;
+		if (ignore_error)
+			continue;
+		if (first) {
+			ULOG_WARN("Command: %s\n", cmd);
+			first = false;
+		}
+		ULOG_WARN("%s%s", buf, strchr(buf, '\n') ? "" : "\n");
+	}
+
+	fclose(f);
+
+out:
+	while (waitpid(pid, &status, 0) < 0)
+		if (errno != EINTR)
+			break;
+
+	return status;
+}
+
+static int usage(const char *progname)
+{
+	fprintf(stderr, "Usage: %s [options]\n"
+		"Options:\n"
+		"\n", progname);
+
+	return 1;
+}
+
+int main(int argc, char **argv)
+{
+	int ret = 2;
+	int ch;
+
+	while ((ch = getopt(argc, argv, "")) != -1) {
+		switch (ch) {
+		default:
+			return usage(argv[0]);
+		}
+	}
+
+	ulog_open(ULOG_SYSLOG, LOG_DAEMON, "spotfilter");
+	uloop_init();
+
+	if (rtnl_init())
+		return 1;
+
+	if (spotfilter_nl80211_init())
+		return 1;
+
+	if (spotfilter_dev_init())
+		return 1;
+
+	if (spotfilter_ubus_init())
+		goto out;
+
+	ret = 0;
+	uloop_run();
+
+	spotfilter_ubus_stop();
+
+out:
+	interface_done();
+	spotfilter_dev_done();
+	spotfilter_nl80211_done();
+	uloop_done();
+
+	return ret;
+}

feeds/ucentral/spotfilter/src/nl80211.c

@@ -0,0 +1,276 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#define _GNU_SOURCE
+#include <linux/netlink.h>
+
+#include <netlink/genl/genl.h>
+#include <netlink/genl/family.h>
+#include <netlink/genl/ctrl.h>
+#include <netlink/msg.h>
+#include <netlink/attr.h>
+
+#include <linux/nl80211.h>
+
+#include <errno.h>
+
+#include <libubox/uloop.h>
+
+#include "spotfilter.h"
+
+static struct nl_sock *genl;
+static struct nl_cb *genl_cb;
+static struct uloop_fd genl_fd;
+static struct uloop_timeout update_timer;
+static int nl80211_id;
+
+static int error_handler(struct sockaddr_nl *nla, struct nlmsgerr *err,
+			 void *arg)
+{
+	int *ret = arg;
+	*ret = err->error;
+	return NL_STOP;
+}
+
+static int ack_handler(struct nl_msg *msg, void *arg)
+{
+	int *ret = arg;
+	*ret = 0;
+	return NL_STOP;
+}
+
+struct handler_args {
+	const char *group;
+	int id;
+};
+
+static int family_handler(struct nl_msg *msg, void *arg)
+{
+	struct handler_args *grp = arg;
+	struct nlattr *tb[CTRL_ATTR_MAX + 1];
+	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
+	struct nlattr *mcgrp;
+	int rem_mcgrp;
+
+	nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
+		  genlmsg_attrlen(gnlh, 0), NULL);
+
+	if (!tb[CTRL_ATTR_MCAST_GROUPS])
+		return NL_SKIP;
+
+	nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) {
+		struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
+
+		nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
+			  nla_data(mcgrp), nla_len(mcgrp), NULL);
+
+		if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] ||
+		    !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
+			continue;
+		if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
+			    grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])))
+			continue;
+		grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]);
+		break;
+	}
+
+	return NL_SKIP;
+}
+
+static int nl_get_multicast_id(struct nl_sock *sock, const char *family, const char *group)
+{
+	struct nl_msg *msg;
+	struct nl_cb *cb;
+	struct handler_args grp = {
+		.group = group,
+		.id = -ENOENT,
+	};
+	int ret, ctrlid;
+
+	msg = nlmsg_alloc();
+	if (!msg)
+		return -ENOMEM;
+
+	cb = nl_cb_alloc(NL_CB_DEFAULT);
+	if (!cb) {
+		ret = -ENOMEM;
+		goto out_fail_cb;
+	}
+
+	ctrlid = genl_ctrl_resolve(sock, "nlctrl");
+
+	genlmsg_put(msg, 0, 0, ctrlid, 0,
+		    0, CTRL_CMD_GETFAMILY, 0);
+
+	ret = -ENOBUFS;
+	NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family);
+
+	ret = nl_send_auto_complete(sock, msg);
+	if (ret < 0)
+		goto out;
+
+	ret = 1;
+
+	nl_cb_err(cb, NL_CB_CUSTOM, error_handler, &ret);
+	nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, ack_handler, &ret);
+	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, family_handler, &grp);
+
+	while (ret > 0)
+		nl_recvmsgs(sock, cb);
+
+	if (ret == 0)
+		ret = grp.id;
+ nla_put_failure:
+ out:
+	nl_cb_put(cb);
+ out_fail_cb:
+	nlmsg_free(msg);
+	return ret;
+}
+
+static void
+nl80211_sock_cb(struct uloop_fd *fd, unsigned int events)
+{
+	nl_recvmsgs(genl, genl_cb);
+}
+
+static void
+nl80211_device_update(struct interface *iface, struct device *dev)
+{
+	struct nl_msg *msg;
+
+	msg = nlmsg_alloc();
+	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, nl80211_id, 0, NLM_F_DUMP,
+		    NL80211_CMD_GET_STATION, 0);
+	nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
+
+	nl_send_auto_complete(genl, msg);
+	nlmsg_free(msg);
+}
+
+static void
+nl80211_interface_update(struct interface *iface)
+{
+	struct client *cl, *tmp;
+	struct device *dev;
+
+	if (!iface->client_autoremove)
+		return;
+
+	avl_for_each_element_safe(&iface->clients, cl, node, tmp) {
+		if (cl->idle++ < iface->client_timeout)
+			continue;
+
+		client_free(iface, cl);
+	}
+
+	vlist_for_each_element(&iface->devices, dev, node)
+		nl80211_device_update(iface, dev);
+}
+
+static void spotfilter_nl80211_update(struct uloop_timeout *t)
+{
+	struct interface *iface;
+
+	avl_for_each_element(&interfaces, iface, node)
+		nl80211_interface_update(iface);
+
+	uloop_timeout_set(t, 1000);
+}
+
+static int no_seq_check(struct nl_msg *msg, void *arg)
+{
+	return NL_OK;
+}
+
+static int valid_msg(struct nl_msg *msg, void *arg)
+{
+	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
+	struct nlattr *tb[NL80211_ATTR_MAX + 1];
+	struct interface *iface;
+	struct device *dev;
+	struct client *cl;
+	const void *addr;
+	int ifindex;
+
+	nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
+		  genlmsg_attrlen(gnlh, 0), NULL);
+
+	if (gnlh->cmd != NL80211_CMD_NEW_STATION)
+		return NL_SKIP;
+
+	if (!tb[NL80211_ATTR_IFINDEX] || !tb[NL80211_ATTR_MAC])
+		return NL_SKIP;
+
+	ifindex = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
+	addr = nla_data(tb[NL80211_ATTR_MAC]);
+
+	avl_for_each_element(&interfaces, iface, node)
+		vlist_for_each_element(&iface->devices, dev, node)
+			if (dev->ifindex == ifindex)
+				goto found;
+
+	return NL_SKIP;
+
+found:
+	cl = avl_find_element(&iface->clients, addr, cl, node);
+	if (cl)
+		cl->idle = 0;
+	else if (iface->client_autocreate)
+		client_set(iface, addr, NULL, -1, -1, -1, NULL);
+
+	return NL_SKIP;
+}
+
+int spotfilter_nl80211_init(void)
+{
+	int id;
+
+	genl = nl_socket_alloc();
+	if (!genl)
+		return -1;
+
+	nl_socket_set_buffer_size(genl, 16384, 16384);
+	if (genl_connect(genl))
+		goto error;
+
+	nl80211_id = genl_ctrl_resolve(genl, "nl80211");
+	if (nl80211_id < 0)
+		goto error;
+
+	id = nl_get_multicast_id(genl, "nl80211", "mlme");
+	if (id < 0)
+		goto error;
+
+	if (nl_socket_add_membership(genl, id) < 0)
+		goto error;
+
+	genl_cb = nl_cb_alloc(NL_CB_DEFAULT);
+	nl_cb_set(genl_cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, no_seq_check, NULL);
+	nl_cb_set(genl_cb, NL_CB_VALID, NL_CB_CUSTOM, valid_msg, NULL);
+
+	genl_fd.fd = nl_socket_get_fd(genl);
+	genl_fd.cb = nl80211_sock_cb;
+	uloop_fd_add(&genl_fd, ULOOP_READ);
+
+	update_timer.cb = spotfilter_nl80211_update;
+	uloop_timeout_set(&update_timer, 1);
+
+	return 0;
+
+error:
+	spotfilter_nl80211_done();
+	return -1;
+}
+
+void spotfilter_nl80211_done(void)
+{
+	if (!genl)
+		return;
+
+	uloop_timeout_cancel(&update_timer);
+	uloop_fd_delete(&genl_fd);
+	nl_socket_free(genl);
+	genl = NULL;
+}

feeds/ucentral/spotfilter/src/rtnl.c

@@ -0,0 +1,99 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netlink/msg.h>
+#include <netlink/attr.h>
+#include <netlink/socket.h>
+#include <linux/rtnetlink.h>
+#include "spotfilter.h"
+
+static struct nl_sock *rtnl;
+bool rtnl_ignore_errors;
+
+static int
+spotfilter_nl_error_cb(struct sockaddr_nl *nla, struct nlmsgerr *err,
+		   void *arg)
+{
+	struct nlmsghdr *nlh = (struct nlmsghdr *) err - 1;
+	struct nlattr *tb[NLMSGERR_ATTR_MAX + 1];
+	struct nlattr *attrs;
+	int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);
+	int len = nlh->nlmsg_len;
+	const char *errstr = "(unknown)";
+
+	if (rtnl_ignore_errors)
+		return NL_STOP;
+
+	if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))
+		return NL_STOP;
+
+	if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
+		ack_len += err->msg.nlmsg_len - sizeof(*nlh);
+
+	attrs = (void *) ((unsigned char *) nlh + ack_len);
+	len -= ack_len;
+
+	nla_parse(tb, NLMSGERR_ATTR_MAX, attrs, len, NULL);
+	if (tb[NLMSGERR_ATTR_MSG])
+		errstr = nla_data(tb[NLMSGERR_ATTR_MSG]);
+
+	fprintf(stderr, "Netlink error(%d): %s\n", err->error, errstr);
+
+	return NL_STOP;
+}
+
+int rtnl_call(struct nl_msg *msg)
+{
+	int ret;
+
+	ret = nl_send_auto_complete(rtnl, msg);
+	nlmsg_free(msg);
+
+	if (ret < 0)
+		return ret;
+
+	return nl_wait_for_ack(rtnl);
+}
+
+int rtnl_fd(void)
+{
+	return nl_socket_get_fd(rtnl);
+}
+
+int rtnl_init(void)
+{
+	int fd, opt;
+
+	if (rtnl)
+		return 0;
+
+	rtnl = nl_socket_alloc();
+	if (!rtnl)
+		return -1;
+
+	if (nl_connect(rtnl, NETLINK_ROUTE))
+		goto free;
+
+	nl_socket_disable_seq_check(rtnl);
+	nl_socket_set_buffer_size(rtnl, 65536, 0);
+	nl_cb_err(nl_socket_get_cb(rtnl), NL_CB_CUSTOM, spotfilter_nl_error_cb, NULL);
+
+	fd = nl_socket_get_fd(rtnl);
+
+	opt = 1;
+	setsockopt(fd, SOL_NETLINK, NETLINK_EXT_ACK, &opt, sizeof(opt));
+
+	opt = 1;
+	setsockopt(fd, SOL_NETLINK, NETLINK_CAP_ACK, &opt, sizeof(opt));
+
+	return 0;
+
+free:
+	nl_socket_free(rtnl);
+	rtnl = NULL;
+	return -1;
+}

feeds/ucentral/spotfilter/src/snoop.c

@@ -0,0 +1,626 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#include <netinet/if_ether.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <netpacket/packet.h>
+#include <net/if.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <fnmatch.h>
+#include <resolv.h>
+
+#include <libubox/uloop.h>
+
+#include "spotfilter.h"
+
+#define FLAG_RESPONSE		0x8000
+#define FLAG_OPCODE		0x7800
+#define FLAG_AUTHORATIVE	0x0400
+#define FLAG_RCODE		0x000f
+
+#define TYPE_A			0x0001
+#define TYPE_CNAME		0x0005
+#define TYPE_PTR		0x000c
+#define TYPE_TXT		0x0010
+#define TYPE_AAAA		0x001c
+#define TYPE_SRV		0x0021
+#define TYPE_ANY		0x00ff
+
+#define IS_COMPRESSED(x)	((x & 0xc0) == 0xc0)
+
+#define CLASS_FLUSH		0x8000
+#define CLASS_UNICAST		0x8000
+#define CLASS_IN		0x0001
+
+#define MAX_NAME_LEN            256
+#define MAX_DATA_LEN            8096
+
+int spotfilter_ifb_ifindex;
+static struct uloop_fd ufd;
+static struct uloop_timeout cname_gc_timer;
+
+struct vlan_hdr {
+	uint16_t tci;
+	uint16_t proto;
+};
+
+struct packet {
+	void *head;
+	void *buffer;
+	unsigned int len;
+};
+
+struct dns_header {
+	uint16_t id;
+	uint16_t flags;
+	uint16_t questions;
+	uint16_t answers;
+	uint16_t authority;
+	uint16_t additional;
+} __packed;
+
+struct dns_question {
+	uint16_t type;
+	uint16_t class;
+} __packed;
+
+struct dns_answer {
+	uint16_t type;
+	uint16_t class;
+	uint32_t ttl;
+	uint16_t rdlength;
+} __packed;
+
+struct addr_entry_data {
+	union {
+		struct {
+			uint32_t _pad;
+			uint32_t ip4addr;
+		};
+		uint32_t ip6addr[4];
+	};
+	uint32_t timeout;
+};
+
+struct addr_entry {
+	struct avl_node node;
+	struct addr_entry_data data;
+};
+
+struct cname_entry {
+	struct avl_node node;
+	uint8_t class;
+	uint8_t age;
+};
+
+static uint32_t spotfilter_gettime(void)
+{
+	struct timespec ts;
+
+	clock_gettime(CLOCK_MONOTONIC, &ts);
+
+	return ts.tv_sec;
+}
+
+
+static void *
+pkt_peek(struct packet *pkt, unsigned int len)
+{
+	if (len > pkt->len)
+		return NULL;
+
+	return pkt->buffer;
+}
+
+
+static void *
+pkt_pull(struct packet *pkt, unsigned int len)
+{
+	void *ret = pkt_peek(pkt, len);
+
+	if (!ret)
+		return NULL;
+
+	pkt->buffer += len;
+	pkt->len -= len;
+
+	return ret;
+}
+
+static bool
+proto_is_vlan(uint16_t proto)
+{
+	return proto == ETH_P_8021Q || proto == ETH_P_8021AD;
+}
+
+static int pkt_pull_name(struct packet *pkt, const void *hdr, char *dest)
+{
+	int len;
+
+	if (dest)
+		len = dn_expand(hdr, pkt->buffer + pkt->len, pkt->buffer,
+				(void *)dest, MAX_NAME_LEN);
+	else
+		len = dn_skipname(pkt->buffer, pkt->buffer + pkt->len - 1);
+
+	if (len < 0 || !pkt_pull(pkt, len))
+		return -1;
+
+	return 0;
+}
+
+static void
+cname_cache_set(struct interface *iface, const char *name, int class)
+{
+	struct cname_entry *e;
+
+	if (class < 0)
+		return;
+
+	e = avl_find_element(&iface->cname_cache, name, e, node);
+	if (!e) {
+		char *name_buf;
+
+		e = calloc_a(sizeof(*e), &name_buf, strlen(name) + 1);
+		e->node.key = strcpy(name_buf, name);
+		avl_insert(&iface->cname_cache, &e->node);
+	}
+
+	e->age = 0;
+	e->class = (uint8_t)class;
+}
+
+static int
+cname_cache_get(struct interface *iface, const char *name, int *class)
+{
+	struct cname_entry *e;
+
+	e = avl_find_element(&iface->cname_cache, name, e, node);
+	if (!e)
+		return -1;
+
+	if (*class < 0)
+		*class = e->class;
+
+	return 0;
+}
+
+static bool
+__spotfilter_dns_whitelist_lookup(struct blob_attr *attr, const char *name, int *class)
+{
+	enum {
+		WL_ATTR_CLASS,
+		WL_ATTR_HOSTS,
+		__WL_ATTR_MAX
+	};
+	static const struct blobmsg_policy policy[__WL_ATTR_MAX] = {
+		[WL_ATTR_CLASS] = { "class", BLOBMSG_TYPE_INT32 },
+		[WL_ATTR_HOSTS] = { "hosts", BLOBMSG_TYPE_ARRAY },
+	};
+	struct blob_attr *tb[__WL_ATTR_MAX];
+	struct blob_attr *cur;
+	int rem;
+
+	blobmsg_parse(policy, __WL_ATTR_MAX, tb, blobmsg_data(attr), blobmsg_len(attr));
+
+	if (!tb[WL_ATTR_CLASS] || !tb[WL_ATTR_HOSTS])
+		return false;
+
+	blobmsg_for_each_attr(cur, tb[WL_ATTR_HOSTS], rem) {
+		if (fnmatch(blobmsg_get_string(cur), name, 0))
+			continue;
+
+		*class = blobmsg_get_u32(tb[WL_ATTR_CLASS]);
+		return true;
+	}
+
+	return false;
+}
+
+static void
+spotfilter_dns_whitelist_lookup(struct interface *iface, const char *name, int *class)
+{
+	struct blob_attr *cur;
+	int rem;
+
+	if (!iface->whitelist)
+		return;
+
+	blobmsg_for_each_attr(cur, iface->whitelist, rem) {
+		if (__spotfilter_dns_whitelist_lookup(cur, name, class))
+			return;
+	}
+}
+
+static void
+spotfilter_dns_whitelist_map_add(struct interface *iface, const struct addr_entry_data *data,
+				 bool ipv6, int class)
+{
+	struct addr_entry *e;
+	uint8_t val = (uint8_t)class;
+	int32_t delta;
+
+	if (class < 0)
+		return;
+
+	e = avl_find_element(&iface->addr_map, data, e, node);
+	if (!e) {
+		e = calloc(1, sizeof(*e));
+		memcpy(&e->data, data, sizeof(e->data));
+		e->node.key = &e->data;
+		avl_insert(&iface->addr_map, &e->node);
+	}
+
+	spotfilter_bpf_set_whitelist(iface, ipv6 ? data->ip6addr : &data->ip4addr, ipv6, &val);
+	e->data.timeout = spotfilter_gettime() + data->timeout;
+
+	delta = e->data.timeout - iface->next_gc;
+	if (iface->next_gc && delta < 0)
+		uloop_timeout_set(&iface->addr_gc, data->timeout);
+}
+
+static int
+dns_parse_question(struct interface *iface, struct packet *pkt, const void *hdr, int *class)
+{
+	char qname[MAX_NAME_LEN];
+
+	if (pkt_pull_name(pkt, hdr, qname) ||
+	    !pkt_pull(pkt, sizeof(struct dns_question)))
+		return -1;
+
+	cname_cache_get(iface, qname, class);
+	spotfilter_dns_whitelist_lookup(iface, qname, class);
+
+	return 0;
+}
+
+static int
+dns_parse_answer(struct interface *iface, struct packet *pkt, void *hdr, int *class)
+{
+	char cname[MAX_NAME_LEN];
+	struct dns_answer *a;
+	struct addr_entry_data data = {};
+	bool ipv6 = false;
+	void *rdata;
+	int len;
+
+	if (pkt_pull_name(pkt, hdr, NULL))
+		return -1;
+
+	a = pkt_pull(pkt, sizeof(*a));
+	if (!a)
+		return -1;
+
+	len = be16_to_cpu(a->rdlength);
+	rdata = pkt_pull(pkt, len);
+	if (!rdata)
+		return -1;
+
+	switch (be16_to_cpu(a->type)) {
+	case TYPE_CNAME:
+		if (dn_expand(hdr, pkt->buffer + pkt->len, rdata,
+			      cname, sizeof(cname)) < 0)
+			return -1;
+
+		spotfilter_dns_whitelist_lookup(iface, cname, class);
+		cname_cache_set(iface, cname, *class);
+		return 0;
+	case TYPE_A:
+		memcpy(&data.ip4addr, rdata, 4);
+		if (!data.ip4addr)
+			return 0;
+		break;
+	case TYPE_AAAA:
+		ipv6 = true;
+		memcpy(&data.ip6addr, rdata, 16);
+		if (!data.ip6addr[0])
+			return 0;
+		break;
+	default:
+		return 0;
+	}
+
+	if (class < 0)
+	    return 0;
+
+	data.timeout = be32_to_cpu(a->ttl);
+	spotfilter_dns_whitelist_map_add(iface, &data, ipv6, *class);
+
+	return 0;
+}
+
+static void
+spotfilter_dns_iface_recv(struct interface *iface, struct packet *pkt)
+{
+	struct dns_header *h;
+	int class = -1;
+	int i;
+
+	h = pkt_pull(pkt, sizeof(*h));
+	if (!h)
+		return;
+
+	if ((h->flags & cpu_to_be16(FLAG_RESPONSE | FLAG_OPCODE | FLAG_RCODE)) !=
+	    cpu_to_be16(FLAG_RESPONSE))
+		return;
+
+	if (h->questions != cpu_to_be16(1))
+		return;
+
+	if (dns_parse_question(iface, pkt, h, &class))
+		return;
+
+	for (i = 0; i < be16_to_cpu(h->answers); i++)
+		if (dns_parse_answer(iface, pkt, h, &class))
+			return;
+}
+
+static void
+spotfilter_dns_recv(struct packet *pkt)
+{
+	struct interface *iface;
+
+	avl_for_each_element(&interfaces, iface, node) {
+		struct packet tmp_pkt = *pkt;
+
+		spotfilter_dns_iface_recv(iface, &tmp_pkt);
+	}
+}
+
+static void
+spotfilter_parse_udp_v4(struct packet *pkt, uint16_t src_port, uint16_t dst_port)
+{
+	struct ethhdr *eth = pkt->head;
+
+	if (src_port != 67 || dst_port != 68)
+		return;
+
+	spotfilter_recv_dhcpv4(pkt->buffer, pkt->len, eth->h_dest);
+}
+
+static void
+spotfilter_packet_cb(struct packet *pkt)
+{
+	uint16_t proto, src_port, dst_port;
+	struct ethhdr *eth;
+	struct ip6_hdr *ip6;
+	struct ip *ip;
+	struct udphdr *udp;
+	bool ipv4;
+
+	eth = pkt_pull(pkt, sizeof(*eth));
+	if (!eth)
+		return;
+
+	proto = be16_to_cpu(eth->h_proto);
+	if (proto_is_vlan(proto)) {
+		struct vlan_hdr *vlan;
+
+		vlan = pkt_pull(pkt, sizeof(*vlan));
+		if (!vlan)
+			return;
+
+		proto = be16_to_cpu(vlan->proto);
+	}
+
+	switch (proto) {
+	case ETH_P_IP:
+		ip = pkt_peek(pkt, sizeof(struct ip));
+		if (!ip)
+			return;
+
+		if (!pkt_pull(pkt, ip->ip_hl * 4))
+			return;
+
+		proto = ip->ip_p;
+		ipv4 = true;
+		break;
+	case ETH_P_IPV6:
+		ip6 = pkt_pull(pkt, sizeof(*ip6));
+		if (!ip6)
+			return;
+
+		proto = ip6->ip6_nxt;
+		if (proto == IPPROTO_ICMPV6) {
+			if (ip6->ip6_hlim != 255)
+				return;
+
+			spotfilter_recv_icmpv6(pkt->buffer, pkt->len, eth->h_source, eth->h_dest);
+			return;
+		}
+		break;
+	default:
+		return;
+	}
+
+	if (proto != IPPROTO_UDP)
+		return;
+
+	udp = pkt_pull(pkt, sizeof(struct udphdr));
+	if (!udp)
+		return;
+
+	src_port = ntohs(udp->uh_sport);
+	dst_port = ntohs(udp->uh_dport);
+
+	if (ipv4)
+		spotfilter_parse_udp_v4(pkt, src_port, dst_port);
+
+	if (src_port == 53)
+		spotfilter_dns_recv(pkt);
+}
+
+static void
+spotfilter_socket_cb(struct uloop_fd *fd, unsigned int events)
+{
+	static uint8_t buf[8192];
+	struct packet pkt = {
+		.head = buf,
+		.buffer = buf,
+	};
+	int len;
+
+retry:
+	len = recvfrom(fd->fd, buf, sizeof(buf), MSG_DONTWAIT, NULL, NULL);
+	if (len < 0) {
+		if (errno == EINTR)
+			goto retry;
+		return;
+	}
+
+	if (!len)
+		return;
+
+	pkt.len = len;
+	spotfilter_packet_cb(&pkt);
+}
+
+static int
+spotfilter_open_socket(void)
+{
+	struct sockaddr_ll sll = {
+		.sll_family = AF_PACKET,
+		.sll_protocol = htons(ETH_P_ALL),
+	};
+	int sock;
+
+	sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+	if (sock == -1) {
+		ULOG_ERR("failed to create raw socket: %s\n", strerror(errno));
+		return -1;
+	}
+
+	sll.sll_ifindex = if_nametoindex(SPOTFILTER_IFB_NAME);
+	if (bind(sock, (struct sockaddr *)&sll, sizeof(sll))) {
+		ULOG_ERR("failed to bind socket to "SPOTFILTER_IFB_NAME": %s\n",
+			 strerror(errno));
+		goto error;
+	}
+
+	fcntl(sock, F_SETFL, fcntl(sock, F_GETFL) | O_NONBLOCK);
+
+	ufd.fd = sock;
+	ufd.cb = spotfilter_socket_cb;
+	uloop_fd_add(&ufd, ULOOP_READ);
+
+	return 0;
+
+error:
+	close(sock);
+	return -1;
+}
+
+
+static void
+spotfilter_addr_gc(struct uloop_timeout *t)
+{
+	struct interface *iface = container_of(t, struct interface, addr_gc);
+	struct addr_entry *e, *tmp;
+	uint32_t now = spotfilter_gettime();
+	int32_t timeout = 0;
+
+	iface->next_gc = 0;
+	avl_for_each_element_safe(&iface->addr_map, e, node, tmp) {
+		const void *addr = e->data.ip6addr[0] ? &e->data.ip6addr[0] : &e->data.ip4addr;
+		bool ipv6 = !!e->data.ip6addr[0];
+		int32_t cur_timeout;
+
+		cur_timeout = e->data.timeout - now;
+		if (cur_timeout <= 0) {
+			if (!spotfilter_bpf_whitelist_seen(iface, addr, ipv6)) {
+				spotfilter_bpf_set_whitelist(iface, addr, ipv6, NULL);
+				avl_delete(&iface->addr_map, &e->node);
+				free(e);
+				continue;
+			}
+
+			e->data.timeout = now + iface->active_timeout;
+		}
+
+		if (!timeout || cur_timeout < timeout) {
+			timeout = cur_timeout;
+			iface->next_gc = e->data.timeout;
+		}
+	}
+
+	if (!timeout)
+		return;
+
+	uloop_timeout_set(&iface->addr_gc, timeout * 1000);
+}
+
+static void
+spotfilter_cname_cache_gc(struct uloop_timeout *timeout)
+{
+	struct interface *iface;
+	struct cname_entry *e, *tmp;
+
+	avl_for_each_element(&interfaces, iface, node) {
+		avl_for_each_element_safe(&iface->cname_cache, e, node, tmp) {
+			if (e->age++ < 5)
+				continue;
+
+			avl_delete(&iface->cname_cache, &e->node);
+			free(e);
+		}
+	}
+
+	uloop_timeout_set(timeout, 1000);
+}
+
+static int avl_addr_cmp(const void *k1, const void *k2, void *ptr)
+{
+	return memcmp(k1, k2, 16);
+}
+
+
+void spotfilter_dns_init(struct interface *iface)
+{
+	avl_init(&iface->cname_cache, avl_strcmp, false, NULL);
+	avl_init(&iface->addr_map, avl_addr_cmp, false, NULL);
+	iface->addr_gc.cb = spotfilter_addr_gc;
+}
+
+void spotfilter_dns_free(struct interface *iface)
+{
+	struct cname_entry *e, *tmp;
+
+	avl_remove_all_elements(&iface->cname_cache, e, node, tmp)
+		free(e);
+}
+
+int spotfilter_dev_init(void)
+{
+	cname_gc_timer.cb = spotfilter_cname_cache_gc;
+	spotfilter_cname_cache_gc(&cname_gc_timer);
+
+	spotfilter_dev_done();
+
+	if (spotfilter_run_cmd("ip link add "SPOTFILTER_IFB_NAME" type ifb", false) ||
+	    spotfilter_run_cmd("ip link set dev "SPOTFILTER_IFB_NAME" up", false) ||
+	    spotfilter_open_socket())
+		return -1;
+
+	spotfilter_ifb_ifindex = if_nametoindex(SPOTFILTER_IFB_NAME);
+
+	return 0;
+}
+
+void spotfilter_dev_done(void)
+{
+	if (ufd.registered) {
+		uloop_fd_delete(&ufd);
+		close(ufd.fd);
+	}
+
+	spotfilter_run_cmd("ip link del "SPOTFILTER_IFB_NAME, true);
+}

feeds/ucentral/spotfilter/src/spotfilter-bpf.c

@@ -0,0 +1,287 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#define KBUILD_MODNAME "foo"
+#include <uapi/linux/bpf.h>
+#include <uapi/linux/if_ether.h>
+#include <uapi/linux/if_packet.h>
+#include <uapi/linux/ip.h>
+#include <uapi/linux/ipv6.h>
+#include <uapi/linux/in.h>
+#include <uapi/linux/tcp.h>
+#include <uapi/linux/udp.h>
+#include <uapi/linux/icmpv6.h>
+#include <uapi/linux/filter.h>
+#include <uapi/linux/pkt_cls.h>
+#include <linux/ip.h>
+#include <net/ipv6.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+#include "bpf_skb_utils.h"
+#include "spotfilter-bpf.h"
+
+static const volatile struct spotfilter_bpf_config config = {};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(key_size, sizeof(uint32_t));
+	__type(value, struct spotfilter_bpf_class);
+	__uint(max_entries, SPOTFILTER_NUM_CLASS);
+} class SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(key_size, sizeof(struct spotfilter_client_key));
+	__type(value, struct spotfilter_client_data);
+	__uint(max_entries, 1000);
+	__uint(map_flags, BPF_F_NO_PREALLOC);
+} client SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(key_size, sizeof(struct in_addr));
+	__type(value, struct spotfilter_whitelist_entry);
+	__uint(max_entries, 10000);
+	__uint(map_flags, BPF_F_NO_PREALLOC);
+} whitelist_ipv4 SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(key_size, sizeof(struct in6_addr));
+	__type(value, struct spotfilter_whitelist_entry);
+	__uint(max_entries, 10000);
+	__uint(map_flags, BPF_F_NO_PREALLOC);
+} whitelist_ipv6 SEC(".maps");
+
+static bool
+is_dhcpv4_port(uint16_t port)
+{
+	return port == bpf_htons(67) || port == bpf_htons(68);
+}
+
+static __always_inline bool
+check_ipv4_control(struct skb_parser_info *info)
+{
+	struct udphdr *udph;
+
+	if (info->proto != IPPROTO_UDP)
+		return false;
+
+	udph = skb_info_ptr(info, sizeof(*udph));
+	if (!udph)
+		return false;
+
+	return is_dhcpv4_port(udph->source) && is_dhcpv4_port(udph->dest);
+}
+
+static bool
+is_dhcpv6_port(uint16_t port)
+{
+	return port == bpf_htons(546) || port == bpf_htons(547);
+}
+
+static bool
+is_icmpv6_control(uint8_t type)
+{
+	switch (type) {
+	case ICMPV6_PKT_TOOBIG:
+	case NDISC_ROUTER_SOLICITATION:
+	case NDISC_ROUTER_ADVERTISEMENT:
+	case NDISC_NEIGHBOUR_SOLICITATION:
+	case NDISC_NEIGHBOUR_ADVERTISEMENT:
+	case NDISC_REDIRECT:
+	case ICMPV6_MGM_QUERY:
+	case ICMPV6_MGM_REPORT:
+		return true;
+	default:
+		return false;
+	}
+}
+
+static __always_inline bool
+check_ipv6_control(struct skb_parser_info *info)
+{
+	if (info->proto == IPPROTO_UDP) {
+		struct udphdr *udph;
+
+		udph = skb_info_ptr(info, sizeof(*udph));
+		if (!udph)
+			return false;
+
+		return is_dhcpv6_port(udph->source) && is_dhcpv6_port(udph->dest);
+	}
+
+	if (info->proto == IPPROTO_ICMPV6) {
+		struct icmp6hdr *icmp6h;
+
+		icmp6h = skb_info_ptr(info, sizeof(*icmp6h));
+		if (!icmp6h)
+			return false;
+
+		return is_icmpv6_control(icmp6h->icmp6_type);
+	}
+
+	return false;
+}
+
+static __always_inline bool
+check_dns(struct skb_parser_info *info, bool ingress)
+{
+	struct udphdr *udph;
+
+	if (info->proto != IPPROTO_UDP)
+		return false;
+
+	udph = skb_info_ptr(info, sizeof(*udph));
+	if (!udph)
+		return false;
+
+	if (ingress)
+		return udph->dest == bpf_htons(53);
+
+	return udph->source == bpf_htons(53);
+}
+
+SEC("tc/egress")
+int spotfilter_out(struct __sk_buff *skb)
+{
+	struct spotfilter_client_data *cl;
+	struct skb_parser_info info;
+	struct ethhdr *eth;
+	bool is_control = false;
+	bool is_dns = false;
+
+	skb_parse_init(&info, skb);
+	eth = skb_parse_ethernet(&info);
+	if (!eth)
+		return TC_ACT_UNSPEC;
+
+	cl = bpf_map_lookup_elem(&client, eth->h_dest);
+	if (cl) {
+		if (cl->flags & SPOTFILTER_CLIENT_F_ACCT_DL)
+			cl->bytes_dl += skb->len;
+	}
+
+	skb_parse_vlan(&info);
+	if (skb_parse_ipv4(&info, sizeof(struct udphdr))) {
+		is_control = check_ipv4_control(&info);
+		is_dns = check_dns(&info, false);
+	} else if (skb_parse_ipv6(&info, sizeof(struct icmp6hdr))) {
+		is_control = check_ipv6_control(&info);
+		is_dns = check_dns(&info, false);
+	} else {
+		return TC_ACT_UNSPEC;
+	}
+
+	if (is_control || is_dns)
+		bpf_clone_redirect(skb, config.snoop_ifindex, BPF_F_INGRESS);
+
+	return TC_ACT_UNSPEC;
+}
+
+SEC("tc/ingress")
+int spotfilter_in(struct __sk_buff *skb)
+{
+	struct spotfilter_client_data *cl, cldata = {};
+	struct spotfilter_bpf_class *c, cdata;
+	struct skb_parser_info info;
+	struct ipv6hdr *ip6h;
+	struct ethhdr *eth;
+	struct iphdr *iph;
+	bool addr_match = false;
+	bool is_control = false;
+	bool has_vlan = false;
+	bool is_dns = false;
+	struct spotfilter_whitelist_entry *wl_val = NULL;
+	uint32_t cur_class;
+
+	skb_parse_init(&info, skb);
+	eth = skb_parse_ethernet(&info);
+	if (!eth)
+		return TC_ACT_UNSPEC;
+
+	cl = bpf_map_lookup_elem(&client, eth->h_source);
+	if (cl) {
+		cldata = *cl;
+		if (cl->flags & SPOTFILTER_CLIENT_F_ACCT_UL)
+			cl->bytes_ul += skb->len;
+	}
+
+	has_vlan = !!skb_parse_vlan(&info);
+	if ((iph = skb_parse_ipv4(&info, sizeof(struct udphdr))) != NULL) {
+		addr_match = iph->saddr == cldata.ip4addr;
+		is_control = check_ipv4_control(&info);
+		is_dns = check_dns(&info, true);
+
+		if (!is_control)
+			wl_val = bpf_map_lookup_elem(&whitelist_ipv4, &iph->daddr);
+	} else if ((ip6h = skb_parse_ipv6(&info, sizeof(struct icmp6hdr))) != NULL) {
+		addr_match = ipv6_addr_equal(&ip6h->saddr, (struct in6_addr *)&cldata.ip6addr);
+		if ((ip6h->saddr.s6_addr[0] & 0xe0) != 0x20)
+			addr_match = true;
+		is_control = check_ipv6_control(&info);
+		is_dns = check_dns(&info, true);
+
+		if (!is_control)
+			wl_val = bpf_map_lookup_elem(&whitelist_ipv6, &ip6h->daddr);
+	} else {
+			return TC_ACT_UNSPEC;
+	}
+
+	if (wl_val) {
+		cldata.cur_class = wl_val->val;
+		cldata.dns_class = wl_val->val;
+		wl_val->seen = 1;
+	}
+
+	if (is_control) {
+		bpf_clone_redirect(skb, config.snoop_ifindex, BPF_F_INGRESS);
+		return TC_ACT_UNSPEC;
+	}
+
+	if (!addr_match) {
+		if (!is_control)
+			return TC_ACT_SHOT;
+
+		memset(&cldata, 0, sizeof(cldata));
+	}
+
+	cur_class = is_dns ? cldata.dns_class : cldata.cur_class;
+	c = bpf_map_lookup_elem(&class, &cur_class);
+	if (c)
+		cdata = *c;
+	else
+		return TC_ACT_UNSPEC;
+
+	if (!(cdata.actions & SPOTFILTER_ACTION_VALID))
+		return TC_ACT_SHOT;
+
+	if (cdata.actions & SPOTFILTER_ACTION_SET_DEST_MAC) {
+		eth = skb_ptr(skb, 0, sizeof(*eth));
+		if (!eth)
+			return TC_ACT_UNSPEC;
+
+		memcpy(eth->h_dest, cdata.dest_mac, ETH_ALEN);
+	}
+
+	if (cdata.actions & SPOTFILTER_ACTION_FWMARK)
+		skb->mark = (skb->mark & ~cdata.fwmark_mask) | cdata.fwmark_val;
+
+	if (cdata.actions & SPOTFILTER_ACTION_REDIRECT) {
+		if (cdata.actions & SPOTFILTER_ACTION_REDIRECT_VLAN) {
+			if (has_vlan && bpf_skb_vlan_pop(skb))
+				return -1;
+
+			if (cdata.redirect_vlan_proto &&
+				bpf_skb_vlan_push(skb, cdata.redirect_vlan_proto, cdata.redirect_vlan))
+				return -1;
+		}
+
+		return bpf_redirect(cdata.redirect_ifindex, 0);
+	}
+
+	return TC_ACT_UNSPEC;
+}
+
+char _license[] SEC("license") = "GPL";

feeds/ucentral/spotfilter/src/spotfilter-bpf.h

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#ifndef __BPF_SPOTFILTER_H
+#define __BPF_SPOTFILTER_H
+
+struct spotfilter_client_key {
+	uint8_t addr[6];
+};
+
+#define SPOTFILTER_CLIENT_F_ACCT_UL	(1 << 0)
+#define SPOTFILTER_CLIENT_F_ACCT_DL	(1 << 1)
+
+struct spotfilter_client_data {
+	uint32_t ip4addr;
+	uint32_t ip6addr[4];
+	uint8_t cur_class;
+	uint8_t dns_class;
+	uint8_t flags;
+
+	uint64_t bytes_ul;
+	uint64_t bytes_dl;
+};
+
+struct spotfilter_bpf_config {
+	uint32_t snoop_ifindex;
+};
+
+struct spotfilter_whitelist_entry {
+	uint8_t val;
+	uint8_t seen;
+};
+
+#define SPOTFILTER_NUM_CLASS 16
+
+#define SPOTFILTER_ACTION_FWMARK	(1 << 0)
+#define SPOTFILTER_ACTION_REDIRECT	(1 << 1)
+#define SPOTFILTER_ACTION_REDIRECT_VLAN	(1 << 2)
+#define SPOTFILTER_ACTION_SET_DEST_MAC	(1 << 3)
+
+#define SPOTFILTER_ACTION_VALID		(1 << 15)
+
+
+struct spotfilter_bpf_class {
+	uint16_t actions;
+	uint8_t dest_mac[6];
+
+	uint32_t fwmark_val;
+	uint32_t fwmark_mask;
+
+	uint32_t redirect_ifindex;
+	uint16_t redirect_vlan;
+	uint16_t redirect_vlan_proto;
+};
+
+#endif

feeds/ucentral/spotfilter/src/spotfilter.h

@@ -0,0 +1,59 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 Felix Fietkau <nbd@nbd.name>
+ */
+#ifndef __SPOTFILTER_H
+#define __SPOTFILTER_H
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <regex.h>
+
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+
+#include <libubox/utils.h>
+#include <libubox/avl.h>
+#include <libubox/vlist.h>
+#include <libubox/blobmsg.h>
+#include <libubox/ulog.h>
+
+#include <netinet/in.h>
+
+#include "spotfilter-bpf.h"
+#include "interface.h"
+#include "bpf.h"
+#include "client.h"
+
+#define SPOTFILTER_IFB_NAME	"spotfilter-ifb"
+
+#define SPOTFILTER_PROG_PATH	"/lib/bpf/spotfilter-bpf.o"
+
+#define SPOTFILTER_PRIO_BASE	0x120
+
+extern int spotfilter_ifb_ifindex;
+struct nl_msg;
+
+int rtnl_init(void);
+int rtnl_fd(void);
+int rtnl_call(struct nl_msg *msg);
+
+int spotfilter_run_cmd(char *cmd, bool ignore_error);
+
+int spotfilter_ubus_init(void);
+void spotfilter_ubus_stop(void);
+void spotfilter_ubus_notify(struct interface *iface, struct client *cl, const char *type);
+
+int spotfilter_dev_init(void);
+void spotfilter_dev_done(void);
+
+void spotfilter_dns_init(struct interface *iface);
+void spotfilter_dns_free(struct interface *iface);
+
+void spotfilter_recv_dhcpv4(const void *msg, int len, const void *eth_addr);
+void spotfilter_recv_icmpv6(const void *data, int len, const uint8_t *src, const uint8_t *dest);
+
+int spotfilter_nl80211_init(void);
+void spotfilter_nl80211_done(void);
+
+#endif