diff --git a/package/gluon-client-bridge/Makefile b/package/gluon-client-bridge/Makefile
index ccf1bcd8b344c5451c403a792863ba6b06476b12..19a0e3a4cd09cd1ad8102682cd8a1278fadff469 100644
--- a/package/gluon-client-bridge/Makefile
+++ b/package/gluon-client-bridge/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-client-bridge
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Provides a bridge and a wireless interface for clients to connect to
-  DEPENDS:=+gluon-core +kmod-veth
+  DEPENDS:=+gluon-core +kmod-veth +@GLUON_SPECIALIZE_KERNEL:KERNEL_VETH
 endef
 
 $(eval $(call BuildPackageGluon,gluon-client-bridge))
diff --git a/package/gluon-core/Config.in b/package/gluon-core/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..9def3c299cfa7cb1a0149dd19548fcbbadfdec25
--- /dev/null
+++ b/package/gluon-core/Config.in
@@ -0,0 +1,338 @@
+config KERNEL_NET_IP_TUNNEL
+	bool
+
+config KERNEL_NET_UDP_TUNNEL
+	bool
+
+config KERNEL_VXLAN
+	bool
+	select KERNEL_NET_IP_TUNNEL
+	select KERNEL_NET_UDP_TUNNEL
+
+config KERNEL_VETH
+	bool
+
+
+# for fastd
+
+config KERNEL_TUN
+	bool
+
+
+# for tunneldigger
+
+config KERNEL_L2TP_V3
+	bool
+
+config KERNEL_L2TP_IP
+	bool
+
+config KERNEL_L2TP_ETH
+	bool
+
+config KERNEL_L2TP
+	bool
+	select KERNEL_L2TP_V3
+	select KERNEL_L2TP_IP
+	select KERNEL_L2TP_ETH
+
+
+# for simple-tc
+
+config KERNEL_NET_SCHED
+	bool
+
+config KERNEL_NET_CLS
+	bool
+	select KERNEL_NET_SCHED
+
+config KERNEL_NET_CLS_ACT
+	bool
+	select KERNEL_NET_CLS
+
+config KERNEL_NET_CLS_BASIC
+	bool
+	select KERNEL_NET_CLS
+
+config KERNEL_NET_SCH_TBF
+	bool
+	select KERNEL_NET_SCHED
+
+config KERNEL_NET_SCH_INGRESS
+	bool
+	select KERNEL_NET_CLS_ACT
+
+
+# for batman-adv
+
+config KERNEL_DUMMY
+	bool
+
+config KERNEL_CRC16
+	bool
+
+config KERNEL_LIBCRC32C
+	bool
+
+
+# Netfilter modules used by ebtables and fw3
+
+config KERNEL_NETFILTER
+	bool
+
+config KERNEL_NETFILTER_ADVANCED
+	bool
+	select KERNEL_NETFILTER
+
+config KERNEL_NETFILTER_XTABLES
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_BRIDGE_NF_EBTABLES
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_BRIDGE_EBT_T_FILTER
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_T_NAT
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_ARP
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_IP
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_IP6
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_LIMIT
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_MARK
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_MARK_T
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+
+# Not all of the following modules are really required for Gluon, but fw3 pulls
+# them in, so we add them to the kernel config to reduce the number of loaded
+# modules
+
+# kmod-nf-conntrack
+
+config KERNEL_NF_CONNTRACK
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_NF_CONNTRACK_RTCACHE
+	bool
+	select KERNEL_NF_CONNTRACK
+
+config KERNEL_NF_CONNTRACK_IPV4
+	bool
+	select KERNEL_NF_CONNTRACK
+
+
+# kmod-nf-conntrack6
+
+config KERNEL_NF_CONNTRACK_IPV6
+	bool
+	select KERNEL_NF_CONNTRACK
+
+
+# kmod-nf-ipt
+
+config KERNEL_NF_REJECT_IPV4
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_IP_NF_IPTABLES
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_REJECT_IPV4
+
+
+# kmod-nf-ipt6
+
+config KERNEL_NF_REJECT_IPV6
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_IP6_NF_IPTABLES
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_REJECT_IPV6
+
+
+# kmod-nf-nat
+
+config KERNEL_NF_NAT
+	bool
+	select KERNEL_NF_CONNTRACK
+
+config KERNEL_NF_NAT_REDIRECT
+	bool
+	select KERNEL_NF_NAT
+
+config KERNEL_NF_NAT_IPV4
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+	select KERNEL_NF_NAT
+
+config KERNEL_NF_NAT_MASQUERADE_IPV4
+	bool
+	select KERNEL_NF_NAT_IPV4
+
+
+# kmod-ipt-core
+
+config KERNEL_IP_NF_FILTER
+	bool
+	select KERNEL_IP_NF_IPTABLES
+
+config KERNEL_IP_NF_MANGLE
+	bool
+	select KERNEL_IP_NF_IPTABLES
+
+config KERNEL_IP_NF_TARGET_REJECT
+	bool
+	select KERNEL_IP_NF_FILTER
+
+config KERNEL_NETFILTER_XT_MATCH_LIMIT
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_MAC
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_MULTIPORT
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_COMMENT
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_TIME
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MARK
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_TARGET_LOG
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_TARGET_TCPMSS
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+# kmod-ip6tables
+
+config KERNEL_IP6_NF_FILTER
+	bool
+	select KERNEL_IP6_NF_IPTABLES
+
+config KERNEL_IP6_NF_MANGLE
+	bool
+	select KERNEL_IP6_NF_IPTABLES
+
+config KERNEL_IP6_NF_TARGET_REJECT
+	bool
+	select KERNEL_IP6_NF_IPTABLES
+
+
+# kmod-ipt-conntrack
+
+config KERNEL_NETFILTER_XT_MATCH_STATE
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_CONNTRACK
+
+config KERNEL_NETFILTER_XT_MATCH_CONNTRACK
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_CONNTRACK
+
+
+# kmod-ipt-nat
+
+config KERNEL_IP_NF_NAT
+	bool
+	select KERNEL_NF_NAT
+	select KERNEL_IP_NF_IPTABLES
+
+config KERNEL_IP_NF_TARGET_MASQUERADE
+	bool
+	select KERNEL_NF_NAT_MASQUERADE_IPV4
+	select KERNEL_IP_NF_NAT
+
+config KERNEL_IP_NF_TARGET_REDIRECT
+	bool
+	select KERNEL_NF_NAT
+	select KERNEL_IP_NF_NAT
+
+
+# kmod-ipt-extra
+
+config KERNEL_NETFILTER_XT_MATCH_ADDRTYPE
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_OWNER
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_PKTTYPE
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_QUOTA
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+
+config GLUON_SPECIALIZE_KERNEL
+	bool "Specialize kernel for Gluon"
+	select KERNEL_VXLAN
+	select KERNEL_NF_CONNTRACK_RTCACHE
+	select KERNEL_NF_CONNTRACK_IPV4
+	select KERNEL_NF_CONNTRACK_IPV6
+	select KERNEL_IP_NF_IPTABLES
+	select KERNEL_IP6_NF_IPTABLES
+	select KERNEL_NF_NAT_REDIRECT
+	select KERNEL_NF_NAT_IPV4
+	select KERNEL_NF_NAT_MASQUERADE_IPV4
+	select KERNEL_IP_NF_FILTER
+	select KERNEL_IP_NF_MANGLE
+	select KERNEL_IP_NF_TARGET_REJECT
+	select KERNEL_IP6_NF_FILTER
+	select KERNEL_IP6_NF_MANGLE
+	select KERNEL_IP6_NF_TARGET_REJECT
+	select KERNEL_NETFILTER_XT_MATCH_LIMIT
+	select KERNEL_NETFILTER_XT_MATCH_MAC
+	select KERNEL_NETFILTER_XT_MATCH_MULTIPORT
+	select KERNEL_NETFILTER_XT_MATCH_COMMENT
+	select KERNEL_NETFILTER_XT_MATCH_TIME
+	select KERNEL_NETFILTER_XT_MARK
+	select KERNEL_NETFILTER_XT_TARGET_LOG
+	select KERNEL_NETFILTER_XT_TARGET_TCPMSS
+	select KERNEL_NETFILTER_XT_MATCH_STATE
+	select KERNEL_NETFILTER_XT_MATCH_CONNTRACK
+	select KERNEL_IP_NF_NAT
+	select KERNEL_IP_NF_TARGET_MASQUERADE
+	select KERNEL_IP_NF_TARGET_REDIRECT
diff --git a/package/gluon-core/Makefile b/package/gluon-core/Makefile
index 39218d667d91c324253fa89219d86cf7f523af84..f220b9f463cf5a6005a60d5ad5d37462c5a2ed4a 100644
--- a/package/gluon-core/Makefile
+++ b/package/gluon-core/Makefile
@@ -23,6 +23,10 @@ define Package/gluon-core/description
 	Gluon community wifi mesh firmware framework: core
 endef
 
+define Package/gluon-core/config
+        source "$(SOURCE)/Config.in"
+endef
+
 define Package/gluon-core/install
 	$(Gluon/Build/Install)
 
diff --git a/package/gluon-ebtables-limit-arp/Makefile b/package/gluon-ebtables-limit-arp/Makefile
index 4562c62788c6e4b513c957ebf165b30bf28e9929..a356b832bbf47ab8c11e9bf8174ee22f253da354 100644
--- a/package/gluon-ebtables-limit-arp/Makefile
+++ b/package/gluon-ebtables-limit-arp/Makefile
@@ -10,7 +10,10 @@ define Package/gluon-ebtables-limit-arp
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Ebtables limiter for ARP packets
-  DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
+  DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_LIMIT \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_MARK \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_MARK_T
 endef
 
 define Package/gluon-ebtables-limit-arp/description
diff --git a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c b/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
index cbb6faf21fcc76bc841e5600596594bfba4da0d9..9c764006d6247a7ebe90d178fecac7128409aea6 100644
--- a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
+++ b/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
@@ -18,7 +18,7 @@
 
 #define BATCTL_DC "/usr/sbin/batctl dc -H -n"
 #define BATCTL_TL "/usr/sbin/batctl tl -H -n"
-#define EBTABLES "/usr/sbin/ebtables --concurrent"
+#define EBTABLES "/usr/sbin/ebtables-tiny"
 
 #define BUILD_BUG_ON(check) ((void)sizeof(int[1-2*!!(check)]))
 
diff --git a/package/gluon-ebtables/Makefile b/package/gluon-ebtables/Makefile
index f5ee0e38a796aa3035f3c5a4b0d9b8addd0cb9e1..3a2fffdc763eae25a041aaf760b6cfaf44e4c2c7 100644
--- a/package/gluon-ebtables/Makefile
+++ b/package/gluon-ebtables/Makefile
@@ -4,13 +4,23 @@ PKG_NAME:=gluon-ebtables
 PKG_VERSION:=1
 PKG_RELEASE:=1
 
+PKG_CONFIG_DEPENDS := CONFIG_GLUON_SPECIALIZE_KERNEL
+
 include ../gluon.mk
 
 define Package/gluon-ebtables
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Ebtables support
-  DEPENDS:=+gluon-core +ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 +kmod-ipt-core
+  DEPENDS:=+gluon-core +ebtables-tiny \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_T_FILTER \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_T_NAT \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_ARP \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_IP \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_IP6 \
+	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables \
+	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables-ipv4 \
+	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables-ipv6
 endef
 
 define Package/gluon-ebtables/description
diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
index 40c9e061c85be9484963b302da94ae03927c6e2b..60add180f687ec08c91272d373bb9bd5c97d7b1e 100755
--- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+++ b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
@@ -7,13 +7,13 @@
 # rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP
 #
 # Removing all rules:
-# $ ./firewall-ebtables stop
+# $ /etc/init.d/gluon-ebtables stop
 # Inserting all rules:
-# $ ./firewall-ebtables start
+# $ /etc/init.d/gluon-ebtables start
 # Inserting a specific rule file:
-# $ ./firewall-ebtables start /lib/gluon/ebtables/100-mcast-chain
+# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain
 # Removing a specific rule file:
-# $ ./firewall-ebtables stop /lib/gluon/ebtables/100-mcast-chain
+# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain
 
 
 START=19
@@ -51,8 +51,8 @@ exec_all() {
 
 start() {
 	(
-		export EBTABLES_RULE='"ebtables --concurrent -t " .. table .. " -A " .. command'
-		export EBTABLES_CHAIN='"ebtables --concurrent -t " .. table .. "  -N " .. name .. " -P " .. policy'
+		export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command'
+		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. "  -N " .. name .. " -P " .. policy'
 
 		# Contains /var/lib/ebtables/lock for '--concurrent'
 		[ ! -d "/var/lib/ebtables" ] && \
@@ -68,8 +68,8 @@ start() {
 
 stop() {
 	(
-		export EBTABLES_RULE='"ebtables --concurrent -t " ..	table .. " -D " .. command'
-		export EBTABLES_CHAIN='"ebtables --concurrent -t " .. table .. " -X " .. name'
+		export EBTABLES_RULE='"ebtables-tiny -t " ..	table .. " -D " .. command'
+		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name'
 
 		if [ -z "$1" ]; then
 			exec_all '-r'
diff --git a/package/gluon-mesh-batman-adv/Makefile b/package/gluon-mesh-batman-adv/Makefile
index 22355798b5d289d5cb29f0ee0526297ca4f7a1d6..a8c4801ddfe39416618ac1536789b8d54f7475e1 100644
--- a/package/gluon-mesh-batman-adv/Makefile
+++ b/package/gluon-mesh-batman-adv/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-mesh-batman-adv/common
   SECTION:=gluon
   CATEGORY:=Gluon
   PROVIDES:=gluon-mesh-batman-adv
-  DEPENDS:=+gluon-core +libgluonutil +gluon-client-bridge +gluon-ebtables +firewall +libiwinfo +kmod-dummy +libnl-tiny +libbatadv
+  DEPENDS:=+gluon-core +libgluonutil +gluon-client-bridge +gluon-ebtables +firewall +libiwinfo +kmod-dummy +libnl-tiny +libbatadv +@GLUON_SPECIALIZE_KERNEL:KERNEL_DUMMY +@GLUON_SPECIALIZE_KERNEL:KERNEL_CRC16 +@GLUON_SPECIALIZE_KERNEL:KERNEL_LIBCRC32C
 endef
 
 define Package/gluon-mesh-batman-adv-14
diff --git a/package/gluon-mesh-vpn-core/Makefile b/package/gluon-mesh-vpn-core/Makefile
index 263ec217347ac9e0788a6c7e316156b30b408263..885905738ef72a803d0f4d096a53af9c08c8945e 100644
--- a/package/gluon-mesh-vpn-core/Makefile
+++ b/package/gluon-mesh-vpn-core/Makefile
@@ -9,7 +9,14 @@ define Package/gluon-mesh-vpn-core
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Basic support for connecting meshes via VPN tunnels
-  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables +iptables-mod-extra +simple-tc
+  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables +iptables-mod-extra +simple-tc \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_ADDRTYPE \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_OWNER \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_PKTTYPE \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_QUOTA \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_CLS_BASIC \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_TBF \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_INGRESS
   USERID:=:gluon-mesh-vpn=800
 endef
 
diff --git a/package/gluon-mesh-vpn-fastd/Makefile b/package/gluon-mesh-vpn-fastd/Makefile
index 50b35e5acc3a5d4981af58d7754fd5c3136996ed..477cd48e8e9bd6cfa10fb69ce344b366b43a1b3f 100644
--- a/package/gluon-mesh-vpn-fastd/Makefile
+++ b/package/gluon-mesh-vpn-fastd/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-mesh-vpn-fastd
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for connecting meshes via fastd
-  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd
+  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd +@GLUON_SPECIALIZE_KERNEL:KERNEL_TUN
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd))
diff --git a/package/gluon-mesh-vpn-tunneldigger/Makefile b/package/gluon-mesh-vpn-tunneldigger/Makefile
index 8b8099b147746f36b0edd595d11d7bfd67237db5..d463db414208bd94019ac59b05fba3a5303c71ab 100644
--- a/package/gluon-mesh-vpn-tunneldigger/Makefile
+++ b/package/gluon-mesh-vpn-tunneldigger/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-mesh-vpn-tunneldigger
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for connecting meshes via tunneltigger/L2TPv3 pseudowire
-  DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger
+  DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger +@GLUON_SPECIALIZE_KERNEL:KERNEL_L2TP
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-vpn-tunneldigger))
diff --git a/package/gluon-radv-filterd/src/gluon-radv-filterd.c b/package/gluon-radv-filterd/src/gluon-radv-filterd.c
index 990885ea889196b1a0df414382a871066bf74e20..5fcab43925b3c4aba1d60cbd4b46ab9521067bb0 100644
--- a/package/gluon-radv-filterd/src/gluon-radv-filterd.c
+++ b/package/gluon-radv-filterd/src/gluon-radv-filterd.c
@@ -168,11 +168,11 @@ static void cleanup(void) {
 	if (G.chain) {
 		/* Reset chain to accept everything again */
 		if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
-				{ "ebtables", "--concurrent", "-F", G.chain, NULL }))
+				{ "ebtables-tiny", "-F", G.chain, NULL }))
 			DEBUG_MSG("warning: flushing ebtables chain %s failed, not adding a new rule", G.chain);
 
 		if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
-				{ "ebtables", "--concurrent", "-A", G.chain, "-j", "ACCEPT", NULL }))
+				{ "ebtables-tiny", "-A", G.chain, "-j", "ACCEPT", NULL }))
 			DEBUG_MSG("warning: adding new rule to ebtables chain %s failed", G.chain);
 	}
 }
@@ -720,10 +720,10 @@ static void update_ebtables(void) {
 	G.best_router = router;
 
 	if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
-			{ "ebtables", "--concurrent", "-F", G.chain, NULL }))
+			{ "ebtables-tiny", "-F", G.chain, NULL }))
 		error_message(0, 0, "warning: flushing ebtables chain %s failed, not adding a new rule", G.chain);
 	else if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
-			{ "ebtables", "--concurrent", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL }))
+			{ "ebtables-tiny", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL }))
 		error_message(0, 0, "warning: adding new rule to ebtables chain %s failed", G.chain);
 }
 
diff --git a/package/gluon-radv-filterd/src/respondd.c b/package/gluon-radv-filterd/src/respondd.c
index 7e65a3d951d9f1210b26420f341f938087dba588..8c2c7eb428f13180182f8ee2542f5778411a8c27 100644
--- a/package/gluon-radv-filterd/src/respondd.c
+++ b/package/gluon-radv-filterd/src/respondd.c
@@ -8,7 +8,7 @@
 #include "mac.h"
 
 static struct json_object * get_radv_filter() {
-	FILE *f = popen("exec ebtables --concurrent -L RADV_FILTER", "r");
+	FILE *f = popen("exec ebtables-tiny -L RADV_FILTER", "r");
 	char *line = NULL;
 	size_t len = 0;
 	struct ether_addr mac = {};
diff --git a/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch b/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6f9d915fb50bdef7f031520900ca2cee9e42161f
--- /dev/null
+++ b/patches/lede/0074-kernel-change-dependency-of-kmod-ebtables-on-kmod-ebtables-to-selecting.patch
@@ -0,0 +1,23 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 18:51:57 +0200
+Subject: kernel: change dependency of kmod-ebtables-* on kmod-ebtables to selecting
+
+Non-selecting dependencies easily lead to Kconfig failures due to recursive
+dependencies. We hit such an issue in Gluon; the easiest fix is to make
+the dependency selecting.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index bb882363f3df4df733424ca6bba72badc96f06f8..c1d08a54037e6b33834566dac58308f64a427ecd 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -707,7 +707,7 @@ $(eval $(call KernelPackage,ebtables))
+ 
+ define AddDepends/ebtables
+   SUBMENU:=$(NF_MENU)
+-  DEPENDS+=kmod-ebtables $(1)
++  DEPENDS+= +kmod-ebtables $(1)
+ endef
+ 
+ 
diff --git a/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch b/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c08c7819179d2bf63b2add139159f92c7a8290b8
--- /dev/null
+++ b/patches/lede/0075-kernel-unhide-kmod-br-netfilter.patch
@@ -0,0 +1,21 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 18:56:53 +0200
+Subject: kernel: unhide kmod-br-netfilter
+
+kmod-br-netfilter is not only a support module, but can be useful on its
+own, using the net.bridge.bridge-nf-call-* sysctls.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index c1d08a54037e6b33834566dac58308f64a427ecd..275147b8757a42c00de14502a072c8384a0526ab 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -672,7 +672,6 @@ $(eval $(call KernelPackage,arptables))
+ define KernelPackage/br-netfilter
+   SUBMENU:=$(NF_MENU)
+   TITLE:=Bridge netfilter support modules
+-  HIDDEN:=1
+   DEPENDS:=+kmod-ipt-core +kmod-bridge
+   FILES:=$(LINUX_DIR)/net/bridge/br_netfilter.ko
+   KCONFIG:=CONFIG_BRIDGE_NETFILTER
diff --git a/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch b/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
new file mode 100644
index 0000000000000000000000000000000000000000..472fe77c11ad476f45ef9d3a2e99269f26ac46e7
--- /dev/null
+++ b/patches/lede/0076-kernel-kmod-ebtables-do-not-depend-on-kmod-br-netfilter.patch
@@ -0,0 +1,22 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 19:01:56 +0200
+Subject: kernel: kmod-ebtables: do not depend on kmod-br-netfilter
+
+While ebtables can be combined with br-netfilter, there is no good reason
+to make it a dependency.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 275147b8757a42c00de14502a072c8384a0526ab..34eefcd892b9e8b3157603fa47578d0afc65dc4b 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -689,7 +689,7 @@ $(eval $(call KernelPackage,br-netfilter))
+ define KernelPackage/ebtables
+   SUBMENU:=$(NF_MENU)
+   TITLE:=Bridge firewalling modules
+-  DEPENDS:=+kmod-ipt-core +kmod-bridge +kmod-br-netfilter
++  DEPENDS:=+kmod-ipt-core +kmod-bridge
+   FILES:=$(foreach mod,$(EBTABLES-m),$(LINUX_DIR)/net/$(mod).ko)
+   KCONFIG:=$(KCONFIG_EBTABLES)
+   AUTOLOAD:=$(call AutoProbe,$(notdir $(EBTABLES-m)))
diff --git a/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch b/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8d6c61d7baaa3b9747526bcbf569176bc4295a48
--- /dev/null
+++ b/patches/lede/0077-iptables-split-physdev-match-out-as-a-separate-package.patch
@@ -0,0 +1,114 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 9 Apr 2018 19:41:26 +0200
+Subject: iptables: split physdev match out as a separate package
+
+Split physdev match out of ipt-extra to allow installing ipt-extra without
+pulling in br-netfilter.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/include/netfilter.mk b/include/netfilter.mk
+index 39c8e7c90fab2ba14cd75c80d1e357dd23ae6a1b..79ae3d5343ed77b559f50f40bb8a73a33dd13314 100644
+--- a/include/netfilter.mk
++++ b/include/netfilter.mk
+@@ -89,12 +89,14 @@ $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_CO
+ 
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, $(if $(NF_KMOD),$(P_XT)xt_addrtype,$(P_XT)ipt_addrtype)))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_OWNER, $(P_XT)xt_owner))
+-$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PKTTYPE, $(P_XT)xt_pkttype))
+ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota))
+ 
+ #$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE))
+ 
++# physdev
++
++$(eval $(call nf_add,IPT_PHYSDEV,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
+ 
+ # filter
+ 
+@@ -347,6 +349,7 @@ IPT_BUILTIN += $(NF_CONNTRACK6-y)
+ IPT_BUILTIN += $(IPT_CONNTRACK-y)
+ IPT_BUILTIN += $(IPT_CONNTRACK_EXTRA-y)
+ IPT_BUILTIN += $(IPT_EXTRA-y)
++IPT_BUILTIN += $(IPT_PHYSDEV-y)
+ IPT_BUILTIN += $(IPT_FILTER-y)
+ IPT_BUILTIN += $(IPT_IPOPT-y)
+ IPT_BUILTIN += $(IPT_IPRANGE-y)
+diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
+index 34eefcd892b9e8b3157603fa47578d0afc65dc4b..a71904673ae53bffcc9fd88291520aacb4a4f8d7 100644
+--- a/package/kernel/linux/modules/netfilter.mk
++++ b/package/kernel/linux/modules/netfilter.mk
+@@ -604,7 +604,7 @@ define KernelPackage/ipt-extra
+   KCONFIG:=$(KCONFIG_IPT_EXTRA)
+   FILES:=$(foreach mod,$(IPT_EXTRA-m),$(LINUX_DIR)/net/$(mod).ko)
+   AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_EXTRA-m)))
+-  $(call AddDepends/ipt,+kmod-br-netfilter)
++  $(call AddDepends/ipt)
+ endef
+ 
+ define KernelPackage/ipt-extra/description
+@@ -612,7 +612,6 @@ define KernelPackage/ipt-extra/description
+  Includes:
+  - addrtype
+  - owner
+- - physdev (if bridge support was enabled in kernel)
+  - pkttype
+  - quota
+ endef
+@@ -620,6 +619,21 @@ endef
+ $(eval $(call KernelPackage,ipt-extra))
+ 
+ 
++define KernelPackage/ipt-physdev
++  TITLE:=physdev module
++  KCONFIG:=$(KCONFIG_IPT_PHYSDEV)
++  FILES:=$(foreach mod,$(IPT_PHYSDEV-m),$(LINUX_DIR)/net/$(mod).ko)
++  AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_PHYSDEV-m)))
++  $(call AddDepends/ipt,+kmod-br-netfilter)
++endef
++
++define KernelPackage/ipt-physdev/description
++ The iptables physdev kernel module
++endef
++
++$(eval $(call KernelPackage,ipt-physdev))
++
++
+ define KernelPackage/ip6tables
+   SUBMENU:=$(NF_MENU)
+   TITLE:=IPv6 modules
+diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
+index 9761ed1820b5c092292d25aef28f8f9a8ffa91a6..af5ed8c6245a9d52f5aea695e71b08ac6f3e6eca 100644
+--- a/package/network/utils/iptables/Makefile
++++ b/package/network/utils/iptables/Makefile
+@@ -321,12 +321,20 @@ Other extra iptables extensions.
+   - addrtype
+   - condition
+   - owner
+-  - physdev (if ebtables is enabled)
+   - pkttype
+   - quota
+ 
+ endef
+ 
++define Package/iptables-mod-physdev
++$(call Package/iptables/Module, +kmod-ipt-physdev)
++  TITLE:=physdev iptables extension
++endef
++
++define Package/iptables-mod-physdev/description
++The iptables physdev match.
++endef
++
+ define Package/iptables-mod-led
+ $(call Package/iptables/Module, +kmod-ipt-led)
+   TITLE:=LED trigger iptables extension
+@@ -561,6 +569,7 @@ endef
+ $(eval $(call BuildPackage,iptables))
+ $(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+ $(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
++$(eval $(call BuildPlugin,iptables-mod-physdev,$(IPT_PHYSDEV-m)))
+ $(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m)))
+ $(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+ $(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
diff --git a/patches/lede/0078-ar71xx-increase-kernel-partition-size-for-UniFi-AP-Pro-and-Outdoor.patch b/patches/lede/0078-ar71xx-increase-kernel-partition-size-for-UniFi-AP-Pro-and-Outdoor.patch
new file mode 100644
index 0000000000000000000000000000000000000000..57d72f8ab85ed41441674eaef66b30c0c4fca44b
--- /dev/null
+++ b/patches/lede/0078-ar71xx-increase-kernel-partition-size-for-UniFi-AP-Pro-and-Outdoor.patch
@@ -0,0 +1,24 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 10 Apr 2018 15:19:52 +0200
+Subject: ar71xx: increase kernel partition size for UniFi AP Pro and Outdoor+
+
+Tested on UAP Outdoor+.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/target/linux/ar71xx/image/ubnt.mk b/target/linux/ar71xx/image/ubnt.mk
+index 65ed708459e7e6026713437430fc248c692cd070..ef50aa99541b8220eac71b2f1b1a33419fdab987 100644
+--- a/target/linux/ar71xx/image/ubnt.mk
++++ b/target/linux/ar71xx/image/ubnt.mk
+@@ -253,9 +253,9 @@ TARGET_DEVICES += ubnt-rs ubnt-rspro ubnt-ls-sr71
+ 
+ define Device/ubnt-uap-pro
+   DEVICE_TITLE := Ubiquiti UAP Pro
+-  KERNEL_SIZE := 1536k
++  KERNEL_SIZE := 1792k
+   IMAGE_SIZE := 15744k
+-  MTDPARTS := spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1536k(kernel),14208k(rootfs),256k(cfg)ro,64k(EEPROM)ro,15744k@0x50000(firmware)
++  MTDPARTS := spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1792k(kernel),13952k(rootfs),256k(cfg)ro,64k(EEPROM)ro,15744k@0x50000(firmware)
+   UBNT_TYPE := BZ
+   UBNT_CHIP := ar934x
+   BOARDNAME := UAP-PRO
diff --git a/patches/lede/0079-firmware-utils-tplink-safeloader-move-CPE-WBS-210-510-version-metainfo-to-the-end.patch b/patches/lede/0079-firmware-utils-tplink-safeloader-move-CPE-WBS-210-510-version-metainfo-to-the-end.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dbe58d7b9ce080b0318dde727db921bff4882aae
--- /dev/null
+++ b/patches/lede/0079-firmware-utils-tplink-safeloader-move-CPE-WBS-210-510-version-metainfo-to-the-end.patch
@@ -0,0 +1,109 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 10 Apr 2018 17:26:34 +0200
+Subject: firmware-utils: tplink-safeloader: move CPE/WBS 210/510 version metainfo to the end
+
+Having the metainfo between kernel and rootfs prevents us from resizing
+the kernel partition as necessary.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/tools/firmware-utils/src/tplink-safeloader.c b/tools/firmware-utils/src/tplink-safeloader.c
+index 11ff2e56e19ec3780f988baf7257810530165b23..2a2329d1f188ea8520b6a4aeef25937e05d48a06 100644
+--- a/tools/firmware-utils/src/tplink-safeloader.c
++++ b/tools/firmware-utils/src/tplink-safeloader.c
+@@ -139,10 +139,10 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x170000},
+-			{"soft-version", 0x1b0000, 0x00100},
+-			{"support-list", 0x1b1000, 0x00400},
+-			{"file-system", 0x1c0000, 0x600000},
++			{"os-image", 0x40000, 0x180000},
++			{"file-system", 0x1c0000, 0x5f0000},
++			{"soft-version", 0x7b0000, 0x00100},
++			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+ 			{"default-config", 0x7d0000, 0x10000},
+ 			{"log", 0x7e0000, 0x10000},
+@@ -151,7 +151,7 @@ static struct device_info boards[] = {
+ 		},
+ 
+ 		.first_sysupgrade_partition = "os-image",
+-		.last_sysupgrade_partition = "file-system",
++		.last_sysupgrade_partition = "support-list",
+ 	},
+ 
+ 	/** Firmware layout for the CPE510/520 */
+@@ -177,10 +177,10 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x170000},
+-			{"soft-version", 0x1b0000, 0x00100},
+-			{"support-list", 0x1b1000, 0x00400},
+-			{"file-system", 0x1c0000, 0x600000},
++			{"os-image", 0x40000, 0x180000},
++			{"file-system", 0x1c0000, 0x5f0000},
++			{"soft-version", 0x7b0000, 0x00100},
++			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+ 			{"default-config", 0x7d0000, 0x10000},
+ 			{"log", 0x7e0000, 0x10000},
+@@ -189,7 +189,7 @@ static struct device_info boards[] = {
+ 		},
+ 
+ 		.first_sysupgrade_partition = "os-image",
+-		.last_sysupgrade_partition = "file-system",
++		.last_sysupgrade_partition = "support-list",
+ 	},
+ 
+ 	{
+@@ -209,10 +209,10 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x170000},
+-			{"soft-version", 0x1b0000, 0x00100},
+-			{"support-list", 0x1b1000, 0x00400},
+-			{"file-system", 0x1c0000, 0x600000},
++			{"os-image", 0x40000, 0x180000},
++			{"file-system", 0x1c0000, 0x5f0000},
++			{"soft-version", 0x7b0000, 0x00100},
++			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+ 			{"default-config", 0x7d0000, 0x10000},
+ 			{"log", 0x7e0000, 0x10000},
+@@ -221,7 +221,7 @@ static struct device_info boards[] = {
+ 		},
+ 
+ 		.first_sysupgrade_partition = "os-image",
+-		.last_sysupgrade_partition = "file-system",
++		.last_sysupgrade_partition = "support-list",
+ 	},
+ 
+ 	{
+@@ -241,10 +241,10 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x170000},
+-			{"soft-version", 0x1b0000, 0x00100},
+-			{"support-list", 0x1b1000, 0x00400},
+-			{"file-system", 0x1c0000, 0x600000},
++			{"os-image", 0x40000, 0x180000},
++			{"file-system", 0x1c0000, 0x5f0000},
++			{"soft-version", 0x7b0000, 0x00100},
++			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+ 			{"default-config", 0x7d0000, 0x10000},
+ 			{"log", 0x7e0000, 0x10000},
+@@ -253,7 +253,7 @@ static struct device_info boards[] = {
+ 		},
+ 
+ 		.first_sysupgrade_partition = "os-image",
+-		.last_sysupgrade_partition = "file-system",
++		.last_sysupgrade_partition = "support-list",
+ 	},
+ 
+ 	/** Firmware layout for the C2600 */
diff --git a/patches/lede/0080-ar71xx-increase-kernel-partition-size-for-CPE-WBS-210-510.patch b/patches/lede/0080-ar71xx-increase-kernel-partition-size-for-CPE-WBS-210-510.patch
new file mode 100644
index 0000000000000000000000000000000000000000..839e6753729b8b58e871cbbbac9c02e62cebc58f
--- /dev/null
+++ b/patches/lede/0080-ar71xx-increase-kernel-partition-size-for-CPE-WBS-210-510.patch
@@ -0,0 +1,67 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 10 Apr 2018 18:14:41 +0200
+Subject: ar71xx: increase kernel partition size for CPE/WBS 210/510
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/target/linux/ar71xx/image/tp-link.mk b/target/linux/ar71xx/image/tp-link.mk
+index be7e846c88f9ebbb8a4e4840e690d7864386bf64..1a6e58fca882fc9d122c184ee8167537751acf25 100644
+--- a/target/linux/ar71xx/image/tp-link.mk
++++ b/target/linux/ar71xx/image/tp-link.mk
+@@ -167,7 +167,7 @@ TARGET_DEVICES += archer-c60-v1
+ define Device/cpe510-520
+   DEVICE_TITLE := TP-LINK CPE510/520
+   DEVICE_PACKAGES := rssileds
+-  MTDPARTS := spi0.0:128k(u-boot)ro,64k(pation-table)ro,64k(product-info)ro,1536k(kernel),6144k(rootfs),192k(config)ro,64k(ART)ro,7680k@0x40000(firmware)
++  MTDPARTS := spi0.0:128k(u-boot)ro,64k(partition-table)ro,64k(product-info)ro,1792k(kernel),5888k(rootfs),192k(config)ro,64k(ART)ro,7680k@0x40000(firmware)
+   IMAGE_SIZE := 7680k
+   BOARDNAME := CPE510
+   TPLINK_BOARD_NAME := CPE510
+diff --git a/tools/firmware-utils/src/tplink-safeloader.c b/tools/firmware-utils/src/tplink-safeloader.c
+index 2a2329d1f188ea8520b6a4aeef25937e05d48a06..ba86c71d870c8f38abb92c657c3656086a7782be 100644
+--- a/tools/firmware-utils/src/tplink-safeloader.c
++++ b/tools/firmware-utils/src/tplink-safeloader.c
+@@ -139,8 +139,8 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x180000},
+-			{"file-system", 0x1c0000, 0x5f0000},
++			{"os-image", 0x40000, 0x1c0000},
++			{"file-system", 0x200000, 0x5b0000},
+ 			{"soft-version", 0x7b0000, 0x00100},
+ 			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+@@ -177,8 +177,8 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x180000},
+-			{"file-system", 0x1c0000, 0x5f0000},
++			{"os-image", 0x40000, 0x1c0000},
++			{"file-system", 0x200000, 0x5b0000},
+ 			{"soft-version", 0x7b0000, 0x00100},
+ 			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+@@ -209,8 +209,8 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x180000},
+-			{"file-system", 0x1c0000, 0x5f0000},
++			{"os-image", 0x40000, 0x1c0000},
++			{"file-system", 0x200000, 0x5b0000},
+ 			{"soft-version", 0x7b0000, 0x00100},
+ 			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
+@@ -241,8 +241,8 @@ static struct device_info boards[] = {
+ 			{"default-mac", 0x30000, 0x00020},
+ 			{"product-info", 0x31100, 0x00100},
+ 			{"signature", 0x32000, 0x00400},
+-			{"os-image", 0x40000, 0x180000},
+-			{"file-system", 0x1c0000, 0x5f0000},
++			{"os-image", 0x40000, 0x1c0000},
++			{"file-system", 0x200000, 0x5b0000},
+ 			{"soft-version", 0x7b0000, 0x00100},
+ 			{"support-list", 0x7b1000, 0x00400},
+ 			{"user-config", 0x7c0000, 0x10000},
diff --git a/patches/lede/0081-ar71xx-increase-kernel-partition-size-for-TP-Link-RE450-v1.patch b/patches/lede/0081-ar71xx-increase-kernel-partition-size-for-TP-Link-RE450-v1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e03db780a8ab6ed962acae2083bd699d307111fb
--- /dev/null
+++ b/patches/lede/0081-ar71xx-increase-kernel-partition-size-for-TP-Link-RE450-v1.patch
@@ -0,0 +1,41 @@
+From: Piotr Dymacz <pepe2k@gmail.com>
+Date: Mon, 6 Nov 2017 23:17:24 +0100
+Subject: ar71xx: increase kernel partition size for TP-Link RE450 v1
+
+This increases kernel partition size and fixes rootfs (file-system)
+partition size on TP-Link RE450 v1. Also, while we are at it, switch
+from statically defined kernel and rootfs partitions in kernel cmdline
+to "tplink-fw" mtd splitter.
+
+Fixes: FS#1072.
+
+Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
+
+diff --git a/target/linux/ar71xx/image/tp-link.mk b/target/linux/ar71xx/image/tp-link.mk
+index 1a6e58fca882fc9d122c184ee8167537751acf25..60dfe0e3edafcadad4ddc08be7645b49f269907c 100644
+--- a/target/linux/ar71xx/image/tp-link.mk
++++ b/target/linux/ar71xx/image/tp-link.mk
+@@ -207,7 +207,7 @@ TARGET_DEVICES += cpe210-220 cpe510-520 wbs210 wbs510
+ define Device/re450
+   DEVICE_TITLE := TP-LINK RE450
+   DEVICE_PACKAGES := kmod-ath10k ath10k-firmware-qca988x
+-  MTDPARTS := spi0.0:128k(u-boot)ro,1344k(kernel),4672k(rootfs),64k(pation-table)ro,64k(product-info)ro,1856k(config)ro,64k(art)ro,6016k@0x20000(firmware)
++  MTDPARTS := spi0.0:128k(u-boot)ro,6016k(firmware),64k(partition-table)ro,64k(product-info)ro,1856k(config)ro,64k(art)ro
+   IMAGE_SIZE := 7936k
+   BOARDNAME := RE450
+   TPLINK_BOARD_NAME := RE450
+diff --git a/tools/firmware-utils/src/tplink-safeloader.c b/tools/firmware-utils/src/tplink-safeloader.c
+index ba86c71d870c8f38abb92c657c3656086a7782be..23b69f3bd0eb66aca650eb2ffd7d5cd2a7cb5194 100644
+--- a/tools/firmware-utils/src/tplink-safeloader.c
++++ b/tools/firmware-utils/src/tplink-safeloader.c
+@@ -689,8 +689,8 @@ static struct device_info boards[] = {
+ 		*/
+ 		.partitions = {
+ 			{"fs-uboot", 0x00000, 0x20000},
+-			{"os-image", 0x20000, 0x150000},
+-			{"file-system", 0x170000, 0x4a0000},
++			{"os-image", 0x20000, 0x180000},
++			{"file-system", 0x1a0000, 0x460000},
+ 			{"partition-table", 0x600000, 0x02000},
+ 			{"default-mac", 0x610000, 0x00020},
+ 			{"pin", 0x610100, 0x00020},
diff --git a/patches/lede/0082-include-kernel.mk-build-kmod-packages-with-empty-FILES.patch b/patches/lede/0082-include-kernel.mk-build-kmod-packages-with-empty-FILES.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c8c4fcc9d1ccc12f9b92196ee4def9ec5ac350aa
--- /dev/null
+++ b/patches/lede/0082-include-kernel.mk-build-kmod-packages-with-empty-FILES.patch
@@ -0,0 +1,37 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 10 Apr 2018 09:03:52 +0200
+Subject: include/kernel.mk: build kmod packages with empty FILES
+
+kmod packages without FILES did not have an install step defined, leading
+to no package being built. This affected netfilter/iptables packages, which
+filter out builtin modules from FILES.
+
+Not building a package that it is selected in .config is problematic, as
+the generated empty package may be necessary to satisfy dependencies.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/include/kernel.mk b/include/kernel.mk
+index b1d0e8d927cb462b486cfd645d68963f1b6ab8ff..d8d457fe7a5d3584d8aa4e27430da84533c85ed0 100644
+--- a/include/kernel.mk
++++ b/include/kernel.mk
+@@ -194,8 +194,7 @@ $(call KernelPackage/$(1)/config)
+   $(call KernelPackage/depends)
+ 
+   ifneq ($(if $(filter-out %=y %=n %=m,$(KCONFIG)),$(filter m y,$(foreach c,$(filter-out %=y %=n %=m,$(KCONFIG)),$($(c)))),.),)
+-    ifneq ($(strip $(FILES)),)
+-      define Package/kmod-$(1)/install
++    define Package/kmod-$(1)/install
+ 		  @for mod in $$(call version_filter,$$(FILES)); do \
+ 			if grep -q "$$$$$$$${mod##$(LINUX_DIR)/}" "$(LINUX_DIR)/modules.builtin"; then \
+ 				echo "NOTICE: module '$$$$$$$$mod' is built-in."; \
+@@ -209,8 +208,7 @@ $(call KernelPackage/$(1)/config)
+ 		  done;
+ 		  $(call ModuleAutoLoad,$(1),$$(1),$(AUTOLOAD))
+ 		  $(call KernelPackage/$(1)/install,$$(1))
+-      endef
+-    endif
++    endef
+   $(if $(CONFIG_PACKAGE_kmod-$(1)),
+     else
+       compile: $(1)-disabled
diff --git a/targets/ar71xx-generic b/targets/ar71xx-generic
index f9906f7acc0e6dc58ac3b4cf798cf9eaf9567100..525e441a74ac2082552abb81ea3840a59b35d4c2 100644
--- a/targets/ar71xx-generic
+++ b/targets/ar71xx-generic
@@ -1,3 +1,5 @@
+config 'CONFIG_GLUON_SPECIALIZE_KERNEL=y'
+
 ATH10K_PACKAGES='-kmod-ath10k kmod-ath10k-ct'
 ATH10K_PACKAGES_QCA9887=
 if [ "$GLUON_WLAN_MESH" = 'ibss' ]; then
diff --git a/targets/ar71xx-mikrotik b/targets/ar71xx-mikrotik
index 9d0f5442be36855f94f4c510a73e08aba729989b..56ac8159675628d4dd66f8a1727cef5471c346e4 100644
--- a/targets/ar71xx-mikrotik
+++ b/targets/ar71xx-mikrotik
@@ -1,3 +1,5 @@
+config 'CONFIG_GLUON_SPECIALIZE_KERNEL=y'
+
 # Enable ath5k in addition to ath9k
 # ath5k cards are commonly used with Mikrotik hardware
 packages 'kmod-ath5k'
diff --git a/targets/ar71xx-nand b/targets/ar71xx-nand
index 02961b3a8953c334f18e5002f443de0f84aa2f6a..019ca78661ed05cd5986c722cff7737ae71f1ee5 100644
--- a/targets/ar71xx-nand
+++ b/targets/ar71xx-nand
@@ -1,3 +1,5 @@
+config 'CONFIG_GLUON_SPECIALIZE_KERNEL=y'
+
 factory -ubi-factory .img
 sysupgrade -squashfs-sysupgrade .tar
 
diff --git a/targets/ar71xx-tiny b/targets/ar71xx-tiny
index 79d2a9fe79f6c69f63ae9337b6e8707e270cd440..fd779d77d7d9342430038a511f5f13c4385a9a5f 100644
--- a/targets/ar71xx-tiny
+++ b/targets/ar71xx-tiny
@@ -1,3 +1,5 @@
+config 'CONFIG_GLUON_SPECIALIZE_KERNEL=y'
+
 no_opkg
 packages '-uboot-envtools' '-kmod-usb-core' '-kmod-usb-ohci' '-kmod-usb2' '-kmod-usb-ledtrig-usbport'