Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 4x GPIO-LEDs (2x wifi, 1x wps, 1x power)
* 1x GPIO-button (reset)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 1x ethernet
  - AR8035 ethernet PHY (RGMII)
  - 10/100/1000 Mbps Ethernet
  - 802.3af POE
  - used as LAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

    setenv serverip 192.168.1.21
    setenv ipaddr 192.168.1.1
    tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

    scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

    sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Gluon image name change
=======================

The device had the image name "openmesh-mr600" in older versions of Gluon.
This had to be changed with the new name in the device trees of the ath79
device tree.

Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

    setenv serverip 192.168.1.21
    setenv ipaddr 192.168.1.1
    tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

    scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

    sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8031 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

    setenv serverip 192.168.1.21
    setenv ipaddr 192.168.1.1
    tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

    scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

    sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Regenerate network and system UCI configs on every reconfigure, switch to role-based interface configuration

modules: update modules

5971f19 cjdns: pass for some build warnings (#738)
b88e322 cjdns: fix uci-defaults (#714)
6501c70 mrd6: Makefle reordering
fb03ab0 mcproxy: include PKG_MIRROR_HASH, refresh patches
3b84442 pimbd: include PKG_MIRROR_HASH
65ae8ea minimalist-pcproxy: include PKG_MIRROR_HASH
4dfa42e mrd6: include PKG_MIRROR_HASH
fd76bed oonf-dlep-radio: refactor define Package/oonf-dlep-radio
3c70d01 oonf-dlep-radio: refactor Makefile (package versioning, downloading)
550502c oonf-dlep-proxy: add PKG_MIRROR_HASH
b99b6fa oonf-dlep-proxy: fix compilation with Ninja
e2eaefe oonf-dlep-radio: add PKG_MIRROR_HASH
0de13bc opennds: Release v9.6.0 (for 21.02)
10d3ffd olsrd: fix setting default interface config
9e2383e batman-adv: Merge bugfixes from 2022.0
bb0f31a babeld: remove unused return variable
bcc3588 babeld: add add_interface function

ac99fde54 haproxy: update to version 2.2.22
ee4267e97 tree: bump to 2.0.2
f01cf663b curl: Fix compiling curl wolfSSL IPv6 disabled
185c5e365 bind: bump to 9.18.1
919dd8013 libnetfilter-log: update to 1.0.2
8e9f10223 libxml2: update to 2.9.13
793e7ee48 auc: don't segfault on invalid URL
31e2e7ccb auc: fall back to 'sdcard' image
8999b60db auc: accept both 'y' and 'Y' as confirmation from user
1adcda368 auc: add '-n' parameter for dry-run
facfdaca2 attendedsysupgrade-common: update to 2021
aa41482d3 yq: Update to 4.22.1
8518b2d5d yq: Update to 4.21.1
f550d9066 syslog-ng: update to version 3.36.1
b2ec8c84f tvheadend: bind to LAN IP by default
e061d8eff dockerd: fix compilation with glibc
fd30ce33f docker: fix compilation with glibc
a11359b88 yggdrasil: bump to 0.4.3
1d7d46db0 i2pd: Update package
c384dbb19 i2pd: add service reload support
938187fa2 coova-chilli: remove kmod dep on binary package
109f2770a cache-domains: Fixed hotplug script not running
5562cef26 nextdns: Update to version 1.37.10
5f20a9171 golang: Update to 1.17.8
1a0cb5ce4 curl: update to 7.82.0
701ca2532 python-twisted: Update to 22.2.0
4c0748396 python-twisted: Update to 22.1.0, refresh patches
3e75dc582 mdnsresponder: Fix nullpointer dereference while parsing interface list
9722b1ec0 crowdsec-firewall-bouncer: remove crowdsec package dependency
5b51bb3a5 kcptun: bump to v20210922
81ed00124 samplicator: fix Wformat warning
da82b8c9c ocserv: updated to 1.1.6
a8b73c250 openconnect: updated to 8.20
e208f42c5 yq: Update to 4.20.2
e2bf8e1d8 MarkupSafe: update to version 2.1.0
41fe385fd domoticz: update to 2021.1
e9dee2684 minizip: update to 3.0.2
697115688 minizip: update to 3.0.1
adc6fcc88 minizip: update to 3.0.0
584c0c437 expat: import patches for CVEs
5f3226dc1 nfdump: update to 1.6.23
e7715b18b htpdate: drop www.freebsd.org from default server list
4d0e0f414 nano: update to 6.2
45009c340 unbound: update to version 1.15.0
9ba9579a1 yq: Update to 4.20.1
a5de4042c pcapplusplus: Add new package
10a805492 vnstat2: update to version 2.9
42f35cdda vnstat2: add hotplug script for adding interfaces
f8820d2ae vnstat2: fix all interfaces being monitored when none are configured
86f85cde4 vnstat2: update to version 2.8
f4a390c59 php7: update to 7.4.28
5eb97e05e php8: update to 8.0.16
b409127e6 slide-switch: Update to 0.9.7
4919a791a golang: Update to 1.17.7, refresh patch
43276c649 tvheadend: fix first-run
362c8c4df ksmbd-tools: update to 3.4.4
41ca56ff2 ksmbd-tools: Fix ksmbd service is semi-killed at system startup
c4bb2fadc ksmbd: update to 3.4.4
06ffe5c4d ksmbd: update to 3.4.2
c7e0be3a3 ksmbd: update to 3.4.1
d5f588268 dockerd: Update to 20.10.12
66dda3aa2 docker: Update to 20.10.12
845d2203b yq: Update to 4.19.1
4e8267602 dtc: drop package
845b9a1df knot: update to 3.1.6
d286939b7 knot: update to 3.1.5
38eaee347 nano: update to 6.1
0329b2c11 xray-core: Update to 1.5.3
d18542ecf ruby: update to 3.0.3
a507620a1 https-dns-proxy: init script refactoring
5dcf0b57c slide-switch: Update to 0.9.6
4bd6bc41c ffmpeg: update to version 4.3.3
ac4ecdf85 tinyionice: add package
1a40a0a0b yq: Update to 4.18.1
32e85322c yq: Update to 4.17.2
675755537 apache2: security update to version 2.4.52
74f9ae028 bind: bump to 9.18.0
b29655996 crowdsec: update from latest upstream release 1.3.0
3b28c6f38 wg-installer: use babeld add_interface function
1026a1fd4 crowdsec-firewall-bouncer: fix name in initd to start the process
9137583d3 nano: Add a plus variant with more features
2cd892879 https-dns-proxy: update to 2021-11-22-1
8d8cf2628 dawn: update to 2022-01-17
f921cc4b7 python-dns: update to version 2.1.0
df7568303 prosody: update to version 0.11.13
14b623f73 telegraf: Update package to version 1.21.3
82c35fa92 telegraf: Move config file to /etc/telegraf.conf because /etc/config is the default uci folder. Also marking it as configuration file prevents overwriting it on updates.
989aecf2b telegraf: Add package for telegraf
299684dd5 ffmpeg: update to 4.3.2
213aaa1f3 clamav: update to version 0.104.2
9c476ee99 clamav: update to 0.104.0
294196303 node: January 10th 2022 Security Releases
fc835bcaa tvheadend: fix conffiles section
48bf1a0d0 lighttpd: update to lighttpd 1.4.64 release hash
82339309f lighttpd: update to lighttpd 1.4.63 release hash
527f2b920 lighttpd: update to lighttpd 1.4.62 release hash
4f990b7cd tvheadend: fix typo in uriparser
aeb8aad5c wg-installer: fix multiple namespaces
e29f38650 php8: update to 8.0.15
d7c78f83b tvheadend: disable uriparser
c7f25b25d python3: Update to 3.9.10, refresh patches
b9bfe1ef1 wg-installer: remove unused dependency
9a836f430 wg-installer: create wireguard key if it does not exist
317ba6a43 wg-installer: install cronjob
a430932a7 wg-installer: check if a key is already inserted
0aaa90629 wg-installer: rework code
dea64c08e wg-installer: cosmetic changes

180b750c02 hostapd: add STA extended capabilities to get_clients
411c73f748 hostapd: add op-class to get_status output
e44a781e11 hostapd: add beacon_interval to get_status ubus output
95b0b8725c hostapd: remove unused mac_buff allocation
3731ffa0ee hostapd: report bssid, ssid and channel over ubus
53c60d4bfa hostapd: ubus: add notification for BSS transition response
88075c87dc hostapd: ubus: add BSS transtiton request method
b1c3539868 openssl: bump to 1.1.1n
864bba55d8 uboot-bcm4908: use "xxd" from staging_dir
92020d4242 tools: xxd: use more convenient source tarball
17e9553284 tools: add xxd (from vim)
f44f8b07b0 base-files: call "sync" after initial setup
e8a806c49e bcm4908: include U-Boot in images
45b3f2aa0f uboot-bcm4908: add package with BCM4908 U-Boot
604274c24b x86: legacy: enable pata_sis driver
13c9f1f37d bcm4908: support "rootfs_data" on U-Boot devices
e12ffac02d bcm4908: fix USB PHY support
f1e1daa6e8 u-boot.mk: add LOCALVERSION (explicitly specify OpenWrt build)
0327104686 tools/libressl: update to version 3.4.2
8ed3b5b04b tools/libressl: update to 3.4.1
2736a5df94 tools/libressl: update to 3.3.4
49b2e6365d tools/libressl: update to 3.3.3
2d69d098e0 kernel: bump 5.4 to 5.4.182
7bd583e5f3 uboot-envtools: mvebu: update uci defaults for Turris Omnia
b2896d413e ipq806x: base-files: asrock: fix bootcount include
952de38ef4 Revert "ramips: increase spi-max-frequency for ipTIME mt7620 devices"
abf8209d7f hostapd: fix radius problem due to invalid attributes
610b2cff60 ipq806x: base-files: asrock: fix bootcount include
b99d7aecc8 wolfssl: fix API breakage of SSL_get_verify_result
7612ecb201 ramips: mt7621: do memory detection on KSEG1
7fc336484b rpcd: backport 802.11ax support
d1c15c41d9 OpenWrt v21.02.2: revert to branch defaults
30e2782e06 OpenWrt v21.02.2: adjust config defaults
bf0c965af0 ramips: fix NAND flash driver ECC bit position mask
adb65008c8 kernel: backport fix for initializing skb->cb in the bridge code to 5.4
b7af850bd2 tools/mtools: update to 4.0.35
5d553d8767 tools/fakeroot: fix unresolved symbols on arm64 macOS
c8d6a7c84e tools/fakeroot: fix build on MacOS arm64
83bf22ba2e tools/fakeroot: explicitly pass CPP variable
230ec4c69c bcm4908: backport watchdog and I2C changes
87b9ba9ed9 bcm4908: backport first 5.18 DTS changes
e6a718239f bcm4908: backport bcm_sf2 patch for better LED registers support
e6aaa061d0 bcm4908: backport BCM4908 pinctrl driver
59e7ae8d65 tcpdump: Fix CVE-2018-16301
de948a0bce glibc: update to latest 2.33 HEAD
0c0db6e66b hostapd: Apply SAE/EAP-pwd side-channel attack update 2
5b13b0b02c wolfssl: update to 5.1.1-stable
7d376e6e52 libs/wolfssl: add SAN (Subject Alternative Name) support
5ea2e1d5ba wolfssl: enable ECC Curve 25519 by default
4108d02a29 ustream-ssl: update to Git version 2022-01-16
32d50a1281 mbedtls: Update to version 2.16.12
c6ddf8d502 kernel: bump 5.4 to 5.4.179
a4c0c031b8 ath79: Add support for OpenMesh OM5P-AC v2
6d266ef158 imagebuilder: fix local packages/ folder

With Babel, wired meshing cannot run on the same logical interface as
non-mesh traffic, so using VXLAN is mandatory.

fastd: add L2TP offload support

treewide: Replace xhtml content type with html, remove xhtml workaround, replace self closing tags

A section can be marked as preseved by setting the gluon_preserve option
to 1. In addition the following conditions must hold:

- The preserved section must not already exist after OpenWrt's and
  Gluons setup scripts run. Modifying existing sections is currently
  unsupported.
- Preserved sections must be named, so it can be detected whether a
  section conflicts with a preexisting one.

Allow interface names to change on updates to handle hwconfig -> DSA and
similar migrations.

On devices with only a single interface, a sysconfig single_ifname is
created instead of wan_ifname or lan_ifname to allow separate
configuration in site.conf.

With the new role-based interface configuration, it would be better to
rename the wan/wan6 interfaces to uplink/uplink6, but that would cause
unnecessary churn for the firewall configuration, so it is left for a
later update.

As all interfaces with the 'uplink' role are in the br-wan bridge, it is
not possible to assign these to the 'mesh' role independently - instead,
br-wan is added as a mesh interface as soon as a single interface has
both the 'uplink' and 'mesh' roles. The UCI section for this
configuration is now called 'mesh_uplink' instead of 'mesh_wan'.

For all interfaces that have the 'mesh', but not the 'uplink' role a
second configuration 'mesh_other' is created. If there is more than one
such interface, all these interfaces are bridged as well (creating a
bridge 'br-mesh_other'). This replaces the 'mesh_lan' section with its
optional 'br-mesh_lan' bridge, but can also include interfaces that were
not considered "LAN" when interfaces roles are modified (via site.conf
or manually).

The new configuration generates sections iface_single/lan/wan in
/etc/config/gluon. These sections usually refer to a sysconfig-controlled
interface list, but adding custom sections with verbatim interfaces names
is also possible.

Each interface section contains a list of roles. The supported roles are
'client', 'uplink' and 'mesh'. Multiple roles can be configured on the
same interface (for example the old 'mesh_on_wan' setting would become
'uplink'+'mesh').

'client' is subsumed by any other role configured on the same interface
('client'+'mesh' is equivalent to 'mesh'). This property is important, as
it allows the Wired Mesh settings in gluon-web-network to simply add and
remove the mesh role without having to care what other roles are set -
so in the default setup, this would switch between 'client' and
'client'+'mesh' for the LAN interface.

By default, the WAN interface has role 'uplink' and the LAN interface
'client'; if only a single interface exists, the roles from the WAN
interface are used by default. The default for each of the three
interfaces (WAN/LAN/single) can be changed separated in site.conf,
superseding the old mesh_on_wan, mesh_on_lan and single_as_lan settings.

Do not write files when the content is unchanged.

Avoids a few unnecessary filesystem writes when resetting ifname
sysconfigs on each upgrade.

The stdout output of gluon-web scripts is directly sent to uhttpd,
becoming a part of the HTML output or even replacing HTTP status or
headers. The output of gluon-reconfigure is not supposed to end up
there.

While we're at it, also add an exec to avoid an unnecessary shell
process.

The OpenLayers JS/CSS download URL is dead. Update it to make the map
work again:

- Update from OpenLayers 5.2.0 to 5.3.0
- Switch from the obsolete rawgit.com URL to jsdelivr.net (rawgit.com
  was only redirecting to jsdelivr.net for the last few years anyways)
- Set a fixed commit in the URL, so the URL doesn't become outdated again

Prevents spurious build failures.

- Restructure page
- Add information on how to add L2TPv3 offloading support to a build
  using configurable ciphers. The null method is not reocmmended anymore.
- Add notes and pointers regarding the gateway configuration to provide
  gateway admins with hints on how to modify their configuration to
  accommodate this new feature.
- Mention wireguard support

Based-on-patch-by: Felix Kaechele <felix@kaechele.ca>

THe "null" and "null@l2tp" methods are considered equivalent and always
added and removed together when the method list is "configurable".
"null@l2tp" is added before "null", so it is preferred when the peer
supports both.

This also drops the GMAC-based methods from gluon-mesh-vpn-fastd's
check_site.lua, as they are not supported anymore.

x86: copy separate kernel and rootfs images to "other" directory

gluon-web: prohibit cross-origin POST requests

Update OpenWrt base, clean up patches

lint-sh fixes

Removal of more obsolete migrations, minor cleanup and improvements to lsupgrade.sh

As gluon-web uses standard multipart/form-data requests, browsers don't
enforce any cross-origin restrictions. To prevent malicious injection of
POST requests into the config mode, match the Origin header against the
Host header of the request.

Actually raise an error and turn it into an HTTP 400 return code when
something goes wrong, rather than ignoring the error.

We also improve the conditions under which errors are thrown before
pump() is called: We don't need to check for the multipart/form-data
content-type twice, and a POST without this content-type is now always
an error.