CHANGELOG

===========================
FreshTomato-MIPS Changelog
===========================
(for full changelog, see: https://github.com/FreshTomato-Project/freshtomato-mips/blob/mips-master/CHANGELOG)



2026.1          2026.02.15
---------------------------

- Note: Many CVE fixes and improvements, updating is strongly recommended!
- Warning: due to naming changes for some nvram variables in release 2026.1 (in subsequent releases, thanks to @lancethepants this is no longer necessary), OpenVPN users should:
  1. clear nvram during the update or
  2. use this script: https://gist.github.com/pedro0311/674f2e19691106417a989a43bf27b0a4 - read the inside HOWTO first!

- snmp: update to 5.9.5.2
- ebtables: updates from upstream
- libsodium: update to 1.0.21
- irqbalance: update to 1.9.5
- libsodium: update to latest 1.0.21-stable
- sqlite: update to 3.51.2
- dnsmasq: update to v2.93test4
- openssl: update to 3.0.19
- meson: update to 1.10.1
- libcap-ng: update to 0.9
- libpng: update to 1.6.54
- busybox: updates from upstream
- usb-modeswitch: update to 2.6.2
- usb-modeswitch: update data package to 20251207
- uqmi: update to 7914da43 (2025-07-29) snapshot
- libubox: update to 7928f17 (2025-12-08) snapshot
- expat: update to 2.7.4
- GUI: basic-ipv6.asp - Add option to enable/disable rapid-commit (Case: DHCPv6 PD)
- GUI: Status: Device List: fix sort by Lease Time
- GUI: Bandwidth: Real-Time: prevent bandwidth spikes on interface counter resets
- GUI: IP Traffic: Real-Time: prevent bandwidth spikes on interface counter resets
- GUI: Administration: Upgrade: display current filename used to flash the router
- GUI: USB and NAS: File Sharing: use drop-down list for 'Samba protocol version' instead of check boxes
- build: embed firmware filename into image
- build: OpenVPN: rename nvram variables to free up some space there - the reduction in nvram usage is 1140 bytes (for ARM)
- avahi/mDNS: fix start of avahi-daemon because of stupid typo in Makefile
- avahi/mDNS: fix problems with avahi-daemon once more (on ARM only)
- apcupsd: only install apcupsd with other files if TCONFIG_UPS is selected
- stubby: fix DNSSEC trust anchor bootstrapping by using static root trust anchors instead of Zero-config DNSSEC
- snmpd: save pid to file
- snmp: also stop snmpd during upgrade
- ntpd: increase limits (Max Memory & Max Processes)
- DDNS: mdu.c: get_address(): add IPv6 support, refactor
- DDNS: mdu.c: enhance _http_req() with full IPv6 support and safety fixes
- DDNS: mdu.c: update_cloudflare(): fix memory leak and improve Cloudflare DNS record handling
- Bandwidth/IP Traffic: fix calculation on real-time chart
- Bandwidth/IP Traffic: add interactive range selection to bandwidth charts
- Update defaults.c disable telnet enable at startup
- mwwatchdog: improve script robustness
- mwwatchdog: cktracert(): fix rx_bytes overflow in traffic detection (busybox int32 limit)
- OpenVPN Client: separate the VPN tunnel check from the normal watchdog, as the former does not work with all configurations
- openssl-1.1: add fix for: CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795 and CVE-2026-22796
- IPv6 (DHCPv6 with PD): add option to adjust Identity Association for Non-temporary Addresses ID and Identity Association for Prefix Delegation ID
- IPv6 (DHCPv6-PD): add default route ::/ with gateway if provided by the user (Metric 8192)
- Use snprintf for buffer safety in connect_pppol2tp
- httpd: bwm.c: use uint64_t for tx/rx in asp_iptmon(); cosmetic
- httpd: usb.c: fix critical bugs in asp_usbdevices()
- porthealth: add port health service
- nginx: delay on startup with user-defined delay
- cstats: refactor: replace string literals with path constants
- cstats: improve buffer validation (snprintf)
- cstats: use safe/proper daemonization
- cstats: use direct compression to .gz file
- cstats: introduce MAX_NODES for memory protection and add free_all_nodes() to clean up tree memory on --new and shutdown
- cstats: improve buffer handling (strlcpy/strlcat)
- cstats: use zlib if available
- rstats: fix memory management issue - free only on successful allocation
- rstats: refactor: replace string literals with path constants
- rstats: improve buffer validation (snprintf); cosmetic
- rstats: use memcpy instead of for loop
- rstats: use memmove instead of memcpy
- rstats: use zlib if available
- rstats: prepare for 64 bit counters
- rstats: user safe/proper daemonization
- rstats: improve buffer handling (strlcpy/strlcat)
- rstats: add 24-hour history persistence to custom paths
- rc: ddns.c: fix typo in update() function
- rc: ppp.c: function ipup_main() - use safe_getenv()
- rc: dhcp.c: function dhcpc_event_main() - check ifname before using it (NULL)
- rc: dhcp.c: function dhcpc_event_main() and bound() - speed up (again) if the correct prefix (ifname) is found
- rc: interface.c: function route_manip() - check pointer before using it (NULL)
- rc: snmp.c: use serialize_restart() to start/stop daemon, always remove pid file on stop
- rc: nginx.c: always remove child pid on nginx stop; cosmetic
- rc: mysql.c: use _exit() instead of exit() to terminate the child
- rc: nginx.c: use _exit() instead of exit() to terminate the child
- rc: transmission.c: use _exit() instead of exit() to terminate the child
- shared: misc.c: refactor connect_timeout()
- shared: files.c: increase file path buffer size in f_write_procsysnet()
- www: vpn-[client|wireguard].asp: fix note about Kill Switch
- www: status-devices.asp: fix javascript error when image is built without Network Discovery
- www: tomato.js: anon_update(): use target="_blank" instead of class="new_window" because on some pages eventHandler() is not added in init()
- www: admin-[bwm|iptraffic].asp: avoid reloading the page while saving
- www: nas-usb.asp: avoid reloading the page while saving; cosmetic
- www: tomato.js: wikiLink(): add title to links
- www: advanced-adblock-v2.asp: initialize variables before use, reset them when they are no longer needed, do not allow re-query when the previous one is still active
- www: add grid backup and restore functionality to selected pages
- www: tomato.js - allows for placeholder to work on password fields
- Linksys E1000 v1.0: fix port order (close #34)


2025.5          2025.12.21
---------------------------

- Warning: due to changes in the naming of some nvram variables, users of PPTP Client should review their settings.

- kernel RT-N/RT-AC: enable NETFILTER_NETLINK_QUEUE (Netfilter NFQUEUE over NFNETLINK) (close #40)
- openssl: update to 3.0.18
- tor: update to 0.4.8.21
- php: update to 8.3.28
- nginx: update to 1.29.4
- sqlite: update to 3.51.1
- adminer: update to adminneo-5.2.1
- libcurl: update to 8.17.0
- nano: update to 8.7
- dnsmasq: update to v2.92rc3
- libpng: update to 1.6.53
- tinc: update to 1.1pre18-242-g940d15c4
- meson: update to 1.10.0
- dropbear: update to 2025.89
- libjpeg-turbo: update to 3.1.3
- libatomic_ops: update to 7.10.0
- GUI: Port Forwarding: Basic: fix sort by Int Address
- GUI: Admin: SNMP: add 'Name' and 'Description' fields (close #25)
- GUI: status-overview.asp - Only displaying unsecured WiFi warning in AP mode
- Add Bridge Gateway Isolation + UI (IPv4 only atm), IPv6 bridge isolation, and IPv6-aware advanced-access.asp
- Improved IPv6 support
- IPv6 (DHCPv6 with PD): add option to adjust Identity Association for Non-temporary Addresses ID and Identity Association for Prefix Delegation ID
- Add autoconf-archive to installation command
- build: e2fsprogs: tune recipe, add patch to make libmagic optional
- build: also install ebtables-restore
- build: add update overlay
- adblock: delay start by 10 seconds on router restart/reboot
- mymotd: add date of build and by who
- Kill-Switch: introduce and use a helper script to add FQDNs to the firewall if they're not added immediately on FW restart
- openssl-1.1: add fix for CVE-2025-9230
- openvpn: vpnrouting.sh: do not restart routing here, it will be reloaded anyway when restarting the firewall
- OpenVPN/kill-switch/adblock-v2/mwwatchdog: add to nvram and use default IP (Cloudflare) for connection checking
- httpd: upgrade.c: only copy needed images on upgrade
- others: switch4g: refactoring, simplifying and shortening taking into account the specifics of sh in busybox
- others: switch3g: refactoring, simplifying and shortening taking into account the specifics of sh in busybox
- others: mwwatchdog: refactoring, simplifying and shortening taking into account the specifics of sh in busybox
- others: mwwatchdog: fix operator precedence bug that could add cron job when mwan_cktime=0
- rc: fix modprobe ip_set order
- rc: move BUF_SIZE definition to shared.h
- rc: dnsmasq.c: fix DNSSEC regression (in 2025.4): "Revert use SIGHUP instead of mistakenly used SIGINT in reload_dnsmasq()"
- rc: firewall.c: increase hitcount limit for remote GUI access
- rc: network.c: do_static_routes(): fix typo
- rc: openvpn.c: fix buffer size in ovpn_setup_watchdog()
- rc: openvpn.c: add error handling for fopen(), fappend(), opendir() and chdir(); more logging
- rc: openvpn.c: do not remove OVPN_DNS_DIR directory when client stops
- rc: openvpn.c: add error message when tunnel interface cannot be created
- rc: openvpn.c: fix interface name in ovpn_setup_watchdog()
- rc: openvpn.c: fix off-by-one error in start_ovpn_eas()
- rc: rc.c: add more logging
- rc: rc.c: kill_switch(): do not add rules if given WAN is disabled
- rc: rc.c: kill_switch(): make the function independent of run_vpn_firewall_scripts()
- rc: rc.c: kill_switch(): validate IPv4 or IPv4 range before adding it; also (finally) fix adding IPv4 range as "From Source IP" type
- rc: rc.c: kill_switch(): integrate with firewall to eliminate leaks
- rc: rc.c: fix to ipv6_enabled()
- rc: wan.c: move start_adblock() down
- rom: update mullvad.net DOH servers
- rom: update CA bundle to 2025-12-02
- rom: add new dnsmasq anchor
- shared: misc.c: iterate over MWAN_MAX to get WAN string/number
- shared: misc.c: get rid of TCONFIG_MULTIWAN and iterate over MWAN_MAX/BRIDGE_COUNT
- shared: misc.c: increase ifnames buffer size depending on bridge count
- www: add to the header of each page information about a new firmware version ready for download
- www: convert spin icon from gif to svg
- www: use only one asp script to manage upgrade/reboot/restoring defaults
- www: admin-snmp.asp: remove whitespaces from 'Allowed Remote IP Address'
- www: admin-snmp.asp: better handle 'Allowed Remote IP Address'
- www: basic-ipv6.asp: adjust/extend Commit b49bf16 (Improved IPv6 support) and remove IAID configuration option again
- www: saved.asp: get rid of unnecessary waiting when saving configuration on Admin -> Access when the httpd daemon starts up faster than the countdown indicates
- www: about.asp: reorganize page
- www: tomato.js: fix adding range of IPs
- www: tomato.js: searchOUI: use '--no-check-certificate' in wget if the image is built without stubby
- www: advanced-mac.asp fixed typo LLA vs. LAA button and notes
- www: vpn-client.asp: never hide Routing Policy table
- Linksys E3000: fix port order (close #26)


2025.4          2025.10.05
---------------------------

- Warning: due to changes in the naming of some nvram variables, users of BW Limiter and tftp in dnsmasq should review their settings.

- libcurl: update to 8.16.0
- sqlite: update to 3.50.4
- dnsmasq: update to v2.92test21
- nginx: update to 1.29.1
- meson: update to 1.9.1
- libsodium: update to latest 1.0.20-stable
- libffi: update to 3.5.2
- nano: update to 8.6
- adminer: update to adminneo 5.1.1
- libjpeg-turbo: update to 3.1.2
- libxml2: update to 2.15.0
- expat: update to 2.7.3
- GUI: Advanced: DHCP/DNS/TFTP: add a field to enter custom configuration for stubby
- GUI: Correction to menu references
- GUI: Administration: CIFS Client: fix refreshing 'Total / Free Size'
- GUI: Advanced: VLAN: fix link in Notes
- GUI: Advanced: VLAN: fix link in 'unknown_router' section
- build: remove no more needed (and icomplete implemented) TCONFIG_SSH
- build: Makefile: convert expat recipe to cmake
- build: Makefile: tune avahi recipe
- avahi: backport CVE fixes from upstream and use clean sources
- bwlimit: change the names of variables to make them more similar to existing ones and easier to manage
- dnsmasq: change the name of dnsmasq tftp variable to make it more similar to existing ones and easier to manage
- dnsmasq: restore use of check_services() to check if dnsmasq is up (disabled in commit 20c8d42)
- httpd: ddns.c: code shrink
- httpd: httpd.c: define MAX_CONN_ACCEPT and MAX_CONN_TIMEOUT and tune them
- httpd: httpd.c: use global int_1 variable; use proper socklen_t data type
- httpd: httpd.c: use SO_KEEPALIVE instead of TCP_NODELAY for setsockopt()
- httpd: httpd.c: rewrite match() function to be fully non-recursive
- httpd: httpd.c: add syslog logout succesful message and tune failed message
- httpd: misc.c: iterate over BRIDGE_COUNT for ether-wake
- httpd: tomato.c: get rid of TCONFIG_MULTIWAN, use MWAN_MAX instead. Also use BRIDGE_COUNT to enumerate lan variables
- httpd: nvram.c: use static buffer for asp_jsdefaults()
- httpd: iperf.c: sanitize hostname more precisely (see commit 13924eb)
- httpd: nvram.c: iterate over MWAN_MAX and BRIDGE_COUNT to get values from other wans/lans
- httpd: misc.c: iterate over MWAN_MAX in asp_dns()
- httpd: misc.c: iterate over MWAN_MAX in asp_wanup()
- httpd: misc.c: iterate over MWAN_MAX in asp_link_uptime()
- httpd: dhcp.c: iterate over MWAN_MAX in asp_dhcpc_time()
- httpd: misc.c: iterate over MWAN_MAX in asp_wanstatus(); some code cleaning
- httpd: comment out asp_jiffies()
- miniupnpd: win10 & 11 workaround (help version IGD v1 in IGD v2 mode) - show forwarded ports at Windows GUI (again)
- ntpd: use ulimit to run ntpd with high nice and limited memory to eliminate denial of service attack
- OpenVPN Client: add Routing Policy Prioritization
- OpenVPN: handle dnsmasq ipset file correctly
- openssl: backport fix for OpenSSL 3.0.17 regression
- rc: get rid of TCONFIG_MULTIWAN, iterate over MWAN_MAX instead; part 3
- rc: use only one anon enum policy definition for both OpenVPN and Wireguard
- rc: firewall.c: use buffer for wanX name - reduce code size
- rc: dhcp.c: code shrink
- rc: network.c: fix two typos
- rc: move dnsmasq stuff to outer file
- rc/shared: introduce and use gen_urandom() function
- rc: firewall.c: iterate over BRIDGE_COUNT in filter6_input(void)
- rc: firewall.c: move run_pptpd_firewall_script() to the front
- rc: introduce and use restart_firewall() function. Move restart_firewall() to the end in exec_service()
- rc: openvpn.c: iterate over BRIDGE_COUNT for br_ipaddr/br_netmask
- rc: network.c: iterate over BRIDGE_COUNT for /etc/hosts
- rc: network.c: iterate over BRIDGE_COUNT and MWAN_MAX in do_static_routes()
- rc: dhcp.c: iterate over BRIDGE_COUNT in start_dhcp6c()
- rc: dhcp.c: update start_dhcp6c() for BRIDGE_COUNT values > 4 (up to 32)
- rc: roamast.c: add check for upper threshold (new --> 25000 Kbps) idle rate roaming assistent
- rc: dnsmasq.c: use SIGHUP instead of mistakenly used SIGINT in reload_dnsmasq()
- rc: openvpn.c: simplify write_ovpn_resolv() function
- rc: pptp_client.c: simplify write_pptpc_resolv() function
- rc: protect firewall scripts with simple_lock()/simple_unlock(), do the same for vpnrouting.sh
- rc: services.c: fix build break on MIPS (close #13)
- rom: update CA bundle to 2025-08-12
- shared: strings.c: update trimstr() function
- shared: defaults.c: get rid of TCONFIG_MULTIWAN, use MWAN_MAX instead. Also use BRIDGE_COUNT to enumerate lan variables
- tomato.css - improved to print and printscreen in dark-mode
- www: use global C variable definitions required by javascript, instead of locally defined ones
- www: admin-tomatoanon.asp: add a note
- Revert "www: vpn-client.asp: only add routing value in Routing Policy mode, otherwise remove all data from the routing table"
- www: vpn-client.asp: do not restart client if only the 'Enable On Start' option was changed
- www: vpn-server.asp: do not restart server if only the 'Enable On Start' option was changed
- www: fix compilation (navi) without PPTPD
- www: vpn-client.asp: check if we need to restart firewall in special cases even if client is down; clean-up
- www: advanced-dhcpdns.asp: Adjust String.trim() usage
- www: ipt-[daily|monthly].asp: iterate over MAX_BRIDGE_ID in redraw()
- www: qos-graphs.asp: iterate over MAXWAN_NUM to get irates/orates; also small changes in httpd/ctnf.c (asp_qrate) to get an array
- www: rename isup.jsz to isup.jsx to protect its content by http_id
- switch4g: fix kernel module load order (and don't change it in the future...)
- switch4g: slightly improve the conditions when checking the interface/IP


2025.3          2025.07.18
---------------------------

- dnsmasq: update to v2.92test16
- libcurl: update to 8.14.1
- expat: update to 2.7.1
- nano: update to 8.5
- dropbear: update to 2025.88
- libsodium: update to latest 1.0.20-stable
- meson: update to 1.8.2
- nginx: update to 1.29.0
- xl2tpd: update to 1.3.19
- libzip: update to 1.11.4
- adminer: update to 5.0.0
- uqmi: update to 71f9c94 (2025-05-31) snapshot
- libjpeg-turbo: update to 3.1.1
- libogg: update to 1.3.6
- libpng: update to 1.6.50
- sqlite: update to 3.50.2
- openssl: update to 3.0.17
- nettle: update to 3.10.2
- spawn-fcgi: update to 1.6.6
- build: Makefile: do not add symlinks for scp and dbclient to dropbearmulti if they are not compiled in
- GUI: advanced-vlan.asp - Header correction
- GUI: Advanced: VLAN: fix link in Notes
- GUI: basic-time.asp - NTP Client added 4th placeholder field for Custom upstream server
- GUI: VPN: add title's icons for VPN services
- GUI: Status-devices - SVG icons
- GUI: Status: Logs: add dedicated svg icons for Advanced themes
- GUI: status-overview: improve ethstate if WAN port is moved to primary LAN
- GUI: status-devices.asp: improving filtering of devices
- adblock-v2: do not add the contents of the nvram mwan_ckdst variable to the whitelist (close #45)
- fix an issue with CPU Usage NaN% in Status Overview page (A Walkthrough) ARM Asus RT-AC3200
- httpd: iptraffic.c: printf for unsgined int should use %u
- httpd: openvpn.c: fix client config generation
- httpd: log.c: fix truncation of last char in GUI -> Status -> Web Usage
- httpd: get rid of TCONFIG_MULTIWAN, iterate over MWAN_MAX instead
- rc: openvpn.c: tune watchdog so that it can also detect unresponsive OpenVPN client(s)
- rc: network.c: refactor do_static_routes() function - use iteration
- rc: firewall.c: iterate over MWAN_MAX to create MASQUERADE FW entries in nat_table()
- rc: get rid of TCONFIG_MULTIWAN, iterate over MWAN_MAX instead
- rom: update CA bundle to 2025-05-20
- switch4g: qmi: increase SIM power-cycle timeouts
- switch4g: qmi: fix network registration loop
- tomatoanon: make 'TomatoAnon' and 'Update Notification System' independent; reorganize GUI
- tomatoanon: use github as a source for FT versions if possible
- udpxy: Fixed typo in last commit (fix from the upstream)
- www: do not use 'eval' if possible
- www: status-devices.asp: Add option to hide WAN devices
- www: tidy up the Start/Stop buttons and the status of services
- www: bwlimit.asp: iterate over MAX_BRIDGE_ID to create bridge classes
- www: tomato.css: fix Ports State vertical alignment
- www: add icon to status of services
- vpnrouting.sh: tune how to restart dnsmasq
- vpnrouting.sh: move the contents of initTable() to startRouting() at the very beginning, expand list of default gateways, rename ID to FWMARK
- vpnrouting.sh: further routing improvements based on @eibgrad 's work


2025.2          2025.03.20
---------------------------

- Note: Mainly a bugfix release due to a serious bug in dnsmasq causing a SIGSEGV (segmentation violation) in some cases: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=9af15871e6ef0ac845412e9a6c3ecfb0849374c8

- dnsmasq: update to 2.91rc6 remove patch 300, fix already in upstream
- dropbear: update to 2025.87
- adminer: update to 4.17.2
- expat: update to 2.7.0
- build: disable Wi-Fi during upgrade for routers with wl_high (USBAP) module to make it work correctly, and add a warning about using only cable connection during this process (close #5)
- discovery.sh: fix wan scanning when IPv6 is enabled
- libshared: Default DSCP fix to off. Looks like comcast fixed this issue back in 2023
- rom: update CA bundle to 2025-02-25
- www: do not use 'eval' if possible


2025.1          2025.02.27
---------------------------

- dnsmasq: update to v2.91rc5
- nano: update to 8.3
- pppd: update to 2.5.2
- nettle: update to 3.10.1
- libexif: update to 0.6.25
- libiconv: update to 1.18
- libpng: update to 1.6.47
- libsodium: update to latest 1.0.20-stable
- libzip: update to 1.11.3
- meson: update to 1.7.0
- sqlite: update to 3.48.0
- adminer: update to 4.14
- openssl-3.0: update to 3.0.16
- nginx: update to 1.27.4
- libcurl: update to 8.12.0
- libffi: update to 3.4.7
- flac: update to 1.5.0
- libxml2: update to 2.13.6
- libatomic_ops: update to 7.8.2
- discovery.sh: update to v2.64
- rom: update CA bundle to 2024-12-31
- GUI: Basic: DDNS: hide 'Custom IP address' when 'IP address -> Custom IP Address...' is set but given Service is disabled
- busybox: enable lsof applet
- dnsmasq: fixes in dnsmasq Tomato-helper patch
- mdu: the eNom service has its cert fixed
- mdu: fix memory leak in curl_dump_cb() callback function
- mdu: make update_cloudflare() work again
- openssl-1.1: add fix for CVE-2024-9143
- openssl-1.1: add fix for CVE-2024-13176
- others: fix export PATH
- shared: process.c: check for zombie in pidof()
- shared: process.c: enhance pidof() matching
- rc: samba.c: do not remove samba config directory on stop/restart (prevents inability to add additional users)
- rc: ddns.c: fix path to IP cache file
- tomatoanon: update url to https://anon.freshtomato.org
- UPnP IGD & PCP: Add Expires to port forward listing
- USB: disable USB 3.0 by default and add 2.4G interference warning when enabling
- www: tomato.js: add button case to createFieldTable() function
- www: tomato.css: fix ports images on advanced vlan page
- www: add link to '/' in header that point to Status -> Overview


2024.5          2024.12.24
---------------------------

- Note: mainly a bug fix release

- nginx: update to 1.27.3
- sqlite: update to 3.47.2
- dnsmasq: update to v2.91test2
- libcurl: update to 8.11.1
- meson: update to 1.6.1
- libjpeg-turbo: update to 3.1.0
- rom: update CA bundle to 2024-11-26
- GUI: QoS: Basic Settings: fix displaying warnings on Advanced themes
- busybox: revert changes to ntpd applet in 1.37.0 (ntpd server returns bogus data), added as a patch
- miniupnpd: Init IPv6 firewall correctly and compile daemon with IGDv2 but disable it at runtime
- miniupnpd: restart daemon if IPv6 address changes OR new (Case DHCPv6)
- pppd: use pptp plugin maintaned by openwrt team instead of the one from accel-pptp


2024.4          2024.11.26
---------------------------

- busybox: update to 1.37.0
- php: update to 8.3.13
- nginx: update to 1.27.2
- sqlite: update to 3.47.0
- expat: update to 2.6.4
- dnsmasq: update to f006be7 (2024.10.04) snapshot
- libsodium: update to latest 1.0.20-stable
- nano: update to 8.2
- openssl-3.0: update to 3.0.15
- libcurl: update to 8.11.0
- rom: update CA bundle to 2024-09-24
- libjson-c: update to 0.18-20240915
- libjpeg-turbo: update to 3.0.4
- meson: update to 1.6.0
- libxml2: update to 2.13.5
- libpng: update to 1.6.44
- libzip: update to 1.11.2
- libubox: update to eb9bcb6 (2024-03-29) snapshot
- uqmi: update to 28b48a1 (2024-08-25) snapshot
- haveged: update to 1.9.19
- dropbear: update to 2024.86
- rp-pppoe: update to 4.0 
- pppd: update to 2.5.1
- build: always install librt
- build: Makefile: openvpn: fix plugin support
- build: Makefile: tune e2fsprogs recipe
- build: Makefile: openvpn do not disable debug if TOMATO_EXPERIMENTAL flag is set
- build: Makefile: fix miniupnpd recipe for MIPS branch
- build: Makefile: set default mode for C/C++ depending on toolchain
- build: introduce EXTRA_CXXFLAGS
- GUI: Dynamic menu and Misc category
- GUI: basic-network.asp align table style for enable/disabled options (like the VLAN page)
- GUI: advanced-wlanvifs.asp - align table style for Enabled/Disabled options
- GUI: vpn-tinc.asp - align table style for Enable/Disable options
- GUI: status-data.jsx - tweaked thresholds for Amber and Red as they triggered too early
- GUI: Basic: DDNS: add form for custom interface name for "External IP Checker" in case of non-WAN mode (fix ARM #337)
- GUI: VPN: OpenVPN server: add ability to generate 2048 byte Diffie-Hellman parameters
- GUI: VPN: OpenVPN server: add support for ECDH key generation
- GUI: VPN: OpenVPN server: set ECDH key generation as default
- GUI: VPN: OpenVPN *: fix issue with (re)starting clients/servers when saving a page but clients/servers are down
- GUI: Port Forwarding: Basic: use ajax to refresh info on page
- GUI: Port Forwarding: Basic IPv6: use ajax to refresh info on page
- GUI: Basic: IPv6: use ajax to refresh info on page
- GUI: Administration: CIFS Client: use ajax to refresh info on page
- GUI: Port Forwarding: DMZ: use ajax to refresh info on page
- GUI: Misc: Access Restriction: use ajax to refresh info on page
- GUI: QoS: Classification: use ajax to refresh info on page
- GUI: Administration: JFFS: use ajax to refresh info on page; also some fixes
- GUI: Improve UPnP IGD & PCP/NAT-PMP
- accel-pptp: add support for pppd 2.5.x
- dnsmasq: update DNS records after pruning DHCP leases (added as a patch)
- httpd: add rel version to each .css script call
- libncurses: update recipe, add patches from openwrt
- minidlna: add patches from debian
- mwwatchdog - remove console warning when mwwatchdog_debug is set to NULL
- openvpn: enable (back) management on AIO or ARM images
- openvpn: show data & control channel handshakes only above log level 3 (verb 3); added as a patch
- pppd: remove patch 390 (MIPS only) as librt is now always added to the target
- pptpd: do not build plugins; tune recipe
- rc: transmission.c: correctly remove the blocklist directory on startup. Also tune tcp_adv_win_scale
- rom: openssl.cnf: add default commonName
- samba3: move recipes to router/Makefile and tune them
- samba: add clean sources of 3.6.25 and one patch instead
- switch4g: add weird PIN_STATUS because sometimes it happens
- transmission: patches: revert commit 66dbc261 (add ARC4 implementation inside transmission, disable it in openssl)
- www: tomato.css: define size of Ethernet Ports State (fix ARM #311)
- vpnrouting.sh: do not use nslookup
- vpnrouting.sh: fix order in stopRouting()


2024.3          2024.08.04
---------------------------

- libjpeg-turbo: update to 3.0.3
- libxml2: update to 2.13.3
- sqlite: update to 3.46.0
- libcurl: update to 8.9.1
- libsodium: update to latest 1.0.20-stable
- nginx: update to 1.27.0
- pptpd: update to 1.5.0
- openssl-3.0: update to 3.0.14
- meson: update to 1.5.1
- openvpn-2.5: update to 2.5.11
- wolfssl: update to 5.7.2-stable
- nano: update to 8.1
- nettle: update to 3.10
- miniupnpd: update to 2.3.7
- lz4: update to 1.10.0
- dnscrypt-proxy: update to latest git (security fix, fix usage with latest libsodium, ref: https://github.com/dyne/dnscrypt-proxy)
- openssl-1.1: add fixes for: kcs1-implicit-rejection, CVE-2024-2511, CVE-2024-4741, CVE-2024-5535
- adminer: update to 4.8.4
- build: add OpenSSL 3.0.13 to the tree
- build: add OpenSSL 3.0.x recipes, add patches and update needed scripts
- build: switch to openssl-3.0 only for AIO targets (RT-AC)
- build: add wolfSSL 5.7.0 to the tree
- build: wolfSSL: add recipe, needed patches and configuration
- build: add wolfssl support for mssl
- build: add wolfssl support for httpd
- build: add wolfssl support for mdu
- build: add wolfssl support for openvpn
- build: add wolfssl support for libcurl
- build: add wolfssl support for transmission
- build: add wolfssl support for nginx
- build: openvpn_plugin_auth_nvram: add wolfssl support
- build: update libfoo.pl and Makefile to latest OpenSSL 3.0.x; also adapt libfoo.pl to be one version for ARM and MIPS - use it also on ARM
- build: Makefile: libnfnetlink: is only needed when target is built with CONNTRACK_TOOLS
- build: Makefile/www: tune openssl options
- build: Makefile: libevent: we don't need ssl here, so let's remove it from the recipe
- build: Makefile: libcurl: use default value for 'with-random'
- build: Makefile: libzip: do not add insecure support for in-php AES zip encryption
- build: Makefile: openssl: always compile with no-cms
- build: Makefile: openssl: always compile with no-ec2m
- build: Makefile: openvpn: disable unit tests (2.5, 2.6), add lz4 flags (2.5)
- build: Makefile: openvpn (2.5, 2.6): enable smaller executable size (disable OCC, usage message, and verb 4 parm list) for non-AIO MIPS targets
- build: openvpn (all): do not compile with lzo support (security)
- build: Makefile: php: remove curl support
- build: Makefile: tincd is now built using the shared liblz4 library
- build: Makefile: transmission: add gnu99 std to CFLAGS
- build: Makefile: do not compile lz4 for the smallest targets
- build: Makefile: use cmake in libxml2 recipe
- build: Makefile: libevent: only install shared library if target built with BBT or TOR
- build: remove DONT_OPTIMIZE_SIZE for target Mega-VPN
- build: remove DONT_OPTIMIZE_SIZE for target Mega-VPN (RT-AC)
- build: remove openvpn 2.4 from the tree - MiniVPN is now compiled with openvpn 2.5
- build: stubby: fix log level (see: https://www.linksysinfo.org/index.php?threads/stubby-doesnt-log.78729/)
- build: transmission: patches: add ARC4 implementation inside transmission, disable it in openssl
- build: transmission: patches: disable webseeding, it causes 100% CPU usage in certain situations; apply DSCP to UDP sockets too - backport patch from the upstream
- build: wolfssl: add patch to fix compilation of 5.7.2 on MIPS
- build: fix compilation of php7 when libxml2 is installed on host
- GUI: advanced-ctnf.asp: refined page layout [rs232]
- GUI: Basic: DDNS: move Service dropdown to top
- GUI: Basic: Network: only display the wireless connection (WAN) types that are available for a given branch (fix ARM #328)
- GUI: basic-network.asp: fix saving in case wl radio order is not ascending (ex. normal order wl0, wl1, wl2, ... ) [Version 2] [M_ars]
- GUI: Basic: Time: layout improvement and some renaming [rs232]
- GUI: QoS: Classification: Display warning on the qos-classify page if classification has been nvram disabled, where QoS is enabled and set to HTB mode [rs232]
- GUI: Status: Overview: fix Signal Quality icon in wireless client mode
- GUI: Tools: Wireless Survey: Discouraging certain WiFi security protocols [rs232]
- GUI: Tools: Wireless Survey: Changed default table sorting by RSSI Descending (strongest to weakest) [rs232]
- GUI: Tools: Wireless Survey: Added SNR (Signal to Noise) to the table [rs232]
- GUI: Tools: Wireless Survey: added filter by frequency [rs232]
- adblock-v2: add internet connectivity test as a running condition [rs232]
- adblock-v2: use Internet test target from nvram mwan_chdst content if this contains any usable FQDN; if not default to google.com [rs232]
- adblock-v2: skip Internet test if no lists are defined (covers the case where domains are only defined locally) [rs232]
- adblock-v2: further improvement to the Internet test: running condition: also check if at least one list is enabled [rs232]
- httpd: openvpn.c: initialize buffer before use; also log static/dhparam key creation
- nvram_ops: add centralised console font & background color definition [rs232]
- nvram_ops: added ${reset} and corrected typo [rs232]
- rc: ddns.c: enable DDNS client 3 & 4
- rc: init.c: WNDR3400v2/v3 edit [txnative]
- rc: init.c: E3200 edit [txnative]
- rc: init.c: F9K1102 Edit/Remove [txnative]
- rc: network.c: set the wireless virtual interface hwaddr according to nvram and wait up to 100 ms to check the result [M_ars]
- rc: nginx.c: fix permissions for socket in case when run as 'nobody'
- rc: nocat.c: touch lease file if it doesn't exist yet
- rc: nocat.c: Use BRIDGE_COUNT to iterate through the lans [lancethepants]
- rc: service.c: miniupnpd: follow changes in config naming, also change default upnp_ssdp_interval to 900s
- rc: services.c: stop_services(): do not stop ntpd during router restart/upgrade
- rom: remove authorityKeyIdentifier from the Server cert generation [lancethepants]
- rom: also remove authorityKeyIdentifier for usr_cert [lancethepants]
- rom: update CA bundle to 2024-07-02
- transmission: dht: fix incorrect handling of want in find_closest_nodes
- www: add rel version to each .js script call
- www: add rel version to each .jsz script call
- www: add rel version to each .css script call
- www: advanced-ctnf.asp: fix appearance on advanced themes
- www: basic-ddns.asp: fix availability of external IP checker when using WET/Media Bridge/etc WAN mode
- www: tomato.css: tweaks centrally indent 1 & 2 (no need to add manually indent: 2 to every page now) and adds options for indent 3 & 4 [rs232]
- www: Makefile: fix display of QR Code when image is build without wireguard


2024.2          2024.05.19
---------------------------

- toolchain: add support for *at functions (haveged)
- toolchain: correct build script and replace ctype.h file with correct one after building toolchain
- toolchain: fix build break on Debian 11/12
- toolchain: build with MIPSR2 optimization for RT-N and RT-AC branch
- toolchain: update with latest changes to build scripts/options (MIPSR2 optimization)
- zlib: update to 1.3.1
- libcurl: update to 8.7.1
- libpng: update to 1.6.43
- libxml2: update to 2.12.6
- tinc: update to d9e42fa (2024-04-07) snapshot
- dnsmasq: update to b8ff4bb (2024-02-22) snapshot
- expat: update to 2.6.2
- busybox: updates from the upstream
- spawn-fcgi: update to 1.6.5
- nginx: update to 1.26.0
- meson: update to 1.4.0
- openvpn-2.5: update to 2.5.10
- tor: update to 0.4.7.16 - the last one that actually compiles on our ancient toolset
- sqlite: update to 3.45.3
- miniupnpd: update to 2.3.6
- dropbear: update to 2024.85
- libsodium: update to latest 1.0.19-stable
- libzip: update to 1.10.1
- libatomic_ops: update to 7.4.20
- build: Makefile: tune libcurl recipe (remove not used stuff - smaller size)
- build: Makefile: tune apcupsd recipe (smaller size)
- build: Makefile: mysql: at last build it with system zlib; do not waste time for mysql-test, support-files, sql-bench and man subdirs
- build: Makefile: minidlna: disable NLS support
- build: Makefile: clean more targets before every compilation
- build: Makefile: fix ntfs-3g recipe after latest changes to toolchain
- build: add haveged-1.9.18 to the tree
- build: add haveged to all MIPS RT-AC routers
- build: add haveged to RT-N66U and WNR3500Lv2 for RT-N branch
- build: add haveged to some Linksys E-Series targets with 60KB nvram
- build: add haveged to 32KB nvram Mega-VPN & AIO target at RT-N branch
- build: switch to php-7.2.34; use libzip for php compilation
- build: Makefile: php: do not build opcache module
- build: Makefile: php: do not build phpdbg module
- build: add TOR again to the o (Custom) target
- build: Update Dockerfile to Debian 12
- GUI: Administration: Admin Access: exclude ports 80 and 443 for remote GUI access for security reasons
- GUI: Administration: Admin Access: fix preparing url of redirect page in case of remote connection
- GUI: admin-access.asp - Add option to enable/disable httpd listening on IPv6 and VLAN interfaces
- GUI: basic-network.asp - fix saving in case wl radio order is not ascending (ex. normal order wl0, wl1, wl2, ... )
- GUI: tools-survey.asp - fix Wireless Site Survey if SSID contains a single quote (fix ARM #323)
- GUI: VPN: OpenVPN Client: add note about strict Kill Switch
- GUI: Status: Overview: fix Watchdog status display
- GUI: USB and NAS: Media Server: fix behaviour of the LAN boxes
- busybox: always add flock applet
- busybox: remove patch 160 because of updated toolchain (commit fc6df68)
- DHCPC: optionally prevent classless routes. Since this is used for iptv it cannot be disabled by default; recommended to turn it off when not using iptv, see CVE-2024-3661
- getdns: fix for broken trust anchor files are silently ignored
- openssl-1.1: add patches for CVE-2023-5678 and CVE-2024-0727
- php-7.2.34: add openwrt patches
- udpxy: Fixed uninitialized source address 
- DDNS: multiWAN aware (fix ARM #65)
- ddns: increase the number of errors allowed before entering standby from 3 to 10
- discobery.sh: supports for any CIDR (no dependency to /24 any more) - network and broadcast IPs are now always excluded from the polling - works when brX IP address is not the first in the subnet
- httpd: config.c: do not close temp file created by mkstemp before using it
- httpd: upgrade.c: use mkstemp instead of dangerous mktemp; check for available memory first; correct argument in waitpid(); fix a few other issues
- httpd: etherstates - detect port info in one sscanf
- httpd: httpd.c - fix/add IPv6 listeners for MultiLAN setups (do not try to add IPv4 listeners twice)
- httpd: devlist.c: Loop through dhcp enabled interfaces using BRIDGE_COUNT
- httpd: wl.c - Add central channel for future updates to the GUI Wireless Survey
- httpd: wl.c - Add 802.11N+AC BSS capabilities for future updates to the GUI Wireless Survey
- mdu: in case of curl, also use a while loop to use more than one IP checker during a failed host check
- mdu: use getaddrinfo instead of the deprecated gethostbyname when building without libcurl
- mdu: also test for IP change if "Force next update" is checked
- mdu: support special case, when ifname is set to 'none' or proto is 'disabled' - use default WAN
- mdu: remove ieserver.net from the list of available services (down)
- mdu: remove DyNS from the list of available services (down)
- nvram: fix behavior of 'convert' option
- ntpd: try to monitor and restart it when it dies or doesn't start at all
- others: sysinfo: fix WL adapter name for 3rd wireless
- others: improve cru locking to prevent concurrent updates
- others: switch4: fix PIN status recognition on some modems
- others: switch4g: correct checking of CPIN status
- others: switch3g: fix PIN checker
- patches: nginx: fix little endian recognition, solve other issues
- rc: always enable 3G modem support and remove that option from the GUI
- rc: arpbind.c: stop_arpbind(): Skip header of /proc/net/arp
- rc: buttons.c: Limit WLAN button maximum duration to 120 seconds
- rc: bwlimit.c: refactor code to loop using BRIDGE_COUNT
- rc: firewall.c: fix remote administration (www/ssh) when DMZ is enabled 
- rc: firewall.c: Use BRIDGE_COUNT to iterate throuh interfaces
- rc: ftpd.c: close fp before bailing when f fails to open
- rc: init.c: do not run remove_usb_module() [remove_usb_all_modules() now] on halt/reboot; some changes in order of removed services
- rc: init.c: current all parameters are no longer needed for both WNDR3400v2/v3 models, they lower wifi performance
- rc: nfs.c: Also free(buf) when returning on failed fopen
- rc: nginx.c: always try to kill php-cgi at nginx stop
- rc: openvpn.c: start_ovpn_client(): Initialize route_mode variable
- rc: services.c: start_ipv6_tunnel(): Fix undefined behavior in snprintf
- rc: services.s: use get_wanface() to properly check WAN ifaces in generate_mdns_config()
- rc: services.c: block Apple private relay
- rc: tor.c: refactor code to loop using BRIDGE_COUNT
- rc: usb.c: do not run remove_usb_modem_modules() by default - it may cause kernel panic (at least on MIPS RT-AC), enable it by setting 'remove_modem_modules' nvram variable
- rc: wan.c: restart DDNS not only on primary WAN
- rom: update CA bundle to 2024-03-11
- www: advanced-vlan.asp: wipe out relevant fields for inactive or just disabled WAN - needed in various places for the proper operation of FW
- www: advanced-vlan.asp: after editing, just reset mwan_num to 1 to avoid problems
- www: basic-time.asp: Show ntp info
- www: qos-{ctrate,qos-detailed}: Additional filter options
- www: tools-survey.asp - v1.01 - 11/05/24 - rs232 
- Asus RT-N12 HP: fix saving country/rev selection starting with release 2022.4/5 (GUI: advanced-wireless.asp)


2024.1          2024.02.14
---------------------------

- dnsmasq: update to aa9e965 (2024-01-21) snapshot
- libcurl: update to 8.5.0
- libcap-ng: update to 0.8.4
- libpng: update to 1.6.41
- libjpeg-turbo: update to 3.0.2
- libid3tag: update to 0.16.3
- dropbear: update to 41a6abc (2023-12-31) snapshot
- miniupnpd: update to 2.3.4
- ntfs-3g: update to 75dcdc2 (2023-06-13) snapshot
- busybox: updates from the upstream
- wsdd2: update from the upstream
- uqmi: update to c3488b8 (2024-01-16) snapshot
- sqlite: update to 3.45.1
- libxml2: update to 2.12.4
- libsodium: update to latest 1.0.19-stable
- wireguard-tools: update to 1.0.20210914
- libubox: update to 6339204 (2023-12-18) snapshot
- build: Makefile: fix libcurl issue with http auth
- build: Makefile: fix compilation on Debian 12
- build: kernel: fix kernel warnings at generated shared_ksyms.c
- build: Makefile: on %-clean, do not forget to remove staged dirs
- GUI: advanced-wireless.asp - add Inactivity Timer option for Media Bridge Mode (60 up to 3600 sec)
- GUI: VPN: Tinc: tune a little status page
- mwwatchdog: tune cktracert() checker once again - it needs max hop value set to ~10
- rc: snmpd.c: log start/stop events
- switch4g/wwansignal: add timeouts to uqmi calls
- www: tomato.js: restore compatibility with older browsers
- www: tools-shell.asp: switch to our addEvent() function for better compatibility


2023.5          2023.12.21
---------------------------

- iperf: update to 3.15
- openssl-1.1: update to 1.1.1w
- libcurl: update to 8.4.0
- dnsmasq: update to 63ba726 (2023-12-03) snapshot
- libsodium: update to latest 1.0.19-stable
- sqlite: update to 3.44.2
- libjpeg-turbo: update to 3.0.1
- nginx: update to 1.25.3
- uqmi: update to eea2924 (2023-10-28) snapshot
- openvpn: update to 2.6.8
- irqbalance: update to 1.9.3
- libxml2: update to 2.11.6
- build: advanced themes for router with 4MB flash is just too much - shrink e1000v2i (Linksys E1000v2-v2.1/Cisco M10v2 MiniIPv6) and e1200v1i (Linksys E1200v1 MiniIPv6) targets
- build: libfoo.pl: fix path to libjpeg library
- build: Makefile: do not waste time installing libatomic_ops
- build: Makefile: use custom build without OpenVPN for n60 (Tenda N60) target (fixes #96 ARM)
- build: Makefile: align the images filename for each release to contain the relevant ARM version in the filename
- build: Makefile: split into different files for easier maintenance; tune a little versioning
- build: Makefile: compile rp-pppoe and pppd with -Os (for small images) or -O2 flag (other images like VPN, AIO, AIO_Lite, Mega)
- build: Makefile: fix pcre-install recipe
- build: Makefile: fix php recipe - build it with our pcre and also correct libjpeg-turbo support
- build: Makefile: compile smaller initial files
- busybox: add lsof applet to images
- dropbear: fix CVE-2023-36328
- GUI: basic-network.asp - allow Group Key Renewal from 0 (disabled) up to 30 days (2592000 sec)
- GUI: Status: Device List: add Wake on LAN for Media icon
- GUI: add an optional 'toggle to dark' switch
- GUI: Advanced: Routing: allow to add 'default' as a Destination (fix #301 ARM)
- GUI: Status: Overview: count reclaimable slab memory as a free memory (according to 'free')
- GUI: Port Forwarding: Basic/Basic IPv6/Triggered: fix tables width in Advanced themes and some html/css inconsistency; cosmetic
- GUI: Port Forwarding: Basic: sort "Src Address" and Int Address" columns by text like on Basic IPv6
- httpd: openvpn.c: remove the status from the generated OpenVPN client configuration - this may cause problems in some cases
- Media Bridge Mode (SDK6/SDK7/SDK714): reinitialize wl radio in case of connectivity loss (v2)
- nvram: add possibility to convert config backup file to readable nvram text file
- others: mwwatchdog: tune cktracert() a little
- rc: services.c: start rstats/cstats later and stop them earlier (should fix #213 ARM)
- rc/httpd: use tomato_version variable instead of nvram 'os_version'
- rc: Drastically improve slow boot times caused by USB mass storage
- rom: update CA bundle to 2023-12-12
- switch4g: add more complex PIN check for QMI modems; also some more fixes
- switch4g: do not use setpin.gcom script from gcom (comgt) package
- wanuptime: improve buffer validation (snprintf/strlcpy)
- WET / Media Bridge Mode: allow to use/enable Debug Mode for dnsmasq (via advanced-dhcpdns.asp)
- WET / Media Bridge Mode: allow to use/enable Adblock feature
- www: status-data.jsx: fix a small bug in displaying DNS addresses
- www: admin-iptraffic.asp: restart the firewall when enabling/disabling cstats
- www: status-data.jsx: DNS: make message about used DNS more precise


2023.4          2023.09.10
---------------------------

- libsodium: update to latest 1.0.18-stable
- minidlna: update to 1.3.3
- libcurl: update to 8.2.1
- tor: update to 0.4.7.14
- iperf: update to 3.14
- libjpeg-turbo: update to 3.0.0
- rom: update CA bundle to 2023-08-22
- gmp: update to 6.3.0
- libjson-c: update to 0.17-20230812
- nginx: update to 1.25.2
- sqlite: update to 3.43.0
- libxml2: update to 2.11.5
- openssl: update to 1.1.1v
- zlib: update to 1.3
- libpng: update to 1.6.40
- snmp: update to 5.9.4
- flac: update to 1.4.3
- dnsmasq: update to 3b5ddf3 (2023-09-02) snapshot
- ffmepg: update to 0.11.5 (resolves ARM #239)
- others: switch4g: extend waiting time for modem switching and its redetection
- Wireless Survey: optimize code for wl survey (GUI: tools-survey) - Part 2
- build: Makefile: compile Tenda N60 (n60) without PROXY enabled to save space
- build: get rid of pdureader - full of bugs, it's enough that comgt has its issues
- build: Makefile: adding F9K1102-init target
- build: Makefile: compile rp-pppoe and pppd with -Os flag only if we need smaller image (ie. for 4MB routers)
- build: Makefile: compile openssl-1.1 with -Os flag only if we need smaller images (example for 4 or 8 MByte routers) - arm branch/mips MEGA & AIO will use O3
- Adblock (DNS filtering): remove default domain blacklist URLs and save NVRAM space for all routers (no matter if 32, 64 or 128 KB)
- dnsmasq: set the default maximum DNS UDP packet size to 1232
- IPv6: show option6 dns-server (RDNSS) (GUI: advanced-dhcpdns.asp)
- Media Bridge Mode (SDK6/SDK7/SDK714): add ARPING (default 180 sec cycle) and improve stability
- mdu: fix Cloudflare DDNS when using curl
- QoS: remove default Outbound Direction configuration and save NVRAM space for all routers (no matter if 32, 64 or 128 KB)
- GUI: Administration: Access: move "Remote Web Port Protection" to "Admin Restrictions" section; also enable it by default
- GUI: Administration: Bandwidth Monitoring: add current date/router model/FW version to backup file
- GUI: Administration: IP Traffic Monitoring: add current date/router model/FW version to backup file
- GUI: Advanced: DHCP/DNS/TFTP: Add option to Show/Hide Stubby's resolvers
- GUI: Advanced: DHCP/DNS/TFTP: hide 'IPv6 DNS Server' forms when IPv6 is disabled
- GUI: Advanced: DHCP/DNS/TFTP: hide the rest of IPv6 options if IPv6 is disabled
- GUI: Status: Overview: add current operator to WWAN Modem Status also for QMI modems
- GUI: Advanced: DHCP/DNS/TFTP: hide "DHCP IPv6 lease time" options in case DHCPv6 PD
- GUI: USB and NAS: Media Server: fix correct port in status window link when using minidlna with random port
- GUI: Status: Overview: do not display days if they are equal to zero
- GUI: basic-ddns.asp - provide an additional variable for the IPv6 address in custom URLs for DDNS
- Revert "rc: services.c: start_ntpd(): run ntpd at high priority"
- httpd: improve buffer validation (strlcpy)
- httpd: iperf.c: sanitize host name
- others: wwansignal: start querying the modem only if the DIAGS file exists (it means that modem is detected with diags and probably already connected)
- others: switch4g: fix listing TTYs in QMI mode
- others: use shorter /dev/null redirection
- others: rename watchdog script to mwwatchdog to avoid confusion with the busybox applet
- rc: dhcp.c - adjust/improve bound event and avoid memory sharing issues
- rc: ftpd.c: Change the default ftpd admin login to 'root' to be consistent with the default router login
- rc: dhcp.c - adjust renew event and do not restart dnsmasq for WAN side route changes (resolves ARM #287)
- rc: init.c: remove "os_name" from nvram
- rc: ppp.c - adjust/improve code to avoid memory sharing issues
- rc: services.c: dnscrypt-proxy: in case of EDNS packet size is set lower than 1252 in dnsmasq, set it also here
- rc: services.c: we don't need extra logging when minidlna logs to syslog
- rc: wan.c - adjust/improve code to avoid memory sharing issues (+add some more comments)
- rom: Makefile: Escape single quotes (') in dnscrypt-resolvers.csv
- switch4g: move cdc_ether module to the end of the list 
- wsdd2: Update patch with new location of smb.conf
- WWAN: improve display of SINR values for QMI modems
- www: advanced-dhcpdns.asp: remove dupe from Notes section
- www: advanced-vlan-r1.asp: add modification to enable Native VLAN support (allow one untagged vlan per port) by default
- www: tomato.js: allow to use onclick in elements (appended after verifyFields() essentially) created by the createFieldsTable() function
- Netgear WNDR3400v3: adjust default values for wl_txq_thresh, et_txq_thresh and wl_rpcq_rxthresh (--> explicitly for WiFi modules)
- Netgear WNDR3400v2: adjust default values for wl_txq_thresh, et_txq_thresh and wl_rpcq_rxthresh (--> explicitly for WiFi modules)
- Linksys E3200: adjust default values for wl_txq_thresh, et_txq_thresh and wl_rpcq_rxthresh (--> not explicitly for WiFi modules)
- Belkin F9K1102(v3): adjust default values for wl_txq_thresh, et_txq_thresh and wl_rpcq_rxthresh (--> explicitly for WiFi modules)


2023.3          2023.06.25
---------------------------

- busybox: update to 1.36.1
- libcurl: update to 8.1.2
- sqlite: update to 3.42.0
- libxml2: update to 2.11.4
- nginx: update to 1.25.1
- openssl-1.1: update to 1.1.1u
- libsodium: update to latest 1.0.18-stable
- libubox: update to 75a3b87 (2023-05-23) snapshot
- dnsmasq: update to 9bbf098 (2023-05-26) snapshot
- nettle: update to 3.9.1
- util-linux: update to 2.39
- libusb: update to d5bb64b (2020-01-24) snapshot
- adblock v2: update to 2.72b
- dhcp6c: add signal handling of SIGINT and fflush
- getdns/stubby: fix the IP of one of the OpenDNS servers
- stubby: add getdnsapi.net DNS to the resolver list
- stubby: remove Surfnet/Sinodun DNS from the list - it doesn't work anymore
- rstats (Bandwidth Monitoring): add rstats nvram variables only if feature is enabled (clean-up nvram at boot/re-boot)
- cstats (IP Traffic Monitoring): add cstats nvram variables only if feature is enabled (clean-up nvram at boot/re-boot)
- FTP Server: add ftp nvram variables only if feature is enabled (clean-up nvram at boot/re-boot)
- SNMP: add snmp nvram variables only if feature is enabled (clean-up nvram at boot/re-boot)
- UPnP: add upnp nvram variables only if feature is enabled (clean-up nvram at boot/re-boot)
- httpd: improve buffer handling
- httpd: increase buffer for get_wl_tempsense(); also use proper site_t buffer in snprintf
- shared/rc/httpd: improve buffer validation (strlcat_r)
- bsd/eapd/wlconf: fix build break (strlcat_r)
- mdu: fix compilation in case if built without libcurl; avoid compiler warnings
- mdu: fix segfault in curl_headers() when adding more than one header at a time
- mdu: add addtional headers for wget()
- mdu: fix basic auth in update_wget() when built with libcurl
- mdu: mdu.c: improve buffer handling
- mdu: allow the user to specify a custom polling period for External IP address checker
- mdu: rewrite the part responsible for obtaining the external IP address
- GUI: Basic: DHCP Reservation: properly initialize 'Static lease time' on page load
- GUI: admin-iptraffic.asp - add note about IPv4 only (no support for IPv6)
- GUI: advanced-wireless.asp - add Optimized for Xbox option 
- GUI: Advanced: DHCP/DNS/TFTP: allow to ignore DHCP requests from unknown devices on each bridge individually
- GUI: Basic: Network: fix visibility of 'AP MAC Address to connect' option
- GUI: bwlimit.asp - add checks for Multi-LAN setups
- GUI: Basic: DDNS Client: use ajax to refresh info on page
- GUI: VPN Tunneling: OpenVPN Client: Routing Policy: add more thorough domain validation
- shared: misc.c: get_dns(): really add received DNS servers to the static DNS server list
- Revert "rp-pppoe: update to 3c0f6c02 (2023-02-08) snapshot"
- rc: init.c: fix restart of some services when using SIGHUP on init (resolves #284)
- rc: transmission.c: fix port forwarding for IPv6
- rc: wan.c: fix restart of some services in WET mode (resolves #91)
- rc: do not waste time and resources if IPv6 is disabled
- rc: jffs2.c - do not delete (automatically) jffs if mounting fails (show error only)
- rc: ddns.c: distinguish addrcache and dump file depending on the unit number
- rc: ftpd.c: fix bug where in some cases FW rules to open WAN port were not removed
- rc: nginx.c: fix bug where in some cases FW rule to open WAN port was not removed
- rc: mysql.c: Fix copying adminer.php to nginx_docroot
- rom: update CA bundle to 2023-05-30
- WL (SDK6 and up!): show & provide all valid WiFi 5 (AC / 80 MHz) control channels (lower-lower [LL], lower-upper [LU], upper-lower [UL], upper-upper [UU])


2023.2          2023.03.18
---------------------------

- WL Client / Media Bridge / Wireless Ethernet Bridge: add AP MAC (xx:xx:xx:xx:xx:xx) to scan and join (--> try to connect to that specific MAC with SSID "ABCDEF")
- libcurl: update to 7.88.1
- libjpeg-turbo: update to 2.1.5.1
- libsodium: update to latest 1.0.18-stable
- miniupnpd: update to 2.3.3
- rp-pppoe: update to 3c0f6c02 (2023-02-08) snapshot
- sqlite: update to 3.41.1
- e2fsprogs: update to 1.47.0
- openvpn-2.5: update to 2.5.9
- dnscrypt-proxy: update resolvers csv file
- rom: update CA bundle to 2023-01-10
- dnsmasq: add safe-mode + TFTP
- build: scripts: added PATH directive to avoid conflicts with entware/optware
- build: sync to MIPS RT-N/AC & ARM branch (WL Client / Media Bridge / Wireless Ethernet Bridge: add AP MAC (xx:xx:xx:xx:xx:xx) to scan and join)
- GUI: vpn-server.asp: corrected "Uncrypted" for "Unencrypted"
- GUI: VPN Tunneling: add Wireguard page (for now only with link to the wiki howto)
- GUI: DHCP / DNS / TFTP: clean-up
- Revert "GUI: add new default theme"
- others: entware-install-MIPS.sh: use the full path when calling programs
- rc: fix logdrop bevaviour (if enabled)
- rc: init.c: wndr3400v2/v3 add missing QTD params
- rc: transmission.c: fix port forwarding (UDP)
- rc: transmission.c: revert changes from 4c4f653 - everything works just fine
- rc: wan.c: fix commit 80a7e66
- shared: led.c: wndr3400v2 set active high for AOSS


2023.1          2023.02.17
---------------------------

- busybox: update to 1.36.0
- libpng: update to 1.6.39
- libsodium: update to latest 1.0.18-stable
- nano: update to 7.2
- tor: update to 0.4.7.13
- nginx: update to 1.23.3
- ffmpeg: update to 0.7.17
- libjpeg-turbo: add clean sources of 2.1.4
- dropbear: updates from the upstream
- sqlite: update to 3.40.1
- pppd: update to 2.4.9
- adblock: update to 2.71e
- libcurl: update to 7.87.0
- getdns: update to 1.7.3; refresh patches
- libubox: update to eac92a4 (2023-01-03) snapshot
- miniupnpd: update to 2.3.2; refresh patches
- libncurses: update to 6.4
- dnsmasq: update to 2.89
- openssl-1.1: update to 1.1.1t
- build: remove no more needed jpeg package from the tree
- GUI: add "Scroll to bottom" also at the bottom of the status-log page
- GUI: adjusting "Refresh Every" to "One off"
- GUI: Advanced: Firewall: add note about custom config file for igmpproxy
- GUI: advanced-wireless.asp - remove afterburner option (for SDK6 and up!)
- GUI: USB and NAS: BitTorrent Client: extend character limit on the input field for blocklist url to 256
- GUI: USB and NAS: Media Server: fixes/improvements
- GUI: USB and NAS: File Sharing: use checkboxes to select interfaces; also change location of samba configuration file (/etc/samba/smb.conf)
- minidlna: use syslog instead of a log file; added as a patch
- others: Makefile: also add ntp2ip script when image is built with dnscrypt-proxy but without stubby (resolves #90)
- rc: openvpn.c: remove ignoring directives for IPv6 for OpenVPN client
- rc: samba.c: correct 'server string'
- rc: services.c: start_media_server(): correct friendly_name, album_art_names; add model_name
- rc: service.c: start_upnp(): correct friendly_name
- rc: transmission.c: only add bind to generated config if it's not already added in custom config
- www: tomato.js: allow the hostname to be all digits as per RFC
- www: add new favicon (thanks @rs232)
- init.c: E2500 update/modify nvram defaults


2022.7          2022.12.20
---------------------------

Note: the upgrade is highly recommended for users using Routing Policy in the OpenVPN client due to a major issue related to it.

- busybox: update to 1.35.0
- dropbear: update to 2022.83
- tor: update to 0.4.7.11
- zlib: update to 1.2.13
- xl2tpd: update to 1.3.18
- sqlite: update to 3.40.0
- libpng: update to 1.6.38
- nano: update to 7.0
- minidlna: update to 1.3.2; refresh patches, remove no more needed
- dnsmasq: update to v2.88
- build: Makefile: fix compilation in case if minidlna is built as static
- GUI: Status: Overview: fix Signal Quality icon in wireless client mode when RSSI is equal zero
- GUI: Basic: Time: add option to serve also NTP on the WAN
- GUI: VPN Tunneling: Tinc Daemon: better format Tinc output in Advanced themes
- GUI: Administration: TomatoAnon: grammar fix
- GUI: Status: Device List: add frequency to Moise Floor interfaces list
- busybox: awk: fix use after free (CVE-2022-30065)
- dropbear: disable DSS key support
- dropbear: use Os flag for Libtommath and smallest targets
- e2fsprogs: add two patches from openwrt
- httpd/mssl: add support of elliptic curves in mssl_cert_key_match
- httpd: switch self-signed certificate from RSA to ECC
- rc: adjust start/stop of miniupnpd
- rc: adjust/add stop for miniupnp in case of single-wan
- rc: firewall: move ftpd FW rules (remote access/ftplimit) to ftpd.c script
- rc: interface.c: log errors only on failed interface addition
- rc: nocat.c: only run start_wan() if nocat was really started
- rc: openvpn.c: check first if firewall script is executable
- rc: openvpn.c: workaround for problems when adding iptables rules
- rc: rc.c: run_del_firewall_script(): correct temp file permissions
- rc: services.c: start_igmp_proxy(): drop privileges after startup
- rc: services.c: improve buffer handling
- rc: services.c: exec_service: do not re-use buffer
- rc: services.c: do_service(): increase waiting time (from 15 to 20 secs), because almost all services are now serialized when started/stopped; more verbose logging
- rc: services: move ftpd support to outer file
- rc: wan.c: restarting httpd service here is completely redundant
- rc: telssh.c: avoid problems while starting/stopping in the GUI (and also in other cases)
- stubby: add Mullvad DNS to the list
- router: shared: cache the model detection result for safe multiple use
- Wireless Ethernet Bridge: fix Boot-Loop for MIPS RT-AC branch router/images


2022.6          2022.11.06
---------------------------

- toolchain: fix support for realpath() - allow a NULL argument; causing segfault in ie. nano 
- libcurl: update to 7.86.0
- nano: update to 6.4
- nettle: update to 3.8.1
- sqlite: update to 3.39.4
- tor: update to 0.4.7.10
- dnsmasq: update to 2.87 final
- tinc: update to the latest commit. 4c6a9a9; update to meson build system. Add lz4 support to tinc
- dnscrypt-proxy: update resolvers csv file
- getdns: update to 1.7.2
- openssl-1.1: update to 1.1.1s
- igmpproxy: update to 0.4
- libsodium: update to latest version of 1.0.18-stable
- nginx: update to 1.23.2
- ntfs-3g: update to 2022.10.3
- miniupnpd: update to 2.3.1
- openvpn: update to 2.5.8
- flac: update to 1.4.2
- libxml2: update to 2.10.3
- libcurl: update CA certificate bundle as of 2022-10-11
- meson: add clean source for version 0.63.0
- lz4: add clean source for version 1.9.3
- lz4: update to 1.9.4
- zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)
- zlib: backport null dereference fix
- nocat: import some patches found in debian
- build: sync up DockerFile to current build process
- build: Makefile: clean-up Linksys E-Series with 64k Nvram/8MB Flash (E800/E900/E1200v2/E1500) - two targets possible now (VPN & Max image)
- build: Makefile: add back original target recipe, make help for wndr3400 v2/v3
- build: Makefile: edit e3200 target recipe and make help menu. - changing from mega-vpn to vpn
- build: samba3: update Makefile; due to the recent changes to the toolchain, we now have realpath() with support for NULL argument. So change that option
- GUI: advanced-misc.asp - Make it possible to save settings without rebooting
- GUI: Wireless Survey: check for Channel Spec BW 160 / 8080 MHz (SDK6 and up)
- GUI: VPN Tunneling: Tinc Daemon: fix javascript error
- GUI: NAS: Media Server: fix allowed port range
- GUI: Basic: Network: remove unnecessary javascript alert
- GUI: move IPSec Passthrough from Firewall to Conntrack/Netfilter
- GUI: Advanced: Routing: increase route metric limit from 10 to 4294967295
- GUI: Status: Overview: add link to DHCP/DNS page when using stubby/dnscrypt-proxy
- GUI: basic-ddns.asp - do not show the DDNS password 
- GUI: Asus RT-N16: fix saving country/rev selection starting with release 2022.4/5 (GUI: advanced-wireless.asp)
- GUI: basic-network.asp - Option: Automatic IP --> give some more Infos to the FT user about changing IP address (DHCP client on/off)
- GUI: fix start/stop button behaviour, when there is an error in config file
- GUI: add new default theme
- GUI: USB and NAS: Media Server: fix the operation of the 'Rescan on the next run' button
- GUI: Administration: Admin Access: add 'Notes' section about dropbear additional configuration files
- GUI: Status: Overview: add current operator to WWAN Modem Status
- Access Point Mode / WET / Media Bridge Mode: Allow to obtain a LAN IP via DHCP
- firewall: check GUI IPSec config first (small fix for operator priority)
- httpd: misc.c: asp_notice(): sanitize file name
- httpd: log.c: wo_viewlog(): sanitize search string more aggressively
- IPv6: add/use function to extract prefix from configured IPv6 address
- nvram: remove no more needed variables (dhcp_start, dhcp_num)
- Revert "GUI: Advanced: DHCP / DNS Client: remove 'Reduce packet size' option - no more available in udhcpc from busybox"; 'Reduce packet size' option is available via patch!
- rc: firewall: move nginx FW rules (remote access) to nginx.c script
- rc: openvpn.c: rewrite openvpn FW rules
- rc: tinc.c: rewrite tinc FW rules
- rc: transmission.c: rewrite transmission FW rules and watchdog script
- rc: mysql: rewrite, to get rid of shell scripts
- rc: pptpd.c: rewrite pptpd FW rules
- rc/shared: introduce and use killall_and_waitpid()
- rc: tune stop_stubby function
- rc: fix call to restart_nas_services() - to restart it needs stop/start, not only start
- watchdog: use 1.1.1.1 as a 2nd target instead of microsoft.com
- www: tools-qr.asp: fix bug when certain characters are in ssid or PSK
- www: status-log.asp: add maxlength to find input element
- Netgear WNDR3400 v2/v3: skip enable switch leds at bcmrobo
- Linksys E3200: modify init (default) values
- WNDR3400v2 / WNDR3400v3: modify init (default) values
- Share Max N300 (F7D3301/F7D7301) v1 and Share N300 (F7D3302/F7D7302) v1: fix saving country/rev selection starting with release 2022.4/5 (GUI: advanced-wireless.asp)
- F9K1102: init.c: modify variables, parameters same as E3200


2022.5          2022.08.06
---------------------------

Note: mainly bugfixes release.

- nginx: update to 1.23.1
- sqlite: update to 3.39.2
- libcurl: update CA certificate bundle as of 2022-07-19
- build: dhcpv6: add #ifdef to have one version for ARM and MIPS
- build: Makefile: remove IPSEC support from 'm' (Max) target to save some space
- GUI: fix copy-paste for advanced-dhcpdns.asp
- GUI: Advanced: DHCP/DNS: 'Solve .onion' checkbox should be available regardless of tor status
- GUI: basic-ipv6.asp - fix problems with saving IPv6 setting
- GUI: Advanced: DHCP/DNS: rename option
- dhcpv6: Improve log messages when a REPLY message arrives. The old ones were confusing
- dhcpv6: Add a new script event "EXIT", which is invoked when dhcp6c exits


2022.4          2022.07.31
---------------------------

Note: because of changes in GUI, clean your browser cache and/or use Ctrl+F5 (FF) to avoid artifacts.

- toolchain: hndtools-mipsel-uclibc update; uClibc 0.9.30.1 with CVE-2022-30295 and CVE-2016-6264 fixes
- toolchain: add support for be64toh/htobe64 (iperf); ULLONG_MAX/LLONG_MAX/LLONG_MIN defs were unavailable for compiler (e2fsprogs)
- libcurl: update to 7.84.0
- libxml2: update to 2.9.14
- libiconv: update to 1.17
- flac: update to 1.3.4
- openvpn: update to 2.5.7
- ntfs-3g: update to 2022.5.17
- libsodium: update to 1.0.18-stable
- nettle: update to 3.8
- tor: update to 0.4.7.8
- zlib: update to 1.2.12 (add two fixes from the develop tree)
- libubox: update to d2223ef (2022-05-15) snapshot
- uqmi: update to 56cb2d4 (2022-05-04) snapshot
- openssl-1.1: update to 1.1.1q
- sqlite: update to 3.39.0
- nginx: update to 1.23.0
- dnsmasq: update to 2022.07.07 (20b4a4e) snapshot
- build: Makefile: Asus RT-N53: this model only supports 100Mbps WAN/LAN, so remove bcmnat from recipe
- build: Makefile: Linksys E2500: this model only supports 100Mbps WAN/LAN, so remove bcmnat from recipe
- build: Makefile: Netgear WNDR3400v2/v3: this model only supports 100Mbps WAN/LAN, so remove bcmnat from recipe
- build: Makefile: sync Asus RT-N53 and Linksys E2500v2 targets (almost the same)
- build: router: Makefile: also install zlib when samba is added to the (not AIO) image - fix build break
- build: only include adblock when image is built with TCONFIG_HTTPS (all (or most) servers from the adblock list are now redirecting to https, so wget can't download them without OpenSSL)
- build: Makefile: WNDR3400V2/V3: change NVRAM size to 32K (issue with 5GHz WL driver and disappearing settings) - workaround for #82
- GUI: Administration: Configuration: fix date in the filename of saved config file
- GUI: Administration: NFS Server: correct link to the NFS website
- GUI: Advanced: Firewall: change link for Efficient Multicast Forwarding option
- GUI: Advanced: Tor: add daemon status, add start/stop button
- GUI: advanced-wireless.asp - make it possible to select country rev also for newer SDK5 wl driver 5.100.x and up
- GUI: advanced-wireless.asp - Set bss_maxassoc same as global max clients
- GUI: advanced-wireless.asp - adjust/improve saving country/rev selection
- GUI: Status: Logs: implement maximum filter level
- GUI: Status: Overview: clearly explain what the WL enable/disable buttons are for
- GUI: status-overview.asp - Show WL Radio Temperatures (if available) for MIPS Router (SDK5 RT-N and up)
- GUI: Tools: Wireless Survey: add a note for ARM routers, that WL survey doesn't work when WL filter is turned on in 'permit only' mode
- GUI: USB and NAS: FTP/Samba/FTPD/BT: add daemon status, add re-start button (unify to nginx/mysql page)
- GUI: VPN Tunneling: OpenVPN Client: also allow range of IP addresses as a source IP
- GUI: fix backup filename date
- adblock: convert all lists to https; additionally add Steven Black list
- apcupsd: add PCNET and SNMP support in AIO targets; allow to use custom config
- dhcpv6: Add a no release option '-n'. This prevents a release signal from being sent to the ISP causing a new PD or address to be allocated
- dhcpv6: Remove the PID file just before dhcp6c actually exits
- dhcpv6: Add a signal handler for SIGUSR1 to forcibly exit without releasing the obtained addresses
- dhcpv6: Set a DHCPv6 state keyword to an environment variable "REASON"
- dhcpv6: reload config on SIGHUP
- dropbear: add login limits
- dropbear: fix MAX_UNAUTH_CLIENTS regression - fix from the upstream
- dropbear: patches: add DEFAULT_ROOT_PATH
- httpd: misc.c: use utf8 in asp_rrule()
- IPv6: add DUID type selection (currently only DUID-LL (default) OR DUID-LLT)
- IPv6: extend GUI status page (status-overview.asp) - show DUID
- IPv6: add GUI option (basic-ipv6.asp) to start DHCP6 Client in debug mode (only for RT-N+ router)
- IPv6: add GUI option (basic-ipv6.asp) for DHCP6 client to prevent prefix/address release on exit
- IPv6: check environment variable "REASON" which is passed to the client script when receiving a REPLY message (only for DEBUG currently)
- JFFS: do not start if router model is unknown 
- others: linkagg: fix warning messages, cosmetic
- rc: serialize (re-)starts from GUI, avoid zombies
- rc: do not (re)start services during upgrade/reboot
- rc: firewall: add IPv4 IPSEC passthrough
- rc: gpio.c - extend gpio poll up to 32 pins
- rc: openvpn.c: also abort when can not create tap/tun interface
- rc: openvpn.c: fix parsing of pidof result in watchdog script
- rc: services.c: start_ntpd(): correct verbose option
- rc: services.c: start_ntpd(): run ntpd at high priority
- rc: services: move samba support to outer file
- rc: transmission: rewrite, to get rid of shell scripts
- router: httpd: wl.c - adjust and correct scan params for wireless survey (GUI: tools-survey)
- shared: wlscan.h - increase buffer for wireless survey (SDK6 and up)
- stubby: add Cisco Umbrella/OpenDNS DoT Servers to Stubby Options
- SDK5: USB AP Router: adjust loading USB driver
- SDK5: use wl driver USB AP 5.110.27.20012 (March 2018)
- wireless ethernet bridge AND media bridge mode: use dnsmasq (provide DNS service)
- Wireless Survey: rework / optimize code for wl survey (GUI: tools-survey) 
- Wireless Survey: optimize code for wl survey (GUI: tools-survey) and keep wl up while using survey tool (SDK5 RT-N and up)
- www: tomato.js: fix id in TomatoGrid.prototype.createEditor


2022.3          2022.05.12
---------------------------

- SDK6 (mips RT-AC branch): allow upgrade from AsusWRT to FreshTomato via GUI
- dnsmasq: update to 2022-03-31 (03345ec) snaphot (fix for CVE-2022-0934)
- libcurl: update to 7.83.0
- sqlite: update to 3.38.5
- ebtables: fix the 'static' build target (update from upstream)
- libsodium: update to latest 1.0.18-stable
- libnfnetlink: update to 1.0.2
- libmnl: update to 1.0.5
- wsdd2: update to 1.8.7
- libjson-c: update to 0.16-20220414
- nano: update to 6.3
- openssl-1.1: update to 1.1.1o
- tor: update to 0.4.7.7
- libcurl: update CA certificate bundle as of 2022-04-26
- build: Makefile: only build an image for RT-N18U in NOSMP version
- GUI: fix display of 'beta' tag on Advanced themes
- GUI: Administration: Admin Access: update links to TTB themes list and gallery
- GUI: Advanced: DHCP/DNS: add the choice of EDNS packet size - default: 1280, no change (resolves #214)
- GUI: Web Server: add buttons for nginx/MySQL that open their interfaces in the new tab/page
- GUI: VPN Tunneling: Tinc Daemon: fix javascript error
- GUI: VPN Tunneling: Tinc Daemon: fix version number display
- README: add info about github mirror
- httpd: cgi.c: use logmsg()
- httpd: cgi.c: improve buffer handling
- httpd: cgi.c: fix for CVE-2022-28664 (TALOS-2022-1509): FreshTomato httpd unescape memory corruption vulnerability
- mssl: disable TLS 1.0 & 1.1 support for images with OpenSSL 1.1
- rc: network.c - fix IPv6 forwarding in case of 4 LANs (resolves #216)
- watchdog: fix regex which trigger dhcpFix
- E4200v1 / Belkin F9K1102 (v1/v3): remove band selection (2,4 GHz OR 5 GHz) for second radio module at the GUI (basic-network)


2022.2          2022.04.07
---------------------------

Note: mainly bugfixes release.

- SDK5: update bcmrobo
- openvpn: update to 2.5.6
- openvpn-2.4: update to 2.4.12
- openssl-1.1: update to 1.1.1n
- sqlite: update to 3.38.2
- dropbear: update to 2022.82
- uqmi: update to 2022.03.12 (44dd095) snapshot
- libcurl: update CA certificate bundle as of 2022-03-29
- build: prevent php and miniupnpd from picking up build system libraries
- GUI: Advanced: Routing: fix adding new entries in Static Routing Table
- GUI: Advanced: Virtual Wireless: add a warning in the Notes section to not use 'virtual interfaces' on interface in Wireless Ethernet Bridge or Media Bridge modes due to possible problems
- GUI: Advanced: Virtual Wireless: also add frequency to interface drop down list when editing
- GUI: Basic: Network: fix javascript error
- GUI: Basic: Network: also set wanX_proto to 'disabled' if given WAN is (set to) inactive
- GUI: Wake on LAN/Menu: use one notation for consistency
- GUI: Web Server: MySQL Server: add daemon status, add start/stop button (unify to nginx page)s
- others: btcheck: fix regex for checking if transmission-daemon is up (it never worked...)
- others: mycheck: simplify regex for checking if mysqld is up
- others: switch4g: simplify regex for checking if uqmi is up
- others: switch4g: only use nvram commit if it's needed
- others: watchdog: simplify regex and fix how mwanroute is called (detach)
- others: watchdog: fix regex for checking if orphaned connect-on-demand listen process is up (it never worked...)
- others: watchdog: fix for LTE proto
- others: wwansignal: simplify regex for checking if uqmi is up
- patches: dropbear: removed algos/keys not supported by old openssl
- rc: nginx: align the way how it's called to other services (note: name of the service has changed from 'enginex'/'nginxfp' to 'nginx'/'nginxgui')
- rc: use nvram variables instead of globals to skip some steps during upgrade/reboot procedure; also include watchdog in that process
- rc: some fixes regarding MultiWAN + add more debug log
- rc: tinc.c: add/fix watchdog
- shared: defaults.c: initialize wanX_proto (except the 1st one) as 'disabled'
- www: tomato.js: improve error handling in displayOUI()
- Belkin F9K1102 (v1/v3): adjust LED table
- Belkin F9K1102 (v1/v3): skip enable switch leds at bcmrobo
- Belkin F9K1102 (v1/v3): restore all buttons (Reset & WPS)


2022.1          2022.03.13
---------------------------

Note: DDNS Cloudflare now is using only the new method for auth - please update your settings.
Note2: to use a new WL feature (WL roaming assistant), clean install is needed.

- kernel: USB: serial: option: add support for Novatel USB730L enterprise mode
- kernel: HID: ignore Novatel USB730L modem
- kernel: drivers: net: usb: update ipheth module
- kernel: drivers: net: usb: ipheth: fix iOS14 tethering issues
- Revert "kernel: make xt_recent built-in instead of module"
- nginx: update to 1.21.6
- tor: update to 0.4.6.10
- e2fsprogs: update to 1.46.5
- sqlite: update to 3.38.0
- miniupnpd: update to 2.3.0
- avahi: update to 0.8
- libubox: update to f2d6752 (2022-02-11) snapshot
- uqmi: update to 2022.02.02 (f254fc5) snapshot
- libcurl: update to 7.82.0
- libsodium: update to latest 1.0.18-stable
- libxml2: update to 2.9.13
- nano: update to 6.2
- xl2tpd: update to 1.3.17
- dnsmasq: update to 2022.02.25 (4732aa6) snapshot
- libcurl: update CA certificate bundle as of 2022-02-01
- build: always add libutil to the image
- build: router: Makefile: correct when installation of zlib and sqlite is needed
- build: router: Makefile: openvpn doesn't use zlib at all...
- build: router: Makefile: explicitly specify when zlib should be added to the image
- build: Makefile: add SNMP to e2500 target; rename description to 'Custom' because it isn't really 'Max' image (resolves #77)
- build: Makefile: build dnsmasq with DUMPFILE option for ARM routers
- GUI: advanced-mac.asp - fix saving default WAN mac addr (starting with FT 2021-8 / latest VLAN-fixes)
- GUI: (css): fix grayed out elements that cannot be modified
- GUI: advanced-misc.asp: add confirmation before rebooting the router
- GUI: add notes on pages where functionality is disabled when CTF/Broadcom FastNAT is turned on; also disable automagically QoS and BWL when CTF is enabled or BWL when Broadcom FastNAT is enabled; add notes that using QoS or Access Restriction disables Broadcom FastNAT module
- GUI: tools-wol.asp: fix typo
- GUI: advanced-mac.asp - align default wireless mac addr to wlconf setup AND FreshTomato initial mac setup (note: repair GUI wl mac setup --> GUI default and initial mac are the same now)
- GUI: Advanced: Firewall: fix IGMP proxy custom configuration textarea bahaviour
- GUI: Advanced: Routing: correct display of interfaces in Static Routing Table
- GUI: Admin: Debugging: improvements to the Debugging page
- GUI: status-overview - improve ethstate if WAN port is moved to primary LAN (part 2)
- GUI: Advanced: Firewall: add 'Allow DHCP responses' option; also correct name of nvram variable/value
- GUI: Advanced: Firewall: add smart MTU black hole detection and enable it by default
- GUI: VPN Tunneling: OpenVPN Server Configuration: enlarge 'Common Name' text area to 30 chars
- GUI: change the menu labels: WOL -> WoL, Trace -> Traceroute, IPerf -> iPerf
- GUI: IP Traffic: Last 24 Hours: fix initialization of 'IPs currently on graphic' dropdown list when loading the page
- GUI: admin-access.asp: add option to enable/disable the brute force mitigation rule on port defined for GUI remote access
- GUI: USB and NAS: BitTorrent Client: correct drop down list description
- GUI: Basic: Network: fix problems with Wireless Client mode (again)
- GUI: Basic: Network: hide 'Wireless Client Mode' drop down list when given WAN is disabled
- GUI: Advanced: DHCP / DNS Client: remove 'Reduce packet size' option - no more available in udhcpc from busybox
- GUI: Administration: Admin Access: correct display order of 'Allow Remote Upgrade'
- GUI: Administration: Admin Access: change regex for 'Authorized Keys' to allow also pasting keys that start, for example, with some command
- GUI: add as an Admin option: unmount JFFS automatically as part of the upgrade process
- GUI: Overview: Device List: fix some potential problems
- GUI: Basic: Network: fix more issues when switching i.e. from 2 WANs to 1 WAN
- Add ability to run custom script with start and stop of QoS: /etc/wan_qos.custom start|stop wannum
- IPv6: rc: services.c - add check for SLAAC and/or DHCPv6 before using global address and not link-local address for IPv6 DNS
- OpenVPN: do not add 'duplicate-cn' to server config automatically
- PPTP Server: bypass CTF (if enabled)
- WL: add roaming assistant (see GUI advanced-wireless.asp) as an option (note: disabled by default)
- adblock: filter also ipv6 addresses
- avahi: cleanup: ensure entries are dead for at least 1s (fix from the upstream)
- avahi: fixed dns_sd segfaults, initialization issues, and added NDEBUGs (fix from the upstream)
- avahi: use monotonic timer when possible (fix from the upstream)
- avahi: use internal type for timers (fix from the upstream)
- avahi: do not disable timeout cleanup on watch cleanup (fix from the upstream)
- getdns/stubby: rdata not correctly written for validation for certain RR types (fix from the upstream)
- httpd: openvpn.c: add "route <netaddr> <netmask>" directive to downloaded OpenVPN config file when static keys are in use (because the route cannot be pushed from the "server" when using static keys)
- httpd: check key and cert pair, if they are mismatched, regenerate key and cert
- mdu: cloudflare: use new API token instead of email/globalAPIkey for auth
- multiwan/watchdog: fix even more issues including lack of default route when all WANs are down - now in such cases, default route is added to the WAN with the heighest weight
- nginx: change default server name to 'FreshTomato'
- rc: buttons.c - increase button sample time (now 500 ms) and improve robustness
- rc: dhcpc-event: fix selection of the correct prefix for two consecutive WANs
- rc: firewall.c: check more variables before applying FW rules (in some cases, there was no firewall at all)
- snmp: add patch to change snmp interface cache timeout to 1 second for realtime monitoring
- usbmodeswitch: fix for Novatel USB730L modem
- www: tomato.js: add placeholder support for <textarea> and <input>
- Belkin F5D / F7D Series: adjust wl mac setup and wl default config to arm branch (note: erase all data in NVRAM memory (thorough) to get the new setup/config)
- Netgear R6300 V1 / WNDR4500 V1 & V2: adjust wl mac setup and wl default config to arm branch (note: erase all data in NVRAM memory (thorough) to get the new setup/config)
- DIR-865L: adjust wl mac setup and wl default config to arm branch (note: erase all data in NVRAM memory (thorough) to get the new setup/config)
- RT-N66U / RT-AC66U: adjust wl mac setup and wl default config to arm branch (note: erase all data in NVRAM memory (thorough) to get the new setup/config)


2021.8          2021.12.25
---------------------------

- kernel: fix from upstream for CVE-2019-11478 (tcp: tcp_fragment() should apply sane memory limits)
- kernel: tcp: refine memory limit test in tcp_fragment()
- kernel: [SCSI] sd: Use SCSI read/write(16) with > 32-bit LBA drives
- kernel: [SCSI] sd: revive sd_index_lock
- kernel: Validate size of EFI GUID partition entries
- kernel: netfilter: ipt_account: make allocation dynamic to save on stack usage
- tor: update to 0.4.6.8
- nano: update to 6.0
- libncurses: update to 6.3
- libsodium: update to latest version of 1.0.18-stable
- nginx: update to 1.21.4
- util-linux: update to 2.37.2
- mysql: update to 5.5.62
- libexif: update to 0.6.24
- libcurl: update to 7.80.0
- sqlite: update to 3.37.0
- openssl-1.1: update to 1.1.1m
- openvpn: update to 2.5.5
- libcurl: update CA certificate bundle as of 2021-10-26
- build: Makefile: rp-pppoe: remove debugging information, add -Wall instead
- build: Makefile: libsodium: add CFLAGS/LDFLAGS to recipe
- build: Makefile: pass EXTRACFLAGS also to openssl/mysql/php, ensure that optimization is complete
- build: libsodium: build as static library
- build: busybox: compile with CONFIG_FEATURE_WGET_LONG_OPTIONS enabled
- build: use --no-check-certificate for wget in scripts only when CA cert is not installed
- build: router: Makefile: transmission: do not try to built with libiconv
- build: router: Makefile: add appropriate flags when building packages to prevent use of incorrect or old headers/libraries (fixes #174)
- build: Makefile: F9K1102: this model only supports 100Mbps WAN/LAN, so remove bcmnat from recipe
- GUI / httpd: misc.c - speed up status-overview (part 2)
- GUI: fix the display of SMS and signal level (RSSI) in some cases
- GUI: Status: Logs: escape HTML characters in log entries (closes #72)
- GUI: Basic: DHCP Reservation: do not allow duplicate IP - causes dnsmasq fail to start
- GUI: Basic: DHCP Reservation: allow 'dot' to be used in DHCP reservation hostname - useful for setting static records for external hosts
- GUI: Advanced: DHCP/DNS: dnscrypt-proxy: add dynamically to the page drop-down list of resolvers, so it's now possible to use alternative/downloaded file (/etc/dnscrypt-resolvers-alt.csv); also add DNSSEC and NOLOGS info to the list
- GUI: Advanced: Wireless: fix default value for WMM (closes #49)
- GUI: status-overview - improve ethstate if WAN port is moved to primary LAN
- GUI: status-overview - repair/show correct wireless infos (only for some Router like R6400, DIR868L ...)
- GUI: basic-network - add more options for wireless mode (AC-Only, N/AC Mixed)
- GUI: Status: Device List: change name and title of the button for 'DHCP Reservation'
- dhcpv6: remove debug info - save some space; remove unneeded file
- dropbear: build back (again) with "Remote Forwarding" support (only for server) - closes #70
- httpd: misc.c: fix condition for recognition when the JFFS2 partition is mounted (only for RT-AC branch)
- mdu: use 'PUT' instead of 'POST' for cloudfare to update DNS record (closes #141)
- nginx: compile with ngx_http_realip_module enabled
- patches: getnds/stubby: also add tls_ca_file to yml quote check (broken in 0.4.0)
- pdureader: avoid SIGSEGV caused by improper gcom (comgt) response
- rc: pbr.c: replace depreciated gethostbyname() with getaddrinfo()
- rc: pptp_client.c: replace depreciated gethostbyname() with getaddrinfo()
- rc: do not stop ntpd on WAN stop - only stop it on stop_services()
- rc: init.c: F9K1102: improve mac address detection and some wireless stability; 5GHz so far for version 3 working, version 1 maybe good as well
- rc: mwan.c: fix multiWAN routing
- rc: network.c - repair/improve function for wireless restart/start (only)
- rc: nginx.c: fix php config file
- rc: nginx: make h5ai support optional - it breaks autoindex if enabled but not used
- rc: services.c: dnsmasq: replace Asus patched max EDNS packet size with proper config file setting
- rc: services.c: also prevent Windows' DDR (Designated Discovery of Resolver) when blocking auto DoH promotion
- rc: services.c: do not add 'trust-anchors.conf' to dnsmasq config file when built without DNSSEC
- SDK (RT-N and RT-AC): bcmrobo.c - stay closer to arm branch (only cosmetic)
- SDK6 (RT-AC): bcmrobo.c - include Jumbo Frame support
- VLAN (MIPS RT-N and RT-AC): repair vlan setup/config and adjust to FT logic (ID mapping)
- VLAN (MIPS RT-N and RT-AC): extend/fix vlan setups
- VLAN (MIPS RT-N): distinguish VLAN logic for Gigabit-Ethernet (align to arm) and Fast-Ethernet (align to RT)
- vsftpd: remove legacy capability warning (added as a patch)
- vsftpd: restore OpenSSL-1.0 support (added as a patch)


2021.7          2021.10.15
---------------------------

Note: mainly bugfixes release.

- busybox: update to 1.34.1 (add workaround for build break of 'touch' applet)
- libcurl: update CA certificate bundle as of 2021-09-30
- dnscrypt-proxy: update resolvers csv file
- build: bcmnvram.h: correct nvram_match/nvram_invmatch definition
- GUI: correct display (center) of some checkbox in tables
- GUI: Status: Overview: display 'Click to view SMS' link also for hw-ether (MIPS) module modem type
- GUI: Status: Overview: fix minor problem with reported multiWAN status
- GUI: Status: Overview: fix javascript error caused by the lack of 'wanX_ifnames' nvram values
- GUI: add blinking to Time status when it's unavailable
- httpd: openvpn.c: fix adding correct keys for client config file
- rc: dhcp.c: buffer overflow protection (snprintf) + cosmetic
- rc: dhcp.c: start_dhcpc(): use _eval() with pid to start udhcpc
- rc: firewall.c: change condition for source in 'Intercept NTP/DNS client traffic' FW rules
- rc: services.c: add 'force' to dnsmasq dhcp-option 42
- rc: service: start_ntpd(): fix start of ntpd when more arguments are given
- www: admin-config.asp: also replace '/' to '_' in filename
- www: tomato.js: fix createFieldTable() function


2021.6          2021.10.12
---------------------------

Note1: because of changes in GUI, clean your browser cache and/or use Ctrl+F5 (FF) to avoid artifacts.
Note2: because of changes in nvram variables, check your settings on 'Advanced -> DHCP/DNS -> Client (WAN)' page.

- kernel: ipv6: send NEWLINK on RA managed/otherconf changes (fix from upstream https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a394eef562d781f37a50d99cf1dfe596dc1ed96d)
- kernel: ipv6: send only one NEWLINK when RA causes changes (fix from upstream https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2053aeb69a53224717296db31b13d5b45b4f1a0e)
- openssl-1.1: update to 1.1.1l
- e2fsprogs: update to 1.46.4
- nginx: update to 1.21.3
- ntfs-3g: update to 2021.8.22
- tor: update to 0.4.6.7
- miniupnpd: update to 2.2.3
- dnsmasq: update to 2.86 
- libcurl: update to 7.79.1
- libexif: update to 0.6.23
- openvpn: update to 2.5.4
- Add Media Bridge Mode (for SDK6 and up)
- WL SDK (RT-N branch and up): turn On wl setting STBC RX 
- build: Makefile: disable BCMNAT module for dir865le target - it doesn't work anyway, for RT-AC branch
- build: Makefile: nettle: compile with --disable-fat
- build: Makefile: dnsmasq: switch to nettle for crypto backend
- build: allow to build dnssec and stubby independently
- build: remove DNSSEC for 'e', 'c', 'd', 'b' and 'm' (VPN, BTgui-VPN, Nocat-VPN, Big-VPN, Max) targets to save space because of recent changes in dnsmasq (nettle for crypto backend); on the other hand, stubby can also handle DNSSEC
- build: remove DNSSEC for 'f5d', 'f7d', 'wndr64-vpn', 'rtn53', 'e2500', 'wndr3400v2-vpn' and 'n60' targets to save space because of recent changes in dnsmasq (nettle for crypto backend); on the other hand, stubby can also handle DNSSEC
- GUI: Administration: Access: show 'Allow Remote Upgrade' regardless of 'Remote Access' state
- GUI: Status: Device List: fix javascript error in targets without network discovery helper
- GUI: Status: Overview: add missing space between unit and flash size/cpu clock
- GUI: OpenVPN Server: fix the case in which after removing the CA key in GUI, re-generating keys will use its old version from nvram
- GUI: OpenVPN Server: fix generation of the correct CA Key previously caused clients errors. In order to work properly, the key must be generated again both for the server and client(s).
- GUI: Status: Overview: fix toggle of WAN and Virtual Wireless nodes
- GUI: Improvements to Advanced MAC page
- GUI: add WiFi QR Code generator to 'z' (AIO) targets
- GUI: Admin: Logging: add minimum log level watched for syslogd
- GUI: Admin: Debugging: rename console log level into Kernel printk log level (it has better meaning); add a reboot after changing log level, since we setup klogd only at init, so it is required to reboot; add Notes
- GUI: add new, improved log viewer
- GUI: Basic: Network: fix javascript freezing when more than 1 WAN has been set
- GUI: Status: Overview: fix WL label issue on some routers
- GUI: Advanced: DHCP/DNS: move some options from Client to Server section
- GUI: Admin: Configuration: add current date to backup file
- GUI: Status: Overview: add MultiWAN Status and button to force watchdog check manually
- adblock: remove inactive list (http://www.malwaredomainlist.com/hostslist/hosts.txt)
- adblock: correct url of DOH servers list
- ebtables: libebtc: fix malloc usage (fix from upstream)
- httpd: log.c: fix a bug not showing all logs when external log is configured
- OpenVPN: Server: add generated keys for client also to .ovpn configuration file
- Revert "rc: do not restart nas services/wsdd2 on WAN up"
- rc: network.c - repair function restart_wl() and do not start radio join (again) 
- rc: services.c: start_ntpd(): eval() will wait until process quits, so use _eval() with pid; otherwise, start_ntpd() never returns
- watchdog/multiwan: fix a whole bunch of problems
- www: at.css: add icons to Connect/Disconnect buttons for Advanced themes


2021.5          2021.08.14
---------------------------

Note: because of changes in GUI, clean your browser cache and/or use Ctrl+F5 (FF) to avoid artifacts.

- Add mDNS (Avahi) support (https://github.com/lathiat/avahi)
- Wireless Client Mode: repair that operation mode for SDK6 and up (unfortunately, it doesn't work yet for RT-AC)
- openvpn: update to 2.5.3
- getdns/stubby: update to 1.7.0/0.4.0
- ntfs-3g: update to 2021.04.05 (added handling of Windows 8/Windows 10 file systems)
- tor: update to 0.4.6.6
- tinc: update to 1.1pre18
- nano: update to 5.8
- sqlite: update to 3.36.0
- pcre: update to 8.45
- nginx: update to 1.21.1
- iperf: update to 3.10
- nettle: update to 3.7.3
- libogg: update to 1.3.5
- libpng: update to 1.6.37
- libvorbis: update to 1.3.7
- e2fsprogs: update to 1.46.3
- libcurl: update to 7.78.0
- wsdd2: update to 1.8.6
- vsftpd: update to 3.0.5
- libcurl: update CA certificate bundle as of 2021-07-05
- GUI: Admin: Access: tweaks Web Admin panel, reorder (thanks @rs232)
- GUI: advanced-wireless - adjust name/label for wl country "GB" to GREAT BRITAIN
- GUI: Advanced: Miscellaneous: update note about Broadcom FastNAT checkbox
- GUI: Advanced: Virtual Wireless: add Interface status in Details table
- GUI: Basic: Network: allow 0.0.0.0 as a valid address (in special cases) for all bridges
- GUI: NAS: File Sharing: limit samba workgroup name to 15 chars
- GUI: Tools: WOL: also show in the table devices from other than primary bridge
- GUI: Status: Device List: fix some issues with disconnected WL devices
- GUI: Status: Device List: fix some issues with WDS devices
- GUI: Status: Device List: improve IPv6 support
- GUI: Status: Device List: add images to Noise Floor level
- GUI: Status: Device List: add additional confirmation when deleting lease
- GUI: Status: Device List: display Virtual Wireless Interface reference within parentheses like bridges and vlans
- GUI: Status: Overview: do not display any virtual interface linked to the chip/frequency that is disabled
- GUI: Status: Overview: add a graphic bars to CQI1 and CQI2 LTE strenght indicator
- GUI: Status: Overview: switch 'Free' to 'Used', change order
- GUI: Status: Overview: add progress bars (thanks @rs232)
- GUI: fix a bug when scaling size is less than 10KB
- Fix container build on updated Debian 10
- busybox: add CONFIG_DIFF for 'AIO' and 'Mega-VPN' targets
- httpd: buffer overflow protection (snprintf)
- httpd: make asp_lanip() multi-lan aware
- rstats: make it multiwan aware for daily/weekly/monthly history
- tinc: run firewall rules after bringing up the vpn. If adding custom routes into the firewall rules, the interface needs to pre-exist
- transmission: fix when runned without auth
- TTB: v1.02/v3.02 change default URLs and add URL redundancy/randomisation; thanks to @rs232
- rc: do not restart nas services/wsdd2 on WAN up (fixed in recent wsdd2 update)
- rc: init.c: set unique machine-id during init
- rc: mwan.c: don't log multiwan status update continually
- rc: nginx.c: add svg/svgz support
- rc: nginx.c: add h5ai support (https://larsjung.de/h5ai/)
- rc: transmission.c: TCP buffers tune, lost in one of the previous commits
- rc: services.c: add logging when starting/stopping httpd
- rc: services.c: avahi: improve generated config


2021.4          2021.06.17
---------------------------

- SDK6 MIPS (for RT-AC branch / router): fix router reboots, when connected to wifi
- nginx: update to 1.21.0
- libcurl: update to 7.77.0
- snmp: update to 5.9.1
- build: Belkin F9K1102 (v1/v3): avoid using/watching reset button (gpio 3) and use wps button (gpio 7) at tomato level for reset purpose
- QoS: fix IPP2P/Layer7/DSCP RETURN being absolutely blank in iptables
- libcurl: update CA certificate bundle as of 2021-05-25
- httpd: devlist.c: fix display of devices in wds mode
- others: mymotd: code improvements, thanks to @WildFireSG
- rc: firewall.c: fix removing ipt_web/xt_web module
- rc: restrict: disable web for ip6tables in ARM branch
- rc: init.c: clarify the supported model name as 'WRT310 v2'
- rc: services.c: fix problems with upgrade/restore defaults/etc on routers built with USBAP
- shared: id.c: fix detection of Tenda W1800R 
- www: fix problems when image is built without advanced themes


2021.3          2021.06.05
--------------------------

- kernel: squashfs: update to compile on Artix
- SDK5: align wl driver version for USB AP router (and revert back wl driver for eth1); Note: patch only for USB AP Router like f9k, rtn53, e3200, ...
- busybox: update to 1.33.1
- tor: update to 0.4.5.8
- sqlite: update to 3.35.5
- dnsmasq: update to 2021.04.10 (3573ca0) snapshot
- openvpn: update to 2.5.2
- openvpn-2.4: update to 2.4.11
- libcurl: update to 7.76.1
- nettle: update to 3.7.2
- nginx: update to 1.19.10
- tinc: update to d100eb0 (2021.04.15) snaphot
- nano: update to 5.7
- rp-pppoe: update to 3.15
- miniupnpd: update to 2.2.2
- adminer: update to 4.8.1-mysql-en
- libxml2: update to 2.9.12
- iperf2: update to 3.9
- minidlna: update to 1.3.0
- vsftpd: update to 3.0.4
- libcurl: update CA certificate bundle as of 2021-04-13
- getdns: fixes from upstream
- ebtables: fixes from upstream
- build: E4200v1: apply FT wireless default setup after nvram reset
- build: E4200v1: add ethernet LED fix (moved from arm branch)
- build: Belkin F9K1102 (v1/v3): adjust nvram size to 32K
- build: add DNSSEC to 'e', 'c', 'd', 'b' and 'm' (VPN, BTgui-VPN, Nocat-VPN, Big-VPN, Max) images, but optimize more aggressively dropbear and igmpproxy
- build: add DNSSEC to 'f5d', 'f7d', 'wndr64-vpn', 'rtn53', 'e2500', 'wndr3400v2-vpn' and 'n60' images, but optimize more aggressively dropbear and igmpproxy
- build: Makefile: tor: compile without zstd and systemd
- build: Makefile: nano: add -fsi to autoreconf
- build: Makefile: use 'printf' command instead of 'echo', fix formatting
- build: common.mak: add (export) PKG_CONFIG_DIR/PKG_CONFIG_LIBDIR/PKG_CONFIG_SYSROOT_DIR env variables
- GUI: update all icons; thanks to @rs232
- GUI improvements: add interface/bridge info to the device list page and other changes; fixes #106
- GUI: Admin: Bandwidth Monitoring: fix the availability of some forms when enabling/disabling
- GUI: Advanced: DHCP/DNS: exclude ipv6 only servers if ipv6 not enabled
- GUI: Advanced: DHCP/DNS: when built with stubby add option to choose between dnsmasq and stubby for DNSSEC validation
- GUI: Advanced: DHCP/DNS: add option to force minimum acceptable TLS version to 1.3 for Stubby (required OpenSSL >= 1.1.1)
- GUI: Advanced: DHCP/DNS: fix visibility of 'DNSSEC validation method' radio group
- GUI: Advanced: DHCP/DNS: Add option to generate a name for DHCP clients which do not otherwise have one; useful for e.g. Device List page
- GUI: Advanced: DHCP/DNS: always show the 'Prevent client auto DoH' option regardless of whether the image is built with or without Stubby
- GUI: Advanced: DHCP/DNS: make 'dnsmasq custom configuration' textarea automatically stretched vertically
- GUI: Bandwidth: Last 24 Hours: fix bridge naming
- GUI: Bandwidth: WAN Bandwidth - Daily: flip from/to dates
- GUI: Basic: DHCP Reservation: do not allow multiple hostnames for a device when only associate to a MAC address (causing dnsmasq failed to start)
- GUI: basic-ipv6.asp - hide option tun mtu for case 6RD Relay (not used)
- GUI: basic-ipv6.asp - show option tun ttl for case 6rd from DHCPv4 (Option 212)
- GUI: DHCP Reservation: allow definition of hostnames for devices without static DHCP assignment (resolves #127)
- GUI: Display NETGEAR CFE version on status page
- GUI: status-devices.asp - extend IPv6 support
- GUI: Status: Device List: add network discovery helper; thanks to @rs232 for the bash script and the idea
- GUI: Status: Overview: fix displaying of static DNS when in AP mode
- GUI: Tools: Wireless Site Survey: add/change OUI search like this one on Device List page. Also, calculate the signal quality as on that page
- GUI: Virtual Wireless: add frequency to interface drop down list
- Adblock: add DoH servers to Adblock blacklist (disabled)
- BWL: add the ability to enable/disable rule and enter the description
- BWL: fix bwlimit filter conflicts due to priority value
- busybox: build with CONFIG_FEATURE_TOP_INTERACTIVE
- dnsmasq: patches: fix patch 110 - compilation error when building an image without openssl1.1 support
- cstats: replace date check with nvram ntp check instead
- dropbear: fix start of dropbear
- flac: do not build docs, test and utility
- httpd: devlist.c: also add hostname to devlist()
- IPv6: for case DHCPv6 PD use IPv6 preferred lifetime provided by your ISP/Server for LAN0-3 (IPv6 lease time); Note: get back IPv6 connectivity faster with IPv6 addr/prefix changes. (Some ISPs provide really very low lifetimes)
- IPv6: for case DHCPv6 PD use first ethernet for DUID-LL (LLT) (and not ifb0); fixes #113; DUID used by a client or server should not change over time, therefore we use eth0 (constant) now
- IPv6: help IPv6 and advertise the link MTU in router advertisement messages
- miniupnpd: patches: remove SO_REUSEPORT option for SSDP - causing build error
- OpenVPN: Server: fix generating keys
- OpenVPN: implement kill-switch for routing policy
- pppd: make PPPoE work again and adjust the commit (applied in code) from upstream "pppd: linux: use monotonic time if possible" (but only for FreshTomato MIPS branches)
- PPPoE: Allow MTU up to 1500 for ISPs that support RFC 4638; Note: Jumbo frame needs to be enabled and supported (Gigabit-LAN) for the router. Clamping can be disabled manually via nvram value "tcp_clamp_disable"
- QoS: extend qos_irates and qos_orates nvram variables to 256 characters for multiwan images
- rstats: replace date check with nvram ntp check instead
- rstats: remove old history format
- stubby: only include IPv6 resolvers if needed
- transmission: add missing file in prepackaged source build for tr 3.00
- TTB: increase the time interval when trying to download the theme to 5 minutes when there are network problems
- vsftpd: add fix for CVE-2015-1419
- httpd: httpd.c: use logmsg(); add 'X-Frame-Options' in httpd response headers for better protection; more verbose logging; code improvements
- httpd: upgrade.c: erase flash file when it's not needed anymore to release more memory; clearly specify the directory from which the (www) files used later are copied - also in some color schemes .png files are needed; a few minor changes in .asp file
- httpd: wl.c - align country list code/way and sync mips branches to newer SDK6 arm code
- rc: introduce new functions that remove kernel modules (grouped by type), used when disabling/removing USB support or on reboot/upgrade the router
- rc: add g_upgrade global variable - used to skip several unnecessary delay and redundant steps during upgrade procedure
- rc: do not stop inactive services, also mute unwanted log messages about it
- rc: dhcpd: discard old format of dhcpd_static
- rc: dnsmasq: add the ability to forward local domain queries to upstream DNS (default disabled)
- rc: firewall: rate limit ipv6 ping when allow ping request disabled
- rc: init.c: try to write all pending modifications/cache data before reboot
- rc: init.c: give at least 30 secs instead of only 20 secs before enforcing a system reset during reboot
- rc: init.c: kill all instances of pppd/xl2tpd on reboot/halt
- rc: services.c: dnsmasq: disable negative caching
- rc: transmission.c: fix issue while stopping daemon (resolves #131)
- samba: enable pthread
- shared: id.c: cosmetic for RT-AC67U detection details/infos
- switch3g: add search for every possible visible usb device as a last resort when vendor/product is not available
- switch4g: add search for every possible visible usb device as a last resort when vendor/product is not available
- www: advanced-dhcpdns.asp: fix javascript error in case when the image is built without IPv6 support
- www: basic-static.asp: abandon the old nvram dhcpd_static format; Note: the allowed notation of the IP address also changes (one octet => full IP), ie "200" => "192.168.1.200" (to be synced with other places), so if using the old one, re-enter reservations again
- www: basic-network.asp: fix page when WL module is removed
- www: bwm.c: extend allowed size of restored cstats/rstats backup file
- www: at*.css: align "About" description to the left
- www: tomato.js: fix problems with refresh time, when using more than one refresher
- www: wireless.jsx: fix the radio frequency display (2.4 / 5GHz) for dual-band WL devices
- www: small fixes for older browsers


2021.2          2021.03.28
--------------------------

- e2fsprogs: update to 1.46.2
- nano: update to 5.6.1
- nginx: update to 1.19.7
- openssl: update to 1.1.1k
- openvpn: update to 2.5.1
- pppd: update to 2.4.8
- tor: update to 0.4.5.6
- sqlite: update to 3.34.01
- libcurl: update CA certificate bundle as of 2021-01-19
- build: Makefile: remove CIFS and NTFS from 'n60' (Tenda N60) target - image was still too big
- GUI: Admin: Logging: add 'Drop duplicates' option
- GUI: Admin: Debugging: add the ability to disable cache in the httpd daemon
- GUI: Advanced: DHCP/DNS: add warning to dnscrypt-proxy/Stubby priority option regarding possible DNS leak
- GUI: Advanced: Wireless: remove 'AP Isolation' option because it's already on 'Virtual Wireless' page (where it's also possible to use this option with virtual interfaces)
- GUI: Advanced: VLAN: improvement to the page
- GUI: Advanced: VLAN: add marking that the given WL is turned off
- GUI: Advanced: VLAN: use the same port order as on Overview page
- GUI: Advanced: VLAN: add correct port order for Linksys WRT160Nv3
- GUI: Basic: Network: disable DNS and set to Auto if dnscrypt/Stubby with No-Resolv is enabled (except for static proto); fix variable in for loop
- GUI: basic-network.asp - in case wan disabled (for ex. wireless bridge) make sure to use static dns
- GUI: Basic: Network: fix LTE/3G fields checker (this mode can only be set to one WAN)
- GUI: Basic: Network: fix problems with Wireless Client mode
- GUI: Status: Overview: correct Connect/Disconnect buttons behaviour
- GUI: Status: Overview: correctly display used DNS
- GUI: change default colours of all speed graphs to Blue & Orange
- GUI: modification to QoS and Bandwidth/IP-Traffic pages
- GUI: update signal bar and ethernet images; thanks to @rs232
- GUI: change of naming convention for WANs and LANs; also for WLs
- adblock: fix the issue when only a custom black list is added (without any URL defined), dnsmasq restarts every 5 minutes
- busybox: ntpd: fix the case where two replies received at once and first one causes a step; fix from upstream
- busybox: enable CONFIG_FEATURE_SYSLOGD_DUP
- busybox: ntpd: add -t switch to disable rfc4330 cross-check, parameters tuning
- busybox: use CLOCK_MONOTONIC instead of gettimeofday
- dhcp6c: use monotonic time if possible
- ebtables: libebtc: Open the lockfile with O_CLOEXEC; fix from upstream
- httpd: some changes to gencert.sh and httpd.c
- httpd: add IP when logging bad password attempt; fix incorrect sizeof() in strlcpy() (line 820+)
- openvpn: vpnrouting.sh: fix removal of firewall rules
- pppd: use monotonic time if possible
- rp-pppoe: use monotonic time if possible, added as a patch
- rc: openvpn.c: don't allow duplicate-cn while in non-exclusive config-dir mode
- rc: openvpn.c: only add 'username-as-common-name' to server config if user/pass auth only is checked
- rc: further tweaks to ntpd handling on wanup
- rc: services.c: also restart httpd on ntp sync
- rc: adjust new ntpd handling for case wan disabled (time was not working after boot up; bridge mode and AP only)
- stubby: update resolvers file
- stubby: add location of alternative configuration file (/etc/stubby/stubby.alt) to bypass stubby UI configuration; fixes #108
- tomatoanon: fix script
- watchdog: fix problems with DHCP on multiwan
- watchdog: also use temporary added route for WAN check in case of failover
- www: advanced-dhcpdns.asp: fix javascript error on images without OpenVPN
- www: .asp: fix potential problem with _service input field
- www: basic-time.asp: fix potential problem with _service input field; display Router Time (almost) in real time
- www: add Status_Router.asp with current IP (only WAN) for ddclient; use '-use=linksys-wrt854g' as a supported router (https://sourceforge.net/p/ddclient/git/ci/master/tree/ddclient)
- www: always use advanced-vlan.asp as a link to Advanced -> VLAN page
- IPv6: adjust linux setup and make it more stable
- wndr3400v2 (and wndr3400v3) : rework button and led setup (v2)
- wndr3400v2 / wndr3400v3: turn LED_AOSS (WPS LED) back ON if used for feedback (WPS Button); Check Startup LED setting (bit 2 used for LED_AOSS)


2021.1          2021.02.20
--------------------------

- kernel/iptables/toolchain: support --set-mark mark[/mask] on MIPS routers
- kernel RTAC/toolchain: support --set-mark mark[/mask] on MIPS routers
- kernel/others: include bonding module and link aggregation script in 'o' and 'z' (Mega-VPN, AIO) images
- busybox: update to 1.32.1
- nano: update to 5.5
- igmpproxy: update to 0.3
- nettle: update to 3.7
- nginx: update to 1.19.6
- miniupnpd: update to 2.2.1
- dnsmasq: update to 2.84
- tor: update to 0.4.4.7
- adminer: update to 4.8.0
- e2fsprogs: update to 1.46.1
- build: docker: add docker image for building
- build: fix compilation with NO_FTP symbol
- build: Makefile: remove KEYGEN (TLS keys generator in GUI for VPN Server) for target b, e, c and d (Big-VPN, VPN, BTgui-VPN and Nocat-VPN) to save some space
- build: Makefile: changes to RT-N targets; Tenda N60: (-) KEYGEN, NOCAT; Tenda N6: (-) KEYGEN; Belkin F5D: (-) MEDIA SERVER; (+) STUBBY; Belkin F7D: (-) MEDIA SERVER; (+) PPTPD, STUBBY; Belkin F9K: (-) KEYGEN
- build: Makefile: tor: add option OPENSSL_NO_ENGINE when needed
- Update GUI optimization tools
- GUI: move stubby, dnscrypt-proxy and some other options to Advanced -> DHCP/DNS
- GUI: use Advanced/VLAN instead of Basic/Network for WAN bridging; - the old method only caused bugs in the GUI and confusion
- GUI: Status: Overview: corrections and fixes; - display more info in real-time; - in case of Wireless Client mode, stick to Signal Quality (like on Device List page), not SNR (signal value to the noise value)
- GUI: change default colours of speed graphs to Blue & Orange
- GUI: Bandwidth & IP Traffic - make it possible to show (save) values up to 500 Mbit/s (for last 24 hours, Daily, ...)
- GUI: advanced-dhcpdns.asp - add Fast RA mode option
- GUI: Web Server: Nginx & PHP: use ajax to Start/Stop button
- GUI: Status: Overview: use ajax for all buttons
- GUI: Admin Access: use ajax for Start/Stop sshd and telnetd buttons
- GUI: Advanced: Firewall: add the ability to configure udpxy upstream interface
- GUI: USB and NAS: Media Server: use ajax for all buttons
- GUI: VPN Tunneling: Tinc: use ajax for all buttons
- GUI: VPN Tunneling: PPTP Client: use ajax for Start/Stop button
- GUI: Port Forwarding: UPnP/NAT-PMP: use ajax for all buttons
- GUI: VPN Tunneling: OpenVPN Client: use ajax for all buttons; also refresh status tile automatically
- GUI: VPN Tunneling: OpenVPN Server: use ajax for all buttons; also refresh status tile automatically
- GUI: Tunneling: OpenVPN Server: allow empty string as a static key in case it's located elsewhere
- GUI: Tunneling: OpenVPN Server: add auth file (if needed) for generated client configuration; fix client number in generated certificate; some code improvements
- GUI: remove unneeded footer messages when using Start/Stop/etc. buttons
- DDNS: add Duck DNS support
- Major QoS improvements. Harmonize all uses of firewall marks between VPN, wan PBR, BWLimit and QoS
- miniupnpd: only build miniupnpd exe; also build with HAVE_IP_MREQN
- multiwan: reduce and flush the route cache to ensure a more synchronous load-balancing across multiwan
- multiwan: also allow to init state file with value "1" instead of "0" - it could speed up connection process in some cases
- multiwan: improvements for GUI and connection time; - show real WAN status on Status->Overview page; - time needed to connect WANs (traffic) has been reduced twice
- busybox: enable CONFIG_FEATURE_SWAPONOFF_LABEL
- iproute2: tc: add mask support
- openvpn: masquerade all client outbound traffic regardless of source subnet
- openvpn: ignore unsupported ipv6 push configurations for ovpn client
- QoS: re-enable View Details without having to enable QoS itself; - it works actually only on MIPS routers; - in ARM: TBD (now need to enable/disable QoS for it to work)
- SNMP: tune recipe: add 2 more modules, set default snmp level to 2, set enable-mfd-rewrites
- stubby: add full GUI support; based on @RMerlin work (thanks!)
- stubby: tweak config: tls_query_padding_blocksize and idle_timeout
- rc: log when calling a nonexistent service
- rc: add logger to QoS and BW Limiter
- rc: restart nas services/wsdd2 on WAN up; - temp workaround for issue with wsdd2
- rc: bwlimit.c: add start/stop options and in only one exe file (like in QoS)
- rc: firewall.c: tune some params in NAT performance tweaks
- rc: interface.c: add possibility to set mtu in _ifconfig()
- rc: misc.c - adjust killall_tk_period_wait() (100 ms instead of 1 sec)
- rc: network.c: adjust and update host DHCP relay code (sync with ARM)
- rc: openvpn.c: enable multihome for UDP servers when in multiwan mode (required as the router has multiple interfaces and we don't bind to a specific one)
- rc: openvpn.c: fix firewall rules for ovpn server when [udp/tcp]4/6 is selected
- rc: openvpn.c: another attempt to obtain an automatic restart after the client/server dies
- rc: services.c: name of the service could be "jffs" or "jffs2"
- rc: wan.c: do not send user/password when empty in PPP3G proto
- IPv6: rc: services.c - use global address and not link-local address for DNS 
- rc: do not restart WAN for changes on BW Limiter page when nocat is disabled
- rc: remove redundant parameter from start_wan() and start_wan_if() functions
- rc/shared: move killall_tk_period_wait() and kill_pidfile_s() to libshared
- www: Makefile: disable html-minifier for asp files, because the html code is currently optimized and using minifier only unnecessarily increases build time without noticeably reducing the size of (some) files
- www: advanced-dhcpdns.asp: fix javascript error in VPN builds
- www: advanced-dhcpdns.asp: fix javascript error if image built without dnscrypt-proxy
- www: restrict-edit.asp: change wait time to 3 secs; cosmetic
- www: tomato.js: fix wrongly treated input delay value in TomatoRefresh.initPage
- www: qos-settings.asp: restart BW Limiter automatically when disabling QoS, also show/hide notice when needed


2020.8          2020.12.19
--------------------------

- kernel: net_sched: fix datalen for ematch
- openvpn: update to 2.5.0
- openvpn-2.4: update to 2.4.10
- nano: update to 5.4
- nginx: update to 1.19.5
- dropbear: update to 2020.81
- xl2tpd: update to 1.3.16 
- busybox: update to 1.31.1
- tor: update to 0.4.4.6
- SNMP: update to 5.9; clean sources, add patches instead 
- igmpproxy: update to 78eda58 (2020-09-05) snapshot; reduce size for the smallest targets
- udpxy: update to 1.0-25.1
- miniupnpd: update to 2.2.0
- adminer: update to 4.7.8
- gmp: update to 6.2.1
- openssl-1.1: update to 1.1.1i
- sqlite: update to 3.34.0
- uqmi: update to 2020.11.22 (0a19b5b) snapshot
- wsdd2: update to 2020.11.19 (e0cf50d) snapshot
- libcurl: update CA certificate bundle as of 2020-10-14
- build: add D-Link DIR-865L support
- build: harmonize BW Limiter filenames, service name, variables names, etc., also in NVRAM; it was a real mess...; Note: those using BW Limiter must either manually rename the variables in NVRAM or enter the values from scratch
- build: don't include USB pages and other stuff on routers with wl_high module but without USB support
- build: fix rp-pppoe recipe - patches were not applied
- build: kernel: add comment and statistic netfilter for iptables (Mega-VPN and AIO targets)
- build: reduce size for pppd/dnsmasq only for smallest targets
- build: changes in patch_files macro
- build: librt is required on every target with USB support (for e2fsprogs)
- IPv6: extend GUI status page (status-overview.asp) - show IPv6 WAN DNS addresses
- IPv6: send ICMPv6 RSes only when RAs are accepted; see https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v3.19&id=026359bc6eddfdc2d2e684bf0b51691649b90f33
- IPv6: unify logic evaluating inet6_dev's accept_ra property; see https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v3.19&id=aeaf6e9d2f49d793d3eb8c1af4095cf25e061b94
- IPv6: make 'addrconf_rs_timer' send Router Solicitations (and re-arm itself) if Router Advertisements are accepted; see https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v3.19&id=9ba2add3cf5c103b7236f82a023c8ee05a51e4d1
- IPv6: split IPv6 / IPv4 up and down logic (they work independent of each other now)
- GUI: openvpn: remove option to enable/disable NCP (deprecated)
- GUI: openvpn: make Data Ciphers (ncp-ciphers) editable
- GUI: openvpn: only use the old --cipher setting in static key mode
- GUI: openvpn: add stub/stub-v2 compression support to OpenVPN client 
- GUI: openvpn: implement tls-crypt-v2 support
- GUI: openvpn server: fix bug with generating client configuration in 'secret' mode
- GUI: openvpn server: implement 'Serial number' for generated client configuration in 'tls' mode
- GUI: openvpn server: implement CRL file
- GUI: openvpn client: distinguish between remote-cert-tls and verify-x509-name options
- GUI: advanced-wlanvifs.asp - add AP Isolation setting also for VIFs
- GUI: Admin: Debugging: add Clear Cache link (removes all Storage Object item for domain/IP address)
- GUI: also add localStorage.clear() on admin-upgrade and admin-access pages
- GUI: basic-network.asp - repair scan button function and provide control channel at wireless survey
- GUI: improvement to shutdown() - added 2nd pop-up with confirmation
- GUI: Advanced: DHCP/DNS: extend allowed dnsmasq custom configuration text area to 4096 characters
- GUI: MultiWAN Routing: extend Domain field to 70 characters
- GUI: QoS Graphs: fix displaying correct number of connections for the lowest priority class in BW Distribution
- GUI: tinc: properly format the display of information on the Status page
- GUI: Admin: Debugging: add possibility to enable segfault logging to syslog
- GUI: Advanced: Firewall: simplify the part with WAN behavior for ping and traceroute
- GUI: advanced-wireless - restrict tx power range (for very low values); Via GUI we allow a tx power range in mW from 5 to 1000 or default value 0 (-1 will be used for the wl driver) --> AVOID 1-4 mW area; see latest findings https://www.linksysinfo.org/index.php?threads/tenda-ac15-ac1900-tomato-firmware-support.71709/page-14#post-321389
- adblock: update blacklist URLs
- busybox: add (conditionally, only for AIO and Mega-VPN targets) time and getopt applets
- dropbear: use common random source for ltm
- dropbear: libtommath: enable fixed cutoffs as size-optimization
- ebtables: reduce size (except for Mega-VPN and AIO targets)
- ffmpeg/minidlna: do not reduce size for Mega-VPN and AIO targets
- firewall: RT and RT-N branches (MIPS) do not load ipt_REDIRECT automagically
- firewall: adjust limit connection attempts (ssh/telnet) for IPv6 (and align to IPv4 --> remove incoming device, apply to all)
- dnsmasq: suppress more unwanted errors/warning about ipset
- dnsmasq: add default edns_pktsz
- firewall: allow incoming IPv6 from br0 to br3 (and align also to IPv4)
- getdns: listeners reply returned wireformat (fix from upstream, issue #430)
- ipset: reduce size
- ipset: do not reduce size for Mega-VPN and AIO targets
- iptables: update reduce size patch
- MOTD: only display Wireless info if that radio is enabled
- MOTD: fix motd and remove ethstate leftovers
- multiwan: in case of multiwan, don't set default gateway route. mwanroute script will handle this
- multiwan: mwan_load_balance: if connection is down, clear old mwan state
- multiwan: make watchdog less destructive to the routing table (only modify route of test hosts); change default checker to curl
- watchdog: new method of checking without breaking existing connections to the check hosts
- watchdog: fix incorrect ISPPPD check and condition
- ntp: implement ntp server properly
- openvpn: switch to the subnet topology, instead of the deprecated net30 topology; Ref: https://community.openvpn.net/openvpn/wiki/Topology#Topologysubnet
- openvpn: ensure DHCP doesn't override our default route (fixes TAP+DHCP)
- openvpn: hide build date
- openvpn: add 'mode p2p' option to generated client config if auth mode is static
- openvpn: fix some OpenVPN issues in the smallest image (MiniVPN - j)
- openvpn-2.4: reduce size (disable des)
- openssl: conf: add extendedKeyUsage also to usr_cert section
- patches: dropbear: add forgotten LOCAL_IDENT to override orig ident
- pppd: fix/correction for commit IPv6: split IPv6 / IPv4 up and down logic (see https://bitbucket.org/pedro311/freshtomato-arm/commits/d365748b8f458a196a6351849f0aa985263bd1b0); fix for: PPTP Server and Client not working anymore
- pppd: add two patches from openwrt: retain foreign default routes on Linux, remove runtime kernel checks
- vpnrouting: do not add local routes if in PBR strict mode; also use 'via $route_vpn_gateway' if available
- vsftpd: add native support for basic ftp_tls using router httpd cert/key
- httpd: openvpn.c: fix generation of client configuration file for user&pass/user&pass only Auth
- httpd: fix problems with server.pem key when using HTTPS
- httpd: use UTF-8 decoding for SSIDs
- www: fix escapeCGI to properly encode unicode
- defaults.c : disable IP Traffic (cstats) Monitoring feature by default and save cpu workload; In additon disabling cstats avoids the waring/note at basic-network.asp that netmask should have at least 22 bits (255.255.252.0); fix issue #72
- rc: firewall.c: use REDIRECT target instead of DNAT to intercept dns traffic, as it's more efficient
- rc: firewall.c: raise a little allowed hit count in BF protection for remote GUI access (part 2 for IPv6)
- rc: firewall.c: only intercept udp requests to port 123, ntpd does not listen to tcp
- rc: firewall.c: be more restrictive, only allow ICMP messages we need
- rc: openvpn.c: add keepalive to client config
- rc: openvpn.c: client: fix ineffective "route" directives when PBR active; discussion: https://www.linksysinfo.org/index.php?threads/openvpn-client-bug-flaw-ineffective-route-directives-when-pbr-active.75941/
- rc: ppp.c: - set nvram "wan_iface" also in case IPv6 link up (function ip6up_main()); fix for: ipup_main() not yet (or later) called --> nvram variable "wan_iface" needed for function start_dhcp6c()
- rc: vsftpd: disable (broken) process isolation under MIPS
- rc: services: adjust function start_dnsmasq() and check wireless bridge after stop_dnsmasq(); fix for: in wireless ethernet bridge mode, router time not working anymore
- rc: wan.c - adjust function config_pppd() and start/add IPv6 only for "wan" (no IPv6 multiwan support)
- shared: defaults: change wifi rxchain powersave mode; turn it off by default now; Note: this can/could help some netgear router user


2020.7          2020.10.01
--------------------------

Note: fix the critical bug for RT-AC branch (when using webmonitor) with iptables not working, therefore no firewall. This release only includes images for RT-AC branch.

- openssl: update to 1.1.1h
- iptables: patches: fix commit eeb9ed2 for iptables regarding webmon for RT-AC branch (add forgotten #ifdef for include)
- openvpn: extend data-cipher length as per the ovpn documentation
- www: vpn-tinc.asp: fix typo


2020.6          2020.09.25
--------------------------

- kernel: make xt_recent built-in instead of module
- busybox: clean sources of 1.25.1, add patches instead
- dnsmasq: update to 2.82
- libcurl: update to 7.72.0
- libjson: udpdate to 0.15 (20200726)
- nano: update to 5.2
- nginx: update to 1.19.2
- sqlite: update to 3.33.0
- openvpn: update to 2.5_rc1
- transmission: update to 3.00
- tor: update to 0.4.4.5
- iptables: clean sources of 1.3.8, add patches instead
- libcurl: update CA certificate bundle as of 2020-07-22
- OpenVPN: use the iproute2 ip tool instead of ifconfig
- system: add option to adjust tcp/udp buffers and thresholds
- build: update logic how to apply patches
- build: rom: use a local copy of ca-certificates file when unable to download
- build RT-AC: optimize size for 'e' target (VPN)
- build: nfs-utils: tune recipe; don't build mount.nfs
- build: re-add OpenVPN 2.4 only for 'j' target because of size
- make: build the modules needed by apcupsd standalone - the way it is done so far only (unnecessarily) increases the kernel size, and we don't need amazing performance here and I bet 95% of users don't use it
- make: re-add Netgear WNDR4000
- router: fix build of libFLAC in some cases
- remove libuuid checking in miniupnpd build
- fix building router/conf on GCC 10 compiler on host
- MULTIWAN: rc: dhcp.c: call function mwan_table_del(prefix) for dual WAN and multi WAN setups
- MULTIWAN: rc: dhcp.c: call function mwan_load_balance() for dual WAN and multi WAN setups
- IPv6: adjust start and stop logic
- GUI: Status: Device List: also deauthenticate device when deleting DHCP lease
- GUI: keep wireless noise floor value(s) current on device list page
- GUI: advanced-wireless.asp: reboot the router if the user wants to change the wireless country
- GUI: Device List: better match the pictures to the signal level
- GUI SDK6 / RT-AC branch: advanced-wireless.asp: make it possible to select country rev; when changing country settings for the wireless driver, also change bootloader default values
- GUI: advanced-wireless.asp - hide option Bluetooth Coexistence for 5 GHz wireless interfaces
- GUI: include AdvancedTomato font into the css stylesheet
- iptables: fix save formatting for libipt_webst, libipt_account, ROUTE target, TRIGGER target
- iptables: fix list formatting for ROUTE target
- iptables: fix match for ipt_account
- dnsmasq: suppress unwanted errors in log caused by adding already existing rule to ipset
- httpd: update the way how failed GUI login attempts are added to log
- patches: iptables: remove unneeded files; fix filenames; cosmetics
- implement option to prevent Firefox's automatic usage of DoH
- DNS: Fix the bug even when WAN DNS server is set to Auto, still using what was previously entered in the Manual DNS field
- rc: dnsmasq: reject wpad hostname (protect against VU#598349)
- rc: firewall.c: raise a little allowed hit count in BF protection for remote GUI access
- rc: fix segfault in dhcpc-release and dhcpc-renew when run without arguments
- rc: init.c: revert commit to force EU country for all RT-AC66U/R router
- rc: mwan.c: adjust function mwan_table_del() and remove only active and valid DNS
- rc: network.c: do not unload the wifi driver by default
- nvram: defaults.c: don't prioritize AES-256 over AES-128 (no AES acceleration)
- nvram: defaults.c: adjust redial period to 20 seconds
- openvpn: try to use CHACHA20-POLY1305 (if supported by the remote end) on routers without AES acceleration
- openvpn: disable compression by default
- openvpn: update config file generation for OpenVPN 2.5
- rc: wan.c: do not restart wireless at function start_wan()
- rom: Makefile: fix downloading dnscrypt-proxy resolvers file
- www: tomato.js: add SameSite=Lax also when deleting cookies
- fix Netgear WNDR3700v3 Vlan port order and hide "VID Offset" for RT-N/RT-AC Routers
- change Netgear Model Detection for WNDR3400/v2/v3 and WNDR3700v3/4000
- fix Netgear WNDR3700v3/4000 Ethernet Port State
- fix Netgear WNDR3700v3/4000 LED "fileExtGPIOstatus" logic
- Asus RT-AC66U/R: set/adjust country code and rev for US router to enable 80 MHz channels (with fresh/default setup)


2020.5          2020.07.17
--------------------------

Note: mainly bugfixes (see *)

- (*) kernel: fix access to unitialized pointer (ported from DD-WRT, Broadcom bug)
- (*) kernel: patch kernel against CVE-2016-5195
- (*) kernel: fix reuse-after-free in DCCP
- kernel: r2q change message from priority WARNING to priority DEBUG
- build: tune compiler for mips32r2 (see performance comparison: https://bitbucket.org/pedro311/freshtomato-mips/commits/8ec693519c077d2e88ca09a24ae397525302d9e5)
- (*) firewall: fix commit 9f50277 (brute force mitigation rule on port defined for GUI remote access) - increase hitcount / lower period of time (hardcoded)
- libevent: update to 2.1.12-stable; tune recipe to solve configure errors (unable to find openssl/zlib)
- tor: update to 0.4.3.6
- libcurl: update to 7.71.1
- httpd: add to log failed GUI login attempts
- www: tomato.js: add SameSite=Lax when creating cookies
- (*) www: clearcookies.asp: remove the comment left when debugging
- (*) rc: network.c: do not unload (reload) RT-N (5.110.x) wifi driver for WNDR3400v1/WNDR3700v3 (similar case like E3000)


2020.4          2020.07.10
--------------------------

- Add Asus RT-N12 HP support
- adminer: update to 4.7.7
- libyaml: update to 0.2.5
- tor: update to 0.4.3.5
- libcurl: update to 7.71.0
- e2fsprogs: update to 1.45.6
- nettle: update to 3.6
- libexif: update to 0.6.22
- nano: update to 4.9.3
- nginx: update to 1.19.0
- sqlite: update to 3.32.3
- rp-pppoe: update to 3.14
- libevent: update to 2.1.11-stable + libs optimization
- dropbear: update to 2020.80; remove patch 102-fix-cbc_mode-cant-be-fully-disabled - already in upstream
- libnfsidmap: update to 0.27
- libjson-c: update to 1c6086a (2020.05.31) snapshot
- portmap: update to 4836a4a (2014-06-23) snapshot; remove unneeded patch - already in upstream
- accel-pptp: clean sources of 0.8.5 add patches instead
- build: openssl-1.1: for AIO targets optimize for speed
- build: enable PPTP/L2TP for Netgear WNDR 3400/3400v2/3400v3/3700v3 VPN (wndr64-vpn/wndr3400v2-vpn) targets
- build: enable PPTPD for Netgear WNDR 3400/3400v2/3400v3/3700v3 VPN (wndr64-vpn/wndr3400v2-vpn) targets
- build: enable JFFS for Netgear WNDR 3400/3400v2/3400v3/3700v3 MiniIPv6 (wndr64/wndr3400v2) targets
- switch4g: fix modem reset, it works at last
- SNMP: add device name and FW version to nsExtendOutput table
- MDU: send User-Agent also in case of Custom url
- samba: add protocol selection options (SMBv1, SMBv2, SMBv1 + SMBv2); make SMBv2 + SMBv1 the default (no change)
- samba: configuration tune up: at last with disabled 'sendfile' on RT-N66U increased (read) speed-up from 9,5MB/s to 13,2MB/s (with only SMBv1 enabled, even 14,4MB/s)
- httpd: limit SSL certificate to 13 months if clock has been set; new Apple initiative to force removal of possibly compromised certs 
- firewall: openvpn: fix duplicate openvpn rules on wan/openvpn restart
- firewall: retry failed iptables-restore in a few secs
- firewall: add a brute force mitigation rule on port defined for GUI remote access
- openvpn: fix multiple issues in stopping vpn services
- openvpn: set up firewall in correct order - before starting openvpn but after stopping it
- openvpn: shutdown all running servers/clients on wan stop and remove tunnel modules
- openvpn: completely remove logging for the smallest targets to save some space
- openvpn: ensure duplicate-cn is set as default if not specified
- openvpn: no longer dump stats to system log
- dropbear: change allowed encryption algo to AES128 only (for small targets only)
- dropbear: strip version from ident
- GUI: Admin Access: SSH Daemon: add ed25519/ecdsa to the allowed authentication keys; also fix the regexp to check the entire field, not just the first line
- GUI: Administration: Upgrade: fix missing css when loading reboot.asp
- GUI: Admin Restrictions: change permitted value for Limit Connections Attempts
- GUI: advanced-wireless.asp - adjust note/comment for transmit power option
- GUI: basic-network.asp - hide and disable wan options/settings if the user selects/enables wireless bridge mode
- Makefile: e2500: because of the size, build with the KERN_SIZE_OPT flag
- router: Makefile: snmp: tune recipe; add only needed mibs; enable logging (/var/log/snmpd.log)
- router: rc: network.c: do not unload (reload) RT-N (5.110.x) wifi driver for Linksys E3000; note: this is a workaround (only needed for E3000), to avoid a reboot after saving basic settings for example. (No change for all other routers)
- router: shared: update ifaddrs.c
- router: www: advanced-routing.asp: remove Mode option - it has "undocumented" secondary effects
- rom: simplify ca-bundle update


2020.3          2020.05.10
--------------------------

TL;DR:
- OpenSSL 1.1.x now in: (no USB) Max, and all images with USB support, except: WNDR3400/3700v3 MiniIPv6 and Netgear WNDR3400v2/v3 MiniIPv6
- AdvancedTomato-like themes now in: (no USB) Max, Linksys E1000v2-v2.1/Cisco M10v2 Mini, Linksys E1000v2-v2.1/Cisco M10v2 MiniIPv6, Linksys E1200v1 Mini, Linksys E1200v1 MiniIPv6, and all images with USB support
- NEW: built-in wsdd2 (on targets with Samba). wsdd2 is a small daemon that can service WSD/LLMNR queries. It allows the router to be visible in Windows's Network list without requiring SMB1 support

- kernel: squashfs: update to compile on Debian 10.x
- add wsdd2. wsdd2 is a small daemon that can service WSD/LLMNR queries. It allows the router to be visible in Windows's Network list without requiring SMB1 support
- openssl-1.1: update to 1.1.1g
- miniupnpd: update to 2.1.20200329
- adminer: update to 4.7.6
- dnsmasq: update to 2.81
- tor: update to 0.4.2.7
- nano: update to 4.9
- libcurl: update to 7.69.1
- nginx: update to 1.17.10
- nano: update to 4.9.2
- libyaml: update to 0.2.3
- iperf: update to 3.7
- openvpn: update to 2.4.9
- libncurses: update to 6.2
- libjson-c: update to 0.14 (2020.04.19); due to autoconf support removed for CMake, Makefile recipes have been updated
- dropbear: update to 90cfbe1 (2020.03.27) snapshot
- dnsmasq: remove 19036 trust anchor, now expired
- miniupnpd: revert previous upstream changes that prevented the use of a private IP on the WAN interface
- libcurl: smtp: set auth correctly
- adblock: switch URL for Windows 10 blacklist
- adblock: a few changes so that it doesn’t start simultaneously; correction in the blacklist address
- Revert "busybox: wget: openssl11: fix ssl when built with OpenSSL-1.1.x" No more needed - we have symlink to openssl11 now
- Allow a custom autorefresh status script for each wan and output its HTML in the overview page for USB targets
- Add xterm-256color terminal This solves a problem with message “Error opening terminal: xterm-256color” when user tries to run nano on some platforms
- dropbear: build with SFTPSERVER support, except for MiniVPN/MiniVPN2 (j/j2) targets
- dropbear: disable 3DES and CBC, except for MiniVPN/MiniVPN2 (j/j2) targets
- dropbear: Fix CBC_MODE can't be fully disabled
- dropbear: disable ED25519 on small targets to save space
- MDU: update for Cloudflare DDNS, fixes #30
- Use strip instead of gcc to determine toolchain path to allow using ccache
- GUI: Administration: BWM/IPT: fix html (inability to backup stats)
- GUI: Admin Access: restart sshd if password is changed (otherwise, the old will be used until reboot)
- GUI: Admin: JFFS: add more info about possible errors, fix minor html problems
- GUI: Tools: IPerf: two modifications move initialization to earlyInit() to avoid flickering when loading the page enable background images for 'Start/Stop test' button 
- GUI: OpenVPN Client: also 'Policy Routing (strict)' should be impossible to select if interface is TAP
- build: apcupsd: omit check for shutdown file; needed if compiled with ccache
- build: add JFFS support on BRCM Nand Flash Partition
- build: fix accidental compilation of all images (even large ones) with the “light” openssl11 option; fixes #23
- build: remove mediaserver on 'e', 'c', 'd', 'g', 'u', 'b' and 't' targets - it's not needed, we have Samba here; besides, more space is needed
- build: always add cacert.pem when built with Stubby, fixes #26
- build: don't use size optimization only for 'z' (AIO) and 'o' (Mega-VPN), but also for 'e' (VPN), 'c' (BTGui-VPN), 'd' (Nocat-VPN), 'k' (Nocat-MiniVPN), 'g' (Tor-VPN), 'u' (BT), 't' (BT-VPN), 'a' (MiniVPN), 'b' (Big-VPN) and 'm' (Max) targets
- build: openssl11: enable OpenSSL 1.1.x on all targets with USB support
- build: enable KEYGEN (TLS keys generator in GUI for VPN Server) on all targets with USB support; it also means that they will be built with full openssl11
- build: enable AdvancedTomato-like themes on all targets with USB support
- build: remove Captive Portal (nocatsplash) on 'b' (Big-VPN) target - more space needed
- build: remove unused 'g' (Tor-VPN) target and derivatives
- build: remove 'k' (Nocat-MiniVPN) target, it's identical to 'd' (Nocat-VPN)
- build: remove 'a' (MiniVPN) target, it's identical to 'c' (BTgui-VPN)
- build: disable KEYGEN on 't' (BT-VPN) target, because of size
- build: add MEDIASRV to large targets using the 'e' recipe, from where it was removed. Delete OPENSSL11, ADVTHEMES and KEYGEN - they were added to 'e'
- build: add KERN_SIZE_OPT to 'j' and 'j2' targets
- build: add OPTIMIZE_SIZE_MORE and KERN_SIZE_OPT_MORE flags to 'f' and 'v' targets
- build: add OPENSSL11 flag to 'rtn53' target, and remove SNMP
- build: add OPENSSL11 flag to 'e2500' target, and remove SNMP
- build: add OPENSSL11 flag to 'n6' target
- build: add KERN_SIZE_OPT to 'm' (Max) targets
- build: disable KEYGEN on 'n60e', 'n60c', 'n60b', 'n60d', 'n60o' (Linksys E-series) targets with USB support, because of size
- build: enable AdvancedTomato-like themes on 'n6' (Tenda N6), 'wndr3400v2' (Netgear WNDR3400v2/v3 MiniIPv6), 'e2500' (Linksys E2500 Max), 'rtn53' (Asus RT-N53) and 'wndr64' (Netgear WNDR3400/3700v3 MiniIPv6) targets
- build: enable AdvancedTomato-like themes on 'e1000v2' (Linksys E1000v2), 'e1200v1' (Linksys E1200v1) and 'f5d' (Belkin F5D8235v3) targets
- build: config.c: remove KEYGEN dependence on OPENVPN (TLS keys generator in GUI for VPN Server)
- build: add HFS to 'o' (Mega-VPN) target
- build: remove mistakenly added NO_KEYGEN flags in commit 55380e4 to 'n60o' (E-Series Mega-VPN) target
- build: add KERN_SIZE_OPT to 'n60e' (E-Series VPN), 'n60c' (E-Series BTgui-VPN), 'n60u' (E-Series BT), 'n60t' (E-Series BT-VPN), 'n60b' (E-Series Big-VPN) and 'n60d' (E-Series Nocat-VPN)
- build: disable KEYGEN on 'n64m' (64KB E-Series Max) target; remove unused 64KB targets
- build: disable KEYGEN on 'n60m' (60KB E-Series Max) target
- build: iproute2: in case of size optimization needed for smallest targets, skip the 'ipmonitor', 'xfrm' and 'help' utilities only (besides not showing warnings/errors as it used to be)
- Makefile: build Belkin F7D (f7d) with OpenVPN
- router: Makefile: avoid building libcurl more than once
- router: Makefile: avoid building nettle (and gmp) if not needed
- router: Makefile: tune to work on Debian 10.x as a host
- router: Makefile: add -fPIC where needed also as CFLAGS
- router: httpd: bwm.c: extend allowed IPT backup size
- router: httpd: openvpn.c: generating a CSR request does not require the -days parameter
- router: others: tomatoanon: change URL for version checker to freshtomato.org; cosmetics
- router: rc: jffs2: mtd_erase() should return 0 on success for its MIPS version, to be identical to the ARM version
- router: rc: mtd.c: fix JFFS2 formatting for non RT-AC
- router: www: vpn-pptp.asp: fix typo (in commit 8a36d5e) causing JS error


2020.2          2020.03.20
--------------------------

Note: Because of changes in GUI it is recommended to clear the browser cache, or use Ctrl+F5

- Add / Extend Asus RT-N12 A1/B1/C1/D1/VP support (v1.0)
- Add Asus RT-N12K support (almost the same like D1 Version)
- kernel: tcp: avoid infinite loop in tcp_splice_read() Splicing from TCP socket is vulnerable when a packet with URG flag is received and stored into receive queue
- kernel: net: don't call strlen() on the user buffer in packet_bind_spkt() KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of uninitialized memory in packet_bind_spkt()
- kernel: ipv6: do not increment mac header when it’s unset Otherwise we’ll overflow the integer. This occurs when layer 3 tunneled packets are handed off to the IPv6 layer
- kernel: ipv6: Allow IPv4-mapped address as next-hop Made kernel accept IPv6 routes with IPv4-mapped address as next-hop
- gmp: update to 6.2.0
- nginx: update to 1.17.9
- php: back to 5.X branch (5.6.40 - 2019.01.10) - newer causing problems
- sqlite: update to 3.31.1
- curl: update to 7.69.0
- dnsmasq: update to 2.81rc3
- libexif: update to 54b6f7f (2020.02.29) snapshot
- nano: update to 4.8
- tor: update to 0.4.2.6
- pcre: update to 8.44
- getdns/stubby: update to 1.6.0/0.3.0
- pppd: fixes from upstream (pppd: Fix bounds check in EAP code; pppd: Ignore received EAP messages when not doing EAP)
- spawn-fcgi: update to 3c1b01c (2019.08.25) snapshot; clean sources, add patch instead, cosmetic in router/Makefile
- libcurl: update CA certificate bundle as of 2020-01-01
- openssl11: add OpenSSL 1.1.1d to the tree
- openssl11: add build recipes
- openssl11: Enable OpenSSL 1.1.1 in router/Makefile
- openssl11: add patch
- openssl11: tor: enable OpenSSL 1.1.x support
- openssl11: OpenVPN: enable OpenSSL 1.1.x support
- openssl11: getdns/stubby: enable OpenSSL 1.1.x support
- openssl11: vsftpd: enable OpenSSL 1.1.x support
- openssl11: tinc: enable OpenSSL 1.1.x support
- openssl11: nginx: enable OpenSSL 1.1.x support
- openssl11: mysql: enable OpenSSL 1.1.x support
- openssl11: don’t build test and fuzz to shorten build time
- openssl11: enable OpenSSL 1.1.1 for httpd, mssl, mdu (if built with mssl)
- openssl11: enable OpenSSL 1.1.x for libcurl, mdu (if built with libcurl), transmission
- openssl11: dnsmasq: add openssl backend for DNSSEC
- openssl11: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
- openssl11: priorize CHACHA over GCM for models with no AES acceleration
- openssl11: first attempt to reduce size for smaller targets
- openssl11: fix typo in commit e734e48 causing build break
- openssl11: enable OpenSSL 1.1.x on AIO/Mega-VPN/Max/MiniVPN(USB) (z/o/m/a) targets
- openssl11: enable OpenSSL 1.1.x on n60k target (E3000USB-Nocat-MiniVPN)
- openssl11: enable OpenSSL 1.1.x on RT-AC targets (and r64e in RT-N)
- openssl11: enable OpenSSL 1.1.x on: TendaN60; Belkin F5D,F7D,F9K; Netgear WNR3500LV2; Netgear WNDR3400/3700v3 VPN; Netgear WNDR3400v2/v3 VPN
- busybox: wget: openssl11: fix ssl when built with OpenSSL-1.1.x
- GUI: Fix Issue #15 to allow configuring remote access in router mode
- GUI: TOR: add an option to resolve only .onion/.exit domains without having to configure anything else
- GUI: Admin Access: fix info about default web username
- GUI: Admin Access: delete the unnecessary http_root variable (Allow web login as “root”) - now the username is ‘root’ if it’s not entered, no need to check/uncheck something
- GUI: overview: fix the order of the enable/disable wifi buttons for routers with three radios
- GUI: overview: fix issue when warning about unsecured wifi appears, even if this radio is temporarily disabled by “Disable” button on this page
- GUI: Admin Access: do not restart sshd if there are no configuration changes
- GUI: Basic Network: fix the order in which the wifi interfaces are selected when setting Wireless Client Mode (bug similar to that on the Overview page)
- GUI: clean-up; the first step to sorting out this mess
- GUI: add AdvancedTomato-like themes: red, blue, green and dark for AIO/Mega-VPN/Max targets
- GUI: support showing status of hilink modem reachable from any WAN
- GUI: add AdvancedTomato-like themes for all RT-AC targets (and r64e in RT-N)
- GUI: add AdvancedTomato-like themes for: TendaN60; Belkin F7D,F9K; Netgear WNR3500LV2; Netgear WNDR3400/3700v3 VPN; Netgear WNDR3400v2/v3 VPN
- Use Cyassl only on small targets when NO_HTTPS is defined - otherwise use OpenSSL for httpd, mssl and mdu
- MDU: disable SSL_VERIFYPEER, if built with libcurl but without local CA cert file (fix problem on non-AIO targets)
- stubby: add different config file if target is build without CA cert
- stubby: update Google tls_pubkey_pinset in configuration file
- nginx: move (forgotten) changes in tree to the patch
- build: openssl11: update libfoo.pl for OpenSSL 1.1.x
- httpd: gencert.sh: add emailAddress attribute to generated certificate
- httpd: gencert.sh: use openssl11 when available for certificate generation; use genpkey command for key generation
- Makefile: add NFS Server and IPERF to target ‘o’ (Mega-VPN)
- router: Makefile: openssl/openssl11: tweak build recipes; removed unused ciphers
- router: Makefile: openvpn: link against zlib only if zlib is installed; clean-up
- router: Makefile: openssl11: distinguish OPENSSL_CIPHERS depending on the OpenSSL version
- router: Makefile: samba3: build with libiconv if available
- router: Makefile: dnsmasq: build with NO_TFTP only for MiniVPN/MiniVPN2 (j/j2) targets; fixes #21
- router: Makefile: add symlink to openssl
- router: httpd: Makefile: remove pthread from LIBS
- router: httpd: misc.c: change memory format specifiers to unsigned integer (there was an overflow in displaying memory sizes above 2GB)
- router: others: secure adblock with lock file; better compress scripts; reformat ttb-2.0.5 help
- router: others: mymotd: fix ‘bad number’ bug when wanX is disabled
- router: rc: services.c: add warning to syslog when dnsmasq is skipped because of WEB mode enabled. Fixes #2
- router: rc: init.c - Reboot automatically when the kernel panics and set waiting time (3 sec now)
- router: rc: init.c - set overcommit_memory and overcommit_ratio
- router: rc: blink_br.c - exit / stop blink_br for router with more than one LAN LED (we do not need blink_br in that case –> save memory/cpu load)
- router: rc: init.c - Adjust et and wl thresh value after reset (for wifi-driver and et_linux.c)
- router: rc: network.c - rework start and stop of emf/lan/wl - fix/correct start and stop of EMF (stop failed almost every time and also router stuck/hung sometimes at reboot via GUI!) - make EMF multi-lan aware - give feedback about start and stop EMF - rework basic start and stop of start_lan / start_lan_wl / start_wl / start_wireless
- router: rc: init.c - remove start_nas()/stop_nas() (already done at start_services()/stop_services())
- router: rc: network.c - bring down loopback interface if we stop lan (and some cosmetic)
- router: rc: network.c - unload/load wifi driver only with start_lan() and stop_lan()
- router: rc: init.c - load usb wifi driver at sysinit (keep it the “old way”)
- router: www: vpn-tinc.asp: fix some bugs, add link to the tutorial, clean-up
- router: www: status-overview.asp: add missing 10Mb port icons, add set of half-duplex icons, code optimization/reduce size, clean-up


2020.1          2020.01.20
--------------------------

- openssl: update to 1.0.2u
- nano: update to 4.7
- tinc: update to de7d5a0 (2019.07.17) snapshot
- dnsmasq: update to ab53883 (2020.01.11) snapshot
- e2fsprogs: update to 1.45.5
- libcurl: update to 7.68.0
- GUI: FTP Server Configuration: add usage notes
- GUI: advanced-vlan-r1.asp - Prevent vlan reset to default at init (fixes #11)
- GUI: advanced-vlan.asp - make it possible to create a VLAN with all ports (including tag on!). Fixes issue #12
- GUI: Static DHCP/ARP/IPT: also restart dnsmasq when saving
- GUI: Advanced: DHCP / DNS Server (LAN): change the ‘DHCPC Options’ format to a 256 character textarea
- mdu: fix some bugs (again)
- stubby: add syslog support
- pppd: restore the use of libcrypt to support DES instead of OpenSSL (commit #5c08f06 introduced an upstream change: 'Use openssl for DES instead of libcrypt / glibc', with no choice of libcrypt (only libdes and OpenSSL). It requires OpenSSL 1.0.2 and prevents compilation with OpenSSL 1.1. This commit fixes it))
- pppd: fixes from upstream (pppd.h: Add missing headers; pppd: Don't free static string; pppd: Limit memory accessed by string formats with max length specified; pppd: Make sure word read from options file is null-terminated; pppd: Avoid use of strnlen (and strlen) in vslprintf)
- miniupnpd: get rid of OpenSSL dependencies in miniupnpd, optimization, cosmetics
- router: Makefile: tune libyaml/getdns recipes - reduce size
- vpnrouting: fix the extraction of foreign options from the OpenVPN server, add a warning if the option is enabled but nothing was received from the server, change firewall restart - move to the very end
- NFS: allow selection of protocol version; optimization and clean-up; move code from nfs.rc script to nfs.c


2019.4          2019.12.29
--------------------------

- kernel RT-AC: fix MultiWAN support that seems broken since few release (thanks @tvlz for pointing this out)
- dnsmasq: update to 7d04e17 (2019.12.12) snapshot
- accel-pptp: various fixes and updates; (forgotten commit from RT-AC branch)
- pptpd: update poptop to 3b7a80c (2019.10.14) snapshot
- ebtables: up version to 2.0.11
- libusb: fixes from upstream 
- tor: update to 0.4.2.5
- nano: update to 4.6
- php: update to 7.2.26
- libjson-c: update to d6b968d (2019.12.13) snapshot
- libexif: update to da025b3 (2019.12.13) snapshot
- libubox: update to 07413cc (2019.11.24) snapshot
- usb-modeswitch: update to 2.6.0
- usb_modeswitch: update data package to 20191128
- pppd: fixes/updates from upstream
- adminer: update to 4.7.5
- DDNS: add dns.he.net DDNS support 
- DDNS: use libcurl if available for DDNS 
- mdu: libs optimization (added lately libcurl)
- mdu: fixes and improvements
- pppd: merge patches 109-fixes-from-upstream and 110-various-fixes-for-errors-found-by-coverity-static-analysis with the sources
- pppd: fix build break with opensssl
- busybox: add CONFIG_FEATURE_NETSTAT_PRG to configuration, for netstat -p functionality
- NFS: fix connection problems: "nfsd: unable to resolve ANYADDR:nfs: Servname not supported for ai_socktype"
- nvram utility: fix unwanted new line in output when variable in nvram is set but empty (fixes problems with e.g: “nvram get VAR | wc -l”)
- TTBv2: add local storage and custom URL support for routers with USB support (based on @rs232 commit)
- VPN PPTP: changes and improvements - tested on Android and MIPS/ARM routers in different configurations, working (both: lan access and internet)
- dropbear: build back with “Remote Forwarding” support (only for server) 
- GUI: Hide references to TOR on advanced-dhcpdns.asp if image was built without it
- GUI: PPTP Client Configuration: fix problems with “Start/Stop Now” button
- GUI: OpenVPN Client: cosmetic; (as suggested by @rs232: https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm-development-thread.74117/post-309967)
- GUI: Hide options for IPv6 on advanced-dhcpdns.asp if image was built without it
- GUI: add Model Name to the header
- patches: fix pppd patch (111-reduce-size); (call to log errors or warnings resulted in unwanted termination of pppd)
- patches: portmap: fix patch
- Makefile: fix “make help” - add missing quotation marks
- Makefile: change to using Stubby instead of Dnscrypt for all builds
- Makefile: add 'j2/r2j2' (MiniVPN2) targets - with PPTPD instead of OpenVPN
- router: Makefile: pppd: build pppd with openssl support only if ‘full’ version is compiled
- router: Makefile: do not add /rom/etc/vpn to image
- router: Makefile: dnsmasq: build with NO_TFTP and NO_SCRIPT also for bigger targets, to reduce size
- router: accel-pptp: fix some warnings from code analyzer
- router: mdu: Makefile: fix build break, caused by commit #14def07; (also fix two compiler warnings)
- router: mdu: fix missing User-Agent curl header
- router: others: sysinfo: add -p switch to netstat (thanks @tvlz)
- router: others: Makefile: remove stealthMode script for very small targets / images (save ~5,5 KB space)
- router: www: vpn-pptp.asp: fix annoying bug that clicking “Start Now” causing pop-up window with warning “Unsaved changes will be lost. Continue anyway?”
- router: rc: Makefile: - add missing NVRAM option to save space in NVRAM and reduce image size a little bit
- router: rc: pptp_client.c: fix the inability to enable pptp when “Start with WAN” is unchecked
- router: rc: pptpd.c: add interface ppp1* to dnsmasq config (only for DNS); (fix for: PPTP Client Android 9 cellphone/smartphone can now successfully connect and use the tunnel)
- router: rc: pptpd.c: add interfaces vlan* and eth* to dnsmasq config (only for DNS); (fix for: PPTP Client Android 9 cellphone/smartphone can now successfully connect and can access local lan / samba / et cetera)
- router: rc: services.c: c: Add WPAD DHCP option for Win7/8 by default if dhcpd_auth >=0 is fixed in nvram
- router: rc: usb.c: set USB LED after saving settings (case web admin)
- router: www: tomato.js: cosmetics (thanks @tvlz)
- router: www: tools-survey.asp: cosmetic (thanks @tvlz)
- Revert “hiding nvram size summary when displaying mymotd” (Not needed in the mips branch)
- Revert “accel-pptp: change code optimization from -O2 to -Os to save some space”
- Tenda N60: fix reboot when saving settings (Issue #7)
- WNR3500L/v2: change LED table and adjust WAN / Internet LED
- WNR3500L/v2: change LED table and adjust LED DIAG (Power LED)


2019.3          2019.11.23
--------------------------

 Finally, the image for MIPSR1 target MiniVPN (4MB, 3866624 bytes) fits!

- miniupnpd: update to 2.1.20191006
- dnsmasq: update to 936bd82 snapshot
- sqlite: update to 3.30.1
- e2fsprogs: update to 1.45.4
- nano: update to 4.5
- php: update to 7.2.24
- xl2tpd: update to 1.3.15
- libogg: update to 1.3.4
- openvpn: update to 2.4.8
- libxml2: update to 2.9.10 + libs optimization (remove patch [fix-build-break] - fix already in upstream)
- libcurl: update to 7.67.0
- flac: update to 1.3.3
- OpenVPN: disable-lz4 and enable-small for “j” (MiniVPN) target to reduce size (enable-small disable OCC, usage message and verb 4 parm list; image size now: 3936256 bytes; still too much (3866624 max) - WIP)
- libcurl: Updated CA certificate bundle as of 2019-10-16
- dropbear: reduce size if flag TCONFIG_OPTIMIZE_SIZE_MORE is set
- GUI: OpenVPN server: extend Username field to 25 chars
- GUI: Add a checkbox to enable the Broadcom FastNAT module to load for every target except j (r2j, etc) and v (r2v, etc) [also in RT-N/RT-AC branch]
- GUI: Report CFE version on status-overview.asp page
- GUI: there is no need to reboot the router after enabling/disabling Broadcom FastNAT
- GUI: rename “Enable SYN cookies” to “Enable TCP SYN cookies”
- GUI: reading webmon logs from end to beginning to repair display
- QoS: fix iproute2 on commit #831a43b (unfortunatelly, this increases the image size)
- TTB: fix memory leak, when WAN or tomatothemebase.eu is down (bug present from the very beginning)
- hiding nvram size summary when displaying mymotd
- Rename flag TCONFIG_OPENVPN_SMALL to TCONFIG_OPTIMIZE_SIZE_MORE (this name will better describe its use in the future)
- Makefile: remove PPTPD from “j” image to reduce size
- Makefile: disable elimination of PRINTK code - it was not a good idea…
- router: Makefile: build dnsmasq with NO_SCRIPT, NO_LOOP and NO_TFTP to reduce size
- router: Makefile: dnsmasq: use NO_AUTH, NO_LOOP, NO_SCRIPT and - additonally - NO_AUTH, only if flag TCONFIG_OPTIMIZE_SIZE_MORE is set
- router: Makefile: openvpn: build with –disable-server if flag TCONFIG_OPTIMIZE_SIZE_MORE is set
- router: Makefile: dropbear: build without “scp” support if flag TCONFIG_OPTIMIZE_SIZE_MORE is set
- router: httpd: misc.c: tune-up function get_cfeversion()
- router: nvram: defaults.c: remove one more example (script_brau), if target is small or NVRAM 32K
- router: others: mymotd: fix typo in #c7a1b35
- router: others: wwansignal: simplify checkPid(), cause we have only low priority process here
- router: rc: firewall.c: fix compiler warning
- router: rc: nginx.c: clean-up, code optimization - size reduced by almost 4kB
- router: rc: openvpn.c: fix typo causing wrong netmask to be added to the nat for bridges 2 - 4
- router: rc: openvpn.c: clean-up, code optimization - size reduced by almost 4kB
- router: rc: services.c: make reading stubby version more secure
- router: rc: services.c: clean-up, code optimization - size reduced by almost 3kB
- router: rc/shared: fix compiler warnings (align to ARM branch)
- router: www: about.asp: add BT donation address to the page + cosmetics
- Linksys WRT54G/GS/GL: assign unique MAC address for 2.4 GHz WiFi, was always 00:90:4C:5F:00:2A after upgrade/nvram full erase (for every router)
- Linksys E2000: correct order of the ports on status and advanced-vlan pages


2019.3-220-beta 2019.09.29
--------------------------

- kernel/kernel RT: prepare for conditional elimination of PRINTK code - reduce kernel size for selected targets
- nfs-utils: clean sources 1.1.5, add patches instead
- nfs-utils: update to 1.2.1
- nettle: update to 3.5.1 + fix build break
- ebtables: update to 2019.06.28 snapshot
- portmap: clean-sources 6.0, add patch instead
- e2fsprogs: update to 1.45.3
- sqlite: update to 3.29.0
- php: update to 7.2.22
- uqmi: update to 2019.06.27 (1965c71) snapshot
- nginx: update to 1.16.1
- ffmpeg: update to 0.6.7
- nano: update to 4.4
- tor: update to 0.4.1.5
- miniupnpd: update to 2.1.20190902
- dnsmasq: update to 2.80-e24abf2 snapshot
- adminer: update to 4.7.3 2019-08-27
- libxml2: update to 2.9.9 + libs optimization + fix build break
- libpng: update to 1.2.59 + libs optimization
- libubox: update to 2019.06.16 (ecf5617) snapshot
- libjson-c: update to 2019.06.09 (07ea04e) snaphot
- libexif: update to 2019.06.15 (a0c04d9) snaphot
- libiconv: update to 1.16 + libs optimization
- libevent: update to 2.0.23-beta
- libcurl: update to 7.66.0 + libs optimization
- libusb: update to 1.0.23
- openssl: update to 1.0.2t
- libcurl: updated CA certificate bundle as of 2019-08-28
- nfs-utils: move rc script from patch to a file + cosmetics
- dnsmasq: fix wrong return code from explore_rrset() with some errors
- ebtables: build ipv6 extension only if needed
- pcre: reduce size
- GUI: fix/add conditional OpenVPN client restart, if the entry was removed from Routing Policy table only by clicking the "x" sign
- GUI: about.asp: remove some info if more space is needed in small targets (+fix)
- BTGUI: move "btcheck" script to "others" subdir
- Make solving domain .onion using Tor optional (add option in "DHCP / DNS Server" settings; default is off)
- OpenVPN: add Strict Mode to client's Routing Policy (strict mode takes extra steps to ensure that only routes going through the VPN tunnel get used for tunnelled clients; kill switch is still missing)
- Makefile: remove size optimization for kernel in Netgear WNDR3400/3400V2/3400V3/3700V3
- Makefile/config: introduce new TCONFIG_OPTIMIZE_SIZE variable used for size optimization on small-size targets
- Makefile: switch from dnscrypt-proxy to stubby on small targets to save space
- Makefile: elimination of BUG code - reduce kernel size for j and r2j targets
- Makefile: enable elimination of PRINTK code - reduce kernel size for j and r2j targets
- Makefiles: optimize for size (emf, igs, et, robocfg, wlconf)
- dnsmasq: reduce size on small targets
- iproute2: reduce size on small targets
- pppd: reduce size on small targets
- xl2tpd: reduce size on small targets
- iptables: reduce size on small targets
- glib: reduce size on small targets
- ffmpeg/minidlna: reduce size on small targets
- snmp: reduce size on small targets
- ntfs-3g: reduce size on small targets
- samba3: reduce size on small targets
- udevtrigger: reduce size
- httpd: gencert.sh: add "TLS Web Server Authentication" to certificate's extended attributes (new requirement from iOS/MacOS; Ported from RMerlin, thanks: https://github.com/RMerl/asuswrt-merlin.ng/commit/e786dfa2a5faac92c77c499a9b7fb0923efce892)
- httpd: limit SSL certificate to 2 years if clock is accurate (Based on RMerlin's commit: https://github.com/RMerl/asuswrt-merlin.ng/commit/9e1566a472b3babcbe463e21e5b00a1b1efff30a)
- router: Makefile: fix OpenVPN recipe (remove deprecated "with-plugindir" option; add "PLUGINDIR" instead)
- router: Makefile: pppd: also reduce the size of chat and pppol2tp plugin
- router: Makefile: clean-up tor recipe
- router: Makefile: fix libnfsidmap recipe
- router: Makefile: flac: remove deprecated option, cosmetics
- router: Makefile: clean-up pptpd recipe
- router: Makefile: optimize lzo and OpenVPN for speed for AIO targets
- router: Makefile: zebra: remove deprecated option, fix naming of second one
- router: Makefile: udpxy: reduce size
- router: Makefile: hotplug2: reduce size
- router: Makefile: xl2tpd: reduce size
- router: Makefile: bridge: reduce size
- router: Makefile: rp-pppoe: reduce size
- router: Makefile: ipset: reduce size
- router: Makefile: accel-pptp: reduce size
- router: Makefile: snmp: reduce size
- router: Makefile: glib: reduce size
- router: Makefile: libusb10: reduce size
- router: Makefile: jpeg: reduce size
- router: Makefile: libid3tag: reduce size
- router: Makefile: zlib: reduce size
- router: Makefile: miniupnpd: reduce size
- router: Makefile: libcurl: tune-up recipe (reduce size; add zlib support; add (Open)SSL support to AIO targets; libs optimization; cosmetics in patch)
- router: Makefile: libsub: fix typo (usb_modeswitch works again)
- router: Makefile: tune OpenVPN recipe
- router: Makefile: build openssl always with no-err; with no-rc4 if transmission is disabled
- router: cstats: Makefile: reduce size
- router: httpd: openvpn.c: fix compiler warnings
- router: mssl: Makefile: reduce size of libmssl.so
- router: nvram: defaults.c: remove some examples if more space is needed in nvram
- router: others: Makefile: Remove comments from scripts to safe some space
- router: others: mymotd: cosmetics
- router: others: stealthMode: remove Sunset mode because Yahoo API is down + cosmetics
- router: rc: optimize code for size for small targets
- router: rstats: Makefile: reduce size
- router: wanuptime: fix compiler warnings
- router: www: Makefile: also remove wwan-sms.asp if target is without USB support
- router: www: wwan_parser.js: declare variables with "var" instead of "let" for uglifyjs to work correctly
- router: www: *.svg: cosmetics
- miniupnpd: fix patches after commit #151e792
- samba3: optimize code for speed for AIO targets, otherwise - reduce size
- Clean-up tree and Makefile (unused package udev)
- Clean-up tree and Makefile (unused package vlan)
- Add Cloudflare DDNS support
- Move disabling of rp_filter from mwan to firewall and make it multiwan aware
- Test and fix wwansignal with all possible modes of Huawei E8372
- Use nvram_safe_get to avoid crash in case of null pointer.
- Fix undefined function reference in wwan_parser.js
- Fix race condition starting wireless WAN causing route addition failure
- switch4g: also try to reset modem in QMI mode
- Revert "libcurl: disable proxy and libcurl output options" (TBH: the profit on the smaller size is illusory)
- Revert "kernel: backport ida_simple_* kernel functions." (we don't have space for this...)
- E4200v1: fix overlapping MAC addresses with more than one VIF per WiFi module
- E4200v1: adjust WiFi setup/init parameter (align to dd wrt)


2019.3.118-beta 2019.07.06
--------------------------

Recommendations:
- clear your NVRAM after upgrade!
- users using OpenVPN client: check your settings!
- GUI problems: use Ctrl+F5 and/or clean your browser cache.

- kernel: backport ida_simple_* kernel functions
- kernel RT-AC: update netfilter_bridge headers, to fix compilation of ebtables
- nano: update to 4.3
- sqlite: update to 3.28.0
- miniupnpd: update to 2.1.20190630
- php: update to 7.2.19
- tor: update to 0.4.0.5
- nginx: update to 1.16.0 - Stable Branch
- pcre: update to 8.43
- xl2tpd: update to v1.3.14les
- libcurl: update to 7.65.1
- openssl: update to 1.0.2s
- libcurl: update CA certificate bundle as of 2019-05-15
- e2fsprogs: update to 1.45.2
- pppd: various fixes for errors found by coverity static analysis
- patches: update patch for xl2tpd + cosmetics
- patches: cosmetics in php patch
- patches: fixes in pppd patches
- patches: ebtables: build ipv6 extension only if needed
- patches: ebtables: build only needed extensions
- libcurl: fix build break
- ebtables: restore original Makefile in extensions subfolder
- ebtables: restore original #include in ebt_ip.c
- ppp: fix race condition between ppp watchdog and redial (for keepalive mode)
- RT-N15U: change LED table - assign GPIO 6 for LED_AOSS / Power LED (active LOW, inverted) - assign GPIO 4 for LED_BRDIGE / LAN LED (active LOW)
- GUI: fix removal of the WWAN SMS
- GUI: fix undefined Modem Type on "WWAN Modem Status" (also lack of link to view WWAN SMS) when modem on different wan than the first one
- GUI: OpenVPN server: fix JS error casued by commit #e43cf81 that make it impossible to save the configuration
- GUI: OpenVPN server: fix JS error casued by commit #e43cf81 that make it impossible to save the configuration
- GUI: OpenVPN Client: extend password field to 70 characters
- GUI: add "Wifi Security Disabled" warning on Status Overview page (discussion: https://www.linksysinfo.org/index.php?threads/security-enhancement-lets-disable-the-aps-by-default.74557/)
- GUI: advanced-dhcpdns.asp - add DHCP IPv6 lease time option
- GUI: advanced-firewall.asp - add IGMP proxy option quickleave (default turned on (no change). The user can turn it off now if required)
- GUI: advanced-firewall.asp - Add note for hidden IGMP proxy settings
- GUI: status-overview.asp - extend Ethernet Ports State
- IPv6: fix IPv6 6to4 tunnel (if remote host was on 6to4, the packets were dropped because of wrong routing and tunnel settings; this fixes issue #51; Reference: http://tomatousb.org/forum/t-461151/6to4-tunnel-in-tomatousb-is-done-wrong)
- OpenVPN: fix generating an openvpn client configuration on server with TLS authorization [2]
- OpenVPN: key generation: add also "key-direction" in the second case
- OpenVPN: use of the OpenVPN scripting engine
- OpenVPN: Routing Policy: copy routes from the main table to the alternate routing table
- OpenVPN: configurable inbound allow/drop firewall policy for clients
- OpenVPN: fix the visibility of the Routing Policy table and when the rules are to be applied
- OpenVPN: "Manage Client-Specific Options" Fix bug when more than one subnet per client is defined in ccd (only the last one was stored in ccd).
- OpenVPN: Client: also run up/down script for Static Key auth
- OpenVPN: Client/Server: add tls-crypt as an option - encrypt and authenticate all control channel packets with the key (change the name of the option from "Extra HMAC authorization (tls-auth)" to "TLS control channel security (tls-auth/tls-crypt)", add warnings if exported client file will require OpenVPN 2.4.0 or newer)
- OpenVPN: Client: move back firewall rules to vpn.c script
- OpenVPN: Client: split updown script
- OpenVPN: Client: simplify use of Routing Policy (remove route-nopull and route-noexec options, add in "Redirect Internet traffic" option "Routing Policy" instead, remove unused variables from NVRAM, fix links to OpenVPN howtos)
- OpenVPN: rename files and functions from vpn to ovpn/openvpn for better consistency
- OpenVPN: some improvements (updown-client.sh: remove unneeded dnsmasq restart; vpnrouting.sh: add a FW restart instead of a simple local script call - when kill switch will be ready, it can be change back)
- Integrate OpenVPN 2.4.7 Tunnelblick XOR patch (allows using obfuscated servers)
- Fix openvpn password validation to actually accept 70 characters
- Adjust OpenVPN policy routing priority to come before multiwan rules
- Fix OpenVPN policy based routing in case of using route-nopull or no pushed routes (Don't depend on $route_vpn_gateway because it is not passed by OpenVPN when no routes are pushed)
- When OpenVPN inbound firewall is enabled, adjust fw rules to allow reply packets
- Add routes for all LAN bridges when creating multiwan routing tables
- Disable rp_filter on multiwan routing add to allow policy-based routing to work
- Implement MultiWAN Up script (WAN number passed as $1) that runs regardless of which one is considered the "primary" one
- Fix 4g wan restart causing wrong restart of wan1 due to dhcpc-event bound event behavior and missing wanX_iface nvram var
- Makefile: cosmetic
- Makefile: save space in NVRAM for routers with 32k NVRAM
- Makefile: fix for commit https://bitbucket.org/pedro311/freshtomato-mips/commits/dedf5c4f288d03ebbfe877c0654b00b1b8a5e3bf (commit has made nvram size 32k for n60x/n64x builds tied to the r2x builds)
- Makefile: separate Netgear WNDR3400/3700v3 builds from Netgear WNDR3400v2/v3 builds
- router: clean-up of unused files and variables
- router: Makefile: remove the patches in reverse order
- router: Makefile: fix logic in applying/unapplaying the patches
- router: Makefile: php: remove deprecated option - --without-mcrypt
- router: Makefile: libcurl: clean build recipe (add --disable-threaded-resolver to fix possible build break; enable IPv6 only if IPv6 is really enabled; remove old option --disable-thread)
- router: Makefile: clean-up and simplify libcurl recipe
- router: Makefile: dnsmasq: skip gost validation with nettle, it's not supported anyway
- router: rc: optimizing code, cosmetics (mainly for openvpn part; based on @RMerlin - thanks!)
- router: rc: button.c - do some clean-up/cosmetic - use LED_ON and LED_OFF - call get_model() only once - add some comments
- router: rc: init.c / shared: led.c - do some clean-up - use LED_ON and LED_OFF - cosmetic - add some comments
- router: rc: rc.c / init.c / wan.c - remove obsolete SET_LED() and defines - clean-up
- router: rc: blink_br.c: - introduce bridge LED for some Router (for example RT-N15U) - sync / catch up with ARM branch - LED_BRIDGE will turn on/off if a ethernet cable is connected/disconnected - add support for RT-N15U (full LED support now with this commit)
- router: rc: led.c: - small optimization for led_main(), compare (full) led name only once (Hint: stay as close as possible to ARM branch)
- router: rc: vpn.c: add missing closedir() in write_vpn_dnsmasq_config() function
- router: rc: openvpn.c: Make firewall rules consistent in both IPv4 and IPv6
- router: shared: led.c: - do call get_model() only once (only cosmetic / optimization)
- router: shared: shared.h: - remove not used define LED_BLINK (and cosmetic)
- router: www: basic-time.asp: fix javascript error caused by commit #20f1ca0
- wwansignal: fix problems with signal level and LAC value on some modems (ie. Huawei E8372)
- Revert "netfilter: ebtables: fix wrong name length while copying to user-space" (it breaks ebtables totally...)


2019.2          2019.04.20
--------------------------

- openssl: update to 1.0.2r
- SQLite: update to 3.27.2
- php: update to 7.2.17
- dnsmasq: update to 2.80-343b7b4 snapshot
- libcurl: update to 7.64.1
- nano: update to 4.0
- dropbear: update to 2019.78
- pppd: clean sources 2.4.5, add patches instead
- pppd: update to 2.4.6
- pppd: update to 2.4.7
- pppd: fixes from upstream
- miniupnpd: update to 2.1.20190408
- libyaml: update to 0.2.2
- getdns: update to 1.5.2 + upstream build error fix
- libubox: update to eeef7b5 snapshot
- getdns: add patch to fix missing define for log_warn
- patches: miniupnpd: fix naming, cosmetics
- patches: libcurl: cosmetics
- ebtables: add 2 patches (Check -C parameters correctly, Check port range correctly)
- GUI: fix at last Wireless Ethernet Bridge mode. It doesn't solve the problem if WL does not connect to AP (ie. on WPE2 Personal + AES), but it solves of updating time and dnslookup (valid /etc/resolv.conf)
- GUI: QOS: fix JS error on View Details page, when view in given class
- GUI: QOS: fix (again) some problems on View Details page
- GUI: QOS: fix table sorting by "Protocol" on View Details page
- GUI: OpenVPN: remove support for the RC ciphers. DES is kept for now, for legacy reasons
- GUI: OpenVPN: Fix vpn-server.asp visible key fields
- GUI: PPTP Client: increase max length of "server address" to 50 chararacters
- GUI: add support of WWAN modem signal - use a minimum of 10 seconds of refresh time for best readings on Status -> Overview page
- GUI: advanced-routing.asp - add option to force IGMPv2 - cosmetic
- GUI: add support of multi WAN in modem status
- GUI: add support of SMS inbox for 4G non-hilink/3G modems
- GUI: fix ports order caused by commit #081d9ad + clean-up
- Cleanup of unused rp-l2tp from the tree and Makefile
- OpenVPN: change the default order of Negotiable Ciphers
- OpenVPN: fix generating an openvpn client configuration on server with TLS authorization (enable remote-cert-tls)
- router: Makefile: clean-up openvpn recipe
- router: Makefile: build openssl with no SSLv2 and SSLv3 support
- router: Makefile: clean-up miniupnpd build recipe
- router: Makefile: build dnsmasq with HAVE_AUTH flag
- router: httpd/rc: vpn.c: replace &buffer[0] (and &buffer2[0], &buf[0]) references in openvpn with straight buffer, for better readability and reduced risk of errors
- router: httpd: correct generation of HTTPS certificate
- router: nvram: defaults.c: cosmetics - rebranding ;)
- router: others: wwansignal: fix showing the 3G signal level
- router: others: switch3g/switch4g/wwansignal: some improvements/fixes
- router: rc: change the name of the ntpc service to ntpd + some code changes, in accordance with other start/stop functions
- router: rc: init.c: change back to where the start_wan() function is called
- router: rc: init.c: change min_free_kbytes setting - catch up to AsusWRT / Merlin and also Netgear (case 20 MByte right now, was 14 MByte)
- router: rc: network.c - change blink behaviour / start
- router: rc: vpn.c: increase interface queue length from 100 to 1000 bytes
- router: rc: services.c: add some logging when starting/stopping services
- router: rc: services.c: change the way how "serial" and "uuid" are created in minidlna config
- router: rc/shared: clean-up, cosmetics, fix compiler warnings
- router: rc: clean-up (cosmetics)
- router: shared: led.c: RT-N15U: change LED table - set GPIO 1 for LED_WLAN active HIGH --> small fix, was active LOW
- router: utils: robocfg.c - catch up to AsusWRT / Merlin (thx) - one file for both, ARM and MIPS
- router: www: tools-shell.asp: support of multiple lines pasted into termlib window
- router: www: status-overview.asp: a few W3C fixes
- router: www: Makefile: remove more obsolete stuff from html
- router: www: another W3C fixes
- Revert "router: rc: init.c: change back to where the start_wan () function is called"


2019.1          2019.02.27
--------------------------

- kernel RT-AC: drivers: net: usb: cdc-ether.c: clean packet filter upon probe
- php: update to 7.2.15
- getdns: update to 1.5.1 (stubby 0.2.5)
- tor: updated to 0.3.5.8
- dnsmasq: update to 2.80-28cfe36 snapshot (add back ability to compile without IPv6 support to minimize size of dnsmasq (as a patch), cosmetics in other patches, little cleanup in router/Makefile)
- adminer: update from 4.7.0 to 4.7.1 2019-01-24
- libcurl: updated CA certificate bundle as of 2019-01-23
- libcurl: update to 7.64.0
- stubby: add Google DNSoTLS (ipv4/ipv6) to stubby.yml
- nettle: update to 3.4.1
- SQLite: update to 3.27.1
- miniupnpd: update to 2.1.20190210
- OpenVPN: update to 2.4.7
- switch4g: add support for rndis protocol
- switch4g: fix path for DIAG device in qmi_wwan mode
- stubby: change round_robin_upstreams to 1
- tinc: revert: Use git describe to populate autoconf's VERSION (it is needed to have proper "tinc --version" string, it must be remembered that with every tinc update, change the version number in the patch)
- tinc: synchronize source with ARM branch. For unknown reasons, MIPS version was quite different from the ARM...
- E4200v1: change LED pin table - this router has only 2 LEDs at the cisco LOGO
- vpnrouting: fix cleaning of routing after stopping the OpenVPN client with "Redirect through VPN" checked - not working from the very beginning (commit that adds this function, also responsible for the error: https://bitbucket.org/pedro311/freshtomato-mips/commits/4c75d36f6fb2c1da1de8d7db33e2a91714d045e8)
- DDNS: HE.net IPv6 Tunnel Broker uses now Dyn DNS Update API http://dyn.com/support/developers/api/
- DDNS: FreeDNS: add possibility to update IP with custom value as on other services, add https
- DDNS: opendns requires now HTTP 1.1 in request header
- GUI: OpenVPN ServerX & ClientX - restrict option/setting "Poll Interval" to 0-30 minutes (values > 30 are not usefull)
- GUI: OpenVPN: increase max length of client common name to 255 chararacters
- GUI: new termlib based tools-shell.asp as an option for o (Mega-VPN) and z (AIO) targets
- GUI optimization tools: optimize also javascript in .asp and .jsx files with filter (I know it will break W3C compatibility in some places, but we really need that to decrease image size...)
- GUI: add option for OpenVPN server to force IPv4 or IPv6 for connection
- GUI: add option for OpenVPN client to choose IPv4 or IPv6 only connection
- GUI: fix generate vpn client config
- GUI: QOS: hide View Details when QOS is disabled
- GUI: Wireless Filter: add a warning about the number of MAC addresses supported + cosmetics
- GUI: fix IPv6 mask matches
- router: Makefile: build nginx with http v2 module
- router: Makefile: don't ln /usr/share to /tmp when samba3 is installed
- router: Makefile: pptp-client: remove (forgotten) obsolete sh ip scripts
- router: Makefile: fix tor build failures
- router: Makefile: some changes with clean up
- router: httpd: tomato.c: additional commit for #c6db081 and #c7d5c2c (increase length of variables for vpn protocol to 11 characters)
- router: httpd: fix warnings in compiler; clean-up
- router: mdu: mdu.c: clean-up & simplify some if conditions
- router: mdu: remove no more needed functions/files/includes
- router: mdu: fix compiler warnings
- router: rc: blink_5g.c: old blink 5g code is obsolete [RT-AC]
- router: rc: dhcp.c: clean-up
- router: rc: dhcp.c: remove unused variable
- router: rc: wan.c: cleanup WAN LED control [RT-AC]
- router: rc: fix warnings in compiler; clean-up
- router: shared: led.c: clean-up; remove unused code
- router: shared: led.c: extend GPIO pin support from 0-15 to 0-31
- router: shared: misc.c: add support for WAN LED for more MIPS Router according to LED table at file shared/led.c [RT-AC]
- router: shared: misc.c: fix a few typos (wrong type, pointer by mistake) at function wan_led_off(...) and check_wanup(...)
- router: shared: misc.c: change/fix function wan_led(int mode) --> call by value
- router: shared: misc.c: add/fix missing fclose(...) and some cosmetic
- router: shared: shared.h: add missing prototype declaration for function wan_led(...) and wan_led_off(...) [RT-AC]
- router: shared: fix warnings in compiler; clean-up
- router: shared: fix warnings in compiler [RT-AC]
- router: www: vpn-client.asp: change allowed server address length to 60 characters (it's amazing that such long addresses exist ...)
- router: www: basic-ddns.asp: clean-up of vars, remove unneeded js code
- Improved a little bit build progress indicator


2019.1.015-beta 2019.01.10
--------------------------

- kernel: ipv6: Drop packets for loopback address from outside of the box
- kernel: ipv6: drop packets when source address is multicast
- kernel: ipv6: don't accept multicast traffic with scope 0
- kernel: ipv6: don't accept node local multicast traffic from the wire
- kernel: ipv6: drop non loopback packets claiming to originate from ::1
- kernel: ipv6: use ND_REACHABLE_TIME and ND_RETRANS_TIMER instead of magic number
- kernel: ipv6: ip6_forward: perform skb->pkt_type check at the beginning
- kernel: ipv6: drop frames with attached skb->sk in forwarding
- kernel: net: Discard and warn about LRO'd skbs received for forwarding
- kernel: ipv4: ip_forward: perform skb->pkt_type check at the beginning
- kernel: ipv4: ip_forward: Drop frames with attached skb->sk
- kernel: net: ipv4: igmp.c: bonding: fix to rejoin multicast groups immediately
- kernel: net: ipv4: igmp.c: igmp: Reduce Unsolicited report interval to 1s when using IGMPv3
- kernel: net: ipv4: igmp.c: Make igmp group member RFC 3376 compliant
- kernel: ipv6: Remove IPV6_ADDR_RESERVED
- kernel RT-AC: backport useful macros and defines from upstream
- udpxy: update to 1.0.23-12, clean sources
- e2fsprogs: update to 1.44.5
- Makefile: remove n60z (AIO) target, because the image size exceeds the flash size (16MB)
- miniupnpd: do not disable port forwarding when in double NAT / CGNAT
- udpxy: fix start with PPP connection
- udpxy: extend GUI function (advanced-firewall.asp)
- GUI: adblock: update lists immediately, if called from the GUI
- GUI: MultiWAN Routing: increase the maximum number of digits to 80 for Port
- router: httpd: misc.c: use function check_wanup_time(char *prefix) for void asp_link_uptime(int argc, char **argv) to get the link uptime (wanX)
- router: shared: misc.c: make function check_wanup_time() mwan-ready; small change/adjustment to rstats & cstats to use the new function; cosmetic for rstats & cstats at function calc(): add typecast (long) to meet variable wanuptime (long)
- dnsmasq: fix router reboots, when connected to wifi with specific configuration


2018.5          2018.12.21
--------------------------

- kernel: netfilter: ip6_tables: fix information leak to userspace
- kernel: ipv6: Warn users if maximum number of routes is reached
- kernel: inet6: prevent network storms caused by linux IPv6 routers
- kernel: ipv4: correct IGMP behavior on v3 query during v2-compatibility mode
- openssl: update to 1.0.2q
- SQLite: update to 3.26.0
- adminer: update from 4.6.3 to 4.7.0 2018-11-24
- xl2tpd: update to 1.3.13
- php: update to 7.2.13
- nginx: update to 1.14.2
- libcurl: updated CA certificate bundle as of 2018-12-05
- libcurl: update to 7.63.
- rp-pppoe: update to 3.13
- miniupnpd: update to git snapshot from 20181206
- comgt: clean sources of v 0.32, add patches instead
- OpenVPN: add TLS keys generator in GUI for VPN Server as an option for o (Mega-VPN) and z (AIO) targets. Add ability to generate VPN client configuration for TLS
- WIDE-DHCPv6: Fix manpages This patch fixes wide-dhcpv6 manpages (paths, typos, ...)
- WIDE-DHCPv6: Don't strip binaries This patch prevents wide-dhcpv6 build system from stripping built binaries
- WIDE-DHCPv6: Make sla-len config optional
- WIDE-DHCPv6: Make sla-id config optional
- WIDE-DHCPv6: cflag patch
- WIDE-DHCPv6: Fix parallel make race condition
- WIDE-DHCPv6: Adding ifid option to the dhcp6c.conf prefix-interface statement
- IPv6: small fix/changes for DHCPv6 with Prefix Delegation - let IPv6 RA via WAN take care of adding the default route - only add default route ::/0 if option/nvram "ipv6_isp_opt" is enabled via GUI basic-ipv6.asp (Some ISPs/Tomato User maybe need that)
- IPv6: extend GUI status page (status-overview.asp) - show IPv6 addresses for interface wan, br0, br1, br2 and br3
- IPv6: DHCPv6 PD: small corrections - fix visibility for "Request /64 subnet for" --> right now only applicable for DHCPv6 with PD (and not for Native/Static IPv6)
- IPv6: DHCPv6 PD: - override the default EUI-64 address selection and create a very userfriendly address for br0...br3 (--> ends with ::1 now)
- IPv6: small change for DNSMASQ DHCPv6 start address (new ::2 up to ::FFFF:FFFF); leave ::1 address for the router interface brX --> used with DHCPv6-PD (WIDE-DHCPv6) now
- Clean-up of unused matrixssl from the tree, Makefile and other places
- router: Makefile: cosmetics + fix make depend
- router: httpd: tomato.c: fix the correct length of wanX_modem_dev variables
- router: httpd: vpn.c: use system() instead run_program()
- router: mssl: mssl.c: fix start of httpd with HTTPS ON on f and r2f (Mini) targets
- router: rc: firewall.c: allow responses from the dhcpv6 server (Port 547) to the client (Port 546) (--> add Server Port 547)
- router: rom: Makefile: decrease number of tries to 1 for wget. It's already in loop
- router: www: admin-access.asp: change allowed password length to 60 characters
- router: www: vpn-client.asp: change allowed server address length to 40 characters
- router: www: fixes for W3C + some cosmetics
- router: www: qos-classify.asp: change allowed port length to 130 characters
- patches: openssl: split and simplify tomato-mips-specific patch
- switch4g: fix variable initialization in modemReset() function
- switch3g/switch4g: add info to log about successful PIN verification


2018.5.083-beta 2018.11.25
--------------------------

- kernel: BCM47XX: add vectored interrupt support (ie: Linksys WRT160N3, Cisco M10, Asus RT-N12, Linksys EA6500v1, Tenda N80, Tenda W1800R, Buffalo WZR-D1800H, Asus RT-N66U)
- kernel: drivers: net: usb: qmi_wwan.c: fix CVE-2017-16650
- tor: Update to 0.3.4.9
- php: update to 7.2.12
- nano: update to 3.2
- SQLite: pdate to 3.25.3
- dnsmasq: update to 2.80
- uqmi: update to uqmi-01944dd
- libubox: update to libubox-c83a84a, clean sources, add patch instead
- tinc: update to 1.1pre17
- snmpd: update to 5.8
- libcurl: update CA certificate bundle as of 2018-10-17
- libcurl: update to 7.62.0
- dropbear: fix from upstream for CVE-2018-15599
- nginx: update to 1.14.1
- apcupsd: update to 3.14.14
- miniupnpd: update to git snapshot from 20181031 (includes PCP fix)
- mssl: Updated cipher list
- Add IPERF bandwidth test tool with GUI as an option
- GUI: adblock: add warning
- GUI: stubby: add the ability to choose the level of logging
- GUI: add feature to generate VPN static key from GUI
- Add GUI optimization tools that are run before compilation
- GUI: add warning on OpenVPN server page about needed free NVRAM space
- GUI: add option for OpenVPN LZ4-V2 compression
- GUI: Generation of iperf commandline
- GUI: IPerf: fix some minor JS bugs
- www: W3C never-ending-story
- dnsmasq: change default dns priority to 'no-resolv'
- dnsmasq: improve insecure ds syslog to handle servers that really do not support dnssec
- patches: fix mysql re-check patch
- cosmetic and small updates for IPv6
- btools: libfoo.pl: fix typo
- btools: libfoo.pl: prepare for new package (iperf)
- Makefile: add targets n60h, n60k and n60l to build images for Linksys E3000 without minidlna
- Makefile: add stubby to target "o" (Mega-VPN)
- Makefile: remove targets "n60l" (VPN-noMS) and "n60h" (IPv6-VPN) for E3000. Add "n60a" (MiniVPN) instead. Clean-up
- Makefile: changes for "n60" (TendaN60) target: remove minidlna because of the large image size, add dnscrypt-proxy and JFFS instead
- router: preparation of variables for new version of switch4g/switch3g
- router: preparation of variables for new version of switch4g/switch3g part 2
- router: Makefile: fix build when valgrind is installed on host
- router: Makefile: fix nano not working due to missing libstdc++ library (Mega-VPN target)
- router: Makefile: add libnfnetlink-clean target (additionally add PARALLEL_BUILD to MAKE)
- router: Makefile: Filter support for PHP needs to be enabled for h5ai
- router: Makefile: fix typo
- router: www: qos-graphs.asp: Hide "Zoom Graphs" because it doesn't work anyway
- router: www: status-overview.asp: Cosmetics (W3C)
- router: www: tomato.js: small fixes
- router: www: basic-ipv6.asp AND rc: dhcp.c - some cosmetic - add missing verifcation for lanX_ipv6 - add/change comments (also at file httpd/tomato.c) - add additional check before we request a prefix for br1/br2/br3
- router: httpd: increase HTTP_MAX_LISTENERS to 16 --> avoid error message "number of listeners exceeded the max allowed" --> advanced setups with Dual-Stack (IPv4 and IPv6) and remote access need more listerners
- router: httpd: wl.c: fix popen/pclose
- router: httpd: update gencert.sh script
- router: httpd: tomato.c - sync NVRAM variables sequence of OpenVPN Server 1 and Server 2 - add missing default-values for variables "vpn_server1_userpass" and "vpn_server1_nocert"
- router: httpd: iperf.c: change the location of the pid file
- router: dhcp.c: add some comments -cosmetic -change *lanif to const char (pointer can be changed but not char), because of getifaddr return value (const char*) -remove semicolon after some if-conditions
- router: nvram: defaults.c: change default value for ntp_updates (Auto Update Time) to 1 (Auto interval)
- router: rc: vpn.c: add some comments -protection/cosmetic within function start_vpn_eas() and stop_vpn_eas: add check that i (counter for Server X/Client Y) will always be < 4 before write value to nums[i]
- router: rc: network.c - Do not enable IPv6 for 'all', 'eth0', 'eth1', 'eth2' (ethX) - IPv6 will live on the bridged instances
- router: rc: services.c: fix: Static DNS settings broken with WAN disabled (i.e. operating as AP)
- router: usbmodeswitch: remove obsolete files from the device database
- small fix for IPv6 accept_ra: make it possible to change accept_ra value for WAN and LAN(br0...br3) without reboot/restart of the router
- IPv6: restrict Accept RA from LAN option (with dnsmasq)
- stubby: make tls_authentication REQUIRED
- toolchain: update to support IPerf (def. of be64toh and htobe64)
- adblock: clean-up, fixes, improvements
- adblock: decrease timeout for wget to a reasonable value
- adblock: fix race condition when wan is up; avoid adblock to start downloading over and over (on some connections 2-3 times); instead, it's better to have one inactive process
- switch3g: change PIDFILE location
- switch3g: rework (1/2)
- switch4g: change PIDFILE location
- switch4g: add more possible options to Network Type and Roaming for 2nd type (qmi-wwan) non-hilink modems
- switch4g: rework
- switch4g: do not search all DIAGS every time - instead use already found in searchDiag()
- vpnrouting: stay as close as possible to ARM
- mssl: fix ssl context ciphers & options wasn't applied
- nano: bindings: when Ctrl+Shift+Delete has no keycode, don't use KEY_BSP
- nano: fix compilation again when configured with --enable-tiny
- tor: make tor fully functional, so users can solve xxx.onion website dns and visit tor sites
- Final clean-up of UI files according to the Web Consortium W3C standard
- Fix PHP build when libicu is installed
- Fix build when LZMA is installed on host
- Fix "cannot run test program while cross compiling"
- Remove residues in the code after ARIA2
- Cleanup of unused libusb from the tree and Makefile


2018.4          2018.09.10
--------------------------

- kernel: cifs: fix possible memory corruption in CIFSFindNext
- kernel: netfilter: nf_conntrack: fix early_drop with reliable event delivery
- kernel: netfilter: ebtables: fix wrong name length while copying to user-space
- tor: update to 0.3.3.9
- openssl: update to 1.0.2p
- php: update to 7.2.9
- e2fsprogs: update to 1.44.4
- dnsmasq: update to 2.80test6
- libcurl: update to 7.61.1
- Preliminary support for stubby
- Makefile: changes for a (r2a) target: remove minidlna because of the large image size, add dnscrypt-proxy and JFFS instead
- GUI: add a needed include file for code utilizing bwm-common.js
- GUI: display quality as percentage in device list
- GUI: ipt-graphs.asp: do not display graphs if monitoring has been disabled
- GUI: do not display bwm or ipt graphs if monitoring has been disabled
- Fixing the `uname -r` issue in readme
- router: rc: transmission.c: sysctl binary is not included in TomatoUSB, write values directly instead
- router: rc: firewall.c and rc.h: add function "enable_ndp_proxy()" - Enable NDP Proxy for IPv6 builds - add missing conditional compilation
- radvd: remove leftovers at file router/rc/rc.h (Tomato uses dnsmasq)
- OpenVPN: make IPv6 connection possible if IPv6 is enabled
- OpenVPN: extend Server GUI functionality - add option to push LAN(br0)...LAN4(br3) (only if available) - push the suitable DNS Server LAN IP
- Fix curl build failures
- stealthmode: update to 0.11 (also resolves conflict caused by commit # 6857a6d)


2018.3.106-beta 2018.07.22
--------------------------

- miniupnpd: update to 2.1.20180706
- dnsmasq: update to 2.80test2 (Fri, 29 Jun 2018 15:39:41 +0200)
- tor: update to 0.3.3.8
- libjson-c: update to 0.13.1
- dnscrypt-proxy: update resolvers csv to 20180709
- WNR3500Lv2: add JFFS support
- Fix JFFS2 formatting for non RT-AC
- Increase the maximum size that is used when reading the ssh-host-key (to 4096 bits)
- Makefile: clean-up; remove variable CONFIG_LINUX26, which is no longer used since 4 years
- Makefile RT-AC: fix c (r2c) target; for unknown reasons, target c (r2c) was the same as a (r2a)
- Makefile RT-AC: changes for a (r2a) target: remove minidlna because of the large image size, add dnscrypt-proxy and JFFS instead
- Makefile RT-AC: add KERN_SIZE_OPT to f (r2f), i (r2i) and j (r2j) targets to save some space
- Revert "WNR3500Lv2: add JFFS support"; causing issues
- Revert "Fix JFFS2 formatting for non RT-AC"; causing issues


2018.3.082-beta 2018.07.09
--------------------------

- kernel RT/RT-N: update netfilter_bridge headers, to fix compilation of ebtables
- kernel: tweak input class modules, removing mouse/joystick support
- libcurl: update to 7.60.0
- sqlite: update to 3.24.0
- nano: update to 2.9.8
- ebtables: update to master-head as at May 25, 2018
- tor: update to 0.3.3.7
- xl2tpd: update to 1.3.12
- dnsmasq: update to 2.80test2 (Tue, 12 Jun 2018 17:37:40 +0200)
- libcurl: updated CA certificate bundle as of 2018-06-20
- tinc: update to 1.1pre16
- php: update to 7.2.7
- Updated adminer from 4.6.2 to 4.6.3 2018-06-28
- vsftpd: clean 3.0.3 sources, add patch instead; addtionally, change code optimization from -O2 to -Os to save some space
- samba: enable PARALLEL_BUILD directive for components. Change code optimization to -Os to save some space
- GUI: do not list HTTPS options on Admin Access page, if build with NO_HTTPS flag
- GUI: only include curl as a connection checker, if it's built
- GUI: openvpn: add AES-*-GCM ciphers to the available legacy ciphers
- nas-ups: fix of annoying error when APCUPSD Deamon is down on router start
- busybox: enable TEE command
- dnscrypt-proxy: remove unneeded public-resolvers.md file from build
- dnscrypt-proxy: define own timeout and number of tries for wget to use local copy of server list much quicker than with defaults
- openssl: change code optimization from -O3 to -Os to save some space
- pppd: change code optimization from -O2 to -Os to save some space
- nvram: change code optimization from -O2 to -Os to save some space
- et: change code optimization from -O2 to -Os to save some space
- rp-pppoe: change code optimization from -O2 to -Os to save some space
- accel-pptp: change code optimization from -O2 to -Os to save some space
- ipset: change code optimization from -O2 to -Os to save some space
- nettle: change code optimization from -O2 to -Os to save some space
- igmproxy: change code optimization from -O2 to -Os to save some space
- mysql: change code optimization from -O2 to -Os to save some space
- p910nd: change code optimization from -O2 to -Os to save some space
- lzo: change code optimization from -O3 to -Os to save some space
- apcupsd: fix code optimization to -Os to save some space
- portmap: fix code optimization to -Os to save some space
- pptpd: fix code optimization to -Os to save some space
- glib: fix code optimization to -Os to save some space
- nocat: change code optimization from -O2 to -Os to save some space
- nginx: change code optimization to -Os to save some space
- comgt: change code optimization to -Os to save some space
- transmission: add -Os flag also for g++ compiler to save same space
- patches: dnsmasq: log packet resize reports at debug level instead of warning since they are too frequent
- Makefile: Changes for wndr64* and f5d/f7d targets, due to the large image size; wndr64: remove minidlna; wndr64-vpn: remove samba; f5d/f7d: remove minidlna
- Makefile: kernel: optimize for size (gcc -Os) also for K26 builds
- Makefile: use kernel size optimization (gcc -Os) also for f5d, f7d and f9k targets, but remove as default behavour (added by one of merges from master branch)
- Makefile: enable back on minidlna for f5d and f7d targets
- router: httpd: tomato.c: fix typo
- router: Makefile: fix the issue causing the huawei_ether.ko module to be added to the image even when building without USB support - saving 60kB
- router: Makefile: cleanup
- router: Makefile: add PARALLEL_BUILD directive to dhcpv6
- router: Makefile: add PARALLEL_BUILD back to e2fsprogs
- router: Makefile: add size optimization to dnsmasq and compile with NO_DUMPFILE
- router: Makefile: add LOCKFILE/LOCKDIR to ebtables
- router: Makefile: change code optimization for openvpn from -O3 to -Os to save some KBs
- router: Makefile: remove dbclient from dropbear for f, i and j targets (Mini, MiniIPv6, MiniVPN), to save some space
- router: Makefile: compile dnsmasq with NO_ID, NO_AUTH and NO_GMP directive + some cosmetics
- router: rc: clean-up
- router: rc: init.c: fix compiler warnings
- router: rc: wan.c: start miniupnpd after httpd/later to avoid disabling IPv6 at miniupnpd startup (does happen sometimes with 2018-3) --> solves miniupnpd warning ("no HTTP IPv6 address, disabling IPv6") at reboot / restart
- router: www: status-overview.asp: fix wireless show/hide state retension
- router: www: advanced-tor.asp: fix search for specified words in Custom Configuration
- router: www: advanced-tor.asp: allow to enter "SocksPort" also in Custom Configuration
- router: www: basic-network.asp: fix a different URL to the VLAN page for MIPSR1 / MIPSR2
- router: www: clean-up to save some space
- router: httpd/rc: fix warnings in compiler


2018.3.006-beta 2018.06.01
--------------------------

- kernel: usb: qmi_wwan: add support for Netgear Fuse (Aircard 779S)
- kernel: IGMP: resolve potential for divide by 0, allowing remote attackers to cause a denial of service via IGMP packets (CVE-2012-0207)
- nano: update to 2.9.6
- transmission: update to 2.94
- miniupnpd: update to 2.1
- openssl: clean sources 1.0.2k, add patches instead
- openssl: update to 1.0.2o
- minidlna: update to 1.2.1
- e2fsprogs: update to 1.44.2 (fix toolchain to support it)
- nano: update to 2.9.7
- bridge-utils: update to 1.6 (plus commits in master as at May 7, 2018)
- samba: ported Samba 3.6.25 (SMB1 + SMB2 support) from asuswrt-merlin with all patches, deleted old Samba 3.0.37
- ntpd: transition from using ntpclient/ntpc to Busybox ntpd
- snmpd: update to v5.8.rc2
- php: update to 7.2.6
- tor: update to 0.3.3.6
- btools/libfoo.pl: there's no library to optimize in Samba 3.6.x, Makefile build Samba with static libraries
- BWL: Manipulate waniface only if QoS is Disabled
- Delete unnecessary /router/samba folder
- dhcpv6: incorporating and bringing inline against the below... Several fixes (router/dhcpv6/dhcp6c.c)
- dhcpv6: remove from commit 9274c3f fix: "dhcpv6: close file descriptors on exec", because it breaks compilation on mips
- dhcpv6: fixing use of memset. It was noted in this ticket, though no fix upstream. https://sourceforge.net/p/wide-dhcpv6/bugs/35/
- dhcpv6: no need for sizeoff(char) (in router/dhcpv6/dhcp6c.c)
- dhcpv6: fix dhcp6 parallel build failure with poudriere on FreeBSD, by implementing patch from bug 38
- dhcpv6: patch #1 from: https://sourceforge.net/p/wide-dhcpv6/bugs/36/ Resolve bind(control sock): Address already in use error
- dhcpv6: patch #2 from https://sourceforge.net/p/wide-dhcpv6/bugs/36/ Resolves bind(control sock): Address already in use issue
- dhcpv6: fix bad memset in auth.c
- dhcpv6: fix a number of resource/memory leaks
- httpd: fix potential FILE * resource leak
- httpd: allow for NULL termination on variable partname by increasing its size from 16 to 17
- httpd: rework save_variables procedure so that sprintf is not writing to the same variable, in which case the results are considered undefined
- miniupnpd: add real ipv6 support
- ntpd: clean ups in ntp start proc
- router/Makefile: e2fsprogs: fix e2fsprogs build; tune configure options, disable parallel makefile due errors, build only libraries needed by nfs (tomato uses e2fs tools from busybox)
- router/Makefile: openssl: make proper call to openssl Configure script
- router/Makefile: tinc: don't build doc and GUI
- router/Makefile: transmission: don't build cli tools
- router/Makefile: change "autoreconf" to "autoreconf -fsi" for pcre (sync with ARM branch)
- router/Makefile: change "autoreconf -fvi" to "autoreconf -fsi" for libnfsidmap (sync with ARM branch)
- router/Makefile: mdadm: skip building mdadm man pages
- router/Makefile: gmp: optimize gmp build; fix compilation with different autotools version, allow parallel make, don't build demos and doc
- router/Makefile: add "--ipv6" to miniupnpd-config
- router/Makefile: delete unnecessary code, after Samba 3.0.x and Samba 3.5.x
- router/Makefile: openssl: fix build break for "f" and "r2f" targets
- router/shared/defaults.c: disable "nf_sip" by default (GUI @ Tracking / NAT Helpers SIP - Option Off)
- samba: improve performance
- samba: chain code can return uninitialized memory when talloc buffer is grown (CVE-2017-15275)
- samba: Prevent client short SMB1 write from writing server memory to file (CVE-2017-12163)
- samba: only fallback to anonymous if authentication was not requested (CVE-2017-12150)
- www: Modified Bandwidth Limiter warnings
- www: advanced-vlan.asp: update to the newest version (Apr 16 2018)
- www: default theme - original 'usbblue'
- www: tools-wol.asp: WOL bugfix
- www: advanced-firewall.asp: fix typo at IGMP proxy notes section (wrong example value for downstream threshold)
- www: Makefile: cleanup comments more aggressively 


2018.2          2018.05.13
--------------------------
not public

- kernel: ip6_tunnel: get the min mtu properly in ip6_tnl_xmit
- Add Netgear WNDR3400v3 support
- Add/Update Belkin F5D/F7D/F9K support
- igmpproxy: update to 0.2.1
- usb_modeswitch: update to 2.52, and data package to 2017-08-06
- xl2tpd: update to 1.3.11
- tinc: update to 1.1pre15
- miniupnpd: update to 2.0.20180503
- OpenVPN: update to 2.4.6
- nginx: update to 1.13.8 Mainline version (from 1.10.3 Legacy version)
- php: update to 7.2.5
- nettle: update to 3.4
- minidlna: clean sources 1.1.6, add patch instead
- dropbear: update to 2018.76
- dnscrypt-proxy: change update-resolvers script to process v2 resolvers format
- dnscrypt-proxy: update local copy of dnscrypt-resolvers.csv file
- dnscrypt-proxy: added possibility to enable in GUI ephemeral-keys option
- libid3tag: fix build/link error on Ubuntu + some additional fixes
- dnsmasq: cosmetics
- GUI: fix BWM/IPT graphs
- GUI: Wireless Filter: add ability to choose filtering method on every physical and virtual wifi interface separately
- GUI: Virtual Wireless Interfaces: fixed lack of 80MHz bandwith for the 5GHz band in drop down list
- GUI: www: default theme - original 'usbblue'
- GUI: add possibility to change default IP (198.51.100.1) where DNS queries send to trigger connect-on-demand
- GUI: basic-network.asp: LCP Echo (Interval|Link fail limit) is used also with PPTP, L2TP and PPP3G so let's make it possible to modify.
- A collection of patches and fixes to make it to work pppoe, pptp_client, PPTP server, wan, mwan, etc (@tsynik)
- adblock: add NoCoin list to adblock (cryptomining)
- adblock: fix issue with too short field for blacklist url (90 -> 130 chars)
- adblock: fix logic of parsing downloaded blacklist files
- allow IGMPv3 for LAN
- IGMP proxy: add the possiblity for a custom config (instead of the tomato default)
- Static IPv6 configuration changes/improvements
- www/qos-settings.asp: fixed issue #11 - QoS bandwidth calculation is missing since v132
- Improvements to 'sysinfo' script
- WL: wireless survey rework
- httpd/tomato.c: cleanup
- others/switch4g: add B8 (900 MHz) LTE band to choose from
- others/watchdog: increase curl timeout from 3 to 5 seconds in ckcurl function
- rc: usb.c/init.c fixed old typos
- rc/misc.c: FTP data connection fails from WAN side when port is not 21
- rc/redial.c: re-connection problems have been resolved with Keep Alive mode on PPPoE/PPTP/L2TP
- rc/services.c: miniupnpd - changed the coding to use an interface name for the listening_ip= value instead of an IP/netmask to prevent log flood
- rc/services.c: fixes issues with httpd
- rc/services.c: Connect On Demand could no longer work as designed, due to address 1.1.1.1 becoming a legit recursive DNS server, so a different IP address was chosen for this purpose.
- rc/wan.c: fixed shutdown of the 4g/lte modem during router restart
- rc/wan.c: cosmetics + preparation for upcoming changes in switch3g
- rc/wan.c: removed "bump wan state file on connect (don't wait watchdog result)"
- router/wan.c: cleanup (some addtions to chat file; add: ppp_debug also switch on debbuging mode in chat)
- busybox: change uname
- Multiwan: rc/nvram/defaults: add forgotten "wanX_ppp_redialperiod" default values for wans 2-4
- patches: cosmetics in php patch
- Makefile: Fix TOR build on some systems
- Makefile: --with-mysql option is no longer supported in PHP7. You need to use mysqli extension for this.
- router/Makefile: enabled mini-gmp, saves 4KB


2018.1.066-beta 2018-04-27
--------------------------

- kernel: patch kernel against CVE-2016-10229
- kernel: disable router anycast address for /127 and /128 prefixes
- kernel: resolve force_igmp_version ignored when a IGMPv3 query received
- kernel: igmp: add a missing spin_lock_init()
- kernel: igmp: acquire pmc lock for ip_mc_clear_src()
- kernel: proc/sysctl: fix the int overflow for jiffies conversion
- kernel: net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
- flac: update to 1.3.2
- libxml2: update to 2.9.3
- libpng: update to 1.2.57
- libcurl: update to 7.59.0
- pcre: update to 8.42
- nano: update to 2.9.5
- libsodium: update to 1.0.15
- Tor: update to 0.3.2.10
- OpenVPN: update to 2.4.5
- dnscrypt-proxy: update to 1.9.5
- dnsmasq: update to 2.79
- adminer: update to 4.6.2 2018-02-20 (only English)
- uqmi: updated to uqmi-8ceeab6
- lzo: update to 2.10
- libcurl: update CA certificate bundle as of 2018-03-07
- libexif: update to 0.6.21
- libogg: update to 1.3.3
- libvorbis: update to 1.3.6
- libusb: update to 1.0.22
- pptpd: update to 1.4.0
- rp-pppoe: update to 3.12
- ntfs-3g: update to 2017.3.23
- sqlite: update to 3.23.1
- GUI: OpenVPN: add LZ4, NCP and auth digest support
- GUI: IP Traffic and Bandwith monitors: add possibility to change unit of displayed speeds (kbit/KB and Mbit/MB)
- GUI: QoS/BW Limiter: increase the maximum number of digits in speed fields to 8
- GUI: add possibility to select LTE band and roaming on 4G/LTE connection
- libcurl: size optimization (disable proxy and libcurl output options)
- OpenVPN: change configuration option 'tls-remote' to 'remote-cert-tls', because 'tls-remote' is deprecated or even removed in newest openvpn version
- OpenVPN client: fixed issue #136: added 'route-noexec' to client configuration to prevent DNS leaks
- OpenVPN: change default client's remote/local IPs, so each is different
- OpenVPN: change default remote/local IPs/subnet for servers, so each is different
- switch3g/4g, watchdog: fix modem recognition, logic of watchdog
- switch4g: improved/fixed QMI modem support
- busybox: drop modules.dep path hack, it doesn't required
- busybox: add hostname applet, required by some Entware packages
- minidlna: add persistent uuid based on router's mac
- Miniupnpd: [PATCH] Tomato Specific: Enable Miniupnpd portinuse check
- Makefile: disable RAID (mdadm binary) on AIO (z) and Mega-VPN (o) targets
- router/Makefile: remove dependencies from various install recipes, to reduce the amount of double (and triple) recompile duing build
- flac: fix compilation on Mint x64
- nfs-utils: PATCH exportfs: getexportent interprets -test-client- as default options
- rc/ppp.c: typo
- rc/pptp_client.c: add pptp-client user/pass quotation (fix issue #148)
- rc/services.c: [PATCH] REVERT: Do not write out 'no-dhcp-interface' in dnsmasq.conf
- rc/services.c: SIGINT seems to be issued too soon against dnsmasq - wait one second before doing so
- rc/services.c: correct val for unlink 
- rc/services.c: avoid concurrent connections
- rc/tor.c: removed deprecated option from config (AllowUnverifiedNodes)
- rc/tor.c: add localhost ports and .onion support; disable IPv6 names resolution for onion domains by default;
  enable LAN pool for clients; add AvoidDiskWrites option to config
- rc/wan.c: fix typos, redial period for pppd
- rc/wan.c: move l2tp route fix to preset_wan
- rc/wan.c: don't terminate xl2tpd on every ppp start
- rc/wan.c: dnsmasq process was receiving a second SIGINT signal. Instead of triggering another DNSSEC time checking, it was killing process
- rc/wan.c: start adblock only when wan is up
- rc/wan.c: fix boot with only secondary/etc wan active (assume current wan is primary if previous is not up)
- rc/wan.c: adblock improvments, just start once
- rc/wan.c: cleanup
- rc/watchdog.c: changed one of connection checkers from wget to curl; now this is a recommended method for LTE connections
- fix "Enable DSCP Fix", and make it MultiWan aware *
- fix ntpc for mwan
- ipv4: Resolve force_igmp_version ignored when a IGMPv3 query received
- upnp: external and internal port arguments are swapped in miniupnpd's config file
- Code cleanup/improvements
- Make igmpproxy MWAN-friendly (It flooded logs when only secondary wan was connected)
- Improve vpnrouting and switch3g script logic, other small changes
- tinc: Add daemon poll option to check if the daemon is running, Similar to OpenVPN
- Revert: GUI: fix problem with passing Tagged/UNtagged on same port when using default vlan (Not working as intended/has problems)


2018.1.010-beta 2018-04-15
--------------------------
not public

- dnsmasq: update to 2.78
- nano: update to 2.8.1
- ncurses: update to 6.1
- transmission: update to 2.93
- php: update to 5.6.33
- GUI: fix issue with too short field for DNS 1/DNS 2
- GUI: fix problem with passing Tagged/UNtagged on same port when using default vlan
- E2500/3200: change nvram size to 32kB, to prevent the 5GHz radio from disappearing
- sqlite: update to 3.23.1