From 60afb154885897bdb9c7170896210c62941a6856 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mattias=20Walstr=C3=B6m?= Date: Sun, 7 Jun 2026 11:52:15 +0200 Subject: [PATCH 1/2] Changelog: Add note about firewall changes Enable NAT no longer enable forwarding on *all* interfaces. --- doc/ChangeLog.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md index 956c7935a..5e9855ce1 100644 --- a/doc/ChangeLog.md +++ b/doc/ChangeLog.md @@ -18,6 +18,12 @@ All notable changes to the project are documented in this file. - Add `legacy-rates` option to re-enable 802.11b rates on 2.4 GHz for old IoT devices (disabled by default) +### Fixes + +- Firewall masquerade no longer enables the global IPv4/IPv6 forwarding + sysctls. You must now enable IP forwarding explicitly on the interfaces + that should route traffic; enabling NAT alone is no longer enough + [wifi]: wifi.md [v26.05.0][] - 2026-05-29 From 5cdabe555f8b3b82bc3904e13b9b9ad18d72c0c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mattias=20Walstr=C3=B6m?= Date: Sun, 7 Jun 2026 11:53:09 +0200 Subject: [PATCH 2/2] hostapd: Do not limit BSSID hostapd limit hard what BSSID to use, this since hosatpd is desinged to use radio-mac+n as default. We demand the user to select the MAC address, if having multiple BSS. --- .../hostapd/0003-more-limit-bssid-mask.patch | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 patches/hostapd/0003-more-limit-bssid-mask.patch diff --git a/patches/hostapd/0003-more-limit-bssid-mask.patch b/patches/hostapd/0003-more-limit-bssid-mask.patch new file mode 100644 index 000000000..4349057ec --- /dev/null +++ b/patches/hostapd/0003-more-limit-bssid-mask.patch @@ -0,0 +1,17 @@ +diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c +index 72a0bf503..9bdc2b41d 100644 +--- a/src/ap/hostapd.c ++++ b/src/ap/hostapd.c +@@ -916,12 +916,6 @@ static int hostapd_validate_bssid_configuration(struct hostapd_iface *iface) + if (bits < j) + bits = j; + +- if (bits > 40) { +- wpa_printf(MSG_ERROR, "Too many bits in the BSSID mask (%u)", +- bits); +- return -1; +- } +- + os_memset(mask, 0xff, ETH_ALEN); + j = bits / 8; + for (i = 5; i > 5 - j; i--)