Commits on Dec 8, 2017
  1. opkg: bump to version 2017-12-08

    Rafał Miłecki
    Rafał Miłecki committed Dec 8, 2017
    This updates package to the latest commit from the lede-17.01 branch. It
    contains few fixes backported from the master:
    1) SHA256 fix
    2) URL encoding which allows hosting packages on some more picky servers
    9f61f7a opkg_download: decode file:/ URLs
    3c46c88 file_util: implement urldecode_path()
    79908c2 file_util: consolidate hex/unhex routines
    793fbac opkg: encode archive filenames while constructing download URLs
    a6bb5cb file_util: implement urlencode_path() helper
    098e774 libopkg: fix SHA256 calculation for big endian system
    Signed-off-by: Rafał Miłecki <>
Commits on Dec 7, 2017
  1. hostapd: backport fix for wnm_sleep_mode=0

    Timo Sigurdsson authored and stintel committed Nov 14, 2017
    wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
    Network Management (WNM) Sleep Mode handshake. Currently, hostapd
    processes WNM Sleep Mode requests from clients regardless of the setting
    wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
    order to ignore such requests by clients when wnm_sleep_mode is disabled
    (which is the default).
    Signed-off-by: Timo Sigurdsson <>
    [rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
    Signed-off-by: Stijn Tintel <>
    (cherry picked from commit bd45e15
     fixed PKG_RELEASE and renumbered patch)
  2. hostapd: Expose the tdls_prohibit option to UCI

    Timo Sigurdsson authored and stintel committed Nov 14, 2017
    wpa_disable_eapol_key_retries can't prevent attacks against the
    Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
    that the existing hostapd option tdls_prohibit can be used to further
    complicate this possibility at the AP side. tdls_prohibit=1 makes
    hostapd advertise that use of TDLS is not allowed in the BSS.
    Note: If an attacker manages to lure both TDLS peers into a fake
    AP, hiding the tdls_prohibit advertisement from them, it might be
    possible to bypass this protection.
    Make this option configurable via UCI, but disabled by default.
    Signed-off-by: Timo Sigurdsson <>
    (cherry picked from commit 6515887)
Commits on Dec 6, 2017
  1. dnsmasq: backport infinite dns retries fix

    dedeckeh committed Dec 6, 2017
    If all configured dns servers return refused in response to a query in
    strict mode; dnsmasq will end up in an infinite loop retransmitting the
    dns query resulting into high CPU load.
    Problem is fixed by checking for the end of a dns server list iteration
    in strict mode.
    Signed-off-by: Hans Dedecker <>
Commits on Dec 4, 2017
  1. curl: apply CVE 2017-8816 and 2017-8817 security patches

    Stijn Segers authored and dedeckeh committed Dec 3, 2017
    This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01
    Curl package.
    Compile-tested on ar71xx, ramips and x86.
    Signed-off-by: Stijn Segers <>
  2. mt76: update to the latest version

    nbd168 committed Nov 17, 2017
    Significant performance/stability improvements for MT76x2 and MT7603.
    Adds LED support.
    2895775 mt76x2: mcu: remove unused parameter in mt76x2_mcu_msg_alloc signature
    1dae8f0 mt7603: mcu: remove unused parameter in mt7603_mcu_msg_alloc() signature
    5e49aa9 Fix errors found by cppcheck
    1b8c8a0 mt7603: add LED definition registers
    4d83561 mt76x2: add LED register definitions
    2f40e4a mt76x2: Support using PCI ID as chip ID
    27c64bc mt76: add led support using mac80211 led framework
    dfd64fc mt76x2: init: add ma80211 led callbacks
    215edf1 mt7603: init: add ma80211 led callbacks
    9d36ff2 mt76x2: Add PCI identifier for MT7602
    0b7984e mt7603: remove unnecessary mcu register read function
    f5498d2 debugfs: add support for changing the LED pin
    8e453b3 mac80211: move DT led configuration to the "led" child node
    8f1673a mt76x2: limit client WCID entries to 0-127
    f9d9c22 mt76x2: clear drop flag for all WCIDs on init
    0dd8b68 mt76x2: clear per-WCID tx rate lookup register
    3e5afe7 mt76x2: add helper function for setting drop mask
    941555b mt76x2: clear drop mask when sending a PS response
    7dfb354 mt76: increase rx ring size for mt76x2
    73902dc mt76x2: add rx statistics registers
    fe79816 mt76x2: fix LNA gain register annotation
    cc588c5 mt76x2: sync channel gain value with latest reference driver
    60a4d67 mt76x2: implement dynamic AGC tuning based on false packet detection count
    4bc9aa9 mt76x2: add more gain tuning based on the latest reference driver
    0a0d16f mt76x2: sync tx power related values with reference driver
    8c821aa mac80211: add missing include
    82acc85 mt7603: add missing include required on newer kernels
    2c1a77c mt76x2: fix transmission of encrypted management frames
    0532315 mt76x2: increase OFDM SIFS time
    1acde21 mt76x2: add channel argument to eeprom tx power functions
    58364a2 mt76x2: initialize channel power limits
    c2bd89e mt76x2: convert between per-chain tx power and combined output
    e7eaa7c mt7603: rename mt7603_mac_reset to mt7603_pse_reset
    ea4c2a1 mt7603: rename MT_PSE_RESET register
    c86c3a0 mt7603: remove watchdog reset on interface stop
    4490f93 mt7603: remove WARN_ON_ONCE for workaround checks
    3075059 mt7603: simplify PSE reset
    4ed7e07 mt7603: warn if PSE reset fails
    7dc8db1 mt7603: clean up dma debug reads
    41e6a04 mt7603: make mt7603_mac_watchdog_reset() static
    dc7a351 mt7603: clear wtbl PS bit for powersave responses
    123acf2 mt7603: set tx-skip flag for powersave clients
    7dd2a9e mt7603: initialize wtbl ps flag on station add
    86ddef3 mt76x2: remove some harmless WARN_ONs in tx status and rx path
    e326bc2 mt7603: remove some harmless WARN_ONs in rx path
    Signed-off-by: Felix Fietkau <>
  3. tools: patch various gnu tools for macOS 10.13

    rmounce authored and nbd168 committed Aug 3, 2017
    These host tools compile but may crash at runtime when building on
    macOS 10.13 (High Sierra). Backport upstream gnulib patch until new
    releases of affected tools.
    Signed-off-by: Ryan Mounce <>
  4. samba36: backport an upstream fix for an information leak (CVE-2017-1…

    nbd168 committed Dec 4, 2017
    Signed-off-by: Felix Fietkau <>
Commits on Nov 27, 2017
  1. ramips: backport MT7628 pinmux fixes

    mkresin committed Nov 18, 2017
    According to the datasheet the REFCLK pin is shared with GPIO#37 and
    the PERST pin is shared with GPIO#36.
    While at it fix a typo inside the pinmux setup code. The function is called
    refclk and not reclk.
    Update device tree source files accordingly.
    Signed-off-by: Mathias Kresin <>
  2. ramips: add missing reset button for Nexx WT1520

    musashino205 authored and mkresin committed Nov 25, 2017
    This commit adds missing the GPIO key used as reset button.
    Nexx WT1520 has a GPIO key for factory reset, but it's not defined in
    WT1520.dtsi and cannot use it.
    Drop the UART (full) from the device tree source file, it was never
    used for this board. Adjust the kernel bootargs accordingly.
    Signed-off-by: INAGAKI Hiroshi <>
    [add note about dropped UART (full) to the commit message]
    Signed-off-by: Mathias Kresin <>
  3. wireguard: bump to snapshot 20171127

    Kevin Darbyshire-Bryant authored and dedeckeh committed Nov 27, 2017
    == Changes ==
     * compat: support timespec64 on old kernels
     * compat: support AVX512BW+VL by lying
     * compat: fix typo and ranges
     * compat: support 4.15's netlink and barrier changes
     * poly1305-avx512: requires AVX512F+VL+BW
     Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.
     * blake2s: AVX512F+VL implementation
     * blake2s: tweak avx512 code
     * blake2s: hmac space optimization
     Another terrific submission from Samuel Neves: we now have an implementation
     of Blake2s using AVX512, which is extremely fast.
     * allowedips: optimize
     * allowedips: simplify
     * chacha20: directly assign constant and initial state
     Small performance tweaks.
     * tools: fix removing preshared keys
     * qemu: use https site
     * qemu: take shared lock for untarring
     Small bug fixes.
    Remove myself from the maintainers list: we have enough and I'm happy to
    carry on doing package bumps on ad-hoc basis without the 'official'
    Run-tested: ar71xx Archer C7 v2
    Signed-off-by: Kevin Darbyshire-Bryant <>
Commits on Nov 26, 2017
  1. kernel: bump 4.4 to 4.4.102

    bladeoner authored and hauke committed Nov 26, 2017
    Refreshed all patches.
    Removed upstream ramips patch: 0063-set-CM_GCR_BASE_CMDEFTGT_MEM-according-to-datasheet.patch
    Compile-tested: ar71xx
    Run-tested: ar71xx
    Signed-off-by: Etienne Haarsma <>
    Tested-by: Stijn Segers <>
Commits on Nov 24, 2017
  1. wireguard: bump to 20171122

    Kevin Darbyshire-Bryant authored and dedeckeh committed Nov 24, 2017
    Bump to latest WireGuard snapshot release:
    ed479fa (tag: 0.0.20171122) version: bump snapshot
    efd9db0 chacha20poly1305: poly cleans up its own state
    5700b61 poly1305-x86_64: unclobber %rbp
    314c172 global: switch from timeval to timespec
    9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
    7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
    abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
    6507a03 chacha20poly1305: add more test vectors, some of which are weird
    6f136a3 compat: new kernels have netlink fixes
    e4b3875 compat: stable finally backported fix
    cc07250 qemu: use unprefixed strip when not cross-compiling
    64f1a6d tools: tighten up strtoul parsing
    c3a04fe device: uninitialize socket first in destruction
    82e6e3b socket: only free socket after successful creation of new
    df318d1 compat: fix compilation with PaX
    d911cd9 curve25519-neon: compile in thumb mode
    d355e57 compat: 3.16.50 got proper rt6_get_cookie
    666ee61 qemu: update kernel
    2420e18 allowedips: do not write out of bounds
    185c324 selftest: allowedips: randomized test mutex update
    3f6ed7e wg-quick: document localhost exception and v6 rule
    Compile-tested-for: ar71xx
    Run-tested-on: ar71xx Archer C7 v2
    Signed-off-by: Kevin Darbyshire-Bryant <>
Commits on Nov 22, 2017
  1. ramips: fix Planex CS-QR10 device packages

    mkresin committed Nov 18, 2017
    Add kmod-sound-core, it is a dependency of kmod-sound-mt7620 and will
    not be autoselected.
    Remove kmod-i2c-core, it will be autoselected by kmod-i2c-ralink.
    Signed-off-by: Mathias Kresin <>
  2. ramips: fix DCH-M225 support

    mkresin committed Nov 18, 2017
    Setting the pins of the uartf group to gpio+i2s at the time the i2c
    driver loads is to late for the WPS gpio button.
    The gpio-keys driver fails to load since the pin used by the WPS button
    is not yet set to GPIO. The WPS button with the rfkill keycode is
    essential for this wifi only board.
    Add the missing sound and i2c kernel modules corresponding to the
    device nodes.
    Signed-off-by: Mathias Kresin <>
Commits on Nov 20, 2017
  1. dnsmasq: load instance-specific conf-file if exists

    epinter authored and dedeckeh committed Nov 15, 2017
    Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
    but not used by dnsmasq.
    Signed-off-by: Emerson Pinter <>
Commits on Nov 17, 2017
  1. rpcd: update to version 2017-11-12

    dangowrt committed Nov 17, 2017
    a0231be8fbc61 fix memory leak in packagelist
    4e483312b0216 sys: add packagelist method
    Signed-off-by: Daniel Golle <>
Commits on Nov 16, 2017
  1. brcm47xx: fix switch port mapping on D-Link DIR-330

    gtrtfm authored and mkresin committed Nov 2, 2017
    D-Link DIR-330 is clone of ASUS WL500GP2, by default conf the WAN port is
    eth1, it's not working cus eth1 not soldered and wan port function
    performs 5th port of the switch.
    Signed-off-by: Antony Black <>
  2. wireguard: fix portability issue

    nbd168 authored and dedeckeh committed Nov 11, 2017
    Check if the compiler defines __linux__, instead of assuming that the
    host OS is the same as the target OS.
    Signed-off-by: Felix Fietkau <>
  3. wireguard: move to kernel build directory

    nbd168 authored and dedeckeh committed Nov 11, 2017
    It builds a kernel module, so its build dir should be target specific
    Signed-off-by: Felix Fietkau <>
  4. wireguard: bump to 0.0.20171111

    Kevin Darbyshire-Bryant authored and dedeckeh committed Nov 16, 2017
    edaad55 (tag: 0.0.20171111) version: bump snapshot
    7a989b3 tools: allow for NULL keys everywhere
    46f8cbc curve25519: reject deriving from NULL private keys
    9b43542 tools: remove ioctl cruft
    f6cea8e allowedips: rename from routingtable
    23f553e wg-quick: allow for tabs in keys
    ab9befb netlink: make sure we reserve space for NLMSG_DONE
    73405c0 compat: 4.4.0 has strange ECN function
    868be0c wg-quick: stat the correct enclosing folder of config file
    ceb11ba qemu: bump kernel version
    0a8e173 receive: hoist fpu outside of receive loop
    bee188a qemu: more debugging
    f1fdd8d device: wait for all peers to be freed before destroying
    2188248 qemu: check for memory leaks
    c77a34e netlink: plug memory leak
    0ac8efd device: please lockdep
    a51e196 global: revert changes
    65c49d7 Kconfig: remove trailing whitespace
    Compile-tested-for: ar71xx
    Run-tested-on: ar71xx Archer C7 v2
    Signed-off-by: Kevin Darbyshire-Bryant <>
Commits on Nov 15, 2017
  1. procd: update to latest git HEAD (fixes and improvements)

    dedeckeh committed Nov 15, 2017
    d9dc0e0 service: fix calls to blobmsg_parse()
    5db8f70 procd: add missing new lines inside debug code
    8d5d29c service: fix SERVICE_ATTR_NAME usage in service_handle_set
    Signed-off-by: Hans Dedecker <>
Commits on Nov 12, 2017
  1. openssl: update to 1.0.2m

    tripolar authored and lynxis committed Nov 9, 2017
    don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:
    ../ undefined reference to `SSLv3_client_method'
    Fixes CVE: CVE-2017-3735, CVE-2017-3736
    Signed-off-by: Peter Wagner <>
Commits on Nov 10, 2017
  1. brcm47xx: fix switch port mapping on Asus RT-N12 and RT-N16 models

    jow- committed Jul 19, 2017
    On Asus RT-N12 and RT-N16 models, the WAN and LAN4 ports are swapped in the
    initial switch configuration since the presets present in nvram appear to be
    Add special casing for these models to detect_by_model() in order to ensure
    a proper switch configuration.
    Fixes FS#502.
    (cherry picked from commit 96ed69101da254b0cb61a0dfc42bd48d27bfacb9
      and squashed with commit f2fdd68)
    Signed-off-by: Jo-Philipp Wich <>
Commits on Nov 9, 2017
  1. rpcd: update to the latest version from 2017-11-09

    Rafał Miłecki
    Rafał Miłecki committed Nov 9, 2017
    9a8640183c031 plugin: use RTLD_LOCAL instead of RTLD_GLOBAL when loading library
    Signed-off-by: Rafał Miłecki <>
  2. mountd: bump to git HEAD version (optimization fixes)

    dedeckeh committed Nov 9, 2017
    7826ca5 mount: add mount with ignore=1 for unsupported filesystems
    75e7412 mount: drop duplicated filesystem check from mount_add_list
    Signed-off-by: Hans Dedecker <>
Commits on Nov 8, 2017
  1. fix default_postinst function

    ratkaj authored and mkresin committed Nov 7, 2017
    When we run "opkg install" on a package that installs an uci-defaults
    script, will fail to evaluate that script in its
    default_postinst function.
    This happens because there is no "./" present and it searches for the
    file in paths specified by the PATH variable. This would work on bash,
    but it will not work on ash and some other shells like sh, zsh. This
    applys to the ". filename" directive used in this case.
    This patch will make the path relative to the /etc/uci-defaults
    Fixes: FS#1021
    Signed-off-by: Marko Ratkaj <>
Commits on Nov 5, 2017
  1. wireguard: version bump to 0.0.20171101

    Kevin Darbyshire-Bryant authored and dedeckeh committed Nov 3, 2017
    Update wireguard to latest snapshot:
    9fc5daf version: bump snapshot
    748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
    7be9894 timers: switch to kees' new timer_list functions
    6be9a66 wg-quick: save all hooks on save
    752e7af version: bump snapshot
    2cd9642 wg-quick: fsync the temporary file before renaming
    b139499 wg-quick: allow for saving existing interface
    582c201 contrib: add reresolve-dns
    8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
    c138276 wg-quick: allow for the hatchet, but not by default
    d03f2a0 global: use fewer BUG_ONs
    6d681ce timers: guard entire setting in block
    4bf32ca curve25519: only enable int128 if compiler support is sound
    86e06a3 device: expand scope of destruct lock
    e3661ab global: get rid of useless forward declarations
    bedc77a device: only take reference if netns is different
    7c07e22 wg-quick: remember to rewind DNS settings on failure
    2352ec0 wg-quick: allow specifiying multiple hooks
    573cb19 qemu: test using four cores
    e09ec4d global: style nits
    4d3deae qemu: work around ccache bugs
    7491cd4 global: infuriating kernel iterator style
    78e079c peer: store total number of peers instead of iterating
    d4e2752 peer: get rid of peer_for_each magic
    6cf12d1 compat: be sure to include header before testing
    3ea08d8 qemu: allow for cross compilation
    d467551 crypto/avx: make sure we can actually use ymm registers
    c786c46 blake2: include headers for macros
    328e386 global: accept decent suggestions
    a473592 compat: fix up stat calculation for udp tunnel
    9d930f5 stats: more robust accounting
    311ca62 selftest: initialize mutex in routingtable selftest
    8a9a6d3 netns: use time-based test instead of quantity-based
    e480068 netns: use read built-in instead of ncat hack for dmesg
    Compile-tested-for: ar71xx
    Run-tested-on: ar71xx Archer C7 v2
    Signed-off-by: Kevin Darbyshire-Bryant <>
Commits on Nov 3, 2017
  1. ar71xx: fix LED config for DIR-869 A1

    Florian Beier authored and mkresin committed Oct 25, 2017
    This fixes the LED configuration for the D-Link DIR-869 A1. In order to
    support the device I probed around using an initramfs image for the
    UniFi AC. Pulling GPIO 15 to low enabled the LEDs while high disabled them.
    GPIO 16 set to low meant that the color was white while pulling it to high
    made the color change to orange. The past code was written based upon these
    However, running a flashed image I now discovered that GPIO 15 controls the
    orange LEDs while GPIO 16 controls the white ones and that both are active
    when low. This means that the GPIOs were inverted and one active_low was set
    wrong which this patch fixes.
    Behavior of the LED front after this patch is applied:
    cat /sys/devices/platform/leds-gpio/leds/d-link:white:status/brightness
    0   -> white LEDs are OFF
    255 -> white LEDs are ON
    cat /sys/devices/platform/leds-gpio/leds/d-link🍊status/brightness
    0   -> orange LEDs are OFF
    255 -> orange LEDs are ON
    If the brightness of both is set to 255 the LED front will be white.
    If the brightness of both is set to 0 the LED front will be off.
    Signed-off-by: Florian Beier <>
  2. ipq806x: nbg6817: sync MAC addresses to the upstream values

    pkgadd authored and mkresin committed Oct 30, 2017
    The ZyXEL NBG6817 calculates all MAC addresses based on the ethaddr
    value stored in the U-Boot environment (0:APPSBLENV). No MAC addresses
    are stored in the ART partition and the generated MAC addresses for the
    wlan interfaces alternate randomly between 12:34:56:78:90:12 and
    interface	  new/ OEM MAC	old MAC
    wlan-2.4g (phy1): ethaddr	undefined
    wlan-5g   (phy0): ethaddr + 1	undefined
    lan             : ethaddr + 2	ethaddr
    wan             : ethaddr + 3	ethaddr + 1
    This patch defines stable MAC addresses for the wlan interfaces for
    the first time instead of generating them at random. The previously
    defined values for lan/ wan are changed to follow the settings of the
    OEM firmware.
    Signed-off-by: Stefan Lippers-Hollmann <>
  3. ipq806x: nbg6817: add kmod-fs-ext4 to device packages

    pkgadd authored and mkresin committed Oct 19, 2017
    The ZyXEL NBG6817 uses an eMMC flash for the rootfs, which is split
    into the readonly squashfs and ext4 for the overlay. This adds the
    required package to the device packages to allow mounting the overlay
    by default.
    /dev/root on /rom type squashfs (ro,relatime)
    proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
    sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
    tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
    /dev/loop0 on /overlay type ext4 (rw,noatime,data=ordered)
    overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
    tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
    devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
    debugfs on /sys/kernel/debug type debugfs (rw,noatime)
    mountd(pid1040) on /tmp/run/blockd type autofs (rw,relatime,fd=7,pgrp=1,timeout=30,minproto=5,maxproto=5,indirect)
    Before this commit, the ext4 based overlayfs could not be mounted,
    which left only the tmpfs based/ volatile  emergency overlay in place.
    Signed-off-by: Stefan Lippers-Hollmann <>
  4. uclient: update to the latest version, fixes fetch of multiple files

    nbd168 committed Nov 2, 2017
    4b87d83 uclient-fetch: fix overloading of output_file variable
    Signed-off-by: Felix Fietkau <>
Commits on Oct 27, 2017
  1. ramips: fix Youku-YK1 support

    RoEdAl authored and mkresin committed Oct 21, 2017
    Remove the ephy-pins from the ethernet device tree node. The ephy-pins
    are useed to controll the ePHY LEDs and this board doesn't have these.
    Instead one of the ePHY pins is used in GPIO mode to control the WAN
    Use the switch LED trigger to control the WAN LED. Move the power LED
    handling to to show the boot status via this LED.
    Add the missing kernel packages for USB and microSD card reader to the
    default package selection.
    Fix the maximum image size value. The board has a 32MByte flash chip.
    Fixes: FS#1055
    Signed-off-by: Edmunt Pienkowsky <>
    [make the commit message more verbose, remove GPIO pinmux for pins not
    used as GPIOs]
    Signed-off-by: Mathias Kresin <>
Commits on Oct 25, 2017
  1. tools/squashfs4: include sysmacros.h explicitly

    eamaclean authored and mkresin committed Oct 23, 2017
    glibc is moving to remove the include of sys/sysmacros.h from
    sys/types.h, and some distros have done this early. Other libcs may
    already lack this include. Include sysmacros.h explicitly.
    Fixes: FS#1017
    Signed-off-by: Alex Maclean <>
    [refresh patches]
    Signed-off-by: Mathias Kresin <>
  2. tools/squashfs: include sysmacros.h explicitly

    eamaclean authored and mkresin committed Oct 23, 2017
    glibc is moving to remove the include of sys/sysmacros.h from
    sys/types.h, and some distros have done this early. Other libcs may
    already lack this include. Include sysmacros.h explicitly.
    Fixes: FS#1018
    Signed-off-by: Alex Maclean <>