Releases: wave-cl/oxwrt

oxwrt v0.2.0

21 Apr 21:24

[0.2.0] — 2026-04-21

release.sh

  • BSD-awk-compatible CHANGELOG prepend (f9bc755)

security

  • prune firewall deferred-items list to genuine non-goals (3b6eda7)
  • live-audit findings for debug-ssh + upnpd (2a80c61)
  • drop NET_ADMIN from corerad, document why hostapd keeps it (4885cec)
  • debug-ssh bold warning + host-netns SECURITY entry + veth validator (a18b0c9)

firewall

  • absolute-date schedule windows (c6e0c72)
  • NOTRACK — rule-level conntrack bypass (42bb346)
  • QoS primitives — set_mark + set_dscp (5632f4f)
  • CT helpers (FTP, SIP, TFTP, PPTP, H.323, IRC) (f68bee1)
  • fw4-parity pass 2 — mtu_fix, forwardings, synflood, rule-level counter/burst/reject_with/device (df186bf)
  • port ranges + proto-only rule support (edab449)
  • IPv6 port-forwards + declarative ipsets (fw4-parity) (3660afc)
  • baseline defaults + config examples + SECURITY.md (0e633e4)
  • port-forward reflection (hairpin NAT) + IPv6 masquerade (22ccb09)
  • rule primitives (ip/mac/port/icmp-type/limit/log/enabled) + zone output policy (0d13f3e)
  • schedule field for time-based rules via meta day / meta hour (83b3a6d)
  • [[firewall.raw_nft]] escape hatch for unusual rules (c60ee84)
  • tighten rule validator — dnat consistency + icmp/port + empty name (7b149fe)
  • replace boolean shortcuts with zone + rule model (7da5acb)

validate

  • preserve 'invalid internal IP' error wording (053b7c9)

ci

  • tag-triggered release workflow (f001dc1)
  • rust-toolchain.toml pin + make ci-check mirror target (8e5fd63)
  • more clippy-1.95 sites in oxwrtd + raise QEMU test caps (a64ac49)
  • clippy 1.95 lints in linux-only code + serialise metrics tests (24ba8b5)
  • fix clippy (1.95 doc-lazy / large-enum) + QEMU config path (7bcb1c8)
  • scripts/release.sh + CHANGELOG.md bootstrap (a1d9829)
  • QEMU harness already exists; add rollback + dry-run assertions (26f3e03)
  • scope fmt check to oxwrt workspace packages only (672c3e4)
  • fix missing squic checkout in fmt + missing fields in net.rs test (1ef50cd)
  • expand workflow with fmt + clippy + test jobs; cargo fmt pass (8b0625c)
  • install ipxe-qemu for efi-virtio.rom (b5a9391)
  • check out wave-cl/squic-rust as sibling dir for path-dep (d74e9ac)
  • run QEMU integration test on every push/PR (cce6b9b)

release

  • RELEASING.md runbook + release.sh polish (94100d5)

imagebuilder

  • bake provisioning/oxwrt.secrets.toml into images (0237f0f)
  • bake provisioning/key.ed25519 into /etc/oxwrt/ (5bc6d81)

docs+scripts

  • scrub stale /etc/oxwrt.toml path references (c49d350)

hooks

  • opt-in pre-push runs make ci-check (7507b5e)

svc_resolv

  • DNS for isolated-netns services — resolv.conf + gateway DNAT (26a22aa)

container/reload

  • fix veth pair teardown race on service respawn (f6cf72f)

reload

  • document that spec changes auto-respawn the service (3d1a925)
  • clean up stale exemptions BEFORE coordinator respawn (not after) (347ea91)
  • also clean up proto-155 exemptions after coordinator respawn (2ae7996)
  • zero-thrash reconcile for services and VLAN ifaces (c396f80)
  • call net.bring_up so VLAN sub-ifaces created via CRUD take effect (8e9a630)

diag

  • ship drill + ss binaries + transitive libs (b931efe)
  • sysctl accepts a specific key (b102437)
  • ping + traceroute accept IPv6 targets (5dbad51)
  • devices — parse /proc/net/arp for a LAN-side device view (b31d5c2)
  • wol — send Wake-on-LAN magic packet via LAN broadcast (5945cad)
  • ping-many + vpn-auto-switch --via-router (ace932d)
  • add nft-summary op for condensed firewall state dump (daae449)
  • add stall <secs> op, verifying watchdog fires on hang (a4803e8)
  • add diag resolv RPC (994e017)
  • add nft / conntrack / sysctl ops (3117279)

upnpd

  • from-source miniupnpd 2.3.7 with nftables backend + correct option names (ee7ce82)

crud

  • deep-merge security on service update — close the partial-patch footgun (a5e4c25)

services

  • default pid_namespace = true on every shipped service (a210150)
  • fixes discovered during first PID-1-style live run (50bb43d)
  • fix coredhcp config + straighten rootfs layout for packages (b65780d)

container

  • pid_namespace opt-in, decoupled from user_namespace (ec2558c)

rust-toolchain

  • include aarch64-unknown-linux-musl target (ed01022)

chore

  • cargo fmt --all (matches CI rustfmt) (3633de5)
  • drop hw-dump/ + three resolved-bug diagnostic blocks (cd81d97)
  • silence dead-code warnings + auto-applied clippy suggestions (ce65208)

config

  • example covers max_connections / max_rpcs_per_sec / include_secrets (18efaa4)
  • drop legacy /etc/oxwrt.toml fallback + fix backup path (12e50ef)
  • comment out debug-ssh service by default (4d0e8df)
  • promote corerad RA timers to per-network optional overrides (c27cacf)
  • render ntpd-rs ntp.toml from a new [ntp] section (4b566e8)
  • render coredhcp.yml from a new [dhcp] section (ba1d6e2)
  • render hickory-dns named.toml from a new [dns] section (3e8b58c)
  • absorb authorized_keys + SSH known_hosts into the TOML (e91c80c)
  • strip inline secrets from example + ship secrets.toml.example (7f0dc03)
  • one-shot migration shim + oxctl dump-config + backup knob (56143d4)
  • split secrets into oxwrt.secrets.toml on every writer path (d04ef7a)
  • merge secrets-overlay file + env vars at load time (7915ec6)
  • refresh vpn_client + metrics sections for v2 features (ff3070b)
  • refresh upnp index entry — scaffolding complete (b98bf03)
  • refresh example with mwan3 + routes6 + metrics breadth (13d25c1)
  • migrate persisted path to /etc/oxwrt/oxwrt.toml + forensics (783a741)
  • expand oxwrt.toml so every schema field has an example (5ae93be)
  • move LAN from 192.168.1.0/24 to 192.168.50.0/24 (c37c13a)
  • fix coredhcp leases bind-mount source path (12f0204)
  • unify wan/lan/networks into [[networks]] tagged enum (e62924b)
  • separate network topology from firewall policy (730bb9f)

preinit

  • demote expected mount-race logs on MT6000 (3fac246)
  • override correct failsafe file + drop uci from urandom_seed (7829e7a)
  • kill failsafe prompts, stub uci, use monotonic-uptime log timer (6e4aa86)
  • use usleep for fractional-second poll (BusyBox compat) (a5b93f1)
  • wait for eth0 before failsafe announces (a51799f)

clock

  • retry sntp bootstrap on ENETUNREACH startup race (91539b1)

control

  • per-connection RPC rate limit + release-pubkey bake (8293e22)
  • max_connections cap on sQUIC listener (1bc1bb1)

sysupgrade

  • ed25519 release-signature verification on FwUpdate (b6306c4)
  • write rootfs before kernel via two-pass tar extraction (356f920)
  • preflight uses independent fd (not try_clone) (da43b23)
  • plain tar (not gzipped) + pre-flight validation (d0d06ea)
  • pre-open all files before pivot_root (f6edd4f)
  • fix fwtool trailer layout (16-byte BE, not 12-byte LE) (dbe14f1)
  • native eMMC flash for mediatek/filogic (no ubus) (a8ba365)

oxctl

  • diff — unified-line diff of local TOML vs live config (36bcbf1)
  • watch subcommand for live-updating RPC display (854afdd)
  • wizard — interactive first-flash starter config generator (f1d20de)
  • vpn-auto-switch — ping-race picks the fastest Mullvad relay (580d7c2)
  • mullvad-relays + vpn-switch-relay — Mullvad API integration (e56b1ef)

docs

  • README.md — landing doc for the project (c28d184)
  • SECURITY.md threat model + regression guard on example config (acdca5b)
  • document identity-vs-config split + wizard emits [dns]/[dhcp]/[ntp] (9539b9c)

init

  • extract the three *_main tokio bodies into init/main_loop.rs (08998a2)
  • write /etc/resolv.conf pointing at the LAN IP (c77474b)
  • split the 2144-line init.rs into topic submodules (b31ac72)
  • reset coredhcp lease DB on LAN subnet change (8738478)
  • fallback /dev to tmpfs + mknod when kernel lacks devtmpfs (cdf0d8b)
  • more verbose early_mounts + /dev + /proc/mounts diagnostics (cbd766b)
  • EROFS-tolerant early_mounts + early_console + panic hook (d8ab804)
  • mount_root hot path (Stage 4a) (c6f9f35)
  • rename_netdevs_from_dts (Stage 3 of procd-init takeover) (b9b09d2)
  • mount_root coexist detection (Stage 2, detect-only) (4d021b3)
  • load_modules (Stage 1 of procd-init takeover) (a2a0864)
  • quiet the boot logs (b430a39)
  • tolerate ENODEV on early_mounts (not just EBUSY) (0b818ff)

rollback

  • promote single snapshot to a ring of 5 (7698442)
  • oxctl reload --dry-run preflight validation (9aca683)
  • auto-restore on failed reload (one-shot, non-recursive) (aa27e7d)
  • .last-good snapshot + oxctl rollback subcommand (d971397)

net

  • split install_firewall + helpers into net/firewall.rs (35b9a02)
  • per-zone WAN routing for multi-WAN source-based split (f64c751)
  • VLAN-aware bridging (802.1Q vlan_filtering + per-port VIDs) (d74501f)

wan

  • optional mac_address override on [[networks]] type="wan" (68d75b9)
  • send DHCPv4 hostname (opt 12) and vendor-class-id (opt 60) (3782511)
  • ICMP probes (mwan3 v2) + per-WAN Status breakdown (3949268)
  • multi-WAN failover coordinator (v1 — lease-state health) (4453283)
  • retry initial DHCP acquire + firewall input rule for OFFER (741eca9)

backup_sftp

  • scheduled off-router config snapshots via SSH (0941bed)

wifi_rotate

  • scheduled passphrase regeneration + QR sidecar (83294ba)

ddns

  • add Namecheap, dynv6, and Hurricane Electric providers (fc6df20)
  • CRUD RPC + live reload (b32fa17)
  • dynamic-DNS updater with duckdns + cloudflare providers (519d637)

metrics

  • per-service cgroup v2 stats (memory, CPU, pids) (b89f014)
  • reconcile listener on reload (idempotent apply) (ac2d16b)
  • real counters — DHCP acquire, reload, blocklist fetches (2b909f3)
  • add Prometheus-format /metrics endpoint (ee0f733)

main

  • disable /dev/kmsg rate limit for oxwrtd's tracing writer (9e51809)
  • don't match -h as --help (5751750)
  • combine three heuristics for "init invoked us" (f09bdad)
  • suppress usage print when stderr isn't a tty (a0333ed)

contrib/grafana

  • ship-ready Grafana dashboard for oxwrt metrics (49d1e18)

vpn_client

  • persistent endpoint-exemption cleanup across reboots (95bf4f4)
  • bypass_destinations_v6 — IPv6 counterpart to task #1 (6115a9e)
  • ...