Firmware-update: FreshTomato 2025.4

FreshTomato versie 2025.4 is uitgekomen. FreshTomato is van Tomato afgeleide firmware voor verschillende op Arm of MIPS gebaseerde routers van Asus, D-Link, Huawei, Linksys, Netgear, Tenda en Xiaomi. Het kan gezien worden als de voortzetting van 'Tomato by Shibby' sinds deze ontwikkelaar, Michał Rupental, zijn tijd aan andere projecten wil besteden. De FreshTomato-firmware voegt ten opzichte van de originele firmware van de fabrikant diverse extra opties toe, zoals een realtime-bandbreedtemonitor en uitgebreide instelmogelijkheden. De firmware is beschikbaar voor routers met een Arm- of MIPS-cpu.

Changes in version 2025.4

• Warning: due to changes in the naming of some nvram variables, users of BW Limiter and tftp in dnsmasq should review their settings.
• SDK6/SDK7/SDK714: help wireless vif mac addr issues
• SDK6/SDK7/SDK714: fix Serial Flash Memory Init (Part 2)
• libcurl: update to 8.16.0
• sqlite: update to 3.50.4
• dnsmasq: update to v2.92test21
• iperf: update to 3.19.1
• php: update to 8.3.26
• nginx: update to 1.29.1
• meson: update to 1.9.1
• libsodium: update to latest 1.0.20-stable
• libffi: update to 3.5.2
• nano: update to 8.6
• pcre2: update to 10.46
• adminer: update to adminneo 5.1.1
• libjpeg-turbo: update to 3.1.2
• libxml2: update to 2.15.0
• expat: update to 2.7.3
• tor: update to 0.4.8.18
• GUI: Advanced: DHCP/DNS/TFTP: add a field to enter custom configuration for stubby (close #28)
• GUI: Correction to menu references
• GUI: Administration: CIFS Client: fix refreshing 'Total / Free Size' (close #122)
• GUI: Advanced: VLAN: fix link in Notes (close #81)
• GUI: VPN: Wireguard: delete notes - point to a link to dedicated page on our wiki as help
• GUI: VPN: Wireguard: make it more intuitive that import depends on VPN type
• GUI: VPN: Wireguard: make Peers Parameters (used only for config generation) as a separate tab
• build: add DLINK DIR868L with wireguard image
• build: remove no more needed (and icomplete implemented) TCONFIG_SSH
• build: Makefile: convert expat recipe to cmake
• build: Makefile: tune avahi recipe
• avahi: backport CVE fixes from upstream and use clean sources
• bwlimit: change the names of variables to make them more similar to existing ones and easier to manage
• dnsmasq: change the name of dnsmasq tftp variable to make it more similar to existing ones and easier to manage
• dnsmasq: restore use of check_services() to check if dnsmasq is up (disabled in commit bb82460)
• httpd: ddns.c: code shrink
• httpd: httpd.c: define MAX_CONN_ACCEPT and MAX_CONN_TIMEOUT and tune them
• httpd: httpd.c: use global int_1 variable; use proper socklen_t data type
• httpd: httpd.c: use SO_KEEPALIVE instead of TCP_NODELAY for setsockopt()
• httpd: httpd.c: rewrite match() function to be fully non-recursive
• httpd: httpd.c: add syslog logout succesful message and tune failed message
• httpd: misc.c: iterate over BRIDGE_COUNT for ether-wake
• httpd: tomato.c: get rid of TCONFIG_MULTIWAN, use MWAN_MAX instead. Also use BRIDGE_COUNT to enumerate lan variables
• httpd: nvram.c: use static buffer for asp_jsdefaults()
• httpd: iperf.c: sanitize hostname more precisely (see commit bc96c20)
• httpd: nvram.c: iterate over MWAN_MAX and BRIDGE_COUNT to get values from other wans/lans
• httpd: misc.c: iterate over MWAN_MAX in asp_dns()
• httpd: misc.c: iterate over MWAN_MAX in asp_wanup()
• httpd: misc.c: iterate over MWAN_MAX in asp_link_uptime()
• httpd: dhcp.c: iterate over MWAN_MAX in asp_dhcpc_time()
• httpd: misc.c: iterate over MWAN_MAX in asp_wanstatus(); some code cleaning
• httpd: comment out asp_jiffies()
• miniupnpd: win10 & 11 workaround (help version IGD v1 in IGD v2 mode) - show forwarded ports at Windows GUI (again)
• ntpd: use ulimit to run ntpd with high nice and limited memory to eliminate denial of service attack (close #37)
• OpenVPN Client: add Routing Policy Prioritization
• OpenVPN: handle dnsmasq ipset file correctly
• openssl: backport fix for OpenSSL 3.0.17 regression
• rc: wireguard.c: fix script execution after using replace_in_file()
• rc: get rid of TCONFIG_MULTIWAN, iterate over MWAN_MAX instead; part 3
• rc: use only one anon enum policy definition for both OpenVPN and Wireguard
• rc: openvpn.c: update CTF bypass
• rc: firewall.c: use buffer for wanX name - reduce code size
• rc: dhcp.c: code shrink
• rc: network.c: fix two typos (close #121)
• rc: move dnsmasq stuff to outer file
• rc/shared: introduce and use gen_urandom() function
• rc: firewall.c: iterate over BRIDGE_COUNT in filter6_input(void)
• rc: firewall.c: move run_pptpd_firewall_script() to the front
• rc: introduce and use restart_firewall() function. Move restart_firewall() to the end in exec_service()
• rc: openvpn.c: iterate over BRIDGE_COUNT for br_ipaddr/br_netmask
• rc: network.c: iterate over BRIDGE_COUNT for /etc/hosts
• rc: network.c: iterate over BRIDGE_COUNT and MWAN_MAX in do_static_routes()
• rc: dhcp.c: iterate over BRIDGE_COUNT in start_dhcp6c()
• rc: dhcp.c: update start_dhcp6c() for BRIDGE_COUNT values > 4 (up to 32)
• rc: roamast.c: add check for upper threshold (new --> 25000 Kbps) idle rate roaming assistent
• rc: dnsmasq.c: use SIGHUP instead of mistakenly used SIGINT in reload_dnsmasq()
• rc: openvpn.c: simplify write_ovpn_resolv() function
• rc: pptp_client.c: simplify write_pptpc_resolv() function
• rc: protect firewall scripts with simple_lock()/simple_unlock(), do the same for vpnrouting.sh
• rom: update CA bundle to 2025-08-12
• shared: strings.c: update trimstr() function
• shared: defaults.c: get rid of TCONFIG_MULTIWAN, use MWAN_MAX instead. Also use BRIDGE_COUNT to enumerate lan variables
• tomato.css - improved to print and printscreen in dark-mode
• Wireguard: handle dnsmasq ipset file correctly
• Wireguard: add Routing Policy Prioritization in PBR mode
• wireguard/OpenVPN: do not delete PBR table when using the client in non-PRB mode - just hide it and don't add Kill Switch rules to iptables
• wireguard: fix crash with CTF enabled
• www: use global C variable definitions required by javascript, instead of locally defined ones
• www: admin-tomatoanon.asp: add a note
• Revert "www: vpn-client.asp: only add routing value in Routing Policy mode, otherwise remove all data from the routing table"
• Revert "www: vpn-wireguard.asp: only add routing value in 'External' and Routing Policy mode, otherwise remove all data from the routing table"
• Revert "www: vpn-wireguard.asp: clean routing policy if not in 'External' mode"
• www: vpn-wireguard.asp: do not restart service if only the 'Enable On Start' option was changed
• www: vpn-client.asp: do not restart client if only the 'Enable On Start' option was changed
• www: vpn-server.asp: do not restart server if only the 'Enable On Start' option was changed
• www: fix compilation (navi) without PPTPD
• www: vpn-client.asp: check if we need to restart firewall in special cases even if client is down; clean-up
• www: vpn-wireguard.asp: check if we need to restart firewall in special cases even if 'client' is down
• www: advanced-dhcpdns.asp: Adjust String.trim() usage
• www: ipt-[daily|monthly].asp: iterate over MAX_BRIDGE_ID in redraw()
• www: qos-graphs.asp: iterate over MAXWAN_NUM to get irates/orates; also small changes in httpd/ctnf.c (asp_qrate) to get an array
• www: rename isup.jsz to isup.jsx to protect its content by http_id
• switch4g: fix kernel module load order (and don't change it in the future...)
• switch4g: slightly improve the conditions when checking the interface/IP
• Buffalo WZR-1750DHP: improve support (add SPI suppport, fix VLAN support, fix wl hardware order, adjust linux MTD, remove hardcoded limits for board_ns (working correct))
• Buffalo WZR-1750DHP: bring router back to life :-) (reduce NVRAM space to 32 KByte for now!)
• Tenda AC15: adjust command (use 0x9F only) for reading manufacturer/ memory / density for SPI flash