Merge branch 'dev' into master

2025-08-23 06:35:49 -07:00 · 2023-01-08 00:22:18 +08:00 · 2023-01-08 00:22:18 +08:00 · d6b11b25e1
commit d6b11b25e1
parent d11221d7fa ab503902c8
92 changed files with 1986 additions and 4473 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@ -1,26 +1,7 @@
 local registry = "084037375216.dkr.ecr.us-east-2.amazonaws.com";
 local targets = [
-      //
+      { "os": "linux",   "name": "sid", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x", "riscv64" ], "events": [ "push", "tag", "custom" ] },
      // Render these into .drone.yaml by running "make drone"
      //      
      { "os": "linux", "name": "el9", "isas": [ "amd64", "arm64", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "el8", "isas": [ "amd64", "arm64", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "el7", "isas": [ "amd64", "ppc64le"], "events": [ "tag" ] },
      { "os": "linux", "name": "el6", "isas": [ "amd64" ], "events": [ "tag" ] },
      { "os": "linux", "name": "amzn2", "isas": [ "amd64", "arm64" ], "events": [ "tag" ] },
      { "os": "linux", "name": "fc37", "isas": [ "amd64", "arm64", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "fc36", "isas": [ "amd64", "arm64", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "fc35", "isas": [ "amd64", "arm64", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "jammy", "isas": [ "amd64", "arm64", "armv7", "riscv64", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "focal", "isas": [ "amd64", "arm64", "armv7", "riscv64", "ppc64le"  ], "events": [ "tag" ] },
      { "os": "linux", "name": "bionic", "isas": [ "amd64", "arm64", "386", "ppc64le", "s390x" ], "events": ["tag" ] },
      { "os": "linux", "name": "xenial", "isas": [ "amd64", "arm64", "386" ], "events": [ "tag" ] },
      { "os": "linux", "name": "sid", "isas": [ "386", "amd64", "arm64", "armv7", "riscv64", "mips64le", "ppc64le", "s390x" ], "events": [ "push", "tag" ] },
      { "os": "linux", "name": "bookworm", "isas": [ "amd64", "arm64", "armv7", "386", "mips64le", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "bullseye", "isas": [ "amd64", "arm64", "armv7", "386", "mips64le", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "buster", "isas": [ "amd64", "arm64", "armv7", "386", "mips64le", "ppc64le", "s390x" ], "events": [ "tag" ] },
      { "os": "linux", "name": "stretch", "isas": [ "amd64", "arm64", "386" ], "events": [ "tag" ] },
      // { "os": "windows", "name": "win2k19", "isas": [ "amd64" ], "events": ["push", "tag" ] }
 ];
 local Build(platform, os, isa, events) = {
@ -32,27 +13,18 @@ local Build(platform, os, isa, events) = {
  "steps": [
    {
      "name": "build",
-      "image": "registry.sean.farm/honda-builder",
+      "image": registry + "/honda-builder",
-      "commands": [ "./ci/scripts/build.sh " + platform + " " + isa + " " + "100.0.0+${DRONE_COMMIT_SHA:0:8}" + " " + "${DRONE_BUILD_EVENT}" ]
+      "commands": [
        "aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin " + registry,
        "./ci/scripts/build.sh " + platform + " " + isa + " " + "100.0.0+${DRONE_COMMIT_SHA:0:8}" + " " + "${DRONE_BUILD_EVENT}"
      ]
    },
-    {
+    // {
-      "name": "list",
+    //   "name": "list",
-      "image": "registry.sean.farm/honda-builder",
+    //   "image": registry + "/honda-builder",
-      "commands": [ "ls -la " + platform ]
+    //   "commands": [ "ls -la " + platform ]
-    },
+    // },
    {
      "name": "notify-mattermost",
      "image": "registry.sean.farm/mattermost-notify",
      "environment": {
        "token": { "from_secret": "mattermost-token" },
        "host": { "from_secret": "mattermost-host" },
        "channel": { "from_secret": "mattermost-channel" },
        "maxRetry": 3,
      },
      "when": { "status": [ "failure" ] }
    }
  ],  
  "image_pull_secrets": [ "dockerconfigjson" ],
  [ if isa == "arm64" || isa == "armv7" then "platform" ]: { os: os, arch: "arm64" },
  "trigger": { "event": events }
 };
--- a/.drone.yml
+++ b/.drone.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,108 @@
 on: [ push ]
 jobs:
  build_ubuntu:
    runs-on: ubuntu-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf false
        git config --global core.eol lf
    - name: checkout
      uses: actions/checkout@v3
    - name: Install Rust
      uses: actions-rs/toolchain@v1
      with:
        toolchain: stable
        target: aarch64-apple-darwin
        override: true
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: actions/cache@v3
      continue-on-error: false
      with:
        path: |
          ~/.cargo/bin/
          ~/.cargo/registry/index/
          ~/.cargo/registry/cache/
          ~/.cargo/git/db/
          target/
        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
        restore-keys: ${{ runner.os }}-cargo-
    - name: make
      run: make
    - name: selftest
      run: |
        make selftest
        ./zerotier-selftest
  build_macos:
    runs-on: macos-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf false
        git config --global core.eol lf
    - name: checkout
      uses: actions/checkout@v3
    - name: Install Rust
      uses: actions-rs/toolchain@v1
      with:
        toolchain: stable
        target: aarch64-apple-darwin
        override: true
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: actions/cache@v3
      continue-on-error: false
      with:
        path: |
          ~/.cargo/bin/
          ~/.cargo/registry/index/
          ~/.cargo/registry/cache/
          ~/.cargo/git/db/
          target/
        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
        restore-keys: ${{ runner.os }}-cargo-
    - name: make
      run: make
    - name: selftest
      run: |
        make selftest
        ./zerotier-selftest
  build_windows:
    runs-on: windows-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf false
        git config --global core.eol lf
    - name: checkout
      uses: actions/checkout@v3
    - name: Install Rust
      uses: actions-rs/toolchain@v1
      with:
        toolchain: stable
        target: aarch64-apple-darwin
        override: true
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: actions/cache@v3
      continue-on-error: false
      with:
        path: |
          ~/.cargo/bin/
          ~/.cargo/registry/index/
          ~/.cargo/registry/cache/
          ~/.cargo/git/db/
          target/
        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
        restore-keys: ${{ runner.os }}-cargo-
    - name: setup msbuild
      uses: microsoft/setup-msbuild@v1.1.3
    - name: msbuild
      run: |
        msbuild windows\ZeroTierOne.sln /m /p:Configuration=Release  /property:Platform=x64 /t:ZeroTierOne:Rebuild        
--- a/.gitignore
+++ b/.gitignore
@ -137,3 +137,4 @@ __pycache__
 *.pyc
 *_source.tar.bz2
 snap/.snapcraft
 tcp-proxy/tcp-proxy
--- a/Dockerfile.release
+++ b/Dockerfile.release
@ -1,22 +1,17 @@
 # vim: ft=dockerfile
-FROM debian:buster as stage
+FROM debian:bullseye
 ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/
 ARG ARCH=amd64
 ARG VERSION
-RUN apt-get update -qq && apt-get install curl -y
+RUN apt-get update -qq && apt-get install curl gpg -y
-RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
+RUN mkdir -p /usr/share/zerotier && \
    curl -o /usr/share/zerotier/tmp.asc "https://download.zerotier.com/contact%40zerotier.com.gpg" && \
    gpg --no-default-keyring --keyring /usr/share/zerotier/zerotier.gpg --import /usr/share/zerotier/tmp.asc && \
    rm -f /usr/share/zerotier/tmp.asc && \
    echo "deb [signed-by=/usr/share/zerotier/zerotier.gpg] http://download.zerotier.com/debian/bullseye bullseye main" > /etc/apt/sources.list.d/zerotier.list
-FROM debian:buster
+RUN apt-get update -qq && apt-get install zerotier-one=${VERSION} curl iproute2 net-tools iputils-ping openssl libssl1.1 -y
 RUN apt-get update -qq && apt-get install openssl libssl1.1 -y
 COPY --from=stage zerotier-one.deb .
 RUN dpkg -i zerotier-one.deb && rm -f zerotier-one.deb
 RUN echo "${VERSION}" >/etc/zerotier-version
 RUN rm -rf /var/lib/zerotier-one
 COPY entrypoint.sh.release /entrypoint.sh
--- a/365
+++ b/365
@ -1,365 +0,0 @@
 pipeline {
    options {
        disableConcurrentBuilds()
        preserveStashes(buildCount: 10)
        timestamps()
    }
    parameters {
        booleanParam(name: "BUILD_ALL", defaultValue: false, description: "Build all supported platform/architecture combos.  Defaults to x86/x64 only")
    }
    agent none
    stages {
        stage ("Build") {
            steps {
                script {
                    def tasks = [:]
                    tasks << buildStaticBinaries()
                    tasks << buildDebianNative()
                    tasks << buildCentosNative()
                    parallel tasks
                }
            }
        }
        stage ("Package Static") {
            steps {
                script {
                    parallel packageStatic()
                }
            }
        }
    }
 }
 def buildStaticBinaries() {
    def tasks = [:]
    def dist = ["alpine"]
    def archs = []
    if (params.BUILD_ALL == true) {
        archs = ["arm64", "amd64", "i386", "armhf", "armel", "ppc64le", "s390x"]
    } else {
        archs = ["amd64", "i386"]
    }
    tasks << getTasks(dist, archs, { distro, platform -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                sh "echo ${distro}-${platform}"
                def runtime = docker.image("ztbuild/${distro}-${platform}:latest")
                runtime.inside {
                    dir("build") {
                        sh 'make -j8 ZT_STATIC=1 all'
                        sh "file ./zerotier-one"
                        sh "mv zerotier-one zerotier-one-static-${platform}"
                        stash includes: 'zerotier-one-static-*', name: "static-${platform}"
                    }
                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
                }
            }
        }
        return myNode
    })
    return tasks
 }
 def getTasks(axisDistro, axisPlatform, task) {
    def tasks = [:]
    for(int i=0; i< axisDistro.size(); i++) {
        def axisDistroValue = axisDistro[i]
        for(int j=0; j< axisPlatform.size(); j++) {
            def axisPlatformValue = axisPlatform[j]
            tasks["${axisDistroValue}/${axisPlatformValue}"] = task(axisDistroValue, axisPlatformValue)
        }
    }
    return tasks
 }
 def packageStatic() {
    def tasks = [:]
    def centos6 = ["centos6"]
    def centos6Arch = ["i386", "amd64"]
    tasks << getTasks(centos6, centos6Arch, { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    dir("build") {
                        unstash "static-${arch}"
                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one" 
                        sh "make redhat"
                        sh "mkdir -p ${distro}"
                        sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
                        archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
                    }
                }
                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
            }
        }
        return myNode
    })
    def centos7 = ["centos7"]
    def centos7Arch = ["i386"]
    tasks << getTasks(centos7, centos7Arch, { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    dir("build") {
                        unstash "static-${arch}"
                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one" 
                        sh "make redhat"
                        sh "mkdir -p ${distro}"
                        sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
                        archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
                    }
                }
                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
            }
        }
        return myNode
    })
    if (params.BUILD_ALL == true) {
        def clefos7 = ["clefos"]
        def clefos7Arch = ["s390x"]
        tasks << getTasks(clefos7, clefos7Arch, { distro, arch -> 
            def myNode = {
                node ('linux-build') {
                    dir ("build") {
                        checkout scm
                    }
                    def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                    runtime.inside {
                        dir("build/") {
                            unstash "static-${arch}"
                            sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one" 
                            sh "make redhat"
                            sh "mkdir -p ${distro}"
                            sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
                            archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
                        }
                    }
                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
                }
            }
            return myNode
        })
    }
    def debianJessie = ["debian-jessie"]
    def debianJessieArchs = []
    if (params.BUILD_ALL == true) {
        debianJessieArch = ["armhf", "armel", "amd64", "i386"]
    } else {
        debianJessieArch = ["amd64", "i386"]
    }
    tasks << getTasks(debianJessie, debianJessieArch, { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    sh "ls -la ."
                    dir('build/') {
                        sh "ls -la ."
                        unstash "static-${arch}"
                        sh "pwd"
                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one && file ./zerotier-one" 
                        sh "mv -f debian/rules.static debian/rules"
                        sh "make debian"
                    }
                    sh "mkdir -p ${distro}"
                    sh "mv *.deb ${distro}"
                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
                }
                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
            }
        }
        return myNode
    })
    def ubuntuTrusty = ["ubuntu-trusty"]
    def ubuntuTrustyArch = []
    if (params.BUILD_ALL == true) {
        ubuntuTrustyArch = ["i386", "amd64", "armhf", "arm64", "ppc64le"]
    } else {
        ubuntuTrustyArch = ["i386", "amd64"]
    }
    tasks << getTasks(ubuntuTrusty, ubuntuTrustyArch, { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    sh "ls -la ."
                    dir('build/') {
                        sh "ls -la ."
                        unstash "static-${arch}"
                        sh "pwd"
                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one && file ./zerotier-one" 
                        sh "mv -f debian/rules.static debian/rules"
                        sh "make debian"
                    }
                    sh "mkdir -p ${distro}"
                    sh "mv *.deb ${distro}"
                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
                }
                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
            }
        }
        return myNode
    })
    def debianWheezy = ["debian-wheezy"]
    def debianWheezyArchs = []
    if (params.BUILD_ALL == true) {
        debianWheezyArchs = ["armhf", "armel", "amd64", "i386"]
    } else {
        debianWheezyArchs = ["amd64", "i386"]
    }
    tasks << getTasks(debianJessie, debianJessieArch, { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    dir('build/') {
                        unstash "static-${arch}"
                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one && file ./zerotier-one" 
                        sh "mv -f debian/rules.wheezy.static debian/rules"
                        sh "mv -f debian/control.wheezy debian/control"
                        sh "make debian"
                    }
                    sh "mkdir -p ${distro}"
                    sh "mv *.deb ${distro}"
                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
                }
                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
            }
        }
        return myNode
    })
    return tasks
 }
 def buildDebianNative() {
    def tasks = [:]
    def buster = ["debian-buster", "debian-stretch", "debian-bullseye", "debian-sid"]
    def busterArchs = []
    if (params.BUILD_ALL) {
        busterArchs = ["s390x", "ppc64le", "i386", "armhf", "armel", "arm64", "amd64"]
    } else {
        busterArchs = ["amd64", "i386"]
    }
    def build = { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    dir("build") {
                        sh 'make debian'
                    }
                    sh "mkdir -p ${distro}"
                    sh "mv *.deb ${distro}"
                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
                }
            }
        }
        return myNode
    }
    tasks << getTasks(buster, busterArchs, build)
    // bash is broken when running under QEMU-s390x on Xenial
    def xenial = ["ubuntu-xenial"]
    def xenialArchs = []
    if (params.BUILD_ALL == true) {
        xenialArchs = ["i386", "amd64", "armhf", "arm64", "ppc64le"]
    } else {
        xenialArchs = ["i386", "amd64"]
    }
    tasks << getTasks(xenial, xenialArchs, build)
    def ubuntu = ["ubuntu-bionic", "ubuntu-eoan"]
    def ubuntuArchs = []
    if (params.BUILD_ALL == true) {
        ubuntuArchs = ["i386", "amd64", "armhf", "arm64", "ppc64le", "s390x"]
    } else {
        ubuntuArchs = ["i386", "amd64"]
    }
    tasks << getTasks(ubuntu, ubuntuArchs, build)
    def kali = ["kali-rolling"]
    def kaliArchs = ["amd64"]
    tasks << getTasks(kali, kaliArchs, build)
    return tasks
 }
 def buildCentosNative() {
    def tasks = [:]
    def build = { distro, arch -> 
        def myNode = {
            node ('linux-build') {
                dir ("build") {
                    checkout scm
                }
                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
                runtime.inside {
                    dir("build") {
                        sh 'make -j4'
                        sh 'make redhat'
                        sh "mkdir -p ${distro}"
                        sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
                        archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
                    }
                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
                }
            }
        }
        return myNode
    }
    def centos8 = ["centos8"]
    def centos8Archs = []
    if (params.BUILD_ALL == true) {
        centos8Archs = ["amd64", "arm64", "ppc64le"]
    } else {
        centos8Archs = ["amd64"]
    }
    tasks << getTasks(centos8, centos8Archs, build)
    def centos7 = ["centos7"]
    def centos7Archs = ["amd64"]
    tasks << getTasks(centos7, centos7Archs, build)
    return tasks
 }
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -1,6 +1,17 @@
 ZeroTier Release Notes
 ======
 # 2022-11-01 -- Version 1.10.2
 * Fix another SSO "stuck client" issue in zeroidc.
 * Expose root-reported external IP/port information via the local JSON API for better diagnostics.
 * Multipath: CLI output improvement for inspecting bonds
 * Multipath: balance-aware mode
 * Multipath: Custom policies
 * Multipath: Link quality measurement improvements
 Note that releases are coming few and far between because most of our dev effort is going into version 2.
 # 2022-06-27 -- Version 1.10.1
 * Fix an issue that could cause SSO clients to get "stuck" on stale auth URLs.
@ -21,7 +32,7 @@ ZeroTier Release Notes
 # 2022-04-25 -- Version 1.8.9
- * Fixed a long-standing and strange bug that was causing sporadic "phantom" packet authentication failures. Not a security problem but could be behind spordaic reports of link failures under some conditions.
+ * Fixed a long-standing and strange bug that was causing sporadic "phantom" packet authentication failures. Not a security problem but could be behind sporadic reports of link failures under some conditions.
 * Fized a memory leak in SSO/OIDC support.
 * Fixed SSO/OIDC display error on CLI.
 * Fixed a bug causing nodes to sometimes fail to push certs to each other (primarily affects SSO/OIDC use cases).
--- a/ci/Dockerfile.deb
+++ b/ci/Dockerfile.deb
@ -1,5 +1,5 @@
 ARG PLATFORM
-FROM registry.sean.farm/${PLATFORM}-builder as stage
+FROM 084037375216.dkr.ecr.us-east-2.amazonaws.com/${PLATFORM}-builder as stage
 WORKDIR /work/build
 COPY . .
 RUN make debian
--- a/ci/Dockerfile.none
+++ b/ci/Dockerfile.none
@ -0,0 +1,5 @@
 ARG PLATFORM
 FROM 084037375216.dkr.ecr.us-east-2.amazonaws.com/${PLATFORM}-builder as stage
 WORKDIR /work
 COPY . .
 RUN make
--- a/ci/Dockerfile.rpm
+++ b/ci/Dockerfile.rpm
@ -1,5 +1,5 @@
 ARG PLATFORM
-FROM registry.sean.farm/${PLATFORM}-builder as stage
+FROM 084037375216.dkr.ecr.us-east-2.amazonaws.com/${PLATFORM}-builder as stage
 WORKDIR /root/rpmbuild/BUILD
 COPY . .
 RUN make redhat
--- a/ci/scripts/build.sh
+++ b/ci/scripts/build.sh
@ -8,6 +8,9 @@ export VERSION=$3
 export EVENT=$4
 case $PLATFORM in
    sid)
        export PKGFMT=none
        ;;
    el*|fc*|amzn*)
        export PKGFMT=rpm
        ;;
@ -15,21 +18,20 @@ case $PLATFORM in
        export PKGFMT=deb
 esac
-# OSX
+#
-# x86_64-apple-darwin
+# Allow user to drop in custom Dockerfile for PLATFORM
-# aarch64-apple-darwin
+#
-# Windows
+if [ -f "ci/Dockerfile.${PLATFORM}" ]; then
-# x86_64-pc-windows-msvc
+    export DOCKERFILE="ci/Dockerfile.${PLATFORM}"
-# i686-pc-windows-msvc
+else
-# aarch64-pc-windows-msvc
+    export DOCKERFILE="ci/Dockerfile.${PKGFMT}"
 fi
-# Linux
+#
-# i686-unknown-linux-gnu
+# Rust sometimes gets confused about where it's running.
-# x86_64-unknown-linux-gnu
+# Normally, the build images will have Rust pre-baked.
-# arm-unknown-linux-gnueabi       ?
+# Pass RUST_TRIPLET for convenience when using a custom Dockerfile
 # arm-unknown-linux-gnueabihf     ?
 # armv7-unknown-linux-gnueabihf
 #
 case $ZT_ISA in
@ -41,13 +43,9 @@ case $ZT_ISA in
        export DOCKER_ARCH=amd64
        export RUST_TRIPLET=x86_64-unknown-linux-gnu
        ;;
    armv6)
        export DOCKER_ARCH=arm/v6
        export RUST_TRIPLET=arm-unknown-linux-gnueabi
        ;;
    armv7)
        export DOCKER_ARCH=arm/v7
-        export RUST_TRIPLET=arm-unknown-linux-gnueabihf
+        export RUST_TRIPLET=armv7-unknown-linux-gnueabihf
        ;;
    arm64)
        export DOCKER_ARCH=arm64/v8
@ -75,11 +73,9 @@ case $ZT_ISA in
        ;;
 esac
-if [ -f "ci/Dockerfile.${PLATFORM}" ]; then
+#
-    export DOCKERFILE="ci/Dockerfile.${PLATFORM}"
+# Print debug info
-else
+#
    export DOCKERFILE="ci/Dockerfile.${PKGFMT}"
 fi
 echo "#~~~~~~~~~~~~~~~~~~~~"
 echo "$0 variables:"
@ -94,23 +90,37 @@ echo "PWD: ${PWD}"
 echo "DOCKERFILE: ${DOCKERFILE}"
 echo "#~~~~~~~~~~~~~~~~~~~~"
-if [ ${EVENT} == "push" ]; then
+#
-make munge_rpm zerotier-one.spec VERSION=${VERSION}
+# Munge RPM and Deb
-make munge_deb debian/changelog VERSION=${VERSION}
+#
 if [ ${PKGFMT} != "none" ] && [ ${EVENT} != "tag" ]; then
    make munge_rpm zerotier-one.spec VERSION=${VERSION}
    make munge_deb debian/changelog VERSION=${VERSION}
 fi
-export DOCKER_BUILDKIT=1
+#
-docker run --privileged --rm tonistiigi/binfmt --install all
+# Assemble buildx arguments
 #
-# docker pull --platform linux/${DOCKER_ARCH} registry.sean.farm/${PLATFORM}-builder
+build_args=(
    --no-cache
    --build-arg PLATFORM=${PLATFORM}
    --build-arg RUST_TRIPLET=${RUST_TRIPLET}
    --build-arg DOCKER_ARCH=${DOCKER_ARCH}
    --platform linux/${DOCKER_ARCH}
    -f ${DOCKERFILE}
    -t build
    .
 )
-docker buildx build \
+if [ ${PKGFMT} != "none" ]; then
-       --build-arg PLATFORM="${PLATFORM}" \
+    build_args+=("--output type=local,dest=.")
-       --build-arg RUST_TRIPLET="${RUST_TRIPLET}" \
+    build_args+=("--target export")
-       --build-arg DOCKER_ARCH="${DOCKER_ARCH}" \
+fi
-       --platform linux/${DOCKER_ARCH} \
+
-       -f ${DOCKERFILE} \
+#
-       -t build \
+# Do build
-       . \
+#
-       --output type=local,dest=. \
+
-       --target export
+docker buildx build ${build_args[@]}
--- a/controller/PostgreSQL.cpp
+++ b/controller/PostgreSQL.cpp
@ -113,7 +113,7 @@ MemberNotificationReceiver::MemberNotificationReceiver(PostgreSQL *p, pqxx::conn
 	: pqxx::notification_receiver(c, channel)
 	, _psql(p)
 {
-	fprintf(stderr, "initialize MemberNotificaitonReceiver\n");
+	fprintf(stderr, "initialize MemberNotificationReceiver\n");
 }
@ -140,7 +140,7 @@ NetworkNotificationReceiver::NetworkNotificationReceiver(PostgreSQL *p, pqxx::co
 }
 void NetworkNotificationReceiver::operator() (const std::string &payload, int packend_pid) {
-	fprintf(stderr, "Network Notificaiton received: %s\n", payload.c_str());
+	fprintf(stderr, "Network Notification received: %s\n", payload.c_str());
 	json tmp(json::parse(payload));
 	json &ov = tmp["old_val"];
 	json &nv = tmp["new_val"];
@ -185,7 +185,7 @@ PostgreSQL::PostgreSQL(const Identity &myId, const char *path, int listenPort, R
 	fprintf(stderr, "ZT_SSO_PSK: %s\n", ssoPskHex);
 #endif
 	if (ssoPskHex) {
-		// SECURITY: note that ssoPskHex will always be null-terminated if libc acatually
+		// SECURITY: note that ssoPskHex will always be null-terminated if libc actually
 		// returns something non-NULL. If the hex encodes something shorter than 48 bytes,
 		// it will be padded at the end with zeroes. If longer, it'll be truncated.
 		Utils::unhex(ssoPskHex, _ssoPsk, sizeof(_ssoPsk));
@ -217,10 +217,11 @@ PostgreSQL::PostgreSQL(const Identity &myId, const char *path, int listenPort, R
 		opts.password = _rc->password;
 		opts.db = 0;
 		opts.keep_alive = true;
-		opts.connect_timeout = std::chrono::seconds(5);
+		opts.connect_timeout = std::chrono::seconds(3);
 		poolOpts.size = 25;
-		poolOpts.wait_timeout = std::chrono::milliseconds(1000);
+		poolOpts.wait_timeout = std::chrono::seconds(5);
-		poolOpts.connection_lifetime = std::chrono::minutes(5);
+		poolOpts.connection_lifetime = std::chrono::minutes(3);
 		poolOpts.connection_idle_time = std::chrono::minutes(1);
 		if (_rc->clusterMode) {
 			fprintf(stderr, "Using Redis in Cluster Mode\n");
 			_cluster = std::make_shared<sw::redis::RedisCluster>(opts, poolOpts);
@ -709,11 +710,11 @@ void PostgreSQL::initializeNetworks()
 			if (_redisMemberStatus) {
 				fprintf(stderr, "adding networks to redis...\n");
 				if (_rc->clusterMode) {
-					auto tx = _cluster->transaction(_myAddressStr, true);
+					auto tx = _cluster->transaction(_myAddressStr, true, false);
 					tx.sadd(setKey, networkSet.begin(), networkSet.end());
 					tx.exec();
 				} else {
-					auto tx = _redis->transaction(true);
+					auto tx = _redis->transaction(true, false);
 					tx.sadd(setKey, networkSet.begin(), networkSet.end());
 					tx.exec();
 				}
@ -765,13 +766,13 @@ void PostgreSQL::initializeMembers()
 			if (!deletes.empty()) {
 				try {
 					if (_rc->clusterMode) {
-						auto tx = _cluster->transaction(_myAddressStr, true);
+						auto tx = _cluster->transaction(_myAddressStr, true, false);
 						for (std::string k : deletes) {
 							tx.del(k);
 						}
 						tx.exec();
 					} else {
-						auto tx = _redis->transaction(true);
+						auto tx = _redis->transaction(true, false);
 						for (std::string k : deletes) {
 							tx.del(k);
 						}
@ -784,22 +785,29 @@ void PostgreSQL::initializeMembers()
 		}
 		char qbuf[2048];
-		sprintf(qbuf, "SELECT m.id, m.network_id, m.active_bridge, m.authorized, m.capabilities, (EXTRACT(EPOCH FROM m.creation_time AT TIME ZONE 'UTC')*1000)::bigint, m.identity, "
+		sprintf(qbuf,
-			"	(EXTRACT(EPOCH FROM m.last_authorized_time AT TIME ZONE 'UTC')*1000)::bigint, "
+			"SELECT m.id, m.network_id, m.active_bridge, m.authorized, m.capabilities, "
-			"	(EXTRACT(EPOCH FROM m.last_deauthorized_time AT TIME ZONE 'UTC')*1000)::bigint, "
+				"(EXTRACT(EPOCH FROM m.creation_time AT TIME ZONE 'UTC')*1000)::bigint, m.identity, "
-			"	m.remote_trace_level, m.remote_trace_target, m.tags, m.v_major, m.v_minor, m.v_rev, m.v_proto, "
+				"(EXTRACT(EPOCH FROM m.last_authorized_time AT TIME ZONE 'UTC')*1000)::bigint, "
-			"	m.no_auto_assign_ips, m.revision, sso_exempt, "
+				"(EXTRACT(EPOCH FROM m.last_deauthorized_time AT TIME ZONE 'UTC')*1000)::bigint, "
-			"	(SELECT (EXTRACT(EPOCH FROM e.authentication_expiry_time)*1000)::bigint "
+				"m.remote_trace_level, m.remote_trace_target, m.tags, m.v_major, m.v_minor, m.v_rev, m.v_proto, "
-	 		"		FROM ztc_sso_expiry e "
+				"m.no_auto_assign_ips, m.revision, m.sso_exempt, "
-			"		INNER JOIN ztc_network n1 "
+				"(CASE WHEN n.sso_enabled = TRUE AND m.sso_exempt = FALSE THEN "
-			"			ON n.id = e.network_id "
+				" ( "
-			"		WHERE e.network_id = m.network_id AND e.member_id = m.id AND n.sso_enabled = TRUE AND e.authentication_expiry_time IS NOT NULL "
+				"	SELECT (EXTRACT(EPOCH FROM e.authentication_expiry_time)*1000)::bigint "
-			"		ORDER BY e.authentication_expiry_time DESC LIMIT 1) AS authentication_expiry_time, "
+				"	FROM ztc_sso_expiry e "
-			"	ARRAY(SELECT DISTINCT address FROM ztc_member_ip_assignment WHERE member_id = m.id AND network_id = m.network_id) AS assigned_addresses "
+				"	INNER JOIN ztc_network n1 "
 				"	ON n1.id = e.network_id  AND n1.deleted = TRUE "
 				"	WHERE e.network_id = m.network_id AND e.member_id = m.id AND n.sso_enabled = TRUE AND e.authentication_expiry_time IS NOT NULL "
 				"	ORDER BY e.authentication_expiry_time DESC LIMIT 1 "
 				" ) "
 				" ELSE NULL "
 				" END) AS authentication_expiry_time, "
 				"ARRAY(SELECT DISTINCT address FROM ztc_member_ip_assignment WHERE member_id = m.id AND network_id = m.network_id) AS assigned_addresses "
 			"FROM ztc_member m "
 			"INNER JOIN ztc_network n "
 			"	ON n.id = m.network_id "
-			"WHERE n.controller_id = '%s' AND m.deleted = false", _myAddressStr.c_str());
+			"WHERE n.controller_id = '%s' AND n.deleted = FALSE AND m.deleted = FALSE", _myAddressStr.c_str());
 		auto c = _pool->borrow();
 		auto c2 = _pool->borrow();
 		pqxx::work w{*c->c};
@ -925,13 +933,13 @@ void PostgreSQL::initializeMembers()
 			if (_redisMemberStatus) {
 				fprintf(stderr, "Load member data into redis...\n");
 				if (_rc->clusterMode) {
-					auto tx = _cluster->transaction(_myAddressStr, true);
+					auto tx = _cluster->transaction(_myAddressStr, true, false);
 					for (auto it : networkMembers) {
 						tx.sadd(it.first, it.second);
 					}
 					tx.exec();
 				} else {
-					auto tx = _redis->transaction(true);
+					auto tx = _redis->transaction(true, false);
 					for (auto it : networkMembers) {
 						tx.sadd(it.first, it.second);
 					}
@ -951,6 +959,7 @@ void PostgreSQL::initializeMembers()
 		}
 	} catch (sw::redis::Error &e) {
 		fprintf(stderr, "ERROR: Error initializing members (redis): %s\n", e.what());
 		exit(-1);
 	} catch (std::exception &e) {
 		fprintf(stderr, "ERROR: Error initializing member: %s-%s %s\n", networkId.c_str(), memberId.c_str(), e.what());
 		exit(-1);
@ -1012,12 +1021,16 @@ void PostgreSQL::heartbeat()
 		}
 		_pool->unborrow(c);
-		if (_redisMemberStatus) {
+		try {
-			if (_rc->clusterMode) {
+			if (_redisMemberStatus) {
-				_cluster->zadd("controllers", "controllerId", ts);
+				if (_rc->clusterMode) {
-			} else {
+					_cluster->zadd("controllers", "controllerId", ts);
-				_redis->zadd("controllers", "controllerId", ts);
+				} else {
 					_redis->zadd("controllers", "controllerId", ts);
 				}
 			}
 		} catch (sw::redis::Error &e) {
 			fprintf(stderr, "ERROR: Redis error in heartbeat thread: %s\n", e.what());
 		}
 		std::this_thread::sleep_for(std::chrono::milliseconds(1000));
@ -1374,7 +1387,7 @@ void PostgreSQL::commitThread()
 						"sso_enabled = EXCLUDED.sso_enabled",
 						id,
 						_myAddressStr,
-						OSUtils::jsonDump(config["capabilitles"], -1),
+						OSUtils::jsonDump(config["capabilities"], -1),
 						(bool)config["enableBroadcast"],
 						OSUtils::now(),
 						(int)config["mtu"],
@ -1573,7 +1586,7 @@ void PostgreSQL::onlineNotificationThread()
 /**
 * ONLY UNCOMMENT FOR TEMPORARY DB MAINTENANCE
 *
- * This define temproarly turns off writing to the member status table
+ * This define temporarily turns off writing to the member status table
 * so it can be reindexed when the indexes get too large.
 */
@ -1694,10 +1707,10 @@ void PostgreSQL::onlineNotification_Redis()
 		try {
 			if (!lastOnline.empty()) {
 				if (_rc->clusterMode) {
-					auto tx = _cluster->transaction(controllerId, true);
+					auto tx = _cluster->transaction(controllerId, true, false);
 					count = _doRedisUpdate(tx, controllerId, lastOnline);
 				} else {
-					auto tx = _redis->transaction(true);
+					auto tx = _redis->transaction(true, false);
 					count = _doRedisUpdate(tx, controllerId, lastOnline);
 				}
 			}
--- a/controller/README.md
+++ b/controller/README.md
@ -246,7 +246,7 @@ This returns a JSON object containing all member IDs as keys and their `memberRe
 | vMajor                | integer       | Most recently known major version                 | no       |
 | vMinor                | integer       | Most recently known minor version                 | no       |
 | vRev                  | integer       | Most recently known revision                      | no       |
-| vProto                | integer       | Most recently known protocl version               | no       |
+| vProto                | integer       | Most recently known protocol version               | no       |
 Note that managed IP assignments are only used if they fall within a managed route. Otherwise they are ignored.
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
 zerotier-one (1.10.2) unstable; urgency=medium
  * See RELEASE-NOTES.md for release notes.
 -- Adam Ierymenko <adam.ierymenko@zerotier.com>  Thu, 13 Oct 2022 01:00:00 -0700
 zerotier-one (1.10.1) unstable; urgency=medium
  * See RELEASE-NOTES.md for release notes.
--- a/doc/zerotier-one.8.md
+++ b/doc/zerotier-one.8.md
@ -81,7 +81,7 @@ These are found in the service's working directory.
   If the ZeroTier One service is built with the network controller enabled, it periodically backs up its controller.db database in this file (currently every 5 minutes if there have been changes). Since this file is not a currently in use SQLite3 database it's safer to back up without corruption. On new backups the file is rotated out rather than being rewritten in place.
 * `iddb.d/` (directory):
-   Caches the public identity of every peer ZeroTier has spoken with in the last 60 days. This directory and its contents can be deleted, but this may result in slower connection initations since it will require that we go out and re-fetch full identities for peers we're speaking to.
+   Caches the public identity of every peer ZeroTier has spoken with in the last 60 days. This directory and its contents can be deleted, but this may result in slower connection initiations since it will require that we go out and re-fetch full identities for peers we're speaking to.
 * `networks.d` (directory):
   This caches network configurations and certificate information for networks you belong to. ZeroTier scans this directory for <network ID>.conf files on startup to recall its networks, so "touch"ing an empty <network ID>.conf file in this directory is a way of pre-configuring ZeroTier to join a specific network on startup without using the API. If the config file is empty ZeroTIer will just fetch it from the network's controller.
--- a/dockerbuild/Dockerfile.alpine
+++ b/dockerbuild/Dockerfile.alpine
@ -1,23 +0,0 @@
 FROM alpine:3.15
 ARG go_pkg_url
 RUN apk add --update alpine-sdk linux-headers cmake openssh curl
 RUN adduser -D -s /bin/ash jenkins && \
    passwd -u jenkins && \
    ssh-keygen -A && \
    mkdir /home/jenkins/.ssh && \
    chown -R jenkins:jenkins /home/jenkins
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz
 COPY authorized_keys /home/jenkins/.ssh/authorized_keys
 RUN chown -R jenkins:jenkins /home/jenkins/.ssh && \
    chmod 600 /home/jenkins/.ssh/authorized_keys
 EXPOSE 22
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.centos6
+++ b/dockerbuild/Dockerfile.centos6
@ -1,20 +0,0 @@
 FROM centos:6
 ARG go_pkg_url
 RUN yum update -y
 RUN yum install -y curl git wget openssh-server sudo make rpmdevtools && yum clean all
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
   rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN echo $'\n\
  export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n'\
  >> ~/.bash_profile
 RUN mkdir /rpmbuild && chmod 777 /rpmbuild
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.centos6-i386
+++ b/dockerbuild/Dockerfile.centos6-i386
@ -1,21 +0,0 @@
 FROM i386/centos:6
 ARG go_pkg_url
 RUN echo i386 > /etc/yum/vars/basearch && echo i686 > /etc/yum/vars/arch
 RUN yum install -y curl git wget openssh-server sudo make rpmdevtools && yum clean all
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN echo $'\n\
  export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n'\
  >> ~/.bash_profile
 RUN mkdir /rpmbuild && chmod 777 /rpmbuild
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.centos7
+++ b/dockerbuild/Dockerfile.centos7
@ -1,25 +0,0 @@
 FROM centos:7
 ARG go_pkg_url
 RUN yum install -y epel-release
 RUN yum install -y curl git wget openssh-server sudo make development-tools rpmdevtools clang gcc-c++ ruby ruby-devel centos-release-scl devtoolset-8 llvm-toolset-7 && yum clean all
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN wget -qO- "https://cmake.org/files/v3.15/cmake-3.15.1-Linux-x86_64.tar.gz" | tar --strip-components=1 -xz -C /usr/local
 RUN /usr/bin/ssh-keygen -A
 RUN useradd jenkins-build
 RUN echo $'\n\
  export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n\
  source scl_source enable devtoolset-8 llvm-toolset-7\n'\
  >> ~/.bash_profile
 RUN mkdir /rpmbuild && chmod 777 /rpmbuild
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.centos7-i386
+++ b/dockerbuild/Dockerfile.centos7-i386
@ -1,22 +0,0 @@
 FROM centos:7
 ARG go_pkg_url
 RUN yum install -y curl git wget openssh-server sudo make development-tools rpmdevtools clang gcc-c++ ruby ruby-devel && yum clean all
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN /usr/bin/ssh-keygen -A
 RUN useradd jenkins-build
 RUN echo $'\n\
  export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n'\
  >> ~/.bash_profile
 RUN mkdir /rpmbuild && chmod 777 /rpmbuild
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.centos8
+++ b/dockerbuild/Dockerfile.centos8
@ -1,25 +0,0 @@
 FROM centos:8
 ARG go_pkg_url
 RUN yum install -y epel-release
 RUN yum install -y curl git wget openssh-server sudo make rpmdevtools clang gcc-c++ ruby ruby-devel && yum clean all
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN wget -qO- "https://cmake.org/files/v3.15/cmake-3.15.1-Linux-x86_64.tar.gz" | tar --strip-components=1 -xz -C /usr/local
 RUN /usr/bin/ssh-keygen -A
 RUN useradd jenkins-build
 RUN echo $'\n\
  export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n\
  source scl_source enable devtoolset-8 llvm-toolset-7\n'\
  >> ~/.bash_profile
 RUN mkdir /rpmbuild && chmod 777 /rpmbuild
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.clefos-s390x
+++ b/dockerbuild/Dockerfile.clefos-s390x
@ -1,20 +0,0 @@
 FROM s390x/clefos:7
 ARG go_pkg_url
 RUN yum install -y curl git wget openssh-server sudo make development-tools rpmdevtools clang gcc-c++ ruby ruby-devel && yum clean all
 RUN curl -s $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN /usr/bin/ssh-keygen -A
 RUN echo $'\n\
  export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n'\
  >> ~/.bash_profile
 RUN mkdir /rpmbuild && chmod 777 /rpmbuild
 CMD ["/usr/sbin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.debian-bullseye
+++ b/dockerbuild/Dockerfile.debian-bullseye
@ -1,15 +0,0 @@
 FROM debian:bullseye-20191224
 ARG go_pkg_url
 RUN apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.debian-buster
+++ b/dockerbuild/Dockerfile.debian-buster
@ -1,15 +0,0 @@
 FROM debian:buster-20191224
 ARG go_pkg_url
 RUN apt-get update && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.debian-jessie
+++ b/dockerbuild/Dockerfile.debian-jessie
@ -1,15 +0,0 @@
 FROM debian:jessie-20191224
 ARG go_pkg_url
 RUN apt-get update && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.debian-sid
+++ b/dockerbuild/Dockerfile.debian-sid
@ -1,15 +0,0 @@
 FROM debian:sid-20191224
 ARG go_pkg_url
 RUN apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.debian-stretch
+++ b/dockerbuild/Dockerfile.debian-stretch
@ -1,15 +0,0 @@
 FROM debian:stretch-20191224
 ARG go_pkg_url
 RUN apt-get update && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.debian-wheezy
+++ b/dockerbuild/Dockerfile.debian-wheezy
@ -1,23 +0,0 @@
 FROM debian:wheezy-20190228
 ARG go_pkg_url
 RUN echo "deb http://archive.debian.org/debian/ wheezy contrib main non-free" > /etc/apt/sources.list && \
    echo "deb-src http://archive.debian.org/debian/ wheezy contrib main non-free" >> /etc/apt/sources.list && \
    apt-get update && apt-get install -y apt-utils && \
    apt-get install -y --force-yes \
    curl gcc make sudo expect gnupg fakeroot perl-base=5.14.2-21+deb7u3 perl \
    libc-bin=2.13-38+deb7u10 libc6=2.13-38+deb7u10 libc6-dev build-essential \
    cdbs devscripts equivs automake autoconf libtool libaudit-dev selinux-basics \
    libdb5.1=5.1.29-5 libdb5.1-dev libssl1.0.0=1.0.1e-2+deb7u20 procps gawk libsigsegv2 \
    curl ca-certificates devscripts
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.kali-rolling
+++ b/dockerbuild/Dockerfile.kali-rolling
@ -1,15 +0,0 @@
 FROM kalilinux/kali-rolling:latest
 ARG go_pkg_url
 RUN apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd cmake
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.ubuntu-bionic
+++ b/dockerbuild/Dockerfile.ubuntu-bionic
@ -1,15 +0,0 @@
 FROM ubuntu:bionic-20200112
 ARG go_pkg_url
 RUN apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.ubuntu-eoan
+++ b/dockerbuild/Dockerfile.ubuntu-eoan
@ -1,15 +0,0 @@
 FROM ubuntu:eoan-20200114
 ARG go_pkg_url
 RUN apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.ubuntu-trusty
+++ b/dockerbuild/Dockerfile.ubuntu-trusty
@ -1,15 +0,0 @@
 FROM ubuntu:trusty-20191217
 ARG go_pkg_url
 RUN apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Dockerfile.ubuntu-xenial
+++ b/dockerbuild/Dockerfile.ubuntu-xenial
@ -1,15 +0,0 @@
 FROM ubuntu:xenial-20200114
 ARG go_pkg_url
 RUN apt-get update && apt-get -y install build-essential curl ca-certificates devscripts dh-systemd
 RUN curl -s -k $go_pkg_url -o go.tar.gz && \
    tar -C /usr/local -xzf go.tar.gz && \
    rm go.tar.gz
 RUN groupadd -g 1000 jenkins-build && useradd -u 1000 -g 1000 jenkins-build
 RUN chmod 777 /home
 CMD ["/usr/bin/sshd", "-D"]
--- a/dockerbuild/Makefile
+++ b/dockerbuild/Makefile
@ -1,108 +0,0 @@
 .PHONY: all
 all:	alpine centos debian ubuntu kali-rolling
 alpine:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.alpine . -t ztbuild/alpine-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.alpine . -t ztbuild/alpine-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.alpine . -t ztbuild/alpine-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.alpine . -t ztbuild/alpine-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.alpine . -t ztbuild/alpine-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.alpine . -t ztbuild/alpine-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.alpine . -t ztbuild/alpine-s390x --load
 centos:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.centos7 . -t ztbuild/centos7-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.centos7-i386 . -t ztbuild/centos7-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.centos6 . -t ztbuild/centos6-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.centos6-i386 . -t ztbuild/centos6-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.centos8 . -t ztbuild/centos8-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.centos8 . -t ztbuild/centos8-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.centos8 . -t ztbuild/centos8-ppc64le --load
 debian:	debian-wheezy debian-jessie debian-buster debian-stretch debian-bullseye debian-sid
 debian-wheezy:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.debian-wheezy . -t ztbuild/debian-wheezy-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.debian-wheezy . -t ztbuild/debian-wheezy-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.debian-wheezy . -t ztbuild/debian-wheezy-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.debian-wheezy . -t ztbuild/debian-wheezy-i386 --load
 debian-jessie:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.debian-jessie . -t ztbuild/debian-jessie-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.debian-jessie . -t ztbuild/debian-jessie-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.debian-jessie . -t ztbuild/debian-jessie-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.debian-jessie . -t ztbuild/debian-jessie-i386 --load
 debian-buster:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.debian-buster . -t ztbuild/debian-buster-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.debian-buster . -t ztbuild/debian-buster-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.debian-buster . -t ztbuild/debian-buster-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.debian-buster . -t ztbuild/debian-buster-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.debian-buster . -t ztbuild/debian-buster-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.debian-buster . -t ztbuild/debian-buster-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.debian-buster . -t ztbuild/debian-buster-s390x --load
 debian-stretch:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.debian-stretch . -t ztbuild/debian-stretch-s390x --load
 debian-bullseye:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.debian-bullseye . -t ztbuild/debian-bullseye-s390x --load
 debian-sid:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.debian-sid . -t ztbuild/debian-sid-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.debian-sid . -t ztbuild/debian-sid-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v6 -f Dockerfile.debian-sid . -t ztbuild/debian-sid-armel --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.debian-sid . -t ztbuild/debian-sid-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.debian-sid . -t ztbuild/debian-sid-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.debian-sid . -t ztbuild/debian-sid-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.debian-sid . -t ztbuild/debian-sid-s390x --load
 ubuntu: ubuntu-trusty ubuntu-xenial ubuntu-bionic ubuntu-eoan
 ubuntu-trusty:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.ubuntu-trusty . -t ztbuild/ubuntu-trusty-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.ubuntu-trusty . -t ztbuild/ubuntu-trusty-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.ubuntu-trusty . -t ztbuild/ubuntu-trusty-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.ubuntu-trusty . -t ztbuild/ubuntu-trusty-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.ubuntu-trusty . -t ztbuild/ubuntu-trusty-ppc64le --load
 ubuntu-xenial:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.ubuntu-xenial . -t ztbuild/ubuntu-xenial-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.ubuntu-xenial . -t ztbuild/ubuntu-xenial-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.ubuntu-xenial . -t ztbuild/ubuntu-xenial-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.ubuntu-xenial . -t ztbuild/ubuntu-xenial-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.ubuntu-xenial . -t ztbuild/ubuntu-xenial-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.ubuntu-xenial . -t ztbuild/ubuntu-xenial-s390x --load
 ubuntu-bionic:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.ubuntu-bionic . -t ztbuild/ubuntu-bionic-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.ubuntu-bionic . -t ztbuild/ubuntu-bionic-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.ubuntu-bionic . -t ztbuild/ubuntu-bionic-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.ubuntu-bionic . -t ztbuild/ubuntu-bionic-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.ubuntu-bionic . -t ztbuild/ubuntu-bionic-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.ubuntu-bionic . -t ztbuild/ubuntu-bionic-s390x --load
 ubuntu-eoan:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.ubuntu-eoan . -t ztbuild/ubuntu-eoan-amd64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-arm64.tar.gz" --platform linux/arm64 -f Dockerfile.ubuntu-eoan . -t ztbuild/ubuntu-eoan-arm64 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz" --platform linux/arm/v7 -f Dockerfile.ubuntu-eoan . -t ztbuild/ubuntu-eoan-armhf --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-386.tar.gz" --platform linux/386 -f Dockerfile.ubuntu-eoan . -t ztbuild/ubuntu-eoan-i386 --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-ppc64le.tar.gz" --platform linux/ppc64le -f Dockerfile.ubuntu-eoan . -t ztbuild/ubuntu-eoan-ppc64le --load
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-s390x.tar.gz" --platform linux/s390x -f Dockerfile.ubuntu-eoan . -t ztbuild/ubuntu-eoan-s390x --load
 kali-rolling:
 	@docker buildx build --build-arg go_pkg_url="https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz" --platform linux/amd64 -f Dockerfile.kali-rolling . -t ztbuild/kali-rolling-amd64 --load
--- a/dockerbuild/authorized_keys
+++ b/dockerbuild/authorized_keys
@ -1,2 +0,0 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8hgysbj2Luu3aN/Ya2wr4Y9LpUGqWWfn3k+UhIwOIE/Kd7/YpLjxHpseUA1hLnj9kHFShH8eiqoY0S6EDIYrTUwbXMMu8454lX/LcJOCJ9RlSeMMf7vpkxcI7cVRgOA430a3FR7M0Q8vKlyJzxxAEjMIxMyuVyinknfanNt+sQFiDUvOXoacqgZAHBWMlO7wOPyHWHNOzy7g8N0dHiJveKZqX/UUwuqJuS6UBq7MBMSU6TcMvJwHr+AbNvfyIUWCqlTByqFL9cmviRbIvQanxoRxi/5fVUGhtVBXUYvbCdFxDw5W2Svo9fDMm4Z5xWAD7rY1J3AM15RVyRTTtYvgD
--- a/dockerbuild/pipelint.sh
+++ b/dockerbuild/pipelint.sh
@ -1,13 +0,0 @@
 # curl (REST API)
 # User
 JENKINS_USER=grant
 # Api key from "/me/configure" on my Jenkins instance
 JENKINS_USER_KEY=11edf2d49321321119712c46c6349eaad7
 # Url for my local Jenkins instance.
 JENKINS_URL=http://$JENKINS_USER:$JENKINS_USER_KEY@jenkins.int.zerotier.com
 # JENKINS_CRUMB is needed if your Jenkins master has CRSF protection enabled (which it should)
 JENKINS_CRUMB=`curl "$JENKINS_URL/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)"`
 curl -X POST -H $JENKINS_CRUMB -F "jenkinsfile=<Jenkinsfile" $JENKINS_URL/pipeline-model-converter/validate
--- a/ext/central-controller-docker/Dockerfile.builder
+++ b/ext/central-controller-docker/Dockerfile.builder
@ -18,6 +18,8 @@ RUN apt -y install \
    libssl-dev \
    postgresql-client \
    postgresql-client-common \
-    curl
+    curl \
    google-perftools \
    libgoogle-perftools-dev
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
--- a/ext/central-controller-docker/Dockerfile.run_base
+++ b/ext/central-controller-docker/Dockerfile.run_base
@ -1,8 +1,14 @@
 FROM ubuntu:jammy
 RUN apt update && apt upgrade -y
 RUN apt -y install \
    postgresql-client \
    postgresql-client-common \
    libjemalloc2 \
    libpq5 \
-    curl
+    curl \
    binutils \
    linux-tools-gke \
    perf-tools-unstable \
    google-perftools
--- a/ext/installfiles/mac/ZeroTier
+++ b/ext/installfiles/mac/ZeroTier
@ -701,7 +701,7 @@
 				<key>USE_HFS+_COMPRESSION</key>
 				<false/>
 				<key>VERSION</key>
-				<string>1.10.1</string>
+				<string>1.10.2</string>
 			</dict>
 			<key>TYPE</key>
 			<integer>0</integer>
--- a/ext/installfiles/windows/Prerequisites/Visual
+++ b/ext/installfiles/windows/Prerequisites/Visual
--- a/ext/installfiles/windows/Prerequisites/Visual
+++ b/ext/installfiles/windows/Prerequisites/Visual
--- a/ext/installfiles/windows/ZeroTier
+++ b/ext/installfiles/windows/ZeroTier
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<DOCUMENT Type="Advanced Installer" CreateVersion="10.9" version="19.5" Modules="enterprise" RootPath="." Language="en" Id="{DC564647-6BF0-4550-87F4-89C938D0159C}">
+<DOCUMENT Type="Advanced Installer" CreateVersion="10.9" version="20.0" Modules="enterprise" RootPath="." Language="en" Id="{DC564647-6BF0-4550-87F4-89C938D0159C}">
  <COMPONENT cid="caphyon.advinst.msicomp.ProjectOptionsComponent">
-    <ROW Name="HiddenItems" Value="ActSyncAppComponent;CPLAppletComponent;AutorunComponent;GameUxComponent;SilverlightSlnComponent;AppXAppDetailsComponent;FixupComponent;AppXCapabilitiesComponent;AppXDependenciesComponent;AppXProductDetailsComponent;AppXVisualAssetsComponent;AppXAppDeclarationsComponent;AppXUriRulesComponent;MsiXDiffComponent;MsixManifestEditorComponent"/>
+    <ROW Name="HiddenItems" Value="ActSyncAppComponent;CPLAppletComponent;AutorunComponent;GameUxComponent;SilverlightSlnComponent;SharePointSlnComponent;AppXAppDetailsComponent;FixupComponent;AppXCapabilitiesComponent;AppXDependenciesComponent;AppXProductDetailsComponent;AppXVisualAssetsComponent;AppXAppDeclarationsComponent;AppXUriRulesComponent;MsiXDiffComponent;MsixManifestEditorComponent"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiPropsComponent">
    <ROW Property="AI_BITMAP_DISPLAY_MODE" Value="0"/>
@ -9,7 +9,7 @@
    <ROW Property="AI_EMBD_MSI_EXTR_PATH" Value="[TempFolder]" ValueLocId="-"/>
    <ROW Property="AI_EXTERNALUIUNINSTALLERNAME" MultiBuildValue="DefaultBuild:aiui"/>
    <ROW Property="AI_FINDEXE_TITLE" Value="Select the installation package for [|ProductName]" ValueLocId="AI.Property.FindExeTitle"/>
-    <ROW Property="AI_PACKAGING_TOOL" Value="Advanced Installer 19.5 build 36301275" ValueLocId="-"/>
+    <ROW Property="AI_PACKAGING_TOOL" Value="Advanced Installer 20.0 build e4706cc2" ValueLocId="-"/>
    <ROW Property="AI_PREDEF_LCONDS_PROPS" Value="AI_DETECTED_DOTNET_VERSION"/>
    <ROW Property="AI_PREREQ_REPAIR_ENABLED" MultiBuildValue="ExeBuild:1"/>
    <ROW Property="AI_PRODUCTNAME_ARP" Value="ZeroTier One"/>
@ -32,10 +32,10 @@
    <ROW Property="LIMITUI" MultiBuildValue="DefaultBuild:1"/>
    <ROW Property="MSIFASTINSTALL" MultiBuildValue="DefaultBuild:2"/>
    <ROW Property="Manufacturer" Value="ZeroTier, Inc."/>
-    <ROW Property="ProductCode" Value="1033:{5FF7375F-69D4-4CAA-800B-3EA1E587AAAE} " Type="16"/>
+    <ROW Property="ProductCode" Value="1033:{49E28DB8-25E1-4B84-81B8-D6C7C8091A40} " Type="16"/>
    <ROW Property="ProductLanguage" Value="1033"/>
    <ROW Property="ProductName" Value="ZeroTier One"/>
-    <ROW Property="ProductVersion" Value="1.10.0"/>
+    <ROW Property="ProductVersion" Value="1.10.2"/>
    <ROW Property="REBOOT" MultiBuildValue="DefaultBuild:ReallySuppress"/>
    <ROW Property="SecureCustomProperties" Value="OLDPRODUCTS;AI_NEWERPRODUCTFOUND;AI_SETUPEXEPATH;SETUPEXEDIR"/>
    <ROW Property="UpgradeCode" Value="{B0E2A5F3-88B6-4E77-B922-CB4739B4C4C8}"/>
@ -70,12 +70,10 @@
    <ROW Directory="x86_Dir" Directory_Parent="tapwindows_Dir" DefaultDir="x86" DirectoryOptions="12"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiCompsComponent">
-    <ROW Component="A918597FE054CCCB65ABDBA0AD8F63C" ComponentId="{9EBBA2D0-7170-4C6C-9B07-9405F08DC282}" Directory_="APPDIR" Attributes="4" KeyPath="A918597FE054CCCB65ABDBA0AD8F63C" Options="2"/>
+    <ROW Component="AI_CustomARPName" ComponentId="{578A0B34-2AAA-4452-B725-86FC90EB4C2B}" Directory_="APPDIR" Attributes="4" KeyPath="DisplayName" Options="1"/>
    <ROW Component="AI_CustomARPName" ComponentId="{B1226053-207C-4922-AF29-49542B56F5FB}" Directory_="APPDIR" Attributes="4" KeyPath="DisplayName" Options="1"/>
    <ROW Component="AI_DisableModify" ComponentId="{46FFA8C5-A0CB-4E05-9AD3-911D543DE8CA}" Directory_="APPDIR" Attributes="4" KeyPath="NoModify" Options="1"/>
    <ROW Component="AI_ExePath" ComponentId="{8E02B36C-7A19-429B-A93E-77A9261AC918}" Directory_="APPDIR" Attributes="4" KeyPath="AI_ExePath"/>
    <ROW Component="APPDIR" ComponentId="{4DD7907D-D7FE-4CD6-B1A0-B5C1625F5133}" Directory_="APPDIR" Attributes="0"/>
    <ROW Component="C4FE6FD5B7C4D07B3A313E754A9A6A8" ComponentId="{8F2CBC66-14B3-4DF4-8F6E-4B79B080BB12}" Directory_="APPDIR" Attributes="4" KeyPath="C4FE6FD5B7C4D07B3A313E754A9A6A8" Options="2"/>
    <ROW Component="One" ComponentId="{41AB11E7-066E-414A-96F8-F051D3D3B353}" Directory_="One_Dir" Attributes="0"/>
    <ROW Component="ProductInformation" ComponentId="{DB078D04-EA8E-4A7C-9001-89BAD932F9D9}" Directory_="APPDIR" Attributes="4" KeyPath="Version"/>
    <ROW Component="ZeroTier" ComponentId="{8864F744-9BDF-4891-88A1-6D23D76BCCB1}" Directory_="ZeroTier_Dir" Attributes="0"/>
@ -94,8 +92,6 @@
    <ROW Component="zttap300_x86_win10" ComponentId="{9F913E48-095B-4EA3-98DA-EDAB1593F3E3}" Directory_="x86_Dir" Attributes="0" Condition="NOT VersionNT64" KeyPath="zttap300.cat_3" Type="0"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiFeatsComponent">
    <ROW Feature="A918597FE054CCCB65ABDBA0AD8F63C" Title="Visual C++ Redistributable for Visual Studio 2015-2022 x86" Description="Visual C++ Redistributable for Visual Studio 2015-2022 x86" Display="5" Level="1" Attributes="0"/>
    <ROW Feature="C4FE6FD5B7C4D07B3A313E754A9A6A8" Title="Visual C++ Redistributable for Visual Studio 2015-2022 x64" Description="Visual C++ Redistributable for Visual Studio 2015-2022 x64" Display="3" Level="1" Attributes="0"/>
    <ROW Feature="MainFeature" Title="MainFeature" Description="Description" Display="1" Level="1" Directory_="APPDIR" Attributes="0"/>
    <ROW Feature="ZeroTierOne" Title="MainFeature" Description="ZeroTier One" Display="0" Level="1" Directory_="APPDIR" Attributes="0"/>
    <ATTRIBUTE name="CurrentFeature" value="ZeroTierOne"/>
@ -164,25 +160,19 @@
    <ROW Fragment="WelcomeDlg.aip" Path="&lt;AI_THEMES&gt;classic\fragments\WelcomeDlg.aip"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiActionTextComponent">
    <ROW Action="AI_ConfigureChainer" Description="Configuring prerequisites launcher" DescriptionLocId="ActionText.Description.AI_ConfigureChainer" Template="Configure Launcher" TemplateLocId="ActionText.Template.AI_ConfigureChainer"/>
    <ROW Action="AI_DeleteLzma" Description="Deleting files extracted from archive" DescriptionLocId="ActionText.Description.AI_DeleteLzma" TemplateLocId="-"/>
    <ROW Action="AI_DeleteRLzma" Description="Deleting files extracted from archive" DescriptionLocId="ActionText.Description.AI_DeleteLzma" TemplateLocId="-"/>
    <ROW Action="AI_DownloadPrereq" Description="Downloading prerequisite software" DescriptionLocId="ActionText.Description.AI_DownloadPrereq" Template="Downloading [1]{[2] completed}" TemplateLocId="ActionText.Template.AI_DownloadPrereq"/>
    <ROW Action="AI_ExtractFiles" Description="Extracting files from archive" DescriptionLocId="ActionText.Description.AI_ExtractLzma" TemplateLocId="-"/>
    <ROW Action="AI_ExtractLzma" Description="Extracting files from archive" DescriptionLocId="ActionText.Description.AI_ExtractLzma" TemplateLocId="-"/>
    <ROW Action="AI_ExtractPrereq" Description="Extracting prerequisite software" DescriptionLocId="ActionText.Description.AI_ExtractPrereq" Template="Extracting [1]{[2] completed}" TemplateLocId="ActionText.Template.AI_ExtractPrereq"/>
    <ROW Action="AI_FwConfig" Description="Executing Windows Firewall configurations" DescriptionLocId="ActionText.Description.AI_FwConfig" Template="Configuring Windows Firewall rule: &quot;[1]&quot;" TemplateLocId="ActionText.Template.AI_FwConfig"/>
    <ROW Action="AI_FwInstall" Description="Generating actions to configure Windows Firewall" DescriptionLocId="ActionText.Description.AI_FwInstall"/>
    <ROW Action="AI_FwRemove" Description="Executing Windows Firewall configurations" DescriptionLocId="ActionText.Description.AI_FwRemove" Template="Configuring Windows Firewall rule:  &quot;[1]&quot;" TemplateLocId="ActionText.Template.AI_FwRemove"/>
    <ROW Action="AI_FwRollback" Description="Rolling back Windows Firewall configurations." DescriptionLocId="ActionText.Description.AI_FwRollback" Template="Rolling back Windows Firewall configurations." TemplateLocId="ActionText.Template.AI_FwRollback"/>
    <ROW Action="AI_FwUninstall" Description="Generating actions to configure Windows Firewall" DescriptionLocId="ActionText.Description.AI_FwUninstall"/>
    <ROW Action="AI_InstallPostPrerequisite" Description="Installing prerequisite software" DescriptionLocId="ActionText.Description.AI_InstallPrerequisite" Template="Installing [1]{[2] completed}" TemplateLocId="ActionText.Template.AI_InstallPrerequisite"/>
    <ROW Action="AI_InstallPrerequisite" Description="Installing prerequisite software" DescriptionLocId="ActionText.Description.AI_InstallPrerequisite" Template="Installing [1]{[2] completed}" TemplateLocId="ActionText.Template.AI_InstallPrerequisite"/>
    <ROW Action="AI_TxtUpdaterCommit" Description="Commit text file changes. " DescriptionLocId="ActionText.Description.AI_TxtUpdaterCommit" Template="Commit text file changes." TemplateLocId="ActionText.Template.AI_TxtUpdaterCommit"/>
    <ROW Action="AI_TxtUpdaterConfig" Description="Executing text file updates" DescriptionLocId="ActionText.Description.AI_TxtUpdaterConfig" Template="Updating text file: &quot;[1]&quot;" TemplateLocId="ActionText.Template.AI_TxtUpdaterConfig"/>
    <ROW Action="AI_TxtUpdaterInstall" Description="Generating actions to configure text files updates" DescriptionLocId="ActionText.Description.AI_TxtUpdaterInstall"/>
    <ROW Action="AI_TxtUpdaterRollback" Description="Rolling back text file changes. " DescriptionLocId="ActionText.Description.AI_TxtUpdaterRollback" Template="Rolling back text file changes." TemplateLocId="ActionText.Template.AI_TxtUpdaterRollback"/>
    <ROW Action="AI_VerifyPrereq" Description="Verifying prerequisites" DescriptionLocId="ActionText.Description.AI_VerifyPrereq" Template="[1] was not installed correctly." TemplateLocId="ActionText.Template.AI_VerifyPrereq"/>
    <ROW Action="AI_XmlCommit" Description="Committing XML file configurations." DescriptionLocId="ActionText.Description.AI_XmlCommit" Template="Committing XML file configurations." TemplateLocId="ActionText.Template.AI_XmlCommit"/>
    <ROW Action="AI_XmlConfig" Description="Executing XML file configurations" DescriptionLocId="ActionText.Description.AI_XmlConfig" Template="Configuring XML file: &quot;[1]&quot;" TemplateLocId="ActionText.Template.AI_XmlConfig"/>
    <ROW Action="AI_XmlInstall" Description="Generating actions to configure XML files" DescriptionLocId="ActionText.Description.AI_XmlInstall"/>
@ -201,12 +191,10 @@
    <ROW Name="SoftwareDetector.dll" SourcePath="&lt;AI_CUSTACTS&gt;SoftwareDetector.dll"/>
    <ROW Name="TxtUpdater.dll" SourcePath="&lt;AI_CUSTACTS&gt;TxtUpdater.dll"/>
    <ROW Name="aicustact.dll" SourcePath="&lt;AI_CUSTACTS&gt;aicustact.dll"/>
    <ROW Name="aipackagechainer.exe" SourcePath="&lt;AI_CUSTACTS&gt;aipackagechainer.exe"/>
    <ROW Name="chainersupport.dll" SourcePath="&lt;AI_CUSTACTS&gt;chainersupport.dll"/>
    <ROW Name="file_deleter.ps1" SourcePath="&lt;AI_SCRIPTS&gt;file_deleter.ps1"/>
    <ROW Name="lzmaextractor.dll" SourcePath="&lt;AI_CUSTACTS&gt;lzmaextractor.dll"/>
    <ROW Name="msichainer.exe" SourcePath="&lt;AI_CUSTACTS&gt;msichainer.exe"/>
-    <ROW Name="viewer.exe" SourcePath="&lt;AI_CUSTACTS&gt;viewer.exe"/>
+    <ROW Name="viewer.exe" SourcePath="&lt;AI_CUSTACTS&gt;viewer.exe" DigSign="true"/>
    <ROW Name="xmlCfg.dll" SourcePath="&lt;AI_CUSTACTS&gt;xmlCfg.dll"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiControlComponent">
@ -262,9 +250,6 @@
    <ROW Dialog_="WelcomeDlg" Control_="Back" Event="[ButtonText_Next]" Argument="[AI_ButtonText_Next_Orig]" Condition="AI_INSTALL" Ordering="0" Options="2"/>
    <ROW Dialog_="WelcomeDlg" Control_="Back" Event="[Text_Next]" Argument="[AI_Text_Next_Orig]" Condition="AI_INSTALL" Ordering="1" Options="2"/>
    <ROW Dialog_="ExitDialog" Control_="Finish" Event="DoAction" Argument="AI_ChainerScheduleReboot" Condition="Not AIEXTERNALUI" Ordering="302"/>
    <ROW Dialog_="ExitDialog" Control_="Finish" Event="DoAction" Argument="AI_CleanPrereq" Condition="1" Ordering="303"/>
    <ROW Dialog_="FatalError" Control_="Finish" Event="DoAction" Argument="AI_CleanPrereq" Condition="1" Ordering="102"/>
    <ROW Dialog_="UserExit" Control_="Finish" Event="DoAction" Argument="AI_CleanPrereq" Condition="1" Ordering="101"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiCreateFolderComponent">
    <ROW Directory_="networks.d_Dir" Component_="networks.d" ManualDelete="false"/>
@ -282,9 +267,7 @@
    <ROW Action="AI_AppSearchEx" Type="1" Source="Prereq.dll" Target="DoAppSearchEx"/>
    <ROW Action="AI_BACKUP_AI_SETUPEXEPATH" Type="51" Source="AI_SETUPEXEPATH_ORIGINAL" Target="[AI_SETUPEXEPATH]"/>
    <ROW Action="AI_ChainerScheduleReboot" Type="1" Source="chainersupport.dll" Target="ScheduleReboot" WithoutSeq="true"/>
    <ROW Action="AI_CleanPrereq" Type="65" Source="Prereq.dll" Target="CleanPrereq" WithoutSeq="true"/>
    <ROW Action="AI_CommitChainers" Type="11841" Source="chainersupport.dll" Target="CommitChainedPackages" WithoutSeq="true"/>
    <ROW Action="AI_ConfigureChainer" Type="1" Source="Prereq.dll" Target="ConfigurePrereqLauncher"/>
    <ROW Action="AI_DATA_SETTER" Type="51" Source="CustomActionData" Target="[~]"/>
    <ROW Action="AI_DATA_SETTER_1" Type="51" Source="CustomActionData" Target="[~]"/>
    <ROW Action="AI_DATA_SETTER_2" Type="51" Source="CustomActionData" Target="[~]"/>
@ -299,13 +282,11 @@
    <ROW Action="AI_DeleteRLzma" Type="1281" Source="lzmaextractor.dll" Target="DeleteLZMAFiles"/>
    <ROW Action="AI_DetectSoftware" Type="257" Source="SoftwareDetector.dll" Target="OnDetectSoftware"/>
    <ROW Action="AI_DoRemoveExternalUIStub" Type="3585" Source="ExternalUICleaner.dll" Target="DoRemoveExternalUIStub" WithoutSeq="true"/>
    <ROW Action="AI_DownloadPrereq" Type="1" Source="Prereq.dll" Target="DownloadPrereq"/>
    <ROW Action="AI_DpiContentScale" Type="1" Source="aicustact.dll" Target="DpiContentScale"/>
    <ROW Action="AI_EnableDebugLog" Type="321" Source="aicustact.dll" Target="EnableDebugLog"/>
    <ROW Action="AI_ExtractCadLzma" Type="51" Source="AI_ExtractLzma" Target="[AI_SETUPEXEPATH]"/>
    <ROW Action="AI_ExtractFiles" Type="1" Source="Prereq.dll" Target="ExtractSourceFiles" AdditionalSeq="AI_DATA_SETTER_4"/>
    <ROW Action="AI_ExtractLzma" Type="1025" Source="lzmaextractor.dll" Target="ExtractLZMAFiles"/>
    <ROW Action="AI_ExtractPrereq" Type="65" Source="Prereq.dll" Target="ExtractPrereq"/>
    <ROW Action="AI_FindExeLzma" Type="1" Source="lzmaextractor.dll" Target="FindEXE"/>
    <ROW Action="AI_FwConfig" Type="11265" Source="NetFirewall.dll" Target="OnFwConfig" WithoutSeq="true"/>
    <ROW Action="AI_FwInstall" Type="1" Source="NetFirewall.dll" Target="OnFwInstall" AdditionalSeq="AI_DATA_SETTER_2"/>
@ -314,9 +295,6 @@
    <ROW Action="AI_FwUninstall" Type="1" Source="NetFirewall.dll" Target="OnFwUninstall" AdditionalSeq="AI_DATA_SETTER_3"/>
    <ROW Action="AI_GetArpIconPath" Type="1" Source="aicustact.dll" Target="GetArpIconPath"/>
    <ROW Action="AI_InstallModeCheck" Type="1" Source="aicustact.dll" Target="UpdateInstallMode" WithoutSeq="true"/>
    <ROW Action="AI_InstallPostPrerequisite" Type="1" Source="Prereq.dll" Target="InstallPostPrereq"/>
    <ROW Action="AI_InstallPrerequisite" Type="1" Source="Prereq.dll" Target="InstallPrereq"/>
    <ROW Action="AI_LaunchChainer" Type="3314" Source="AI_PREREQ_CHAINER"/>
    <ROW Action="AI_PREPARE_UPGRADE" Type="65" Source="aicustact.dll" Target="PrepareUpgrade"/>
    <ROW Action="AI_PrepareChainers" Type="1" Source="chainersupport.dll" Target="PrepareChainedPackages"/>
    <ROW Action="AI_RESTORE_AI_SETUPEXEPATH" Type="51" Source="AI_SETUPEXEPATH" Target="[AI_SETUPEXEPATH_ORIGINAL]"/>
@ -331,7 +309,6 @@
    <ROW Action="AI_TxtUpdaterConfig" Type="11265" Source="TxtUpdater.dll" Target="OnTxtUpdaterConfig" WithoutSeq="true"/>
    <ROW Action="AI_TxtUpdaterInstall" Type="1" Source="TxtUpdater.dll" Target="OnTxtUpdaterInstall"/>
    <ROW Action="AI_TxtUpdaterRollback" Type="11521" Source="TxtUpdater.dll" Target="OnTxtUpdaterRollback" WithoutSeq="true"/>
    <ROW Action="AI_VerifyPrereq" Type="1" Source="Prereq.dll" Target="VerifyPrereq"/>
    <ROW Action="AI_XmlCommit" Type="11777" Source="xmlCfg.dll" Target="OnXmlCommit" WithoutSeq="true"/>
    <ROW Action="AI_XmlConfig" Type="11265" Source="xmlCfg.dll" Target="OnXmlConfig" WithoutSeq="true"/>
    <ROW Action="AI_XmlInstall" Type="1" Source="xmlCfg.dll" Target="OnXmlInstall" AdditionalSeq="AI_DATA_SETTER"/>
@ -377,8 +354,6 @@
    <ROW Feature_="ZeroTierOne" Component_="x64"/>
    <ROW Feature_="ZeroTierOne" Component_="x86"/>
    <ROW Feature_="ZeroTierOne" Component_="i686_1"/>
    <ROW Feature_="C4FE6FD5B7C4D07B3A313E754A9A6A8" Component_="C4FE6FD5B7C4D07B3A313E754A9A6A8"/>
    <ROW Feature_="A918597FE054CCCB65ABDBA0AD8F63C" Component_="A918597FE054CCCB65ABDBA0AD8F63C"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiIconsComponent">
    <ROW Name="ZeroTierIcon.exe" SourcePath="..\..\..\artwork\ZeroTierIcon.ico" Index="0"/>
@ -393,7 +368,7 @@
    <ROW Action="AI_DATA_SETTER" Condition="(REMOVE &lt;&gt; &quot;ALL&quot;)" Sequence="5102"/>
    <ROW Action="AI_XmlUninstall" Condition="(REMOVE)" Sequence="3102"/>
    <ROW Action="AI_DATA_SETTER_1" Condition="(REMOVE)" Sequence="3101"/>
-    <ROW Action="InstallFinalize" Sequence="6604" SeqType="0" MsiKey="InstallFinalize"/>
+    <ROW Action="InstallFinalize" Sequence="6605" SeqType="0" MsiKey="InstallFinalize"/>
    <ROW Action="AI_RemoveExternalUIStub" Condition="(REMOVE=&quot;ALL&quot;) AND ((VersionNT &gt; 500) OR((VersionNT = 500) AND (ServicePackLevel &gt;= 4)))" Sequence="1501"/>
    <ROW Action="TapDeviceRemove32" Condition="( Installed AND ( REMOVE = &quot;ALL&quot; OR AI_INSTALL_MODE = &quot;Remove&quot; ) AND NOT UPGRADINGPRODUCTCODE ) AND ( NOT VersionNT64 )" Sequence="1605"/>
    <ROW Action="TapDeviceRemove64" Condition="( Installed AND ( REMOVE = &quot;ALL&quot; OR AI_INSTALL_MODE = &quot;Remove&quot; ) AND NOT UPGRADINGPRODUCTCODE ) AND ( VersionNT64 )" Sequence="1606"/>
@ -422,12 +397,9 @@
    <ROW Action="AI_GetArpIconPath" Sequence="1401"/>
    <ROW Action="TerminateUINew" Sequence="1604"/>
    <ROW Action="AI_DATA_SETTER_5" Sequence="1603"/>
-    <ROW Action="LaunchUI" Condition="( NOT Installed ) AND ( ZTHEADLESS = &quot;No&quot; )" Sequence="6605"/>
+    <ROW Action="LaunchUI" Condition="( NOT Installed ) AND ( ZTHEADLESS = &quot;No&quot; )" Sequence="6606"/>
    <ROW Action="AI_DETECT_MODERNWIN" Condition="(VersionNT &gt;= 603)" Sequence="54" MsiKey="AI_DETECT_MODERNWIN"/>
    <ROW Action="AI_ResolveLocalizedCredentials" Sequence="51"/>
    <ROW Action="AI_ConfigureChainer" Condition="((UILevel = 2) OR (UILevel = 3)) AND (NOT UPGRADINGPRODUCTCODE)" Sequence="6602"/>
    <ROW Action="AI_LaunchChainer" Condition="AI_PREREQ_CHAINER AND (NOT UPGRADINGPRODUCTCODE)" Sequence="6603"/>
    <ROW Action="AI_VerifyPrereq" Sequence="1101"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiInstallUISequenceComponent">
    <ROW Action="AI_RESTORE_LOCATION" Condition="APPDIR=&quot;&quot;" Sequence="749"/>
@ -440,11 +412,6 @@
    <ROW Action="AI_EnableDebugLog" Sequence="52"/>
    <ROW Action="AI_AppSearchEx" Sequence="101"/>
    <ROW Action="AI_ResolveLocalizedCredentials" Sequence="51"/>
    <ROW Action="AI_DownloadPrereq" Sequence="1296"/>
    <ROW Action="AI_ExtractPrereq" Sequence="1297"/>
    <ROW Action="AI_InstallPrerequisite" Sequence="1298"/>
    <ROW Action="AI_InstallPostPrerequisite" Sequence="1300"/>
    <ROW Action="AI_CleanPrereq" Sequence="1301"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiLaunchConditionsComponent">
    <ROW Condition="( Version9X OR ( NOT VersionNT64 ) OR ( VersionNT64 AND ((VersionNT64 &lt;&gt; 600) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT64 &lt;&gt; 600) OR (MsiNTProductType = 1)) AND ((VersionNT64 &lt;&gt; 601) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT64 &lt;&gt; 601) OR (MsiNTProductType = 1)) ) )" Description="[ProductName] cannot be installed on the following Windows versions: [WindowsTypeNT64Display]." DescriptionLocId="AI.LaunchCondition.NoSpecificNT64" IsPredefined="true" Builds="DefaultBuild"/>
@ -453,6 +420,7 @@
    <ROW Condition="(VersionNT &lt;&gt; 400)" Description="[ProductName] cannot be installed on [WindowsTypeNT40Display]." DescriptionLocId="AI.LaunchCondition.NoNT40" IsPredefined="true" Builds="DefaultBuild;ExeBuild"/>
    <ROW Condition="(VersionNT &lt;&gt; 500)" Description="[ProductName] cannot be installed on [WindowsTypeNT50Display]." DescriptionLocId="AI.LaunchCondition.NoNT50" IsPredefined="true" Builds="DefaultBuild;ExeBuild"/>
    <ROW Condition="AI_DETECTED_DOTNET_VERSION &gt;= AI_REQUIRED_DOTNET_VERSION" Description="[ProductName] cannot be installed on systems with .NET Framework version lower than [AI_REQUIRED_DOTNET_DISPLAY]." DescriptionLocId="AI.LaunchCondition.DotNET" IsPredefined="true" Builds="DefaultBuild"/>
    <ROW Condition="NOT AiArm64" Description="[ProductName] cannot be installed on systems running on ARM64 processors. Check for a ARM64 version of [ProductName]" DescriptionLocId="AI.LaunchCondition.ARM64" IsPredefined="true" Builds="DefaultBuild"/>
    <ROW Condition="Privileged" Description="[ProductName] requires administrative privileges to install." DescriptionLocId="AI.LaunchCondition.Privileged" IsPredefined="true" Builds="DefaultBuild"/>
    <ROW Condition="SETUPEXEDIR OR (REMOVE=&quot;ALL&quot;)" Description="This package can only be run from a bootstrapper." DescriptionLocId="AI.LaunchCondition.RequireBootstrapper" IsPredefined="true" Builds="ExeBuild"/>
    <ROW Condition="VersionNT" Description="[ProductName] cannot be installed on [WindowsType9XDisplay]." DescriptionLocId="AI.LaunchCondition.No9X" IsPredefined="true" Builds="DefaultBuild;ExeBuild"/>
@ -479,10 +447,8 @@
    <ROW Signature_="AI_EXE_PATH_LM" Root="2" Key="Software\Caphyon\Advanced Installer\LZMA\[ProductCode]\[ProductVersion]" Name="AI_ExePath" Type="2"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiRegsComponent">
    <ROW Registry="A918597FE054CCCB65ABDBA0AD8F63C" Root="-1" Key="Software\Caphyon\Advanced Installer\Prereqs\[ProductCode]\[ProductVersion]" Name="A918597FE054CCCB65ABDBA0AD8F63C" Value="1" Component_="A918597FE054CCCB65ABDBA0AD8F63C"/>
    <ROW Registry="AI_ExePath" Root="-1" Key="Software\Caphyon\Advanced Installer\LZMA\[ProductCode]\[ProductVersion]" Name="AI_ExePath" Value="[AI_SETUPEXEPATH]" Component_="AI_ExePath"/>
    <ROW Registry="AdvancedInstaller" Root="-1" Key="Software\Caphyon\Advanced Installer" Name="\"/>
    <ROW Registry="C4FE6FD5B7C4D07B3A313E754A9A6A8" Root="-1" Key="Software\Caphyon\Advanced Installer\Prereqs\[ProductCode]\[ProductVersion]" Name="C4FE6FD5B7C4D07B3A313E754A9A6A8" Value="1" Component_="C4FE6FD5B7C4D07B3A313E754A9A6A8"/>
    <ROW Registry="Caphyon" Root="-1" Key="Software\Caphyon" Name="\"/>
    <ROW Registry="Comments" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="Comments" Value="[ARPCOMMENTS]" Component_="AI_CustomARPName"/>
    <ROW Registry="Contact" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="Contact" Value="[ARPCONTACT]" Component_="AI_CustomARPName"/>
@ -501,12 +467,9 @@
    <ROW Registry="NoModify" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="NoModify" Value="#1" Component_="AI_DisableModify" VirtualValue="#"/>
    <ROW Registry="NoRepair" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="NoRepair" Value="#1" Component_="AI_CustomARPName" VirtualValue="#"/>
    <ROW Registry="Path" Root="-1" Key="Software\[Manufacturer]\[ProductName]" Name="Path" Value="[APPDIR]" Component_="ProductInformation"/>
    <ROW Registry="Prereqs" Root="-1" Key="Software\Caphyon\Advanced Installer\Prereqs" Name="\"/>
    <ROW Registry="ProductCode" Root="-1" Key="Software\Caphyon\Advanced Installer\Prereqs\[ProductCode]" Name="\"/>
    <ROW Registry="ProductCode_1" Root="-1" Key="Software\Caphyon\Advanced Installer\LZMA\[ProductCode]" Name="\"/>
    <ROW Registry="ProductName" Root="-1" Key="Software\[Manufacturer]\[ProductName]" Name="\"/>
    <ROW Registry="ProductNameProductVersion" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="\"/>
    <ROW Registry="ProductVersion" Root="-1" Key="Software\Caphyon\Advanced Installer\Prereqs\[ProductCode]\[ProductVersion]" Name="\"/>
    <ROW Registry="ProductVersion_1" Root="-1" Key="Software\Caphyon\Advanced Installer\LZMA\[ProductCode]\[ProductVersion]" Name="\"/>
    <ROW Registry="Publisher" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="Publisher" Value="[Manufacturer]" Component_="AI_CustomARPName"/>
    <ROW Registry="Readme" Root="-1" Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\[ProductName] [ProductVersion]" Name="Readme" Value="[ARPREADME]" Component_="AI_CustomARPName"/>
@ -540,15 +503,7 @@
    <ROW UpgradeCode="[|UpgradeCode]" VersionMin="0.0.1" VersionMax="[|ProductVersion]" Attributes="257" ActionProperty="OLDPRODUCTS"/>
    <ROW UpgradeCode="[|UpgradeCode]" VersionMin="[|ProductVersion]" Attributes="2" ActionProperty="AI_NEWERPRODUCTFOUND"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.PreReqComponent">
    <ROW PrereqKey="A918597FE054CCCB65ABDBA0AD8F63C" DisplayName="Visual C++ Redistributable for Visual Studio 2015-2022 x86" VersionMin="14.30" SetupFileUrl="Prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x86.exe" Location="0" ExactSize="0" WinNTVersions="Windows Vista RTM x86, Windows Vista SP1 x86, Windows Server 2008 RTM x86, Windows 7 RTM x86" WinNT64Versions="Windows Vista RTM x64, Windows Vista SP1 x64, Windows Server 2008 RTM x64, Windows 7 RTM x64, Windows Server 2008 R2 RTM x64" Operator="0" NoUiComLine="/q /norestart" Options="f" TargetName="Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x86.exe" Feature="A918597FE054CCCB65ABDBA0AD8F63C"/>
    <ROW PrereqKey="C4FE6FD5B7C4D07B3A313E754A9A6A8" DisplayName="Visual C++ Redistributable for Visual Studio 2015-2022 x64" VersionMin="14.30" SetupFileUrl="Prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" Location="0" ExactSize="0" WinNTVersions="Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86" WinNT64Versions="Windows Vista RTM x64, Windows Vista SP1 x64, Windows Server 2008 RTM x64, Windows 7 RTM x64, Windows Server 2008 R2 RTM x64" Operator="1" NoUiComLine="/q /norestart" Options="xf" TargetName="Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" Feature="C4FE6FD5B7C4D07B3A313E754A9A6A8"/>
    <ATTRIBUTE name="PrereqsOrder" value="C4FE6FD5B7C4D07B3A313E754A9A6A8 A918597FE054CCCB65ABDBA0AD8F63C"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.PreReqSearchComponent">
    <ROW SearchKey="A918597FE054CCCB65ABDBA0AD8F63CSyst" Prereq="A918597FE054CCCB65ABDBA0AD8F63C" SearchType="0" SearchString="[SystemFolder]vcruntime140.dll" VerMin="14.30.30704" Order="2" Property="PreReqSearch_1_A918597FE054CCCB65AB"/>
    <ROW SearchKey="A918597FE054CCCB65ABDBA0AD8F63CVers" Prereq="A918597FE054CCCB65ABDBA0AD8F63C" SearchType="2" SearchString="HKLM\SOFTWARE\Microsoft\DevDiv\VC\Servicing\14.0\RuntimeMinimum\Version" VerMin="14.30.30704" Order="1" Property="PreReqSearch_A918597FE054CCCB65ABDB"/>
    <ROW SearchKey="C4FE6FD5B7C4D07B3A313E754A9A6A8Vers" Prereq="C4FE6FD5B7C4D07B3A313E754A9A6A8" SearchType="2" SearchString="HKLM\SOFTWARE\Microsoft\DevDiv\VC\Servicing\14.0\RuntimeMinimum\Version" VerMin="14.30.30704" Order="1" Property="PreReqSearch_C4FE6FD5B7C4D07B3A313E"/>
    <ROW SearchKey="UpgradeCode" SearchType="4" SearchString="{88AA80DE-14CA-4443-B024-6EC13F3EDDAD}" Order="2" Property="ZTTAP300_X86_INSTALLED"/>
    <ROW SearchKey="_" SearchType="4" SearchString="{88AA80DE-14CA-4443-B024-6EC13F3EDDAD}" Order="1" Property="ZTTAP300_X64_INSTALLED"/>
  </COMPONENT>
@ -573,7 +528,7 @@
    <ROW XmlAttribute="xsischemaLocation" XmlElement="swidsoftware_identification_tag" Name="xsi:schemaLocation" Flags="14" Order="3" Value="http://standards.iso.org/iso/19770/-2/2008/schema.xsd software_identification_tag.xsd"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.XmlElementComponent">
-    <ROW XmlElement="swidbuild" ParentElement="swidnumeric" Name="swid:build" Condition="1" Order="2" Flags="14" Text="0" UpdateIndexInParent="0"/>
+    <ROW XmlElement="swidbuild" ParentElement="swidnumeric" Name="swid:build" Condition="1" Order="2" Flags="14" Text="2" UpdateIndexInParent="0"/>
    <ROW XmlElement="swidentitlement_required_indicator" ParentElement="swidsoftware_identification_tag" Name="swid:entitlement_required_indicator" Condition="1" Order="0" Flags="14" Text="false" UpdateIndexInParent="0"/>
    <ROW XmlElement="swidmajor" ParentElement="swidnumeric" Name="swid:major" Condition="1" Order="0" Flags="14" Text="1" UpdateIndexInParent="0"/>
    <ROW XmlElement="swidminor" ParentElement="swidnumeric" Name="swid:minor" Condition="1" Order="1" Flags="14" Text="10" UpdateIndexInParent="0"/>
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@ -86,6 +86,11 @@ extern "C" {
 */
 #define ZT_MIN_PHYSMTU 1400
 /**
 * Maximum physical interface name length. This number is gigantic because of Windows.
 */
 #define ZT_MAX_PHYSIFNAME 256
 /**
 * Default UDP payload size (physical path MTU) not including UDP and IP overhead
 *
@ -1203,7 +1208,7 @@ typedef struct
 	bool ssoEnabled;
 	/**
-	 * SSO verison
+	 * SSO version
 	 */
 	uint64_t ssoVersion;
@ -1317,35 +1322,20 @@ typedef struct
 	 */
 	float packetErrorRatio;
 	/**
 	 * Mean throughput
 	 */
 	uint64_t throughputMean;
 	/**
 	 * Maximum observed throughput
 	 */
 	float throughputMax;
 	/**
 	 * Throughput variance
 	 */
 	float throughputVariance;
 	/**
 	 * Address scope
 	 */
 	uint8_t scope;
 	/**
-	 * Percentage of traffic allocated to this path
+	 * Relative quality value
 	 */
-	float allocation;
+	float relativeQuality;
 	/**
-	 * Name of physical interface (for monitoring)
+	 * Name of physical interface this path resides on
 	 */
-	char ifname[32];
+	char ifname[ZT_MAX_PHYSIFNAME];
 	uint64_t localSocket;
@ -1354,6 +1344,21 @@ typedef struct
 	 */
 	int expired;
 	/**
 	 * Whether this path is currently included in the bond
 	 */
 	uint8_t bonded;
 	/**
 	 * Whether this path is currently eligible to be used in a bond
 	 */
 	uint8_t eligible;
 	/**
 	 * The capacity of this link (as given to bonding layer)
 	 */
 	uint32_t linkSpeed;
 	/**
 	 * Is path preferred?
 	 */
@ -2061,7 +2066,7 @@ ZT_SDK_API int ZT_Node_sendUserMessage(ZT_Node *node,void *tptr,uint64_t dest,ui
 * NetworkConfigMaster base class in node/. No type checking is performed,
 * so a pointer to anything else will result in a crash.
 *
- * @param node ZertTier One node
+ * @param node ZeroTier One node
 * @param networkConfigMasterInstance Instance of NetworkConfigMaster C++ class or NULL to disable
 * @return OK (0) or error code if a fatal error condition has occurred
 */
--- a/java/README.md
+++ b/java/README.md
@ -5,7 +5,7 @@ ZeroTier One SDK - Android JNI Wrapper
 Building
 -----
-Reqires:
+Requires:
 * JDK
 * ANT
--- a/java/jni/Android.mk
+++ b/java/jni/Android.mk
@ -1,66 +0,0 @@
 LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 LOCAL_MODULE := ZeroTierOneJNI
 LOCAL_C_INCLUDES := \
    $(ZT1)/include \
    $(ZT1)/node \
    $(ZT1)/osdep
 LOCAL_LDLIBS := -llog
 # LOCAL_CFLAGS := -g
 APP_UNIFIED_HEADERS := true
 LOCAL_CFLAGS := -DZT_USE_MINIUPNPC
 ifeq ($(TARGET_ARCH_ABI),x86_64)
    LOCAL_CXXFLAGS := -maes -mpclmul -msse3 -msse4.1
 endif
 ifeq ($(TARGET_ARCH_ABI),arm64-v8a)
    LOCAL_ARM_NEON := true
    LOCAL_CXXFLAGS := -march=armv8-a+crypto -mfloat-abi=softfp -mfpu=neon -maes -isystem $NDK/sysroot/usr/include/$TRIPLE
 endif
 # ZeroTierOne SDK source files
 LOCAL_SRC_FILES := \
    $(ZT1)/node/AES.cpp \
    $(ZT1)/node/AES_aesni.cpp \
    $(ZT1)/node/AES_armcrypto.cpp \
    $(ZT1)/node/Bond.cpp \
    $(ZT1)/node/C25519.cpp \
 	$(ZT1)/node/Capability.cpp \
 	$(ZT1)/node/CertificateOfMembership.cpp \
 	$(ZT1)/node/CertificateOfOwnership.cpp \
 	$(ZT1)/node/Identity.cpp \
 	$(ZT1)/node/IncomingPacket.cpp \
 	$(ZT1)/node/InetAddress.cpp \
 	$(ZT1)/node/Membership.cpp \
 	$(ZT1)/node/Multicaster.cpp \
 	$(ZT1)/node/Network.cpp \
 	$(ZT1)/node/NetworkConfig.cpp \
 	$(ZT1)/node/Node.cpp \
 	$(ZT1)/node/OutboundMulticast.cpp \
 	$(ZT1)/node/Packet.cpp \
 	$(ZT1)/node/Path.cpp \
 	$(ZT1)/node/Peer.cpp \
 	$(ZT1)/node/Poly1305.cpp \
 	$(ZT1)/node/Revocation.cpp \
 	$(ZT1)/node/Salsa20.cpp \
 	$(ZT1)/node/SelfAwareness.cpp \
 	$(ZT1)/node/SHA512.cpp \
 	$(ZT1)/node/Switch.cpp \
 	$(ZT1)/node/Tag.cpp \
 	$(ZT1)/node/Topology.cpp \
 	$(ZT1)/node/Trace.cpp \
 	$(ZT1)/node/Utils.cpp \
 	$(ZT1)/osdep/OSUtils.cpp
 # JNI Files
 LOCAL_SRC_FILES += \
 	com_zerotierone_sdk_Node.cpp \
 	ZT_jniarray.cpp \
 	ZT_jniutils.cpp \
 	ZT_jnilookup.cpp
 include $(BUILD_SHARED_LIBRARY)
--- a/java/jni/Application.mk
+++ b/java/jni/Application.mk
@ -1,5 +0,0 @@
 # NDK_TOOLCHAIN_VERSION := clang3.5
 APP_STL := c++_static
 APP_CPPFLAGS := -Wall -fstack-protector -fexceptions -fno-strict-aliasing -frtti -Wno-deprecated-register -DZT_NO_TYPE_PUNNING=1
 APP_PLATFORM := android-21
 APP_ABI := all
--- a/java/jni/ZT_jniarray.cpp
+++ b/java/jni/ZT_jniarray.cpp
@ -5,6 +5,7 @@
 #include "ZT_jniarray.h"
 #include <vector>
 #include <string>
 #include <cassert>
 jclass java_util_ArrayList;
 jmethodID java_util_ArrayList_;
--- a/java/jni/ZT_jnilookup.cpp
+++ b/java/jni/ZT_jnilookup.cpp
@ -62,7 +62,7 @@ jclass JniLookup::findClass(const std::string &name)
    JNIEnv *env = NULL;
    if(m_jvm->GetEnv((void**)&env, JNI_VERSION_1_6) != JNI_OK)
    {
-        LOGE("Error retreiving JNI Environment");
+        LOGE("Error retrieving JNI Environment");
        return NULL;
    }
    const char *c = name.c_str();
--- a/java/jni/ZT_jniutils.cpp
+++ b/java/jni/ZT_jniutils.cpp
@ -296,7 +296,7 @@ jobject newInetAddress(JNIEnv *env, const sockaddr_storage &addr)
        inetAddressClass, "getByAddress", "([B)Ljava/net/InetAddress;");
    if(env->ExceptionCheck() || inetAddress_getByAddress == NULL)
    {
-        LOGE("Erorr finding getByAddress() static method");
+        LOGE("Error finding getByAddress() static method");
        return NULL;
    }
--- a/java/jni/com_zerotierone_sdk_Node.cpp
+++ b/java/jni/com_zerotierone_sdk_Node.cpp
@ -107,7 +107,7 @@ namespace {
        enum ZT_VirtualNetworkConfigOperation operation,
        const ZT_VirtualNetworkConfig *config)
    {
-        LOGV("VritualNetworkConfigFunctionCallback");
+        LOGV("VirtualNetworkConfigFunctionCallback");
        JniRef *ref = (JniRef*)userData;
        JNIEnv *env = NULL;
        ref->jvm->GetEnv((void**)&env, JNI_VERSION_1_6);
@ -573,7 +573,26 @@ namespace {
            return true;
        }
-        struct sockaddr_storage nullAddress = {0};
+        //
        // was:
        // struct sockaddr_storage nullAddress = {0};
        //
        // but was getting this warning:
        // warning: suggest braces around initialization of subobject
        //
        // when building ZeroTierOne
        //
        struct sockaddr_storage nullAddress;
        //
        // It is possible to assume knowledge about internals of sockaddr_storage and construct
        // correct 0-initializer, but it is simpler to just treat sockaddr_storage as opaque and
        // use memset here to fill with 0
        //
        // This is also done in InetAddress.hpp for InetAddress
        //
        memset(&nullAddress, 0, sizeof(sockaddr_storage));
        jobject remoteAddressObj = NULL;
        if(memcmp(remoteAddress, &nullAddress, sizeof(sockaddr_storage)) != 0)
@ -1025,7 +1044,7 @@ JNIEXPORT jobject JNICALL Java_com_zerotier_sdk_Node_processWirePacket(
        inetAddressClass, "getAddress", "()[B");
    if(getAddressMethod == NULL)
    {
-        // cant find InetAddress.getAddres()
+        // cant find InetAddress.getAddress()
        return createResultObject(env, ZT_RESULT_FATAL_ERROR_INTERNAL);
    }
--- a/java/src/com/zerotier/sdk/NativeUtils.java
+++ b/java/src/com/zerotier/sdk/NativeUtils.java
@ -43,7 +43,7 @@ public class NativeUtils {
        String[] parts = path.split("/");
        String filename = (parts.length > 1) ? parts[parts.length - 1] : null;
-        // Split filename to prexif and suffix (extension)
+        // Split filename to prefix and suffix (extension)
        String prefix = "";
        String suffix = null;
        if (filename != null) {
--- a/java/src/com/zerotier/sdk/Node.java
+++ b/java/src/com/zerotier/sdk/Node.java
@ -84,7 +84,7 @@ public class Node {
     *
     * @param now Current clock in milliseconds
     * @param getListener User written instance of the {@link DataStoreGetListener} interface called to get objects from persistent storage.  This instance must be unique per Node object.
-     * @param putListener User written intstance of the {@link DataStorePutListener} interface called to put objects in persistent storage.  This instance must be unique per Node object.
+     * @param putListener User written instance of the {@link DataStorePutListener} interface called to put objects in persistent storage.  This instance must be unique per Node object.
     * @param sender
     * @param eventListener User written instance of the {@link EventListener} interface to receive status updates and non-fatal error notices.  This instance must be unique per Node object.
     * @param frameListener 
@ -197,7 +197,7 @@ public class Node {
     * Join a network
     *
     * <p>This may generate calls to the port config callback before it returns,
-     * or these may be deffered if a netconf is not available yet.</p>
+     * or these may be deferred if a netconf is not available yet.</p>
     *
     * <p>If we are already a member of the network, nothing is done and OK is
     * returned.</p>
--- a/java/src/com/zerotier/sdk/NodeStatus.java
+++ b/java/src/com/zerotier/sdk/NodeStatus.java
@ -38,7 +38,7 @@ public final class NodeStatus {
 	/**
 	 * 40-bit ZeroTier address of this node
 	 */
-	public final long getAddres() {
+	public final long getAddress() {
 		return address;
 	}
--- a/make-bsd.mk
+++ b/make-bsd.mk
@ -133,7 +133,7 @@ endif
 # Fail if system architecture could not be determined
 ifeq ($(ZT_ARCHITECTURE),999)
-ERR=$(error FATAL: architecture could not be determined from $(CC) -dumpmachine: $CC_MACH)
+ERR=$(error FATAL: architecture could not be determined from $(CC) -dumpmachine: $(CC_MACH))
 .PHONY: err
 err: ; $(ERR)
 endif
--- a/make-linux.mk
+++ b/make-linux.mk
@ -198,6 +198,11 @@ ifeq ($(CC_MACH),armv6kz)
 	override DEFS+=-DZT_NO_TYPE_PUNNING
 	ZT_USE_ARM32_NEON_ASM_CRYPTO=1
 endif
 ifeq ($(CC_MACH),armv6k)
 	ZT_ARCHITECTURE=3
 	override DEFS+=-DZT_NO_TYPE_PUNNING
 	ZT_USE_ARM32_NEON_ASM_CRYPTO=1
 endif
 ifeq ($(CC_MACH),armv7)
 	ZT_ARCHITECTURE=3
 	override DEFS+=-DZT_NO_TYPE_PUNNING
@ -257,7 +262,7 @@ endif
 # Fail if system architecture could not be determined
 ifeq ($(ZT_ARCHITECTURE),999)
-ERR=$(error FATAL: architecture could not be determined from $(CC) -dumpmachine: $CC_MACH)
+ERR=$(error FATAL: architecture could not be determined from $(CC) -dumpmachine: $(CC_MACH))
 .PHONY: err
 err: ; $(ERR)
 endif
@ -498,15 +503,12 @@ snap-uninstall: FORCE
 	snap remove zerotier
 snap-build-remote: FORCE
-	cd pkg && snapcraft remote-build --build-on=amd64,arm64,s390x,ppc64el,armhf,i386
+	cd pkg && snapcraft remote-build --build-for=amd64,arm64,s390x,ppc64el,armhf,i386
-snap-upload-beta: FORCE
+snap-upload: ./pkg/*.snap
-	snapcraft login --with-file=snapcraft-login-data
+	for file in $^ ; do \
-	pushd pkg
+		snapcraft upload --release=beta,edge,candidate $${file} ; \
 	for SNAPFILE in ./*.snap; do\
 		snapcraft upload --release=stable,beta,edge,candidate $${SNAPFILE};\
 	done
 	popd
 synology-pkg: FORCE
 	cd pkg/synology ; ./build.sh build
--- a/node/Bond.cpp
+++ b/node/Bond.cpp
--- a/node/Bond.hpp
+++ b/node/Bond.hpp
@ -14,6 +14,7 @@
 #ifndef ZT_BOND_HPP
 #define ZT_BOND_HPP
 #include "../osdep/Binder.hpp"
 #include "../osdep/Phy.hpp"
 #include "Packet.hpp"
 #include "Path.hpp"
@ -28,7 +29,7 @@
 /**
 * Indices for the path quality weight vector
 */
-enum ZT_BondQualityWeightIndex { ZT_QOS_LAT_IDX, ZT_QOS_LTM_IDX, ZT_QOS_PDV_IDX, ZT_QOS_PLR_IDX, ZT_QOS_PER_IDX, ZT_QOS_THR_IDX, ZT_QOS_THM_IDX, ZT_QOS_THV_IDX, ZT_QOS_AGE_IDX, ZT_QOS_SCP_IDX, ZT_QOS_WEIGHT_SIZE };
+enum ZT_BondQualityWeightIndex { ZT_QOS_LAT_MAX_IDX, ZT_QOS_PDV_MAX_IDX, ZT_QOS_PLR_MAX_IDX, ZT_QOS_PER_MAX_IDX, ZT_QOS_LAT_WEIGHT_IDX, ZT_QOS_PDV_WEIGHT_IDX, ZT_QOS_PLR_WEIGHT_IDX, ZT_QOS_PER_WEIGHT_IDX, ZT_QOS_PARAMETER_SIZE };
 /**
 *  Multipath bonding policy
@ -116,21 +117,19 @@ class Link {
 	 *
 	 * @param ifnameStr
 	 * @param ipvPref
-	 * @param speed
+	 * @param capacity
 	 * @param enabled
 	 * @param mode
 	 * @param failoverToLinkStr
 	 * @param userSpecifiedAlloc
 	 */
-	Link(std::string ifnameStr, uint8_t ipvPref, uint32_t speed, bool enabled, uint8_t mode, std::string failoverToLinkStr, float userSpecifiedAlloc)
+	Link(std::string ifnameStr, uint8_t ipvPref, uint32_t capacity, bool enabled, uint8_t mode, std::string failoverToLinkStr)
 		: _ifnameStr(ifnameStr)
 		, _ipvPref(ipvPref)
-		, _speed(speed)
+		, _capacity(capacity)
-		, _relativeSpeed(0)
+		, _relativeCapacity(0.0)
 		, _enabled(enabled)
 		, _mode(mode)
 		, _failoverToLinkStr(failoverToLinkStr)
 		, _userSpecifiedAlloc(userSpecifiedAlloc)
 		, _isUserSpecified(false)
 	{
 	}
@ -194,29 +193,29 @@ class Link {
 	}
 	/**
-	 * @return The speed of the link relative to others in the bond.
+	 * @return The capacity of the link relative to others in the bond.
 	 */
-	inline uint8_t relativeSpeed()
+	inline float relativeCapacity()
 	{
-		return _relativeSpeed;
+		return _relativeCapacity;
 	}
 	/**
-	 * Sets the speed of the link relative to others in the bond.
+	 * Sets the capacity of the link relative to others in the bond.
 	 *
-	 * @param relativeSpeed The speed relative to the rest of the link.
+	 * @param relativeCapacity The capacity relative to the rest of the link.
 	 */
-	inline void setRelativeSpeed(uint8_t relativeSpeed)
+	inline void setRelativeCapacity(float relativeCapacity)
 	{
-		_relativeSpeed = relativeSpeed;
+		_relativeCapacity = relativeCapacity;
 	}
 	/**
-	 * @return The absolute speed of the link (as specified by the user.)
+	 * @return The absolute capacity of the link (as specified by the user.)
 	 */
-	inline uint32_t speed()
+	inline uint32_t capacity()
 	{
-		return _speed;
+		return _capacity;
 	}
 	/**
@ -262,14 +261,14 @@ class Link {
 	uint8_t _ipvPref;
 	/**
-	 * User-specified speed of this link
+	 * User-specified capacity of this link
 	 */
-	uint32_t _speed;
+	uint32_t _capacity;
 	/**
 	 * Speed relative to other specified links (computed by Bond)
 	 */
-	uint8_t _relativeSpeed;
+	float _relativeCapacity;
 	/**
 	 * Whether this link is enabled, or (disabled (possibly bad config))
@ -287,11 +286,6 @@ class Link {
 	 */
 	std::string _failoverToLinkStr;
 	/**
 	 * User-specified allocation
 	 */
 	float _userSpecifiedAlloc;
 	/**
 	 * Whether or not this link was created as a result of manual user specification. This is
 	 * important to know because certain policy decisions are dependent on whether the user
@ -307,6 +301,17 @@ class Peer;
 class Bond {
  public:
 	/**
 	 * Stop bond's internal functions (can be resumed)
 	 */
 	void stopBond();
 	/**
 	 * Start or resume a bond's internal functions
 	 */
 	void startBond();
 	/**
 	 * @return Whether this link is permitted to become a member of a bond.
 	 */
@ -328,6 +333,14 @@ class Bond {
 		return ! _bondPolicyTemplates.empty() || _defaultPolicy;
 	}
 	/**
 	 * Sets a pointer to an instance of _binder used by the Bond to get interface data
 	 */
 	static void setBinder(Binder* b)
 	{
 		_binder = b;
 	}
 	/**
 	 * @param basePolicyName Bonding policy name (See ZeroTierOne.h)
 	 * @return The bonding policy code for a given human-readable bonding policy name
@ -461,7 +474,7 @@ class Bond {
 	 * @param createIfNeeded Whether a Link object is created if the name wasn't previously in the link map
 	 * @return Physical link definition
 	 */
-	static SharedPtr<Link> getLinkBySocket(const std::string& policyAlias, uint64_t localSocket, bool createIfNeeded);
+	SharedPtr<Link> getLinkBySocket(const std::string& policyAlias, uint64_t localSocket, bool createIfNeeded);
 	/**
 	 * Gets a reference to a physical link definition given its human-readable system name.
@ -573,6 +586,14 @@ class Bond {
 		return _policyAlias;
 	}
 	/**
 	 * Return whether this bond is able to properly process traffic
 	 */
 	bool isReady()
 	{
 		return _numBondedPaths;
 	}
 	/**
 	 * Inform the bond about the path that its peer (owning object) just learned about.
 	 * If the path is allowed to be used, it will be inducted into the bond on a trial
@ -703,8 +724,9 @@ class Bond {
 	 *
 	 * @param flow Flow to be assigned
 	 * @param now Current time
 	 * @param reassign Whether this flow is being re-assigned to another path
 	 */
-	bool assignFlowToBondedPath(SharedPtr<Flow>& flow, int64_t now);
+	bool assignFlowToBondedPath(SharedPtr<Flow>& flow, int64_t now, bool reassign);
 	/**
 	 * Determine whether a path change should occur given the remote peer's reported utility and our
@ -793,60 +815,12 @@ class Bond {
 	void setBondParameters(int policy, SharedPtr<Bond> templateBond, bool useTemplate);
 	/**
-	 * Check and assign user-specified quality weights to this bond.
+	 * Check and assign user-specified link quality parameters to this bond.
 	 *
-	 * @param weights Set of user-specified weights
+	 * @param weights Set of user-specified parameters
-	 * @param len Length of weight vector
+	 * @param len Length of parameter vector
 	 */
-	void setUserQualityWeights(float weights[], int len);
+	void setUserLinkQualitySpec(float weights[], int len);
 	/**
 	 * @param latencyInMilliseconds Maximum acceptable latency.
 	 */
 	void setMaxAcceptableLatency(int16_t latencyInMilliseconds)
 	{
 		_maxAcceptableLatency = latencyInMilliseconds;
 	}
 	/**
 	 * @param latencyInMilliseconds Maximum acceptable (mean) latency.
 	 */
 	void setMaxAcceptableMeanLatency(int16_t latencyInMilliseconds)
 	{
 		_maxAcceptableMeanLatency = latencyInMilliseconds;
 	}
 	/**
 	 * @param latencyVarianceInMilliseconds Maximum acceptable packet delay variance (jitter).
 	 */
 	void setMaxAcceptablePacketDelayVariance(int16_t latencyVarianceInMilliseconds)
 	{
 		_maxAcceptablePacketDelayVariance = latencyVarianceInMilliseconds;
 	}
 	/**
 	 * @param lossRatio Maximum acceptable packet loss ratio (PLR).
 	 */
 	void setMaxAcceptablePacketLossRatio(float lossRatio)
 	{
 		_maxAcceptablePacketLossRatio = lossRatio;
 	}
 	/**
 	 * @param errorRatio Maximum acceptable packet error ratio (PER).
 	 */
 	void setMaxAcceptablePacketErrorRatio(float errorRatio)
 	{
 		_maxAcceptablePacketErrorRatio = errorRatio;
 	}
 	/**
 	 * @param errorRatio Maximum acceptable packet error ratio (PER).
 	 */
 	void setMinAcceptableAllocation(float minAlloc)
 	{
 		_minAcceptableAllocation = (uint8_t)(minAlloc * 255);
 	}
 	/**
 	 * @return Whether the user has defined links for use on this bond
@ -873,11 +847,11 @@ class Bond {
 	}
 	/**
-	 * @return Whether the user has specified link speeds
+	 * @return Whether the user has specified link capacities
 	 */
-	inline bool userHasSpecifiedLinkSpeeds()
+	inline bool userHasSpecifiedLinkCapacities()
 	{
-		return _userHasSpecifiedLinkSpeeds;
+		return _userHasSpecifiedLinkCapacities;
 	}
 	/**
@ -916,10 +890,9 @@ class Bond {
 	 */
 	inline bool rateGateQoS(int64_t now, SharedPtr<Path>& path)
 	{
 		// TODO: Verify before production
 		char pathStr[64] = { 0 };
 		path->address().toString(pathStr);
-		int diff = now - _lastQoSRateCheck;
+		uint64_t diff = now - _lastQoSRateCheck;
 		if ((diff) <= (_qosSendInterval / ZT_MAX_PEER_NETWORK_PATHS)) {
 			++_qosCutoffCount;
 		}
@ -927,7 +900,6 @@ class Bond {
 			_qosCutoffCount = 0;
 		}
 		_lastQoSRateCheck = now;
 		// fprintf(stderr, "rateGateQoS (count=%d, send_interval=%d, diff=%d, path=%s)\n", _qosCutoffCount, _qosSendInterval, diff, pathStr);
 		return (_qosCutoffCount < (ZT_MAX_PEER_NETWORK_PATHS * 2));
 	}
@ -939,7 +911,6 @@ class Bond {
 	 */
 	inline bool rateGatePathNegotiation(int64_t now, SharedPtr<Path>& path)
 	{
 		// TODO: Verify before production
 		char pathStr[64] = { 0 };
 		path->address().toString(pathStr);
 		int diff = now - _lastPathNegotiationReceived;
@ -950,7 +921,6 @@ class Bond {
 			_pathNegotiationCutoffCount = 0;
 		}
 		_lastPathNegotiationReceived = now;
 		// fprintf(stderr, "rateGateNeg (count=%d, send_interval=%d, diff=%d, path=%s)\n", _pathNegotiationCutoffCount, (ZT_PATH_NEGOTIATION_CUTOFF_TIME / ZT_MAX_PEER_NETWORK_PATHS), diff, pathStr);
 		return (_pathNegotiationCutoffCount < (ZT_MAX_PEER_NETWORK_PATHS * 2));
 	}
@ -970,14 +940,6 @@ class Bond {
 		return _failoverInterval;
 	}
 	/**
 	 * @param strategy Strategy that the bond uses to re-assign protocol flows.
 	 */
 	inline void setFlowRebalanceStrategy(uint32_t strategy)
 	{
 		_flowRebalanceStrategy = strategy;
 	}
 	/**
 	 * @param strategy Strategy that the bond uses to prob for path aliveness and quality
 	 */
@ -1058,7 +1020,7 @@ class Bond {
 	}
 	/**
-	 * @return the number of links comprising this bond which are considered alive
+	 * @return the number of links in this bond which are considered alive
 	 */
 	inline uint8_t getNumAliveLinks()
 	{
@ -1066,7 +1028,7 @@ class Bond {
 	};
 	/**
-	 * @return the number of links comprising this bond
+	 * @return the number of links in this bond
 	 */
 	inline uint8_t getNumTotalLinks()
 	{
@ -1074,20 +1036,11 @@ class Bond {
 	}
 	/**
-	 *
+	 * @return Whether flow-hashing is currently supported for this bond.
 	 * @param allowFlowHashing
 	 */
-	inline void setFlowHashing(bool allowFlowHashing)
+	bool flowHashingSupported()
 	{
-		_allowFlowHashing = allowFlowHashing;
+		return _policy == ZT_BOND_POLICY_BALANCE_XOR || _policy == ZT_BOND_POLICY_BALANCE_AWARE;
 	}
 	/**
 	 * @return Whether flow-hashing is currently enabled for this bond.
 	 */
 	bool flowHashingEnabled()
 	{
 		return _allowFlowHashing;
 	}
 	/**
@ -1150,25 +1103,8 @@ class Bond {
 	 */
 	bool abForciblyRotateLink();
 	/**
 	 * @param now Current time
 	 * @return All known paths to this peer
 	 */
 	inline std::vector<SharedPtr<Path> > paths(const int64_t now) const
 	{
 		std::vector<SharedPtr<Path> > pp;
 		Mutex::Lock _l(_paths_m);
 		for (unsigned int i = 0; i < ZT_MAX_PEER_NETWORK_PATHS; ++i) {
 			if (! _paths[i].p)
 				break;
 			pp.push_back(_paths[i].p);
 		}
 		return pp;
 	}
 	/**
 	 * Emit message to tracing system but with added timestamp and subsystem info
 	 *
 	 */
 	void log(const char* fmt, ...)
 #ifdef __GNUC__
@ -1200,7 +1136,6 @@ class Bond {
 	/**
 	 * Emit message to tracing system but with added timestamp and subsystem info
 	 *
 	 */
 	void debug(const char* fmt, ...)
 #ifdef __GNUC__
@ -1235,6 +1170,7 @@ class Bond {
 		NominatedPath()
 			: lastAckSent(0)
 			, lastAckReceived(0)
 			, lastQoSReceived(0)
 			, unackedBytes(0)
 			, packetsReceivedSinceLastAck(0)
 			, lastQoSMeasurement(0)
@ -1243,6 +1179,7 @@ class Bond {
 			, lastAliveToggle(0)
 			, alive(false)
 			, eligible(true)
 			, lastEligibility(0)
 			, whenNominated(0)
 			, refractoryPeriod(0)
 			, ipvPref(0)
@ -1250,19 +1187,14 @@ class Bond {
 			, onlyPathOnLink(false)
 			, bonded(false)
 			, negotiated(false)
-			, shouldReallocateFlows(false)
+			, shouldAvoid(false)
 			, assignedFlowCount(0)
-			, latencyMean(0)
+			, latency(0)
 			, latencyVariance(0)
 			, packetLossRatio(0)
 			, packetErrorRatio(0)
-			, throughputMean(0)
+			, relativeQuality(0)
-			, throughputMax(0)
+			, relativeLinkCapacity(0)
 			, throughputVariance(0)
 			, allocation(0)
 			, byteLoad(0)
 			, relativeByteLoad(0)
 			, affinity(0)
 			, failoverScore(0)
 			, packetsReceivedSinceLastQoS(0)
 			, packetsIn(0)
@ -1310,6 +1242,14 @@ class Bond {
 			return (! ipvPref || ((p->_addr.isV4() && (ipvPref == 4 || ipvPref == 46 || ipvPref == 64)) || ((p->_addr.isV6() && (ipvPref == 6 || ipvPref == 46 || ipvPref == 64)))));
 		}
 		/**
 		 * @return True if a path exists on a link marked as a spare
 		 */
 		inline bool isSpare()
 		{
 			return mode == ZT_BOND_SLAVE_MODE_SPARE;
 		}
 		/**
 		 * @return True if a path is preferred over another on the same physical link (according to user pref.)
 		 */
@ -1322,7 +1262,7 @@ class Bond {
 		 * @param now Current time
 		 * @return Whether a QoS (VERB_QOS_MEASUREMENT) packet needs to be emitted at this time
 		 */
-		inline bool needsToSendQoS(int64_t now, int qosSendInterval)
+		inline bool needsToSendQoS(int64_t now, uint64_t qosSendInterval)
 		{
 			// fprintf(stderr, "QOS table (%d / %d)\n", packetsReceivedSinceLastQoS, ZT_QOS_TABLE_SIZE);
 			return ((packetsReceivedSinceLastQoS >= ZT_QOS_TABLE_SIZE) || ((now - lastQoSMeasurement) > qosSendInterval)) && packetsReceivedSinceLastQoS;
@ -1332,7 +1272,7 @@ class Bond {
 		 * @param now Current time
 		 * @return Whether an ACK (VERB_ACK) packet needs to be emitted at this time
 		 */
-		inline bool needsToSendAck(int64_t now, int ackSendInterval)
+		inline bool needsToSendAck(int64_t now, uint64_t ackSendInterval)
 		{
 			return ((now - lastAckSent) >= ackSendInterval || (packetsReceivedSinceLastAck == ZT_QOS_TABLE_SIZE)) && packetsReceivedSinceLastAck;
 		}
@ -1359,6 +1299,7 @@ class Bond {
 		uint64_t lastAckSent;
 		uint64_t lastAckReceived;
 		uint64_t lastQoSReceived;
 		uint64_t unackedBytes;
 		uint64_t packetsReceivedSinceLastAck;
@ -1367,28 +1308,25 @@ class Bond {
 		uint64_t lastRefractoryUpdate;		 // The last time that the refractory period was updated.
 		uint64_t lastAliveToggle;			 // The last time that the path was marked as "alive".
 		bool alive;
-		bool eligible;						   // State of eligibility at last check. Used for determining state changes.
+		bool eligible;				  // State of eligibility at last check. Used for determining state changes.
-		uint64_t whenNominated;				   // Timestamp indicating when this path's trial period began.
+		uint64_t lastEligibility;	  // The last time that this path was eligible
-		uint32_t refractoryPeriod;			   // Amount of time that this path will be prevented from becoming a member of a bond.
+		uint64_t whenNominated;		  // Timestamp indicating when this path's trial period began.
-		uint8_t ipvPref;					   // IP version preference inherited from the physical link.
+		uint32_t refractoryPeriod;	  // Amount of time that this path will be prevented from becoming a member of a bond.
-		uint8_t mode;						   // Mode inherited from the physical link.
+		uint8_t ipvPref;			  // IP version preference inherited from the physical link.
-		bool onlyPathOnLink;				   // IP version preference inherited from the physical link.
+		uint8_t mode;				  // Mode inherited from the physical link.
-		bool enabled;						   // Enabled state inherited from the physical link.
+		bool onlyPathOnLink;		  // IP version preference inherited from the physical link.
-		bool bonded;						   // Whether this path is currently part of a bond.
+		bool enabled;				  // Enabled state inherited from the physical link.
-		bool negotiated;					   // Whether this path was intentionally negotiated by either peer.
+		bool bonded;				  // Whether this path is currently part of a bond.
-		bool shouldReallocateFlows;			   // Whether flows should be moved from this path. Current traffic flows will be re-allocated immediately.
+		bool negotiated;			  // Whether this path was intentionally negotiated by either peer.
-		uint16_t assignedFlowCount;			   // The number of flows currently assigned to this path.
+		bool shouldAvoid;			  // Whether flows should be moved from this path. Current traffic flows will be re-allocated immediately.
-		float latencyMean;					   // The mean latency (computed from a sliding window.)
+		uint16_t assignedFlowCount;	  // The number of flows currently assigned to this path.
-		float latencyVariance;				   // Packet delay variance (computed from a sliding window.)
+		float latency;				  // The mean latency (computed from a sliding window.)
-		float packetLossRatio;				   // The ratio of lost packets to received packets.
+		float latencyVariance;		  // Packet delay variance (computed from a sliding window.)
-		float packetErrorRatio;				   // The ratio of packets that failed their MAC/CRC checks to those that did not.
+		float packetLossRatio;		  // The ratio of lost packets to received packets.
-		uint64_t throughputMean;			   // The estimated mean throughput of this path.
+		float packetErrorRatio;		  // The ratio of packets that failed their MAC/CRC checks to those that did not.
-		uint64_t throughputMax;				   // The maximum observed throughput of this path.
+		float relativeQuality;		  // The relative quality of the link.
-		float throughputVariance;			   // The variance in the estimated throughput of this path.
+		float relativeLinkCapacity;	  // The relative capacity of the link.
-		uint8_t allocation;					   // The relative quality of this path to all others in the bond, [0-255].
+
 		uint64_t byteLoad;					   // How much load this path is under.
 		uint8_t relativeByteLoad;			   // How much load this path is under (relative to other paths in the bond.)
 		uint8_t affinity;					   // Relative value expressing how "deserving" this path is of new traffic.
 		uint32_t failoverScore;				   // Score that indicates to what degree this path is preferred over others that are available to the bonding policy. (specifically for active-backup)
 		int32_t packetsReceivedSinceLastQoS;   // Number of packets received since the last VERB_QOS_MEASUREMENT was sent to the remote peer.
@ -1405,7 +1343,6 @@ class Bond {
 		{
 			p = path;
 			whenNominated = now;
 			p->_bondingMetricPtr = (void*)this;
 		}
 	};
@ -1480,15 +1417,19 @@ class Bond {
 	std::string _policyAlias;	// Custom name given by the user to this bond type.
 	static Binder* _binder;
 	/**
 	 * Set of indices corresponding to paths currently included in the bond proper. This
 	 * may only be updated during a call to curateBond(). The reason for this is so that
 	 * we can simplify the high frequency packet egress logic.
 	 */
-	int _bondIdxMap[ZT_MAX_PEER_NETWORK_PATHS];
+	int _realIdxMap[ZT_MAX_PEER_NETWORK_PATHS] = { ZT_MAX_PEER_NETWORK_PATHS };
-	int _numBondedPaths;						  // Number of paths currently included in the _bondIdxMap set.
+	int _numBondedPaths;						  // Number of paths currently included in the _realIdxMap set.
-	std::map<int32_t, SharedPtr<Flow> > _flows;	  // Flows hashed according to port and protocol
+	std::map<int16_t, SharedPtr<Flow> > _flows;	  // Flows hashed according to port and protocol
-	float _qw[ZT_QOS_WEIGHT_SIZE];				  // How much each factor contributes to the "quality" score of a path.
+	float _qw[ZT_QOS_PARAMETER_SIZE];			  // Link quality specification (can be customized by user)
 	bool _run;
 	uint8_t _policy;
 	uint32_t _upDelay;
@ -1511,7 +1452,6 @@ class Bond {
 	// balance-aware
 	uint64_t _totalBondUnderload;
 	uint8_t _flowRebalanceStrategy;
 	// dynamic link monitoring
 	uint8_t _linkMonitorStrategy;
@ -1525,21 +1465,11 @@ class Bond {
 	/**
 	 * Timers and intervals
 	 */
-	uint32_t _failoverInterval;
+	uint64_t _failoverInterval;
-	uint32_t _qosSendInterval;
+	uint64_t _qosSendInterval;
-	uint32_t _ackSendInterval;
+	uint64_t _ackSendInterval;
-	uint32_t throughputMeasurementInterval;
+	uint64_t throughputMeasurementInterval;
-	uint32_t _qualityEstimationInterval;
+	uint64_t _qualityEstimationInterval;
 	/**
 	 * Acceptable quality thresholds
 	 */
 	float _maxAcceptablePacketLossRatio;
 	float _maxAcceptablePacketErrorRatio;
 	uint16_t _maxAcceptableLatency;
 	uint16_t _maxAcceptableMeanLatency;
 	uint16_t _maxAcceptablePacketDelayVariance;
 	uint8_t _minAcceptableAllocation;
 	/**
 	 * Link state reporting
@ -1589,7 +1519,7 @@ class Bond {
 	bool _userHasSpecifiedLinks;				  // Whether the user has specified links for this bond.
 	bool _userHasSpecifiedPrimaryLink;			  // Whether the user has specified a primary link for this bond.
 	bool _userHasSpecifiedFailoverInstructions;	  // Whether the user has specified failover instructions for this bond.
-	bool _userHasSpecifiedLinkSpeeds;			  // Whether the user has specified links speeds for this bond.
+	bool _userHasSpecifiedLinkCapacities;		  // Whether the user has specified links capacities for this bond.
 	/**
 	 * How frequently (in ms) a VERB_ECHO is sent to a peer to verify that a
 	 * path is still active. A value of zero (0) will disable active path
--- a/node/Constants.hpp
+++ b/node/Constants.hpp
@ -390,7 +390,7 @@
 /**
 * Number of samples to consider when processing real-time path statistics
 */
-#define ZT_QOS_SHORTTERM_SAMPLE_WIN_SIZE 32
+#define ZT_QOS_SHORTTERM_SAMPLE_WIN_SIZE 64
 /**
 * Max allowable time spent in any queue (in ms)
@ -517,7 +517,7 @@
 #define ZT_ACK_CUTOFF_LIMIT 128
 #define ZT_ACK_DRAINAGE_DIVISOR (1000 / ZT_ACK_CUTOFF_LIMIT)
-#define ZT_BOND_DEFAULT_REFRCTORY_PERIOD 8000
+#define ZT_BOND_DEFAULT_REFRACTORY_PERIOD 8000
 #define ZT_BOND_MAX_REFRACTORY_PERIOD 600000
 /**
--- a/node/DNS.hpp
+++ b/node/DNS.hpp
@ -24,7 +24,7 @@
 namespace ZeroTier {
 /**
- * DNS data serealization methods
+ * DNS data serialization methods
 */
 class DNS {
 public:
@ -44,6 +44,7 @@ public:
        char *d = (char*)b.data()+p;
        memset(dns, 0, sizeof(ZT_VirtualNetworkDNS));
        memcpy(dns->domain, d, 128);
        dns->domain[127] = 0;
        p += 128;
        for (unsigned int j = 0; j < ZT_MAX_DNS_SERVERS; ++j) {
            p += reinterpret_cast<InetAddress *>(&(dns->server_addr[j]))->deserialize(b, p);
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@ -707,7 +707,7 @@ bool IncomingPacket::_doFRAME(const RuntimeEnvironment *RR,void *tPtr,const Shar
 {
 	int32_t _flowId = ZT_QOS_NO_FLOW;
 	SharedPtr<Bond> bond = peer->bond();
-	if (bond && bond->flowHashingEnabled()) {
+	if (bond && bond->flowHashingSupported()) {
 		if (size() > ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD) {
 			const unsigned int etherType = at<uint16_t>(ZT_PROTO_VERB_FRAME_IDX_ETHERTYPE);
 			const unsigned int frameLen = size() - ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
--- a/node/Multicaster.cpp
+++ b/node/Multicaster.cpp
@ -268,7 +268,8 @@ void Multicaster::send(
 			const unsigned int gatherLimit = (limit - (unsigned int)gs.members.size()) + 1;
-			if ((gs.members.empty())||((now - gs.lastExplicitGather) >= ZT_MULTICAST_EXPLICIT_GATHER_DELAY)) {
+			int timerScale = RR->node->lowBandwidthModeEnabled() ? 3 : 1;
 			if ((gs.members.empty())||((now - gs.lastExplicitGather) >= (ZT_MULTICAST_EXPLICIT_GATHER_DELAY * timerScale))) {
 				gs.lastExplicitGather = now;
 				Address explicitGatherPeers[16];
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@ -177,7 +177,7 @@ namespace ZeroTier {
 #define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATES_OF_OWNERSHIP "COO"
 // dns (binary blobs)
 #define ZT_NETWORKCONFIG_DICT_KEY_DNS "DNS"
-// sso enabld
+// sso enabled
 #define ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED "ssoe"
 // so version
 #define ZT_NETWORKCONFIG_DICT_KEY_SSO_VERSION "ssov"
@ -200,7 +200,7 @@ namespace ZeroTier {
 // AuthInfo Version
 #define ZT_AUTHINFO_DICT_KEY_VERSION "aV"
-// authenticaiton URL
+// authentication URL
 #define ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL "aU"
 // issuer URL
 #define ZT_AUTHINFO_DICT_KEY_ISSUER_URL "iU"
@ -659,7 +659,7 @@ public:
 	bool ssoEnabled;
 	/**
-	 * SSO verison
+	 * SSO version
 	 */
 	uint64_t ssoVersion;
--- a/node/Node.cpp
+++ b/node/Node.cpp
@ -50,7 +50,8 @@ Node::Node(void *uptr,void *tptr,const struct ZT_Node_Callbacks *callbacks,int64
 	_lastPingCheck(0),
 	_lastGratuitousPingCheck(0),
 	_lastHousekeepingRun(0),
-	_lastMemoizedTraceSettings(0)
+	_lastMemoizedTraceSettings(0),
 	_lowBandwidthMode(false)
 {
 	if (callbacks->version != 0)
 		throw ZT_EXCEPTION_INVALID_ARGUMENT;
@ -202,6 +203,14 @@ public:
 	{
 		const std::vector<InetAddress> *const alwaysContactEndpoints = _alwaysContact.get(p->address());
 		if (alwaysContactEndpoints) {
 			// Contact upstream peers as infrequently as possible
 			ZT_PeerRole role = RR->topology->role(p->address());
 			int roleBasedTimerScale = (role == ZT_PEER_ROLE_LEAF) ? 2 : 16;
 			if ((RR->node->now() - p->lastSentFullHello()) <= (ZT_PATH_HEARTBEAT_PERIOD * roleBasedTimerScale)) {
 				return;
 			}
 			const unsigned int sent = p->doPingAndKeepalive(_tPtr,_now);
 			bool contacted = (sent != 0);
@ -262,7 +271,7 @@ ZT_ResultCode Node::processBackgroundTasks(void *tptr,int64_t now,volatile int64
 		}
 	}
-	unsigned long timeUntilNextPingCheck = ZT_PING_CHECK_INVERVAL;
+	unsigned long timeUntilNextPingCheck = _lowBandwidthMode ? (ZT_PING_CHECK_INVERVAL * 5) : ZT_PING_CHECK_INVERVAL;
 	const int64_t timeSinceLastPingCheck = now - _lastPingCheck;
 	if (timeSinceLastPingCheck >= timeUntilNextPingCheck) {
 		try {
@ -309,6 +318,7 @@ ZT_ResultCode Node::processBackgroundTasks(void *tptr,int64_t now,volatile int64
 			// Get peers we should stay connected to according to network configs
 			// Also get networks and whether they need config so we only have to do one pass over networks
 			int timerScale = _lowBandwidthMode ? 64 : 1;
 			std::vector< std::pair< SharedPtr<Network>,bool > > networkConfigNeeded;
 			{
 				Mutex::Lock l(_networks_m);
@ -317,7 +327,7 @@ ZT_ResultCode Node::processBackgroundTasks(void *tptr,int64_t now,volatile int64
 				SharedPtr<Network> *network = (SharedPtr<Network> *)0;
 				while (i.next(nwid,network)) {
 					(*network)->config().alwaysContactAddresses(alwaysContact);
-					networkConfigNeeded.push_back( std::pair< SharedPtr<Network>,bool >(*network,(((now - (*network)->lastConfigUpdate()) >= ZT_NETWORK_AUTOCONF_DELAY)||(!(*network)->hasConfig()))) );
+					networkConfigNeeded.push_back( std::pair< SharedPtr<Network>,bool >(*network,(((now - (*network)->lastConfigUpdate()) >= ZT_NETWORK_AUTOCONF_DELAY * timerScale)||(!(*network)->hasConfig()))) );
 				}
 			}
@ -336,9 +346,12 @@ ZT_ResultCode Node::processBackgroundTasks(void *tptr,int64_t now,volatile int64
 			// Refresh network config or broadcast network updates to members as needed
 			for(std::vector< std::pair< SharedPtr<Network>,bool > >::const_iterator n(networkConfigNeeded.begin());n!=networkConfigNeeded.end();++n) {
-				if (n->second)
+				if (n->second) {
 					n->first->requestConfiguration(tptr);
-				n->first->sendUpdatesToMembers(tptr);
+				}
 				if (! _lowBandwidthMode) {
 					n->first->sendUpdatesToMembers(tptr);
 				}
 			}
 			// Update online status, post status change as event
@ -496,15 +509,30 @@ ZT_PeerList *Node::peers() const
 		SharedPtr<Path> bestp(pi->second->getAppropriatePath(_now,false));
 		p->pathCount = 0;
 		for(std::vector< SharedPtr<Path> >::iterator path(paths.begin());path!=paths.end();++path) {
-			memcpy(&(p->paths[p->pathCount].address),&((*path)->address()),sizeof(struct sockaddr_storage));
+			if((*path)->valid()) {
-			p->paths[p->pathCount].localSocket = (*path)->localSocket();
+				memcpy(&(p->paths[p->pathCount].address),&((*path)->address()),sizeof(struct sockaddr_storage));
-			p->paths[p->pathCount].lastSend = (*path)->lastOut();
+				p->paths[p->pathCount].localSocket = (*path)->localSocket();
-			p->paths[p->pathCount].lastReceive = (*path)->lastIn();
+				p->paths[p->pathCount].lastSend = (*path)->lastOut();
-			p->paths[p->pathCount].trustedPathId = RR->topology->getOutboundPathTrust((*path)->address());
+				p->paths[p->pathCount].lastReceive = (*path)->lastIn();
-			p->paths[p->pathCount].expired = 0;
+				p->paths[p->pathCount].trustedPathId = RR->topology->getOutboundPathTrust((*path)->address());
-			p->paths[p->pathCount].preferred = ((*path) == bestp) ? 1 : 0;
+				p->paths[p->pathCount].expired = 0;
-			p->paths[p->pathCount].scope = (*path)->ipScope();
+				p->paths[p->pathCount].preferred = ((*path) == bestp) ? 1 : 0;
-			++p->pathCount;
+				p->paths[p->pathCount].scope = (*path)->ipScope();
 				if (pi->second->bond()) {
 					p->paths[p->pathCount].latencyMean = (*path)->latencyMean();
 					p->paths[p->pathCount].latencyVariance = (*path)->latencyVariance();
 					p->paths[p->pathCount].packetLossRatio = (*path)->packetLossRatio();
 					p->paths[p->pathCount].packetErrorRatio = (*path)->packetErrorRatio();
 					p->paths[p->pathCount].relativeQuality = (*path)->relativeQuality();
 					p->paths[p->pathCount].linkSpeed = (*path)->givenLinkSpeed();
 					p->paths[p->pathCount].bonded = (*path)->bonded();
 					p->paths[p->pathCount].eligible = (*path)->eligible();
 					std::string ifname = std::string((*path)->ifname());
 					memset(p->paths[p->pathCount].ifname, 0x0, std::min((int)ifname.length() + 1, ZT_MAX_PHYSIFNAME));
 					memcpy(p->paths[p->pathCount].ifname, ifname.c_str(), std::min((int)ifname.length(), ZT_MAX_PHYSIFNAME));
 				}
 				++p->pathCount;
 			}
 		}
 		if (pi->second->bond()) {
 			p->isBonded = pi->second->bond();
--- a/node/Node.hpp
+++ b/node/Node.hpp
@ -35,6 +35,7 @@
 #include "NetworkController.hpp"
 #include "Hashtable.hpp"
 #include "Bond.hpp"
 #include "SelfAwareness.hpp"
 // Bit mask for "expecting reply" hash
 #define ZT_EXPECTING_REPLIES_BUCKET_MASK1 255
@ -187,6 +188,8 @@ public:
 	inline const Identity &identity() const { return _RR.identity; }
 	inline const std::vector<InetAddress> SurfaceAddresses() const { return _RR.sa->whoami(); }
 	inline Bond *bondController() const { return _RR.bc; }
 	/**
@ -266,6 +269,16 @@ public:
 		_stats.inVerbBytes[v] += (uint64_t)bytes;
 	}
 	inline void setLowBandwidthMode(bool isEnabled)
 	{
 		_lowBandwidthMode = isEnabled;
 	}
 	inline bool lowBandwidthModeEnabled()
 	{
 		return _lowBandwidthMode;
 	}
 private:
 	RuntimeEnvironment _RR;
 	RuntimeEnvironment *RR;
@ -313,6 +326,7 @@ private:
 	int64_t _lastMemoizedTraceSettings;
 	volatile int64_t _prngState[2];
 	bool _online;
 	bool _lowBandwidthMode;
 };
 } // namespace ZeroTier
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@ -1249,6 +1249,14 @@ public:
 		return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x38) >> 3);
 	}
 	/**
 	 * @return Whether this packet is currently encrypted
 	 */
 	inline bool isEncrypted() const
 	{
 		return (cipher() == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) || (cipher() == ZT_PROTO_CIPHER_SUITE__AES_GMAC_SIV);
 	}
 	/**
 	 * Set this packet's cipher suite
 	 */
--- a/node/Path.hpp
+++ b/node/Path.hpp
@ -85,6 +85,15 @@ public:
 		_lastTrustEstablishedPacketReceived(0),
 		_lastEchoRequestReceived(0),
 		_localSocket(-1),
 		_latencyMean(0.0),
 		_latencyVariance(0.0),
 		_packetLossRatio(0.0),
 		_packetErrorRatio(0.0),
 		_valid(true),
 		_eligible(false),
 		_bonded(false),
 		_givenLinkSpeed(0),
 		_relativeQuality(0),
 		_latency(0xffff),
 		_addr(),
 		_ipScope(InetAddress::IP_SCOPE_NONE)
@ -96,6 +105,15 @@ public:
 		_lastTrustEstablishedPacketReceived(0),
 		_lastEchoRequestReceived(0),
 		_localSocket(localSocket),
 		_latencyMean(0.0),
 		_latencyVariance(0.0),
 		_packetLossRatio(0.0),
 		_packetErrorRatio(0.0),
 		_valid(true),
 		_eligible(false),
 		_bonded(false),
 		_givenLinkSpeed(0),
 		_relativeQuality(0),
 		_latency(0xffff),
 		_addr(addr),
 		_ipScope(addr.ipScope())
@ -176,7 +194,7 @@ public:
 	 */
 	inline unsigned int preferenceRank() const
 	{
-		// This causes us to rank paths in order of IP scope rank (see InetAdddress.hpp) but
+		// This causes us to rank paths in order of IP scope rank (see InetAddress.hpp) but
 		// within each IP scope class to prefer IPv6 over IPv4.
 		return ( ((unsigned int)_ipScope << 1) | (unsigned int)(_addr.ss_family == AF_INET6) );
 	}
@ -280,10 +298,63 @@ public:
 		return false;
 	}
-	void *_bondingMetricPtr;
+	/**
 	 * @return Mean latency as reported by the bonding layer
 	 */
 	inline unsigned int latencyMean() const { return _latencyMean; }
 	/**
 	 * @return Latency variance as reported by the bonding layer
 	 */
 	inline unsigned int latencyVariance() const { return _latencyVariance; }
 	/**
 	 * @return Packet Loss Ratio as reported by the bonding layer
 	 */
 	inline unsigned int packetLossRatio() const { return _packetLossRatio; }
 	/**
 	 * @return Packet Error Ratio as reported by the bonding layer
 	 */
 	inline unsigned int packetErrorRatio() const { return _packetErrorRatio; }
 	/**
 	 * @return Whether this path is valid as reported by the bonding layer. The bonding layer
 	 * actually checks with Phy to see if the interface is still up
 	 */
 	inline unsigned int valid() const { return _valid; }
 	/**
 	 * @return Whether this path is eligible for use in a bond as reported by the bonding layer
 	 */
 	inline unsigned int eligible() const { return _eligible; }
 	/**
 	 * @return Whether this path is bonded as reported by the bonding layer
 	 */
 	inline unsigned int bonded() const { return _bonded; }
 	/**
 	 * @return Given link capacity as reported by the bonding layer
 	 */
 	inline unsigned int givenLinkSpeed() const { return _givenLinkSpeed; }
 	/**
 	 * @return Path's quality as reported by the bonding layer
 	 */
 	inline float relativeQuality() const { return _relativeQuality; }
 	/**
 	 * @return Physical interface name that this path lives on
 	 */
 	char *ifname() {
 		return _ifname;
 	}
 private:
 	char _ifname[ZT_MAX_PHYSIFNAME] = { };
 	volatile int64_t _lastOut;
 	volatile int64_t _lastIn;
 	volatile int64_t _lastTrustEstablishedPacketReceived;
@ -291,6 +362,17 @@ private:
 	int64_t _lastEchoRequestReceived;
 	int64_t _localSocket;
 	volatile float _latencyMean;
 	volatile float _latencyVariance;
 	volatile float _packetLossRatio;
 	volatile float _packetErrorRatio;
 	volatile bool _valid;
 	volatile bool _eligible;
 	volatile bool _bonded;
 	volatile uint32_t _givenLinkSpeed;
 	volatile float _relativeQuality;
 	volatile unsigned int _latency;
 	InetAddress _addr;
 	InetAddress::IpScope _ipScope; // memoize this since it's a computed value checked often
--- a/node/Peer.cpp
+++ b/node/Peer.cpp
@ -219,11 +219,15 @@ void Peer::received(
 	// is done less frequently.
 	if (this->trustEstablished(now)) {
 		const int64_t sinceLastPush = now - _lastDirectPathPushSent;
-		if (sinceLastPush >= ((hops == 0) ? ZT_DIRECT_PATH_PUSH_INTERVAL_HAVEPATH : ZT_DIRECT_PATH_PUSH_INTERVAL)) {
+		bool lowBandwidth = RR->node->lowBandwidthModeEnabled();
 		int timerScale = lowBandwidth ? 16 : 1;
 		if (sinceLastPush >= ((hops == 0) ? ZT_DIRECT_PATH_PUSH_INTERVAL_HAVEPATH * timerScale : ZT_DIRECT_PATH_PUSH_INTERVAL)) {
 			_lastDirectPathPushSent = now;
 			std::vector<InetAddress> pathsToPush(RR->node->directPaths());
-			std::vector<InetAddress> ma = RR->sa->whoami();
+			if (! lowBandwidth) {
-			pathsToPush.insert(pathsToPush.end(), ma.begin(), ma.end());
+				std::vector<InetAddress> ma = RR->sa->whoami();
 				pathsToPush.insert(pathsToPush.end(), ma.begin(), ma.end());
 			}
 			if (!pathsToPush.empty()) {
 				std::vector<InetAddress>::const_iterator p(pathsToPush.begin());
 				while (p != pathsToPush.end()) {
@ -270,30 +274,30 @@ SharedPtr<Path> Peer::getAppropriatePath(int64_t now, bool includeExpired, int32
 {
 	Mutex::Lock _l(_paths_m);
 	Mutex::Lock _lb(_bond_m);
-	if (!_bond) {
+	if(_bond && _bond->isReady()) {
-		unsigned int bestPath = ZT_MAX_PEER_NETWORK_PATHS;
+		return _bond->getAppropriatePath(now, flowId);
 		/**
 		 * Send traffic across the highest quality path only. This algorithm will still
 		 * use the old path quality metric from protocol version 9.
 		 */
 		long bestPathQuality = 2147483647;
 		for(unsigned int i=0;i<ZT_MAX_PEER_NETWORK_PATHS;++i) {
 			if (_paths[i].p) {
 				if ((includeExpired)||((now - _paths[i].lr) < ZT_PEER_PATH_EXPIRATION)) {
 					const long q = _paths[i].p->quality(now) / _paths[i].priority;
 					if (q <= bestPathQuality) {
 						bestPathQuality = q;
 						bestPath = i;
 					}
 				}
 			} else break;
 		}
 		if (bestPath != ZT_MAX_PEER_NETWORK_PATHS) {
 			return _paths[bestPath].p;
 		}
 		return SharedPtr<Path>();
 	}
-	return _bond->getAppropriatePath(now, flowId);
+	unsigned int bestPath = ZT_MAX_PEER_NETWORK_PATHS;
 	/**
 	 * Send traffic across the highest quality path only. This algorithm will still
 	 * use the old path quality metric from protocol version 9.
 	 */
 	long bestPathQuality = 2147483647;
 	for(unsigned int i=0;i<ZT_MAX_PEER_NETWORK_PATHS;++i) {
 		if (_paths[i].p) {
 			if ((includeExpired)||((now - _paths[i].lr) < ZT_PEER_PATH_EXPIRATION)) {
 				const long q = _paths[i].p->quality(now) / _paths[i].priority;
 				if (q <= bestPathQuality) {
 					bestPathQuality = q;
 					bestPath = i;
 				}
 			}
 		} else break;
 	}
 	if (bestPath != ZT_MAX_PEER_NETWORK_PATHS) {
 		return _paths[bestPath].p;
 	}
 	return SharedPtr<Path>();
 }
 void Peer::introduce(void *const tPtr,const int64_t now,const SharedPtr<Peer> &other) const
@ -453,7 +457,7 @@ void Peer::sendHELLO(void *tPtr,const int64_t localSocket,const InetAddress &atA
 	if (atAddress) {
 		outp.armor(_key,false,nullptr); // false == don't encrypt full payload, but add MAC
 		RR->node->expectReplyTo(outp.packetId());
-		RR->node->putPacket(tPtr,-1,atAddress,outp.data(),outp.size());
+		RR->node->putPacket(tPtr,RR->node->lowBandwidthModeEnabled() ? localSocket : -1,atAddress,outp.data(),outp.size());
 	} else {
 		RR->node->expectReplyTo(outp.packetId());
 		RR->sw->send(tPtr,outp,false); // false == don't encrypt full payload, but add MAC
@ -477,8 +481,9 @@ void Peer::tryMemorizedPath(void *tPtr,int64_t now)
 	if ((now - _lastTriedMemorizedPath) >= ZT_TRY_MEMORIZED_PATH_INTERVAL) {
 		_lastTriedMemorizedPath = now;
 		InetAddress mp;
-		if (RR->node->externalPathLookup(tPtr,_id.address(),-1,mp))
+		if (RR->node->externalPathLookup(tPtr,_id.address(),-1,mp)) {
 			attemptToContactAt(tPtr,-1,mp,now,true);
 		}
 	}
 }
--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@ -302,6 +302,8 @@ public:
 	 */
 	inline int64_t isActive(int64_t now) const { return ((now - _lastNontrivialReceive) < ZT_PEER_ACTIVITY_TIMEOUT); }
 	inline int64_t lastSentFullHello() { return _lastSentFullHello; }
 	/**
 	 * @return Latency in milliseconds of best/aggregate path or 0xffff if unknown / no paths
 	 */
--- a/node/SHA512.cpp
+++ b/node/SHA512.cpp
@ -1,5 +1,7 @@
 // This code is public domain, taken from a PD crypto source file on GitHub.
 #include <algorithm>
 #include "SHA512.hpp"
 #include "Utils.hpp"
--- a/node/Switch.cpp
+++ b/node/Switch.cpp
@ -1045,7 +1045,9 @@ void Switch::_sendViaSpecificPath(void *tPtr,SharedPtr<Peer> peer,SharedPtr<Path
 	if (trustedPathId) {
 		packet.setTrusted(trustedPathId);
 	} else {
-		packet.armor(peer->key(),encrypt,peer->aesKeysIfSupported());
+		if (!packet.isEncrypted()) {
 			packet.armor(peer->key(),encrypt,peer->aesKeysIfSupported());
 		}
 		RR->node->expectReplyTo(packet.packetId());
 	}
--- a/one.cpp
+++ b/one.cpp
@ -611,42 +611,50 @@ static int cli(int argc,char **argv)
 					} else {
 						int numAliveLinks = OSUtils::jsonInt(j["numAliveLinks"],0);
 						int numTotalLinks = OSUtils::jsonInt(j["numTotalLinks"],0);
-						printf("Peer               : %s\n", arg1.c_str());
+						printf("Peer                   : %s\n", arg1.c_str());
-						printf("Bond               : %s\n", OSUtils::jsonString(j["bondingPolicy"],"-").c_str());
+						printf("Bond                   : %s\n", OSUtils::jsonString(j["bondingPolicyStr"],"-").c_str());
-						//if (bondingPolicy == ZT_BOND_POLICY_ACTIVE_BACKUP) {
+						printf("Link Select Method     : %d\n", (int)OSUtils::jsonInt(j["linkSelectMethod"],0));
-						printf("Link Select Method : %d\n", (int)OSUtils::jsonInt(j["linkSelectMethod"],0));
+						printf("Links                  : %d/%d\n", numAliveLinks, numTotalLinks);
-						//}
+						printf("Failover Interval (ms) : %d\n", (int)OSUtils::jsonInt(j["failoverInterval"],0));
-						printf("Links              : %d/%d\n", numAliveLinks, numTotalLinks);
+						printf("Up Delay (ms)          : %d\n", (int)OSUtils::jsonInt(j["upDelay"],0));
-						printf("Failover Interval  : %d (ms)\n", (int)OSUtils::jsonInt(j["failoverInterval"],0));
+						printf("Down Delay (ms)        : %d\n", (int)OSUtils::jsonInt(j["downDelay"],0));
-						printf("Up Delay           : %d (ms)\n", (int)OSUtils::jsonInt(j["upDelay"],0));
+						printf("Packets Per Link       : %d\n", (int)OSUtils::jsonInt(j["packetsPerLink"],0));
-						printf("Down Delay         : %d (ms)\n", (int)OSUtils::jsonInt(j["downDelay"],0));
+						nlohmann::json &p = j["paths"];
 						printf("Packets Per Link   : %d (ms)\n", (int)OSUtils::jsonInt(j["packetsPerLink"],0));
 						nlohmann::json &p = j["links"];
 						if (p.is_array()) {
-							printf("\n     Interface Name\t\t\t\t\t     Path\t Alive\n");
+							printf("\nidx"
-							for(int i=0; i<80; i++) { printf("-"); }
+							"                  interface"
 							"                                  "
 							"path               socket\n");
 							for(int i=0; i<100; i++) { printf("-"); }
 							printf("\n");
 							for (int i=0; i<p.size(); i++)
 							{
-								printf("[%d] %15s %45s %12d\n",
+								printf("%2d: %26s %51s %.16llx\n",
 									i,
 									OSUtils::jsonString(p[i]["ifname"],"-").c_str(),
-									OSUtils::jsonString(p[i]["path"],"-").c_str(),
+									OSUtils::jsonString(p[i]["address"],"-").c_str(),
-									(int)OSUtils::jsonInt(p[i]["alive"],0));
+									(unsigned long long)OSUtils::jsonInt(p[i]["localSocket"],0)
 									);
 							}
-							printf("\n        Latency     Jitter     Loss     Error        Speed   Alloc\n");
+							printf("\nidx     lat      pdv     "
-							for(int i=0; i<80; i++) { printf("-"); }
+							"plr     per    capacity    qual      "
 							"rx_age      tx_age  eligible  bonded\n");
 							for(int i=0; i<100; i++) { printf("-"); }
 							printf("\n");
 							for (int i=0; i<p.size(); i++)
 							{
-								printf("[%d]       %5.3f      %5.3f    %5.3f     %5.3f     %8d   %5d\n",
+								printf("%2d: %8.2f %8.2f %7.4f %7.4f %10d %7.4f %11d %11d %9d %7d\n",
 									i,
 									OSUtils::jsonDouble(p[i]["latencyMean"], 0),
 									OSUtils::jsonDouble(p[i]["latencyVariance"], 0),
 									OSUtils::jsonDouble(p[i]["packetLossRatio"], 0),
 									OSUtils::jsonDouble(p[i]["packetErrorRatio"], 0),
 									(int)OSUtils::jsonInt(p[i]["givenLinkSpeed"], 0),
-									(int)OSUtils::jsonInt(p[i]["allocation"], 0));
+									OSUtils::jsonDouble(p[i]["relativeQuality"], 0),
 									(int)OSUtils::jsonInt(p[i]["lastInAge"], 0),
 									(int)OSUtils::jsonInt(p[i]["lastOutAge"], 0),
 									(int)OSUtils::jsonInt(p[i]["eligible"],0),
 									(int)OSUtils::jsonInt(p[i]["bonded"],0));
 							}
 						}
 					}
--- a/osdep/Binder.hpp
+++ b/osdep/Binder.hpp
@ -42,7 +42,9 @@
 #if (defined(__unix__) || defined(__APPLE__)) && !defined(__LINUX__) && !defined(ZT_SDK)
 #include <net/if.h>
 #if ! defined(TARGET_OS_IOS)
 #include <netinet6/in6_var.h>
 #endif
 #include <sys/ioctl.h>
 #endif
@ -66,6 +68,9 @@
 // Max number of bindings
 #define ZT_BINDER_MAX_BINDINGS 256
 // Maximum physical interface name length. This number is gigantic because of Windows.
 #define ZT_MAX_PHYSIFNAME 256
 namespace ZeroTier {
 /**
@ -88,6 +93,7 @@ class Binder {
 		PhySocket* udpSock;
 		PhySocket* tcpListenSock;
 		InetAddress address;
 		char ifname[256] = {};
 	};
  public:
@ -307,7 +313,14 @@ class Binder {
 #else
 			const bool gotViaProc = false;
 #endif
-#if ! defined(ZT_SDK) || ! defined(__ANDROID__)	  // getifaddrs() freeifaddrs() not available on Android
+
 			//
 			// prevent:
 			// warning: unused variable 'gotViaProc'
 			//
 			(void)gotViaProc;
 #if ! (defined(ZT_SDK) || defined(__ANDROID__))	  // getifaddrs() freeifaddrs() not available on Android
 			if (! gotViaProc) {
 				struct ifaddrs* ifatbl = (struct ifaddrs*)0;
 				struct ifaddrs* ifa;
@ -320,7 +333,7 @@ class Binder {
 					while (ifa) {
 						if ((ifa->ifa_name) && (ifa->ifa_addr)) {
 							InetAddress ip = *(ifa->ifa_addr);
-#if (defined(__unix__) || defined(__APPLE__)) && !defined(__LINUX__) && !defined(ZT_SDK)
+#if (defined(__unix__) || defined(__APPLE__)) && !defined(__LINUX__) && !defined(ZT_SDK) && !defined(TARGET_OS_IOS)
 							// Check if the address is an IPv6 Temporary Address, macOS/BSD version
 							if (ifa->ifa_addr->sa_family == AF_INET6) {
 								struct sockaddr_in6* sa6 = (struct sockaddr_in6*)ifa->ifa_addr;
@ -443,7 +456,7 @@ class Binder {
 						_bindings[_bindingCount].udpSock = udps;
 						_bindings[_bindingCount].tcpListenSock = tcps;
 						_bindings[_bindingCount].address = ii->first;
-						phy.setIfName(udps, (char*)ii->second.c_str(), (int)ii->second.length());
+						memcpy(_bindings[_bindingCount].ifname, (char*)ii->second.c_str(), (int)ii->second.length());
 						++_bindingCount;
 					}
 				}
@ -514,6 +527,22 @@ class Binder {
 		return false;
 	}
 	/**
 	 * @param s Socket object
 	 * @param nameBuf Buffer to store name of interface which this Socket object is bound to
 	 * @param buflen Length of buffer to copy name into
 	 */
 	void getIfName(PhySocket* s, char* nameBuf, int buflen) const
 	{
 		Mutex::Lock _l(_lock);
 		for (unsigned int b = 0, c = _bindingCount; b < c; ++b) {
 			if (_bindings[b].udpSock == s) {
 				memcpy(nameBuf, _bindings[b].ifname, buflen);
 				break;
 			}
 		}
 	}
  private:
 	_Binding _bindings[ZT_BINDER_MAX_BINDINGS];
 	std::atomic<unsigned int> _bindingCount;
--- a/osdep/ManagedRoute.cpp
+++ b/osdep/ManagedRoute.cpp
@ -477,7 +477,7 @@ bool ManagedRoute::sync()
 	if ((newSystemVia)&&(!newSystemDevice[0])) {
 		rtes = _getRTEs(newSystemVia,true);
 		for(std::vector<_RTE>::iterator r(rtes.begin());r!=rtes.end();++r) {
-			if ( (r->device[0]) && (strcmp(r->device,_device) != 0) ) {
+			if ( (r->device[0]) && (strcmp(r->device,_device) != 0) && r->target.netmaskBits() != 0) {
 				Utils::scopy(newSystemDevice,sizeof(newSystemDevice),r->device);
 				break;
 			}
--- a/osdep/OSUtils.cpp
+++ b/osdep/OSUtils.cpp
@ -43,6 +43,10 @@
 #include "OSUtils.hpp"
 #ifdef __GCC__
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #endif
 namespace ZeroTier {
 unsigned int OSUtils::ztsnprintf(char *buf,unsigned int len,const char *fmt,...)
--- a/osdep/Phy.hpp
+++ b/osdep/Phy.hpp
@ -140,12 +140,11 @@ private:
 	};
 	struct PhySocketImpl {
-		PhySocketImpl() { memset(ifname, 0, sizeof(ifname)); }
+		PhySocketImpl() {}
 		PhySocketType type;
 		ZT_PHY_SOCKFD_TYPE sock;
 		void *uptr; // user-settable pointer
 		ZT_PHY_SOCKADDR_STORAGE_TYPE saddr; // remote for TCP_OUT and TCP_IN, local for TCP_LISTEN, RAW, and UDP
 		char ifname[256 + 4];
 	};
 	std::list<PhySocketImpl> _socks;
@ -243,38 +242,6 @@ public:
 		return &(reinterpret_cast<PhySocketImpl*>(s)->uptr);
 	}
 	/**
 	 * @param s Socket object
 	 * @param nameBuf Buffer to store name of interface which this Socket object is bound to
 	 * @param buflen Length of buffer to copy name into
 	 */
 	static inline void getIfName(PhySocket* s, char* nameBuf, int buflen)
 	{
 		PhySocketImpl& sws = *(reinterpret_cast<PhySocketImpl*>(s));
 		if (sws.type == ZT_PHY_SOCKET_CLOSED) {
 			return;
 		}
 		if (s) {
 			memcpy(nameBuf, reinterpret_cast<PhySocketImpl*>(s)->ifname, buflen);
 		}
 	}
 	/**
 	 * @param s Socket object
 	 * @param ifname Buffer containing name of interface that this Socket object is bound to
 	 * @param len Length of name of interface
 	 */
 	static inline void setIfName(PhySocket* s, char* ifname, int len)
 	{
 		PhySocketImpl& sws = *(reinterpret_cast<PhySocketImpl*>(s));
 		if (sws.type == ZT_PHY_SOCKET_CLOSED) {
 			return;
 		}
 		if (s) {
 			memcpy(&(reinterpret_cast<PhySocketImpl*>(s)->ifname), ifname, len);
 		}
 	}
 	/**
 	 * Cause poll() to stop waiting immediately
 	 *
--- a/osdep/WinFWHelper.cpp
+++ b/osdep/WinFWHelper.cpp
@ -0,0 +1,172 @@
 #include "WinFWHelper.hpp"
 namespace ZeroTier {
 void ZeroTier::WinFWHelper::newICMPRule(const InetAddress& ip, uint64_t nwid)
 {
 	char nwString[32] = { 0 };
 	char ipbuf[64];
 	sprintf(nwString, "%.16llx", nwid);
 	std::string nwString2 = { nwString };
 	ip.toString(ipbuf);
 	if (ip.isV4()) {
 		WinFWHelper::newICMPv4Rule(ipbuf, nwid);
 	}
 	else {
 		WinFWHelper::newICMPv6Rule(ipbuf, nwid);
 	}
 }
 void ZeroTier::WinFWHelper::removeICMPRule(const InetAddress& ip, uint64_t nwid)
 {
 	char nwString[32] = { 0 };
 	char ipbuf[64];
 	sprintf(nwString, "%.16llx", nwid);
 	std::string nwString2 = { nwString };
 	ip.toString(ipbuf);
 	if (ip.isV4()) {
 		WinFWHelper::removeICMPv4Rule(ipbuf, nwid);
 	}
 	else {
 		WinFWHelper::removeICMPv6Rule(ipbuf, nwid);
 	}
 }
 void WinFWHelper::newICMPv4Rule(std::string address, uint64_t nwid)
 {
 	// allows icmp, scoped to a specific ip address and interface name
 	char nwString[32] = { 0 };
 	sprintf(nwString, "%.16llx", nwid);
 	std::string nwString2 = { nwString };
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "New-NetFirewallRule -DisplayName zerotier-icmpv4-)" + nwString2 + address +
 			R"( -InterfaceAlias 'ZeroTier One `[)" + nwString2 + R"(`]')" + 
 			" -Protocol ICMPv4 -Action Allow" + 
 			" -LocalAddress " + address + "\"\r\n";
 		_run(cmd);
 }
 void WinFWHelper::newICMPv6Rule(std::string address, uint64_t nwid)
 {
 		// allows icmp, scoped to a specific ip address and interface name
 		char nwString[32] = { 0 };
 		sprintf(nwString, "%.16llx", nwid);
 		std::string nwString2 = { nwString };
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "New-NetFirewallRule -DisplayName zerotier-icmpv6-)" + nwString2 + address +
 			R"( -InterfaceAlias 'ZeroTier One `[)" + nwString2 + R"(`]')" + 
 			" -Protocol ICMPv6 -Action Allow" + 
 			" -LocalAddress " + address + "\"\r\n";
 		_run(cmd);
 }
 void WinFWHelper::removeICMPv4Rule(std::string addr, uint64_t nwid)
 {
 		// removes 1 icmp firewall rule
 		char nwString[32] = { 0 };
 		sprintf(nwString, "%.16llx", nwid);
 		std::string nwString2 = { nwString };
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "Remove-NetFirewallRule -DisplayName zerotier-icmpv4-)" + nwString2 + addr +
 		 "\"\r\n";
 		_run(cmd);
 }
 void WinFWHelper::removeICMPv6Rule(std::string addr, uint64_t nwid)
 {
 		// removes 1 icmp firewall rule
 		char nwString[32] = { 0 };
 		sprintf(nwString, "%.16llx", nwid);
 		std::string nwString2 = { nwString };
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "Remove-NetFirewallRule -DisplayName zerotier-icmpv6-)" + nwString2 + addr +
 		 "\"\r\n";
 		_run(cmd);
 }
 void WinFWHelper::removeICMPv4Rules(uint64_t nwid)
 {
 		// removes all icmp firewall rules for this network id
 		char nwString[32] = { 0 };
 		sprintf(nwString, "%.16llx", nwid);
 		std::string nwString2 = { nwString };
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "Remove-NetFirewallRule -DisplayName zerotier-icmpv4-)" + nwString2 + "*\" \r\n";
 		_run(cmd);
 }
 void WinFWHelper::removeICMPv6Rules(uint64_t nwid)
 {
 		// removes all icmp firewall rules for this network id
 		char nwString[32] = { 0 };
 		sprintf(nwString, "%.16llx", nwid);
 		std::string nwString2 = { nwString };
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "Remove-NetFirewallRule -DisplayName zerotier-icmpv6-)" + nwString2 + "*\" \r\n";
 		_run(cmd);
 }
 void WinFWHelper::removeICMPRules()
 {
 		// removes all icmp firewall rules for all networks
 		std::string cmd = R"(C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "Remove-NetFirewallRule -DisplayName zerotier-icmp*)" + std::string("\r\n");
 		_run(cmd);
 }
 void WinFWHelper::removeICMPRules(uint64_t nwid)
 {
 		// removes all icmp firewall rules for this network
 		WinFWHelper::removeICMPv4Rules(nwid);
 		WinFWHelper::removeICMPv6Rules(nwid);
 }
 void WinFWHelper::_run(std::string cmd)
 {
 		#ifdef ZT_DEBUG
 				fprintf(stderr, cmd.c_str());
 		#endif
 		STARTUPINFOA startupInfo;
 		PROCESS_INFORMATION processInfo;
 		startupInfo.cb = sizeof(startupInfo);
 		memset(&startupInfo, 0, sizeof(STARTUPINFOA));
 		memset(&processInfo, 0, sizeof(PROCESS_INFORMATION));
 		if (CreateProcessA(NULL, (LPSTR)cmd.c_str(), NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &startupInfo, &processInfo)) {
 			WaitForSingleObject(processInfo.hProcess, INFINITE);
 			CloseHandle(processInfo.hProcess);
 			CloseHandle(processInfo.hThread);
 		}
 }
 }	// namespace ZeroTier
--- a/osdep/WinFWHelper.hpp
+++ b/osdep/WinFWHelper.hpp
@ -0,0 +1,31 @@
 #ifndef WIN_FW_HELPER_H_
 #define WIN_FW_HELPER_H_
 #include "../node/InetAddress.hpp"
 #include <cstdint>
 #include <vector>
 namespace ZeroTier {
 class WinFWHelper {
  public:
 	static void newICMPRule(const InetAddress& ip, uint64_t nwid);
 	static void removeICMPRule(const InetAddress& ip, uint64_t nwid);
 	static void removeICMPRules(uint64_t nwid);
 	static void removeICMPRules();
  private:
 	static void _run(std::string cmd);
 	static void newICMPv4Rule(std::string address, uint64_t nwid);
 	static void newICMPv6Rule(std::string address, uint64_t nwid);
 	static void removeICMPv4Rule(std::string address, uint64_t nwid);
 	static void removeICMPv6Rule(std::string address, uint64_t nwid);
 	static void removeICMPv4Rules(uint64_t nwid);
 	static void removeICMPv6Rules(uint64_t nwid);
 };
 }	// namespace ZeroTier
 #endif
--- a/pkg/README.md
+++ b/pkg/README.md
@ -1,4 +1,4 @@
 Third-party packaging
 =====
-Builds packages for various embedded devices and appliances and platforms
+For package documentation see the `Devices` section here: [docs.zerotier.com](https://docs.zerotier.com/)
--- a/pkg/synology/dsm7-docker/Dockerfile
+++ b/pkg/synology/dsm7-docker/Dockerfile
@ -2,13 +2,12 @@
 FROM alpine:latest as builder
-RUN apk add --no-cache rust cargo
+WORKDIR /src
-RUN apk add  openssl-dev
+RUN apk add --no-cache rust cargo \
-
+  && apk add  openssl-dev \
-RUN apk add --update alpine-sdk linux-headers \
+  && apk add --update alpine-sdk linux-headers \
  && git clone --quiet https://github.com/zerotier/ZeroTierOne.git /src \
-  && git -C src reset --quiet --hard ${ZTO_COMMIT} \
+  && git reset --quiet --hard ${ZTO_COMMIT} \
  && cd /src \
  && make -f make-linux.mk
 FROM alpine:latest
@ -18,6 +17,7 @@ LABEL description="ZeroTier One docker image for Synology NAS"
 RUN apk add --update --no-cache bash jq libc6-compat libstdc++
 EXPOSE 9993/udp
 ENV MAX_WAIT_SECS SLEEP_TIME
 COPY --from=builder /src/zerotier-one /usr/sbin/
 RUN mkdir -p /var/lib/zerotier-one \
--- a/pkg/synology/dsm7-docker/entrypoint.sh
+++ b/pkg/synology/dsm7-docker/entrypoint.sh
@ -1,29 +1,81 @@
 #!/bin/bash
 set -uo pipefail
 trap 'trap " " SIGTERM; kill 0; wait' SIGTERM SIGQUIT SIGINT
 echo "Starting Zerotier-One"
 zerotier-one -d
-# Wait for ZT service to come online before attempting queries
+echo "Wait for ZT service to come online before attempting queries..."
-sleep 15
+MAX_WAIT_SECS="${MAX_WAIT_SECS:-90}"
 SLEEP_TIME="${SLEEP_TIME:-15}"
 if [[ "$SLEEP_TIME" -le 0 ]]
 then
  SLEEP_TIME=1
 fi
 iterations=$((MAX_WAIT_SECS/SLEEP_TIME))
 online=false
 for ((s=0; s<=iterations; s++))
 do
    online="$(zerotier-cli -j info | jq '.online' 2>/dev/null)"
    if [[ "$online" == "true" ]]
    then
        break
    fi
    sleep "$SLEEP_TIME"
    echo " ."
 done
 if [[ "$online" != "true" ]]
 then
    echo "Waited $MAX_WAIT_SECS for zerotier-one to start, exiting." >&2
    exit 1
 fi
 echo "done."
 (
 echo "Starting route helper"
 while true
 do
-    NETWORK_COUNT=$(zerotier-cli -j listnetworks | jq -r '. | length')
+    if ! NETWORK_LIST="$(zerotier-cli -j listnetworks)"
-    if [ "$NETWORK_COUNT" -gt 0 ]; then
+    then
      echo "Route helper: $NETWORK_LIST" >&2
      exit 1
    fi
    NETWORK_COUNT="$(jq -r '. | length' <<< "$NETWORK_LIST")"
    if [[ "$NETWORK_COUNT" -gt 0 ]]
    then
        for ((j=0; j<=$((NETWORK_COUNT-1)); j++))
        do
-            ROUTE_COUNT=$(zerotier-cli -j listnetworks | jq -r '.['$j'].routes | length')
+            ALLOW_DEFAULT="$(jq -r '.['$j'].allowDefault' <<< "$NETWORK_LIST")"
            ROUTE_COUNT="$(jq -r '.['$j'].routes | length' <<< "$NETWORK_LIST")"
            for ((k=0; k<=$((ROUTE_COUNT-1)); k++))
            do
-                ROUTE=$(zerotier-cli -j listnetworks | jq -r '.['$j'].routes['$k'].target')
+                ROUTE="$(jq -r '.['$j'].routes['$k'].target' <<< "$NETWORK_LIST")"
-                EXIST=$(ip route show $ROUTE | wc -l)
+                if [[ -n "$ROUTE" ]]
                if [ $EXIST -eq 0 ];
                then
-                    IFNAME=$(zerotier-cli -j listnetworks | jq -r '.['$j'] | .portDeviceName')
+                    # check if route is default and allowDefault enabled for this network
-                    ip route add $ROUTE dev $IFNAME
+                    if [[ "$ROUTE" == "0.0.0.0/0" && "$ALLOW_DEFAULT" == "false" ]]
-                    # Routes will be deleted when ZT brings the interface down
+                    then
                      continue
                    fi
                    EXIST="$(ip -o route show "$ROUTE")"
                    if [[ -z "${EXIST}" ]]
                    then
                        IFNAME="$(jq -r '.['$j'] | .portDeviceName' <<< "$NETWORK_LIST")"
                        echo " Adding route $ROUTE to dev $IFNAME"
                        ip route add "$ROUTE" dev "$IFNAME"
                        # Routes will be deleted when ZT brings the interface down
                    fi
                fi
            done
        done
        sleep 15
    fi
-done
+    sleep 15
 done ) &
 wait
--- a/selftest.cpp
+++ b/selftest.cpp
@ -667,7 +667,7 @@ static int testPacket()
 	std::cout << "(compressed: " << complen << ", decompressed: " << a.size() << ") ";
 	if (a != b) {
-		std::cout << "FAIL (compresssion)" << std::endl;
+		std::cout << "FAIL (compression)" << std::endl;
 		return -1;
 	}
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@ -78,6 +78,7 @@
 #include "../osdep/MacDNSHelper.hpp"
 #elif defined(__WINDOWS__)
 #include "../osdep/WinDNSHelper.hpp"
 #include "../osdep/WinFWHelper.hpp"
 #endif
 #ifdef ZT_USE_SYSTEM_HTTP_PARSER
@ -520,7 +521,7 @@ static void _networkToJson(nlohmann::json &nj,NetworkState &ns)
 	}
 }
-static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)
+static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer, SharedPtr<Bond> &bond)
 {
 	char tmp[256];
@ -541,10 +542,15 @@ static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)
 	pj["latency"] = peer->latency;
 	pj["role"] = prole;
 	pj["isBonded"] = peer->isBonded;
-	if (peer->isBonded) {
+	if (bond && peer->isBonded) {
-		pj["bondingPolicy"] = peer->bondingPolicy;
+		pj["bondingPolicyCode"] = peer->bondingPolicy;
 		pj["bondingPolicyStr"] = Bond::getPolicyStrByCode(peer->bondingPolicy);
 		pj["numAliveLinks"] = peer->numAliveLinks;
 		pj["numTotalLinks"] = peer->numTotalLinks;
 		pj["failoverInterval"] = bond->getFailoverInterval();
 		pj["downDelay"] = bond->getDownDelay();
 		pj["upDelay"] = bond->getUpDelay();
 		pj["packetsPerLink"] = bond->getPacketsPerLink();
 	}
 	nlohmann::json pa = nlohmann::json::array();
@ -560,58 +566,25 @@ static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)
 		j["expired"] = (bool)(peer->paths[i].expired != 0);
 		j["preferred"] = (bool)(peer->paths[i].preferred != 0);
 		j["localSocket"] = peer->paths[i].localSocket;
 		if (bond && peer->isBonded) {
 			uint64_t now = OSUtils::now();
 			j["ifname"] = std::string(peer->paths[i].ifname);
 			j["latencyMean"] = peer->paths[i].latencyMean;
 			j["latencyVariance"] = peer->paths[i].latencyVariance;
 			j["packetLossRatio"] = peer->paths[i].packetLossRatio;
 			j["packetErrorRatio"] = peer->paths[i].packetErrorRatio;
 			j["lastInAge"] = (now - lastReceive);
 			j["lastOutAge"] = (now - lastSend);
 			j["bonded"] = peer->paths[i].bonded;
 			j["eligible"] = peer->paths[i].eligible;
 			j["givenLinkSpeed"] = peer->paths[i].linkSpeed;
 			j["relativeQuality"] = peer->paths[i].relativeQuality;
 		}
 		pa.push_back(j);
 	}
 	pj["paths"] = pa;
 }
 static void _bondToJson(nlohmann::json &pj, SharedPtr<Bond> &bond)
 {
 	uint64_t now = OSUtils::now();
 	int bondingPolicy = bond->policy();
 	pj["bondingPolicy"] = Bond::getPolicyStrByCode(bondingPolicy);
 	if (bondingPolicy == ZT_BOND_POLICY_NONE) {
 		return;
 	}
 	pj["numAliveLinks"] = bond->getNumAliveLinks();
 	pj["numTotalLinks"] = bond->getNumTotalLinks();
 	pj["failoverInterval"] = bond->getFailoverInterval();
 	pj["downDelay"] = bond->getDownDelay();
 	pj["upDelay"] = bond->getUpDelay();
 	if (bondingPolicy == ZT_BOND_POLICY_BALANCE_RR) {
 		pj["packetsPerLink"] = bond->getPacketsPerLink();
 	}
 	if (bondingPolicy == ZT_BOND_POLICY_ACTIVE_BACKUP) {
 		pj["linkSelectMethod"] = bond->getLinkSelectMethod();
 	}
 	nlohmann::json pa = nlohmann::json::array();
 	std::vector< SharedPtr<Path> > paths = bond->paths(now);
 	for(unsigned int i=0;i<paths.size();++i) {
 		char pathStr[128];
 		paths[i]->address().toString(pathStr);
 		nlohmann::json j;
 		j["ifname"] = bond->getLink(paths[i])->ifname();
 		j["path"] = pathStr;
 		/*
 		j["alive"] = paths[i]->alive(now,true);
 		j["bonded"] = paths[i]->bonded();
 		j["latencyMean"] = paths[i]->latencyMean();
 		j["latencyVariance"] = paths[i]->latencyVariance();
 		j["packetLossRatio"] = paths[i]->packetLossRatio();
 		j["packetErrorRatio"] = paths[i]->packetErrorRatio();
 		j["givenLinkSpeed"] = 1000;
 		j["allocation"] = paths[i]->allocation();
 		*/
 		pa.push_back(j);
 	}
 	pj["links"] = pa;
 }
 static void _moonToJson(nlohmann::json &mj,const World &world)
 {
 	char tmp[4096];
@ -875,6 +848,9 @@ public:
 	virtual ~OneServiceImpl()
 	{
 #ifdef __WINDOWS__ 
 		WinFWHelper::removeICMPRules();
 #endif
 		_binder.closeAll(_phy);
 		_phy.close(_localControlSocket4);
 		_phy.close(_localControlSocket6);
@ -883,6 +859,8 @@ public:
 		curl_global_cleanup();
 #endif
 #ifdef ZT_USE_MINIUPNPC
 		delete _portMapper;
 #endif
@ -927,6 +905,7 @@ public:
 				_node = new Node(this,(void *)0,&cb,OSUtils::now());
 			}
 			// local.conf
 			readLocalSettings();
 			applyLocalConfig();
@ -1429,7 +1408,7 @@ public:
 		/* Note: this is kind of restricted in what it'll take. It does not support
 		 * URL encoding, and /'s in URL args will screw it up. But the only URL args
-		 * it really uses in ?jsonp=funcionName, and otherwise it just takes simple
+		 * it really uses in ?jsonp=functionName, and otherwise it just takes simple
 		 * paths to simply-named resources. */
 		if (!ps.empty()) {
 			std::size_t qpos = ps[ps.size() - 1].find('?');
@ -1498,23 +1477,27 @@ public:
 				if (ps[0] == "bond") {
 					if (_node->bondController()->inUse()) {
 						if (ps.size() == 3) {
 							//fprintf(stderr, "ps[0]=%s\nps[1]=%s\nps[2]=%s\n", ps[0].c_str(), ps[1].c_str(), ps[2].c_str());
 							if (ps[2].length() == 10) {
 								// check if hex string
-								const uint64_t id = Utils::hexStrToU64(ps[2].c_str());
+
-								if (ps[1] == "show") {
+								ZT_PeerList *pl = _node->peers();
-									SharedPtr<Bond> bond = _node->bondController()->getBondByPeerId(id);
+								if (pl) {
-									if (bond) {
+									uint64_t wantp = Utils::hexStrToU64(ps[2].c_str());
-										_bondToJson(res,bond);
+									for(unsigned long i=0;i<pl->peerCount;++i) {
-										scode = 200;
+										if (pl->peers[i].address == wantp) {
-									} else {
+											if (ps[1] == "show") {
-										fprintf(stderr, "unable to find bond to peer %llx\n", (unsigned long long)id);
+												SharedPtr<Bond> bond = _node->bondController()->getBondByPeerId(wantp);
-										scode = 400;
+												if (bond) {
 													_peerToJson(res,&(pl->peers[i]),bond);
 													scode = 200;
 												} else {
 													scode = 400;
 												}
 											}
 										}
 									}
 								}
-								if (ps[1] == "flows") {
+								_node->freeQueryResult((void *)pl);
 									fprintf(stderr, "displaying flows\n");
 								}
 							}
 						}
 					} else {
@ -1550,7 +1533,7 @@ public:
 					settings["primaryPort"] = OSUtils::jsonInt(settings["primaryPort"],(uint64_t)_primaryPort) & 0xffff;
 					settings["secondaryPort"] = OSUtils::jsonInt(settings["secondaryPort"],(uint64_t)_secondaryPort) & 0xffff;
 					settings["tertiaryPort"] = OSUtils::jsonInt(settings["tertiaryPort"],(uint64_t)_tertiaryPort) & 0xffff;
-					// Enumerate all external listening address/port pairs
+					// Enumerate all local address/port pairs that this node is listening on
 					std::vector<InetAddress> boundAddrs(_binder.allBoundLocalInterfaceAddresses());
 					auto boundAddrArray = json::array();
 					for (int i = 0; i < boundAddrs.size(); i++) {
@ -1559,6 +1542,15 @@ public:
 						boundAddrArray.push_back(ipBuf);
 					}
 					settings["listeningOn"] = boundAddrArray;
 					// Enumerate all external address/port pairs that are reported for this node
 					std::vector<InetAddress> surfaceAddrs = _node->SurfaceAddresses();
 					auto surfaceAddrArray = json::array();
 					for (int i = 0; i < surfaceAddrs.size(); i++) {
 						char ipBuf[64] = { 0 };
 						surfaceAddrs[i].toString(ipBuf);
 						surfaceAddrArray.push_back(ipBuf);
 					}
 					settings["surfaceAddresses"] = surfaceAddrArray;
 #ifdef ZT_USE_MINIUPNPC
 					settings["portMappingEnabled"] = OSUtils::jsonBool(settings["portMappingEnabled"],true);
@ -1637,36 +1629,12 @@ public:
 							res = nlohmann::json::array();
 							for(unsigned long i=0;i<pl->peerCount;++i) {
 								nlohmann::json pj;
-								_peerToJson(pj,&(pl->peers[i]));
+								SharedPtr<Bond> bond = SharedPtr<Bond>();
-								res.push_back(pj);
+								if (pl->peers[i].isBonded) {
-							}
+									const uint64_t id = pl->peers[i].address;
-
+									bond = _node->bondController()->getBondByPeerId(id);
 							scode = 200;
 						} else if (ps.size() == 2) {
 							// Return a single peer by ID or 404 if not found
 							uint64_t wantp = Utils::hexStrToU64(ps[1].c_str());
 							for(unsigned long i=0;i<pl->peerCount;++i) {
 								if (pl->peers[i].address == wantp) {
 									_peerToJson(res,&(pl->peers[i]));
 									scode = 200;
 									break;
 								}
-							}
+								_peerToJson(pj,&(pl->peers[i]),bond);
 						} else scode = 404;
 						_node->freeQueryResult((void *)pl);
 					} else scode = 500;
 				} else if (ps[0] == "bonds") {
 					ZT_PeerList *pl = _node->peers();
 					if (pl) {
 						if (ps.size() == 1) {
 							// Return [array] of all peers
 							res = nlohmann::json::array();
 							for(unsigned long i=0;i<pl->peerCount;++i) {
 								nlohmann::json pj;
 								_peerToJson(pj,&(pl->peers[i]));
 								res.push_back(pj);
 							}
@ -1677,7 +1645,11 @@ public:
 							uint64_t wantp = Utils::hexStrToU64(ps[1].c_str());
 							for(unsigned long i=0;i<pl->peerCount;++i) {
 								if (pl->peers[i].address == wantp) {
-									_peerToJson(res,&(pl->peers[i]));
+									SharedPtr<Bond> bond = SharedPtr<Bond>();
 									if (pl->peers[i].isBonded) {
 										bond = _node->bondController()->getBondByPeerId(wantp);
 									}
 									_peerToJson(res,&(pl->peers[i]),bond);
 									scode = 200;
 									break;
 								}
@ -1771,11 +1743,11 @@ public:
 				if (ps[0] == "bond") {
 					if (_node->bondController()->inUse()) {
 						if (ps.size() == 3) {
 							//fprintf(stderr, "ps[0]=%s\nps[1]=%s\nps[2]=%s\n", ps[0].c_str(), ps[1].c_str(), ps[2].c_str());
 							if (ps[2].length() == 10) {
 								// check if hex string
 								const uint64_t id = Utils::hexStrToU64(ps[2].c_str());
 								if (ps[1] == "rotate") {
 									exit(0);
 									SharedPtr<Bond> bond = _node->bondController()->getBondByPeerId(id);
 									if (bond) {
 										scode = bond->abForciblyRotateLink() ? 200 : 400;
@ -1784,9 +1756,6 @@ public:
 										scode = 400;
 									}
 								}
 								if (ps[1] == "enable") {
 									fprintf(stderr, "enabling bond\n");
 								}
 							}
 						}
 					} else {
@ -2041,6 +2010,7 @@ public:
 		json &settings = lc["settings"];
 		if (!_node->bondController()->inUse()) {
 			_node->bondController()->setBinder(&_binder);
 			// defaultBondingPolicy
 			std::string defaultBondingPolicyStr(OSUtils::jsonString(settings["defaultBondingPolicy"],""));
 			int defaultBondingPolicy = _node->bondController()->getPolicyCodeByStr(defaultBondingPolicyStr);
@ -2068,32 +2038,24 @@ public:
 				}
 				// New bond, used as a copy template for new instances
 				SharedPtr<Bond> newTemplateBond = new Bond(NULL, basePolicyStr, customPolicyStr, SharedPtr<Peer>());
 				// Acceptable ranges
 				newTemplateBond->setPolicy(basePolicyCode);
-				newTemplateBond->setMaxAcceptableLatency(OSUtils::jsonInt(customPolicy["maxAcceptableLatency"],-1));
+				// Custom link quality spec
-				newTemplateBond->setMaxAcceptableMeanLatency(OSUtils::jsonInt(customPolicy["maxAcceptableMeanLatency"],-1));
+				json &linkQualitySpec = customPolicy["linkQuality"];
-				newTemplateBond->setMaxAcceptablePacketDelayVariance(OSUtils::jsonInt(customPolicy["maxAcceptablePacketDelayVariance"],-1));
+				if (linkQualitySpec.size() == ZT_QOS_PARAMETER_SIZE) {
-				newTemplateBond->setMaxAcceptablePacketLossRatio((float)OSUtils::jsonDouble(customPolicy["maxAcceptablePacketLossRatio"],-1));
+					float weights[ZT_QOS_PARAMETER_SIZE] = {};
-				newTemplateBond->setMaxAcceptablePacketErrorRatio((float)OSUtils::jsonDouble(customPolicy["maxAcceptablePacketErrorRatio"],-1));
+					weights[ZT_QOS_LAT_MAX_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["lat_max"],0.0);
-				newTemplateBond->setMinAcceptableAllocation((float)OSUtils::jsonDouble(customPolicy["minAcceptableAllocation"],0));
+					weights[ZT_QOS_PDV_MAX_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["pdv_max"],0.0);
-				// Quality weights
+					weights[ZT_QOS_PLR_MAX_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["plr_max"],0.0);
-				json &qualityWeights = customPolicy["qualityWeights"];
+					weights[ZT_QOS_PER_MAX_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["per_max"],0.0);
-				if (qualityWeights.size() == ZT_QOS_WEIGHT_SIZE) { // TODO: Generalize this
+					weights[ZT_QOS_LAT_WEIGHT_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["lat_weight"],0.0);
-					float weights[ZT_QOS_WEIGHT_SIZE];
+					weights[ZT_QOS_PDV_WEIGHT_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["pdv_weight"],0.0);
-					weights[ZT_QOS_LAT_IDX] = (float)OSUtils::jsonDouble(qualityWeights["lat"],0.0);
+					weights[ZT_QOS_PLR_WEIGHT_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["plr_weight"],0.0);
-					weights[ZT_QOS_LTM_IDX] = (float)OSUtils::jsonDouble(qualityWeights["ltm"],0.0);
+					weights[ZT_QOS_PER_WEIGHT_IDX] = (float)OSUtils::jsonDouble(linkQualitySpec["per_weight"],0.0);
-					weights[ZT_QOS_PDV_IDX] = (float)OSUtils::jsonDouble(qualityWeights["pdv"],0.0);
+					newTemplateBond->setUserLinkQualitySpec(weights,ZT_QOS_PARAMETER_SIZE);
 					weights[ZT_QOS_PLR_IDX] = (float)OSUtils::jsonDouble(qualityWeights["plr"],0.0);
 					weights[ZT_QOS_PER_IDX] = (float)OSUtils::jsonDouble(qualityWeights["per"],0.0);
 					weights[ZT_QOS_THR_IDX] = (float)OSUtils::jsonDouble(qualityWeights["thr"],0.0);
 					weights[ZT_QOS_THM_IDX] = (float)OSUtils::jsonDouble(qualityWeights["thm"],0.0);
 					weights[ZT_QOS_THV_IDX] = (float)OSUtils::jsonDouble(qualityWeights["thv"],0.0);
 					newTemplateBond->setUserQualityWeights(weights,ZT_QOS_WEIGHT_SIZE);
 				}
 				// Bond-specific properties
 				newTemplateBond->setUpDelay(OSUtils::jsonInt(customPolicy["upDelay"],-1));
 				newTemplateBond->setDownDelay(OSUtils::jsonInt(customPolicy["downDelay"],-1));
 				newTemplateBond->setFlowRebalanceStrategy(OSUtils::jsonInt(customPolicy["flowRebalanceStrategy"],(uint64_t)0));
 				newTemplateBond->setFailoverInterval(OSUtils::jsonInt(customPolicy["failoverInterval"],ZT_BOND_FAILOVER_DEFAULT_INTERVAL));
 				newTemplateBond->setPacketsPerLink(OSUtils::jsonInt(customPolicy["packetsPerLink"],-1));
@ -2102,16 +2064,8 @@ public:
 				for (json::iterator linkItr = links.begin(); linkItr != links.end();++linkItr) {
 					std::string linkNameStr(linkItr.key());
 					json &link = linkItr.value();
 					bool enabled = OSUtils::jsonInt(link["enabled"],true);
-					uint32_t speed = OSUtils::jsonInt(link["speed"],0);
+					uint32_t capacity = OSUtils::jsonInt(link["capacity"],0);
 					float alloc = (float)OSUtils::jsonDouble(link["alloc"],0);
 					if (speed && alloc) {
 						fprintf(stderr, "error: cannot specify both speed (%d) and alloc (%f) for link (%s), pick one, link disabled.\n",
 							speed, alloc, linkNameStr.c_str());
 						enabled = false;
 					}
 					uint8_t ipvPref = OSUtils::jsonInt(link["ipvPref"],0);
 					std::string failoverToStr(OSUtils::jsonString(link["failoverTo"],""));
 					// Mode
@ -2129,7 +2083,7 @@ public:
 						failoverToStr = "";
 						enabled = false;
 					}
-					_node->bondController()->addCustomLink(customPolicyStr, new Link(linkNameStr,ipvPref,speed,enabled,linkMode,failoverToStr,alloc));
+					_node->bondController()->addCustomLink(customPolicyStr, new Link(linkNameStr,ipvPref,capacity,enabled,linkMode,failoverToStr));
 				}
 				std::string linkSelectMethodStr(OSUtils::jsonString(customPolicy["activeReselect"],"optimize"));
 				if (linkSelectMethodStr == "always") {
@ -2147,12 +2101,6 @@ public:
 				if (newTemplateBond->getLinkSelectMethod() < 0 || newTemplateBond->getLinkSelectMethod() > 3) {
 					fprintf(stderr, "warning: invalid value (%s) for linkSelectMethod, assuming mode: always\n", linkSelectMethodStr.c_str());
 				}
 				/*
 				newBond->setPolicy(_node->bondController()->getPolicyCodeByStr(basePolicyStr));
 				newBond->setFlowHashing((bool)OSUtils::jsonInt(userSpecifiedBondingPolicies[i]["allowFlowHashing"],(bool)allowFlowHashing));
 				newBond->setBondMonitorInterval((unsigned int)OSUtils::jsonInt(userSpecifiedBondingPolicies[i]["monitorInterval"],(uint64_t)0));
 				newBond->setAllowPathNegotiation((bool)OSUtils::jsonInt(userSpecifiedBondingPolicies[i]["allowPathNegotiation"],(bool)false));
 				*/
 				if (!_node->bondController()->addCustomPolicy(newTemplateBond)) {
 					fprintf(stderr, "error: a custom policy of this name (%s) already exists.\n", customPolicyStr.c_str());
 				}
@ -2171,7 +2119,7 @@ public:
 		// bondingPolicy cannot be used with allowTcpFallbackRelay
 		_allowTcpFallbackRelay = OSUtils::jsonBool(settings["allowTcpFallbackRelay"],true);
 #ifdef ZT_TCP_FALLBACK_RELAY
-		_fallbackRelayAddress = InetAddress(OSUtils::jsonString("tcpFallbackRelay", ZT_TCP_FALLBACK_RELAY).c_str());
+		_fallbackRelayAddress = InetAddress(OSUtils::jsonString(settings["tcpFallbackRelay"], ZT_TCP_FALLBACK_RELAY).c_str());
 #endif
 		_primaryPort = (unsigned int)OSUtils::jsonInt(settings["primaryPort"],(uint64_t)_primaryPort) & 0xffff;
 		_allowSecondaryPort = OSUtils::jsonBool(settings["allowSecondaryPort"],true);
@ -2181,6 +2129,7 @@ public:
 			fprintf(stderr,"WARNING: using manually-specified secondary and/or tertiary ports. This can cause NAT issues." ZT_EOL_S);
 		}
 		_portMappingEnabled = OSUtils::jsonBool(settings["portMappingEnabled"],true);
 		_node->setLowBandwidthMode(OSUtils::jsonBool(settings["lowBandwidthMode"],false));
 #ifndef ZT_SDK
 		const std::string up(OSUtils::jsonString(settings["softwareUpdate"],ZT_SOFTWARE_UPDATE_DEFAULT));
@ -2321,6 +2270,10 @@ public:
 				if (std::find(newManagedIps.begin(),newManagedIps.end(),*ip) == newManagedIps.end()) {
 					if (!n.tap()->removeIp(*ip))
 						fprintf(stderr,"ERROR: unable to remove ip address %s" ZT_EOL_S, ip->toString(ipbuf));
 					#ifdef __WINDOWS__
 					WinFWHelper::removeICMPRule(*ip, n.config().nwid);
 					#endif
 				}
 			}
@ -2328,6 +2281,10 @@ public:
 				if (std::find(n.managedIps().begin(),n.managedIps().end(),*ip) == n.managedIps().end()) {
 					if (!n.tap()->addIp(*ip))
 						fprintf(stderr,"ERROR: unable to add ip address %s" ZT_EOL_S, ip->toString(ipbuf));
 					#ifdef __WINDOWS__
 					WinFWHelper::newICMPRule(*ip, n.config().nwid);
 					#endif
 				}
 			}
@ -2808,8 +2765,10 @@ public:
 					n.tap().reset();
 					_nets.erase(nwid);
 #if defined(__WINDOWS__) && !defined(ZT_SDK)
-					if ((op == ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY)&&(winInstanceId.length() > 0))
+					if ((op == ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY) && (winInstanceId.length() > 0)) {
 						WindowsEthernetTap::deletePersistentTapDevice(winInstanceId.c_str());
 						WinFWHelper::removeICMPRules(nwid);
 					}
 #endif
 					if (op == ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_DESTROY) {
 						char nlcpath[256];
--- a/tcp-proxy/Makefile
+++ b/tcp-proxy/Makefile
@ -0,0 +1,7 @@
 CXX=$(shell which clang++ g++ c++ 2>/dev/null | head -n 1)
 all:
 	$(CXX) -O3 -fno-rtti -o tcp-proxy tcp-proxy.cpp
 clean:
 	rm -f *.o tcp-proxy *.dSYM
--- a/tcp-proxy/README.md
+++ b/tcp-proxy/README.md
@ -0,0 +1,35 @@
 TCP Proxy Server
 ======
 This is the TCP proxy server we run for TCP tunneling from peers behind difficult NATs. Regular users won't have much use for this.
 ## How to run your own
 Currently you must build it and distribute it to your server manually. 
 To reduce latency, the tcp-relay should be as close as possible to the nodes it is serving. A datacenter in the same city or the LAN would be ideal.
 ### Build
 `cd tcp-relay`
 `make`
 ### Point your node at it
 The default tcp relay is at `204.80.128.1/443` -an anycast address.
 #### Option 1 - local.conf configuration
 See [Service docs](https://github.com/zerotier/ZeroTierOne/blob/e0acccc3c918b59678033e585b31eb000c68fdf2/service/README.md) for more info on local.conf
 `{ "settings": { "tcpFallbackRelay": "198.51.100.123/443"  } }`
 #### Option 2 - redirect 204.80.128.1 to your own IP
 If you are the admin of the network that is blocking ZeroTier UDP, you can transparently redirect 204.80.128.1 to one of your IP addresses. Users won't need to edit their local client configuration.
 Configuring this in your Enterprise Firewall is left as an exercise to the reader.
 Here is an iptables example for illustrative purposes:
 ``` shell
 -A PREROUTING -p tcp -d 204.80.128.1 --dport 443 -j DNAT --to-destination 198.51.100.123
 -A POSTROUTING -p tcp -d 198.51.100.123 --dport 443 -j SNAT --to-source 204.80.128.1
 ```
--- a/tcp-proxy/tcp-proxy.cpp
+++ b/tcp-proxy/tcp-proxy.cpp
@ -0,0 +1,317 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2016  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 // HACK! Will eventually use epoll() or something in Phy<> instead of select().
 // Also be sure to change ulimit -n and fs.file-max in /etc/sysctl.conf on relays.
 #if defined(__linux__) || defined(__LINUX__) || defined(__LINUX) || defined(LINUX)
 #include <linux/posix_types.h>
 #include <bits/types.h>
 #undef __FD_SETSIZE
 #define __FD_SETSIZE 1048576
 #undef FD_SETSIZE
 #define FD_SETSIZE 1048576
 #endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
 #include <stdint.h>
 #include <unistd.h>
 #include <signal.h>
 #include <map>
 #include <set>
 #include <string>
 #include <algorithm>
 #include <vector>
 #include "../osdep/Phy.hpp"
 #define ZT_TCP_PROXY_CONNECTION_TIMEOUT_SECONDS 300
 #define ZT_TCP_PROXY_TCP_PORT 443
 using namespace ZeroTier;
 /*
 * ZeroTier TCP Proxy Server
 *
 * This implements a simple packet encapsulation that is designed to look like
 * a TLS connection. It's not a TLS connection, but it sends TLS format record
 * headers. It could be extended in the future to implement a fake TLS
 * handshake.
 *
 * At the moment, each packet is just made to look like TLS application data:
 *   <[1] TLS content type> - currently 0x17 for "application data"
 *   <[1] TLS major version> - currently 0x03 for TLS 1.2
 *   <[1] TLS minor version> - currently 0x03 for TLS 1.2
 *   <[2] payload length> - 16-bit length of payload in bytes
 *   <[...] payload> - Message payload
 *
 * TCP is inherently inefficient for encapsulating Ethernet, since TCP and TCP
 * like protocols over TCP lead to double-ACKs. So this transport is only used
 * to enable access when UDP or other datagram protocols are not available.
 *
 * Clients send a greeting, which is a four-byte message that contains:
 *   <[1] ZeroTier major version>
 *   <[1] minor version>
 *   <[2] revision>
 *
 * If a client has sent a greeting, it uses the new version of this protocol
 * in which every encapsulated ZT packet is prepended by an IP address where
 * it should be forwarded (or where it came from for replies). This causes
 * this proxy to act as a remote UDP socket similar to a socks proxy, which
 * will allow us to move this function off the rootservers and onto dedicated
 * proxy nodes.
 *
 * Older ZT clients that do not send this message get their packets relayed
 * to/from 127.0.0.1:9993, which will allow them to talk to and relay via
 * the ZT node on the same machine as the proxy. We'll only support this for
 * as long as such nodes appear to be in the wild.
 */
 struct TcpProxyService;
 struct TcpProxyService
 {
 	Phy<TcpProxyService *> *phy;
 	int udpPortCounter;
 	struct Client
 	{
 		char tcpReadBuf[131072];
 		char tcpWriteBuf[131072];
 		unsigned long tcpWritePtr;
 		unsigned long tcpReadPtr;
 		PhySocket *tcp;
 		PhySocket *udp;
 		time_t lastActivity;
 		bool newVersion;
 	};
 	std::map< PhySocket *,Client > clients;
 	PhySocket *getUnusedUdp(void *uptr)
 	{
 		for(int i=0;i<65535;++i) {
 			++udpPortCounter;
 			if (udpPortCounter > 0xfffe)
 				udpPortCounter = 1024;
 			struct sockaddr_in laddr;
 			memset(&laddr,0,sizeof(struct sockaddr_in));
 			laddr.sin_family = AF_INET;
 			laddr.sin_port = htons((uint16_t)udpPortCounter);
 			PhySocket *udp = phy->udpBind(reinterpret_cast<struct sockaddr *>(&laddr),uptr);
 			if (udp)
 				return udp;
 		}
 		return (PhySocket *)0;
 	}
 	void phyOnDatagram(PhySocket *sock,void **uptr,const struct sockaddr *localAddr,const struct sockaddr *from,void *data,unsigned long len)
 	{
 		if (!*uptr)
 			return;
 		if ((from->sa_family == AF_INET)&&(len >= 16)&&(len < 2048)) {
 			Client &c = *((Client *)*uptr);
 			c.lastActivity = time((time_t *)0);
 			unsigned long mlen = len;
 			if (c.newVersion)
 				mlen += 7; // new clients get IP info
 			if ((c.tcpWritePtr + 5 + mlen) <= sizeof(c.tcpWriteBuf)) {
 				if (!c.tcpWritePtr)
 					phy->setNotifyWritable(c.tcp,true);
 				c.tcpWriteBuf[c.tcpWritePtr++] = 0x17; // look like TLS data
 				c.tcpWriteBuf[c.tcpWritePtr++] = 0x03; // look like TLS 1.2
 				c.tcpWriteBuf[c.tcpWritePtr++] = 0x03; // look like TLS 1.2
 				c.tcpWriteBuf[c.tcpWritePtr++] = (char)((mlen >> 8) & 0xff);
 				c.tcpWriteBuf[c.tcpWritePtr++] = (char)(mlen & 0xff);
 				if (c.newVersion) {
 					c.tcpWriteBuf[c.tcpWritePtr++] = (char)4; // IPv4
 					*((uint32_t *)(c.tcpWriteBuf + c.tcpWritePtr)) = ((const struct sockaddr_in *)from)->sin_addr.s_addr;
 					c.tcpWritePtr += 4;
 					*((uint16_t *)(c.tcpWriteBuf + c.tcpWritePtr)) = ((const struct sockaddr_in *)from)->sin_port;
 					c.tcpWritePtr += 2;
 				}
 				for(unsigned long i=0;i<len;++i)
 					c.tcpWriteBuf[c.tcpWritePtr++] = ((const char *)data)[i];
 			}
 			printf("<< UDP %s:%d -> %.16llx\n",inet_ntoa(reinterpret_cast<const struct sockaddr_in *>(from)->sin_addr),(int)ntohs(reinterpret_cast<const struct sockaddr_in *>(from)->sin_port),(unsigned long long)&c);
 		}
 	}
 	void phyOnTcpConnect(PhySocket *sock,void **uptr,bool success)
 	{
 		// unused, we don't initiate outbound connections
 	}
 	void phyOnTcpAccept(PhySocket *sockL,PhySocket *sockN,void **uptrL,void **uptrN,const struct sockaddr *from)
 	{
 		Client &c = clients[sockN];
 		PhySocket *udp = getUnusedUdp((void *)&c);
 		if (!udp) {
 			phy->close(sockN);
 			clients.erase(sockN);
 			printf("** TCP rejected, no more UDP ports to assign\n");
 			return;
 		}
 		c.tcpWritePtr = 0;
 		c.tcpReadPtr = 0;
 		c.tcp = sockN;
 		c.udp = udp;
 		c.lastActivity = time((time_t *)0);
 		c.newVersion = false;
 		*uptrN = (void *)&c;
 		printf("<< TCP from %s -> %.16llx\n",inet_ntoa(reinterpret_cast<const struct sockaddr_in *>(from)->sin_addr),(unsigned long long)&c);
 	}
 	void phyOnTcpClose(PhySocket *sock,void **uptr)
 	{
 		if (!*uptr)
 			return;
 		Client &c = *((Client *)*uptr);
 		phy->close(c.udp);
 		clients.erase(sock);
 		printf("** TCP %.16llx closed\n",(unsigned long long)*uptr);
 	}
 	void phyOnTcpData(PhySocket *sock,void **uptr,void *data,unsigned long len)
 	{
 		Client &c = *((Client *)*uptr);
 		c.lastActivity = time((time_t *)0);
 		for(unsigned long i=0;i<len;++i) {
 			if (c.tcpReadPtr >= sizeof(c.tcpReadBuf)) {
 				phy->close(sock);
 				return;
 			}
 			c.tcpReadBuf[c.tcpReadPtr++] = ((const char *)data)[i];
 			if (c.tcpReadPtr >= 5) {
 				unsigned long mlen = ( ((((unsigned long)c.tcpReadBuf[3]) & 0xff) << 8) | (((unsigned long)c.tcpReadBuf[4]) & 0xff) );
 				if (c.tcpReadPtr >= (mlen + 5)) {
 					if (mlen == 4) {
 						// Right now just sending this means the client is 'new enough' for the IP header
 						c.newVersion = true;
 						printf("<< TCP %.16llx HELLO\n",(unsigned long long)*uptr);
 					} else if (mlen >= 7) {
 						char *payload = c.tcpReadBuf + 5;
 						unsigned long payloadLen = mlen;
 						struct sockaddr_in dest;
 						memset(&dest,0,sizeof(dest));
 						if (c.newVersion) {
 							if (*payload == (char)4) {
 								// New clients tell us where their packets go.
 								++payload;
 								dest.sin_family = AF_INET;
 								dest.sin_addr.s_addr = *((uint32_t *)payload);
 								payload += 4;
 								dest.sin_port = *((uint16_t *)payload); // will be in network byte order already
 								payload += 2;
 								payloadLen -= 7;
 							}
 						} else {
 							// For old clients we will just proxy everything to a local ZT instance. The
 							// fact that this will come from 127.0.0.1 will in turn prevent that instance
 							// from doing unite() with us. It'll just forward. There will not be many of
 							// these.
 							dest.sin_family = AF_INET;
 							dest.sin_addr.s_addr = htonl(0x7f000001); // 127.0.0.1
 							dest.sin_port = htons(9993);
 						}
 						// Note: we do not relay to privileged ports... just an abuse prevention rule.
 						if ((ntohs(dest.sin_port) > 1024)&&(payloadLen >= 16)) {
 							phy->udpSend(c.udp,(const struct sockaddr *)&dest,payload,payloadLen);
 							printf(">> TCP %.16llx to %s:%d\n",(unsigned long long)*uptr,inet_ntoa(dest.sin_addr),(int)ntohs(dest.sin_port));
 						}
 					}
 					memmove(c.tcpReadBuf,c.tcpReadBuf + (mlen + 5),c.tcpReadPtr -= (mlen + 5));
 				}
 			}
 		}
 	}
 	void phyOnTcpWritable(PhySocket *sock,void **uptr)
 	{
 		Client &c = *((Client *)*uptr);
 		if (c.tcpWritePtr) {
 			long n = phy->streamSend(sock,c.tcpWriteBuf,c.tcpWritePtr);
 			if (n > 0) {
 				memmove(c.tcpWriteBuf,c.tcpWriteBuf + n,c.tcpWritePtr -= (unsigned long)n);
 				if (!c.tcpWritePtr)
 					phy->setNotifyWritable(sock,false);
 			}
 		} else phy->setNotifyWritable(sock,false);
 	}
 	void doHousekeeping()
 	{
 		std::vector<PhySocket *> toClose;
 		time_t now = time((time_t *)0);
 		for(std::map< PhySocket *,Client >::iterator c(clients.begin());c!=clients.end();++c) {
 			if ((now - c->second.lastActivity) >= ZT_TCP_PROXY_CONNECTION_TIMEOUT_SECONDS) {
 				toClose.push_back(c->first);
 				toClose.push_back(c->second.udp);
 			}
 		}
 		for(std::vector<PhySocket *>::iterator s(toClose.begin());s!=toClose.end();++s)
 			phy->close(*s);
 	}
 };
 int main(int argc,char **argv)
 {
 	signal(SIGPIPE,SIG_IGN);
 	signal(SIGHUP,SIG_IGN);
 	srand(time((time_t *)0));
 	TcpProxyService svc;
 	Phy<TcpProxyService *> phy(&svc,false,true);
 	svc.phy = &phy;
 	svc.udpPortCounter = 1023;
 	{
 		struct sockaddr_in laddr;
 		memset(&laddr,0,sizeof(laddr));
 		laddr.sin_family = AF_INET;
 		laddr.sin_port = htons(ZT_TCP_PROXY_TCP_PORT);
 		if (!phy.tcpListen((const struct sockaddr *)&laddr)) {
 			fprintf(stderr,"%s: fatal error: unable to bind TCP port %d\n",argv[0],ZT_TCP_PROXY_TCP_PORT);
 			return 1;
 		}
 	}
 	time_t lastDidHousekeeping = time((time_t *)0);
 	for(;;) {
 		phy.poll(120000);
 		time_t now = time((time_t *)0);
 		if ((now - lastDidHousekeeping) > 120) {
 			lastDidHousekeeping = now;
 			svc.doHousekeeping();
 		}
 	}
 	return 0;
 }
--- a/version.h
+++ b/version.h
@ -27,7 +27,7 @@
 /**
 * Revision
 */
-#define ZEROTIER_ONE_VERSION_REVISION 1
+#define ZEROTIER_ONE_VERSION_REVISION 2
 /**
 * Build version
--- a/windows/ZeroTierOne/ServiceInstaller.cpp
+++ b/windows/ZeroTierOne/ServiceInstaller.cpp
@ -49,28 +49,34 @@ std::string InstallService(PSTR pszServiceName,
                    PSTR pszAccount, 
                    PSTR pszPassword)
 {
-	std::string ret;
+    std::string ret;
-    char szPathTmp[MAX_PATH],szPath[MAX_PATH];
+    std::string path(0x7FFF, '\0');
    SC_HANDLE schSCManager = NULL;
    SC_HANDLE schService = NULL;
    SERVICE_DESCRIPTION sd;
    LPTSTR szDesc = TEXT("ZeroTier network virtualization service.");
-    if (GetModuleFileName(NULL, szPathTmp, ARRAYSIZE(szPath)) == 0)
+    DWORD dwCharacters = GetModuleFileName(NULL, path.data(), path.size());
    if (dwCharacters == 0)
    {
-		ret = "GetModuleFileName failed, unable to get path to self";
+        ret = "GetModuleFileName failed, unable to get path to self";
        goto Cleanup;
    }
-	// Quote path in case it contains spaces
+    // Trim excess nulls which the returned size does not include
-	_snprintf_s(szPath,sizeof(szPath),"\"%s\"",szPathTmp);
+    path.resize(dwCharacters);
    // Quote path in case it contains spaces
    path = '"' + path + '"';
    // Open the local default service control manager database
    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | 
        SC_MANAGER_CREATE_SERVICE);
    if (schSCManager == NULL)
    {
-		ret = "OpenSCManager failed";
+        ret = "OpenSCManager failed";
        goto Cleanup;
    }
@ -83,7 +89,7 @@ std::string InstallService(PSTR pszServiceName,
        SERVICE_WIN32_OWN_PROCESS,      // Service type
        dwStartType,                    // Service start type
        SERVICE_ERROR_NORMAL,           // Error control type
-        szPath,                         // Service's binary
+        path.c_str(),                   // Service's binary
        NULL,                           // No load ordering group
        NULL,                           // No tag identifier
        pszDependencies,                // Dependencies
@ -92,7 +98,7 @@ std::string InstallService(PSTR pszServiceName,
        );
    if (schService == NULL)
    {
-		ret = "CreateService failed";
+        ret = "CreateService failed";
        goto Cleanup;
    }
@ -112,7 +118,7 @@ Cleanup:
        schService = NULL;
    }
-	return ret;
+    return ret;
 }
--- a/windows/ZeroTierOne/ZeroTierOne.vcxproj
+++ b/windows/ZeroTierOne/ZeroTierOne.vcxproj
@ -124,6 +124,7 @@
    <ClCompile Include="..\..\osdep\PortMapper.cpp" />
    <ClCompile Include="..\..\osdep\WinDNSHelper.cpp" />
    <ClCompile Include="..\..\osdep\WindowsEthernetTap.cpp" />
    <ClCompile Include="..\..\osdep\WinFWHelper.cpp" />
    <ClCompile Include="..\..\selftest.cpp">
      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
@ -241,6 +242,7 @@
    <ClInclude Include="..\..\osdep\Thread.hpp" />
    <ClInclude Include="..\..\osdep\WinDNSHelper.hpp" />
    <ClInclude Include="..\..\osdep\WindowsEthernetTap.hpp" />
    <ClInclude Include="..\..\osdep\WinFWHelper.hpp" />
    <ClInclude Include="..\..\service\OneService.hpp" />
    <ClInclude Include="..\..\service\SoftwareUpdater.hpp" />
    <ClInclude Include="..\..\version.h" />
@ -302,7 +304,7 @@
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>MultiByte</CharacterSet>
-    <UseOfMfc>false</UseOfMfc>
+    <UseOfMfc>Static</UseOfMfc>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
@ -310,7 +312,7 @@
    <PlatformToolset>v143</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>MultiByte</CharacterSet>
-    <UseOfMfc>false</UseOfMfc>
+    <UseOfMfc>Static</UseOfMfc>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
@ -547,7 +549,7 @@
      <SDLCheck>true</SDLCheck>
      <AdditionalIncludeDirectories>$(SolutionDir)\..\ext;$(SolutionDir)\..\zeroidc\target;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>ZT_SSO_ENABLED=1;ZT_EXPORT;FD_SETSIZE=1024;STATICLIB;ZT_SALSA20_SSE;ZT_USE_MINIUPNPC;MINIUPNP_STATICLIB;WIN32;NOMINMAX;ZT_SOFTWARE_UPDATE_DEFAULT="apply";ZT_BUILD_PLATFORM=2;ZT_BUILD_ARCHITECTURE=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
      <StringPooling>true</StringPooling>
      <InlineFunctionExpansion>AnySuitable</InlineFunctionExpansion>
      <FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
@ -583,7 +585,7 @@
      <SDLCheck>true</SDLCheck>
      <AdditionalIncludeDirectories>$(SolutionDir)\..\ext;$(SolutionDir)\..\zeroidc\target;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>ZT_SSO_ENABLED=1;ZT_EXPORT;FD_SETSIZE=1024;STATICLIB;ZT_SOFTWARE_UPDATE_DEFAULT="apply";ZT_SALSA20_SSE;ZT_USE_MINIUPNPC;MINIUPNP_STATICLIB;WIN32;NOMINMAX;ZT_BUILD_PLATFORM=2;ZT_BUILD_ARCHITECTURE=2;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
      <EnableEnhancedInstructionSet>NotSet</EnableEnhancedInstructionSet>
      <StringPooling>true</StringPooling>
      <InlineFunctionExpansion>AnySuitable</InlineFunctionExpansion>
--- a/windows/ZeroTierOne/ZeroTierOne.vcxproj.filters
+++ b/windows/ZeroTierOne/ZeroTierOne.vcxproj.filters
@ -288,6 +288,9 @@
    <ClCompile Include="..\..\node\AES_armcrypto.cpp">
      <Filter>Source Files\node</Filter>
    </ClCompile>
    <ClCompile Include="..\..\osdep\WinFWHelper.cpp">
      <Filter>Source Files\osdep</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="resource.h">
@ -551,6 +554,9 @@
    <ClInclude Include="..\..\osdep\WinDNSHelper.hpp">
      <Filter>Header Files\osdep</Filter>
    </ClInclude>
    <ClInclude Include="..\..\osdep\WinFWHelper.hpp">
      <Filter>Header Files\osdep</Filter>
    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="ZeroTierOne.rc">
--- a/zeroidc/.cargo/config.toml
+++ b/zeroidc/.cargo/config.toml
@ -10,8 +10,8 @@ rustflags=["-C", "link-arg=-mmacosx-version-min=10.13"]
 [target.aarch64-apple-darwin]
 rustflags=["-C", "link-arg=-mmacosx-version-min=10.13"]
-#[target.x86_64-pc-windows-msvc]
+[target.x86_64-pc-windows-msvc]
-#rustflags = ["-C", "target-feature=+crt-static"]
+rustflags = ["-C", "target-feature=+crt-static"]
-#[target.i686-pc-windows-msvc]
+[target.i686-pc-windows-msvc]
-#rustflags = ["-C", "target-feature=+crt-static"]
+rustflags = ["-C", "target-feature=+crt-static"]
--- a/zeroidc/src/lib.rs
+++ b/zeroidc/src/lib.rs
@ -354,15 +354,21 @@ impl ZeroIDC {
                                            }
                                            None => {
                                                println!("no id token?!?");
                                                (*inner_local.lock().unwrap()).exp_time = 0;
                                                (*inner_local.lock().unwrap()).running = false;
                                            }
                                        }
                                    }
                                    Err(e) => {
                                        println!("token error: {}", e);
                                        (*inner_local.lock().unwrap()).exp_time = 0;
                                        (*inner_local.lock().unwrap()).running = false;
                                    }
                                }
                            } else {
                                println!("token response??");
                                (*inner_local.lock().unwrap()).exp_time = 0;
                                (*inner_local.lock().unwrap()).running = false;
                            }
                        } else {
                            #[cfg(debug_assertions)]
@ -370,6 +376,8 @@ impl ZeroIDC {
                        }
                    } else {
                        println!("no refresh token?");
                        (*inner_local.lock().unwrap()).exp_time = 0;
                        (*inner_local.lock().unwrap()).running = false;
                    }
                    sleep(Duration::from_secs(1));
@ -377,6 +385,7 @@ impl ZeroIDC {
                        running = (*inner_local.lock().unwrap()).running;
                    }
                }
                // end run loop
                println!("thread done!");
                (*inner_local.lock().unwrap()).running = false;
@ -489,7 +498,8 @@ impl ZeroIDC {
                            let n = match i.nonce.clone() {
                                Some(n) => n,
                                None => {
-                                    println!("no noce");
+                                    println!("no nonce");
                                    i.running = false;
                                    return None;
                                }
                            };
@ -498,6 +508,7 @@ impl ZeroIDC {
                                Some(t) => t,
                                None => {
                                    println!("no id token");
                                    i.running = false;
                                    return None;
                                }
                            };
@ -506,6 +517,7 @@ impl ZeroIDC {
                                Ok(c) => c,
                                Err(_e) => {
                                    println!("no claims");
                                    i.running = false;
                                    return None;
                                }
                            };
@ -514,6 +526,7 @@ impl ZeroIDC {
                                Ok(s) => s,
                                Err(_) => {
                                    println!("no signing algorithm");
                                    i.running = false;
                                    return None;
                                }
                            };
@ -526,12 +539,14 @@ impl ZeroIDC {
                                    Ok(h) => h,
                                    Err(e) => {
                                        println!("Error hashing access token: {}", e);
                                        i.running = false;
                                        return None;
                                    }
                                };
                                if actual_hash != *expected_hash {
                                    println!("token hash error");
                                    i.running = false;
                                    return None;
                                }
                            }
@ -540,7 +555,7 @@ impl ZeroIDC {
                        Err(e) => {
                            println!("token response error: {:?}", e.to_string());
                            println!("\t {:?}", e.source());
-
+                            i.running = false;
                            None
                        }
                    }
@ -625,10 +640,12 @@ impl ZeroIDC {
                                    Ok(bytes)
                                } else if res.status() == 402 {
-                                        Err(SSOExchangeError::new(
+                                    i.running = false;
-                                            "additional license seats required. Please contact your network administrator.".to_string(),
+                                    Err(SSOExchangeError::new(
-                                        ))
+                                        "additional license seats required. Please contact your network administrator.".to_string(),
                                    ))
                                } else {
                                    i.running = false;
                                    Err(SSOExchangeError::new(
                                        "error from central endpoint".to_string(),
                                    ))
@ -640,20 +657,24 @@ impl ZeroIDC {
                                println!("Status: {}", res.status().unwrap());
                                println!("Post error: {}", res);
                                i.exp_time = 0;
                                i.running = false;
                                Err(SSOExchangeError::new(
                                    "error from central endpoint".to_string(),
                                ))
                            }
                        }
                    } else {
                        i.running = false;
                        Err(SSOExchangeError::new(
                            "error splitting state token".to_string(),
                        ))
                    }
                } else {
                    i.running = false;
                    Err(SSOExchangeError::new("invalid token response".to_string()))
                }
            } else {
                i.running = false;
                Err(SSOExchangeError::new("invalid pkce verifier".to_string()))
            }
        });
--- a/zerotier-one.spec
+++ b/zerotier-one.spec
@ -1,5 +1,5 @@
 Name:           zerotier-one
-Version:        1.10.1
+Version:        1.10.2
 Release:        1%{?dist}
 Summary:        ZeroTier network virtualization service
@ -59,6 +59,12 @@ Requires:       systemd openssl
 Requires(pre): /usr/sbin/useradd, /usr/bin/getent
 %endif
 %if "%{?dist}" == ".amzn2022"
 BuildRequires:  systemd openssl-devel
 Requires:       systemd openssl
 Requires(pre): /usr/sbin/useradd, /usr/bin/getent
 %endif
 %description
 ZeroTier is a software defined networking layer for Earth.
@ -131,6 +137,9 @@ chmod 0755 $RPM_BUILD_ROOT/etc/init.d/zerotier-one
 %endif
 %changelog
 * Mon Oct 13 2022 Adam Ierymenko <adam.ierymenko@zerotier.com> - 1.10.2
 - see https://github.com/zerotier/ZeroTierOne for release notes
 * Mon Jun 27 2022 Adam Ierymenko <adam.ierymenko@zerotier.com> - 1.10.1
 - see https://github.com/zerotier/ZeroTierOne for release notes
		`@ -1,2 +0,0 @@`
			`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8hgysbj2Luu3aN/Ya2wr4Y9LpUGqWWfn3k+UhIwOIE/Kd7/YpLjxHpseUA1hLnj9kHFShH8eiqoY0S6EDIYrTUwbXMMu8454lX/LcJOCJ9RlSeMMf7vpkxcI7cVRgOA430a3FR7M0Q8vKlyJzxxAEjMIxMyuVyinknfanNt+sQFiDUvOXoacqgZAHBWMlO7wOPyHWHNOzy7g8N0dHiJveKZqX/UUwuqJuS6UBq7MBMSU6TcMvJwHr+AbNvfyIUWCqlTByqFL9cmviRbIvQanxoRxi/5fVUGhtVBXUYvbCdFxDw5W2Svo9fDMm4Z5xWAD7rY1J3AM15RVyRTTtYvgD`