From 7aff58efe6e12ed26df03ae8fe2daa08b7acd21d Mon Sep 17 00:00:00 2001
From: Augusto Bott <augusto@bott.com.br>
Date: Mon, 5 Sep 2011 05:41:55 -0300
Subject: [PATCH] Static ARP binding

 * Added "static ARP" flag on nvram variable dhcpd_static (www/basic-static.asp)
 * New option "Ignore DHCP requests from unknown devices" (www/advanced-dhcpdns.asp)
 * Updated nvram/defaults.c, httpd/tomato.c and www/tools-wol.asp to handle changes (new format, max length, defaults, etc...)
 * Implementation quite similar to static ARP binding on Teaman-BWM
---
 release/src/router/httpd/tomato.c           |   3 +-
 release/src/router/nvram/defaults.c         |   2 +
 release/src/router/rc/Makefile              |   1 +
 release/src/router/rc/arpbind.c             |  46 ++++++++
 release/src/router/rc/init.c                |   1 +
 release/src/router/rc/rc.h                  |   4 +
 release/src/router/rc/services.c            |  29 ++++-
 release/src/router/www/advanced-dhcpdns.asp |  64 +++++++++--
 release/src/router/www/basic-static.asp     | 164 +++++++++++++++++-----------
 release/src/router/www/bwm-common.js        |   2 +-
 release/src/router/www/tomato.js            |   2 +-
 release/src/router/www/tools-wol.asp        |   2 +-
 12 files changed, 243 insertions(+), 77 deletions(-)
 create mode 100644 release/src/router/rc/arpbind.c

diff --git a/release/src/router/httpd/tomato.c b/release/src/router/httpd/tomato.c
index 0636bd857c..c40a1bca53 100644
--- a/release/src/router/httpd/tomato.c
+++ b/release/src/router/httpd/tomato.c
@@ -511,7 +511,7 @@ static const nvset_t nvset_list[] = {
 	{ "ntp_kiss",			V_LENGTH(0, 255)	},
 
 // basic-static
-	{ "dhcpd_static",		V_LENGTH(0, 106*101)},	// 106 (max chars per entry) x 100 entries
+	{ "dhcpd_static",		V_LENGTH(0, 105*141)},	// 105 (max chars per entry) x 140 entries
 
 // basic-ddns
 	{ "ddnsx0",				V_LENGTH(0, 2048)	},
@@ -685,6 +685,7 @@ static const nvset_t nvset_list[] = {
 	{ "dhcpc_custom",		V_LENGTH(0, 80)			},
 	{ "dns_norebind",		V_01				},
 	{ "dnsmasq_custom",		V_TEXT(0, 2048)		},
+	{ "dhcpd_static_only",	V_01				},
 //	{ "dnsmasq_norw",		V_01				},
 
 // advanced-firewall
diff --git a/release/src/router/nvram/defaults.c b/release/src/router/nvram/defaults.c
index 6487aa0c94..42221f1163 100644
--- a/release/src/router/nvram/defaults.c
+++ b/release/src/router/nvram/defaults.c
@@ -411,6 +411,7 @@ const defaults_t defaults[] = {
 	{ "dhcpc_custom",		""				},
 	{ "dns_norebind",		"1"				},
 	{ "dnsmasq_custom",		""				},
+	{ "dhcpd_static_only",	"0"				},
 //	{ "dnsmasq_norw",		"0"				},
 
 // advanced-firewall
@@ -569,6 +570,7 @@ const defaults_t defaults[] = {
 	{ "cstats_data",		""				},
 	{ "cstats_colors",		""				},
 	{ "cstats_exclude",		""				},
+	{ "cstats_include",		"192.168.1.0"	},
 	{ "cstats_sshut",		"1"				},
 	{ "cstats_bak",			"0"				},
 
diff --git a/release/src/router/rc/Makefile b/release/src/router/rc/Makefile
index 01f36e4815..0d7fb6288e 100644
--- a/release/src/router/rc/Makefile
+++ b/release/src/router/rc/Makefile
@@ -15,6 +15,7 @@ OBJS += firewall.o ppp.o telssh.o wnas.o
 OBJS += listen.o redial.o led.o qos.o forward.o misc.o mtd.o
 OBJS += buttons.o restrict.o gpio.o sched.o
 OBJS += account.o
+OBJS += arpbind.o
 #	heartbeat.o
 
 ifeq ($(TCONFIG_USB),y)
diff --git a/release/src/router/rc/arpbind.c b/release/src/router/rc/arpbind.c
new file mode 100644
index 0000000000..4400de8444
--- /dev/null
+++ b/release/src/router/rc/arpbind.c
@@ -0,0 +1,46 @@
+#include "rc.h"
+
+void start_arpbind(void) {
+
+	char *nvp, *nv, *b;
+	const char *ipaddr, *macaddr;
+	const char *name, *bind;
+
+	nvp = nv = strdup(nvram_safe_get("dhcpd_static"));
+	if (!nv) return;
+
+// clear arp table first
+	stop_arpbind();
+
+	while ((b = strsep(&nvp, ">")) != NULL) {
+		/*
+			macaddr<ip.ad.dr.ess<hostname<arpbind>anotherhwaddr<other.ip.addr.ess<othername<arpbind
+		*/
+
+		if ((vstrsep(b, "<", &macaddr, &ipaddr, &name, &bind)) != 4)
+			continue;
+		if (strchr(macaddr,',') != NULL)
+			continue;
+		if (strcmp(bind,"1") == 0)
+			eval ("arp", "-s", (char *)ipaddr, (char *)macaddr);
+	}
+	free(nv);
+}
+
+void stop_arpbind(void) {
+
+	FILE *f;
+	char buf[512];
+	char ipaddr[48] = "";
+
+	if ((f = fopen("/proc/net/arp", "r")) != NULL) {
+//		fgets(buf, sizeof(buf), f);	// header
+		while (fgets(buf, sizeof(buf), f)) {
+			if (sscanf(buf, "%s %*s %*s %*s %*s %*s", ipaddr) != 1) continue;
+			eval ("arp", "-d", (char *)ipaddr);
+		}
+		fclose(f);
+	}
+
+}
+
diff --git a/release/src/router/rc/init.c b/release/src/router/rc/init.c
index 2920e19d3a..595071d6c7 100644
--- a/release/src/router/rc/init.c
+++ b/release/src/router/rc/init.c
@@ -1438,6 +1438,7 @@ int init_main(int argc, char *argv[])
 			create_passwd();
 			start_vlan();
 			start_lan();
+			start_arpbind();
 			start_wan(BOOT);
 			start_services();
 			start_wl();
diff --git a/release/src/router/rc/rc.h b/release/src/router/rc/rc.h
index 8ca5e84ca7..d28c142151 100644
--- a/release/src/router/rc/rc.h
+++ b/release/src/router/rc/rc.h
@@ -279,6 +279,10 @@ extern void ipt_triggered(ipt_table_t table);
 extern void start_account(void);
 extern void stop_account(void);
 
+// arpbind.c
+extern void start_arpbind(void);
+extern void stop_arpbind(void);
+
 #ifdef TCONFIG_IPV6
 extern void ip6t_forward(void);
 #endif
diff --git a/release/src/router/rc/services.c b/release/src/router/rc/services.c
index 81e96c0d55..3b49c8c39a 100644
--- a/release/src/router/rc/services.c
+++ b/release/src/router/rc/services.c
@@ -147,6 +147,10 @@ void start_dnsmasq()
 		}
 	}
 
+	if (nvram_get_int("dhcpd_static_only")) {
+		fprintf(f, "dhcp-ignore=tag:!known\n");
+	}
+
 	// dhcp
 	do_dhcpd_hosts=0;
 	char lanN_proto[] = "lanXX_proto";
@@ -272,13 +276,20 @@ void start_dnsmasq()
 			fprintf(hf, "%s %s-wan\n", p, nv);
 	}
 
-	// 00:aa:bb:cc:dd:ee<123<xxxxxxxxxxxxxxxxxxxxxxxxxx.xyz> = 53 w/ delim
+	// PREVIOUS/OLD FORMAT:
+	// 00:aa:bb:cc:dd:ee<123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz> = 73 w/ delim
 	// 00:aa:bb:cc:dd:ee<123.123.123.123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz> = 85 w/ delim
-	// 00:aa:bb:cc:dd:ee,00:aa:bb:cc:dd:ee<123.123.123.123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz> = 106 w/ delim
+	// 00:aa:bb:cc:dd:ee,00:aa:bb:cc:dd:ee<123.123.123.123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz> = 103 w/ delim
+
+	// NEW FORMAT (+static ARP binding flag after hostname):
+	// 00:aa:bb:cc:dd:ee<123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz<a> = 75 w/ delim
+	// 00:aa:bb:cc:dd:ee<123.123.123.123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz<a> = 87 w/ delim
+	// 00:aa:bb:cc:dd:ee,00:aa:bb:cc:dd:ee<123.123.123.123<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xyz<a> = 105 w/ delim
+
 	p = nvram_safe_get("dhcpd_static");
 	while ((e = strchr(p, '>')) != NULL) {
 		n = (e - p);
-		if (n > 105) {
+		if (n > 104) {
 			p = e + 1;
 			continue;
 		}
@@ -306,6 +317,10 @@ void start_dnsmasq()
 
 		name = e + 1;
 
+		if ((e = strchr(name, '<')) != NULL) {
+			*e = 0;
+		}
+
 		if ((hf) && (*name != 0)) {
 			fprintf(hf, "%s %s\n", ip, name);
 		}
@@ -1970,6 +1985,12 @@ TOP:
 		goto CLEAR;
 	}
 
+	if (strcmp(service, "arpbind") == 0) {
+		if (action & A_STOP) stop_arpbind();
+		if (action & A_START) start_arpbind();
+		goto CLEAR;
+	}
+
 	if (strcmp(service, "qos") == 0) {
 		if (action & A_STOP) {
 			stop_qos();
@@ -2216,12 +2237,14 @@ TOP:
 			stop_dnsmasq();
 			stop_nas();
 			stop_wan();
+			stop_arpbind();
 			stop_lan();
 			stop_vlan();
 		}
 		if (action & A_START) {
 			start_vlan();
 			start_lan();
+			start_arpbind();
 			start_wan(BOOT);
 			start_nas();
 			start_dnsmasq();
diff --git a/release/src/router/www/advanced-dhcpdns.asp b/release/src/router/www/advanced-dhcpdns.asp
index cacd81b643..92aa529ffa 100644
--- a/release/src/router/www/advanced-dhcpdns.asp
+++ b/release/src/router/www/advanced-dhcpdns.asp
@@ -13,7 +13,7 @@
 <meta name='robots' content='noindex,nofollow'>
 <title>[<% ident(); %>] Advanced: DHCP / DNS</title>
 <link rel='stylesheet' type='text/css' href='tomato.css'>
-<link rel='stylesheet' type='text/css' href='color.css'>
+<% css(); %>
 <script type='text/javascript' src='tomato.js'></script>
 
 <!-- / / / -->
@@ -29,7 +29,7 @@ textarea {
 
 <script type='text/javascript'>
 
-//	<% nvram("dhcpd_dmdns,dns_addget,dhcpd_gwmode,dns_intcpt,dhcpd_slt,dhcpc_minpkt,dnsmasq_custom,dnsmasq_norw,dhcpd_lmax,dhcpc_custom,dns_norebind"); %>
+//	<% nvram("dhcpd_dmdns,dns_addget,dhcpd_gwmode,dns_intcpt,dhcpd_slt,dhcpc_minpkt,dnsmasq_custom,dnsmasq_norw,dhcpd_lmax,dhcpc_custom,dns_norebind,dhcpd_static_only"); %>
 
 if ((isNaN(nvram.dhcpd_lmax)) || ((nvram.dhcpd_lmax *= 1) < 1)) nvram.dhcpd_lmax = 255;
 
@@ -64,6 +64,7 @@ function save()
 	fom.dhcpd_gwmode.value = E('_f_dhcpd_gwmode').checked ? 1 : 0;
 	fom.dns_intcpt.value = E('_f_dns_intcpt').checked ? 1 : 0;
 	fom.dhcpc_minpkt.value = E('_f_dhcpc_minpkt').checked ? 1 : 0;
+	fom.dhcpd_static_only.value = E('_f_dhcpd_static_only').checked ? '1' : '0';
 
 	if (fom.dhcpc_minpkt.value != nvram.dhcpc_minpkt ||
 	    fom.dhcpc_custom.value != nvram.dhcpc_custom) {
@@ -89,10 +90,29 @@ function save()
 
 	form.submit(fom, 1);
 }
+
+function toggleVisibility(whichone) {
+	if(E('sesdiv' + whichone).style.display=='') {
+		E('sesdiv' + whichone).style.display='none';
+		E('sesdiv' + whichone + 'showhide').innerHTML='(Click here to show)';
+		cookie.set('adv_dhcpdns_' + whichone + '_vis', 0);
+	} else {
+		E('sesdiv' + whichone).style.display='';
+		E('sesdiv' + whichone + 'showhide').innerHTML='(Click here to hide)';
+		cookie.set('adv_dhcpdns_' + whichone + '_vis', 1);
+	}
+}
+
+function init() {
+	var c;
+	if (((c = cookie.get('adv_dhcpdns_notes_vis')) != null) && (c == '1')) {
+		toggleVisibility("notes");
+	}
+}
 </script>
 
 </head>
-<body>
+<body onload='init()'>
 <form id='_fom' method='post' action='tomato.cgi'>
 <table id='container' cellspacing=0>
 <tr><td colspan=2 id='header'>
@@ -115,6 +135,7 @@ function save()
 <input type='hidden' name='dhcpd_gwmode'>
 <input type='hidden' name='dns_intcpt'>
 <input type='hidden' name='dhcpc_minpkt'>
+<input type='hidden' name='dhcpd_static_only'>
 
 <div class='section-title'>DHCP / DNS Server (LAN)</div>
 <div class='section'>
@@ -125,6 +146,7 @@ createFieldTable('', [
 	{ title: 'Prevent DNS-rebind attacks', name: 'f_dns_norebind', type: 'checkbox', value: nvram.dns_norebind == '1' },
 	{ title: 'Intercept DNS port<br>(UDP 53)', name: 'f_dns_intcpt', type: 'checkbox', value: nvram.dns_intcpt == '1' },
 	{ title: 'Use user-entered gateway if WAN is disabled', name: 'f_dhcpd_gwmode', type: 'checkbox', value: nvram.dhcpd_gwmode == '1' },
+	{ title: 'Ignore DHCP requests from unknown devices', name: 'f_dhcpd_static_only', type: 'checkbox', value: nvram.dhcpd_static_only == '1' },
 	{ title: 'Maximum active DHCP leases', name: 'dhcpd_lmax', type: 'text', maxlen: 5, size: 8, value: nvram.dhcpd_lmax },
 	{ title: 'Static lease time', multi: [
 		{ name: 'f_dhcpd_sltsel', type: 'select', options: [[0,'Same as normal lease time'],[-1,'"Infinite"'],[1,'Custom']],
@@ -134,10 +156,8 @@ createFieldTable('', [
 	{ title: '<a href="http://www.thekelleys.org.uk/" target="_new">Dnsmasq</a><br>Custom configuration', name: 'dnsmasq_custom', type: 'textarea', value: nvram.dnsmasq_custom }
 ]);
 </script>
-<br>
-Note: The file /etc/dnsmasq.custom is also added to the end of Dnsmasq's configuration file if it exists.
-</div>
-<br>
+
+<!-- / / / -->
 
 <div class='section-title'>DHCP Client (WAN)</div>
 <div class='section'>
@@ -149,6 +169,36 @@ createFieldTable('', [
 </script>
 </div>
 
+<!-- / / / -->
+
+<div class='section-title'>Notes <small><i><a href='javascript:toggleVisibility("notes");'><span id='sesdivnotesshowhide'>(Click here to show)</span></a></i></small></div>
+<div class='section' id='sesdivnotes' style='display:none'>
+
+<i>DHCP / DNS Server (LAN):</i><br>
+<ul>
+<li><b>Use internal DNS</b> - Allow dnsmasq to be your DNS server on LAN.</li>
+<li><b>Use received DNS with user-entered DNS</b> - Add DNS servers received from your WAN connection to the static DNS server list (see <a href='basic-network.asp'>Network</a> configuration).</li>
+<li><b>Prevent DNS-rebind attacks</b> - Enable DNS rebinding protection on Dnsmasq.</li>
+<li><b>Intercept DNS port</b> - Any DNS requests/packets sent out to UDP port 53 are redirected to the internal DNS server.</li>
+<li><b>Use user-entered gateway if WAN is disabled</b> - DHCP will use the IP address of the router as the default gateway on each LAN.</li>
+<li><b>Ignore DHCP requests (...)</b> - Dnsmasq will ignore DHCP requests  to Only MAC addresses listed on the <a href='basic-static.asp'>Static DHCP/ARP</a> page won't be able to obtain an IP address through DHCP.</li>
+<li><b>Maximum active DHCP leases</b> - Self-explanatory.</li>
+<li><b>Static lease time</b> - Absolute maximum amount of time allowed for any DHCP lease to be valid.</li>
+<li><b>Custom configuration</b> - Extra options to be added to the Dnsmasq configuration file.</li>
+</ul>
+
+<i>DHCP Client (WAN):</i><br>
+<ul>
+<li><b>DHCPC Options</b> - Extra options for the DHCP client.</li>
+<li><b>Reduce packet size</b> - Self-explanatory.</li>
+</ul>
+
+<i>Other relevant notes/hints:</i><br>
+<ul>
+<li>The contents of file /etc/dnsmasq.custom are also added to the end of Dnsmasq's configuration file (if it exists).</li>
+</ul>
+
+</div>
 
 <!-- / / / -->
 
diff --git a/release/src/router/www/basic-static.asp b/release/src/router/www/basic-static.asp
index c80761963c..65eb76b995 100644
--- a/release/src/router/www/basic-static.asp
+++ b/release/src/router/www/basic-static.asp
@@ -15,18 +15,25 @@
 <head>
 <meta http-equiv='content-type' content='text/html;charset=utf-8'>
 <meta name='robots' content='noindex,nofollow'>
-<title>[<% ident(); %>] Basic: Static DHCP</title>
+<title>[<% ident(); %>] Basic: Static DHCP/ARP</title>
 <link rel='stylesheet' type='text/css' href='tomato.css'>
 <% css(); %>
 <script type='text/javascript' src='tomato.js'></script>
 
 <!-- / / / -->
 <style type='text/css'>
-#bs-grid .co1,
-#bs-grid .co2 {
+#bs-grid .co1 {
 	width: 120px;
+	text-align: center;
+}
+#bs-grid .co2 {
+	width: 80px;
+	text-align: center;
 }
 #bs-grid .co3 {
+	width: 120px;
+}
+#bs-grid .co4 {
 	width: 80px;
 	text-align: center;
 }
@@ -39,7 +46,7 @@
 
 <script type='text/javascript'>
 
-//	<% nvram("lan_ipaddr,lan_netmask,dhcpd_static,dhcpd_startip,cstats_include"); %>
+//	<% nvram("lan_ipaddr,lan_netmask,dhcpd_static,dhcpd_startip,dhcpd_static_only,cstats_include"); %>
 
 if (nvram.lan_ipaddr.match(/^(\d+\.\d+\.\d+)\.(\d+)$/)) ipp = RegExp.$1 + '.';
 	else ipp = '?.?.?.';
@@ -48,8 +55,7 @@ autonum = aton(nvram.lan_ipaddr) & aton(nvram.lan_netmask);
 
 var sg = new TomatoGrid();
 
-sg.exist = function(f, v)
-{
+sg.exist = function(f, v) {
 	var data = this.getAllData();
 	for (var i = 0; i < data.length; ++i) {
 		if (data[i][f] == v) return true;
@@ -57,51 +63,49 @@ sg.exist = function(f, v)
 	return false;
 }
 
-sg.existMAC = function(mac)
-{
+sg.existMAC = function(mac) {
 	if (isMAC0(mac)) return false;
 	return this.exist(0, mac) || this.exist(1, mac);
 }
 
-sg.existName = function(name)
-{
-	return this.exist(4, name);
+sg.existName = function(name) {
+	return this.exist(5, name);
 }
 
-sg.inStatic = function(n)
-{
-	return this.exist(2, n);
+sg.inStatic = function(n) {
+	return this.exist(3, n);
 }
 
 sg.dataToView = function(data) {
 	var v = [];
-	
-	var s = data[0];
+	var s = (data[0] == '00:00:00:00:00:00') ? '' : data[0];
 	if (!isMAC0(data[1])) s += '<br>' + data[1];
-	v.push(s);
-
-	v.push(escapeHTML('' + data[2]));
-	v.push((data[3].toString() != '0') ? 'Enabled' : '');
-	v.push(escapeHTML('' + data[4]));
+	v.push((s == '') ? '<center><small><i>(unset)</i></small></center>' : s);
 
+	v.push((data[2].toString() != '0') ? '<small><i>Enabled</i></small>' : '');
+	v.push(escapeHTML('' + data[3]));
+	v.push((data[4].toString() != '0') ? '<small><i>Enabled</i></small>' : '');
+	v.push(escapeHTML('' + data[5]));
 	return v;
 }
 
 sg.dataToFieldValues = function (data) {
 	return ([data[0],
 			data[1],
-			data[2],
-			(data[3].toString() != '0') ? 'checked' : '',
-			data[4]]);
+			(data[2].toString() != '0') ? 'checked' : '',
+			data[3],
+			(data[4].toString() != '0') ? 'checked' : '',
+			data[5]]);
 }
 
 sg.fieldValuesToData = function(row) {
 	var f = fields.getAll(row);
 	return ([f[0].value,
 			f[1].value,
-			f[2].value,
-			f[3].checked ? '1' : '0',
-			f[4].value]);
+			f[2].checked ? '1' : '0',
+			f[3].value,
+			f[4].checked ? '1' : '0',
+			f[5].value]);
 }
 
 sg.sortCompare = function(a, b) {
@@ -113,15 +117,20 @@ sg.sortCompare = function(a, b) {
 		r = cmpText(da[0], db[0]);
 		break;
 	case 1:
-		r = cmpIP(da[2], db[2]);
+		r = cmpInt(da[2], db[2]);
+		break;
+	case 2:
+		r = cmpIP(da[3], db[3]);
+		break;
+	case 3:
+		r = cmpInt(da[4], db[4]);
 		break;
 	}
-	if (r == 0) r = cmpText(da[4], db[4]);
+	if (r == 0) r = cmpText(da[5], db[5]);
 	return this.sortAscending ? r : -r;
 }
 
-sg.verifyFields = function(row, quiet)
-{
+sg.verifyFields = function(row, quiet) {
 	var f, s, i;
 
 	f = fields.getAll(row);
@@ -140,46 +149,67 @@ sg.verifyFields = function(row, quiet)
 		f[1].value = f[0].value;
 		f[0].value = s;
 	}
+
+	f[1].disabled = f[2].checked;
+
 	for (i = 0; i < 2; ++i) {
 		if (this.existMAC(f[i].value)) {
 			ferror.set(f[i], 'Duplicate MAC address', quiet);
 			return 0;
 		}
-	}	
+	}
 
-	if (f[2].value.indexOf('.') == -1) {
-		s = parseInt(f[2].value, 10)
+	if (f[3].value.indexOf('.') == -1) {
+		s = parseInt(f[3].value, 10)
 		if (isNaN(s) || (s <= 0) || (s >= 255)) {
-			ferror.set(f[2], 'Invalid IP address', quiet);
+			ferror.set(f[3], 'Invalid IP address', quiet);
 			return 0;
 		}
-		f[2].value = ipp + s;
+		f[3].value = ipp + s;
 	}
 
-	if ((!isMAC0(f[0].value)) && (this.inStatic(f[2].value))) {
-		ferror.set(f[2], 'Duplicate IP address', quiet);
+	if ((!isMAC0(f[0].value)) && (this.inStatic(f[3].value))) {
+		ferror.set(f[3], 'Duplicate IP address', quiet);
 		return 0;
 	}
 
-	if (!v_hostname(f[4], quiet, 5)) return 0;
-	if (!v_nodelim(f[4], quiet, 'Hostname', 1)) return 0;
-	s = f[4].value;
+/* REMOVE-BEGIN
+//	if (!v_hostname(f[5], quiet, 5)) return 0;
+//	if (!v_nodelim(f[5], quiet, 'Hostname', 1)) return 0;
+REMOVE-END */
+	s = f[5].value.trim().replace(/\s+/g, ' ');
+
 	if (s.length > 0) {
+		if (s.search(/^[.a-zA-Z0-9_\- ]+$/) == -1) {
+			ferror.set(f[5], 'Invalid hostname. Only characters "A-Z 0-9 . - _" are allowed.', quiet);
+			return 0;
+		}
 		if (this.existName(s)) {
-			ferror.set(f[4], 'Duplicate name.', quiet);
+			ferror.set(f[5], 'Duplicate hostname.', quiet);
 			return 0;
 		}
+		f[5].value = s;
 	}
 
 	if (isMAC0(f[0].value)) {
 		if (s == '') {
 			s = 'Both MAC address and name fields must not be empty.';
 			ferror.set(f[0], s, 1);
-			ferror.set(f[4], s, quiet);
+			ferror.set(f[5], s, quiet);
 			return 0;
+		} else {
+			ferror.clear(f[0]);
+			ferror.clear(f[5]);
 		}
 	}
 
+	if (((f[0].value == '00:00:00:00:00:00') || (f[1].value == '00:00:00:00:00:00')) && (f[0].value == f[1].value)) {
+		f[2].disabled=1;
+		f[2].checked=0;
+	} else {
+		f[2].disabled=0;
+	}
+
 	return 1;
 }
 
@@ -195,44 +225,47 @@ sg.resetNewEditor = function() {
 		if (c.length == 3) {
 			f[0].value = c[0];
 			f[1].value = '00:00:00:00:00:00';
-			f[2].value = c[1];
-			f[4].value = c[2];
+			f[3].value = c[1];
+			f[5].value = c[2];
 			return;
 		}
 	}
 
 	f[0].value = '00:00:00:00:00:00';
 	f[1].value = '00:00:00:00:00:00';
-	f[4].value = '';
+	f[2].disabled = 1;
+	f[2].checked = 0;
+	f[4].checked = 0;
+	f[5].value = '';
 
 	n = 10;
 	do {
 		if (--n < 0) {
-			f[2].value = '';
+			f[3].value = '';
 			return;
 		}
 		autonum++;
 	} while (((c = fixIP(ntoa(autonum), 1)) == null) || (c == nvram.lan_ipaddr) || (this.inStatic(c)));
 
-	f[2].value = c;
+	f[3].value = c;
 }
 
-sg.setup = function()
-{
+sg.setup = function() {
 	this.init('bs-grid', 'sort', 140, [
 		{ multi: [ { type: 'text', maxlen: 17 }, { type: 'text', maxlen: 17 } ] },
+		{ type: 'checkbox', prefix: '<div class="centered">', suffix: '</div>' },
 		{ type: 'text', maxlen: 15 },
 		{ type: 'checkbox', prefix: '<div class="centered">', suffix: '</div>' },
-		{ type: 'text', maxlen: 63 } ] );
+		{ type: 'text', maxlen: 50 } ] );
 
-	this.headerSet(['MAC Address', 'IP Address', 'IPTraffic', 'Hostname']);
+	this.headerSet(['MAC Address', 'Bound to', 'IP Address', 'IPTraffic', 'Hostname']);
 
 	var ipt = nvram.cstats_include.split(',');
 	var s = nvram.dhcpd_static.split('>');
 	for (var i = 0; i < s.length; ++i) {
-		var h = '0'
+		var h = '0';
 		var t = s[i].split('<');
-		if (t.length == 3) {
+		if ((t.length == 3) || (t.length == 4)) {
 			var d = t[0].split(',');
 			var ip = (t[1].indexOf('.') == -1) ? (ipp + t[1]) : t[1];
 			for (var j = 0; j < ipt.length; ++j) {
@@ -241,17 +274,19 @@ sg.setup = function()
 					break;
 				}
 			}
-			this.insertData(-1, [d[0], (d.length >= 2) ? d[1] : '00:00:00:00:00:00',
+			if (t.length == 3) {
+				t[3] = '0';
+			}
+			this.insertData(-1, [d[0], (d.length >= 2) ? d[1] : '00:00:00:00:00:00', t[3],
 				(t[1].indexOf('.') == -1) ? (ipp + t[1]) : t[1], h, t[2]]);
 		}
 	}
-	this.sort(3);
+	this.sort(4);
 	this.showNewEditor();
 	this.resetNewEditor();
 }
 
-function save()
-{
+function save() {
 	if (sg.isEditing()) return;
 
 	var data = sg.getAllData();
@@ -263,14 +298,13 @@ function save()
 		var d = data[i];
 		sdhcp += d[0];
 		if (!isMAC0(d[1])) sdhcp += ',' + d[1];
-		sdhcp += '<' + d[2] + '<' + d[4] + '>';
-		if (d[3] == '1') ipt += ((ipt.length > 0) ? ',' : '') + d[2];
+		sdhcp += '<' + d[3] + '<' + d[5] + '<' + d[2] + '>';
+		if (d[4] == '1') ipt += ((ipt.length > 0) ? ',' : '') + d[3];
 	}
 
 	var fom = E('_fom');
 	fom.dhcpd_static.value = sdhcp;
 	fom.cstats_include.value = ipt;
-
 	form.submit(fom, 1);
 }
 
@@ -311,12 +345,12 @@ function toggleVisibility(whichone) {
 <!-- / / / -->
 
 <input type='hidden' name='_nextpage' value='basic-static.asp'>
-<input type='hidden' name='_service' value='dhcpd-restart,cstats-restart'>
+<input type='hidden' name='_service' value='dhcpd-restart,cstats-restart,arpbind-restart'>
 
 <input type='hidden' name='dhcpd_static'>
 <input type='hidden' name='cstats_include'>
 
-<div class='section-title'>Static DHCP</div>
+<div class='section-title'>Static DHCP/ARP</div>
 <div class='section'>
 	<table class='tomato-grid' id='bs-grid'></table>
 </div>
@@ -325,6 +359,7 @@ function toggleVisibility(whichone) {
 <div class='section' id='sesdivnotes' style='display:none'>
 <ul>
 <li><b>MAC Address</b> - Unique identifier associated to a network interface on this particular device.</li>
+<li><b>Bound to</b> - Enforce static ARP binding of this particular IP/MAC address pair.</li>
 <li><b>IP Address</b> - Network address assigned to this device on the local network.</li>
 <li><b>IPTraffic</b> - Keep track of bandwidth usage for this IP address.</li>
 <li><b>Hostname</b> - Human-readable nickname/label assigned to this device on the network.</li>
@@ -334,6 +369,9 @@ function toggleVisibility(whichone) {
 <li><b>Other relevant notes/hints:</b>
 <ul>
 <li>To specify multiple hostnames for a device, separate them with spaces.</li>
+<li>To enable/enforce static ARP binding for a particular device, it must have only one MAC associated with that particular IP address (i.e. you can't have two MAC addresses linked to the same hostname/device in the table above).</li>
+<li>When ARP binding is enabled for a particular MAC/IP address pair, that device will always be shown as "active" in the <a href="tools-wol.asp">Wake On LAN</a> table.</li>
+<li>See also the <a href='advanced-dhcpdns.asp'>Advanced DHCP/DNS</a> settings page for more DHCP-related configuration options.</li>
 </ul>
 </ul>
 </small>
diff --git a/release/src/router/www/bwm-common.js b/release/src/router/www/bwm-common.js
index fc7c90f5c5..fd6c6b9c43 100644
--- a/release/src/router/www/bwm-common.js
+++ b/release/src/router/www/bwm-common.js
@@ -311,7 +311,7 @@ function populateCache() {
 		s = nvram.dhcpd_static.split('>');
 		for (var i = 0; i < s.length; ++i) {
 			var t = s[i].split('<');
-			if (t.length == 3) {
+			if ((t.length == 3) || (t.length == 4)) {
 				if (t[2] != '')
 					hostnamecache[t[1]] = t[2].split(' ').splice(0,1);
 			}
diff --git a/release/src/router/www/tomato.js b/release/src/router/www/tomato.js
index 0f0e5cd983..4f041c2f07 100644
--- a/release/src/router/www/tomato.js
+++ b/release/src/router/www/tomato.js
@@ -2301,7 +2301,7 @@ function navi()
 			['Identification',	'ident.asp'],
 			['Time',			'time.asp'],
 			['DDNS',			'ddns.asp'],
-			['Static DHCP',		'static.asp'],
+			['Static DHCP/ARP',	'static.asp'],
 			['Wireless Filter',	'wfilter.asp'] ] ],
 		['Advanced', 			'advanced', 0, [
 			['Conntrack/Netfilter',	'ctnf.asp'],
diff --git a/release/src/router/www/tools-wol.asp b/release/src/router/www/tools-wol.asp
index a83c1e6864..331fc4daa5 100644
--- a/release/src/router/www/tools-wol.asp
+++ b/release/src/router/www/tools-wol.asp
@@ -63,7 +63,7 @@ wg.populate = function()
 	var q = nvram.dhcpd_static.split('>');
 	for (i = 0; i < q.length; ++i) {
 		var e = q[i].split('<');
-		if (e.length == 3) {
+		if ((e.length == 3) || (e.length == 4)) {
 			var m = e[0].split(',');
 			for (j = 0; j < m.length; ++j) {
 				s.push([m[j], e[1], e[2]]);
-- 
2.11.4.GIT