diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
index 956c7935a..5e9855ce1 100644
--- a/doc/ChangeLog.md
+++ b/doc/ChangeLog.md
@@ -18,6 +18,12 @@ All notable changes to the project are documented in this file.
 - Add `legacy-rates` option to re-enable 802.11b rates on 2.4 GHz for
   old IoT devices (disabled by default)
 
+### Fixes
+
+- Firewall masquerade no longer enables the global IPv4/IPv6 forwarding
+  sysctls.  You must now enable IP forwarding explicitly on the interfaces
+  that should route traffic; enabling NAT alone is no longer enough
+
 [wifi]: wifi.md
 
 [v26.05.0][] - 2026-05-29
diff --git a/patches/hostapd/0003-more-limit-bssid-mask.patch b/patches/hostapd/0003-more-limit-bssid-mask.patch
new file mode 100644
index 000000000..4349057ec
--- /dev/null
+++ b/patches/hostapd/0003-more-limit-bssid-mask.patch
@@ -0,0 +1,17 @@
+diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
+index 72a0bf503..9bdc2b41d 100644
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -916,12 +916,6 @@ static int hostapd_validate_bssid_configuration(struct hostapd_iface *iface)
+ 	if (bits < j)
+ 		bits = j;
+ 
+-	if (bits > 40) {
+-		wpa_printf(MSG_ERROR, "Too many bits in the BSSID mask (%u)",
+-			   bits);
+-		return -1;
+-	}
+-
+ 	os_memset(mask, 0xff, ETH_ALEN);
+ 	j = bits / 8;
+ 	for (i = 5; i > 5 - j; i--)