diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2f6d657..8ce77096 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,13 +4,29 @@ All notable changes to this project will be documented in this file. Dates are d Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). +#### [2.5.1](https://github.com/rdkcentral/utopia/compare/2.5.0...2.5.1) + +- RDKB-64891: Add support for PsidOffset 0 [`#316`](https://github.com/rdkcentral/utopia/pull/316) +- RDKB-58910, RDKB-60010 : Move the WAN IPV6 configuration from brlan0 [`#69`](https://github.com/rdkcentral/utopia/pull/69) +- RDKB-64265: Removing erouter0 hardcode for reusability for different wan interface [`#311`](https://github.com/rdkcentral/utopia/pull/311) +- RDKCOM-5574: RDKBDEV-3417 RDKBACCL-1092 FW Upgrade is not working via tftp server configurations [`#285`](https://github.com/rdkcentral/utopia/pull/285) +- RDKB-62889: Reduce Repetitive logging [`#300`](https://github.com/rdkcentral/utopia/pull/300) +- Revert "RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature" [`#313`](https://github.com/rdkcentral/utopia/pull/313) +- RDKB-62529: Able to access the blocked port HTTPS sites [`#283`](https://github.com/rdkcentral/utopia/pull/283) +- SHARMAN-4067 Delay in NTP sync observed after FactoryReset [`#306`](https://github.com/rdkcentral/utopia/pull/306) +- XB10-2633: [26Q2_Sprint][OS][Residential]Connected clients are not receiving IPv6 addresses and do not have IPv6 internet connectivity. 
[`#298`](https://github.com/rdkcentral/utopia/pull/298) +- Merge tag '2.5.0' into develop [`721f70a`](https://github.com/rdkcentral/utopia/commit/721f70a1cdd0c595fc785bccb88e0ec25502a78a) + #### [2.5.0](https://github.com/rdkcentral/utopia/compare/2.4.0...2.5.0) +> 7 May 2026 + - RDKB-64189: Enable ZRAM to optimize and reduce RDKB memory usage [`#291`](https://github.com/rdkcentral/utopia/pull/291) - RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature [`#282`](https://github.com/rdkcentral/utopia/pull/282) - RDKB-64365: TCP / UDP port usage DMs returns empty value [`#299`](https://github.com/rdkcentral/utopia/pull/299) - RDKCOM-5533: RDKBDEV-3385 VODAFONE-45 Sysevent daemon getting stuck due to fd & worker exhaustion [`#230`](https://github.com/rdkcentral/utopia/pull/230) - RDKB-64588: High impact coverity issues in utopia [`#293`](https://github.com/rdkcentral/utopia/pull/293) +- Add changelog for release 2.5.0 [`03b1826`](https://github.com/rdkcentral/utopia/commit/03b18263d34d270adc8bd7a0a3c9e26b5448acf8) - Merge tag '2.4.0' into develop [`3a3b46b`](https://github.com/rdkcentral/utopia/commit/3a3b46b3c1435ad8befba696d37f54125c1939aa) #### [2.4.0](https://github.com/rdkcentral/utopia/compare/2.3.0...2.4.0) diff --git a/configure.ac b/configure.ac index cb477656..045bd2ae 100644 --- a/configure.ac +++ b/configure.ac @@ -105,7 +105,7 @@ if test x"${MACHINE}" != x; then [The machine type]) fi -AM_CONDITIONAL([MACHINE_SCXER10], [test "x$MACHINE" = "xscxer10"]) +AM_CONDITIONAL([MACHINE_SCXER10], [echo "$MACHINE" | grep -q "scxer10"]) AM_CONDITIONAL([MULTILAN_FEATURE], [test "$MULTILAN_FEATURE" = "yes"]) AM_CONDITIONAL([CPC_FIREWALL_ENABLE], [test "x$CPC_FIREWALL_ENABLE" = "xtrue"]) diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am index 946aaceb..5e113f28 100644 --- a/source/firewall/Makefile.am +++ b/source/firewall/Makefile.am 
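Review bot: The new `+AM_CONDITIONAL([MACHINE_SCXER10], [echo "$MACHINE" | grep -q "scxer10"])` in configure.ac turns an exact-equality test into an unanchored substring match, so any `$MACHINE` value that merely contains `scxer10` now enables the conditional. If the intent is to cover board variants that share the `scxer10` prefix, anchoring the pattern, `echo "$MACHINE" | grep -q '^scxer10'`, keeps that without matching unrelated machine names, and a one-line comment above the macro stating which variants are meant would save the next reader from guessing. A shell `case` pattern inside the test would also avoid spawning two processes per configure run, but the anchored grep is the smaller change.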
@@ -27,7 +27,7 @@ if ONESTACK_PRODUCT_REQ AM_LDFLAGS += -lrdkb_feature_mode_gate endif -firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c +firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c firewall_utils.c if CPC_FIREWALL_ENABLE firewall_SOURCES += firewall_lib.c firewall_dsl.c rabid.c AM_LDFLAGS += -lrdkconfig diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 7d94dbac..50538050 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -745,8 +745,6 @@ int rfstatus; * For simplicity purposes we cap the number of syscfg entries within a * specific namespace. This cap is controlled by MAX_SYSCFG_ENTRIES */ -#define MAX_PORT 65535 - #define MAX_NAMESPACE 64 #define MAX_SRC_IP_TABLE_ROW 10 /*RDKB-7145, CID-33123, defining max size for src_ip[MAX_SRC_IP_TABLE_ENTRY][]*/ @@ -870,7 +868,6 @@ void firewall_log( char* fmt, ...) #ifdef WAN_FAILOVER_SUPPORTED unsigned int Get_Device_Mode() { - FIREWALL_DEBUG("Inside Get_Device_Mode\n"); syscfg_get(NULL, "Device_Mode", dev_type, sizeof(dev_type)); unsigned int dev_mode = atoi(dev_type); Dev_Mode mode; @@ -926,7 +923,6 @@ char* get_iface_ipaddr(const char* iface_name) bool isServiceNeeded() { - FIREWALL_DEBUG("Inside isServiceNeeded\n"); if (Get_Device_Mode()==EXTENDER_MODE) { FIREWALL_DEBUG("Service Not Needed\n"); @@ -945,7 +941,6 @@ bool isServiceNeeded() } } - FIREWALL_DEBUG("returning true\n"); return TRUE; } #endif @@ -1115,8 +1110,8 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) char ipaddress_str[BUFLEN_32] = {0}; char mapt_config_ratio_str[BUFLEN_64] = {0}; char mapt_config_value[BUFLEN_8] = {0}; - unsigned int contiguous_port = 0; - int ratio = 0; + unsigned int contiguous_port = 0; + int block_shift = 0; int port = 0; unsigned int i =0; unsigned int j = 0; 
@@ -1268,16 +1263,22 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) psidLen = atoi(sysevent_val); - if (offset == 0) - offset = 6; - a = (1 << offset); m = 16 - (psidLen + offset); contiguous_port = (1 << m); - ratio = 16 - offset; + block_shift = 16 - offset; - // Exclude i=0 block as per original logic - total_ports = (a * contiguous_port) - contiguous_port; + // total ports + if (offset == 0) + { + /* Single contiguous block (psid = 0 will use the well-known ports) */ + total_ports = a * contiguous_port; + } + else + { + /* Skip first block (well-known ports) as reserved ports */ + total_ports = (a - 1) * contiguous_port; + } memset(sysevent_val, 0, sizeof(sysevent_val)); snprintf(sysevent_val, sizeof(sysevent_val), "%u", total_ports); if(sysevent_set(sysevent_fd, sysevent_token, SYSEVENT_MAPT_TOTAL_PORTS, sysevent_val, 0) != 0) @@ -1287,13 +1288,15 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) FIREWALL_DEBUG("MAPT Info: offset=%u, psid=%u, psidLen=%u, port_blocks=%u, contiguous_port=%u, total_ports=%u \n" COMMA offset COMMA psid COMMA psidLen COMMA a COMMA contiguous_port COMMA total_ports); + int start_i = (offset == 0) ? 0 : 1; + /* Start of port range parameters. */ /* create rules */ - for(i=1; i< (a); i++) + for(i = start_i; i < a; i++) { for(j=0; j<(contiguous_port); j++) { - port = (i< MAX_PORT ) - return -1; - - return 0; -} /* * add parental control managed service(ports) rules */ 
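Review bot: Dropping `if (offset == 0) offset = 6;` in the `@@ -1268` hunk also removes the only fallback for an unset or unparseable PsidOffset: if `offset` is obtained the way `psidLen = atoi(sysevent_val);` is two lines above (its read is outside the hunk), an empty sysevent value now yields a genuine offset of 0, i.e. a port set that starts at the well-known ports, instead of the previous default. Distinguish "unset" from "0" on the string before converting, e.g. `if (sysevent_val[0] == '\0') offset = 6;`, and state next to the new `/* Single contiguous block ... */` comment that offset 0 is the RFC 7597 "no excluded ports" case so the choice is visible. Independently, `m = 16 - (psidLen + offset);` feeds `contiguous_port = (1 << m);` with no check that `psidLen + offset <= 16`; both values come from sysevent, so a guard such as `if (psidLen + offset > 16)` that takes the function's existing error path avoids an undefined shift (the same applies to `a = (1 << offset);`). The `@@ -1287` loop that consumes `start_i` is truncated on this page, so its port arithmetic could not be reviewed; `do_mapt_rules_v4` starts and ends outside both hunks.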
@@ -10142,21 +10110,9 @@ static int do_lan2wan_misc(FILE *filter_fp) else if (strcmp(query,"ACCEPT") == 0) { fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 1723 -j ACCEPT\n"); } - char sites_enabled[MAX_QUERY]; - sites_enabled[0] = '\0'; - syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled - { - syscfg_get("blockssl", "result", query, sizeof(query)); - if (strcmp(query,"DROP") == 0) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j DROP\n"); - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j DROP\n"); - } - else if(strcmp(query,"ACCEPT") == 0) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j ACCEPT\n"); - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j ACCEPT\n"); - } - } + + // Apply SSL blocking rule + do_ssl_blocking_rules(filter_fp, "lan2wan_misc"); } #endif @@ -12039,6 +11995,7 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * #if defined (_PLATFORM_BANANAPI_R4_) isRawTableUsed = 1; + fprintf(raw_fp, "-F\n"); fprintf(raw_fp, "-A OUTPUT -p udp --dport 69 -j CT --helper tftp\n"); #endif diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 7a82d772..70418829 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h 
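Review bot: The added `fprintf(raw_fp, "-F\n");` in the `@@ -12039` hunk emits an unqualified flush of the whole raw table, which removes every rule in its built-in chains, including any NOTRACK/CT entries other components may have placed there. When the file is loaded with plain `iptables-restore` the `*raw` preamble already resets the table, so the line is redundant there; it only takes effect under `--noflush`, where it is then destructive to unrelated rules (and whether `-F` is accepted at all in a restore file should be confirmed on the target iptables version). If the goal is to avoid a duplicate `--helper tftp` rule on reload, deleting that exact rule with `-D` before the `-A`, or keeping it in a dedicated chain that is flushed, is the targeted form; the same point applies to `fprintf(fp, "*raw\n-F\n");` added in firewall_ipv6.c. A comment stating why `_PLATFORM_BANANAPI_R4_` needs the flush would help the next reader; `prepare_subtables` starts and ends outside the hunk.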
@@ -1246,3 +1246,32 @@ void proxy_dns(FILE *nat_fp,int family); */ void get_iface_ipaddr_ula(const char* ifname,char* ipaddr, int max_ip_size); #endif + +#define MAX_PORT 65535 + +/** +* @brief Validate if a port number string is valid. +* +* @param[in] port_num - Pointer to the port number string. +* +* @return The status of the operation. +* @retval 0 if port is valid (1-65535). +* @retval -1 if port is invalid. +* +*/ +int validate_port(const char* port_num); + +/** +* @brief Apply SSL blocking rules based on managed sites/services configuration. +* +* Checks if managed sites or managed services (with port 443) are enabled, +* and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443. +* Rules are skipped per protocol if managed services covers that protocol on port 443. +* +* @param[in] fp - Pointer to the FILE stream for writing firewall rules. +* @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). +* +* @return None. +* +*/ +void do_ssl_blocking_rules(FILE *fp, const char *chain_name); diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 082e05a6..755c1580 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c @@ -186,9 +186,9 @@ int numifs = sizeof(ifnames) / sizeof(*ifnames); #define V6_BLOCKFRAGIPPKT "v6_BlockFragIPPkts" #define V6_PORTSCANPROTECT "v6_PortScanProtect" #define V6_IPFLOODDETECT "v6_IPFloodDetect" - +#define IPV6_PREFIX_BUF_LEN 128 #if defined (_ONESTACK_PRODUCT_REQ_) -static char ipv6_delegation_prefix[129] ={0}; +static char ipv6_delegation_prefix[IPV6_PREFIX_BUF_LEN+1] ={0}; #endif /* **************************************************************** 
@@ -269,17 +269,15 @@ int prepare_ipv6_firewall(const char *fw_file) ret=-2; goto clean_up_files; } - - #if defined (_ONESTACK_PRODUCT_REQ_) - char sysEventName[256] ={0}; +#if defined (_ONESTACK_PRODUCT_REQ_) + char sysEventName[256] ={0}; + memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix)); if (isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - snprintf(sysEventName, sizeof(sysEventName), "tr_%s_dhcpv6_client_v6pref", current_wan_ifname); - memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix)); - memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix)); - sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix)); + snprintf(sysEventName, sizeof(sysEventName), "tr_%s_dhcpv6_client_v6pref", current_wan_ifname); + sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix)); } - #endif +#endif #ifdef RDKB_EXTENDER_ENABLED @@ -423,6 +421,10 @@ int prepare_ipv6_firewall(const char *fw_file) #endif +#if defined (_PLATFORM_BANANAPI_R4_) + fprintf(fp, "*raw\n-F\n"); +#endif + /*add rules before this*/ #if !defined(_BWG_PRODUCT_REQ_) fprintf(raw_fp, "COMMIT\n"); @@ -1254,7 +1256,7 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A FORWARD -d 0::/96 -j LOG_FORWARD_DROP\n"); // Basic RPF check on the egress & ingress traffic - char prefix[129]; + char prefix[IPV6_PREFIX_BUF_LEN+1]; prefix[0] = 0; #ifdef FEATURE_MAPE char prev_prefix[MAX_QUERY] = {0}; 
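Review bot: In the `@@ -423` hunk the new `fprintf(fp, "*raw\n-F\n");` writes a raw-table header and flush to `fp`, while the raw-table rules and their `COMMIT` (`fprintf(raw_fp, "COMMIT\n");` just below) go to `raw_fp`; unless those two streams end up as the same file, this opens a second `*raw` section in a different place with no `COMMIT` of its own, which ip6tables-restore will reject or attach to whatever table follows. If the flush is meant to belong with the raw rules it should presumably be `fprintf(raw_fp, "-F\n");` emitted before the table's first `-A` (which is outside this hunk), mirroring the IPv4 change in firewall.c. A comment on why the flush is needed on `_PLATFORM_BANANAPI_R4_` would also help. `prepare_ipv6_firewall` starts and ends outside the hunk.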
@@ -1753,22 +1755,9 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 500 -j ACCEPT\n"); fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 4500 -j ACCEPT\n"); } - char sites_enabled[MAX_QUERY]; - sites_enabled[0] = '\0'; - syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled - { - queryv6[0] = '\0'; + // Apply SSL blocking rules + do_ssl_blocking_rules(fp, "lan2wan_misc_ipv6"); - if((0 == syscfg_get(NULL, "blockssl::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){ - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j DROP\n"); - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j DROP\n"); - } - else if(strcmp(queryv6,"ACCEPT") == 0){ - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j ACCEPT\n"); - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j ACCEPT\n"); - } - } queryv6[0] = '\0'; if((0 == syscfg_get(NULL, "blockl2tp::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){ @@ -2143,8 +2132,8 @@ typedef enum{ void applyRoutingRules(FILE* fp,ipv6_type type) { FIREWALL_DEBUG("Entering applyRoutingRules, ipv6_type is %d \n" COMMA type); - char prefix[64] ; - memset(prefix,0,sizeof(prefix)); + char prefix[IPV6_PREFIX_BUF_LEN+1]; + memset(prefix,0,sizeof(prefix)); int i ; if ( ULA_IPV6 == type) { diff --git a/source/firewall/firewall_utils.c b/source/firewall/firewall_utils.c new file mode 100644 index 00000000..3d2c9e7a --- /dev/null +++ b/source/firewall/firewall_utils.c 
@@ -0,0 +1,140 @@
+/*
+ * If not stated otherwise in this file or this component's Licenses.txt file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "firewall.h"
+
+/**
+ * @brief Validate if a port number string is valid.
+ *
+ * @param[in] port_num - Pointer to the port number string.
+ *
+ * @return The status of the operation.
+ * @retval 0 if port is valid (1-65535).
+ * @retval -1 if port is invalid.
+ */
+int validate_port(const char* port_num)
+{
+ int port = atoi(port_num);
+ if (port <= 0 || port > MAX_PORT)
+ return -1;
+ return 0;
+}
+
+/**
+ * @brief Apply SSL blocking rules based on managed sites/services configuration.
+ *
+ * Checks if managed sites or managed services (with port 443) are enabled,
+ * and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443.
+ * Rules are skipped per protocol if managed services already covers that
+ * protocol on port 443.
+ *
+ *
+ * @param[in] fp - Pointer to the FILE stream for writing firewall rules.
+ * @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6").
+ */
+void do_ssl_blocking_rules(FILE *fp, const char *chain_name)
+{
+ int ms_has_tcp_443 = 0;
+ int ms_has_udp_443 = 0;
+ char sites_enabled[MAX_QUERY] = {0};
+ char services_enabled[MAX_QUERY] = {0};
+
+ syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled));
+
+ /* If managed sites is enabled, skip SSL blocking entirely */
+ if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') {
+ ms_has_tcp_443 = 1;
+ ms_has_udp_443 = 1;
+ } else {
+ /* Check managed services for port 443 */
+ syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled));
+ if (services_enabled[0] != '\0' && services_enabled[0] != '0') {
+ char ms_count_str[MAX_QUERY] = {0};
+ int ms_count = 0;
+ syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str));
+ if (ms_count_str[0] != '\0') {
+ ms_count = atoi(ms_count_str);
+ }
+ if (ms_count < 0) {
+ ms_count = 0;
+ } else if (ms_count > MAX_SYSCFG_ENTRIES) {
+ ms_count = MAX_SYSCFG_ENTRIES;
+ }
+ for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) {
+ char ns[MAX_QUERY] = {0}, prot[10] = {0};
+ char ms_namespace_key[MAX_QUERY] = {0};
+
+ snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i);
+ if (syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)) != 0 || ns[0] == '\0')
+ continue;
+
+ /* Get protocol to check if we can skip this entry */
+ if (syscfg_get(ns, "proto", prot, sizeof(prot)) != 0) {
+ prot[0] = '\0';
+ }
+
+ /* Skip if this protocol is already covered */
+ if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) ||
+ (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) {
+ continue;
+ }
+
+ /* Check port range */
+ char start_port[16] = {0}, end_port[16] = {0};
+ syscfg_get(ns, "start_port", start_port, sizeof(start_port));
+ if (start_port[0] == '\0' || validate_port(start_port) != 0) {
+ continue;
+ }
+ syscfg_get(ns, "end_port", end_port, sizeof(end_port));
+ if (end_port[0] == '\0' || validate_port(end_port) != 0) {
+ continue;
+ }
+
+ int sp = atoi(start_port);
+ int ep = atoi(end_port);
+ if (sp > 443 || ep < 443) continue; /* Port 443 not in range */
+
+ /* Set flags based on protocol */
+ if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) {
+ ms_has_tcp_443 = ms_has_udp_443 = 1;
+ break;
+ } else if (strncasecmp("tcp", prot, 3) == 0) {
+ ms_has_tcp_443 = 1;
+ } else if (strncasecmp("udp", prot, 3) == 0) {
+ ms_has_udp_443 = 1;
+ }
+ }
+ }
+ }
+
+ /* Emit SSL blocking rules for protocols not covered by managed services */
+ if (!(ms_has_tcp_443 && ms_has_udp_443)) {
+ char query[MAX_QUERY] = {0};
+ if (0 == syscfg_get(NULL, "blockssl::result", query, sizeof(query))) {
+ if (strcmp(query, "DROP") == 0 || strcmp(query, "ACCEPT") == 0) {
+ if (!ms_has_udp_443) {
+ fprintf(fp, "-A %s -p udp --dport 443 -j %s\n", chain_name, query);
+ }
+ if (!ms_has_tcp_443) {
+ fprintf(fp, "-A %s -p tcp --dport 443 -j %s\n", chain_name, query);
+ }
+ }
+ }
+ }
+}
diff --git a/source/scripts/init/c_registration/02_ipv4.c b/source/scripts/init/c_registration/02_ipv4.c
index 50d052c6..885f55fe 100644
--- a/source/scripts/init/c_registration/02_ipv4.c
+++ b/source/scripts/init/c_registration/02_ipv4.c
@@ -66,7 +66,7 @@ const char* SERVICE_DEFAULT_HANDLER_BCI = "/etc/utopia/service.d/service_ipv4_bc
 * keep the define outside of the string quotation symbols
 * eg. "event3|/etc/code|"ACTION_FLAG_NOT_THREADSAFE"|"TUPLE_FLAG_SERIAL
 */
-#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_)
+#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) && !defined(_PLATFORM_BANANAPI_R4_)
 const char* SERVICE_CUSTOM_EVENTS[] = {
 "ipv4-resyncAll|/etc/utopia/service.d/service_ipv4.sh|NULL|"TUPLE_FLAG_EVENT,
 "ipv4-resync|/etc/utopia/service.d/service_ipv4.sh|NULL|"TUPLE_FLAG_EVENT,
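Review bot: `validate_port` in the new firewall_utils.c relies on `atoi`, which accepts leading whitespace and trailing garbage (`"443abc"` parses as 443) and has undefined behaviour on out-of-range digit strings, so a malformed `start_port`/`end_port` read from syscfg is treated as a valid port and then re-parsed with `atoi` a second time in the caller; parsing once with `strtol` and rejecting anything but a fully consumed in-range number closes that (rewrite below; it needs `<errno.h>` if `firewall.h` does not already provide it). Separately, the gate `if (sites_enabled[0] != '\0' && sites_enabled[0] != '0')` changes behaviour when `managedsites_enabled` is absent from syscfg: the removed IPv4/IPv6 code only emitted the 443 rules when the value was exactly `'0'`, whereas the helper now emits them for an empty value as well — confirm that is intended, otherwise test `sites_enabled[0] == '0'` explicitly. The `strncasecmp(..., 3)` comparisons are prefix matches (`"tcpx"` counts as tcp); `strcasecmp` gives the exact match the code seems to want. The function comment should also state the all-or-nothing case, e.g. `* When managed sites is enabled no 443 rule is written at all; managed services only suppress the protocol(s) they already cover.`
```c
int validate_port(const char* port_num)
{
    char *end = NULL;
    long port;

    if (port_num == NULL || *port_num == '\0')
        return -1;
    errno = 0;
    port = strtol(port_num, &end, 10);
    /* reject trailing garbage, overflow and values outside 1..MAX_PORT */
    if (*end != '\0' || errno == ERANGE || port <= 0 || port > MAX_PORT)
        return -1;
    return 0;
}
```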
diff --git a/source/scripts/init/c_registration/02_lanHandler.c b/source/scripts/init/c_registration/02_lanHandler.c index a24f2b4d..6c314f96 100644 --- a/source/scripts/init/c_registration/02_lanHandler.c +++ b/source/scripts/init/c_registration/02_lanHandler.c @@ -43,7 +43,7 @@ #define SERVICE_NAME "lan" #define SERVICE_DEFAULT_HANDLER "/etc/utopia/service.d/lan_handler.sh" -#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) +#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) && !defined(_PLATFORM_BANANAPI_R4_) const char* SERVICE_CUSTOM_EVENTS[] = { "pnm-status|/etc/utopia/service.d/lan_handler.sh", "bring-lan|/usr/bin/service_dhcp", diff --git a/source/scripts/init/defaults/system_defaults_arm b/source/scripts/init/defaults/system_defaults_arm index 9f039503..9af3ea17 100755 --- a/source/scripts/init/defaults/system_defaults_arm +++ b/source/scripts/init/defaults/system_defaults_arm @@ -939,6 +939,7 @@ $Adv_AdvSecOTMRFCEnable=1 $Adv_AdvSecUserSpaceRFCEnable=0 $Adv_WifiDataCollectionRFCEnable=0 $Adv_LevlRFCEnable=0 +$Adv_AdvSecNetworkIntelligenceRFCEnable=0 $Adv_AdvSecAgentRFCEnable=1 $Adv_AdvSecSafeBrowsingRFCEnable=1 $Adv_AdvSecCujoTelemetryWiFiFPRFCEnable=0 @@ -946,6 +947,8 @@ $Adv_AdvSecCujoTracerRFCEnable=0 $Adv_AdvSecCujoTelemetryRFCEnable=0 $Adv_SATERFCEnable=0 $Adv_TCPTrackerFilterDevicesRFCEnable=0 +$Adv_DoHBlockingRFCEnable=0 +$Adv_DNSECHBlockingRFCEnable=0 $Adv_RaptrRFCEnable=1 #Firewall log settings @@ -1295,6 +1298,9 @@ $Advsecurity_RabidMacCacheSize=10000 # Rabid dnscache size $Advsecurity_RabidDNSCacheSize=10000 +# cujo-ni memory limit +$Advsecurity_NetworkIntelligenceMemoryLimit=15 + #Ethernet bhaul bridge migration for LnF $iot_brname=br106 
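Review bot: The new `# cujo-ni memory limit` comment above `$Advsecurity_NetworkIntelligenceMemoryLimit=15` in system_defaults_arm does not say what unit `15` is in (MB, percent of RAM, pages), so anyone tuning it has to locate the consumer first; suggest `# cujo-ni memory limit in <UNIT> (read by <COMPONENT>)` with the real unit and reader filled in. The three added `*RFCEnable=0` defaults follow the surrounding convention and need nothing further.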
diff --git a/source/scripts/init/service.d/service_connectivitycheck.sh b/source/scripts/init/service.d/service_connectivitycheck.sh index 728fb319..9427c713 100644 --- a/source/scripts/init/service.d/service_connectivitycheck.sh +++ b/source/scripts/init/service.d/service_connectivitycheck.sh @@ -91,7 +91,7 @@ while true; do fi exit 0 fi - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$URL") + HTTP_CODE=$(curl -s --connect-timeout 3 --max-time 5 -o /dev/null -w "%{http_code}" "$URL") CURL_STATUS=$? uptime=$(cut -d. -f1 /proc/uptime) uptime_ms=$((uptime*1000)) diff --git a/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh b/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh index faec0aca..ff6b4861 100755 --- a/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh +++ b/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh @@ -41,6 +41,7 @@ DHCP_CONF=/etc/dnsmasq.conf DHCP_STATIC_HOSTS_FILE=/etc/dhcp_static_hosts DHCP_OPTIONS_FILE=/var/dhcp_options SelfHealSupport=`sysevent get SelfhelpWANConnectionDiagSupport` +# LANIPV6Support only used for identifying the ULA usage LANIPV6Support=`sysevent get LANIPv6GUASupport` if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$SelfHealSupport" = "true" ]; then LOCAL_DHCP_CONF=/tmp/dnsmasq.conf diff --git a/source/scripts/init/service.d/service_ntpd.sh b/source/scripts/init/service.d/service_ntpd.sh index 62b39e03..a16532a6 100644 --- a/source/scripts/init/service.d/service_ntpd.sh +++ b/source/scripts/init/service.d/service_ntpd.sh @@ -50,7 +50,6 @@ NTP_CONF_TMP=/tmp/ntp.conf NTP_CONF_QUICK_SYNC=/tmp/ntp_quick_sync.conf LOCKFILE=/var/tmp/service_ntpd.pid BIN=ntpd -WAN_IPv6_UP=0 QUICK_SYNC_PID="" QUICK_SYNC_DONE=0 
@@ -171,33 +170,7 @@ wan_wait () #Make sure WAN interface has an IPv4 or IPv6 address before telling NTP to listen on Interface WAN_IPv4=`ifconfig -a "$WAN_INTERFACE" | grep inet | grep -v inet6 | tr -s " " | cut -d ":" -f2 | cut -d " " -f1 | head -n1` - if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$BOX_TYPE" = "WNXL11BWL" ] || [ "$LANIPV6Support" = "true" ]; then - CURRENT_WAN_IPV6_STATUS=`sysevent get ipv6_connection_state` - if [ "up" = "$CURRENT_WAN_IPV6_STATUS" ] ; then - ULAprefix=`sysevent get ula_address |cut -d ':' -f1` - if [ -z "$ULAprefix" ]; then - WAN_IPv6=`ifconfig "$NTPD_IPV6_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | grep -v 'fdd7' | cut -d '/' -f1 | head -n1` - else - WAN_IPv6=`ifconfig "$NTPD_IPV6_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | grep -v 'fdd7' | grep -v "$ULAprefix" | cut -d '/' -f1 | head -n1` - fi - WAN_IPv6_UP=1 - # SHARMAN-2301 - #This change is for UK MAP-T SR213. When NTP servers are IPv4 only and there is no IPv4 WAN IP on the interface we will use $NTPD_IPV6_INTERFACE(currently brlan0) ipv4 ip to sort ntpd daemon socket problems and routing. 
- if [ "$BOX_TYPE" = "SR213" ] || [ "$LANIPV6Support" == "true" ]; then - MAPT_STATS=$(sysevent get mapt_config_flag) - echo_t "SERVICE_NTPD : MAPT_STATS=$MAPT_STATS" - if [ x"$MAPT_STATS" = x"set" ]; then - IPV4_CONN_STATE=$(sysevent get ipv4_connection_state) - echo_t "SERVICE_NTPD : IPV4_CONN_STATE=$IPV4_CONN_STATE" - if [ x"$IPV4_CONN_STATE" != x"up" ]; then - WAN_IPv4=`ifconfig "$NTPD_IPV6_INTERFACE" | grep inet\ \addr | cut -d ':' -f2 |cut -d ' ' -f1` - fi - fi - fi - fi - else - WAN_IPv6=`ifconfig "$WAN_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | cut -d '/' -f1 | head -n1` - fi + WAN_IPv6=`ifconfig "$WAN_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | cut -d '/' -f1 | head -n1` if [ -n "$WAN_IPv4" ] || [ -n "$WAN_IPv6" ]; then if [ "$2" = "quickSync" ];then @@ -572,19 +545,6 @@ service_start () echo "interface ignore wildcard" >> $NTP_CONF_TMP echo "interface listen 127.0.0.1" >> $NTP_CONF_TMP echo "interface listen ::1" >> $NTP_CONF_TMP - #SHARMAN-2301 - #This change is for UK MAP-T SR213. Since we will not have any of the global IP on WAN interface, We need to add the IPv6 interface (currently brlan0) to the config file - if [ "$BOX_TYPE" = "SR213" ] || [ "$LANIPV6Support" = "true" ]; then - MAPT_STATS=$(sysevent get mapt_config_flag) - echo_t "SERVICE_NTPD : MAPT_STATS=$MAPT_STATS" - if [ x"$MAPT_STATS" = x"set" ]; then - IPV4_CONN_STATE=$(sysevent get ipv4_connection_state) - echo_t "SERVICE_NTPD : IPV4_CONN_STATE=$IPV4_CONN_STATE" - if [ x"$IPV4_CONN_STATE" != x"up" ]; then - echo "interface listen $NTPD_IPV6_INTERFACE" >> $NTP_CONF_TMP - fi - fi - fi if [ -n "$WAN_IP" ]; then echo "interface listen $WAN_IP" >> $NTP_CONF_TMP 
@@ -593,21 +553,6 @@ service_start () fi fi - if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$BOX_TYPE" = "WNXL11BWL" ] || [ "$LANIPV6Support" = "true" ]; then - # SKYH4-2006: To listen v6 server, update the conf file after getting valid v6 IP(CURRENT_WAN_V6_PREFIX) - CURRENT_WAN_IPV6_STATUS=`sysevent get ipv6_connection_state` - - if [ "up" = "$CURRENT_WAN_IPV6_STATUS" ] ; then - CURRENT_WAN_V6_PREFIX=`syscfg get ipv6_prefix_address` - if [ -n "$CURRENT_WAN_V6_PREFIX" ]; then - echo "interface listen $CURRENT_WAN_V6_PREFIX" >> $NTP_CONF_TMP - sysevent set ntp_ipv6_listen "set" - else - sysevent set ntp_ipv6_listen "unset" - fi - fi - fi - if [ "$MULTI_CORE" = "yes" ] && [ "$NTPD_IMMED_PEER_SYNC" != "true" ]; then echo "interface listen $HOST_INTERFACE_IP" >> $NTP_CONF_TMP fi @@ -630,18 +575,8 @@ service_start () uptime_ms=$((uptime*1000)) echo_t "SERVICE_NTPD : Starting NTP Quick Sync" >> $NTPD_LOG_NAME t2ValNotify "SYS_INFO_NTPSTART_split" $uptime_ms - if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$BOX_TYPE" = "WNXL11BWL" ] || [ "$ntpHealthCheck" = "true" ]; then - if [ $WAN_IPv6_UP -eq 1 ]; then - $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -l $NTPD_LOG_NAME & - QUICK_SYNC_PID=$! - else - $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -4 -l $NTPD_LOG_NAME & - QUICK_SYNC_PID=$! - fi - else - $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -l $NTPD_LOG_NAME & - QUICK_SYNC_PID=$! - fi + $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -l $NTPD_LOG_NAME & + QUICK_SYNC_PID=$! if [ -n "$QUICK_SYNC_PID" ];then set_ntp_quicksync_status fi diff --git a/source/scripts/init/service.d/service_sshd.sh b/source/scripts/init/service.d/service_sshd.sh index a2ba75cc..00c40b62 100755 --- a/source/scripts/init/service.d/service_sshd.sh 
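Review bot: The block removed in the `@@ -593` hunk was the only visible writer of `sysevent set ntp_ipv6_listen "set"`/`"unset"`; after this change the event is never updated, so any consumer still keying off it (none is visible on this page) will read a stale value — either remove the readers as well or keep a single `sysevent set ntp_ipv6_listen "unset"` at the old location so the state stays explicit. The deleted SHARMAN-2301 comments described a MAP-T case with no global IP on the WAN interface; with the `@@ -171` hunk now reading only `$WAN_INTERFACE`, `wan_wait` can no longer succeed in that case, so if any supported box still hits it the commit message or a comment should say where NTP is expected to bind instead. `service_start` and `wan_wait` both start outside their hunks.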
+++ b/source/scripts/init/service.d/service_sshd.sh @@ -195,18 +195,6 @@ do_start() { commandString="$commandString -p [$CM_IPV6]:22" fi fi - elif [ "$BOX_TYPE" = "SCER11BEL" -a "$LANIPV6Support" = "true" ]; then - # In IPv6 only case (MAP-T), and if IPv6 GUA on LAN enabled case, use brlan0 interface to get v6 global address. - CM_IPV6=`ip -6 addr show dev brlan0 scope global | awk '/inet/{print $2}' | cut -d '/' -f1 | head -n1` - if [ ! -z "$CM_IPV6" ]; then - commandString="$commandString -p [$CM_IPV6]:22" - fi - - # Check IPv4 address. - CM_IPV4=`ip -4 addr show dev $CMINTERFACE scope global | awk '/inet/{print $2}' | cut -d '/' -f1` - if [ ! -z "$CM_IPV4" ]; then - commandString="$commandString -p [$CM_IPV4]:22" - fi elif [ "$BOX_TYPE" = "WNXL11BWL" ]; then CM_IP=`ip -4 addr show dev $CMINTERFACE scope global | awk '/inet/{print $2}' | cut -d '/' -f1 | head -n1` if [ ! -z $CM_IP ]; then @@ -270,8 +258,6 @@ do_start() { if ([ "$MANUFACTURE" = "Technicolor" ] || [ "$MODEL_NUM" = "SG417DBCT" ] || [ "$BOX_TYPE" = "WNXL11BWL" ]) ; then echo_t "dropbear -E -s -K 60 -b /etc/sshbanner.txt ${commandString} -r ${DROPBEAR_PARAMS_1} -r ${DROPBEAR_PARAMS_2} -a -P ${PID_FILE}" dropbear -E -s -b /etc/sshbanner.txt $commandString -r $DROPBEAR_PARAMS_1 -r $DROPBEAR_PARAMS_2 -a -P $PID_FILE -K 60 $USE_DEVKEYS 2>>$CONSOLEFILE - elif [ "$BOX_TYPE" = "SCER11BEL" -a "$LANIPV6Support" = "true" ]; then - dropbear -E -s -b /etc/sshbanner.txt $commandString -r $DROPBEAR_PARAMS_1 -r $DROPBEAR_PARAMS_2 -a -P $PID_FILE -K 60 $USE_DEVKEYS 2>>$CONSOLEFILE else dropbear -E -s -b /etc/sshbanner.txt -a -r $DROPBEAR_PARAMS_1 -r $DROPBEAR_PARAMS_2 -p [$CM_IP]:22 -P $PID_FILE $USE_DEVKEYS 2>>$CONSOLEFILE fi