From 6a35969314a0b350f2445cd77000ba3c4b9633cf Mon Sep 17 00:00:00 2001 From: umasankar098 Date: Tue, 12 May 2026 00:14:13 +0530 Subject: [PATCH 01/12] SHARMAN-4067 Delay in NTP sync observed after FactoryReset (#306) SHARMAN-4067 Delay in NTP sync observed after FactoryReset Reason for change: Adding a timeout value and maximum retry in the curl command to avoid indefinite stuck of curl waiting for the response Test Procedure: NA Risks: LOW Priority: P1 Signed-off-by: usi096 Co-authored-by: usi096 Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- source/scripts/init/service.d/service_connectivitycheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/scripts/init/service.d/service_connectivitycheck.sh b/source/scripts/init/service.d/service_connectivitycheck.sh index 728fb319..9427c713 100644 --- a/source/scripts/init/service.d/service_connectivitycheck.sh +++ b/source/scripts/init/service.d/service_connectivitycheck.sh @@ -91,7 +91,7 @@ while true; do fi exit 0 fi - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$URL") + HTTP_CODE=$(curl -s --connect-timeout 3 --max-time 5 -o /dev/null -w "%{http_code}" "$URL") CURL_STATUS=$? uptime=$(cut -d. -f1 /proc/uptime) uptime_ms=$((uptime*1000)) From fff0496ea72bfaf54fbcb77d8e35f834005aac85 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Tue, 12 May 2026 08:03:57 +0530 Subject: [PATCH 02/12] RDKB-62529: Able to access the blocked port HTTPS sites (#283) RDKB-62529: Able to access the blocked port HTTPS sites Reason for change: Blocked port HTTPS site is accessible. Test Procedure: Add HTTPS port in managed services in parental control. Risks: Low Priority: P1 
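Review bot: The description promises a timeout and a maximum retry count, but the new `curl` line in service_connectivitycheck.sh adds only `--connect-timeout 3 --max-time 5`; no retry option appears, so either the message or the command should change (`--retry <N>` is the curl option, with N left to the author). With the limits in place a stalled probe now ends with a non-zero `CURL_STATUS` and an `HTTP_CODE` of `000`. How the surrounding `while true` loop treats those values is outside the hunk and worth confirming. A one-line comment above the call, e.g. `# bound each probe so the loop cannot block on an unresponsive server`, would record why the limits exist.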
Signed-off-by: suriyanarayanan_mp@comcast.com --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: suriya-prem Co-authored-by: aadhithan01 <64963550+aadhithan01@users.noreply.github.com> Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- source/firewall/Makefile.am | 2 +- source/firewall/firewall.c | 28 +------ source/firewall/firewall.h | 29 +++++++ source/firewall/firewall_ipv6.c | 17 +--- source/firewall/firewall_utils.c | 140 +++++++++++++++++++++++++++++++ 5 files changed, 175 insertions(+), 41 deletions(-) create mode 100644 source/firewall/firewall_utils.c diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am index 946aaceb..5e113f28 100644 --- a/source/firewall/Makefile.am +++ b/source/firewall/Makefile.am @@ -27,7 +27,7 @@ if ONESTACK_PRODUCT_REQ AM_LDFLAGS += -lrdkb_feature_mode_gate endif -firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c +firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c firewall_utils.c if CPC_FIREWALL_ENABLE firewall_SOURCES += firewall_lib.c firewall_dsl.c rabid.c AM_LDFLAGS += -lrdkconfig diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 7d94dbac..6606fe35 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -745,8 +745,6 @@ int rfstatus; * For simplicity purposes we cap the number of syscfg entries within a * specific namespace. This cap is controlled by MAX_SYSCFG_ENTRIES */ -#define MAX_PORT 65535 - #define MAX_NAMESPACE 64 #define MAX_SRC_IP_TABLE_ROW 10 /*RDKB-7145, CID-33123, defining max size for src_ip[MAX_SRC_IP_TABLE_ENTRY][]*/ 
@@ -9148,14 +9146,6 @@ static int do_parcon_device_cloud_mgmt(FILE *fp, int iptype, FILE *cron_fp) return(0); } -static int validate_port(char* port_num) -{ - int port = atoi(port_num); - if ( port <= 0 || port > MAX_PORT ) - return -1; - - return 0; -} /* * add parental control managed service(ports) rules */ @@ -10142,21 +10132,9 @@ static int do_lan2wan_misc(FILE *filter_fp) else if (strcmp(query,"ACCEPT") == 0) { fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 1723 -j ACCEPT\n"); } - char sites_enabled[MAX_QUERY]; - sites_enabled[0] = '\0'; - syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled - { - syscfg_get("blockssl", "result", query, sizeof(query)); - if (strcmp(query,"DROP") == 0) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j DROP\n"); - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j DROP\n"); - } - else if(strcmp(query,"ACCEPT") == 0) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j ACCEPT\n"); - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j ACCEPT\n"); - } - } + + // Apply SSL blocking rule + do_ssl_blocking_rules(filter_fp, "lan2wan_misc"); } #endif diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 7a82d772..70418829 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h 
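Review bot: The call `do_ssl_blocking_rules(filter_fp, "lan2wan_misc")` in do_lan2wan_misc is not a pure refactor of the block it replaces. The old code wrote the port-443 rules only when `managedsites_enabled` read back as `0`, while the helper added in firewall_utils.c also proceeds when that key is empty or the lookup fails. The helper also drops the `blockssl` rule for a protocol whenever a managed-service range spans 443, and that applies to a `DROP` result as well as to `ACCEPT`, so an explicit HTTPS block then depends entirely on what the managed-services rules emit for the same traffic (not visible in this patch). If the intent is only to stop the `ACCEPT` shortcut from bypassing the managed-services block, the `DROP` case could still be written regardless of coverage. The identical call in do_ipv6_filter_table (firewall_ipv6.c hunk) is affected the same way, and both call sites would benefit from a comment such as `/* blockssl yields to managed sites/services on port 443; see do_ssl_blocking_rules */`.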
@@ -1246,3 +1246,32 @@ void proxy_dns(FILE *nat_fp,int family); */ void get_iface_ipaddr_ula(const char* ifname,char* ipaddr, int max_ip_size); #endif + +#define MAX_PORT 65535 + +/** +* @brief Validate if a port number string is valid. +* +* @param[in] port_num - Pointer to the port number string. +* +* @return The status of the operation. +* @retval 0 if port is valid (1-65535). +* @retval -1 if port is invalid. +* +*/ +int validate_port(const char* port_num); + +/** +* @brief Apply SSL blocking rules based on managed sites/services configuration. +* +* Checks if managed sites or managed services (with port 443) are enabled, +* and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443. +* Rules are skipped per protocol if managed services covers that protocol on port 443. +* +* @param[in] fp - Pointer to the FILE stream for writing firewall rules. +* @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). +* +* @return None. +* +*/ +void do_ssl_blocking_rules(FILE *fp, const char *chain_name); diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 082e05a6..e1f2227d 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
@@ -1753,22 +1753,9 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 500 -j ACCEPT\n"); fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 4500 -j ACCEPT\n"); } - char sites_enabled[MAX_QUERY]; - sites_enabled[0] = '\0'; - syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled - { - queryv6[0] = '\0'; + // Apply SSL blocking rules + do_ssl_blocking_rules(fp, "lan2wan_misc_ipv6"); - if((0 == syscfg_get(NULL, "blockssl::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){ - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j DROP\n"); - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j DROP\n"); - } - else if(strcmp(queryv6,"ACCEPT") == 0){ - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j ACCEPT\n"); - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j ACCEPT\n"); - } - } queryv6[0] = '\0'; if((0 == syscfg_get(NULL, "blockl2tp::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){ diff --git a/source/firewall/firewall_utils.c b/source/firewall/firewall_utils.c new file mode 100644 index 00000000..3d2c9e7a --- /dev/null +++ b/source/firewall/firewall_utils.c 
@@ -0,0 +1,140 @@ +/* + * If not stated otherwise in this file or this component's Licenses.txt file the + * following copyright and licenses apply: + * + * Copyright 2026 RDK Management + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "firewall.h" + +/** + * @brief Validate if a port number string is valid. + * + * @param[in] port_num - Pointer to the port number string. + * + * @return The status of the operation. + * @retval 0 if port is valid (1-65535). + * @retval -1 if port is invalid. + */ +int validate_port(const char* port_num) +{ + int port = atoi(port_num); + if (port <= 0 || port > MAX_PORT) + return -1; + return 0; +} + +/** + * @brief Apply SSL blocking rules based on managed sites/services configuration. + * + * Checks if managed sites or managed services (with port 443) are enabled, + * and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443. + * Rules are skipped per protocol if managed services already covers that + * protocol on port 443. + * + * + * @param[in] fp - Pointer to the FILE stream for writing firewall rules. + * @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). 
+ */ +void do_ssl_blocking_rules(FILE *fp, const char *chain_name) +{ + int ms_has_tcp_443 = 0; + int ms_has_udp_443 = 0; + char sites_enabled[MAX_QUERY] = {0}; + char services_enabled[MAX_QUERY] = {0}; + + syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); + + /* If managed sites is enabled, skip SSL blocking entirely */ + if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') { + ms_has_tcp_443 = 1; + ms_has_udp_443 = 1; + } else { + /* Check managed services for port 443 */ + syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); + if (services_enabled[0] != '\0' && services_enabled[0] != '0') { + char ms_count_str[MAX_QUERY] = {0}; + int ms_count = 0; + syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); + if (ms_count_str[0] != '\0') { + ms_count = atoi(ms_count_str); + } + if (ms_count < 0) { + ms_count = 0; + } else if (ms_count > MAX_SYSCFG_ENTRIES) { + ms_count = MAX_SYSCFG_ENTRIES; + } + for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { + char ns[MAX_QUERY] = {0}, prot[10] = {0}; + char ms_namespace_key[MAX_QUERY] = {0}; + + snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); + if (syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)) != 0 || ns[0] == '\0') + continue; + + /* Get protocol to check if we can skip this entry */ + if (syscfg_get(ns, "proto", prot, sizeof(prot)) != 0) { + prot[0] = '\0'; + } + + /* Skip if this protocol is already covered */ + if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) || + (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) { + continue; + } + + /* Check port range */ + char start_port[16] = {0}, end_port[16] = {0}; + syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + if (start_port[0] == '\0' || validate_port(start_port) != 0) { + continue; + } + syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + if (end_port[0] == '\0' || 
validate_port(end_port) != 0) { + continue; + } + + int sp = atoi(start_port); + int ep = atoi(end_port); + if (sp > 443 || ep < 443) continue; /* Port 443 not in range */ + + /* Set flags based on protocol */ + if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) { + ms_has_tcp_443 = ms_has_udp_443 = 1; + break; + } else if (strncasecmp("tcp", prot, 3) == 0) { + ms_has_tcp_443 = 1; + } else if (strncasecmp("udp", prot, 3) == 0) { + ms_has_udp_443 = 1; + } + } + } + } + + /* Emit SSL blocking rules for protocols not covered by managed services */ + if (!(ms_has_tcp_443 && ms_has_udp_443)) { + char query[MAX_QUERY] = {0}; + if (0 == syscfg_get(NULL, "blockssl::result", query, sizeof(query))) { + if (strcmp(query, "DROP") == 0 || strcmp(query, "ACCEPT") == 0) { + if (!ms_has_udp_443) { + fprintf(fp, "-A %s -p udp --dport 443 -j %s\n", chain_name, query); + } + if (!ms_has_tcp_443) { + fprintf(fp, "-A %s -p tcp --dport 443 -j %s\n", chain_name, query); + } + } + } + } +} From 0eec5186e1642517f94679f3382a3f13e8857c35 Mon Sep 17 00:00:00 2001 From: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> Date: Tue, 12 May 2026 08:58:35 -0700 Subject: [PATCH 03/12] Revert "RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature" (#313) Reverts rdkcentral/utopia#282 --- source/firewall/firewall_ipv6.c | 41 +++++++++++++-------------------- 1 file changed, 16 insertions(+), 25 deletions(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index e1f2227d..b92a5220 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
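Review bot: `validate_port` is now exported through firewall.h but still parses with `atoi`, so any string with an in-range numeric prefix passes (a constructed example: `443x`), an over-long digit string is undefined behaviour, and a NULL argument is dereferenced. do_ssl_blocking_rules then runs `atoi` a second time on `start_port` and `end_port` to decide whether 443 lies in the range, so the decision to suppress a `blockssl` rule rests on that lenient parse. A `strtol` version with an end-pointer and range test, as below, makes the check exact; it needs `<errno.h>` and `<stdlib.h>` if firewall.h does not already pull them in, which is not visible here. If stored syscfg values can carry trailing whitespace, that has to be skipped before the `*end` test so existing entries are not rejected.

```c
int validate_port(const char* port_num)
{
    char *end = NULL;
    long port;

    if (port_num == NULL || *port_num == '\0')
        return -1;

    errno = 0;
    port = strtol(port_num, &end, 10);
    /* reject trailing characters, overflow and values outside 1..MAX_PORT */
    if (errno != 0 || end == port_num || *end != '\0' || port <= 0 || port > MAX_PORT)
        return -1;
    return 0;
}
/* … unchanged: do_ssl_blocking_rules … */
```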
@@ -187,8 +187,9 @@ int numifs = sizeof(ifnames) / sizeof(*ifnames); #define V6_PORTSCANPROTECT "v6_PortScanProtect" #define V6_IPFLOODDETECT "v6_IPFloodDetect" -#if defined (_ONESTACK_PRODUCT_REQ_) -static char ipv6_delegation_prefix[129] ={0}; +#ifdef _ONESTACK_PRODUCT_REQ_ +#define COSA_DML_DHCPV6_CLIENT_IFNAME "erouter0" +#define COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME "tr_"COSA_DML_DHCPV6_CLIENT_IFNAME"_dhcpv6_client_v6pref" #endif /* **************************************************************** @@ -270,17 +271,7 @@ int prepare_ipv6_firewall(const char *fw_file) goto clean_up_files; } - #if defined (_ONESTACK_PRODUCT_REQ_) - char sysEventName[256] ={0}; - if (isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) - { - snprintf(sysEventName, sizeof(sysEventName), "tr_%s_dhcpv6_client_v6pref", current_wan_ifname); - memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix)); - memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix)); - sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix)); - } - #endif - + #ifdef RDKB_EXTENDER_ENABLED if (isExtProfile() == 0) @@ -1272,14 +1263,14 @@ void do_ipv6_filter_table(FILE *fp){ #ifdef _ONESTACK_PRODUCT_REQ_ if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - snprintf(prefix, sizeof(prefix), "%s", ipv6_delegation_prefix); + sysevent_get(sysevent_fd, sysevent_token, COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME, prefix, sizeof(prefix)); } else { - sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); + sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); } #else - sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); + sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); #endif } 
@@ -1287,7 +1278,7 @@ void do_ipv6_filter_table(FILE *fp){ #ifdef _ONESTACK_PRODUCT_REQ_ if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - snprintf(prefix, sizeof(prefix), "%s", ipv6_delegation_prefix); + sysevent_get(sysevent_fd, sysevent_token, COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME, prefix, sizeof(prefix)); } else { @@ -1309,7 +1300,7 @@ void do_ipv6_filter_table(FILE *fp){ #if defined (_COSA_FOR_BCI_) || defined (_ONESTACK_PRODUCT_REQ_) /* adding forward rule for PD traffic */ #ifdef _ONESTACK_PRODUCT_REQ_ - if (isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) + if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { fprintf(fp, "-A FORWARD -s %s -i %s -j ACCEPT\n", prefix, lan_ifname); if (strncasecmp(firewall_levelv6, "Custom", strlen("Custom")) == 0) @@ -2139,22 +2130,22 @@ void applyRoutingRules(FILE* fp,ipv6_type type) } else { - #ifdef _ONESTACK_PRODUCT_REQ_ - if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) +#ifdef _ONESTACK_PRODUCT_REQ_ + if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - snprintf(prefix, sizeof(prefix), "%s", ipv6_delegation_prefix); + sysevent_get(sysevent_fd, sysevent_token, COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME, prefix, sizeof(prefix)); } else { sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); } - #else +#else sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); - #endif +#endif } - if (strlen(prefix) != 0) + if (strlen(prefix) != 0 ) { - char *token_pref =NULL; + char *token_pref =NULL; token_pref = strtok(prefix,"/"); for(i = 0; i < mesh_wan_ipv6_num; i++) { From 0fbe6af1237602f8aa87194a5f77f8efade808dd Mon Sep 17 00:00:00 2001 
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Wed, 13 May 2026 05:33:33 +0530 Subject: [PATCH 04/12] RDKB-62889: Reduce Repetitive logging (#300) RDKB-62889: Reduce Repetitive logging Reason for change: Remove unwanted logs. Test Procedure: Check firewall debug log file Risks: Low Priority: P1 Signed-off-by: Suriyanarayanan_MP@comcast.com --------- Co-authored-by: suriya-prem Co-authored-by: Harnish Patel <163233851+hpatel006c@users.noreply.github.com> Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- source/firewall/firewall.c | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 6606fe35..49542ee8 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -868,7 +868,6 @@ void firewall_log( char* fmt, ...) #ifdef WAN_FAILOVER_SUPPORTED unsigned int Get_Device_Mode() { - FIREWALL_DEBUG("Inside Get_Device_Mode\n"); syscfg_get(NULL, "Device_Mode", dev_type, sizeof(dev_type)); unsigned int dev_mode = atoi(dev_type); Dev_Mode mode; @@ -924,7 +923,6 @@ char* get_iface_ipaddr(const char* iface_name) bool isServiceNeeded() { - FIREWALL_DEBUG("Inside isServiceNeeded\n"); if (Get_Device_Mode()==EXTENDER_MODE) { FIREWALL_DEBUG("Service Not Needed\n"); @@ -943,7 +941,6 @@ bool isServiceNeeded() } } - FIREWALL_DEBUG("returning true\n"); return TRUE; } #endif @@ -3311,7 +3308,6 @@ int do_single_port_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *f FIREWALL_DEBUG("Entering do_single_port_forwarding\n"); #if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) BOOL isBothProtocol = FALSE; - BOOL isFeatureDisabled = TRUE; #endif query[0] = '\0'; rc = syscfg_get(NULL, "SinglePortForwardCount", query, sizeof(query)); 
@@ -3326,12 +3322,6 @@ int do_single_port_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *f count = MAX_SYSCFG_ENTRIES; } } -#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) - { - FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA TRUE); - isFeatureDisabled = FALSE; - } -#endif for (idx=1 ; idx<=count ; idx++) { namespace[0] = '\0'; @@ -3683,12 +3673,6 @@ int do_single_port_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *f #endif } SinglePortForwardNext: -#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) - if(isFeatureDisabled == TRUE) - { - FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA FALSE); - } -#endif FIREWALL_DEBUG("Exiting do_single_port_forwarding\n"); return(0); } @@ -3712,7 +3696,6 @@ int do_port_range_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *fi int count; #if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) BOOL isBothProtocol = FALSE; - BOOL isFeatureDisabled = TRUE; #endif #ifdef CISCO_CONFIG_TRUE_STATIC_IP @@ -3733,10 +3716,6 @@ int do_port_range_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *fi count = MAX_SYSCFG_ENTRIES; } } -#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) - FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA TRUE); - isFeatureDisabled = FALSE; -#endif for (idx=1 ; idx<=count ; idx++) { namespace[0] = '\0'; @@ -4140,13 +4119,6 @@ int do_port_range_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *fi } PortRangeForwardNext: -#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) - if (isFeatureDisabled == TRUE) - { - FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA FALSE); - } -#endif - FIREWALL_DEBUG("Exiting do_port_range_forwarding\n"); return(0); 
@@ -6341,7 +6313,6 @@ static int remote_access_set_proto(FILE *filt_fp, FILE *nat_fp, const char *port char httpsport[64] = {0}; char tmpQuery[MAX_QUERY]; - FIREWALL_DEBUG("Entering remote_access_set_proto\n"); ret = syscfg_get(NULL, "mgmt_wan_httpport", httpport, sizeof(port)); #if defined(CONFIG_CCSP_WAN_MGMT_PORT) tmpQuery[0] = '\0'; @@ -6382,7 +6353,6 @@ static int remote_access_set_proto(FILE *filt_fp, FILE *nat_fp, const char *port fprintf(filt_fp, "-A INPUT -i %s %s -p tcp -m tcp --dport %s -j ACCEPT\n", interface, src, port); } } - FIREWALL_DEBUG("Exiting remote_access_set_proto\n"); return 0; } int wan_lan_webui_attack(FILE *fp, const char *interface) From 51e50fd72dd7dacd601800f985a16381f49f6d16 Mon Sep 17 00:00:00 2001 From: SsandhyaR Date: Fri, 15 May 2026 01:03:30 +0530 Subject: [PATCH 05/12] RDKCOM-5574: RDKBDEV-3417 RDKBACCL-1092 FW Upgrade is not working via tftp server configurations (#285) Reason for change: since we defined isRawTableUsed as 1, adding the raw rule for ipv6 as explicity as per codeflow Test procedure: check the ipv6 functionality Risks: Low --------- Signed-off-by: ssiras826 Signed-off-by: ssiras826 --- source/firewall/firewall.c | 1 + source/firewall/firewall_ipv6.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 49542ee8..b9354061 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -11987,6 +11987,7 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * #if defined (_PLATFORM_BANANAPI_R4_) isRawTableUsed = 1; + fprintf(raw_fp, "-F\n"); fprintf(raw_fp, "-A OUTPUT -p udp --dport 69 -j CT --helper tftp\n"); #endif diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index b92a5220..9f06c622 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
@@ -414,6 +414,10 @@ int prepare_ipv6_firewall(const char *fw_file) #endif +#if defined (_PLATFORM_BANANAPI_R4_) + fprintf(fp, "*raw\n-F\n"); +#endif + /*add rules before this*/ #if !defined(_BWG_PRODUCT_REQ_) fprintf(raw_fp, "COMMIT\n"); From a2fa3bd07e8378f2bedb2ffd5d102e26cfccc7d3 Mon Sep 17 00:00:00 2001 From: rirfha948 Date: Mon, 18 May 2026 23:38:29 +0530 Subject: [PATCH 06/12] RDKB-64265: Removing erouter0 hardcode for reusability for different wan interface (#311) Test Procedure: - Build OneStack Image - In Business-mode, Check dibbler server is started and server.conf has prefix-delegation class - In Residential-mode, check whether device behaves as a non-CBR device Risks: None Priority: P1 - [] Is this a User Story (US)? This is a bug ticket - [x] Have all dependent PRs from other components been listed ? - [x] Does the commit message include both the User Story ticket and the Subtask ticket? - [x] Will be all changes related to the User Story squashed and merged in a single commit? - [x] Has the PR been raised only after completing all changes for the User Story (no partial changes)? - [x] Has code development for the User Story been completed? - [x] If yes, has the Gerrit topic or list of all dependent PRs across components (including meta-layer changes) been shared? https://gerrit.teamccp.com/#/c/953000/ - [x] Is there a validation log available in the Jira ticket for verifying builds with the updated generic-srcrev.inc across all platforms? --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- source/firewall/firewall_ipv6.c | 49 +++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 9f06c622..755c1580 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
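Review bot: The added `_PLATFORM_BANANAPI_R4_` block writes the table header and flush to `fp` (`fprintf(fp, "*raw\n-F\n");`) while the `COMMIT` on the following lines goes to `raw_fp`. The raw section is therefore well-formed only if `raw_fp` is copied into `fp` directly after this point and carries no `*raw` header of its own, and neither is visible in the hunk. If `raw_fp` is the buffer for this table, writing the flush there, as the firewall.c hunk of this commit does in prepare_subtables with `fprintf(raw_fp, "-F\n");`, would keep header, rules and `COMMIT` in one stream. Otherwise a comment such as `/* raw_fp has no *raw header on this platform; emit it on fp ahead of the copied rules */` should record why the two streams are mixed. prepare_ipv6_firewall continues outside the hunk.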
@@ -186,10 +186,9 @@ int numifs = sizeof(ifnames) / sizeof(*ifnames); #define V6_BLOCKFRAGIPPKT "v6_BlockFragIPPkts" #define V6_PORTSCANPROTECT "v6_PortScanProtect" #define V6_IPFLOODDETECT "v6_IPFloodDetect" - -#ifdef _ONESTACK_PRODUCT_REQ_ -#define COSA_DML_DHCPV6_CLIENT_IFNAME "erouter0" -#define COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME "tr_"COSA_DML_DHCPV6_CLIENT_IFNAME"_dhcpv6_client_v6pref" +#define IPV6_PREFIX_BUF_LEN 128 +#if defined (_ONESTACK_PRODUCT_REQ_) +static char ipv6_delegation_prefix[IPV6_PREFIX_BUF_LEN+1] ={0}; #endif /* **************************************************************** @@ -270,8 +269,16 @@ int prepare_ipv6_firewall(const char *fw_file) ret=-2; goto clean_up_files; } - - +#if defined (_ONESTACK_PRODUCT_REQ_) + char sysEventName[256] ={0}; + memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix)); + if (isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) + { + snprintf(sysEventName, sizeof(sysEventName), "tr_%s_dhcpv6_client_v6pref", current_wan_ifname); + sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix)); + } +#endif + #ifdef RDKB_EXTENDER_ENABLED if (isExtProfile() == 0) @@ -1249,7 +1256,7 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A FORWARD -d 0::/96 -j LOG_FORWARD_DROP\n"); // Basic RPF check on the egress & ingress traffic - char prefix[129]; + char prefix[IPV6_PREFIX_BUF_LEN+1]; prefix[0] = 0; #ifdef FEATURE_MAPE char prev_prefix[MAX_QUERY] = {0}; 
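Review bot: The return value of `sysevent_get` in the new `_ONESTACK_PRODUCT_REQ_` block of prepare_ipv6_firewall is not checked, and the cached `ipv6_delegation_prefix` is later copied into `prefix` and written unvalidated into rules such as `-A FORWARD -s %s -i %s -j ACCEPT` (do_ipv6_filter_table, later hunk). Whether that call site tests for an empty prefix is outside the visible lines; if it does not, an unset sysevent produces a rule line with no source address, which is malformed and may make the whole ip6tables restore fail. I would check the result and log the empty case, for example `if (sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix)) != 0 || ipv6_delegation_prefix[0] == '\0') FIREWALL_DEBUG("no delegated prefix for %s\n" COMMA current_wan_ifname);`, and confirm that each consumer skips its rule then. The function body continues outside the hunk.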
@@ -1267,14 +1274,14 @@ void do_ipv6_filter_table(FILE *fp){ #ifdef _ONESTACK_PRODUCT_REQ_ if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - sysevent_get(sysevent_fd, sysevent_token, COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME, prefix, sizeof(prefix)); + snprintf(prefix, sizeof(prefix), "%s", ipv6_delegation_prefix); } else { - sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); + sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); } #else - sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); + sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); #endif } @@ -1282,7 +1289,7 @@ void do_ipv6_filter_table(FILE *fp){ #ifdef _ONESTACK_PRODUCT_REQ_ if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - sysevent_get(sysevent_fd, sysevent_token, COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME, prefix, sizeof(prefix)); + snprintf(prefix, sizeof(prefix), "%s", ipv6_delegation_prefix); } else { @@ -1304,7 +1311,7 @@ void do_ipv6_filter_table(FILE *fp){ #if defined (_COSA_FOR_BCI_) || defined (_ONESTACK_PRODUCT_REQ_) /* adding forward rule for PD traffic */ #ifdef _ONESTACK_PRODUCT_REQ_ - if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) + if (isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { fprintf(fp, "-A FORWARD -s %s -i %s -j ACCEPT\n", prefix, lan_ifname); if (strncasecmp(firewall_levelv6, "Custom", strlen("Custom")) == 0) @@ -2125,8 +2132,8 @@ typedef enum{ void applyRoutingRules(FILE* fp,ipv6_type type) { FIREWALL_DEBUG("Entering applyRoutingRules, ipv6_type is %d \n" COMMA type); - char prefix[64] ; - memset(prefix,0,sizeof(prefix)); + char prefix[IPV6_PREFIX_BUF_LEN+1]; + memset(prefix,0,sizeof(prefix)); int i ; if ( ULA_IPV6 == type) { 
@@ -2134,22 +2141,22 @@ void applyRoutingRules(FILE* fp,ipv6_type type) } else { -#ifdef _ONESTACK_PRODUCT_REQ_ - if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) + #ifdef _ONESTACK_PRODUCT_REQ_ + if(isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION)) { - sysevent_get(sysevent_fd, sysevent_token, COSA_DML_DHCPV6C_PREF_SYSEVENT_NAME, prefix, sizeof(prefix)); + snprintf(prefix, sizeof(prefix), "%s", ipv6_delegation_prefix); } else { sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); } -#else + #else sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); -#endif + #endif } - if (strlen(prefix) != 0 ) + if (strlen(prefix) != 0) { - char *token_pref =NULL; + char *token_pref =NULL; token_pref = strtok(prefix,"/"); for(i = 0; i < mesh_wan_ipv6_num; i++) { From 3cb8cbf13f25ee713c79d1d91157f5285b39d8ec Mon Sep 17 00:00:00 2001 From: Parthiban Selvaraj <167313466+S-Parthiban-Selvaraj@users.noreply.github.com> Date: Mon, 18 May 2026 23:12:20 +0100 Subject: [PATCH 07/12] RDKB-58910, RDKB-60010 : Move the WAN IPV6 configuration from brlan0 (#69) Reason for change: [NTP] Remove sky specific workarounds from the NTP script . Test Procedure: Updated in Jira. Risks: none Priority: P1 This PR is dependent on the following related PRs: https://github.com/rdkcentral/telco-voice-manager/pull/5 https://github.com/rdkcentral/utopia/pull/69 https://github.com/rdkcentral/wan-manager/pull/79 https://github.com/rdkcentral/provisioning-and-management/pull/127 https://github.com/rdkcentral/xconf-client/pull/20 https://github.com/rdkcentral/test-and-diagnostic/pull/172 https://github.com/rdk-gdcs/firewall/pull/5 https://github.com/rdkcentral/sysint-broadband/pull/34 --------- Signed-off-by: Parthiban Selvaraj 
Signed-off-by: Jonathan Wu Co-authored-by: Goutam Damodaran <140494857+GoutamD2905@users.noreply.github.com> Co-authored-by: Jonathan Wu <195466430+jonathanwu-csv@users.noreply.github.com> Co-authored-by: Jonathan Wu Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- .../dhcp_server_functions.sh | 1 + source/scripts/init/service.d/service_ntpd.sh | 71 +------------------ source/scripts/init/service.d/service_sshd.sh | 14 ---- 3 files changed, 4 insertions(+), 82 deletions(-) diff --git a/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh b/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh index faec0aca..ff6b4861 100755 --- a/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh +++ b/source/scripts/init/service.d/service_dhcp_server/dhcp_server_functions.sh @@ -41,6 +41,7 @@ DHCP_CONF=/etc/dnsmasq.conf DHCP_STATIC_HOSTS_FILE=/etc/dhcp_static_hosts DHCP_OPTIONS_FILE=/var/dhcp_options SelfHealSupport=`sysevent get SelfhelpWANConnectionDiagSupport` +# LANIPV6Support only used for identifying the ULA usage LANIPV6Support=`sysevent get LANIPv6GUASupport` if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$SelfHealSupport" = "true" ]; then LOCAL_DHCP_CONF=/tmp/dnsmasq.conf diff --git a/source/scripts/init/service.d/service_ntpd.sh b/source/scripts/init/service.d/service_ntpd.sh index 62b39e03..a16532a6 100644 --- a/source/scripts/init/service.d/service_ntpd.sh +++ b/source/scripts/init/service.d/service_ntpd.sh @@ -50,7 +50,6 @@ NTP_CONF_TMP=/tmp/ntp.conf NTP_CONF_QUICK_SYNC=/tmp/ntp_quick_sync.conf LOCKFILE=/var/tmp/service_ntpd.pid BIN=ntpd -WAN_IPv6_UP=0 QUICK_SYNC_PID="" QUICK_SYNC_DONE=0 
@@ -171,33 +170,7 @@ wan_wait () #Make sure WAN interface has an IPv4 or IPv6 address before telling NTP to listen on Interface WAN_IPv4=`ifconfig -a "$WAN_INTERFACE" | grep inet | grep -v inet6 | tr -s " " | cut -d ":" -f2 | cut -d " " -f1 | head -n1` - if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$BOX_TYPE" = "WNXL11BWL" ] || [ "$LANIPV6Support" = "true" ]; then - CURRENT_WAN_IPV6_STATUS=`sysevent get ipv6_connection_state` - if [ "up" = "$CURRENT_WAN_IPV6_STATUS" ] ; then - ULAprefix=`sysevent get ula_address |cut -d ':' -f1` - if [ -z "$ULAprefix" ]; then - WAN_IPv6=`ifconfig "$NTPD_IPV6_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | grep -v 'fdd7' | cut -d '/' -f1 | head -n1` - else - WAN_IPv6=`ifconfig "$NTPD_IPV6_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | grep -v 'fdd7' | grep -v "$ULAprefix" | cut -d '/' -f1 | head -n1` - fi - WAN_IPv6_UP=1 - # SHARMAN-2301 - #This change is for UK MAP-T SR213. When NTP servers are IPv4 only and there is no IPv4 WAN IP on the interface we will use $NTPD_IPV6_INTERFACE(currently brlan0) ipv4 ip to sort ntpd daemon socket problems and routing. 
- if [ "$BOX_TYPE" = "SR213" ] || [ "$LANIPV6Support" == "true" ]; then - MAPT_STATS=$(sysevent get mapt_config_flag) - echo_t "SERVICE_NTPD : MAPT_STATS=$MAPT_STATS" - if [ x"$MAPT_STATS" = x"set" ]; then - IPV4_CONN_STATE=$(sysevent get ipv4_connection_state) - echo_t "SERVICE_NTPD : IPV4_CONN_STATE=$IPV4_CONN_STATE" - if [ x"$IPV4_CONN_STATE" != x"up" ]; then - WAN_IPv4=`ifconfig "$NTPD_IPV6_INTERFACE" | grep inet\ \addr | cut -d ':' -f2 |cut -d ' ' -f1` - fi - fi - fi - fi - else - WAN_IPv6=`ifconfig "$WAN_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | cut -d '/' -f1 | head -n1` - fi + WAN_IPv6=`ifconfig "$WAN_INTERFACE" | grep inet6 | grep Global | awk '/inet6/{print $3}' | cut -d '/' -f1 | head -n1` if [ -n "$WAN_IPv4" ] || [ -n "$WAN_IPv6" ]; then if [ "$2" = "quickSync" ];then @@ -572,19 +545,6 @@ service_start () echo "interface ignore wildcard" >> $NTP_CONF_TMP echo "interface listen 127.0.0.1" >> $NTP_CONF_TMP echo "interface listen ::1" >> $NTP_CONF_TMP - #SHARMAN-2301 - #This change is for UK MAP-T SR213. Since we will not have any of the global IP on WAN interface, We need to add the IPv6 interface (currently brlan0) to the config file - if [ "$BOX_TYPE" = "SR213" ] || [ "$LANIPV6Support" = "true" ]; then - MAPT_STATS=$(sysevent get mapt_config_flag) - echo_t "SERVICE_NTPD : MAPT_STATS=$MAPT_STATS" - if [ x"$MAPT_STATS" = x"set" ]; then - IPV4_CONN_STATE=$(sysevent get ipv4_connection_state) - echo_t "SERVICE_NTPD : IPV4_CONN_STATE=$IPV4_CONN_STATE" - if [ x"$IPV4_CONN_STATE" != x"up" ]; then - echo "interface listen $NTPD_IPV6_INTERFACE" >> $NTP_CONF_TMP - fi - fi - fi if [ -n "$WAN_IP" ]; then echo "interface listen $WAN_IP" >> $NTP_CONF_TMP 
@@ -593,21 +553,6 @@ service_start () fi fi - if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$BOX_TYPE" = "WNXL11BWL" ] || [ "$LANIPV6Support" = "true" ]; then - # SKYH4-2006: To listen v6 server, update the conf file after getting valid v6 IP(CURRENT_WAN_V6_PREFIX) - CURRENT_WAN_IPV6_STATUS=`sysevent get ipv6_connection_state` - - if [ "up" = "$CURRENT_WAN_IPV6_STATUS" ] ; then - CURRENT_WAN_V6_PREFIX=`syscfg get ipv6_prefix_address` - if [ -n "$CURRENT_WAN_V6_PREFIX" ]; then - echo "interface listen $CURRENT_WAN_V6_PREFIX" >> $NTP_CONF_TMP - sysevent set ntp_ipv6_listen "set" - else - sysevent set ntp_ipv6_listen "unset" - fi - fi - fi - if [ "$MULTI_CORE" = "yes" ] && [ "$NTPD_IMMED_PEER_SYNC" != "true" ]; then echo "interface listen $HOST_INTERFACE_IP" >> $NTP_CONF_TMP fi @@ -630,18 +575,8 @@ service_start () uptime_ms=$((uptime*1000)) echo_t "SERVICE_NTPD : Starting NTP Quick Sync" >> $NTPD_LOG_NAME t2ValNotify "SYS_INFO_NTPSTART_split" $uptime_ms - if [ "$BOX_TYPE" = "HUB4" ] || [ "$BOX_TYPE" = "SR300" ] || [ "$BOX_TYPE" = "SE501" ] || [ "$BOX_TYPE" = "SR213" ] || [ "$BOX_TYPE" = "WNXL11BWL" ] || [ "$ntpHealthCheck" = "true" ]; then - if [ $WAN_IPv6_UP -eq 1 ]; then - $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -l $NTPD_LOG_NAME & - QUICK_SYNC_PID=$! - else - $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -4 -l $NTPD_LOG_NAME & - QUICK_SYNC_PID=$! - fi - else - $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -l $NTPD_LOG_NAME & - QUICK_SYNC_PID=$! - fi + $BIN -c $NTP_CONF_QUICK_SYNC --interface "$QUICK_SYNC_WAN_IP" -x -gq -l $NTPD_LOG_NAME & + QUICK_SYNC_PID=$! if [ -n "$QUICK_SYNC_PID" ];then set_ntp_quicksync_status fi diff --git a/source/scripts/init/service.d/service_sshd.sh b/source/scripts/init/service.d/service_sshd.sh index a2ba75cc..00c40b62 100755 --- a/source/scripts/init/service.d/service_sshd.sh 
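Review bot: With the `-4` branch removed, the quick-sync ntpd is always started without an address-family restriction, including on the platforms that previously forced IPv4 whenever `WAN_IPv6_UP` was not 1. If `$QUICK_SYNC_WAN_IP` is an IPv4 address and the configured server names also resolve to AAAA records, the one-shot `-gq` run may spend its time on IPv6 peers it cannot reach; this is worth confirming on an IPv4-only WAN, because a late clock delays everything that depends on certificate validity. The new line also expands `$BIN`, `$NTP_CONF_QUICK_SYNC` and `$NTPD_LOG_NAME` unquoted; I would write `"$BIN" -c "$NTP_CONF_QUICK_SYNC" --interface "$QUICK_SYNC_WAN_IP" -x -gq -l "$NTPD_LOG_NAME" &`. service_start continues outside the hunk.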
+++ b/source/scripts/init/service.d/service_sshd.sh @@ -195,18 +195,6 @@ do_start() { commandString="$commandString -p [$CM_IPV6]:22" fi fi - elif [ "$BOX_TYPE" = "SCER11BEL" -a "$LANIPV6Support" = "true" ]; then - # In IPv6 only case (MAP-T), and if IPv6 GUA on LAN enabled case, use brlan0 interface to get v6 global address. - CM_IPV6=`ip -6 addr show dev brlan0 scope global | awk '/inet/{print $2}' | cut -d '/' -f1 | head -n1` - if [ ! -z "$CM_IPV6" ]; then - commandString="$commandString -p [$CM_IPV6]:22" - fi - - # Check IPv4 address. - CM_IPV4=`ip -4 addr show dev $CMINTERFACE scope global | awk '/inet/{print $2}' | cut -d '/' -f1` - if [ ! -z "$CM_IPV4" ]; then - commandString="$commandString -p [$CM_IPV4]:22" - fi elif [ "$BOX_TYPE" = "WNXL11BWL" ]; then CM_IP=`ip -4 addr show dev $CMINTERFACE scope global | awk '/inet/{print $2}' | cut -d '/' -f1 | head -n1` if [ ! -z $CM_IP ]; then @@ -270,8 +258,6 @@ do_start() { if ([ "$MANUFACTURE" = "Technicolor" ] || [ "$MODEL_NUM" = "SG417DBCT" ] || [ "$BOX_TYPE" = "WNXL11BWL" ]) ; then echo_t "dropbear -E -s -K 60 -b /etc/sshbanner.txt ${commandString} -r ${DROPBEAR_PARAMS_1} -r ${DROPBEAR_PARAMS_2} -a -P ${PID_FILE}" dropbear -E -s -b /etc/sshbanner.txt $commandString -r $DROPBEAR_PARAMS_1 -r $DROPBEAR_PARAMS_2 -a -P $PID_FILE -K 60 $USE_DEVKEYS 2>>$CONSOLEFILE - elif [ "$BOX_TYPE" = "SCER11BEL" -a "$LANIPV6Support" = "true" ]; then - dropbear -E -s -b /etc/sshbanner.txt $commandString -r $DROPBEAR_PARAMS_1 -r $DROPBEAR_PARAMS_2 -a -P $PID_FILE -K 60 $USE_DEVKEYS 2>>$CONSOLEFILE else dropbear -E -s -b /etc/sshbanner.txt -a -r $DROPBEAR_PARAMS_1 -r $DROPBEAR_PARAMS_2 -p [$CM_IP]:22 -P $PID_FILE $USE_DEVKEYS 2>>$CONSOLEFILE fi From f4cb252a7e283f1a01711f87cb7309a58f355a18 Mon Sep 17 00:00:00 2001 
From: Sivaraj Sivalingam Date: Tue, 19 May 2026 16:53:15 -0400 Subject: [PATCH 08/12] RDKB-64891: Add support for PsidOffset 0 (#316) RDKB-64891: Add support for PsidOffset 0 Reason for change: Bring the changes added to support PsidOffset 0 on the 8.2 release with [RDKB-64484] [gerrit Change-Id: Ic7756a545a75bd77328d2ea08853d1b02b70ac75] Risks: High Priority: P1 Signed-off-by: Sivaraj_Sivalingam@comcast.com --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Harnish Patel <163233851+hpatel006c@users.noreply.github.com> --- source/firewall/firewall.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index b9354061..50538050 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -1110,8 +1110,8 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) char ipaddress_str[BUFLEN_32] = {0}; char mapt_config_ratio_str[BUFLEN_64] = {0}; char mapt_config_value[BUFLEN_8] = {0}; - unsigned int contiguous_port = 0; - int ratio = 0; + unsigned int contiguous_port = 0; + int block_shift = 0; int port = 0; unsigned int i =0; unsigned int j = 0; 
@@ -1263,16 +1263,22 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) psidLen = atoi(sysevent_val); - if (offset == 0) - offset = 6; - a = (1 << offset); m = 16 - (psidLen + offset); contiguous_port = (1 << m); - ratio = 16 - offset; + block_shift = 16 - offset; - // Exclude i=0 block as per original logic - total_ports = (a * contiguous_port) - contiguous_port; + // total ports + if (offset == 0) + { + /* Single contiguous block (psid = 0 will use the well-known ports) */ + total_ports = a * contiguous_port; + } + else + { + /* Skip first block (well-known ports) as reserved ports */ + total_ports = (a - 1) * contiguous_port; + } memset(sysevent_val, 0, sizeof(sysevent_val)); snprintf(sysevent_val, sizeof(sysevent_val), "%u", total_ports); if(sysevent_set(sysevent_fd, sysevent_token, SYSEVENT_MAPT_TOTAL_PORTS, sysevent_val, 0) != 0) @@ -1282,13 +1288,15 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) FIREWALL_DEBUG("MAPT Info: offset=%u, psid=%u, psidLen=%u, port_blocks=%u, contiguous_port=%u, total_ports=%u \n" COMMA offset COMMA psid COMMA psidLen COMMA a COMMA contiguous_port COMMA total_ports); + int start_i = (offset == 0) ? 0 : 1; + /* Start of port range parameters. */ /* create rules */ - for(i=1; i< (a); i++) + for(i = start_i; i < a; i++) { for(j=0; j<(contiguous_port); j++) { - port = (i< Date: Wed, 20 May 2026 08:04:58 +0000 Subject: [PATCH 09/12] Add changelog for release 2.5.1 --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2f6d657..8ce77096 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
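Review bot: Removing the `offset = 6` fallback makes 0 a live value, yet nothing in this hunk bounds `offset` and `psidLen` before `m = 16 - (psidLen + offset)` and `contiguous_port = (1 << m)`; when their sum exceeds 16 the shift count is negative or oversized, which is undefined behaviour. `psidLen` comes from `atoi(sysevent_val)`, which returns 0 for unparsable input, and if `offset` is read the same way (that code is outside the hunk) a missing or malformed sysevent value now selects the offset-0 path, which per the new comment includes the well-known ports, where it used to fall back to 6. Both values are printed with `%u`, so presumably unsigned: a guard ahead of the shifts such as `if (offset > 16 || psidLen > 16 - offset) { /* log and take the function's error return */ }`, together with `strtoul` and an end-pointer check for the parse, would cover both cases. do_mapt_rules_v4 starts and ends outside the hunk.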
@@ -4,13 +4,29 @@ All notable changes to this project will be documented in this file. Dates are d Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). +#### [2.5.1](https://github.com/rdkcentral/utopia/compare/2.5.0...2.5.1) + +- RDKB-64891: Add support for PsidOffset 0 [`#316`](https://github.com/rdkcentral/utopia/pull/316) +- RDKB-58910, RDKB-60010 : Move the WAN IPV6 configuration from brlan0 [`#69`](https://github.com/rdkcentral/utopia/pull/69) +- RDKB-64265: Removing erouter0 hardcode for reusability for different wan interface [`#311`](https://github.com/rdkcentral/utopia/pull/311) +- RDKCOM-5574: RDKBDEV-3417 RDKBACCL-1092 FW Upgrade is not working via tftp server configurations [`#285`](https://github.com/rdkcentral/utopia/pull/285) +- RDKB-62889: Reduce Repetitive logging [`#300`](https://github.com/rdkcentral/utopia/pull/300) +- Revert "RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature" [`#313`](https://github.com/rdkcentral/utopia/pull/313) +- RDKB-62529: Able to access the blocked port HTTPS sites [`#283`](https://github.com/rdkcentral/utopia/pull/283) +- SHARMAN-4067 Delay in NTP sync observed after FactoryReset [`#306`](https://github.com/rdkcentral/utopia/pull/306) +- XB10-2633: [26Q2_Sprint][OS][Residential]Connected clients are not receiving IPv6 addresses and do not have IPv6 internet connectivity. 
[`#298`](https://github.com/rdkcentral/utopia/pull/298) +- Merge tag '2.5.0' into develop [`721f70a`](https://github.com/rdkcentral/utopia/commit/721f70a1cdd0c595fc785bccb88e0ec25502a78a) + #### [2.5.0](https://github.com/rdkcentral/utopia/compare/2.4.0...2.5.0) +> 7 May 2026 + - RDKB-64189: Enable ZRAM to optimize and reduce RDKB memory usage [`#291`](https://github.com/rdkcentral/utopia/pull/291) - RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature [`#282`](https://github.com/rdkcentral/utopia/pull/282) - RDKB-64365: TCP / UDP port usage DMs returns empty value [`#299`](https://github.com/rdkcentral/utopia/pull/299) - RDKCOM-5533: RDKBDEV-3385 VODAFONE-45 Sysevent daemon getting stuck due to fd & worker exhaustion [`#230`](https://github.com/rdkcentral/utopia/pull/230) - RDKB-64588: High impact coverity issues in utopia [`#293`](https://github.com/rdkcentral/utopia/pull/293) +- Add changelog for release 2.5.0 [`03b1826`](https://github.com/rdkcentral/utopia/commit/03b18263d34d270adc8bd7a0a3c9e26b5448acf8) - Merge tag '2.4.0' into develop [`3a3b46b`](https://github.com/rdkcentral/utopia/commit/3a3b46b3c1435ad8befba696d37f54125c1939aa) #### [2.4.0](https://github.com/rdkcentral/utopia/compare/2.3.0...2.4.0) From 691a6e16ce23547d2fee0616412778507fe31e14 Mon Sep 17 00:00:00 2001 From: manigandanj <47597704+manigandanj@users.noreply.github.com> Date: Tue, 26 May 2026 22:55:23 +0530 Subject: [PATCH 10/12] =?UTF-8?q?RDKCOM-5582:=20RDKBDEV-3436,=20RDKBACCL-8?= =?UTF-8?q?67=20brlan0=20not=20getting=20ip=20when=20switched=20from=20bri?= =?UTF-8?q?dge=20mode=20to=E2=80=A6=20(#95)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit … router mode in Bananapi Reason for change: Having same sysevent handler for reference platform Test procedure: Tested bridge-mode and router mode switching Risks: None 
Signed-off-by: Manigandan Gopalakrishnan Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- source/scripts/init/c_registration/02_ipv4.c | 2 +- source/scripts/init/c_registration/02_lanHandler.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source/scripts/init/c_registration/02_ipv4.c b/source/scripts/init/c_registration/02_ipv4.c index 50d052c6..885f55fe 100644 --- a/source/scripts/init/c_registration/02_ipv4.c +++ b/source/scripts/init/c_registration/02_ipv4.c @@ -66,7 +66,7 @@ const char* SERVICE_DEFAULT_HANDLER_BCI = "/etc/utopia/service.d/service_ipv4_bc * keep the define outside of the string quotation symbols * eg. "event3|/etc/code|"ACTION_FLAG_NOT_THREADSAFE"|"TUPLE_FLAG_SERIAL */ -#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) +#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) && !defined(_PLATFORM_BANANAPI_R4_) const char* SERVICE_CUSTOM_EVENTS[] = { "ipv4-resyncAll|/etc/utopia/service.d/service_ipv4.sh|NULL|"TUPLE_FLAG_EVENT, "ipv4-resync|/etc/utopia/service.d/service_ipv4.sh|NULL|"TUPLE_FLAG_EVENT, diff --git a/source/scripts/init/c_registration/02_lanHandler.c b/source/scripts/init/c_registration/02_lanHandler.c index a24f2b4d..6c314f96 100644 --- a/source/scripts/init/c_registration/02_lanHandler.c +++ b/source/scripts/init/c_registration/02_lanHandler.c 
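Review bot: The same six-term exclusion list is now maintained by hand in two places, this `#if` in 02_ipv4.c and the matching one in 02_lanHandler.c, so a platform added to one and missed in the other would end up with mismatched handler tables for the ipv4 and lan events. Consider deriving one feature macro from the platform defines in a shared header and testing it in both files, and add a comment above each `#if` naming the platforms that take the `SERVICE_CUSTOM_EVENTS` table defined under it. The conditional block continues outside the hunk, so which table `_PLATFORM_BANANAPI_R4_` builds fall through to is not visible here.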
@@ -43,7 +43,7 @@ #define SERVICE_NAME "lan" #define SERVICE_DEFAULT_HANDLER "/etc/utopia/service.d/lan_handler.sh" -#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) +#if defined(_COSA_INTEL_USG_ARM_) && !defined(INTEL_PUMA7) && !defined(_COSA_BCM_ARM_) && !defined(_PLATFORM_IPQ_) && !defined(_COSA_QCA_ARM_) && !defined(_PLATFORM_BANANAPI_R4_) const char* SERVICE_CUSTOM_EVENTS[] = { "pnm-status|/etc/utopia/service.d/lan_handler.sh", "bring-lan|/usr/bin/service_dhcp", From e58f6055676c52467b474f4922ec7a35671c9558 Mon Sep 17 00:00:00 2001 From: SanthoshGujulvajagadeesh <68006718+SanthoshGujulvajagadeesh@users.noreply.github.com> Date: Wed, 27 May 2026 17:12:40 +0530 Subject: [PATCH 11/12] RDKB-64184, RDKB-64546 : Add system defaults for RFCs in CUJO 26.1 release (#328) Reason for change: Add system defaults for the following RFCs * Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.NetworkIntelligence.Enable * Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.NetworkIntelligence.MemoryLimit * Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.AdvSecDNSECHBlocking.Enable * Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.AdvSecDoHBlocking.Enable Test Procedure: 1) Cujo Agent process should work as designed. 2) If Network Intelligence RFC is enabled, cujo-qosd process should work as designed. Risks: Low Priority: P1 Signed-off-by: Santhosh_GujulvaJagadeesh@comcast.com --- source/scripts/init/defaults/system_defaults_arm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source/scripts/init/defaults/system_defaults_arm b/source/scripts/init/defaults/system_defaults_arm index 9f039503..9af3ea17 100755 --- a/source/scripts/init/defaults/system_defaults_arm +++ b/source/scripts/init/defaults/system_defaults_arm 
@@ -939,6 +939,7 @@ $Adv_AdvSecOTMRFCEnable=1 $Adv_AdvSecUserSpaceRFCEnable=0 $Adv_WifiDataCollectionRFCEnable=0 $Adv_LevlRFCEnable=0 +$Adv_AdvSecNetworkIntelligenceRFCEnable=0 $Adv_AdvSecAgentRFCEnable=1 $Adv_AdvSecSafeBrowsingRFCEnable=1 $Adv_AdvSecCujoTelemetryWiFiFPRFCEnable=0 @@ -946,6 +947,8 @@ $Adv_AdvSecCujoTracerRFCEnable=0 $Adv_AdvSecCujoTelemetryRFCEnable=0 $Adv_SATERFCEnable=0 $Adv_TCPTrackerFilterDevicesRFCEnable=0 +$Adv_DoHBlockingRFCEnable=0 +$Adv_DNSECHBlockingRFCEnable=0 $Adv_RaptrRFCEnable=1 #Firewall log settings @@ -1295,6 +1298,9 @@ $Advsecurity_RabidMacCacheSize=10000 # Rabid dnscache size $Advsecurity_RabidDNSCacheSize=10000 +# cujo-ni memory limit +$Advsecurity_NetworkIntelligenceMemoryLimit=15 + #Ethernet bhaul bridge migration for LnF $iot_brname=br106 From f6685e20c9dbf319e06be5c68546b6df8ed28237 Mon Sep 17 00:00:00 2001 From: Sivagami27-Rasu <118176227+Sivagami27-Rasu@users.noreply.github.com> Date: Tue, 2 Jun 2026 02:07:25 +0530 Subject: [PATCH 12/12] XER10-2920 To bring the apply_system_defaults_psm in xer10-sky-uk (#329) To bring the /usr/bin/apply_system_defaults_psm in xer10-sky-uk. Adding xer10-sdk6.3 machine in configure.ac file --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index cb477656..045bd2ae 100644 --- a/configure.ac +++ b/configure.ac @@ -105,7 +105,7 @@ if test x"${MACHINE}" != x; then [The machine type]) fi -AM_CONDITIONAL([MACHINE_SCXER10], [test "x$MACHINE" = "xscxer10"]) +AM_CONDITIONAL([MACHINE_SCXER10], [echo "$MACHINE" | grep -q "scxer10"]) AM_CONDITIONAL([MULTILAN_FEATURE], [test "$MULTILAN_FEATURE" = "yes"]) AM_CONDITIONAL([CPC_FIREWALL_ENABLE], [test "x$CPC_FIREWALL_ENABLE" = "xtrue"])
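Review bot: `$Advsecurity_NetworkIntelligenceMemoryLimit=15` is introduced with the comment `# cujo-ni memory limit`, which gives neither the unit of 15 nor the accepted range. A resource cap whose unit is guessed wrong is either ineffective or starves the process it is meant to contain. I would extend the comment to `# cujo-ni memory limit in <unit>, valid range <min>-<max>`, with the placeholders filled in by the author.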
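Review bot: `echo "$MACHINE" | grep -q "scxer10"` is an unanchored substring match, so `MACHINE_SCXER10` becomes true for every machine name that merely contains `scxer10`, not only the variant this change is meant to add. An explicit pattern keeps the set of affected builds reviewable and avoids the extra processes, for example `AM_CONDITIONAL([MACHINE_SCXER10], [case "$MACHINE" in scxer10|scxer10-*) true ;; *) false ;; esac])`, with the pattern adjusted to the real machine names. A comment listing the machine names expected to match would also help, since the commit message mentions a machine string that is not obviously covered by the pattern.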