Rebase with develop

CHANGELOG.md

@@ -4,13 +4,29 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [2.5.1](https://github.com/rdkcentral/utopia/compare/2.5.0...2.5.1)
+
+- RDKB-64891: Add support for PsidOffset 0 [`#316`](https://github.com/rdkcentral/utopia/pull/316)
+- RDKB-58910, RDKB-60010 : Move the WAN IPV6 configuration from brlan0 [`#69`](https://github.com/rdkcentral/utopia/pull/69)
+- RDKB-64265:  Removing erouter0 hardcode for reusability for different wan interface [`#311`](https://github.com/rdkcentral/utopia/pull/311)
+- RDKCOM-5574: RDKBDEV-3417 RDKBACCL-1092 FW Upgrade is not working via tftp server configurations [`#285`](https://github.com/rdkcentral/utopia/pull/285)
+- RDKB-62889: Reduce Repetitive logging [`#300`](https://github.com/rdkcentral/utopia/pull/300)
+- Revert "RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature" [`#313`](https://github.com/rdkcentral/utopia/pull/313)
+- RDKB-62529: Able to access the blocked port HTTPS sites [`#283`](https://github.com/rdkcentral/utopia/pull/283)
+- SHARMAN-4067 Delay in NTP sync observed after FactoryReset [`#306`](https://github.com/rdkcentral/utopia/pull/306)
+- XB10-2633: [26Q2_Sprint][OS][Residential]Connected clients are not receiving IPv6 addresses and do not have IPv6 internet connectivity. [`#298`](https://github.com/rdkcentral/utopia/pull/298)
+- Merge tag '2.5.0' into develop [`721f70a`](https://github.com/rdkcentral/utopia/commit/721f70a1cdd0c595fc785bccb88e0ec25502a78a)
+
 #### [2.5.0](https://github.com/rdkcentral/utopia/compare/2.4.0...2.5.0)
 
+> 7 May 2026
+
 - RDKB-64189: Enable ZRAM to optimize and reduce RDKB memory usage [`#291`](https://github.com/rdkcentral/utopia/pull/291)
 - RDKB-64265 Hardcoded WAN Interface Name (erouter0) in Business Gateway Feature [`#282`](https://github.com/rdkcentral/utopia/pull/282)
 - RDKB-64365: TCP / UDP port usage DMs returns empty value [`#299`](https://github.com/rdkcentral/utopia/pull/299)
 - RDKCOM-5533: RDKBDEV-3385 VODAFONE-45 Sysevent daemon getting stuck due to fd & worker exhaustion [`#230`](https://github.com/rdkcentral/utopia/pull/230)
 - RDKB-64588: High impact coverity issues in utopia [`#293`](https://github.com/rdkcentral/utopia/pull/293)
+- Add changelog for release 2.5.0 [`03b1826`](https://github.com/rdkcentral/utopia/commit/03b18263d34d270adc8bd7a0a3c9e26b5448acf8)
 - Merge tag '2.4.0' into develop [`3a3b46b`](https://github.com/rdkcentral/utopia/commit/3a3b46b3c1435ad8befba696d37f54125c1939aa)
 
 #### [2.4.0](https://github.com/rdkcentral/utopia/compare/2.3.0...2.4.0)

configure.ac

@@ -105,7 +105,7 @@ if test x"${MACHINE}" != x; then
                      [The machine type])
 fi
 
-AM_CONDITIONAL([MACHINE_SCXER10], [test "x$MACHINE" = "xscxer10"])
+AM_CONDITIONAL([MACHINE_SCXER10], [echo "$MACHINE" | grep -q "scxer10"])
 
 AM_CONDITIONAL([MULTILAN_FEATURE], [test "$MULTILAN_FEATURE" = "yes"])
 AM_CONDITIONAL([CPC_FIREWALL_ENABLE], [test "x$CPC_FIREWALL_ENABLE" = "xtrue"])

source/firewall/Makefile.am

@@ -27,7 +27,7 @@ if ONESTACK_PRODUCT_REQ
 AM_LDFLAGS += -lrdkb_feature_mode_gate
 endif
 
-firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c  firewall_ext.c
+firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c  firewall_ext.c firewall_utils.c
 if CPC_FIREWALL_ENABLE
 firewall_SOURCES += firewall_lib.c firewall_dsl.c rabid.c
 AM_LDFLAGS += -lrdkconfig

source/firewall/firewall.c

@@ -745,8 +745,6 @@ int rfstatus;
  * For simplicity purposes we cap the number of syscfg entries within a
  * specific namespace. This cap is controlled by MAX_SYSCFG_ENTRIES
  */
-#define MAX_PORT 65535
-
 #define MAX_NAMESPACE 64
 
 #define MAX_SRC_IP_TABLE_ROW    10   /*RDKB-7145, CID-33123, defining max size for src_ip[MAX_SRC_IP_TABLE_ENTRY][]*/
@@ -870,7 +868,6 @@ void firewall_log( char* fmt, ...)
 #ifdef WAN_FAILOVER_SUPPORTED
 unsigned int Get_Device_Mode()
 {
-	FIREWALL_DEBUG("Inside Get_Device_Mode\n");
         syscfg_get(NULL, "Device_Mode", dev_type, sizeof(dev_type));
         unsigned int dev_mode = atoi(dev_type);
         Dev_Mode mode;
@@ -926,7 +923,6 @@ char* get_iface_ipaddr(const char* iface_name)
 
 bool isServiceNeeded()
 {
-        FIREWALL_DEBUG("Inside isServiceNeeded\n");
         if (Get_Device_Mode()==EXTENDER_MODE)
         {
 		FIREWALL_DEBUG("Service Not Needed\n");
@@ -945,7 +941,6 @@ bool isServiceNeeded()
 		}
         }
 
-      FIREWALL_DEBUG("returning true\n");
     return TRUE;
 }
 #endif
@@ -1115,8 +1110,8 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp)
     char ipaddress_str[BUFLEN_32] = {0};
     char mapt_config_ratio_str[BUFLEN_64] = {0};
     char mapt_config_value[BUFLEN_8] = {0};
-    unsigned int contiguous_port = 0;
-    int ratio = 0;
+   unsigned int contiguous_port = 0;
+   int block_shift = 0;
     int port = 0;
     unsigned int i =0;
     unsigned int j = 0;
@@ -1268,16 +1263,22 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp)
 
         psidLen = atoi(sysevent_val);
 
-        if (offset == 0)
-            offset = 6;
-
         a = (1 << offset);
         m = 16 - (psidLen + offset);
         contiguous_port = (1 << m);
-        ratio = 16 - offset;
+        block_shift = 16 - offset;
 
-        // Exclude i=0 block as per original logic
-        total_ports = (a * contiguous_port) - contiguous_port;
+        // total ports
+        if (offset == 0)
+        {
+            /* Single contiguous block (psid = 0 will use the well-known ports) */
+            total_ports = a * contiguous_port;
+        }
+        else
+        {
+            /* Skip first block (well-known ports) as reserved ports */
+            total_ports = (a - 1) * contiguous_port;
+        }
         memset(sysevent_val, 0, sizeof(sysevent_val));
         snprintf(sysevent_val, sizeof(sysevent_val), "%u", total_ports);
         if(sysevent_set(sysevent_fd, sysevent_token, SYSEVENT_MAPT_TOTAL_PORTS, sysevent_val, 0) != 0)
@@ -1287,13 +1288,15 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp)
         FIREWALL_DEBUG("MAPT Info: offset=%u, psid=%u, psidLen=%u, port_blocks=%u, contiguous_port=%u, total_ports=%u \n" COMMA
             offset COMMA psid COMMA psidLen COMMA a COMMA  contiguous_port COMMA total_ports);
 
+        int start_i = (offset == 0) ? 0 : 1;
+
         /* Start of port range parameters. */
         /* create rules */
-        for(i=1; i< (a); i++)
+        for(i = start_i; i < a; i++)
         {
             for(j=0; j<(contiguous_port); j++)
             {
-                port = (i<<ratio) + (psid <<(m)) + j;
+               port = (i << block_shift) + (psid << m) + j;
 
                 if(j == 0)
                     initialPortValue = port;
@@ -3313,7 +3316,6 @@ int do_single_port_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *f
            FIREWALL_DEBUG("Entering do_single_port_forwarding\n");
 #if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
    BOOL isBothProtocol = FALSE;
-   BOOL isFeatureDisabled = TRUE;
 #endif
    query[0] = '\0';
    rc = syscfg_get(NULL, "SinglePortForwardCount", query, sizeof(query)); 
@@ -3328,12 +3330,6 @@ int do_single_port_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *f
          count = MAX_SYSCFG_ENTRIES;
       }
    }
-#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
-   {
-       FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA TRUE);
-       isFeatureDisabled = FALSE;
-   }
-#endif
 
    for (idx=1 ; idx<=count ; idx++) {
       namespace[0] = '\0';
@@ -3685,12 +3681,6 @@ int do_single_port_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *f
 #endif
    }
 SinglePortForwardNext:
-#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
-     if(isFeatureDisabled == TRUE)
-     {
-         FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA FALSE);
-     }
-#endif
            FIREWALL_DEBUG("Exiting do_single_port_forwarding\n");       
    return(0);
 }
@@ -3714,7 +3704,6 @@ int do_port_range_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *fi
    int count;
 #if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
    BOOL isBothProtocol = FALSE;
-   BOOL isFeatureDisabled = TRUE;
 #endif
 
 #ifdef CISCO_CONFIG_TRUE_STATIC_IP 
@@ -3735,10 +3724,6 @@ int do_port_range_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *fi
          count = MAX_SYSCFG_ENTRIES;
       }
    }
-#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
-   FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA TRUE);
-   isFeatureDisabled = FALSE;
-#endif
 
    for (idx=1 ; idx<=count ; idx++) {
       namespace[0] = '\0';
@@ -4142,13 +4127,6 @@ int do_port_range_forwarding(FILE *nat_fp, FILE *filter_fp, int iptype, FILE *fi
 
    }
 PortRangeForwardNext:
-#if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
-      if (isFeatureDisabled == TRUE)
-      {
-          FIREWALL_DEBUG("PortMapping:Feature Enable %d\n" COMMA FALSE);
-      }
-#endif
-
          FIREWALL_DEBUG("Exiting do_port_range_forwarding\n");
 
    return(0);
@@ -6343,7 +6321,6 @@ static int remote_access_set_proto(FILE *filt_fp, FILE *nat_fp, const char *port
   	char httpsport[64] = {0};
   	char tmpQuery[MAX_QUERY];
 
-         FIREWALL_DEBUG("Entering remote_access_set_proto\n");   
         ret = syscfg_get(NULL, "mgmt_wan_httpport", httpport, sizeof(port));
 #if defined(CONFIG_CCSP_WAN_MGMT_PORT)
           tmpQuery[0] = '\0';
@@ -6384,7 +6361,6 @@ static int remote_access_set_proto(FILE *filt_fp, FILE *nat_fp, const char *port
         fprintf(filt_fp, "-A INPUT -i %s %s -p tcp -m tcp --dport %s -j ACCEPT\n", interface, src, port); 
       }
     }
-         FIREWALL_DEBUG("Exiting remote_access_set_proto\n");    
     return 0;
 }
 int wan_lan_webui_attack(FILE *fp, const char *interface)
@@ -9148,14 +9124,6 @@ static int do_parcon_device_cloud_mgmt(FILE *fp, int iptype, FILE *cron_fp)
    return(0);
 }
 
-static int validate_port(char* port_num)
-{
-   int port = atoi(port_num);
-   if ( port <= 0 || port > MAX_PORT )
-      return -1;
-
-   return 0;
-}
 /*
  * add parental control managed service(ports) rules
  */
@@ -10142,21 +10110,9 @@ static int do_lan2wan_misc(FILE *filter_fp)
         else if (strcmp(query,"ACCEPT") == 0) {
             fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 1723  -j ACCEPT\n");
         }
-        char sites_enabled[MAX_QUERY];
-        sites_enabled[0] = '\0';
-        syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled));
-        if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled
-        {
-            syscfg_get("blockssl", "result", query, sizeof(query));
-            if (strcmp(query,"DROP") == 0) {
-                fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443  -j DROP\n");
-                fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443  -j DROP\n");
-            }
-            else if(strcmp(query,"ACCEPT") == 0) {
-                fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443  -j ACCEPT\n");
-                fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443  -j ACCEPT\n");
-            }
-        }
+
+        // Apply SSL blocking rule
+        do_ssl_blocking_rules(filter_fp, "lan2wan_misc");
     }
 #endif
 
@@ -12039,6 +11995,7 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE *
 
 #if defined (_PLATFORM_BANANAPI_R4_)
        isRawTableUsed = 1;
+       fprintf(raw_fp, "-F\n");
        fprintf(raw_fp, "-A OUTPUT -p udp --dport 69 -j CT --helper tftp\n");
 #endif
 

source/firewall/firewall.h

@@ -1246,3 +1246,32 @@ void  proxy_dns(FILE *nat_fp,int family);
 */
 void get_iface_ipaddr_ula(const char* ifname,char* ipaddr, int max_ip_size);
 #endif
+
+#define MAX_PORT 65535
+
+/**
+* @brief Validate if a port number string is valid.
+*
+* @param[in] port_num - Pointer to the port number string.
+*
+* @return The status of the operation.
+* @retval 0 if port is valid (1-65535).
+* @retval -1 if port is invalid.
+*
+*/
+int validate_port(const char* port_num);
+
+/**
+* @brief Apply SSL blocking rules based on managed sites/services configuration.
+*
+* Checks if managed sites or managed services (with port 443) are enabled,
+* and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443.
+* Rules are skipped per protocol if managed services covers that protocol on port 443.
+*
+* @param[in] fp         - Pointer to the FILE stream for writing firewall rules.
+* @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6").
+*
+* @return None.
+*
+*/
+void do_ssl_blocking_rules(FILE *fp, const char *chain_name);

source/firewall/firewall_ipv6.c

@@ -186,9 +186,9 @@ int numifs = sizeof(ifnames) / sizeof(*ifnames);
 #define V6_BLOCKFRAGIPPKT   "v6_BlockFragIPPkts"
 #define V6_PORTSCANPROTECT  "v6_PortScanProtect"
 #define V6_IPFLOODDETECT    "v6_IPFloodDetect"
-
+#define IPV6_PREFIX_BUF_LEN 128
 #if defined (_ONESTACK_PRODUCT_REQ_)
-static char ipv6_delegation_prefix[129] ={0};
+static char ipv6_delegation_prefix[IPV6_PREFIX_BUF_LEN+1] ={0};
 #endif
 /*
  ****************************************************************
@@ -269,17 +269,15 @@ int prepare_ipv6_firewall(const char *fw_file)
 		ret=-2;
 		goto clean_up_files;
 	}
-        
-    #if defined (_ONESTACK_PRODUCT_REQ_)
-	 char sysEventName[256] ={0};
+#if defined (_ONESTACK_PRODUCT_REQ_)
+	char sysEventName[256] ={0};
+	memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix));
 	if (isFeatureSupportedInCurrentMode(FEATURE_IPV6_DELEGATION))
 	{
-	    snprintf(sysEventName, sizeof(sysEventName), "tr_%s_dhcpv6_client_v6pref", current_wan_ifname);
-	    memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix));
-	    memset(ipv6_delegation_prefix, 0, sizeof(ipv6_delegation_prefix));
-	    sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix));
+		snprintf(sysEventName, sizeof(sysEventName), "tr_%s_dhcpv6_client_v6pref", current_wan_ifname);
+		sysevent_get(sysevent_fd, sysevent_token, sysEventName, ipv6_delegation_prefix, sizeof(ipv6_delegation_prefix));
 	}
-   #endif
+#endif 
 
    #ifdef RDKB_EXTENDER_ENABLED  
 
@@ -423,6 +421,10 @@ int prepare_ipv6_firewall(const char *fw_file)
 
    #endif
 
+#if defined (_PLATFORM_BANANAPI_R4_)
+        fprintf(fp, "*raw\n-F\n");
+#endif
+
 	/*add rules before this*/
 #if !defined(_BWG_PRODUCT_REQ_)
 	fprintf(raw_fp, "COMMIT\n");
@@ -1254,7 +1256,7 @@ void do_ipv6_filter_table(FILE *fp){
       fprintf(fp, "-A FORWARD -d 0::/96  -j LOG_FORWARD_DROP\n");
 
       // Basic RPF check on the egress & ingress traffic
-      char prefix[129];
+      char prefix[IPV6_PREFIX_BUF_LEN+1];
       prefix[0] = 0;
 #ifdef FEATURE_MAPE
       char prev_prefix[MAX_QUERY] = {0};
@@ -1753,22 +1755,9 @@ void do_ipv6_filter_table(FILE *fp){
         fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 500  -j ACCEPT\n");
         fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 4500  -j ACCEPT\n");
     }
-    char sites_enabled[MAX_QUERY];
-    sites_enabled[0] = '\0';
-    syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled));
-    if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled
-    {
-        queryv6[0] = '\0';
+    // Apply SSL blocking rules
+    do_ssl_blocking_rules(fp, "lan2wan_misc_ipv6");
 
-        if((0 == syscfg_get(NULL, "blockssl::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){
-            fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443  -j DROP\n");
-            fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443  -j DROP\n");
-        }
-        else if(strcmp(queryv6,"ACCEPT") == 0){
-            fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443  -j ACCEPT\n");
-            fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443  -j ACCEPT\n");
-        }
-    }
     queryv6[0] = '\0';
 
     if((0 == syscfg_get(NULL, "blockl2tp::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){
@@ -2143,8 +2132,8 @@ typedef enum{
 void applyRoutingRules(FILE* fp,ipv6_type type)
 {
        FIREWALL_DEBUG("Entering applyRoutingRules, ipv6_type is %d \n" COMMA type);
-         char prefix[64] ;
-         memset(prefix,0,sizeof(prefix));
+         char prefix[IPV6_PREFIX_BUF_LEN+1];
+	 memset(prefix,0,sizeof(prefix));
          int i ;
          if ( ULA_IPV6 == type)
 	 {