From 687f2c9f619bee812b87c2d5361b816fe6625468 Mon Sep 17 00:00:00 2001 From: Hirrangandhi Devaraj <208949566+hirrangandhid@users.noreply.github.com> Date: Fri, 13 Feb 2026 17:53:51 +0530 Subject: [PATCH 01/10] RDKB-63137 RDKB-63214: Fetch defaultFile based on Devicemode for Onestack (#220) Reason for change: Default file should be fetched based on Devicemode for Onestack products. Test Procedure: Set Devicemode to residential/business, and ensure proper system_default file is loaded. Risks: medium Priority: P1 --- .../apply_system_defaults.c | 50 ++++++++++++++----- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c b/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c index 65596924..ced8309f 100644 --- a/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c +++ b/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c @@ -330,7 +330,7 @@ static int handle_version (char* name, char* value) return ret; } -static int check_version (void) +static int check_version (const char* defaultsFile) { char buf[1024]; char *line; @@ -338,11 +338,11 @@ static int check_version (void) char *value; FILE *fp; - fp = fopen (DEFAULT_FILE, "r"); + fp = fopen (defaultsFile, "r"); if (fp == NULL) { - printf ("[utopia] no system default file (%s) found\n", DEFAULT_FILE); + printf ("[utopia] no system default file (%s) found\n", defaultsFile); return -1; } @@ -404,7 +404,7 @@ static int check_version (void) * Parameters : * Return Value : 0 if ok, -1 if not */ -static int set_syscfg_defaults (void) +static int set_syscfg_defaults (const char *defaultsFile) { char buf[1024]; char *line; 
@@ -412,11 +412,11 @@ static int set_syscfg_defaults (void) char *value; FILE *fp; - fp = fopen (DEFAULT_FILE, "r"); + fp = fopen (defaultsFile, "r"); if (fp == NULL) { - printf ("[utopia] no system default file (%s) found\n", DEFAULT_FILE); + printf ("[utopia] no system default file (%s) found\n", defaultsFile); return -1; } @@ -474,7 +474,7 @@ static int set_syscfg_defaults (void) * Parameters : * Return Value : 0 if ok, -1 if not */ -static int set_sysevent_defaults (void) +static int set_sysevent_defaults (const char *defaultsFile) { char buf[1024]; char *line; @@ -482,11 +482,11 @@ static int set_sysevent_defaults (void) char *value; FILE *fp; - fp = fopen (DEFAULT_FILE, "r"); + fp = fopen (defaultsFile, "r"); if (fp == NULL) { - printf ("[utopia] no system default file (%s) found\n", DEFAULT_FILE); + printf ("[utopia] no system default file (%s) found\n", defaultsFile); return -1; } @@ -561,13 +561,21 @@ static int set_sysevent_defaults (void) */ static int set_defaults(void) { + const char *defaultsFile = DEFAULT_FILE; + +#ifdef _ONESTACK_PRODUCT_REQ_ + // Determine defaults file based on device mode for OneStack products + defaultsFile = onestackutils_get_defaults_file(); + APPLY_PRINT("%s - onestackutils_get_defaults_file returned %s\n", __FUNCTION__, defaultsFile); +#endif // _ONESTACK_PRODUCT_REQ_ + + APPLY_PRINT("%s: defaultsFile: %s\n", __FUNCTION__, defaultsFile); #if ! defined (ALWAYS_CONVERT) - check_version(); + check_version(defaultsFile); #endif - set_syscfg_defaults(); - set_sysevent_defaults(); - + set_syscfg_defaults(defaultsFile); + set_sysevent_defaults(defaultsFile); return 0; } @@ -3374,7 +3382,9 @@ static void getPartnerIdWithRetry(char* buf, char* PartnerID) retryCount--; } +#ifndef _ONESTACK_PRODUCT_REQ_ set_defaults(); + if (syscfg_dirty) { 
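Review bot: The return value of `onestackutils_get_defaults_file()` in `set_defaults()` is used without a NULL or empty check, yet it goes straight to `%s` in `APPLY_PRINT` and to `fopen()` in all three readers. The helper's contract is not visible in this patch, so a fallback to the compiled-in path is the safe default: `if (defaultsFile == NULL || defaultsFile[0] == '\0') defaultsFile = DEFAULT_FILE;`. The results of `check_version()`, `set_syscfg_defaults()` and `set_sysevent_defaults()` are still discarded, so a missing mode-specific file leaves the defaults unapplied while `set_defaults()` returns 0. On OneStack builds the second `APPLY_PRINT` only repeats the first.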
@@ -3382,6 +3392,7 @@ static void getPartnerIdWithRetry(char* buf, char* PartnerID) syscfg_commit(); APPLY_PRINT("Number_Of_Entries_Commited_to_Sysconfig_Database=%d\n",syscfg_dirty); } +#endif #if defined(_SYNDICATION_BUILDS_) v_secure_system( "/lib/rdk/apply_partner_customization.sh" ); @@ -3454,6 +3465,19 @@ static void getPartnerIdWithRetry(char* buf, char* PartnerID) get_PartnerID ( PartnerID ); } +#ifdef _ONESTACK_PRODUCT_REQ_ + // For OneStack products, set_defaults() must be called after get_PartnerID() to ensure the partner ID and device mode are correctly configured + set_defaults(); + + if (syscfg_dirty) + { + printf("[utopia] [init] committing default syscfg values\n"); + syscfg_commit(); + APPLY_PRINT("Number_Of_Entries_Commited_to_Sysconfig_Database=%d\n",syscfg_dirty); + } +#endif + + #if defined (_RDKB_GLOBAL_PRODUCT_REQ_) CheckAndHandleInvalidPartnerIDRecoveryProcess(PartnerID); #endif // (_RDKB_GLOBAL_PRODUCT_REQ_) From 9b0c32866772adb1bb4edae5638c81805a8a7ec8 Mon Sep 17 00:00:00 2001 From: Amaresh-Kotekal Date: Sun, 15 Feb 2026 15:30:00 -0800 Subject: [PATCH 02/10] RDKB-62810,RDKB-62812:Initialize the default variables for Virtual Voice Interface creation (#171) **Reason for change**:Setting the default variables for virtual voice interface creation **Test Procedure**: verify the virtual voice interface creation functionality. **Risks**: High **Priority**: P1 --- source/firewall/firewall.c | 10 +++ .../apply_system_defaults.c | 81 ++++++++++++++++++- 2 files changed, 90 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index b0237dd7..ce9fb1ee 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -12546,6 +12546,16 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * updateAmenityNetworkRules(filter_fp,mangle_fp , AF_INET); #endif } + #if defined(VOICE_MTA_SUPPORT) + char cVoiceRule[64] = {0}; + sysevent_get(sysevent_fd, sysevent_token, "VoiceIpRule", cVoiceRule, sizeof(cVoiceRule)); + FIREWALL_DEBUG("%s: VoiceIpRule=%s\n" COMMA __FUNCTION__ COMMA cVoiceRule); + if (strlen(cVoiceRule) > 0) + { + fprintf(filter_fp,"%s\n", cVoiceRule); + FIREWALL_DEBUG("%s: Applied VoiceIpRule\n" COMMA __FUNCTION__); + } + #endif //Add wan2self restrictions to other wan interfaces //ping is allowed to cm and mta inferfaces regardless the firewall level #if !defined(_HUB4_PRODUCT_REQ_) diff --git a/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c b/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c index ced8309f..1ffa5d9e 100644 --- a/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c +++ b/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c @@ -1458,6 +1458,19 @@ STATIC void addInSysCfgdDB (char *key, char *value) } } #endif + #if defined (VOICE_MTA_SUPPORT) + if (0 == strcmp(key, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Enabled")) + if (0 == IsValuePresentinSyscfgDB("VoiceSupport_Enabled")) + set_syscfg_partner_values(value, "VoiceSupport_Enabled"); + + if (0 == strcmp(key, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.InterfaceName")) + if (0 == IsValuePresentinSyscfgDB("VoiceSupport_IfaceName")) + set_syscfg_partner_values(value, "VoiceSupport_IfaceName"); + + if (0 == strcmp(key, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Mode")) + if (0 == IsValuePresentinSyscfgDB("VoiceSupport_Mode")) + set_syscfg_partner_values(value, "VoiceSupport_Mode"); + #endif /*VOICE_MTA_SUPPORT*/ if ( 0 == strcmp ( key, "Device.X_RDK_WebConfig.URL") ) { if ( 0 == IsValuePresentinSyscfgDB( "WEBCONFIG_INIT_URL" ) ) 
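Review bot: The `VoiceIpRule` sysevent value is written verbatim into the filter-table file by `fprintf(filter_fp,"%s\n", cVoiceRule)` in `prepare_subtables()`, so any process able to set that sysevent controls a line of the restore input, and an embedded newline would add further lines. Validate the string before emitting it, for example `if (cVoiceRule[0] != '\0' && strpbrk(cVoiceRule, "\r\n") == NULL && strncmp(cVoiceRule, "-A ", 3) == 0)`, or preferably publish only the parameters and build the rule here. The 64-byte buffer can also truncate a longer rule, and a malformed line may cause the whole table load to be rejected, so the `sysevent_get()` return and the length are worth checking. The function body starts and ends outside the hunk.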
@@ -1723,6 +1736,16 @@ STATIC void updateSysCfgdDB (char *key, char *value) set_syscfg_partner_values( value,"IPv4SecondaryDhcpServerOptions" ); } #endif + #if defined (VOICE_MTA_SUPPORT) + if (0 == strcmp(key, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Enabled")) + set_syscfg_partner_values(value, "VoiceSupport_Enabled"); + + if (0 == strcmp(key, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.InterfaceName")) + set_syscfg_partner_values(value, "VoiceSupport_IfaceName"); + + if (0 == strcmp(key, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Mode")) + set_syscfg_partner_values(value, "VoiceSupport_Mode"); + #endif /*VOICE_MTA_SUPPORT*/ if ( 0 == strcmp ( key, "Device.X_RDK_WebConfig.URL") ) { set_syscfg_partner_values( value,"WEBCONFIG_INIT_URL" ); @@ -3030,7 +3053,6 @@ static int apply_partnerId_default_values (char *data, char *PartnerID) { APPLY_PRINT("%s - Default Value of StartupIPMode is NULL\n", __FUNCTION__ ); } - paramObjVal = cJSON_GetObjectItem(cJSON_GetObjectItem( partnerObj, "Default_VoIP_Configuration_FileName"), "ActiveValue"); if ( paramObjVal != NULL ) { 
@@ -3105,7 +3127,64 @@ if ( paramObjVal != NULL ) { APPLY_PRINT("%s - Default Value of Secondary dhcp server option is NULL\n", __FUNCTION__ ); } + #endif + #if defined (VOICE_MTA_SUPPORT) + paramObjVal = cJSON_GetObjectItem(cJSON_GetObjectItem(partnerObj,"Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Enabled"),"ActiveValue"); + if(paramObjVal != NULL) + { + char *pVoiceSupportEnabled = NULL; + pVoiceSupportEnabled = paramObjVal->valuestring; + if(pVoiceSupportEnabled != NULL && pVoiceSupportEnabled[0] != '\0') + { + set_syscfg_partner_values(pVoiceSupportEnabled,"VoiceSupport_Enabled"); + } + else + { + APPLY_PRINT("%s - VoiceSupportEnabled Value is NULL\n", __FUNCTION__ ); + } + } + else + { + APPLY_PRINT("%s - VoiceSupportEnabled Object is NULL\n", __FUNCTION__ ); + } + paramObjVal = cJSON_GetObjectItem(cJSON_GetObjectItem(partnerObj,"Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.InterfaceName"),"ActiveValue"); + if(paramObjVal != NULL) + { + char *pVoiceSupportIfaceName = NULL; + pVoiceSupportIfaceName = paramObjVal->valuestring; + if(pVoiceSupportIfaceName != NULL && pVoiceSupportIfaceName[0] != '\0') + { + set_syscfg_partner_values(pVoiceSupportIfaceName,"VoiceSupport_IfaceName"); + } + else + { + APPLY_PRINT("%s - VoiceSupportIfaceName Value is NULL\n", __FUNCTION__ ); + } + } + else + { + APPLY_PRINT("%s - VoiceSupportIfaceName Object is NULL\n", __FUNCTION__ ); + } + paramObjVal = cJSON_GetObjectItem(cJSON_GetObjectItem(partnerObj,"Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Mode"),"ActiveValue"); + if(paramObjVal != NULL) + { + char *pVoiceSupportMode = NULL; + pVoiceSupportMode = paramObjVal->valuestring; + if(pVoiceSupportMode != NULL && pVoiceSupportMode[0] != '\0') + { + set_syscfg_partner_values(pVoiceSupportMode,"VoiceSupport_Mode"); + } + else + { + APPLY_PRINT("%s - VoiceSupportMode Value is NULL\n", __FUNCTION__ ); + } + } + else + { + APPLY_PRINT("%s - VoiceSupportMode Object is NULL\n", __FUNCTION__ ); + } + #endif /*VOICE_MTA_SUPPORT*/ 
paramObjVal = cJSON_GetObjectItem(cJSON_GetObjectItem( partnerObj, "Device.DeviceInfo.X_RDKCENTRAL-COM_Syndication.WANsideSSH.Enable"), "ActiveValue"); if ( paramObjVal != NULL ) { From 315e5575dfb0768b09386ad24040aa55262489c8 Mon Sep 17 00:00:00 2001 From: Suganya-Sugumar <222150366+Suganya-Sugumar@users.noreply.github.com> Date: Wed, 18 Feb 2026 05:34:22 +0000 Subject: [PATCH 03/10] Add changelog for release 2.2.0 --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f37b21e5..becd6309 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
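Review bot: The three VoiceSupport blocks in `apply_partnerId_default_values()` repeat the same lookup, NULL/empty check and `set_syscfg_partner_values()` call, differing only in the parameter name and syscfg key; the same triple appears in `addInSysCfgdDB()` and `updateSysCfgdDB()` with unbraced nested `if`s. A small static helper would remove the repetition and give one place to validate values before they are stored. `VoiceSupport_IfaceName` in particular comes straight from the partner JSON; if it is later used to build interface commands or firewall rules (not visible here), it should be checked against interface-name length and character rules first. The "Value is NULL" log text is also printed for an empty string, and the enclosing function starts and ends outside the hunk.

```c
/* Store PARAM's "ActiveValue" string from partnerObj in syscfg under syscfgKey. */
static void apply_partner_string_default(cJSON *partnerObj, const char *param, char *syscfgKey)
{
    cJSON *activeVal = cJSON_GetObjectItem(cJSON_GetObjectItem(partnerObj, param), "ActiveValue");

    if (activeVal == NULL || activeVal->valuestring == NULL || activeVal->valuestring[0] == '\0')
    {
        APPLY_PRINT("%s - %s has no usable ActiveValue\n", __FUNCTION__, param);
        return;
    }
    /* NOTE(review): validate the value here before it is persisted */
    set_syscfg_partner_values(activeVal->valuestring, syscfgKey);
}

/* … unchanged: preceding partner defaults in apply_partnerId_default_values … */
#if defined (VOICE_MTA_SUPPORT)
    apply_partner_string_default(partnerObj, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Enabled", "VoiceSupport_Enabled");
    apply_partner_string_default(partnerObj, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.InterfaceName", "VoiceSupport_IfaceName");
    apply_partner_string_default(partnerObj, "Device.X_RDKCENTRAL-COM_Epon_MTA.VoiceSupport.Mode", "VoiceSupport_Mode");
#endif /*VOICE_MTA_SUPPORT*/
```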
@@ -4,13 +4,26 @@ All notable changes to this project will be documented in this file. Dates are d Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). +#### [2.2.0](https://github.com/rdkcentral/utopia/compare/2.1.0...2.2.0) + +- RDKB-62810,RDKB-62812:Initialize the default variables for Virtual Voice Interface creation [`#171`](https://github.com/rdkcentral/utopia/pull/171) +- RDKB-63137 RDKB-63214: Fetch defaultFile based on Devicemode for Onestack [`#220`](https://github.com/rdkcentral/utopia/pull/220) +- RDKB-60656 : Available memory check for firmware downloads [`#182`](https://github.com/rdkcentral/utopia/pull/182) +- RDKB-62977 RDKB-63450: Native build for Coverity - Updating README.md [`#213`](https://github.com/rdkcentral/utopia/pull/213) +- RDKB-63378 : Set the stackmode for single build [`#206`](https://github.com/rdkcentral/utopia/pull/206) +- RDKB-62977 RDKB-63450: Native build for Coverity - Use Git Submodule [`#207`](https://github.com/rdkcentral/utopia/pull/207) +- Merge tag '2.1.0' into develop [`362d0d3`](https://github.com/rdkcentral/utopia/commit/362d0d3453af6dfe8e1cb2d08e99c946ac0dc638) + #### [2.1.0](https://github.com/rdkcentral/utopia/compare/2.0.1...2.1.0) +> 4 February 2026 + - RDKB-62660: Fix pausing device option from Xfinity app is not working [`#199`](https://github.com/rdkcentral/utopia/pull/199) - RDKB-62977 RDKB-62978: Native Build for Coverity - Updating Code [`#194`](https://github.com/rdkcentral/utopia/pull/194) - XF10-123 : Add script in cron job [`#187`](https://github.com/rdkcentral/utopia/pull/187) - XF10-286: Enable missing features in Firewall for XF10 [`#138`](https://github.com/rdkcentral/utopia/pull/138) - RDKB-62977 RDKB-62978: Native Build for Coverity [`#163`](https://github.com/rdkcentral/utopia/pull/163) +- Add changelog for release 2.1.0 [`f131a56`](https://github.com/rdkcentral/utopia/commit/f131a56ad78c6a9afacb17806ad17ed72a317165) - Merge tag '2.0.1' into develop 
[`af08995`](https://github.com/rdkcentral/utopia/commit/af0899501306757b966f203f6f4452fde7054551) #### [2.0.1](https://github.com/rdkcentral/utopia/compare/2.0.0...2.0.1) From 475404ac7b9f47b9586322140656c1473b6dab80 Mon Sep 17 00:00:00 2001 From: bunnam988 <107185904+bunnam988@users.noreply.github.com> Date: Wed, 18 Feb 2026 11:46:11 +0530 Subject: [PATCH 04/10] RDKB-60656 : Available memory check for firmware downloads (#224) RDKB-60656 : Available memory check for firmware downloads Reason for change: Before firmware download, we need to check if the device have enough memory Test Procedure: 1. while firmware download, available memory check logs should be seen. 2. If available memory < required memory, firmware download should not start. Risks: medium Priority: P1 Dependent PRs: https://github.com/rdkcentral/xconf-client/pull/13 https://github.com/rdkcentral/provisioning-and-management/pull/178 https://github.com/rdkcentral/utopia/pull/182 https://github.com/rdkcentral/cable-modem-agent/pull/23 https://github.com/rdkcentral/miscellaneous-broadband/pull/37 https://github.com/rdk-gdcs/apparmor-profiles/pull/49 Dependent Gerrits: https://gerrit.teamccp.com/#/q/topic:RDKB-60656+(status:open+OR+status:merged) --- source/scripts/init/defaults/system_defaults_xd4 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source/scripts/init/defaults/system_defaults_xd4 b/source/scripts/init/defaults/system_defaults_xd4 index 115d581b..222d7bde 100755 --- a/source/scripts/init/defaults/system_defaults_xd4 +++ b/source/scripts/init/defaults/system_defaults_xd4 @@ -1440,3 +1440,8 @@ $LatencyMeasure_TCPReportInterval=15 $RemoteDebuggerEnabled=false $RemoteDebuggerIssueType=NULL +#FwDwld_AvlMem_RsrvThreshold Default value +$FwDwld_AvlMem_RsrvThreshold=20 + +#FwDwld_ImageProcMemPercent Default value +$FwDwld_ImageProcMemPercent=0 From b1cdc480e9c2acc98ce226f53ef8a13244528996 Mon Sep 17 00:00:00 2001 
From: Goutam Damodaran <140494857+GoutamD2905@users.noreply.github.com> Date: Wed, 18 Feb 2026 16:08:59 +0530 Subject: [PATCH 05/10] =?UTF-8?q?RDKB-63137=20RDKB-63542:=20Ability=20to?= =?UTF-8?q?=20Toggle=20DeviceMode=20Using=20ActivatePar=E2=80=A6=20(#222)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RDKB-63137 RDKB-63542: Ability to Toggle DeviceMode Using ActivatePartnerID Support Reason for Change: RDKB‑63470 is a sub‑task under the RDKB‑63137 user story to implement support for the TR‑181 DeviceMode parameter. This update ensures correct toggling of DeviceMode through ActivatePartnerID. Test Procedure: The build should compile successfully, and TR‑181 operations—including setting PartnerID and activating PartnerID—must function without errors. DeviceMode transitions (residential ↔ business) should be validated as per the test steps. Risks: Low. Signed-off-by: [Goutam_Damodaran@comcast.com](mailto:Goutam_Damodaran@comcast.com) --- .../init/src/apply_system_defaults/apply_system_defaults.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c b/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c index 1ffa5d9e..de9b773a 100644 --- a/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c +++ b/source/scripts/init/src/apply_system_defaults/apply_system_defaults.c @@ -969,7 +969,9 @@ static int get_PartnerID (char *PartnerID) #endif // _ONESTACK_PRODUCT_REQ_ validatePartnerId ( PartnerID ); +#ifndef _ONESTACK_PRODUCT_REQ_ unlink("/nvram/.partner_ID"); +#endif // _ONESTACK_PRODUCT_REQ_ } set_syscfg_partner_values(PartnerID,"PartnerID"); From 58dc6679d61d10ac680ab194fbeb9806aa264d72 Mon Sep 17 00:00:00 2001 
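Review bot: With `unlink("/nvram/.partner_ID")` compiled out for `_ONESTACK_PRODUCT_REQ_` in `get_PartnerID()`, the staging file now persists, and nothing in the hunk says who removes it or when. If this branch is the one that reads the file (the read is outside the hunk), its content would be validated and written to syscfg `PartnerID` on every run, so a stale or modified file in /nvram keeps overriding the stored value. A comment on the guard would make the intent reviewable, for example `/* OneStack: keep .partner_ID so ActivatePartnerID can toggle DeviceMode; removed by <component> */`. The file's ownership and mode are also worth confirming.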
From: aj970-crypto Date: Thu, 19 Feb 2026 05:09:15 +0530 Subject: [PATCH 06/10] LTE-2775 : Observing RDKB_PROCESS_CRASHED : zebra is not running, restarting the zebra in XLE (#181) **LTE-2775 :** Observing RDKB_PROCESS_CRASHED : zebra is not running, restarting the zebra in XLE Reason for change: 1. The zebra restart logic requires **bridge mode to be 0 and the LAN to be fully started**. Previously, both LAN startup and the zebra start were triggered from the same location in service_devicemode.c. In cases where LAN initialization was slightly delayed, zebra startup would fail because it was being triggered before the LAN was ready. 2. To address this, zebra startup has been moved to service_routed.sh, ensuring that the zebra process is started only after the LAN is fully initialized. Test Procedure: Check zebra process when XLE is in router mode. Risks: Low Priority: P1 --------- Signed-off-by: aj970 Co-authored-by: Santosh Nayak <70348540+snayak002c@users.noreply.github.com> --- source/scripts/init/service.d/service_routed.sh | 5 ++++- source/service_deviceMode/service_devicemode.c | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/source/scripts/init/service.d/service_routed.sh b/source/scripts/init/service.d/service_routed.sh index 41421dde..03d65159 100755 --- a/source/scripts/init/service.d/service_routed.sh +++ b/source/scripts/init/service.d/service_routed.sh @@ -67,7 +67,10 @@ case "$1" in lan-status) status=$(sysevent get lan-status) if [ "$status" == "started" ]; then - service_routed start + service_routed start + if [ "$BOX_TYPE" == "WNXL11BWL" ]; then + service_routed radv-start + fi elif [ "$status" == "stopped" ]; then # As per Sky requirement, radvd should run with ULA prefix though the wan-status is down if [ "$BOX_TYPE" != "HUB4" ] && [ "$BOX_TYPE" != "SR300" ] && [ "$BOX_TYPE" != "SE501" ] && [ "$BOX_TYPE" != "SR213" ] && [ "$BOX_TYPE" != "WNXL11BWL" ] && [ "$LANULASupport" != "true" ]; then 
diff --git a/source/service_deviceMode/service_devicemode.c b/source/service_deviceMode/service_devicemode.c index 3626ba66..01bff266 100644 --- a/source/service_deviceMode/service_devicemode.c +++ b/source/service_deviceMode/service_devicemode.c @@ -417,7 +417,9 @@ int service_start(int mode) sysevent_set(sysevent_fd, sysevent_token, "lnf-setup", buf, 0); #endif runCommandInShellBlocking("systemctl restart CcspLMLite.service"); - sysevent_set(sysevent_fd, sysevent_token, "zebra-restart", "", 0); +#if !defined(_WNXL11BWL_PRODUCT_REQ_) + sysevent_set(sysevent_fd, sysevent_token, "zebra-restart", "", 0); +#endif } break; case DEVICE_MODE_EXTENDER: From a42a45b7a877c0f49f1cef084df44e168b230399 Mon Sep 17 00:00:00 2001 From: Krithiksha Prabhakar Date: Fri, 20 Feb 2026 07:11:32 +0530 Subject: [PATCH 07/10] RDKBNETWOR-74 : Implement MAP-E Firewall Rules (#54) Reason for change: Receive the MAP-E options from DhcpManager and configure the tunnel interface. Test Procedure: Verify functionality by passing DHCPv6 Option 94 and the ip6tnl tunnel interface is correctly configured and brought up. Testing Done : Results are captured in RDKBNETWOR-77 --------- Signed-off-by: Krithiksha Prabhakar Co-authored-by: Parthiban Selvaraj <167313466+S-Parthiban-Selvaraj@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/firewall/firewall.c | 168 +++++++++++++++++++++++++------- source/firewall/firewall.h | 8 ++ source/firewall/firewall_ipv6.c | 24 ++++- 3 files changed, 161 insertions(+), 39 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index ce9fb1ee..b6c7776c 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
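Review bot: The `zebra-restart` event in `service_start()` is dropped at compile time via `_WNXL11BWL_PRODUCT_REQ_`, while its replacement in service_routed.sh is selected at run time by `$BOX_TYPE`; if the two ever disagree on a build, nothing restarts zebra in router mode. A comment at the guard naming the new trigger would keep them tied together, e.g. `/* WNXL11BWL: zebra is started from service_routed.sh lan-status once LAN is up */`. The replacement call is `service_routed radv-start`, which presumably is what brings zebra up; that is not visible on this page. The enclosing switch case continues outside the hunk.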
@@ -487,6 +487,8 @@ void logPrintMain(char* filename, int line, char *fmt,...); #define LNF_BRIDGE "br106" #endif +BOOL isMAPEReady = 0; + #define V4_BLOCKFRAGIPPKT "v4_BlockFragIPPkts" #define V4_PORTSCANPROTECT "v4_PortScanProtect" #define V4_IPFLOODDETECT "v4_IPFloodDetect" @@ -2500,6 +2502,18 @@ static int prepare_globals_from_configuration(void) isCacheActive = (0 == strcmp("started", transparent_cache_state)) ? 1 : 0; isFirewallEnabled = (0 == strcmp("0", firewall_enabled)) ? 0 : 1; +#ifdef FEATURE_MAPE + char mape_status[32] = {0}; + char d_log[128] = {0}; + syscfg_get(NULL, "mape_config_flag", mape_status, sizeof(mape_status)); + if(!strcmp(mape_status, "true")){//MAP-E + isMAPEReady=1; + syscfg_get(NULL, "mape_ipv4_address", current_wan_ipaddr, sizeof(current_wan_ipaddr)); + } + sprintf(d_log, "isMAPEReady=%d, current_wan_ipaddr=%s\n", isMAPEReady, current_wan_ipaddr); + FIREWALL_DEBUG(d_log); +#endif + #if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) isMAPTReady = isMAPTSet(); @@ -5427,6 +5441,10 @@ static int do_wan_nat_lan_clients(FILE *fp) if (!isMAPTReady) { #endif //FEATURE_MAPT +#ifdef FEATURE_MAPE + if(!isMAPEReady) + { +#endif if (IsHotspotActive()) { #if defined (WAN_FAILOVER_SUPPORTED) @@ -5465,6 +5483,9 @@ static int do_wan_nat_lan_clients(FILE *fp) #endif /*WIFI_MANAGE_SUPPORTED*/ } } +#ifdef FEATURE_MAPE + } +#endif #if defined (FEATURE_MAPT) || defined (FEATURE_SUPPORT_MAPT_NAT46) } #endif 
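Review bot: `FIREWALL_DEBUG(d_log)` in `prepare_globals_from_configuration()` uses a buffer holding the syscfg value `mape_ipv4_address` as the format string, and the `sprintf` into the 128-byte `d_log` is unbounded. Other call sites on this page pass arguments through the macro, so the buffer can go: `FIREWALL_DEBUG("isMAPEReady=%d, current_wan_ipaddr=%s\n" COMMA isMAPEReady COMMA current_wan_ipaddr);`. The `syscfg_get()` results are unchecked, and `mape_ipv4_address` overwrites `current_wan_ipaddr` without being parsed as an IPv4 address (e.g. with `inet_pton(AF_INET, …)`), although it is later copied into `isp_connection` in `do_wan2self_attack()`. `isMAPEReady` is only ever set to 1 here; an explicit `isMAPEReady = 0;` on the other path would make the state unambiguous.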
@@ -5495,7 +5516,24 @@ static int do_wan_nat_lan_clients(FILE *fp) } // fprintf(fp, "%s\n", str); - +#ifdef FEATURE_MAPE + if(isMAPEReady) + { + unsigned short min_port = 0; + unsigned short max_port = 0; + + min_port=10000; + max_port=10000; + fprintf(fp, "-A postrouting_towan -o %s -p udp -j MASQUERADE --to-ports %hu-%hu\n", "ip6tnl", min_port, max_port); + fprintf(fp,"-A postrouting_towan -o %s -p tcp -j MASQUERADE --to-ports %hu-%hu\n", "ip6tnl", min_port, max_port); + fprintf(fp, "-A postrouting_towan -o %s -p icmp -j MASQUERADE --to-ports %hu-%hu\n", "ip6tnl", min_port, max_port); + fprintf(fp, "-A postrouting_towan -o %s -j MASQUERADE\n", "ip6tnl"); + } + else + { + fprintf(fp, "-A postrouting_towan -j SNAT --to-source %s\n", natip4); + } +#endif if (isCacheActive) { fprintf(fp, "-A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to %s:%s\n", lan_ifname, lan_ipaddr, "3128"); } @@ -6180,7 +6218,14 @@ int do_wan2self_attack(FILE *fp,char* wan_ip) // connection as well char isp_connection[MAX_QUERY]; isp_connection[0] = '\0'; - sysevent_get(sysevent_fd, sysevent_token, "ipv4_wan_ipaddr", isp_connection, sizeof(isp_connection)); + if(isMAPEReady) + { + strcpy(isp_connection, current_wan_ipaddr); + } + else + { + sysevent_get(sysevent_fd, sysevent_token, "ipv4_wan_ipaddr", isp_connection, sizeof(isp_connection)); + } if ('\0' != isp_connection[0] && 0 != strcmp("0.0.0.0", isp_connection) && 0 != strcmp(isp_connection, wan_ip)) { 
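Review bot: The MAP-E NAT block in `do_wan_nat_lan_clients()` hard-codes `min_port` and `max_port` to 10000, so every TCP and UDP flow leaving the tunnel is masqueraded to the single source port 10000 rather than the port set assigned by the MAP rule; this looks like a placeholder. `--to-ports` is documented for tcp, udp, dccp and sctp only, so the `-p icmp … --to-ports` line is likely to be rejected and can fail the whole table load. The interface is the literal `"ip6tnl"` here, while the rest of the patch uses `MAPE_TUNNEL_INTERFACE`. The `else` branch adds `-A postrouting_towan -j SNAT --to-source %s` on every non-MAP-E run of a FEATURE_MAPE build; check that it does not duplicate the SNAT rule assembled earlier in the function, which is outside the hunk.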
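Review bot: `strcpy(isp_connection, current_wan_ipaddr)` in `do_wan2self_attack()` copies without a bound into `isp_connection[MAX_QUERY]`, and under MAP-E the source has just been loaded from syscfg. Use `snprintf(isp_connection, sizeof(isp_connection), "%s", current_wan_ipaddr);` so the copy stays bounded by the destination however the two sizes evolve. The function continues outside the hunk.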
@@ -6213,9 +6258,9 @@ int do_wan2self_attack(FILE *fp,char* wan_ip) // These rules add scanners to the portscan list, and log the attempt. - fprintf(fp, "-A PortScanning -i %s -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix \"Portscan:\" -m limit --limit 1/minute --limit-burst 1\n", current_wan_ifname); + fprintf(fp, "-A PortScanning -i %s -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix \"Portscan:\" -m limit --limit 1/minute --limit-burst 1\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); - fprintf(fp, "-A PortScanning -i %s -p tcp -m tcp --dport 139 -m recent --name portscan --set -j xlog_drop_wanattack\n", current_wan_ifname); + fprintf(fp, "-A PortScanning -i %s -p tcp -m tcp --dport 139 -m recent --name portscan --set -j xlog_drop_wanattack\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); } // FIREWALL_DEBUG("Exiting do_wan2self_attack\n"); return(0); @@ -6270,13 +6315,17 @@ static int remote_access_set_proto(FILE *filt_fp, FILE *nat_fp, const char *port if ((ret != 0) || ('\0' == httpsport[0])) { strcpy(httpsport, "8181"); } - if (family == AF_INET) { - if ((0 == strcmp(httpport, port)) || (0 == strcmp(httpsport, port))) { - fprintf(filt_fp, "-A wan2self_mgmt -i %s %s -p tcp -m tcp --dport %s -j webui_limit\n", interface, src, port); - } else { - fprintf(filt_fp, "-A wan2self_mgmt -i %s %s -p tcp -m tcp --dport %s -j ACCEPT \n", interface, src, port); - } - } else { + if (family == AF_INET) + { + if ((0 == strcmp(httpport, port)) || (0 == strcmp(httpsport, port))) + { + fprintf(filt_fp, "-A wan2self_mgmt -i %s %s -p tcp -m tcp --dport %s -j webui_limit\n", interface, src, port); + } + else + { + fprintf(filt_fp, "-A wan2self_mgmt -i %s %s -p tcp -m tcp --dport %s -j ACCEPT\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:interface, src, port); + } + } else { #if defined(_COSA_BCM_MIPS_) //Fix for XF3-5627 if(0 == strcmp("80", port)) { char IPv6[INET6_ADDRSTRLEN]; 
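Review bot: Only the plain `ACCEPT` rule in `remote_access_set_proto()` switches to `MAPE_TUNNEL_INTERFACE`; the `webui_limit` rule for the HTTP/HTTPS management ports just above it still uses `interface`. Under MAP-E the rate-limited web UI rule and the other remote-access rules therefore bind to different interfaces. If remote management is meant to follow the tunnel, both branches need the same expression; if not, a comment should say why. Overriding the `interface` argument inside the callee also ignores the caller's choice, so passing `isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname` from the call site would be clearer. The re-indentation and the dropped trailing space after `ACCEPT` make the functional change harder to spot.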
@@ -9792,7 +9841,7 @@ static int prepare_lan_bandwidth_tracking(FILE *fp) fprintf(fp, "-N bandwidth_%s\n", ip); fprintf(fp, "-A bandwidth_%s -j RETURN\n", ip); - fprintf(fp, "-A lan2wan_bandwidth -s %s -o %s -j bandwidth_%s\n", ip, current_wan_ifname, ip); + fprintf(fp, "-A lan2wan_bandwidth -s %s -o %s -j bandwidth_%s\n", ip, isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname, ip); hosts++; } @@ -10998,6 +11047,10 @@ static int prepare_multinet_filter_input (FILE *filter_fp) FIREWALL_DEBUG("Entering prepare_multinet_filter_input\n"); #endif +#ifdef FEATURE_MAPE + fprintf(filter_fp, "-I INPUT -i %s -p gre -j ACCEPT\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); +#endif + #if (defined(FEATURE_MAPT) && defined(NAT46_KERNEL_SUPPORT)) || defined(FEATURE_SUPPORT_MAPT_NAT46) if (isMAPTReady) { 
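Review bot: `-I INPUT -i %s -p gre -j ACCEPT` in `prepare_multinet_filter_input()` is emitted on every FEATURE_MAPE build whether or not `isMAPEReady` is set, and `-I` places it ahead of the rest of INPUT with no source restriction. That accepts GRE from any host on the WAN-facing interface, and neither the commit description nor the code says which MAP-E flow needs it. Gate it on `isMAPEReady`, restrict it with `-s` to the known peer, and add a comment naming the traffic it is for, or drop it if it is a leftover.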
@@ -11123,12 +11176,12 @@ static int prepare_multinet_filter_forward (FILE *filter_fp) fprintf(filter_fp, "-A INPUT -i %s -m pkttype ! --pkt-type unicast -j ACCEPT\n", net_resp); #ifdef MULTILAN_FEATURE if ( 0 == strncmp( lan_ifname, net_resp, strlen(lan_ifname))){ - fprintf(filter_fp, "-A FORWARD -i %s -o %s -j lan2wan\n", net_resp, current_wan_ifname); + fprintf(filter_fp, "-A FORWARD -i %s -o %s -j lan2wan\n", net_resp, isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); } - fprintf(filter_fp, "-A FORWARD -i %s -o %s -j wan2lan\n", current_wan_ifname, net_resp); + fprintf(filter_fp, "-A FORWARD -i %s -o %s -j wan2lan\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname, net_resp); #else - fprintf(filter_fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", net_resp, current_wan_ifname); - fprintf(filter_fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", current_wan_ifname, net_resp); + fprintf(filter_fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", net_resp, isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); + fprintf(filter_fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname, net_resp); #endif /*MULTILAN_FEATURE*/ } #endif /*_HUB4_PRODUCT_REQ_*/ 
@@ -11651,13 +11704,13 @@ int prepare_lnf_internet_rules(FILE *mangle_fp,int iptype) memset(lnf_ipaddress, 0, sizeof(lnf_ipaddress)); syscfg_get(NULL, "iot_ipaddr", lnf_ipaddress, sizeof(lnf_ipaddress)); fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -m dscp --dscp-class cs0 -m limit --limit 1/minute -j LOG --log-prefix \"Internet packets in LnF\"\n", - current_wan_ifname,lnf_ipaddress); - fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -m dscp --dscp-class cs0 -j DROP\n",current_wan_ifname,lnf_ipaddress); + isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname,lnf_ipaddress); + fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -m dscp --dscp-class cs0 -j DROP\n",isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname,lnf_ipaddress); fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -m dscp --dscp-class cs1 -m limit --limit 1/minute -j LOG --log-prefix \"Internet packets in LnF\"\n", - current_wan_ifname,lnf_ipaddress); - fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -m dscp --dscp-class cs1 -j DROP\n",current_wan_ifname,lnf_ipaddress); - fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -j ACCEPT\n",current_wan_ifname,lnf_ipaddress); + isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname,lnf_ipaddress); + fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -m dscp --dscp-class cs1 -j DROP\n",isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname,lnf_ipaddress); + fprintf(mangle_fp, "-A FORWARD -i %s -d %s/24 -j ACCEPT\n",isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname,lnf_ipaddress); } else { 
@@ -11827,6 +11880,43 @@ static void do_secure_backhaul(FILE *filter_fp) } #endif #endif + +#ifdef FEATURE_MAPE +int prepare_mape_rules(FILE *mangle_fp) +{ + char mape_enable[64] = {0}; + char lan_ip_address[64] = {0}; + char lan_subnet_mask[64] = {0}; + char lan_prefix[80] = {0}; + + syscfg_get(NULL,"mape_config_flag",mape_enable, sizeof(mape_enable)); + if( mape_enable[0] != '\0' ) + { + if (strcmp(mape_enable, "true") == 0) + { + syscfg_get(NULL, "lan_ipaddr", lan_ip_address, sizeof(lan_ip_address)); + if( lan_ip_address[0] != '\0' ) + { + syscfg_get(NULL, "lan_netmask", lan_subnet_mask, sizeof(lan_subnet_mask)); + if( lan_subnet_mask[0] != '\0' ) + { + unsigned int lanSubnetMask = inet_network(lan_subnet_mask); + unsigned int subnetCount = 0; + while (lanSubnetMask) + { + subnetCount += lanSubnetMask & 1; + lanSubnetMask = lanSubnetMask >> 1; + } + snprintf(lan_prefix, sizeof(lan_prefix), "%s/%u", lan_ip_address, subnetCount); + fprintf(mangle_fp, "-A PREROUTING -p all -i %s -d %s -j ACCEPT\n", current_wan_ifname, lan_prefix); + } + } + } + } + return 0; +} +#endif + /* * Procedure : prepare_subtables * Purpose : prepare the iptables-restore file that establishes all @@ -11926,7 +12016,9 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * prepare_lnf_internet_rules(mangle_fp,4); prepare_dscp_rule_for_host_mngt_traffic(mangle_fp); prepare_xconf_rules(mangle_fp); - +#ifdef FEATURE_MAPE + prepare_mape_rules(mangle_fp); +#endif #ifdef CONFIG_BUILD_TRIGGER #ifndef CONFIG_KERNEL_NF_TRIGGER_SUPPORT 
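Review bot: `prepare_mape_rules()` derives the prefix length by counting the set bits of `inet_network(lan_subnet_mask)` without checking for failure; `inet_network()` returns -1 on a malformed string, which counts as 32 bits and yields a `/32` rule. A non-contiguous mask is accepted the same way, and `lan_ipaddr` is written into the rule without being parsed. Parse both with `inet_pton(AF_INET, …)` and skip the rule on failure. The function is non-static and always returns 0; unless its prototype is in the firewall.h hunk that is not visible here, `static void` would fit better. The four nested `if`s would also read more easily as early returns.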
@@ -12092,7 +12184,7 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * } else // Add erouter0 prerouting_fromwan chain for 'Dual Stack' line only #endif //FEATURE_MAPT - fprintf(nat_fp, "-A PREROUTING -i %s -j prerouting_fromwan\n", current_wan_ifname); + fprintf(nat_fp, "-A PREROUTING -i %s -j prerouting_fromwan\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); prepare_multinet_prerouting_nat(nat_fp); #ifdef CONFIG_BUILD_TRIGGER #ifdef CONFIG_KERNEL_NF_TRIGGER_SUPPORT @@ -12145,10 +12237,10 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * #endif //NAT46_KERNEL_SUPPORT if (!isMAPTReady) { // Add erouter0 prerouting_fromwan_todmz chain for 'Dual Stack' line only - fprintf(nat_fp, "-A PREROUTING -i %s -j prerouting_fromwan_todmz\n", current_wan_ifname); + fprintf(nat_fp, "-A PREROUTING -i %s -j prerouting_fromwan_todmz\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); fprintf(nat_fp, "-A POSTROUTING -j postrouting_ephemeral\n"); // This breaks emta DNS routing on XF3. We may need some special rule here. - fprintf(nat_fp, "-A POSTROUTING -o %s -j postrouting_towan\n", current_wan_ifname); + fprintf(nat_fp, "-A POSTROUTING -o %s -j postrouting_towan\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); } #endif // FEATURE_MAPT 
@@ -12157,10 +12249,10 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * if( 0 != strncmp( devicePartnerId, "sky-", 4 ) ) #endif { - fprintf(nat_fp, "-A PREROUTING -i %s -j prerouting_fromwan_todmz\n", current_wan_ifname); + fprintf(nat_fp, "-A PREROUTING -i %s -j prerouting_fromwan_todmz\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); fprintf(nat_fp, "-A POSTROUTING -j postrouting_ephemeral\n"); // This breaks emta DNS routing on XF3. We may need some special rule here. - fprintf(nat_fp, "-A POSTROUTING -o %s -j postrouting_towan\n", current_wan_ifname); + fprintf(nat_fp, "-A POSTROUTING -o %s -j postrouting_towan\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); } #endif //_HUB4_PRODUCT_REQ_ ENDS @@ -12442,6 +12534,9 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * fprintf(filter_fp, "-A INPUT -i lo -m state --state NEW -j ACCEPT\n"); fprintf(filter_fp, "-A INPUT -j general_input\n"); +#ifdef FEATURE_MAPE + fprintf(filter_fp, "-A INPUT -i %s -j wan2self\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); +#endif wan_lan_webui_attack(filter_fp,lan_ifname); // Rate limiting the webui-access lan side lan_access_set_proto(filter_fp, "80",lan_ifname); @@ -12518,7 +12613,7 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * fprintf(filter_fp, "-A INPUT -i %s -j wan2self_mgmt\n", ecm_wan_ifname); } #endif /*_HUB4_PRODUCT_REQ_*/ - fprintf(filter_fp, "-A INPUT -i %s -j wan2self_mgmt\n", current_wan_ifname); + fprintf(filter_fp, "-A INPUT -i %s -j wan2self_mgmt\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); #if !defined(_HUB4_PRODUCT_REQ_) && !defined(_PLATFORM_RASPBERRYPI_) && !defined(_PLATFORM_TURRIS_) && !defined(_PLATFORM_BANANAPI_R4_) && !defined (NO_MTA_FEATURE_SUPPORT) #if defined (_RDKB_GLOBAL_PRODUCT_REQ_) if( 0 != strncmp( devicePartnerId, "sky-", 4 ) ) 
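Review bot: The `-A INPUT -i %s -j wan2self` line added after `general_input` in `prepare_subtables()` is compiled in for all FEATURE_MAPE builds, and when `isMAPEReady` is 0 it names `current_wan_ifname`, the same jump that is still appended later in the function. WAN input then goes through `wan2self` before the `wan2self_mgmt` rules that follow. If `wan2self` ends in a drop (its contents are not on this page), the remote-management rules for that interface are never reached. Emit the early jump only under `if (isMAPEReady)`, or adjust the existing `wan2self` line instead of adding a second one.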
@@ -12529,10 +12624,10 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * #endif /*_HUB4_PRODUCT_REQ_*/ fprintf(filter_fp, "-A INPUT -i %s -j lan2self\n", lan_ifname); fprintf(filter_fp, "-A INPUT -i %s -j wan2self\n", current_wan_ifname); - if ('\0' != default_wan_ifname[0] && 0 != strlen(default_wan_ifname) && 0 != strcmp(default_wan_ifname, current_wan_ifname)) { + if ('\0' != default_wan_ifname[0] && 0 != strlen(default_wan_ifname) && 0 != strcmp(default_wan_ifname, isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname)) { // even if current_wan_ifname is ppp we still want to consider default wan ifname as an interface // but dont duplicate - fprintf(filter_fp, "-A INPUT -i %s -j wan2self\n", default_wan_ifname); + fprintf(filter_fp, "-A INPUT -i %s -j wan2self\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:default_wan_ifname); } if (FALSE == bAmenityEnabled) { @@ -12724,8 +12819,8 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * #endif fprintf(filter_fp, "-A FORWARD -j general_forward\n"); - fprintf(filter_fp, "-A FORWARD -i %s -o %s -j wan2lan\n", current_wan_ifname, lan_ifname); - fprintf(filter_fp, "-A FORWARD -i %s -o %s -j lan2wan\n", lan_ifname, current_wan_ifname); + fprintf(filter_fp, "-A FORWARD -i %s -o %s -j wan2lan\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname, lan_ifname); + fprintf(filter_fp, "-A FORWARD -i %s -o %s -j lan2wan\n", lan_ifname, isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); // need br0 to br0 for virtual services) fprintf(filter_fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", lan_ifname, lan_ifname); prepare_multinet_filter_forward(filter_fp); 
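Review bot: In MAP-E mode the `default_wan_ifname` branch no longer emits a rule for `default_wan_ifname` at all: the condition now compares it with the tunnel name, so it is true whenever a default WAN name is set, and the `fprintf` then writes `MAPE_TUNNEL_INTERFACE`. The unchanged line above still sends `current_wan_ifname` to `wan2self`, so the default interface is covered only when the two names are equal; when they differ, input on `default_wan_ifname` skips `wan2self`. Keeping the original branch as it was and adding a separate `if (isMAPEReady) fprintf(filter_fp, "-A INPUT -i %s -j wan2self\n", MAPE_TUNNEL_INTERFACE);` covers all three interfaces without changing the non-MAP-E output.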
@@ -12791,8 +12886,8 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE * fprintf(filter_fp,"-A INPUT -i %s -m pkttype ! --pkt-type unicast -j ACCEPT\n",iot_ifName); //fprintf(filter_fp,"-A FORWARD -i %s -o %s -j ACCEPT\n",iot_ifName,iot_ifName); //fprintf(filter_fp, "-I FORWARD 2 -i %s -o %s -j lan2wan_iot_allow\n", iot_ifName,current_wan_ifname); - fprintf(filter_fp, "-I FORWARD 2 -i %s -o %s -j ACCEPT\n", iot_ifName,current_wan_ifname); - fprintf(filter_fp, "-I FORWARD 3 -i %s -o %s -j wan2lan_iot_allow\n", current_wan_ifname, iot_ifName); + fprintf(filter_fp, "-I FORWARD 2 -i %s -o %s -j ACCEPT\n", iot_ifName,isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); + fprintf(filter_fp, "-I FORWARD 3 -i %s -o %s -j wan2lan_iot_allow\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname, iot_ifName); //zqiu: R5337 //do_lan2wan_IoT_Allow(filter_fp); do_wan2lan_IoT_Allow(filter_fp); @@ -13904,6 +13999,9 @@ static int prepare_disabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *n //zqiu: RDKB-5686: xconf rule should work for pseudo bridge mode prepare_xconf_rules(mangle_fp); +#ifdef FEATURE_MAPE + prepare_mape_rules(mangle_fp); +#endif #ifdef CONFIG_BUILD_TRIGGER #ifndef CONFIG_KERNEL_NF_TRIGGER_SUPPORT @@ -14031,7 +14129,7 @@ static int prepare_disabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *n fprintf(filter_fp, "-A INPUT -p tcp -m multiport --dports 80,443 -d %s -j ACCEPT\n",lan0_ipaddr); #endif #if defined (MULTILAN_FEATURE) - fprintf(filter_fp, "-A INPUT -i %s -j wan2self_mgmt\n", current_wan_ifname); + fprintf(filter_fp, "-A INPUT -i %s -j wan2self_mgmt\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); #else fprintf(filter_fp, "-A INPUT ! -i %s -j wan2self_mgmt\n", isBridgeMode == 0 ? lan_ifname : cmdiag_ifname); #endif diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 2d3bc2a4..7a82d772 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h 
@@ -147,6 +147,9 @@ extern BOOL isMAPTReady; #endif // NAT46_KERNEL_SUPPORT #endif +#define MAPE_TUNNEL_INTERFACE "ip6tnl" +extern BOOL isMAPEReady; + /* HUB4 application specific defines. */ #ifdef _HUB4_PRODUCT_REQ_ #ifdef HUB4_BFD_FEATURE_ENABLED @@ -495,6 +498,11 @@ void do_container_allow(FILE *pFilter, FILE *pMangle, FILE *pNat, int family); */ int do_mapt_rules_v6(FILE *filter_fp); +#ifdef FEATURE_MAPE +//MAPE related function +int prepare_mape_rules(FILE *mangle_fp); +#endif + // HUB4 specific functions #ifdef _HUB4_PRODUCT_REQ_ /** diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 442402c7..798a6b0a 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c @@ -1240,6 +1240,12 @@ void do_ipv6_filter_table(FILE *fp){ // Basic RPF check on the egress & ingress traffic char prefix[129]; prefix[0] = 0; +#ifdef FEATURE_MAPE + char prev_prefix[MAX_QUERY] = {0}; + + sysevent_get(sysevent_fd, sysevent_token, "previous_ipv6_prefix", prev_prefix, sizeof(prev_prefix)); +#endif + #ifdef WAN_FAILOVER_SUPPORTED if (0 == checkIfULAEnabled()) { @@ -1252,6 +1258,12 @@ void do_ipv6_filter_table(FILE *fp){ #else sysevent_get(sysevent_fd, sysevent_token, "ipv6_prefix", prefix, sizeof(prefix)); #endif +#ifdef FEATURE_MAPE + if (prev_prefix[0] != '\0' && prefix[0] != '\0' && strcmp(prev_prefix, prefix) != 0) + { + fprintf(fp, "-A FORWARD -i brlan0 -o erouter0 -s %s -j REJECT --reject-with icmp6-policy-fail\n", prev_prefix); + } +#endif if ( '\0' != prefix[0] ) { //fprintf(fp, "-A FORWARD ! -s %s -i %s -m limit --limit 10/sec -j LOG --log-level %d --log-prefix \"UTOPIA: FW. IPv6 FORWARD anti-spoofing\"\n", prefix, lan_ifname,syslog_level); //fprintf(fp, "-A FORWARD ! -s %s -i %s -m limit --limit 10/sec -j REJECT --reject-with icmp6-adm-prohibited\n", prefix, lan_ifname); 
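Review bot: `MAPE_TUNNEL_INTERFACE` is defined as "ip6tnl" with no unit number, and iptables `-i`/`-o` match the interface name exactly unless the pattern ends in `+`. If the tunnel device on the target is created as `ip6tnl0` or another suffixed name (not visible in this patch), none of the rules built from the macro will match and WAN-side traffic will fall through to whatever follows them. Confirm the name against the code that creates the tunnel, or read it from the same configuration source. The macro and `extern BOOL isMAPEReady;` also sit outside `#ifdef FEATURE_MAPE` while `prepare_mape_rules` is inside it; a comment such as `/* must be defined in all builds; FALSE unless the MAP-E tunnel is up */` would document that requirement.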
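Review bot: The REJECT rule added in the hunk at -1252 hard-codes `brlan0` and `erouter0`, whereas the neighbouring rules in this file are built from `lan_ifname` and the WAN interface variables, so it will not match on devices or modes where those names differ. The value of `previous_ipv6_prefix` is also written into the rule unchecked; a stale or malformed sysevent value would produce a line that the rule loader may reject, and if the file is applied with ip6tables-restore that can fail the whole load. Suggest `fprintf(fp, "-A FORWARD -i %s -o %s -s %s -j REJECT --reject-with icmp6-policy-fail\n", lan_ifname, current_wan_ifname, prev_prefix);` after validating the prefix (for example with `inet_pton` on the address part), and checking the `sysevent_get` return value in the hunk at -1240.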
@@ -1736,10 +1748,11 @@ static int prepare_ipv6_multinet(FILE *fp) */ fprintf(fp, "-A INPUT -i %s -j ACCEPT\n", iface_name); - fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", iface_name, current_wan_ifname); - fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", iface_name, ecm_wan_ifname); - fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", current_wan_ifname, iface_name); - fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", ecm_wan_ifname, iface_name); + fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", iface_name, isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname); + fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", iface_name, ecm_wan_ifname); + fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", isMAPEReady?MAPE_TUNNEL_INTERFACE:current_wan_ifname, iface_name); + fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", ecm_wan_ifname, iface_name); + } } while ((p = strtok(NULL, " ")) != NULL); @@ -2014,6 +2027,9 @@ void do_ipv6_sn_filter(FILE* fp) { prepare_dscp_rules_to_prioritized_clnt(fp); prepare_dscp_rule_for_host_mngt_traffic(fp); prepare_xconf_rules(fp); +#ifdef FEATURE_MAPE + prepare_mape_rules(fp); +#endif #endif #ifdef _COSA_INTEL_XB3_ARM_ From c5fd2bdf21ee0a7ae6a4a239dce2c2dbf1466d54 Mon Sep 17 00:00:00 2001 
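Review bot: These rules are written to the IPv6 table, yet in MAP-E mode the WAN side of the two `FORWARD ... ACCEPT` lines is switched to `MAPE_TUNNEL_INTERFACE`. If the tunnel interface carries only the encapsulated IPv4 traffic, as is usual for MAP-E, IPv6 packets between `iface_name` and the WAN never traverse it, so the ACCEPT rules for native IPv6 on `current_wan_ifname` disappear whenever `isMAPEReady` is set. Unless that is intended, keep `current_wan_ifname` here: `fprintf(fp, "-A FORWARD -i %s -o %s -j ACCEPT\n", iface_name, current_wan_ifname);` and the matching reverse rule. The hunk also adds a stray blank line before the closing brace.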
From: aadhithan01 <64963550+aadhithan01@users.noreply.github.com> Date: Fri, 20 Feb 2026 10:29:49 +0530 Subject: [PATCH 08/10] RDKB-63584: dnsmasq is not running when enabling DHCPMANAGER (#232) RDKB-63584 : dibbler-server is not running when enable the DHCPMANAGER Reason for change: pmon is disabled in dhcpmanager enabled build, this was disabled for older DHCPMANAGER for Xb6 platform Test Procedure: kill dnsmasq and dibbler-server , check selfheal restarts it Risks: Low Signed-off-by:Aadhithan_PE@comcast.com UT:https://ccp.sys.comcast.net/browse/RDKB-63584?focusedId=24660985&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-24660985 --- source/pmon/pmon.c | 4 +--- source/scripts/init/c_registration/15_dhcp_server.c | 4 ---- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/source/pmon/pmon.c b/source/pmon/pmon.c index 85cbe84c..4a33efae 100644 --- a/source/pmon/pmon.c +++ b/source/pmon/pmon.c @@ -178,13 +178,11 @@ static int proc_mon (const char *proc_name, const char *pid_file, const char *cm return 0; } v_secure_system("echo ' RDKB_PROCESS_CRASHED : %s is not running, need restart ' >> /rdklogs/logs/SelfHeal.txt.0 ",proc_name); - //dnsmasq selfheal mechanism is in Aggresive Selfheal for DHCP Manager - #if !defined (FEATURE_RDKB_DHCP_MANAGER) if(!strcmp(proc_name,"dnsmasq")) { t2_event_d("SYS_SH_dnsmasq_restart",1); } - #endif + printf("pmon: attempting to restart '%s' using '%s'\n", proc_name, cmd); if (pid_file) { printf("pmon: removing pid file %s\n", pid_file); diff --git a/source/scripts/init/c_registration/15_dhcp_server.c b/source/scripts/init/c_registration/15_dhcp_server.c index 2aee6edd..bd0a9146 100644 --- a/source/scripts/init/c_registration/15_dhcp_server.c +++ b/source/scripts/init/c_registration/15_dhcp_server.c 
@@ -85,11 +85,7 @@ const char* SERVICE_CUSTOM_EVENTS[] = { void srv_register(void) { sm_register(SERVICE_NAME, SERVICE_DEFAULT_HANDLER, SERVICE_CUSTOM_EVENTS); - - //dnsmasq selfheal mechanism is in Aggresive Selfheal for DHCP Manager - #if !defined (FEATURE_RDKB_DHCP_MANAGER) v_secure_system("/etc/utopia/service.d/pmon.sh register dhcp_server"); - #endif } #ifdef RDKB_EXTENDER_ENABLED From d366f3794d1aedfe4bd1ed045617ceb397034739 Mon Sep 17 00:00:00 2001 From: aadhithan01 <64963550+aadhithan01@users.noreply.github.com> Date: Fri, 20 Feb 2026 10:57:11 +0530 Subject: [PATCH 09/10] Rdkb 63584: srv_unregister remove DHCPManager Distro (#234) Rdkb 63584: srv_unregister remove DHCPManager Distro This PR removes the DHCP Manager distro-specific compile guard in the DHCP server registration helper so that srv_unregister() always unregisters dhcp_server from pmon, aligning unregister behavior with the existing unconditional srv_register() behavior. Changes: Remove the #if !defined(FEATURE_RDKB_DHCP_MANAGER) guard around pmon.sh unregister dhcp_server. Drop the associated comment about the DHCP Manager self-heal mechanism. --- source/scripts/init/c_registration/15_dhcp_server.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/scripts/init/c_registration/15_dhcp_server.c b/source/scripts/init/c_registration/15_dhcp_server.c index bd0a9146..0b1751a8 100644 --- a/source/scripts/init/c_registration/15_dhcp_server.c +++ b/source/scripts/init/c_registration/15_dhcp_server.c @@ -149,10 +149,7 @@ void stop_service() void srv_unregister(void) { - //dnsmasq selfheal mechanism is in Aggresive Selfheal for DHCP Manager - #if !defined (FEATURE_RDKB_DHCP_MANAGER) v_secure_system("/etc/utopia/service.d/pmon.sh unregister dhcp_server"); - #endif #ifdef RDKB_EXTENDER_ENABLED stop_service(); From 88b1d0d9580ad2a59e15270a96bf96082b27e12d Mon Sep 17 00:00:00 2001 
From: Riyaz <49856943+Khan3033@users.noreply.github.com> Date: Fri, 20 Feb 2026 22:36:51 +0530 Subject: [PATCH 10/10] RDKB-62594 : Addition of RFC parameter for Stage agent (#235) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit US: RDKB-62968: Subtask: RDKB-63632 - Addition of RFC parameter for Stage Agent Reason for change: Add RFC flag Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.STAGE.Enable to execute the app Test Procedure: Build with stage agent changes and test Risks: None Is this a Bug or a User Story (US)?: US: RDKB-62968 - STAGE development - Phase 1 (SSH trigger). Subtask: RDKB-63632 2. If it is a User Story: * Have all dependent PRs from other components been listed (if any)?: Below PR's are dependent PR's    https://github.com/rdkcentral/tr69hostif/pull/366    https://github.com/rdkcentral/utopia/pull/235    https://github.com/rdkcentral/provisioning-and-management/pull/195 * Does the commit message include both the User Story ticket and the Subtask ticket? Yes * Will be all changes related to the User Story squashed and merged in a single commit?: No * Has the PR been raised only after completing all changes for the User Story (no partial changes)? : Yes * Has code development for the User Story been completed?: Yes * If yes, has the Gerrit topic or list of all dependent PRs across components (including meta-layer changes) been shared?:topic: https://gerrit.teamccp.com/#/q/topic:RDKB-62968-StageAgent-26Q1_sprint+(status:open+OR+status:merged) 3. Is there a validation log available in the Jira ticket for verifying builds with the updated generic-srcrev.inc across all platforms?: Yes * If yes, have the links to validation comments been shared?: https://ccp.sys.comcast.net/secure/attachment/14230070/14230070_D89C8E72F2E0_Stage_Logs_02-20-26-06-19AM.tgz 
Signed-off-by: rriyaz502 Co-authored-by: rriyaz502 --- source/scripts/init/defaults/system_defaults_arm | 2 ++ source/scripts/init/defaults/system_defaults_bci | 3 +++ 2 files changed, 5 insertions(+) diff --git a/source/scripts/init/defaults/system_defaults_arm b/source/scripts/init/defaults/system_defaults_arm index 4b58b93e..af4fcae8 100755 --- a/source/scripts/init/defaults/system_defaults_arm +++ b/source/scripts/init/defaults/system_defaults_arm @@ -1497,3 +1497,5 @@ $FwDwld_AvlMem_RsrvThreshold=20 #FwDwld_ImageProcMemPercent Default value $FwDwld_ImageProcMemPercent=0 +#STAGE Default value +$StageEnabled=false diff --git a/source/scripts/init/defaults/system_defaults_bci b/source/scripts/init/defaults/system_defaults_bci index cb485d56..1a891c77 100755 --- a/source/scripts/init/defaults/system_defaults_bci +++ b/source/scripts/init/defaults/system_defaults_bci @@ -1346,3 +1346,6 @@ $FwDwld_AvlMem_RsrvThreshold=20 #FwDwld_ImageProcMemPercent Default value $FwDwld_ImageProcMemPercent=0 + +#STAGE Default value +$StageEnabled=false