RDKB-63599: Private LAN traffic on/off handling #247
sshriv323 merged 28 commits into rdkcentral:develop from
Conversation
Reason for change: Added the new entry for virtual mta interface Test Procedure: verify the logic and functionality Risks: Low Priority: P1
Reason for change: Added the new entry for virtual mta interface Test Procedure: verify the logic and functionality Risks: Low Priority: P1
Reason for change: Added the new entry for virtual mta interface Test Procedure: verify the logic and functionality Risks: Low Priority: P1
Reason for change: Added the new entry for mac vlan interface Test Procedure: verify the logic and functionality Risks: High Priority: P1
Reason for change: Added the new entry for virtual mta interface Test Procedure: verify the logic and functionality Risks: High Priority: P1
Reason for change:Initializing the voice Test Procedure: verify the voice is initialized or not Risks: High Priority: P1
Reason for change:Setting the syscfg variables based on partner json values Test Procedure: verify the voice is initialized or not Risks: High Priority: P1
Reason for change:debug build Test Procedure: verify the logic and functionality Risks: High Priority: P1
Reason for change:debug build Test Procedure: verify the logic and functionality Risks: High Priority: P1
Pull request overview
This PR adds handling to disable LAN→WAN forwarding by reading a lan_wan_forwarding_enabled sysevent flag and injecting an iptables DROP rule into the lan2wan chain when forwarding is disabled.
Changes:
- Read lan_wan_forwarding_enabled from sysevent during firewall rule generation.
- When disabled, add a lan2wan chain rule to drop forwarded traffic from the LAN interface.
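The overview above describes the two pieces of the change: parse the lan_wan_forwarding_enabled sysevent value, and emit an iptables DROP into lan2wan for the private LAN bridge when it is "0". The following is an added example written for this review, not code from the rdkcentral repository or from this PR; the function names (parse_forwarding_flag, emit_lan2wan_drop, lan2wan_rule_for) are hypothetical. It shows a strict "0"/"1" parse next to the atoi() behaviour, so the difference on values such as "false" is visible, and applies the "brlan0" fallback at the point the interface name is used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the project's code: parse the sysevent flag
 * strictly instead of with atoi(), and emit the lan2wan DROP rule
 * for the private LAN bridge when forwarding is disabled. */

enum flag_state { FLAG_UNSET, FLAG_ENABLED, FLAG_DISABLED, FLAG_INVALID };

/* Only "0" and "1" are accepted; an empty value means the sysevent
 * was never set (keep the default), anything else is reported. */
enum flag_state parse_forwarding_flag(const char *value)
{
    if (value == NULL || value[0] == '\0')
        return FLAG_UNSET;
    if (strcmp(value, "1") == 0)
        return FLAG_ENABLED;
    if (strcmp(value, "0") == 0)
        return FLAG_DISABLED;
    return FLAG_INVALID;            /* e.g. "true", "false", "yes" */
}

/* Write the DROP rule into out. Returns 1 if a rule was written,
 * 0 if forwarding stays enabled, -1 if the flag is malformed so the
 * caller can log it instead of silently changing policy.
 * An empty lan_ifname falls back to "brlan0" (hypothetical default). */
int emit_lan2wan_drop(const char *flag_value, const char *lan_ifname,
                      char *out, size_t out_len)
{
    const char *ifname = (lan_ifname && lan_ifname[0]) ? lan_ifname : "brlan0";
    if (out_len)
        out[0] = '\0';
    switch (parse_forwarding_flag(flag_value)) {
    case FLAG_DISABLED:
        snprintf(out, out_len, "-A lan2wan -i %s -j DROP\n", ifname);
        return 1;
    case FLAG_INVALID:
        return -1;
    default:
        return 0;
    }
}

/* Convenience wrapper: the rule text from a static buffer, or NULL
 * when no rule is emitted (enabled, unset, or malformed). */
const char *lan2wan_rule_for(const char *flag_value, const char *lan_ifname)
{
    static char rule[128];
    return emit_lan2wan_drop(flag_value, lan_ifname, rule, sizeof rule) == 1
           ? rule : NULL;
}

/* What the PR's atoi() check does on the same input: any non-empty
 * string that atoi() maps to 0 (including "false") disables forwarding. */
int atoi_disables_forwarding(const char *value)
{
    return value != NULL && value[0] != '\0' && atoi(value) == 0;
}

int main(void)
{
    /* Constructed sample flag values, not real sysevent output. */
    const char *samples[] = { "0", "1", "", "false" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *rule = lan2wan_rule_for(samples[i], "brlan0");
        printf("flag=\"%s\" strict-rule=%s atoi-would-drop=%d\n", samples[i],
               rule ? rule : "(none)\n", atoi_disables_forwarding(samples[i]));
    }
    return 0;
}
```

Run stand-alone, the program prints one line per sample; the "false" case is the one where the strict parse emits nothing and returns -1 from emit_lan2wan_drop, while the atoi() path would have dropped all private LAN forwarding.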
| char cEnabled[8] = {0}; | ||
| sysevent_get(sysevent_fd, sysevent_token, "lan_wan_forwarding_enabled", cEnabled, sizeof(cEnabled)); | ||
| if ('\0' != cEnabled[0]) | ||
| { | ||
| if('\0' == lan_ifname[0]) | ||
| snprintf(lan_ifname, sizeof(lan_ifname), "brlan0"); | ||
|
|
||
| int iEnabled = atoi(cEnabled); | ||
| if (0 == iEnabled) | ||
| { |
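Review bot: the return value of sysevent_get is not checked, so a failed read leaves cEnabled empty and the `'\0' != cEnabled[0]` guard skips the block exactly as if the flag had never been set; both cases fall through with LAN to WAN forwarding enabled. If the flag is meant to block the private LAN, check the return code and log when the read fails, and consider treating only an explicit "0" (via strcmp) as the disable condition so that a partial or unexpected value never changes the policy silently.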
atoi(cEnabled) treats any non-numeric non-empty value (e.g., "true"/"false") as 0, which would disable forwarding unexpectedly. This file usually treats sysevent/syscfg boolean flags as enabled unless the value is empty or exactly "0" (e.g., ciscoconnect_guest_enable, lanhost_tracking_enabled). Consider parsing this flag the same way (explicitly check for "0") or validate that the value is strictly "0"/"1" before using atoi.
NOT ADDRESSED.
We are only setting the lan_wan_forwarding_enabled as "0" or "1".
| int iEnabled = atoi(cEnabled); | ||
| if (0 == iEnabled) | ||
| { | ||
| fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname); |
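Review bot: `-A lan2wan -i %s -j DROP` appends to the chain, so it only takes effect if no earlier rule in lan2wan already ACCEPTs traffic from lan_ifname; where this fprintf sits relative to the other lan2wan rules emitted by the same function decides whether the DROP is ever reached. Please confirm the ordering in the generated ruleset (for example with `iptables -S lan2wan` on a device with the flag set to "0") or emit this rule at the head of the chain.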
The DROP rule is limited to -i lan_ifname, but there are other interfaces that also jump into lan2wan (e.g., ETH_MESH_BRIDGE, XHS_BRIDGE, LNF_BRIDGE in the MAPT/NAT46 block). With the current match, forwarding can remain possible for those paths even when lan_wan_forwarding_enabled is 0. If the intent is to disable all LAN→WAN forwarding handled by lan2wan, consider making the DROP unconditional within lan2wan (or covering all relevant ingress interfaces).
| fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname); | |
| /* Disable all LAN->WAN forwarding handled by the lan2wan chain, | |
| * regardless of ingress interface. | |
| */ | |
| fprintf(filter_fp, "-A lan2wan -j DROP\n"); |
NOT ADDRESSED. We want to block only private LAN if the wifi link status is non-serviceable.
| if('\0' == lan_ifname[0]) | ||
| snprintf(lan_ifname, sizeof(lan_ifname), "brlan0"); | ||
|
|
||
| int iEnabled = atoi(cEnabled); | ||
| if (0 == iEnabled) | ||
| { | ||
| fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname); |
lan_ifname is defaulted to "brlan0" here, but the variable has already been used earlier in this function to emit multiple iptables rules (e.g., FORWARD/OUTPUT jumps). If a default is needed when syscfg_get("lan_ifname") returns empty, it should be applied at initialization time so all generated rules are consistent; otherwise this late fallback only affects the new DROP rule and subsequent rules.
| if('\0' == lan_ifname[0]) | |
| snprintf(lan_ifname, sizeof(lan_ifname), "brlan0"); | |
| int iEnabled = atoi(cEnabled); | |
| if (0 == iEnabled) | |
| { | |
| fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname); | |
| int iEnabled = atoi(cEnabled); | |
| if (0 == iEnabled) | |
| { | |
| if ('\0' != lan_ifname[0]) | |
| { | |
| fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname); | |
| } |
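Review bot: the suggested `if ('\0' != lan_ifname[0])` guard fails open without a trace: when lan_ifname is empty no DROP is written and forwarding stays enabled, with nothing in the log to say the flag was ignored. If the guard is adopted, add an else branch that logs the missing interface name so a device with an empty syscfg lan_ifname is visible in the field.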
NOT ADDRESSED. We don't want to touch the previous implementation.
I have read the CLA Document and I hereby sign the CLA. 1 out of 2 committers have signed the CLA.
Reason for change: Private LAN traffic on/off based on wifi link status
Test Procedure: verify the logic and functionality
Risks: High
Priority: P1