Merged
28 commits
0a3293d
RDKB-777777: Get the udhcpc arguments for virtual mta interface
Amaresh-Kotekal Nov 27, 2025
18a8f27
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Dec 12, 2025
9ec72c7
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Dec 16, 2025
af6fb95
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Dec 17, 2025
99fbc60
RDKB-777777: Get the udhcpc arguments for virtual mta interface
Amaresh-Kotekal Dec 18, 2025
0ad0623
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Dec 19, 2025
65c01cf
RDKB-777777: Get the udhcpc arguments for virtual mta interface
Amaresh-Kotekal Dec 19, 2025
3caa07e
RDKB-777777: Get the udhcpc arguments for macvlan mta interface
Amaresh-Kotekal Dec 24, 2025
6440c35
RDKB-62812:Create Virtual Interface for voice and initialize DHCP
Amaresh-Kotekal Dec 25, 2025
241dcde
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Jan 20, 2026
e3fcff2
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Jan 22, 2026
62c3669
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Jan 23, 2026
5893aed
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Jan 23, 2026
72b32fb
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Jan 28, 2026
0de112f
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Jan 31, 2026
c3f88ae
RDKB-62813:DHCP Data Handling and Initialization of voice
Amaresh-Kotekal Jan 31, 2026
b4546c7
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 4, 2026
52f8ccb
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 7, 2026
bda2d1f
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 9, 2026
165c493
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 11, 2026
8a068ed
RDKB-62813:DHCP Data Handling and Initialization of voice
Amaresh-Kotekal Feb 12, 2026
9c80873
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 13, 2026
6d77542
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 26, 2026
3fe41ff
CIECCPE-590:Private LAN traffic on/off based on wifi link status
Amaresh-Kotekal Feb 26, 2026
544aad8
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 26, 2026
b6216ee
CIECCPE-590:Private LAN traffic on/off based on wifi link status
Amaresh-Kotekal Feb 26, 2026
54804d0
Merge branch 'rdkcentral:develop' into develop
Amaresh-Kotekal Feb 27, 2026
ad80856
Merge branch 'develop' into develop
sshriv323 Feb 28, 2026
16 changes: 16 additions & 0 deletions source/firewall/firewall.c
Expand Up @@ -12925,7 +12925,23 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE *
#endif
}

/*
* Check if LAN to WAN forwarding is enabled
*/
char cEnabled[8] = {0};
sysevent_get(sysevent_fd, sysevent_token, "lan_wan_forwarding_enabled", cEnabled, sizeof(cEnabled));
if ('\0' != cEnabled[0])
{
if('\0' == lan_ifname[0])
snprintf(lan_ifname, sizeof(lan_ifname), "brlan0");

int iEnabled = atoi(cEnabled);
if (0 == iEnabled)
{
Comment on lines +12931 to +12940

Copilot AI Feb 27, 2026


atoi(cEnabled) treats any non-numeric non-empty value (e.g., "true"/"false") as 0, which would disable forwarding unexpectedly. This file usually treats sysevent/syscfg boolean flags as enabled unless the value is empty or exactly "0" (e.g., ciscoconnect_guest_enable, lanhost_tracking_enabled). Consider parsing this flag the same way (explicitly check for "0") or validate that the value is strictly "0"/"1" before using atoi.

Contributor Author


NOT ADDRESSED. We are only setting the lan_wan_forwarding_enabled as "0" or "1".

fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname);

Copilot AI Feb 27, 2026


The DROP rule is limited to -i lan_ifname, but there are other interfaces that also jump into lan2wan (e.g., ETH_MESH_BRIDGE, XHS_BRIDGE, LNF_BRIDGE in the MAPT/NAT46 block). With the current match, forwarding can remain possible for those paths even when lan_wan_forwarding_enabled is 0. If the intent is to disable all LAN→WAN forwarding handled by lan2wan, consider making the DROP unconditional within lan2wan (or covering all relevant ingress interfaces).

Suggested change
fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname);
/* Disable all LAN->WAN forwarding handled by the lan2wan chain,
* regardless of ingress interface.
*/
fprintf(filter_fp, "-A lan2wan -j DROP\n");

Contributor Author


NOT ADDRESSED. We want to block only private LAN if the wifi link status is non-serviceable.

Comment on lines +12935 to +12941

Copilot AI Feb 27, 2026


lan_ifname is defaulted to "brlan0" here, but the variable has already been used earlier in this function to emit multiple iptables rules (e.g., FORWARD/OUTPUT jumps). If a default is needed when syscfg_get("lan_ifname") returns empty, it should be applied at initialization time so all generated rules are consistent; otherwise this late fallback only affects the new DROP rule and subsequent rules.

Suggested change
if('\0' == lan_ifname[0])
snprintf(lan_ifname, sizeof(lan_ifname), "brlan0");
int iEnabled = atoi(cEnabled);
if (0 == iEnabled)
{
fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname);
int iEnabled = atoi(cEnabled);
if (0 == iEnabled)
{
if ('\0' != lan_ifname[0])
{
fprintf(filter_fp, "-A lan2wan -i %s -j DROP\n", lan_ifname);
}

Contributor Author


NOT ADDRESSED. We don't want to touch the previous implementation.

FIREWALL_DEBUG("LAN to WAN forwarding disabled, dropping all traffic from LAN to WAN\n");
}
}
/***********************
* set lan to wan subrule by order
* *********************/
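Review bot: The FIREWALL_DEBUG message at the end of the added block says "dropping all traffic from LAN to WAN", but the rule written just before it is `-A lan2wan -i %s -j DROP` with lan_ifname, so only packets entering on that one interface are dropped. Word the message to match the rule and include the interface name, so the log does not overstate what is blocked. Also, the return value of sysevent_get is not checked and an empty cEnabled skips the whole block, which means an unset or unreadable lan_wan_forwarding_enabled leaves forwarding on; if that default is intended, state it in the comment above the check.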