From f832136df4e802740489f02891a93b3755b3a35f Mon Sep 17 00:00:00 2001
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com>
Date: Thu, 2 Apr 2026 20:46:02 +0530
Subject: [PATCH 01/24] Update firewall.c

---
 source/firewall/firewall.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index c612c6ea..0fcb9b64 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10124,9 +10124,13 @@ static int do_lan2wan_misc(FILE *filter_fp)
 fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 1723 -j ACCEPT\n");
 }
 char sites_enabled[MAX_QUERY];
+ char services_enabled[MAX_QUERY];
 sites_enabled[0] = '\0';
+ services_enabled[0] = '\0';
 syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled));
- if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled
+ syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled));
+ if ((sites_enabled[0] != '\0' && sites_enabled[0] == '0') &&
+ (services_enabled[0] != '\0' && services_enabled[0] == '0')) // managed site/services list enabled
 {
 syscfg_get("blockssl", "result", query, sizeof(query));
 if (strcmp(query,"DROP") == 0) {

From e652091910af5254a91ea32ca134889e346dcc24 Mon Sep 17 00:00:00 2001
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com>
Date: Thu, 2 Apr 2026 21:19:38 +0530
Subject: [PATCH 02/24] Update firewall_ipv6.c

---
 source/firewall/firewall_ipv6.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c
index 57f4a705..61421255 100644
--- a/source/firewall/firewall_ipv6.c
+++ b/source/firewall/firewall_ipv6.c
@@ -1745,9 +1745,14 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 4500 -j ACCEPT\n"); } char sites_enabled[MAX_QUERY]; + char services_enabled[MAX_QUERY]; sites_enabled[0] = '\0'; + services_enabled[0] = '\0'; syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - if (sites_enabled[0] != '\0' && sites_enabled[0] == '0') // managed site list enabled + syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); + // Skip SSL blocking if either managed sites or managed services is enabled + if ((sites_enabled[0] != '\0' && sites_enabled[0] == '0') && + (services_enabled[0] != '\0' && services_enabled[0] == '0')) { queryv6[0] = '\0'; From 479b570ca54f924f09fef98f106201b7a0b83420 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 13:42:49 +0530 Subject: [PATCH 03/24] Update firewall.c --- source/firewall/firewall.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 0fcb9b64..4a64ff99 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -10129,8 +10129,34 @@ static int do_lan2wan_misc(FILE *filter_fp) services_enabled[0] = '\0'; syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); + // Check if managed services has port 443 configured + int ms_has_port_443 = 0; + if (services_enabled[0] != '\0' && services_enabled[0] != '0') { + char ms_count_str[MAX_QUERY]; + int ms_count = 0; + syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); + if (ms_count_str[0] != '\0') ms_count = atoi(ms_count_str); + for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { + char ns[MAX_QUERY], start_port[16], end_port[16]; + snprintf(query, sizeof(query), "ManagedServiceBlock_%d", i); + syscfg_get(NULL, query, ns, sizeof(ns)); + if (ns[0] == '\0') continue; + syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + int sp = atoi(start_port); + int ep = atoi(end_port); + FIREWALL_DEBUG("sp:%d, ep:%d\n", sp, ep); + if (sp <= 443 && ep >= 443) { + ms_has_port_443 = 1; + } + } + } + FIREWALL_DEBUG("ms_has_port_443:%d\n", ms_has_port_443); + // Skip SSL blocking if: + // 1. managed sites is enabled, OR + // 2. managed services is enabled AND has port 443 configured. if ((sites_enabled[0] != '\0' && sites_enabled[0] == '0') && - (services_enabled[0] != '\0' && services_enabled[0] == '0')) // managed site/services list enabled + !(services_enabled[0] != '\0' && services_enabled[0] != '0' && ms_has_port_443)) { syscfg_get("blockssl", "result", query, sizeof(query)); if (strcmp(query,"DROP") == 0) { From 38cee92c7b5837aaa27f585bc85e684717fe6e13 Mon Sep 17 00:00:00 2001 
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 13:46:48 +0530 Subject: [PATCH 04/24] Update firewall_ipv6.c --- source/firewall/firewall_ipv6.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 61421255..0ceda7dc 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
@@ -1750,9 +1750,36 @@ void do_ipv6_filter_table(FILE *fp){ services_enabled[0] = '\0'; syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); - // Skip SSL blocking if either managed sites or managed services is enabled + // Check if managed services has port 443 configured + int ms_has_port_443 = 0; + if (services_enabled[0] != '\0' && services_enabled[0] != '0') { + char ms_count_str[MAX_QUERY]; + char query_tmp[MAX_QUERY]; + int ms_count = 0; + syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); + if (ms_count_str[0] != '\0') ms_count = atoi(ms_count_str); + for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { + char ns[MAX_QUERY], start_port[16], end_port[16]; + snprintf(query_tmp, sizeof(query_tmp), "ManagedServiceBlock_%d", i); + syscfg_get(NULL, query_tmp, ns, sizeof(ns)); + if (ns[0] == '\0') continue; + syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + int sp = atoi(start_port); + int ep = atoi(end_port); + FIREWALL_DEBUG("%s sp:%d, ep:%d\n" COMMA sp COMMA ep); + if (sp <= 443 && ep >= 443) { + ms_has_port_443 = 1; + } + } + } + + FIREWALL_DEBUG("%sms_has_port_443:%d\n" COMMA __FUNCTION__ COMMA ms_has_port_443); + // Skip SSL blocking if: + // 1. managed sites is enabled, OR + // 2. managed services is enabled AND has port 443 configured if ((sites_enabled[0] != '\0' && sites_enabled[0] == '0') && - (services_enabled[0] != '\0' && services_enabled[0] == '0')) + !(services_enabled[0] != '\0' && services_enabled[0] != '0' && ms_has_port_443)) { queryv6[0] = '\0'; From 6a3776ed1920bd2fc2e23b39d71f757acb94c582 Mon Sep 17 00:00:00 2001 
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 14:02:26 +0530 Subject: [PATCH 05/24] Update firewall.c --- source/firewall/firewall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 4a64ff99..d016008e 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -10145,13 +10145,13 @@ static int do_lan2wan_misc(FILE *filter_fp) syscfg_get(ns, "end_port", end_port, sizeof(end_port)); int sp = atoi(start_port); int ep = atoi(end_port); - FIREWALL_DEBUG("sp:%d, ep:%d\n", sp, ep); + FIREWALL_DEBUG("%s, sp:%d, ep:%d\n" COMMA __FUNCTION__ COMMA sp COMMA ep); if (sp <= 443 && ep >= 443) { ms_has_port_443 = 1; } } } - FIREWALL_DEBUG("ms_has_port_443:%d\n", ms_has_port_443); + FIREWALL_DEBUG("%s: ms_has_port_443:%d\n" COMMA __FUNCTION__ COMMA ms_has_port_443); // Skip SSL blocking if: // 1. managed sites is enabled, OR // 2. managed services is enabled AND has port 443 configured. From 0995087479acf8b9964e6b9f06ab5c7dbe9bf9e9 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 14:03:41 +0530 Subject: [PATCH 06/24] Update firewall_ipv6.c --- source/firewall/firewall_ipv6.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 0ceda7dc..56e0fd43 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
@@ -1767,14 +1767,14 @@ void do_ipv6_filter_table(FILE *fp){ syscfg_get(ns, "end_port", end_port, sizeof(end_port)); int sp = atoi(start_port); int ep = atoi(end_port); - FIREWALL_DEBUG("%s sp:%d, ep:%d\n" COMMA sp COMMA ep); + FIREWALL_DEBUG("%s, sp:%d, ep:%d\n" COMMA __FUNCTION__ COMMA sp COMMA ep); if (sp <= 443 && ep >= 443) { ms_has_port_443 = 1; } } } - FIREWALL_DEBUG("%sms_has_port_443:%d\n" COMMA __FUNCTION__ COMMA ms_has_port_443); + FIREWALL_DEBUG("%s, ms_has_port_443:%d\n" COMMA __FUNCTION__ COMMA ms_has_port_443); // Skip SSL blocking if: // 1. managed sites is enabled, OR // 2. managed services is enabled AND has port 443 configured From 569a4dd6f35f3bd64a2a00f8e6b8d5918e392d27 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 14:23:40 +0530 Subject: [PATCH 07/24] Update firewall.c --- source/firewall/firewall.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index d016008e..daf85e69 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -10133,13 +10133,14 @@ static int do_lan2wan_misc(FILE *filter_fp) int ms_has_port_443 = 0; if (services_enabled[0] != '\0' && services_enabled[0] != '0') { char ms_count_str[MAX_QUERY]; + char ms_namespace_key[MAX_QUERY]; int ms_count = 0; syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); if (ms_count_str[0] != '\0') ms_count = atoi(ms_count_str); for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { char ns[MAX_QUERY], start_port[16], end_port[16]; - snprintf(query, sizeof(query), "ManagedServiceBlock_%d", i); - syscfg_get(NULL, query, ns, sizeof(ns)); + snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); + syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); if (ns[0] == '\0') continue; syscfg_get(ns, "start_port", start_port, sizeof(start_port)); syscfg_get(ns, "end_port", end_port, sizeof(end_port)); From 759a423b6a12db409add7a50ffd6d933106dc6fa Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 17:05:56 +0530 Subject: [PATCH 08/24] Update firewall.c --- source/firewall/firewall.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index daf85e69..df06bcfe 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -10146,13 +10146,12 @@ static int do_lan2wan_misc(FILE *filter_fp) syscfg_get(ns, "end_port", end_port, sizeof(end_port)); int sp = atoi(start_port); int ep = atoi(end_port); - FIREWALL_DEBUG("%s, sp:%d, ep:%d\n" COMMA __FUNCTION__ COMMA sp COMMA ep); if (sp <= 443 && ep >= 443) { ms_has_port_443 = 1; + break; } } } - FIREWALL_DEBUG("%s: ms_has_port_443:%d\n" COMMA __FUNCTION__ COMMA ms_has_port_443); // Skip SSL blocking if: // 1. managed sites is enabled, OR // 2. managed services is enabled AND has port 443 configured. From 66a18ac1b04aba070b066ee0b8dc539cac2af800 Mon Sep 17 00:00:00 2001 
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 3 Apr 2026 17:06:41 +0530 Subject: [PATCH 09/24] Update firewall_ipv6.c --- source/firewall/firewall_ipv6.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 56e0fd43..2876612b 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c @@ -1767,14 +1767,12 @@ void do_ipv6_filter_table(FILE *fp){ syscfg_get(ns, "end_port", end_port, sizeof(end_port)); int sp = atoi(start_port); int ep = atoi(end_port); - FIREWALL_DEBUG("%s, sp:%d, ep:%d\n" COMMA __FUNCTION__ COMMA sp COMMA ep); if (sp <= 443 && ep >= 443) { ms_has_port_443 = 1; + break; } } } - - FIREWALL_DEBUG("%s, ms_has_port_443:%d\n" COMMA __FUNCTION__ COMMA ms_has_port_443); // Skip SSL blocking if: // 1. managed sites is enabled, OR // 2. managed services is enabled AND has port 443 configured From 2e293d8f7baf4697aa11e62cd2b540f1c529a78f Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 11:45:55 +0530 Subject: [PATCH 10/24] Update source/firewall/firewall.c Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/firewall/firewall.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index df06bcfe..8ef0c494 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -10136,7 +10136,14 @@ static int do_lan2wan_misc(FILE *filter_fp) char ms_namespace_key[MAX_QUERY]; int ms_count = 0; syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - if (ms_count_str[0] != '\0') ms_count = atoi(ms_count_str); + if (ms_count_str[0] != '\0') { + ms_count = atoi(ms_count_str); + } + if (ms_count < 0) { + ms_count = 0; + } else if (ms_count > MAX_SYSCFG_ENTRIES) { + ms_count = MAX_SYSCFG_ENTRIES; + } for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { char ns[MAX_QUERY], start_port[16], end_port[16]; snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); From 18205b4591320ac965448700e84cbfab2e8e6e0f Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 11:46:17 +0530 Subject: [PATCH 11/24] Update source/firewall/firewall_ipv6.c Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/firewall/firewall_ipv6.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 2876612b..8a551714 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c @@ -1757,7 +1757,14 @@ void do_ipv6_filter_table(FILE *fp){ char query_tmp[MAX_QUERY]; int ms_count = 0; syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - if (ms_count_str[0] != '\0') ms_count = atoi(ms_count_str); + if (ms_count_str[0] != '\0') { + ms_count = atoi(ms_count_str); + } + if (ms_count < 0) { + ms_count = 0; + } else if (ms_count > MAX_SYSCFG_ENTRIES) { + ms_count = MAX_SYSCFG_ENTRIES; + } for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { char ns[MAX_QUERY], start_port[16], end_port[16]; snprintf(query_tmp, sizeof(query_tmp), "ManagedServiceBlock_%d", i); From fa638837013a6ad245ebd74d014f4cfecc2517b3 Mon Sep 17 00:00:00 2001 
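Review bot: The clamp added after `ms_count = atoi(ms_count_str);` does not make the bound deterministic, because atoi() has undefined behaviour when the string's value does not fit in an int, so the `ms_count < 0` and `> MAX_SYSCFG_ENTRIES` branches may not see the value you expect for an oversized "ManagedServiceBlockCount". Parsing with strtol and checking the end pointer and ERANGE closes that gap: `char *end = NULL; errno = 0; long v = strtol(ms_count_str, &end, 10);` then `if (end == ms_count_str || *end != '\0' || errno == ERANGE || v < 0) v = 0;` and `ms_count = (v > MAX_SYSCFG_ENTRIES) ? MAX_SYSCFG_ENTRIES : (int)v;` (this needs `<errno.h>` if the file does not already include it). The identical hunk in firewall_ipv6.c in the following patch has the same issue. do_lan2wan_misc begins and ends outside the hunk.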
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 13:22:26 +0530 Subject: [PATCH 12/24] Update firewall_ipv6.c --- source/firewall/firewall_ipv6.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 8a551714..f7e52d8a 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c @@ -1770,13 +1770,21 @@ void do_ipv6_filter_table(FILE *fp){ snprintf(query_tmp, sizeof(query_tmp), "ManagedServiceBlock_%d", i); syscfg_get(NULL, query_tmp, ns, sizeof(ns)); if (ns[0] == '\0') continue; + // Get and validate start_port syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + if (start_port[0] == '\0' || 0 != validate_port(start_port)) { + continue; + } + // Get and validate end_port syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + if (end_port[0] == '\0' || 0 != validate_port(end_port)) { + continue; + } + // Check if port 443 is within range int sp = atoi(start_port); int ep = atoi(end_port); if (sp <= 443 && ep >= 443) { ms_has_port_443 = 1; - break; } } } From 2948e100ccac5ff06361bd73035a0360716f361f Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 13:23:45 +0530 Subject: [PATCH 13/24] Update firewall.c --- source/firewall/firewall.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 8ef0c494..a4e80574 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -10150,12 +10150,19 @@ static int do_lan2wan_misc(FILE *filter_fp) syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); if (ns[0] == '\0') continue; syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + if (start_port[0] == '\0' || 0 != validate_port(start_port)) { + continue; + } + // Get and validate end_port syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + if (end_port[0] == '\0' || 0 != validate_port(end_port)) { + continue; + } + // Check if port 443 is within range int sp = atoi(start_port); int ep = atoi(end_port); if (sp <= 443 && ep >= 443) { ms_has_port_443 = 1; - break; } } } From 6f3a2b4c665c89a504c48b4ce87875db4a031caf Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 15:17:13 +0530 Subject: [PATCH 14/24] Update firewall.h --- source/firewall/firewall.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 7a82d772..02514c17 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h @@ -1246,3 +1246,23 @@ void proxy_dns(FILE *nat_fp,int family); */ void get_iface_ipaddr_ula(const char* ifname,char* ipaddr, int max_ip_size); #endif + +#define MAX_PORT 65535 + +/** +* @brief Validate if a port number string is valid. +* +* @param[in] port_num - Pointer to the port number string. +* +* @return The status of the operation. +* @retval 0 if port is valid (1-65535). +* @retval -1 if port is invalid. +* +*/ +static inline int validate_port(const char* port_num) +{ + int port = atoi(port_num); + if (port <= 0 || port > MAX_PORT) + return -1; + return 0; +} From 62bd5d85d2c2f81ba3bbed17c7ec6cc60b0c6fa4 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 15:19:02 +0530 Subject: [PATCH 15/24] Update firewall.c --- source/firewall/firewall.c | 10 ---------- 1 file changed, 10 deletions(-) 
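Review bot: `#define MAX_PORT 65535` is added to a shared header without an `#ifndef MAX_PORT` guard, and the next patch in this series then has to delete the same macro from firewall.c to avoid a redefinition warning; any other translation unit that carries its own MAX_PORT with a different value will still fail to compile, so `#ifndef MAX_PORT` / `#define MAX_PORT 65535` / `#endif` is safer. The new definitions are also placed after the `#endif` context line at the end of the header; if that `#endif` closes the include guard rather than a feature `#if` (the later add-and-revert of `#endif /* __FIREWALL_H__ */` suggests this was unclear), `validate_port` sits outside the guard and a double include of firewall.h would redefine a static inline function, which is a hard error — please confirm which `#if` it closes. `validate_port` relies on atoi, which accepts trailing garbage (`443abc` validates as 443) and has undefined behaviour on overflow; since this header is now the single place that validates port strings read from syscfg, a strtol-based check with an end-pointer test rejects malformed values instead of partially accepting them, and the header then needs `<stdlib.h>` and `<errno.h>` for the functions it uses. The doc comment's `@retval 0 if port is valid (1-65535)` should also say that the whole string must be numeric once that check is in place.
```c
static inline int validate_port(const char* port_num)
{
    char *end = NULL;
    errno = 0;
    long port = strtol(port_num, &end, 10);
    // Reject empty, partially numeric, out-of-range and overflowing strings.
    if (end == port_num || *end != '\0' || errno == ERANGE || port <= 0 || port > MAX_PORT)
        return -1;
    return 0;
}
```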
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index a4e80574..f066ad64 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -740,8 +740,6 @@ int rfstatus; * For simplicity purposes we cap the number of syscfg entries within a * specific namespace. This cap is controlled by MAX_SYSCFG_ENTRIES */ -#define MAX_PORT 65535 - #define MAX_NAMESPACE 64 #define MAX_SRC_IP_TABLE_ROW 10 /*RDKB-7145, CID-33123, defining max size for src_ip[MAX_SRC_IP_TABLE_ENTRY][]*/ @@ -9129,14 +9127,6 @@ static int do_parcon_device_cloud_mgmt(FILE *fp, int iptype, FILE *cron_fp) return(0); } -static int validate_port(char* port_num) -{ - int port = atoi(port_num); - if ( port <= 0 || port > MAX_PORT ) - return -1; - - return 0; -} /* * add parental control managed service(ports) rules */ From 2fc790431955d38ab373cf170fa2b5439aa495a8 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 15:42:37 +0530 Subject: [PATCH 16/24] Update firewall.h --- source/firewall/firewall.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 02514c17..576be198 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h @@ -1266,3 +1266,5 @@ static inline int validate_port(const char* port_num) return -1; return 0; } +#endif /* __FIREWALL_H__ */ + From 9855690410667a00aa068d6a1936626c97df8ff1 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Mon, 6 Apr 2026 15:56:33 +0530 Subject: [PATCH 17/24] Update firewall.h --- source/firewall/firewall.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 576be198..02514c17 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h @@ -1266,5 +1266,3 @@ static inline int validate_port(const char* port_num) return -1; return 0; } -#endif /* __FIREWALL_H__ */ - 
From f9a5d3f43cbf8259179cd33e8e5539243aaf52c3 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Wed, 8 Apr 2026 14:51:43 +0530 Subject: [PATCH 18/24] Update firewall.c --- source/firewall/firewall.c | 130 ++++++++++++++++++++++--------------- 1 file changed, 78 insertions(+), 52 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index f066ad64..76a9c744 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -10113,63 +10113,89 @@ static int do_lan2wan_misc(FILE *filter_fp) else if (strcmp(query,"ACCEPT") == 0) { fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 1723 -j ACCEPT\n"); } - char sites_enabled[MAX_QUERY]; - char services_enabled[MAX_QUERY]; - sites_enabled[0] = '\0'; - services_enabled[0] = '\0'; + // Check if managed sites/services affect SSL blocking on port 443 + int ms_has_tcp_443 = 0; + int ms_has_udp_443 = 0; + char sites_enabled[MAX_QUERY] = {0}; + char services_enabled[MAX_QUERY] = {0}; + syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); - // Check if managed services has port 443 configured - int ms_has_port_443 = 0; - if (services_enabled[0] != '\0' && services_enabled[0] != '0') { - char ms_count_str[MAX_QUERY]; - char ms_namespace_key[MAX_QUERY]; - int ms_count = 0; - syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - if (ms_count_str[0] != '\0') { - ms_count = atoi(ms_count_str); - } - if (ms_count < 0) { - ms_count = 0; - } else if (ms_count > MAX_SYSCFG_ENTRIES) { - ms_count = MAX_SYSCFG_ENTRIES; - } - for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { - char ns[MAX_QUERY], start_port[16], end_port[16]; - snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); - syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); - if (ns[0] == '\0') continue; - syscfg_get(ns, "start_port", start_port, sizeof(start_port)); - if (start_port[0] == '\0' || 0 != validate_port(start_port)) { - continue; - } - // Get and validate end_port - syscfg_get(ns, "end_port", end_port, sizeof(end_port)); - if (end_port[0] == '\0' || 0 != validate_port(end_port)) { - continue; - } - // Check if port 443 is within range - int sp = atoi(start_port); - int ep = atoi(end_port); - if (sp <= 443 && ep >= 443) { - ms_has_port_443 = 1; + + // If managed sites is enabled, skip SSL blocking 
entirely + if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') { + ms_has_tcp_443 = 1; + ms_has_udp_443 = 1; + } else { + // Check managed services for port 443 + syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); + if (services_enabled[0] != '\0' && services_enabled[0] != '0') { + char ms_count_str[MAX_QUERY] = {0}; + syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); + if (ms_count_str[0] != '\0') { + ms_count = atoi(ms_count_str); + } + if (ms_count < 0) { + ms_count = 0; + } else if (ms_count > MAX_SYSCFG_ENTRIES) { + ms_count = MAX_SYSCFG_ENTRIES; + } + for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { + char ns[MAX_QUERY], prot[10]; + char ms_namespace_key[MAX_QUERY]; + + snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); + syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); + if (ns[0] == '\0') continue; + + // Get protocol to check if we can skip this entry + syscfg_get(ns, "proto", prot, sizeof(prot)); + + // Skip if this protocol is already covered (tcp only and tcp flag set, or udp only and udp flag set) + if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) || + (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) { + continue; + } + + // Check port range + char start_port[16], end_port[16]; + // Get and validate start_port + syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + if (start_port[0] == '\0' || 0 != validate_port(start_port)) { + continue; + } + // Get and validate end_port + syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + if (end_port[0] == '\0' || 0 != validate_port(end_port)) { + continue; + } + + int sp = atoi(start_port); + int ep = atoi(end_port); + if (sp > 443 || ep < 443) continue; // Port 443 not in range + + // Set flags based on protocol + if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) { + ms_has_tcp_443 = ms_has_udp_443 = 1; + break; + } else if 
(strncasecmp("tcp", prot, 3) == 0) { + ms_has_tcp_443 = 1; + } else if (strncasecmp("udp", prot, 3) == 0) { + ms_has_udp_443 = 1; + } } } } - // Skip SSL blocking if: - // 1. managed sites is enabled, OR - // 2. managed services is enabled AND has port 443 configured. - if ((sites_enabled[0] != '\0' && sites_enabled[0] == '0') && - !(services_enabled[0] != '\0' && services_enabled[0] != '0' && ms_has_port_443)) - { + + // Emit SSL blocking rules for protocols not covered by managed services + if (!(ms_has_tcp_443 && ms_has_udp_443)) { syscfg_get("blockssl", "result", query, sizeof(query)); - if (strcmp(query,"DROP") == 0) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j DROP\n"); - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j DROP\n"); - } - else if(strcmp(query,"ACCEPT") == 0) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j ACCEPT\n"); - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j ACCEPT\n"); + if (strcmp(query, "DROP") == 0 || strcmp(query, "ACCEPT") == 0) { + if (!ms_has_udp_443) { + fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j %s\n", query); + } + if (!ms_has_tcp_443) { + fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j %s\n", query); + } } } } From 1b5ba90d12b5fcd76363b5fb0377a43ddd52a859 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Wed, 8 Apr 2026 14:58:39 +0530 Subject: [PATCH 19/24] Update firewall_ipv6.c --- source/firewall/firewall_ipv6.c | 134 +++++++++++++++++++------------- 1 file changed, 81 insertions(+), 53 deletions(-) diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index f7e52d8a..0c5f3dc8 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
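Review bot: In the new loop `ns`, `prot`, `start_port` and `end_port` are declared without initialisers, yet the code tests `ns[0] == '\0'` and `prot[0] == '\0'` immediately after syscfg_get; the same hunk zero-fills `sites_enabled`, `services_enabled` and `ms_count_str` with `= {0}`, which suggests syscfg_get is not trusted to write the buffer when a key is absent, so these tests read indeterminate memory and an entry with no `proto` key may be treated as "both" or as nothing depending on stack garbage. Declare them `char ns[MAX_QUERY] = {0}, prot[10] = {0};` and `char start_port[16] = {0}, end_port[16] = {0};`. The firewall_ipv6.c hunk in the next patch has the same pattern. The new gating at `if (!(ms_has_tcp_443 && ms_has_udp_443))` also changes policy, not just structure: with blockssl set to DROP, any managed-service entry whose range merely covers port 443 now suppresses the unconditional DROP for that protocol, so enforcement of 443 is delegated entirely to that entry; if managed-service rules can be narrower than a blanket drop (time-scoped or host-specific — not visible here) this is fail-open relative to the old behaviour and deserves a comment at the `// Emit SSL blocking rules` line stating that assumption. do_lan2wan_misc starts and ends outside the hunk.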
@@ -1744,65 +1744,93 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 500 -j ACCEPT\n"); fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 4500 -j ACCEPT\n"); } - char sites_enabled[MAX_QUERY]; - char services_enabled[MAX_QUERY]; - sites_enabled[0] = '\0'; - services_enabled[0] = '\0'; + // Check if managed sites/services affect SSL blocking on port 443 + int ms_has_tcp_443 = 0; + int ms_has_udp_443 = 0; + char sites_enabled[MAX_QUERY] = {0}; + char services_enabled[MAX_QUERY] = {0}; + syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); - // Check if managed services has port 443 configured - int ms_has_port_443 = 0; - if (services_enabled[0] != '\0' && services_enabled[0] != '0') { - char ms_count_str[MAX_QUERY]; - char query_tmp[MAX_QUERY]; - int ms_count = 0; - syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - if (ms_count_str[0] != '\0') { - ms_count = atoi(ms_count_str); - } - if (ms_count < 0) { - ms_count = 0; - } else if (ms_count > MAX_SYSCFG_ENTRIES) { - ms_count = MAX_SYSCFG_ENTRIES; - } - for (int i = 1; i <= ms_count && !ms_has_port_443; i++) { - char ns[MAX_QUERY], start_port[16], end_port[16]; - snprintf(query_tmp, sizeof(query_tmp), "ManagedServiceBlock_%d", i); - syscfg_get(NULL, query_tmp, ns, sizeof(ns)); - if (ns[0] == '\0') continue; - // Get and validate start_port - syscfg_get(ns, "start_port", start_port, sizeof(start_port)); - if (start_port[0] == '\0' || 0 != validate_port(start_port)) { - continue; - } - // Get and validate end_port - syscfg_get(ns, "end_port", end_port, sizeof(end_port)); - if (end_port[0] == '\0' || 0 != validate_port(end_port)) { - continue; + + // If managed sites is enabled, skip SSL blocking entirely + if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') { + ms_has_tcp_443 = 1; + ms_has_udp_443 = 1; + } else { + // Check 
managed services for port 443 + syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); + if (services_enabled[0] != '\0' && services_enabled[0] != '0') { + char ms_count_str[MAX_QUERY] = {0}; + int ms_count = 0; + syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); + if (ms_count_str[0] != '\0') { + ms_count = atoi(ms_count_str); } - // Check if port 443 is within range - int sp = atoi(start_port); - int ep = atoi(end_port); - if (sp <= 443 && ep >= 443) { - ms_has_port_443 = 1; + if (ms_count < 0) { + ms_count = 0; + } else if (ms_count > MAX_SYSCFG_ENTRIES) { + ms_count = MAX_SYSCFG_ENTRIES; + } + + for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { + char ns[MAX_QUERY], prot[10]; + char query_tmp[MAX_QUERY]; + + snprintf(query_tmp, sizeof(query_tmp), "ManagedServiceBlock_%d", i); + syscfg_get(NULL, query_tmp, ns, sizeof(ns)); + if (ns[0] == '\0') continue; + + // Get protocol to check if we can skip this entry + syscfg_get(ns, "proto", prot, sizeof(prot)); + + // Skip if this protocol is already covered (tcp only and tcp flag set, or udp only and udp flag set) + if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) || + (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) { + continue; + } + + // Check port range + char start_port[16], end_port[16]; + // Get and validate start_port + syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + if (start_port[0] == '\0' || 0 != validate_port(start_port)) { + continue; + } + // Get and validate end_port + syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + if (end_port[0] == '\0' || 0 != validate_port(end_port)) { + continue; + } + + int sp = atoi(start_port); + int ep = atoi(end_port); + if (sp > 443 || ep < 443) continue; // Port 443 not in range + + // Set flags based on protocol + if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) { + ms_has_tcp_443 = ms_has_udp_443 = 1; + break; + } else if 
(strncasecmp("tcp", prot, 3) == 0) { + ms_has_tcp_443 = 1; + } else if (strncasecmp("udp", prot, 3) == 0) { + ms_has_udp_443 = 1; + } } } } - // Skip SSL blocking if: - // 1. managed sites is enabled, OR - // 2. managed services is enabled AND has port 443 configured - if ((sites_enabled[0] != '\0' && sites_enabled[0] == '0') && - !(services_enabled[0] != '\0' && services_enabled[0] != '0' && ms_has_port_443)) - { + + // Emit SSL blocking rules for protocols not covered by managed services + if (!(ms_has_tcp_443 && ms_has_udp_443)) { queryv6[0] = '\0'; - - if((0 == syscfg_get(NULL, "blockssl::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){ - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j DROP\n"); - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j DROP\n"); - } - else if(strcmp(queryv6,"ACCEPT") == 0){ - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j ACCEPT\n"); - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j ACCEPT\n"); + if (0 == syscfg_get(NULL, "blockssl::result", queryv6, sizeof(queryv6))) { + if (strcmp(queryv6, "DROP") == 0 || strcmp(queryv6, "ACCEPT") == 0) { + if (!ms_has_udp_443) { + fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j %s\n", queryv6); + } + if (!ms_has_tcp_443) { + fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j %s\n", queryv6); + } + } } } queryv6[0] = '\0'; From 1e49d90357d8f805b349000b0812886d22318478 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Wed, 8 Apr 2026 14:59:13 +0530 Subject: [PATCH 20/24] Update firewall.c --- source/firewall/firewall.c | 1 + 1 file changed, 1 insertion(+) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 76a9c744..584c256a 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -10130,6 +10130,7 @@ static int do_lan2wan_misc(FILE *filter_fp)
 syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled));
 if (services_enabled[0] != '\0' && services_enabled[0] != '0') {
 char ms_count_str[MAX_QUERY] = {0};
+ int ms_count = 0;
 syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str));
 if (ms_count_str[0] != '\0') {
 ms_count = atoi(ms_count_str);
From 775d17df3501fe97aba92faac306106ae68ebe0e Mon Sep 17 00:00:00 2001
From: suriya-prem
Date: Tue, 14 Apr 2026 06:51:58 +0000
Subject: [PATCH 21/24] Updated Files to have common function
---
 source/firewall/Makefile.am | 2 +-
 source/firewall/firewall.c | 87 +-------------------
 source/firewall/firewall.h | 26 ++++--
 source/firewall/firewall_ipv6.c | 90 +--------------------
 source/firewall/firewall_utils.c | 133 +++++++++++++++++++++++++++++++
 5 files changed, 157 insertions(+), 181 deletions(-)
 create mode 100644 source/firewall/firewall_utils.c
diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am
index 946aaceb..5e113f28 100644
--- a/source/firewall/Makefile.am
+++ b/source/firewall/Makefile.am
@@ -27,7 +27,7 @@ if ONESTACK_PRODUCT_REQ
 AM_LDFLAGS += -lrdkb_feature_mode_gate
 endif
-firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c
+firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c firewall_utils.c
 if CPC_FIREWALL_ENABLE
 firewall_SOURCES += firewall_lib.c firewall_dsl.c rabid.c
 AM_LDFLAGS += -lrdkconfig
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 584c256a..b49c2cd7 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10113,92 +10113,9 @@ static int do_lan2wan_misc(FILE *filter_fp) else if (strcmp(query,"ACCEPT") == 0) { fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 1723 -j ACCEPT\n"); } - // Check if managed sites/services affect SSL blocking on port 443 - int ms_has_tcp_443 = 0; - int ms_has_udp_443 = 0; - char sites_enabled[MAX_QUERY] = {0}; - char services_enabled[MAX_QUERY] = {0}; - syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - - // If managed sites is enabled, skip SSL blocking entirely - if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') { - ms_has_tcp_443 = 1; - ms_has_udp_443 = 1; - } else { - // Check managed services for port 443 - syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); - if (services_enabled[0] != '\0' && services_enabled[0] != '0') { - char ms_count_str[MAX_QUERY] = {0}; - int ms_count = 0; - syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - if (ms_count_str[0] != '\0') { - ms_count = atoi(ms_count_str); - } - if (ms_count < 0) { - ms_count = 0; - } else if (ms_count > MAX_SYSCFG_ENTRIES) { - ms_count = MAX_SYSCFG_ENTRIES; - } - for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { - char ns[MAX_QUERY], prot[10]; - char ms_namespace_key[MAX_QUERY]; - - snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); - syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); - if (ns[0] == '\0') continue; - - // Get protocol to check if we can skip this entry - syscfg_get(ns, "proto", prot, sizeof(prot)); - - // Skip if this protocol is already covered (tcp only and tcp flag set, or udp only and udp flag set) - if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) || - (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) { - continue; - } - - // Check port range - char start_port[16], end_port[16]; - // Get and validate start_port - syscfg_get(ns, "start_port", start_port, sizeof(start_port)); - 
if (start_port[0] == '\0' || 0 != validate_port(start_port)) { - continue; - } - // Get and validate end_port - syscfg_get(ns, "end_port", end_port, sizeof(end_port)); - if (end_port[0] == '\0' || 0 != validate_port(end_port)) { - continue; - } - - int sp = atoi(start_port); - int ep = atoi(end_port); - if (sp > 443 || ep < 443) continue; // Port 443 not in range - - // Set flags based on protocol - if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) { - ms_has_tcp_443 = ms_has_udp_443 = 1; - break; - } else if (strncasecmp("tcp", prot, 3) == 0) { - ms_has_tcp_443 = 1; - } else if (strncasecmp("udp", prot, 3) == 0) { - ms_has_udp_443 = 1; - } - } - } - } - - // Emit SSL blocking rules for protocols not covered by managed services - if (!(ms_has_tcp_443 && ms_has_udp_443)) { - syscfg_get("blockssl", "result", query, sizeof(query)); - if (strcmp(query, "DROP") == 0 || strcmp(query, "ACCEPT") == 0) { - if (!ms_has_udp_443) { - fprintf(filter_fp, "-A lan2wan_misc -p udp --dport 443 -j %s\n", query); - } - if (!ms_has_tcp_443) { - fprintf(filter_fp, "-A lan2wan_misc -p tcp --dport 443 -j %s\n", query); - } - } - } + // Apply SSL blocking rule + do_ssl_blocking_rules(filter_fp, "lan2wan_misc"); } #endif diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 02514c17..5a1e71f4 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h 
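Review bot: The removed IPv4 code read the SSL policy with `syscfg_get("blockssl", "result", query, sizeof(query))`, but the shared helper this hunk now calls reads it as `syscfg_get(NULL, "blockssl::result", ...)` (the IPv6 form). If syscfg composes the namespace and key into `ns::name` these are the same lookup, but that equivalence is not visible here and should be confirmed, because on a lookup failure `do_ssl_blocking_rules` silently emits no port-443 rule at all, which fails open rather than closed. Since the helper returns `void`, the caller cannot tell the difference between "rule intentionally skipped" and "config lookup failed"; at minimum a comment at the call site should record the intended key form, e.g. `// Reads blockssl::result via the shared helper; emits nothing if the key is missing or not DROP/ACCEPT`. do_lan2wan_misc begins and ends outside this hunk.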
@@ -1259,10 +1259,22 @@ void get_iface_ipaddr_ula(const char* ifname,char* ipaddr, int max_ip_size); * @retval -1 if port is invalid. * */ -static inline int validate_port(const char* port_num) -{ - int port = atoi(port_num); - if (port <= 0 || port > MAX_PORT) - return -1; - return 0; -} +int validate_port(const char* port_num); + +/** +* @brief Apply SSL blocking rules based on managed sites/services configuration. +* +* Checks if managed sites or managed services (with port 443) are enabled, +* and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443. +* Rules are skipped per protocol if managed services covers that protocol on port 443. +* +* This function is shared by both IPv4 (firewall.c) and IPv6 (firewall_ipv6.c) +* to avoid code duplication. +* +* @param[in] fp - Pointer to the FILE stream for writing firewall rules. +* @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). +* +* @return None. +* +*/ +void do_ssl_blocking_rules(FILE *fp, const char *chain_name); diff --git a/source/firewall/firewall_ipv6.c b/source/firewall/firewall_ipv6.c index 0c5f3dc8..b92a5220 100644 --- a/source/firewall/firewall_ipv6.c +++ b/source/firewall/firewall_ipv6.c 
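Review bot: Turning `validate_port` from a `static inline` in the header into an extern declaration changes its linkage: every translation unit that includes firewall.h and calls it now needs firewall_utils.c linked in, and the Makefile hunk in this commit only adds that file to `firewall_SOURCES`. If any other target (unit tests, the CPC/DSL sources, or other binaries) includes this header and calls `validate_port`, it will now fail at link time rather than compile time, so that should be verified; I cannot tell from this view whether such callers exist. The header comment for `do_ssl_blocking_rules` should also state the failure behaviour callers must plan for, e.g. `* Emits no rule if blockssl::result is unset or is not DROP/ACCEPT.`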
@@ -1744,95 +1744,9 @@ void do_ipv6_filter_table(FILE *fp){ fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 500 -j ACCEPT\n"); fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 4500 -j ACCEPT\n"); } - // Check if managed sites/services affect SSL blocking on port 443 - int ms_has_tcp_443 = 0; - int ms_has_udp_443 = 0; - char sites_enabled[MAX_QUERY] = {0}; - char services_enabled[MAX_QUERY] = {0}; - - syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); - - // If managed sites is enabled, skip SSL blocking entirely - if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') { - ms_has_tcp_443 = 1; - ms_has_udp_443 = 1; - } else { - // Check managed services for port 443 - syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); - if (services_enabled[0] != '\0' && services_enabled[0] != '0') { - char ms_count_str[MAX_QUERY] = {0}; - int ms_count = 0; - syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - if (ms_count_str[0] != '\0') { - ms_count = atoi(ms_count_str); - } - if (ms_count < 0) { - ms_count = 0; - } else if (ms_count > MAX_SYSCFG_ENTRIES) { - ms_count = MAX_SYSCFG_ENTRIES; - } - - for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { - char ns[MAX_QUERY], prot[10]; - char query_tmp[MAX_QUERY]; - - snprintf(query_tmp, sizeof(query_tmp), "ManagedServiceBlock_%d", i); - syscfg_get(NULL, query_tmp, ns, sizeof(ns)); - if (ns[0] == '\0') continue; - - // Get protocol to check if we can skip this entry - syscfg_get(ns, "proto", prot, sizeof(prot)); - - // Skip if this protocol is already covered (tcp only and tcp flag set, or udp only and udp flag set) - if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) || - (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) { - continue; - } - - // Check port range - char start_port[16], end_port[16]; - // Get and validate start_port - syscfg_get(ns, "start_port", start_port, sizeof(start_port)); - if 
(start_port[0] == '\0' || 0 != validate_port(start_port)) { - continue; - } - // Get and validate end_port - syscfg_get(ns, "end_port", end_port, sizeof(end_port)); - if (end_port[0] == '\0' || 0 != validate_port(end_port)) { - continue; - } + // Apply SSL blocking rules + do_ssl_blocking_rules(fp, "lan2wan_misc_ipv6"); - int sp = atoi(start_port); - int ep = atoi(end_port); - if (sp > 443 || ep < 443) continue; // Port 443 not in range - - // Set flags based on protocol - if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) { - ms_has_tcp_443 = ms_has_udp_443 = 1; - break; - } else if (strncasecmp("tcp", prot, 3) == 0) { - ms_has_tcp_443 = 1; - } else if (strncasecmp("udp", prot, 3) == 0) { - ms_has_udp_443 = 1; - } - } - } - } - - // Emit SSL blocking rules for protocols not covered by managed services - if (!(ms_has_tcp_443 && ms_has_udp_443)) { - queryv6[0] = '\0'; - if (0 == syscfg_get(NULL, "blockssl::result", queryv6, sizeof(queryv6))) { - if (strcmp(queryv6, "DROP") == 0 || strcmp(queryv6, "ACCEPT") == 0) { - if (!ms_has_udp_443) { - fprintf(fp, "-A lan2wan_misc_ipv6 -p udp --dport 443 -j %s\n", queryv6); - } - if (!ms_has_tcp_443) { - fprintf(fp, "-A lan2wan_misc_ipv6 -p tcp --dport 443 -j %s\n", queryv6); - } - } - } - } queryv6[0] = '\0'; if((0 == syscfg_get(NULL, "blockl2tp::result", queryv6, sizeof(queryv6))) && strcmp(queryv6,"DROP") == 0){ diff --git a/source/firewall/firewall_utils.c b/source/firewall/firewall_utils.c new file mode 100644 index 00000000..a90d7316 --- /dev/null +++ b/source/firewall/firewall_utils.c 
@@ -0,0 +1,133 @@ +/* + * If not stated otherwise in this file or this component's Licenses.txt file the + * following copyright and licenses apply: + * + * Copyright 2015 RDK Management + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "firewall.h" + +/** + * @brief Validate if a port number string is valid. + * + * @param[in] port_num - Pointer to the port number string. + * + * @return The status of the operation. + * @retval 0 if port is valid (1-65535). + * @retval -1 if port is invalid. + */ +int validate_port(const char* port_num) +{ + int port = atoi(port_num); + if (port <= 0 || port > MAX_PORT) + return -1; + return 0; +} + +/** + * @brief Apply SSL blocking rules based on managed sites/services configuration. + * + * Checks if managed sites or managed services (with port 443) are enabled, + * and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443. + * Rules are skipped per protocol if managed services already covers that + * protocol on port 443. + * + * This function is shared by both IPv4 (firewall.c) and IPv6 (firewall_ipv6.c) + * to avoid code duplication. + * + * @param[in] fp - Pointer to the FILE stream for writing firewall rules. + * @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). 
+ */ +void do_ssl_blocking_rules(FILE *fp, const char *chain_name) +{ + int ms_has_tcp_443 = 0; + int ms_has_udp_443 = 0; + char sites_enabled[MAX_QUERY] = {0}; + char services_enabled[MAX_QUERY] = {0}; + + syscfg_get(NULL, "managedsites_enabled", sites_enabled, sizeof(sites_enabled)); + + /* If managed sites is enabled, skip SSL blocking entirely */ + if (sites_enabled[0] != '\0' && sites_enabled[0] != '0') { + ms_has_tcp_443 = 1; + ms_has_udp_443 = 1; + } else { + /* Check managed services for port 443 */ + syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); + if (services_enabled[0] != '\0' && services_enabled[0] != '0') { + char ms_count_str[MAX_QUERY] = {0}; + syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); + int ms_count = atoi(ms_count_str); + if (ms_count > MAX_SYSCFG_ENTRIES) + ms_count = MAX_SYSCFG_ENTRIES; + + for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { + char ns[MAX_QUERY], prot[10]; + char ms_namespace_key[MAX_QUERY]; + + snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); + syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); + if (ns[0] == '\0') + continue; + + /* Get protocol to check if we can skip this entry */ + syscfg_get(ns, "proto", prot, sizeof(prot)); + + /* Skip if this protocol is already covered */ + if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) || + (strncasecmp("udp", prot, 3) == 0 && ms_has_udp_443)) { + continue; + } + + /* Check port range */ + char start_port[16], end_port[16]; + syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + syscfg_get(ns, "end_port", end_port, sizeof(end_port)); + if (validate_port(start_port) != 0 || validate_port(end_port) != 0) + continue; + + int sp = atoi(start_port); + int ep = atoi(end_port); + if (sp > 443 || ep < 443) + continue; /* Port 443 not in range */ + + /* Set flags based on protocol */ + if (prot[0] == '\0' || strncasecmp("both", prot, 
4) == 0) { + ms_has_tcp_443 = ms_has_udp_443 = 1; + break; + } else if (strncasecmp("tcp", prot, 3) == 0) { + ms_has_tcp_443 = 1; + } else if (strncasecmp("udp", prot, 3) == 0) { + ms_has_udp_443 = 1; + } + } + } + } + + /* Emit SSL blocking rules for protocols not covered by managed services */ + if (!(ms_has_tcp_443 && ms_has_udp_443)) { + char query[MAX_QUERY] = {0}; + if (0 == syscfg_get(NULL, "blockssl::result", query, sizeof(query))) { + if (strcmp(query, "DROP") == 0 || strcmp(query, "ACCEPT") == 0) { + if (!ms_has_udp_443) { + fprintf(fp, "-A %s -p udp --dport 443 -j %s\n", chain_name, query); + } + if (!ms_has_tcp_443) { + fprintf(fp, "-A %s -p tcp --dport 443 -j %s\n", chain_name, query); + } + } + } + } +} From 53dd717fafbd9601bfae775006e4a5f75277f0fa Mon Sep 17 00:00:00 2001 From: suriya-prem Date: Wed, 15 Apr 2026 15:59:13 +0000 Subject: [PATCH 22/24] Addressed comments --- source/firewall/firewall.h | 3 --- source/firewall/firewall_utils.c | 24 +++++++++++++++--------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/source/firewall/firewall.h b/source/firewall/firewall.h index 5a1e71f4..70418829 100644 --- a/source/firewall/firewall.h +++ b/source/firewall/firewall.h @@ -1268,9 +1268,6 @@ int validate_port(const char* port_num); * and emits appropriate SSL blocking (DROP/ACCEPT) rules for port 443. * Rules are skipped per protocol if managed services covers that protocol on port 443. * -* This function is shared by both IPv4 (firewall.c) and IPv6 (firewall_ipv6.c) -* to avoid code duplication. -* * @param[in] fp - Pointer to the FILE stream for writing firewall rules. * @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). * diff --git a/source/firewall/firewall_utils.c b/source/firewall/firewall_utils.c index a90d7316..ccfa7d6c 100644 --- a/source/firewall/firewall_utils.c +++ b/source/firewall/firewall_utils.c 
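Review bot: `validate_port` still uses `atoi`, so a value such as `"443abc"` or `" 443"` validates and then parses as 443, while an out-of-range numeric string silently overflows to an implementation-defined value before the `MAX_PORT` check; since these strings come from persistent syscfg entries that other components write, the helper should reject anything that is not a whole, in-range decimal number. Replacing `atoi` with `strtol` plus an end-pointer and `errno` check makes the validation strict without changing the 0/-1 contract; this needs `#include <errno.h>` if firewall.h does not already provide it. The rest of `do_ssl_blocking_rules` compares the parsed values only and never copies the raw strings into rule text, so this is a robustness rather than an injection concern.

```c
int validate_port(const char* port_num)
{
    char *end = NULL;
    errno = 0;
    long port = strtol(port_num, &end, 10);
    /* Reject empty input, trailing garbage, overflow and out-of-range values. */
    if (end == port_num || *end != '\0' || errno == ERANGE || port <= 0 || port > MAX_PORT)
        return -1;
    return 0;
}
```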
@@ -2,7 +2,7 @@ * If not stated otherwise in this file or this component's Licenses.txt file the * following copyright and licenses apply: * - * Copyright 2015 RDK Management + * Copyright 2025 RDK Management * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -44,8 +44,6 @@ int validate_port(const char* port_num) * Rules are skipped per protocol if managed services already covers that * protocol on port 443. * - * This function is shared by both IPv4 (firewall.c) and IPv6 (firewall_ipv6.c) - * to avoid code duplication. * * @param[in] fp - Pointer to the FILE stream for writing firewall rules. * @param[in] chain_name - The iptables chain name (e.g., "lan2wan_misc" or "lan2wan_misc_ipv6"). @@ -68,11 +66,16 @@ void do_ssl_blocking_rules(FILE *fp, const char *chain_name) syscfg_get(NULL, "managedservices_enabled", services_enabled, sizeof(services_enabled)); if (services_enabled[0] != '\0' && services_enabled[0] != '0') { char ms_count_str[MAX_QUERY] = {0}; + int ms_count = 0; syscfg_get(NULL, "ManagedServiceBlockCount", ms_count_str, sizeof(ms_count_str)); - int ms_count = atoi(ms_count_str); - if (ms_count > MAX_SYSCFG_ENTRIES) + if (ms_count_str[0] != '\0') { + ms_count = atoi(ms_count_str); + } + if (ms_count < 0) { + ms_count = 0; + } else if (ms_count > MAX_SYSCFG_ENTRIES) { ms_count = MAX_SYSCFG_ENTRIES; - + } for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { char ns[MAX_QUERY], prot[10]; char ms_namespace_key[MAX_QUERY]; 
@@ -94,14 +97,17 @@ void do_ssl_blocking_rules(FILE *fp, const char *chain_name) /* Check port range */ char start_port[16], end_port[16]; syscfg_get(ns, "start_port", start_port, sizeof(start_port)); + if (start_port[0] == '\0' || validate_port(start_port) != 0) { + continue; + } syscfg_get(ns, "end_port", end_port, sizeof(end_port)); - if (validate_port(start_port) != 0 || validate_port(end_port) != 0) + if (end_port[0] == '\0' || validate_port(end_port) != 0) { continue; + } int sp = atoi(start_port); int ep = atoi(end_port); - if (sp > 443 || ep < 443) - continue; /* Port 443 not in range */ + if (sp > 443 || ep < 443) continue; /* Port 443 not in range */ /* Set flags based on protocol */ if (prot[0] == '\0' || strncasecmp("both", prot, 4) == 0) { From 140986e7799e9a4d5190b99ab047e7ff331b08a3 Mon Sep 17 00:00:00 2001 From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Thu, 16 Apr 2026 11:59:46 +0530 Subject: [PATCH 23/24] Update source/firewall/firewall_utils.c Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/firewall/firewall_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/firewall/firewall_utils.c b/source/firewall/firewall_utils.c index ccfa7d6c..17288aff 100644 --- a/source/firewall/firewall_utils.c +++ b/source/firewall/firewall_utils.c @@ -95,7 +95,7 @@ void do_ssl_blocking_rules(FILE *fp, const char *chain_name) } /* Check port range */ - char start_port[16], end_port[16]; + char start_port[16] = {0}, end_port[16] = {0}; syscfg_get(ns, "start_port", start_port, sizeof(start_port)); if (start_port[0] == '\0' || validate_port(start_port) != 0) { continue; From b4efd76be286a4963e8bc0ddd444b2ac870973d9 Mon Sep 17 00:00:00 2001 
From: Suriyanarayanan <224775237+suriya-prem@users.noreply.github.com> Date: Fri, 17 Apr 2026 09:47:53 +0530 Subject: [PATCH 24/24] Update source/firewall/firewall_utils.c Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/firewall/firewall_utils.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/source/firewall/firewall_utils.c b/source/firewall/firewall_utils.c index 17288aff..0ee213ee 100644 --- a/source/firewall/firewall_utils.c +++ b/source/firewall/firewall_utils.c @@ -77,16 +77,17 @@ void do_ssl_blocking_rules(FILE *fp, const char *chain_name) ms_count = MAX_SYSCFG_ENTRIES; } for (int i = 1; i <= ms_count && !(ms_has_tcp_443 && ms_has_udp_443); i++) { - char ns[MAX_QUERY], prot[10]; - char ms_namespace_key[MAX_QUERY]; + char ns[MAX_QUERY] = {0}, prot[10] = {0}; + char ms_namespace_key[MAX_QUERY] = {0}; snprintf(ms_namespace_key, sizeof(ms_namespace_key), "ManagedServiceBlock_%d", i); - syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)); - if (ns[0] == '\0') + if (syscfg_get(NULL, ms_namespace_key, ns, sizeof(ns)) != 0 || ns[0] == '\0') continue; /* Get protocol to check if we can skip this entry */ - syscfg_get(ns, "proto", prot, sizeof(prot)); + if (syscfg_get(ns, "proto", prot, sizeof(prot)) != 0) { + prot[0] = '\0'; + } /* Skip if this protocol is already covered */ if ((strncasecmp("tcp", prot, 3) == 0 && ms_has_tcp_443) ||
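Review bot: Resetting `prot` to the empty string when `syscfg_get(ns, "proto", ...)` fails feeds straight into the later `prot[0] == '\0' || strncasecmp("both", prot, 4) == 0` branch, so an unreadable proto entry whose port range spans 443 is treated as covering both TCP and UDP and suppresses the blockssl rule entirely. A failed lookup is not evidence that the service block covers anything, so the conservative choice is to skip the entry and keep the SSL rule: `if (syscfg_get(ns, "proto", prot, sizeof(prot)) != 0) { continue; }`. If an absent proto is genuinely meant to mean "both" in this config schema, that intent should be stated in a comment so the fail-open behaviour is deliberate rather than accidental; I cannot confirm the schema from this view. The `for` loop this hunk edits continues past the end of the hunk.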