[ip6] drop UDP datagrams from an untrusted origin to TMF port #9437

Merged (1 commit), Oct 5, 2023

@superwhd superwhd commented Sep 19, 2023

This PR drops UDP datagrams from an untrusted origin to the TMF port.

Examples of untrusted origins:

  • A process other than OT on the host sends the packet to the Thread network via the platform API.
  • A packet forwarded from the infrastructure network to the Thread network by a Thread Border Router.

OT shouldn't allow UDP datagrams from untrusted origins to go to the TMF port of any Thread device.

To implement this, a new API, `otIp6SendFromOrigin`, is introduced. It can be used to specify the origin of a packet you want to send. This PR also encapsulates the 'origin' information in `Message::Metadata`.
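
The origin-tagged filtering described in the PR description above, as an added C++ sketch that is not part of the original post and not OpenThread's code. The `Origin` values, the `Message` struct and all function names are hypothetical, port 61631 is the TMF port quoted later on this page, and dropping unparseable datagrams from an untrusted origin is this sketch's own choice.

```cpp
// Added illustration, not OpenThread source; every identifier is hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint16_t kTmfPort   = 61631; // TMF port number quoted on this page
constexpr uint8_t  kProtoUdp  = 17;
constexpr uint8_t  kHopByHop  = 0;
constexpr uint8_t  kRouting   = 43;
constexpr uint8_t  kDstOpts   = 60;
constexpr size_t   kIp6HdrLen = 40;
constexpr size_t   kUdpHdrLen = 8;

// Where a datagram entered the stack. The enqueuing code sets it; it is
// never derived from the packet bytes, which the sender controls.
enum class Origin : uint8_t { kThreadNetif, kHostTrusted, kHostUntrusted };
enum class Verdict : uint8_t { kAccept, kDrop };
enum class Parse : uint8_t { kUdp, kNotUdp, kMalformed };

struct Message
{
    std::vector<uint8_t> mBytes;  // complete IPv6 datagram
    Origin               mOrigin; // metadata carried beside the bytes
};

// Finds the UDP destination port, walking hop-by-hop, routing and
// destination-options headers that may precede the UDP header.
static Parse FindUdpDstPort(const std::vector<uint8_t> &aBytes, uint16_t &aPort)
{
    if (aBytes.size() < kIp6HdrLen || (aBytes[0] >> 4) != 6) return Parse::kMalformed;

    uint8_t next   = aBytes[6];
    size_t  offset = kIp6HdrLen;

    while (next == kHopByHop || next == kRouting || next == kDstOpts)
    {
        if (aBytes.size() < offset + 8) return Parse::kMalformed;
        next = aBytes[offset];
        offset += (static_cast<size_t>(aBytes[offset + 1]) + 1) * 8; // length is in 8-octet units
    }

    if (next != kProtoUdp) return Parse::kNotUdp; // TCP, ICMPv6, ... are outside this filter
    if (aBytes.size() < offset + kUdpHdrLen) return Parse::kMalformed;

    aPort = static_cast<uint16_t>((aBytes[offset + 2] << 8) | aBytes[offset + 3]);
    return Parse::kUdp;
}

// The policy from the PR description: UDP to the TMF port is dropped when
// the datagram's origin is untrusted; other origins are not filtered here.
Verdict FilterTmf(const Message &aMessage)
{
    uint16_t port = 0;

    if (aMessage.mOrigin != Origin::kHostUntrusted) return Verdict::kAccept;

    switch (FindUdpDstPort(aMessage.mBytes, port))
    {
    case Parse::kUdp:
        return (port == kTmfPort) ? Verdict::kDrop : Verdict::kAccept;
    case Parse::kNotUdp:
        return Verdict::kAccept;
    default:
        return Verdict::kDrop; // sketch's choice: fail closed on unparseable input
    }
}

// Constructed test datagram: zeroed addresses, optional 8-byte hop-by-hop header.
std::vector<uint8_t> MakeDatagram(uint8_t aProto, uint16_t aDstPort, bool aHopByHop = false)
{
    std::vector<uint8_t> d(kIp6HdrLen, 0);
    d[0] = 0x60; // version 6
    d[6] = aHopByHop ? kHopByHop : aProto;
    if (aHopByHop)
    {
        const uint8_t hbh[8] = {aProto, 0, 1, 4, 0, 0, 0, 0}; // next header, len 0, PadN
        d.insert(d.end(), hbh, hbh + 8);
    }
    const uint8_t l4[8] = {0xC0, 0x00, static_cast<uint8_t>(aDstPort >> 8),
                           static_cast<uint8_t>(aDstPort & 0xFF), 0, 8, 0, 0};
    d.insert(d.end(), l4, l4 + 8);
    d[5] = static_cast<uint8_t>(d.size() - kIp6HdrLen); // payload length (low byte)
    return d;
}

int main()
{
    const Message samples[] = {
        {MakeDatagram(kProtoUdp, kTmfPort), Origin::kHostUntrusted},
        {MakeDatagram(kProtoUdp, kTmfPort), Origin::kThreadNetif},
        {MakeDatagram(kProtoUdp, kTmfPort, true), Origin::kHostUntrusted},
        {MakeDatagram(kProtoUdp, 5683), Origin::kHostUntrusted},
    };
    for (const Message &m : samples)
        std::printf("%s\n", FilterTmf(m) == Verdict::kDrop ? "drop" : "accept");
    return 0;
}
```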


size-report bot commented Sep 19, 2023

Size Report of OpenThread

Merging #9437 into main(a363396).

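| name | branch | text | data | bss | total |
|---|---|---|---|---|---|
| ot-cli-ftd | main | 462576 | 760 | 66204 | 529540 |
| | #9437 | 462840 | 760 | 66204 | 529804 |
| | +/- | +264 | 0 | 0 | +264 |
| ot-ncp-ftd | main | 433948 | 760 | 61368 | 496076 |
| | #9437 | 434148 | 760 | 61368 | 496276 |
| | +/- | +200 | 0 | 0 | +200 |
| libopenthread-ftd.a | main | 232194 | 0 | 40166 | 272360 |
| | #9437 | 232521 | 0 | 40166 | 272687 |
| | +/- | +327 | 0 | 0 | +327 |
| libopenthread-cli-ftd.a | main | 55964 | 0 | 8051 | 64015 |
| | #9437 | 55964 | 0 | 8051 | 64015 |
| | +/- | 0 | 0 | 0 | 0 |
| libopenthread-ncp-ftd.a | main | 31497 | 0 | 5852 | 37349 |
| | #9437 | 31497 | 0 | 5852 | 37349 |
| | +/- | 0 | 0 | 0 | 0 |
| ot-cli-mtd | main | 361072 | 760 | 51132 | 412964 |
| | #9437 | 361320 | 760 | 51132 | 413212 |
| | +/- | +248 | 0 | 0 | +248 |
| ot-ncp-mtd | main | 344820 | 760 | 46304 | 391884 |
| | #9437 | 345012 | 760 | 46304 | 392076 |
| | +/- | +192 | 0 | 0 | +192 |
| libopenthread-mtd.a | main | 154669 | 0 | 25102 | 179771 |
| | #9437 | 154968 | 0 | 25102 | 180070 |
| | +/- | +299 | 0 | 0 | +299 |
| libopenthread-cli-mtd.a | main | 39029 | 0 | 8043 | 47072 |
| | #9437 | 39029 | 0 | 8043 | 47072 |
| | +/- | 0 | 0 | 0 | 0 |
| libopenthread-ncp-mtd.a | main | 24377 | 0 | 5852 | 30229 |
| | #9437 | 24377 | 0 | 5852 | 30229 |
| | +/- | 0 | 0 | 0 | 0 |
| ot-cli-ftd-br | main | 529368 | 768 | 131076 | 661212 |
| | #9437 | 529648 | 768 | 131076 | 661492 |
| | +/- | +280 | 0 | 0 | +280 |
| libopenthread-ftd-br.a | main | 294047 | 5 | 105014 | 399066 |
| | #9437 | 294386 | 5 | 105014 | 399405 |
| | +/- | +339 | 0 | 0 | +339 |
| libopenthread-cli-ftd-br.a | main | 69165 | 0 | 8075 | 77240 |
| | #9437 | 69165 | 0 | 8075 | 77240 |
| | +/- | 0 | 0 | 0 | 0 |
| ot-rcp | main | 61880 | 564 | 20532 | 82976 |
| | #9437 | 61880 | 564 | 20532 | 82976 |
| | +/- | 0 | 0 | 0 | 0 |
| libopenthread-rcp.a | main | 9182 | 0 | 4988 | 14170 |
| | #9437 | 9182 | 0 | 4988 | 14170 |
| | +/- | 0 | 0 | 0 | 0 |
| libopenthread-radio.a | main | 18528 | 0 | 206 | 18734 |
| | #9437 | 18528 | 0 | 206 | 18734 |
| | +/- | 0 | 0 | 0 | 0 |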

@superwhd superwhd changed the title [ip6] drop IPv6 datagrams from an untrusted source heading to TMF port [ip6] drop IPv6 datagrams from an untrusted origin heading to TMF port Sep 19, 2023
@superwhd superwhd changed the title [ip6] drop IPv6 datagrams from an untrusted origin heading to TMF port [ip6] drop IPv6 datagrams from an untrusted origin going to TMF port Sep 19, 2023
@superwhd superwhd changed the title [ip6] drop IPv6 datagrams from an untrusted origin going to TMF port [ip6] drop IPv6 datagrams from an untrusted origin to TMF port Sep 19, 2023
@superwhd superwhd changed the title [ip6] drop IPv6 datagrams from an untrusted origin to TMF port [ip6] drop UDP datagrams from an untrusted origin to TMF port Sep 20, 2023

codecov bot commented Sep 20, 2023

Codecov Report

Merging #9437 (e1656ae) into main (a363396) will decrease coverage by 1.77%.
The diff coverage is 81.48%.

Additional details and impacted files
```
@@            Coverage Diff             @@
##             main    #9437      +/-   ##
==========================================
- Coverage   85.86%   84.10%   -1.77%     
==========================================
  Files         559      539      -20     
  Lines       73896    71873    -2023     
==========================================
- Hits        63453    60448    -3005     
- Misses      10443    11425     +982     
```
| Files | Coverage Δ |
|---|---|
| include/openthread/coap.h | 100.00% <ø> (ø) |
| src/core/api/ip6_api.cpp | 71.55% <100.00%> (-6.02%) ⬇️ |
| src/core/common/message.cpp | 98.07% <100.00%> (+0.01%) ⬆️ |
| src/core/common/message.hpp | 99.29% <100.00%> (-0.01%) ⬇️ |
| src/core/net/ip6.hpp | 94.11% <ø> (-0.89%) ⬇️ |
| src/core/net/ip6_mpl.cpp | 84.37% <100.00%> (+0.28%) ⬆️ |
| src/core/thread/mesh_forwarder.cpp | 85.20% <100.00%> (-1.75%) ⬇️ |
| src/posix/platform/netif.cpp | 69.42% <100.00%> (-21.60%) ⬇️ |
| tests/unit/test_message.cpp | 100.00% <100.00%> (ø) |
| src/core/api/coap_api.cpp | 62.29% <83.33%> (+1.76%) ⬆️ |
... and 4 more

... and 127 files with indirect coverage changes

@superwhd superwhd force-pushed the filter-tmf branch 2 times, most recently from 367be59 to c8d23c1 Compare September 21, 2023 04:49
@superwhd superwhd marked this pull request as ready for review September 21, 2023 07:04

@abtink abtink left a comment


Thanks @superwhd

Some suggestions/ideas below:

@superwhd superwhd force-pushed the filter-tmf branch 4 times, most recently from d317c84 to 9d1e724 Compare September 25, 2023 07:31
@jwhui jwhui merged commit e64f38a into openthread:main Oct 5, 2023
105 checks passed
superwhd pushed a commit to superwhd/openthread that referenced this pull request Oct 13, 2023
* upstream/main:
  [test] fix unused returned `error` warning in `test_message` (openthread#9496)
  [mesh-forwarder] remove message if no pending tx in `SendMessage()` (openthread#9495)
  [crypto-platform] fix build issue with mbedtls v3.5.0 (openthread#9492)
  [mle-router] add `RouterRoleTransition` nested class (openthread#9490)
  [routing-manager] include Stub Router flag in emitted RAs by BR (openthread#9486)
  [ip6] drop UDP datagrams from an untrusted origin to TMF port (openthread#9437)
  [mle] handle received Advertisements from `RxOnlyNeighbor` on FED (openthread#9484)
  [docs] fix typos in Doxygen documentation (openthread#9485)
  [mle] send data polls after Child ID Request ack (openthread#9264)
  [mle] simplify reattach on losing connectivity to leader (openthread#9479)
  [backbone-router] use `TimeTicker` directly to delay registration (openthread#9483)
  [bbr-local] simplify `AddService()` and its use (openthread#9477)
  [github-actions] fix the `codespell` version in `spell-check` job (openthread#9482)
  github-actions: bump actions/checkout from 4.0.0 to 4.1.0 (openthread#9476)
  [routing-manager] new config to use heap for `PrefixTable` entries (openthread#9455)
  [docs] Doxygen tags for CLI commands [`neighbor linkquality` — `networkidtimeout`]  (openthread#9466)
  [nd6] add `RaFlagsExtOption` and track flags in received RAs (openthread#9448)
  [mle] simplify `ProcessRouteTlv()` call in `HandleAdvertisement()` (openthread#9465)
  [joiner] check for non-zero joiner UDP port before electing a joiner router (openthread#9445)
  [posix] address coverity warning: argument cannot be negative (openthread#9453)
  [ip6] update where `HandlePayload()` check `message` is not null (openthread#9462)
  [script] exclude `ot_testing` and `__pycache__` when building the OTBR docker (openthread#9457)
  [docs] adding Doxygen tags for CLIs `mac retries direct` - `mac send` (openthread#9451)
  [docs] add Doxygen tags for CLI commands (`macfilter rss add`  - `macfilter rss remove`) (openthread#9442)
  [address-resolver] set minimum `kMaxNonEvictableSnoopedEntries` to `1` (openthread#9460)
  github-actions: bump github/codeql-action from 2.21.4 to 2.21.8 (openthread#9459)
  Revert "[nat64] enable discovering NAT64 AIL prefix for OpenWRT (openthread#9441)" (openthread#9458)
  [spinel] reset mState to kStateDisabled if recovering from kStateDisaled (openthread#9450)
  [tmf] set default snoop cache entry count to 1/16 of total (openthread#9440)
  [nat64] enable discovering NAT64 AIL prefix for OpenWRT (openthread#9441)
  [docs] add Doxygen tags for CLI commands (`macfilter` - `macfilter addr`) (openthread#9424)
  [border-agent] simplify `ForwardContext` allocation and ownership (openthread#9444)
  [posix] update the default channel masks in the configuration file (openthread#9443)
  [tcp] address uninitialized variable warning (openthread#9438)
  [cli] fix `ba state` output and conversion of state to string (openthread#9433)
  [border-agent] smaller enhancements (openthread#9432)
  github-actions: bump actions/checkout from 3.6.0 to 4.0.0 (openthread#9429)
  [spinel] save MAC frame counter to a local variable (openthread#9407)
  [posix] add channel mask configurations to configuration file (openthread#9391)
  [firewall] implement packet filtering in OT core (openthread#9402)
  [netdata] remove unallocated router ID entries on recovery after reset (openthread#9421)
  [posix] add a flag to turn posix multicast routing feature on/off (openthread#9412)
  [docs] add Doxygen tags for CLI commands (`tvcheck` - `unsecure`) (openthread#9419)
  [url] add methods to parse parameters from url (openthread#9392)
  [mac] fix channel switching issue during energy scan (openthread#9405)
  [address-resolver] remove cache entry if its RLOC16 is unreachable (openthread#9411)
  [include] remove include of core config file (openthread#9417)
  [csl] ignore zero valued CSL IE period (openthread#9414)
  [mac] document and adjust to standards based timing concepts (openthread#9322)
  github-actions: bump actions/setup-go from 4.0.1 to 4.1.0 (openthread#9413)
  [mle] suppress Announce response to orphan child on same channel and PAN ID (openthread#9388)
  [cli] add Doxygen tags to all `trel` commands (openthread#9406)
  [docs] CLI updates (openthread#9401)
  [srp-server] process completed update from proxy from taskelt (openthread#9398)
  [script] `check-size` to generate formatted table on push (openthread#9382)
  [data-poll-handler] reset tx attempts when replacing a frame (openthread#9397)
  github-actions: bump actions/checkout from 3.5.3 to 3.6.0 (openthread#9396)
  [link-metrics] implement link metrics manager (openthread#9375)
  [docs] added Doxygen tags to new CLIs (openthread#9384)
  [mle] add `OPENTHREAD_CONFIG_MLE_DEVICE_PROPERTY_LEADER_WEIGHT_ENABLE` (openthread#9387)
  [cli] fix RTT compiling issue (openthread#9385)
  [meshcop] print TLV State after receiving responses (openthread#9350)
  [core] add separate `neighbor.hpp`, `child.hpp`, and `router.hpp` (openthread#9376)
  [mesh-forwarder] update `aIp6Header` arg name to follow style guide (openthread#9378)
  github-actions: bump github/codeql-action from 2.20.3 to 2.21.4 (openthread#9377)
  [docs] add tags to new CLIs (openthread#9367)
  [script] update the `check-size` report (openthread#9368)
  [trel] bugfix for MAC security failure on key sequence change (openthread#9371)
  [cli] simplify `dataset` commands (openthread#9366)
  [docs] cli cmd doc updates (locate - log level) (openthread#9354)
  [tcplp] add support for TCP Fast Open (without cookie management) (openthread#9165)
  github-actions: bump step-security/harden-runner from 2.5.0 to 2.5.1 (openthread#9365)
  [mesh-forwarder] minimize use of default parameters in methods (openthread#9364)
  [posix] allow disabling CLI for daemon (openthread#9357)
  [dnssd-server] simplify resolving of query by proxy (openthread#9353)
  [dnssd-server] determine query type & simplify processing of query name (openthread#9349)
  [mac-frame] update `GenerateEnhAck()` to use `InitMacHeader()` (openthread#9338)
  [mle] reorganize MLE constants (openthread#9355)
  github-actions: bump actions/setup-python from 4.6.1 to 4.7.0 (openthread#9356)
  [mac-frame] update `InitMacFrame()` (openthread#9337)
  [cli] support RTT as cli interface (openthread#9148)
  [docs] added Doxygen tags to 4 CLIs (openthread#9352)
  [link-metrics] update link metrics callback parameter (openthread#9343)
  github-actions: bump docker/setup-buildx-action from 2.5.0 to 2.9.1 (openthread#9344)
  [posix] fix rcp reset flow in `ResetRcp` (openthread#9314)
  [mesh-forwarder] disallow new message eviction in `ApplyDirectTxQueueLimit()` (openthread#9348)
  [dns-client] handle multiple CNAME record in response (openthread#9339)
  [netdata] fix the source address check in `LeaderBase::RouteLookup()` (openthread#9335)
  [dnssd-server] simplifications and enhancements (openthread#9334)
  [dnssd-server] send response if `ResolveByUpstream()` fails (openthread#9331)
  [clang-tidy] fix `bugprone-too-small-loop-variable` warnings (openthread#9321)
  [spinel] networkInfo may not exist when recovering from RCP failure (openthread#9327)
  [mle] reorder `Mle` class member variables (openthread#9320)
  [thci] fix for ncs thci issues (openthread#9328)
  [docs] fix some typos (openthread#9324)
  github-actions: bump step-security/harden-runner from 2.4.1 to 2.5.0 (openthread#9325)
  [mle] change `protected` declarations as `private (openthread#9317)
  [mac-frame] check rx frame security level in `GenerateEnhAck()` (openthread#9315)
  [mle] update Avd trickle timer interval based on router neighbor count (openthread#9307)
  [link-metrics] verify neighbor state when processing messages (openthread#9311)
  [routing-manager] add `SetIfIndex` in `RoutingManager` (openthread#9305)
  [clang-tidy] move config to `.clang-tidy` file (openthread#9308)
  github-actions: bump step-security/harden-runner from 2.3.1 to 2.4.1 (openthread#9310)
  [srp-server] ensure `Host` is freed when committing with zero key-lease (openthread#9309)
  [cli] add docs for `detach` command (openthread#9303)
  [config] define separate project and platform core config header (openthread#9291)
  [mle] define separate `TxChallenge` and `RxChallenge` types (openthread#9304)
  [csl] update CSL public APIs to use microseconds unit for period (openthread#9285)
  [srp-server] simplify tracking of host key (openthread#9296)
  [srp-server] simplify `RemoveHost()` method (openthread#9295)
  [posix] loose check for NETLINK_EXT_ACK and NETLINK_CAP_ACK (openthread#9299)
  [posix] fix name of vendor-supplied target to `OT_POSIX_CONFIG_RCP_VENDOR_INTERFACE` (openthread#9297)
  [posix] replace RCP vendor extension find package with include command (openthread#9241)
  [random] remove mbedtls header from api (openthread#9286)
  [mle] simplify `HandleChildIdRequest()` (openthread#9292)
  [link-metrics] minimize the Link Metrics entry count for MTD (openthread#9188)
  [cmake] add macros to simplify CMake config definition (openthread#9288)
  [dnssd-server] skip additional records on a PTR query with multiple answers (openthread#9281)
  [posix] fix logging of netlink errors (openthread#9287)
  github-actions: bump docker/login-action from 2.1.0 to 2.2.0 (openthread#9289)
  [routing-manager] support Advertising PIO (AP) flag in published route (openthread#9274)
  [toranj] remove docs from test specific config headers (openthread#9276)
  [github-action] install `prettier@2.0.4` in `pretty` job (openthread#9279)
  [routing-manager] add `SetState()` in `OnLinkPrefixManager` (openthread#9273)
  [border-agent] fix struct typedef for `otBorderAgentId` (openthread#9277)
  [spinel] fix error code when waiting rcp response timeout (openthread#9278)
  [srp-server] simplify sub-type services (openthread#9208)
  [mle] ensure key sequence is updated in MLE responses (openthread#9271)
  [mesh-forwarder] add time-in-queue statistics collection feature (openthread#9170)
  [net-diag] define Child, Neighbor, and Child IPv6 Address List TLVs (openthread#8866)
  github-actions: bump github/codeql-action from 2.3.5 to 2.20.3 (openthread#9265)
  [time] update DistantFuture/Past() to exclude value half range apart (openthread#9263)
  [commissioner] simplify and fix scheduling of expiration timer (openthread#9262)
  [test] fix unused returned value warning in `test_hdlc` (openthread#9256)
  Bump grpcio from 1.20.1 to 1.53.0 in /tools/harness-simulation/harness (openthread#9257)
  [cli] fix `childsupervision` commands documentation (openthread#9201)
  [posix] fix the snprintf buffer overflow issue (openthread#9251)
  [mac] remove duplicated method for getting the MAC frame length (openthread#9254)
  [spinel] return error from `SaveFrame` if not enough space is available (openthread#9244)
  github-actions: bump actions/setup-python from 4.6.0 to 4.6.1 (openthread#9252)
  [routing-manager] `PdPrefixManager` to clear prefix bits when extending length (openthread#9249)
  [ncp] keep timeout zero during ramp-down in spinel `ADDRESS_CACHE_TABLE` (openthread#9247)
  [csl] add APIs to retrieve status (openthread#8793)
  [address-resolver] implement ramp-down mechanism for retry delay (openthread#9162)
  [routing-manager] determine route preference from parent link quality (openthread#9080)
  [mesh-forwarder] only mark Key ID Mode 0 and 1 as secure
  [posix] fix missing `nullptr` pointer check (openthread#9179)
  [examples] remove example platform redirects (openthread#9246)
  [build] cleanup autotools references (openthread#9242)
  [mac] move ack processing to `HandleTransmitDone()` (openthread#9245)
  [mle] delay router role downgrade on security policy change (openthread#9187)
  [dataset] add build option for `GenerateLocal` (openthread#9215)
  [dns] add `otDnsEncodeTxtData()` API (openthread#9214)
  [meshcop] fix compilation error mbedtls_base64_encode not defined (openthread#9206)
  [message] allow heap usage when using non-thread commissioning (openthread#9205)
  [build] remove autotools (openthread#9027)
  [message] remove child mask from message metadata in MTD (openthread#9213)
  [tmf] BRs default to 256 address cache entries (openthread#9078)
  [logging] fix print format related to infra netif logs (openthread#9212)
  [tests] properly configure operational dataset in BR tests (openthread#9209)
  [netdata] mechanism to detect & signal when network data gets full (openthread#9073)
  [toranj-cli] properly configure operational dataset (openthread#9207)
  [unit-test] properly configure operational dataset (openthread#9203)
  [srp-server] allow service instance label with dot character (openthread#9198)
  github-actions: bump ossf/scorecard-action from 2.1.3 to 2.2.0 (openthread#9204)
  [script] properly configure dataset in `check-posix-pty` (openthread#9202)
  [test] update unit test emulating radio (openthread#9200)
  [docs] add radio defgroup for proper documentation (openthread#9195)
  [csl] ensure child is synchronized when preparing a CSL transmission (openthread#9199)
  [otci] properly configure operational dataset (openthread#9190)
  [thread-cert] properly configure operational dataset (openthread#9189)
  [posix] add posix support for sending RA messages to routing manager (openthread#9160)
  [cli] expose `otLinkSetEnabled` (openthread#9193)
  github-actions: bump actions/checkout from 3.5.2 to 3.5.3 (openthread#9192)
  [expect] properly configure operational dataset (openthread#9183)
  [thci] revert spellcheck in THCI method names (openthread#9175)
  [coap] fix minor typo (openthread#9180)
  [netif] simplify signaling address events (openthread#9173)
  [mac] enable/disable radio together with MAC (openthread#9156)
  [cli] add command to get tcp results (openthread#9142)
  [radio] add radio statistics of tx/rx/sleep cycle (openthread#9071)
  [routing-manager] remove unnecessary `kOnMeshPrefixLength` decl (openthread#9176)
  [spinel] move `SpiFrame` implementation to spi_frame.hpp (openthread#9151)
  [cli] update `OutputEidCacheEntry()` (openthread#9171)
  [mesh-diag] fix initializing of `mEndOffset` in `ChildIterator` (openthread#9172)
  [routing-manager] require valid on-link prefix to be /64 (openthread#9167)
  [config] add `mesh_forwarder.h` config header file (openthread#9164)
  github-actions: bump codecov/codecov-action from 3.1.3 to 3.1.4 (openthread#9166)
  [spinel] move the `MultiFrameBuffer` implementation to multi_frame_buffer.hpp (openthread#9150)
  [mle] send unicast Link Request to 1.2 parent on router role promo (openthread#9154)
  [docs] cli cmd doc updates (mliid - multiradio neighbor) (openthread#9155)
  [toranj] update `build.sh` script to use Thread version 1.3.1 (openthread#9159)
  [csl] improved CSL debug logging (openthread#9040)
  [mle] restrict `otDeviceProperties` to version 1.3.1 or later (openthread#9157)
  [spinel] remove fetching the ncp dataset (openthread#9140)
  [cmake] fix OT_THREAD_VERSION comparison in CMake (openthread#9158)
  [bbr] simplify `DomainPrefixEvent` (openthread#9152)
  [routing-manager] initial PD support with platform generated RA (openthread#9050)
  [tlvs] new helper to find the start and end offsets of a TLV value (openthread#9144)
  [spinel] fix the non-virtual destructor error (openthread#9139)
  [posix] replace fd_sets with the mainloop context (openthread#9127)
  [logging] fix rtt logging not using defined buffer index (openthread#9133)
  [netif] use fix type to u8 for addr_gen_mode (openthread#9147)
  [mlr] use `Array<>` to track old registered MLR addresses (openthread#9134)
  [cli] add helper `ProcessEnableDisable()` methods (openthread#9138)
  [mle] simplify tracking of registered DUA address by child (openthread#9137)
  [posix] unify the spinel interface functions (openthread#9107)
  github-actions: bump actions/checkout from 3.3.0 to 3.5.2 (openthread#9132)
  [bbr] move BBR constants to related source files (openthread#9129)
  [cli] add CLI Backbone Router (`Bbr`) sub-module (openthread#9128)
  [sntp-client] smaller enhancements (openthread#9125)
  [github-actions] update ubuntu to 22.04 on `ot-commissioner` test (openthread#9130)
  [toranj] update `build.sh` script to use CMake for all builds (openthread#9115)
  [routing-manager] fix deprecating on-link prefix from inactive router (openthread#9121)
  [backbone-router] use `Clamp` to check MLR timeout value (openthread#9119)
  [core] use `Min()`, `Max()` to clip values (openthread#9117)
  [build] delete the removed child supervision config in `cmake-build` (openthread#9111)
  [posix] add unified platform API for setting NAT64 CIDR during runtime (openthread#8947)
  [link-quality] fix corner case of `ScaleRawValueToRssi` (openthread#9102)
  [posix] fix setting non-standard baudrate on mac (openthread#9090)
  [routing-manager] update logs (openthread#9095)
  [random] add `Fill<ObjectType>()` function (openthread#9097)
  [csl] fix 15.4-secured broadcast frames (openthread#9103)
  [posix] add Thread network default interface name configuration (openthread#9089)
  github-actions: bump github/codeql-action from 2.3.3 to 2.3.5 (openthread#9100)
  [radio] fix return code doc of link metrics api (openthread#9098)
  [docs] remove redundant "This method" and "This function" (openthread#9096)
  [cli] update documentation of `Process()` method in CLI sub-modules (openthread#9093)
  [cli] add CLI `MacFilter` sub-module (openthread#9088)
  [cli] add helper `OutputNat64Counters()` (openthread#9087)
  [tests] check whether the unreachable address is included in the DNS-SD response (openthread#9075)
  [uptime] requires UPTIME feature to be enabled on FTD build (openthread#9079)
  [alarm] `otPlatAlarm` requirements clarification (openthread#9067)
  [test] add code spell check and correct wrong spelling (openthread#9066)
  github-actions: bump actions/setup-go from 4.0.0 to 4.0.1 (openthread#9076)
  [notifier] add missing event in `EventToString()` (openthread#9072)
  [cli] add CLI DNS sub-module (openthread#9069)
  [core] add the instance id (openthread#9055)
  [cli] fix config check for "vendor" command (openthread#9068)
  [ncp] fix RegisterPeekPokeDelegates call (openthread#9064)
  [border-agent] set Border Agent ID via CLI (openthread#9049)
  [dns-client] new API resolve host and address (openthread#9054)
  [routing-manager] add `OmrPrefixManager` (openthread#9062)
  [csl] split min receive window into MHR ahead and after times (openthread#9041)
  [ip6] add `Tidy` method to `Ip6::Prefix` (openthread#9057)
  [cli] support adding vendor command list to cli apps (openthread#9001)
  [radio-spinel] add log on RCP timeout error during init (openthread#9059)
  [mle] echo back "Supervision TLV" in Child ID Response (openthread#9061)
  [tests] fix `routing_manager` unit tests (openthread#9053)
  [nat64] check OMR prefix when selecting favored NAT64 prefix (openthread#8995)
  github-actions: bump github/codeql-action from 2.2.12 to 2.3.3 (openthread#9051)

Change-Id: Ib37b5a0813cc447220c822928d6a88ce8f435249
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 15, 2024
Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we need to trust messages sent by reference devices.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 16, 2024
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 16, 2024
…rd custom tmf messages from host

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a cli toggle that can let reference devices (with platform udp enabled) send and forward these custom TMF messages from the host.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 17, 2024
…om unknown origins

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a cli toggle (for reference devices) to disable the filter that drops TMF messages from unknown origins.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 17, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 18, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 18, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 18, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 18, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 18, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 19, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 22, 2024
…om unknown origins

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a CLI toggle (for reference devices) as a test sub-command to disable the filter that drops TMF messages from unknown origins.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 22, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 25, 2024
…om unknown origins

suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 26, 2024
…om unknown origins

jwhui pushed a commit that referenced this pull request Apr 26, 2024
…om unknown origins (#10028)

Reference devices that are part of the Thread test harness construct
CoAP packets sent on TMF port 61631 for certain tests, for example in
the 5.9.x series where they have to force address errors (a/ae) for
duplicate DUA or re-registration tests. These tests started to fail
when reference device firmware was updated recently to a newer
OpenThread stack that included the change in
#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a CLI toggle (for reference
devices) as a test sub-command to disable the filter that drops TMF
messages from unknown origins.
abtink added a commit to abtink/openthread that referenced this pull request Jul 25, 2024
This commit removes the checks previously performed on messages with
the origin `HostTrusted` that are to be forwarded to the Thread mesh.
This origin is used for messages generated by the OpenThread stack
itself. These checks were unnecessarily restricting such messages
from using Thread Control UDP port numbers (like TMF, MLE, etc.).
The additional check `!IsLoopbackToHostAllowed()` (which is set to
`true` by default on such messages) bypassed the entire block,
preventing any functional impact.

Recent related changes (in openthread#9437) added similar guard checks for
messages with `HostUntrusted` origins.
jwhui pushed a commit that referenced this pull request Jul 30, 2024
…10546)

This commit removes the checks previously performed on messages with
the origin `HostTrusted` that are to be forwarded to the Thread mesh.
This origin is used for messages generated by the OpenThread stack
itself. These checks were unnecessarily restricting such messages
from using Thread Control UDP port numbers (like TMF, MLE, etc.).
The additional check `!IsLoopbackToHostAllowed()` (which is set to
`true` by default on such messages) bypassed the entire block,
preventing any functional impact.

Recent related changes (in #9437) added similar guard checks for
messages with `HostUntrusted` origins.
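
A simplified model of the policy the commit messages above describe, added here as an illustration and not taken from OpenThread's source: only `HostUntrusted` datagrams are checked against the TMF port, and the reference-device toggle switches the check off. `Origin`, `Verdict`, `CheckDatagram`, `MakeUdpDatagram` and `filterEnabled` are hypothetical names; the model matches on destination port only and assumes no IPv6 extension headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model; origin names mirror the page, not OpenThread's actual source.
enum class Origin { ThreadNetif, HostTrusted, HostUntrusted };
enum class Verdict { Forward, DropTmfUntrusted, DropMalformed };

constexpr uint16_t kTmfPort      = 61631; // TMF port named in the commit message
constexpr size_t   kIp6HeaderLen = 40;
constexpr size_t   kUdpHeaderLen = 8;
constexpr uint8_t  kProtoUdp     = 17;

// filterEnabled models the reference-device CLI toggle (assumed on by default).
Verdict CheckDatagram(const std::vector<uint8_t> &pkt, Origin origin, bool filterEnabled = true)
{
    if (pkt.size() < kIp6HeaderLen || (pkt[0] >> 4) != 6) return Verdict::DropMalformed;
    // Stack-generated and mesh-received messages are not subject to this check.
    if (origin != Origin::HostUntrusted || !filterEnabled) return Verdict::Forward;
    // Assumption: UDP directly follows the fixed header (no extension headers).
    if (pkt[6] != kProtoUdp) return Verdict::Forward;
    if (pkt.size() < kIp6HeaderLen + kUdpHeaderLen) return Verdict::DropMalformed;
    uint16_t dstPort = static_cast<uint16_t>((pkt[kIp6HeaderLen + 2] << 8) | pkt[kIp6HeaderLen + 3]);
    return dstPort == kTmfPort ? Verdict::DropTmfUntrusted : Verdict::Forward;
}

// Constructed sample: minimal IPv6 + UDP headers, zeroed addresses, no payload.
std::vector<uint8_t> MakeUdpDatagram(uint16_t dstPort)
{
    std::vector<uint8_t> pkt(kIp6HeaderLen + kUdpHeaderLen, 0);
    pkt[0] = 0x60;                                // version 6
    pkt[5] = static_cast<uint8_t>(kUdpHeaderLen); // payload length (low byte)
    pkt[6] = kProtoUdp;                           // next header
    pkt[7] = 64;                                  // hop limit
    pkt[kIp6HeaderLen + 2] = static_cast<uint8_t>(dstPort >> 8);
    pkt[kIp6HeaderLen + 3] = static_cast<uint8_t>(dstPort & 0xff);
    pkt[kIp6HeaderLen + 5] = static_cast<uint8_t>(kUdpHeaderLen); // UDP length (low byte)
    return pkt;
}

int main()
{
    // Exit status 0 when the untrusted TMF datagram is dropped.
    return CheckDatagram(MakeUdpDatagram(kTmfPort), Origin::HostUntrusted) == Verdict::DropTmfUntrusted ? 0 : 1;
}
```

With `filterEnabled` set to `false`, the same datagram is forwarded, which is the state a certification run leaves a reference device in until the toggle is restored.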