[ip6] drop UDP datagrams from an untrusted origin to TMF port #9437
Merged
superwhd force-pushed the filter-tmf branch from 3f8d823 to 3a618e7 on September 19, 2023 15:22
superwhd changed the title from "[ip6] drop IPv6 datagrams from an untrusted source heading to TMF port" to "[ip6] drop IPv6 datagrams from an untrusted origin heading to TMF port" on Sep 19, 2023
superwhd changed the title from "[ip6] drop IPv6 datagrams from an untrusted origin heading to TMF port" to "[ip6] drop IPv6 datagrams from an untrusted origin going to TMF port" on Sep 19, 2023
superwhd changed the title from "[ip6] drop IPv6 datagrams from an untrusted origin going to TMF port" to "[ip6] drop IPv6 datagrams from an untrusted origin to TMF port" on Sep 19, 2023
superwhd force-pushed the filter-tmf branch from 3a618e7 to 8ef618b on September 20, 2023 09:40
superwhd changed the title from "[ip6] drop IPv6 datagrams from an untrusted origin to TMF port" to "[ip6] drop UDP datagrams from an untrusted origin to TMF port" on Sep 20, 2023
Codecov Report
Additional details and impacted files
```
@@ Coverage Diff @@
## main #9437 +/- ##
==========================================
- Coverage 85.86% 84.10% -1.77%
==========================================
Files 559 539 -20
Lines 73896 71873 -2023
==========================================
- Hits 63453 60448 -3005
- Misses 10443 11425 +982
```
abtink reviewed Sep 20, 2023
superwhd force-pushed the filter-tmf branch 2 times, most recently from 367be59 to c8d23c1 on September 21, 2023 04:49
erjiaqing reviewed Sep 21, 2023
superwhd force-pushed the filter-tmf branch from c8d23c1 to dc46b24 on September 21, 2023 10:09
erjiaqing reviewed Sep 22, 2023
erjiaqing approved these changes Sep 22, 2023
wgtdkp reviewed Sep 22, 2023
abtink reviewed Sep 23, 2023
Thanks @superwhd
Some suggestions/ideas below:
abtink reviewed Sep 23, 2023
superwhd force-pushed the filter-tmf branch 4 times, most recently from d317c84 to 9d1e724 on September 25, 2023 07:31
superwhd force-pushed the filter-tmf branch from 10e0d6c to 294ddc3 on September 30, 2023 00:43
jwhui approved these changes Oct 2, 2023
jwhui reviewed Oct 2, 2023
jwhui approved these changes Oct 5, 2023
superwhd pushed a commit to superwhd/openthread that referenced this pull request Oct 13, 2023
* upstream/main: [test] fix unused returned `error` warning in `test_message` (openthread#9496) [mesh-forwarder] remove message if no pending tx in `SendMessage()` (openthread#9495) [crypto-platform] fix build issue with mbedtls v3.5.0 (openthread#9492) [mle-router] add `RouterRoleTransition` nested class (openthread#9490) [routing-manager] include Stub Router flag in emitted RAs by BR (openthread#9486) [ip6] drop UDP datagrams from an untrusted origin to TMF port (openthread#9437) [mle] handle received Advertisements from `RxOnlyNeighbor` on FED (openthread#9484) [docs] fix typos in Doxygen documentation (openthread#9485) [mle] send data polls after Child ID Request ack (openthread#9264) [mle] simplify reattach on losing connectivity to leader (openthread#9479) [backbone-router] use `TimeTicker` directly to delay registration (openthread#9483) [bbr-local] simplify `AddService()` and its use (openthread#9477) [github-actions] fix the `codespell` version in `spell-check` job (openthread#9482) github-actions: bump actions/checkout from 4.0.0 to 4.1.0 (openthread#9476) [routing-manager] new config to use heap for `PrefixTable` entries (openthread#9455) [docs] Doxygen tags for CLI commands [`neighbor linkquality` — `networkidtimeout`] (openthread#9466) [nd6] add `RaFlagsExtOption` and track flags in received RAs (openthread#9448) [mle] simplify `ProcessRouteTlv()` call in `HandleAdvertisement()` (openthread#9465) [joiner] check for non-zero joiner UDP port before electing a joiner router (openthread#9445) [posix] address coverity warning: argument cannot be negative (openthread#9453) [ip6] update where `HandlePayload()` check `message` is not null (openthread#9462) [script] exclude `ot_testing` and `__pycache__` when building the OTBR docker (openthread#9457) [docs] adding Doxygen tags for CLIs `mac retries direct` - `mac send` (openthread#9451) [docs] add Doxygen tags for CLI commands (`macfilter rss add` - `macfilter rss remove`) (openthread#9442) [address-resolver] 
set minimum `kMaxNonEvictableSnoopedEntries` to `1` (openthread#9460) github-actions: bump github/codeql-action from 2.21.4 to 2.21.8 (openthread#9459) Revert "[nat64] enable discovering NAT64 AIL prefix for OpenWRT (openthread#9441)" (openthread#9458) [spinel] reset mState to kStateDisabled if recovering from kStateDisaled (openthread#9450) [tmf] set default snoop cache entry count to 1/16 of total (openthread#9440) [nat64] enable discovering NAT64 AIL prefix for OpenWRT (openthread#9441) [docs] add Doxygen tags for CLI commands (`macfilter` - `macfilter addr`) (openthread#9424) [border-agent] simplify `ForwardContext` allocation and ownership (openthread#9444) [posix] update the default channel masks in the configuration file (openthread#9443) [tcp] address uninitialized variable warning (openthread#9438) [cli] fix `ba state` output and conversion of state to string (openthread#9433) [border-agent] smaller enhancements (openthread#9432) github-actions: bump actions/checkout from 3.6.0 to 4.0.0 (openthread#9429) [spinel] save MAC frame counter to a local variable (openthread#9407) [posix] add channel mask configurations to configuration file (openthread#9391) [firewall] implement packet filtering in OT core (openthread#9402) [netdata] remove unallocated router ID entries on recovery after reset (openthread#9421) [posix] add a flag to turn posix multicast routing feature on/off (openthread#9412) [docs] add Doxygen tags for CLI commands (`tvcheck` - `unsecure`) (openthread#9419) [url] add methods to parse parameters from url (openthread#9392) [mac] fix channel switching issue during energy scan (openthread#9405) [address-resolver] remove cache entry if its RLOC16 is unreachable (openthread#9411) [include] remove include of core config file (openthread#9417) [csl] ignore zero valued CSL IE period (openthread#9414) [mac] document and adjust to standards based timing concepts (openthread#9322) github-actions: bump actions/setup-go from 4.0.1 to 4.1.0 (openthread#9413) 
[mle] suppress Announce response to orphan child on same channel and PAN ID (openthread#9388) [cli] add Doxygen tags to all `trel` commands (openthread#9406) [docs] CLI updates (openthread#9401) [srp-server] process completed update from proxy from taskelt (openthread#9398) [script] `check-size` to generate formatted table on push (openthread#9382) [data-poll-handler] reset tx attempts when replacing a frame (openthread#9397) github-actions: bump actions/checkout from 3.5.3 to 3.6.0 (openthread#9396) [link-metrics] implement link metrics manager (openthread#9375) [docs] added Doxygen tags to new CLIs (openthread#9384) [mle] add `OPENTHREAD_CONFIG_MLE_DEVICE_PROPERTY_LEADER_WEIGHT_ENABLE` (openthread#9387) [cli] fix RTT compiling issue (openthread#9385) [meshcop] print TLV State after receiving responses (openthread#9350) [core] add separate `neighbor.hpp`, `child.hpp`, and `router.hpp` (openthread#9376) [mesh-forwarder] update `aIp6Header` arg name to follow style guide (openthread#9378) github-actions: bump github/codeql-action from 2.20.3 to 2.21.4 (openthread#9377) [docs] add tags to new CLIs (openthread#9367) [script] update the `check-size` report (openthread#9368) [trel] bugfix for MAC security failure on key sequence change (openthread#9371) [cli] simplify `dataset` commands (openthread#9366) [docs] cli cmd doc updates (locate - log level) (openthread#9354) [tcplp] add support for TCP Fast Open (without cookie management) (openthread#9165) github-actions: bump step-security/harden-runner from 2.5.0 to 2.5.1 (openthread#9365) [mesh-forwarder] minimize use of default parameters in methods (openthread#9364) [posix] allow disabling CLI for daemon (openthread#9357) [dnssd-server] simplify resolving of query by proxy (openthread#9353) [dnssd-server] determine query type & simplify processing of query name (openthread#9349) [mac-frame] update `GenerateEnhAck()` to use `InitMacHeader()` (openthread#9338) [mle] reorganize MLE constants (openthread#9355) 
github-actions: bump actions/setup-python from 4.6.1 to 4.7.0 (openthread#9356) [mac-frame] update `InitMacFrame()` (openthread#9337) [cli] support RTT as cli interface (openthread#9148) [docs] added Doxygen tags to 4 CLIs (openthread#9352) [link-metrics] update link metrics callback parameter (openthread#9343) github-actions: bump docker/setup-buildx-action from 2.5.0 to 2.9.1 (openthread#9344) [posix] fix rcp reset flow in `ResetRcp` (openthread#9314) [mesh-forwarder] disallow new message eviction in `ApplyDirectTxQueueLimit()` (openthread#9348) [dns-client] handle multiple CNAME record in response (openthread#9339) [netdata] fix the source address check in `LeaderBase::RouteLookup()` (openthread#9335) [dnssd-server] simplifications and enhancements (openthread#9334) [dnssd-server] send response if `ResolveByUpstream()` fails (openthread#9331) [clang-tidy] fix `bugprone-too-small-loop-variable` warnings (openthread#9321) [spinel] networkInfo may not exist when recovering from RCP failure (openthread#9327) [mle] reorder `Mle` class member variables (openthread#9320) [thci] fix for ncs thci issues (openthread#9328) [docs] fix some typos (openthread#9324) github-actions: bump step-security/harden-runner from 2.4.1 to 2.5.0 (openthread#9325) [mle] change `protected` declarations as `private (openthread#9317) [mac-frame] check rx frame security level in `GenerateEnhAck()` (openthread#9315) [mle] update Avd trickle timer interval based on router neighbor count (openthread#9307) [link-metrics] verify neighbor state when processing messages (openthread#9311) [routing-manager] add `SetIfIndex` in `RoutingManager` (openthread#9305) [clang-tidy] move config to `.clang-tidy` file (openthread#9308) github-actions: bump step-security/harden-runner from 2.3.1 to 2.4.1 (openthread#9310) [srp-server] ensure `Host` is freed when committing with zero key-lease (openthread#9309) [cli] add docs for `detach` command (openthread#9303) [config] define separate project and platform core 
config header (openthread#9291) [mle] define separate `TxChallenge` and `RxChallenge` types (openthread#9304) [csl] update CSL public APIs to use microseconds unit for period (openthread#9285) [srp-server] simplify tracking of host key (openthread#9296) [srp-server] simplify `RemoveHost()` method (openthread#9295) [posix] loose check for NETLINK_EXT_ACK and NETLINK_CAP_ACK (openthread#9299) [posix] fix name of vendor-supplied target to `OT_POSIX_CONFIG_RCP_VENDOR_INTERFACE` (openthread#9297) [posix] replace RCP vendor extension find package with include command (openthread#9241) [random] remove mbedtls header from api (openthread#9286) [mle] simplify `HandleChildIdRequest()` (openthread#9292) [link-metrics] minimize the Link Metrics entry count for MTD (openthread#9188) [cmake] add macros to simplify CMake config definition (openthread#9288) [dnssd-server] skip additional records on a PTR query with multiple answers (openthread#9281) [posix] fix logging of netlink errors (openthread#9287) github-actions: bump docker/login-action from 2.1.0 to 2.2.0 (openthread#9289) [routing-manager] support Advertising PIO (AP) flag in published route (openthread#9274) [toranj] remove docs from test specific config headers (openthread#9276) [github-action] install `prettier@2.0.4` in `pretty` job (openthread#9279) [routing-manager] add `SetState()` in `OnLinkPrefixManager` (openthread#9273) [border-agent] fix struct typedef for `otBorderAgentId` (openthread#9277) [spinel] fix error code when waiting rcp response timeout (openthread#9278) [srp-server] simplify sub-type services (openthread#9208) [mle] ensure key sequence is updated in MLE responses (openthread#9271) [mesh-forwarder] add time-in-queue statistics collection feature (openthread#9170) [net-diag] define Child, Neighbor, and Child IPv6 Address List TLVs (openthread#8866) github-actions: bump github/codeql-action from 2.3.5 to 2.20.3 (openthread#9265) [time] update DistantFuture/Past() to exclude value half range apart 
(openthread#9263) [commissioner] simplify and fix scheduling of expiration timer (openthread#9262) [test] fix unused returned value warning in `test_hdlc` (openthread#9256) Bump grpcio from 1.20.1 to 1.53.0 in /tools/harness-simulation/harness (openthread#9257) [cli] fix `childsupervision` commands documentation (openthread#9201) [posix] fix the snprintf buffer overflow issue (openthread#9251) [mac] remove duplicated method for getting the MAC frame length (openthread#9254) [spinel] return error from `SaveFrame` if not enough space is available (openthread#9244) github-actions: bump actions/setup-python from 4.6.0 to 4.6.1 (openthread#9252) [routing-manager] `PdPrefixManager` to clear prefix bits when extending length (openthread#9249) [ncp] keep timeout zero during ramp-down in spinel `ADDRESS_CACHE_TABLE` (openthread#9247) [csl] add APIs to retrieve status (openthread#8793) [address-resolver] implement ramp-down mechanism for retry delay (openthread#9162) [routing-manager] determine route preference from parent link quality (openthread#9080) [mesh-forwarder] only mark Key ID Mode 0 and 1 as secure [posix] fix missing `nullptr` pointer check (openthread#9179) [examples] remove example platform redirects (openthread#9246) [build] cleanup autotools references (openthread#9242) [mac] move ack processing to `HandleTransmitDone()` (openthread#9245) [mle] delay router role downgrade on security policy change (openthread#9187) [dataset] add build option for `GenerateLocal` (openthread#9215) [dns] add `otDnsEncodeTxtData()` API (openthread#9214) [meshcop] fix compilation error mbedtls_base64_encode not defined (openthread#9206) [message] allow heap usage when using non-thread commissioning (openthread#9205) [build] remove autotools (openthread#9027) [message] remove child mask from message metadata in MTD (openthread#9213) [tmf] BRs default to 256 address cache entries (openthread#9078) [logging] fix print format related to infra netif logs (openthread#9212) [tests] 
properly configure operational dataset in BR tests (openthread#9209) [netdata] mechanism to detect & signal when network data gets full (openthread#9073) [toranj-cli] properly configure operational dataset (openthread#9207) [unit-test] properly configure operational dataset (openthread#9203) [srp-server] allow service instance label with dot character (openthread#9198) github-actions: bump ossf/scorecard-action from 2.1.3 to 2.2.0 (openthread#9204) [script] properly configure dataset in `check-posix-pty` (openthread#9202) [test] update unit test emulating radio (openthread#9200) [docs] add radio defgroup for proper documentation (openthread#9195) [csl] ensure child is synchronized when preparing a CSL transmission (openthread#9199) [otci] properly configure operational dataset (openthread#9190) [thread-cert] properly configure operational dataset (openthread#9189) [posix] add posix support for sending RA messages to routing manager (openthread#9160) [cli] expose `otLinkSetEnabled` (openthread#9193) github-actions: bump actions/checkout from 3.5.2 to 3.5.3 (openthread#9192) [expect] properly configure operational dataset (openthread#9183) [thci] revert spellcheck in THCI method names (openthread#9175) [coap] fix minor typo (openthread#9180) [netif] simplify signaling address events (openthread#9173) [mac] enable/disable radio together with MAC (openthread#9156) [cli] add command to get tcp results (openthread#9142) [radio] add radio statistics of tx/rx/sleep cycle (openthread#9071) [routing-manager] remove unnecessary `kOnMeshPrefixLength` decl (openthread#9176) [spinel] move `SpiFrame` implementation to spi_frame.hpp (openthread#9151) [cli] update `OutputEidCacheEntry()` (openthread#9171) [mesh-diag] fix initializing of `mEndOffset` in `ChildIterator` (openthread#9172) [routing-manager] require valid on-link prefix to be /64 (openthread#9167) [config] add `mesh_forwarder.h` config header file (openthread#9164) github-actions: bump codecov/codecov-action from 3.1.3 
to 3.1.4 (openthread#9166) [spinel] move the `MultiFrameBuffer` implementation to multi_frame_buffer.hpp (openthread#9150) [mle] send unicast Link Request to 1.2 parent on router role promo (openthread#9154) [docs] cli cmd doc updates (mliid - multiradio neighbor) (openthread#9155) [toranj] update `build.sh` script to use Thread version 1.3.1 (openthread#9159) [csl] improved CSL debug logging (openthread#9040) [mle] restrict `otDeviceProperties` to version 1.3.1 or later (openthread#9157) [spinel] remove fetching the ncp dataset (openthread#9140) [cmake] fix OT_THREAD_VERSION comparison in CMake (openthread#9158) [bbr] simplify `DomainPrefixEvent` (openthread#9152) [routing-manager] initial PD support with platform generated RA (openthread#9050) [tlvs] new helper to find the start and end offsets of a TLV value (openthread#9144) [spinel] fix the non-virtual destructor error (openthread#9139) [posix] replace fd_sets with the mainloop context (openthread#9127) [logging] fix rtt logging not using defined buffer index (openthread#9133) [netif] use fix type to u8 for addr_gen_mode (openthread#9147) [mlr] use `Array<>` to track old registered MLR addresses (openthread#9134) [cli] add helper `ProcessEnableDisable()` methods (openthread#9138) [mle] simplify tracking of registered DUA address by child (openthread#9137) [posix] unify the spinel interface functions (openthread#9107) github-actions: bump actions/checkout from 3.3.0 to 3.5.2 (openthread#9132) [bbr] move BBR constants to related source files (openthread#9129) [cli] add CLI Backbone Router (`Bbr`) sub-module (openthread#9128) [sntp-client] smaller enhancements (openthread#9125) [github-actions] update ubuntu to 22.04 on `ot-commissioner` test (openthread#9130) [toranj] update `build.sh` script to use CMake for all builds (openthread#9115) [routing-manager] fix deprecating on-link prefix from inactive router (openthread#9121) [backbone-router] use `Clamp` to check MLR timeout value (openthread#9119) [core] use 
`Min()`, `Max()` to clip values (openthread#9117) [build] delete the removed child supervision config in `cmake-build` (openthread#9111) [posix] add unified platform API for setting NAT64 CIDR during runtime (openthread#8947) [link-quality] fix corner case of `ScaleRawValueToRssi` (openthread#9102) [posix] fix setting non-standard baudrate on mac (openthread#9090) [routing-manager] update logs (openthread#9095) [random] add `Fill<ObjectType>()` function (openthread#9097) [csl] fix 15.4-secured broadcast frames (openthread#9103) [posix] add Thread network default interface name configuration (openthread#9089) github-actions: bump github/codeql-action from 2.3.3 to 2.3.5 (openthread#9100) [radio] fix return code doc of link metrics api (openthread#9098) [docs] remove redundant "This method" and "This function" (openthread#9096) [cli] update documentation of `Process()` method in CLI sub-modules (openthread#9093) [cli] add CLI `MacFilter` sub-module (openthread#9088) [cli] add helper `OutputNat64Counters()` (openthread#9087) [tests] check whether the unreachable address is included in the DNS-SD response (openthread#9075) [uptime] requires UPTIME feature to be enabled on FTD build (openthread#9079) [alarm] `otPlatAlarm` requirements clarification (openthread#9067) [test] add code spell check and correct wrong spelling (openthread#9066) github-actions: bump actions/setup-go from 4.0.0 to 4.0.1 (openthread#9076) [notifier] add missing event in `EventToString()` (openthread#9072) [cli] add CLI DNS sub-module (openthread#9069) [core] add the instance id (openthread#9055) [cli] fix config check for "vendor" command (openthread#9068) [ncp] fix RegisterPeekPokeDelegates call (openthread#9064) [border-agent] set Border Agent ID via CLI (openthread#9049) [dns-client] new API resolve host and address (openthread#9054) [routing-manager] add `OmrPrefixManager` (openthread#9062) [csl] split min receive window into MHR ahead and after times (openthread#9041) [ip6] add `Tidy` method 
to `Ip6::Prefix` (openthread#9057) [cli] support adding vendor command list to cli apps (openthread#9001) [radio-spinel] add log on RCP timeout error during init (openthread#9059) [mle] echo back "Supervision TLV" in Child ID Response (openthread#9061) [tests] fix `routing_manager` unit tests (openthread#9053) [nat64] check OMR prefix when selecting favored NAT64 prefix (openthread#8995) github-actions: bump github/codeql-action from 2.2.12 to 2.3.3 (openthread#9051) Change-Id: Ib37b5a0813cc447220c822928d6a88ce8f435249
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 15, 2024

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0'
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we need to trust messages sent by reference devices.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 16, 2024

…rd custom tmf messages from host

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0'
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a cli toggle that can let reference devices (with platform udp enabled) send and forward these custom TMF messages from the host.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 17, 2024

…om unknown origins

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0'
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a cli toggle (for reference devices) to disable the filter that drops TMF messages from unknown origins.
suveshpratapa added a commit to SiliconLabs/openthread that referenced this pull request Apr 22, 2024

…om unknown origins

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in openthread#9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0'
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a cli toggle (for reference devices) as a test sub-command to disable the filter that drops TMF messages from unknown origins.
jwhui
pushed a commit
that referenced
this pull request
Apr 26, 2024
…om unknown origins (#10028)

Reference devices that are part of the Thread test harness construct CoAP packets sent on TMF port 61631 for certain tests, for example in the 5.9.x series where they have to force address errors (a/ae) for duplicate DUA or re-registration tests. These tests started to fail when reference device firmware was updated recently to a newer OpenThread stack that included the change in #9437.

Example:
```
udp send fd00:db9:0:0:0:ff:fe00:5000 61631 -x 4102d63697b16e02646eff0401010010fd007d037d037d0389c3a350cdcf36e0'
Ip6-----------: Dropping TMF message from untrusted origin
```

For certification purposes, we are adding a cli toggle (for reference devices) as a test sub-command to disable the filter that drops TMF messages from unknown origins.
abtink
added a commit
to abtink/openthread
that referenced
this pull request
Jul 25, 2024
This commit removes the checks previously performed on messages with the origin `HostTrusted` that are to be forwarded to the Thread mesh. This origin is used for messages generated by the OpenThread stack itself. These checks were unnecessarily restricting such messages from using Thread Control UDP port numbers (like TMF, MLE, etc.). The additional check `!IsLoopbackToHostAllowed()` (which is set to `true` by default on such messages) bypassed the entire block, preventing any functional impact. Recent related changes (in openthread#9437) added similar guard checks for messages with `HostUntrusted` origins.
jwhui
pushed a commit
that referenced
this pull request
Jul 30, 2024
…10546) This commit removes the checks previously performed on messages with the origin `HostTrusted` that are to be forwarded to the Thread mesh. This origin is used for messages generated by the OpenThread stack itself. These checks were unnecessarily restricting such messages from using Thread Control UDP port numbers (like TMF, MLE, etc.). The additional check `!IsLoopbackToHostAllowed()` (which is set to `true` by default on such messages) bypassed the entire block, preventing any functional impact. Recent related changes (in #9437) added similar guard checks for messages with `HostUntrusted` origins.
This PR drops UDP datagrams from an untrusted origin to TMF port.
Examples of untrusted origin:
OT shouldn't allow UDP datagrams from untrusted origins going to TMF port of any Thread device.
To implement this, there's an API `otIp6SendFromOrigin` introduced. This can be used for specifying the origin of a packet you want to send. This PR also encapsulates the 'origin' information in `Message::Metadata`.
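A minimal model of the origin-based filter described above, added here as an illustration and not taken from the OpenThread source. The names `Origin`, `Verdict`, `FilterDatagram` and `MakeUdpDatagram` are hypothetical, the sample datagram is constructed, and the sketch assumes UDP directly follows the fixed IPv6 header.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model of the filter; these are not OpenThread's own types.
enum class Origin { ThreadNetif, HostTrusted, HostUntrusted };
enum class Verdict { Accept, Drop };

constexpr uint16_t kTmfPort      = 61631; // TMF port named in this thread
constexpr uint8_t  kProtoUdp     = 17;    // IPv6 Next Header value for UDP
constexpr size_t   kIp6HeaderLen = 40;
constexpr size_t   kUdpHeaderLen = 8;

// The origin travels with the datagram as metadata; the filter keys on it.
Verdict FilterDatagram(const std::vector<uint8_t> &aPacket, Origin aOrigin)
{
    if (aOrigin != Origin::HostUntrusted) return Verdict::Accept;
    // Assumption of this sketch: malformed untrusted input fails closed.
    if (aPacket.size() < kIp6HeaderLen || (aPacket[0] >> 4) != 6) return Verdict::Drop;
    // Assumption: UDP directly follows the fixed header (no extension headers walked).
    if (aPacket[6] != kProtoUdp) return Verdict::Accept;
    if (aPacket.size() < kIp6HeaderLen + kUdpHeaderLen) return Verdict::Drop;

    // UDP destination port: bytes 2..3 of the UDP header, network byte order.
    uint16_t dstPort =
        static_cast<uint16_t>((aPacket[kIp6HeaderLen + 2] << 8) | aPacket[kIp6HeaderLen + 3]);
    return (dstPort == kTmfPort) ? Verdict::Drop : Verdict::Accept;
}

// Constructed sample: zeroed addresses, empty UDP payload, chosen destination port.
std::vector<uint8_t> MakeUdpDatagram(uint16_t aDstPort)
{
    std::vector<uint8_t> p(kIp6HeaderLen + kUdpHeaderLen, 0);
    p[0] = 0x60;      // version 6
    p[5] = 8;         // IPv6 payload length (UDP header only)
    p[6] = kProtoUdp; // next header
    p[7] = 64;        // hop limit
    p[kIp6HeaderLen + 2] = static_cast<uint8_t>(aDstPort >> 8);
    p[kIp6HeaderLen + 3] = static_cast<uint8_t>(aDstPort & 0xff);
    p[kIp6HeaderLen + 5] = 8; // UDP length field
    return p;
}

int main()
{
    bool ok = FilterDatagram(MakeUdpDatagram(kTmfPort), Origin::HostUntrusted) == Verdict::Drop &&
              FilterDatagram(MakeUdpDatagram(kTmfPort), Origin::ThreadNetif) == Verdict::Accept;
    return ok ? 0 : 1;
}
```

A production filter has to locate the UDP header behind any IPv6 extension headers before trusting the port check; this sketch leaves that out.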