From 2c29616048770530cb6efa06fba780769a4dec4f Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Thu, 25 Jun 2026 10:35:18 +0530
Subject: [PATCH 01/11] RDKB-64133: Allow restoreConfig in business devices
---
 source/firewall/firewall.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 50538050..303ac705 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -371,6 +371,7 @@ Defines used to control conditional compilation
 #ifdef _ONESTACK_PRODUCT_REQ_
 #include
+extern int is_devicemode_business(void);
 #endif
 #ifdef FEATURE_464XLAT
@@ -1500,6 +1501,14 @@ void do_webui_attack_filter(FILE *filter_fp)
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".pi");
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".sh");
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".py");
+#if defined(_CBR2_PRODUCT_REQ_)
+ fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
+#elif defined(_ONESTACK_PRODUCT_REQ_)
+ if (is_devicemode_business())
+ {
+ fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
+ }
+#endif
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", "multipart/form-data");
 FIREWALL_DEBUG("Exiting do_webui_attack_filter\n");
 }
From cd68743687f3e60d0a2d710cd0713e8e2553a484 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Thu, 25 Jun 2026 12:10:27 +0530
Subject: [PATCH 02/11] RDKB-64133: Fix linker error - use isFeatureSupportedInCurrentMode for business mode check
---
 source/firewall/firewall.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
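Review bot: The RETURN rule added in the `@@ -1500,6 +1501,14 @@` hunk exempts only the one packet that carries the request line, because `-m string` inspects each packet on its own and keeps no per-connection state. If the `Content-Type: multipart/form-data` header of a restoreConfig request lands in a later TCP segment (a long cookie or header set ahead of it), that segment still reaches the `multipart/form-data` DROP and the restore stalls. I would record the limitation beside the rule, e.g. `/* string match is per packet: only the segment holding the request line is exempted */`, and test a restore with a large header set. `do_webui_attack_filter` starts above this hunk, so how the chain is entered is not visible here.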
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 303ac705..f99ca100 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -371,7 +371,6 @@ Defines used to control conditional compilation
 #ifdef _ONESTACK_PRODUCT_REQ_
 #include
-extern int is_devicemode_business(void);
 #endif
 #ifdef FEATURE_464XLAT
@@ -1504,7 +1503,7 @@ void do_webui_attack_filter(FILE *filter_fp)
 #if defined(_CBR2_PRODUCT_REQ_)
 fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
 #elif defined(_ONESTACK_PRODUCT_REQ_)
- if (is_devicemode_business())
+ if (isFeatureSupportedInCurrentMode(FEATURE_TRUE_STATIC_IP))
 {
 fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
 }
From 908d74a88e6e2d09b4426b51d896a356ffc8961c Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Thu, 25 Jun 2026 12:23:33 +0530
Subject: [PATCH 03/11] RDKB-64133: Link -ldevicemode in firewall for OneStack business mode check
---
 source/firewall/Makefile.am | 1 +
 source/firewall/firewall.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am
index 5e113f28..79c2789e 100644
--- a/source/firewall/Makefile.am
+++ b/source/firewall/Makefile.am
@@ -25,6 +25,7 @@ bin_PROGRAMS = firewall nfq_handler
 if ONESTACK_PRODUCT_REQ
 AM_LDFLAGS += -lrdkb_feature_mode_gate
+AM_LDFLAGS += -ldevicemode
 endif
 firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c firewall_utils.c
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index f99ca100..82a77a11 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -1503,7 +1503,7 @@ void do_webui_attack_filter(FILE *filter_fp)
 #if defined(_CBR2_PRODUCT_REQ_)
 fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
 #elif defined(_ONESTACK_PRODUCT_REQ_)
- if (isFeatureSupportedInCurrentMode(FEATURE_TRUE_STATIC_IP))
+ if (is_devicemode_business())
 {
 fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
 }
From 54dade9e9a81c1eefdd1db5276608d5fa519cd9f Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Thu, 25 Jun 2026 12:29:23 +0530
Subject: [PATCH 04/11] RDKB-64133: Add devicemode.h include for is_devicemode_business in firewall
---
 source/firewall/firewall.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 82a77a11..42075440 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -371,6 +371,7 @@ Defines used to control conditional compilation
 #ifdef _ONESTACK_PRODUCT_REQ_
 #include
+#include
 #endif
 #ifdef FEATURE_464XLAT
From faa919fd625ffdb8c05247dc9d6360b268008c48 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B <57708013+pavankumar464@users.noreply.github.com>
Date: Thu, 25 Jun 2026 14:23:26 +0530
Subject: [PATCH 05/11] Apply suggestions from code review
Tighten the match to the HTTP request line by including the following " HTTP" token and limiting the search window to the beginning of the payload (e.g., --from 0 --to 64).
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 source/firewall/firewall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 42075440..df20b3cf 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -1502,11 +1502,11 @@ void do_webui_attack_filter(FILE *filter_fp)
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".sh");
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".py");
 #if defined(_CBR2_PRODUCT_REQ_)
- fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
+ fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
 #elif defined(_ONESTACK_PRODUCT_REQ_)
 if (is_devicemode_business())
 {
- fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --string \"%s\" --to 65535 -j RETURN \n", "POST /restoreConfig.jst");
+ fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
 }
 #endif
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", "multipart/form-data");
From 79e55bdd85e581cb6c4ed30153e936b6b40de808 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Thu, 25 Jun 2026 14:28:49 +0530
Subject: [PATCH 06/11] RDKB-64133: Scope libdevicemode linkage to firewall target only
---
 source/firewall/Makefile.am | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am
index 79c2789e..cc57d9a8 100644
--- a/source/firewall/Makefile.am
+++ b/source/firewall/Makefile.am
@@ -25,7 +25,6 @@ bin_PROGRAMS = firewall nfq_handler
 if ONESTACK_PRODUCT_REQ
 AM_LDFLAGS += -lrdkb_feature_mode_gate
-AM_LDFLAGS += -ldevicemode
 endif
 firewall_SOURCES = firewall_ipv6.c firewall.c firewall_priv.c firewall_interface.c firewall_ext.c firewall_utils.c
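Review bot: The `--from 0 --to 64` window on both new RETURN rules in the `@@ -1502,11 +1502,11 @@` hunk is probably too small for the rule ever to match. As far as I know xt_string counts offsets from the start of the packet as netfilter sees it (the IP header), not from the TCP payload as the commit message assumes, so with a 20-byte IPv4 header and a 20-byte TCP header the 28-byte token `POST /restoreConfig.jst HTTP` ends at offset 68, and later still with TCP options or IPv6. If that holds on the target kernel, restoreConfig uploads fall through to the `multipart/form-data` DROP again. Please confirm with the rule's packet counter (`iptables -L UPLOAD_ATTACK_FILTER -v -n`) during a real restore, and size the window for the largest header combination, e.g. `--from 0 --to 128`. The function starts above this hunk.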
@@ -41,6 +40,10 @@ firewall_LDADD = $(top_builddir)/source/syscfg/lib/libsyscfg.la \
 $(top_builddir)/source/ulog/libulog.la \
 $(top_builddir)/source/util/utils/libutopiautil.la
+if ONESTACK_PRODUCT_REQ
+firewall_LDADD += -ldevicemode
+endif
+
 nfq_handler_LDADD = $(top_builddir)/source/syscfg/lib/libsyscfg.la \
 $(top_builddir)/source/sysevent/lib/libsysevent.la \
 $(top_builddir)/source/ulog/libulog.la
From e1c6aab4ee2558bef4189bbdca2d30a57e57c95f Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Mon, 29 Jun 2026 10:17:01 +0530
Subject: [PATCH 07/11] replace business mode check with feature-mode gate
---
 source/firewall/firewall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index df20b3cf..740fe8f6 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -1504,7 +1504,7 @@ void do_webui_attack_filter(FILE *filter_fp)
 #if defined(_CBR2_PRODUCT_REQ_)
 fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
 #elif defined(_ONESTACK_PRODUCT_REQ_)
- if (is_devicemode_business())
+ if (isFeatureSupportedInCurrentMode(FEATURE_SAVE_RESTORE))
 {
 fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
 }
From 620e270d94c45b52bf732ff09638dd8afb4d6997 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B <57708013+pavankumar464@users.noreply.github.com>
Date: Mon, 29 Jun 2026 14:19:37 +0530
Subject: [PATCH 08/11] Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 source/firewall/Makefile.am | 3 ---
 source/firewall/firewall.c | 1 -
 2 files changed, 4 deletions(-)
diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am
index cc57d9a8..e8faeeab 100644
--- a/source/firewall/Makefile.am
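Review bot: `isFeatureSupportedInCurrentMode(FEATURE_SAVE_RESTORE)` in the `@@ -1504,7 +1504,7 @@` hunk is evaluated once, while the rules file is being written, so the RETURN rule reflects the mode at the last firewall generation rather than the current one. If the device can change mode without a firewall restart, the restoreConfig exemption would stay in place (or stay missing) until the next regeneration. The mode-change path is not visible from this hunk, so please confirm it triggers a firewall restart. A comment such as `/* gate is sampled at rule generation; a mode change needs a firewall restart */` above the `if` would make the dependency explicit. The enclosing function starts above the hunk.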
+++ b/source/firewall/Makefile.am
@@ -40,9 +40,6 @@ firewall_LDADD = $(top_builddir)/source/syscfg/lib/libsyscfg.la \
 $(top_builddir)/source/ulog/libulog.la \
 $(top_builddir)/source/util/utils/libutopiautil.la
-if ONESTACK_PRODUCT_REQ
-firewall_LDADD += -ldevicemode
-endif
 nfq_handler_LDADD = $(top_builddir)/source/syscfg/lib/libsyscfg.la \
 $(top_builddir)/source/sysevent/lib/libsysevent.la \
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 740fe8f6..6a539e4d 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -371,7 +371,6 @@ Defines used to control conditional compilation
 #ifdef _ONESTACK_PRODUCT_REQ_
 #include
-#include
 #endif
 #ifdef FEATURE_464XLAT
From c3de90b4f62b988c3b12805732836a4c84c087d8 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Mon, 29 Jun 2026 14:26:05 +0530
Subject: [PATCH 09/11] firewall: remove extra blank line in Makefile.am
---
 source/firewall/Makefile.am | 1 -
 1 file changed, 1 deletion(-)
diff --git a/source/firewall/Makefile.am b/source/firewall/Makefile.am
index e8faeeab..5e113f28 100644
--- a/source/firewall/Makefile.am
+++ b/source/firewall/Makefile.am
@@ -40,7 +40,6 @@ firewall_LDADD = $(top_builddir)/source/syscfg/lib/libsyscfg.la \
 $(top_builddir)/source/ulog/libulog.la \
 $(top_builddir)/source/util/utils/libutopiautil.la
-
 nfq_handler_LDADD = $(top_builddir)/source/syscfg/lib/libsyscfg.la \
 $(top_builddir)/source/sysevent/lib/libsysevent.la \
 $(top_builddir)/source/ulog/libulog.la
From aba8c721efac8daba19109b5658907e21a78d859 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Mon, 29 Jun 2026 14:31:38 +0530
Subject: [PATCH 10/11] firewall: append restoreConfig whitelist rule to preserve attack-signature drops
---
 source/firewall/firewall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 6a539e4d..81328ac5 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -1501,11 +1501,11 @@ void do_webui_attack_filter(FILE *filter_fp)
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".sh");
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".py");
 #if defined(_CBR2_PRODUCT_REQ_)
- fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
+ fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
 #elif defined(_ONESTACK_PRODUCT_REQ_)
 if (isFeatureSupportedInCurrentMode(FEATURE_SAVE_RESTORE))
 {
- fprintf(filter_fp, "-I UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
+ fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
 }
 #endif
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", "multipart/form-data");
From 7b479ccb5135e77afd245c161103b7634ab45599 Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B
Date: Tue, 30 Jun 2026 22:09:25 +0530
Subject: [PATCH 11/11] firewall: align restoreConfig RETURN rule with ONESTACK feature-gate pattern
---
 source/firewall/firewall.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 81328ac5..726d3f80 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
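Review bot: With `-A`, the position of the two RETURN `fprintf` calls is load-bearing and nothing in the code says so. The rule has to stay after the extension DROPs and directly before the `multipart/form-data` DROP; a later reorder of these lines would either block restores or let the exempted packet skip the signature checks again. I would add a comment above the `#if`, e.g. `/* order matters: keep after the signature DROPs and before the multipart/form-data DROP */`. The trade-off is worth stating there too: a restoreConfig request whose first segment happens to contain `.sh`, `.py` or `.pi` (in a cookie or file name, say) is now dropped before the RETURN is reached. The function starts above this hunk.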
@@ -1500,13 +1500,13 @@ void do_webui_attack_filter(FILE *filter_fp)
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".pi");
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".sh");
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", ".py");
-#if defined(_CBR2_PRODUCT_REQ_)
+#if defined(_CBR2_PRODUCT_REQ_) || defined(_ONESTACK_PRODUCT_REQ_)
+ #ifdef _ONESTACK_PRODUCT_REQ_
+ if(isFeatureSupportedInCurrentMode(FEATURE_SAVE_RESTORE))
+ #endif
+ {
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
-#elif defined(_ONESTACK_PRODUCT_REQ_)
- if (isFeatureSupportedInCurrentMode(FEATURE_SAVE_RESTORE))
- {
- fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -p tcp -m string --algo bm --from 0 --to 64 --string \"%s\" -j RETURN \n", "POST /restoreConfig.jst HTTP");
- }
+ }
 #endif
 fprintf(filter_fp, "-A UPLOAD_ATTACK_FILTER -m string --algo bm --string \"%s\" -j DROP \n", "multipart/form-data");
 FIREWALL_DEBUG("Exiting do_webui_attack_filter\n");
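Review bot: The `if` guarding the RETURN rule now exists only when `_ONESTACK_PRODUCT_REQ_` is defined, so the same braces are a conditional body in one build and a bare block in the other. A build that defines both macros also changes behaviour: the old `#if`/`#elif` took the CBR2 branch first and emitted the rule unconditionally, whereas it is now gated on `FEATURE_SAVE_RESTORE`. Whether any build defines both is not visible here, so please confirm that is intended. If the project's gate pattern allows it, a local flag keeps one always-present `if` and makes the CBR2 default explicit, as sketched below. The enclosing function starts above the hunk.

```c
#if defined(_CBR2_PRODUCT_REQ_) || defined(_ONESTACK_PRODUCT_REQ_)
    {
        int allow_restore = 1; /* CBR2-only builds: rule is always emitted */
#ifdef _ONESTACK_PRODUCT_REQ_
        allow_restore = isFeatureSupportedInCurrentMode(FEATURE_SAVE_RESTORE) ? 1 : 0;
#endif
        if (allow_restore)
        {
            /* … unchanged: fprintf of the restoreConfig RETURN rule … */
        }
    }
#endif
```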