#!/usr/bin/with-contenv bashio
# vim: ft=bash
# shellcheck shell=bash
# ==============================================================================
# OpenThread BorderRouter start script
# ==============================================================================
# shellcheck source=./openthread_border_router/rootfs/etc/s6-overlay/scripts/otbr-agent-common
. /etc/s6-overlay/scripts/otbr-agent-common
# Working variables of this start script. They are only declared here; each one
# is assigned further down before it is used.
declare backbone_if device baudrate \
  flow_control migrate_flow_control \
  otbr_log_level otbr_log_level_int \
  otbr_rest_listen otbr_rest_listen_port
# Housekeeping: 'autoflash_firmware' is not read anywhere else in this script.
# If a stored configuration still carries the key, call bashio::addon.option
# with the key only (no value) to clean it up.
stale_option='autoflash_firmware'
if bashio::config.exists "${stale_option}"; then
  bashio::addon.option "${stale_option}"
fi
# Select the backbone (infrastructure) network interface.
#   1. An explicit 'backbone_interface' option always wins.
#   2. Otherwise ask the Supervisor for the first interface flagged as primary.
# The chosen name is used below in the netfilter rules and in the trel:// URL
# handed to otbr-agent, so the script stops rather than continue without one.
if bashio::config.has_value 'backbone_interface'; then
  backbone_if="$(bashio::config 'backbone_interface')"
else
  backbone_if="$(bashio::api.supervisor 'GET' '/network/info' '' 'first(.interfaces[] | select (.primary == true)) .interface // empty')"
  # The jq filter yields an empty string when no interface is primary.
  [[ -n "${backbone_if}" ]] \
    || bashio::exit.nok "No primary network interface found. Please configure a backbone network interface in the apps configuration."
fi
# Radio co-processor connection settings, read from the add-on options.
device="$(bashio::config 'device')"
# When 'network_device' is configured the radio is reached through the fixed
# path /tmp/ttyOTBR instead of the configured serial device.
# NOTE(review): presumably another service creates /tmp/ttyOTBR; it is not set
# up in this script, confirm who owns it.
if bashio::config.has_value 'network_device'; then
  device="/tmp/ttyOTBR"
fi
baudrate="$(bashio::config 'baudrate')"

# flow_control is appended verbatim to the radio URL passed to otbr-agent;
# migrate_flow_control is the matching value for the settings migration script.
# Start from the "no hardware flow control" pair and switch when the option is on.
flow_control="&uart-init-deassert"
migrate_flow_control="none"
if bashio::config.true 'flow_control'; then
  flow_control="&uart-flow-control"
  migrate_flow_control="hardware"
fi
# Translate the configured log level name (case-insensitive) into the numeric
# level given to otbr-agent through its -d flag. The numbering follows the
# syslog severities: 7 = debug ... 0 = emergency. Unknown names are fatal.
otbr_log_level="$(bashio::string.lower "$(bashio::config otbr_log_level)")"
case "${otbr_log_level}" in
  debug)     otbr_log_level_int="7" ;;
  info)      otbr_log_level_int="6" ;;
  notice)    otbr_log_level_int="5" ;;
  warning)   otbr_log_level_int="4" ;;
  error)     otbr_log_level_int="3" ;;
  critical)  otbr_log_level_int="2" ;;
  alert)     otbr_log_level_int="1" ;;
  emergency) otbr_log_level_int="0" ;;
  *) bashio::exit.nok "Unknown otbr_log_level: ${otbr_log_level}" ;;
esac
# Thread data is kept in /data/thread and linked into /var/lib, where it shows
# up as /var/lib/thread. If either the mkdir or the symlink fails, abort.
if ! { mkdir -p /data/thread && ln -sft /var/lib /data/thread; }; then
  bashio::exit.nok "Could not create directory /var/lib/thread to store Thread data."
fi
# OTBR is compiled with firewall support, so otbr-agent tries to update these
# ipsets regardless of the add-on's 'firewall' option. Create them every time
# (-exist makes this a no-op when a set is already present) so otbr-agent does
# not log errors; with the firewall disabled no rule references the sets, so
# they have no effect.
for otbr_ipset in \
  otbr-ingress-deny-src \
  otbr-ingress-deny-src-swap \
  otbr-ingress-allow-dst \
  otbr-ingress-allow-dst-swap; do
  ipset create -exist "${otbr_ipset}" hash:net family inet6
done
# IPv6 forwarding policy between the Thread interface and the rest of the network.
# With 'firewall' enabled, dedicated ingress/egress chains are hooked into FORWARD;
# otherwise forwarding between Thread and backbone is simply accepted.
# ${thread_if} and the ${otbr_forward_*_chain} names are not assigned in this file;
# presumably they come from the sourced otbr-agent-common, confirm.
# NOTE(review): `-N` fails if the chain already exists and `-A`/`-I` add a new copy
# of the rule on every run. Removing rules from a previous run is not visible here;
# confirm it happens elsewhere (e.g. when the service stops).
if bashio::config.true 'firewall'; then
bashio::log.info "Setup OTBR firewall..."
# Ingress chain: everything forwarded OUT through the Thread interface is sent here
# first (inserted at position 1 of FORWARD), whichever interface it arrived on.
ip6tables -N "${otbr_forward_ingress_chain}"
ip6tables -I FORWARD 1 -o "${thread_if}" -j "${otbr_forward_ingress_chain}"
# The order of the next five rules is significant; the first match decides.
# 1. Unicast that arrived on the Thread interface and would leave through it again: drop.
ip6tables -A "${otbr_forward_ingress_chain}" -m pkttype --pkt-type unicast -i "${thread_if}" -j DROP
# 2. Source address is in the deny set: drop.
ip6tables -A "${otbr_forward_ingress_chain}" -m set --match-set otbr-ingress-deny-src src -j DROP
# 3. Destination address is in the allow set: accept.
ip6tables -A "${otbr_forward_ingress_chain}" -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
# 4. Any other unicast towards Thread: drop (default-deny for unicast).
ip6tables -A "${otbr_forward_ingress_chain}" -m pkttype --pkt-type unicast -j DROP
# 5. Whatever is left at this point is non-unicast: accept.
ip6tables -A "${otbr_forward_ingress_chain}" -j ACCEPT
# Egress chain: traffic arriving FROM the Thread interface (FORWARD position 2) is
# accepted without further filtering.
ip6tables -N "${otbr_forward_egress_chain}"
ip6tables -I FORWARD 2 -i "${thread_if}" -j "${otbr_forward_egress_chain}"
ip6tables -A "${otbr_forward_egress_chain}" -j ACCEPT
else
# Firewall disabled: accept forwarding between Thread and backbone in both directions.
# No address filtering is applied here, so any host that can route through the
# backbone interface can reach Thread devices. The rules are appended (-A), so rules
# already present earlier in FORWARD are still evaluated first.
ip6tables -A FORWARD -i "${thread_if}" -o "${backbone_if}" -j ACCEPT
ip6tables -A FORWARD -i "${backbone_if}" -o "${thread_if}" -j ACCEPT
fi
# IPv4 rules for NAT64, installed only when the 'nat64' option is enabled.
# ${otbr_fw_mark} and ${otbr_forward_nat64_chain} are not assigned in this file;
# presumably they come from the sourced otbr-agent-common, confirm.
if bashio::config.true 'nat64'; then
# Tag every IPv4 packet that enters through the Thread interface with the OTBR mark
iptables -t mangle -A PREROUTING -i "${thread_if}" -j MARK --set-mark "${otbr_fw_mark}"
# Source-NAT tagged packets on the way out.
# NOTE(review): this rule has no -o match, so it applies on whichever interface the
# tagged traffic leaves through, while the forward ACCEPT below is limited to
# ${backbone_if}; confirm that is intended.
iptables -t nat -A POSTROUTING -m mark --mark "${otbr_fw_mark}" -j MASQUERADE
# Dedicated forward chain. Every forwarded IPv4 packet jumps into it (position 1 of
# FORWARD); the chain holds only ACCEPT rules, so packets matching neither rule
# return to FORWARD and are handled by whatever follows there.
iptables -N "${otbr_forward_nat64_chain}"
iptables -I FORWARD 1 -j "${otbr_forward_nat64_chain}"
# Outbound: tagged traffic leaving through the backbone interface is accepted
iptables -A "${otbr_forward_nat64_chain}" -m mark --mark "${otbr_fw_mark}" -o "${backbone_if}" -j ACCEPT
# Inbound: only replies to existing flows (conntrack ESTABLISHED,RELATED) are accepted
# from backbone to Thread; this chain accepts no new inbound connections.
iptables -A "${otbr_forward_nat64_chain}" -m conntrack --ctstate ESTABLISHED,RELATED -i "${backbone_if}" -o "${thread_if}" -j ACCEPT
fi
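# Decide where the otbr-agent REST API listens.
#   - A port is set for 8081 in the add-on configuration: bind to "::", i.e. every
#     address of the container, so the published port is reachable.
#   - No port set: bind to the add-on's own IP address only.
# Only port 8081 is supported; any other configured value is overridden with a warning.
# NOTE(review): nothing in this script puts authentication in front of the REST
# API. Publishing the port makes it reachable from wherever the host port is
# reachable; confirm that exposure is acceptable for the deployment.
otbr_rest_listen="::"
otbr_rest_listen_port="$(bashio::addon.port 8081)"
if ! bashio::var.has_value "${otbr_rest_listen_port}"; then
  otbr_rest_listen="$(bashio::addon.ip_address)"
  otbr_rest_listen_port="8081"
elif [[ "${otbr_rest_listen_port}" != "8081" ]]; then
  bashio::log.warning "Custom OpenThread REST API port is not supported. Using 8081."
  otbr_rest_listen_port="8081"
fi

# Hand address (line 1) and port (line 2) to the check script. Both lines are
# written with a single redirection so a reader never sees a file that holds
# only the address, and printf is used so the values are emitted literally.
# NOTE(review): the path under /tmp is fixed because the check script reads it;
# this is only safe while nothing untrusted can write to /tmp in this container.
printf '%s\n' "${otbr_rest_listen}" "${otbr_rest_listen_port}" > /tmp/otbr-agent-rest-api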
# Run the settings migration helper before otbr-agent starts. It receives the
# adapter path, baudrate and flow-control mode chosen above plus the Thread data
# directory. What the helper does with them is not visible in this script.
bashio::log.info "Migrating OTBR settings if needed..."
migrate_args=(
  --adapter "${device}"
  --baudrate "${baudrate}"
  --flow-control "${migrate_flow_control}"
  --data-dir /data/thread/
)
python3 /usr/local/bin/migrate_otbr_settings.py "${migrate_args[@]}"
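bashio::log.info "Starting otbr-agent..."
# Replace this shell with otbr-agent, wrapped by s6-notifyoncheck and by
# stdbuf -oL for line-buffered output.
# Every expansion is quoted so that an unexpected space or glob character in a
# value cannot turn into additional otbr-agent arguments.
# ${thread_if} is not assigned in this file; presumably it comes from the
# sourced otbr-agent-common, confirm.
# NOTE(review): ${device} and ${baudrate} are placed into the radio URL as-is. A
# value containing '?' or '&' would change the URL's parameters, so this relies
# on the add-on option schema restricting both values; confirm.
exec s6-notifyoncheck -d -s 300 -w 300 -n 0 stdbuf -oL \
  "/usr/sbin/otbr-agent" -I "${thread_if}" -B "${backbone_if}" \
  --rest-listen-address "${otbr_rest_listen}" \
  "-d${otbr_log_level_int}" -v -s \
  "spinel+hdlc+uart://${device}?uart-baudrate=${baudrate}${flow_control}" \
  "trel://${backbone_if}"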