openthread_border_router: Add NAT64 and TREL support

openthread_border_router/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 2.4.0
+
+- Enable TREL
+- Enable NAT64 (disabled by default)
+- Bump to OTBR POSIX version 27ed99f375 (2023-12-13 10:11:52 -0800)
+- Bump universal SiLabs flasher to 0.0.15
+- Shutdown add-on on otbr-agent crash (use Supervisor Watchdog functionality
+  for automatic restarts)
+
 ## 2.3.2
 
 - Bump to OTBR POSIX version 9e50efa8de (2023-08-23 21:28:30 -0700)

openthread_border_router/DOCS.md

@@ -64,6 +64,7 @@ Add-on configuration:
 | autoflash_firmware | Automatically install/update firmware (Home Assistant SkyConnect/Yellow) |
 | otbr_log_level     | Set the log level of the OpenThread BorderRouter Agent     |
 | firewall           | Enable OpenThread Border Router firewall to block unnecessary traffic |
+| nat64              | Enable NAT64 to allow Thread devices accessing IPv4 addresses |
 
 ## Support
 

openthread_border_router/Dockerfile

@@ -10,7 +10,6 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ENV BORDER_ROUTING 1
 ENV BACKBONE_ROUTER 1
-ENV OTBR_OPTIONS "-DOTBR_DBUS=OFF -DOT_POSIX_CONFIG_RCP_BUS=UART -DOT_DIAGNOSTIC=1 -DOT_LINK_RAW=1 -DOTBR_VENDOR_NAME=HomeAssistant -DOTBR_PRODUCT_NAME=OpenThreadBorderRouter"
 ENV PLATFORM debian
 ENV RELEASE 1
 ENV WEB_GUI 1
@@ -31,18 +30,19 @@ ENV OTBR_UNUSED_DEBS libavahi-client3 avahi-daemon rsyslog
 
 WORKDIR /usr/src
 
-# Install npm/nodejs for WebUI manually to avoid systemd getting pulled in
+# Install npm/nodejs for WebUI before calling script/bootstrap to avoid
+# systemd getting pulled in
 RUN \
     set -x \
     && apt-get update \
     && apt-get install -y --no-install-recommends \
-       git \
        iproute2 \
        python3 \
        python3-pip \
        lsb-release \
        netcat-openbsd \
        sudo \
+       git \
        nodejs \
        npm \
     && git clone --depth 1 -b main \
@@ -63,25 +63,30 @@ RUN \
         -DOTBR_FEATURE_FLAGS=ON \
         -DOTBR_DNSSD_DISCOVERY_PROXY=ON \
         -DOTBR_SRP_ADVERTISING_PROXY=ON \
-        -DOTBR_INFRA_IF_NAME=eth0 \
         -DOTBR_MDNS=mDNSResponder \
         -DOTBR_VERSION= \
         -DOT_PACKAGE_VERSION= \
         -DOTBR_DBUS=OFF \
-        -DOT_POSIX_CONFIG_RCP_BUS=UART \
+        -DOT_POSIX_RCP_BUS_UART=ON \
         -DOT_LINK_RAW=1 \
         -DOTBR_VENDOR_NAME="Home Assistant" \
         -DOTBR_PRODUCT_NAME="OpenThread Border Router" \
         -DOTBR_WEB=ON \
         -DOTBR_BORDER_ROUTING=ON \
         -DOTBR_REST=ON \
         -DOTBR_BACKBONE_ROUTER=ON \
+        -DOTBR_TREL=ON \
+        -DOTBR_NAT64=ON \
+        -DOT_POSIX_NAT64_CIDR="192.168.255.0/24" \
+        -DOTBR_DNS_UPSTREAM_QUERY=ON \
         && cd build/otbr/ \
         && ninja \
         && ninja install) \
-    && pip install universal-silabs-flasher==${UNIVERSAL_SILABS_FLASHER} \
+    && pip install gpiod==1.5.4 universal-silabs-flasher==${UNIVERSAL_SILABS_FLASHER} \
     && apt-get purge -y --auto-remove \
        git \
+       nodejs \
+       npm \
        ${OTBR_BUILD_DEPS} \
        ${OTBR_UNUSED_DEBS} \
     && rm -rf /var/lib/apt/lists/* \

openthread_border_router/build.yaml

@@ -3,5 +3,5 @@ build_from:
   aarch64: ghcr.io/home-assistant/aarch64-base-debian:bullseye
   amd64: ghcr.io/home-assistant/amd64-base-debian:bullseye
 args:
-  OTBR_VERSION: 9e50efa8de3c9cf73936fc8a3e9ba32587d80066
-  UNIVERSAL_SILABS_FLASHER: 0.0.13
+  OTBR_VERSION: 27ed99f3751f738bc7647256d3f54f2af54d72f3
+  UNIVERSAL_SILABS_FLASHER: 0.0.15

openthread_border_router/config.yaml

@@ -1,5 +1,5 @@
 ---
-version: 2.3.2
+version: 2.4.0
 slug: openthread_border_router
 name: OpenThread Border Router
 description: OpenThread Border Router add-on
@@ -29,6 +29,7 @@ options:
   autoflash_firmware: true
   otbr_log_level: notice
   firewall: true
+  nat64: false
 ports:
   8080/tcp: null
   8081/tcp: null
@@ -42,5 +43,6 @@ schema:
   autoflash_firmware: bool
   otbr_log_level: list(debug|info|notice|warning|error|critical|alert|emergency)
   firewall: bool
+  nat64: bool
 stage: experimental
 startup: services

openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/type

@@ -0,0 +1 @@
+oneshot

openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/up

@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/otbr-agent-configure.sh

openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/finish

@@ -2,8 +2,17 @@
 #==============================================================================
 # OpenThread BorderRouter Daemon finish script
 #==============================================================================
-bashio::log.info "otbr-agent ended with exit code ${1} (signal ${2})..."
+if test "$1" -eq 256 ; then
+  e=$((128 + $2))
+else
+  e="$1"
+fi
 
+if test "$e" -ne 0; then
+    bashio::log.warning "otbr-agent exited with code $e (by signal $2)."
+else
+    bashio::log.info "otbr-agent exited with code $e (by signal $2)."
+fi
 
 . /etc/s6-overlay/scripts/otbr-agent-common
 
@@ -40,10 +49,10 @@ if ip6tables -L $otbr_forward_egress_chain 2> /dev/null; then
 fi
 bashio::log.info "OTBR firewall teardown completed."
 
-if test "$1" -eq 256 ; then
-  e=$((128 + $2))
-else
-  e="$1"
+if test "$e" -ne 0; then
+    echo "$e" > /run/s6-linux-init-container-results/exitcode
+    # It seems this is required otherwise this script gets called twice for some
+    # reason...
+    s6-svc -d /run/s6-rc/servicedirs/otbr-agent/
+    /run/s6/basedir/bin/halt
 fi
-
-echo "$e" > /run/s6-linux-init-container-results/exitcode

openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run

@@ -87,6 +87,13 @@ else
     ip6tables-legacy -P FORWARD ACCEPT
 fi
 
+if bashio::config.true 'nat64'; then
+    iptables -t mangle -A PREROUTING -i ${thread_if} -j MARK --set-mark 0x1001
+    iptables -t nat -A POSTROUTING -m mark --mark 0x1001 -j MASQUERADE
+    iptables -t filter -A FORWARD -o ${backbone_if} -j ACCEPT
+    iptables -t filter -A FORWARD -i ${backbone_if} -j ACCEPT
+fi
+
 otbr_rest_listen="::"
 otbr_rest_listen_port="$(bashio::addon.port 8081)"
 

openthread_border_router/rootfs/etc/s6-overlay/scripts/otbr-agent-configure.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Configure OTBR depending on add-on settings
+# ==============================================================================
+
+if bashio::config.true 'nat64'; then
+    bashio::log.info "Enabling NAT64."
+    ot-ctl nat64 enable
+fi

openthread_border_router/translations/en.yaml

@@ -23,6 +23,9 @@ configuration:
     name: OTBR firewall
     description: >-
       Use OpenThread Border Router firewall to block unnecessary traffic.
+  nat64:
+    name: NAT64
+    description: Enable IPv6 to IPv4 network address translation.
 network:
   8080/tcp: OpenThread Web port
   8081/tcp: OpenThread REST API port

silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/finish

@@ -46,4 +46,10 @@ else
   e="$1"
 fi
 
-echo "$e" > /run/s6-linux-init-container-results/exitcode
+if test "$e" -ne 0; then
+    bashio::log.warning "otbr-agent exited with code $e (by signal $2)."
+    echo "$e" > /run/s6-linux-init-container-results/exitcode
+    exec /run/s6/basedir/bin/halt
+else
+    bashio::log.info "otbr-agent exited with code $e (by signal $2)."
+fi