In previous otbr docker tests, when creating docker containers, all the
containers(otbr nodes) are connected to the same docker network bridge `backbone0`
(when the env PORT_OFFSET is not set or set to 0), this means all the
otbr nodes are connected to the same infrastructures.
This commit adds support to enable user to config otbr instance
infrastructures seperately in `TOPOLOGY` when defining test cases, this
provides flexibility to run multi-ail related test cases.
The format to define backbone interface per node is:
```
class NewTestCase(thread_cert.TestCase):
...
BR = 1
...
TOPOLOGY = {
BR: {
...
'is_otbr': True,
'backbone': <backbone-name>,
...
}
...
}
...
```
`'backbone': <backbone-name>` is optional, when it's not given when
defining a otbr node, the backbone is default as
`BACKBONE_DOCKER_NETWORK_NAME`. The `<backbone-name>` is suggested to be
defined as `backbone[0-9]` to make it more easy to read and understand.
This commit also adds test_multi_ail.py as an example test case to use
this new method, this test case checks the two otbr nodes are connected
to the different infra and are in the same Thread mesh network.
In some cases that `_do_packet_verification` is False (e.g. verify() is
not defined), the docker network is not correctly removed.
docker network interface should always be removed at the end of the test
if it was created at the begin of the test
This commit supresses the docker output unless verbose mode is enabled,
which helps preventing unnecessary output from cluttering the console.
docker output is enabled when:
* env VERBOSE is set to a non-zero value
docker output is suppressed (redirecting to /dev/null) when:
* VERBOSE is not explicitly set in env, or
* env VERBOSE is set to 0
The cli command `linkmetrics` only provides an asynchronous output
method. It is difficult for scripts to call the `ot-ctl` to capture
the results of asynchronous output.
This commit replaces the command `linkmetrics mgmt` and `linkmetrics
query` with commands `linkmetrics config` and `linkmetrics
request`. Both the commands `linkmetrics config` and `linkmetrics
request` are set to the `sync` mode by default, and an option `async`
is added to these commands to support `async` mode.
This commit updates SRP client's `AutoHostAddress` behavior to
defer SRP updates on SLAAC address deprecation events.
Under `AutoHostAddressMode`, all preferred addresses on Thread Netif,
excluding link-local and mesh-local addresses, are registered. If no
eligible address is available, then the ML-EID will be registered.
This commit adds a new mechanism where if a previously registered
address starts being deprecated (e.g., due to an OMR prefix removal
from Network Data), the SRP update is deferred. The client will
re-register after the deprecation time has elapsed and the address is
removed. In the meantime, if any other event triggers the client to
send an SRP update, the updated address list will be included in that
update.
This commit also updates `test_srp_auto_host_address` to validate the
newly added behavior.
This commit makes two changes in `test_advertising_proxy`:
- In the test step where the server is restarted, a longer wait time
is used to account for the longer jitter interval used by SRP
client in such a case.
- Due to the use of short lease time (10 seconds) in this test, the
client will refresh the registered services quickly. Therefore, in
`check_host_and_service()`, any of `Registered`, `ToRefresh`, or
`Refreshing` states are accepted as indicating successful
registration.
This commit improves the `Srp::Client` mechanism for applying random
jitter delays before sending update messages to the server. It now
supports different jitter ranges based on specific triggers. Since
trigger events are often network-wide, potentially causing
simultaneous SRP re-registration from many nodes, longer jitter
intervals are used to distribute the resulting SRP update
transmissions and avoid congestion.
The following triggers are covered:
- Server switch: Client switching to a new server while already
connected to a discovered server. This occurs when a new server
entry appears in Network Data which is preferred over the current
selection.
- Server restart: Client was previously connected to a server that
disappeared from Network Data. Later, the same or a new server is
discovered in Network Data.
- SLAAC address add or remove: This is generally triggered by updates
to SLAAC prefixes in Network Data (e.g., OMR prefix changes).
- First registration after attach:
- If the device is attaching to an established Thread mesh
(e.g., after a reboot or initial pairing), the Network Data it
receives should already include a server entry, leading to a
quick server selection after attach. If server selection occurs
within a short window, a shorter TX jitter is used, allowing the
device to register quickly and become discoverable.
- If server discovery takes longer, a longer TX jitter is used. This
situation can indicate a server/BR starting up or a network-wide
restart of many nodes (e.g., due to a power outage).
This commit introduces `TxJitter` class to manage the requested TX
jitter based on a trigger reason. It tracks the time of the event
that triggered a longer jitter request. If the update message is sent
immediately after the trigger event, the requested maximum jitter is
applied. However, if the update message is sent later, the maximum
jitter is adjusted proportionally to the time elapsed since the
trigger event. If the elapsed time exceeds the requested maximum
jitter interval, the default short jitter is applied to avoid
unnecessary registration delay.
This commit removes the option to set `key_switch_guardtime` when
constructing nodes and network topology in test scripts. The
following tests are updated to reflect this change:
- `Cert_5_8_02_KeyIncrement.py`
- `Cert_5_8_03_KeyIncrementRollOver.py`
- `Cert_6_6_01_KeyIncrement.py`
- `Cert_6_6_02_KeyIncrementRollOver.py`
This commit refines the `NetworkData::Publisher` to differentiate
between DNS/SRP unicast entries based on whether the address
information resides in service data (part of service TLV) or server
data (part of server sub-TLV).
Additionally, if another BR adds a service data unicast entry,
`Publisher` will zero out the desired count for server data unicast
entries, effectively removing any previously published server data
unicast entries.
The `test_netdata_publisher` has been updated to validate all the
newly added behaviors.
Unicast SRP dataset uses a ephemeral UDP port which could be taken by
another process. Currently SRP server creates the socket at the port
after the server is added into netdata. However, at that moment the
port may not be available on the platform so it may fail to create the
socket and start the server.
This commit adds the logic to restart the enabling process with
another port candidate if SRP server fails to create the socket.
This commit enables channel manager on SSED, together with channel monitor,
auto-selecting a better CSL channel for the link between child and its parent.
It also fixes tracking of CcaSuccessRate on CslChannel and adds toranj tests
for auto-channel selection and thread_cert test for autocsl-channel selection.
Updates validation logic after published route entry replacement to
prevent occasional failures due to a race condition. This increases
test stability.
- Validates that key guard time is updated to 93% of key rotation
time when it changes.
- Checks for proper key sequence updates after key rotation
expiration.
- Confirms key guard mechanism blocks key sequence increments
while mesh nodes staying connected.
This commit makes changes/fixes to `KeyManager` regarding key switch
guard time.
Key Rotation Time updates:
- When the Key Rotation Time changes (due to security policy updates),
the key switch guard time (`mKeySwitchGuardTime`) is also adjusted.
It's set to 93% of the Rotation Time (rounded down).
- Immediately checks if the new rotation time indicates a rotation is
due and keys are rotated.
New variable `mKeySwitchGuardTimer`:
- This is reset to the current guard time whenever the key sequence is
updated.
- It decrements hourly until reaching zero.
- Key switch guard comparison is made with this value, aligning the
implementation with the Thread specification.
`SetCurrentKeySequence()` modification:
- Now accepts a new input parameter that determines whether to apply
or ignore the key switch guard when updating the key sequence.
- During a key rotation check (when the rotation time has passed), the
key switch guard is ignored and we always move to the next key
sequence number.
Other changes:
- Variables handling guard and rotation time now use `uint16_t`
instead of `uint32_t` to align with security policy definitions.
- API and CLI command documentation for setting the "key switch guard
time" emphasize that they are intended for testing purposes.
This commit implements address deprecation mechanism in `Slaac` class.
When a prefix is removed from Network Data, its corresponding SLAAC
address is not removed immediately. Instead, it is marked as
deprecated and its "preferred" flag is set to false. After a
deprecation interval (300 seconds), the deprecated address is
removed. If the prefix is re-added to Network Data before the
deprecation time elapses, the SLAAC address is also reinstated.
Since the number of SLAAC address entries is limited, non-deprecated
addresses are prioritized. This means that if a new entry is required
for a new prefix, the earliest deprecating entry can be evicted to
accommodate the new entry.
The `Slaac` module keeps track of the associated Domain IDs for
deprecating SLAAC prefixes, even if the related Prefix TLV has
already been removed from the Network Data. This information is used
during external route lookup in `NetworkData::Leader::RouteLookup()`
if a deprecating SLAAC address is used as the source address in
an outbound message, ensuring that the message is not dropped and
can be delivered.
This commit also adds a detailed test `test-027-slaac-address.py`
validating various behaviors of SLAAC module.
This commit updates how the `NetworkData::Publisher` handles "DNS/SRP
Service Unicast Address" entries. Specifically, when a "DNS/SRP
Service Anycast" entry is added by another BR, the publisher will set
the desired count of unicast entries to zero. This effectively
removes any previously added unicast entry. This new behavior is
only applied when the address and port are included in the Server TLV
data in a "DNS/SRP Service Unicast Address" entry.
The `test_netdata_publisher` has been updated to verify this new
behavior.
Config `OPENTHREAD_CONFIG_SRP_CLIENT_AUTO_START_DEFAULT_MODE` is
changed to use `1` by default (unless explicitly overridden in
project configs).
It also updates related test scripts to utilize auto-start mode or
explicitly disable it for manual SRP client control, reflecting this
default change.
Create OT API to support trel telemetry which is supported through
platform API and also add cli support to get/reset trel counters.
Metrics we are adding are:
- trel_frames_tx
- trel_bytes_tx
- trel_frames_rx
- trel_bytes_rx
- trel_frames_tx_failed
- num_trel_peers
Metrics already supported through API:
- trel_enabled
This commit updates the `AutoAddress` mode in `Srp::Client` to
exclude any deprecated (non-preferred) address when registering
host addresses.
It also updates `test_srp_auto_host_address` to validate the new
behavior.
There was a check `self.assertNotEqual(br1_external_routes,
br2_external_routes)` that verifies the external route entries of BR1
and BR2 are different, based on the fact that their external route
prefixes (in /64) were different. However, today we're using generic
external routes like `fc00::/7` so the external route entries will be
the same when BR1 and BR2 have the same RLOC16.
I updated the test case to verify that the devices have expected
external route entries respectively.
This commit adds `otNetDataGetCommissioningDataset()` as a public
API to retrieve the Commissioning Dataset from the Network Data.
It also updates CLI `netdata show` command to output the Commissioning
Dataset information. The documentation in `README_NETDATA.md` and
in `cli_network_data` are also updated. The test scripts that parse
`netdata show` output are also updated.
This commit drops UDP datagrams from an untrusted origin to TMF port.
Examples of untrusted origin:
- A process other than OT on the host sends the packet to Thread
network via platform API.
- A packet forwarded from infrastructure network to Thread network by
Thread Border Router.
OT shouldn't allow UDP datagrams from untrusted origins going to TMF
port of any Thread device.
To implement this, there's an API `otIp6SendFromOrigin`
introduced. This can be used for specifying the origin of a packet you
want to send. This commit also encapsulates the 'origin' information
in `Message::Metadata`.
This commit implements the packet logic in OT core. It aims to have
the same effect as what's already achieved by our iptables-based
firewall. Instead of leveraging iptables, this commit filters the
border routing packets in user space by checking the
source/destination addresses of a packet.
This commit also adds a job to do BR regression test when this feature
is enabled and iptables-based firewall is disabled.
This commit implements a new module LinkMetricsManager, which utilizes
the Link Metrics feature to get the Link Metrics data from neighboring
devices.
The commit also adds a few tests to the module:
- Unit Test: tests/unit/test_link_metrics_manager.cpp, will be run in
`unit-tests` in `unit.yml`.
- Expect Test: tests/scripts/expect/v1_2-linkmetricsmgr.exp, will be
run in `expects` in `simulation-1.2.yml`.
- Simulation Test:
tests/scripts/thread-cert/v1_2_LowPower_test_link_metrics_manager.py,
will be run in `packet-verification-low-power` in
`simulation-1.2.yml`.
In `LeaderBase::RouteLookup()`, OT currently checks the source address
of the packet to ensure it matches any of the Prefix TLV in leader's
netdata. Actually it should also verify that the Prefix TLV has a
Border Router sub-TLV.
In the current implementation, OT may wrongly send/forward a packet to
BR when its source address matches with a Prefix TLV which only
contains an External Route sub-TLV. This lets BR accidentally forward
packets from Thread to infra network. For example, a packet from
Mesh-Local address to On-Link address will be wrongly forwarded to
infra network.
I recently noticed this problem because we're now using either
`fc00:/7` or `::/0` for external routes in netdata, which always
matches Mesh-Local source addresses and makes the issue more obvious.
This commit updates public APIs for getting and setting CSL period to
use microseconds unit instead of the internal ten symbols unit. This
makes the APIs easier to use.
The CSL APIs have been renamed to follow the `otLinkGet/SetCsl{Item}()`
pattern, which is the common naming style of OpenThread. This
renaming will make the APIs more consistent and avoid potential
confusion with the now-removed APIs, which used a different unit for
CSL period.
This commit also updates the related CLI CSL commands:
- The `csl period` expects the given period to be in microseconds.
- The `csl` command (which outputs all CSL parameter) shows the CSL
period in microsecond unit (e.g., "Period: 160000us").
The NCP spinel `SPINEL_PROP_THREAD_CSL_PERIOD` is also updated to use
microsecond unit for CSL period.
The related test script are updated to use the new unit, in particular
the test harness `setCSLperiod()` in `harness-thci/OpenThread.py` is
updated (no need to convert from msec).
This commit updates `Dns::ServiceDiscovery::Server` such that when
answering a PTR query with more than one answer, it does not include
additional records. This is to keep the size of the response small.
This commit also updates the test scripts validating browse (PTR
query) function to check the new behavior. In particular, a common
python function `_parse_dns_service_info()` is added to parse service
info in CLI output of "dns browse" or "dns service" commands and
handle if output of "dns browse" does not include service info.
Processing of the Key Sequence is happening after each individual MLE
command processing, which leads to generating MLE responses with
outdated Key Sequence.
Make sure that the new greater Key Sequence is applied before
generating any MLE response.
A test case is updated to catch the case in which fragmented Child Id
Response was generated with the old Key Sequence whereas each
individual MAC fragment is already updated with the new Key Sequence,
leading to a security error.
This commit contains multiple changes to Network Diagnostics
modules.
It adds new TLVs: Child TLV, Child IPv6 Address List TLV, Router
Neighbor TLV and MLE counters TLV.
Child TLV contains information about a child entry including RLOC16,
extended MAC address, mode (rx-on-idle, FTD/MTD, full netdata,
CSL-sync), timeout, age, supervision interval, CSL period and
timeout, and link quality info such as RSS (last and average) and
frame/message error rates. Neighbor TLV provides similar info for a
router neighbor. The Child IPv6 Address List TLV allows to query a
parent to get the list of IPv6 addresses registered by its MTD
children.
The new Child and Neighbor TLVs can be requested in Network Diagnostic
Get Query "d/dq" message to a router (unicast) or multiple routers
(multicast). The router responds with one or more Network Diagnostic
Get Answer "d/da" messages.
We allow multiple Answer messages to be sent in response to a Query.
This is to support the case where a router has many children, and we
want to avoid sending a large message that contains all of the TLVs
for all of the children. Instead, we can send a sequence of Answer
messages, each of which contains a subset of the TLVs.
Each Answer message includes an Answer TLV that indicates the index of
the message in the sequence. The first Answer message has an index of
0, the second has an index of 1, and so on. The Answer TLV also
indicates whether the message is the last one in the sequence, or if
there are more Answer messages to come. Answer messages are sent in
sequence, and the next one is not sent until we receive a successful
CoAP ACK/response for the previous one.
This commit adds a Query ID TLV (with a 16-bit identifier as it
value) that can be optionally included in a Query message. The Query
ID is echoed back in all Answer messages associated with the same
Query message. This allows a node that sends multiple Queries to
distinguish between the received Answers.
This commit updates `MeshDiag` to use the newly added TLVs
to query the child table or children IPv6 addresses of a router.
New public OpenThread APIs under `otMeshDiag` are added for this,
along with CLI commands and their documentation. A test-case is added
to validate the newly added mechanism.
This commit adds a mechanism to delay the downgrade of routers or
leader when the security policy TLV changes in the Active Operational
Dataset such that the device is no longer eligible to act as a
router.
If the decision to become a child is made due to a security policy
change, the device first delays a random period up to the "router
selection jitter" before downgrading. If the device is the leader, an
additional fixed delay of 10 seconds is added to the random period.
If the security policy changes again while the device is waiting to
downgrade such that it becomes router-eligible again, the downgrade
is cancelled and the device remains in its current role.
This commit adds a `test_router_downgrade_on_sec_policy_change` to
validate the behavior of newly added mechanism.
This commit also updates the CLI `dataset` sub-commands to allow
getting and setting the "version threshold for routing" (VR) field in
security policy.
We should notice that the default CIDR (`192.168.255.0/24`) is not
safe to use, however, in most cases, the CIDR used can only be
determined during runtime since the single binary might be distributed
to BRs in different network conditions. And we cannot conclude an
always safe CIDR in all conditions.
This commit will emit an event when NAT64 CIDR is changed. So the
platform driver can update the route for NAT64.
This commit adds a public OT API to replace a previously published
external route entry in the Thread Network Data. It also adds a
related CLI command, and updates `test_netdata_publisher` to
validate the new behavior.
This commit migrate tests not targeting autotool to cmake.
* removed openthread-test-driver
* removed functional tests from autotool based check
* corrected file permission of python scripts
* added --run-directory to specify directory to collect logs and captures
* get test-ot-test-srp-server pass on POSIX platform