From f4b833b7646af9aa31ecb044232969d3b40f71a4 Mon Sep 17 00:00:00 2001
From: regevbr <regevbr@gmail.com>
Date: Sat, 19 Apr 2025 18:54:45 +0300
Subject: [PATCH 1/2] add otbr NAT64 support

---
 silabs-multiprotocol/DOCS.md                      |  1 +
 silabs-multiprotocol/Dockerfile                   |  5 ++++-
 silabs-multiprotocol/config.yaml                  |  2 ++
 .../dependencies.d/otbr-agent                     |  0
 .../s6-overlay/s6-rc.d/otbr-agent-configure/type  |  1 +
 .../s6-overlay/s6-rc.d/otbr-agent-configure/up    |  1 +
 .../rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run  |  7 +++++++
 .../s6-rc.d/user/contents.d/otbr-agent-configure  |  0
 .../s6-overlay/scripts/otbr-agent-configure.sh    | 15 +++++++++++++++
 silabs-multiprotocol/translations/en.yaml         |  5 +++++
 10 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/dependencies.d/otbr-agent
 create mode 100644 silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/type
 create mode 100755 silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/up
 create mode 100644 silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/otbr-agent-configure
 create mode 100755 silabs-multiprotocol/rootfs/etc/s6-overlay/scripts/otbr-agent-configure.sh

diff --git a/silabs-multiprotocol/DOCS.md b/silabs-multiprotocol/DOCS.md
index d333b0a445a..eccdb705da1 100644
--- a/silabs-multiprotocol/DOCS.md
+++ b/silabs-multiprotocol/DOCS.md
@@ -83,6 +83,7 @@ Add-on configuration:
 | otbr_enable        | Enable OpenThread BorderRouter                         |
 | otbr_log_level     | Set the log level of the OpenThread BorderRouter Agent     |
 | otbr_firewall      | Enable OpenThread Border Router firewall to block unnecessary traffic |
+| orbr_nat64         | Enable OpenThread Border Router NAT64 to allow Thread devices accessing IPv4 addresses |
 
 ## Architecture
 
diff --git a/silabs-multiprotocol/Dockerfile b/silabs-multiprotocol/Dockerfile
index 3852a7fa2fa..87aebf0516f 100644
--- a/silabs-multiprotocol/Dockerfile
+++ b/silabs-multiprotocol/Dockerfile
@@ -102,7 +102,7 @@ RUN \
     && curl -O https://www.silabs.com/documents/login/software/slc_cli_linux.zip \
     && unzip slc_cli_linux.zip \
     && cd slc_cli/ && chmod +x slc
- 
+
 ENV PATH="/usr/src/slc_cli/:$PATH"
 
 RUN \
@@ -235,6 +235,9 @@ RUN \
         -DOTBR_BORDER_ROUTING=ON \
         -DOTBR_REST=ON \
         -DOTBR_BACKBONE_ROUTER=ON \
+        -DOTBR_NAT64=ON \
+        -DOT_POSIX_NAT64_CIDR="192.168.255.0/24" \
+        -DOTBR_DNS_UPSTREAM_QUERY=ON \
         && cd build/otbr/ \
         && ninja \
         && ninja install) \
diff --git a/silabs-multiprotocol/config.yaml b/silabs-multiprotocol/config.yaml
index 6d5b2b11f6a..03aa40a22cf 100644
--- a/silabs-multiprotocol/config.yaml
+++ b/silabs-multiprotocol/config.yaml
@@ -32,6 +32,7 @@ options:
   otbr_enable: true
   otbr_log_level: notice
   otbr_firewall: true
+  otbr_nat64: false
 ports:
   9999/tcp: null
   8080/tcp: null
@@ -50,5 +51,6 @@ schema:
   otbr_enable: bool
   otbr_log_level: list(debug|info|notice|warning|error|critical|alert|emergency)
   otbr_firewall: bool
+  otbr_nat64: bool
 stage: experimental
 startup: services
diff --git a/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/dependencies.d/otbr-agent b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/dependencies.d/otbr-agent
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/type b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/type
new file mode 100644
index 00000000000..bdd22a1850a
--- /dev/null
+++ b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/type
@@ -0,0 +1 @@
+oneshot
diff --git a/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/up b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/up
new file mode 100755
index 00000000000..0737177921a
--- /dev/null
+++ b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/up
@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/otbr-agent-configure.sh
diff --git a/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run
index b3bb2f7067c..a7b3196da84 100755
--- a/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run
+++ b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run
@@ -98,6 +98,13 @@ else
     ip6tables-legacy -P FORWARD ACCEPT
 fi
 
+if bashio::config.true 'otbr_nat64'; then
+    iptables -t mangle -A PREROUTING -i "${thread_if}" -j MARK --set-mark 0x1001
+    iptables -t nat -A POSTROUTING -m mark --mark 0x1001 -j MASQUERADE
+    iptables -t filter -A FORWARD -o "${backbone_if}" -j ACCEPT
+    iptables -t filter -A FORWARD -i "${backbone_if}" -j ACCEPT
+fi
+
 otbr_rest_listen="::"
 otbr_rest_listen_port="$(bashio::addon.port 8081)"
 
diff --git a/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/otbr-agent-configure b/silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/otbr-agent-configure
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/silabs-multiprotocol/rootfs/etc/s6-overlay/scripts/otbr-agent-configure.sh b/silabs-multiprotocol/rootfs/etc/s6-overlay/scripts/otbr-agent-configure.sh
new file mode 100755
index 00000000000..93066281b51
--- /dev/null
+++ b/silabs-multiprotocol/rootfs/etc/s6-overlay/scripts/otbr-agent-configure.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Configure OTBR depending on add-on settings
+# ==============================================================================
+
+if bashio::config.true 'otbr_nat64'; then
+    bashio::log.info "Enabling NAT64."
+    ot-ctl nat64 enable
+    ot-ctl dns server upstream enable
+fi
+
+# To avoid asymmetric link quality the TX power from the controller should not
+# exceed that of what other Thread routers devices typically use.
+ot-ctl txpower 6
diff --git a/silabs-multiprotocol/translations/en.yaml b/silabs-multiprotocol/translations/en.yaml
index 97c2fbc8266..c829f24dc1e 100644
--- a/silabs-multiprotocol/translations/en.yaml
+++ b/silabs-multiprotocol/translations/en.yaml
@@ -34,6 +34,11 @@ configuration:
     name: OTBR firewall
     description: >-
       Use OpenThread Border Router firewall to block unnecessary traffic.
+  otbr_nat64:
+    name: OTBR NAT64
+    description: >-
+      Enable OpenThread Border Router IPv6 to IPv4 network address translation.
+      This allows Thread devices to communicate with devices on the Internet.
 network:
   9999/tcp: EmberZNet EZSP/ASH port
   8080/tcp: OpenThread Web port

From f096364a5d1c4aeda440adccf9bf208dd88aa74d Mon Sep 17 00:00:00 2001
From: regevbr <regevbr@gmail.com>
Date: Sat, 19 Apr 2025 19:01:48 +0300
Subject: [PATCH 2/2] add otbr NAT64 support

---
 silabs-multiprotocol/DOCS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/silabs-multiprotocol/DOCS.md b/silabs-multiprotocol/DOCS.md
index eccdb705da1..ddc32aa1f50 100644
--- a/silabs-multiprotocol/DOCS.md
+++ b/silabs-multiprotocol/DOCS.md
@@ -83,7 +83,7 @@ Add-on configuration:
 | otbr_enable        | Enable OpenThread BorderRouter                         |
 | otbr_log_level     | Set the log level of the OpenThread BorderRouter Agent     |
 | otbr_firewall      | Enable OpenThread Border Router firewall to block unnecessary traffic |
-| orbr_nat64         | Enable OpenThread Border Router NAT64 to allow Thread devices accessing IPv4 addresses |
+| otbr_nat64         | Enable OpenThread Border Router NAT64 to allow Thread devices accessing IPv4 addresses |
 
 ## Architecture