silabs-multiprotocol: add otbr NAT64 support

silabs-multiprotocol/DOCS.md

@@ -83,6 +83,7 @@ Add-on configuration:
 | otbr_enable        | Enable OpenThread BorderRouter                         |
 | otbr_log_level     | Set the log level of the OpenThread BorderRouter Agent     |
 | otbr_firewall      | Enable OpenThread Border Router firewall to block unnecessary traffic |
+| orbr_nat64         | Enable OpenThread Border Router NAT64 to allow Thread devices accessing IPv4 addresses |
 
 ## Architecture
 

silabs-multiprotocol/Dockerfile

@@ -102,7 +102,7 @@ RUN \
     && curl -O https://www.silabs.com/documents/login/software/slc_cli_linux.zip \
     && unzip slc_cli_linux.zip \
     && cd slc_cli/ && chmod +x slc
- 
+
 ENV PATH="/usr/src/slc_cli/:$PATH"
 
 RUN \
@@ -235,6 +235,9 @@ RUN \
         -DOTBR_BORDER_ROUTING=ON \
         -DOTBR_REST=ON \
         -DOTBR_BACKBONE_ROUTER=ON \
+        -DOTBR_NAT64=ON \
+        -DOT_POSIX_NAT64_CIDR="192.168.255.0/24" \
+        -DOTBR_DNS_UPSTREAM_QUERY=ON \
         && cd build/otbr/ \
         && ninja \
         && ninja install) \

silabs-multiprotocol/config.yaml

@@ -32,6 +32,7 @@ options:
   otbr_enable: true
   otbr_log_level: notice
   otbr_firewall: true
+  otbr_nat64: false
 ports:
   9999/tcp: null
   8080/tcp: null
@@ -50,5 +51,6 @@ schema:
   otbr_enable: bool
   otbr_log_level: list(debug|info|notice|warning|error|critical|alert|emergency)
   otbr_firewall: bool
+  otbr_nat64: bool
 stage: experimental
 startup: services

silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/type

@@ -0,0 +1 @@
+oneshot

silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent-configure/up

@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/otbr-agent-configure.sh

silabs-multiprotocol/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run

@@ -98,6 +98,13 @@ else
     ip6tables-legacy -P FORWARD ACCEPT
 fi
 
+if bashio::config.true 'otbr_nat64'; then
+    iptables -t mangle -A PREROUTING -i "${thread_if}" -j MARK --set-mark 0x1001
+    iptables -t nat -A POSTROUTING -m mark --mark 0x1001 -j MASQUERADE
+    iptables -t filter -A FORWARD -o "${backbone_if}" -j ACCEPT
+    iptables -t filter -A FORWARD -i "${backbone_if}" -j ACCEPT
+fi
+
 otbr_rest_listen="::"
 otbr_rest_listen_port="$(bashio::addon.port 8081)"
 

silabs-multiprotocol/rootfs/etc/s6-overlay/scripts/otbr-agent-configure.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Configure OTBR depending on add-on settings
+# ==============================================================================
+
+if bashio::config.true 'otbr_nat64'; then
+    bashio::log.info "Enabling NAT64."
+    ot-ctl nat64 enable
+    ot-ctl dns server upstream enable
+fi
+
+# To avoid asymmetric link quality the TX power from the controller should not
+# exceed that of what other Thread routers devices typically use.
+ot-ctl txpower 6

silabs-multiprotocol/translations/en.yaml

@@ -34,6 +34,11 @@ configuration:
     name: OTBR firewall
     description: >-
       Use OpenThread Border Router firewall to block unnecessary traffic.
+  otbr_nat64:
+    name: OTBR NAT64
+    description: >-
+      Enable OpenThread Border Router IPv6 to IPv4 network address translation.
+      This allows Thread devices to communicate with devices on the Internet.
 network:
   9999/tcp: EmberZNet EZSP/ASH port
   8080/tcp: OpenThread Web port