CBR2-2258: Prefix delegation is broken on CBR2 8.2p8s1 build#257

Open
rirfha948 wants to merge 3 commits into develop from topic/CBR2_2258
@rirfha948

Test Procedure:
Steps:

  • Connect external router to CBR2
  • Connect lan client behind external router
  • Check on the router UI page if it has received IPv6 prefix from CB2
  • Check IPv6 on the connected lan client, it should also have same prefix range
  • Connected client must have internet over IPv4/IPv6

Risks: None

Priority: P1

  • Is this a User Story (US)? CBR2-2258

  • Have all dependent PRs from other components been listed?
    Not dependent on any other PR

  • Does the commit message include both the User Story ticket and the Subtask ticket?

  • Will all changes related to the User Story be squashed and merged in a single commit?

  • Has the PR been raised only after completing all changes for the User Story (no partial changes)?

  • Has code development for the User Story been completed?

  • If yes, has the Gerrit topic or list of all dependent PRs across components (including meta-layer changes) been shared?
    https://gerrit.teamccp.com/#/c/949606/

  • Is there a validation log available in the Jira ticket for verifying builds with the updated generic-srcrev.inc across all platforms?
    CBR2-2252-logs.txt

Reason for change: Prefix delegation handling
Test Procedure:
Steps:
   - Connect external router to CBR2
   - Connect lan client behind external router
   - Check on the router UI page if it has received IPv6 prefix from CB2
   - Check IPv6 on the connected lan client, it should also have same prefix range
   - Connected client must have internet over IPv4/IPv6
Risks: None
Priority: P1
Signed-off-by: rirfha948 <rasina_irfhan@comcast.com>
Copilot AI review requested due to automatic review settings March 9, 2026 10:08
@rirfha948 rirfha948 requested review from a team as code owners March 9, 2026 10:08
@rirfha948 rirfha948 requested a review from snayak002c March 9, 2026 10:09

Copilot AI left a comment

Pull request overview

This PR aims to fix IPv6 Prefix Delegation (PD) forwarding behavior on the CBR2 8.2p8s1 build by adjusting generated ip6tables FORWARD rules for delegated IPv6 prefixes.

Changes:

  • Add a non-Custom firewall-level branch that inserts an additional FORWARD accept rule for traffic destined to the delegated IPv6 prefix.

}
else
{
fprintf(fp, "-A FORWARD -d %s -o %s -j ACCEPT\n", prefix, lan_ifname);
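
Review bot: The rule written in this else branch, "-A FORWARD -d %s -o %s -j ACCEPT", matches only on destination prefix and egress interface, so a packet that arrives on any interface and is routed out lan_ifname toward the prefix is accepted outright. Add an ingress match (-i) naming the interface this traffic is expected on, prefer a jump to a policy chain over a terminal ACCEPT, and add a short comment stating which firewall levels this branch is meant to cover.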

Copilot AI Mar 9, 2026

The new non-"Custom" branch adds a blanket FORWARD ACCEPT for any packet with destination in prefix egressing lan_ifname. Because it has no -i constraint and is emitted before the later -A FORWARD -i <wan6_ifname> -o <lan_ifname> -j wan2lan rule, it can bypass the wan2lan policy logic (including firewall_levelv6 == High) and allow unsolicited inbound traffic to the delegated prefix. Consider restricting the match to the intended ingress interface(s) (e.g., wan6_ifname/current WAN) and/or jumping to wan2lan so existing firewall-level behavior is preserved rather than unconditionally accepting.

Suggested change
fprintf(fp, "-A FORWARD -d %s -o %s -j ACCEPT\n", prefix, lan_ifname);
fprintf(fp, "-A FORWARD -d %s -i %s -o %s -j wan2lan\n", prefix, wan6_ifname, lan_ifname);
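
The rule-ordering problem described in the comment above, as an added example that is not part of the PR or the project's code: a small first-match model of the FORWARD chain, run against the rule from the first commit and against the suggested rule. The prefix 2001:db8:1::/56 and the interface names wan0 and lan0 are constructed stand-ins for prefix, wan6_ifname and lan_ifname; the model treats a jump to wan2lan as the outcome and does not model that chain's contents.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Model of one FORWARD rule; a NULL field means that match was not given. */
struct rule { const char *dst; int plen; const char *in_if, *out_if, *target; };
/* Return 1 if IPv6 address addr lies inside prefix/plen. */
static int in_prefix(const char *addr, const char *prefix, int plen)
{
    struct in6_addr a, p;
    if (inet_pton(AF_INET6, addr, &a) != 1 || inet_pton(AF_INET6, prefix, &p) != 1)
        return 0;
    int full = plen / 8, rest = plen % 8;
    if (memcmp(a.s6_addr, p.s6_addr, (size_t)full) != 0) return 0;
    if (rest == 0) return 1;
    unsigned char mask = (unsigned char)(0xff << (8 - rest));
    return (a.s6_addr[full] & mask) == (p.s6_addr[full] & mask);
}
/* Walk the chain in order; the first rule whose matches all hold decides.
   Returning "wan2lan" means the packet is handed to that policy chain. */
const char *forward_verdict(const struct rule *r, size_t n, const char *dst,
                            const char *in_if, const char *out_if)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].dst && !in_prefix(dst, r[i].dst, r[i].plen)) continue;
        if (r[i].in_if && strcmp(r[i].in_if, in_if) != 0) continue;
        if (r[i].out_if && strcmp(r[i].out_if, out_if) != 0) continue;
        return r[i].target;
    }
    return "policy"; /* no rule matched: the chain policy applies */
}

/* Constructed sample: 2001:db8:1::/56 delegated, wan0 = WAN, lan0 = LAN. */
const struct rule first_commit[] = {
    { "2001:db8:1::", 56, NULL, "lan0", "ACCEPT" },    /* -d P -o lan0 -j ACCEPT */
    { NULL, 0, "wan0", "lan0", "wan2lan" },            /* -i wan0 -o lan0 -j wan2lan */
};
const struct rule suggested[] = {
    { "2001:db8:1::", 56, "wan0", "lan0", "wan2lan" }, /* -d P -i wan0 -o lan0 -j wan2lan */
    { NULL, 0, "wan0", "lan0", "wan2lan" },
};
int main(void)
{
    const char *dst = "2001:db8:1:10::5"; /* constructed host inside the prefix */
    printf("first commit: %s\n", forward_verdict(first_commit, 2, dst, "wan0", "lan0"));
    printf("suggested:    %s\n", forward_verdict(suggested, 2, dst, "wan0", "lan0"));
    return 0;
}
```

With the first commit's rule, a WAN-side packet to a host in the delegated prefix ends at ACCEPT and never reaches wan2lan; with the suggested rule the same packet is handed to wan2lan.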
rirfha948 and others added 2 commits March 12, 2026 08:39
Reason for change: Prefix delegation handling
Test Procedure:
Steps:
   - Connect external router to CBR2
   - Connect lan client behind external router
   - Check on the router UI page if it has received IPv6 prefix from CB2
   - Check IPv6 on the connected lan client, it should also have same prefix range
   - Connected client must have internet over IPv4/IPv6
Risks: None
Priority: P1
Signed-off-by: rirfha948 <rasina_irfhan@comcast.com>
Copilot AI review requested due to automatic review settings March 12, 2026 09:01

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment on lines +1335 to +1339
else
{
fprintf(fp, "-A FORWARD -d %s -o %s -j wan2lan\n", prefix, lan_ifname);
FIREWALL_DEBUG(" firewall_levelv6 is %s \n" COMMA firewall_levelv6);
}
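
Review bot: The rule emitted in this else block, "-A FORWARD -d %s -o %s -j wan2lan", still carries no -i match, so traffic entering on any interface and leaving lan_ifname toward the prefix is sent through wan2lan, not only WAN ingress. The suggestion on the earlier revision included -i with wan6_ifname; either add it here or document why it was dropped. The FIREWALL_DEBUG line logs only firewall_levelv6; also logging prefix and lan_ifname would make the emitted rule traceable from the debug output.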

Copilot AI Mar 12, 2026

The newly added else block uses tab indentation and a brace style (else and { on separate lines) that doesn’t match the surrounding code in this function (most blocks use spaces and else{...} / else { ... } on one line). Please reformat this block to be consistent with the local style so future diffs stay minimal and readability remains consistent.

Suggested change
else
{
fprintf(fp, "-A FORWARD -d %s -o %s -j wan2lan\n", prefix, lan_ifname);
FIREWALL_DEBUG(" firewall_levelv6 is %s \n" COMMA firewall_levelv6);
}
else{
fprintf(fp, "-A FORWARD -d %s -o %s -j wan2lan\n", prefix, lan_ifname);
FIREWALL_DEBUG(" firewall_levelv6 is %s \n" COMMA firewall_levelv6);
}