update mtkhnat and add jdc cloud(mt7621) support

package/network/config/firewall/Makefile

@@ -9,13 +9,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
-PKG_SOURCE_DATE:=2021-03-29
+PKG_SOURCE_DATE:=2021-03-23
-PKG_SOURCE_VERSION:=a4355a6faea2c4d59c90cd52851fa9aab4ccee5c
+PKG_SOURCE_VERSION:=61db17edddb1f05e8107f0dbef6f7d060ce67483
-PKG_MIRROR_HASH:=747db79b11010bbfb708aae1793857c8d959d9270c7392f8c78d2d2110cf2fe7
+PKG_MIRROR_HASH:=b2eb09816640e14e2dae21fb54ea05c33858fe0004844fe8d99e541a2e19e9c0
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=ISC
 
@@ -28,9 +28,7 @@ define Package/firewall
   SECTION:=net
   CATEGORY:=Base system
   TITLE:=OpenWrt C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables \
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +iptables-mod-fullconenat
-	+kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat \
-	+iptables-mod-fullconenat
 endef
 
 define Package/firewall/description

package/network/config/firewall/files/firewall.config

@@ -3,7 +3,7 @@ config defaults
 	option input		ACCEPT
 	option output		ACCEPT
 	option forward		REJECT
-	option fullcone		1
+	option fullcone	0
 # Uncomment this line to disable ipv6 rules
 #	option disable_ipv6	1
 
@@ -55,13 +55,11 @@ config rule
 	option target		ACCEPT
 
 # Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
+# see https://github.com/openwrt/openwrt/issues/5066
 config rule
 	option name		Allow-DHCPv6
 	option src		wan
 	option proto		udp
-	option src_ip		fc00::/6
-	option dest_ip		fc00::/6
 	option dest_port	546
 	option family		ipv6
 	option target		ACCEPT
@@ -130,10 +128,10 @@ config rule
 	option proto		udp
 	option target		ACCEPT
 
-# Allow interoperability with traceroute classic note that
+# allow interoperability with traceroute classic
-# traceroute uses a fixed port range, and depends on getting
+# note that traceroute uses a fixed port range, and depends on getting
-# back ICMP Unreachables. If we're operating in DROP mode, it
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
-# won't work so we explicitly REJECT packets on these ports.
+# work so we explicitly REJECT packets on these ports.
 config rule
 	option name		Support-UDP-Traceroute
 	option src		wan

package/network/config/firewall/patches/001-firewall3-fix-locking-issue.patch

@@ -0,0 +1,38 @@
+From df1306a96127e91ff2d513a0a67345baaf61d113 Mon Sep 17 00:00:00 2001
+From: Florian Eckert <fe@dev.tdt.de>
+Date: Fri, 19 Nov 2021 09:51:02 +0100
+Subject: [PATCH] firewall3: fix locking issue
+
+By calling the command 'fw3 reload' several times at the same time, I
+noticed that the locking was not working properly. It happened from time
+to time that some firewall rules were present twice in the system!
+
+By removing the 'unlink' systemcall, this error no longer occurred on my
+systems.
+
+Since fw3 does not run as a service, it makes no sense to delete this
+lock file every time a filehandler is no longer open on this lock file,
+because fw3 binary is not running.
+
+If fw3 does run as a service then we can remove this lock file on
+service stop. But this is not the case for fw3.
+
+Signed-off-by: Florian Eckert <fe@dev.tdt.de>
+---
+ utils.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/utils.c b/utils.c
+index 17d5bf9..92e966c 100644
+--- a/utils.c
++++ b/utils.c
+@@ -397,7 +397,6 @@ fw3_unlock_path(int *fd, const char *lockpath)
+ 		warn("Cannot release exclusive lock: %s", strerror(errno));
+ 
+ 	close(*fd);
+-	unlink(FW3_LOCKFILE);
+ 
+ 	*fd = -1;
+ }
+-- 
+2.30.2

package/network/config/firewall/patches/100-fullconenat.patch

@@ -1,28 +1,34 @@
+index 85a3750..9fac9b1 100644
 --- a/defaults.c
 +++ b/defaults.c
-@@ -48,7 +48,9 @@ const struct fw3_option fw3_flag_opts[] = {
+@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
  	FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
  	FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
  	FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
-+
+-
-+	FW3_OPT("fullcone",            bool,     defaults, fullcone),
++	
- 
++	FW3_OPT("fullcone",           bool,     defaults, fullcone),
++	
  	FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
  	FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
  	FW3_OPT("tcp_window_scaling",  bool,     defaults, tcp_window_scaling),
+diff --git a/options.h b/options.h
+index 6edd174..c02eb97 100644
 --- a/options.h
 +++ b/options.h
-@@ -296,6 +296,7 @@ struct fw3_defaults
+@@ -267,6 +267,7 @@ struct fw3_defaults
- 	enum fw3_reject_code tcp_reject_code;
+ 	bool drop_invalid;
- 	enum fw3_reject_code any_reject_code;
  
-+	bool fullcone;
  	bool syn_flood;
++	bool fullcone;
  	struct fw3_limit syn_flood_rate;
  
+ 	bool tcp_syncookies;
+diff --git a/zones.c b/zones.c
+index 2aa7473..57eead0 100644
 --- a/zones.c
 +++ b/zones.c
-@@ -670,6 +670,7 @@ print_zone_rule(struct fw3_ipt_handle *h
+@@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h
  	struct fw3_address *msrc;
  	struct fw3_address *mdest;
  	struct fw3_ipt_rule *r;
@@ -30,7 +36,7 @@
  
  	if (!fw3_is_family(zone, handle->family))
  		return;
-@@ -755,8 +756,22 @@ print_zone_rule(struct fw3_ipt_handle *h
+@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h
  				{
  					r = fw3_ipt_rule_new(handle);
  					fw3_ipt_rule_src_dest(r, msrc, mdest);

target/linux/ramips/dts/mt7621_jdcloud_re-sp-01b.dts

@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+
+#include "mt7621.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	compatible = "jdcloud,re-sp-01b", "mediatek,mt7621-soc";
+	model = "JDCloud RE-SP-01B";
+
+	aliases {
+		led-boot = &led_red;
+		led-failsafe = &led_red;
+		led-running = &led_green;
+		led-upgrade = &led_blue;
+	};
+
+	chosen {
+		bootargs = "console=ttyS0,115200";
+	};
+
+	keys {
+		compatible = "gpio-keys";
+
+		reset {
+			label = "reset";
+			gpios = <&gpio 18 GPIO_ACTIVE_LOW>;
+			linux,code = <KEY_RESTART>;
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		led_red: red {
+			label = "red:sys";
+			gpios = <&gpio 6 GPIO_ACTIVE_LOW>;
+			panic-indicator;
+		};
+
+		led_green: green {
+			label = "green:sys";
+			gpios = <&gpio 8 GPIO_ACTIVE_LOW>;
+		};
+
+		led_blue: blue {
+			label = "blue:sys";
+			gpios = <&gpio 12 GPIO_ACTIVE_LOW>;
+		};
+	};
+};
+
+&sdhci {
+	status = "okay";
+};
+
+&spi0 {
+	status = "okay";
+
+	flash@0 {
+		compatible = "jedec,spi-nor";
+		reg = <0>;
+		spi-max-frequency = <50000000>;
+
+		partitions {
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "u-boot";
+				reg = <0x0 0x30000>;
+				read-only;
+			};
+
+			partition@30000 {
+				label = "config";
+				reg = <0x30000 0x10000>;
+				read-only;
+			};
+
+			factory: partition@40000 {
+				label = "factory";
+				reg = <0x40000 0x10000>;
+				read-only;
+			};
+
+			partition@50000 {
+				compatible = "denx,uimage";
+				label = "firmware";
+				reg = <0x50000 0x1ab0000>;
+			};
+
+			partition@1b00000 {
+				label = "mini";
+				reg = <0x1b00000 0x400000>;
+				read-only;
+			};
+
+			partition@1f00000 {
+				label = "oem";
+				reg = <0x1f00000 0x100000>;
+				read-only;
+			};
+		};
+	};
+};
+
+&gmac0 {
+	nvmem-cells = <&macaddr_factory_e000>;
+	nvmem-cell-names = "mac-address";
+};
+
+&gmac1 {
+	nvmem-cells = <&macaddr_factory_e000>;
+	nvmem-cell-names = "mac-address";
+	mac-address-increment = <(-2)>;
+};
+
+&switch0 {
+	/* must delete compatible property */
+	/delete-property/ compatible;
+};
+
+&hnat {
+        mtketh-wan = "eth1";
+        mtketh-ppd = "eth0";
+        mtketh-lan = "eth0";
+	ext-devices = "wlan0","wlan1","rax0","ra0", "rai0","apclii0","apclix0", "apcli0";
+        mtketh-max-gmac = <2>;
+        status = "okay";
+};
+
+&gsw {
+	mediatek,mdio = <&mdio>;
+	mediatek,portmap = "wllll";
+	mediatek,mcm;
+	mt7530,direct-phy-access;
+
+	resets = <&rstctrl 2>;
+	reset-names = "mcm";
+
+	port5: port@5 {
+		compatible = "mediatek,mt753x-port";
+		reg = <5>;
+		phy-mode = "rgmii";
+		fixed-link {
+			speed = <1000>;
+			full-duplex;
+		};
+	};
+
+	port6: port@6 {
+		compatible = "mediatek,mt753x-port";
+		reg = <6>;
+		phy-mode = "rgmii";
+		fixed-link {
+			speed = <1000>;
+			full-duplex;
+		};
+	};
+
+	mdio-bus {
+		#address-cells = <1>;
+		#size-cells = <0>;
+	};
+};
+
+
+&pcie {
+	status = "okay";
+};
+
+&pcie0 {
+	wifi@0,0 {
+		reg = <0x0000 0 0 0 0>;
+		mediatek,mtd-eeprom = <&factory 0x0>;
+	};
+};
+
+&pcie1 {
+	wifi@0,0 {
+		reg = <0x0000 0 0 0 0>;
+		mediatek,mtd-eeprom = <&factory 0x8000>;
+		ieee80211-freq-limit = <5000000 6000000>;
+	};
+};
+
+&state_default {
+	gpio {
+		groups = "uart2", "uart3", "wdt";
+		function = "gpio";
+	};
+};

target/linux/ramips/files/drivers/net/ethernet/mediateksdk/mtk_eth_soc.c

@@ -1418,7 +1418,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
 			goto release_desc;
 
 		/* alloc new buffer */
-		new_data = kmalloc(ring->frag_size, GFP_ATOMIC);
+		new_data = napi_alloc_frag(ring->frag_size);
 		if (unlikely(!new_data)) {
 			netdev->stats.rx_dropped++;
 			goto release_desc;
@@ -1429,7 +1429,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
 					  ring->buf_size,
 					  DMA_FROM_DEVICE);
 		if (unlikely(dma_mapping_error(eth->dev, dma_addr))) {
-			kfree(new_data);
+			skb_free_frag(new_data);
 			netdev->stats.rx_dropped++;
 			goto release_desc;
 		}
@@ -1438,9 +1438,9 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
 				 ring->buf_size, DMA_FROM_DEVICE);
 
 		/* receive data */
-		skb = build_skb(data, 0);
+		skb = build_skb(data, ring->frag_size);
 		if (unlikely(!skb)) {
-			kfree(data);
+			skb_free_frag(data);
 			netdev->stats.rx_dropped++;
 			goto skip_rx;
 		}
@@ -1884,7 +1884,7 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag)
 		return -ENOMEM;
 
 	for (i = 0; i < rx_dma_size; i++) {
-		ring->data[i] = kmalloc(ring->frag_size, GFP_ATOMIC);
+		ring->data[i] = netdev_alloc_frag(ring->frag_size);
 		if (!ring->data[i])
 			return -ENOMEM;
 	}
@@ -1971,7 +1971,7 @@ static void mtk_rx_clean(struct mtk_eth *eth, struct mtk_rx_ring *ring, int in_s
 					 ring->dma[i].rxd1,
 					 ring->buf_size,
 					 DMA_FROM_DEVICE);
-			kfree(ring->data[i]);
+			skb_free_frag(ring->data[i]);
 		}
 		kfree(ring->data);
 		ring->data = NULL;

target/linux/ramips/files/drivers/net/ethernet/mediateksdk/mtk_hnat/hnat_nf_hook.c

@@ -1485,6 +1485,9 @@ int mtk_sw_nat_hook_tx(struct sk_buff *skb, int gmac_no)
 
 	if (gmac_no != NR_WHNAT_WDMA_PORT)
 		return NF_ACCEPT;
+		
+	if (unlikely(!skb_mac_header_was_set(skb)))
+		return 0;
 
 	if (!skb_hnat_is_hashed(skb))
 		return NF_ACCEPT;
@@ -1727,7 +1730,10 @@ static unsigned int mtk_hnat_nf_post_routing(
 	if (skb_hnat_alg(skb) || unlikely(!is_magic_tag_valid(skb) ||
 					  !IS_SPACE_AVAILABLE_HEAD(skb)))
 		return 0;
-
+		
+	if (unlikely(!skb_mac_header_was_set(skb)))
+		return 0;
+		
 	if (unlikely(!skb_hnat_is_hashed(skb)))
 		return 0;
 

target/linux/ramips/image/mt7621.mk

@@ -1004,6 +1004,16 @@ define Device/lenovo_newifi-d1
 endef
 TARGET_DEVICES += lenovo_newifi-d1
 
+define Device/jdcloud_re-sp-01b
+   $(Device/dsa-migration)
+   IMAGE_SIZE := 27328k
+   DEVICE_VENDOR := JDCloud
+   DEVICE_MODEL := RE-SP-01B
+   DEVICE_PACKAGES := kmod-fs-ext4 kmod-mt7603e kmod-mt7615d luci-app-mtwifi\
+ 	 kmod-sdhci-mt7620 kmod-usb3
+ endef
+ TARGET_DEVICES += jdcloud_re-sp-01b
+ 
 define Device/linksys_e5600
   $(Device/dsa-migration)
   $(Device/uimage-lzma-loader)

target/linux/ramips/mt7621/base-files/etc/board.d/02_network

@@ -127,6 +127,7 @@ ramips_setup_interfaces()
 		ucidef_add_switch "switch0" \
 			"0:lan" "1:lan" "2:lan" "3:lan" "4:wan" "6u@eth0" "5u@eth1"
 		;;
+	jdcloud,re-sp-01b|\
 	jcg,q20)
 		ucidef_add_switch "switch0" \
 			"1:lan" "2:lan" "3:lan" "4:lan" "0:wan" "6u@eth0" "5u@eth1"
@@ -291,6 +292,12 @@ ramips_setup_macs()
 		wan_mac=$(mtd_get_mac_binary factory 0xe006)
 		label_mac=$(mtd_get_mac_binary factory 0x4)
 		;;
+	jdcloud,re-sp-01b)
+ 		local index="$(find_mtd_index "config")"
+ 		label_mac=$(macaddr_canonicalize $(dd if="/dev/mtd${index}" bs=12 skip=17449 iflag=skip_bytes count=1 2>/dev/null))
+ 		lan_mac=$label_mac
+ 		wan_mac=$label_mac
+ 		;;
 	linksys,e5600|\
 	linksys,ea6350-v4|\
 	linksys,ea7300-v1|\