him411/nss-packages-breeze303
1
0
Fork 0
mirror of https://github.com/breeze303/nss-packages.git synced 2025-12-16 08:44:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

qca-nss-ecm: bump to QSDK 12.0.5

Browse Source 
qca-nss-ecm: avoid a memcpy overflow in ecm_db

Reference:
https://github.com/robimarko/nss-packages/pull/10/files

qca-nss-ecm: fix nf_ct_net null pointer reference

Fixed by xsm1997, massive thanks!
It fixes a null pointer access which is introduced in previous qca-nss-ecm patches.

Reference:
https://github.com/bitthief/openwrt/issues/9
This commit is contained in:
Ansuel Smith 2022-05-14 19:55:48 +02:00 committed by bitthief
parent 487f8d1df0
commit 2a9e76182d
18 changed files with 1256 additions and 421 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
qca/qca-nss-ecm/Makefile
View File

@ -5,11 +5,12 @@ PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/qca-nss-ecm.git
PKG_SOURCE_PROTO:=git
PKG_SOURCE_DATE:=2021-06-15
PKG_SOURCE_VERSION:=34267065855d32f33264dc3054efb0e8103d627b
PKG_MIRROR_HASH:=0917659d69c5f3e6067d6671b9393b4b2d6b6cd5a7bacf5e7d6cf842dc906eca
PKG_SOURCE_DATE:=2022-07-09
PKG_SOURCE_VERSION:=83b4e6266f94e1084acc69c97706d0c86a44cfe3
PKG_MIRROR_HASH:=62d87358f3cbb8266ebc04000980516cc4c95025ed6d6d332e54d6c18f2e2510
PKG_BUILD_PARALLEL:=1
PKG_FLAGS:=nonshared
include $(INCLUDE_DIR)/kernel.mk
include $(INCLUDE_DIR)/package.mk
@ -19,19 +20,19 @@ define KernelPackage/qca-nss-ecm
CATEGORY:=Kernel modules
SUBMENU:=Network Support
DEPENDS:=@(TARGET_ipq807x||TARGET_ipq60xx) \
+iptables-mod-extra \
+iptables-mod-physdev \
+kmod-qca-nss-drv \
+iptables-mod-extra \
+kmod-ipt-conntrack \
+kmod-ipt-physdev \
+iptables-mod-physdev \
+kmod-ppp \
+kmod-pppoe
+kmod-pppoe \
+kmod-qca-mcs
TITLE:=QCA NSS Enhanced Connection Manager (ECM)
FILES:=$(PKG_BUILD_DIR)/*.ko
FILES:=$(PKG_BUILD_DIR)/ecm.ko
KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \
CONFIG_NF_CONNTRACK_EVENTS=y \
CONFIG_NF_CONNTRACK_CHAIN_EVENTS=n \
CONFIG_NF_CONNTRACK_DSCPREMARK_EXT=n
CONFIG_NF_CONNTRACK_EVENTS=y \
CONFIG_NF_CONNTRACK_DSCPREMARK_EXT=y
endef
define KernelPackage/qca-nss-ecm/Description
@ -53,29 +54,53 @@ endef
EXTRA_CFLAGS+=-I$(STAGING_DIR)/usr/include/qca-nss-drv
ifneq (, $(findstring $(CONFIG_TARGET_BOARD), "ipq807x" "ipq60xx"))
ECM_MAKE_OPTS+= ECM_FRONT_END_NSS_ENABLE=y \
ECM_CLASSIFIER_HYFI_ENABLE=n \
ECM_MAKE_OPTS:=ECM_IPV6_ENABLE=y
ECM_MAKE_OPTS+=ECM_FRONT_END_NSS_ENABLE=y \
ECM_FRONT_END_SFE_ENABLE=n \
ECM_NON_PORTED_SUPPORT_ENABLE=y \
ECM_MULTICAST_ENABLE=n \
ECM_INTERFACE_BOND_ENABLE=n \
ECM_INTERFACE_IPSEC_ENABLE=n \
ECM_INTERFACE_PPTP_ENABLE=n \
ECM_INTERFACE_PPPOE_ENABLE=y \
ECM_INTERFACE_L2TPV2_ENABLE=n \
ECM_INTERFACE_GRE_TAP_ENABLE=n \
ECM_INTERFACE_GRE_TUN_ENABLE=n \
ECM_INTERFACE_SIT_ENABLE=n \
ECM_INTERFACE_TUNIPIP6_ENABLE=n \
ECM_INTERFACE_RAWIP_ENABLE=n \
ECM_INTERFACE_VLAN_ENABLE=n \
ECM_CLASSIFIER_MARK_ENABLE=n \
ECM_CLASSIFIER_DSCP_ENABLE=n \
ECM_INTERFACE_VLAN_ENABLE=y \
ECM_CLASSIFIER_MARK_ENABLE=y \
ECM_CLASSIFIER_DSCP_ENABLE=y \
ECM_CLASSIFIER_PCC_ENABLE=n \
ECM_BAND_STEERING_ENABLE=n \
ECM_INTERFACE_PPPOE_ENABLE=y
ECM_BAND_STEERING_ENABLE=n
endif
ifeq ($(CONFIG_TARGET_BOARD), "ipq807x")
SOC="ipq807x_64"
else ifeq ($(CONFIG_TARGET_BOARD), "ipq60xx")
SOC="ipq60xx_64"
# Variant with additional features enabled for noload profile
define KernelPackage/qca-nss-ecm-noload
$(call KernelPackage/qca-nss-ecm)
TITLE+= (with noload features)
PROVIDES:=kmod-qca-nss-ecm
VARIANT:=noload
DEPENDS+=+kmod-bonding
endef
define KernelPackage/qca-nss-ecm-noload/Description
$(call KernelPackage/qca-nss-ecm/Description)
When selected, this package installs the driver, but does not load it at init.
endef
define KernelPackage/qca-nss-ecm-noload/install
$(call KernelPackage/qca-nss-ecm/install, $(1))
#
# Remove the START line from the init script, so that the symlink
# in the /etc/rc.d directory is not created.
#
sed -i '/START=/d' $(1)/etc/init.d/qca-nss-ecm
endef
ifneq ($(CONFIG_PACKAGE_kmod-qca-mcs),)
ECM_MAKE_OPTS+=ECM_MULTICAST_ENABLE=y
endif
define Build/InstallDev
@ -88,10 +113,12 @@ define Build/Compile
CROSS_COMPILE="$(TARGET_CROSS)" \
ARCH="$(LINUX_KARCH)" \
M="$(PKG_BUILD_DIR)" \
EXTRA_CFLAGS="$(EXTRA_CFLAGS)" SoC=$(SOC) \
EXTRA_CFLAGS="$(EXTRA_CFLAGS) -Wno-error=unused-function " \
SoC=$(CONFIG_TARGET_BOARD) \
$(KERNEL_MAKE_FLAGS) \
$(PKG_JOBS) \
modules
endef
$(eval $(call KernelPackage,qca-nss-ecm))
$(eval $(call KernelPackage,qca-nss-ecm-noload))

27
qca/qca-nss-ecm/files/qca-nss-ecm.firewall
View File

@ -1,18 +1,11 @@
#!/bin/sh
#
# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
if [ ! -r /sbin/fw4 ]; then
iptables-save|grep physdev-is-bridged|while read a; do
iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
done
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
ip6tables-save|grep physdev-is-bridged|while read a; do
ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
done
ip6tables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
fi

61
qca/qca-nss-ecm/files/qca-nss-ecm.init
View File

@ -18,7 +18,7 @@
# openwrt build scripts automatically enable this package starting
# at boot.
START=19
START=75
get_front_end_mode() {
config_load "ecm"
@ -31,52 +31,33 @@ get_front_end_mode() {
nss)
echo '1'
;;
sfe)
echo '2'
;;
*)
echo 'uci_option_acceleration_engine is invalid'
esac
}
support_bridge() {
#NSS support bridge acceleration
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && return 0
#SFE doesn't support bridge acceleration
[ -d /sys/kernel/debug/ecm/ecm_sfe_ipv4 ] && return 1
}
load_sfe() {
local kernel_version=$(uname -r)
[ -e "/lib/modules/$kernel_version/shortcut-fe.ko" ] && {
[ -d /sys/module/shortcut_fe ] || insmod shortcut-fe
}
[ -e "/lib/modules/$kernel_version/shortcut-fe-ipv6.ko" ] && {
[ -d /sys/module/shortcut_fe_ipv6 ] || insmod shortcut-fe-ipv6
}
[ -e "/lib/modules/$kernel_version/shortcut-fe-drv.ko" ] && {
[ -d /sys/module/shortcut_fe_drv ] || insmod shortcut-fe-drv
}
# NSS support bridge acceleration
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && [ -d /sys/kernel/debug/ecm/ecm_nss_ipv6 ] && return 0
}
load_ecm() {
[ -d /sys/module/ecm ] || {
[ ! -e /proc/device-tree/MP_256 ] && load_sfe
insmod ecm front_end_selection=$(get_front_end_mode)
echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts
}
support_bridge && {
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
sysctl -w net.bridge.bridge-nf-call-arptables=1
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
}
}
unload_ecm() {
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sysctl -w net.bridge.bridge-nf-call-arptables=0
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
if [ -d /sys/module/ecm ]; then
#
@ -88,8 +69,8 @@ unload_ecm() {
#
# Defunct the connections
#
echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all
sleep 5;
echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all
sleep 5
rmmod ecm
sleep 1
@ -97,42 +78,36 @@ unload_ecm() {
}
start() {
# If SFE CM is loaded, return.
if [ -d /sys/module/shortcut_fe_cm ]; then
echo "shortcut_fe CM is loaded, unload it first"
echo "cmd: /etc/init.d/shortcut_fe stop"
return
fi
load_ecm
# If the acceleration engine is NSS, enable wifi redirect.
# If the acceleration engine is NSS, enable wifi redirect
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1
support_bridge && {
if ([ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && [ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ]); then
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
if ([ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && [ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ]); then
echo 'net.bridge.bridge-nf-call-arptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
fi
}
if [ -d /sys/module/qca_ovsmgr ]; then
insmod ecm_ovs
fi
}
stop() {
# If ECM is already not loaded, just return.
# If ECM is already not loaded, just return
if [ ! -d /sys/module/ecm ]; then
return
fi
# If the acceleration engine is NSS, disable wifi redirect.
# If the acceleration engine is NSS, disable wifi redirect
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0
sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-arptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-iptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
if [ -d /sys/module/ecm_ovs ]; then
rmmod ecm_ovs

158
qca/qca-nss-ecm/patches/001-treewide-componentize-the-module-even-more.patch → qca/qca-nss-ecm/patches/0001-treewide-componentize-the-module-even-more.patch
View File

@ -1,7 +1,7 @@
From 73345c87b28a473b35b57e673f8de963c3d73da1 Mon Sep 17 00:00:00 2001
From 09980e54011e2d95a9db2d6134f635bc90e5a7f2 Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Wed, 19 May 2021 02:38:53 +0200
Subject: [PATCH] treewide: componentize the module even more
Subject: [PATCH 01/12] treewide: componentize the module even more
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
---
@ -12,9 +12,11 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
frontends/ecm_front_end_common.c | 7 ++++
5 files changed, 72 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index a59cbce..f7e40f8 100644
--- a/Makefile
+++ b/Makefile
@@ -82,10 +82,18 @@ ccflags-$(ECM_INTERFACE_BOND_ENABLE) +=
@@ -113,9 +113,17 @@ ccflags-$(ECM_INTERFACE_BOND_ENABLE) += -DECM_INTERFACE_BOND_ENABLE
# Define ECM_INTERFACE_PPPOE_ENABLE=y in order
# to enable support for PPPoE acceleration.
# #############################################################################
@ -23,31 +25,30 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ ECM_INTERFACE_PPPOE_ENABLE=y
+endif
ccflags-$(ECM_INTERFACE_PPPOE_ENABLE) += -DECM_INTERFACE_PPPOE_ENABLE
# #############################################################################
+# #############################################################################
+# Define ECM_INTERFACE_L2TPV2_PPTP_ENABLE=y in order
+# to enable support for l2tpv2 or PPTP detection.
+# #############################################################################
+ccflags-$(ECM_INTERFACE_L2TPV2_PPTP_ENABLE) += -DECM_INTERFACE_L2TPV2_PPTP_ENABLE
+
+# #############################################################################
# #############################################################################
# Define ECM_INTERFACE_L2TPV2_ENABLE=y in order
# to enable support for l2tpv2 acceleration.
# #############################################################################
@@ -118,6 +126,12 @@ ccflags-$(ECM_INTERFACE_PPP_ENABLE) += -
ccflags-$(ECM_INTERFACE_MAP_T_ENABLE) += -DECM_INTERFACE_MAP_T_ENABLE
# #############################################################################
@@ -142,6 +150,12 @@ endif
endif
ccflags-$(ECM_INTERFACE_PPP_ENABLE) += -DECM_INTERFACE_PPP_ENABLE
+# #############################################################################
+# Define ECM_INTERFACE_GRE_ENABLE=y in order
+# to enable support for GRE detection.
+# #############################################################################
+ccflags-$(ECM_INTERFACE_GRE_ENABLE) += -DECM_INTERFACE_GRE_ENABLE
+
+# #############################################################################
# #############################################################################
# Define ECM_INTERFACE_GRE_TAP_ENABLE=y in order
# to enable support for GRE TAP interface.
# #############################################################################
@@ -186,7 +200,9 @@ ccflags-$(ECM_INTERFACE_OVS_BRIDGE_ENABL
@@ -218,7 +232,9 @@ ccflags-$(ECM_INTERFACE_OVS_BRIDGE_ENABLE) += -DECM_INTERFACE_OVS_BRIDGE_ENABLE
# #############################################################################
# Define ECM_INTERFACE_VLAN_ENABLE=y in order to enable support for VLAN
# #############################################################################
@ -56,9 +57,9 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ ECM_INTERFACE_VLAN_ENABLE=y
+endif
ccflags-$(ECM_INTERFACE_VLAN_ENABLE) += -DECM_INTERFACE_VLAN_ENABLE
# #############################################################################
@@ -228,7 +244,9 @@ ccflags-$(ECM_CLASSIFIER_OVS_ENABLE) +=
@@ -255,7 +271,9 @@ ccflags-$(ECM_CLASSIFIER_OVS_ENABLE) += -DECM_CLASSIFIER_OVS_ENABLE
# #############################################################################
# Define ECM_CLASSIFIER_MARK_ENABLE=y in order to enable mark classifier.
# #############################################################################
@ -68,8 +69,8 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+endif
ecm-$(ECM_CLASSIFIER_MARK_ENABLE) += ecm_classifier_mark.o
ccflags-$(ECM_CLASSIFIER_MARK_ENABLE) += -DECM_CLASSIFIER_MARK_ENABLE
@@ -247,7 +265,9 @@ ccflags-$(ECM_CLASSIFIER_NL_ENABLE) += -
@@ -274,7 +292,9 @@ ccflags-$(ECM_CLASSIFIER_NL_ENABLE) += -DECM_CLASSIFIER_NL_ENABLE
# #############################################################################
# Define ECM_CLASSIFIER_DSCP_ENABLE=y in order to enable DSCP classifier.
# #############################################################################
@ -80,7 +81,7 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
ecm-$(ECM_CLASSIFIER_DSCP_ENABLE) += ecm_classifier_dscp.o
ccflags-$(ECM_CLASSIFIER_DSCP_ENABLE) += -DECM_CLASSIFIER_DSCP_ENABLE
ccflags-$(ECM_CLASSIFIER_DSCP_IGS) += -DECM_CLASSIFIER_DSCP_IGS
@@ -274,7 +294,9 @@ endif
@@ -293,7 +313,9 @@ ccflags-$(ECM_CLASSIFIER_HYFI_ENABLE) += -DECM_CLASSIFIER_HYFI_ENABLE
# the Parental Controls subsystem classifier in ECM. Currently disabled until
# customers require it / if they need to integrate their Parental Controls with it.
# #############################################################################
@ -90,8 +91,8 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+endif
ecm-$(ECM_CLASSIFIER_PCC_ENABLE) += ecm_classifier_pcc.o
ccflags-$(ECM_CLASSIFIER_PCC_ENABLE) += -DECM_CLASSIFIER_PCC_ENABLE
@@ -301,28 +323,36 @@ ccflags-$(ECM_NON_PORTED_SUPPORT_ENABLE)
@@ -372,27 +372,36 @@ ccflags-$(ECM_NON_PORTED_SUPPORT_ENABLE)
# #############################################################################
# Define ECM_STATE_OUTPUT_ENABLE=y to support XML state output
# #############################################################################
@ -101,7 +102,7 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+endif
ecm-$(ECM_STATE_OUTPUT_ENABLE) += ecm_state.o
ccflags-$(ECM_STATE_OUTPUT_ENABLE) += -DECM_STATE_OUTPUT_ENABLE
# #############################################################################
# Define ECM_DB_ADVANCED_STATS_ENABLE to support XML state output
# #############################################################################
@ -110,7 +111,7 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ ECM_DB_ADVANCED_STATS_ENABLE=y
+endif
ccflags-$(ECM_DB_ADVANCED_STATS_ENABLE) += -DECM_DB_ADVANCED_STATS_ENABLE
# #############################################################################
# Define ECM_DB_CONNECTION_CROSS_REFERENCING_ENABLE=y in order to enable
# the database to track relationships between objects.
@ -120,19 +121,18 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ ECM_DB_CONNECTION_CROSS_REFERENCING_ENABLE=y
+endif
ccflags-$(ECM_DB_CONNECTION_CROSS_REFERENCING_ENABLE) += -DECM_DB_XREF_ENABLE
# #############################################################################
# Define ECM_TRACKER_DPI_SUPPORT_ENABLE=y in order to enable support for
# deep packet inspection and tracking of data with the trackers.
# #############################################################################
-ECM_TRACKER_DPI_SUPPORT_ENABLE=y
+ifndef $(ECM_TRACKER_DPI_SUPPORT_ENABLE)
+ ECM_TRACKER_DPI_SUPPORT_ENABLE=y
+endif
ccflags-$(ECM_TRACKER_DPI_SUPPORT_ENABLE) += -DECM_TRACKER_DPI_SUPPORT_ENABLE
# #############################################################################
@@ -330,14 +360,18 @@ ccflags-$(ECM_TRACKER_DPI_SUPPORT_ENABLE
@@ -356,14 +386,18 @@ ccflags-$(ECM_TRACKER_DPI_SUPPORT_ENABLE) += -DECM_TRACKER_DPI_SUPPORT_ENABLE
# support for the database keeping lists of connections that are assigned
# on a per TYPE of classifier basis.
# #############################################################################
@ -141,7 +141,7 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ ECM_DB_CLASSIFIER_TYPE_ASSIGNMENTS_TRACK_ENABLE=y
+endif
ccflags-$(ECM_DB_CLASSIFIER_TYPE_ASSIGNMENTS_TRACK_ENABLE) += -DECM_DB_CTA_TRACK_ENABLE
# #############################################################################
# Define ECM_BAND_STEERING_ENABLE=y in order to enable
# band steering feature.
@ -151,165 +151,171 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ ECM_BAND_STEERING_ENABLE=y
+endif
ccflags-$(ECM_BAND_STEERING_ENABLE) += -DECM_BAND_STEERING_ENABLE
# #############################################################################
diff --git a/ecm_db/ecm_db_connection.c b/ecm_db/ecm_db_connection.c
index 6d0bff4..77e5f3f 100644
--- a/ecm_db/ecm_db_connection.c
+++ b/ecm_db/ecm_db_connection.c
@@ -430,7 +430,9 @@ EXPORT_SYMBOL(ecm_db_connection_make_def
@@ -454,7 +454,9 @@ EXPORT_SYMBOL(ecm_db_connection_make_defunct);
*/
void ecm_db_connection_data_totals_update(struct ecm_db_connection_instance *ci, bool is_from, uint64_t size, uint64_t packets)
{
+#ifdef ECM_DB_ADVANCED_STATS_ENABLE
int32_t i;
+#endif
DEBUG_CHECK_MAGIC(ci, ECM_DB_CONNECTION_INSTANCE_MAGIC, "%px: magic failed\n", ci);
@@ -529,7 +531,9 @@ EXPORT_SYMBOL(ecm_db_connection_data_tot
@@ -553,7 +555,9 @@ EXPORT_SYMBOL(ecm_db_connection_data_totals_update);
*/
void ecm_db_connection_data_totals_update_dropped(struct ecm_db_connection_instance *ci, bool is_from, uint64_t size, uint64_t packets)
{
+#ifdef ECM_DB_ADVANCED_STATS_ENABLE
int32_t i;
+#endif
DEBUG_CHECK_MAGIC(ci, ECM_DB_CONNECTION_INSTANCE_MAGIC, "%px: magic failed\n", ci);
@@ -1508,6 +1512,7 @@ void ecm_db_connection_defunct_all(void)
@@ -1532,6 +1536,7 @@ void ecm_db_connection_defunct_all(void)
}
EXPORT_SYMBOL(ecm_db_connection_defunct_all);
+#ifdef ECM_INTERFACE_OVS_BRIDGE_ENABLE
/*
* ecm_db_connection_defunct_by_classifier()
* Make defunct based on masked fields
@@ -1667,6 +1672,7 @@ next_ci:
@@ -1698,6 +1703,7 @@ next_ci:
ECM_IP_ADDR_TO_OCTAL(dest_addr_mask), dest_port_mask, proto_mask, cnt);
}
}
+#endif
/*
* ecm_db_connection_defunct_by_port()
@@ -1956,6 +1962,7 @@ struct ecm_db_node_instance *ecm_db_conn
@@ -1987,6 +1993,7 @@ struct ecm_db_node_instance *ecm_db_connection_node_get_and_ref(struct ecm_db_co
}
EXPORT_SYMBOL(ecm_db_connection_node_get_and_ref);
+#ifdef ECM_DB_XREF_ENABLE
/*
* ecm_db_connection_mapping_get_and_ref_next()
* Return reference to next connection in the mapping chain in the specified direction.
@@ -1997,6 +2004,7 @@ struct ecm_db_connection_instance *ecm_d
@@ -2028,6 +2035,7 @@ struct ecm_db_connection_instance *ecm_db_connection_iface_get_and_ref_next(stru
return nci;
}
EXPORT_SYMBOL(ecm_db_connection_iface_get_and_ref_next);
+#endif
/*
* ecm_db_connection_mapping_get_and_ref()
diff --git a/ecm_db/ecm_db_node.c b/ecm_db/ecm_db_node.c
index c3d70be..89b386f 100644
--- a/ecm_db/ecm_db_node.c
+++ b/ecm_db/ecm_db_node.c
@@ -224,9 +224,11 @@ EXPORT_SYMBOL(ecm_db_node_get_and_ref_ne
@@ -224,8 +224,10 @@ EXPORT_SYMBOL(ecm_db_node_get_and_ref_next);
*/
int ecm_db_node_deref(struct ecm_db_node_instance *ni)
{
+#ifdef ECM_DB_XREF_ENABLE
#if (DEBUG_LEVEL >= 1)
int dir;
#endif
+#endif
#endif
DEBUG_CHECK_MAGIC(ni, ECM_DB_NODE_INSTANCE_MAGIC, "%px: magic failed\n", ni);
spin_lock_bh(&ecm_db_lock);
@@ -486,9 +488,11 @@ EXPORT_SYMBOL(ecm_db_node_iface_get_and_
@@ -486,8 +488,10 @@ EXPORT_SYMBOL(ecm_db_node_iface_get_and_ref);
void ecm_db_node_add(struct ecm_db_node_instance *ni, struct ecm_db_iface_instance *ii, uint8_t *address,
ecm_db_node_final_callback_t final, void *arg)
{
+#ifdef ECM_DB_XREF_ENABLE
#if (DEBUG_LEVEL >= 1)
int dir;
#endif
+#endif
#endif
ecm_db_node_hash_t hash_index;
struct ecm_db_listener_instance *li;
diff --git a/ecm_interface.c b/ecm_interface.c
index d7ca169..2ca02bc 100644
--- a/ecm_interface.c
+++ b/ecm_interface.c
@@ -1343,6 +1343,7 @@ struct neighbour *ecm_interface_ipv6_nei
@@ -1355,6 +1355,7 @@ struct neighbour *ecm_interface_ipv6_neigh_get(struct ecm_front_end_connection_i
*/
bool ecm_interface_is_pptp(struct sk_buff *skb, const struct net_device *out)
{
+#ifdef ECM_INTERFACE_PPTP_ENABLE
struct net_device *in;
/*
@@ -1367,6 +1368,7 @@ bool ecm_interface_is_pptp(struct sk_buf
@@ -1379,6 +1380,7 @@ bool ecm_interface_is_pptp(struct sk_buff *skb, const struct net_device *out)
}
dev_put(in);
+#endif
return false;
}
@@ -1379,6 +1381,7 @@ bool ecm_interface_is_pptp(struct sk_buf
@@ -1391,6 +1393,7 @@ bool ecm_interface_is_pptp(struct sk_buff *skb, const struct net_device *out)
*/
bool ecm_interface_is_l2tp_packet_by_version(struct sk_buff *skb, const struct net_device *out, int ver)
{
+#ifdef ECM_INTERFACE_L2TPV2_PPTP_ENABLE
uint32_t flag = 0;
struct net_device *in;
@@ -1411,6 +1414,7 @@ bool ecm_interface_is_l2tp_packet_by_ver
@@ -1423,6 +1426,7 @@ bool ecm_interface_is_l2tp_packet_by_version(struct sk_buff *skb, const struct n
}
dev_put(in);
+#endif
return false;
}
@@ -1423,6 +1427,7 @@ bool ecm_interface_is_l2tp_packet_by_ver
@@ -1435,6 +1439,7 @@ bool ecm_interface_is_l2tp_packet_by_version(struct sk_buff *skb, const struct n
*/
bool ecm_interface_is_l2tp_pptp(struct sk_buff *skb, const struct net_device *out)
{
+#ifdef ECM_INTERFACE_L2TPV2_PPTP_ENABLE
struct net_device *in;
/*
@@ -1445,6 +1450,7 @@ bool ecm_interface_is_l2tp_pptp(struct s
@@ -1457,6 +1462,7 @@ bool ecm_interface_is_l2tp_pptp(struct sk_buff *skb, const struct net_device *ou
}
dev_put(in);
+#endif
return false;
}
@@ -6630,6 +6636,7 @@ static void ecm_interface_regenerate_con
@@ -6770,6 +6776,7 @@ static void ecm_interface_regenerate_connections(struct ecm_db_iface_instance *i
return;
}
+#ifdef ECM_DB_XREF_ENABLE
for (dir = 0; dir < ECM_DB_OBJ_DIR_MAX; dir++) {
/*
* Re-generate all connections associated with this interface
@@ -6645,6 +6652,7 @@ static void ecm_interface_regenerate_con
@@ -6785,6 +6792,7 @@ static void ecm_interface_regenerate_connections(struct ecm_db_iface_instance *i
ci[dir] = cin;
}
}
+#endif
#ifdef ECM_MULTICAST_ENABLE
/*
diff --git a/frontends/ecm_front_end_common.c b/frontends/ecm_front_end_common.c
index 3b33c41..e21ca24 100644
--- a/frontends/ecm_front_end_common.c
+++ b/frontends/ecm_front_end_common.c
@@ -106,6 +106,7 @@ bool ecm_front_end_gre_proto_is_accel_al
@@ -228,6 +228,7 @@ bool ecm_front_end_gre_proto_is_accel_allowed(struct net_device *indev,
struct nf_conntrack_tuple *tuple,
int ip_version)
{
+#ifdef ECM_INTERFACE_GRE_ENABLE
struct net_device *dev;
struct gre_base_hdr *greh;
@@ -117,10 +118,12 @@ bool ecm_front_end_gre_proto_is_accel_al
@@ -239,10 +240,12 @@ bool ecm_front_end_gre_proto_is_accel_allowed(struct net_device *indev,
/*
* Case 1: PPTP locally terminated
*/
@ -319,10 +325,10 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
return true;
}
+#endif
/*
* Case 2: PPTP pass through
@@ -223,6 +226,10 @@ bool ecm_front_end_gre_proto_is_accel_al
@@ -350,6 +353,10 @@ bool ecm_front_end_gre_proto_is_accel_allowed(struct net_device *indev,
*/
DEBUG_TRACE("%px: GRE IPv%d pass through - allow acceleration\n", skb, ip_version);
return true;
@ -331,5 +337,7 @@ Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+ return false;
+#endif
}
#ifdef ECM_CLASSIFIER_DSCP_ENABLE
--
2.34.1

52
qca/qca-nss-ecm/patches/0002-treewide-rework-ipv6_dev_find_and_hold.patch Normal file
View File

@ -0,0 +1,52 @@
--- a/ecm_interface.c
+++ b/ecm_interface.c
@@ -334,7 +334,7 @@ static struct net_device *ecm_interface_dev_find_by_local_addr_ipv6(ip_addr_t ad
struct net_device *dev;
ECM_IP_ADDR_TO_NIN6_ADDR(addr6, addr);
- dev = (struct net_device *)ipv6_dev_find(&init_net, &addr6, 1);
+ dev = (struct net_device *)ipv6_dev_find_and_hold(&init_net, &addr6, 1);
return dev;
}
#endif
@@ -736,7 +764,7 @@ static bool ecm_interface_mac_addr_get_ipv6_no_route(struct net_device *dev, ip_
* Get the MAC address that corresponds to IP address given.
*/
ECM_IP_ADDR_TO_NIN6_ADDR(daddr, addr);
- local_dev = ipv6_dev_find(&init_net, &daddr, 1);
+ local_dev = ipv6_dev_find_and_hold(&init_net, &daddr, 1);
if (local_dev) {
DEBUG_TRACE("%pi6 is a local address\n", &daddr);
memcpy(mac_addr, dev->dev_addr, ETH_ALEN);
diff --git a/frontends/ecm_front_end_common.c b/frontends/ecm_front_end_common.c
index e21ca24..6054685 100644
--- a/frontends/ecm_front_end_common.c
+++ b/frontends/ecm_front_end_common.c
@@ -56,6 +56,9 @@
#include "ecm_db.h"
#include "ecm_front_end_common.h"
#include "ecm_interface.h"
+#ifdef ECM_IPV6_ENABLE
+#include "ecm_front_end_ipv6.h"
+#endif
/*
* Sysctl table header
@@ -315,7 +318,7 @@ bool ecm_front_end_gre_proto_is_accel_allowed(struct net_device *indev,
}
} else {
#ifdef ECM_IPV6_ENABLE
- dev = ipv6_dev_find(&init_net, &(tuple->src.u3.in6), 1);
+ dev = ipv6_dev_find_and_hold(&init_net, &(tuple->src.u3.in6), 1);
if (dev) {
/*
* Source IP address is local
@@ -325,7 +328,7 @@ bool ecm_front_end_gre_proto_is_accel_allowed(struct net_device *indev,
return false;
}
- dev = ipv6_dev_find(&init_net, &(tuple->dst.u3.in6), 1);
+ dev = ipv6_dev_find_and_hold(&init_net, &(tuple->dst.u3.in6), 1);
if (dev) {
/*
* Destination IP address is local

497
qca/qca-nss-ecm/patches/100-kernel-5.10-support.patch → qca/qca-nss-ecm/patches/0003-treewide-rework-debugfs-api-to-new-implementation.patch
View File

File diff suppressed because it is too large Load Diff

19
qca/qca-nss-ecm/patches/203-rework-nfct-notification.patch → qca/qca-nss-ecm/patches/0004-treewide-fix-wrong-chain-events-flag.patch
View File

@ -1,6 +1,18 @@
From 33a2f57d6852035730b353a14912ce2c588f3017 Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Sat, 15 May 2021 03:51:14 +0200
Subject: [PATCH 04/12] treewide: fix wrong chain events flag
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
---
ecm_conntrack_notifier.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
index 7b20132..9c8a45e 100644
--- a/ecm_conntrack_notifier.c
+++ b/ecm_conntrack_notifier.c
@@ -421,7 +421,11 @@ int ecm_conntrack_notifier_init(struct d
@@ -423,7 +423,11 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
/*
* Eventing subsystem is available so we register a notifier hook to get fast notifications of expired connections
*/
@ -12,7 +24,7 @@
if (result < 0) {
DEBUG_ERROR("Can't register nf notifier hook.\n");
debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
@@ -439,7 +443,9 @@ EXPORT_SYMBOL(ecm_conntrack_notifier_ini
@@ -441,7 +445,9 @@ EXPORT_SYMBOL(ecm_conntrack_notifier_init);
void ecm_conntrack_notifier_exit(void)
{
DEBUG_INFO("ECM Conntrack Notifier exit\n");
@ -23,3 +35,6 @@
nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
#endif
/*
--
2.34.1

30
qca/qca-nss-ecm/patches/205-resolve-high-load.patch → qca/qca-nss-ecm/patches/0005-qca-nss-ecm-resolve-the-cpu-high-load-regarding-ecm.patch
View File

@ -1,7 +1,7 @@
From 6924b71ed809b37fffd74d6428a8ca83e5919746 Mon Sep 17 00:00:00 2001
From 65aa71f33891bcf0b75995219e31abaf674c6199 Mon Sep 17 00:00:00 2001
From: Dirk Buchwalder <buchwalder@posteo.de>
Date: Sun, 27 Jun 2021 16:52:39 +0200
Subject: [PATCH] qca-nss-ecm: resolve the cpu high load regarding ecm
Subject: [PATCH 05/12] qca-nss-ecm: resolve the cpu high load regarding ecm
If using ECM, cpu load goes up (around 1.0) and stucks there.
This is due to using uninterruptible sleep function,
@ -13,43 +13,49 @@ Signed-off-by: Dirk Buchwalder buchwalder@posteo.de
frontends/nss/ecm_nss_ipv6.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/frontends/nss/ecm_nss_ipv4.c b/frontends/nss/ecm_nss_ipv4.c
index 5b0ce29..719a747 100644
--- a/frontends/nss/ecm_nss_ipv4.c
+++ b/frontends/nss/ecm_nss_ipv4.c
@@ -2471,7 +2471,7 @@ static void ecm_nss_ipv4_stats_sync_req_
@@ -697,7 +697,7 @@ static void ecm_nss_ipv4_stats_sync_req_work(struct work_struct *work)
}
spin_unlock_bh(&ecm_nss_ipv4_lock);
- usleep_range(ECM_NSS_IPV4_STATS_SYNC_UDELAY - 100, ECM_NSS_IPV4_STATS_SYNC_UDELAY);
+ msleep_interruptible(ECM_NSS_IPV4_STATS_SYNC_UDELAY / 1000);
/*
* If index is 0, we are starting a new round, but if we still have time remain
@@ -2485,7 +2485,7 @@ static void ecm_nss_ipv4_stats_sync_req_
@@ -711,7 +711,7 @@ static void ecm_nss_ipv4_stats_sync_req_work(struct work_struct *work)
}
if (time_after(ecm_nss_ipv4_next_req_time, current_jiffies)) {
- msleep(jiffies_to_msecs(ecm_nss_ipv4_next_req_time - current_jiffies));
+ msleep_interruptible(jiffies_to_msecs(ecm_nss_ipv4_next_req_time - current_jiffies));
}
ecm_nss_ipv4_roll_check_jiffies = jiffies;
ecm_nss_ipv4_next_req_time = ecm_nss_ipv4_roll_check_jiffies + ECM_NSS_IPV4_STATS_SYNC_PERIOD;
diff --git a/frontends/nss/ecm_nss_ipv6.c b/frontends/nss/ecm_nss_ipv6.c
index 8d13f68..67ee364 100644
--- a/frontends/nss/ecm_nss_ipv6.c
+++ b/frontends/nss/ecm_nss_ipv6.c
@@ -2210,7 +2210,7 @@ static void ecm_nss_ipv6_stats_sync_req_
@@ -675,7 +675,7 @@ static void ecm_nss_ipv6_stats_sync_req_work(struct work_struct *work)
}
spin_unlock_bh(&ecm_nss_ipv6_lock);
- usleep_range(ECM_NSS_IPV6_STATS_SYNC_UDELAY - 100, ECM_NSS_IPV6_STATS_SYNC_UDELAY);
+ msleep_interruptible(ECM_NSS_IPV6_STATS_SYNC_UDELAY / 1000);
/*
* If index is 0, we are starting a new round, but if we still have time remain
@@ -2224,7 +2224,7 @@ static void ecm_nss_ipv6_stats_sync_req_
@@ -689,7 +689,7 @@ static void ecm_nss_ipv6_stats_sync_req_work(struct work_struct *work)
}
if (time_after(ecm_nss_ipv6_next_req_time, current_jiffies)) {
- msleep(jiffies_to_msecs(ecm_nss_ipv6_next_req_time - current_jiffies));
+ msleep_interruptible(jiffies_to_msecs(ecm_nss_ipv6_next_req_time - current_jiffies));
}
ecm_nss_ipv6_roll_check_jiffies = jiffies;
ecm_nss_ipv6_next_req_time = ecm_nss_ipv6_roll_check_jiffies + ECM_NSS_IPV6_STATS_SYNC_PERIOD;
--
2.34.1

54
qca/qca-nss-ecm/patches/0006-ecm_interface-switch-to-kernel_recvmsg-api.patch Normal file
View File

@ -0,0 +1,54 @@
From 5a91820d390b36dafd29075b55504827b0123e62 Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Sun, 8 May 2022 17:51:16 +0200
Subject: [PATCH 06/12] ecm_interface: switch to kernel_recvmsg api
set/get_fs() got dropped in 5.11+ kernel. Convert it to kernel_recvmsg
while fixing this deprecation.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
---
ecm_interface.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ecm_interface.c b/ecm_interface.c
index b461456..6be872a 100644
--- a/ecm_interface.c
+++ b/ecm_interface.c
@@ -7617,9 +7617,13 @@ static int ecm_interface_wifi_event_hand
static int ecm_interface_wifi_event_rx(struct socket *sock, struct sockaddr_nl *addr, unsigned char *buf, int len)
{
struct msghdr msg;
- struct iovec iov;
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
+ struct iovec iov;
mm_segment_t oldfs;
int size;
+#else
+ struct kvec iov;
+#endif
iov.iov_base = buf;
iov.iov_len = len;
@@ -7629,7 +7633,8 @@ static int ecm_interface_wifi_event_rx(s
msg.msg_namelen = sizeof(struct sockaddr_nl);
msg.msg_control = NULL;
msg.msg_controllen = 0;
- oldfs = get_fs();
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
+ oldfs = get_fs();
set_fs(KERNEL_DS);
iov_iter_init(&msg.msg_iter, READ, &iov, 1, len);
#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 7, 0))
@@ -7640,6 +7645,9 @@ static int ecm_interface_wifi_event_rx(s
set_fs(oldfs);
return size;
+#else
+ return kernel_recvmsg(sock, &msg, &iov, 1, iov.iov_len, 0);
+#endif
}
/*
--
2.34.1

72
qca/qca-nss-ecm/patches/0007-treewide-rework-notifier-changes-for-5.15.patch Normal file
View File

@ -0,0 +1,72 @@
From e9073363a50a25bddd96e808f04bcf56c45da4ac Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Sun, 8 May 2022 18:19:47 +0200
Subject: [PATCH 07/12] treewide: rework notifier changes for 5.15
Rework notifier changes for 5.15 conntrack new implementation.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
---
ecm_conntrack_notifier.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
index 9c8a45e..9f2cdae 100644
--- a/ecm_conntrack_notifier.c
+++ b/ecm_conntrack_notifier.c
@@ -322,7 +322,7 @@ EXPORT_SYMBOL(ecm_conntrack_ipv4_event);
#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
static int ecm_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
#else
-static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item)
+static int ecm_conntrack_event(unsigned int events, const struct nf_ct_event *item)
#endif
{
#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
@@ -388,7 +388,11 @@ static struct notifier_block ecm_conntrack_notifier = {
* Netfilter conntrack event system to monitor connection tracking changes
*/
static struct nf_ct_event_notifier ecm_conntrack_notifier = {
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
.fcn = ecm_conntrack_event,
+#else
+ .ct_event = ecm_conntrack_event,
+#endif
};
#endif
#endif
@@ -426,13 +430,19 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
result = nf_conntrack_register_chain_notifier(&init_net, &ecm_conntrack_notifier);
#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
+#else
+ nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
+#endif
#endif
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
if (result < 0) {
DEBUG_ERROR("Can't register nf notifier hook.\n");
debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
return result;
}
+#endif
#endif
return 0;
@@ -448,7 +458,11 @@ void ecm_conntrack_notifier_exit(void)
#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
nf_conntrack_unregister_chain_notifier(&init_net, &ecm_conntrack_notifier);
#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
+#else
+ nf_conntrack_unregister_notifier(&init_net);
+#endif
#endif
/*
* Remove the debugfs files recursively.
--
2.34.1

151
qca/qca-nss-ecm/patches/0008-frontends-drop-use-of-static-be_liberal-and-no_windo.patch Normal file
View File

@ -0,0 +1,151 @@
From 15530431f3ce3273b3cfc2da356d7fb71ed48020 Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Sun, 8 May 2022 16:16:34 +0200
Subject: [PATCH 08/12] frontends: drop use of static be_liberal and
no_window_check
Implementation changed, check these values indirectly instead of relying
on an extern EXPORT_SYMBOL.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
---
frontends/nss/ecm_nss_ported_ipv4.c | 14 ++++----------
frontends/nss/ecm_nss_ported_ipv6.c | 14 ++++----------
frontends/sfe/ecm_sfe_ported_ipv4.c | 6 ++++--
frontends/sfe/ecm_sfe_ported_ipv6.c | 6 ++++--
4 files changed, 16 insertions(+), 24 deletions(-)
diff --git a/frontends/nss/ecm_nss_ported_ipv4.c b/frontends/nss/ecm_nss_ported_ipv4.c
index ea997e3..0c4261a 100644
--- a/frontends/nss/ecm_nss_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_ported_ipv4.c
@@ -125,14 +125,6 @@ struct ecm_nss_ported_ipv4_connection_instance {
static int ecm_nss_ported_ipv4_accelerated_count[ECM_NSS_PORTED_IPV4_PROTO_MAX] = {0};
/* Array of Number of TCP and UDP connections currently offloaded */
-/*
- * Expose what should be a static flag in the TCP connection tracker.
- */
-#ifdef ECM_OPENWRT_SUPPORT
-extern int nf_ct_tcp_no_window_check;
-#endif
-extern int nf_ct_tcp_be_liberal;
-
/*
* ecm_nss_ported_ipv4_connection_callback()
* Callback for handling create ack/nack calls.
@@ -372,6 +364,8 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
uint8_t dest_mac_xlate[ETH_ALEN];
ecm_db_direction_t ecm_dir;
ecm_front_end_acceleration_mode_t result_mode;
+ struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = nf_tcp_pernet(net);
DEBUG_CHECK_MAGIC(npci, ECM_NSS_PORTED_IPV4_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci);
@@ -1236,9 +1230,9 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
#ifdef ECM_OPENWRT_SUPPORT
- if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
+ if (tn->tcp_be_liberal || tn->tcp_no_window_check
#else
- if (nf_ct_tcp_be_liberal
+ if (tn->tcp_be_liberal
#endif
|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
diff --git a/frontends/nss/ecm_nss_ported_ipv6.c b/frontends/nss/ecm_nss_ported_ipv6.c
index 451a557..d1b3e14 100644
--- a/frontends/nss/ecm_nss_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_ported_ipv6.c
@@ -125,14 +125,6 @@ struct ecm_nss_ported_ipv6_connection_instance {
static int ecm_nss_ported_ipv6_accelerated_count[ECM_NSS_PORTED_IPV6_PROTO_MAX] = {0};
/* Array of Number of TCP and UDP connections currently offloaded */
-/*
- * Expose what should be a static flag in the TCP connection tracker.
- */
-#ifdef ECM_OPENWRT_SUPPORT
-extern int nf_ct_tcp_no_window_check;
-#endif
-extern int nf_ct_tcp_be_liberal;
-
/*
* ecm_nss_ported_ipv6_connection_callback()
* Callback for handling create ack/nack calls.
@@ -376,6 +368,8 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
ip_addr_t src_ip;
ip_addr_t dest_ip;
ecm_front_end_acceleration_mode_t result_mode;
+ struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = nf_tcp_pernet(net);
DEBUG_CHECK_MAGIC(npci, ECM_NSS_PORTED_IPV6_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci);
@@ -1162,9 +1156,9 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
#ifdef ECM_OPENWRT_SUPPORT
- if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
+ if (tn->tcp_be_liberal || tn->tcp_no_window_check
#else
- if (nf_ct_tcp_be_liberal
+ if (tn->tcp_be_liberal
#endif
|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
diff --git a/frontends/sfe/ecm_sfe_ported_ipv4.c b/frontends/sfe/ecm_sfe_ported_ipv4.c
index 53f5b07..ef719ec 100644
--- a/frontends/sfe/ecm_sfe_ported_ipv4.c
+++ b/frontends/sfe/ecm_sfe_ported_ipv4.c
@@ -421,6 +421,8 @@ static void ecm_sfe_ported_ipv4_connecti
uint8_t dest_mac_xlate[ETH_ALEN];
ecm_db_direction_t ecm_dir;
ecm_front_end_acceleration_mode_t result_mode;
+ struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = nf_tcp_pernet(net);
uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
@@ -1333,9 +1335,9 @@ static void ecm_sfe_ported_ipv4_connecti
nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
#ifdef ECM_OPENWRT_SUPPORT
- if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
+ if (tn->tcp_be_liberal || tn->tcp_no_window_check)
#else
- if (nf_ct_tcp_be_liberal
+ if (tn->tcp_be_liberal)
#endif
|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
diff --git a/frontends/sfe/ecm_sfe_ported_ipv6.c b/frontends/sfe/ecm_sfe_ported_ipv6.c
index ae04cb4..9abb563 100644
--- a/frontends/sfe/ecm_sfe_ported_ipv6.c
+++ b/frontends/sfe/ecm_sfe_ported_ipv6.c
@@ -426,7 +426,9 @@ static void ecm_sfe_ported_ipv6_connecti
ip_addr_t src_ip;
ip_addr_t dest_ip;
ecm_front_end_acceleration_mode_t result_mode;
- uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
+ struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = nf_tcp_pernet(net);
+ uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
DEBUG_CHECK_MAGIC(npci, ECM_SFE_PORTED_IPV6_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci);
@@ -1293,9 +1295,9 @@ static void ecm_sfe_ported_ipv6_connecti
nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
#ifdef ECM_OPENWRT_SUPPORT
- if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
+ if (tn->tcp_be_liberal || tn->tcp_no_window_check)
#else
- if (nf_ct_tcp_be_liberal
+ if (tn->tcp_be_liberal)
#endif
|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
--
2.34.1

55
qca/qca-nss-ecm/patches/0009-ecm_tracker_datagram-drop-static-for-EXPORT_SYMBOL.patch Normal file
View File

@ -0,0 +1,55 @@
From 9827d8597545ecfee17eba7b08d48dbcdf55c614 Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Sun, 8 May 2022 18:39:39 +0200
Subject: [PATCH 09/12] ecm_tracker_datagram: drop static for EXPORT_SYMBOL
EXPORT_SYMBOL should NOT be static
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
---
ecm_tracker_datagram.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ecm_tracker_datagram.c b/ecm_tracker_datagram.c
index 9c04d73..ae14146 100644
--- a/ecm_tracker_datagram.c
+++ b/ecm_tracker_datagram.c
@@ -203,7 +203,7 @@ static void ecm_tracker_datagram_datagram_discard(struct ecm_tracker_datagram_in
* ecm_tracker_datagram_discard_all()
* Discard all tracked data
*/
-static void ecm_tracker_datagram_discard_all(struct ecm_tracker_datagram_internal_instance *dtii)
+void ecm_tracker_datagram_discard_all(struct ecm_tracker_datagram_internal_instance *dtii)
{
int32_t src_count;
int32_t dest_count;
@@ -364,7 +364,7 @@ static void ecm_tracker_datagram_datagram_discard_callback(struct ecm_tracker_in
* ecm_tracker_datagram_datagram_size_get()
* Return size in bytes of datagram at index i that was sent to the target
*/
-static int32_t ecm_tracker_datagram_datagram_size_get(struct ecm_tracker_datagram_instance *uti, ecm_tracker_sender_type_t sender, int32_t i)
+int32_t ecm_tracker_datagram_datagram_size_get(struct ecm_tracker_datagram_instance *uti, ecm_tracker_sender_type_t sender, int32_t i)
{
struct ecm_tracker_datagram_internal_instance *dtii = (struct ecm_tracker_datagram_internal_instance *)uti;
@@ -412,7 +412,7 @@ static int32_t ecm_tracker_datagram_datagram_size_get_callback(struct ecm_tracke
* ecm_tracker_datagram_datagram_read()
* Read size bytes from datagram at index i into the buffer
*/
-static int ecm_tracker_datagram_datagram_read(struct ecm_tracker_datagram_instance *uti, ecm_tracker_sender_type_t sender, int32_t i, int32_t offset, int32_t size, void *buffer)
+int ecm_tracker_datagram_datagram_read(struct ecm_tracker_datagram_instance *uti, ecm_tracker_sender_type_t sender, int32_t i, int32_t offset, int32_t size, void *buffer)
{
struct ecm_tracker_datagram_internal_instance *dtii = (struct ecm_tracker_datagram_internal_instance *)uti;
int res;
@@ -466,7 +466,7 @@ static int ecm_tracker_datagram_datagram_read_callback(struct ecm_tracker_instan
* ecm_tracker_datagram_datagram_add()
* Append the datagram onto the tracker queue for the given target
*/
-static bool ecm_tracker_datagram_datagram_add(struct ecm_tracker_datagram_instance *uti, ecm_tracker_sender_type_t sender, struct sk_buff *skb)
+bool ecm_tracker_datagram_datagram_add(struct ecm_tracker_datagram_instance *uti, ecm_tracker_sender_type_t sender, struct sk_buff *skb)
{
struct ecm_tracker_datagram_internal_instance *dtii = (struct ecm_tracker_datagram_internal_instance *)uti;
struct sk_buff *skbc;
--
2.34.1

73
qca/qca-nss-ecm/patches/0010-frontends-drop-udp_get_timeouts-and-use-standard-ups.patch Normal file
View File

@ -0,0 +1,73 @@
From ef638a84405c9f6556a9d7c257ccbba74efd228e Mon Sep 17 00:00:00 2001
From: Ansuel Smith <ansuelsmth@gmail.com>
Date: Sat, 14 May 2022 20:15:10 +0200
Subject: [PATCH 10/12] frontends: drop udp_get_timeouts and use standard
upstream api
Drop udp_get_timeouts and use nf_udp_pernet and ->timeouts
instead or relying on a downstream api not present upstream.
---
frontends/nss/ecm_nss_ipv4.c | 3 ++-
frontends/nss/ecm_nss_ipv6.c | 3 ++-
frontends/sfe/ecm_sfe_ipv4.c | 3 ++-
frontends/sfe/ecm_sfe_ipv6.c | 3 ++-
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/frontends/nss/ecm_nss_ipv4.c b/frontends/nss/ecm_nss_ipv4.c
index 719a747..558819a 100644
--- a/frontends/nss/ecm_nss_ipv4.c
+++ b/frontends/nss/ecm_nss_ipv4.c
@@ -607,7 +607,8 @@ sync_conntrack:
#else
timeouts = nf_ct_timeout_lookup(ct);
if (!timeouts) {
- timeouts = udp_get_timeouts(nf_ct_net(ct));
+ struct nf_udp_net *un = nf_udp_pernet(nf_ct_net(ct));
+ timeouts = un->timeouts;
}
spin_lock_bh(&ct->lock);
diff --git a/frontends/nss/ecm_nss_ipv6.c b/frontends/nss/ecm_nss_ipv6.c
index 67ee364..51eb069 100644
--- a/frontends/nss/ecm_nss_ipv6.c
+++ b/frontends/nss/ecm_nss_ipv6.c
@@ -586,7 +586,8 @@ sync_conntrack:
#else
timeouts = nf_ct_timeout_lookup(ct);
if (!timeouts) {
- timeouts = udp_get_timeouts(nf_ct_net(ct));
+ struct nf_udp_net *un = nf_udp_pernet(nf_ct_net(ct));
+ timeouts = un->timeouts;
}
spin_lock_bh(&ct->lock);
diff --git a/frontends/sfe/ecm_sfe_ipv4.c b/frontends/sfe/ecm_sfe_ipv4.c
index 3f30821..931af5d 100644
--- a/frontends/sfe/ecm_sfe_ipv4.c
+++ b/frontends/sfe/ecm_sfe_ipv4.c
@@ -527,7 +527,8 @@ sync_conntrack:
#else
timeouts = nf_ct_timeout_lookup(ct);
if (!timeouts) {
- timeouts = udp_get_timeouts(nf_ct_net(ct));
+ struct nf_udp_net *un = nf_udp_pernet(nf_ct_net(ct));
+ timeouts = un->timeouts;
}
spin_lock_bh(&ct->lock);
diff --git a/frontends/sfe/ecm_sfe_ipv6.c b/frontends/sfe/ecm_sfe_ipv6.c
index 54fdbf3..63d8888 100644
--- a/frontends/sfe/ecm_sfe_ipv6.c
+++ b/frontends/sfe/ecm_sfe_ipv6.c
@@ -516,7 +516,8 @@ sync_conntrack:
#else
timeouts = nf_ct_timeout_lookup(ct);
if (!timeouts) {
- timeouts = udp_get_timeouts(nf_ct_net(ct));
+ struct nf_udp_net *un = nf_udp_pernet(nf_ct_net(ct));
+ timeouts = un->timeouts;
}
spin_lock_bh(&ct->lock);
--
2.34.1

20
qca/qca-nss-ecm/patches/0013-ecm_interface-fix-ppp-generic-function-calls-for-5.15.patch Normal file
View File

@ -0,0 +1,20 @@
--- a/ecm_interface.c
+++ b/ecm_interface.c
@@ -3551,7 +3551,7 @@ identifier_update:
if (skb && (skb->skb_iif == dev->ifindex)) {
struct pppol2tp_common_addr info;
- if (__ppp_is_multilink(dev) > 0) {
+ if (ppp_is_multilink(dev) > 0) {
DEBUG_TRACE("%px: Net device: %px is MULTILINK PPP - Unknown to the ECM\n", feci, dev);
type_info.unknown.os_specific_ident = dev_interface_num;
@@ -3561,7 +3561,7 @@ identifier_update:
ii = ecm_interface_unknown_interface_establish(&type_info.unknown, dev_name, dev_interface_num, ae_interface_num, dev_mtu);
return ii;
}
- channel_count = __ppp_hold_channels(dev, ppp_chan, 1);
+ channel_count = ppp_hold_channels(dev, ppp_chan, 1);
if (channel_count != 1) {
DEBUG_TRACE("%px: Net device: %px PPP has %d channels - ECM cannot handle this (interface becomes Unknown type)\n",
feci, dev, channel_count);

49
qca/qca-nss-ecm/patches/204-More-compile-fixes.patch
View File

@ -1,49 +0,0 @@
From e6d701c0d454d841366c556b2ef07a5203ffb35d Mon Sep 17 00:00:00 2001
From: Robert Marko <robimarko@gmail.com>
Date: Fri, 21 May 2021 21:41:31 +0200
Subject: [PATCH] More compile fixes
More runtime compile fixes.
Signed-off-by: Robert Marko <robimarko@gmail.com>
---
frontends/nss/ecm_nss_ported_ipv4.c | 12 +++---------
frontends/nss/ecm_nss_ported_ipv6.c | 12 +++---------
2 files changed, 6 insertions(+), 18 deletions(-)
--- a/frontends/nss/ecm_nss_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_ported_ipv4.c
@@ -2935,14 +2935,8 @@ done:
*/
bool ecm_nss_ported_ipv4_debugfs_init(struct dentry *dentry)
{
- struct dentry *udp_dentry;
-
- udp_dentry = debugfs_create_u32("udp_accelerated_count", S_IRUGO, dentry,
+ debugfs_create_u32("udp_accelerated_count", S_IRUGO, dentry,
&ecm_nss_ported_ipv4_accelerated_count[ECM_NSS_PORTED_IPV4_PROTO_UDP]);
- if (!udp_dentry) {
- DEBUG_ERROR("Failed to create ecm nss ipv4 udp_accelerated_count file in debugfs\n");
- return false;
- }
debugfs_create_u32("tcp_accelerated_count", S_IRUGO, dentry,
&ecm_nss_ported_ipv4_accelerated_count[ECM_NSS_PORTED_IPV4_PROTO_TCP]);
--- a/frontends/nss/ecm_nss_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_ported_ipv6.c
@@ -2723,14 +2723,8 @@ done:
*/
bool ecm_nss_ported_ipv6_debugfs_init(struct dentry *dentry)
{
- struct dentry *udp_dentry;
-
- udp_dentry = debugfs_create_u32("udp_accelerated_count", S_IRUGO, dentry,
+ debugfs_create_u32("udp_accelerated_count", S_IRUGO, dentry,
&ecm_nss_ported_ipv6_accelerated_count[ECM_NSS_PORTED_IPV6_PROTO_UDP]);
- if (!udp_dentry) {
- DEBUG_ERROR("Failed to create ecm nss ipv6 udp_accelerated_count file in debugfs\n");
- return false;
- }
debugfs_create_u32("tcp_accelerated_count", S_IRUGO, dentry,
&ecm_nss_ported_ipv6_accelerated_count[ECM_NSS_PORTED_IPV6_PROTO_TCP]);

146
qca/qca-nss-ecm/patches/900-treewide-export-ipv4-and-ipv6-symbols.patch Normal file
View File

@ -0,0 +1,146 @@
--- a/frontends/nss/ecm_nss_ipv4.h
+++ b/frontends/nss/ecm_nss_ipv4.h
@@ -14,6 +14,9 @@
**************************************************************************
*/
+#ifndef __ECM_FRONT_END_NSS_IPV4_H
+#define __ECM_FRONT_END_NSS_IPV4_H
+
#include <nss_api_if.h>
extern int ecm_nss_ipv4_no_action_limit_default; /* Default no-action limit. */
@@ -168,3 +171,5 @@ extern void ecm_nss_ipv4_accel_done_time
extern void ecm_nss_ipv4_decel_done_time_update(struct ecm_front_end_connection_instance *feci);
extern int ecm_nss_ipv4_init(struct dentry *dentry);
extern void ecm_nss_ipv4_exit(void);
+
+#endif /* __ECM_FRONT_END_NSS_IPV4_H */
--- a/frontends/nss/ecm_nss_ipv6.h
+++ b/frontends/nss/ecm_nss_ipv6.h
@@ -14,6 +14,9 @@
**************************************************************************
*/
+#ifndef __ECM_FRONT_END_NSS_IPV6_H
+#define __ECM_FRONT_END_NSS_IPV6_H
+
#include <nss_api_if.h>
extern int ecm_nss_ipv6_no_action_limit_default; /* Default no-action limit. */
@@ -168,3 +171,5 @@ extern void ecm_nss_ipv6_accel_done_time
extern void ecm_nss_ipv6_decel_done_time_update(struct ecm_front_end_connection_instance *feci);
extern int ecm_nss_ipv6_init(struct dentry *dentry);
extern void ecm_nss_ipv6_exit(void);
+
+#endif /* __ECM_FRONT_END_NSS_IPV6_H */
--- a/frontends/nss/ecm_nss_common.c
+++ b/frontends/nss/ecm_nss_common.c
@@ -67,6 +67,7 @@ bool ecm_nss_ipv6_is_conn_limit_reached(
return false;
}
+EXPORT_SYMBOL(ecm_nss_ipv6_is_conn_limit_reached);
#endif
/*
@@ -93,3 +94,4 @@ bool ecm_nss_ipv4_is_conn_limit_reached(
return false;
}
+EXPORT_SYMBOL(ecm_nss_ipv4_is_conn_limit_reached);
--- a/frontends/nss/ecm_nss_non_ported_ipv4.h
+++ b/frontends/nss/ecm_nss_non_ported_ipv4.h
@@ -19,7 +19,7 @@
extern bool ecm_nss_non_ported_ipv4_debugfs_init(struct dentry *dentry);
-extern struct ecm_front_end_connection_instance *ecm_nss_non_ported_ipv4_connection_instance_alloc(
- bool can_accel, int protocol,
- struct ecm_db_connection_instance **nci);
+struct ecm_front_end_connection_instance *ecm_nss_non_ported_ipv4_connection_instance_alloc(
+ bool can_accel, int protocol,
+ struct ecm_db_connection_instance **nci);
extern void ecm_nss_non_ported_ipv4_sit_set_peer(struct ecm_front_end_connection_instance *feci, struct sk_buff *skb);
--- a/frontends/nss/ecm_nss_non_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_non_ported_ipv4.c
@@ -1822,6 +1822,7 @@ struct ecm_front_end_connection_instance
return feci;
}
+EXPORT_SYMBOL(ecm_nss_non_ported_ipv4_connection_instance_alloc);
/*
* ecm_nss_non_ported_ipv4_debugfs_init()
--- a/frontends/nss/ecm_nss_non_ported_ipv6.h
+++ b/frontends/nss/ecm_nss_non_ported_ipv6.h
@@ -19,7 +19,7 @@
extern bool ecm_nss_non_ported_ipv6_debugfs_init(struct dentry *dentry);
-extern struct ecm_front_end_connection_instance *ecm_nss_non_ported_ipv6_connection_instance_alloc(
- bool can_accel,
- int protocol,
- struct ecm_db_connection_instance **nci);
+struct ecm_front_end_connection_instance *ecm_nss_non_ported_ipv6_connection_instance_alloc(
+ bool can_accel,
+ int protocol,
+ struct ecm_db_connection_instance **nci);
--- a/frontends/nss/ecm_nss_non_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_non_ported_ipv6.c
@@ -1648,6 +1648,7 @@ struct ecm_front_end_connection_instance
return feci;
}
+EXPORT_SYMBOL(ecm_nss_non_ported_ipv6_connection_instance_alloc);
/*
* ecm_nss_non_ported_ipv6_debugfs_init()
--- a/frontends/nss/ecm_nss_ported_ipv4.h
+++ b/frontends/nss/ecm_nss_ported_ipv4.h
@@ -19,7 +19,7 @@
extern bool ecm_nss_ported_ipv4_debugfs_init(struct dentry *dentry);
-extern struct ecm_front_end_connection_instance *ecm_nss_ported_ipv4_connection_instance_alloc(
- bool can_accel,
- int protocol,
- struct ecm_db_connection_instance **nci);
+struct ecm_front_end_connection_instance *ecm_nss_ported_ipv4_connection_instance_alloc(
+ bool can_accel,
+ int protocol,
+ struct ecm_db_connection_instance **nci);
--- a/frontends/nss/ecm_nss_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_ported_ipv4.c
@@ -1877,6 +1877,7 @@ struct ecm_front_end_connection_instance
return feci;
}
+EXPORT_SYMBOL(ecm_nss_ported_ipv4_connection_instance_alloc);
/*
* ecm_nss_ported_ipv4_debugfs_init()
--- a/frontends/nss/ecm_nss_ported_ipv6.h
+++ b/frontends/nss/ecm_nss_ported_ipv6.h
@@ -19,7 +19,7 @@
extern bool ecm_nss_ported_ipv6_debugfs_init(struct dentry *dentry);
-extern struct ecm_front_end_connection_instance *ecm_nss_ported_ipv6_connection_instance_alloc(
- bool can_accel,
- int protocol,
- struct ecm_db_connection_instance **nci);
+struct ecm_front_end_connection_instance *ecm_nss_ported_ipv6_connection_instance_alloc(
+ bool can_accel,
+ int protocol,
+ struct ecm_db_connection_instance **nci);
--- a/frontends/nss/ecm_nss_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_ported_ipv6.c
@@ -1791,6 +1791,7 @@ struct ecm_front_end_connection_instance
return feci;
}
+EXPORT_SYMBOL(ecm_nss_ported_ipv6_connection_instance_alloc);
/*
* ecm_nss_ported_ipv6_debugfs_init()

67
qca/qca-nss-ecm/patches/901-qca-nss-ecm-fix-a-memcpy-overflow-in-ecm_db.patch Normal file
View File

@ -0,0 +1,67 @@
From 1958e34c4c1b8b4fb62eba693fbd7693536947b9 Mon Sep 17 00:00:00 2001
From: flebourse <francis.lebourse@sfr.fr>
Date: Thu, 23 Dec 2021 16:11:06 +0100
Subject: [PATCH] qca-nss-ecm: fix a memcpy overflow in ecm_db
Calls to ipv6_addr_prefix() trigger a memcpy overflow if the prefix len
argument is greater than 128, cap it at this value.
stack bactrace:
detected buffer overflow in memcpy
Kernel BUG at fortify_panic+0x20/0x24
Internal error: Oops - BUG: 0 [#1] SMP
CPU: 2 PID: 2592 Comm: netifd Not tainted 5.10.80 #0
Hardware name: Xiaomi AX9000 (DT)
Call trace:
fortify_panic+0x20/0x24
ecm_db_exit+0x42c/0x49c [ecm]
ecm_db_exit+0x464/0x49c [ecm]
atomic_notifier_call_chain+0x5c/0x90
ip6_route_add+0x13c/0x1a4
inet6_rtm_newroute+0x98/0xa0
rtnetlink_rcv_msg+0x10c/0x34c
netlink_rcv_skb+0x5c/0x130
rtnetlink_rcv+0x1c/0x2c
netlink_unicast+0x1ec/0x2e0
netlink_sendmsg+0x1a4/0x394
____sys_sendmsg+0x270/0x2b4
___sys_sendmsg+0x7c/0xc0
__sys_sendmsg+0x5c/0xb0
__arm64_sys_sendmsg+0x28/0x34
el0_svc_common.constprop.0+0x88/0x190
do_el0_svc+0x74/0x94
el0_svc+0x14/0x20
el0_sync_handler+0xa8/0x130
el0_sync+0x184/0x1c0
Code: aa0003e1 912b4040 910003fd 97fff56c (d4210000)
Signed-off-By: Francis Le Bourse <francis.lebourse@sfr.fr>
---
ecm_db/ecm_db.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ecm_db/ecm_db.c b/ecm_db/ecm_db.c
index c6f408d..df04afd 100644
--- a/ecm_db/ecm_db.c
+++ b/ecm_db/ecm_db.c
@@ -298,7 +298,7 @@ static int ecm_db_ipv6_route_table_update_event(struct notifier_block *nb,
* Compute ECM connection's prefix destination address by masking it with the
* route config's destination address prefix length.
*/
- ipv6_addr_prefix(&prefix_addr, &ecm_in6, cfg->fc_dst_len);
+ ipv6_addr_prefix(&prefix_addr, &ecm_in6, min(128, cfg->fc_dst_len));
DEBUG_TRACE("dest addr prefix: %pI6 prefix_len: %d ecm_in6: %pI6\n", &prefix_addr, cfg->fc_dst_len, &ecm_in6);
@@ -326,7 +326,7 @@ static int ecm_db_ipv6_route_table_update_event(struct notifier_block *nb,
* Compute ECM connection's prefix source address by masking it with the
* route config's destination address prefix length.
*/
- ipv6_addr_prefix(&prefix_addr, &ecm_in6, cfg->fc_dst_len);
+ ipv6_addr_prefix(&prefix_addr, &ecm_in6, min(128, cfg->fc_dst_len));
DEBUG_TRACE("src addr prefix: %pI6 prefix_len: %d ecm_in6: %pI6\n", &prefix_addr, cfg->fc_dst_len, &ecm_in6);
--
2.1.4

75
qca/qca-nss-ecm/patches/902-qca-nss-ecm-Fix-nf_ct_net-null-pointer-reference.patch Normal file
View File

@ -0,0 +1,75 @@
--- a/frontends/nss/ecm_nss_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_ported_ipv4.c
@@ -335,8 +335,12 @@ static void ecm_nss_ported_ipv4_connecti
uint8_t dest_mac_xlate[ETH_ALEN];
ecm_db_direction_t ecm_dir;
ecm_front_end_acceleration_mode_t result_mode;
- struct net *net = nf_ct_net(ct);
- struct nf_tcp_net *tn = nf_tcp_pernet(net);
+ struct nf_tcp_net *tn;
+
+ if (ct) {
+ struct net *net = nf_ct_net(ct);
+ tn = nf_tcp_pernet(net);
+ }
DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
--- a/frontends/nss/ecm_nss_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_ported_ipv6.c
@@ -340,8 +340,12 @@ static void ecm_nss_ported_ipv6_connecti
ip_addr_t src_ip;
ip_addr_t dest_ip;
ecm_front_end_acceleration_mode_t result_mode;
- struct net *net = nf_ct_net(ct);
- struct nf_tcp_net *tn = nf_tcp_pernet(net);
+ struct nf_tcp_net *tn;
+
+ if (ct) {
+ struct net *net = nf_ct_net(ct);
+ tn = nf_tcp_pernet(net);
+ }
DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
--- a/frontends/sfe/ecm_sfe_ported_ipv4.c
+++ b/frontends/sfe/ecm_sfe_ported_ipv4.c
@@ -365,11 +365,15 @@ static void ecm_sfe_ported_ipv4_connecti
uint8_t dest_mac_xlate[ETH_ALEN];
ecm_db_direction_t ecm_dir;
ecm_front_end_acceleration_mode_t result_mode;
- struct net *net = nf_ct_net(ct);
- struct nf_tcp_net *tn = nf_tcp_pernet(net);
+ struct nf_tcp_net *tn;
uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
+ if (ct) {
+ struct net *net = nf_ct_net(ct);
+ tn = nf_tcp_pernet(net);
+ }
+
DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
/*
--- a/frontends/sfe/ecm_sfe_ported_ipv6.c
+++ b/frontends/sfe/ecm_sfe_ported_ipv6.c
@@ -369,11 +369,15 @@ static void ecm_sfe_ported_ipv6_connecti
ip_addr_t src_ip;
ip_addr_t dest_ip;
ecm_front_end_acceleration_mode_t result_mode;
- struct net *net = nf_ct_net(ct);
- struct nf_tcp_net *tn = nf_tcp_pernet(net);
+ struct nf_tcp_net *tn;
uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
+ if (ct) {
+ struct net *net = nf_ct_net(ct);
+ tn = nf_tcp_pernet(net);
+ }
+
DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
/*