From 7d0fa17d0e0c798b1a205c7fbda3eb24af411408 Mon Sep 17 00:00:00 2001
From: Sean Khan
Date: Tue, 2 Jul 2024 20:20:10 -0400
Subject: [PATCH] qca-nss-ecm: Add fw4 check for bridge filter

iptables based bridge filtering is incompatible with nftables (fw4), and causes just causes NAT loopback issues. This is only required for systems using legacy iptables (fw3) as the primary firewalling. nftables doesn't need explicit enablement of bridge filtering.

Signed-off-by: Sean Khan
---
 qca-nss-ecm/Makefile | 2 +-
 qca-nss-ecm/files/qca-nss-ecm.init | 44 +++++++++++++++++-------------
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/qca-nss-ecm/Makefile b/qca-nss-ecm/Makefile
index 1c29070..359defd 100644
--- a/qca-nss-ecm/Makefile
+++ b/qca-nss-ecm/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=qca-nss-ecm
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/qca-nss-ecm.git
 PKG_SOURCE_PROTO:=git
diff --git a/qca-nss-ecm/files/qca-nss-ecm.init b/qca-nss-ecm/files/qca-nss-ecm.init
index c1598a0..a4b8ace 100644
--- a/qca-nss-ecm/files/qca-nss-ecm.init
+++ b/qca-nss-ecm/files/qca-nss-ecm.init
@@ -15,7 +15,7 @@
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# The shebang above has an extra space intentially to avoid having
+# The shebang above has an extra space intentionally to avoid having
 # openwrt build scripts automatically enable this package starting
 # at boot.
@@ -54,21 +54,32 @@ get_front_end_mode() {
 ;;
 *)
 echo '0'
+ ;;
 esac
 }
-enable_bridge_filtering() {
- sysctl_update net.bridge.bridge-nf-call-arptables 1
- sysctl_update net.bridge.bridge-nf-call-iptables 1
- sysctl_update net.bridge.bridge-nf-call-ip6tables 1
-}
-
 disable_bridge_filtering() {
 sysctl_update net.bridge.bridge-nf-call-arptables 0
 sysctl_update net.bridge.bridge-nf-call-iptables 0
 sysctl_update net.bridge.bridge-nf-call-ip6tables 0
 }
+enable_bridge_filtering() {
+
+ # If bridge filtering is enabled, apply and persist the sysctl flags
+ config_load ecm
+ config_get enable_bridge_filtering general enable_bridge_filtering 0
+
+ # shellcheck disable=2154
+ if [ "$enable_bridge_filtering" -eq 1 ]; then
+ sysctl_update net.bridge.bridge-nf-call-arptables 1
+ sysctl_update net.bridge.bridge-nf-call-iptables 1
+ sysctl_update net.bridge.bridge-nf-call-ip6tables 1
+ else
+ disable_bridge_filtering
+ fi
+}
+
 load_ecm() {
 [ -d /sys/module/ecm ] || {
 local get_front_end_mode
@@ -91,7 +102,7 @@ load_ecm() {
 # Set conntrack event mode to 1 for 6.1 kernel to get the conntrack events from ECM
 local kernel_major
- kernel_major=$(uname -r |cut -d. -f1)
+ kernel_major=$(uname -r | cut -d. -f1)
 if [ "$kernel_major" -eq 6 ]; then
 echo 1 > /proc/sys/net/netfilter/nf_conntrack_events
 fi
@@ -102,7 +113,7 @@ unload_ecm() {
 # Change it back to 6.1 linux's default setting
 local kernel_major
- kernel_major="$(uname -r |cut -d. -f1)"
+ kernel_major="$(uname -r | cut -d. -f1)"
 if [ "$kernel_major" -eq 6 ]; then
 echo 2 > /proc/sys/net/netfilter/nf_conntrack_events
 fi
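Review bot: The `[ "$enable_bridge_filtering" -eq 1 ]` test in the new enable_bridge_filtering() accepts only the literal `1`, so a UCI boolean spelled `yes`, `true` or `on` makes `[` complain "integer expression expected" and fall into the `else` branch, silently turning filtering off for a user who explicitly enabled it. The UCI helper normalises every accepted spelling to 0/1 and is the idiomatic fix: `config_get_bool enable_bridge_filtering general enable_bridge_filtering 0`. The variable also carries the same name as the function it lives in, which is legal in ash but easy to misread; declaring it `local` under a distinct name such as `enabled` would separate the two. The two kernel_major hunks below are whitespace-only and need nothing.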
@@ -128,21 +139,16 @@ unload_ecm() {
 start() {
 load_ecm
- # If the acceleration engine is NSS, enable wifi redirect
- [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1
-
- # If bridge filtering is enabled, apply and persist the sysctl flags
- config_load ecm
- config_get enable_bridge_filtering general enable_bridge_filtering "0"
-
- # shellcheck disable=2154
- if [ "$enable_bridge_filtering" -eq 1 ]; then
- echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!"
+ # Only enable bridge filtering if using deprecated fw3
+ if [ ! -r /sbin/fw4 ]; then
 enable_bridge_filtering
 else
 disable_bridge_filtering
 fi
+ # If the acceleration engine is NSS, enable wifi redirect
+ [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1
+
 if [ -d /sys/module/qca_ovsmgr ]; then
 insmod ecm_ovs
 fi
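Review bot: The new `[ ! -r /sbin/fw4 ]` test in start() decides on the presence of the fw4 binary, not on which firewall service is actually active, so a system with both packages installed (or fw4 present but still running the legacy firewall) will have bridge filtering forced off even though, per the commit message, fw3 setups are the ones that need the bridge-nf sysctls. That limitation belongs in the comment on the new line, e.g. `# Only enable bridge filtering if using deprecated fw3 (heuristic: fw4 binary absent)`, so the next reader knows it is an approximation. The removed echo about NAT loopback also disappears for fw3 users who turn the option on; if that problem still applies under fw3, keep the one echo line inside the fw3 branch. start() continues past the end of this hunk.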