qca-nss-ecm: rework/sync patches

qca-nss-ecm: remove noload build variant

qca-nss-ecm: backport bridge flow fixes

qca/qca-nss-ecm/Makefile

@@ -73,28 +73,6 @@ ECM_MAKE_OPTS+=ECM_FRONT_END_NSS_ENABLE=y \
 		ECM_BAND_STEERING_ENABLE=n
 endif
 
-# Variant with additional features enabled for noload profile
-define KernelPackage/qca-nss-ecm-noload
-$(call KernelPackage/qca-nss-ecm)
-  TITLE+= (with noload features)
-  PROVIDES:=kmod-qca-nss-ecm
-  VARIANT:=noload
-endef
-
-define KernelPackage/qca-nss-ecm-noload/Description
-  $(call KernelPackage/qca-nss-ecm/Description)
-  When selected, this package installs the driver, but does not load it at init.
-endef
-
-define KernelPackage/qca-nss-ecm-noload/install
-	$(call KernelPackage/qca-nss-ecm/install, $(1))
-	#
-	# Remove the START line from the init script, so that the symlink
-	# in the /etc/rc.d directory is not created.
-	#
-	sed -i '/START=/d' $(1)/etc/init.d/qca-nss-ecm
-endef
-
 # Disable ECM IPv6 support when global IPv6 support is disabled.
 ifneq ($(CONFIG_IPV6),)
 ECM_MAKE_OPTS+=ECM_IPV6_ENABLE=y
@@ -176,4 +154,3 @@ define Build/Compile
 endef
 
 $(eval $(call KernelPackage,qca-nss-ecm))
-$(eval $(call KernelPackage,qca-nss-ecm-noload))

qca/qca-nss-ecm/patches/0001-treewide-componentize-the-module-even-more.patch

@@ -5,12 +5,12 @@ Subject: [PATCH 01/12] treewide: componentize the module even more
 
 Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
 ---
- Makefile                         | 56 +++++++++++++++++++++++++-------
+ Makefile                         | 57 +++++++++++++++++++++++++-------
  ecm_db/ecm_db_connection.c       |  8 +++++
  ecm_db/ecm_db_node.c             |  4 +++
  ecm_interface.c                  |  8 +++++
  frontends/ecm_front_end_common.c |  7 ++++
- 5 files changed, 72 insertions(+), 11 deletions(-)
+ 5 files changed, 72 insertions(+), 12 deletions(-)
 
 diff --git a/Makefile b/Makefile
 index a59cbce..f7e40f8 100644
@@ -153,6 +153,14 @@ index a59cbce..f7e40f8 100644
  ccflags-$(ECM_BAND_STEERING_ENABLE) += -DECM_BAND_STEERING_ENABLE
 
  # #############################################################################
+@@ -488,7 +488,6 @@ ccflags-y += -DECM_TRACKER_UDP_DEBUG_LEVEL=1
+ ccflags-y += -DECM_BOND_NOTIFIER_DEBUG_LEVEL=1
+ ccflags-y += -DECM_INTERFACE_DEBUG_LEVEL=1
+ ccflags-y += -DECM_STATE_DEBUG_LEVEL=1
+-ccflags-y += -DECM_OPENWRT_SUPPORT=1
+ ccflags-y += -DECM_NOTIFIER_DEBUG_LEVEL=1
+ ccflags-y += -DECM_AE_CLASSIFIER_DEBUG_LEVEL=1
+
 diff --git a/ecm_db/ecm_db_connection.c b/ecm_db/ecm_db_connection.c
 index 6d0bff4..77e5f3f 100644
 --- a/ecm_db/ecm_db_connection.c

qca/qca-nss-ecm/patches/0004-treewide-fix-wrong-chain-events-flag.patch

@@ -1,40 +0,0 @@
-From 33a2f57d6852035730b353a14912ce2c588f3017 Mon Sep 17 00:00:00 2001
-From: Ansuel Smith <ansuelsmth@gmail.com>
-Date: Sat, 15 May 2021 03:51:14 +0200
-Subject: [PATCH 04/12] treewide: fix wrong chain events flag
-
-Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
----
- ecm_conntrack_notifier.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
-index 7b20132..9c8a45e 100644
---- a/ecm_conntrack_notifier.c
-+++ b/ecm_conntrack_notifier.c
-@@ -423,7 +423,11 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
- 	/*
- 	 * Eventing subsystem is available so we register a notifier hook to get fast notifications of expired connections
- 	 */
-+#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
-+	result = nf_conntrack_register_chain_notifier(&init_net, &ecm_conntrack_notifier);
-+#else
- 	result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
-+#endif
- 	if (result < 0) {
- 		DEBUG_ERROR("Can't register nf notifier hook.\n");
- 		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
-@@ -441,7 +445,9 @@ EXPORT_SYMBOL(ecm_conntrack_notifier_init);
- void ecm_conntrack_notifier_exit(void)
- {
- 	DEBUG_INFO("ECM Conntrack Notifier exit\n");
--#ifdef CONFIG_NF_CONNTRACK_EVENTS
-+#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
-+	nf_conntrack_unregister_chain_notifier(&init_net, &ecm_conntrack_notifier);
-+#else
- 	nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
- #endif
- 	/*
--- 
-2.34.1
-

qca/qca-nss-ecm/patches/0006-treewide-rework-notifier-changes-for-5.15.patch

@@ -0,0 +1,91 @@
+From 0df0d3ffb4b6df09a28d233925b533de14be6f0e Mon Sep 17 00:00:00 2001
+From: Bit Thief <bitthief@protonmail.ch>
+Date: Tue, 4 Apr 2023 05:22:33 +0300
+Subject: [PATCH] treewide: rework notifier changes for 5.15
+
+---
+ ecm_conntrack_notifier.c | 35 +++++++++++++++--------------------
+ 1 file changed, 15 insertions(+), 20 deletions(-)
+
+diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
+index 5f802b7..50e8566 100644
+--- a/ecm_conntrack_notifier.c
++++ b/ecm_conntrack_notifier.c
+@@ -332,15 +332,8 @@ EXPORT_SYMBOL(ecm_conntrack_ipv4_event);
+  * ecm_conntrack_event()
+  *	Callback event invoked when conntrack connection state changes, currently we handle destroy events to quickly release state
+  */
+-#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
+-static int ecm_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
+-#else
+-static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item)
+-#endif
++static int ecm_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ {
+-#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
+-	struct nf_ct_event *item = (struct nf_ct_event *)ptr;
+-#endif
+ 	struct nf_conn *ct = item->ct;
+
+ 	/*
+@@ -387,23 +380,17 @@ static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item)
+ 	return NOTIFY_DONE;
+ }
+
+-#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
+-/*
+- * struct notifier_block ecm_conntrack_notifier
+- *	Netfilter conntrack event system to monitor connection tracking changes
+- */
+-static struct notifier_block ecm_conntrack_notifier = {
+-	.notifier_call	= ecm_conntrack_event,
+-};
+-#else
+ /*
+  * struct nf_ct_event_notifier ecm_conntrack_notifier
+  *	Netfilter conntrack event system to monitor connection tracking changes
+  */
+ static struct nf_ct_event_notifier ecm_conntrack_notifier = {
+-	.fcn	= ecm_conntrack_event,
+-};
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
++    .fcn	= ecm_conntrack_event,
++#else
++    .ct_event	= ecm_conntrack_event,
+ #endif
++};
+ #endif
+
+ /*
+@@ -440,12 +427,16 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
+ 	/*
+ 	 * Eventing subsystem is available so we register a notifier hook to get fast notifications of expired connections
+ 	 */
+-	result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
++   result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
+ 	if (result < 0) {
+ 		DEBUG_ERROR("Can't register nf notifier hook.\n");
+ 		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
+ 		return result;
+ 	}
++#else
++   nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
++#endif
+ #endif
+
+ 	return 0;
+@@ -459,7 +450,11 @@ void ecm_conntrack_notifier_exit(void)
+ {
+ 	DEBUG_INFO("ECM Conntrack Notifier exit\n");
+ #ifdef CONFIG_NF_CONNTRACK_EVENTS
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
+ 	nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
++#else
++   nf_conntrack_unregister_notifier(&init_net);
++#endif
+ #endif
+ 	/*
+ 	 * Remove the debugfs files recursively.
+--
+2.40.0

qca/qca-nss-ecm/patches/0007-frontends-drop-use-of-static-be_liberal-and-no_windo.patch

@@ -1,22 +1,17 @@
-From 15530431f3ce3273b3cfc2da356d7fb71ed48020 Mon Sep 17 00:00:00 2001
-From: Ansuel Smith <ansuelsmth@gmail.com>
-Date: Sun, 8 May 2022 16:16:34 +0200
-Subject: [PATCH 08/12] frontends: drop use of static be_liberal and
- no_window_check
+From 6103e80ad89775eee55a97c8f8e07e9f2ac7d332 Mon Sep 17 00:00:00 2001
+From: Bit Thief <bitthief@protonmail.ch>
+Date: Tue, 4 Apr 2023 05:43:43 +0300
+Subject: [PATCH] frontends: drop use of static be_liberal and no_window_check
 
-Implementation changed, check these values indirectly instead of relying
-on an extern EXPORT_SYMBOL.
-
-Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
 ---
- frontends/nss/ecm_nss_ported_ipv4.c | 14 ++++----------
- frontends/nss/ecm_nss_ported_ipv6.c | 14 ++++----------
- frontends/sfe/ecm_sfe_ported_ipv4.c |  6 ++++--
- frontends/sfe/ecm_sfe_ported_ipv6.c |  6 ++++--
- 4 files changed, 16 insertions(+), 24 deletions(-)
+ frontends/nss/ecm_nss_ported_ipv4.c | 22 ++++++++--------------
+ frontends/nss/ecm_nss_ported_ipv6.c | 20 +++++++-------------
+ frontends/sfe/ecm_sfe_ported_ipv4.c | 22 ++++++++--------------
+ frontends/sfe/ecm_sfe_ported_ipv6.c | 22 ++++++++--------------
+ 4 files changed, 31 insertions(+), 55 deletions(-)
 
 diff --git a/frontends/nss/ecm_nss_ported_ipv4.c b/frontends/nss/ecm_nss_ported_ipv4.c
-index ea997e3..0c4261a 100644
+index 6375b6b..ed9c10b 100644
 --- a/frontends/nss/ecm_nss_ported_ipv4.c
 +++ b/frontends/nss/ecm_nss_ported_ipv4.c
 @@ -125,14 +125,6 @@ struct ecm_nss_ported_ipv4_connection_instance {
@@ -34,29 +29,36 @@ index ea997e3..0c4261a 100644
  /*
   * ecm_nss_ported_ipv4_connection_callback()
   *	Callback for handling create ack/nack calls.
-@@ -372,6 +364,8 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
+@@ -372,6 +364,12 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
  	uint8_t dest_mac_xlate[ETH_ALEN];
  	ecm_db_direction_t ecm_dir;
  	ecm_front_end_acceleration_mode_t result_mode;
-+	struct net *net = nf_ct_net(ct);
-+	struct nf_tcp_net *tn = nf_tcp_pernet(net);
++   struct nf_tcp_net *tn;
++
++   if (ct) {
++       struct net *net = nf_ct_net(ct);
++       tn = nf_tcp_pernet(net);
++   }
 
  	DEBUG_CHECK_MAGIC(npci, ECM_NSS_PORTED_IPV4_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci);
 
-@@ -1236,9 +1230,9 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
+@@ -1235,12 +1233,8 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
+ 			nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin;
  			nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
  			nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
- #ifdef ECM_OPENWRT_SUPPORT
+-#ifdef ECM_OPENWRT_SUPPORT
 -			if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
-+			if (tn->tcp_be_liberal || tn->tcp_no_window_check
- #else
+-#else
 -			if (nf_ct_tcp_be_liberal
+-#endif
+-					|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
 +			if (tn->tcp_be_liberal
- #endif
- 					|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
++                   || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
  					|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
+ 				nircm->rule_flags |= NSS_IPV4_RULE_CREATE_FLAG_NO_SEQ_CHECK;
+ 			}
 diff --git a/frontends/nss/ecm_nss_ported_ipv6.c b/frontends/nss/ecm_nss_ported_ipv6.c
-index 451a557..d1b3e14 100644
+index 1be8a58..3062c12 100644
 --- a/frontends/nss/ecm_nss_ported_ipv6.c
 +++ b/frontends/nss/ecm_nss_ported_ipv6.c
 @@ -125,14 +125,6 @@ struct ecm_nss_ported_ipv6_connection_instance {
@@ -74,78 +76,128 @@ index 451a557..d1b3e14 100644
  /*
   * ecm_nss_ported_ipv6_connection_callback()
   *	Callback for handling create ack/nack calls.
-@@ -376,6 +368,8 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
+@@ -376,6 +368,12 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
  	ip_addr_t src_ip;
  	ip_addr_t dest_ip;
  	ecm_front_end_acceleration_mode_t result_mode;
-+	struct net *net = nf_ct_net(ct);
-+	struct nf_tcp_net *tn = nf_tcp_pernet(net);
++   struct nf_tcp_net *tn;
++
++   if (ct) {
++       struct net *net = nf_ct_net(ct);
++       tn = nf_tcp_pernet(net);
++   }
 
  	DEBUG_CHECK_MAGIC(npci, ECM_NSS_PORTED_IPV6_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci);
 
-@@ -1162,9 +1156,9 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
+@@ -1161,11 +1159,7 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
+ 			nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin;
  			nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
  			nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
- #ifdef ECM_OPENWRT_SUPPORT
+-#ifdef ECM_OPENWRT_SUPPORT
 -			if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
-+			if (tn->tcp_be_liberal || tn->tcp_no_window_check
- #else
+-#else
 -			if (nf_ct_tcp_be_liberal
+-#endif
 +			if (tn->tcp_be_liberal
- #endif
  					|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
  					|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
+ 				nircm->rule_flags |= NSS_IPV6_RULE_CREATE_FLAG_NO_SEQ_CHECK;
 diff --git a/frontends/sfe/ecm_sfe_ported_ipv4.c b/frontends/sfe/ecm_sfe_ported_ipv4.c
-index 53f5b07..ef719ec 100644
+index 6e375f8..e5ae593 100644
 --- a/frontends/sfe/ecm_sfe_ported_ipv4.c
 +++ b/frontends/sfe/ecm_sfe_ported_ipv4.c
-@@ -421,6 +421,8 @@ static void ecm_sfe_ported_ipv4_connecti
+@@ -123,14 +123,6 @@ struct ecm_sfe_ported_ipv4_connection_instance {
+ static int ecm_sfe_ported_ipv4_accelerated_count[ECM_SFE_PORTED_IPV4_PROTO_MAX] = {0};
+ 						/* Array of Number of TCP and UDP connections currently offloaded */
+
+-/*
+- * Expose what should be a static flag in the TCP connection tracker.
+- */
+-#ifdef ECM_OPENWRT_SUPPORT
+-extern int nf_ct_tcp_no_window_check;
+-#endif
+-extern int nf_ct_tcp_be_liberal;
+-
+ /*
+  * ecm_sfe_ported_ipv4_get_stats_bitmap()
+  *	Get bit map
+@@ -357,9 +357,15 @@ static void ecm_sfe_ported_ipv4_connecti
  	uint8_t dest_mac_xlate[ETH_ALEN];
  	ecm_db_direction_t ecm_dir;
  	ecm_front_end_acceleration_mode_t result_mode;
-+   struct net *net = nf_ct_net(ct);
-+   struct nf_tcp_net *tn = nf_tcp_pernet(net);
++   struct nf_tcp_net *tn;
  	uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
  	ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
 
-@@ -1333,9 +1335,9 @@ static void ecm_sfe_ported_ipv4_connecti
++   if (ct) {
++       struct net *net = nf_ct_net(ct);
++       tn = nf_tcp_pernet(net);
++   }
++
+ 	DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
+
+ 	/*
+@@ -1332,11 +1330,7 @@ static void ecm_sfe_ported_ipv4_connection_accelerate(struct ecm_front_end_conne
+ 			nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin;
  			nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
  			nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
- #ifdef ECM_OPENWRT_SUPPORT
+-#ifdef ECM_OPENWRT_SUPPORT
 -			if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
-+           if (tn->tcp_be_liberal || tn->tcp_no_window_check)
- #else
+-#else
 -			if (nf_ct_tcp_be_liberal
-+           if (tn->tcp_be_liberal)
- #endif
+-#endif
++			if (tn->tcp_be_liberal
  					|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
  					|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
+ 				nircm->rule_flags |= SFE_RULE_CREATE_FLAG_NO_SEQ_CHECK;
 diff --git a/frontends/sfe/ecm_sfe_ported_ipv6.c b/frontends/sfe/ecm_sfe_ported_ipv6.c
-index ae04cb4..9abb563 100644
+index f1885aa..4a6fdbd 100644
 --- a/frontends/sfe/ecm_sfe_ported_ipv6.c
 +++ b/frontends/sfe/ecm_sfe_ported_ipv6.c
-@@ -426,7 +426,9 @@ static void ecm_sfe_ported_ipv6_connecti
+@@ -124,14 +124,6 @@ struct ecm_sfe_ported_ipv6_connection_instance {
+ static int ecm_sfe_ported_ipv6_accelerated_count[ECM_SFE_PORTED_IPV6_PROTO_MAX] = {0};
+ 						/* Array of Number of TCP and UDP connections currently offloaded */
+
+-/*
+- * Expose what should be a static flag in the TCP connection tracker.
+- */
+-#ifdef ECM_OPENWRT_SUPPORT
+-extern int nf_ct_tcp_no_window_check;
+-#endif
+-extern int nf_ct_tcp_be_liberal;
+-
+ /*
+  * ecm_sfe_ported_ipv6_get_stats_bitmap()
+  *	Get bit map
+@@ -361,9 +361,15 @@ static void ecm_sfe_ported_ipv6_connecti
  	ip_addr_t src_ip;
  	ip_addr_t dest_ip;
  	ecm_front_end_acceleration_mode_t result_mode;
 -	uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
-+	struct net *net = nf_ct_net(ct);
-+   struct nf_tcp_net *tn = nf_tcp_pernet(net);
++	struct nf_tcp_net *tn;
 +   uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
  	ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
 
- 	DEBUG_CHECK_MAGIC(npci, ECM_SFE_PORTED_IPV6_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci);
-@@ -1293,9 +1295,9 @@ static void ecm_sfe_ported_ipv6_connecti
++   if (ct) {
++       struct net *net = nf_ct_net(ct);
++       tn = nf_tcp_pernet(net);
++   }
++
+ 	DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
+
+ 	/*
+@@ -1292,11 +1290,7 @@ static void ecm_sfe_ported_ipv6_connection_accelerate(struct ecm_front_end_conne
+ 			nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin;
  			nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end;
  			nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend;
- #ifdef ECM_OPENWRT_SUPPORT
+-#ifdef ECM_OPENWRT_SUPPORT
 -			if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check
-+           if (tn->tcp_be_liberal || tn->tcp_no_window_check)
- #else
+-#else
 -			if (nf_ct_tcp_be_liberal
-+			if (tn->tcp_be_liberal)
- #endif
+-#endif
++			if (tn->tcp_be_liberal
  					|| (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)
  					|| (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) {
+ 				nircm->rule_flags |= SFE_RULE_CREATE_FLAG_NO_SEQ_CHECK;
 --
-2.34.1
+2.40.0

qca/qca-nss-ecm/patches/0007-treewide-rework-notifier-changes-for-5.15.patch

@@ -1,72 +0,0 @@
-From e9073363a50a25bddd96e808f04bcf56c45da4ac Mon Sep 17 00:00:00 2001
-From: Ansuel Smith <ansuelsmth@gmail.com>
-Date: Sun, 8 May 2022 18:19:47 +0200
-Subject: [PATCH 07/12] treewide: rework notifier changes for 5.15
-
-Rework notifier changes for 5.15 conntrack new implementation.
-
-Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
----
- ecm_conntrack_notifier.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
-index 9c8a45e..9f2cdae 100644
---- a/ecm_conntrack_notifier.c
-+++ b/ecm_conntrack_notifier.c
-@@ -322,7 +322,7 @@ EXPORT_SYMBOL(ecm_conntrack_ipv4_event);
- #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
- static int ecm_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
- #else
--static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item)
-+static int ecm_conntrack_event(unsigned int events, const struct nf_ct_event *item)
- #endif
- {
- #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
-@@ -388,7 +388,11 @@ static struct notifier_block ecm_conntrack_notifier = {
-  *	Netfilter conntrack event system to monitor connection tracking changes
-  */
- static struct nf_ct_event_notifier ecm_conntrack_notifier = {
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
- 	.fcn	= ecm_conntrack_event,
-+#else
-+	.ct_event	= ecm_conntrack_event,
-+#endif
- };
- #endif
- #endif
-@@ -426,13 +430,19 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
- #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
- 	result = nf_conntrack_register_chain_notifier(&init_net, &ecm_conntrack_notifier);
- #else
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
- 	result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
-+#else
-+	nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
-+#endif
- #endif
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
- 	if (result < 0) {
- 		DEBUG_ERROR("Can't register nf notifier hook.\n");
- 		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
- 		return result;
- 	}
-+#endif
- #endif
- 
- 	return 0;
-@@ -448,7 +458,11 @@ void ecm_conntrack_notifier_exit(void)
- #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
- 	nf_conntrack_unregister_chain_notifier(&init_net, &ecm_conntrack_notifier);
- #else
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
- 	nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
-+#else
-+	nf_conntrack_unregister_notifier(&init_net);
-+#endif
- #endif
- 	/*
- 	 * Remove the debugfs files recursively.
--- 
-2.34.1
-

qca/qca-nss-ecm/patches/100-qca-nss-ecm-Fix-conntrack-created-firewall-stopped.patch

@@ -0,0 +1,45 @@
+diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
+index 50e8566..cf8bd33 100644
+--- a/ecm_conntrack_notifier.c
++++ b/ecm_conntrack_notifier.c
+@@ -437,6 +437,26 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
+ #else
+     nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
+ #endif
++
++    /*
++	 * Hold netns reference to keep the basic conntrack alive and
++	 * track conntrack even when firewall stopped.
++	 */
++	result = nf_ct_netns_get(&init_net, NFPROTO_IPV4);
++	if (result < 0) {
++		DEBUG_ERROR("Can't hold ipv4 netns.\n");
++		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
++		return result;
++	}
++#ifdef ECM_IPV6_ENABLE
++	result = nf_ct_netns_get(&init_net, NFPROTO_IPV6);
++	if (result < 0) {
++		DEBUG_ERROR("Can't hold ipv6 netns.\n");
++		nf_ct_netns_put(&init_net, NFPROTO_IPV4);
++		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
++		return result;
++	}
++#endif
+ #endif
+
+ 	return 0;
+@@ -450,6 +470,13 @@ void ecm_conntrack_notifier_exit(void)
+ {
+ 	DEBUG_INFO("ECM Conntrack Notifier exit\n");
+ #ifdef CONFIG_NF_CONNTRACK_EVENTS
++	/*
++	 * Release netns reference.
++	 */
++	nf_ct_netns_put(&init_net, NFPROTO_IPV4);
++#ifdef ECM_IPV6_ENABLE
++	nf_ct_netns_put(&init_net, NFPROTO_IPV6);
++#endif
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
+ 	nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
+ #else

qca/qca-nss-ecm/patches/101-qca-nss-ecm-Skip-bridge-flow-packet-in-post-routing-hook.patch

@@ -0,0 +1,57 @@
+diff --git a/frontends/cmn/ecm_ipv4.c b/frontends/cmn/ecm_ipv4.c
+index f69eb45c135be420968bc2de1101c3220a8faeb6..cac02b4bef4fb4da2d5b8411efeb496a6d406db9 100644
+--- a/frontends/cmn/ecm_ipv4.c
++++ b/frontends/cmn/ecm_ipv4.c
+@@ -1502,6 +1502,37 @@ vxlan_done:
+ #endif
+ }
+ 
++/*
++ * ecm_ipv4_is_bridge_pkt()
++ *	Return true if pkt is from bridge flow.
++ *	If in/out dev is a bridge port and the other dev is a master
++ *	of the same bridge port dev, then consider it a bridge flow packet 
++ *	and return true.
++ */
++static bool ecm_ipv4_is_bridge_pkt(struct net_device *in,
++		struct net_device *out)
++{
++	struct net_device *lower = NULL;
++	struct net_device *upper = NULL;
++	struct net_device *bridge = NULL;
++
++	if (in->priv_flags & IFF_BRIDGE_PORT) {
++		lower = in;
++		bridge = out;
++	} else if (out->priv_flags & IFF_BRIDGE_PORT) {
++		lower = out;
++		bridge = in;
++	}
++
++	if (!lower)
++		return false;
++
++	rcu_read_lock();
++	upper = netdev_master_upper_dev_get_rcu(lower);
++	rcu_read_unlock();
++	return upper && (upper == bridge);
++}
++
+ /*
+  * ecm_ipv4_post_routing_hook()
+  *	Called for IP packets that are going out to interfaces after IP routing stage.
+@@ -1572,6 +1603,14 @@ static unsigned int ecm_ipv4_post_routing_hook(void *priv,
+ 		return NF_ACCEPT;
+ 	}
+ 
++	/*
++	 * Skip bridge flow packet
++	 */
++	if (ecm_ipv4_is_bridge_pkt(in, out)) {
++		DEBUG_TRACE("Bridge flow, ignoring: %px\n", skb);
++		dev_put(in);
++		return NF_ACCEPT;
++	}
+ #ifndef ECM_INTERFACE_OVS_BRIDGE_ENABLE
+ 	/*
+ 	 * skip OpenVSwitch flows because we don't accelerate them

qca/qca-nss-ecm/patches/902-qca-nss-ecm-Fix-nf_ct_net-null-pointer-reference.patch

@@ -1,75 +0,0 @@
---- a/frontends/nss/ecm_nss_ported_ipv4.c
-+++ b/frontends/nss/ecm_nss_ported_ipv4.c
-@@ -335,8 +335,12 @@ static void ecm_nss_ported_ipv4_connecti
- 	uint8_t dest_mac_xlate[ETH_ALEN];
- 	ecm_db_direction_t ecm_dir;
- 	ecm_front_end_acceleration_mode_t result_mode;
--	struct net *net = nf_ct_net(ct);
--	struct nf_tcp_net *tn = nf_tcp_pernet(net);
-+	struct nf_tcp_net *tn;
-+
-+	if (ct) {
-+		struct net *net = nf_ct_net(ct);
-+		tn = nf_tcp_pernet(net);
-+	}
-
- 	DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
-
---- a/frontends/nss/ecm_nss_ported_ipv6.c
-+++ b/frontends/nss/ecm_nss_ported_ipv6.c
-@@ -340,8 +340,12 @@ static void ecm_nss_ported_ipv6_connecti
- 	ip_addr_t src_ip;
- 	ip_addr_t dest_ip;
- 	ecm_front_end_acceleration_mode_t result_mode;
--	struct net *net = nf_ct_net(ct);
--	struct nf_tcp_net *tn = nf_tcp_pernet(net);
-+	struct nf_tcp_net *tn;
-+
-+	if (ct) {
-+		struct net *net = nf_ct_net(ct);
-+		tn = nf_tcp_pernet(net);
-+	}
-
- 	DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
-
---- a/frontends/sfe/ecm_sfe_ported_ipv4.c
-+++ b/frontends/sfe/ecm_sfe_ported_ipv4.c
-@@ -365,11 +365,15 @@ static void ecm_sfe_ported_ipv4_connecti
- 	uint8_t dest_mac_xlate[ETH_ALEN];
- 	ecm_db_direction_t ecm_dir;
- 	ecm_front_end_acceleration_mode_t result_mode;
--   struct net *net = nf_ct_net(ct);
--   struct nf_tcp_net *tn = nf_tcp_pernet(net);
-+   struct nf_tcp_net *tn;
- 	uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
- 	ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
-
-+	if (ct) {
-+		struct net *net = nf_ct_net(ct);
-+		tn = nf_tcp_pernet(net);
-+	}
-+
- 	DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
-
- 	/*
-
---- a/frontends/sfe/ecm_sfe_ported_ipv6.c
-+++ b/frontends/sfe/ecm_sfe_ported_ipv6.c
-@@ -369,11 +369,15 @@ static void ecm_sfe_ported_ipv6_connecti
- 	ip_addr_t src_ip;
- 	ip_addr_t dest_ip;
- 	ecm_front_end_acceleration_mode_t result_mode;
--	struct net *net = nf_ct_net(ct);
--   struct nf_tcp_net *tn = nf_tcp_pernet(net);
-+	struct nf_tcp_net *tn;
-    uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED);
- 	ecm_sfe_common_l2_accel_check_callback_t l2_accel_check;
-
-+	if (ct) {
-+		struct net *net = nf_ct_net(ct);
-+		tn = nf_tcp_pernet(net);
-+	}
-+
- 	DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci);
-
- 	/*