From 2c9ffba36324198f8dfd69a464e089dc0f777ce1 Mon Sep 17 00:00:00 2001 From: Qosmio Date: Mon, 8 Jan 2024 17:44:47 -0500 Subject: [PATCH] qca-nss-ecm: properly setup firewall, init, defaults for 6.1 --- qca/qca-nss-ecm/files/qca-nss-ecm.defaults | 20 ++- qca/qca-nss-ecm/files/qca-nss-ecm.firewall | 21 +-- qca/qca-nss-ecm/files/qca-nss-ecm.init | 167 +++++++++++---------- 3 files changed, 111 insertions(+), 97 deletions(-) diff --git a/qca/qca-nss-ecm/files/qca-nss-ecm.defaults b/qca/qca-nss-ecm/files/qca-nss-ecm.defaults index 308e265..60f7406 100644 --- a/qca/qca-nss-ecm/files/qca-nss-ecm.defaults +++ b/qca/qca-nss-ecm/files/qca-nss-ecm.defaults @@ -16,13 +16,19 @@ # uci -q batch << EOF - delete firewall.qcanssecm - set firewall.qcanssecm=include - set firewall.qcanssecm.type=script - set firewall.qcanssecm.path=/etc/firewall.d/qca-nss-ecm - set firewall.qcanssecm.family=any - set firewall.qcanssecm.reload=1 - commit firewall + delete firewall.qcanssecm + set firewall.qcanssecm=include + set firewall.qcanssecm.type=script + set firewall.qcanssecm.path=/etc/firewall.d/qca-nss-ecm + commit firewall EOF +grep -q "fw3" /etc/init.d/firewall && { + uci -q batch << EOF + set firewall.qcanssecm.family=any + set firewall.qcanssecm.reload=1 + commit firewall +EOF +} + exit 0 diff --git a/qca/qca-nss-ecm/files/qca-nss-ecm.firewall b/qca/qca-nss-ecm/files/qca-nss-ecm.firewall index 2ec5b7e..1a2a4b5 100644 --- a/qca/qca-nss-ecm/files/qca-nss-ecm.firewall +++ b/qca/qca-nss-ecm/files/qca-nss-ecm.firewall 
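Review bot: Backend detection via `grep -q "fw3" /etc/init.d/firewall` keys on a substring of a script this package does not control, and because this is a uci-defaults file it is evaluated only once at first boot, so `family`/`reload` are never adjusted if the firewall backend changes afterwards. The firewall script this patch replaces tested for the binary instead; `[ -x /sbin/fw3 ] && { … }` (or `command -v fw3 >/dev/null`) is the direct signal that fw3 is installed and is what the firewall include itself should agree with. `uci -q batch` also silences any error from `commit firewall`, so if the commit fails the include is left unregistered with nothing logged; dropping `-q` on the batch that performs the commit, or checking its exit status, would make that visible.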
@@ -1,11 +1,14 @@
 #!/bin/sh
-if [ ! -r /sbin/fw4 ]; then
-iptables-save|grep physdev-is-bridged|while read a; do
- iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-done
-iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
-ip6tables-save|grep physdev-is-bridged|while read a; do
- ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-done
-ip6tables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
+
+if grep -q "fw3" /etc/init.d/firewall; then
+ iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
+ iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
+ iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
+ iptables -A RATE-LIMIT -j DROP
+ iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
+elif grep -q "fw4" /etc/init.d/firewall; then
+ nft add chain inet fw4 RATE-LIMIT
+ nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
+ nft add rule inet fw4 RATE-LIMIT counter drop
+ nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
 fi
diff --git a/qca/qca-nss-ecm/files/qca-nss-ecm.init b/qca/qca-nss-ecm/files/qca-nss-ecm.init
index ac77672..e67608d 100644
--- a/qca/qca-nss-ecm/files/qca-nss-ecm.init
+++ b/qca/qca-nss-ecm/files/qca-nss-ecm.init
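Review bot: The fw3 branch installs the RATE-LIMIT chain only through iptables, so the new-connection cap on `zone_wan_forward` applies to IPv4 alone, whereas the fw4 branch's `inet fw4` table covers both families and the include is registered with `family=any`; under fw3, forwarded IPv6 connections from wan are left unlimited. The same five commands should be mirrored with ip6tables (fw3 presumably creates the same `zone_wan_forward` chain in the v6 table). Both `limit` and `limit rate` are a single bucket shared by every source, so one remote host opening connections at 1000/s causes `DROP` for all other new wan-forwarded connections — if the intent is abuse throttling rather than a global CPU cap, a per-source `hashlimit` (fw3) or an nft `meter` keyed on `ip saddr` fits better, and the unconditional `counter drop` deserves a comment stating the trade-off. The hard-coded `-I zone_wan_forward 5` will presumably fail with "Index of insertion too big" if that chain holds fewer than four rules when the include runs, which is worth guarding or replacing with position `1`.
```shell
if grep -q "fw3" /etc/init.d/firewall; then
	# … unchanged: iptables RATE-LIMIT chain setup and zone_wan_forward jump …
	ip6tables -nvL | grep -q "Chain RATE-LIMIT" && ip6tables -F RATE-LIMIT
	ip6tables -nvL | grep -q "Chain RATE-LIMIT" || ip6tables -N RATE-LIMIT
	ip6tables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
	ip6tables -A RATE-LIMIT -j DROP
	ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
# … unchanged: fw4 branch …
```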
@@ -18,116 +18,121 @@ # openwrt build scripts automatically enable this package starting # at boot. -START=19 +START=26 -get_front_end_mode() { - config_load "ecm" - config_get front_end global acceleration_engine "auto" - - case $front_end in - auto) - echo '0' - ;; - nss) - echo '1' - ;; - *) - echo 'uci_option_acceleration_engine is invalid' - esac +sysctl_update() { + local name value file + name=${1//\//\\/} + value=${2//\//\\/} + file=${3:-/etc/sysctl.d/qca-nss-ecm.conf} + sed -i -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \ + -e '$a'"${name}"'='"${value}" "${file}" + sysctl -w ${name}=${value} } -support_bridge() { - # NSS support bridge acceleration - [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && [ -d /sys/kernel/debug/ecm/ecm_nss_ipv6 ] && return 0 +get_front_end_mode() { + config_load "ecm" + config_get front_end global acceleration_engine "auto" + + case $front_end in + auto) + echo '0' + ;; + nss) + echo '1' + ;; + *) + echo 'uci_option_acceleration_engine is invalid' + esac } enable_bridge_filtering() { - sysctl -w net.bridge.bridge-nf-call-arptables=1 - sysctl -w net.bridge.bridge-nf-call-iptables=1 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1 - - if ([ -z "$(grep "net.bridge.bridge-nf-call-arptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \ - [ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \ - [ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] \ - ); then - echo 'net.bridge.bridge-nf-call-arptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf - echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf - echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf - fi + sysctl_update net.bridge.bridge-nf-call-arptables 1 + sysctl_update net.bridge.bridge-nf-call-iptables 1 + sysctl_update net.bridge.bridge-nf-call-ip6tables 1 } disable_bridge_filtering() { - sysctl -w net.bridge.bridge-nf-call-arptables=0 - sysctl 
-w net.bridge.bridge-nf-call-iptables=0 - sysctl -w net.bridge.bridge-nf-call-ip6tables=0 - - sed '/net.bridge.bridge-nf-call-arptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf - sed '/net.bridge.bridge-nf-call-iptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf - sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf + sysctl_update net.bridge.bridge-nf-call-arptables 0 + sysctl_update net.bridge.bridge-nf-call-iptables 0 + sysctl_update net.bridge.bridge-nf-call-ip6tables 0 } load_ecm() { - [ -d /sys/module/ecm ] || { - insmod ecm front_end_selection=$(get_front_end_mode) - echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts - } + [ -d /sys/module/ecm ] || { + insmod ecm front_end_selection="$(get_front_end_mode)" + echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts + } - support_bridge + # Set conntrack event mode to 1 for 6.1 kernel to get the conntrack events from ECM + local kernel_major + kernel_major=$(uname -r |cut -d. -f1) + if [ "$kernel_major" -eq 6 ]; then + echo 1 > /proc/sys/net/netfilter/nf_conntrack_events + fi } unload_ecm() { - disable_bridge_filtering + disable_bridge_filtering - if [ -d /sys/module/ecm ]; then - # - # Stop ECM frontends - # - echo 1 > /sys/kernel/debug/ecm/front_end_ipv4_stop - echo 1 > /sys/kernel/debug/ecm/front_end_ipv6_stop + # Change it back to 6.1 linux's default setting + local kernel_major + kernel_major="$(uname -r |cut -d. 
-f1)" + if [ "$kernel_major" -eq 6 ]; then + echo 2 > /proc/sys/net/netfilter/nf_conntrack_events + fi - # - # Defunct the connections - # - echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all - sleep 5 + if [ -d /sys/module/ecm ]; then + # + # Stop ECM frontends + # + echo 1 > /sys/kernel/debug/ecm/front_end_ipv4_stop + echo 1 > /sys/kernel/debug/ecm/front_end_ipv6_stop - rmmod ecm - sleep 1 - fi + # + # Defunct the connections + # + echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all + sleep 5 + + rmmod ecm + sleep 1 + fi } start() { - load_ecm + load_ecm - # If the acceleration engine is NSS, enable wifi redirect - [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1 + # If the acceleration engine is NSS, enable wifi redirect + [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1 - # If bridge filtering is enabled, apply and persist the sysctl flags - local bridge_filtering_enabled="$(uci get ecm.@general[0].enable_bridge_filtering)" - if [ "$bridge_filtering_enabled" -eq 1 ]; then - echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!" - enable_bridge_filtering - else - disable_bridge_filtering - fi + # If bridge filtering is enabled, apply and persist the sysctl flags + local bridge_filtering_enabled + bridge_filtering_enabled="$(uci get ecm.@general[0].enable_bridge_filtering)" + if [ "$bridge_filtering_enabled" -eq 1 ]; then + echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!" + enable_bridge_filtering + else + disable_bridge_filtering + fi - if [ -d /sys/module/qca_ovsmgr ]; then - insmod ecm_ovs - fi + if [ -d /sys/module/qca_ovsmgr ]; then + insmod ecm_ovs + fi } stop() { - # If ECM is already not loaded, just return - if [ ! -d /sys/module/ecm ]; then - return - fi + # If ECM is already not loaded, just return + if [ ! 
-d /sys/module/ecm ]; then + return + fi - # If the acceleration engine is NSS, disable wifi redirect - [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0 + # If the acceleration engine is NSS, disable wifi redirect + [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0 - if [ -d /sys/module/ecm_ovs ]; then - rmmod ecm_ovs - fi + if [ -d /sys/module/ecm_ovs ]; then + rmmod ecm_ovs + fi - unload_ecm + unload_ecm }
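Review bot: `get_front_end_mode` reports an invalid `acceleration_engine` value on stdout, and `load_ecm` captures that stdout with `$(get_front_end_mode)` and hands it to `insmod ecm front_end_selection=…`, so a typo in the UCI config becomes the literal string `uci_option_acceleration_engine is invalid` passed as a module parameter instead of a clear failure. The error arm should go to stderr and fail — `echo 'uci_option_acceleration_engine is invalid' >&2; return 1` — and `load_ecm` should check it: `mode="$(get_front_end_mode)" || return 1` before `insmod ecm front_end_selection="$mode"`. Separately, `sysctl_update` relies on the `${1//\//\\/}` substitution, a bash extension; it presumably works on OpenWrt's busybox ash with bash compatibility enabled, but no bash shebang is in view, so a comment such as `# ${var//pat/rep} needs ash built with bash-compat` would save the next reader a surprise. The name argument is also interpolated into the `sed` address unescaped apart from `/`, so the dots in `net.bridge.…` match any character — harmless for the fixed callers here, but the helper is not safe for arbitrary keys and should say so.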