diff --git a/qca/qca-nss-ecm/Makefile b/qca/qca-nss-ecm/Makefile index 369e6c2..609b243 100644 --- a/qca/qca-nss-ecm/Makefile +++ b/qca/qca-nss-ecm/Makefile @@ -73,28 +73,6 @@ ECM_MAKE_OPTS+=ECM_FRONT_END_NSS_ENABLE=y \ ECM_BAND_STEERING_ENABLE=n endif -# Variant with additional features enabled for noload profile -define KernelPackage/qca-nss-ecm-noload -$(call KernelPackage/qca-nss-ecm) - TITLE+= (with noload features) - PROVIDES:=kmod-qca-nss-ecm - VARIANT:=noload -endef - -define KernelPackage/qca-nss-ecm-noload/Description - $(call KernelPackage/qca-nss-ecm/Description) - When selected, this package installs the driver, but does not load it at init. -endef - -define KernelPackage/qca-nss-ecm-noload/install - $(call KernelPackage/qca-nss-ecm/install, $(1)) - # - # Remove the START line from the init script, so that the symlink - # in the /etc/rc.d directory is not created. - # - sed -i '/START=/d' $(1)/etc/init.d/qca-nss-ecm -endef - # Disable ECM IPv6 support when global IPv6 support is disabled. ifneq ($(CONFIG_IPV6),) ECM_MAKE_OPTS+=ECM_IPV6_ENABLE=y @@ -176,4 +154,3 @@ define Build/Compile endef $(eval $(call KernelPackage,qca-nss-ecm)) -$(eval $(call KernelPackage,qca-nss-ecm-noload)) diff --git a/qca/qca-nss-ecm/patches/0001-treewide-componentize-the-module-even-more.patch b/qca/qca-nss-ecm/patches/0001-treewide-componentize-the-module-even-more.patch index 6559d4c..12b3490 100644 --- a/qca/qca-nss-ecm/patches/0001-treewide-componentize-the-module-even-more.patch +++ b/qca/qca-nss-ecm/patches/0001-treewide-componentize-the-module-even-more.patch @@ -5,12 +5,12 @@ Subject: [PATCH 01/12] treewide: componentize the module even more 
Signed-off-by: Ansuel Smith --- - Makefile | 56 +++++++++++++++++++++++++------- + Makefile | 57 +++++++++++++++++++++++++------- ecm_db/ecm_db_connection.c | 8 +++++ ecm_db/ecm_db_node.c | 4 +++ ecm_interface.c | 8 +++++ frontends/ecm_front_end_common.c | 7 ++++ - 5 files changed, 72 insertions(+), 11 deletions(-) + 5 files changed, 72 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index a59cbce..f7e40f8 100644 @@ -153,6 +153,14 @@ index a59cbce..f7e40f8 100644 ccflags-$(ECM_BAND_STEERING_ENABLE) += -DECM_BAND_STEERING_ENABLE # ############################################################################# +@@ -488,7 +488,6 @@ ccflags-y += -DECM_TRACKER_UDP_DEBUG_LEVEL=1 + ccflags-y += -DECM_BOND_NOTIFIER_DEBUG_LEVEL=1 + ccflags-y += -DECM_INTERFACE_DEBUG_LEVEL=1 + ccflags-y += -DECM_STATE_DEBUG_LEVEL=1 +-ccflags-y += -DECM_OPENWRT_SUPPORT=1 + ccflags-y += -DECM_NOTIFIER_DEBUG_LEVEL=1 + ccflags-y += -DECM_AE_CLASSIFIER_DEBUG_LEVEL=1 + diff --git a/ecm_db/ecm_db_connection.c b/ecm_db/ecm_db_connection.c index 6d0bff4..77e5f3f 100644 --- a/ecm_db/ecm_db_connection.c diff --git a/qca/qca-nss-ecm/patches/0005-qca-nss-ecm-resolve-the-cpu-high-load-regarding-ecm.patch b/qca/qca-nss-ecm/patches/0004-qca-nss-ecm-resolve-the-cpu-high-load-regarding-ecm.patch similarity index 100% rename from qca/qca-nss-ecm/patches/0005-qca-nss-ecm-resolve-the-cpu-high-load-regarding-ecm.patch rename to qca/qca-nss-ecm/patches/0004-qca-nss-ecm-resolve-the-cpu-high-load-regarding-ecm.patch diff --git a/qca/qca-nss-ecm/patches/0004-treewide-fix-wrong-chain-events-flag.patch b/qca/qca-nss-ecm/patches/0004-treewide-fix-wrong-chain-events-flag.patch deleted file mode 100644 index aa7e9fd..0000000 --- a/qca/qca-nss-ecm/patches/0004-treewide-fix-wrong-chain-events-flag.patch +++ /dev/null 
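Review bot: Deleting `ccflags-y += -DECM_OPENWRT_SUPPORT=1` in the embedded Makefile hunk flips every remaining `#ifdef ECM_OPENWRT_SUPPORT` in the driver to its non-OpenWrt branch, not only the four ported frontends that patch 0007 rewrites in this same commit. I can't see from here whether other sites still test the macro; if any do, they now silently build the generic path with no build-time signal. Worth grepping the tree before merging, and the patch description (or a one-line comment next to the deleted line, e.g. `# ECM_OPENWRT_SUPPORT no longer needed: the exported be_liberal/no_window_check globals are not used`) should say why the define was dropped.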
@@ -1,40 +0,0 @@ -From 33a2f57d6852035730b353a14912ce2c588f3017 Mon Sep 17 00:00:00 2001 -From: Ansuel Smith -Date: Sat, 15 May 2021 03:51:14 +0200 -Subject: [PATCH 04/12] treewide: fix wrong chain events flag - -Signed-off-by: Ansuel Smith ---- - ecm_conntrack_notifier.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c -index 7b20132..9c8a45e 100644 ---- a/ecm_conntrack_notifier.c -+++ b/ecm_conntrack_notifier.c -@@ -423,7 +423,11 @@ int ecm_conntrack_notifier_init(struct dentry *dentry) - /* - * Eventing subsystem is available so we register a notifier hook to get fast notifications of expired connections - */ -+#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS -+ result = nf_conntrack_register_chain_notifier(&init_net, &ecm_conntrack_notifier); -+#else - result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier); -+#endif - if (result < 0) { - DEBUG_ERROR("Can't register nf notifier hook.\n"); - debugfs_remove_recursive(ecm_conntrack_notifier_dentry); -@@ -441,7 +445,9 @@ EXPORT_SYMBOL(ecm_conntrack_notifier_init); - void ecm_conntrack_notifier_exit(void) - { - DEBUG_INFO("ECM Conntrack Notifier exit\n"); --#ifdef CONFIG_NF_CONNTRACK_EVENTS -+#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS -+ nf_conntrack_unregister_chain_notifier(&init_net, &ecm_conntrack_notifier); -+#else - nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier); - #endif - /* --- -2.34.1 - diff --git a/qca/qca-nss-ecm/patches/0006-ecm_interface-switch-to-kernel_recvmsg-api.patch b/qca/qca-nss-ecm/patches/0005-ecm_interface-switch-to-kernel_recvmsg-api.patch similarity index 100% rename from qca/qca-nss-ecm/patches/0006-ecm_interface-switch-to-kernel_recvmsg-api.patch rename to qca/qca-nss-ecm/patches/0005-ecm_interface-switch-to-kernel_recvmsg-api.patch 
diff --git a/qca/qca-nss-ecm/patches/0006-treewide-rework-notifier-changes-for-5.15.patch b/qca/qca-nss-ecm/patches/0006-treewide-rework-notifier-changes-for-5.15.patch new file mode 100644 index 0000000..d1cf315 --- /dev/null +++ b/qca/qca-nss-ecm/patches/0006-treewide-rework-notifier-changes-for-5.15.patch 
@@ -0,0 +1,91 @@ +From 0df0d3ffb4b6df09a28d233925b533de14be6f0e Mon Sep 17 00:00:00 2001 +From: Bit Thief +Date: Tue, 4 Apr 2023 05:22:33 +0300 +Subject: [PATCH] treewide: rework notifier changes for 5.15 + +--- + ecm_conntrack_notifier.c | 35 +++++++++++++++-------------------- + 1 file changed, 15 insertions(+), 20 deletions(-) + +diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c +index 5f802b7..50e8566 100644 +--- a/ecm_conntrack_notifier.c ++++ b/ecm_conntrack_notifier.c +@@ -332,15 +332,8 @@ EXPORT_SYMBOL(ecm_conntrack_ipv4_event); + * ecm_conntrack_event() + * Callback event invoked when conntrack connection state changes, currently we handle destroy events to quickly release state + */ +-#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS +-static int ecm_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr) +-#else +-static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item) +-#endif ++static int ecm_conntrack_event(unsigned int events, const struct nf_ct_event *item) + { +-#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS +- struct nf_ct_event *item = (struct nf_ct_event *)ptr; +-#endif + struct nf_conn *ct = item->ct; + + /* +@@ -387,23 +380,17 @@ static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item) + return NOTIFY_DONE; + } + +-#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS +-/* +- * struct notifier_block ecm_conntrack_notifier +- * Netfilter conntrack event system to monitor connection tracking changes +- */ +-static struct notifier_block ecm_conntrack_notifier = { +- .notifier_call = ecm_conntrack_event, +-}; +-#else + /* + * struct nf_ct_event_notifier ecm_conntrack_notifier + * Netfilter conntrack event system to monitor connection tracking changes + */ + static struct nf_ct_event_notifier ecm_conntrack_notifier = { +- .fcn = ecm_conntrack_event, +-}; ++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) ++ .fcn = ecm_conntrack_event, ++#else ++ .ct_event = ecm_conntrack_event, + #endif ++}; + 
#endif + + /* +@@ -440,12 +427,16 @@ int ecm_conntrack_notifier_init(struct dentry *dentry) + /* + * Eventing subsystem is available so we register a notifier hook to get fast notifications of expired connections + */ +- result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier); ++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) ++ result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier); + if (result < 0) { + DEBUG_ERROR("Can't register nf notifier hook.\n"); + debugfs_remove_recursive(ecm_conntrack_notifier_dentry); + return result; + } ++#else ++ nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier); ++#endif + #endif + + return 0; +@@ -459,7 +450,11 @@ void ecm_conntrack_notifier_exit(void) + { + DEBUG_INFO("ECM Conntrack Notifier exit\n"); + #ifdef CONFIG_NF_CONNTRACK_EVENTS ++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) + nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier); ++#else ++ nf_conntrack_unregister_notifier(&init_net); ++#endif + #endif + /* + * Remove the debugfs files recursively. +-- +2.40.0 diff --git a/qca/qca-nss-ecm/patches/0008-frontends-drop-use-of-static-be_liberal-and-no_windo.patch b/qca/qca-nss-ecm/patches/0007-frontends-drop-use-of-static-be_liberal-and-no_windo.patch similarity index 51% rename from qca/qca-nss-ecm/patches/0008-frontends-drop-use-of-static-be_liberal-and-no_windo.patch rename to qca/qca-nss-ecm/patches/0007-frontends-drop-use-of-static-be_liberal-and-no_windo.patch index 9d9c753..c9bdfc3 100644 --- a/qca/qca-nss-ecm/patches/0008-frontends-drop-use-of-static-be_liberal-and-no_windo.patch +++ b/qca/qca-nss-ecm/patches/0007-frontends-drop-use-of-static-be_liberal-and-no_windo.patch 
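Review bot: In the `ecm_conntrack_notifier_init` hunk the `#else` branch for kernels at or above 5.15 calls `nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);` and discards the result, so the `if (result < 0)` error path only exists on older kernels. As far as I can tell the 5.15 variant still returns an int and fails with -EBUSY when another notifier already owns the per-netns slot; ignoring it means the module comes up without conntrack events — the comment above `ecm_conntrack_event` says those events are what releases state quickly — and nothing is logged. Keep a single `result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);` followed by the existing `if (result < 0)` block and drop the version split around the registration; the `LINUX_VERSION_CODE` split is only needed for the `.fcn`/`.ct_event` initializer and for the unregister call. `ecm_conntrack_notifier_init` starts before the hunk.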
@@ -1,22 +1,17 @@ -From 15530431f3ce3273b3cfc2da356d7fb71ed48020 Mon Sep 17 00:00:00 2001 -From: Ansuel Smith -Date: Sun, 8 May 2022 16:16:34 +0200 -Subject: [PATCH 08/12] frontends: drop use of static be_liberal and - no_window_check +From 6103e80ad89775eee55a97c8f8e07e9f2ac7d332 Mon Sep 17 00:00:00 2001 +From: Bit Thief +Date: Tue, 4 Apr 2023 05:43:43 +0300 +Subject: [PATCH] frontends: drop use of static be_liberal and no_window_check -Implementation changed, check these values indirectly instead of relying -on an extern EXPORT_SYMBOL. - -Signed-off-by: Ansuel Smith --- - frontends/nss/ecm_nss_ported_ipv4.c | 14 ++++---------- - frontends/nss/ecm_nss_ported_ipv6.c | 14 ++++---------- - frontends/sfe/ecm_sfe_ported_ipv4.c | 6 ++++-- - frontends/sfe/ecm_sfe_ported_ipv6.c | 6 ++++-- - 4 files changed, 16 insertions(+), 24 deletions(-) + frontends/nss/ecm_nss_ported_ipv4.c | 22 ++++++++-------------- + frontends/nss/ecm_nss_ported_ipv6.c | 20 +++++++------------- + frontends/sfe/ecm_sfe_ported_ipv4.c | 22 ++++++++-------------- + frontends/sfe/ecm_sfe_ported_ipv6.c | 22 ++++++++-------------- + 4 files changed, 31 insertions(+), 55 deletions(-) diff --git a/frontends/nss/ecm_nss_ported_ipv4.c b/frontends/nss/ecm_nss_ported_ipv4.c -index ea997e3..0c4261a 100644 +index 6375b6b..ed9c10b 100644 --- a/frontends/nss/ecm_nss_ported_ipv4.c +++ b/frontends/nss/ecm_nss_ported_ipv4.c @@ -125,14 +125,6 @@ struct ecm_nss_ported_ipv4_connection_instance { 
@@ -34,29 +29,36 @@ index ea997e3..0c4261a 100644 /* * ecm_nss_ported_ipv4_connection_callback() * Callback for handling create ack/nack calls. -@@ -372,6 +364,8 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne +@@ -372,6 +364,12 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne uint8_t dest_mac_xlate[ETH_ALEN]; ecm_db_direction_t ecm_dir; ecm_front_end_acceleration_mode_t result_mode; -+ struct net *net = nf_ct_net(ct); -+ struct nf_tcp_net *tn = nf_tcp_pernet(net); ++ struct nf_tcp_net *tn; ++ ++ if (ct) { ++ struct net *net = nf_ct_net(ct); ++ tn = nf_tcp_pernet(net); ++ } DEBUG_CHECK_MAGIC(npci, ECM_NSS_PORTED_IPV4_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci); -@@ -1236,9 +1230,9 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne +@@ -1235,12 +1233,8 @@ static void ecm_nss_ported_ipv4_connection_accelerate(struct ecm_front_end_conne + nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin; nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end; nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend; - #ifdef ECM_OPENWRT_SUPPORT +-#ifdef ECM_OPENWRT_SUPPORT - if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check -+ if (tn->tcp_be_liberal || tn->tcp_no_window_check - #else +-#else - if (nf_ct_tcp_be_liberal +-#endif +- || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) + if (tn->tcp_be_liberal - #endif - || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) ++ || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) || (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) { + nircm->rule_flags |= NSS_IPV4_RULE_CREATE_FLAG_NO_SEQ_CHECK; + } diff --git a/frontends/nss/ecm_nss_ported_ipv6.c b/frontends/nss/ecm_nss_ported_ipv6.c -index 451a557..d1b3e14 100644 +index 1be8a58..3062c12 100644 --- a/frontends/nss/ecm_nss_ported_ipv6.c 
+++ b/frontends/nss/ecm_nss_ported_ipv6.c @@ -125,14 +125,6 @@ struct ecm_nss_ported_ipv6_connection_instance { @@ -74,78 +76,128 @@ index 451a557..d1b3e14 100644 /* * ecm_nss_ported_ipv6_connection_callback() * Callback for handling create ack/nack calls. -@@ -376,6 +368,8 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne +@@ -376,6 +368,12 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne ip_addr_t src_ip; ip_addr_t dest_ip; ecm_front_end_acceleration_mode_t result_mode; -+ struct net *net = nf_ct_net(ct); -+ struct nf_tcp_net *tn = nf_tcp_pernet(net); ++ struct nf_tcp_net *tn; ++ ++ if (ct) { ++ struct net *net = nf_ct_net(ct); ++ tn = nf_tcp_pernet(net); ++ } DEBUG_CHECK_MAGIC(npci, ECM_NSS_PORTED_IPV6_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci); -@@ -1162,9 +1156,9 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne +@@ -1161,11 +1159,7 @@ static void ecm_nss_ported_ipv6_connection_accelerate(struct ecm_front_end_conne + nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin; nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end; nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend; - #ifdef ECM_OPENWRT_SUPPORT +-#ifdef ECM_OPENWRT_SUPPORT - if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check -+ if (tn->tcp_be_liberal || tn->tcp_no_window_check - #else +-#else - if (nf_ct_tcp_be_liberal +-#endif + if (tn->tcp_be_liberal - #endif || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) || (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) { + nircm->rule_flags |= NSS_IPV6_RULE_CREATE_FLAG_NO_SEQ_CHECK; diff --git a/frontends/sfe/ecm_sfe_ported_ipv4.c b/frontends/sfe/ecm_sfe_ported_ipv4.c -index 53f5b07..ef719ec 100644 +index 6e375f8..e5ae593 100644 --- a/frontends/sfe/ecm_sfe_ported_ipv4.c 
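Review bot: `struct nf_tcp_net *tn;` is only assigned inside `if (ct)`, yet the second hunk of the same file dereferences it unconditionally in `if (tn->tcp_be_liberal || ...`. If that TCP block can run with `ct == NULL` this reads an uninitialized pointer; if it cannot (the `ct->proto.tcp...` terms in the same condition suggest a guard exists outside the hunk, and the accelerate function itself starts before it), the compiler still cannot prove that and `-Wmaybe-uninitialized` fires. Initialize it as `struct nf_tcp_net *tn = NULL;` and write the first term as `if ((tn && tn->tcp_be_liberal) || ...`. The same pattern is repeated in the ecm_nss_ported_ipv6.c, ecm_sfe_ported_ipv4.c and ecm_sfe_ported_ipv6.c hunks that follow. Note also that the rewrite drops the `tcp_no_window_check` term the old `ECM_OPENWRT_SUPPORT` branch consulted, so connections relying on that sysctl no longer get the NO_SEQ_CHECK flag; if that is deliberate the patch description should say so.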
+++ b/frontends/sfe/ecm_sfe_ported_ipv4.c -@@ -421,6 +421,8 @@ static void ecm_sfe_ported_ipv4_connecti +@@ -123,14 +123,6 @@ struct ecm_sfe_ported_ipv4_connection_instance { + static int ecm_sfe_ported_ipv4_accelerated_count[ECM_SFE_PORTED_IPV4_PROTO_MAX] = {0}; + /* Array of Number of TCP and UDP connections currently offloaded */ + +-/* +- * Expose what should be a static flag in the TCP connection tracker. +- */ +-#ifdef ECM_OPENWRT_SUPPORT +-extern int nf_ct_tcp_no_window_check; +-#endif +-extern int nf_ct_tcp_be_liberal; +- + /* + * ecm_sfe_ported_ipv4_get_stats_bitmap() + * Get bit map +@@ -357,9 +357,15 @@ static void ecm_sfe_ported_ipv4_connecti uint8_t dest_mac_xlate[ETH_ALEN]; ecm_db_direction_t ecm_dir; ecm_front_end_acceleration_mode_t result_mode; -+ struct net *net = nf_ct_net(ct); -+ struct nf_tcp_net *tn = nf_tcp_pernet(net); ++ struct nf_tcp_net *tn; uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED); ecm_sfe_common_l2_accel_check_callback_t l2_accel_check; -@@ -1333,9 +1335,9 @@ static void ecm_sfe_ported_ipv4_connecti ++ if (ct) { ++ struct net *net = nf_ct_net(ct); ++ tn = nf_tcp_pernet(net); ++ } ++ + DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci); + + /* +@@ -1332,11 +1330,7 @@ static void ecm_sfe_ported_ipv4_connection_accelerate(struct ecm_front_end_conne + nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin; nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end; nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend; - #ifdef ECM_OPENWRT_SUPPORT +-#ifdef ECM_OPENWRT_SUPPORT - if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check -+ if (tn->tcp_be_liberal || tn->tcp_no_window_check) - #else +-#else - if (nf_ct_tcp_be_liberal -+ if (tn->tcp_be_liberal) - #endif +-#endif ++ if (tn->tcp_be_liberal || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) || 
(ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) { + nircm->rule_flags |= SFE_RULE_CREATE_FLAG_NO_SEQ_CHECK; diff --git a/frontends/sfe/ecm_sfe_ported_ipv6.c b/frontends/sfe/ecm_sfe_ported_ipv6.c -index ae04cb4..9abb563 100644 +index f1885aa..4a6fdbd 100644 --- a/frontends/sfe/ecm_sfe_ported_ipv6.c 
+++ b/frontends/sfe/ecm_sfe_ported_ipv6.c -@@ -426,7 +426,9 @@ static void ecm_sfe_ported_ipv6_connecti +@@ -124,14 +124,6 @@ struct ecm_sfe_ported_ipv6_connection_instance { + static int ecm_sfe_ported_ipv6_accelerated_count[ECM_SFE_PORTED_IPV6_PROTO_MAX] = {0}; + /* Array of Number of TCP and UDP connections currently offloaded */ + +-/* +- * Expose what should be a static flag in the TCP connection tracker. +- */ +-#ifdef ECM_OPENWRT_SUPPORT +-extern int nf_ct_tcp_no_window_check; +-#endif +-extern int nf_ct_tcp_be_liberal; +- + /* + * ecm_sfe_ported_ipv6_get_stats_bitmap() + * Get bit map +@@ -361,9 +361,15 @@ static void ecm_sfe_ported_ipv6_connecti ip_addr_t src_ip; ip_addr_t dest_ip; ecm_front_end_acceleration_mode_t result_mode; - uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED); -+ struct net *net = nf_ct_net(ct); -+ struct nf_tcp_net *tn = nf_tcp_pernet(net); ++ struct nf_tcp_net *tn; + uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED); ecm_sfe_common_l2_accel_check_callback_t l2_accel_check; - DEBUG_CHECK_MAGIC(npci, ECM_SFE_PORTED_IPV6_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", npci); -@@ -1293,9 +1295,9 @@ static void ecm_sfe_ported_ipv6_connecti ++ if (ct) { ++ struct net *net = nf_ct_net(ct); ++ tn = nf_tcp_pernet(net); ++ } ++ + DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci); + + /* +@@ -1292,11 +1290,7 @@ static void ecm_sfe_ported_ipv6_connection_accelerate(struct ecm_front_end_conne + nircm->tcp_rule.return_max_window = ct->proto.tcp.seen[return_dir].td_maxwin; nircm->tcp_rule.return_end = ct->proto.tcp.seen[return_dir].td_end; nircm->tcp_rule.return_max_end = ct->proto.tcp.seen[return_dir].td_maxend; - #ifdef ECM_OPENWRT_SUPPORT +-#ifdef ECM_OPENWRT_SUPPORT - if (nf_ct_tcp_be_liberal || nf_ct_tcp_no_window_check -+ if (tn->tcp_be_liberal || tn->tcp_no_window_check) - #else +-#else - if 
(nf_ct_tcp_be_liberal -+ if (tn->tcp_be_liberal) - #endif +-#endif ++ if (tn->tcp_be_liberal || (ct->proto.tcp.seen[flow_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) || (ct->proto.tcp.seen[return_dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL)) { + nircm->rule_flags |= SFE_RULE_CREATE_FLAG_NO_SEQ_CHECK; -- -2.34.1 +2.40.0 diff --git a/qca/qca-nss-ecm/patches/0007-treewide-rework-notifier-changes-for-5.15.patch b/qca/qca-nss-ecm/patches/0007-treewide-rework-notifier-changes-for-5.15.patch deleted file mode 100644 index 262a8fb..0000000 --- a/qca/qca-nss-ecm/patches/0007-treewide-rework-notifier-changes-for-5.15.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From e9073363a50a25bddd96e808f04bcf56c45da4ac Mon Sep 17 00:00:00 2001 -From: Ansuel Smith -Date: Sun, 8 May 2022 18:19:47 +0200 -Subject: [PATCH 07/12] treewide: rework notifier changes for 5.15 - -Rework notifier changes for 5.15 conntrack new implementation. - -Signed-off-by: Ansuel Smith ---- - ecm_conntrack_notifier.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c -index 9c8a45e..9f2cdae 100644 ---- a/ecm_conntrack_notifier.c -+++ b/ecm_conntrack_notifier.c -@@ -322,7 +322,7 @@ EXPORT_SYMBOL(ecm_conntrack_ipv4_event); - #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS - static int ecm_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr) - #else --static int ecm_conntrack_event(unsigned int events, struct nf_ct_event *item) -+static int ecm_conntrack_event(unsigned int events, const struct nf_ct_event *item) - #endif - { - #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS -@@ -388,7 +388,11 @@ static struct notifier_block ecm_conntrack_notifier = { - * Netfilter conntrack event system to monitor connection tracking changes - */ - static struct nf_ct_event_notifier ecm_conntrack_notifier = { -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) - .fcn = ecm_conntrack_event, -+#else -+ .ct_event = ecm_conntrack_event, -+#endif - }; - #endif - #endif -@@ -426,13 +430,19 @@ int ecm_conntrack_notifier_init(struct dentry *dentry) - #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS - result = nf_conntrack_register_chain_notifier(&init_net, &ecm_conntrack_notifier); - #else -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) - result = nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier); -+#else -+ nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier); -+#endif - #endif -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) - if (result < 0) { - DEBUG_ERROR("Can't register nf notifier hook.\n"); - 
debugfs_remove_recursive(ecm_conntrack_notifier_dentry); - return result; - } -+#endif - #endif - - return 0; -@@ -448,7 +458,11 @@ void ecm_conntrack_notifier_exit(void) - #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS - nf_conntrack_unregister_chain_notifier(&init_net, &ecm_conntrack_notifier); - #else -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) - nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier); -+#else -+ nf_conntrack_unregister_notifier(&init_net); -+#endif - #endif - /* - * Remove the debugfs files recursively. --- -2.34.1 - diff --git a/qca/qca-nss-ecm/patches/0009-ecm_tracker_datagram-drop-static-for-EXPORT_SYMBOL.patch b/qca/qca-nss-ecm/patches/0008-ecm_tracker_datagram-drop-static-for-EXPORT_SYMBOL.patch similarity index 100% rename from qca/qca-nss-ecm/patches/0009-ecm_tracker_datagram-drop-static-for-EXPORT_SYMBOL.patch rename to qca/qca-nss-ecm/patches/0008-ecm_tracker_datagram-drop-static-for-EXPORT_SYMBOL.patch diff --git a/qca/qca-nss-ecm/patches/0010-frontends-drop-udp_get_timeouts-and-use-standard-ups.patch b/qca/qca-nss-ecm/patches/0009-frontends-drop-udp_get_timeouts-and-use-standard-ups.patch similarity index 100% rename from qca/qca-nss-ecm/patches/0010-frontends-drop-udp_get_timeouts-and-use-standard-ups.patch rename to qca/qca-nss-ecm/patches/0009-frontends-drop-udp_get_timeouts-and-use-standard-ups.patch diff --git a/qca/qca-nss-ecm/patches/0013-ecm_interface-fix-ppp-generic-function-calls-for-5.15.patch b/qca/qca-nss-ecm/patches/0010-ecm_interface-fix-ppp-generic-function-calls-for-5.15.patch similarity index 100% rename from qca/qca-nss-ecm/patches/0013-ecm_interface-fix-ppp-generic-function-calls-for-5.15.patch rename to qca/qca-nss-ecm/patches/0010-ecm_interface-fix-ppp-generic-function-calls-for-5.15.patch 
diff --git a/qca/qca-nss-ecm/patches/100-qca-nss-ecm-Fix-conntrack-created-firewall-stopped.patch b/qca/qca-nss-ecm/patches/100-qca-nss-ecm-Fix-conntrack-created-firewall-stopped.patch
new file mode 100644
index 0000000..aaebad9
--- /dev/null
+++ b/qca/qca-nss-ecm/patches/100-qca-nss-ecm-Fix-conntrack-created-firewall-stopped.patch
@@ -0,0 +1,45 @@
+diff --git a/ecm_conntrack_notifier.c b/ecm_conntrack_notifier.c
+index 50e8566..cf8bd33 100644
+--- a/ecm_conntrack_notifier.c
++++ b/ecm_conntrack_notifier.c
+@@ -437,6 +437,26 @@ int ecm_conntrack_notifier_init(struct dentry *dentry)
+ #else
+ nf_conntrack_register_notifier(&init_net, &ecm_conntrack_notifier);
+ #endif
++
++ /*
++ * Hold netns reference to keep the basic conntrack alive and
++ * track conntrack even when firewall stopped.
++ */
++ result = nf_ct_netns_get(&init_net, NFPROTO_IPV4);
++ if (result < 0) {
++ DEBUG_ERROR("Can't hold ipv4 netns.\n");
++ debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
++ return result;
++ }
++#ifdef ECM_IPV6_ENABLE
++ result = nf_ct_netns_get(&init_net, NFPROTO_IPV6);
++ if (result < 0) {
++ DEBUG_ERROR("Can't hold ipv6 netns.\n");
++ nf_ct_netns_put(&init_net, NFPROTO_IPV4);
++ debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
++ return result;
++ }
++#endif
+ #endif
+ 
+ return 0;
+@@ -450,6 +470,13 @@ void ecm_conntrack_notifier_exit(void)
+ {
+ DEBUG_INFO("ECM Conntrack Notifier exit\n");
+ #ifdef CONFIG_NF_CONNTRACK_EVENTS
++ /*
++ * Release netns reference.
++ */
++ nf_ct_netns_put(&init_net, NFPROTO_IPV4);
++#ifdef ECM_IPV6_ENABLE
++ nf_ct_netns_put(&init_net, NFPROTO_IPV6);
++#endif
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
+ nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
+ #else
diff --git a/qca/qca-nss-ecm/patches/101-qca-nss-ecm-Skip-bridge-flow-packet-in-post-routing-hook.patch b/qca/qca-nss-ecm/patches/101-qca-nss-ecm-Skip-bridge-flow-packet-in-post-routing-hook.patch
new file mode 100644
index 0000000..efd56c9
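Review bot: Both `nf_ct_netns_get` failure paths in the `ecm_conntrack_notifier_init` hunk return with the conntrack notifier registered a few lines earlier still in place, so a failed module load leaves `ecm_conntrack_notifier` pointing into memory that is about to be unloaded and the next conntrack event calls into freed code. The IPv6 path correctly drops the IPv4 netns reference but has the same gap. Factor the version-dependent unregister into a small static helper and call it, together with the debugfs cleanup, on both error paths; `ecm_conntrack_notifier_exit` can then call the same helper. I would also unregister the notifier before dropping the netns references in exit, the reverse of the acquisition order, though I can't tell from here whether a callback can still fire after the put. The init function starts before the hunk.
```c
/*
 * ecm_conntrack_notifier_unregister()
 *	Undo nf_conntrack_register_notifier() on every supported kernel.
 */
static void ecm_conntrack_notifier_unregister(void)
{
#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0))
	nf_conntrack_unregister_notifier(&init_net, &ecm_conntrack_notifier);
#else
	nf_conntrack_unregister_notifier(&init_net);
#endif
}

/* … unchanged: ecm_conntrack_notifier_init() up to and including the notifier registration … */
	result = nf_ct_netns_get(&init_net, NFPROTO_IPV4);
	if (result < 0) {
		DEBUG_ERROR("Can't hold ipv4 netns.\n");
		ecm_conntrack_notifier_unregister();
		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
		return result;
	}
#ifdef ECM_IPV6_ENABLE
	result = nf_ct_netns_get(&init_net, NFPROTO_IPV6);
	if (result < 0) {
		DEBUG_ERROR("Can't hold ipv6 netns.\n");
		nf_ct_netns_put(&init_net, NFPROTO_IPV4);
		ecm_conntrack_notifier_unregister();
		debugfs_remove_recursive(ecm_conntrack_notifier_dentry);
		return result;
	}
#endif
```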
--- /dev/null
+++ b/qca/qca-nss-ecm/patches/101-qca-nss-ecm-Skip-bridge-flow-packet-in-post-routing-hook.patch
@@ -0,0 +1,57 @@
+diff --git a/frontends/cmn/ecm_ipv4.c b/frontends/cmn/ecm_ipv4.c
+index f69eb45c135be420968bc2de1101c3220a8faeb6..cac02b4bef4fb4da2d5b8411efeb496a6d406db9 100644
+--- a/frontends/cmn/ecm_ipv4.c
++++ b/frontends/cmn/ecm_ipv4.c
+@@ -1502,6 +1502,37 @@ vxlan_done:
+ #endif
+ }
+ 
++/*
++ * ecm_ipv4_is_bridge_pkt()
++ * Return true if pkt is from bridge flow.
++ * If in/out dev is a bridge port and the other dev is a master
++ * of the same bridge port dev, then consider it a bridge flow packetĀ 
++ * and return true.
++ */
++static bool ecm_ipv4_is_bridge_pkt(struct net_device *in,
++ struct net_device *out)
++{
++ struct net_device *lower = NULL;
++ struct net_device *upper = NULL;
++ struct net_device *bridge = NULL;
++
++ if (in->priv_flags & IFF_BRIDGE_PORT) {
++ lower = in;
++ bridge = out;
++ } else if (out->priv_flags & IFF_BRIDGE_PORT) {
++ lower = out;
++ bridge = in;
++ }
++
++ if (!lower)
++ return false;
++
++ rcu_read_lock();
++ upper = netdev_master_upper_dev_get_rcu(lower);
++ rcu_read_unlock();
++ return upper && (upper == bridge);
++}
++
+ /*
+ * ecm_ipv4_post_routing_hook()
+ * Called for IP packets that are going out to interfaces after IP routing stage.
+@@ -1572,6 +1603,14 @@ static unsigned int ecm_ipv4_post_routing_hook(void *priv,
+ return NF_ACCEPT;
+ }
+ 
++ /*
++ * Skip bridge flow packet
++ */
++ if (ecm_ipv4_is_bridge_pkt(in, out)) {
++ DEBUG_TRACE("Bridge flow, ignoring: %px\n", skb);
++ dev_put(in);
++ return NF_ACCEPT;
++ }
+ #ifndef ECM_INTERFACE_OVS_BRIDGE_ENABLE
+ /*
+ * skip OpenVSwitch flows because we don't accelerate them
diff --git a/qca/qca-nss-ecm/patches/902-qca-nss-ecm-Fix-nf_ct_net-null-pointer-reference.patch b/qca/qca-nss-ecm/patches/902-qca-nss-ecm-Fix-nf_ct_net-null-pointer-reference.patch
deleted file mode 100644
index 9ee5cc1..0000000
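Review bot: The header comment of the new `ecm_ipv4_is_bridge_pkt()` carries a stray non-ASCII byte at the end of the "bridge flow packet" line (`packetĀ `), which will land in the source file as-is; the line should read `* of the same bridge port dev, then consider it a bridge flow packet`. The `rcu_read_lock()`/`rcu_read_unlock()` pair only covers the `netdev_master_upper_dev_get_rcu(lower)` lookup and `upper` is compared by address after the unlock, which is fine as long as it is never dereferenced, so a comment such as `/* upper is compared by address only; it must not be dereferenced outside the RCU section */` would keep a future reader from "fixing" it. Only the IPv4 hook in `frontends/cmn/ecm_ipv4.c` is changed; if the IPv6 post-routing hook sees the same bridge-flow packets it is not covered by this patch. `ecm_ipv4_post_routing_hook` starts before the second hunk.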
--- a/qca/qca-nss-ecm/patches/902-qca-nss-ecm-Fix-nf_ct_net-null-pointer-reference.patch +++ /dev/null 
@@ -1,75 +0,0 @@ ---- a/frontends/nss/ecm_nss_ported_ipv4.c -+++ b/frontends/nss/ecm_nss_ported_ipv4.c -@@ -335,8 +335,12 @@ static void ecm_nss_ported_ipv4_connecti - uint8_t dest_mac_xlate[ETH_ALEN]; - ecm_db_direction_t ecm_dir; - ecm_front_end_acceleration_mode_t result_mode; -- struct net *net = nf_ct_net(ct); -- struct nf_tcp_net *tn = nf_tcp_pernet(net); -+ struct nf_tcp_net *tn; -+ -+ if (ct) { -+ struct net *net = nf_ct_net(ct); -+ tn = nf_tcp_pernet(net); -+ } - - DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci); - ---- a/frontends/nss/ecm_nss_ported_ipv6.c -+++ b/frontends/nss/ecm_nss_ported_ipv6.c -@@ -340,8 +340,12 @@ static void ecm_nss_ported_ipv6_connecti - ip_addr_t src_ip; - ip_addr_t dest_ip; - ecm_front_end_acceleration_mode_t result_mode; -- struct net *net = nf_ct_net(ct); -- struct nf_tcp_net *tn = nf_tcp_pernet(net); -+ struct nf_tcp_net *tn; -+ -+ if (ct) { -+ struct net *net = nf_ct_net(ct); -+ tn = nf_tcp_pernet(net); -+ } - - DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci); - ---- a/frontends/sfe/ecm_sfe_ported_ipv4.c -+++ b/frontends/sfe/ecm_sfe_ported_ipv4.c -@@ -365,11 +365,15 @@ static void ecm_sfe_ported_ipv4_connecti - uint8_t dest_mac_xlate[ETH_ALEN]; - ecm_db_direction_t ecm_dir; - ecm_front_end_acceleration_mode_t result_mode; -- struct net *net = nf_ct_net(ct); -- struct nf_tcp_net *tn = nf_tcp_pernet(net); -+ struct nf_tcp_net *tn; - uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED); - ecm_sfe_common_l2_accel_check_callback_t l2_accel_check; - -+ if (ct) { -+ struct net *net = nf_ct_net(ct); -+ tn = nf_tcp_pernet(net); -+ } -+ - DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci); - - /* - ---- a/frontends/sfe/ecm_sfe_ported_ipv6.c -+++ b/frontends/sfe/ecm_sfe_ported_ipv6.c -@@ -369,11 +369,15 @@ static void ecm_sfe_ported_ipv6_connecti - ip_addr_t 
src_ip; - ip_addr_t dest_ip; - ecm_front_end_acceleration_mode_t result_mode; -- struct net *net = nf_ct_net(ct); -- struct nf_tcp_net *tn = nf_tcp_pernet(net); -+ struct nf_tcp_net *tn; - uint32_t l2_accel_bits = (ECM_SFE_COMMON_FLOW_L2_ACCEL_ALLOWED | ECM_SFE_COMMON_RETURN_L2_ACCEL_ALLOWED); - ecm_sfe_common_l2_accel_check_callback_t l2_accel_check; - -+ if (ct) { -+ struct net *net = nf_ct_net(ct); -+ tn = nf_tcp_pernet(net); -+ } -+ - DEBUG_CHECK_MAGIC(feci, ECM_FRONT_END_CONNECTION_INSTANCE_MAGIC, "%px: magic failed", feci); - - /*