Added ability to delete denied ports using wildcard option.
```
echo del * > /proc/sys/net/ecm/udp_denied_ports
echo del * > /proc/sys/net/ecm/tcp_denied_ports
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Upstream OpenWrt 24.10 and later uses nftables by default.
Bridge filtering is not really needed anymore.
This should also prevent unnecessary chain dependencies getting built
like like `kmod-ipt-ipopt`.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Overhaul the way platform-specific requirements are handled since
IPQ60xx and IPQ50xx don't support all the same features as IPQ807x.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
can`t compile qca-nss-ecm packages in case 'l2tp' I got issue that there is no ppp_generic package.
So, this change will fix building for l2tp case and will not broke pppoe case
EDIT: Fix whitespace
In Linux kernel 6.6, the sysctl infrastructure changed
how it handles user/kernel memory boundaries.
The sysctl handlers now take a regular void *buffer instead
of void __user *buffer because the sysctl core now handles
the user-to-kernel copy/validation automatically.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Only build frontend based on selected acceleration engine.
ECM can build frontends for NSS/SFE/PPE, but for now only include option
for NSS.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Brings in the following commits from 12.5 branch:
2024-11-06 - 30fbfa4 - Fix for null dev entries in emesh-sawf.
2024-08-28 - 0718f48 - Add interface num to identify vlan device
Signed-off-by: Sean Khan <datapronix@protonmail.com>
This commit fixes two issues with how ECM module options are configured:
1. `/etc/modules.conf` was modified on every ECM start/restart,
even when no changes were needed.
2. If any other ECM parameters were set in `/etc/modules.conf` it would
overwrite them as the entire line was replaced.
The solution extracts configuration logic into a dedicated function that
only modifies what's necessary, properly handling all cases (updating existing
parameters, appending to existing options, or creating new options).
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Previous change was reloading ECM on client DHCP requests causing
temporary packet loss. Change reload trigger to instead just disable
packet steering (the original intent of this feature).
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Converted ecm init to PROCD service and added a function ensure packet steering
is always disabled when loading.
Added additional firewall/network/packet_steering triggers in case user
changes to packet steering are made in the web interface.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
`tx-checksumming` breaks multicast traffic over mesh interfaces.
Add a check in hotplug script to see if interface is mesh interface
and automatically disable `tx-checksumming`.
New option added to ecm config: `disable_gro_list`
This config option defaults to '1' (AKA disable rx-gro-list)
`rx-gro-list` is enabled by default in mainline OpenWrt, however it
is very bug prone, and causes various issues related to
UDP traffic (i.e DHCP, WireGuard, DNS, etc.)
This option is not explicitly required. If a user sets this to '0', a
warning will be shown in the logs everytime ECM is started.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
NSS_IPV4_RULE_CREATE_RAWIP_VALID is only found in NSS FW 12.5 and
higher. Check if enabled before and macros for it.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
`NSS_IPV4_RULE_CREATE_RAWIP_VALID` is only available in NSS FW
version 12.5, which is not publically availiable.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
When using `nft insert rule` the rule is inserted on top of the
`forward_wan` chain, which bypasses any filtering in place. Instead,
append the rule to the end of the chain.
Other changes include renaming chain `RATE-LIMIT` to `ECM-RATE-LIMIT`
for better rule classification, and `shellformat` formatting.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
`lo` and `bonding_masters` interfaces are not managed by ethtool, so
should be skipped when disabling any interface features.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
iptables based bridge filtering is incompatible with nftables (fw4), and
causes just causes NAT loopback issues.
This is only required for systems using legacy iptables (fw3) as the
primary firewalling. nftables doesn't need explicit enablement of bridge filtering.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Update to comply with APK's `pkgver` format.
Rather than stick with the same convention as upstream `qca-ssdk` and
`qca-nss-dp` which uses:
```
$(PKG_NAME)-$(PKG_SOURCE_DATE)~$(PKG_SOURCE_VERSION)
```
i.e. `qca-ssdk-2024.06.13~c451136b.tar.zst`
Add in the QSDK version as part of the release since we
have options to build for both 11.4 and 12.5. This makes it easier to
debug build related issues, by knowing exactly which QSDK version is
being built against.
Example:
```
qca-nss-drv-11.4.0.5.2021.06.24~dc14ca2.tar.zst
qca-nss-drv-12.5.2024.04.06~53a0dc1.tar.zst
qca-nss-clients-11.4.0.5.2021.08.17~153998d.tar.zst
qca-nss-clients-12.5.2024.03.05~9a53b18.tar.zst
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
note: qca-nss-crypto, and qca-nss-cfi are non-code change releases, but
align with naming scheme upstream anyways.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
The way ECM uci config is handled is pretty ugly due to it not specifying a
named section for 'general'.
Current:
```
➤ uci show ecm
ecm.global=ecm
ecm.global.acceleration_engine='nss'
ecm.@general[0]=general
ecm.@general[0].enable_bridge_filtering='0'
ecm.@general[0].disable_offloads='0'
ecm.@general[0].disable_flow_control='0'
ecm.@general[0].disable_interrupt_moderation='0'
ecm.@general[0].disable_gro='0'
```
None of the options require the use of unnamed sections
(like /etc/config/dhcp does when defining configs for multiple hosts)
With this change the config would produce:
```
ecm.global=ecm
ecm.global.acceleration_engine='nss'
ecm.general=ecm
ecm.general.enable_bridge_filtering='0'
ecm.general.disable_offloads='0'
ecm.general.disable_flow_control='0'
ecm.general.disable_interrupt_moderation='0'
ecm.general.disable_gro='0'
```
Which is a lot easier to read, and access programmatically.
We can also merge `global` and `general` into a single section as it
doesn't really make sense why we need global/general when it's
technically "ALL" globally applied.
For now, to ease users on the change, let's just stick to 2 sections.
**PLEASE NOTE: For users building their own images, and storing their**
**configs in 'files/etc/config/ecm' you will need to manually update the**
**config before compiling.**
For users using **sysupgrade** or installing without custom config at build
time 'files/etc/config/ecm' should be OK.
The following can be run manually on the config file 'ecm'
```sh
conf=/etc/config/ecm
uci -q show ecm.general || {
echo "Converting 'ECM' config to new format."
sed -i "s/config.*general.*/config ecm 'general'/g" "$conf"
}
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Since many of ECM's module depends are dynamic and chosen at build time
`kmodloader` seems to have trouble properly loading its dependencies.
Attempt to parse ecm's module depends and load them prior to installing
the module.
This commit also replaces error prone `uci get` command with `config_get`,
in case certain options are missing from `/etc/config/ecm`
`is_mlo_device` is a check for whether a device is multi-link operation
capable, it is also geared towards WiFi 7 which is only supported on
IPQ95xx/53xx platforms with SFE. Since these patches are only focused on NSS,
rather than unecessarily patching the kernel, don't check if device is MLO capable.
