Added ability to delete denied ports using wildcard option.
```
echo del * > /proc/sys/net/ecm/udp_denied_ports
echo del * > /proc/sys/net/ecm/tcp_denied_ports
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Instead forcing all components to be built together, selectively build
feature sets based on driver and client selections.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Allow resetting some stats via debugfs interface.
Not all stats are resettable,
```sh
echo 0 > /sys/kernel/debug/qca-nss-drv/stats/drv
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
If the kernel passes smaller user buffer to copy stats
than required, copy the partial content from local buffer
and in next call copy the remaining content.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
This is just a functional fix, the underlying framework for PPE VP is
not really useful for anything on ipq807x.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
When debug logging is enabled for bridge or gre a null
pointer deref error was causing system to crash
Signed-off-by: Sean Khan <datapronix@protonmail.com>
In kernels prior to 6.10, dev_base_lock was required to protect the
net_device list traversal. From 6.10 onward the lock was
dropped in favor of RCU.
To preserve previous behavior (i.e. 24.10-nss on kernel 6.6), restore
read_lock()/read_unlock() and wrap into kernel macros check.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
IPQ5018 and IPQ6018 are limited to 512MB so set default accordingly.
RMNET is also only supported on IPQ807x and IPQ5018.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Reworked SMP affinity handling for better balancing of PPDU and USBs
```
Pinning IRQ(46) nss_queue0 to CPU 0 (NSS Core 0)
Pinning IRQ(47) nss_queue1 to CPU 1 (NSS Core 0)
Pinning IRQ(48) nss_queue2 to CPU 2 (NSS Core 0)
Pinning IRQ(49) nss_queue3 to CPU 3 (NSS Core 0)
Pinning IRQ(57) nss_queue0 to CPU 3 (NSS Core 1)
Pinning IRQ(58) nss_queue1 to CPU 2 (NSS Core 1)
Pinning IRQ(59) nss_queue2 to CPU 1 (NSS Core 1)
Pinning IRQ(60) nss_queue3 to CPU 0 (NSS Core 1)
Pinning IRQ(43) nss_empty_buf_sos to CPU 0 (NSS Core 0)
Pinning IRQ(44) nss_empty_buf_queue to CPU 0 (NSS Core 0)
Pinning IRQ(53) nss_empty_buf_sos to CPU 3 (NSS Core 1)
Pinning IRQ(55) nss_empty_buf_queue to CPU 3 (NSS Core 1)
Pinning IRQ(41) xhci-hcd:usb1 to CPU 2
Pinning IRQ(42) xhci-hcd:usb3 to CPU 2
Pinning IRQ(79) ppdu-end-interrupts-mac1 to CPU 2
Pinning IRQ(83) ppdu-end-interrupts-mac2 to CPU 3
Pinning IRQ(81) ppdu-end-interrupts-mac3 to CPU 1
```
Primarily meant to improve performance on Arcadyan AW1000 which uses USB
based cellular modems (xhci-hcd:usb3). They are now pinned to CPU 2
Signed-off-by: Sean Khan <datapronix@protonmail.com>
It's not necessary to escape '#' and '=' in awk regexes, doing so
causes gawk to throw warnings.
Busybox awk is more permissive and does not throw warnings.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
These packages really shouldn't be in this repository as it's not the
core focus of the project. I am unable to test or maintain these since
it requires a device with a Quectel modem and cellular service, neither of
which I have access to.
For `Arcadyan AW1000` users you may be interested in trying:
https://github.com/immortalwrt/wwan-packages
All issues related to these packages will be closed and not addressed
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Upstream OpenWrt 24.10 and later uses nftables by default.
Bridge filtering is not really needed anymore.
This should also prevent unnecessary chain dependencies getting built
like like `kmod-ipt-ipopt`.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Prevent selecting or building NSS features that are ipq806x specific
These include:
- Port ID (nss_portid.c)
- OAM (nss_oam.c)
- Timestamping (nss_tstamp.c)
- Legacy WiFi Offload (nss_wifi.c)
Signed-off-by: Sean Khan <datapronix@protonmail.com>
It was accidentally removed in commit: de828e39b
("treewide: Additional fixes for kernel 6.12 + GCC 14.3")
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Several QCA NSS modules compile successfully but do not
function properly at runtime. This is due to either faulty
implementation or deliberate disabling of certain features in the NSS
firmware by Qualcomm.
Based on extensive testing with NSS firmware 11.4:
- Only 22 out of 64 dynamic interface types succeed in creation.
- All others return NACK, indicating lack of support or broken
implementation.
Modules affected include DTLS, IPSEC, TLS, CAPWAP, GRE redirect paths,
VXLAN, CLMAP and more.
OpenVPN support is partially enabled on crypto core, but requires patching
userspace OpenVPN to function — outside scope here. Wireguard is preferred
as it already achieves line-rate performance without relying on NSS offload.
Marking these kernel packages as BROKEN to prevent false expectations
and discourage their use, though they're available should Qualcomm
ever release a firmware that supports them. (NOT GOING TO HAPPEN...)
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Recent changes in nss-clients enabled unconditional evaluation
of the `qca-nss-drv-dtlsmgr` and `qca-nss-drv-tlsmgr` packages,
which always pulled in their dependencies, including `qca-nss-cfi`
and `qca-nss-crypto`, even if these packages were not selected.
This caused build failures due to missing symbols when the
required NSS crypto components were not enabled.
This commit updates the Makefiles for `qca-nss-crypto` and `qca-nss-cfi`
to ensure that their build and install steps are only executed
if the corresponding package is selected.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
"@" symbol implies "CONFIG_SOME_SYMBOL" whereas without implies
"CONFIG_PACKAGE_some-package". The later is what we want here since
nss-eip-firmware is a package.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
commit 7a0c508 `treewide: rework handling platform specific features`
accidently set tun6rd and tlsmgr to 'y' vs. 'm' causing them to be built
if selected.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Overhaul the way platform-specific requirements are handled since
IPQ60xx and IPQ50xx don't support all the same features as IPQ807x.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
GCC 15 has stricter checks for header macros where
mismatches between `#ifndef` and `#define` are flagged as errors.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
First attempt at backporting the 12.5 ipq50xx fixes to 11.4.
Fixes compilation errors, but not tested on hardware yet.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
can`t compile qca-nss-ecm packages in case 'l2tp' I got issue that there is no ppp_generic package.
So, this change will fix building for l2tp case and will not broke pppoe case
EDIT: Fix whitespace
The previous refactor (32dd47ec) attempted to use a common definition
block (`nss-firmware-common`) for package metadata and builds.
However, the way it was referenced (`$(nss-firmware-common)`) didn't
work for inheriting properties like TITLE, SECTION, CATEGORY, or
the install logic via `$(call ...)` within the sub-package definitions.
This resulted in the platform-specific packages
(`ipq807x`, `ipq60xx`, `ipq50xx`) being built without any firmwares
leading to empty `.ipk` files and failure to boot.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
