diff --git a/ask/cmm/cmm.conf b/ask/cmm/cmm.conf
index 5951418..0e2977a 100644
--- a/ask/cmm/cmm.conf
+++ b/ask/cmm/cmm.conf
@@ -17,10 +17,11 @@ config fastforward pptp
 option port 1723
 
 # Optional logging
-# NOTE: "stdout" only supported in our own patched version
+# NOTE: "stdout" only supported in our own patched version.
+# Keep info disabled by default; CMM receives the whole conntrack stream.
 config logging
 option file stdout
 option command 0
 option error 1
 option warning 1
- option info 1
+ option info 0
diff --git a/docker/ask.Dockerfile b/docker/ask.Dockerfile
index 82e6028..896620a 100644
--- a/docker/ask.Dockerfile
+++ b/docker/ask.Dockerfile
@@ -51,8 +51,16 @@ COPY "${LIBNFCT_TAR}" ./libnetfilter_conntrack-${LIBNFCT_VERSION}.tar.xz
 # Provision the musl cross-compiler from musl.cc
 RUN tar zxf "aarch64_musl_cc.tar.gz" -C /opt
 
-# Expose the musl compiler to the PATH
-ENV PATH="/opt/aarch64-linux-musl-cross/bin:${PATH}"
+# Common paths / flags for the remaining ASK build.
+# Keep userspace fully static against the musl sysroot.
+ENV PATH="/opt/aarch64-linux-musl-cross/bin:${PATH}" \
+ ASK_DIR=/src/ASK \
+ KERNEL_DIR=/src/linux \
+ SYSROOT=/opt/aarch64-linux-musl-cross/aarch64-linux-musl \
+ HOST=aarch64-linux-musl \
+ CROSS_COMPILE=aarch64-linux-musl- \
+ ARCH=arm64 \
+ PLATFORM=LS1043A
 
 # Extract and build the dependency libraries
 RUN mkdir -p ASK/sources/tarballs && \
@@ -65,7 +73,7 @@ RUN mkdir linux && tar zxf "kernel.tar.gz" -C "linux" --strip-components=1 && \
 # ASK's Kernel patches
 COPY patches/ask/split-kernel-patch.sh /src/split-kernel-patch.sh
-COPY patches/ask/kernel/*.patch /src/ASK/patches/kernel/updated-patch/
+COPY patches/ask/upstream/kernel/*.patch /src/ASK/patches/kernel/updated-patch/
 RUN chmod +x /src/split-kernel-patch.sh && \
 PATCH_FILE="/src/ASK/patches/kernel/002-mono-gateway-ask-kernel_linux_6_12.patch" \
@@ -74,6 +82,17 @@ RUN chmod +x /src/split-kernel-patch.sh && \
 /src/split-kernel-patch.sh split && \
 /src/split-kernel-patch.sh apply
 
+# Build the kernel first, without the custom DTS
+COPY kernel-extra.config /src/kernel-extra.config
+COPY kernel-build/ensure-kconfig.sh /src/
+
+RUN cd /src/linux \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" defconfig lsdk.config \
+ && ./scripts/kconfig/merge_config.sh -m .config "${ASK_DIR}/config/kernel/defconfig" /src/kernel-extra.config \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig \
+ && /src/ensure-kconfig.sh .config /src/kernel-extra.config \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" -j"$(nproc)"
+
 # tclap
 RUN mkdir -p tclap && tar zxf "tclap.tar.gz" -C "tclap" --strip-components=1 && \
 cp -r tclap/include/tclap /opt/aarch64-linux-musl-cross/aarch64-linux-musl/include/ && \
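Review bot: `/src/ensure-kconfig.sh` is executed directly in the new `RUN cd /src/linux` chain, but unlike `split-kernel-patch.sh` just above this hunk it never receives `chmod +x`; `COPY` carries over the build-context mode bits, so this layer builds only if the script happens to be committed executable. Either invoke it as `sh /src/ensure-kconfig.sh .config /src/kernel-extra.config` or add `RUN chmod +x /src/ensure-kconfig.sh` right after the `COPY kernel-build/ensure-kconfig.sh /src/` line. The same applies to the copy of this block that the commit removes further down, so the point is about the surviving text, not the move.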
@@ -135,15 +154,18 @@ RUN mkdir fmlib && \
 LIBXML2_HEADER_PATH=/opt/aarch64-linux-musl-cross/aarch64-linux-musl/include/libxml2 \
 TCLAP_HEADER_PATH=/opt/aarch64-linux-musl-cross/aarch64-linux-musl/include
 
-# Common paths / flags for the remaining ASK build.
-# Keep userspace fully static against the musl sysroot.
-ENV ASK_DIR=/src/ASK \
- KERNEL_DIR=/src/linux \
- SYSROOT=/opt/aarch64-linux-musl-cross/aarch64-linux-musl \
- HOST=aarch64-linux-musl \
- CROSS_COMPILE=aarch64-linux-musl- \
- ARCH=arm64 \
- PLATFORM=LS1043A
+# Patch verdor's modules
+RUN mkdir -p /src/patches/ask
+COPY patches/ask/ /src/patches/ask/
+
+RUN cd /src/ASK && \
+ git init -q && git add -A && git commit -q -m "base" && \
+ find /src/patches/ask \
+ -path /src/patches/ask/upstream -prune -o \
+ -name '*.patch' -print \
+ | sort > /tmp/ask-module-patches.list && \
+ test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply --check && \
+ test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply
 
 # Build patched libnfnetlink + libnetfilter_conntrack into the musl sysroot.
 # These are needed by cmm through pkg-config.
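Review bot: The patch list in the new `RUN cd /src/ASK` step is produced with `-print | sort` and consumed with `xargs -a`, so a patch path containing whitespace or a quote is word-split into several arguments before `git apply --check` sees it, and the `--check` gate then no longer validates what the second `git apply` does. The tree under `/src/patches/ask` is repository-controlled today, but the same idiom is repeated in the libnetfilter_conntrack hunk below, so both are worth making NUL-safe: `-name '*.patch' -print0 \`, `| sort -z > /tmp/ask-module-patches.list && \`, and `xargs -0 -a /tmp/ask-module-patches.list git apply --check`. The header comment also reads `# Patch verdor's modules`; `# Patch vendor's modules`.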
@@ -163,8 +185,15 @@ RUN mkdir -p "${ASK_DIR}/sources" && \
 tar xf "${ASK_DIR}/sources/tarballs/libnetfilter_conntrack-${LIBNFCT_VERSION}.tar.xz" \
 -C libnetfilter_conntrack --strip-components=1 && \
 cd libnetfilter_conntrack && \
+ cp /src/patches/ask/upstream/libnetfilter-conntrack/* "${ASK_DIR}/patches/libnetfilter-conntrack/" && \
 git init -q && git add -A && git commit -q -m "upstream" && \
- git apply "${ASK_DIR}/patches/libnetfilter-conntrack/01-nxp-ask-comcerto-fp-extensions.patch" && \
+ find "${ASK_DIR}/patches/libnetfilter-conntrack/" \
+ -name '*.patch' -exec sha256sum {} \; && \
+ find "${ASK_DIR}/patches/libnetfilter-conntrack/" \
+ -name '*.patch' -print \
+ | sort > /tmp/libnfct-patches.list && \
+ test ! -s /tmp/libnfct-patches.list || xargs -a /tmp/libnfct-patches.list git apply --check && \
+ test ! -s /tmp/libnfct-patches.list || xargs -a /tmp/libnfct-patches.list git apply && \
 PKG_CONFIG_PATH="${SYSROOT}/lib/pkgconfig" \
 CC=aarch64-linux-musl-gcc AR=aarch64-linux-musl-ar RANLIB=aarch64-linux-musl-ranlib \
 ./configure --host="${HOST}" --prefix="${SYSROOT}" \
@@ -179,17 +208,6 @@ RUN make -C "${ASK_DIR}/fci/lib" \
 CC=aarch64-linux-musl-gcc \
 AR=aarch64-linux-musl-ar
 
-# Build the kernel first, without the custom DTS
-COPY kernel-extra.config /src/kernel-extra.config
-COPY kernel-build/ensure-kconfig.sh /src/
-
-RUN cd /src/linux \
- && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" defconfig lsdk.config \
- && ./scripts/kconfig/merge_config.sh -m .config "${ASK_DIR}/config/kernel/defconfig" /src/kernel-extra.config \
- && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig \
- && /src/ensure-kconfig.sh .config /src/kernel-extra.config \
- && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" -j"$(nproc)"
-
 # DTS changes happen after the expensive kernel build layer
 COPY kernel-build/dts/*.dts /src/linux/arch/arm64/boot/dts/freescale/
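Review bot: The `find ... -exec sha256sum {} \;` added in the libnetfilter_conntrack step only prints digests into the build log; nothing compares them with an expected value, so an altered or swapped patch in `${ASK_DIR}/patches/libnetfilter-conntrack/` is applied exactly as before. If the purpose is provenance, a checked-in list of expected digests verified with `sha256sum -c` would turn the print into a gate; if it is only a diagnostic, a one-line comment saying so would stop the next reader from assuming the patch set is pinned. Note also that the preceding `cp /src/patches/ask/upstream/libnetfilter-conntrack/*` merges repository patches into the vendor directory, so the applied set is whatever `*.patch` sorts to across both sources; a comment stating that the numeric prefix defines the application order would make that contract explicit.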
@@ -203,19 +221,6 @@ RUN cd /src/linux \
 && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" \
 "freescale/${DEVICE_TREE_TARGET}.dtb"
 
-# Patch verdor's modules
-RUN mkdir -p /src/patches/ask
-COPY patches/ask/ /src/patches/ask/
-
-RUN cd /src/ASK && \
- git init -q && git add -A && git commit -q -m "base" && \
- find /src/patches/ask \
- -path /src/patches/ask/kernel -prune -o \
- -name '*.patch' -print \
- | sort > /tmp/ask-module-patches.list && \
- test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply --check && \
- test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply
 
 # Build out-of-tree ASK kernel modules: cdx -> fci, plus auto_bridge.
 RUN make -C "${ASK_DIR}/cdx" \
 CROSS_COMPILE="${CROSS_COMPILE}" \
@@ -286,7 +291,6 @@ RUN mkdir -p /out/rootfs-cfg/etc/dpa && \
 mkdir -p /out/rootfs-cfg/etc/cmm && \
 cp "${ASK_DIR}/config/fastforward" /out/rootfs-cfg/etc/cmm/fastforward.vendor.orig
 
-
 FROM scratch AS export
 
 ARG DEVICE_TREE_TARGET
diff --git a/patches/ask/cmm/0003-cmm-ignore-non-fastpath-conntracks.patch b/patches/ask/cmm/0003-cmm-ignore-non-fastpath-conntracks.patch
new file mode 100644
index 0000000..65f478c
--- /dev/null
+++ b/patches/ask/cmm/0003-cmm-ignore-non-fastpath-conntracks.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: monok8s authors
+Date: Mon, 11 May 2026 00:00:00 +0000
+Subject: [PATCH] cmm: ignore conntracks without fastpath metadata
+
+CMM receives conntrack notifications for the whole system conntrack table.
+On a Kubernetes node, many entries are unrelated to Comcerto/NXP fastpath:
+loopback traffic, local control-plane traffic, Cilium traffic, broadcast,
+multicast, and ordinary slow-path flows.
+
+Those entries do not necessarily carry the private fastpath attributes CMM
+expects. Treat them as non-fastpathable instead of trying to process them.
+
+---
+ cmm/src/ffcontrol.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/cmm/src/ffcontrol.c b/cmm/src/ffcontrol.c
+--- a/cmm/src/ffcontrol.c
++++ b/cmm/src/ffcontrol.c
+@@ -75,6 +75,25 @@
+ return 1;
+ }
+ 
++/*****************************************************************
++* cmmFcHasFastpathAttrs()
++*
++* CMM receives all conntrack notifications, including entries that
++* never passed through the Comcerto/NXP fastpath hooks. Those entries
++* do not have the private fastpath attributes needed below. Treat them
++* as ordinary slow-path conntracks and ignore them.
++******************************************************************/
++static int cmmFcHasFastpathAttrs(struct nf_conntrack *ct)
++{
++ if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IIF))
++ return 0;
++
++ if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IFINDEX))
++ return 0;
++
++ return 1;
++}
++
+ /*****************************************************************
+ * cmmIsConntrack4Allowed()
+ *
+@@ -92,6 +111,12 @@
+ sAddr = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_SRC);
+ dAddr = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC);
+ 
++ if (!cmmFcHasFastpathAttrs(ct)) {
++ cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
++ __func__);
++ goto refused;
++ }
++
+ /* Multicast connections are not forwarded */
+ if (MULTICAST(dAddr)) {
+ cmm_print(DEBUG_WARNING, "%s: conntrack multicast dst:%s:%x src:%s:%x\n", __func__,
+@@ -197,6 +222,12 @@
+ Saddr = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
+ SaddrReply = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
+ 
++ if (!Saddr || !SaddrReply || !cmmFcHasFastpathAttrs(ct)) {
++ cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
++ __func__);
++ goto refused;
++ }
++
+ if ((SaddrReply[0] & ntohl(0xff000000)) == ntohl(0xff000000))
+ {
+ goto refused;
+--
+2.45.0
\ No newline at end of file
diff --git a/patches/ask/upstream/README.md b/patches/ask/upstream/README.md
new file mode 100644
index 0000000..4d534d0
--- /dev/null
+++ b/patches/ask/upstream/README.md
@@ -0,0 +1 @@
+This is for when vendor is already patching upstream source. And we are patching on top of it.
diff --git a/patches/ask/kernel/0005-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth.h.patch b/patches/ask/upstream/kernel/0005-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth.h.patch
similarity index 100%
rename from patches/ask/kernel/0005-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth.h.patch
rename to patches/ask/upstream/kernel/0005-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth.h.patch
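Review bot: The only trace of an entry refused by the new guards is a `cmm_print(DEBUG_INFO, ...)` call, and the cmm.conf hunk in this same commit sets `option info 0`, so with the shipped default configuration flows dropped by `cmmFcHasFastpathAttrs()` leave no record at all; a misconfigured or regressed fastpath hook would then look like silent slow-path traffic. A per-function refusal counter reported at DEBUG_WARNING when it first becomes non-zero, or a rate-limited warning, keeps the dump quiet without losing that signal. In the IPv6 hunk the same "no fastpath metadata" message is also emitted when `Saddr` or `SaddrReply` is NULL, which is a missing address attribute rather than missing fastpath metadata, so a separate branch with its own message, e.g. `"%s: conntrack without IPv6 addresses, ignored\n"`, would keep the diagnostic accurate. Both enclosing functions begin and end outside the nested hunks, so the `refused` labels they jump to are not visible here.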
diff --git a/patches/ask/kernel/0009-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth_sg.c.patch b/patches/ask/upstream/kernel/0009-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth_sg.c.patch
similarity index 100%
rename from patches/ask/kernel/0009-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth_sg.c.patch
rename to patches/ask/upstream/kernel/0009-drivers__net__ethernet__freescale__sdk_dpaa__dpaa_eth_sg.c.patch
diff --git a/patches/ask/kernel/0062-drivers__net__ppp__ppp_generic.c.patch b/patches/ask/upstream/kernel/0062-drivers__net__ppp__ppp_generic.c.patch
similarity index 100%
rename from patches/ask/kernel/0062-drivers__net__ppp__ppp_generic.c.patch
rename to patches/ask/upstream/kernel/0062-drivers__net__ppp__ppp_generic.c.patch
diff --git a/patches/ask/kernel/0068-drivers__staging__fsl_qbman__qman_high.c.patch b/patches/ask/upstream/kernel/0068-drivers__staging__fsl_qbman__qman_high.c.patch
similarity index 100%
rename from patches/ask/kernel/0068-drivers__staging__fsl_qbman__qman_high.c.patch
rename to patches/ask/upstream/kernel/0068-drivers__staging__fsl_qbman__qman_high.c.patch
diff --git a/patches/ask/kernel/0071-include__linux__if_bridge.h.patch b/patches/ask/upstream/kernel/0071-include__linux__if_bridge.h.patch
similarity index 100%
rename from patches/ask/kernel/0071-include__linux__if_bridge.h.patch
rename to patches/ask/upstream/kernel/0071-include__linux__if_bridge.h.patch
diff --git a/patches/ask/kernel/0078-include__net__xfrm.h.patch b/patches/ask/upstream/kernel/0078-include__net__xfrm.h.patch
similarity index 100%
rename from patches/ask/kernel/0078-include__net__xfrm.h.patch
rename to patches/ask/upstream/kernel/0078-include__net__xfrm.h.patch
diff --git a/patches/ask/kernel/0086-include__uapi__linux__netfilter__nfnetlink_conntrack.h.patch b/patches/ask/upstream/kernel/0086-include__uapi__linux__netfilter__nfnetlink_conntrack.h.patch
similarity index 100%
rename from patches/ask/kernel/0086-include__uapi__linux__netfilter__nfnetlink_conntrack.h.patch
rename to patches/ask/upstream/kernel/0086-include__uapi__linux__netfilter__nfnetlink_conntrack.h.patch
diff --git a/patches/ask/kernel/0100-net__bridge__br_private.h.patch b/patches/ask/upstream/kernel/0100-net__bridge__br_private.h.patch
similarity index 100%
rename from patches/ask/kernel/0100-net__bridge__br_private.h.patch
rename to patches/ask/upstream/kernel/0100-net__bridge__br_private.h.patch
diff --git a/patches/ask/kernel/0103-net__core__dev.c.patch b/patches/ask/upstream/kernel/0103-net__core__dev.c.patch
similarity index 100%
rename from patches/ask/kernel/0103-net__core__dev.c.patch
rename to patches/ask/upstream/kernel/0103-net__core__dev.c.patch
diff --git a/patches/ask/kernel/0108-net__ipv4__ip_output.c.patch b/patches/ask/upstream/kernel/0108-net__ipv4__ip_output.c.patch
similarity index 100%
rename from patches/ask/kernel/0108-net__ipv4__ip_output.c.patch
rename to patches/ask/upstream/kernel/0108-net__ipv4__ip_output.c.patch
diff --git a/patches/ask/kernel/0112-net__ipv6__ip6_output.c.patch b/patches/ask/upstream/kernel/0112-net__ipv6__ip6_output.c.patch
similarity index 100%
rename from patches/ask/kernel/0112-net__ipv6__ip6_output.c.patch
rename to patches/ask/upstream/kernel/0112-net__ipv6__ip6_output.c.patch
diff --git a/patches/ask/kernel/0115-net__ipv6__output_core.c.patch b/patches/ask/upstream/kernel/0115-net__ipv6__output_core.c.patch
similarity index 100%
rename from patches/ask/kernel/0115-net__ipv6__output_core.c.patch
rename to patches/ask/upstream/kernel/0115-net__ipv6__output_core.c.patch
diff --git a/patches/ask/kernel/0119-net__key__af_key.c.patch b/patches/ask/upstream/kernel/0119-net__key__af_key.c.patch
similarity index 100%
rename from patches/ask/kernel/0119-net__key__af_key.c.patch
rename to patches/ask/upstream/kernel/0119-net__key__af_key.c.patch
diff --git a/patches/ask/kernel/0124-net__netfilter__nf_conntrack_netlink.c.patch b/patches/ask/upstream/kernel/0124-net__netfilter__nf_conntrack_netlink.c.patch
similarity index 100%
rename from patches/ask/kernel/0124-net__netfilter__nf_conntrack_netlink.c.patch
rename to patches/ask/upstream/kernel/0124-net__netfilter__nf_conntrack_netlink.c.patch
diff --git a/patches/ask/kernel/0129-net__wireless__Kconfig.patch b/patches/ask/upstream/kernel/0129-net__wireless__Kconfig.patch
similarity index 100%
rename from patches/ask/kernel/0129-net__wireless__Kconfig.patch
rename to patches/ask/upstream/kernel/0129-net__wireless__Kconfig.patch
diff --git a/patches/ask/kernel/0131-net__xfrm__Makefile.patch b/patches/ask/upstream/kernel/0131-net__xfrm__Makefile.patch
similarity index 100%
rename from patches/ask/kernel/0131-net__xfrm__Makefile.patch
rename to patches/ask/upstream/kernel/0131-net__xfrm__Makefile.patch
diff --git a/patches/ask/kernel/0136-net__xfrm__xfrm_policy.c.patch b/patches/ask/upstream/kernel/0136-net__xfrm__xfrm_policy.c.patch
similarity index 100%
rename from patches/ask/kernel/0136-net__xfrm__xfrm_policy.c.patch
rename to patches/ask/upstream/kernel/0136-net__xfrm__xfrm_policy.c.patch
diff --git a/patches/ask/kernel/0137-net__xfrm__xfrm_state.c.patch b/patches/ask/upstream/kernel/0137-net__xfrm__xfrm_state.c.patch
similarity index 100%
rename from patches/ask/kernel/0137-net__xfrm__xfrm_state.c.patch
rename to patches/ask/upstream/kernel/0137-net__xfrm__xfrm_state.c.patch
diff --git a/patches/ask/upstream/libnetfilter-conntrack/02-libnetfilter-conntrack-do-not-abort-on-unusable-nxp-attrs-v3.patch b/patches/ask/upstream/libnetfilter-conntrack/02-libnetfilter-conntrack-do-not-abort-on-unusable-nxp-attrs-v3.patch
new file mode 100644
index 0000000..80e842a
--- /dev/null
+++ b/patches/ask/upstream/libnetfilter-conntrack/02-libnetfilter-conntrack-do-not-abort-on-unusable-nxp-attrs-v3.patch
@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mono
+Date: Mon, 11 May 2026 00:00:00 +0900
+Subject: [PATCH] libnetfilter_conntrack: do not abort on unusable NXP attrs
+
+The NXP ASK extension patch teaches libnetfilter_conntrack about
+Comcerto/Layerscape fast-path and QoS conntrack attributes, but it also
+uses abi_breakage() when those attributes are present with a shape this
+userspace does not expect.
+
+That is too fragile for CMM. CMM dumps the global conntrack table, which
+can contain ordinary Kubernetes/Cilium conntrack entries alongside entries
+that are relevant to the NXP fast path. A single unexpected or
+unrepresentable vendor attribute must not abort the entire dump before CMM
+has a chance to ignore the entry.
+
+Keep unsupported attribute IDs ignored as before. For NXP fast-path/QoS
+attributes that fail validation or nested parsing, skip only that attribute
+or fast-path block and continue parsing the rest of the conntrack object.
+
+Signed-off-by: Mono
+---
+ src/conntrack/parse_mnl.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/conntrack/parse_mnl.c b/src/conntrack/parse_mnl.c
+index 33f7824..0000000 100644
+--- a/src/conntrack/parse_mnl.c
++++ b/src/conntrack/parse_mnl.c
+@@ -873,16 +873,16 @@ nfct_parse_comcerto_fp_attr_cb(const struct nlattr *attr, void *data)
+ case CTA_COMCERTO_FP_IIF:
+ case CTA_COMCERTO_FP_UNDERLYING_IIF:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+- abi_breakage();
++ return MNL_CB_OK;
+ break;
+ case CTA_COMCERTO_FP_UNDERLYING_VID:
+ if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0)
+- abi_breakage();
++ return MNL_CB_OK;
+ break;
+ case CTA_COMCERTO_FP_XFRM_HANDLE:
+ /* 4 x u32 = 16 bytes */
+ if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC, 16) < 0)
+- abi_breakage();
++ return MNL_CB_OK;
+ break;
+ }
+ tb[type] = attr;
+@@ -1024,11 +1024,11 @@ nfct_parse_conntrack_attr_cb(const struct nlattr *attr, void *data)
+ case CTA_LAYERSCAPE_FP_ORIG:
+ case CTA_LAYERSCAPE_FP_REPLY:
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+- abi_breakage();
++ return MNL_CB_OK;
+ break;
+ case CTA_QOSCONNMARK:
+ if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+- abi_breakage();
++ return MNL_CB_OK;
+ break;
+ }
+ tb[type] = attr;
+@@ -1164,18 +1164,21 @@ nfct_payload_parse(const void *payload, size_t payload_len,
+ 
+ /* NXP ASK: Comcerto fast path and QoS */
+ if (tb[CTA_LAYERSCAPE_FP_ORIG]) {
+- if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
+- __DIR_ORIG) < 0)
+- return -1;
++ /*
++ * Do not abort the entire conntrack dump if one fast-path
++ * extension block cannot be represented by this userspace.
++ */
++ nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
++ __DIR_ORIG);
+ }
+ 
+ if (tb[CTA_LAYERSCAPE_FP_REPLY]) {
+- if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
+- __DIR_REPL) < 0)
+- return -1;
++ /* See CTA_LAYERSCAPE_FP_ORIG handling above. */
++ nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
++ __DIR_REPL);
+ }
+ 
+ if (tb[CTA_QOSCONNMARK]) {
+ ct->qosconnmark = be64toh(mnl_attr_get_u64(tb[CTA_QOSCONNMARK]));
+ set_bit(ATTR_QOSCONNMARK, ct->head.set);
+ }
+--
+2.47.3
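Review bot: In the `nfct_payload_parse` hunk the return value of `nfct_parse_comcerto_fp()` is now discarded, but nothing in the patch shows what state that helper leaves behind when the nested parse fails part-way; if it sets some fast-path attribute bits in `ct->head.set` before bailing out, consumers such as CMM will see a half-populated direction that `nfct_attr_is_set()` reports as present. If that is possible, the failure path should clear that direction's fast-path bits (or the helper should be made all-or-nothing) rather than being silently ignored, e.g. `if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct, __DIR_ORIG) < 0) { /* clear partial ORIG fast-path state here */ }`; if the helper is already atomic, a comment saying so next to the dropped check is enough. The first two hunks are sound: returning `MNL_CB_OK` before `tb[type] = attr` drops the malformed attribute without aborting the callback. `nfct_payload_parse()` begins and ends outside the nested hunk.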