Got cmm working

patches/ask/cmm/0003-cmm-ignore-non-fastpath-conntracks.patch

@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: monok8s authors <monok8s@localhost>
+Date: Mon, 11 May 2026 00:00:00 +0000
+Subject: [PATCH] cmm: ignore conntracks without fastpath metadata
+
+CMM receives conntrack notifications for the whole system conntrack table.
+On a Kubernetes node, many entries are unrelated to Comcerto/NXP fastpath:
+loopback traffic, local control-plane traffic, Cilium traffic, broadcast,
+multicast, and ordinary slow-path flows.
+
+Those entries do not necessarily carry the private fastpath attributes CMM
+expects. Treat them as non-fastpathable instead of trying to process them.
+
+---
+ cmm/src/ffcontrol.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/cmm/src/ffcontrol.c b/cmm/src/ffcontrol.c
+--- a/cmm/src/ffcontrol.c
++++ b/cmm/src/ffcontrol.c
+@@ -75,6 +75,25 @@
+ 	return 1;
+ }
+ 
++/*****************************************************************
++* cmmFcHasFastpathAttrs()
++*
++* CMM receives all conntrack notifications, including entries that
++* never passed through the Comcerto/NXP fastpath hooks. Those entries
++* do not have the private fastpath attributes needed below. Treat them
++* as ordinary slow-path conntracks and ignore them.
++******************************************************************/
++static int cmmFcHasFastpathAttrs(struct nf_conntrack *ct)
++{
++	if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IIF))
++		return 0;
++
++	if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IFINDEX))
++		return 0;
++
++	return 1;
++}
++
+ /*****************************************************************
+ * cmmIsConntrack4Allowed()
+ *
+@@ -92,6 +111,12 @@
+ 	sAddr = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_SRC);
+ 	dAddr = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC);
+ 
++	if (!cmmFcHasFastpathAttrs(ct)) {
++		cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
++			  __func__);
++		goto refused;
++	}
++
+ 	 /* Multicast connections are not forwarded */
+ 	 if (MULTICAST(dAddr)) {
+ 		cmm_print(DEBUG_WARNING, "%s: conntrack multicast dst:%s:%x src:%s:%x\n", __func__,
+@@ -197,6 +222,12 @@
+ 	Saddr = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
+ 	SaddrReply = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
+ 
++	if (!Saddr || !SaddrReply || !cmmFcHasFastpathAttrs(ct)) {
++		cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
++			  __func__);
++		goto refused;
++	}
++
+ 	if ((SaddrReply[0] & ntohl(0xff000000)) == ntohl(0xff000000))
+ 	{
+ 		goto refused;
+-- 
+2.45.0

patches/ask/upstream/README.md

@@ -0,0 +1 @@
+This is for when vendor is already patching upstream source. And we are patching on top of it.

patches/ask/upstream/libnetfilter-conntrack/02-libnetfilter-conntrack-do-not-abort-on-unusable-nxp-attrs-v3.patch

@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mono <dev@mono>
+Date: Mon, 11 May 2026 00:00:00 +0900
+Subject: [PATCH] libnetfilter_conntrack: do not abort on unusable NXP attrs
+
+The NXP ASK extension patch teaches libnetfilter_conntrack about
+Comcerto/Layerscape fast-path and QoS conntrack attributes, but it also
+uses abi_breakage() when those attributes are present with a shape this
+userspace does not expect.
+
+That is too fragile for CMM. CMM dumps the global conntrack table, which
+can contain ordinary Kubernetes/Cilium conntrack entries alongside entries
+that are relevant to the NXP fast path. A single unexpected or
+unrepresentable vendor attribute must not abort the entire dump before CMM
+has a chance to ignore the entry.
+
+Keep unsupported attribute IDs ignored as before. For NXP fast-path/QoS
+attributes that fail validation or nested parsing, skip only that attribute
+or fast-path block and continue parsing the rest of the conntrack object.
+
+Signed-off-by: Mono <dev@mono>
+---
+ src/conntrack/parse_mnl.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/conntrack/parse_mnl.c b/src/conntrack/parse_mnl.c
+index 33f7824..0000000 100644
+--- a/src/conntrack/parse_mnl.c
++++ b/src/conntrack/parse_mnl.c
+@@ -873,16 +873,16 @@ nfct_parse_comcerto_fp_attr_cb(const struct nlattr *attr, void *data)
+ 	case CTA_COMCERTO_FP_IIF:
+ 	case CTA_COMCERTO_FP_UNDERLYING_IIF:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+-			abi_breakage();
++			return MNL_CB_OK;
+ 		break;
+ 	case CTA_COMCERTO_FP_UNDERLYING_VID:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0)
+-			abi_breakage();
++			return MNL_CB_OK;
+ 		break;
+ 	case CTA_COMCERTO_FP_XFRM_HANDLE:
+ 		/* 4 x u32 = 16 bytes */
+ 		if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC, 16) < 0)
+-			abi_breakage();
++			return MNL_CB_OK;
+ 		break;
+ 	}
+ 	tb[type] = attr;
+@@ -1024,11 +1024,11 @@ nfct_parse_conntrack_attr_cb(const struct nlattr *attr, void *data)
+ 	case CTA_LAYERSCAPE_FP_ORIG:
+ 	case CTA_LAYERSCAPE_FP_REPLY:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+-			abi_breakage();
++			return MNL_CB_OK;
+ 		break;
+ 	case CTA_QOSCONNMARK:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+-			abi_breakage();
++			return MNL_CB_OK;
+ 		break;
+ 	}
+ 	tb[type] = attr;
+@@ -1164,18 +1164,21 @@ nfct_payload_parse(const void *payload, size_t payload_len,
+ 
+ 	/* NXP ASK: Comcerto fast path and QoS */
+ 	if (tb[CTA_LAYERSCAPE_FP_ORIG]) {
+-		if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
+-					   __DIR_ORIG) < 0)
+-			return -1;
++		/*
++		 * Do not abort the entire conntrack dump if one fast-path
++		 * extension block cannot be represented by this userspace.
++		 */
++		nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
++					 __DIR_ORIG);
+ 	}
+ 
+ 	if (tb[CTA_LAYERSCAPE_FP_REPLY]) {
+-		if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
+-					   __DIR_REPL) < 0)
+-			return -1;
++		/* See CTA_LAYERSCAPE_FP_ORIG handling above. */
++		nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
++					 __DIR_REPL);
+ 	}
+ 
+ 	if (tb[CTA_QOSCONNMARK]) {
+ 		ct->qosconnmark = be64toh(mnl_attr_get_u64(tb[CTA_QOSCONNMARK]));
+ 		set_bit(ATTR_QOSCONNMARK, ct->head.set);
+ 	}
+-- 
+2.47.3