Got cmm working

2026-05-11 07:01:39 +08:00
parent 35f2edc0b5
commit 7411e1994b
23 changed files with 213 additions and 40 deletions
--- a/ask/cmm/cmm.conf
+++ b/ask/cmm/cmm.conf
@@ -17,10 +17,11 @@ config fastforward pptp
 	option port		1723

 # Optional logging
-# NOTE: "stdout" only supported in our own patched version
+# NOTE: "stdout" only supported in our own patched version.
+# Keep info disabled by default; CMM receives the whole conntrack stream.
 config logging
 	option file	stdout
 	option command	0
 	option error	1
 	option warning	1
-	option info	1
+	option info	0
--- a/docker/ask.Dockerfile
+++ b/docker/ask.Dockerfile
@@ -51,8 +51,16 @@ COPY "${LIBNFCT_TAR}"	  ./libnetfilter_conntrack-${LIBNFCT_VERSION}.tar.xz
 # Provision the musl cross-compiler from musl.cc
 RUN tar zxf "aarch64_musl_cc.tar.gz" -C /opt

-# Expose the musl compiler to the PATH
-ENV PATH="/opt/aarch64-linux-musl-cross/bin:${PATH}"
+# Common paths / flags for the remaining ASK build.
+# Keep userspace fully static against the musl sysroot.
+ENV PATH="/opt/aarch64-linux-musl-cross/bin:${PATH}" \
+	ASK_DIR=/src/ASK \
+	KERNEL_DIR=/src/linux \
+	SYSROOT=/opt/aarch64-linux-musl-cross/aarch64-linux-musl \
+	HOST=aarch64-linux-musl \
+	CROSS_COMPILE=aarch64-linux-musl- \
+	ARCH=arm64 \
+	PLATFORM=LS1043A

 # Extract and build the dependency libraries
 RUN mkdir -p ASK/sources/tarballs && \
@@ -65,7 +73,7 @@ RUN mkdir linux && tar zxf "kernel.tar.gz" -C "linux" --strip-components=1 && \

 # ASK's Kernel patches
 COPY patches/ask/split-kernel-patch.sh /src/split-kernel-patch.sh
-COPY patches/ask/kernel/*.patch /src/ASK/patches/kernel/updated-patch/
+COPY patches/ask/upstream/kernel/*.patch /src/ASK/patches/kernel/updated-patch/

 RUN chmod +x /src/split-kernel-patch.sh && \
 	PATCH_FILE="/src/ASK/patches/kernel/002-mono-gateway-ask-kernel_linux_6_12.patch" \
@@ -74,6 +82,17 @@ RUN chmod +x /src/split-kernel-patch.sh && \
 	/src/split-kernel-patch.sh split && \
 	/src/split-kernel-patch.sh apply

+# Build the kernel first, without the custom DTS
+COPY kernel-extra.config /src/kernel-extra.config
+COPY kernel-build/ensure-kconfig.sh /src/
+
+RUN cd /src/linux \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" defconfig lsdk.config \
+ && ./scripts/kconfig/merge_config.sh -m .config "${ASK_DIR}/config/kernel/defconfig" /src/kernel-extra.config \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig \
+ && /src/ensure-kconfig.sh .config /src/kernel-extra.config \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" -j"$(nproc)"
+
 # tclap
 RUN mkdir -p tclap && tar zxf "tclap.tar.gz" -C "tclap" --strip-components=1 && \
 	cp -r tclap/include/tclap /opt/aarch64-linux-musl-cross/aarch64-linux-musl/include/ && \
@@ -135,15 +154,18 @@ RUN mkdir fmlib && \
 		LIBXML2_HEADER_PATH=/opt/aarch64-linux-musl-cross/aarch64-linux-musl/include/libxml2 \
 		TCLAP_HEADER_PATH=/opt/aarch64-linux-musl-cross/aarch64-linux-musl/include

-# Common paths / flags for the remaining ASK build.
-# Keep userspace fully static against the musl sysroot.
-ENV ASK_DIR=/src/ASK \
-	KERNEL_DIR=/src/linux \
-	SYSROOT=/opt/aarch64-linux-musl-cross/aarch64-linux-musl \
-	HOST=aarch64-linux-musl \
-	CROSS_COMPILE=aarch64-linux-musl- \
-	ARCH=arm64 \
-	PLATFORM=LS1043A
+# Patch verdor's modules
+RUN mkdir -p /src/patches/ask
+COPY patches/ask/ /src/patches/ask/
+
+RUN cd /src/ASK && \
+	git init -q && git add -A && git commit -q -m "base" && \
+	find /src/patches/ask \
+		-path /src/patches/ask/upstream -prune -o \
+		-name '*.patch' -print \
+		| sort > /tmp/ask-module-patches.list && \
+	test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply --check && \
+	test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply

 # Build patched libnfnetlink + libnetfilter_conntrack into the musl sysroot.
 # These are needed by cmm through pkg-config.
@@ -163,8 +185,15 @@ RUN mkdir -p "${ASK_DIR}/sources" && \
 	tar xf "${ASK_DIR}/sources/tarballs/libnetfilter_conntrack-${LIBNFCT_VERSION}.tar.xz" \
 		-C libnetfilter_conntrack --strip-components=1 && \
 	cd libnetfilter_conntrack && \
+	cp /src/patches/ask/upstream/libnetfilter-conntrack/* "${ASK_DIR}/patches/libnetfilter-conntrack/" && \
 	git init -q && git add -A && git commit -q -m "upstream" && \
-	git apply "${ASK_DIR}/patches/libnetfilter-conntrack/01-nxp-ask-comcerto-fp-extensions.patch" && \
+	find "${ASK_DIR}/patches/libnetfilter-conntrack/" \
+		-name '*.patch' -exec sha256sum {} \; && \
+	find "${ASK_DIR}/patches/libnetfilter-conntrack/" \
+		-name '*.patch' -print \
+		| sort > /tmp/libnfct-patches.list && \
+	test ! -s /tmp/libnfct-patches.list || xargs -a /tmp/libnfct-patches.list git apply --check && \
+	test ! -s /tmp/libnfct-patches.list || xargs -a /tmp/libnfct-patches.list git apply && \
 	PKG_CONFIG_PATH="${SYSROOT}/lib/pkgconfig" \
 	CC=aarch64-linux-musl-gcc AR=aarch64-linux-musl-ar RANLIB=aarch64-linux-musl-ranlib \
 	./configure --host="${HOST}" --prefix="${SYSROOT}" \
@@ -179,17 +208,6 @@ RUN make -C "${ASK_DIR}/fci/lib" \
 	CC=aarch64-linux-musl-gcc \
 	AR=aarch64-linux-musl-ar

-# Build the kernel first, without the custom DTS
-COPY kernel-extra.config /src/kernel-extra.config
-COPY kernel-build/ensure-kconfig.sh /src/
-
-RUN cd /src/linux \
- && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" defconfig lsdk.config \
- && ./scripts/kconfig/merge_config.sh -m .config "${ASK_DIR}/config/kernel/defconfig" /src/kernel-extra.config \
- && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig \
- && /src/ensure-kconfig.sh .config /src/kernel-extra.config \
- && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" -j"$(nproc)"
-
 # DTS changes happen after the expensive kernel build layer
 COPY kernel-build/dts/*.dts /src/linux/arch/arm64/boot/dts/freescale/

@@ -203,19 +221,6 @@ RUN cd /src/linux \
 && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" \
 	  "freescale/${DEVICE_TREE_TARGET}.dtb"

-# Patch verdor's modules
-RUN mkdir -p /src/patches/ask
-COPY patches/ask/ /src/patches/ask/
-
-RUN cd /src/ASK && \
-	git init -q && git add -A && git commit -q -m "base" && \
-	find /src/patches/ask \
-		-path /src/patches/ask/kernel -prune -o \
-		-name '*.patch' -print \
-		| sort > /tmp/ask-module-patches.list && \
-	test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply --check && \
-	test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply
-
 # Build out-of-tree ASK kernel modules: cdx -> fci, plus auto_bridge.
 RUN make -C "${ASK_DIR}/cdx" \
 		CROSS_COMPILE="${CROSS_COMPILE}" \
@@ -286,7 +291,6 @@ RUN mkdir -p /out/rootfs-cfg/etc/dpa && \
 	mkdir -p /out/rootfs-cfg/etc/cmm && \
 	cp "${ASK_DIR}/config/fastforward" /out/rootfs-cfg/etc/cmm/fastforward.vendor.orig

-
 FROM scratch AS export

 ARG DEVICE_TREE_TARGET
--- a/patches/ask/cmm/0003-cmm-ignore-non-fastpath-conntracks.patch
+++ b/patches/ask/cmm/0003-cmm-ignore-non-fastpath-conntracks.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: monok8s authors <monok8s@localhost>
+Date: Mon, 11 May 2026 00:00:00 +0000
+Subject: [PATCH] cmm: ignore conntracks without fastpath metadata
+
+CMM receives conntrack notifications for the whole system conntrack table.
+On a Kubernetes node, many entries are unrelated to Comcerto/NXP fastpath:
+loopback traffic, local control-plane traffic, Cilium traffic, broadcast,
+multicast, and ordinary slow-path flows.
+
+Those entries do not necessarily carry the private fastpath attributes CMM
+expects. Treat them as non-fastpathable instead of trying to process them.
+
+---
+ cmm/src/ffcontrol.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/cmm/src/ffcontrol.c b/cmm/src/ffcontrol.c
+--- a/cmm/src/ffcontrol.c
+++ b/cmm/src/ffcontrol.c
+@@ -75,6 +75,25 @@
+ 	return 1;
+ }
+ 
+/*****************************************************************
+* cmmFcHasFastpathAttrs()
+*
+* CMM receives all conntrack notifications, including entries that
+* never passed through the Comcerto/NXP fastpath hooks. Those entries
+* do not have the private fastpath attributes needed below. Treat them
+* as ordinary slow-path conntracks and ignore them.
+******************************************************************/
+static int cmmFcHasFastpathAttrs(struct nf_conntrack *ct)
+{
+	if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IIF))
+		return 0;
+
+	if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IFINDEX))
+		return 0;
+
+	return 1;
+}
+
+ /*****************************************************************
+ * cmmIsConntrack4Allowed()
+ *
+@@ -92,6 +111,12 @@
+ 	sAddr = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_SRC);
+ 	dAddr = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC);
+ 
+	if (!cmmFcHasFastpathAttrs(ct)) {
+		cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
+			  __func__);
+		goto refused;
+	}
+
+ 	 /* Multicast connections are not forwarded */
+ 	 if (MULTICAST(dAddr)) {
+ 		cmm_print(DEBUG_WARNING, "%s: conntrack multicast dst:%s:%x src:%s:%x\n", __func__,
+@@ -197,6 +222,12 @@
+ 	Saddr = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
+ 	SaddrReply = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
+ 
+	if (!Saddr || !SaddrReply || !cmmFcHasFastpathAttrs(ct)) {
+		cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
+			  __func__);
+		goto refused;
+	}
+
+ 	if ((SaddrReply[0] & ntohl(0xff000000)) == ntohl(0xff000000))
+ 	{
+ 		goto refused;
+-- 
+2.45.0
--- a/patches/ask/upstream/README.md
+++ b/patches/ask/upstream/README.md
@@ -0,0 +1 @@
+This is for when vendor is already patching upstream source. And we are patching on top of it.
--- a/patches/ask/upstream/kernel/0005-driversnetethernetfreescalesdk_dpaa__dpaa_eth.h.patch
+++ b/patches/ask/upstream/kernel/0005-driversnetethernetfreescalesdk_dpaa__dpaa_eth.h.patch
--- a/patches/ask/upstream/kernel/0009-driversnetethernetfreescalesdk_dpaa__dpaa_eth_sg.c.patch
+++ b/patches/ask/upstream/kernel/0009-driversnetethernetfreescalesdk_dpaa__dpaa_eth_sg.c.patch
--- a/patches/ask/upstream/kernel/0062-driversnetppp__ppp_generic.c.patch
+++ b/patches/ask/upstream/kernel/0062-driversnetppp__ppp_generic.c.patch
--- a/patches/ask/upstream/kernel/0068-driversstagingfsl_qbman__qman_high.c.patch
+++ b/patches/ask/upstream/kernel/0068-driversstagingfsl_qbman__qman_high.c.patch
--- a/patches/ask/upstream/kernel/0071-includelinuxif_bridge.h.patch
+++ b/patches/ask/upstream/kernel/0071-includelinuxif_bridge.h.patch
--- a/patches/ask/upstream/kernel/0078-includenetxfrm.h.patch
+++ b/patches/ask/upstream/kernel/0078-includenetxfrm.h.patch
--- a/patches/ask/upstream/kernel/0086-includeuapilinuxnetfilternfnetlink_conntrack.h.patch
+++ b/patches/ask/upstream/kernel/0086-includeuapilinuxnetfilternfnetlink_conntrack.h.patch
--- a/patches/ask/upstream/kernel/0100-netbridgebr_private.h.patch
+++ b/patches/ask/upstream/kernel/0100-netbridgebr_private.h.patch
--- a/patches/ask/upstream/kernel/0103-netcoredev.c.patch
+++ b/patches/ask/upstream/kernel/0103-netcoredev.c.patch
--- a/patches/ask/upstream/kernel/0108-netipv4ip_output.c.patch
+++ b/patches/ask/upstream/kernel/0108-netipv4ip_output.c.patch
--- a/patches/ask/upstream/kernel/0112-netipv6ip6_output.c.patch
+++ b/patches/ask/upstream/kernel/0112-netipv6ip6_output.c.patch
--- a/patches/ask/upstream/kernel/0115-netipv6output_core.c.patch
+++ b/patches/ask/upstream/kernel/0115-netipv6output_core.c.patch
--- a/patches/ask/upstream/kernel/0119-netkeyaf_key.c.patch
+++ b/patches/ask/upstream/kernel/0119-netkeyaf_key.c.patch
--- a/patches/ask/upstream/kernel/0124-netnetfilternf_conntrack_netlink.c.patch
+++ b/patches/ask/upstream/kernel/0124-netnetfilternf_conntrack_netlink.c.patch
--- a/patches/ask/upstream/kernel/0129-netwirelessKconfig.patch
+++ b/patches/ask/upstream/kernel/0129-netwirelessKconfig.patch
--- a/patches/ask/upstream/kernel/0131-netxfrmMakefile.patch
+++ b/patches/ask/upstream/kernel/0131-netxfrmMakefile.patch
--- a/patches/ask/upstream/kernel/0136-netxfrmxfrm_policy.c.patch
+++ b/patches/ask/upstream/kernel/0136-netxfrmxfrm_policy.c.patch
--- a/patches/ask/upstream/kernel/0137-netxfrmxfrm_state.c.patch
+++ b/patches/ask/upstream/kernel/0137-netxfrmxfrm_state.c.patch
--- a/patches/ask/upstream/libnetfilter-conntrack/02-libnetfilter-conntrack-do-not-abort-on-unusable-nxp-attrs-v3.patch
+++ b/patches/ask/upstream/libnetfilter-conntrack/02-libnetfilter-conntrack-do-not-abort-on-unusable-nxp-attrs-v3.patch
@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mono <dev@mono>
+Date: Mon, 11 May 2026 00:00:00 +0900
+Subject: [PATCH] libnetfilter_conntrack: do not abort on unusable NXP attrs
+
+The NXP ASK extension patch teaches libnetfilter_conntrack about
+Comcerto/Layerscape fast-path and QoS conntrack attributes, but it also
+uses abi_breakage() when those attributes are present with a shape this
+userspace does not expect.
+
+That is too fragile for CMM. CMM dumps the global conntrack table, which
+can contain ordinary Kubernetes/Cilium conntrack entries alongside entries
+that are relevant to the NXP fast path. A single unexpected or
+unrepresentable vendor attribute must not abort the entire dump before CMM
+has a chance to ignore the entry.
+
+Keep unsupported attribute IDs ignored as before. For NXP fast-path/QoS
+attributes that fail validation or nested parsing, skip only that attribute
+or fast-path block and continue parsing the rest of the conntrack object.
+
+Signed-off-by: Mono <dev@mono>
+---
+ src/conntrack/parse_mnl.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/conntrack/parse_mnl.c b/src/conntrack/parse_mnl.c
+index 33f7824..0000000 100644
+--- a/src/conntrack/parse_mnl.c
+++ b/src/conntrack/parse_mnl.c
+@@ -873,16 +873,16 @@ nfct_parse_comcerto_fp_attr_cb(const struct nlattr *attr, void *data)
+ 	case CTA_COMCERTO_FP_IIF:
+ 	case CTA_COMCERTO_FP_UNDERLYING_IIF:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+-			abi_breakage();
+			return MNL_CB_OK;
+ 		break;
+ 	case CTA_COMCERTO_FP_UNDERLYING_VID:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0)
+-			abi_breakage();
+			return MNL_CB_OK;
+ 		break;
+ 	case CTA_COMCERTO_FP_XFRM_HANDLE:
+ 		/* 4 x u32 = 16 bytes */
+ 		if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC, 16) < 0)
+-			abi_breakage();
+			return MNL_CB_OK;
+ 		break;
+ 	}
+ 	tb[type] = attr;
+@@ -1024,11 +1024,11 @@ nfct_parse_conntrack_attr_cb(const struct nlattr *attr, void *data)
+ 	case CTA_LAYERSCAPE_FP_ORIG:
+ 	case CTA_LAYERSCAPE_FP_REPLY:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+-			abi_breakage();
+			return MNL_CB_OK;
+ 		break;
+ 	case CTA_QOSCONNMARK:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+-			abi_breakage();
+			return MNL_CB_OK;
+ 		break;
+ 	}
+ 	tb[type] = attr;
+@@ -1164,18 +1164,21 @@ nfct_payload_parse(const void *payload, size_t payload_len,
+ 
+ 	/* NXP ASK: Comcerto fast path and QoS */
+ 	if (tb[CTA_LAYERSCAPE_FP_ORIG]) {
+-		if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
+-					   __DIR_ORIG) < 0)
+-			return -1;
+		/*
+		 * Do not abort the entire conntrack dump if one fast-path
+		 * extension block cannot be represented by this userspace.
+		 */
+		nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
+					 __DIR_ORIG);
+ 	}
+ 
+ 	if (tb[CTA_LAYERSCAPE_FP_REPLY]) {
+-		if (nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
+-					   __DIR_REPL) < 0)
+-			return -1;
+		/* See CTA_LAYERSCAPE_FP_ORIG handling above. */
+		nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
+					 __DIR_REPL);
+ 	}
+ 
+ 	if (tb[CTA_QOSCONNMARK]) {
+ 		ct->qosconnmark = be64toh(mnl_attr_get_u64(tb[CTA_QOSCONNMARK]));
+ 		set_bit(ATTR_QOSCONNMARK, ct->head.set);
+ 	}
+-- 
+2.47.3
				`@@ -0,0 +1 @@`
				`This is for when vendor is already patching upstream source. And we are patching on top of it.`