cmm offload is now working

2026-05-14 07:29:45 +08:00
parent 1dab92663d
commit 839576a15f
6 changed files with 270 additions and 0 deletions
--- a/devtools/eth2-dhcp.yaml
+++ b/devtools/eth2-dhcp.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-lan-dhcp-config
+  namespace: mono-system
+data:
+  dnsmasq.conf: |
+    interface=eth2
+    bind-interfaces
+    dhcp-range=192.168.50.100,192.168.50.200,255.255.255.0,12h
+    dhcp-option=3,192.168.50.1
+    dhcp-option=6,1.1.1.1,8.8.8.8
+    log-dhcp
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: test-lan-dhcp
+  namespace: mono-system
+spec:
+  selector:
+    matchLabels:
+      app: test-lan-dhcp
+  template:
+    metadata:
+      labels:
+        app: test-lan-dhcp
+    spec:
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/hostname: monok8s-master
+      containers:
+      - name: dnsmasq
+        image: alpine:3.23
+        securityContext:
+          privileged: true
+        command:
+        - /bin/sh
+        - -c
+        - |
+          apk add --no-cache dnsmasq iproute2 iptables
+          ip addr replace 192.168.50.1/24 dev eth2
+          ip link set eth2 up
+          exec dnsmasq --no-daemon --conf-file=/etc/dnsmasq.conf
+        volumeMounts:
+        - name: config
+          mountPath: /etc/dnsmasq.conf
+          subPath: dnsmasq.conf
+      volumes:
+      - name: config
+        configMap:
+          name: test-lan-dhcp-config
--- a/docker/ask.Dockerfile
+++ b/docker/ask.Dockerfile
@@ -167,6 +167,19 @@ RUN cd /src/ASK && \
 	test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply --check && \
 	test ! -s /tmp/ask-module-patches.list || xargs -a /tmp/ask-module-patches.list git apply

+# Verify ct enum
+COPY scripts/check-ctenum/kernel_ctenum.c /src/check-ctenum/kernel_ctenum.c
+
+RUN cd /src/linux \
+ && make ARCH="${ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" \
+      headers_install INSTALL_HDR_PATH=/tmp/kernel-headers \
+ && cc -I/tmp/kernel-headers/include \
+      /src/check-ctenum/kernel_ctenum.c \
+      -o /tmp/kernel_ctenum \
+ && /tmp/kernel_ctenum | sort > /src/kernel_ctenum.txt
+
+COPY scripts/check-ctenum/libnfct_ctenum.c /src/check-ctenum/libnfct_ctenum.c
+
 # Build patched libnfnetlink + libnetfilter_conntrack into the musl sysroot.
 # These are needed by cmm through pkg-config.
 RUN mkdir -p "${ASK_DIR}/sources" && \
@@ -194,6 +207,15 @@ RUN mkdir -p "${ASK_DIR}/sources" && \
 		| sort > /tmp/libnfct-patches.list && \
 	test ! -s /tmp/libnfct-patches.list || xargs -a /tmp/libnfct-patches.list git apply --check && \
 	test ! -s /tmp/libnfct-patches.list || xargs -a /tmp/libnfct-patches.list git apply && \
+####### Ensure parities for KERNEL <-> libnfct's enum #######
+cd /src/libnetfilter_conntrack \
+&& cc -I. -I"${SYSROOT}/include" /src/check-ctenum/libnfct_ctenum.c -o /tmp/libnfct_ctenum \
+&& /tmp/libnfct_ctenum | sort > /tmp/libnfct_ctenum.txt \
+&& echo "libnfct conntrack enum values:" \
+&& cat /tmp/libnfct_ctenum.txt \
+&& echo "Comparing kernel/libnfct conntrack enum ABI:" \
+&& diff -u /src/kernel_ctenum.txt /tmp/libnfct_ctenum.txt && \
+####### End #######
 	PKG_CONFIG_PATH="${SYSROOT}/lib/pkgconfig" \
 	CC=aarch64-linux-musl-gcc AR=aarch64-linux-musl-ar RANLIB=aarch64-linux-musl-ranlib \
 	./configure --host="${HOST}" --prefix="${SYSROOT}" \
--- a/patches/ask/upstream/libnetfilter-conntrack/03-debug-messages-v2.patch
+++ b/patches/ask/upstream/libnetfilter-conntrack/03-debug-messages-v2.patch
@@ -0,0 +1,158 @@
+diff --git a/src/conntrack/parse_mnl.c b/src/conntrack/parse_mnl.c
+index 72abc67..941075a 100644
+--- a/src/conntrack/parse_mnl.c
+++ b/src/conntrack/parse_mnl.c
+@@ -13,6 +13,24 @@
+ #include <libmnl/libmnl.h>
+ #include <limits.h>
+ #include <endian.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+static void ask_nfct_dbg(const char *fmt, ...)
+{
+	FILE *f;
+	va_list ap;
+
+	f = fopen("/tmp/libnfct-cmm.log", "a");
+	if (!f)
+		return;
+
+	va_start(ap, fmt);
+	vfprintf(f, fmt, ap);
+	va_end(ap);
+
+	fclose(f);
+}
+ 
+ static int
+ nfct_parse_ip_attr_cb(const struct nlattr *attr, void *data)
+@@ -863,25 +881,44 @@ nfct_parse_comcerto_fp_attr_cb(const struct nlattr *attr, void *data)
+ 	const struct nlattr **tb = data;
+ 	int type = mnl_attr_get_type(attr);
+ 
+-	if (mnl_attr_type_valid(attr, CTA_COMCERTO_FP_MAX) < 0)
+-		return MNL_CB_OK;
+    ask_nfct_dbg("nested fp attr raw_type=0x%x type=%u len=%u payload_len=%u\n",
+            attr->nla_type, type, attr->nla_len,
+            mnl_attr_get_payload_len(attr));
+
+	if (mnl_attr_type_valid(attr, CTA_COMCERTO_FP_MAX) < 0) {
+        ask_nfct_dbg("nested fp attr type invalid raw_type=0x%x type=%u max=%u\n",
+                attr->nla_type, type, CTA_COMCERTO_FP_MAX);
+        return MNL_CB_OK;
+	}
+ 
+ 	switch(type) {
+ 	case CTA_COMCERTO_FP_MARK:
+ 	case CTA_COMCERTO_FP_IFINDEX:
+ 	case CTA_COMCERTO_FP_IIF:
+ 	case CTA_COMCERTO_FP_UNDERLYING_IIF:
+-		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+-			return MNL_CB_OK;
+		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
+            ask_nfct_dbg("nested fp attr U32 validation failed type=%u raw_type=0x%x len=%u payload_len=%u\n",
+                    type, attr->nla_type, attr->nla_len,
+                    mnl_attr_get_payload_len(attr));
+            return MNL_CB_OK;
+        }
+ 		break;
+ 	case CTA_COMCERTO_FP_UNDERLYING_VID:
+-		if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0)
+-			return MNL_CB_OK;
+		if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0) {
+            ask_nfct_dbg("nested fp attr U16 validation failed type=%u raw_type=0x%x len=%u payload_len=%u\n",
+                    type, attr->nla_type, attr->nla_len,
+                    mnl_attr_get_payload_len(attr));
+            return MNL_CB_OK;
+        }
+ 		break;
+ 	case CTA_COMCERTO_FP_XFRM_HANDLE:
+ 		/* 4 x u32 = 16 bytes */
+-		if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC, 16) < 0)
+-			return MNL_CB_OK;
+        if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC, 16) < 0) {
+            ask_nfct_dbg("nested fp attr XFRM validation failed type=%u raw_type=0x%x len=%u payload_len=%u\n",
+                    type, attr->nla_type, attr->nla_len,
+                    mnl_attr_get_payload_len(attr));
+            return MNL_CB_OK;
+        }
+ 		break;
+ 	}
+ 	tb[type] = attr;
+@@ -893,9 +930,23 @@ nfct_parse_comcerto_fp(const struct nlattr *attr, struct nf_conntrack *ct,
+ 		       int dir)
+ {
+ 	struct nlattr *tb[CTA_COMCERTO_FP_MAX+1] = {};
+-
+-	if (mnl_attr_parse_nested(attr, nfct_parse_comcerto_fp_attr_cb, tb) < 0)
+-		return -1;
+    ask_nfct_dbg("enter nfct_parse_comcerto_fp dir=%d outer_raw_type=0x%x outer_type=%u len=%u payload_len=%u\n",
+            dir, attr->nla_type, mnl_attr_get_type(attr),
+            attr->nla_len, mnl_attr_get_payload_len(attr));
+
+    if (mnl_attr_parse_nested(attr, nfct_parse_comcerto_fp_attr_cb, tb) < 0) {
+        ask_nfct_dbg("mnl_attr_parse_nested FAILED dir=%d\n", dir);
+        return -1;
+    }
+
+    ask_nfct_dbg("fp nested result dir=%d mark=%d ifindex=%d iif=%d underlying_iif=%d vid=%d xfrm=%d\n",
+            dir,
+            !!tb[CTA_COMCERTO_FP_MARK],
+            !!tb[CTA_COMCERTO_FP_IFINDEX],
+            !!tb[CTA_COMCERTO_FP_IIF],
+            !!tb[CTA_COMCERTO_FP_UNDERLYING_IIF],
+            !!tb[CTA_COMCERTO_FP_UNDERLYING_VID],
+            !!tb[CTA_COMCERTO_FP_XFRM_HANDLE]);
+ 
+ 	if (tb[CTA_COMCERTO_FP_IIF]) {
+ 		ct->fp_info[dir].iif =
+@@ -984,6 +1035,11 @@ nfct_parse_conntrack_attr_cb(const struct nlattr *attr, void *data)
+ {
+ 	const struct nlattr **tb = data;
+ 	int type = mnl_attr_get_type(attr);
+    if (type == CTA_LAYERSCAPE_FP_ORIG || type == CTA_LAYERSCAPE_FP_REPLY) {
+        ask_nfct_dbg("top fp attr raw_type=0x%x type=%u len=%u payload_len=%u\n",
+                attr->nla_type, type, attr->nla_len,
+                mnl_attr_get_payload_len(attr));
+    }
+ 
+ 	if (mnl_attr_type_valid(attr, CTA_MAX) < 0)
+ 		return MNL_CB_OK;
+@@ -1023,8 +1079,12 @@ nfct_parse_conntrack_attr_cb(const struct nlattr *attr, void *data)
+ 	/* NXP ASK: Comcerto fast path and QoS */
+ 	case CTA_LAYERSCAPE_FP_ORIG:
+ 	case CTA_LAYERSCAPE_FP_REPLY:
+-		if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+        if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0) {
+			ask_nfct_dbg("top fp attr nested validation failed raw_type=0x%x type=%u len=%u payload_len=%u\n",
+				     attr->nla_type, type, attr->nla_len,
+				     mnl_attr_get_payload_len(attr));
+ 			return MNL_CB_OK;
+		}
+ 		break;
+ 	case CTA_QOSCONNMARK:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+@@ -1168,12 +1228,22 @@ nfct_payload_parse(const void *payload, size_t payload_len,
+ 		 * Do not abort the entire conntrack dump if one fast-path
+ 		 * extension block cannot be represented by this userspace.
+ 		 */
+        ask_nfct_dbg("payload parse: saw CTA_LAYERSCAPE_FP_ORIG raw_type=0x%x type=%u len=%u payload_len=%u\n",
+                tb[CTA_LAYERSCAPE_FP_ORIG]->nla_type,
+                mnl_attr_get_type(tb[CTA_LAYERSCAPE_FP_ORIG]),
+                tb[CTA_LAYERSCAPE_FP_ORIG]->nla_len,
+                mnl_attr_get_payload_len(tb[CTA_LAYERSCAPE_FP_ORIG]));
+ 		nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_ORIG], ct,
+ 					 __DIR_ORIG);
+ 	}
+ 
+ 	if (tb[CTA_LAYERSCAPE_FP_REPLY]) {
+ 		/* See CTA_LAYERSCAPE_FP_ORIG handling above. */
+        ask_nfct_dbg("payload parse: saw CTA_LAYERSCAPE_FP_REPLY raw_type=0x%x type=%u len=%u payload_len=%u\n",
+                tb[CTA_LAYERSCAPE_FP_REPLY]->nla_type,
+                mnl_attr_get_type(tb[CTA_LAYERSCAPE_FP_REPLY]),
+                tb[CTA_LAYERSCAPE_FP_REPLY]->nla_len,
+                mnl_attr_get_payload_len(tb[CTA_LAYERSCAPE_FP_REPLY]));
+ 		nfct_parse_comcerto_fp(tb[CTA_LAYERSCAPE_FP_REPLY], ct,
+ 					 __DIR_REPL);
+ 	}
--- a/patches/ask/upstream/libnetfilter-conntrack/04-libnfct-add-missing-enum.patch
+++ b/patches/ask/upstream/libnetfilter-conntrack/04-libnfct-add-missing-enum.patch
@@ -0,0 +1,12 @@
+diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+index 418870a..510b5a8 100644
+--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+@@ -60,6 +60,7 @@ enum ctattr_type {
+ 	CTA_SYNPROXY,
+ 	CTA_FILTER,
+ 	CTA_STATUS_MASK,
+	CTA_TIMESTAMP_EVENT,
+ 	/* NXP ASK: Layerscape fast path attributes - order must match kernel! */
+ 	CTA_LAYERSCAPE_FP_ORIG,
+ 	CTA_LAYERSCAPE_FP_REPLY,
--- a/scripts/check-ctenum/kernel_ctenum.c
+++ b/scripts/check-ctenum/kernel_ctenum.c
@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
+
+int main(void)
+{
+	printf("CTA_TIMESTAMP_EVENT=%d\n", CTA_TIMESTAMP_EVENT);
+	printf("CTA_LAYERSCAPE_FP_ORIG=%d\n", CTA_LAYERSCAPE_FP_ORIG);
+	printf("CTA_LAYERSCAPE_FP_REPLY=%d\n", CTA_LAYERSCAPE_FP_REPLY);
+	printf("CTA_QOSCONNMARK=%d\n", CTA_QOSCONNMARK);
+	printf("CTA_QOSCONNMARK_PAD=%d\n", CTA_QOSCONNMARK_PAD);
+	printf("CTA_MAX=%d\n", CTA_MAX);
+	return 0;
+}
--- a/scripts/check-ctenum/libnfct_ctenum.c
+++ b/scripts/check-ctenum/libnfct_ctenum.c
@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include "include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h"
+
+int main(void)
+{
+	printf("CTA_TIMESTAMP_EVENT=%d\n", CTA_TIMESTAMP_EVENT);
+	printf("CTA_LAYERSCAPE_FP_ORIG=%d\n", CTA_LAYERSCAPE_FP_ORIG);
+	printf("CTA_LAYERSCAPE_FP_REPLY=%d\n", CTA_LAYERSCAPE_FP_REPLY);
+	printf("CTA_QOSCONNMARK=%d\n", CTA_QOSCONNMARK);
+	printf("CTA_QOSCONNMARK_PAD=%d\n", CTA_QOSCONNMARK_PAD);
+	printf("CTA_MAX=%d\n", CTA_MAX);
+	return 0;
+}