Fix SFE/conntrack race and HTB quantum warnings on IPQ9574 (#506)

* Flush SFE before conntrack deletes to fix double-free race on IPQ9574

When wansteer deletes conntrack entries (failover, config reload, reconcile,
shutdown), SFE may still hold offloaded fast-path references. SFE then tries
to clean up a stale path and hits a double-free, causing
"sfe_ipv4_remove_connection: Connection has been removed already" kernel errors.

Fix: flush SFE cache (IPv4 + IPv6) before every conntrack deletion. The order
SFE delete -> conntrack delete prevents the race. flushSFE() writes to
/sys/sfe_ipv4/flush and /sys/sfe_ipv6/flush, silently skipping on platforms
without SFE.

Covered paths:
- flushConntrackForMark (health failover, config reload, shutdown)
- Reconcile cycle (drift-detected rule rebuild)

* Replace misleading SFE sysfs test with idempotency test

TestFlushSFE_WritesToSysfs didn't actually call flushSFE() - it just
tested os.WriteFile on temp files. Replace with an idempotency test
that verifies multiple flushSFE calls are safe (relevant for
flushAllSteeredConntrack which calls it per-WAN).

* Change HTB minimum class rate from 64bit to 100kbit in Adaptive SQM

rate 64bit causes the kernel to log "HTB: quantum of class XXXXX is small"
warnings every time qdiscs are reapplied (every 5 minutes), generating ~21K
warnings per 3 hours in kern.log. This adds unnecessary eMMC write pressure
on the UniFi Cloud Gateway Fiber.

100kbit is still effectively zero guaranteed rate (classes borrow via ceil),
but produces a quantum of 1250 bytes with r2q 10, well above the warning
threshold. Also update the filter to match both 64bit (stock UniFi) and
100Kbit (after our update) as best-effort class markers.

Author: tvancott42

src/NetworkOptimizer.Sqm/ScriptGenerator.cs

@@ -568,8 +568,9 @@ local mem
         prio=$(echo ""$line"" | grep -o ""prio [0-9]*"" | awk '{print $2}')
         rate=$(echo ""$line"" | grep -o ""rate [0-9]*[a-zA-Z]*"" | awk '{print $2}')
 
-        # Skip classes with rate > 64bit (UniFi-configured classes)
-        if [ ""$rate"" != ""64bit"" ]; then
+        # Skip classes with a real guaranteed rate (UniFi-configured classes).
+        # Match 64bit (stock UniFi) and 100Kbit (after our update) as best-effort markers.
+        if [ ""$rate"" != ""64bit"" ] && [ ""$rate"" != ""100Kbit"" ]; then
             continue
         fi
 
@@ -585,9 +586,9 @@ tc qdisc change dev $device parent $classid handle $leaf_qdisc fq_codel limit $f
             fi
 
             if [ -n ""$prio"" ]; then
-                tc class change dev $device parent 1:1 classid $classid htb rate 64bit ceil ${new_rate}Mbit burst ${burst}b cburst ${burst}b prio $prio
+                tc class change dev $device parent 1:1 classid $classid htb rate 100kbit ceil ${new_rate}Mbit burst ${burst}b cburst ${burst}b prio $prio
             else
-                tc class change dev $device parent 1:1 classid $classid htb rate 64bit ceil ${new_rate}Mbit burst ${burst}b cburst ${burst}b
+                tc class change dev $device parent 1:1 classid $classid htb rate 100kbit ceil ${new_rate}Mbit burst ${burst}b cburst ${burst}b
             fi
         fi
     done

src/wansteer/main.go

@@ -132,6 +132,7 @@ func main() {
 			default:
 				slog.Info("shutdown signal received", "signal", sig)
 				removeRules()
+				// SFE flush happens inside flushAllSteeredConntrack via flushConntrackForMark
 				flushAllSteeredConntrack(cfg)
 				// Write final status
 				status := buildStatus(cfg, startedAt, lastReconcile, reconcileCount, health)
@@ -152,6 +153,10 @@ func main() {
 					"actual_rules", actual,
 					"jump_present", jumpOk,
 				)
+				// Flush SFE before rule changes: when rules are rebuilt,
+				// connections may shift WANs and SFE's offloaded paths
+				// become stale. Flushing prevents the double-free race.
+				flushSFE()
 				unhealthy := health.unhealthyWANs()
 				if err := reapplyRules(cfg, unhealthy); err != nil {
 					slog.Error("reconciliation failed", "error", err)

src/wansteer/rules.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log/slog"
 	"math"
+	"os"
 	"os/exec"
 	"strings"
 )
@@ -329,10 +330,34 @@ func activeTargetWANs(cfg *Config) map[string]bool {
 	return targets
 }
 
+// flushSFE flushes the Shortcut Forwarding Engine cache for both IPv4 and IPv6.
+// On Qualcomm IPQ9574 (UniFi Cloud Gateway Fiber), SFE offloads connections into
+// a kernel fast path. If conntrack deletes an entry before SFE releases it, SFE
+// hits a double-free race that causes "sfe_ipv4_remove_connection: Connection has
+// been removed already" kernel errors. Always call this BEFORE deleting conntrack
+// entries.
+func flushSFE() {
+	for _, path := range []string{"/sys/sfe_ipv4/flush", "/sys/sfe_ipv6/flush"} {
+		if err := os.WriteFile(path, []byte("1"), 0644); err != nil {
+			// Not an error: SFE may not be present on all platforms
+			slog.Debug("sfe flush skipped", "path", path, "error", err)
+		} else {
+			slog.Debug("sfe cache flushed", "path", path)
+		}
+	}
+}
+
 // flushConntrackForMark deletes all conntrack entries with the given WAN fwmark.
 // This forces existing connections to be re-routed through the default WAN
 // when their assigned WAN goes down.
+// Order is critical: SFE flush must happen before conntrack delete to avoid
+// the SFE double-free race on IPQ9574.
 func flushConntrackForMark(fwmark string) {
+	// Flush SFE first: SFE must release offloaded connections before conntrack
+	// deletes the tracking entry, otherwise SFE tries to clean up a path whose
+	// conntrack entry is already gone.
+	flushSFE()
+
 	// conntrack -D -m <mark> deletes entries matching the mark
 	// The mark includes the WAN bits in 0x7e0000, so we match on those
 	err := run("conntrack", "-D", "-m", fwmark)

src/wansteer/wansteer_test.go

@@ -639,3 +639,22 @@ func TestBuildStatus_PopulatesFields(t *testing.T) {
 		t.Errorf("expected 2 WAN health entries, got %d", len(status.WANHealth))
 	}
 }
+
+// ---------------------------------------------------------------------------
+// SFE flush
+// ---------------------------------------------------------------------------
+
+func TestFlushSFE_NoSysfs(t *testing.T) {
+	// flushSFE should not panic or error when /sys/sfe_ipv4/flush doesn't exist.
+	// On non-gateway hosts (dev machines, CI), the sysfs paths won't exist and
+	// the function should silently skip them.
+	flushSFE() // must not panic
+}
+
+func TestFlushSFE_Idempotent(t *testing.T) {
+	// Calling flushSFE multiple times should be safe (e.g. when
+	// flushAllSteeredConntrack calls flushConntrackForMark per-WAN).
+	flushSFE()
+	flushSFE()
+	// No panic, no error - global SFE flush is idempotent
+}