fix ecm

Author: Simon

PATCH/pkgs/sfev2/qca-nss-ecm/patches/0017-ecm-fix-notifiers-and-sysctl.patch

@@ -1,6 +1,6 @@
 --- a/ecm_db/ecm_db.c
 +++ b/ecm_db/ecm_db.c
-@@ -253,6 +253,40 @@ static struct file_operations ecm_db_def
+@@ -253,6 +253,56 @@ static struct file_operations ecm_db_def
  };
 
  /*
@@ -15,19 +15,35 @@
 +	case FIB_EVENT_ENTRY_REPLACE:
 +	case FIB_EVENT_ENTRY_DEL:
 +	case FIB_EVENT_ENTRY_ADD:
-+	case FIB_EVENT_RULE_ADD:
-+	case FIB_EVENT_RULE_DEL:
-+		if (info->family == AF_INET) {
-+			DEBUG_TRACE("FIB IPv4 event %lu, flushing v4 connections\n", event);
-+			ecm_db_connection_defunct_ip_version(4);
++		if ((info->family == AF_INET) && ecm_db_ipv4_route_enable) {
++			struct fib_entry_notifier_info *fen_info = (struct fib_entry_notifier_info *)ptr;
++			ip_addr_t subnet_addr;
++			ECM_NIN4_ADDR_TO_IP_ADDR(subnet_addr, fen_info->dst);
++			DEBUG_TRACE("FIB IPv4 event %lu, flushing subnet %pI4/%d\n", event, &fen_info->dst, fen_info->dst_len);
++			ecm_db_connection_defunct_by_ip_subnet(4, subnet_addr, fen_info->dst_len);
 +		}
 +#ifdef ECM_IPV6_ENABLE
-+		else if (info->family == AF_INET6) {
++		else if ((info->family == AF_INET6) && ecm_db_ipv6_route_enable) {
++			/*
++			 * For IPv6, we currently flush all connections as accessing
++			 * the specific subnet details from fib6_entry_notifier_info
++			 * across kernel versions is complex.
++			 */
 +			DEBUG_TRACE("FIB IPv6 event %lu, flushing v6 connections\n", event);
 +			ecm_db_connection_defunct_ip_version(6);
 +		}
 +#endif
 +		break;
++
++	case FIB_EVENT_RULE_ADD:
++	case FIB_EVENT_RULE_DEL:
++		/* Rules affect global routing policy, so we flush all */
++		if ((info->family == AF_INET) && ecm_db_ipv4_route_enable) {
++			ecm_db_connection_defunct_ip_version(4);
++		} else if ((info->family == AF_INET6) && ecm_db_ipv6_route_enable) {
++			ecm_db_connection_defunct_ip_version(6);
++		}
++		break;
 +	}
 +
 +	return NOTIFY_DONE;
@@ -41,68 +57,76 @@
   * ecm_db_ipv4_route_table_update_event()
   *	This is a call back for "routing table update event for IPv4".
   */
-@@ -565,7 +599,7 @@ static int ecm_db_ipv4_route_handler(con
+@@ -565,19 +615,13 @@ static int ecm_db_ipv4_route_handler(con
 
  	if (ecm_db_ipv4_route_enable) {
  		ecm_front_end_ipv4_stop_temp(1);
 -		ret = ip_rt_register_notifier(&ecm_db_iproute_table_update_nb);
-+		ret = register_fib_notifier(&init_net, &ecm_fib_notifier, NULL, NULL);
- 		if (ret) {
- 			DEBUG_ERROR("Could not register for the IPV4 routing events error:%d\n", ret);
- 		}
-@@ -574,10 +608,7 @@ static int ecm_db_ipv4_route_handler(con
+-		if (ret) {
+-			DEBUG_ERROR("Could not register for the IPV4 routing events error:%d\n", ret);
+-		}
++		/* Notifier already registered in init */
+ 		ecm_front_end_ipv4_stop_temp(0);
+ 		return ret;
  	}
 
  	ecm_front_end_ipv4_stop_temp(1);
 -	ret = ip_rt_unregister_notifier(&ecm_db_iproute_table_update_nb);
 -	if (ret) {
 -		DEBUG_ERROR("Could not unregister for the IPV4 routing events error:%d\n", ret);
 -	}
-+	unregister_fib_notifier(&init_net, &ecm_fib_notifier);
++	/* Notifier managed in init/exit */
  	ecm_front_end_ipv4_stop_temp(0);
 
  	return ret;
-@@ -626,7 +657,7 @@ static int ecm_db_ipv6_route_handler(con
+@@ -626,19 +670,13 @@ static int ecm_db_ipv6_route_handler(con
 
  	if (ecm_db_ipv6_route_enable) {
  		ecm_front_end_ipv6_stop_temp(1);
 -		ret = rt6_register_notifier(&ecm_db_ip6route_table_update_nb);
-+		ret = 0; /* rt6_register_notifier removed, using shared fib_notifier */
- 		if (ret) {
- 			DEBUG_ERROR("Could not register for the IPV6 routing events error:%d\n", ret);
- 		}
-@@ -635,10 +666,7 @@ static int ecm_db_ipv6_route_handler(con
+-		if (ret) {
+-			DEBUG_ERROR("Could not register for the IPV6 routing events error:%d\n", ret);
+-		}
++		/* Notifier already registered in init (shared fib_notifier) */
+ 		ecm_front_end_ipv6_stop_temp(0);
+ 		return ret;
  	}
 
  	ecm_front_end_ipv6_stop_temp(1);
 -	ret = rt6_unregister_notifier(&ecm_db_ip6route_table_update_nb);
 -	if (ret) {
 -		DEBUG_ERROR("Could not unregister for the IPV6 routing events error:%d\n", ret);
 -	}
-+	/* rt6_unregister_notifier removed, managed by fib_notifier */
++	/* Notifier managed in init/exit (shared fib_notifier) */
  	ecm_front_end_ipv6_stop_temp(0);
 
  	return ret;
-@@ -752,7 +780,8 @@ int ecm_db_init(struct dentry *dentry)
+@@ -751,20 +789,13 @@ int ecm_db_init(struct dentry *dentry)
+ 	/*
  	 * register for route table modification events
  	 */
- 	if (ecm_db_ipv4_route_enable) {
+-	if (ecm_db_ipv4_route_enable) {
 -		ret = ip_rt_register_notifier(&ecm_db_iproute_table_update_nb);
-+		/* Register FIB notifier (covers v4 and v6) */
-+		ret = register_fib_notifier(&init_net, &ecm_fib_notifier, NULL, NULL);
- 		if (ret) {
- 			DEBUG_ERROR("Could not register for the IPV4 routing events error:%d\n", ret);
- 		}
-@@ -760,7 +789,7 @@ int ecm_db_init(struct dentry *dentry)
+-		if (ret) {
+-			DEBUG_ERROR("Could not register for the IPV4 routing events error:%d\n", ret);
+-		}
++	ret = register_fib_notifier(&init_net, &ecm_fib_notifier, NULL, NULL);
++	if (ret) {
++		DEBUG_ERROR("Could not register for the routing events error:%d\n", ret);
+ 	}
 
  #ifdef ECM_IPV6_ENABLE
- 	if (ecm_db_ipv6_route_enable) {
+-	if (ecm_db_ipv6_route_enable) {
 -		ret = rt6_register_notifier(&ecm_db_ip6route_table_update_nb);
-+		/* rt6_register_notifier is gone, managed by fib_notifier */
- 		if (ret) {
- 			DEBUG_ERROR("Could not register for the IPV6 routing events error:%d\n", ret);
- 		}
-@@ -800,18 +829,12 @@ void ecm_db_exit(void)
+-		if (ret) {
+-			DEBUG_ERROR("Could not register for the IPV6 routing events error:%d\n", ret);
+-		}
+-	}
++	/* IPv6 notifier handled by shared fib_notifier */
+ #endif
+ 	return ret;
+ 
+@@ -800,19 +831,11 @@ void ecm_db_exit(void)
  	 * unregister for route table update events only if registered.
  	 */
  	if (ecm_db_ipv4_route_enable) {
@@ -114,60 +138,128 @@
  	}
 
  #ifdef ECM_IPV6_ENABLE
- 	if (ecm_db_ipv6_route_enable) {
+-	if (ecm_db_ipv6_route_enable) {
 -		ret = rt6_unregister_notifier(&ecm_db_ip6route_table_update_nb);
 -		if (ret) {
 -			DEBUG_ERROR("Could not unregister for the IPV6 routing events error:%d\n", ret);
 -		}
-+		/* managed by fib_notifier */
- 	}
+-	}
++	/* IPv6 notifier handled by shared fib_notifier */
  #endif
  	ecm_db_connection_defunct_all();
+ 
+--- a/ecm_db/ecm_db_connection.c
++++ b/ecm_db/ecm_db_connection.c
+@@ -5360,3 +5360,50 @@ void ecm_db_connection_exit(void)
+ 		unregister_sysctl_table(ecm_db_connection_ctl_table_header);
+ 	}
+ }
++
++/*
++ * ecm_db_connection_defunct_by_ip_subnet()
++ *Defunct connections that match the destination subnet.
++ */
++void ecm_db_connection_defunct_by_ip_subnet(int ip_version, ip_addr_t addr, int mask_len)
++{
++struct ecm_db_connection_instance *ci;
++uint32_t mask[4] = {0, 0, 0, 0};
++
++DEBUG_INFO("Defuncting IPv%d connections for subnet mask len %d\n", ip_version, mask_len);
++
++/* Generate mask */
++if (ip_version == 4) {
++if (mask_len > 32) mask_len = 32;
++if (mask_len > 0) mask[0] = (0xffffffff << (32 - mask_len));
++}
++// IPv6 mask generation omitted
++
++/*
++ * Iterate all connections
++ */
++ci = ecm_db_connections_get_and_ref_first();
++while (ci) {
++struct ecm_db_connection_instance *cin;
++bool match = false;
++
++if (ci->ip_version == ip_version) {
++ip_addr_t dst_addr;
++ecm_db_connection_address_get(ci, ECM_DB_OBJ_DIR_TO, dst_addr);
++// Apply mask to a[0] (assuming v4)
++if (ip_version == 4 && (dst_addr[0] & mask[0]) == (addr[0] & mask[0])) {
++match = true;
++}
++}
++
++if (match) {
++DEBUG_TRACE("%px: defunct (subnet match)\n", ci);
++ecm_db_connection_make_defunct(ci);
++}
++
++cin = ecm_db_connection_get_and_ref_next(ci);
++ecm_db_connection_deref(ci);
++ci = cin;
++}
++}
++EXPORT_SYMBOL(ecm_db_connection_defunct_by_ip_subnet);
+--- a/ecm_db/ecm_db_connection.h
++++ b/ecm_db/ecm_db_connection.h
+@@ -400,6 +400,8 @@ void ecm_db_connection_defunct_all(void)
+ void ecm_db_connection_defunct_by_port(int port, ecm_db_obj_dir_t dir);
+ void ecm_db_connection_defunct_by_protocol(int protocol);
+ void ecm_db_connection_defunct_ip_version(int ip_version);
++void ecm_db_connection_defunct_by_ip_subnet(int ip_version, ip_addr_t addr, int mask_len);
++void ecm_db_connection_defunct_by_ip_subnet(int ip_version, ip_addr_t addr, int mask_len);
+ 
+ struct ecm_db_connection_instance *ecm_db_connection_serial_find_and_ref(uint32_t serial);
+ struct ecm_db_connection_instance *ecm_db_connection_find_and_ref(ip_addr_t host1_addr,
 --- a/ecm_interface.c
 +++ b/ecm_interface.c
-@@ -10111,6 +10111,27 @@ static int ecm_interface_netevent_callba
+@@ -10111,6 +10111,30 @@ static int ecm_interface_netevent_callba
  	if (neigh->nud_state & NUD_FAILED) {
  		DEBUG_TRACE("NUD_FAILED for mac=%pM nud_state : 0x%x", neigh->ha, neigh->nud_state);
  		ecm_interface_node_connections_defunct_by_type(neigh->ha, ECM_DB_IP_VERSION_IGNORE, ECM_DB_CONNECTION_DEFUNCT_TYPE_ARP_DELETE);
 +	} else {
 +		/*
 +		 * Neighbour update event (Kernel 6.12 adaptation)
-+		 * Check if MAC address changed for this neighbor.
-+		 * Since standard netevent doesn't give us the old MAC, 
-+		 * and we can't easily look up connections by IP without the old MAC,
-+		 * we take a safe approach:
-+		 * If the neighbor is reachable/stale (valid), verify that
-+		 * connections using this IP actually match this MAC.
-+		 * 
-+		 * Ideally, we would use ecm_db_host_connections_defunct_by_ip(), 
-+		 * but since that API is missing, we must rely on NUD_FAILED handling 
-+		 * or implement a full IP-based lookup scan. 
-+		 * 
-+		 * For now, this patch assumes that a significant MAC change 
-+		 * will likely cause a NUD_FAILED transition or a new ARP resolution 
-+		 * that might trigger other events.
-+		 * 
-+		 * TODO: Implement true IP-based flush if strict MAC migration is needed.
-+		 * Note: neigh_mac_update_register_notify is removed in 6.12+
++		 * Reliable MAC roaming: Flush connections for this IP to force re-resolution.
 +		 */
++		ip_addr_t addr;
++		bool is_v4 = (neigh->tbl->family == AF_INET);
++		
++		if (is_v4) {
++			uint32_t val;
++			memcpy(&val, neigh->primary_key, sizeof(val));
++			ECM_NIN4_ADDR_TO_IP_ADDR(addr, val);
++		} else {
++			struct in6_addr v6;
++			memcpy(&v6, neigh->primary_key, sizeof(v6));
++			ECM_NIN6_ADDR_TO_IP_ADDR(addr, v6);
++		}
++
++		DEBUG_TRACE("Neigh update for %pI4/%pI6, flushing connections\n", 
++				is_v4 ? neigh->primary_key : NULL, 
++				is_v4 ? NULL : neigh->primary_key);
++
++		ecm_db_host_connections_defunct_by_dir(addr, ECM_DB_OBJ_DIR_FROM);
++		ecm_db_host_connections_defunct_by_dir(addr, ECM_DB_OBJ_DIR_TO);
  	}
 
  	return NOTIFY_DONE;
-@@ -10182,7 +10203,7 @@ int ecm_interface_init(void)
+@@ -10182,7 +10206,7 @@ int ecm_interface_init(void)
  	}
  #endif
  #ifdef ECM_DB_XREF_ENABLE
 -	neigh_mac_update_register_notify(&ecm_interface_neigh_mac_update_nb);
-+	/* neigh_mac_update_register_notify(&ecm_interface_neigh_mac_update_nb); - Removed in Kernel 6.12 */
++// 	neigh_mac_update_register_notify(&ecm_interface_neigh_mac_update_nb);
  #endif
  #ifdef ECM_INTERFACE_OVS_BRIDGE_ENABLE
  	ovsmgr_notifier_register(&ecm_interface_ovs_notifier);
-@@ -10213,7 +10234,7 @@ void ecm_interface_exit(void)
+@@ -10213,7 +10237,7 @@ void ecm_interface_exit(void)
 
  	unregister_netdevice_notifier(&ecm_interface_netdev_notifier);
  #ifdef ECM_DB_XREF_ENABLE
 -	neigh_mac_update_unregister_notify(&ecm_interface_neigh_mac_update_nb);
-+	/* neigh_mac_update_unregister_notify(&ecm_interface_neigh_mac_update_nb); - Removed in Kernel 6.12 */
++//	neigh_mac_update_unregister_notify(&ecm_interface_neigh_mac_update_nb);
  #endif
 
  #if defined(ECM_DB_XREF_ENABLE) && defined(ECM_BAND_STEERING_ENABLE)