shortcut-fe: update to QSDK11.4 HEAD (#7832)

2025-04-16 04:13:31 +00:00 · 2021-09-09 00:42:58 +08:00 · 2021-09-09 00:42:58 +08:00 · 4e1354dc49
commit 4e1354dc49
parent 52c8a137ac
18 changed files with 321 additions and 137 deletions
--- a/package/lean/luci-app-turboacc/Makefile
+++ b/package/lean/luci-app-turboacc/Makefile
@ -16,7 +16,8 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_DNSFORWARDER \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_DNSPROXY \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_OFFLOADING \
-	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE
+	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE \
+	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE_DRV
 	
 LUCI_TITLE:=LuCI support for Flow Offload / Shortcut-FE
 LUCI_PKGARCH:=all
@ -25,7 +26,8 @@ LUCI_DEPENDS:=+pdnsd-alt \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_DNSFORWARDER:dnsforwarder \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_DNSPROXY:dnsproxy \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_OFFLOADING:kmod-ipt-offload \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE:kmod-fast-classifier
+	+PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE:kmod-shortcut-fe-cm \
+	+PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE_DRV:kmod-shortcut-fe-drv

 define Package/$(PKG_NAME)/config
 config PACKAGE_$(PKG_NAME)_INCLUDE_OFFLOADING
@ -33,6 +35,11 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_OFFLOADING
 	depends on PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE=n
 	default y if i386||x86_64||TARGET_ramips

+config PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE_DRV
+	bool "Include Shortcut-FE for ECM"
+	depends on PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE=n
+	default y if (TARGET_ipq806x||TARGET_ipq807x)
+
 config PACKAGE_$(PKG_NAME)_INCLUDE_SHORTCUT_FE
 	bool "Include Shortcut-FE"
 	default y if !(TARGET_ipq806x||TARGET_ipq807x||TARGET_ramips)
--- a/package/lean/luci-app-turboacc/luasrc/model/cbi/turboacc.lua
+++ b/package/lean/luci-app-turboacc/luasrc/model/cbi/turboacc.lua
@ -24,25 +24,13 @@ hw_flow.description = translate("Requires hardware NAT support. Implemented at l
 hw_flow:depends("sw_flow", 1)
 end

-if nixio.fs.access("/lib/modules/" .. kernel_version .. "/fast-classifier.ko") then
+if nixio.fs.access("/lib/modules/" .. kernel_version .. "/shortcut-fe-cm.ko") then
 sfe_flow = s:option(Flag, "sfe_flow", translate("Shortcut-FE flow offloading"))
 sfe_flow.default = 0
 sfe_flow.description = translate("Shortcut-FE based offloading for routing/NAT")
 sfe_flow:depends("sw_flow", 0)
 end

-sfe_bridge = s:option(Flag, "sfe_bridge", translate("Bridge Acceleration"))
-sfe_bridge.default = 0
-sfe_bridge.description = translate("Enable Bridge Acceleration (may be functional conflict with bridge-mode VPN server)")
-sfe_bridge:depends("sfe_flow", 1)
-
-if nixio.fs.access("/proc/sys/net/ipv6") then
-sfe_ipv6 = s:option(Flag, "sfe_ipv6", translate("IPv6 Acceleration"))
-sfe_ipv6.default = 0
-sfe_ipv6.description = translate("Enable IPv6 Acceleration")
-sfe_ipv6:depends("sfe_flow", 1)
-end
-
 if nixio.fs.access("/lib/modules/" .. kernel_version .. "/tcp_bbr.ko") then
 bbr_cca = s:option(Flag, "bbr_cca", translate("BBR CCA"))
 bbr_cca.default = 0
--- a/package/lean/luci-app-turboacc/root/etc/config/turboacc
+++ b/package/lean/luci-app-turboacc/root/etc/config/turboacc
@ -3,8 +3,6 @@ config turboacc 'config'
 	option sw_flow '1'
 	option hw_flow '1'
 	option sfe_flow '1'
-	option sfe_bridge '1'
-	option sfe_ipv6 '0'
 	option fullcone_nat '1'
 	option bbr_cca '0'
 	option dns_caching '0'
--- a/package/lean/luci-app-turboacc/root/etc/init.d/turboacc
+++ b/package/lean/luci-app-turboacc/root/etc/init.d/turboacc
@ -15,8 +15,6 @@ inital_conf(){
 	config_get "sw_flow" "config" "sw_flow" "0"
 	config_get "hw_flow" "config" "hw_flow" "0"
 	config_get "sfe_flow" "config" "sfe_flow" "0"
-	config_get "sfe_bridge" "config" "sfe_bridge" "0"
-	config_get "sfe_ipv6" "config" "sfe_ipv6" "0"
 	config_get "bbr_cca" "config" "bbr_cca" "0"
 	config_get "fullcone_nat" "config" "fullcone_nat" "0"
 	config_get "dns_caching" "config" "dns_caching" "0"
@ -24,7 +22,7 @@ inital_conf(){
 	config_get "dns_caching_dns" "config" "dns_caching_dns"

 	[ ! -e "/lib/modules/$(uname -r)/xt_FLOWOFFLOAD.ko" ] && { sw_flow="0"; hw_flow="0"; }
-	[ ! -e "/lib/modules/$(uname -r)/fast-classifier.ko" ] && { sfe_flow="0"; sfe_bridge="0"; sfe_ipv6="0"; }
+	[ ! -e "/lib/modules/$(uname -r)/shortcut-fe-cm.ko" ] && sfe_flow="0"
 	[ ! -e "/lib/modules/$(uname -r)/tcp_bbr.ko" ] && bbr_cca="0"
 	[ ! -e "/lib/modules/$(uname -r)/xt_FULLCONENAT.ko" ] && fullcone_nat="0"
 }
@ -233,13 +231,10 @@ start(){
 	uci commit firewall

 	[ "${sw_flow}" -ne "1" ] && [ "${sfe_flow}" -eq "1" ] && {
-		lsmod | grep -q fast_classifier || modprobe fast_classifier 2>"/dev/null"
-		echo "${sfe_bridge}" > "/sys/fast_classifier/skip_to_bridge_ingress" 2>"/dev/null"
-		if [ "${sfe_ipv6}" -eq "1" ]; then
-			[ ! -e "/dev/sfe_ipv6" ] && mknod "/dev/sfe_ipv6" "c" "$(cat "/sys/sfe_ipv6/debug_dev")" "0"
-		else
-			rm -f "/dev/sfe_ipv6"
-		fi
+		[ "$(have_ecm_init)" = "0" ] && {
+			/etc/init.d/shortcut-fe enabled && /etc/init.d/shortcut-fe disable
+			/etc/init.d/shortcut-fe start
+		}
 	}

 	if [ "${bbr_cca}" -eq "1" ];  then
@ -283,9 +278,7 @@ stop(){
 	uci commit firewall

 	[ "${sfe_flow}" -ne "1" ] && {
-		echo "0" > "/sys/fast_classifier/skip_to_bridge_ingress" 2>"/dev/null"
-		rm -f "/dev/sfe_ipv6"
-		rmmod "fast_classifier" 2>"/dev/null"
+		[ "$(have_ecm_init)" = "0" ] && /etc/init.d/shortcut-fe stop 2>"/dev/null"
 	}

 	stop_dnscache
@ -305,6 +298,10 @@ restart(){
 	/etc/init.d/firewall restart >"/dev/null" 2>&1
 }

+have_ecm_init() {
+	[ -d "/etc/init.d/qca-nss-ecm" ] && echo 1 && return
+	echo 0
+}

 check_status(){
 	case "$1" in
@ -313,9 +310,14 @@ check_status(){
 			echo -n "Flow Offloading"
 			exit 0
 		elif lsmod | grep -q "ecm"; then
-			echo -n "QCA-NSS-ECM"
-			exit 0
-		elif lsmod | grep -q "fast_classifier"; then
+			if lsmod | grep -q "shortcut_fe_drv"; then
+				echo -n "QCA-NSS-ECM-SFE"
+				exit 0
+			else
+				echo -n "QCA-NSS-ECM"
+				exit 0
+			fi
+		elif lsmod | grep -q "shortcut_fe_cm"; then
 			echo -n "Shortcut-FE"
 			exit 0
 		else
--- a/package/lean/shortcut-fe/fast-classifier/Makefile
+++ b/package/lean/shortcut-fe/fast-classifier/Makefile
@ -1,3 +1,17 @@
+#
+# Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
+# Permission to use, copy, modify, and/or distribute this software for
+# any purpose with or without fee is hereby granted, provided that the
+# above copyright notice and this permission notice appear in all copies.
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+ 
 include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk

@ -14,8 +28,11 @@ define KernelPackage/$(PKG_NAME)/Default
  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
  TITLE:=Kernel driver for FAST Classifier
  FILES:=$(PKG_BUILD_DIR)/fast-classifier.ko
-  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y CONFIG_NF_CONNTRACK_MARK=y
-  PROVIDES:=$(PKG_NAME)
+  KCONFIG:=CONFIG_NF_CONNTRACK_EVENTS=y \
+  	   CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y \
+  	   CONFIG_NF_CONNTRACK_MARK=y \
+  	   CONFIG_XFRM=y
+  CONFLICTS:=kmod-shortcut-fe-drv kmod-shortcut-fe-cm
 endef

 define KernelPackage/$(PKG_NAME)
@ -51,6 +68,8 @@ classifier kernel module
 endef

 SFE_MAKE_OPTS:=SFE_SUPPORT_IPV6=$(if $(CONFIG_IPV6),y,n)
+HAVE_ECM:=$(CONFIG_PACKAGE_kmod-qca-nss-ecm-premium)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-noload)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-premium-noload)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-standard)
+

 define Build/Compile/kmod
 	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" $(SFE_MAKE_OPTS) \
@ -58,6 +77,7 @@ define Build/Compile/kmod
 		$(PKG_MAKE_FLAGS) \
 		M="$(PKG_BUILD_DIR)" \
 		CONFIG_FAST_CLASSIFIER=m \
+		$(if $(HAVE_ECM),EXTRA_CFLAGS+="-DCONFIG_SFE_ECM" CONFIG_SFE_ECM=y,) \
 		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
 		modules
 endef
--- a/package/lean/shortcut-fe/fast-classifier/src/fast-classifier.c
+++ b/package/lean/shortcut-fe/fast-classifier/src/fast-classifier.c
@ -1744,8 +1744,11 @@ static int __init fast_classifier_init(void)
 {
 	struct fast_classifier *sc = &__sc;
 	int result = -1;
+#ifdef CONFIG_SFE_ECM
+	int (*fast_recv)(struct sk_buff *skb);
+#endif

-	printk(KERN_ALERT "fast-classifier (PBR safe v2.1.4a): starting up\n");
+	printk(KERN_ALERT "fast-classifier: starting up\n");
 	DEBUG_INFO("SFE CM init\n");

 	hash_init(fc_conn_ht);
@ -1810,6 +1813,7 @@ static int __init fast_classifier_init(void)
 		goto exit3;
 	}

+#ifdef CONFIG_NF_CONNTRACK_EVENTS
 	/*
 	 * Register a notifier hook to get fast notifications of expired connections.
 	 */
@ -1817,12 +1821,14 @@ static int __init fast_classifier_init(void)
 	result = nf_conntrack_register_chain_notifier(&init_net, &fast_classifier_conntrack_notifier);
 #else
 	result = nf_conntrack_register_notifier(&init_net, &fast_classifier_conntrack_notifier);
+#endif
 	if (result < 0) {
 		DEBUG_ERROR("can't register nf notifier hook: %d\n", result);
 		goto exit4;
 	}
 #endif

+
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
 	result = genl_register_family(&fast_classifier_gnl_family);
 	if (result) {
@ -1865,7 +1871,16 @@ static int __init fast_classifier_init(void)
 	/*
 	 * Hook the receive path in the network stack.
 	 */
+#ifdef CONFIG_SFE_ECM
+	rcu_read_lock();
+	fast_recv = rcu_dereference(athrs_fast_nat_recv);
+	rcu_read_unlock();
+	if (!fast_recv) {
+		BUG_ON(athrs_fast_nat_recv);
+	}
+#else
 	BUG_ON(athrs_fast_nat_recv);
+#endif
 	RCU_INIT_POINTER(athrs_fast_nat_recv, fast_classifier_recv);

 	/*
@ -1974,3 +1989,4 @@ module_exit(fast_classifier_exit)

 MODULE_DESCRIPTION("Shortcut Forwarding Engine - Connection Manager");
 MODULE_LICENSE("Dual BSD/GPL");
+
--- a/package/lean/shortcut-fe/shortcut-fe/Makefile
+++ b/package/lean/shortcut-fe/shortcut-fe/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014 The Linux Foundation. All rights reserved.
+# Copyright (c) 2013-2018, 2020 The Linux Foundation. All rights reserved.
 # Permission to use, copy, modify, and/or distribute this software for
 # any purpose with or without fee is hereby granted, provided that the
 # above copyright notice and this permission notice appear in all copies.
@ -31,7 +31,7 @@ define KernelPackage/shortcut-fe
 	   CONFIG_NF_CONNTRACK_TIMEOUT=y \
 	   CONFIG_SHORTCUT_FE=y \
 	   CONFIG_XFRM=y
-  AUTOLOAD:=$(call AutoLoad,09,shortcut-fe shortcut-fe-ipv6)
+  PROVIDES:=$(PKG_NAME)
 endef

 define KernelPackage/shortcut-fe/Description
@ -39,10 +39,14 @@ Shortcut is an in-Linux-kernel IP packet forwarding engine.
 endef

 define KernelPackage/shortcut-fe/install
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/shortcut-fe $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) ./files/usr/bin/sfe_dump $(1)/usr/bin
 endef

+HAVE_ECM:=$(CONFIG_PACKAGE_kmod-qca-nss-ecm-premium)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-noload)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-premium-noload)$(CONFIG_PACKAGE_kmod-qca-nss-ecm-standard)
+
 define KernelPackage/shortcut-fe-cm
  SECTION:=kernel
  CATEGORY:=Kernel modules
@ -50,7 +54,10 @@ define KernelPackage/shortcut-fe-cm
  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
  TITLE:=Kernel driver for SFE
  FILES:=$(PKG_BUILD_DIR)/shortcut-fe-cm.ko
-  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y
+  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y \
+  	   CONFIG_NF_CONNTRACK_EVENTS=y \
+  	   CONFIG_XFRM=y
+  CONFLICTS:=kmod-shortcut-fe-drv
 endef

 define KernelPackage/shortcut-fe-cm/Description
@ -58,12 +65,13 @@ Simple connection manager for the Shortcut forwarding engine.
 endef

 define Build/Compile
-	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
+	$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
 		$(KERNEL_MAKE_FLAGS) \
 		$(PKG_MAKE_FLAGS) \
 		M="$(PKG_BUILD_DIR)" \
-		modules \
-		$(if $(CONFIG_IPV6),EXTRA_CFLAGS="-DSFE_SUPPORT_IPV6" SFE_SUPPORT_IPV6=y,)
+		$(if $(CONFIG_IPV6),EXTRA_CFLAGS+="-DSFE_SUPPORT_IPV6" SFE_SUPPORT_IPV6=y,) \
+		$(if $(HAVE_ECM),EXTRA_CFLAGS+="-DCONFIG_SFE_ECM" CONFIG_SFE_ECM=y,) \
+		modules
 endef

 ifneq ($(CONFIG_PACKAGE_kmod-shortcut-fe)$(CONFIG_PACKAGE_kmod-shortcut-fe-cm),)
--- a/package/lean/shortcut-fe/shortcut-fe/files/etc/init.d/shortcut-fe
+++ b/package/lean/shortcut-fe/shortcut-fe/files/etc/init.d/shortcut-fe
@ -0,0 +1,57 @@
+#!/bin/sh /etc/rc.common
+#
+# Copyright (c) 2014-2015 The Linux Foundation. All rights reserved.
+# Permission to use, copy, modify, and/or distribute this software for
+# any purpose with or without fee is hereby granted, provided that the
+# above copyright notice and this permission notice appear in all copies.
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+#SFE connection manager has a lower priority, it should be started after other connection manager
+#to detect the existence of connection manager with higher priority
+START=72
+
+have_cm() {
+	[ -d "/sys/kernel/debug/ecm" ] && echo 1 && return
+
+	echo 0
+}
+
+load_sfe() {
+        [ -d "/sys/module/shortcut_fe" ] || insmod shortcut-fe
+        [ -d "/sys/module/shortcut_fe_ipv6" ] || insmod shortcut-fe-ipv6
+}
+
+#load shortcut-fe connection manager
+load_sfe_cm() {
+	local kernel_version=$(uname -r)
+
+	#no ecm :
+	#shortcut-fe-drv.ko is not needed because other connection manager is not enabled
+	[ -d "/sys/module/shortcut_fe_drv" ] && rmmod shortcut_fe_drv
+
+	[ -e "/lib/modules/$kernel_version/shortcut-fe-cm.ko" ] && {
+		[ -d /sys/module/shortcut_fe_cm ] || insmod /lib/modules/$kernel_version/shortcut-fe-cm.ko
+	}
+	[ -e "/lib/modules/$kernel_version/fast-classifier.ko" ] && {
+		[ -d /sys/module/fast_classifier ] || insmod /lib/modules/$kernel_version/fast-classifier.ko
+	}
+}
+
+start() {
+	[ "$(have_cm)" = "0" ] && load_sfe && load_sfe_cm
+}
+
+stop() {
+	[ -d "/sys/module/shortcut_fe_drv" ] && rmmod shortcut_fe_drv
+	[ -d "/sys/module/shortcut_fe_cm" ] && rmmod shortcut_fe_cm
+	[ -d "/sys/module/fast_classifier" ] && rmmod fast_classifier
+	[ -d "/sys/module/shortcut_fe_ipv6" ] && rmmod shortcut-fe-ipv6
+	[ -d "/sys/module/shortcut_fe" ] && rmmod shortcut-fe
+}
--- a/package/lean/shortcut-fe/shortcut-fe/src/Makefile
+++ b/package/lean/shortcut-fe/shortcut-fe/src/Makefile
@ -21,3 +21,4 @@ endif
 shortcut-fe-cm-objs := \
 	sfe_cm.o

+ccflags-y += -Werror -Wall
--- a/package/lean/shortcut-fe/shortcut-fe/src/sfe_backport.h
+++ b/package/lean/shortcut-fe/shortcut-fe/src/sfe_backport.h
@ -180,7 +180,7 @@ static inline struct net_device *sfe_dev_get_master(struct net_device *dev)
 #endif

 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
-#define sfe_dst_get_neighbour(dst, daddr) dst_neigh_lookup(dst, daddr)
+#define sfe_dst_get_neighbour(dst, daddr) dst_neigh_lookup(dst, addr)
 #else
 static inline struct neighbour *
 sfe_dst_get_neighbour(struct dst_entry *dst, void *daddr)
--- a/package/lean/shortcut-fe/shortcut-fe/src/sfe_cm.c
+++ b/package/lean/shortcut-fe/shortcut-fe/src/sfe_cm.c
@ -2,7 +2,7 @@
 * sfe-cm.c
 *	Shortcut forwarding engine connection manager.
 *
- * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2018, 2020 The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
@ -220,11 +220,11 @@ static bool sfe_cm_find_dev_and_mac_addr(sfe_ip_addr_t *addr, struct net_device

 		dst = (struct dst_entry *)rt;
 	} else {
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0))
-		rt6 = rt6_lookup(&init_net, (struct in6_addr *)addr->ip6, 0, 0, NULL, 0);
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0))
 		rt6 = rt6_lookup(&init_net, (struct in6_addr *)addr->ip6, 0, 0, 0);
-#endif /*KERNEL_VERSION(4, 17, 0)*/
+#else
+		rt6 = rt6_lookup(&init_net, (struct in6_addr *)addr->ip6, 0, 0, NULL, 0);
+#endif
 		if (!rt6) {
 			goto ret_fail;
 		}
@ -352,16 +352,18 @@ static unsigned int sfe_cm_post_routing(struct sk_buff *skb, int is_v4)
 		return NF_ACCEPT;
 	}

-#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0))
 	/*
 	 * Don't process untracked connections.
 	 */
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0))
 	if (unlikely(nf_ct_is_untracked(ct))) {
+#else
+	if (unlikely(ctinfo == IP_CT_UNTRACKED)) {
+#endif
 		sfe_cm_incr_exceptions(SFE_CM_EXCEPTION_CT_NO_TRACK);
 		DEBUG_TRACE("untracked connection\n");
 		return NF_ACCEPT;
 	}
-#endif /*KERNEL_VERSION(4, 12, 0)*/

 	/*
 	 * Unconfirmed connection may be dropped by Linux at the final step,
@ -510,6 +512,21 @@ static unsigned int sfe_cm_post_routing(struct sk_buff *skb, int is_v4)
 			return NF_ACCEPT;
 		}
 		spin_unlock_bh(&ct->lock);
+		
+		/*
+		 * Somehow, SFE is not playing nice with IPSec traffic.
+		 * Do not accelerate for now.
+		 */
+		if (ntohs(sic.dest_port) == 4500 || ntohs(sic.dest_port) == 500) {
+			if (likely(is_v4))
+				DEBUG_TRACE("IPsec bypass: %pI4:%d(%pI4:%d) to %pI4:%d(%pI4:%d)\n",
+					&sic.src_ip.ip, ntohs(sic.src_port), &sic.src_ip_xlate.ip, ntohs(sic.src_port_xlate),
+					&sic.dest_ip.ip, ntohs(sic.dest_port), &sic.dest_ip_xlate.ip, ntohs(sic.dest_port_xlate));
+			else
+				DEBUG_TRACE("IPsec bypass: %pI6:%d to %pI6:%d\n",
+					&sic.src_ip.ip6, ntohs(sic.src_port), &sic.dest_ip.ip6, ntohs(sic.dest_port));
+			return NF_ACCEPT;
+		}
 		break;

 	case IPPROTO_UDP:
@ -533,10 +550,10 @@ static unsigned int sfe_cm_post_routing(struct sk_buff *skb, int is_v4)
 	 * For packets de-capsulated from xfrm, we still can accelerate it
 	 * on the direction we just received the packet.
 	 */
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0))
-	if (unlikely(skb_ext_exist(skb, SKB_EXT_SEC_PATH))) {
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0))
 	if (unlikely(skb->sp)) {
+#else
+	if (unlikely(secpath_exists(skb))) {
 #endif
 		if (sic.protocol == IPPROTO_TCP &&
 		    !(sic.flags & SFE_CREATE_FLAG_NO_SEQ_CHECK)) {
@ -688,14 +705,11 @@ static int sfe_cm_conntrack_event(unsigned int events, struct nf_ct_event *item)
 	}

 #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0))
-	/*
-	 * If this is an untracked connection then we can't have any state either.
-	 */
 	if (unlikely(nf_ct_is_untracked(ct))) {
 		DEBUG_TRACE("ignoring untracked conn\n");
 		return NOTIFY_DONE;
 	}
-#endif /*KERNEL_VERSION(4, 12, 0)*/
+#endif

 	/*
 	 * We're only interested in destroy events.
@ -825,18 +839,17 @@ static void sfe_cm_sync_rule(struct sfe_connection_sync *sis)
 	ct = nf_ct_tuplehash_to_ctrack(h);
 #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 0))
 	NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);
-#endif /*KERNEL_VERSION(4, 9, 0)*/
-
+#endif
 	/*
 	 * Only update if this is not a fixed timeout
 	 */
 	if (!test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
 		spin_lock_bh(&ct->lock);
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0))
-		ct->timeout += sis->delta_jiffies;
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 0))
 		ct->timeout.expires += sis->delta_jiffies;
-#endif /*KERNEL_VERSION(4, 9, 0)*/
+#else
+		ct->timeout += sis->delta_jiffies;
+#endif
 		spin_unlock_bh(&ct->lock);
 	}

@ -891,26 +904,26 @@ static void sfe_cm_sync_rule(struct sfe_connection_sync *sis)

 			if (reply_pkts != 0) {
 				unsigned int *timeouts;
-
+				struct nf_conntrack_l4proto *l4proto __maybe_unused;
 				set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
 				set_bit(IPS_ASSURED_BIT, &ct->status);

-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0))
-				timeouts = nf_ct_timeout_lookup(ct);
-#else
-				struct nf_conntrack_l4proto *l4proto;
-
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0))
 				l4proto = __nf_ct_l4proto_find((sis->is_v6 ? AF_INET6 : AF_INET), IPPROTO_UDP);
 				timeouts = nf_ct_timeout_lookup(&init_net, ct, l4proto);
-#endif /*KERNEL_VERSION(4, 19, 0)*/
+				spin_lock_bh(&ct->lock);
+				ct->timeout.expires = jiffies + timeouts[UDP_CT_REPLIED];
+				spin_unlock_bh(&ct->lock);
+#else
+				timeouts = nf_ct_timeout_lookup(ct);
+				if (!timeouts) {
+					timeouts = udp_get_timeouts(nf_ct_net(ct));
+				}

 				spin_lock_bh(&ct->lock);
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0))
 				ct->timeout = jiffies + timeouts[UDP_CT_REPLIED];
-#else
-				ct->timeout.expires = jiffies + timeouts[UDP_CT_REPLIED];
-#endif /*KERNEL_VERSION(4, 9, 0)*/
 				spin_unlock_bh(&ct->lock);
+#endif
 			}
 		}
 		break;
@ -1001,6 +1014,9 @@ static int __init sfe_cm_init(void)
 {
 	struct sfe_cm *sc = &__sc;
 	int result = -1;
+#ifdef CONFIG_SFE_ECM
+	int (*fast_recv)(struct sk_buff *skb);
+#endif

 	DEBUG_INFO("SFE CM init\n");

@ -1036,7 +1052,11 @@ static int __init sfe_cm_init(void)
 	/*
 	 * Register our netfilter hooks.
 	 */
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0))
+	result = nf_register_hooks(sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));
+#else
 	result = nf_register_net_hooks(&init_net, sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));
+#endif
 	if (result < 0) {
 		DEBUG_ERROR("can't register nf post routing hook: %d\n", result);
 		goto exit3;
@ -1049,22 +1069,30 @@ static int __init sfe_cm_init(void)
 	 */
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 #ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
-	(void)nf_conntrack_register_chain_notifier(&init_net, &sfe_cm_conntrack_notifier);
+	result = nf_conntrack_register_chain_notifier(&init_net, &sfe_cm_conntrack_notifier);
 #else
 	result = nf_conntrack_register_notifier(&init_net, &sfe_cm_conntrack_notifier);
+#endif
 	if (result < 0) {
 		DEBUG_ERROR("can't register nf notifier hook: %d\n", result);
 		goto exit4;
 	}
 #endif
-#endif
-
 	spin_lock_init(&sc->lock);

 	/*
 	 * Hook the receive path in the network stack.
 	 */
+#ifdef CONFIG_SFE_ECM
+	rcu_read_lock();
+	fast_recv = rcu_dereference(athrs_fast_nat_recv);
+	rcu_read_unlock();
+	if (!fast_recv) {
+		BUG_ON(athrs_fast_nat_recv);
+	}
+#else
 	BUG_ON(athrs_fast_nat_recv);
+#endif
 	RCU_INIT_POINTER(athrs_fast_nat_recv, sfe_cm_recv);

 	/*
@ -1075,10 +1103,15 @@ static int __init sfe_cm_init(void)
 	return 0;

 #ifdef CONFIG_NF_CONNTRACK_EVENTS
-#ifndef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
 exit4:
+#ifdef CONFIG_NF_CONNTRACK_CHAIN_EVENTS
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0))
+	nf_unregister_hooks(sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));
+#else
 	nf_unregister_net_hooks(&init_net, sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));
 #endif
+
+#endif
 #endif
 exit3:
 	unregister_inet6addr_notifier(&sc->inet6_notifier);
@ -1129,8 +1162,12 @@ static void __exit sfe_cm_exit(void)
 	nf_conntrack_unregister_notifier(&init_net, &sfe_cm_conntrack_notifier);
 #endif
 #endif
-	nf_unregister_net_hooks(&init_net, sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));

+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0))
+	nf_unregister_hooks(sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));
+#else
+	nf_unregister_net_hooks(&init_net, sfe_cm_ops_post_routing, ARRAY_SIZE(sfe_cm_ops_post_routing));
+#endif
 	unregister_inet6addr_notifier(&sc->inet6_notifier);
 	unregister_inetaddr_notifier(&sc->inet_notifier);
 	unregister_netdevice_notifier(&sc->dev_notifier);
--- a/package/lean/shortcut-fe/shortcut-fe/src/sfe_ipv4.c
+++ b/package/lean/shortcut-fe/shortcut-fe/src/sfe_ipv4.c
@ -2,7 +2,7 @@
 * sfe_ipv4.c
 *	Shortcut forwarding engine - IPv4 edition.
 *
- * Copyright (c) 2013-2016, 2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2016, 2019-2020 The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
@ -1311,14 +1311,13 @@ static int sfe_ipv4_recv_udp(struct sfe_ipv4 *si, struct sk_buff *skb, struct ne
 	 * change the cloned skb's data section.
 	 */
 	if (unlikely(skb_cloned(skb))) {
-		DEBUG_TRACE("%p: skb is a cloned skb\n", skb);
+		DEBUG_TRACE("%px: skb is a cloned skb\n", skb);
 		skb = skb_unshare(skb, GFP_ATOMIC);
                if (!skb) {
 			DEBUG_WARN("Failed to unshare the cloned skb\n");
 			si->exception_events[SFE_IPV4_EXCEPTION_EVENT_CLONED_SKB_UNSHARE_ERROR]++;
 			si->packets_not_forwarded++;
 			spin_unlock_bh(&si->lock);
-
 			return 0;
 		}

@ -1891,14 +1890,13 @@ static int sfe_ipv4_recv_tcp(struct sfe_ipv4 *si, struct sk_buff *skb, struct ne
 	 * change the cloned skb's data section.
 	 */
 	if (unlikely(skb_cloned(skb))) {
-		DEBUG_TRACE("%p: skb is a cloned skb\n", skb);
+		DEBUG_TRACE("%px: skb is a cloned skb\n", skb);
 		skb = skb_unshare(skb, GFP_ATOMIC);
                if (!skb) {
 			DEBUG_WARN("Failed to unshare the cloned skb\n");
 			si->exception_events[SFE_IPV4_EXCEPTION_EVENT_CLONED_SKB_UNSHARE_ERROR]++;
 			si->packets_not_forwarded++;
 			spin_unlock_bh(&si->lock);
-
 			return 0;
 		}

@ -2512,7 +2510,7 @@ int sfe_ipv4_create_rule(struct sfe_connection_create *sic)
 		spin_unlock_bh(&si->lock);

 		DEBUG_TRACE("connection already exists - mark: %08x, p: %d\n"
-			    "  s: %s:%pM:%pI4:%u, d: %s:%pM:%pI4:%u\n",
+			    "  s: %s:%pxM:%pI4:%u, d: %s:%pxM:%pI4:%u\n",
 			    sic->mark, sic->protocol,
 			    sic->src_dev->name, sic->src_mac, &sic->src_ip.ip, ntohs(sic->src_port),
 			    sic->dest_dev->name, sic->dest_mac, &sic->dest_ip.ip, ntohs(sic->dest_port));
@ -2728,8 +2726,8 @@ int sfe_ipv4_create_rule(struct sfe_connection_create *sic)
 	 * We have everything we need!
 	 */
 	DEBUG_INFO("new connection - mark: %08x, p: %d\n"
-		   "  s: %s:%pM(%pM):%pI4(%pI4):%u(%u)\n"
-		   "  d: %s:%pM(%pM):%pI4(%pI4):%u(%u)\n",
+		   "  s: %s:%pxM(%pxM):%pI4(%pI4):%u(%u)\n"
+		   "  d: %s:%pxM(%pxM):%pI4(%pI4):%u(%u)\n",
 		   sic->mark, sic->protocol,
 		   sic->src_dev->name, sic->src_mac, sic->src_mac_xlate,
 		   &sic->src_ip.ip, &sic->src_ip_xlate.ip, ntohs(sic->src_port), ntohs(sic->src_port_xlate),
@ -2858,17 +2856,17 @@ another_round:
 /*
 * sfe_ipv4_periodic_sync()
 */
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0))
-static void sfe_ipv4_periodic_sync(struct timer_list *arg)
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
 static void sfe_ipv4_periodic_sync(unsigned long arg)
-#endif /*KERNEL_VERSION(4, 15, 0)*/
-{
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0))
-	struct sfe_ipv4 *si = (struct sfe_ipv4 *)arg->cust_data;
 #else
+static void sfe_ipv4_periodic_sync(struct timer_list *tl)
+#endif
+{
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
 	struct sfe_ipv4 *si = (struct sfe_ipv4 *)arg;
-#endif /*KERNEL_VERSION(4, 15, 0)*/
+#else
+	struct sfe_ipv4 *si = from_timer(si, tl, timer);
+#endif
 	u64 now_jiffies;
 	int quota;
 	sfe_sync_rule_callback_t sync_rule_callback;
@ -3547,12 +3545,11 @@ static int __init sfe_ipv4_init(void)
 	/*
 	 * Create a timer to handle periodic statistics.
 	 */
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0))
-	timer_setup(&si->timer, sfe_ipv4_periodic_sync, 0);
-	si->timer.cust_data = (unsigned long)si;
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
 	setup_timer(&si->timer, sfe_ipv4_periodic_sync, (unsigned long)si);
-#endif /*KERNEL_VERSION(4, 15, 0)*/
+#else
+	timer_setup(&si->timer, sfe_ipv4_periodic_sync, 0);
+#endif
 	mod_timer(&si->timer, jiffies + ((HZ + 99) / 100));

 	spin_lock_init(&si->lock);
--- a/package/lean/shortcut-fe/shortcut-fe/src/sfe_ipv6.c
+++ b/package/lean/shortcut-fe/shortcut-fe/src/sfe_ipv6.c
@ -2,7 +2,7 @@
 * sfe_ipv6.c
 *	Shortcut forwarding engine - IPv6 support.
 *
- * Copyright (c) 2015-2016, 2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015-2016, 2019-2020 The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
@ -1369,14 +1369,13 @@ static int sfe_ipv6_recv_udp(struct sfe_ipv6 *si, struct sk_buff *skb, struct ne
 	 * change the cloned skb's data section.
 	 */
 	if (unlikely(skb_cloned(skb))) {
-		DEBUG_TRACE("%p: skb is a cloned skb\n", skb);
+		DEBUG_TRACE("%px: skb is a cloned skb\n", skb);
 		skb = skb_unshare(skb, GFP_ATOMIC);
                if (!skb) {
 			DEBUG_WARN("Failed to unshare the cloned skb\n");
 			si->exception_events[SFE_IPV6_EXCEPTION_EVENT_CLONED_SKB_UNSHARE_ERROR]++;
 			si->packets_not_forwarded++;
 			spin_unlock_bh(&si->lock);
-
 			return 0;
 		}

@ -1929,14 +1928,13 @@ static int sfe_ipv6_recv_tcp(struct sfe_ipv6 *si, struct sk_buff *skb, struct ne
 	 * change the cloned skb's data section.
 	 */
 	if (unlikely(skb_cloned(skb))) {
-		DEBUG_TRACE("%p: skb is a cloned skb\n", skb);
+		DEBUG_TRACE("%px: skb is a cloned skb\n", skb);
 		skb = skb_unshare(skb, GFP_ATOMIC);
                if (!skb) {
 			DEBUG_WARN("Failed to unshare the cloned skb\n");
 			si->exception_events[SFE_IPV6_EXCEPTION_EVENT_CLONED_SKB_UNSHARE_ERROR]++;
 			si->packets_not_forwarded++;
 			spin_unlock_bh(&si->lock);
-
 			return 0;
 		}

@ -2328,7 +2326,7 @@ int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb)
 		si->packets_not_forwarded++;
 		spin_unlock_bh(&si->lock);

-		DEBUG_TRACE("payload_len: %u, exceeds len: %u\n", payload_len, (len - sizeof(struct sfe_ipv6_ip_hdr)));
+		DEBUG_TRACE("payload_len: %u, exceeds len: %u\n", payload_len, (len - (unsigned int)sizeof(struct sfe_ipv6_ip_hdr)));
 		return 0;
 	}

@ -2526,7 +2524,7 @@ int sfe_ipv6_create_rule(struct sfe_connection_create *sic)
 		spin_unlock_bh(&si->lock);

 		DEBUG_TRACE("connection already exists - mark: %08x, p: %d\n"
-			    "  s: %s:%pM:%pI6:%u, d: %s:%pM:%pI6:%u\n",
+			    "  s: %s:%pxM:%pI6:%u, d: %s:%pxM:%pI6:%u\n",
 			    sic->mark, sic->protocol,
 			    sic->src_dev->name, sic->src_mac, sic->src_ip.ip6, ntohs(sic->src_port),
 			    sic->dest_dev->name, sic->dest_mac, sic->dest_ip.ip6, ntohs(sic->dest_port));
@ -2742,8 +2740,8 @@ int sfe_ipv6_create_rule(struct sfe_connection_create *sic)
 	 * We have everything we need!
 	 */
 	DEBUG_INFO("new connection - mark: %08x, p: %d\n"
-		   "  s: %s:%pM(%pM):%pI6(%pI6):%u(%u)\n"
-		   "  d: %s:%pM(%pM):%pI6(%pI6):%u(%u)\n",
+		   "  s: %s:%pxM(%pxM):%pI6(%pI6):%u(%u)\n"
+		   "  d: %s:%pxM(%pxM):%pI6(%pI6):%u(%u)\n",
 		   sic->mark, sic->protocol,
 		   sic->src_dev->name, sic->src_mac, sic->src_mac_xlate,
 		   sic->src_ip.ip6, sic->src_ip_xlate.ip6, ntohs(sic->src_port), ntohs(sic->src_port_xlate),
@ -2866,17 +2864,17 @@ another_round:
 /*
 * sfe_ipv6_periodic_sync()
 */
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0))
-static void sfe_ipv6_periodic_sync(struct timer_list *arg)
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
 static void sfe_ipv6_periodic_sync(unsigned long arg)
-#endif /*KERNEL_VERSION(4, 15, 0)*/
-{
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0))
-	struct sfe_ipv6 *si = (struct sfe_ipv6 *)arg->cust_data;
 #else
+static void sfe_ipv6_periodic_sync(struct timer_list *tl)
+#endif
+{
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
 	struct sfe_ipv6 *si = (struct sfe_ipv6 *)arg;
-#endif /*KERNEL_VERSION(4, 15, 0)*/
+#else
+	struct sfe_ipv6 *si = from_timer(si, tl, timer);
+#endif
 	u64 now_jiffies;
 	int quota;
 	sfe_sync_rule_callback_t sync_rule_callback;
@ -3555,12 +3553,11 @@ static int __init sfe_ipv6_init(void)
 	/*
 	 * Create a timer to handle periodic statistics.
 	 */
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0))
-	timer_setup(&si->timer, sfe_ipv6_periodic_sync, 0);
-	si->timer.cust_data = (unsigned long)si;
-#else
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
 	setup_timer(&si->timer, sfe_ipv6_periodic_sync, (unsigned long)si);
-#endif /*KERNEL_VERSION(4, 15, 0)*/
+#else
+	timer_setup(&si->timer, sfe_ipv6_periodic_sync, 0);
+#endif
 	mod_timer(&si->timer, jiffies + ((HZ + 99) / 100));

 	spin_lock_init(&si->lock);
--- a/package/lean/shortcut-fe/simulated-driver/Makefile
+++ b/package/lean/shortcut-fe/simulated-driver/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015 The Linux Foundation. All rights reserved.
+# Copyright (c) 2015,2016 The Linux Foundation. All rights reserved.
 # Permission to use, copy, modify, and/or distribute this software for
 # any purpose with or without fee is hereby granted, provided that the
 # above copyright notice and this permission notice appear in all copies.
@ -17,10 +17,12 @@ include $(INCLUDE_DIR)/kernel.mk

 PKG_NAME:=shortcut-fe-simulated-driver
 PKG_RELEASE:=1
+PKG_CONFIG_DEPENDS := CONFIG_IPV6

 PKG_SOURCE_URL:=https://source.codeaurora.org/quic/qsdk/oss/lklm/shortcut-fe
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=c7dd8173b178affc9d8da22f51610243be994e1c
+PKG_SOURCE_DATE:=2021-03-17
+PKG_SOURCE_VERSION:=697977d8d0ccf0ab596e5692d08608a75dd7f33d

 include $(INCLUDE_DIR)/package.mk

@ -29,22 +31,22 @@ define KernelPackage/shortcut-fe-drv
  CATEGORY:=Kernel modules
  SUBMENU:=Network Support
  DEPENDS:=@TARGET_ipq806x||TARGET_ipq807x +kmod-shortcut-fe
+  KCONFIG:=CONFIG_NET_CLS_ACT=y \
+   	    CONFIG_XFRM=y
  TITLE:=Simulated sfe driver for ECM
  FILES:=$(PKG_BUILD_DIR)/simulated-driver/shortcut-fe-drv.ko
-  AUTOLOAD:=$(call AutoLoad,10,shortcut-fe-drv)
 endef

 define KernelPackage/shortcut-fe-drv/Description
 Simulated sfe driver which act as an adapter to convert message between a connection manager and the SFE core engine.
 endef

-EXTRA_CFLAGS+=-DSFE_SUPPORT_IPV6
-
 define Build/Compile
 	$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
 		$(KERNEL_MAKE_FLAGS) \
 		$(PKG_MAKE_FLAGS) \
 		M="$(PKG_BUILD_DIR)/simulated-driver" \
+		$(if $(CONFIG_IPV6),EXTRA_CFLAGS+="-DSFE_SUPPORT_IPV6" SFE_SUPPORT_IPV6=y,) \
 		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
 		modules
 endef
--- a/package/qca/nss/qca-nss-ecm-64/files/qca-nss-ecm.init
+++ b/package/qca/nss/qca-nss-ecm-64/files/qca-nss-ecm.init
@ -57,6 +57,10 @@ load_sfe() {
 		[ -d /sys/module/shortcut_fe_ipv6 ] || insmod shortcut-fe-ipv6
 	}

+	[ -e "/lib/modules/$kernel_version/shortcut-fe-cm.ko" ] && {
+		[ -d /sys/module/shortcut_fe_cm ] || insmod shortcut-fe-cm
+	}
+
 	[ -e "/lib/modules/$kernel_version/shortcut-fe-drv.ko" ] && {
 		[ -d /sys/module/shortcut_fe_drv ] || insmod shortcut-fe-drv
 	}
@ -97,13 +101,6 @@ unload_ecm() {
 }

 start() {
-	# If SFE CM is loaded, return.
-	if [ -d /sys/module/shortcut_fe_cm ]; then
-		echo "shortcut_fe CM is loaded, unload it first"
-		echo "cmd: /etc/init.d/shortcut_fe stop"
-		return
-	fi
-
 	load_ecm

 	# If the acceleration engine is NSS, enable wifi redirect.
--- a/package/qca/nss/qca-nss-ecm/files/qca-nss-ecm.init
+++ b/package/qca/nss/qca-nss-ecm/files/qca-nss-ecm.init
@ -47,9 +47,24 @@ support_bridge() {
 }

 load_sfe() {
-	[ -d /sys/module/shortcut_fe ] || insmod shortcut-fe
-	[ -d /sys/module/shortcut_fe_ipv6 ] || insmod shortcut-fe-ipv6
-	[ -d /sys/module/shortcut_fe_drv ] || insmod shortcut-fe-drv
+	local kernel_version=$(uname -r)
+
+	[ -e "/lib/modules/$kernel_version/shortcut-fe.ko" ] && {
+		[ -d /sys/module/shortcut_fe ] || insmod shortcut-fe
+	}
+
+	[ -e "/lib/modules/$kernel_version/shortcut-fe-ipv6.ko" ] && {
+		[ -d /sys/module/shortcut_fe_ipv6 ] || insmod shortcut-fe-ipv6
+	}
+
+	[ -e "/lib/modules/$kernel_version/shortcut-fe-cm.ko" ] && {
+		[ -d /sys/module/shortcut_fe_cm ] || insmod shortcut-fe-cm
+	}
+
+	[ -e "/lib/modules/$kernel_version/shortcut-fe-drv.ko" ] && {
+		[ -d /sys/module/shortcut_fe_drv ] || insmod shortcut-fe-drv
+	}
+	
 }

 load_ecm() {
--- a/target/linux/ipq807x/patches-5.10/601-netfilter-export-udp_get_timeouts-function.patch
+++ b/target/linux/ipq807x/patches-5.10/601-netfilter-export-udp_get_timeouts-function.patch
--- a/target/linux/generic/hack-5.4/601-netfilter-export-udp_get_timeouts-function.patch
+++ b/target/linux/generic/hack-5.4/601-netfilter-export-udp_get_timeouts-function.patch
@ -0,0 +1,42 @@
+From ba041eb8000e4a8f556ca641335894f7e7429dbb Mon Sep 17 00:00:00 2001
+From: Ailick <277498654@qq.com>
+Date: Sat, 21 Aug 2021 17:12:22 +0800
+Subject: [PATCH] net: patch linux kernel to support shortcut-fe-cm
+
+---
+ nf_conntrack_proto_udp.c | 3 ++-
+ nf_conntrack_timeout.h | 2 +
+ 1 file changed, 2 insertion(+)
+
+diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
+index 6dd7239..e1f6d69 100644
+--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
+@@ -123,5 +123,7 @@ static inline void nf_ct_destroy_timeout(struct nf_conn *ct)
+ extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name);
+ extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout);
+ #endif
+
+extern unsigned int *udp_get_timeouts(struct net *net);
+ 
+ #endif /* _NF_CONNTRACK_TIMEOUT_H */
+diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
+index 7365b43..2238d55 100644
+--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
+@@ -29,10 +29,11 @@ static const unsigned int udp_timeouts[UDP_CT_MAX] = {
+ 	[UDP_CT_REPLIED]	= 120*HZ,
+ };
+ 
+-static unsigned int *udp_get_timeouts(struct net *net)
+unsigned int *udp_get_timeouts(struct net *net)
+ {
+ 	return nf_udp_pernet(net)->timeouts;
+ }
+EXPORT_SYMBOL(udp_get_timeouts);
+ 
+ static void udp_error_log(const struct sk_buff *skb,
+ 			  const struct nf_hook_state *state,
+-- 
+2.17.1
+