re-add Turbo ACC center

package/lean/luci-app-flowoffload/Makefile

@@ -0,0 +1,17 @@
+# Copyright (C) 2016 Openwrt.org
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=LuCI support for Flow Offload
+LUCI_DEPENDS:=+kmod-ipt-offload +pdnsd-alt @LINUX_4_14
+LUCI_PKGARCH:=all
+PKG_VERSION:=1.0
+PKG_RELEASE:=7
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+

package/lean/luci-app-flowoffload/luasrc/controller/flowoffload.lua

@@ -0,0 +1,41 @@
+module("luci.controller.flowoffload", package.seeall)
+
+function index()
+	if not nixio.fs.access("/etc/config/flowoffload") then
+		return
+	end
+	local page
+	page = entry({"admin", "network", "flowoffload"}, cbi("flowoffload"), _("Turbo ACC Center"), 101)
+	page.i18n = "flowoffload"
+	page.dependent = true
+	
+	entry({"admin", "network", "flowoffload", "status"}, call("action_status"))
+end
+
+local function is_running()
+	return luci.sys.call("iptables --list | grep FLOWOFFLOAD >/dev/null") == 0
+end
+
+local function is_bbr()
+	return luci.sys.call("sysctl net.ipv4.tcp_congestion_control | grep bbr >/dev/null") == 0
+end
+
+local function is_fullcone()
+	return luci.sys.call("iptables -t nat -L -n --line-numbers | grep FULLCONENAT >/dev/null") == 0
+end
+
+local function is_dns()
+	return luci.sys.call("pgrep dnscache >/dev/null") == 0
+end
+
+function action_status()
+	luci.http.prepare_content("application/json")
+	luci.http.write_json({
+		run_state = is_running(),
+		down_state = is_bbr(),
+		up_state = is_fullcone(),
+		dns_state = is_dns()
+	})
+end
+
+

package/lean/luci-app-flowoffload/luasrc/model/cbi/flowoffload.lua

@@ -0,0 +1,34 @@
+local m,s,o
+local SYS  = require "luci.sys"
+
+m = Map("flowoffload")
+m.title	= translate("Turbo ACC Acceleration Settings")
+m.description = translate("Opensource Linux Flow Offload driver (Fast Path or HWNAT)")
+m:append(Template("flow/status"))
+
+s = m:section(TypedSection, "flow")
+s.addremove = false
+s.anonymous = true
+
+flow = s:option(Flag, "flow_offloading", translate("Enable"))
+flow.default = 0
+flow.rmempty = false
+flow.description = translate("Enable software flow offloading for connections. (decrease cpu load / increase routing throughput)")
+
+hw = s:option(Flag, "flow_offloading_hw", translate("HWNAT"))
+hw.default = 0
+hw.rmempty = true
+hw.description = translate("Enable Hardware NAT (depends on hw capability like MTK 762x)")
+hw:depends("flow_offloading", 1)
+
+dns = s:option(Flag, "dns", translate("DNS Acceleration"))
+dns.default = 0
+dns.rmempty = false
+dns.description = translate("Enable DNS Cache Acceleration and anti ISP DNS pollution")
+
+o = s:option(Value, "dns_server", translate("Upsteam DNS Server"))
+o.default = "114.114.114.114 ,114.114.115.115"
+o.description = translate("Muitiple DNS server can saperate with ','")
+o:depends("dns", 1)
+
+return m

package/lean/luci-app-flowoffload/luasrc/view/flow/status.htm

@@ -0,0 +1,24 @@
+<fieldset class="cbi-section">
+	<legend><%:Running Status%></legend>
+	<table width="100%" cellspacing="10" id="_xlnetacc_status_table">
+		<tr><td width="33%">FLOW 加速状态</td><td id="_run_state"><em><%:Collecting data...%></em></td></tr>
+		<tr><td width="33%">BBR 加速</td><td id="_down_state"><em><%:Collecting data...%></em></td></tr>
+		<tr><td width="33%">FULLCONE NAT加速</td><td id="_up_state"><em><%:Collecting data...%></em></td></tr>
+		<tr><td width="33%">DNS 加速</td><td id="_dns_state"><em><%:Collecting data...%></em></td></tr>
+	</table>
+</fieldset>
+
+<script type="text/javascript">//<![CDATA[
+	var run_state = document.getElementById('_run_state');
+	var down_state = document.getElementById('_down_state');
+	var up_state = document.getElementById('_up_state');
+	var dns_state = document.getElementById('_dns_state');
+	XHR.poll(5, '<%=luci.dispatcher.build_url("admin", "network", "flowoffload", "status")%>', null, function(x, status) {
+		if ( x && x.status == 200 ) {
+			run_state.innerHTML = status.run_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+			down_state.innerHTML = status.down_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+			up_state.innerHTML = status.up_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+			dns_state.innerHTML = status.dns_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+		}
+	});
+//]]></script>

package/lean/luci-app-flowoffload/po/zh-cn/flowoffload.po

@@ -0,0 +1,35 @@
+msgid "Flow Offload ACC"
+msgstr "Flow Offload 转发加速"
+
+msgid "Turbo ACC Center"
+msgstr "Turbo ACC 网络加速"
+
+msgid "Turbo ACC Acceleration Settings"
+msgstr "Turbo ACC 网络加速设置"
+
+msgid "Linux Flow Offload Forwarding Engine Settings"
+msgstr "Linux Flow Offload Forwarding 转发加速引擎设置"
+
+msgid "Opensource Linux Flow Offload driver (Fast Path or HWNAT)"
+msgstr "开源 Linux Flow Offload 驱动 (支持 Fast Path 或者 HWNAT)"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Enable software flow offloading for connections. (decrease cpu load / increase routing throughput)"
+msgstr "开启 Flow Offloading 转发加速. (降低CPU占用 / 增强路由转发性能，和多WAN或者QOS功能可能会冲突)"
+
+msgid "Enable Hardware NAT (depends on hw capability like MTK 762x)"
+msgstr "启用硬件HWNAT加速（依赖特定的硬件，例如 MTK 762x 系列）"
+
+msgid "DNS Acceleration"
+msgstr "DNS 加速"
+
+msgid "Enable DNS Cache Acceleration and anti ISP DNS pollution"
+msgstr "启用DNS多线程查询、缓存，并防止ISP的DNS广告和域名劫持"
+
+msgid "Upsteam DNS Server"
+msgstr "上游 DNS 服务器(国内)"
+
+msgid "Muitiple DNS server can saperate with ','"
+msgstr "支持多个上游DNS服务器，用','分隔（注意用英文逗号).请填写您最快的DNS服务器"

package/lean/luci-app-flowoffload/root/etc/config/flowoffload

@@ -0,0 +1,7 @@
+
+config flow
+	option flow_offloading '1'
+	option flow_offloading_hw '0'
+	option dns '0'
+	option dns_server '114.114.114.114 ,114.114.115.115'
+

package/lean/luci-app-flowoffload/root/etc/init.d/flowoffload

@@ -0,0 +1,206 @@
+#!/bin/sh /etc/rc.common
+# Copyright (c) 2011-2015 OpenWrt.org
+
+START=60
+
+DNSMASQ_RESTART=N
+DNS_SERVER="114.114.114.114,114.114.115.115"
+
+start_pdnsd() {
+  DNS_SERVER=$(uci get flowoffload.@flow[0].dns_server 2>/dev/null)
+
+	[ -d /var/etc ] || mkdir -p /var/etc
+	
+  if [ ! -f /var/dnscache/pdnsd.cache ]; then
+    mkdir -p /var/dnscache
+    echo -ne "pd13\000\000\000\000" > /var/dnscache/pdnsd.cache
+    chown -R nobody.nogroup /var/dnscache
+	fi
+	
+	cat > /var/etc/dnscache.conf <<EOF
+global {
+    perm_cache=1024;        # dns缓存大小，单位KB，建议不要写的太大
+    cache_dir="/var/dnscache";     # 缓存文件的位置
+    pid_file = /var/run/dnscache.pid;
+    server_ip = 0.0.0.0;        # pdnsd监听的网卡，0.0.0.0是全部网卡
+    server_port=5333;           # pdnsd监听的端口，不要和别的服务冲突即可
+    status_ctl = on;
+    paranoid=on;                  # 二次请求模式，如果请求主DNS服务器返回的是垃圾地址，就向备用服务器请求
+    query_method=udp_only;      
+    neg_domain_pol = off;  
+    par_queries = 400;          # 最多同时请求数
+    min_ttl = 1h;               # DNS结果最短缓存时间
+    max_ttl = 1w;               # DNS结果最长缓存时间
+    timeout = 10;               # DNS请求超时时间，单位秒
+}
+
+server {  
+    label = "routine";         
+    ip = $DNS_SERVER;     # 这里为主要上级 dns 的 ip 地址，建议填写一个当地最快的DNS地址  
+    timeout = 5;              # DNS请求超时时间
+    reject = 74.125.127.102,  # 以下是脏IP，也就是DNS污染一般会返回的结果，如果收到如下DNS结果会触发二次请求（TCP协议一般不会碰到脏IP）
+        74.125.155.102,  
+        74.125.39.102,  
+        74.125.39.113,  
+        209.85.229.138,  
+        128.121.126.139,  
+        159.106.121.75,  
+        169.132.13.103,  
+        192.67.198.6,  
+        202.106.1.2,  
+        202.181.7.85,  
+        203.161.230.171,  
+        203.98.7.65,  
+        207.12.88.98,  
+        208.56.31.43,  
+        209.145.54.50,  
+        209.220.30.174,  
+        209.36.73.33,  
+        211.94.66.147,  
+        213.169.251.35,  
+        216.221.188.182,  
+        216.234.179.13,  
+        243.185.187.39,  
+        37.61.54.158,  
+        4.36.66.178,  
+        46.82.174.68,  
+        59.24.3.173,  
+        64.33.88.161,  
+        64.33.99.47,  
+        64.66.163.251,  
+        65.104.202.252,  
+        65.160.219.113,  
+        66.45.252.237,  
+        69.55.52.253,  
+        72.14.205.104,  
+        72.14.205.99,  
+        78.16.49.15,  
+        8.7.198.45,  
+        93.46.8.89,  
+        37.61.54.158,  
+        243.185.187.39,  
+        190.93.247.4,  
+        190.93.246.4,  
+        190.93.245.4,  
+        190.93.244.4,  
+        65.49.2.178,  
+        189.163.17.5,  
+        23.89.5.60,  
+        49.2.123.56,  
+        54.76.135.1,  
+        77.4.7.92,  
+        118.5.49.6,  
+        159.24.3.173,  
+        188.5.4.96,  
+        197.4.4.12,  
+        220.250.64.24,  
+        243.185.187.30,  
+        249.129.46.48,  
+        253.157.14.165;  
+    reject_policy = fail;  
+    exclude = ".google.com",  
+        ".gstatic.com",  
+        ".googleusercontent.com",  
+        ".googlepages.com",  
+        ".googlevideo.com",  
+        ".googlecode.com",  
+        ".googleapis.com",  
+        ".googlesource.com",  
+        ".googledrive.com",  
+        ".ggpht.com",  
+        ".youtube.com",  
+        ".youtu.be",  
+        ".ytimg.com",  
+        ".twitter.com",  
+        ".facebook.com",  
+        ".fastly.net",  
+        ".akamai.net",  
+        ".akamaiedge.net",  
+        ".akamaihd.net",  
+        ".edgesuite.net",  
+        ".edgekey.net";  
+}
+
+server {  
+    label = "special";                  # 这个随便写  
+    ip = 208.67.222.222,208.67.220.220; # 这里为备用DNS服务器的 ip 地址  
+    port = 5353;                        # 推荐使用53以外的端口（DNS服务器必须支持） 
+    proxy_only = on;
+    timeout = 5;  
+}  
+
+source {
+	owner=localhost;
+//	serve_aliases=on;
+	file="/etc/hosts";
+}
+
+rr {
+	name=localhost;
+	reverse=on;
+	a=127.0.0.1;
+	owner=localhost;
+	soa=localhost,root.localhost,42,86400,900,86400,86400;
+}
+EOF
+
+	/usr/sbin/dnscache -c /var/etc/dnscache.conf -d && echo "Start DNS Cache"
+}
+
+stop_pdnsd() {
+  kill $(pidof dnscache) >/dev/null 2>&1 || killall -9 dnscache >/dev/null 2>&1 
+  echo "Stop DNS Cache"
+}
+
+change_dns() {
+ 	uci delete dhcp.@dnsmasq[0].server >/dev/null 2>&1
+	uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#5333
+	uci delete dhcp.@dnsmasq[0].resolvfile >/dev/null 2>&1
+	uci set dhcp.@dnsmasq[0].noresolv=1
+	uci commit dhcp
+}
+
+revert_dns() {
+	uci del_list dhcp.@dnsmasq[0].server=127.0.0.1#5333 >/dev/null 2>&1
+	uci set dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
+	uci delete dhcp.@dnsmasq[0].noresolv >/dev/null 2>&1
+	uci commit dhcp
+}
+
+start(){
+  dns=$(uci get flowoffload.@flow[0].dns 2>/dev/null)
+  if [ $dns -eq 1 ];  then
+    start_pdnsd
+    change_dns
+  fi
+  uci set firewall.@defaults[0].flow_offloading=$(uci get flowoffload.@flow[0].flow_offloading)
+  uci set firewall.@defaults[0].flow_offloading_hw=$(uci get flowoffload.@flow[0].flow_offloading_hw)
+  uci commit firewall
+  if [ "$DNSMASQ_RESTART" = N ]; then
+    /etc/init.d/dnsmasq restart && echo "DNSMASQ change"
+    /etc/init.d/firewall restart
+  fi
+}
+
+stop(){
+    dns=$(uci get firewall.@defaults[0].dns 2>/dev/null)
+	  stop_pdnsd
+    revert_dns
+    uci set firewall.@defaults[0].flow_offloading=$(uci get flowoffload.@flow[0].flow_offloading)
+    uci set firewall.@defaults[0].flow_offloading_hw=$(uci get flowoffload.@flow[0].flow_offloading_hw)
+    uci commit firewall
+	  if [ "$DNSMASQ_RESTART" = N ]; then
+      /etc/init.d/dnsmasq restart && echo "DNSMASQ revert"
+      /etc/init.d/firewall restart
+    fi
+}
+
+restart(){
+    DNSMASQ_RESTART=Y
+    stop
+    start
+	  /etc/init.d/dnsmasq restart && echo "DNSMASQ restart"
+    /etc/init.d/firewall restart
+}
+
+

package/lean/luci-app-flowoffload/root/etc/uci-defaults/flowoffload

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+uci set firewall.@defaults[0].flow_offloading=1
+uci commit firewall
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@flowoffload[-1]
+	add ucitrack flowoffload
+	set ucitrack.@flowoffload[-1].init=flowoffload
+	commit ucitrack
+EOF
+
+exit 0

package/lean/luci-app-sfe/Makefile

@@ -0,0 +1,17 @@
+# Copyright (C) 2016 Openwrt.org
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=LuCI support for Turbo ACC (SFE)
+LUCI_DEPENDS:=+kmod-fast-classifier +pdnsd-alt @LINUX_4_9
+LUCI_PKGARCH:=all
+PKG_VERSION:=1.0
+PKG_RELEASE:=10
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+

package/lean/luci-app-sfe/luasrc/controller/sfe.lua

@@ -0,0 +1,39 @@
+module("luci.controller.sfe", package.seeall)
+
+function index()
+	if not nixio.fs.access("/etc/config/sfe") then
+		return
+	end
+	local page
+	page = entry({"admin", "network", "sfe"}, cbi("sfe"), _("Turbo ACC Center"), 100)
+	page.i18n = "sfe"
+	page.dependent = true
+	
+	entry({"admin", "network", "sfe", "status"}, call("action_status"))
+end
+
+local function is_running()
+	return luci.sys.call("lsmod | grep fast_classifier >/dev/null") == 0
+end
+
+local function is_bbr()
+	return luci.sys.call("sysctl net.ipv4.tcp_congestion_control | grep bbr >/dev/null") == 0
+end
+
+local function is_fullcone()
+	return luci.sys.call("iptables -t nat -L -n --line-numbers | grep FULLCONENAT >/dev/null") == 0
+end
+
+local function is_dns()
+	return luci.sys.call("pgrep dnscache >/dev/null") == 0
+end
+
+function action_status()
+	luci.http.prepare_content("application/json")
+	luci.http.write_json({
+		run_state = is_running(),
+		down_state = is_bbr(),
+		up_state = is_fullcone(),
+		dns_state = is_dns()
+	})
+end

package/lean/luci-app-sfe/luasrc/model/cbi/sfe.lua

@@ -0,0 +1,40 @@
+
+m = Map("sfe")
+m.title	= translate("Turbo ACC Acceleration Settings")
+m.description = translate("Opensource Qualcomm Shortcut FE driver (Fast Path)")
+
+m:append(Template("sfe/status"))
+
+s = m:section(TypedSection, "sfe", "")
+s.addremove = false
+s.anonymous = true
+
+
+enable = s:option(Flag, "enabled", translate("Enable SFE Fast Path"))
+enable.default = 0
+enable.rmempty = false
+enable.description = translate("Enable Fast Path offloading for connections. (decrease cpu load / increase routing throughput)")
+
+wifi = s:option(Flag, "wifi", translate("Bridge Acceleration"))
+wifi.default = 0
+wifi.rmempty = false
+wifi.description = translate("Enable Bridge Acceleration (may be functional conflict with bridge-mode VPN Server)")
+wifi:depends("enabled", 1)
+
+ipv6 = s:option(Flag, "ipv6", translate("IPv6 Acceleration"))
+ipv6.default = 0
+ipv6.rmempty = false
+ipv6.description = translate("Enable IPv6 Acceleration")
+ipv6:depends("enabled", 1)
+
+dns = s:option(Flag, "dns", translate("DNS Acceleration"))
+dns.default = 0
+dns.rmempty = false
+dns.description = translate("Enable DNS Cache Acceleration and anti ISP DNS pollution")
+
+o = s:option(Value, "dns_server", translate("Upsteam DNS Server"))
+o.default = "114.114.114.114,114.114.115.115"
+o.description = translate("Muitiple DNS server can saperate with ','")
+o:depends("dns", 1)
+
+return m

package/lean/luci-app-sfe/luasrc/view/sfe/status.htm

@@ -0,0 +1,24 @@
+<fieldset class="cbi-section">
+	<legend><%:Running Status%></legend>
+	<table width="100%" cellspacing="10" id="_xlnetacc_status_table">
+		<tr><td width="33%">SFE 加速状态</td><td id="_run_state"><em><%:Collecting data...%></em></td></tr>
+		<tr><td width="33%">BBR 加速</td><td id="_down_state"><em><%:Collecting data...%></em></td></tr>
+		<tr><td width="33%">FULLCONE NAT加速</td><td id="_up_state"><em><%:Collecting data...%></em></td></tr>
+		<tr><td width="33%">DNS 加速</td><td id="_dns_state"><em><%:Collecting data...%></em></td></tr>
+	</table>
+</fieldset>
+
+<script type="text/javascript">//<![CDATA[
+	var run_state = document.getElementById('_run_state');
+	var down_state = document.getElementById('_down_state');
+	var up_state = document.getElementById('_up_state');
+	var dns_state = document.getElementById('_dns_state');
+	XHR.poll(5, '<%=luci.dispatcher.build_url("admin", "network", "sfe", "status")%>', null, function(x, status) {
+		if ( x && x.status == 200 ) {
+			run_state.innerHTML = status.run_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+			down_state.innerHTML = status.down_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+			up_state.innerHTML = status.up_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+			dns_state.innerHTML = status.dns_state ? '<em><b><font color=green><%:RUNNING%></font></b></em>' : '<em><b><font color=red><%:NOT RUNNING%></font></b></em>';
+		}
+	});
+//]]></script>

package/lean/luci-app-sfe/po/zh-cn/sfe.po

@@ -0,0 +1,47 @@
+msgid "SFE Acceleration"
+msgstr "SFE 转发加速"
+
+msgid "Turbo ACC Center"
+msgstr "Turbo ACC 网络加速"
+
+msgid "Turbo ACC Acceleration Settings"
+msgstr "Turbo ACC 网络加速设置"
+
+msgid "Shortcut Forwarding Engine Acceleration Settings"
+msgstr "SFE 转发加速引擎设置"
+
+msgid "Opensource Qualcomm Shortcut FE driver (Fast Path)"
+msgstr "来自高通开源的 Shortcut FE 转发加速引擎 (Fast Path)"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Enable SFE Fast Path"
+msgstr "启用 SFE Fast Path 加速"
+
+msgid "Enable Fast Path offloading for connections. (decrease cpu load / increase routing throughput)"
+msgstr "开启 Fast Path 转发加速. (降低CPU占用 / 增强路由转发性能，和多WAN或者QOS功能可能会冲突)"
+
+msgid "Bridge Acceleration"
+msgstr "桥接加速"
+
+msgid "Enable Bridge Acceleration (may be functional conflict with bridge-mode VPN Server)"
+msgstr "启用桥接加速 (可能会和路由器上桥接模式的VPN服务器冲突)"
+
+msgid "IPv6 Acceleration"
+msgstr "IPv6 加速"
+
+msgid "Enable IPv6 Acceleration"
+msgstr "开启IPv6加速"
+
+msgid "DNS Acceleration"
+msgstr "DNS 加速"
+
+msgid "Enable DNS Cache Acceleration and anti ISP DNS pollution"
+msgstr "启用DNS多线程查询、缓存，并防止ISP的DNS广告和域名劫持"
+
+msgid "Upsteam DNS Server"
+msgstr "上游 DNS 服务器(国内)"
+
+msgid "Muitiple DNS server can saperate with ','"
+msgstr "支持多个上游DNS服务器，用','分隔（注意用英文逗号).请填写您最快的DNS服务器"

package/lean/luci-app-sfe/root/etc/config/sfe

@@ -0,0 +1,8 @@
+
+config sfe 'config'
+	option enabled '1'
+	option ipv6 '0'
+	option wifi '0'
+	option dns '0'
+	option dns_server '114.114.114.114 ,114.114.115.115'
+

package/lean/luci-app-sfe/root/etc/init.d/sfe

@@ -0,0 +1,218 @@
+#!/bin/sh /etc/rc.common
+# Copyright (c) 2011-2015 OpenWrt.org
+
+START=30
+
+DNSMASQ_RESTART=N
+DNS_SERVER="114.114.114.114,114.114.115.115"
+
+start_pdnsd() {
+  DNS_SERVER=$(uci get sfe.config.dns_server 2>/dev/null)
+
+	[ -d /var/etc ] || mkdir -p /var/etc
+	
+  if [ ! -f /var/dnscache/pdnsd.cache ]; then
+    mkdir -p /var/dnscache
+    echo -ne "pd13\000\000\000\000" > /var/dnscache/pdnsd.cache
+    chown -R nobody.nogroup /var/dnscache
+	fi
+	
+	cat > /var/etc/dnscache.conf <<EOF
+global {
+    perm_cache=1024;        # dns缓存大小，单位KB，建议不要写的太大
+    cache_dir="/var/dnscache";     # 缓存文件的位置
+    pid_file = /var/run/dnscache.pid;
+    server_ip = 0.0.0.0;        # pdnsd监听的网卡，0.0.0.0是全部网卡
+    server_port=5333;           # pdnsd监听的端口，不要和别的服务冲突即可
+    status_ctl = on;
+    paranoid=on;                  # 二次请求模式，如果请求主DNS服务器返回的是垃圾地址，就向备用服务器请求
+    query_method=udp_only;      
+    neg_domain_pol = off;  
+    par_queries = 400;          # 最多同时请求数
+    min_ttl = 1h;               # DNS结果最短缓存时间
+    max_ttl = 1w;               # DNS结果最长缓存时间
+    timeout = 10;               # DNS请求超时时间，单位秒
+}
+
+server {  
+    label = "routine";         
+    ip = $DNS_SERVER;     # 这里为主要上级 dns 的 ip 地址，建议填写一个当地最快的DNS地址  
+    timeout = 5;              # DNS请求超时时间
+    reject = 74.125.127.102,  # 以下是脏IP，也就是DNS污染一般会返回的结果，如果收到如下DNS结果会触发二次请求（TCP协议一般不会碰到脏IP）
+        74.125.155.102,  
+        74.125.39.102,  
+        74.125.39.113,  
+        209.85.229.138,  
+        128.121.126.139,  
+        159.106.121.75,  
+        169.132.13.103,  
+        192.67.198.6,  
+        202.106.1.2,  
+        202.181.7.85,  
+        203.161.230.171,  
+        203.98.7.65,  
+        207.12.88.98,  
+        208.56.31.43,  
+        209.145.54.50,  
+        209.220.30.174,  
+        209.36.73.33,  
+        211.94.66.147,  
+        213.169.251.35,  
+        216.221.188.182,  
+        216.234.179.13,  
+        243.185.187.39,  
+        37.61.54.158,  
+        4.36.66.178,  
+        46.82.174.68,  
+        59.24.3.173,  
+        64.33.88.161,  
+        64.33.99.47,  
+        64.66.163.251,  
+        65.104.202.252,  
+        65.160.219.113,  
+        66.45.252.237,  
+        69.55.52.253,  
+        72.14.205.104,  
+        72.14.205.99,  
+        78.16.49.15,  
+        8.7.198.45,  
+        93.46.8.89,  
+        37.61.54.158,  
+        243.185.187.39,  
+        190.93.247.4,  
+        190.93.246.4,  
+        190.93.245.4,  
+        190.93.244.4,  
+        65.49.2.178,  
+        189.163.17.5,  
+        23.89.5.60,  
+        49.2.123.56,  
+        54.76.135.1,  
+        77.4.7.92,  
+        118.5.49.6,  
+        159.24.3.173,  
+        188.5.4.96,  
+        197.4.4.12,  
+        220.250.64.24,  
+        243.185.187.30,  
+        249.129.46.48,  
+        253.157.14.165;  
+    reject_policy = fail;  
+    exclude = ".google.com",  
+        ".gstatic.com",  
+        ".googleusercontent.com",  
+        ".googlepages.com",  
+        ".googlevideo.com",  
+        ".googlecode.com",  
+        ".googleapis.com",  
+        ".googlesource.com",  
+        ".googledrive.com",  
+        ".ggpht.com",  
+        ".youtube.com",  
+        ".youtu.be",  
+        ".ytimg.com",  
+        ".twitter.com",  
+        ".facebook.com",  
+        ".fastly.net",  
+        ".akamai.net",  
+        ".akamaiedge.net",  
+        ".akamaihd.net",  
+        ".edgesuite.net",  
+        ".edgekey.net";  
+}
+
+server {  
+    label = "special";                  # 这个随便写  
+    ip = 208.67.222.222,208.67.220.220; # 这里为备用DNS服务器的 ip 地址  
+    port = 5353;                        # 推荐使用53以外的端口（DNS服务器必须支持） 
+    proxy_only = on;
+    timeout = 5;  
+}  
+
+source {
+	owner=localhost;
+//	serve_aliases=on;
+	file="/etc/hosts";
+}
+
+rr {
+	name=localhost;
+	reverse=on;
+	a=127.0.0.1;
+	owner=localhost;
+	soa=localhost,root.localhost,42,86400,900,86400,86400;
+}
+EOF
+
+	/usr/sbin/dnscache -c /var/etc/dnscache.conf -d && echo "Start DNS Cache"
+}
+
+stop_pdnsd() {
+  kill $(pidof dnscache) >/dev/null 2>&1 || killall -9 dnscache >/dev/null 2>&1 
+  echo "Stop DNS Cache"
+}
+
+change_dns() {
+ 	uci delete dhcp.@dnsmasq[0].server >/dev/null 2>&1
+	uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#5333
+	uci delete dhcp.@dnsmasq[0].resolvfile >/dev/null 2>&1
+	uci set dhcp.@dnsmasq[0].noresolv=1
+	uci commit dhcp
+}
+
+revert_dns() {
+	uci del_list dhcp.@dnsmasq[0].server=127.0.0.1#5333 >/dev/null 2>&1
+	uci set dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
+	uci delete dhcp.@dnsmasq[0].noresolv >/dev/null 2>&1
+	uci commit dhcp
+}
+
+start(){
+  enable=$(uci get sfe.config.enabled 2>/dev/null)
+  wifi=$(uci get sfe.config.wifi)
+  ipv6=$(uci get sfe.config.ipv6)
+  dns=$(uci get sfe.config.dns 2>/dev/null)
+	if [ $enable -eq 1 ]; then
+      echo "enable"
+      ! (lsmod | grep fast_classifier >/dev/null) && (modprobe fast_classifier)
+      if [ $wifi -eq 1 ] ;  then
+       echo 1 > /sys/fast_classifier/skip_to_bridge_ingress
+      else
+       echo 0 > /sys/fast_classifier/skip_to_bridge_ingress
+      fi
+      if [ $ipv6 -eq 1 ];  then
+        sfe_ipv6=$(cat /sys/sfe_ipv6/debug_dev)
+        [ ! -f /dev/sfe_ipv6 ] && mknod /dev/sfe_ipv6 c $sfe_ipv6 0
+      else
+        rm -f /dev/sfe_ipv6
+      fi
+   else
+      rmmod fast_classifier >/dev/null 2>&1 
+  fi
+  if [ $dns -eq 1 ];  then
+    start_pdnsd
+    change_dns
+  fi
+  if [ "$DNSMASQ_RESTART" = N ]; then
+    /etc/init.d/dnsmasq restart && echo "DNSMASQ change"
+  fi
+}
+
+stop(){
+    enable=$(uci get sfe.config.enabled 2>/dev/null)
+    [ $enable -ne 1 ] && rmmod fast_classifier >/dev/null 2>&1 
+	  stop_pdnsd
+    revert_dns
+	  if [ "$DNSMASQ_RESTART" = N ]; then
+      /etc/init.d/dnsmasq restart && echo "DNSMASQ revert"
+    fi
+}
+
+restart(){
+    DNSMASQ_RESTART=Y
+	  stop
+	  start
+	  /etc/init.d/dnsmasq restart && echo "DNSMASQ restart"
+}
+
+

package/lean/luci-app-sfe/root/etc/uci-defaults/sfe

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@sfe[-1]
+	add ucitrack sfe
+	set ucitrack.@sfe[-1].init=sfe
+	commit ucitrack
+EOF
+
+[ ! -f /usr/sbin/dnscache ] && ln /usr/sbin/pdnsd /usr/sbin/dnscache
+/etc/init.d/sfe enable
+
+rm -f /tmp/luci-indexcache
+exit 0

package/lean/openwrt-fullconenat/Makefile

@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2018 Chion Tang <tech@chionlab.moe>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=fullconenat
+PKG_VERSION:=1.0
+PKG_RELEASE:=4
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/Chion82/netfilter-full-cone-nat.git
+PKG_SOURCE_VERSION:=ec14efee249ef11409827a87d6a23dd53deb5149
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/iptables-mod-fullconenat
+  SUBMENU:=Firewall
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=FULLCONENAT iptables extension
+  DEPENDS:=+iptables +kmod-ipt-fullconenat
+  MAINTAINER:=Chion Tang <tech@chionlab.moe>
+endef
+
+define Package/iptables-mod-fullconenat/install
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libipt_FULLCONENAT.so $(1)/usr/lib/iptables
+endef
+
+define KernelPackage/ipt-fullconenat
+  SUBMENU:=Netfilter Extensions
+  TITLE:=FULLCONENAT netfilter module
+  DEPENDS:=+kmod-nf-ipt +kmod-nf-nat
+  MAINTAINER:=Chion Tang <tech@chionlab.moe>
+  KCONFIG:=CONFIG_NF_CONNTRACK_EVENTS=y CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y
+  FILES:=$(PKG_BUILD_DIR)/xt_FULLCONENAT.ko
+endef
+
+include $(INCLUDE_DIR)/kernel-defaults.mk
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	$(CP) ./files/Makefile $(PKG_BUILD_DIR)/
+endef
+
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
+        CROSS_COMPILE="$(TARGET_CROSS)" \
+        ARCH="$(LINUX_KARCH)" \
+        SUBDIRS="$(PKG_BUILD_DIR)" \
+        EXTRA_CFLAGS="$(BUILDFLAGS)" \
+        modules
+	$(call Build/Compile/Default)
+endef
+
+$(eval $(call BuildPackage,iptables-mod-fullconenat))
+$(eval $(call KernelPackage,ipt-fullconenat))

package/lean/openwrt-fullconenat/files/Makefile

@@ -0,0 +1,7 @@
+libipt_FULLCONENAT.so: libipt_FULLCONENAT.o
+	$(CC) -shared -lxtables -o $@ $^;
+libipt_FULLCONENAT.o: libipt_FULLCONENAT.c
+	$(CC) ${CFLAGS} -fPIC -D_INIT=$*_init -c -o $@ $<;
+
+obj-m += xt_FULLCONENAT.o
+

package/lean/shortcut-fe/Makefile

@@ -0,0 +1,121 @@
+#
+# Copyright (c) 2014 The Linux Foundation. All rights reserved.
+# Permission to use, copy, modify, and/or distribute this software for
+# any purpose with or without fee is hereby granted, provided that the
+# above copyright notice and this permission notice appear in all copies.
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=shortcut-fe
+PKG_RELEASE:=2
+
+include $(INCLUDE_DIR)/package.mk
+
+define KernelPackage/shortcut-fe
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  DEPENDS:=@IPV6 @!LINUX_4_14
+  TITLE:=Kernel driver for SFE
+  FILES:=$(PKG_BUILD_DIR)/shortcut-fe.ko $(PKG_BUILD_DIR)/shortcut-fe-ipv6.ko
+  KCONFIG:=CONFIG_NF_CONNTRACK_EVENTS=y CONFIG_SHORTCUT_FE=y
+  AUTOLOAD:=$(call AutoProbe,shortcut-fe shortcut-fe-ipv6)
+endef
+
+define KernelPackage/shortcut-fe/Description
+Shortcut is an in-Linux-kernel IP packet forwarding engine.
+endef
+
+define KernelPackage/shortcut-fe-cm
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
+  TITLE:=Kernel driver for SFE
+  FILES:=$(PKG_BUILD_DIR)/shortcut-fe-cm.ko
+  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y CONFIG_NF_CONNTRACK_MARK=y
+  AUTOLOAD:=$(call AutoProbe,shortcut-fe-cm)
+endef
+
+define KernelPackage/shortcut-fe-cm/Description
+Simple connection manager for the Shortcut forwarding engine.
+endef
+
+define KernelPackage/fast-classifier
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
+  TITLE:=Kernel driver for FAST Classifier
+  FILES:=$(PKG_BUILD_DIR)/fast-classifier.ko
+  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y CONFIG_NF_CONNTRACK_MARK=y
+  AUTOLOAD:=$(call AutoLoad,z,fast-classifier)
+  PROVIDES:=$(PKG_NAME)
+endef
+
+define KernelPackage/fast-classifier/description
+FAST Classifier connection manager for Shortcut forwarding engine. 
+It talks to SFE to make decisions about offloading connections.
+endef
+
+define Package/fast-classifier-example
+  TITLE:=Example user space program for fast-classifier
+  DEPENDS:=+libnl +kmod-fast-classifier
+endef
+
+define Package/fast-classifier-example/description
+Example user space program that communicates with fast
+classifier kernel module
+endef
+
+MAKE_OPTS:= \
+		ARCH="$(LINUX_KARCH)" \
+		CROSS_COMPILE="$(TARGET_CROSS)" \
+		SUBDIRS="$(PKG_BUILD_DIR)" \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)"
+
+define Build/Compile
+	$(MAKE) -C "$(LINUX_DIR)" \
+		$(MAKE_OPTS) \
+		modules
+	$(if $(CONFIG_PACKAGE_fast-classifier-example),$(Build/Compile/fast-classifier-example))
+endef
+
+define Build/Compile/fast-classifier-example
+	$(TARGET_CC) -o $(PKG_BUILD_DIR)/userspace_fast_classifier \
+		-I $(PKG_BUILD_DIR) \
+		-I$(STAGING_DIR)/usr/include/libnl \
+		-I$(STAGING_DIR)/usr/include/libnl3 \
+		-lnl-genl-3 -lnl-3 \
+		$(PKG_BUILD_DIR)/nl_classifier_test.c
+endef
+
+ifneq ($(CONFIG_PACKAGE_kmod-shortcut-fe)$(CONFIG_PACKAGE_kmod-shortcut-fe-cm)$(CONFIG_PACKAGE_kmod-fast-classifier),)
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/shortcut-fe
+	$(CP) -rf $(PKG_BUILD_DIR)/sfe.h $(1)/usr/include/shortcut-fe
+ifneq ($(CONFIG_PACKAGE_kmod-fast-classifier),)
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_BUILD_DIR)/fast-classifier.h $(1)/usr/include/
+endif
+endef
+endif
+
+define Package/fast-classifier-example/install
+	$(INSTALL_DIR) $(1)/sbin
+	$(CP) $(PKG_BUILD_DIR)/userspace_fast_classifier $(1)/sbin/
+endef
+
+$(eval $(call KernelPackage,shortcut-fe))
+$(eval $(call KernelPackage,shortcut-fe-cm))
+$(eval $(call KernelPackage,fast-classifier))
+#$(eval $(call BuildPackage,fast-classifier-example))
+

package/lean/shortcut-fe/src/Kconfig

@@ -0,0 +1,14 @@
+#
+# Shortcut forwarding engine
+#
+
+config SHORTCUT_FE
+	tristate "Shortcut Forwarding Engine"
+	depends on NF_CONNTRACK
+	---help---
+	  Shortcut is a fast in-kernel packet forwarding engine.
+
+	  To compile this code as a module, choose M here: the module will be
+	  called shortcut-fe.
+
+	  If unsure, say N.

package/lean/shortcut-fe/src/Makefile

@@ -0,0 +1,14 @@
+#
+# Makefile for Shortcut FE.
+#
+
+obj-m += shortcut-fe.o shortcut-fe-ipv6.o shortcut-fe-cm.o fast-classifier.o
+
+shortcut-fe-objs := \
+	sfe_ipv4.o
+
+shortcut-fe-ipv6-objs := \
+	sfe_ipv6.o
+
+shortcut-fe-cm-objs := \
+	sfe_cm.o

package/lean/shortcut-fe/src/README

@@ -0,0 +1,122 @@
+Shortcut Forwarding Engine
+--------------------------
+
+Welcome to "Shortcut" :-)
+
+Here's a quick FAQ:
+
+
+Q) What is Shortcut?
+
+A) Shortcut is an in-Linux-kernel IP packet forwarding engine.  It's designed
+to offer very high speed IP packet forwarding based on IP connection tracking.
+It's dramatically faster than the standard netfilter-based NAT forwarding path
+but is designed to synchronise state back to netfilter/conntrack so that it
+doesn't need to deal with all of the complexities of special cases.
+
+
+Q) What versions of IP does it support?
+
+A) The current version only supports IPv4 but will be extended to support IPv6 in
+the future.
+
+
+Q) What transport protocols does it support?
+
+A) TCP and UDP.  It also knows enough about ICMP to spot ICMP error messages
+related to TCP and UDP and handle things accordingly.
+
+
+Q) Is there a design spec for this software?
+
+A) Not at the moment.  I'll write one when I get more time.  The code is
+intended to be a good tutorial though - it's very heavily commented.  If you
+find yourself reading something and not understanding it then I take that to
+mean I've probably not done a sufficently good job of explaining what it's
+doing in the comments.  Let me know - I will try to fix it :-)
+
+
+Q) Why was it written?
+
+A) It was written as a demonstration of what can be done to provide high
+performance forwarding inside the kernel.  There were two initial motivations:
+
+1) To provide a platform to enable research into how QoS analysis systems can
+offload work and avoid huge Linux overheads.
+
+2) To provide a tool to investigate the behaviour of various processors, SoCs
+and software sets so that we can characterize and design new network processor
+SoCs.
+
+
+Q) How much faster is it than the Linux kernel forwarding path?
+
+A) At the time of pushing this to github it's been tested on a QCA AP135.
+This has a Scorpion (QCA Scopion, not the QMC one :-)) SoC, QCA9550.  The
+SoC's processor is a MIPS74K running at 720 MHz and with a DDR2 memory
+subsystem that offers a peak of 600 MT/s (16-bit transfers).
+
+Running IPv4 NAT forwarding of UDP between the board's 2 GMAC ports and
+using a SmartBits 200 as a traffic generator Linux is able to forward 70k PPS.
+Once the SFE code is invoked this will increase to 350k PPS!
+
+There's also a slightly hacky mode which causes SFE to bypass the Linux
+bridge layer, but this isn't really ready for use because it doesn't have
+sufficient MAC address checks or integration of statistics back to the
+Ethernet bridge, but that runs at 436k PPS.
+
+
+Q) Are there any diagnostics?
+
+A) Yes, this is a research tool after all!  There's a complex way to do this
+that's more general purpose and a simple one - here's the simple one:
+
+	mknod /dev/sfe c 253 0
+
+The file /dev/sfe is an XML-ish output and provides details of all the
+network connections currently being offloaded.  It also reports the numbers
+of packets that took various "exception" paths within the code.  In addition
+it provides a summary of the number of connections, attempts to accelerate
+connections, cancel accelerations, etc.  It also reports the numbers of
+packets that were forwarded and not forwarded by the engine and has some
+stats on the effectiveness of the hashing algorithm it uses.
+
+
+Q) How does the code interact with Linux?
+
+A) There are four minor patches required to make this software run with
+Linux.  These are currently against a 3.3.8 or 3.4.0 kernel:
+
+* (net/core/dev.c) adds a hook to allow packets to be extracted out.
+
+* (net/netfilter/nf_conntrack_proto_tcp.c) exposes a state variable inside
+  netfilter that's necessary to enable TCP sequence and ACK checking within
+  the offload path.  Note that this specific patch is against the QCA QSDK
+  patched version of 3.3.8 - there's a slightly braindead "performance"
+  patch in that kernel, courtesy of the OpenWrt community that makes the
+  Linux forwarding path slightly faster at the expense of losing
+  functionality :-(
+
+* (net/Kconfig) adds the shortcut-fe option.
+
+* (net/Makefile) adds the shortcut-fe build support.
+
+Once these are applied and the module is loaded then everything else
+is automatic :-)  The patches are in this git repo.
+
+
+Q) Are any of the pieces reused from other projects?
+
+A) Yes!  Some of the forwarding concepts are reused from the Ubicom Network
+Accelerator that morphed into part of the Akronite NSS.  This code has all
+been substantially changed though to accomodate Linux's needs.
+
+There are also some pieces that I borrowed from the QCA "FastNAT" software
+written by Xiaoping Fan <xfan@qca.qualcomm.com>.  Xiaoping's code was the
+first actual demonstration within QCA that this in-kernel concept could yield
+signficant performance gains.
+
+
+Enjoy!
+Dave Hudson <dhudson@qti.qualcomm.com>
+

package/lean/shortcut-fe/src/fast-classifier.h

@@ -0,0 +1,57 @@
+/*
+ * User space header to send message to the fast classifier
+ *
+ * Copyright (c) 2013,2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <linux/if_ether.h>
+
+#define FAST_CLASSIFIER_GENL_VERSION	(1)
+#define FAST_CLASSIFIER_GENL_NAME	"FC"
+#define FAST_CLASSIFIER_GENL_MCGRP	"FC_MCGRP"
+#define FAST_CLASSIFIER_GENL_HDRSIZE	(0)
+
+enum {
+	FAST_CLASSIFIER_A_UNSPEC,
+	FAST_CLASSIFIER_A_TUPLE,
+	__FAST_CLASSIFIER_A_MAX,
+};
+
+#define FAST_CLASSIFIER_A_MAX (__FAST_CLASSIFIER_A_MAX - 1)
+
+enum {
+	FAST_CLASSIFIER_C_UNSPEC,
+	FAST_CLASSIFIER_C_OFFLOAD,
+	FAST_CLASSIFIER_C_OFFLOADED,
+	FAST_CLASSIFIER_C_DONE,
+	__FAST_CLASSIFIER_C_MAX,
+};
+
+#define FAST_CLASSIFIER_C_MAX (__FAST_CLASSIFIER_C_MAX - 1)
+
+struct fast_classifier_tuple {
+	unsigned short ethertype;
+	unsigned char proto;
+	union {
+		struct in_addr in;
+		struct in6_addr in6;
+	} src_saddr;
+	union {
+		struct in_addr in;
+		struct in6_addr in6;
+	} dst_saddr;
+	unsigned short sport;
+	unsigned short dport;
+	unsigned char smac[ETH_ALEN];
+	unsigned char dmac[ETH_ALEN];
+};

package/lean/shortcut-fe/src/nl_classifier_test.c

@@ -0,0 +1,281 @@
+/*
+ * Copyright (c) 2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <signal.h>
+#include <arpa/inet.h>
+
+#define NL_CLASSIFIER_GENL_VERSION	1
+#define NL_CLASSIFIER_GENL_FAMILY	"FC"
+#define NL_CLASSIFIER_GENL_GROUP	"FC_MCGRP"
+#define NL_CLASSIFIER_GENL_HDRSIZE	0
+
+enum NL_CLASSIFIER_CMD {
+	NL_CLASSIFIER_CMD_UNSPEC,
+	NL_CLASSIFIER_CMD_ACCEL,
+	NL_CLASSIFIER_CMD_ACCEL_OK,
+	NL_CLASSIFIER_CMD_CONNECTION_CLOSED,
+	NL_CLASSIFIER_CMD_MAX,
+};
+
+enum NL_CLASSIFIER_ATTR {
+	NL_CLASSIFIER_ATTR_UNSPEC,
+	NL_CLASSIFIER_ATTR_TUPLE,
+	NL_CLASSIFIER_ATTR_MAX,
+};
+
+union nl_classifier_tuple_ip {
+	struct in_addr in;
+	struct in6_addr in6;
+};
+
+struct nl_classifier_tuple {
+	unsigned short af;
+	unsigned char proto;
+	union nl_classifier_tuple_ip src_ip;
+	union nl_classifier_tuple_ip dst_ip;
+	unsigned short sport;
+	unsigned short dport;
+	unsigned char smac[6];
+	unsigned char dmac[6];
+};
+
+struct nl_classifier_instance {
+	struct nl_sock *sock;
+	int family_id;
+	int group_id;
+	int stop;
+};
+
+struct nl_classifier_instance nl_cls_inst;
+
+static struct nla_policy nl_classifier_genl_policy[(NL_CLASSIFIER_ATTR_MAX+1)] = {
+	[NL_CLASSIFIER_ATTR_TUPLE] = { .type = NLA_UNSPEC },
+};
+
+void nl_classifier_dump_nl_tuple(struct nl_classifier_tuple *tuple)
+{
+	char ip_str[64];
+
+	printf("protocol = %s\n", (tuple->proto == IPPROTO_UDP) ? "udp" : ((tuple->proto == IPPROTO_TCP) ? "tcp" : "unknown"));
+	printf("source ip = %s\n", inet_ntop(tuple->af, &tuple->src_ip, ip_str, sizeof(ip_str)));
+	printf("destination ip = %s\n", inet_ntop(tuple->af, &tuple->dst_ip, ip_str, sizeof(ip_str)));
+	printf("source port = %d\n", ntohs(tuple->sport));
+	printf("destination port = %d\n", ntohs(tuple->dport));
+}
+
+int nl_classifier_msg_recv(struct nl_msg *msg, void *arg)
+{
+	struct nlmsghdr *nlh = nlmsg_hdr(msg);
+	struct genlmsghdr *gnlh = nlmsg_data(nlh);
+	struct nlattr *attrs[(NL_CLASSIFIER_ATTR_MAX+1)];
+
+	genlmsg_parse(nlh, NL_CLASSIFIER_GENL_HDRSIZE, attrs, NL_CLASSIFIER_ATTR_MAX, nl_classifier_genl_policy);
+
+	switch (gnlh->cmd) {
+	case NL_CLASSIFIER_CMD_ACCEL_OK:
+		printf("Acceleration successful:\n");
+		nl_classifier_dump_nl_tuple(nla_data(attrs[NL_CLASSIFIER_ATTR_TUPLE]));
+		return NL_OK;
+	case NL_CLASSIFIER_CMD_CONNECTION_CLOSED:
+		printf("Connection is closed:\n");
+		nl_classifier_dump_nl_tuple(nla_data(attrs[NL_CLASSIFIER_ATTR_TUPLE]));
+		return NL_OK;
+	default:
+		printf("nl classifier received unknow message %d\n", gnlh->cmd);
+	}
+
+	return NL_SKIP;
+}
+
+void nl_classifier_offload(struct nl_classifier_instance *inst,
+			   unsigned char proto, unsigned long *src_saddr,
+			   unsigned long *dst_saddr, unsigned short sport,
+			   unsigned short dport, int af)
+{
+	struct nl_msg *msg;
+	int ret;
+	struct nl_classifier_tuple classifier_msg;
+
+	memset(&classifier_msg, 0, sizeof(classifier_msg));
+	classifier_msg.af = af;
+	classifier_msg.proto = proto;
+	memcpy(&classifier_msg.src_ip, src_saddr, (af == AF_INET ? 4 : 16));
+	memcpy(&classifier_msg.dst_ip, dst_saddr, (af == AF_INET ? 4 : 16));
+	classifier_msg.sport = sport;
+	classifier_msg.dport = dport;
+
+	msg = nlmsg_alloc();
+	if (!msg) {
+		printf("Unable to allocate message\n");
+		return;
+	}
+
+	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, inst->family_id,
+		    NL_CLASSIFIER_GENL_HDRSIZE, NLM_F_REQUEST,
+		    NL_CLASSIFIER_CMD_ACCEL, NL_CLASSIFIER_GENL_VERSION);
+	nla_put(msg, NL_CLASSIFIER_ATTR_TUPLE, sizeof(classifier_msg), &classifier_msg);
+
+	ret = nl_send_auto(inst->sock, msg);
+	if (ret < 0) {
+		printf("send netlink message failed.\n");
+		nlmsg_free(msg);
+		return;
+	}
+
+	nlmsg_free(msg);
+	printf("nl classifier offload connection successful\n");
+}
+
+int nl_classifier_init(struct nl_classifier_instance *inst)
+{
+	int ret;
+
+	inst->sock = nl_socket_alloc();
+	if (!inst->sock) {
+		printf("Unable to allocation socket.\n");
+		return -1;
+	}
+	genl_connect(inst->sock);
+
+	inst->family_id = genl_ctrl_resolve(inst->sock, NL_CLASSIFIER_GENL_FAMILY);
+	if (inst->family_id < 0) {
+		printf("Unable to resolve family %s\n", NL_CLASSIFIER_GENL_FAMILY);
+		goto init_failed;
+	}
+
+	inst->group_id = genl_ctrl_resolve_grp(inst->sock, NL_CLASSIFIER_GENL_FAMILY, NL_CLASSIFIER_GENL_GROUP);
+	if (inst->group_id < 0) {
+		printf("Unable to resolve mcast group %s\n", NL_CLASSIFIER_GENL_GROUP);
+		goto init_failed;
+	}
+
+	ret = nl_socket_add_membership(inst->sock, inst->group_id);
+	if (ret < 0) {
+		printf("Unable to add membership\n");
+		goto init_failed;
+	}
+
+	nl_socket_disable_seq_check(inst->sock);
+	nl_socket_modify_cb(inst->sock, NL_CB_VALID, NL_CB_CUSTOM, nl_classifier_msg_recv, NULL);
+
+	printf("nl classifier init successful\n");
+	return 0;
+
+init_failed:
+	if (inst->sock) {
+		nl_close(inst->sock);
+		nl_socket_free(inst->sock);
+		inst->sock = NULL;
+	}
+	return -1;
+}
+
+void nl_classifier_exit(struct nl_classifier_instance *inst)
+{
+	if (inst->sock) {
+		nl_close(inst->sock);
+		nl_socket_free(inst->sock);
+		inst->sock = NULL;
+	}
+	printf("nl classifier exit successful\n");
+}
+
+int nl_classifier_parse_arg(int argc, char *argv[], unsigned char *proto, unsigned long *src_saddr,
+			    unsigned long *dst_saddr, unsigned short *sport, unsigned short *dport, int *af)
+{
+	int ret;
+	unsigned short port;
+
+	if (argc < 7) {
+		printf("help: nl_classifier <v4|v6> <udp|tcp> <source ip> <destination ip> <source port> <destination port>\n");
+		return -1;
+	}
+
+	if (0 == strncmp(argv[1], "v4", 2)) {
+		*af = AF_INET;
+	} else if (0 == strncmp(argv[1], "v6", 2)) {
+		*af = AF_INET6;
+	} else {
+		printf("Address family is not supported");
+		return -1;
+	}
+
+	if (0 == strncmp(argv[2], "udp", 3)) {
+		*proto = IPPROTO_UDP;
+	} else if (0 == strncmp(argv[2], "tcp", 3)) {
+		*proto = IPPROTO_TCP;
+	} else {
+		printf("Protocol is not supported");
+		return -1;
+	}
+
+	ret = inet_pton(*af, argv[3], src_saddr);
+	if (ret <= 0) {
+		printf("source ip has wrong format\n");
+		return -1;
+	}
+
+	ret = inet_pton(*af, argv[4], dst_saddr);
+	if (ret <= 0) {
+		printf("destination ip has wrong format\n");
+		return -1;
+	}
+
+	port = strtol(argv[5], NULL, 0);
+	*sport = htons(port);
+	port = strtol(argv[6], NULL, 0);
+	*dport = htons(port);
+
+	printf("nl classifier parse arguments successful\n");
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	struct nl_classifier_instance *inst = &nl_cls_inst;
+	unsigned char proto;
+	unsigned long src_addr[4];
+	unsigned long dst_addr[4];
+	unsigned short sport;
+	unsigned short dport;
+	int af;
+	int ret;
+
+	ret = nl_classifier_parse_arg(argc, argv, &proto, src_addr, dst_addr, &sport, &dport, &af);
+	if (ret < 0) {
+		printf("Failed to parse arguments\n");
+		return ret;
+	}
+
+	ret = nl_classifier_init(inst);
+	if (ret < 0) {
+		printf("Unable to init generic netlink\n");
+		return ret;
+	}
+
+	nl_classifier_offload(inst, proto, src_addr, dst_addr, sport, dport, af);
+
+	/* main loop to listen on message */
+	while (!inst->stop) {
+		nl_recvmsgs_default(inst->sock);
+	}
+
+	nl_classifier_exit(inst);
+
+	return 0;
+}

package/lean/shortcut-fe/src/sfe.h

@@ -0,0 +1,61 @@
+/*
+ * sfe.h
+ *	Shortcut forwarding engine.
+ *
+ * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Debug output verbosity level.
+ */
+#define DEBUG_LEVEL 0
+
+#if (DEBUG_LEVEL < 1)
+#define DEBUG_ERROR(s, ...)
+#else
+#define DEBUG_ERROR(s, ...) \
+do { \
+	printk("%s[%u]: ERROR:", __FILE__, __LINE__); \
+	printk(s, ##__VA_ARGS__); \
+} while (0)
+#endif
+
+#if (DEBUG_LEVEL < 2)
+#define DEBUG_WARN(s, ...)
+#else
+#define DEBUG_WARN(s, ...) \
+do { \
+	printk("%s[%u]: WARN:", __FILE__, __LINE__); \
+	printk(s, ##__VA_ARGS__); \
+} while (0)
+#endif
+
+#if (DEBUG_LEVEL < 3)
+#define DEBUG_INFO(s, ...)
+#else
+#define DEBUG_INFO(s, ...) \
+do { \
+	printk("%s[%u]: INFO:", __FILE__, __LINE__); \
+	printk(s, ##__VA_ARGS__); \
+} while (0)
+#endif
+
+#if (DEBUG_LEVEL < 4)
+#define DEBUG_TRACE(s, ...)
+#else
+#define DEBUG_TRACE(s, ...) \
+do { \
+	printk("%s[%u]: TRACE:", __FILE__, __LINE__); \
+	printk(s, ##__VA_ARGS__); \
+} while (0)
+#endif

package/lean/shortcut-fe/src/sfe_backport.h

@@ -0,0 +1,138 @@
+/*
+ * sfe_backport.h
+ *	Shortcut forwarding engine compatible header file.
+ *
+ * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <linux/version.h>
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(void *priv, \
+			    struct sk_buff *SKB, \
+			    const struct nf_hook_state *state)
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(const struct nf_hook_ops *OPS, \
+			    struct sk_buff *SKB, \
+			    const struct net_device *UNUSED, \
+			    const struct net_device *OUT, \
+			    int (*OKFN)(struct sk_buff *))
+#else
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(unsigned int HOOKNUM, \
+			    struct sk_buff *SKB, \
+			    const struct net_device *UNUSED, \
+			    const struct net_device *OUT, \
+			    int (*OKFN)(struct sk_buff *))
+#endif
+
+#define sfe_cm_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__sfe_cm_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define sfe_cm_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__sfe_cm_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define fast_classifier_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__fast_classifier_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define fast_classifier_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__fast_classifier_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.pf = NFPROTO_IPV4,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#else
+#define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.owner = THIS_MODULE,			\
+		.pf = NFPROTO_IPV4,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.pf = NFPROTO_IPV6,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#else
+#define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.owner = THIS_MODULE,			\
+		.pf = NFPROTO_IPV6,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP6_PRI_NAT_SRC + 1,	\
+	}
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0))
+#define SFE_NF_CT_DEFAULT_ZONE (&nf_ct_zone_dflt)
+#else
+#define SFE_NF_CT_DEFAULT_ZONE NF_CT_DEFAULT_ZONE
+#endif
+
+/*
+ * sfe_dev_get_master
+ * 	get master of bridge port, and hold it
+ */
+static inline struct net_device *sfe_dev_get_master(struct net_device *dev)
+{
+	struct net_device *master;
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+	rcu_read_lock();
+	master = netdev_master_upper_dev_get_rcu(dev);
+	if (master)
+		dev_hold(master);
+
+	rcu_read_unlock();
+#else
+	master = dev->master;
+	if (master)
+		dev_hold(master);
+#endif
+	return master;
+}
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 11, 0))
+#define SFE_DEV_EVENT_PTR(PTR) netdev_notifier_info_to_dev(PTR)
+#else
+#define SFE_DEV_EVENT_PTR(PTR) (struct net_device *)(PTR)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define SFE_NF_CONN_ACCT(NM) struct nf_conn_acct *NM
+#else
+#define SFE_NF_CONN_ACCT(NM) struct nf_conn_counter *NM
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define SFE_ACCT_COUNTER(NM) ((NM)->counter)
+#else
+#define SFE_ACCT_COUNTER(NM) (NM)
+#endif
+
+#define sfe_hash_for_each_possible(name, obj, member, key) \
+	hash_for_each_possible(name, obj, member, key)
+
+#define sfe_hash_for_each(name, bkt, obj, member) \
+	hash_for_each(name, bkt, obj, member)

package/lean/shortcut-fe/src/sfe_cm.h

@@ -0,0 +1,222 @@
+/*
+ * sfe_cm.h
+ *	Shortcut forwarding engine.
+ *
+ * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * connection flags.
+ */
+#define SFE_CREATE_FLAG_NO_SEQ_CHECK BIT(0)
+					/* Indicates that we should not check sequence numbers */
+#define SFE_CREATE_FLAG_REMARK_PRIORITY BIT(1)
+					/* Indicates that we should remark priority of skb */
+#define SFE_CREATE_FLAG_REMARK_DSCP BIT(2)
+					/* Indicates that we should remark DSCP of packet */
+
+/*
+ * IPv6 address structure
+ */
+struct sfe_ipv6_addr {
+	__be32 addr[4];
+};
+
+typedef union {
+	__be32			ip;
+	struct sfe_ipv6_addr	ip6[1];
+} sfe_ip_addr_t;
+
+/*
+ * connection creation structure.
+ */
+struct sfe_connection_create {
+	int protocol;
+	struct net_device *src_dev;
+	struct net_device *dest_dev;
+	u32 flags;
+	u32 src_mtu;
+	u32 dest_mtu;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t src_ip_xlate;
+	sfe_ip_addr_t dest_ip;
+	sfe_ip_addr_t dest_ip_xlate;
+	__be16 src_port;
+	__be16 src_port_xlate;
+	__be16 dest_port;
+	__be16 dest_port_xlate;
+	u8 src_mac[ETH_ALEN];
+	u8 src_mac_xlate[ETH_ALEN];
+	u8 dest_mac[ETH_ALEN];
+	u8 dest_mac_xlate[ETH_ALEN];
+	u8 src_td_window_scale;
+	u32 src_td_max_window;
+	u32 src_td_end;
+	u32 src_td_max_end;
+	u8 dest_td_window_scale;
+	u32 dest_td_max_window;
+	u32 dest_td_end;
+	u32 dest_td_max_end;
+	u32 mark;
+#ifdef CONFIG_XFRM
+	u32 original_accel;
+	u32 reply_accel;
+#endif
+	u32 src_priority;
+	u32 dest_priority;
+	u32 src_dscp;
+	u32 dest_dscp;
+};
+
+/*
+ * connection destruction structure.
+ */
+struct sfe_connection_destroy {
+	int protocol;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t dest_ip;
+	__be16 src_port;
+	__be16 dest_port;
+};
+
+typedef enum sfe_sync_reason {
+	SFE_SYNC_REASON_STATS,	/* Sync is to synchronize stats */
+	SFE_SYNC_REASON_FLUSH,	/* Sync is to flush a entry */
+	SFE_SYNC_REASON_DESTROY	/* Sync is to destroy a entry(requested by connection manager) */
+} sfe_sync_reason_t;
+
+/*
+ * Structure used to sync connection stats/state back within the system.
+ *
+ * NOTE: The addresses here are NON-NAT addresses, i.e. the true endpoint addressing.
+ * 'src' is the creator of the connection.
+ */
+struct sfe_connection_sync {
+	struct net_device *src_dev;
+	struct net_device *dest_dev;
+	int is_v6;			/* Is it for ipv6? */
+	int protocol;			/* IP protocol number (IPPROTO_...) */
+	sfe_ip_addr_t src_ip;		/* Non-NAT source address, i.e. the creator of the connection */
+	sfe_ip_addr_t src_ip_xlate;	/* NATed source address */
+	__be16 src_port;		/* Non-NAT source port */
+	__be16 src_port_xlate;		/* NATed source port */
+	sfe_ip_addr_t dest_ip;		/* Non-NAT destination address, i.e. to whom the connection was created */
+	sfe_ip_addr_t dest_ip_xlate;	/* NATed destination address */
+	__be16 dest_port;		/* Non-NAT destination port */
+	__be16 dest_port_xlate;		/* NATed destination port */
+	u32 src_td_max_window;
+	u32 src_td_end;
+	u32 src_td_max_end;
+	u64 src_packet_count;
+	u64 src_byte_count;
+	u32 src_new_packet_count;
+	u32 src_new_byte_count;
+	u32 dest_td_max_window;
+	u32 dest_td_end;
+	u32 dest_td_max_end;
+	u64 dest_packet_count;
+	u64 dest_byte_count;
+	u32 dest_new_packet_count;
+	u32 dest_new_byte_count;
+	u32 reason;		/* reason for stats sync message, i.e. destroy, flush, period sync */
+	u64 delta_jiffies;		/* Time to be added to the current timeout to keep the connection alive */
+};
+
+/*
+ * connection mark structure
+ */
+struct sfe_connection_mark {
+	int protocol;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t dest_ip;
+	__be16 src_port;
+	__be16 dest_port;
+	u32 mark;
+};
+
+/*
+ * Expose the hook for the receive processing.
+ */
+extern int (*fast_nat_recv)(struct sk_buff *skb);
+
+/*
+ * Expose what should be a static flag in the TCP connection tracker.
+ */
+extern int nf_ct_tcp_no_window_check;
+
+/*
+ * This callback will be called in a timer
+ * at 100 times per second to sync stats back to
+ * Linux connection track.
+ *
+ * A RCU lock is taken to prevent this callback
+ * from unregistering.
+ */
+typedef void (*sfe_sync_rule_callback_t)(struct sfe_connection_sync *);
+
+/*
+ * IPv4 APIs used by connection manager
+ */
+int sfe_ipv4_recv(struct net_device *dev, struct sk_buff *skb);
+int sfe_ipv4_create_rule(struct sfe_connection_create *sic);
+void sfe_ipv4_destroy_rule(struct sfe_connection_destroy *sid);
+void sfe_ipv4_destroy_all_rules_for_dev(struct net_device *dev);
+void sfe_ipv4_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
+void sfe_ipv4_update_rule(struct sfe_connection_create *sic);
+void sfe_ipv4_mark_rule(struct sfe_connection_mark *mark);
+
+/*
+ * IPv6 APIs used by connection manager
+ */
+int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb);
+int sfe_ipv6_create_rule(struct sfe_connection_create *sic);
+void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid);
+void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev);
+void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
+void sfe_ipv6_update_rule(struct sfe_connection_create *sic);
+void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark);
+
+/*
+ * sfe_ipv6_addr_equal()
+ *	compare ipv6 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+static inline int sfe_ipv6_addr_equal(struct sfe_ipv6_addr *a,
+				      struct sfe_ipv6_addr *b)
+{
+	return a->addr[0] == b->addr[0] &&
+	       a->addr[1] == b->addr[1] &&
+	       a->addr[2] == b->addr[2] &&
+	       a->addr[3] == b->addr[3];
+}
+
+/*
+ * sfe_ipv4_addr_equal()
+ *	compare ipv4 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+#define sfe_ipv4_addr_equal(a, b) ((u32)(a) == (u32)(b))
+
+/*
+ * sfe_addr_equal()
+ *	compare ipv4 or ipv6 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+static inline int sfe_addr_equal(sfe_ip_addr_t *a,
+				 sfe_ip_addr_t *b, int is_v4)
+{
+	return is_v4 ? sfe_ipv4_addr_equal(a->ip, b->ip) : sfe_ipv6_addr_equal(a->ip6, b->ip6);
+}

package/lean/shortcut-fe/src/userspace_example.c

@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 2013,2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <arpa/inet.h>
+
+#include "fast-classifier.h"
+
+static struct nl_sock *sock;
+static struct nl_sock *sock_event;
+static int family;
+static int grp_id;
+
+static struct nla_policy fast_classifier_genl_policy[FAST_CLASSIFIER_A_MAX + 1] = {
+	[FAST_CLASSIFIER_A_TUPLE] = { .type = NLA_UNSPEC },
+};
+
+void dump_fc_tuple(struct fast_classifier_tuple *fc_msg)
+{
+	char src_str[INET_ADDRSTRLEN];
+	char dst_str[INET_ADDRSTRLEN];
+
+	printf("TUPLE: %d, %s, %s, %d, %d"
+			" SMAC=%02x:%02x:%02x:%02x:%02x:%02x",
+			" DMAC=%02x:%02x:%02x:%02x:%02x:%02x\n",
+				fc_msg->proto,
+				inet_ntop(AF_INET,
+					  &fc_msg->src_saddr.in.s_addr,
+					  src_str,
+					  INET_ADDRSTRLEN),
+				inet_ntop(AF_INET,
+					  &fc_msg->dst_saddr.in.s_addr,
+					  dst_str,
+					  INET_ADDRSTRLEN),
+				fc_msg->sport, fc_msg->dport,
+				fc_msg->smac[0], fc_msg->smac[1], fc_msg->smac[2],
+				fc_msg->smac[3], fc_msg->smac[4], fc_msg->smac[5],
+				fc_msg->dmac[0], fc_msg->dmac[1], fc_msg->dmac[2],
+				fc_msg->dmac[3], fc_msg->dmac[4], fc_msg->dmac[5]);
+}
+
+static int parse_cb(struct nl_msg *msg, void *arg)
+{
+	struct nlmsghdr *nlh = nlmsg_hdr(msg);
+	struct genlmsghdr *gnlh = nlmsg_data(nlh);
+	struct nlattr *attrs[FAST_CLASSIFIER_A_MAX];
+
+	genlmsg_parse(nlh, 0, attrs, FAST_CLASSIFIER_A_MAX, fast_classifier_genl_policy);
+
+	switch (gnlh->cmd) {
+	case FAST_CLASSIFIER_C_OFFLOADED:
+		printf("Got a offloaded message\n");
+		dump_fc_tuple(nla_data(attrs[FAST_CLASSIFIER_A_TUPLE]));
+		return NL_OK;
+	case FAST_CLASSIFIER_C_DONE:
+		printf("Got a done message\n");
+		dump_fc_tuple(nla_data(attrs[FAST_CLASSIFIER_A_TUPLE]));
+		return NL_OK;
+	}
+
+	return NL_SKIP;
+}
+
+int fast_classifier_init(void)
+{
+	int err;
+
+	sock = nl_socket_alloc();
+	if (!sock) {
+		printf("Unable to allocation socket.\n");
+		return -1;
+	}
+	genl_connect(sock);
+
+	sock_event = nl_socket_alloc();
+	if (!sock_event) {
+		nl_close(sock);
+		nl_socket_free(sock);
+		printf("Unable to allocation socket.\n");
+		return -1;
+	}
+	genl_connect(sock_event);
+
+	family = genl_ctrl_resolve(sock, FAST_CLASSIFIER_GENL_NAME);
+	if (family < 0) {
+		nl_close(sock_event);
+		nl_close(sock);
+		nl_socket_free(sock);
+		nl_socket_free(sock_event);
+		printf("Unable to resolve family\n");
+		return -1;
+	}
+
+	grp_id = genl_ctrl_resolve_grp(sock, FAST_CLASSIFIER_GENL_NAME,
+				       FAST_CLASSIFIER_GENL_MCGRP);
+	if (grp_id < 0) {
+		printf("Unable to resolve mcast group\n");
+		return -1;
+	}
+
+	err = nl_socket_add_membership(sock_event, grp_id);
+	if (err < 0) {
+		printf("Unable to add membership\n");
+		return -1;
+	}
+
+	nl_socket_disable_seq_check(sock_event);
+	nl_socket_modify_cb(sock_event, NL_CB_VALID, NL_CB_CUSTOM, parse_cb, NULL);
+
+	return 0;
+}
+
+void fast_classifier_close(void)
+{
+	nl_close(sock_event);
+	nl_close(sock);
+	nl_socket_free(sock_event);
+	nl_socket_free(sock);
+}
+
+void fast_classifier_ipv4_offload(unsigned char proto, unsigned long src_saddr,
+				  unsigned long dst_saddr, unsigned short sport,
+				  unsigned short dport)
+{
+	struct nl_msg *msg;
+	int ret;
+#ifdef DEBUG
+	char src_str[INET_ADDRSTRLEN];
+	char dst_str[INET_ADDRSTRLEN];
+#endif
+	struct fast_classifier_tuple fc_msg;
+
+#ifdef DEBUG
+	printf("DEBUG: would offload: %d, %s, %s, %d, %d\n", proto,
+	       inet_ntop(AF_INET, &src_saddr,  src_str, INET_ADDRSTRLEN),
+	       inet_ntop(AF_INET, &dst_saddr,  dst_str, INET_ADDRSTRLEN),
+	       sport, dport);
+#endif
+
+	fc_msg.proto = proto;
+	fc_msg.src_saddr.in.s_addr = src_saddr;
+	fc_msg.dst_saddr.in.s_addr = dst_saddr;
+	fc_msg.sport = sport;
+	fc_msg.dport = dport;
+	fc_msg.smac[0] = 'a';
+	fc_msg.smac[1] = 'b';
+	fc_msg.smac[2] = 'c';
+	fc_msg.smac[3] = 'd';
+	fc_msg.smac[4] = 'e';
+	fc_msg.smac[5] = 'f';
+	fc_msg.dmac[0] = 'f';
+	fc_msg.dmac[1] = 'e';
+	fc_msg.dmac[2] = 'd';
+	fc_msg.dmac[3] = 'c';
+	fc_msg.dmac[4] = 'b';
+	fc_msg.dmac[5] = 'a';
+
+	if (fast_classifier_init() < 0) {
+		printf("Unable to init generic netlink\n");
+		exit(1);
+	}
+
+	msg = nlmsg_alloc();
+	if (!msg) {
+		nl_socket_free(sock);
+		printf("Unable to allocate message\n");
+		return;
+	}
+
+	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family,
+		    FAST_CLASSIFIER_GENL_HDRSIZE, NLM_F_REQUEST,
+		    FAST_CLASSIFIER_C_OFFLOAD, FAST_CLASSIFIER_GENL_VERSION);
+	nla_put(msg, 1, sizeof(fc_msg), &fc_msg);
+
+	ret = nl_send_auto_complete(sock, msg);
+
+	nlmsg_free(msg);
+	if (ret < 0) {
+		printf("nlmsg_free failed");
+		nl_close(sock);
+		nl_socket_free(sock);
+		return;
+	}
+
+	ret = nl_wait_for_ack(sock);
+	if (ret < 0) {
+		printf("wait for ack failed");
+		nl_close(sock);
+		nl_socket_free(sock);
+		return;
+	}
+}
+
+void fast_classifier_listen_for_messages(void)
+{
+	printf("waiting for netlink events\n");
+
+	while (1) {
+		nl_recvmsgs_default(sock_event);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	if (fast_classifier_init() < 0) {
+		printf("Unable to init generic netlink\n");
+		exit(1);
+	}
+
+	fast_classifier_ipv4_offload('a', 0, 0, 0, 0);
+
+	/* this never returns */
+	fast_classifier_listen_for_messages();
+
+	fast_classifier_close();
+
+	return 0;
+}