build: add natflow based offloading for routing/NAT

Signed-off-by: sbwml <admin@cooluc.com>

openwrt/23-config-common

@@ -21,6 +21,9 @@ CONFIG_PACKAGE_iptables-nft=y
 CONFIG_PACKAGE_xtables-nft=y
 # CONFIG_PACKAGE_iptables-legacy is not set
 
+# Natflow
+CONFIG_PACKAGE_natflow=m
+
 # SFE
 CONFIG_PACKAGE_kmod-fast-classifier=y
 CONFIG_PACKAGE_kmod-shortcut-fe-cm=y

openwrt/23-config-musl-r8500

@@ -37,6 +37,9 @@ CONFIG_PACKAGE_iptables-nft=y
 CONFIG_PACKAGE_xtables-nft=y
 # CONFIG_PACKAGE_iptables-legacy is not set
 
+# Natflow
+CONFIG_PACKAGE_natflow=m
+
 # SFE
 CONFIG_PACKAGE_kmod-fast-classifier=y
 CONFIG_PACKAGE_kmod-shortcut-fe-cm=y

openwrt/build.sh

@@ -458,6 +458,7 @@ if [ "$platform" = "x86_64" ]; then
         rm -f $kmodpkg_name/Packages*
         # driver firmware
         cp -a bin/packages/x86_64/base/*firmware*.ipk $kmodpkg_name/
+        cp -a bin/packages/x86_64/base/*natflow*.ipk $kmodpkg_name/
         bash kmod-sign $kmodpkg_name
         tar zcf x86_64-$kmodpkg_name.tar.gz $kmodpkg_name
         rm -rf $kmodpkg_name
@@ -496,6 +497,7 @@ elif [ "$platform" = "armv8" ]; then
         rm -f $kmodpkg_name/Packages*
         # driver firmware
         cp -a bin/packages/aarch64_generic/base/*firmware*.ipk $kmodpkg_name/
+        cp -a bin/packages/aarch64_generic/base/*natflow*.ipk $kmodpkg_name/
         bash kmod-sign $kmodpkg_name
         tar zcf armv8-$kmodpkg_name.tar.gz $kmodpkg_name
         rm -rf $kmodpkg_name
@@ -524,6 +526,7 @@ elif [ "$platform" = "bcm53xx" ]; then
         rm -f $kmodpkg_name/Packages*
         # driver firmware
         cp -a bin/packages/arm_cortex-a9/base/*firmware*.ipk $kmodpkg_name/
+        cp -a bin/packages/arm_cortex-a9/base/*natflow*.ipk $kmodpkg_name/
         bash kmod-sign $kmodpkg_name
         tar zcf bcm53xx-$kmodpkg_name.tar.gz $kmodpkg_name
         rm -rf $kmodpkg_name
@@ -557,6 +560,7 @@ else
         rm -f $kmodpkg_name/Packages*
         # driver firmware
         cp -a bin/packages/aarch64_generic/base/*firmware*.ipk $kmodpkg_name/
+        cp -a bin/packages/aarch64_generic/base/*natflow*.ipk $kmodpkg_name/
         bash kmod-sign $kmodpkg_name
         tar zcf aarch64-$kmodpkg_name.tar.gz $kmodpkg_name
         rm -rf $kmodpkg_name

openwrt/patch/firewall4/0005-luci-app-firewall-add-natflow-offload-support.patch

@@ -0,0 +1,55 @@
+From 518eadc602c8e61621c8c1091585a134d978d596 Mon Sep 17 00:00:00 2001
+From: sbwml <admin@cooluc.com>
+Date: Sun, 8 Sep 2024 03:40:30 +0800
+Subject: [PATCH] luci-app-firewall: add natflow offload support
+
+Signed-off-by: sbwml <admin@cooluc.com>
+---
+ .../resources/view/firewall/zones.js          | 20 +++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js b/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
+index 1bedd2c..522d001 100644
+--- a/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
++++ b/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
+@@ -122,6 +122,21 @@ return view.extend({
+ 			o.depends('shortcut_fe', '1');
+ 		}
+
++		/* Natflow offload support */
++		if (L.hasSystemFeature('natflow')) {
++			o = s.option(form.Flag, 'natflow',
++			_('Natflow offloading'),
++			_('Natflow based offloading for routing/NAT'));
++			o.optional = true;
++
++			o = s.option(form.Value, 'natflow_delay_pkts',
++			_('Natflow delay packet'),
++			_('Set up the natflow delay packet'));
++			o.datatype = 'and(uinteger,min(0))';
++			o.default = 0;
++			o.depends('natflow', '1');
++		}
++
+ 		s = m.section(form.GridSection, 'zone', _('Zones'));
+ 		s.addremove = true;
+ 		s.anonymous = true;
+@@ -418,12 +433,13 @@ return view.extend({
+ 			const checkboxes = document.querySelectorAll('.cbi-checkbox input[type="checkbox"]');
+ 			checkboxes.forEach((checkbox) => {
+ 				const widgetId = checkbox.getAttribute('data-widget-id');
+-				if ((widgetId.includes('flow_offloading') && !widgetId.includes('flow_offloading_hw')) || widgetId.includes('shortcut_fe')) {
++				if ((widgetId.includes('flow_offloading') && !widgetId.includes('flow_offloading_hw')) || widgetId.includes('shortcut_fe') || widgetId.includes('natflow')) {
+ 					checkbox.addEventListener('change', function() {
+ 						if (this.checked) {
+ 							checkboxes.forEach((cb) => {
+ 								if (cb !== this && (cb.getAttribute('data-widget-id').includes('flow_offloading') ||
+-									cb.getAttribute('data-widget-id').includes('shortcut_fe'))) {
++									cb.getAttribute('data-widget-id').includes('shortcut_fe') ||
++									cb.getAttribute('data-widget-id').includes('natflow'))) {
+ 									cb.checked = false;
+ 								}
+ 							});
+-- 
+2.42.0
+

openwrt/scripts/00-prepare_base.sh

@@ -198,12 +198,16 @@ git clone https://$gitea/sbwml/nft-fullcone package/new/nft-fullcone
 # IPv6 NAT
 git clone https://$github/sbwml/packages_new_nat6 package/new/nat6
 
-# Patch Luci add nft_fullcone/bcm_fullcone & shortcut-fe & ipv6-nat & custom nft command option
+# natflow
+git clone https://$github/sbwml/package_new_natflow package/new/natflow
+
+# Patch Luci add nft_fullcone/bcm_fullcone & shortcut-fe & natflow & ipv6-nat & custom nft command option
 pushd feeds/luci
     curl -s https://$mirror/openwrt/patch/firewall4/0001-luci-app-firewall-add-nft-fullcone-and-bcm-fullcone-.patch | patch -p1
     curl -s https://$mirror/openwrt/patch/firewall4/0002-luci-app-firewall-add-shortcut-fe-option.patch | patch -p1
     curl -s https://$mirror/openwrt/patch/firewall4/0003-luci-app-firewall-add-ipv6-nat-option.patch | patch -p1
     curl -s https://$mirror/openwrt/patch/firewall4/0004-luci-add-firewall-add-custom-nft-rule-support.patch | patch -p1
+    curl -s https://$mirror/openwrt/patch/firewall4/0005-luci-app-firewall-add-natflow-offload-support.patch | patch -p1
 popd
 
 # openssl - quictls