Revert "fixx"

This reverts commit c9a0b338aa.
2025-03-09 15:40:03 +00:00 · 2022-05-05 01:25:46 +08:00 · 2022-05-05 01:25:46 +08:00 · 6ccc0dfb7c
commit 6ccc0dfb7c
parent 12b775cd70
30 changed files with 13104 additions and 0 deletions
--- a/fast-classifier/Makefile
+++ b/fast-classifier/Makefile
@ -0,0 +1,92 @@
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=fast-classifier
+PKG_RELEASE:=1
+PKG_CONFIG_DEPENDS := CONFIG_IPV6
+
+include $(INCLUDE_DIR)/package.mk
+
+define KernelPackage/$(PKG_NAME)/Default
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
+  TITLE:=Kernel driver for FAST Classifier
+  FILES:=$(PKG_BUILD_DIR)/fast-classifier.ko
+  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y CONFIG_NF_CONNTRACK_MARK=y
+  PROVIDES:=$(PKG_NAME)
+endef
+
+define KernelPackage/$(PKG_NAME)
+  $(call KernelPackage/$(PKG_NAME)/Default)
+endef
+
+define KernelPackage/$(PKG_NAME)-noload
+  $(call KernelPackage/$(PKG_NAME)/Default)
+endef
+
+define KernelPackage/$(PKG_NAME)/Default/description
+FAST Classifier talks to SFE to make decisions about offloading connections
+endef
+
+define KernelPackage/$(PKG_NAME)/description
+$(call KernelPackage/$(PKG_NAME)/Default/description)
+endef
+
+define KernelPackage/$(PKG_NAME)-noload/description
+$(call KernelPackage/$(PKG_NAME)/Default/description)
+
+This package does not load $(PKG_NAME) at boot by default
+endef
+
+define Package/fast-classifier-example
+  TITLE:=Example user space program for fast-classifier
+  DEPENDS:=+libnl +kmod-fast-classifier
+endef
+
+define Package/fast-classifier-example/description
+Example user space program that communicates with fast
+classifier kernel module
+endef
+
+SFE_MAKE_OPTS:=SFE_SUPPORT_IPV6=$(if $(CONFIG_IPV6),y,n)
+
+define Build/Compile/kmod
+	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" $(SFE_MAKE_OPTS) \
+		$(KERNEL_MAKE_FLAGS) \
+		$(PKG_MAKE_FLAGS) \
+		M="$(PKG_BUILD_DIR)" \
+		CONFIG_FAST_CLASSIFIER=m \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
+		modules
+endef
+
+define Build/Compile/example
+	$(TARGET_CC) -o $(PKG_BUILD_DIR)/userspace_fast_classifier \
+		-I $(PKG_BUILD_DIR) \
+		-I$(STAGING_DIR)/usr/include/libnl \
+		-I$(STAGING_DIR)/usr/include/libnl3 \
+		-lnl-genl-3 -lnl-3 \
+		$(PKG_BUILD_DIR)/nl_classifier_test.c
+endef
+
+define Build/Compile
+	$(Build/Compile/kmod)
+	$(if $(CONFIG_PACKAGE_fast-classifier-example),$(Build/Compile/example))
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_BUILD_DIR)/fast-classifier.h $(1)/usr/include/
+endef
+
+
+define Package/fast-classifier-example/install
+	$(INSTALL_DIR) $(1)/sbin
+	$(CP) $(PKG_BUILD_DIR)/userspace_fast_classifier $(1)/sbin/
+endef
+
+$(eval $(call KernelPackage,$(PKG_NAME)))
+$(eval $(call KernelPackage,$(PKG_NAME)-noload))
+#$(eval $(call BuildPackage,fast-classifier-example))
--- a/fast-classifier/src/Makefile
+++ b/fast-classifier/src/Makefile
@ -0,0 +1,10 @@
+obj-$(CONFIG_FAST_CLASSIFIER) += fast-classifier.o
+
+ifeq ($(SFE_SUPPORT_IPV6),)
+SFE_SUPPORT_IPV6=y
+endif
+ccflags-$(SFE_SUPPORT_IPV6) += -DSFE_SUPPORT_IPV6
+
+ccflags-y += -I$(obj)/../shortcut-fe
+
+obj ?= .
--- a/fast-classifier/src/fast-classifier.c
+++ b/fast-classifier/src/fast-classifier.c
--- a/fast-classifier/src/fast-classifier.h
+++ b/fast-classifier/src/fast-classifier.h
@ -0,0 +1,57 @@
+/*
+ * User space header to send message to the fast classifier
+ *
+ * Copyright (c) 2013,2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <linux/if_ether.h>
+
+#define FAST_CLASSIFIER_GENL_VERSION	(1)
+#define FAST_CLASSIFIER_GENL_NAME	"FC"
+#define FAST_CLASSIFIER_GENL_MCGRP	"FC_MCGRP"
+#define FAST_CLASSIFIER_GENL_HDRSIZE	(0)
+
+enum {
+	FAST_CLASSIFIER_A_UNSPEC,
+	FAST_CLASSIFIER_A_TUPLE,
+	__FAST_CLASSIFIER_A_MAX,
+};
+
+#define FAST_CLASSIFIER_A_MAX (__FAST_CLASSIFIER_A_MAX - 1)
+
+enum {
+	FAST_CLASSIFIER_C_UNSPEC,
+	FAST_CLASSIFIER_C_OFFLOAD,
+	FAST_CLASSIFIER_C_OFFLOADED,
+	FAST_CLASSIFIER_C_DONE,
+	__FAST_CLASSIFIER_C_MAX,
+};
+
+#define FAST_CLASSIFIER_C_MAX (__FAST_CLASSIFIER_C_MAX - 1)
+
+struct fast_classifier_tuple {
+	unsigned short ethertype;
+	unsigned char proto;
+	union {
+		struct in_addr in;
+		struct in6_addr in6;
+	} src_saddr;
+	union {
+		struct in_addr in;
+		struct in6_addr in6;
+	} dst_saddr;
+	unsigned short sport;
+	unsigned short dport;
+	unsigned char smac[ETH_ALEN];
+	unsigned char dmac[ETH_ALEN];
+};
--- a/fast-classifier/src/nl_classifier_test.c
+++ b/fast-classifier/src/nl_classifier_test.c
@ -0,0 +1,281 @@
+/*
+ * Copyright (c) 2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <signal.h>
+#include <arpa/inet.h>
+
+#define NL_CLASSIFIER_GENL_VERSION	1
+#define NL_CLASSIFIER_GENL_FAMILY	"FC"
+#define NL_CLASSIFIER_GENL_GROUP	"FC_MCGRP"
+#define NL_CLASSIFIER_GENL_HDRSIZE	0
+
+enum NL_CLASSIFIER_CMD {
+	NL_CLASSIFIER_CMD_UNSPEC,
+	NL_CLASSIFIER_CMD_ACCEL,
+	NL_CLASSIFIER_CMD_ACCEL_OK,
+	NL_CLASSIFIER_CMD_CONNECTION_CLOSED,
+	NL_CLASSIFIER_CMD_MAX,
+};
+
+enum NL_CLASSIFIER_ATTR {
+	NL_CLASSIFIER_ATTR_UNSPEC,
+	NL_CLASSIFIER_ATTR_TUPLE,
+	NL_CLASSIFIER_ATTR_MAX,
+};
+
+union nl_classifier_tuple_ip {
+	struct in_addr in;
+	struct in6_addr in6;
+};
+
+struct nl_classifier_tuple {
+	unsigned short af;
+	unsigned char proto;
+	union nl_classifier_tuple_ip src_ip;
+	union nl_classifier_tuple_ip dst_ip;
+	unsigned short sport;
+	unsigned short dport;
+	unsigned char smac[6];
+	unsigned char dmac[6];
+};
+
+struct nl_classifier_instance {
+	struct nl_sock *sock;
+	int family_id;
+	int group_id;
+	int stop;
+};
+
+struct nl_classifier_instance nl_cls_inst;
+
+static struct nla_policy nl_classifier_genl_policy[(NL_CLASSIFIER_ATTR_MAX+1)] = {
+	[NL_CLASSIFIER_ATTR_TUPLE] = { .type = NLA_UNSPEC },
+};
+
+void nl_classifier_dump_nl_tuple(struct nl_classifier_tuple *tuple)
+{
+	char ip_str[64];
+
+	printf("protocol = %s\n", (tuple->proto == IPPROTO_UDP) ? "udp" : ((tuple->proto == IPPROTO_TCP) ? "tcp" : "unknown"));
+	printf("source ip = %s\n", inet_ntop(tuple->af, &tuple->src_ip, ip_str, sizeof(ip_str)));
+	printf("destination ip = %s\n", inet_ntop(tuple->af, &tuple->dst_ip, ip_str, sizeof(ip_str)));
+	printf("source port = %d\n", ntohs(tuple->sport));
+	printf("destination port = %d\n", ntohs(tuple->dport));
+}
+
+int nl_classifier_msg_recv(struct nl_msg *msg, void *arg)
+{
+	struct nlmsghdr *nlh = nlmsg_hdr(msg);
+	struct genlmsghdr *gnlh = nlmsg_data(nlh);
+	struct nlattr *attrs[(NL_CLASSIFIER_ATTR_MAX+1)];
+
+	genlmsg_parse(nlh, NL_CLASSIFIER_GENL_HDRSIZE, attrs, NL_CLASSIFIER_ATTR_MAX, nl_classifier_genl_policy);
+
+	switch (gnlh->cmd) {
+	case NL_CLASSIFIER_CMD_ACCEL_OK:
+		printf("Acceleration successful:\n");
+		nl_classifier_dump_nl_tuple(nla_data(attrs[NL_CLASSIFIER_ATTR_TUPLE]));
+		return NL_OK;
+	case NL_CLASSIFIER_CMD_CONNECTION_CLOSED:
+		printf("Connection is closed:\n");
+		nl_classifier_dump_nl_tuple(nla_data(attrs[NL_CLASSIFIER_ATTR_TUPLE]));
+		return NL_OK;
+	default:
+		printf("nl classifier received unknow message %d\n", gnlh->cmd);
+	}
+
+	return NL_SKIP;
+}
+
+void nl_classifier_offload(struct nl_classifier_instance *inst,
+			   unsigned char proto, unsigned long *src_saddr,
+			   unsigned long *dst_saddr, unsigned short sport,
+			   unsigned short dport, int af)
+{
+	struct nl_msg *msg;
+	int ret;
+	struct nl_classifier_tuple classifier_msg;
+
+	memset(&classifier_msg, 0, sizeof(classifier_msg));
+	classifier_msg.af = af;
+	classifier_msg.proto = proto;
+	memcpy(&classifier_msg.src_ip, src_saddr, (af == AF_INET ? 4 : 16));
+	memcpy(&classifier_msg.dst_ip, dst_saddr, (af == AF_INET ? 4 : 16));
+	classifier_msg.sport = sport;
+	classifier_msg.dport = dport;
+
+	msg = nlmsg_alloc();
+	if (!msg) {
+		printf("Unable to allocate message\n");
+		return;
+	}
+
+	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, inst->family_id,
+		    NL_CLASSIFIER_GENL_HDRSIZE, NLM_F_REQUEST,
+		    NL_CLASSIFIER_CMD_ACCEL, NL_CLASSIFIER_GENL_VERSION);
+	nla_put(msg, NL_CLASSIFIER_ATTR_TUPLE, sizeof(classifier_msg), &classifier_msg);
+
+	ret = nl_send_auto(inst->sock, msg);
+	if (ret < 0) {
+		printf("send netlink message failed.\n");
+		nlmsg_free(msg);
+		return;
+	}
+
+	nlmsg_free(msg);
+	printf("nl classifier offload connection successful\n");
+}
+
+int nl_classifier_init(struct nl_classifier_instance *inst)
+{
+	int ret;
+
+	inst->sock = nl_socket_alloc();
+	if (!inst->sock) {
+		printf("Unable to allocation socket.\n");
+		return -1;
+	}
+	genl_connect(inst->sock);
+
+	inst->family_id = genl_ctrl_resolve(inst->sock, NL_CLASSIFIER_GENL_FAMILY);
+	if (inst->family_id < 0) {
+		printf("Unable to resolve family %s\n", NL_CLASSIFIER_GENL_FAMILY);
+		goto init_failed;
+	}
+
+	inst->group_id = genl_ctrl_resolve_grp(inst->sock, NL_CLASSIFIER_GENL_FAMILY, NL_CLASSIFIER_GENL_GROUP);
+	if (inst->group_id < 0) {
+		printf("Unable to resolve mcast group %s\n", NL_CLASSIFIER_GENL_GROUP);
+		goto init_failed;
+	}
+
+	ret = nl_socket_add_membership(inst->sock, inst->group_id);
+	if (ret < 0) {
+		printf("Unable to add membership\n");
+		goto init_failed;
+	}
+
+	nl_socket_disable_seq_check(inst->sock);
+	nl_socket_modify_cb(inst->sock, NL_CB_VALID, NL_CB_CUSTOM, nl_classifier_msg_recv, NULL);
+
+	printf("nl classifier init successful\n");
+	return 0;
+
+init_failed:
+	if (inst->sock) {
+		nl_close(inst->sock);
+		nl_socket_free(inst->sock);
+		inst->sock = NULL;
+	}
+	return -1;
+}
+
+void nl_classifier_exit(struct nl_classifier_instance *inst)
+{
+	if (inst->sock) {
+		nl_close(inst->sock);
+		nl_socket_free(inst->sock);
+		inst->sock = NULL;
+	}
+	printf("nl classifier exit successful\n");
+}
+
+int nl_classifier_parse_arg(int argc, char *argv[], unsigned char *proto, unsigned long *src_saddr,
+			    unsigned long *dst_saddr, unsigned short *sport, unsigned short *dport, int *af)
+{
+	int ret;
+	unsigned short port;
+
+	if (argc < 7) {
+		printf("help: nl_classifier <v4|v6> <udp|tcp> <source ip> <destination ip> <source port> <destination port>\n");
+		return -1;
+	}
+
+	if (0 == strncmp(argv[1], "v4", 2)) {
+		*af = AF_INET;
+	} else if (0 == strncmp(argv[1], "v6", 2)) {
+		*af = AF_INET6;
+	} else {
+		printf("Address family is not supported");
+		return -1;
+	}
+
+	if (0 == strncmp(argv[2], "udp", 3)) {
+		*proto = IPPROTO_UDP;
+	} else if (0 == strncmp(argv[2], "tcp", 3)) {
+		*proto = IPPROTO_TCP;
+	} else {
+		printf("Protocol is not supported");
+		return -1;
+	}
+
+	ret = inet_pton(*af, argv[3], src_saddr);
+	if (ret <= 0) {
+		printf("source ip has wrong format\n");
+		return -1;
+	}
+
+	ret = inet_pton(*af, argv[4], dst_saddr);
+	if (ret <= 0) {
+		printf("destination ip has wrong format\n");
+		return -1;
+	}
+
+	port = strtol(argv[5], NULL, 0);
+	*sport = htons(port);
+	port = strtol(argv[6], NULL, 0);
+	*dport = htons(port);
+
+	printf("nl classifier parse arguments successful\n");
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	struct nl_classifier_instance *inst = &nl_cls_inst;
+	unsigned char proto;
+	unsigned long src_addr[4];
+	unsigned long dst_addr[4];
+	unsigned short sport;
+	unsigned short dport;
+	int af;
+	int ret;
+
+	ret = nl_classifier_parse_arg(argc, argv, &proto, src_addr, dst_addr, &sport, &dport, &af);
+	if (ret < 0) {
+		printf("Failed to parse arguments\n");
+		return ret;
+	}
+
+	ret = nl_classifier_init(inst);
+	if (ret < 0) {
+		printf("Unable to init generic netlink\n");
+		return ret;
+	}
+
+	nl_classifier_offload(inst, proto, src_addr, dst_addr, sport, dport, af);
+
+	/* main loop to listen on message */
+	while (!inst->stop) {
+		nl_recvmsgs_default(inst->sock);
+	}
+
+	nl_classifier_exit(inst);
+
+	return 0;
+}
--- a/fast-classifier/src/sfe.h
+++ b/fast-classifier/src/sfe.h
@ -0,0 +1,114 @@
+/*
+ * sfe.h
+ *	Shortcut forwarding engine.
+ *
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*
+ * The following are debug macros used throughout the SFE.
+ *
+ * The DEBUG_LEVEL enables the followings based on its value,
+ * when dynamic debug option is disabled.
+ *
+ * 0 = OFF
+ * 1 = ASSERTS / ERRORS
+ * 2 = 1 + WARN
+ * 3 = 2 + INFO
+ * 4 = 3 + TRACE
+ */
+#define DEBUG_LEVEL 2
+
+#if (DEBUG_LEVEL < 1)
+#define DEBUG_ASSERT(s, ...)
+#define DEBUG_ERROR(s, ...)
+#else
+#define DEBUG_ASSERT(c, s, ...) if (!(c)) { pr_emerg("ASSERT: %s:%d:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__); BUG(); }
+#define DEBUG_ERROR(s, ...) pr_err("%s:%d:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+
+#if defined(CONFIG_DYNAMIC_DEBUG)
+/*
+ * Compile messages for dynamic enable/disable
+ */
+#define DEBUG_WARN(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#define DEBUG_INFO(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#define DEBUG_TRACE(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#else
+
+/*
+ * Statically compile messages at different levels
+ */
+#if (DEBUG_LEVEL < 2)
+#define DEBUG_WARN(s, ...)
+#else
+#define DEBUG_WARN(s, ...) pr_warn("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+
+#if (DEBUG_LEVEL < 3)
+#define DEBUG_INFO(s, ...)
+#else
+#define DEBUG_INFO(s, ...) pr_notice("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+
+#if (DEBUG_LEVEL < 4)
+#define DEBUG_TRACE(s, ...)
+#else
+#define DEBUG_TRACE(s, ...) pr_info("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+#endif
+
+#ifdef CONFIG_NF_FLOW_COOKIE
+typedef int (*flow_cookie_set_func_t)(u32 protocol, __be32 src_ip, __be16 src_port,
+				      __be32 dst_ip, __be16 dst_port, u16 flow_cookie);
+/*
+ * sfe_register_flow_cookie_cb
+ *	register a function in SFE to let SFE use this function to configure flow cookie for a flow
+ *
+ * Hardware driver which support flow cookie should register a callback function in SFE. Then SFE
+ * can use this function to configure flow cookie for a flow.
+ * return: 0, success; !=0, fail
+ */
+int sfe_register_flow_cookie_cb(flow_cookie_set_func_t cb);
+
+/*
+ * sfe_unregister_flow_cookie_cb
+ *	unregister function which is used to configure flow cookie for a flow
+ *
+ * return: 0, success; !=0, fail
+ */
+int sfe_unregister_flow_cookie_cb(flow_cookie_set_func_t cb);
+
+typedef int (*sfe_ipv6_flow_cookie_set_func_t)(u32 protocol, __be32 src_ip[4], __be16 src_port,
+						__be32 dst_ip[4], __be16 dst_port, u16 flow_cookie);
+
+/*
+ * sfe_ipv6_register_flow_cookie_cb
+ *	register a function in SFE to let SFE use this function to configure flow cookie for a flow
+ *
+ * Hardware driver which support flow cookie should register a callback function in SFE. Then SFE
+ * can use this function to configure flow cookie for a flow.
+ * return: 0, success; !=0, fail
+ */
+int sfe_ipv6_register_flow_cookie_cb(sfe_ipv6_flow_cookie_set_func_t cb);
+
+/*
+ * sfe_ipv6_unregister_flow_cookie_cb
+ *	unregister function which is used to configure flow cookie for a flow
+ *
+ * return: 0, success; !=0, fail
+ */
+int sfe_ipv6_unregister_flow_cookie_cb(sfe_ipv6_flow_cookie_set_func_t cb);
+
+#endif /*CONFIG_NF_FLOW_COOKIE*/
--- a/fast-classifier/src/sfe_backport.h
+++ b/fast-classifier/src/sfe_backport.h
@ -0,0 +1,195 @@
+/*
+ * sfe_backport.h
+ *	Shortcut forwarding engine compatible header file.
+ *
+ * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <linux/version.h>
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0))
+#include <net/netfilter/nf_conntrack_timeout.h>
+#else
+enum udp_conntrack {
+	UDP_CT_UNREPLIED,
+	UDP_CT_REPLIED,
+	UDP_CT_MAX
+};
+
+static inline unsigned int *
+nf_ct_timeout_lookup(struct net *net, struct nf_conn *ct,
+		     struct nf_conntrack_l4proto *l4proto)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+	struct nf_conn_timeout *timeout_ext;
+	unsigned int *timeouts;
+
+	timeout_ext = nf_ct_timeout_find(ct);
+	if (timeout_ext)
+		timeouts = NF_CT_TIMEOUT_EXT_DATA(timeout_ext);
+	else
+		timeouts = l4proto->get_timeouts(net);
+
+	return timeouts;
+#else
+	return l4proto->get_timeouts(net);
+#endif /*CONFIG_NF_CONNTRACK_TIMEOUT*/
+}
+#endif /*KERNEL_VERSION(3, 7, 0)*/
+#endif /*KERNEL_VERSION(3, 4, 0)*/
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(void *priv, \
+			    struct sk_buff *SKB, \
+			    const struct nf_hook_state *state)
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(const struct nf_hook_ops *OPS, \
+			    struct sk_buff *SKB, \
+			    const struct net_device *UNUSED, \
+			    const struct net_device *OUT, \
+			    int (*OKFN)(struct sk_buff *))
+#else
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(unsigned int HOOKNUM, \
+			    struct sk_buff *SKB, \
+			    const struct net_device *UNUSED, \
+			    const struct net_device *OUT, \
+			    int (*OKFN)(struct sk_buff *))
+#endif
+
+#define sfe_cm_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__sfe_cm_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define sfe_cm_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__sfe_cm_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define fast_classifier_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__fast_classifier_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define fast_classifier_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__fast_classifier_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.pf = NFPROTO_IPV4,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#else
+#define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.owner = THIS_MODULE,			\
+		.pf = NFPROTO_IPV4,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.pf = NFPROTO_IPV6,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#else
+#define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.owner = THIS_MODULE,			\
+		.pf = NFPROTO_IPV6,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP6_PRI_NAT_SRC + 1,	\
+	}
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0))
+#define SFE_NF_CT_DEFAULT_ZONE (&nf_ct_zone_dflt)
+#else
+#define SFE_NF_CT_DEFAULT_ZONE NF_CT_DEFAULT_ZONE
+#endif
+
+/*
+ * sfe_dev_get_master
+ * 	get master of bridge port, and hold it
+ */
+static inline struct net_device *sfe_dev_get_master(struct net_device *dev)
+{
+	struct net_device *master;
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+	rcu_read_lock();
+	master = netdev_master_upper_dev_get_rcu(dev);
+	if (master)
+		dev_hold(master);
+
+	rcu_read_unlock();
+#else
+	master = dev->master;
+	if (master)
+		dev_hold(master);
+#endif
+	return master;
+}
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 11, 0))
+#define SFE_DEV_EVENT_PTR(PTR) netdev_notifier_info_to_dev(PTR)
+#else
+#define SFE_DEV_EVENT_PTR(PTR) (struct net_device *)(PTR)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define SFE_NF_CONN_ACCT(NM) struct nf_conn_acct *NM
+#else
+#define SFE_NF_CONN_ACCT(NM) struct nf_conn_counter *NM
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define SFE_ACCT_COUNTER(NM) ((NM)->counter)
+#else
+#define SFE_ACCT_COUNTER(NM) (NM)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+#define sfe_hash_for_each_possible(name, obj, node, member, key) \
+	hash_for_each_possible(name, obj, member, key)
+#else
+#define sfe_hash_for_each_possible(name, obj, node, member, key) \
+	hash_for_each_possible(name, obj, node, member, key)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+#define sfe_hash_for_each(name, bkt, node, obj, member) \
+	hash_for_each(name, bkt, obj, member)
+#else
+#define sfe_hash_for_each(name, bkt, node, obj, member) \
+	hash_for_each(name, bkt, node, obj, member)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
+#define sfe_dst_get_neighbour(dst, daddr) dst_neigh_lookup(dst, daddr)
+#else
+static inline struct neighbour *
+sfe_dst_get_neighbour(struct dst_entry *dst, void *daddr)
+{
+	struct neighbour *neigh = dst_get_neighbour_noref(dst);
+
+	if (neigh)
+		neigh_hold(neigh);
+
+	return neigh;
+}
+#endif
--- a/fast-classifier/src/sfe_cm.h
+++ b/fast-classifier/src/sfe_cm.h
@ -0,0 +1,259 @@
+/*
+ * sfe_cm.h
+ *	Shortcut forwarding engine.
+ *
+ * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * connection flags.
+ */
+#define SFE_CREATE_FLAG_NO_SEQ_CHECK BIT(0)
+					/* Indicates that we should not check sequence numbers */
+#define SFE_CREATE_FLAG_REMARK_PRIORITY BIT(1)
+					/* Indicates that we should remark priority of skb */
+#define SFE_CREATE_FLAG_REMARK_DSCP BIT(2)
+					/* Indicates that we should remark DSCP of packet */
+
+/*
+ * IPv6 address structure
+ */
+struct sfe_ipv6_addr {
+	__be32 addr[4];
+};
+
+typedef union {
+	__be32			ip;
+	struct sfe_ipv6_addr	ip6[1];
+} sfe_ip_addr_t;
+
+/*
+ * connection creation structure.
+ */
+struct sfe_connection_create {
+	int protocol;
+	struct net_device *src_dev;
+	struct net_device *dest_dev;
+	u32 flags;
+	u32 src_mtu;
+	u32 dest_mtu;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t src_ip_xlate;
+	sfe_ip_addr_t dest_ip;
+	sfe_ip_addr_t dest_ip_xlate;
+	__be16 src_port;
+	__be16 src_port_xlate;
+	__be16 dest_port;
+	__be16 dest_port_xlate;
+	u8 src_mac[ETH_ALEN];
+	u8 src_mac_xlate[ETH_ALEN];
+	u8 dest_mac[ETH_ALEN];
+	u8 dest_mac_xlate[ETH_ALEN];
+	u8 src_td_window_scale;
+	u32 src_td_max_window;
+	u32 src_td_end;
+	u32 src_td_max_end;
+	u8 dest_td_window_scale;
+	u32 dest_td_max_window;
+	u32 dest_td_end;
+	u32 dest_td_max_end;
+	u32 mark;
+#ifdef CONFIG_XFRM
+	u32 original_accel;
+	u32 reply_accel;
+#endif
+	u32 src_priority;
+	u32 dest_priority;
+	u32 src_dscp;
+	u32 dest_dscp;
+};
+
+/*
+ * connection destruction structure.
+ */
+struct sfe_connection_destroy {
+	int protocol;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t dest_ip;
+	__be16 src_port;
+	__be16 dest_port;
+};
+
+typedef enum sfe_sync_reason {
+	SFE_SYNC_REASON_STATS,	/* Sync is to synchronize stats */
+	SFE_SYNC_REASON_FLUSH,	/* Sync is to flush a entry */
+	SFE_SYNC_REASON_DESTROY	/* Sync is to destroy a entry(requested by connection manager) */
+} sfe_sync_reason_t;
+
+/*
+ * Structure used to sync connection stats/state back within the system.
+ *
+ * NOTE: The addresses here are NON-NAT addresses, i.e. the true endpoint addressing.
+ * 'src' is the creator of the connection.
+ */
+struct sfe_connection_sync {
+	struct net_device *src_dev;
+	struct net_device *dest_dev;
+	int is_v6;			/* Is it for ipv6? */
+	int protocol;			/* IP protocol number (IPPROTO_...) */
+	sfe_ip_addr_t src_ip;		/* Non-NAT source address, i.e. the creator of the connection */
+	sfe_ip_addr_t src_ip_xlate;	/* NATed source address */
+	__be16 src_port;		/* Non-NAT source port */
+	__be16 src_port_xlate;		/* NATed source port */
+	sfe_ip_addr_t dest_ip;		/* Non-NAT destination address, i.e. to whom the connection was created */
+	sfe_ip_addr_t dest_ip_xlate;	/* NATed destination address */
+	__be16 dest_port;		/* Non-NAT destination port */
+	__be16 dest_port_xlate;		/* NATed destination port */
+	u32 src_td_max_window;
+	u32 src_td_end;
+	u32 src_td_max_end;
+	u64 src_packet_count;
+	u64 src_byte_count;
+	u32 src_new_packet_count;
+	u32 src_new_byte_count;
+	u32 dest_td_max_window;
+	u32 dest_td_end;
+	u32 dest_td_max_end;
+	u64 dest_packet_count;
+	u64 dest_byte_count;
+	u32 dest_new_packet_count;
+	u32 dest_new_byte_count;
+	u32 reason;		/* reason for stats sync message, i.e. destroy, flush, period sync */
+	u64 delta_jiffies;		/* Time to be added to the current timeout to keep the connection alive */
+};
+
+/*
+ * connection mark structure
+ */
+struct sfe_connection_mark {
+	int protocol;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t dest_ip;
+	__be16 src_port;
+	__be16 dest_port;
+	u32 mark;
+};
+
+/*
+ * Expose the hook for the receive processing.
+ */
+extern int (*athrs_fast_nat_recv)(struct sk_buff *skb);
+
+/*
+ * Expose what should be a static flag in the TCP connection tracker.
+ */
+extern int nf_ct_tcp_no_window_check;
+
+/*
+ * This callback will be called in a timer
+ * at 100 times per second to sync stats back to
+ * Linux connection track.
+ *
+ * A RCU lock is taken to prevent this callback
+ * from unregistering.
+ */
+typedef void (*sfe_sync_rule_callback_t)(struct sfe_connection_sync *);
+
+/*
+ * IPv4 APIs used by connection manager
+ */
+int sfe_ipv4_recv(struct net_device *dev, struct sk_buff *skb);
+int sfe_ipv4_create_rule(struct sfe_connection_create *sic);
+void sfe_ipv4_destroy_rule(struct sfe_connection_destroy *sid);
+void sfe_ipv4_destroy_all_rules_for_dev(struct net_device *dev);
+void sfe_ipv4_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
+void sfe_ipv4_update_rule(struct sfe_connection_create *sic);
+void sfe_ipv4_mark_rule(struct sfe_connection_mark *mark);
+
+#ifdef SFE_SUPPORT_IPV6
+/*
+ * IPv6 APIs used by connection manager
+ */
+int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb);
+int sfe_ipv6_create_rule(struct sfe_connection_create *sic);
+void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid);
+void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev);
+void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
+void sfe_ipv6_update_rule(struct sfe_connection_create *sic);
+void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark);
+#else
+static inline int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb)
+{
+	return 0;
+}
+
+static inline int sfe_ipv6_create_rule(struct sfe_connection_create *sic)
+{
+	return 0;
+}
+
+static inline void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid)
+{
+	return;
+}
+
+static inline void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev)
+{
+	return;
+}
+
+static inline void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback)
+{
+	return;
+}
+
+static inline void sfe_ipv6_update_rule(struct sfe_connection_create *sic)
+{
+	return;
+}
+
+static inline void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark)
+{
+	return;
+}
+#endif
+
+/*
+ * sfe_ipv6_addr_equal()
+ *	compare ipv6 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+static inline int sfe_ipv6_addr_equal(struct sfe_ipv6_addr *a,
+				      struct sfe_ipv6_addr *b)
+{
+	return a->addr[0] == b->addr[0] &&
+	       a->addr[1] == b->addr[1] &&
+	       a->addr[2] == b->addr[2] &&
+	       a->addr[3] == b->addr[3];
+}
+
+/*
+ * sfe_ipv4_addr_equal()
+ *	compare ipv4 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+#define sfe_ipv4_addr_equal(a, b) ((u32)(a) == (u32)(b))
+
+/*
+ * sfe_addr_equal()
+ *	compare ipv4 or ipv6 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+static inline int sfe_addr_equal(sfe_ip_addr_t *a,
+				 sfe_ip_addr_t *b, int is_v4)
+{
+	return is_v4 ? sfe_ipv4_addr_equal(a->ip, b->ip) : sfe_ipv6_addr_equal(a->ip6, b->ip6);
+}
--- a/fast-classifier/src/userspace_example.c
+++ b/fast-classifier/src/userspace_example.c
@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 2013,2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <arpa/inet.h>
+
+#include <fast-classifier.h>
+
+static struct nl_sock *sock;
+static struct nl_sock *sock_event;
+static int family;
+static int grp_id;
+
+static struct nla_policy fast_classifier_genl_policy[FAST_CLASSIFIER_A_MAX + 1] = {
+	[FAST_CLASSIFIER_A_TUPLE] = { .type = NLA_UNSPEC },
+};
+
+void dump_fc_tuple(struct fast_classifier_tuple *fc_msg)
+{
+	char src_str[INET_ADDRSTRLEN];
+	char dst_str[INET_ADDRSTRLEN];
+
+	printf("TUPLE: %d, %s, %s, %d, %d"
+			" SMAC=%02x:%02x:%02x:%02x:%02x:%02x",
+			" DMAC=%02x:%02x:%02x:%02x:%02x:%02x\n",
+				fc_msg->proto,
+				inet_ntop(AF_INET,
+					  &fc_msg->src_saddr.in.s_addr,
+					  src_str,
+					  INET_ADDRSTRLEN),
+				inet_ntop(AF_INET,
+					  &fc_msg->dst_saddr.in.s_addr,
+					  dst_str,
+					  INET_ADDRSTRLEN),
+				fc_msg->sport, fc_msg->dport,
+				fc_msg->smac[0], fc_msg->smac[1], fc_msg->smac[2],
+				fc_msg->smac[3], fc_msg->smac[4], fc_msg->smac[5],
+				fc_msg->dmac[0], fc_msg->dmac[1], fc_msg->dmac[2],
+				fc_msg->dmac[3], fc_msg->dmac[4], fc_msg->dmac[5]);
+}
+
+static int parse_cb(struct nl_msg *msg, void *arg)
+{
+	struct nlmsghdr *nlh = nlmsg_hdr(msg);
+	struct genlmsghdr *gnlh = nlmsg_data(nlh);
+	struct nlattr *attrs[FAST_CLASSIFIER_A_MAX];
+
+	genlmsg_parse(nlh, 0, attrs, FAST_CLASSIFIER_A_MAX, fast_classifier_genl_policy);
+
+	switch (gnlh->cmd) {
+	case FAST_CLASSIFIER_C_OFFLOADED:
+		printf("Got a offloaded message\n");
+		dump_fc_tuple(nla_data(attrs[FAST_CLASSIFIER_A_TUPLE]));
+		return NL_OK;
+	case FAST_CLASSIFIER_C_DONE:
+		printf("Got a done message\n");
+		dump_fc_tuple(nla_data(attrs[FAST_CLASSIFIER_A_TUPLE]));
+		return NL_OK;
+	}
+
+	return NL_SKIP;
+}
+
+int fast_classifier_init(void)
+{
+	int err;
+
+	sock = nl_socket_alloc();
+	if (!sock) {
+		printf("Unable to allocation socket.\n");
+		return -1;
+	}
+	genl_connect(sock);
+
+	sock_event = nl_socket_alloc();
+	if (!sock_event) {
+		nl_close(sock);
+		nl_socket_free(sock);
+		printf("Unable to allocation socket.\n");
+		return -1;
+	}
+	genl_connect(sock_event);
+
+	family = genl_ctrl_resolve(sock, FAST_CLASSIFIER_GENL_NAME);
+	if (family < 0) {
+		nl_close(sock_event);
+		nl_close(sock);
+		nl_socket_free(sock);
+		nl_socket_free(sock_event);
+		printf("Unable to resolve family\n");
+		return -1;
+	}
+
+	grp_id = genl_ctrl_resolve_grp(sock, FAST_CLASSIFIER_GENL_NAME,
+				       FAST_CLASSIFIER_GENL_MCGRP);
+	if (grp_id < 0) {
+		printf("Unable to resolve mcast group\n");
+		return -1;
+	}
+
+	err = nl_socket_add_membership(sock_event, grp_id);
+	if (err < 0) {
+		printf("Unable to add membership\n");
+		return -1;
+	}
+
+	nl_socket_disable_seq_check(sock_event);
+	nl_socket_modify_cb(sock_event, NL_CB_VALID, NL_CB_CUSTOM, parse_cb, NULL);
+
+	return 0;
+}
+
+void fast_classifier_close(void)
+{
+	nl_close(sock_event);
+	nl_close(sock);
+	nl_socket_free(sock_event);
+	nl_socket_free(sock);
+}
+
+void fast_classifier_ipv4_offload(unsigned char proto, unsigned long src_saddr,
+				  unsigned long dst_saddr, unsigned short sport,
+				  unsigned short dport)
+{
+	struct nl_msg *msg;
+	int ret;
+#ifdef DEBUG
+	char src_str[INET_ADDRSTRLEN];
+	char dst_str[INET_ADDRSTRLEN];
+#endif
+	struct fast_classifier_tuple fc_msg;
+
+#ifdef DEBUG
+	printf("DEBUG: would offload: %d, %s, %s, %d, %d\n", proto,
+	       inet_ntop(AF_INET, &src_saddr,  src_str, INET_ADDRSTRLEN),
+	       inet_ntop(AF_INET, &dst_saddr,  dst_str, INET_ADDRSTRLEN),
+	       sport, dport);
+#endif
+
+	fc_msg.proto = proto;
+	fc_msg.src_saddr.in.s_addr = src_saddr;
+	fc_msg.dst_saddr.in.s_addr = dst_saddr;
+	fc_msg.sport = sport;
+	fc_msg.dport = dport;
+	fc_msg.smac[0] = 'a';
+	fc_msg.smac[1] = 'b';
+	fc_msg.smac[2] = 'c';
+	fc_msg.smac[3] = 'd';
+	fc_msg.smac[4] = 'e';
+	fc_msg.smac[5] = 'f';
+	fc_msg.dmac[0] = 'f';
+	fc_msg.dmac[1] = 'e';
+	fc_msg.dmac[2] = 'd';
+	fc_msg.dmac[3] = 'c';
+	fc_msg.dmac[4] = 'b';
+	fc_msg.dmac[5] = 'a';
+
+	if (fast_classifier_init() < 0) {
+		printf("Unable to init generic netlink\n");
+		exit(1);
+	}
+
+	msg = nlmsg_alloc();
+	if (!msg) {
+		nl_socket_free(sock);
+		printf("Unable to allocate message\n");
+		return;
+	}
+
+	genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family,
+		    FAST_CLASSIFIER_GENL_HDRSIZE, NLM_F_REQUEST,
+		    FAST_CLASSIFIER_C_OFFLOAD, FAST_CLASSIFIER_GENL_VERSION);
+	nla_put(msg, 1, sizeof(fc_msg), &fc_msg);
+
+	ret = nl_send_auto_complete(sock, msg);
+
+	nlmsg_free(msg);
+	if (ret < 0) {
+		printf("nlmsg_free failed");
+		nl_close(sock);
+		nl_socket_free(sock);
+		return;
+	}
+
+	ret = nl_wait_for_ack(sock);
+	if (ret < 0) {
+		printf("wait for ack failed");
+		nl_close(sock);
+		nl_socket_free(sock);
+		return;
+	}
+}
+
+void fast_classifier_listen_for_messages(void)
+{
+	printf("waiting for netlink events\n");
+
+	while (1) {
+		nl_recvmsgs_default(sock_event);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	if (fast_classifier_init() < 0) {
+		printf("Unable to init generic netlink\n");
+		exit(1);
+	}
+
+	fast_classifier_ipv4_offload('a', 0, 0, 0, 0);
+
+	/* this never returns */
+	fast_classifier_listen_for_messages();
+
+	fast_classifier_close();
+
+	return 0;
+}
--- a/luci-app-packet-capture/Makefile
+++ b/luci-app-packet-capture/Makefile
@ -0,0 +1,14 @@
+# Copyright 2020 Wojciech Jowsa (wojciech.jowsa@gmail.com)
+# This is free software, licensed under the Apache License, Version 2.0
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=Packet capture application
+LUCI_DEPENDS:=+luci-mod-admin-full +tcpdump +uhttpd-mod-ubus +coreutils +coreutils-timeout
+
+PKG_MAINTAINER:=Wojciech Jowsa <wojciech.jowsa@gmail.com>
+PKG_LICENSE:=Apache-2.0
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signatureet
--- a/luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js
+++ b/luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js
@ -0,0 +1,287 @@
+'use strict';
+'require rpc';
+'require uci';
+'require ui';
+'require fs';
+'require form';
+'require network';
+'require tools.widgets as widgets';
+
+var eventSource,
+	captureFilePoll,
+	hostName;
+
+function stopTcpdump() {
+	fs.exec("/usr/libexec/packet_capture_stop").then(function(replay) {
+		if (eventSource)
+			eventSource.close();
+	}.bind(this)).catch(function(error) {
+		console.log(error);
+	});
+}
+
+window.addEventListener('beforeunload', stopTcpdump);
+
+var callLuciProcessList = rpc.declare({
+	object: 'luci',
+	method: 'getProcessList',
+	expect: { result: [] }
+});
+
+var callInitAction = rpc.declare({
+	object: 'luci',
+	method: 'setInitAction',
+	params: [ 'name', 'action' ],
+	expect: { result: false }
+});
+
+function addOutput() {
+	var tcpdumpOut = document.querySelectorAll('[id$="tcpdump_out"]')[0];
+	if (tcpdumpOut)
+		return;
+
+	var frameEl = E('div', {'class': 'cbi-value'});
+
+	frameEl.appendChild(E('textarea', {
+			'id': 'tcpdump_out',
+			'class': 'cbi-input-textarea',
+			'readonly': '',
+			'style': 'width:100%',
+			'rows': 30,
+	}));
+
+	frameEl.firstElementChild.style.fontFamily = 'monospace';
+
+	var downloadBtn = document.querySelectorAll('[id$="download_file"]')[0];
+	if (downloadBtn)
+		downloadBtn.parentNode.insertBefore(frameEl, downloadBtn.nextSibling);
+}
+
+var downloadCaptureFile = function(ev) {
+	var form = E('form', {
+		method: 'post',
+		action: '/cgi-bin/cgi-download',
+		enctype: 'application/x-www-form-urlencoded'
+	}, E('input', { type: 'hidden', name: 'sessionid', value: rpc.getSessionID()},
+	   E('input', { type: 'hidden', name: 'path', value: "/tmp/capture.pcap"},
+	   E('input', { type: 'hidden', name: 'filename', value: hostName + "-" + Date.now() + ".pcap"},
+	   E('input', { type: 'hidden', name: 'mimetype', value: 'application/vnd.tcpdump.pcap'}
+	)))));
+
+	ev.currentTarget.parentNode.appendChild(form);
+	form.submit();
+	form.parentNode.removeChild(form);
+}
+
+function subscribeTcpdump() {
+	if (eventSource)
+		eventSource.close();
+
+	eventSource = new EventSource('/ubus/subscribe/tcpdump' + '?' + rpc.getSessionID());
+	eventSource.onerror = function(event) {
+		eventSource.close();
+		console.log(event);
+	};
+
+	addOutput();
+	var textOut = document.querySelectorAll('[id$="tcpdump_out"]')[0];
+	textOut.value = "";
+	eventSource.addEventListener("tcpdump.data", function(event) {
+		textOut.value = textOut.value + "\n" + JSON.parse(event.data).data;
+	});
+}
+
+function updateButtons() {
+	var tasks = [];
+	tasks.push(fs.stat("/var/run/packet_capture.pid").then(L.bind(function(res) {
+		var downloadBtn = document.querySelectorAll('[id$="download_file"]')[0];
+		if (!downloadBtn)
+			return;
+		if (!eventSource || eventSource.readyState == 2)
+			subscribeTcpdump();
+		var textOut = document.querySelectorAll('[id$="tcpdump_out"]')[0];
+		if (textOut)
+			textOut.style.borderColor = "green";
+		var startBtn = document.querySelectorAll('[id$="start_tcpdump"]')[0];
+		if (startBtn)
+			startBtn.hidden = true;
+		var stopBtn = document.querySelectorAll('[id$="stop_tcpdump"]')[0];
+		if (stopBtn)
+			stopBtn.hidden = false;
+		return;
+	})).catch(function(error) {
+		var textOut = document.querySelectorAll('[id$="tcpdump_out"]')[0];
+		if (textOut)
+			textOut.style.borderColor = "red";
+		var startBtn = document.querySelectorAll('[id$="start_tcpdump"]')[0];
+		if (startBtn)
+			startBtn.hidden = false;
+		var stopBtn = document.querySelectorAll('[id$="stop_tcpdump"]')[0];
+		if (stopBtn)
+			stopBtn.hidden = true;
+		if (eventSource)
+			eventSource.close();
+	}));
+
+	return  Promise.all(tasks);
+}
+
+function updatePollCheckCaptureFileExists() {
+	checkCaptureFileExists();
+	L.Poll.remove(captureFilePoll);
+	L.Poll.add(L.bind(checkCaptureFileExists, m),5);
+}
+
+function checkCaptureFileExists() {
+	var tasks = [];
+	tasks.push(fs.stat("/tmp/capture.pcap").then(L.bind(function(res) {
+		var downloadBtn = document.querySelector('[data-action="download"]');
+		if (!downloadBtn)
+			return;
+		var downloadCheckBox = document.querySelectorAll('[data-widget-id$="file"]')[0].checked;
+		if (!downloadCheckBox) {
+			fs.remove("/tmp/capture.pcap").then(function(replay) {
+				downloadBtn.disabled = true;;
+			}.bind(this)).catch(function(error) {
+				console.log(error);
+			});
+		} else {
+			downloadBtn.disabled = false;
+		}
+	})).catch(function(error) {
+		var downloadBtn = document.querySelector('[data-action="download"]');
+		if (downloadBtn)
+			downloadBtn.disabled = true;
+	}));
+
+	return  Promise.all(tasks);
+}
+
+return L.view.extend({
+
+	load: function() {
+		return Promise.all([
+		uci.load('system')
+		]);
+	},
+
+	handleDownload: function(ev) {
+		downloadCaptureFile(ev);
+	},
+
+	render: function(processes) {
+		var m, s, o;
+
+		hostName = uci.get('system', '@system[0]', 'hostname');
+
+		m = new form.Map('packet_capture', _('Packet Capture - Tcpdump'), _('Capture packets with tcpdump.'));
+		s = m.section(form.TypedSection, 'tcpdump');
+		s.anonymous = 1;
+
+		o = s.option(widgets.DeviceSelect, 'interface', _('Interface'), _(''));
+		o.noaliases = true;
+		o.modalonly = true;
+		o.rmempty = false;
+		o.filter = function(section_id, value) {
+			return true;
+		}
+
+		o = s.option(form.Value, 'filter', _('Filter'), _('Tcpdump filter like protocol, port etc.'));
+		o.modalonly = false;
+		o.datatype = 'and(minlength(1),maxlength(1024))';
+
+		o = s.option(form.Value, 'duration', _('Duration'), _('Duration of packet capturing in seconds.'));
+		o.modalonly = false;
+		o.datatype = 'range(1,4294967296)';
+
+		o = s.option(form.Value, 'packets', _('Packets'), _('Number of packets to be captured.'));
+		o.modalonly = false;
+		o.datatype = 'range(1,4294967296)';
+
+		o = s.option(form.Flag, 'domains', _('Resolve domains'), _("Convert host addresses to names."));
+
+		o = s.option(form.Flag, 'verbose', _('Verbose output'), _("Print the link-level header on each dump line."));
+
+		o = s.option(form.Flag, 'file', _('Save to file'), _("Save capture to pcap file."));
+
+		o = s.option(form.Button, 'start_tcpdump', _('Start tcpdump'), _(''));
+		o.inputstyle = 'apply';
+		o.onclick = ui.createHandlerFn(this, function(section_id, ev) {
+			var downloadBtn = document.querySelector('[data-action="download"]');
+			if (!downloadBtn)
+				return;
+			fs.remove("/tmp/capture.pcap").then(function(replay) {
+				downloadBtn.disabled = true;;
+			}.bind(this)).catch(function(error) {
+				console.log(error);
+			});
+
+			var iface = document.querySelectorAll('[id$="interface"]')[1].value,
+			    filter = document.querySelectorAll('[id$="filter"]')[2].value,
+				packets = document.querySelectorAll('[id$="packets"]')[2].value,
+				duration = document.querySelectorAll('[id$="duration"]')[2].value,
+				verbose = document.querySelectorAll('[data-widget-id$="verbose"]')[0].checked,
+				domains = document.querySelectorAll('[data-widget-id$="domains"]')[0].checked,
+				file = document.querySelectorAll('[data-widget-id$="file"]')[0].checked
+
+			var args = {
+				"interface": iface,
+				"filter": filter,
+				"packets": packets,
+				"duration": duration,
+				"verbose": verbose,
+				"domains": domains,
+				"file": file
+			}
+
+			return fs.exec_direct('/usr/libexec/packet_capture_start', [JSON.stringify(args)]).then(function(replay) {
+				var error_position = replay.search("error:");
+				if (error_position != -1){
+					ui.showModal(_(replay.substring(error_position + 6, replay.length)), [
+						E('div', { 'class': 'right' }, [
+							E('button', {
+								'class': 'cbi-button cbi-button-negative important',
+								'click': function(ev) {
+									ui.hideModal();
+								}
+							}, _('Close')),
+						])
+					]);
+					return;
+				}
+				rpc.list.apply(rpc).then(function(res) {
+					for (var k in res) {
+						if (res[k] == "tcpdump" )
+							subscribeTcpdump()
+					}
+				}.bind(this));
+			}.bind(this)).catch(function(error) {
+				console.log(error);
+			});
+		});
+
+		o = s.option(form.Button, 'stop_tcpdump', _('Stop tcpdump'), _(''));
+		o.inputstyle = 'apply';
+		o.onclick =  ui.createHandlerFn(this, function(section_id, ev) {
+			if (!eventSource)
+				return;
+			return fs.exec("/usr/libexec/packet_capture_stop").then(function(replay) {
+				eventSource.close();
+			}.bind(this)).catch(function(error) {
+				console.log(error);
+			});
+		});
+
+		o = s.option(form.Button, 'download_file', _('Download capture file'));
+		o.inputstyle = 'action important';
+		o.inputtitle = _('Download');
+		o.data_action = 'download'
+		o.onclick = this.handleDownload;
+
+		L.Poll.add(L.bind(updateButtons, m),1);
+		captureFilePoll = L.bind(updatePollCheckCaptureFileExists, m);
+		L.Poll.add(captureFilePoll,1);
+
+		return m.render();
+	},
+});
--- a/luci-app-packet-capture/po/fr/packet-capture.po
+++ b/luci-app-packet-capture/po/fr/packet-capture.po
@ -0,0 +1,99 @@
+msgid ""
+msgstr ""
+"PO-Revision-Date: 2021-03-31 15:07+0000\n"
+"Last-Translator: Weblate Admin <contact@openmptcprouter.com>\n"
+"Language-Team: French <http://weblate.openmptcprouter.com/projects/omr/"
+"luciapplicationspacket-capture/fr/>\n"
+"Language: fr\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=n > 1;\n"
+"X-Generator: Weblate 4.5.2\n"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:177
+msgid "Capture packets with tcpdump."
+msgstr "Capturez des paquets avec tcpdump."
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:247
+msgid "Close"
+msgstr "Fermer"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:201
+msgid "Convert host addresses to names."
+msgstr "Convertissez les adresses d'hôte en noms."
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:277
+msgid "Download"
+msgstr "Téléchargement"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:275
+msgid "Download capture file"
+msgstr "Télécharger le fichier de capture"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:193
+msgid "Duration"
+msgstr "Durée"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:193
+msgid "Duration of packet capturing in seconds."
+msgstr "Durée de la capture des paquets en secondes."
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:189
+msgid "Filter"
+msgstr "Filtre"
+
+#: luci-app-packet-capture/root/usr/share/rpcd/acl.d/luci-app-packet-capture.json:3
+msgid "Grant access to tcpdump ubus object"
+msgstr "Accorder l'accès à l'objet ubus tcpdump"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:181
+msgid "Interface"
+msgstr "Interface"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:197
+msgid "Number of packets to be captured."
+msgstr "Nombre de paquets à capturer."
+
+#: luci-app-packet-capture/root/usr/share/luci/menu.d/luci-app-packet-capture.json:3
+msgid "Packet Capture"
+msgstr "Capture de paquets"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:177
+msgid "Packet Capture - Tcpdump"
+msgstr "Capture de paquets - Tcpdump"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:197
+msgid "Packets"
+msgstr "Paquets"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:203
+msgid "Print the link-level header on each dump line."
+msgstr "Imprimez l'en-tête du lien sur chaque ligne de capture."
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:201
+msgid "Resolve domains"
+msgstr "Résoudre les domaines"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:205
+msgid "Save capture to pcap file."
+msgstr "Enregistrez la capture dans le fichier pcap."
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:205
+msgid "Save to file"
+msgstr "Enregistrer dans un fichier"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:207
+msgid "Start tcpdump"
+msgstr "Démarrez tcpdump"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:263
+msgid "Stop tcpdump"
+msgstr "Arrêter tcpdump"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:189
+msgid "Tcpdump filter like protocol, port etc."
+msgstr "Filtre pour tcpdump comme le protocole, le port, etc."
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:203
+msgid "Verbose output"
+msgstr "Sortie verbeuse"
--- a/luci-app-packet-capture/po/templates/packet-capture.pot
+++ b/luci-app-packet-capture/po/templates/packet-capture.pot
@ -0,0 +1,90 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:177
+msgid "Capture packets with tcpdump."
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:247
+msgid "Close"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:201
+msgid "Convert host addresses to names."
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:277
+msgid "Download"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:275
+msgid "Download capture file"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:193
+msgid "Duration"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:193
+msgid "Duration of packet capturing in seconds."
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:189
+msgid "Filter"
+msgstr ""
+
+#: luci-app-packet-capture/root/usr/share/rpcd/acl.d/luci-app-packet-capture.json:3
+msgid "Grant access to tcpdump ubus object"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:181
+msgid "Interface"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:197
+msgid "Number of packets to be captured."
+msgstr ""
+
+#: luci-app-packet-capture/root/usr/share/luci/menu.d/luci-app-packet-capture.json:3
+msgid "Packet Capture"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:177
+msgid "Packet Capture - Tcpdump"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:197
+msgid "Packets"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:203
+msgid "Print the link-level header on each dump line."
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:201
+msgid "Resolve domains"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:205
+msgid "Save capture to pcap file."
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:205
+msgid "Save to file"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:207
+msgid "Start tcpdump"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:263
+msgid "Stop tcpdump"
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:189
+msgid "Tcpdump filter like protocol, port etc."
+msgstr ""
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:203
+msgid "Verbose output"
+msgstr ""
--- a/luci-app-packet-capture/po/zh_Hans/packet-capture.po
+++ b/luci-app-packet-capture/po/zh_Hans/packet-capture.po
@ -0,0 +1,99 @@
+msgid ""
+msgstr ""
+"PO-Revision-Date: 2021-04-30 16:03+0000\n"
+"Last-Translator: niergouge <1150108426@qq.com>\n"
+"Language-Team: Chinese (Simplified) <http://weblate.openmptcprouter.com/"
+"projects/omr/luciapplicationspacket-capture/zh_Hans/>\n"
+"Language: zh_Hans\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Weblate 4.5.2\n"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:177
+msgid "Capture packets with tcpdump."
+msgstr "使用tcpdump捕获数据包。"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:247
+msgid "Close"
+msgstr "关闭"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:201
+msgid "Convert host addresses to names."
+msgstr "将主机地址转换为名称。"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:277
+msgid "Download"
+msgstr "下载"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:275
+msgid "Download capture file"
+msgstr "下载抓包文件"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:193
+msgid "Duration"
+msgstr "持续时间"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:193
+msgid "Duration of packet capturing in seconds."
+msgstr "抓包时间(以秒为单位)。"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:189
+msgid "Filter"
+msgstr "过滤器"
+
+#: luci-app-packet-capture/root/usr/share/rpcd/acl.d/luci-app-packet-capture.json:3
+msgid "Grant access to tcpdump ubus object"
+msgstr "授权访问tcpdump ubus对象"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:181
+msgid "Interface"
+msgstr "接口"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:197
+msgid "Number of packets to be captured."
+msgstr "需要抓包的个数。"
+
+#: luci-app-packet-capture/root/usr/share/luci/menu.d/luci-app-packet-capture.json:3
+msgid "Packet Capture"
+msgstr "数据包捕获"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:177
+msgid "Packet Capture - Tcpdump"
+msgstr "Tcpdump抓包"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:197
+msgid "Packets"
+msgstr "包"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:203
+msgid "Print the link-level header on each dump line."
+msgstr "打印每个转储行上的链接标题。"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:201
+msgid "Resolve domains"
+msgstr "解决域"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:205
+msgid "Save capture to pcap file."
+msgstr "保存捕获到pcap文件。"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:205
+msgid "Save to file"
+msgstr "保存到文件"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:207
+msgid "Start tcpdump"
+msgstr "开始tcp转存"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:263
+msgid "Stop tcpdump"
+msgstr "停止tcp转存"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:189
+msgid "Tcpdump filter like protocol, port etc."
+msgstr "Tcp转存过滤协议，端口等。"
+
+#: luci-app-packet-capture/htdocs/luci-static/resources/view/packet_capture/tcpdump.js:203
+msgid "Verbose output"
+msgstr "详细输出"
--- a/luci-app-packet-capture/root/etc/config/packet_capture
+++ b/luci-app-packet-capture/root/etc/config/packet_capture
@ -0,0 +1 @@
+config tcpdump
--- a/luci-app-packet-capture/root/usr/libexec/packet_capture
+++ b/luci-app-packet-capture/root/usr/libexec/packet_capture
@ -0,0 +1,64 @@
+#!/usr/bin/env lua
+
+local ubus = require "ubus"
+local fs = require "nixio.fs"
+
+local conn = ubus.connect()
+if not conn then
+	error("Failed to connect to ubus")
+	return
+end
+
+local args = "-n"
+local duration = ""
+
+if arg[1] ~= nil then
+	args = arg[1]
+	if arg[2] ~= "" then
+		duration = arg[2]
+	end
+end
+
+local filter = fs.stat("/tmp/tcpdump_filter")
+if filter then
+	args = args .. " -F /tmp/tcpdump_filter"
+end
+
+local ubus_objects = {
+	tcpdump = {
+	}
+}
+
+conn:add( ubus_objects )
+
+os.execute("sleep 1")
+
+local command = "tcpdump -l " .. args .. " 2>&1"
+
+if duration ~= "" then
+	command = "timeout " .. duration .. " " .. command
+end
+
+local pipe = io.popen(command)
+
+for line in pipe:lines() do
+		local params = {
+				data = line
+		}
+		conn:notify(ubus_objects.tcpdump.__ubusobj, "tcpdump.data", params)
+end
+
+local pcap = fs.stat("/tmp/capture.pcap0")
+if pcap then
+	fs.move("/tmp/capture.pcap0","/tmp/capture.pcap")
+	fs.remove("/tmp/capture.pcap1")
+end
+
+if filter then
+	fs.remove("/tmp/tcpdump_filter")
+end
+
+conn:close()
+pipe:close()
+
+fs.remove("/var/run/packet_capture.pid")
--- a/luci-app-packet-capture/root/usr/libexec/packet_capture_start
+++ b/luci-app-packet-capture/root/usr/libexec/packet_capture_start
@ -0,0 +1,69 @@
+#!/bin/sh
+
+. /usr/share/libubox/jshn.sh
+
+PIDFILE="/var/run/packet_capture.pid"
+
+if [ -f "$PIDFILE"];then
+    echo "error: Packet capture is running"
+    exit 1
+fi
+
+json_load "$1"
+json_get_var interface interface
+json_get_var filter filter
+json_get_var duration duration
+json_get_var packets packets
+json_get_var verbose verbose
+json_get_var domains domains
+json_get_var file file
+
+args="-n"
+
+if [ "$domains" == "1" ];then
+	args=""
+fi
+
+if  [ -n "$interface" ];then
+	ip a show "$interface" > /dev/null 2>&1
+	if [ "$?" == "1" ]; then
+        echo "error: Incorrect format of an interface"
+        exit 1
+    fi
+
+	args="$args -i $interface"
+fi
+
+if [ -n "$packets" ];then
+    echo "$packets" | egrep  '^[0-9]*$'
+    if [ "$?" -eq 0 ];then
+        args="$args -c $packets"
+    else
+        echo "error: Incorrect packets argument"
+        exit 1
+    fi
+fi
+
+if [ "$verbose" == "1"  ];then
+	args="$args  -e"
+fi
+
+if [ "$file" == "1" ];then
+	mem=$(awk '/MemTotal/ {print $2}' /proc/meminfo)
+	args="$args -W 2 -C $((mem/(1024 * 10))) -w /tmp/capture.pcap -z /usr/libexec/packet_capture_stop"
+fi
+
+if [ -n "$filter" ];then
+    tcpdump -i lo -d "$filter" >/dev/null 2>/dev/null
+	if [ $? -eq 1 ];then
+		echo "error: Incorrect filter argument"
+		exit 1
+	fi
+	echo "$filter" > /tmp/tcpdump_filter
+fi
+
+(/usr/libexec/packet_capture "$args" "$duration")&
+
+echo $! > /var/run/packet_capture.pid
+
+exit 0
--- a/luci-app-packet-capture/root/usr/libexec/packet_capture_stop
+++ b/luci-app-packet-capture/root/usr/libexec/packet_capture_stop
@ -0,0 +1,9 @@
+#!/bin/sh
+
+pid=$(cat /var/run/packet_capture.pid)
+if [ -n "$pid" ] && grep -sq packet_capture "/proc/$pid/cmdline"; then
+    ppid=$(pgrep -P $pid)
+    kill -TERM $ppid
+fi
+
+exit 0
--- a/luci-app-packet-capture/root/usr/share/luci/menu.d/luci-app-packet-capture.json
+++ b/luci-app-packet-capture/root/usr/share/luci/menu.d/luci-app-packet-capture.json
@ -0,0 +1,18 @@
+{
+	"admin/services/packet_capture": {
+		"title": "Packet Capture",
+		"order": 90,
+		"action": {
+			"type": "view",
+			"path": "packet_capture/tcpdump"
+		},
+		"depends" : {
+			"acl": [ "luci-app-packet-capture" ],
+			"uci": { "packet_capture": true },
+			"fs": { "/usr/libexec/packet_capture": "executable",
+				"/usr/libexec/packet_capture_start": "executable",
+				"/usr/libexec/packet_capture_stop": "executable"
+			}
+		}
+	}
+}
--- a/luci-app-packet-capture/root/usr/share/rpcd/acl.d/luci-app-packet-capture.json
+++ b/luci-app-packet-capture/root/usr/share/rpcd/acl.d/luci-app-packet-capture.json
@ -0,0 +1,25 @@
+{
+	"luci-app-packet-capture": {
+		"description": "Grant access to tcpdump ubus object",
+		"read": {
+			"cgi-io": [ "download", "exec" ],
+			"ubus": {
+				"tcpdump": [ "*" ],
+				"luci": [ "getProcessList" ]
+			},
+			"uci": [ "packet_capture", "system" ],
+			"file": {
+				"/tmp/capture.pcap": [ "read" ]
+			}
+		},
+		"write": {
+			"uci": [ "packet_capture" ],
+			"file": {
+				"/usr/libexec/packet_capture_start": [ "exec" ],
+				"/usr/libexec/packet_capture_stop": [ "exec" ],
+				"/usr/libexec/packet_capture": [ "exec" ],
+				"/tmp/capture.pcap": [ "write" ]
+			}
+		}
+	}
+}
--- a/shortcut-fe/Makefile
+++ b/shortcut-fe/Makefile
@ -0,0 +1,77 @@
+#
+# Copyright (c) 2014 The Linux Foundation. All rights reserved.
+# Permission to use, copy, modify, and/or distribute this software for
+# any purpose with or without fee is hereby granted, provided that the
+# above copyright notice and this permission notice appear in all copies.
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=shortcut-fe
+PKG_RELEASE:=2
+PKG_CONFIG_DEPENDS := CONFIG_IPV6
+
+include $(INCLUDE_DIR)/package.mk
+
+define KernelPackage/shortcut-fe
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  DEPENDS:=
+  TITLE:=Kernel driver for SFE
+  FILES:=$(PKG_BUILD_DIR)/shortcut-fe.ko $(if $(CONFIG_IPV6),$(PKG_BUILD_DIR)/shortcut-fe-ipv6.ko,)
+  KCONFIG:=CONFIG_NF_CONNTRACK_EVENTS=y \
+	   CONFIG_NF_CONNTRACK_TIMEOUT=y \
+	   CONFIG_SHORTCUT_FE=y \
+	   CONFIG_XFRM=y
+  AUTOLOAD:=$(call AutoLoad,09,shortcut-fe shortcut-fe-ipv6)
+endef
+
+define KernelPackage/shortcut-fe/Description
+Shortcut is an in-Linux-kernel IP packet forwarding engine.
+endef
+
+define KernelPackage/shortcut-fe/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) ./files/usr/bin/sfe_dump $(1)/usr/bin
+endef
+
+define KernelPackage/shortcut-fe-cm
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  DEPENDS:=+kmod-ipt-conntrack +kmod-shortcut-fe
+  TITLE:=Kernel driver for SFE
+  FILES:=$(PKG_BUILD_DIR)/shortcut-fe-cm.ko
+  KCONFIG:=CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y
+endef
+
+define KernelPackage/shortcut-fe-cm/Description
+Simple connection manager for the Shortcut forwarding engine.
+endef
+
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
+		$(KERNEL_MAKE_FLAGS) \
+		$(PKG_MAKE_FLAGS) \
+		M="$(PKG_BUILD_DIR)" \
+		modules \
+		$(if $(CONFIG_IPV6),EXTRA_CFLAGS="-DSFE_SUPPORT_IPV6" SFE_SUPPORT_IPV6=y,)
+endef
+
+#ifneq ($(CONFIG_PACKAGE_kmod-shortcut-fe)$(CONFIG_PACKAGE_kmod-shortcut-fe-cm),)
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/shortcut-fe
+	$(CP) -rf $(PKG_BUILD_DIR)/sfe.h $(1)/usr/include/shortcut-fe
+endef
+#endif
+
+$(eval $(call KernelPackage,shortcut-fe))
+$(eval $(call KernelPackage,shortcut-fe-cm))
--- a/shortcut-fe/files/usr/bin/sfe_dump
+++ b/shortcut-fe/files/usr/bin/sfe_dump
@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Copyright (c) 2015 The Linux Foundation. All rights reserved.
+# Permission to use, copy, modify, and/or distribute this software for
+# any purpose with or without fee is hereby granted, provided that the
+# above copyright notice and this permission notice appear in all copies.
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+#@sfe_dump
+#@example : sfe_dump (ipv4|ipv6)
+sfe_dump(){
+	[ -e "/dev/sfe_ipv4" ] || {
+		dev_num=$(cat /sys/sfe_ipv4/debug_dev)
+		mknod /dev/sfe_ipv4 c $dev_num 0
+	}
+	[ -e "/dev/sfe_ipv6" ] || {
+		dev_num=$(cat /sys/sfe_ipv6/debug_dev)
+		mknod /dev/sfe_ipv6 c $dev_num 0
+	}
+	cat /dev/sfe_$1
+}
+
+if [ -z "$1" ]; then
+	sfe_dump ipv4
+	sfe_dump ipv6
+else
+	sfe_dump $1
+fi
--- a/shortcut-fe/src/Kconfig
+++ b/shortcut-fe/src/Kconfig
@ -0,0 +1,15 @@
+#
+# Shortcut forwarding engine
+#
+
+config SHORTCUT_FE
+	tristate "Shortcut Forwarding Engine"
+	depends on NF_CONNTRACK
+	default n
+	help
+	  Shortcut is a fast in-kernel packet forwarding engine.
+
+	  To compile this code as a module, choose M here: the module will be
+	  called shortcut-fe.
+
+	  If unsure, say N.
--- a/shortcut-fe/src/Makefile
+++ b/shortcut-fe/src/Makefile
@ -0,0 +1,23 @@
+#
+# Makefile for Shortcut FE.
+#
+
+obj-m += shortcut-fe.o
+
+ifdef SFE_SUPPORT_IPV6
+obj-m += shortcut-fe-ipv6.o
+endif
+
+obj-m += shortcut-fe-cm.o
+
+shortcut-fe-objs := \
+	sfe_ipv4.o
+
+ifdef SFE_SUPPORT_IPV6
+shortcut-fe-ipv6-objs := \
+	sfe_ipv6.o
+endif
+
+shortcut-fe-cm-objs := \
+	sfe_cm.o
+
--- a/shortcut-fe/src/sfe.h
+++ b/shortcut-fe/src/sfe.h
@ -0,0 +1,114 @@
+/*
+ * sfe.h
+ *	Shortcut forwarding engine.
+ *
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*
+ * The following are debug macros used throughout the SFE.
+ *
+ * The DEBUG_LEVEL enables the followings based on its value,
+ * when dynamic debug option is disabled.
+ *
+ * 0 = OFF
+ * 1 = ASSERTS / ERRORS
+ * 2 = 1 + WARN
+ * 3 = 2 + INFO
+ * 4 = 3 + TRACE
+ */
+#define DEBUG_LEVEL 2
+
+#if (DEBUG_LEVEL < 1)
+#define DEBUG_ASSERT(s, ...)
+#define DEBUG_ERROR(s, ...)
+#else
+#define DEBUG_ASSERT(c, s, ...) if (!(c)) { pr_emerg("ASSERT: %s:%d:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__); BUG(); }
+#define DEBUG_ERROR(s, ...) pr_err("%s:%d:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+
+#if defined(CONFIG_DYNAMIC_DEBUG)
+/*
+ * Compile messages for dynamic enable/disable
+ */
+#define DEBUG_WARN(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#define DEBUG_INFO(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#define DEBUG_TRACE(s, ...) pr_debug("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#else
+
+/*
+ * Statically compile messages at different levels
+ */
+#if (DEBUG_LEVEL < 2)
+#define DEBUG_WARN(s, ...)
+#else
+#define DEBUG_WARN(s, ...) pr_warn("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+
+#if (DEBUG_LEVEL < 3)
+#define DEBUG_INFO(s, ...)
+#else
+#define DEBUG_INFO(s, ...) pr_notice("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+
+#if (DEBUG_LEVEL < 4)
+#define DEBUG_TRACE(s, ...)
+#else
+#define DEBUG_TRACE(s, ...) pr_info("%s[%d]:" s, __FUNCTION__, __LINE__, ##__VA_ARGS__)
+#endif
+#endif
+
+#ifdef CONFIG_NF_FLOW_COOKIE
+typedef int (*flow_cookie_set_func_t)(u32 protocol, __be32 src_ip, __be16 src_port,
+				      __be32 dst_ip, __be16 dst_port, u16 flow_cookie);
+/*
+ * sfe_register_flow_cookie_cb
+ *	register a function in SFE to let SFE use this function to configure flow cookie for a flow
+ *
+ * Hardware driver which support flow cookie should register a callback function in SFE. Then SFE
+ * can use this function to configure flow cookie for a flow.
+ * return: 0, success; !=0, fail
+ */
+int sfe_register_flow_cookie_cb(flow_cookie_set_func_t cb);
+
+/*
+ * sfe_unregister_flow_cookie_cb
+ *	unregister function which is used to configure flow cookie for a flow
+ *
+ * return: 0, success; !=0, fail
+ */
+int sfe_unregister_flow_cookie_cb(flow_cookie_set_func_t cb);
+
+typedef int (*sfe_ipv6_flow_cookie_set_func_t)(u32 protocol, __be32 src_ip[4], __be16 src_port,
+						__be32 dst_ip[4], __be16 dst_port, u16 flow_cookie);
+
+/*
+ * sfe_ipv6_register_flow_cookie_cb
+ *	register a function in SFE to let SFE use this function to configure flow cookie for a flow
+ *
+ * Hardware driver which support flow cookie should register a callback function in SFE. Then SFE
+ * can use this function to configure flow cookie for a flow.
+ * return: 0, success; !=0, fail
+ */
+int sfe_ipv6_register_flow_cookie_cb(sfe_ipv6_flow_cookie_set_func_t cb);
+
+/*
+ * sfe_ipv6_unregister_flow_cookie_cb
+ *	unregister function which is used to configure flow cookie for a flow
+ *
+ * return: 0, success; !=0, fail
+ */
+int sfe_ipv6_unregister_flow_cookie_cb(sfe_ipv6_flow_cookie_set_func_t cb);
+
+#endif /*CONFIG_NF_FLOW_COOKIE*/
--- a/shortcut-fe/src/sfe_backport.h
+++ b/shortcut-fe/src/sfe_backport.h
@ -0,0 +1,195 @@
+/*
+ * sfe_backport.h
+ *	Shortcut forwarding engine compatible header file.
+ *
+ * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <linux/version.h>
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0))
+#include <net/netfilter/nf_conntrack_timeout.h>
+#else
+enum udp_conntrack {
+	UDP_CT_UNREPLIED,
+	UDP_CT_REPLIED,
+	UDP_CT_MAX
+};
+
+static inline unsigned int *
+nf_ct_timeout_lookup(struct net *net, struct nf_conn *ct,
+		     struct nf_conntrack_l4proto *l4proto)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+	struct nf_conn_timeout *timeout_ext;
+	unsigned int *timeouts;
+
+	timeout_ext = nf_ct_timeout_find(ct);
+	if (timeout_ext)
+		timeouts = NF_CT_TIMEOUT_EXT_DATA(timeout_ext);
+	else
+		timeouts = l4proto->get_timeouts(net);
+
+	return timeouts;
+#else
+	return l4proto->get_timeouts(net);
+#endif /*CONFIG_NF_CONNTRACK_TIMEOUT*/
+}
+#endif /*KERNEL_VERSION(3, 7, 0)*/
+#endif /*KERNEL_VERSION(3, 4, 0)*/
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(void *priv, \
+			    struct sk_buff *SKB, \
+			    const struct nf_hook_state *state)
+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(const struct nf_hook_ops *OPS, \
+			    struct sk_buff *SKB, \
+			    const struct net_device *UNUSED, \
+			    const struct net_device *OUT, \
+			    int (*OKFN)(struct sk_buff *))
+#else
+#define sfe_define_post_routing_hook(FN_NAME, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+static unsigned int FN_NAME(unsigned int HOOKNUM, \
+			    struct sk_buff *SKB, \
+			    const struct net_device *UNUSED, \
+			    const struct net_device *OUT, \
+			    int (*OKFN)(struct sk_buff *))
+#endif
+
+#define sfe_cm_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__sfe_cm_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define sfe_cm_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__sfe_cm_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define fast_classifier_ipv4_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__fast_classifier_ipv4_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+#define fast_classifier_ipv6_post_routing_hook(HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN) \
+	sfe_define_post_routing_hook(__fast_classifier_ipv6_post_routing_hook, HOOKNUM, OPS, SKB, UNUSED, OUT, OKFN)
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.pf = NFPROTO_IPV4,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#else
+#define SFE_IPV4_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.owner = THIS_MODULE,			\
+		.pf = NFPROTO_IPV4,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0))
+#define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.pf = NFPROTO_IPV6,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP_PRI_NAT_SRC + 1,	\
+	}
+#else
+#define SFE_IPV6_NF_POST_ROUTING_HOOK(fn) \
+	{						\
+		.hook = fn,				\
+		.owner = THIS_MODULE,			\
+		.pf = NFPROTO_IPV6,			\
+		.hooknum = NF_INET_POST_ROUTING,	\
+		.priority = NF_IP6_PRI_NAT_SRC + 1,	\
+	}
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0))
+#define SFE_NF_CT_DEFAULT_ZONE (&nf_ct_zone_dflt)
+#else
+#define SFE_NF_CT_DEFAULT_ZONE NF_CT_DEFAULT_ZONE
+#endif
+
+/*
+ * sfe_dev_get_master
+ * 	get master of bridge port, and hold it
+ */
+static inline struct net_device *sfe_dev_get_master(struct net_device *dev)
+{
+	struct net_device *master;
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+	rcu_read_lock();
+	master = netdev_master_upper_dev_get_rcu(dev);
+	if (master)
+		dev_hold(master);
+
+	rcu_read_unlock();
+#else
+	master = dev->master;
+	if (master)
+		dev_hold(master);
+#endif
+	return master;
+}
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 11, 0))
+#define SFE_DEV_EVENT_PTR(PTR) netdev_notifier_info_to_dev(PTR)
+#else
+#define SFE_DEV_EVENT_PTR(PTR) (struct net_device *)(PTR)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define SFE_NF_CONN_ACCT(NM) struct nf_conn_acct *NM
+#else
+#define SFE_NF_CONN_ACCT(NM) struct nf_conn_counter *NM
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0))
+#define SFE_ACCT_COUNTER(NM) ((NM)->counter)
+#else
+#define SFE_ACCT_COUNTER(NM) (NM)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+#define sfe_hash_for_each_possible(name, obj, node, member, key) \
+	hash_for_each_possible(name, obj, member, key)
+#else
+#define sfe_hash_for_each_possible(name, obj, node, member, key) \
+	hash_for_each_possible(name, obj, node, member, key)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0))
+#define sfe_hash_for_each(name, bkt, node, obj, member) \
+	hash_for_each(name, bkt, obj, member)
+#else
+#define sfe_hash_for_each(name, bkt, node, obj, member) \
+	hash_for_each(name, bkt, node, obj, member)
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 4, 0))
+#define sfe_dst_get_neighbour(dst, daddr) dst_neigh_lookup(dst, daddr)
+#else
+static inline struct neighbour *
+sfe_dst_get_neighbour(struct dst_entry *dst, void *daddr)
+{
+	struct neighbour *neigh = dst_get_neighbour_noref(dst);
+
+	if (neigh)
+		neigh_hold(neigh);
+
+	return neigh;
+}
+#endif
--- a/shortcut-fe/src/sfe_cm.c
+++ b/shortcut-fe/src/sfe_cm.c
--- a/shortcut-fe/src/sfe_cm.h
+++ b/shortcut-fe/src/sfe_cm.h
@ -0,0 +1,259 @@
+/*
+ * sfe_cm.h
+ *	Shortcut forwarding engine.
+ *
+ * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * connection flags.
+ */
+#define SFE_CREATE_FLAG_NO_SEQ_CHECK BIT(0)
+					/* Indicates that we should not check sequence numbers */
+#define SFE_CREATE_FLAG_REMARK_PRIORITY BIT(1)
+					/* Indicates that we should remark priority of skb */
+#define SFE_CREATE_FLAG_REMARK_DSCP BIT(2)
+					/* Indicates that we should remark DSCP of packet */
+
+/*
+ * IPv6 address structure
+ */
+struct sfe_ipv6_addr {
+	__be32 addr[4];
+};
+
+typedef union {
+	__be32			ip;
+	struct sfe_ipv6_addr	ip6[1];
+} sfe_ip_addr_t;
+
+/*
+ * connection creation structure.
+ */
+struct sfe_connection_create {
+	int protocol;
+	struct net_device *src_dev;
+	struct net_device *dest_dev;
+	u32 flags;
+	u32 src_mtu;
+	u32 dest_mtu;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t src_ip_xlate;
+	sfe_ip_addr_t dest_ip;
+	sfe_ip_addr_t dest_ip_xlate;
+	__be16 src_port;
+	__be16 src_port_xlate;
+	__be16 dest_port;
+	__be16 dest_port_xlate;
+	u8 src_mac[ETH_ALEN];
+	u8 src_mac_xlate[ETH_ALEN];
+	u8 dest_mac[ETH_ALEN];
+	u8 dest_mac_xlate[ETH_ALEN];
+	u8 src_td_window_scale;
+	u32 src_td_max_window;
+	u32 src_td_end;
+	u32 src_td_max_end;
+	u8 dest_td_window_scale;
+	u32 dest_td_max_window;
+	u32 dest_td_end;
+	u32 dest_td_max_end;
+	u32 mark;
+#ifdef CONFIG_XFRM
+	u32 original_accel;
+	u32 reply_accel;
+#endif
+	u32 src_priority;
+	u32 dest_priority;
+	u32 src_dscp;
+	u32 dest_dscp;
+};
+
+/*
+ * connection destruction structure.
+ */
+struct sfe_connection_destroy {
+	int protocol;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t dest_ip;
+	__be16 src_port;
+	__be16 dest_port;
+};
+
+typedef enum sfe_sync_reason {
+	SFE_SYNC_REASON_STATS,	/* Sync is to synchronize stats */
+	SFE_SYNC_REASON_FLUSH,	/* Sync is to flush a entry */
+	SFE_SYNC_REASON_DESTROY	/* Sync is to destroy a entry(requested by connection manager) */
+} sfe_sync_reason_t;
+
+/*
+ * Structure used to sync connection stats/state back within the system.
+ *
+ * NOTE: The addresses here are NON-NAT addresses, i.e. the true endpoint addressing.
+ * 'src' is the creator of the connection.
+ */
+struct sfe_connection_sync {
+	struct net_device *src_dev;
+	struct net_device *dest_dev;
+	int is_v6;			/* Is it for ipv6? */
+	int protocol;			/* IP protocol number (IPPROTO_...) */
+	sfe_ip_addr_t src_ip;		/* Non-NAT source address, i.e. the creator of the connection */
+	sfe_ip_addr_t src_ip_xlate;	/* NATed source address */
+	__be16 src_port;		/* Non-NAT source port */
+	__be16 src_port_xlate;		/* NATed source port */
+	sfe_ip_addr_t dest_ip;		/* Non-NAT destination address, i.e. to whom the connection was created */
+	sfe_ip_addr_t dest_ip_xlate;	/* NATed destination address */
+	__be16 dest_port;		/* Non-NAT destination port */
+	__be16 dest_port_xlate;		/* NATed destination port */
+	u32 src_td_max_window;
+	u32 src_td_end;
+	u32 src_td_max_end;
+	u64 src_packet_count;
+	u64 src_byte_count;
+	u32 src_new_packet_count;
+	u32 src_new_byte_count;
+	u32 dest_td_max_window;
+	u32 dest_td_end;
+	u32 dest_td_max_end;
+	u64 dest_packet_count;
+	u64 dest_byte_count;
+	u32 dest_new_packet_count;
+	u32 dest_new_byte_count;
+	u32 reason;		/* reason for stats sync message, i.e. destroy, flush, period sync */
+	u64 delta_jiffies;		/* Time to be added to the current timeout to keep the connection alive */
+};
+
+/*
+ * connection mark structure
+ */
+struct sfe_connection_mark {
+	int protocol;
+	sfe_ip_addr_t src_ip;
+	sfe_ip_addr_t dest_ip;
+	__be16 src_port;
+	__be16 dest_port;
+	u32 mark;
+};
+
+/*
+ * Expose the hook for the receive processing.
+ */
+extern int (*athrs_fast_nat_recv)(struct sk_buff *skb);
+
+/*
+ * Expose what should be a static flag in the TCP connection tracker.
+ */
+extern int nf_ct_tcp_no_window_check;
+
+/*
+ * This callback will be called in a timer
+ * at 100 times per second to sync stats back to
+ * Linux connection track.
+ *
+ * A RCU lock is taken to prevent this callback
+ * from unregistering.
+ */
+typedef void (*sfe_sync_rule_callback_t)(struct sfe_connection_sync *);
+
+/*
+ * IPv4 APIs used by connection manager
+ */
+int sfe_ipv4_recv(struct net_device *dev, struct sk_buff *skb);
+int sfe_ipv4_create_rule(struct sfe_connection_create *sic);
+void sfe_ipv4_destroy_rule(struct sfe_connection_destroy *sid);
+void sfe_ipv4_destroy_all_rules_for_dev(struct net_device *dev);
+void sfe_ipv4_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
+void sfe_ipv4_update_rule(struct sfe_connection_create *sic);
+void sfe_ipv4_mark_rule(struct sfe_connection_mark *mark);
+
+#ifdef SFE_SUPPORT_IPV6
+/*
+ * IPv6 APIs used by connection manager
+ */
+int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb);
+int sfe_ipv6_create_rule(struct sfe_connection_create *sic);
+void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid);
+void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev);
+void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback);
+void sfe_ipv6_update_rule(struct sfe_connection_create *sic);
+void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark);
+#else
+static inline int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb)
+{
+	return 0;
+}
+
+static inline int sfe_ipv6_create_rule(struct sfe_connection_create *sic)
+{
+	return 0;
+}
+
+static inline void sfe_ipv6_destroy_rule(struct sfe_connection_destroy *sid)
+{
+	return;
+}
+
+static inline void sfe_ipv6_destroy_all_rules_for_dev(struct net_device *dev)
+{
+	return;
+}
+
+static inline void sfe_ipv6_register_sync_rule_callback(sfe_sync_rule_callback_t callback)
+{
+	return;
+}
+
+static inline void sfe_ipv6_update_rule(struct sfe_connection_create *sic)
+{
+	return;
+}
+
+static inline void sfe_ipv6_mark_rule(struct sfe_connection_mark *mark)
+{
+	return;
+}
+#endif
+
+/*
+ * sfe_ipv6_addr_equal()
+ *	compare ipv6 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+static inline int sfe_ipv6_addr_equal(struct sfe_ipv6_addr *a,
+				      struct sfe_ipv6_addr *b)
+{
+	return a->addr[0] == b->addr[0] &&
+	       a->addr[1] == b->addr[1] &&
+	       a->addr[2] == b->addr[2] &&
+	       a->addr[3] == b->addr[3];
+}
+
+/*
+ * sfe_ipv4_addr_equal()
+ *	compare ipv4 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+#define sfe_ipv4_addr_equal(a, b) ((u32)(a) == (u32)(b))
+
+/*
+ * sfe_addr_equal()
+ *	compare ipv4 or ipv6 address
+ *
+ * return: 1, equal; 0, no equal
+ */
+static inline int sfe_addr_equal(sfe_ip_addr_t *a,
+				 sfe_ip_addr_t *b, int is_v4)
+{
+	return is_v4 ? sfe_ipv4_addr_equal(a->ip, b->ip) : sfe_ipv6_addr_equal(a->ip6, b->ip6);
+}
--- a/shortcut-fe/src/sfe_ipv4.c
+++ b/shortcut-fe/src/sfe_ipv4.c
--- a/shortcut-fe/src/sfe_ipv6.c
+++ b/shortcut-fe/src/sfe_ipv6.c