WARNING: Makefile 'package/qca/qca-nss-drv/Makefile' has a dependency on 'kmod-qca-nss-dp', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-ovsmgr', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-ovsmgr', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-ovsmgr', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-hyfi-bridge', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-mcs', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-ovsmgr', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-hyfi-bridge', which does not exist
WARNING: Makefile 'package/qca/qca-nss-ecm/Makefile' has a dependency on 'kmod-qca-mcs', which does not exist
PS: This router is only supported on the snapshots.
PS2: I don't know if this is relevant or not, but with the November 12th snapshots, I can't get the WAN to work. Not even with static IP address. Had to return to the November 9th one:
Good to know that this finally gets some traction. The ipq806x (and I believe for ipq807x) NSS firmware currently doesn't support GCM mode tho. I guess the developers concentrated on GCM due to it being the recommended mode currently. Hopefully adding AES-CBC-SHA-HMAC mode should be straightforward.
At the moment I don't really have much time to hack router firmware due to work. Hopefully I can restart this sometime in future soon.
Do you think the openvpn kmod will give better perf as it will skip the userspace problem?
Also I wonder if wireguard performance can benefit of the crypto core.
To follow up and to raise awareness for others on the spontaneous restarts, there seems to be an underlying bug not related to NSS that may cause router restarts.
I had 17d uptime with my NSS build before a spontaneous restart yesterday.
The crash logs point directly to the already created bug report below.
The workaround mentioned in that bug report is to use performance governor.
Your restarts may be from a different cause but it might be worth a try to change to performance governor if you are still facing frequent restart problem and not already using the performance governor.
As for the fix for that reported bug, it may take quite some time to get fixed...
Definitely. From what I’ve tested with the NSS crypto core, moving from user space to kernel space for the data plane results in a 4X improvement in thruput. With further optimization, it should go higher (I hope) with better integration with the NSS firmware.
I briefly looked at the ovpn-dco code. It looks like they are creating a separate network interface and not using the Linux tun interface, which makes sense since the tun interface is mainly for user space processes to send network packets. I think using the new approach should make integration with the NSS a lot easier using the NSS virtual interface APIs.
Unfortunately the NSS firmware doesn’t support the crypto algorithm or the authentication mode that WireGuard is using. Good news is that I could get about 200mbps (if my memory serves) thruput between a mt7621 and a bcm4708 SoC router over a WAN link between two ISPs across two countries. Using ipq806x SoC routers for both ends would definitely result in higher WireGuard thruput.
Speaking of NSS and VPN, any idea if ipsec is or can be offloaded to NSS?
I'm currently running a separate VM for VPN related stuff (to keep the router's CPU utilization low)
Was wondering if R7800 could handle the VPN part as well with the help of NSS
I run a variant of hnyman's build on my R7800 (I won't tag him as I don't think it's anything to do with his build), with some minor changes of my own, among them support for jumbo frames and using DSA instead of swconfig.
I tried merging this in but could not get it to work successfully...I left the DSA config in place initially (including the DTS changes) which resulted in none of the ethernet ports starting, luckily wireless still worked. I reverted the DSA changes in the DTS and in /etc/config, still no joy. Then I did a factory reset and the LAN ports came up, but still no WAN port. In luci it complains that the device is not present, in the kernel log you can see eth1 start up, but not eth0.
I'm afraid all this is a bit beyond me, anything obvious I've missed?
Wish I knew why NSS enabled image won't boot for me. The config I use is basically the same config as hnyman uses in his builds now when he enabled wireguard support.
My build is pretty similar to hnyman’s. I have my diffconfig posted if you want to compare - or if it is helpful you could try my sysupgrade and add on your packages (just to try it out).
There must be a package or dependency that it doesn’t like.