Qualcomm Fast Path For LEDE

I started with gwlim's patchset for Barrier Breaker 14.07, included fast path, cake as a scheduler and updated the kernel version to 3.10.107. Nevertheless basically all components of the firmware are outdated and I would not recommend to use it.
I can upload my modified patchset if you want but it is not fully automated and I can't give you any support on this.

Hi K3nny, very kind of you and thank you.

I would like to try your modified patchset if you have them uploaded somewhere.

Here is the download link: https://www.sendspace.com/file/54pdnb

Follow the instructions at gwlim's repository: https://github.com/gwlim/mips24k-barrier-breaker-patch/tree/f8f78bd8ddcf29f2a919063d71ed41ce6e9aa494 but instead of cloning his repository, copy the files from my patchset into the openwrt directory. The rest of the instructions remains basically the same.

Start building the firmware and the process should break while compiling the packages shortcut-fe or kmod-sched-cake. You need to compile them separately with:

make V=s package/kernel/shortcut-fe/clean
make V=s package/kernel/shortcut-fe/prepare USE_SOURCE_DIR=package/kernel/shortcut-fe/src
make V=s package/kernel/kmod-sched-cake/clean
make V=s package/kernel/kmod-sched-cake/prepare USE_SOURCE_DIR=package/kernel/kmod-sched-cake/src

Afterwards continue building again and it should finish successfully.

Btw, you can track all my changes with git.

Many thanks K3NNY, i will do it right now and feedback the results.

After running the script ./bb_openwrt.sh and make menuconfig, under kernel-->network support--> , there is no appearing of kmod-fast-classifier and shortcut-fe.

Is it normal and should i go on the make V=s compiling?

by the way, i used the original bb1407 and haven't done any upgrades of linux 3.10.49

@avbohemen I have exactly the same problem with Strongswan IPsec site-to-site connections. I resolved that by disable conntracking for my local networks (connected through IPsec connection). Fast-classifier is getting connection to offload from conntrack table, this breaks connections in IPsec tunnel.
Example of excluding connections from adding do conntrack table:
iptables -t raw -A PREROUTING -m iprange --src-range --dst-range -j CT --notrack

I described this in details in blogpost https://taczanowski.net/strongswan-ipsec-on-lede-openwrt-with-fast-classifier-and-shortcut-fe-modules/

@gwlim Thanks for you awesome work! :slight_smile:

You essentially gave up control of network packets flow of your router, which is not advisable.

I encountered similar issue with OpenVPN for my Broadcom routers running DD-WRT with QCA SFE. It doesn’t route packets that are policy routed. So I patched the fast-classifier connection manager to make it work.

The QCA SFE fast-classifier have problem looking up the destination interface properly when the routing table use is not the default table. So I hacked it to use the route table that the netfilter stack already found and used. Seems to have solved my problem. This has the benefit of also accelerating packets going thru the VPN tunnel, as it doesn’t have to go thru the netfilter again.

I made the same patch for LEDE/OpenWRT. If you’re interested, see if the patch solves your problem. You cab get my patch here:



@quarky I'm testing your sfe-code, while compiling I get this error:

make[3]: Entering directory '/home/bouwew/escalade/LEDE/package/kernel/shortcut-fe'
rm -f /home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/.built
touch /home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/.built_check
cat /dev/null > /home/bouwew/escalade/LEDE/staging_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/pkginfo/shortcut-fe.symvers; for subdir in .; do cat /home/bouwew/escalade/LEDE/staging_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/pkginfo/*.symvers 2>/dev/null > /home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/$subdir/Module.symvers; done
make -C "/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/linux-4.9.77" ARCH="arm" CROSS_COMPILE="arm-openwrt-linux-muslgnueabi-" SUBDIRS="/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe" EXTRA_CFLAGS="" modules
make[4]: Entering directory '/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/linux-4.9.77'
CC [M] /home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.o
/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.c: In function 'sfe_ipv4_recv_udp':
/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.c:1366:5: error: 'struct sk_buff' has no member named 'fast_forwarded'
skb->fast_forwarded = 1;
/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.c: In function 'sfe_ipv4_recv_tcp':
/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.c:1909:5: error: 'struct sk_buff' has no member named 'fast_forwarded'
skb->fast_forwarded = 1;
scripts/Makefile.build:293: recipe for target '/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.o' failed
make[5]: *** [/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe/sfe_ipv4.o] Error 1
Makefile:1495: recipe for target 'module/home/bouwew/escalade/LEDE/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x/shortcut-fe' failed

Am I doing something wrong? Can you please provide help?

For your info, I'm trying to build this on LEDE Master, target Netgear R7800.

@quarky Thanks for your response :slight_smile:
I will look on your patch :slight_smile:

I don't see many disadvantages of disabling conntracking for connections between my local networks. Probably this connections can't be shaping by SQM - this is disadvantage. But it is still managed by iptables, I can block traffic etc. In generally I need conntrack only for outbound connections from my local network to the internet :slight_smile:

In context of ofloading connections going through IPsec tunnel by fast-classifier, I don't see advantages of this, becouse this packets (all of them) must be processed by IPsec stack and it is slow regardless of using fast-classifier.

Another difficult thing is that strongswan does not using interfaces, only xfrm policies and route table 220. Traffic to remote network behind tunnel is routed through WAN interface o router, for example:

root@LEDE:~# ip route show table 220 via WAN_IP dev eth0.2  proto static  src

eth0.2 is the WAN interface, is the network behind IPsec tunnel.

Of course, method with excluding connections from conntrack is a hack for this problem. I also thinking that the better why is to handle such situations in fast-classfier module.


You likely only copied the shortcut-fe folder without the kernel patches. You need the kernel patched to support shortcut-fe. The patches the ones provided by the OP, which I just took and applied to the lede-17.01 branch.

That’s explains why you had problem when SFE kicks in. Do post back if my patch solves your problem as well.

@quarky Ah, yes, I understand what's wrong. You have only included the patches for kernel 4.4, and master is on kernel 4.9.

@dissent1 In case you haven't noticed this, please find the interesting modification to SFE by @quarky, a few posts up.

@quarky I builded image based on your repository and flashed my router. It seems that it works in the same way like my previous build based on gwlim's images. I have to disable conntrack to get working my tunnel properly. Without this, TCP connection through tunnel can be established, but it freezes after pass a few packets (when SFE starts offloading)

@jtaczanowski @quarky I've made a build of lede master with @quarky's changes incorporated in the original SFE-patch by dissent1. As far as I can test it, it works.
I'm using IPSEC, connecting my Android tablet via the Strongswan app to my home network.

My changes are made to the fast-classifier connection manager only as I’m using that only. Did you also enable the sfe-cm connection manager as well?

V[quote="bouwew, post:581, topic:4582"]
I’ve made a build of lede master with @quarky’s changes incorporated in the original SFE-patch by dissent1. As far as I can test it, it works.

I’m using IPSEC, connecting my Android tablet via the Strongswan app to my home network.

Did it work with SFE without the changes to the fast-classifier connection manager? @jtaczanowski is reporting that it did not work with the changes I did.

I was building image without kmod-shortcut-fe-cm module. My dmesg and lsmod looks as follows:

root@LEDE:~# dmesg | grep -i "sfe|fast"
[ 9.912854] fast-classifier (PBR safe v0.1): starting up
[ 9.918496] fast-classifier: registered
root@LEDE:~# lsmod | grep -i "sfe|fast"
fast_classifier 44416 0
nf_conntrack 49600 15 nf_nat_ipv4,nf_conntrack_ipv6,nf_conntrack_ipv4,fast_classifier,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_CT,nf_nat_masquerade_ipv4,nf_nat,nf_conntrack_rtcache,sch_cake
shortcut_fe 51088 1 fast_classifier
shortcut_fe_ipv6 52144 1 fast_classifier

When I have enabled conntracking (and have problems with traffic flow through IPsec tunnel),
I can see in /sys/fast_classifier/debug_info connections between my local networks connected through IPsec tunnel. For example

root@LEDE:~# cat /sys/fast_classifier/debug_info
size=16 offload=0 offload_no_match=0 offloaded=20 done=19 offl_dbg_msg_fail=20 done_dbg_msg_fail=19
o=0, p=6 [b8:af:67:70:86:7f]:[84:3d:c6:73:d4:58] m=00000000 h=8
o=1, p=6 [b8:af:67:70:86:7f]:[84:3d:c6:73:d4:58] m=00000000 h=128
o=0, p=6 [b8:af:67:70:86:7f]:[84:3d:c6:73:d4:58] m=00000000 h=104 it is my remote network behind IPsec tunnel, it is my local network with LEDE router
I'm trying to connecting from host to

This is the rest of the configuration that may matter:

iptables -t nat -A zone_wan_postrouting -o eth0.2 ! -d -m comment --comment "!fw3" -j MASQUERADE

And that is how I was building image from your repo:

297 git clone https://github.com/quarkysg/openwrt.git
298 cd openwrt/
299 git branch
300 git branch -v
301 git branch -r
302 git checkout origin/lede-17.01-quarkysg
303 git log
304 ./scripts/feeds update -a
305 ./scripts/feeds install -a
306 cp ../lede_gwlim_openvpn_strongswan/.config . (this is my config in which I have enabled packages like stronswan, fastclassfier)
307 make menuconfig
308 make -j 2

@quarky No, I haven't compiled and tested that option.

How can I get this to work on my WRT1200AC v2?
I'm a newbie to LEDE and I've no means to compile anything.

Thanks in advance.

1 Like