This commit refines the kernel networking configuration modernization alignment for AArch64 devices (H700, RK3326, RK3399, RK3566, RK3588, S922X, SDM845, SM8250, SM8550, SM8650). It builds upon the standardization and modernization patches merged in PR #2213, prioritizing "gaming-first" resources and boot speed while ensuring minimal bloat by trimming unneeded existing modules and built-ins down to a validated set required for core use cases.
Detailed Justification of Changes:
Native Legacy Iptables Path & Future NFT Alignment
Change: Set CONFIG_IP_NF_IPTABLES=y and disabled CONFIG_NFT_COMPAT.
ROCKNIX Use Case: Userspace tools currently rely on legacy iptables. Disabling the NFT_COMPAT translation layer forces the kernel to use the native legacy code path, eliminating the CPU overhead of translating rules to nftables bytecode. This ensures maximal performance on limited hardware now, while paving the way for a future userspace transition to native nft tooling (aligning with the direction upstream LibreELEC is moving towards) without the technical debt/potential perf regression of the compatibility layer on low-end targets.
Built-in Netfilter & Conntrack (Reliability for Netplay/Tools)
Change: Moved Core Netfilter, Connection Tracking, and NAT to built-in (=y).
ROCKNIX Use Case: Features like Netplay, Scrapers, and Wi-Fi tethering rely on robust connection tracking. Baking this into the kernel prevents race conditions during boot where network services might fail because modules weren't loaded yet. It ensures consistent network behavior immediately upon boot without waiting for disk I/O to load modules. This is especially critical for devices where the NIC driver is built-in, ensuring the firewall stack is active the moment the network interface initializes.
Modularized Bridging & STP (Bloat Reduction)
Change: Moved CONFIG_BRIDGE, CONFIG_STP, and LLC to modules (=m).
ROCKNIX Use Case: These devices predominantly act as Wi-Fi clients, not network switches. There is no need to keep the Spanning Tree Protocol or Bridge logic resident in the static kernel image, consuming RAM and increasing kernel size. This change reduces the uncompressed image size, contributing to faster boot times.
On-Demand Drivers (RAM Optimization)
Change: Modularized CONFIG_TUN (VPNs), CONFIG_VETH (Containers), and CONFIG_NET_DSA (Switching).
ROCKNIX Use Case: Most users launch emulators immediately. VPNs and Docker containers are niche use cases. By modularizing these, we save RAM for the actual games and emulators. These drivers will now only load if the user explicitly enables a VPN or launches a container.
System Script Support
Change: Enabled CONFIG_NF_CONNTRACK_PROCFS=y.
ROCKNIX Use Case: The availability of standard procfs interfaces enabled by this option is critical for various system scripts (e.g., USBGadget configuration) to function correctly during boot and runtime operations.
Devices affected:
H700, RK3326, RK3399, RK3566, RK3588
S922X, SDM845, SM8250, SM8550, SM8650
This patch moves the distribution to a modern network stack using systemd-resolved
integrated with IWD and Connman, alongside a kernel configuration alignment to support
modern routing standards. This resolves historical connectivity issues regarding
DNS search paths, captive portals, blocked DNS scenarios, and IPv6 gateway selection.
Detailed changes:
1. Systemd-Resolved & Configuration Logic:
   - Configured IWD to use native systemd-resolved support via DBus.
   - Retained standard distribution `resolv.conf` symlink/pointer behavior for
     backward compatibility.
   - EXPANDED: Added support for persistent user overrides.
     * If `/storage/.config/resolv.conf` is populated by the user, it will be
       honored and take precedence over automatic discovery.
   - Specific handling for domain search paths and captive portal complexity.
2. Connman Improvements:
   - Removed hardcoded single fallback DNS entries.
   - *Rationale:* These entries were never updated and caused connectivity/resolution
     failures when the primary DNS path was blocked or unavailable.
3. System Integration & Permissions (Compatibility Shims):
   - Added `dummy` user (UID 100) and `nobody` group (standard overflow UID/GID).
   - *Rationale:* Required to satisfy `systemd-resolved` internal sandboxing constraints.
     Although Rocknix runs as root, systemd-resolved enforces privilege dropping for
     specific internal operations.
   - *Standardization:* Aligning these mappings (User 100, nobody/nogroup) with
     Linux standards resolves dependencies for multiple services beyond systemd
     (e.g., NFS idmapd, Avahi, RPC).
   - *Maintainability:* Chosen over binary patching to ensure package cleanliness.
4. Avahi / mDNS:
   - Integrated with existing Avahi setup to prevent systemd-resolved from
     binding to mDNS ports, avoiding conflict.
5. IWD Updates:
   - Optimized IPv6 support configuration.
   - Enabled Kernel Crypto User API (`AF_ALG`) interaction for WPA3/SAE support.
6. Kernel Configuration Alignment:
   - **Performance:** Enforced `TCP_CONG_BBR` and `NET_SCH_FQ_CODEL` as the
     kernel defaults. This mitigates bufferbloat and improves throughput in
     congested WiFi environments compared to the previous cubic/fifo defaults.
   - **IPv6 Compliance:** Enabled `ROUTER_PREF`, `MULTIPLE_TABLES`, `SUBTREES`,
     and `MROUTE`.
     * *Rationale:* Required for policy routing used by modern network managers
       and ensures correct gateway selection in multi-router environments.
   - **VPN & VLAN Support:** Enabled `TUN`, `WIREGUARD`, `BRIDGE`, and `VLAN_8021Q`.
     * *Rationale:* Provides necessary primitives for Tailscale, WireGuard, and
       VLAN-tagged WAN/IoT isolation. Container networking (IPVLAN/MACVLAN)
       remains disabled to prevent conflicts with L3 Master Device selection.
   - **Netfilter Modernization:** Enabled `NF_TABLES` with `NFT_COMPAT` while
     retaining legacy `IP_NF_IPTABLES` support.
     * *Rationale:* Allows modern tooling to use efficient NFTables backends
       while maintaining backward compatibility for existing user scripts.
   - **Hardware Cryptography:** Enabled SoC-specific hardware crypto drivers as
     modules (`CRYPTO_DEV_ROCKCHIP`, `CRYPTO_DEV_QCE`, `CRYPTO_DEV_AMLOGIC_GXL`,
     `CRYPTO_DEV_SUN8I`) to support hardware-offloaded operations for IWD/SAE
     and VPNs where available.
7. Device Specific Cleanups:
   - **SDM845 (Kernel 5.18):** Explicitly disabled legacy Android Power Management
     flags (`CONFIG_PM_SLEEP`, `CONFIG_SUSPEND`)
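The two messages above describe an intended end state for the netfilter, bridging and on-demand driver symbols (the refinement commit at the top supersedes the PR #2213 settings for `NFT_COMPAT` and `BRIDGE`). A practitioner reviewing a built kernel wants a check that the `.config` actually landed there. The script below is an added example, not part of either commit or of the ROCKNIX tree: it encodes the expected symbol states from the messages as a policy, treats a missing or `# CONFIG_FOO is not set` symbol as `n`, and reports every mismatch against a constructed sample fragment (the `CONFIG_DEFAULT_TCP_CONG`/`CONFIG_DEFAULT_NET_SCH` lines are my reading of "enforced as the kernel defaults", not symbols the messages name).

```shell
#!/bin/sh
# Policy derived from the commit messages: y = built-in, m = module, n = off.
# CONFIG_DEFAULT_* lines are an assumption about how "kernel default" is set.
EXPECTED='
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_NAT=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_NFT_COMPAT=n
CONFIG_BRIDGE=m
CONFIG_STP=m
CONFIG_LLC=m
CONFIG_TUN=m
CONFIG_VETH=m
CONFIG_NET_DSA=m
CONFIG_TCP_CONG_BBR=y
CONFIG_NET_SCH_FQ_CODEL=y
CONFIG_DEFAULT_TCP_CONG="bbr"
CONFIG_DEFAULT_NET_SCH="fq_codel"
'

# Effective value of one symbol in a .config file. Kconfig writes disabled
# symbols as "# CONFIG_FOO is not set" or omits them, so both map to "n".
# The "=" anchor keeps CONFIG_BRIDGE from matching CONFIG_BRIDGE_NETFILTER.
config_value() {  # $1 = path to .config, $2 = symbol name
    val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'n\n'
}

# Prints "SYMBOL expected=X actual=Y" per mismatch; exit 0 only if all match.
check_netfilter_config() {  # $1 = path to .config
    rc=0
    for entry in $EXPECTED; do            # default IFS splits on newlines
        sym=${entry%%=*}; want=${entry#*=}
        have=$(config_value "$1" "$sym")
        [ "$have" = "$want" ] || { printf '%s expected=%s actual=%s\n' "$sym" "$want" "$have"; rc=1; }
    done
    return $rc
}

# Constructed sample fragment: everything matches except CONFIG_NET_DSA,
# which was left built-in instead of modular.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_NAT=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_NFT_COMPAT is not set
CONFIG_BRIDGE=m
CONFIG_STP=m
CONFIG_LLC=m
CONFIG_TUN=m
CONFIG_VETH=m
CONFIG_NET_DSA=y
CONFIG_TCP_CONG_BBR=y
CONFIG_NET_SCH_FQ_CODEL=y
CONFIG_DEFAULT_TCP_CONG="bbr"
CONFIG_DEFAULT_NET_SCH="fq_codel"
EOF
```

On a device whose kernel has `CONFIG_IKCONFIG_PROC`, `zcat /proc/config.gz > /tmp/running.config` and pass that path to `check_netfilter_config` to audit the running kernel rather than the sample.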