Hi,

This patchset adds support for Netfilter hardware offloads.

This patchset reuses the existing block infrastructure, the
netdev_ops->ndo_setup_tc() interface, TC_SETUP_CLSFLOWER classifier and
the flow rule API.

Patch #1 moves tcf_block_cb code before the indirect block
         infrastructure to avoid forward declarations in the next
         patches. This is just a preparation patch.

Patch #2 adds tcf_block_cb_alloc() to allocate flow block callbacks.

Patch #3 adds tcf_block_cb_free() to release flow block callbacks.

Patch #4 adds the tcf_block_setup() infrastructure, which allows drivers
         to set up flow block callbacks. This infrastructure transports
         these objects via list (through the tc_block_offload object)
         back to the core for registration.

            CLS_API                           DRIVER
        TC_SETUP_BLOCK    ---------->  setup flow_block_cb object &
                                  it adds object to flow_block_offload->cb_list
                                                 |
            CLS_API     <-----------------------'
           registers                     list if flow block
         flow_block_cb &                   travels back to
        calls ->reoffload              the core for registration

Patch #5 extends tcf_block_cb_alloc() to allow drivers to set a release
         callback that is invoked from tcf_block_cb_free() to release
         private driver block information.

Patch #6 adds tcf_setup_block_offload(), this helper function is used by
         most drivers to setup the block, including common bind and
         unbind operations.

Patch #7 adapts drivers to use the infrastructure introduced in Patch #4.

Patch #8 stops exposing the tc block structure to drivers, by caching
         the only information that drivers need, ie. block is shared
         flag.

Patch #9 removes the tcf_block_cb_register() / _unregister()
         infrastructure, since it is now unused after Patch #7.

Patch #10 moves the flow_block API to the net/core/flow_offload.c core.
          This renames tcf_block_cb to flow_block_cb as well as the
          functions to allocate, release, lookup and setup flow block
          callbacks.

Patch #11 makes sure that only one flow block callback per device is
          possible by now. This means only one of the ethtool / tc /
          netfilter subsystems can use hardware offloads, until drivers
          are updated to remove this limitation.

Patch #12 introduces basic netfilter hardware offload infrastructure for
          the ingress chain. This includes 5-tuple matching and
          accept / drop actions. Only basechains are supported at this
          stage, no .reoffload callback is implemented either.

Please, apply, thanks.

Pablo Neira Ayuso (12):
  net: sched: move tcf_block_cb before indr_block
  net: sched: add tcf_block_cb_alloc()
  net: sched: add tcf_block_cb_free()
  net: sched: add tcf_block_setup()
  net: sched: add release callback to struct tcf_block_cb
  net: sched: add tcf_setup_block_offload()
  net: use tcf_block_setup() infrastructure
  net: cls_api: do not expose tcf_block to drivers
  net: sched: remove tcf_block_cb_{register,unregister}()
  net: flow_offload: add flow_block_cb API
  net: flow_offload: don't allow block sharing until drivers support this
  netfilter: nf_tables: add hardware offload support

 drivers/net/ethernet/broadcom/bnxt/bnxt.c         |  26 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c     |  28 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c   |  26 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c       |  26 +-
 drivers/net/ethernet/intel/iavf/iavf_main.c       |  35 +-
 drivers/net/ethernet/intel/igb/igb_main.c         |  24 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c     |  27 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c |  27 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c  |  62 ++-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c    |  87 ++--
 drivers/net/ethernet/mscc/ocelot_ace.h            |   4 +-
 drivers/net/ethernet/mscc/ocelot_flower.c         |  45 +-
 drivers/net/ethernet/mscc/ocelot_tc.c             |  28 +-
 drivers/net/ethernet/netronome/nfp/abm/cls.c      |  19 +-
 drivers/net/ethernet/netronome/nfp/abm/main.h     |   2 +-
 drivers/net/ethernet/netronome/nfp/bpf/main.c     |  29 +-
 .../net/ethernet/netronome/nfp/flower/offload.c   |  63 ++-
 drivers/net/ethernet/qlogic/qede/qede_main.c      |  23 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |  22 +-
 drivers/net/netdevsim/netdev.c                    |  26 +-
 include/net/flow_offload.h                        |  52 +++
 include/net/netfilter/nf_tables.h                 |  13 +
 include/net/netfilter/nf_tables_offload.h         |  76 ++++
 include/net/pkt_cls.h                             |  90 +---
 include/uapi/linux/netfilter/nf_tables.h          |   2 +
 net/core/flow_offload.c                           | 121 +++++
 net/dsa/slave.c                                   |  16 +-
 net/netfilter/Makefile                            |   2 +-
 net/netfilter/nf_tables_api.c                     |  22 +-
 net/netfilter/nf_tables_offload.c                 | 233 ++++++++++
 net/netfilter/nft_cmp.c                           |  53 +++
 net/netfilter/nft_immediate.c                     |  31 ++
 net/netfilter/nft_meta.c                          |  27 ++
 net/netfilter/nft_payload.c                       | 187 ++++++++
 net/sched/cls_api.c                               | 502 ++++++++++-----------
 35 files changed, 1305 insertions(+), 751 deletions(-)
 create mode 100644 include/net/netfilter/nf_tables_offload.h
 create mode 100644 net/netfilter/nf_tables_offload.c

--
2.11.0