Hi,

This patchset adds support for Netfilter hardware offloads.

This patchset reuses the existing block infrastructure, the netdev_ops->ndo_setup_tc() interface, TC_SETUP_CLSFLOWER classifier and the flow rule API.

Patch #1 adds flow_block_cb_setup_simple(), most drivers do the same thing to set up flow blocks, to reduce the number of changes, consolidate codebase. Use _simple() postfix as requested by Jakub Kicinski. This new function resides in net/core/flow_offload.c

Patch #2 renames TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND.

Patch #3 renames TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*.

Patch #4 adds flow_block_cb_alloc() and flow_block_cb_free() helper functions, this is the first patch of the flow block API.

Patch #5 adds the helper to deal with list operations in the flow block API. This includes flow_block_cb_lookup(), flow_block_cb_add() and flow_block_cb_remove().

Patch #6 adds flow_block_cb_priv(), flow_block_cb_incref() and flow_block_cb_decref() which completes the flow block API.

Patch #7 updates the cls_api to use the flow block API from the new tcf_block_setup(). This infrastructure transports these objects via list (through the tc_block_offload object) back to the core for registration.

    CLS_API                           DRIVER
 TC_SETUP_BLOCK    ---------->  setup flow_block_cb object &
                                it adds object to flow_block_offload->cb_list
                                               |
    CLS_API     <----------------------'
   registers                     list with flow blocks
  flow_block_cb &                travels back to
 calls ->reoffload               the core for registration

Drivers allocate and set up (configure the blocks), then registration happens from the core (cls_api and netfilter).

Patch #8 updates drivers to use the flow block API.

Patch #9 removes the tcf block callback API, which is replaced by the flow block API.

Patch #10 adds the flow_block_cb_is_busy() helper to check if the block is already used by a subsystem. This helper is invoked from drivers. Once drivers are updated to support multiple subsystems, they can remove this check.

Patch #11 introduces basic netfilter hardware offload infrastructure for the ingress chain. This includes 5-tuple exact matching and accept / drop rule actions. Only basechains are supported at this stage, no .reoffload callback is implemented either. Default policy to "accept" is only supported for now.

	table netdev filter {
		flags offload;

		chain ingress {
			type filter hook ingress device eth0 priority 0;

			ip daddr 192.168.0.10 tcp dport 22 drop
		}
	}

This patchset reuses the existing tcf block callback API and it places it in the flow block callback API in net/core/flow_offload.c.

This series aims to address Jakub Kicinski's feedback, mostly targeting reducing the batch size and reordering patches.

Please, apply. Thanks.

Pablo Neira Ayuso (11):
  net: flow_offload: add flow_block_cb_setup_simple()
  net: flow_offload: rename TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND
  net: flow_offload: rename TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*
  net: flow_offload: add flow_block_cb_alloc() and flow_block_cb_free()
  net: flow_offload: add list handling functions
  net: flow_offload: add flow_block_cb_{priv,incref,decref}()
  net: sched: use flow block API
  drivers: net: use flow block API
  net: sched: remove tcf block API
  net: flow_offload: add flow_block_cb_is_busy() and use it
  netfilter: nf_tables: add hardware offload support

 drivers/net/ethernet/broadcom/bnxt/bnxt.c         |  27 +--
 drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c     |  29 +--
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c   |  27 +--
 drivers/net/ethernet/intel/i40e/i40e_main.c       |  27 +--
 drivers/net/ethernet/intel/iavf/iavf_main.c       |  36 +--
 drivers/net/ethernet/intel/igb/igb_main.c         |  27 +--
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c     |  30 +--
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c |  30 +--
 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c  |  76 +++---
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c    | 103 +++++---
 drivers/net/ethernet/mscc/ocelot_ace.h            |   4 +-
 drivers/net/ethernet/mscc/ocelot_flower.c         |  47 ++--
 drivers/net/ethernet/mscc/ocelot_tc.c             |  46 ++--
 drivers/net/ethernet/netronome/nfp/abm/cls.c      |  22 +-
 drivers/net/ethernet/netronome/nfp/abm/main.h     |   2 +-
 drivers/net/ethernet/netronome/nfp/bpf/main.c     |  30 +--
 .../net/ethernet/netronome/nfp/flower/offload.c   |  83 ++++---
 drivers/net/ethernet/qlogic/qede/qede_main.c      |  24 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |  23 +-
 drivers/net/netdevsim/netdev.c                    |  29 +--
 include/net/flow_offload.h                        |  67 ++++++
 include/net/netfilter/nf_tables.h                 |  13 +
 include/net/netfilter/nf_tables_offload.h         |  76 ++++++
 include/net/pkt_cls.h                             |  89 +------
 include/uapi/linux/netfilter/nf_tables.h          |   2 +
 net/core/flow_offload.c                           | 118 ++++++++++
 net/dsa/slave.c                                   |  33 ++-
 net/netfilter/Makefile                            |   2 +-
 net/netfilter/nf_tables_api.c                     |  22 +-
 net/netfilter/nf_tables_offload.c                 | 261 +++++++++++++++++++++
 net/netfilter/nft_cmp.c                           |  53 +++++
 net/netfilter/nft_immediate.c                     |  31 +++
 net/netfilter/nft_meta.c                          |  27 +++
 net/netfilter/nft_payload.c                       | 187 +++++++++++++++
 net/sched/cls_api.c                               | 213 ++++++++---------
 net/sched/sch_ingress.c                           |   6 +-
 36 files changed, 1298 insertions(+), 624 deletions(-)
 create mode 100644 include/net/netfilter/nf_tables_offload.h
 create mode 100644 net/netfilter/nf_tables_offload.c

-- 
2.11.0
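
An added illustration, not code from this series or from the kernel: a userspace C model of the bind handshake described for patches #7 and #10, where the driver allocates the callback object, queues it on the request's list, the core registers that list, and a second subsystem binding the same device gets -EBUSY. Every model_* and drv_* name and signature is a hypothetical stand-in.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Userspace model; every name and signature here is an assumption. */
typedef int (*setup_cb_t)(void *cb_priv);
struct model_block_cb {
    struct model_block_cb *next;     /* link on the request / core list */
    struct model_block_cb *drv_next; /* link on the driver's own list */
    setup_cb_t cb;
    void *cb_ident;
};
struct model_offload { struct model_block_cb *cb_list; };        /* bind request */
struct model_block { struct model_block_cb *cb_list; int ncb; }; /* one per subsystem */
static struct model_block_cb *driver_block_list;
static int drv_setup_cb(void *cb_priv) { (void)cb_priv; return 0; }

/* Patch #10 check: is this (cb, ident) pair already bound by a subsystem? */
static bool model_cb_is_busy(setup_cb_t cb, void *ident)
{
    for (struct model_block_cb *b = driver_block_list; b; b = b->drv_next)
        if (b->cb == cb && b->cb_ident == ident)
            return true;
    return false;
}

/* Driver side: allocate the object and queue it on the request's list. */
static int model_driver_bind(struct model_offload *f, void *dev_priv)
{
    if (model_cb_is_busy(drv_setup_cb, dev_priv))
        return -EBUSY;
    struct model_block_cb *b = calloc(1, sizeof(*b));
    if (!b)
        return -ENOMEM;
    *b = (struct model_block_cb){ .next = f->cb_list, .drv_next = driver_block_list,
                                  .cb = drv_setup_cb, .cb_ident = dev_priv };
    f->cb_list = driver_block_list = b;
    return 0;
}

/* Core side (cls_api or netfilter): ask the driver, then register its list. */
static int model_core_bind(struct model_block *blk, void *dev_priv)
{
    struct model_offload f = { NULL };
    int err = model_driver_bind(&f, dev_priv);
    for (struct model_block_cb *b = f.cb_list, *n; !err && b; b = n, blk->ncb++) {
        n = b->next;
        b->next = blk->cb_list;
        blk->cb_list = b;
    }
    return err;
}
```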