Hi,

This patchset adds support for Netfilter hardware offloads.

This patchset reuses the existing block infrastructure, the
netdev_ops->ndo_setup_tc() interface, TC_SETUP_CLSFLOWER classifier
and the flow rule API.

Patch #1 adds flow_block_cb_setup_simple(), most drivers do the same thing
         to set up flow blocks, to reduce the number of changes,
         consolidate codebase. Use _simple() postfix as requested by
         Jakub Kicinski. This new function resides in
         net/core/flow_offload.c

Patch #2 renames TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND.

Patch #3 renames TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*.

Patch #4 adds flow_block_cb_alloc() and flow_block_cb_free() helper
         functions, this is the first patch of the flow block API.

Patch #5 adds the helper to deal with list operations in the flow block
         API. This includes flow_block_cb_lookup(), flow_block_cb_add()
         and flow_block_cb_remove().

Patch #6 adds flow_block_cb_priv(), flow_block_cb_incref() and
         flow_block_cb_decref() which completes the flow block API.

Patch #7 updates the cls_api to use the flow block API from the new
         tcf_block_setup(). This infrastructure transports these objects
         via list (through the tc_block_offload object) back to the core
         for registration.

            CLS_API                           DRIVER
        TC_SETUP_BLOCK    ---------->  setup flow_block_cb object &
                                 it adds object to flow_block_offload->cb_list
                                                |
            CLS_API     <-----------------------'
           registers                     list with flow blocks
         flow_block_cb &                   travels back to
       calls ->reoffload               the core for registration

         drivers allocate and set up (configure the blocks), then
         registration happens from the core (cls_api and netfilter).

Patch #8 updates drivers to use the flow block API.

Patch #9 removes the tcf block callback API, which is replaced by the
         flow block API.

Patch #10 adds the flow_block_cb_is_busy() helper to check if the block
          is already used by a subsystem. This helper is invoked from
          drivers. Once drivers are updated to support multiple
          subsystems, they can remove this check.

Patch #11 renames tc structure and definitions for the block bind/unbind
          path.

Patch #12 introduces basic netfilter hardware offload infrastructure
          for the ingress chain. This includes 5-tuple exact matching
          and accept / drop rule actions. Only basechains are supported
          at this stage, no .reoffload callback is implemented either.
          Default policy to "accept" is only supported for now.

        table netdev filter {
                chain ingress {
                        type filter hook ingress device eth0 priority 0; flags offload;

                        ip daddr 192.168.0.10 tcp dport 22 drop
                }
        }

This patchset reuses the existing tcf block callback API and it places it
in the flow block callback API in net/core/flow_offload.c.

This series aims to address Jakub and Jiri's feedback, please see
specific patches in this batch for changelog in this v4.

Please, apply. Thank you very much.

P.S: yes, Phil, I still believe there is a chance.

Pablo Neira Ayuso (12):
  net: flow_offload: add flow_block_cb_setup_simple()
  net: flow_offload: rename TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND
  net: flow_offload: rename TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*
  net: flow_offload: add flow_block_cb_alloc() and flow_block_cb_free()
  net: flow_offload: add list handling functions
  net: flow_offload: add flow_block_cb_{priv,incref,decref}()
  net: sched: use flow block API
  drivers: net: use flow block API
  net: sched: remove tcf block API
  net: flow_offload: add flow_block_cb_is_busy() and use it
  net: flow_offload: rename tc_cls_flower_offload to flow_cls_offload
  netfilter: nf_tables: add hardware offload support

 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |  27 +--
 drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c       |  18 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h       |   4 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c      |  29 +--
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |  35 +--
 .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c   |  22 +-
 .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.h   |   6 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c        |  49 ++--
 drivers/net/ethernet/intel/iavf/iavf_main.c        |  58 ++---
 drivers/net/ethernet/intel/igb/igb_main.c          |  43 ++--
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c      |  30 +--
 .../net/ethernet/mellanox/mlx5/core/en/tc_tun.c    |   6 +-
 .../net/ethernet/mellanox/mlx5/core/en/tc_tun.h    |   8 +-
 .../ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c |  18 +-
 .../ethernet/mellanox/mlx5/core/en/tc_tun_gre.c    |   4 +-
 .../ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c  |  10 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |  38 +--
 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c   |  94 ++++----
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c    |  34 +--
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.h    |   6 +-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     | 116 +++++----
 drivers/net/ethernet/mellanox/mlxsw/spectrum.h     |  10 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_flower.c  |  34 +--
 drivers/net/ethernet/mscc/ocelot_ace.h             |   4 +-
 drivers/net/ethernet/mscc/ocelot_flower.c          |  70 +++---
 drivers/net/ethernet/mscc/ocelot_tc.c              |  47 ++--
 drivers/net/ethernet/netronome/nfp/abm/cls.c       |  22 +-
 drivers/net/ethernet/netronome/nfp/abm/main.h      |   2 +-
 drivers/net/ethernet/netronome/nfp/bpf/main.c      |  30 +--
 drivers/net/ethernet/netronome/nfp/flower/action.c |  14 +-
 drivers/net/ethernet/netronome/nfp/flower/main.h   |   6 +-
 drivers/net/ethernet/netronome/nfp/flower/match.c  |  44 ++--
 .../net/ethernet/netronome/nfp/flower/metadata.c   |   2 +-
 .../net/ethernet/netronome/nfp/flower/offload.c    | 116 +++++----
 drivers/net/ethernet/qlogic/qede/qede.h            |   2 +-
 drivers/net/ethernet/qlogic/qede/qede_filter.c     |   2 +-
 drivers/net/ethernet/qlogic/qede/qede_main.c       |  32 +--
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  23 +-
 drivers/net/netdevsim/netdev.c                     |  29 +--
 include/net/flow_offload.h                         |  96 ++++++++
 include/net/netfilter/nf_tables.h                  |  14 ++
 include/net/netfilter/nf_tables_offload.h          |  76 ++++++
 include/net/pkt_cls.h                              | 129 +---------
 include/uapi/linux/netfilter/nf_tables.h           |   2 +
 net/core/flow_offload.c                            | 118 +++++++++
 net/dsa/slave.c                                    |  33 ++-
 net/netfilter/Makefile                             |   2 +-
 net/netfilter/nf_tables_api.c                      |  39 ++-
 net/netfilter/nf_tables_offload.c                  | 267 +++++++++++++++++++++
 net/netfilter/nft_cmp.c                            |  53 ++++
 net/netfilter/nft_immediate.c                      |  31 +++
 net/netfilter/nft_meta.c                           |  27 +++
 net/netfilter/nft_payload.c                        | 187 +++++++++++++++
 net/sched/cls_api.c                                | 211 ++++++++--------
 net/sched/cls_flower.c                             |  24 +-
 net/sched/sch_ingress.c                            |   6 +-
 56 files changed, 1579 insertions(+), 880 deletions(-)
 create mode 100644 include/net/netfilter/nf_tables_offload.h
 create mode 100644 net/netfilter/nf_tables_offload.c

--
2.11.0
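
A userspace model of the bind handshake the cover letter describes for patches #7 and #10, added here as an illustration and not taken from the patchset. Every `model_*` name, the two singly linked lists standing in for the kernel's lists, and the `-EBUSY` return value are assumptions.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model: every model_* name is hypothetical, not kernel API. */
typedef int (*model_setup_cb_t)(void *cb_priv);
struct model_block_cb {
    struct model_block_cb *next;        /* request cb_list, then the core block */
    struct model_block_cb *driver_next; /* the driver's own list */
    model_setup_cb_t cb;
    void *cb_ident;
};
struct model_block { struct model_block_cb *cbs; int ncbs; }; /* one per subsystem */
static struct model_block_cb *model_driver_list; /* all callbacks the driver bound */

/* Constructed driver callback; only its address matters to the busy check. */
static int model_port_cb(void *cb_priv) { (void)cb_priv; return 0; }

/* Busy check (patch #10): is this (cb, cb_ident) pair already bound? */
static int model_cb_is_busy(model_setup_cb_t cb, void *ident)
{
    for (struct model_block_cb *c = model_driver_list; c; c = c->driver_next)
        if (c->cb == cb && c->cb_ident == ident)
            return 1;
    return 0;
}

/* Driver half of BIND: allocate the object and queue it on cb_list. */
static int model_driver_bind(struct model_block_cb **cb_list,
                             model_setup_cb_t cb, void *ident)
{
    struct model_block_cb *c;
    if (model_cb_is_busy(cb, ident))
        return -EBUSY;                  /* error value is an assumption */
    if (!(c = malloc(sizeof(*c))))
        return -ENOMEM;
    *c = (struct model_block_cb){ *cb_list, model_driver_list, cb, ident };
    *cb_list = model_driver_list = c;
    return 0;
}

/* Core half of BIND (patch #7): call the driver, register what came back. */
static int model_core_bind(struct model_block *blk, model_setup_cb_t cb, void *ident)
{
    struct model_block_cb *cb_list = NULL, *c;
    int err = model_driver_bind(&cb_list, cb, ident);
    for (; !err && (c = cb_list); blk->ncbs++) {
        cb_list = c->next;              /* unlink from the request list */
        c->next = blk->cbs;             /* register on the subsystem's block */
        blk->cbs = c;
    }
    return err;
}
```

Binding the same callback and identity from a second `model_block` (standing in for netfilter after tc has bound the port) is refused by the driver, and nothing is registered on that second block.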