[PATCH 00/15 net-next,v2] netfilter: add hardware offload infrastructure

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi,

This patchset adds support for Netfilter hardware offloads.

This patchset reuses the existing block infrastructure, the
netdev_ops->ndo_setup_tc() interface, TC_SETUP_CLSFLOWER classifier and
the flow rule API.

Patch #1 moves tcf_block_cb code before the indirect block
         infrastructure to avoid forward declarations in the next
         patches. This is just a preparation patch.

Patch #2 adds tcf_block_cb_alloc() to allocate flow block callbacks.

Patch #3 adds tcf_block_cb_free() to release flow block callbacks.

Patch #4 adds the tcf_block_setup() infrastructure, which allows drivers
         to set up flow block callbacks. This infrastructure transports
         these objects via list (through the tc_block_offload object)
         back to the core for registration.

            CLS_API                           DRIVER
        TC_SETUP_BLOCK    ---------->  setup flow_block_cb object &
                                 it adds object to flow_block_offload->cb_list
                                                |
            CLS_API     <-----------------------'
           registers                     list with flow blocks
         flow_block_cb &                   travels back to
       calls ->reoffload               the core for registration

         This patch introduces a global flow block list for all drivers
	 which is a temporary artifact to make incremental changes, it
	 is removed in patch #12!

Patch #5 extends tcf_block_cb_alloc() to allow drivers to set a release
         callback that is invoked from tcf_block_cb_free() to release
         private driver block information.

Patch #6 adds tcf_setup_block_offload(), this helper function is used by
         most drivers to setup the block, including common bind and
         unbind operations.

Patch #7 adapts drivers to use the infrastructure introduced in Patch #4.

Patch #8 stops exposing the tc block structure to drivers, by caching
         the only information that drivers need, ie. block is shared
         flag.

Patch #9 removes the tcf_block_cb_register() / _unregister()
         infrastructure, since it is now unused after Patch #7.

Patch #10 moves the flow_block API to the net/core/flow_offload.c file.
          This renames from tcf_block_cb to flow_block_cb as well as the
          functions to allocate, release, lookup and setup flow block
          callbacks.

Patch #11 makes sure that only one flow block callback per device is
          possible by now. This means only one of the ethtool / tc /
          netfilter subsystems can use hardware offloads, until drivers
          are updated to remove this limitation.

Patch #12 introduces a flow block list per-driver, this is a step
	  towards offloading multiple subsystems. This needs more work
	  on the driver side to support for this.

Patch #13 renames TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND.

Patch #14 renames TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*.

Patch #15 introduces basic netfilter hardware offload infrastructure
          for the ingress chain. This includes 5-tuple exact matching
	  and accept / drop rule actions. Only basechains are supported
	  at this stage, no .reoffload callback is implemented either.
	  Default policy to "accept" is only supported for now.

An example ruleset looks like this:

	table netdev filter {
		flags offload;

		chain ingress {
	                type filter hook ingress device eth0 priority 0;

			ip daddr 192.168.0.10 tcp dport 22 drop
	        }
	}

The 'offload' flag specifies that this table (and anything that is enclosed
into this table) belongs to hardware.

Please, apply, thanks.

Pablo Neira Ayuso (15):
  net: sched: move tcf_block_cb before indr_block
  net: sched: add tcf_block_cb_alloc()
  net: sched: add tcf_block_cb_free()
  net: sched: add tcf_block_setup()
  net: sched: add release callback to struct tcf_block_cb
  net: sched: add tcf_setup_block_offload()
  net: use tcf_block_setup() infrastructure
  net: cls_api: do not expose tcf_block to drivers
  net: sched: remove tcf_block_cb_{register,unregister}()
  net: flow_offload: add flow_block_cb API
  net: flow_offload: don't allow subsystem to reuse blocks
  net: flow_offload: make flow block callback list per-driver
  net: flow_offload: rename TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND
  net: flow_offload: rename TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*
  netfilter: nf_tables: add hardware offload support

 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |  26 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c      |  29 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |  26 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c        |  26 +-
 drivers/net/ethernet/intel/iavf/iavf_main.c        |  35 +-
 drivers/net/ethernet/intel/igb/igb_main.c          |  26 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c      |  29 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |  29 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c   |  70 ++-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     |  97 ++--
 drivers/net/ethernet/mscc/ocelot_ace.h             |   4 +-
 drivers/net/ethernet/mscc/ocelot_flower.c          |  47 +-
 drivers/net/ethernet/mscc/ocelot_tc.c              |  42 +-
 drivers/net/ethernet/netronome/nfp/abm/cls.c       |  22 +-
 drivers/net/ethernet/netronome/nfp/abm/main.h      |   2 +-
 drivers/net/ethernet/netronome/nfp/bpf/main.c      |  30 +-
 .../net/ethernet/netronome/nfp/flower/offload.c    |  76 +--
 drivers/net/ethernet/qlogic/qede/qede_main.c       |  23 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  23 +-
 drivers/net/netdevsim/netdev.c                     |  29 +-
 include/net/flow_offload.h                         |  56 +++
 include/net/netfilter/nf_tables.h                  |  13 +
 include/net/netfilter/nf_tables_offload.h          |  76 +++
 include/net/pkt_cls.h                              |  90 +---
 include/uapi/linux/netfilter/nf_tables.h           |   2 +
 net/core/flow_offload.c                            | 123 +++++
 net/dsa/slave.c                                    |  28 +-
 net/netfilter/Makefile                             |   2 +-
 net/netfilter/nf_tables_api.c                      |  22 +-
 net/netfilter/nf_tables_offload.c                  | 261 ++++++++++
 net/netfilter/nft_cmp.c                            |  53 +++
 net/netfilter/nft_immediate.c                      |  31 ++
 net/netfilter/nft_meta.c                           |  27 ++
 net/netfilter/nft_payload.c                        | 187 ++++++++
 net/sched/cls_api.c                                | 526 ++++++++++-----------
 net/sched/sch_ingress.c                            |   6 +-
 36 files changed, 1411 insertions(+), 783 deletions(-)
 create mode 100644 include/net/netfilter/nf_tables_offload.h
 create mode 100644 net/netfilter/nf_tables_offload.c

-- 
2.11.0