From: Marcin Szycik <marcin.szycik@linux.intel.com>
To: intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org, sandeep.penigalapati@intel.com,
ananth.s@intel.com, alexander.duyck@gmail.com,
Marcin Szycik <marcin.szycik@linux.intel.com>
Subject: [PATCH iwl-next v2 00/10] Add ACL support
Date: Thu, 9 Apr 2026 13:59:53 +0200
Message-ID: <20260409120003.2719-1-marcin.szycik@linux.intel.com>

E8xx hardware provides a Ternary Classifier block for implementing
functions such as ACL (Access Control List). In this series it's simply
referred to as "ACL".

Implement ACL filtering. This expands support of network flow classification
rules for the ethtool ntuple command. ACL filtering allows for an ip or port
field's optional mask to be specified.

Example filters:
  ethtool -N eth0 flow-type tcp4 dst-port 8880 m 0x00ff action 10
  ethtool -N eth0 flow-type tcp4 src-ip 192.168.0.55 m 0.0.0.255 action -1

This is a resurrection of an old series from 2020 [1] with several
improvements, but the fundamental logic unchanged. v1 was almost pulled
in, but ultimately it was decided to drop it [2] because of unresolved
issues. One issue was too many defensive NULL checks. Second issue is
about inconsistency when using multiple input sets. Both are addressed
in this patchset.

More about the second issue:

From [3]:
>I would argue that you need to have some sort of logic that basically
>checks to see if you are going to hit the input set issue and falls
>back and applies the ACL rules. Otherwise you are significantly
>hampering the usefulness of this filter type. It doesn't make sense
>that dropping a field will cause a rule to fail to be added, but
>masking a single bit in some field will make it valid. It would make
>it a nightmare to use from the user point of view as the rules come
>across as arbitrary.

Flow Director (FD) has a hardware limitation where all filters for the same
packet type must use identical input sets. Previously, attempting to add the
second filter would fail.

Patch 10 adds automatic fallback to ACL block when FD cannot accommodate a
filter due to input set conflicts, which resolves this inconsistency.

v2:
* Rebase. Notable conflicts were the removal of ice_status and the addition of
  libie (which affected AdminQ communication)
* Reduce the number of defensive NULL checks
* Use = {} instead of memset for definitions
* Use kzalloc_obj() instead of plain kzalloc()
* Move from devm_ to plain allocation for objects that don't require it
* Move iterator declaration to loop start
* Move some defines out of structs
* Fix kdoc (except untouched ice_ethtool_fdir.c functions)
* Adjust style (err for return variable, spacing, rewrite some comments,
  commit messages)
* Remove overly verbose comments
* Add patches 5, 6, 9 and 10
* More changes listed in patches (if applicable)

[1] https://lore.kernel.org/intel-wired-lan/20200914153720.48498-1-anthony.l.nguyen@intel.com
[2] https://lore.kernel.org/netdev/7192efe4d27c93148b3205e65f37203c89170316.camel@intel.com/#t
[3] https://lore.kernel.org/netdev/CAKgT0Ucxd5-gvEwWAdbL04ER2o++RX_oekUV3E0rYquEgFKj1w@mail.gmail.com

Lukasz Czapnik (1):
  ice: use ACL for ntuple rules that conflict with FDir

Marcin Szycik (3):
  Revert "ice: remove unused ice_flow_entry fields"
  ice: use plain alloc/dealloc for ice_ntuple_fltr
  ice: re-introduce ice_dealloc_flow_entry() helper

Real Valiquette (5):
  ice: initialize ACL table
  ice: initialize ACL scenario
  ice: create flow profile
  ice: create ACL entry
  ice: program ACL entry

Tony Nguyen (1):
  ice: rename shared Flow Director functions and structs

drivers/net/ethernet/intel/ice/Makefile | 5 +-
drivers/net/ethernet/intel/ice/ice.h | 21 +-
drivers/net/ethernet/intel/ice/ice_acl.h | 170 +++
drivers/net/ethernet/intel/ice/ice_acl_main.h | 9 +
.../net/ethernet/intel/ice/ice_adminq_cmd.h | 391 +++++-
drivers/net/ethernet/intel/ice/ice_arfs.h | 2 +-
drivers/net/ethernet/intel/ice/ice_fdir.h | 18 +-
.../net/ethernet/intel/ice/ice_flex_pipe.h | 2 +
drivers/net/ethernet/intel/ice/ice_flow.h | 39 +-
.../net/ethernet/intel/ice/ice_lan_tx_rx.h | 3 +
drivers/net/ethernet/intel/ice/ice_type.h | 5 +
drivers/net/ethernet/intel/ice/ice_acl.c | 486 +++++++
drivers/net/ethernet/intel/ice/ice_acl_ctrl.c | 1111 +++++++++++++++
drivers/net/ethernet/intel/ice/ice_acl_main.c | 293 ++++
drivers/net/ethernet/intel/ice/ice_arfs.c | 8 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 8 +-
...ce_ethtool_fdir.c => ice_ethtool_ntuple.c} | 641 ++++++---
drivers/net/ethernet/intel/ice/ice_fdir.c | 30 +-
.../net/ethernet/intel/ice/ice_flex_pipe.c | 11 +-
drivers/net/ethernet/intel/ice/ice_flow.c | 1208 ++++++++++++++++-
drivers/net/ethernet/intel/ice/ice_lib.c | 10 +-
drivers/net/ethernet/intel/ice/ice_main.c | 91 +-
drivers/net/ethernet/intel/ice/virt/fdir.c | 32 +-
23 files changed, 4344 insertions(+), 250 deletions(-)
create mode 100644 drivers/net/ethernet/intel/ice/ice_acl.h
create mode 100644 drivers/net/ethernet/intel/ice/ice_acl_main.h
create mode 100644 drivers/net/ethernet/intel/ice/ice_acl.c
create mode 100644 drivers/net/ethernet/intel/ice/ice_acl_ctrl.c
create mode 100644 drivers/net/ethernet/intel/ice/ice_acl_main.c
rename drivers/net/ethernet/intel/ice/{ice_ethtool_fdir.c => ice_ethtool_ntuple.c} (79%)
--
2.49.0
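
The rule placement described in the cover letter (FD needs one input set per packet type, and patch 10 falls back to ACL on a conflict), modelled as an added example that is not code from this series or from the ice driver. All names are hypothetical, and treating any partially masked field as ACL-only is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: none of these names come from the ice driver. */
enum { F_SRC_IP = 1, F_DST_IP = 2, F_SRC_PORT = 4, F_DST_PORT = 8 };
enum flow { FLOW_TCP4, FLOW_UDP4, FLOW_MAX };
enum block { BLK_REJECTED, BLK_FD, BLK_ACL };

struct rule {
	enum flow type;
	uint32_t fields;    /* input set: bitmap of fields the rule matches on */
	bool partial_mask;  /* some field has a partial "m" mask (assumed ACL-only) */
};

struct fd_state {
	uint32_t input_set[FLOW_MAX]; /* input set shared by all FD rules of a type */
	unsigned int count[FLOW_MAX]; /* FD rules installed per packet type */
};

/* Pick the block for a rule; acl_fallback=false models the series without patch 10. */
enum block place_rule(struct fd_state *fd, const struct rule *r, bool acl_fallback)
{
	if (r->partial_mask)
		return BLK_ACL;
	if (fd->count[r->type] == 0)
		fd->input_set[r->type] = r->fields; /* first rule fixes the input set */
	if (fd->input_set[r->type] == r->fields) {
		fd->count[r->type]++;
		return BLK_FD;
	}
	/* Input set conflict with the FD rules already installed for this type. */
	return acl_fallback ? BLK_ACL : BLK_REJECTED;
}

int main(void)
{
	struct fd_state fd = {0};
	/* Constructed sample rules. */
	struct rule rules[] = {
		{ FLOW_TCP4, F_DST_PORT, false },
		{ FLOW_TCP4, F_SRC_IP | F_DST_PORT, false },
		{ FLOW_TCP4, F_DST_PORT, true },
	};
	for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
		printf("rule %zu -> block %d\n", i, place_rule(&fd, &rules[i], true));
	return 0;
}
```

For anyone auditing filters on such a NIC, the point of the model is that the block a rule lands in depends on which rules of the same packet type were installed before it.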