Message-Id: <20190704234843.6601-1-pablo@netfilter.org>
Date: Fri, 5 Jul 2019 01:48:28 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netdev@...r.kernel.org
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
thomas.lendacky@....com, f.fainelli@...il.com,
ariel.elior@...ium.com, michael.chan@...adcom.com,
madalin.bucur@....com, yisen.zhuang@...wei.com,
salil.mehta@...wei.com, jeffrey.t.kirsher@...el.com,
tariqt@...lanox.com, saeedm@...lanox.com, jiri@...lanox.com,
idosch@...lanox.com, jakub.kicinski@...ronome.com,
peppe.cavallaro@...com, grygorii.strashko@...com, andrew@...n.ch,
vivien.didelot@...il.com, alexandre.torgue@...com,
joabreu@...opsys.com, linux-net-drivers@...arflare.com,
ogerlitz@...lanox.com, Manish.Chopra@...ium.com,
marcelo.leitner@...il.com, mkubecek@...e.cz,
venkatkumar.duvvuru@...adcom.com, maxime.chevallier@...tlin.com,
cphealy@...il.com
Subject: [PATCH 00/15 net-next,v2] netfilter: add hardware offload infrastructure
Hi,
This patchset adds support for Netfilter hardware offloads.
This patchset reuses the existing block infrastructure, the
netdev_ops->ndo_setup_tc() interface, TC_SETUP_CLSFLOWER classifier and
the flow rule API.
Patch #1 moves tcf_block_cb code before the indirect block
infrastructure to avoid forward declarations in the next
patches. This is just a preparation patch.
Patch #2 adds tcf_block_cb_alloc() to allocate flow block callbacks.
Patch #3 adds tcf_block_cb_free() to release flow block callbacks.
Patch #4 adds the tcf_block_setup() infrastructure, which allows drivers
to set up flow block callbacks. This infrastructure transports
these objects via list (through the tc_block_offload object)
back to the core for registration.
        CLS_API                          DRIVER
     TC_SETUP_BLOCK    ---------->  setup flow_block_cb object &
                                    it adds object to flow_block_offload->cb_list
                                                |
        CLS_API     <---------------------------'
     registers                      list with flow blocks
     flow_block_cb &                travels back to
     calls ->reoffload              the core for registration
This patch introduces a global flow block list for all drivers
which is a temporary artifact to make incremental changes, it
is removed in patch #12!
Patch #5 extends tcf_block_cb_alloc() to allow drivers to set a release
callback that is invoked from tcf_block_cb_free() to release
private driver block information.
Patch #6 adds tcf_setup_block_offload(), this helper function is used by
most drivers to set up the block, including common bind and
unbind operations.
Patch #7 adapts drivers to use the infrastructure introduced in Patch #4.
Patch #8 stops exposing the tc block structure to drivers, by caching
the only information that drivers need, i.e. block is shared
flag.
Patch #9 removes the tcf_block_cb_register() / _unregister()
infrastructure, since it is now unused after Patch #7.
Patch #10 moves the flow_block API to the net/core/flow_offload.c file.
This renames from tcf_block_cb to flow_block_cb as well as the
functions to allocate, release, lookup and setup flow block
callbacks.
Patch #11 makes sure that only one flow block callback per device is
possible for now. This means only one of the ethtool / tc /
netfilter subsystems can use hardware offloads, until drivers
are updated to remove this limitation.
Patch #12 introduces a flow block list per-driver, this is a step
towards offloading multiple subsystems. This needs more work
on the driver side to support this.
Patch #13 renames TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND.
Patch #14 renames TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*.
Patch #15 introduces basic netfilter hardware offload infrastructure
for the ingress chain. This includes 5-tuple exact matching
and accept / drop rule actions. Only basechains are supported
at this stage, no .reoffload callback is implemented either.
Only the default policy "accept" is supported for now.
An example ruleset looks like this:
	table netdev filter {
		flags offload;

		chain ingress {
			type filter hook ingress device eth0 priority 0;

			ip daddr 192.168.0.10 tcp dport 22 drop
		}
	}
The 'offload' flag specifies that this table (and anything that is enclosed
in this table) belongs to hardware.
Please, apply, thanks.
Pablo Neira Ayuso (15):
net: sched: move tcf_block_cb before indr_block
net: sched: add tcf_block_cb_alloc()
net: sched: add tcf_block_cb_free()
net: sched: add tcf_block_setup()
net: sched: add release callback to struct tcf_block_cb
net: sched: add tcf_setup_block_offload()
net: use tcf_block_setup() infrastructure
net: cls_api: do not expose tcf_block to drivers
net: sched: remove tcf_block_cb_{register,unregister}()
net: flow_offload: add flow_block_cb API
net: flow_offload: don't allow subsystem to reuse blocks
net: flow_offload: make flow block callback list per-driver
net: flow_offload: rename TC_BLOCK_{UN}BIND to FLOW_BLOCK_{UN}BIND
net: flow_offload: rename TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_*
netfilter: nf_tables: add hardware offload support
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 26 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c | 29 +-
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 26 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 26 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 35 +-
drivers/net/ethernet/intel/igb/igb_main.c | 26 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 29 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 29 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 70 ++-
drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 97 ++--
drivers/net/ethernet/mscc/ocelot_ace.h | 4 +-
drivers/net/ethernet/mscc/ocelot_flower.c | 47 +-
drivers/net/ethernet/mscc/ocelot_tc.c | 42 +-
drivers/net/ethernet/netronome/nfp/abm/cls.c | 22 +-
drivers/net/ethernet/netronome/nfp/abm/main.h | 2 +-
drivers/net/ethernet/netronome/nfp/bpf/main.c | 30 +-
.../net/ethernet/netronome/nfp/flower/offload.c | 76 +--
drivers/net/ethernet/qlogic/qede/qede_main.c | 23 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 23 +-
drivers/net/netdevsim/netdev.c | 29 +-
include/net/flow_offload.h | 56 +++
include/net/netfilter/nf_tables.h | 13 +
include/net/netfilter/nf_tables_offload.h | 76 +++
include/net/pkt_cls.h | 90 +---
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/core/flow_offload.c | 123 +++++
net/dsa/slave.c | 28 +-
net/netfilter/Makefile | 2 +-
net/netfilter/nf_tables_api.c | 22 +-
net/netfilter/nf_tables_offload.c | 261 ++++++++++
net/netfilter/nft_cmp.c | 53 +++
net/netfilter/nft_immediate.c | 31 ++
net/netfilter/nft_meta.c | 27 ++
net/netfilter/nft_payload.c | 187 ++++++++
net/sched/cls_api.c | 526 ++++++++++-----------
net/sched/sch_ingress.c | 6 +-
36 files changed, 1411 insertions(+), 783 deletions(-)
create mode 100644 include/net/netfilter/nf_tables_offload.h
create mode 100644 net/netfilter/nf_tables_offload.c
--
2.11.0
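
The setup path described for patch #4 and the one-callback-per-device rule of patch #11, as a user-space C model added here for illustration; it is not code from the patchset. Only flow_block_cb, flow_block_offload and cb_list are names taken from the message; cb_ident, the model_* names and the -EBUSY / -ENOENT return values are assumptions of the model.

```c
#include <errno.h>
#include <stdlib.h>

/* User-space model of the bind path; model_* names are hypothetical. */
struct flow_block_cb { struct flow_block_cb *next; void *cb_ident; };
struct flow_block_offload { struct flow_block_cb *cb_list; };
static struct flow_block_cb *model_block_list; /* patch #4: global list */

/* Driver side: build the callback object and queue it on f->cb_list. */
static int model_driver_bind(struct flow_block_offload *f, void *dev)
{
	struct flow_block_cb *cb;
	for (cb = model_block_list; cb; cb = cb->next)
		if (cb->cb_ident == dev)
			return -EBUSY; /* patch #11: one callback per device */
	cb = malloc(sizeof(*cb));
	if (!cb)
		return -ENOMEM;
	cb->cb_ident = dev;
	cb->next = f->cb_list;
	f->cb_list = cb;
	return 0;
}

/* Core side: send the bind request, then register what travelled back. */
static int model_core_bind(void *dev)
{
	struct flow_block_offload f = { NULL };
	int err = model_driver_bind(&f, dev);
	while (!err && f.cb_list) {
		struct flow_block_cb *cb = f.cb_list;
		f.cb_list = cb->next;
		cb->next = model_block_list;
		model_block_list = cb;
	}
	return err;
}

/* Unbind: unlink and free the callback registered for this device. */
static int model_core_unbind(void *dev)
{
	struct flow_block_cb **p = &model_block_list, *cb;
	while ((cb = *p) && cb->cb_ident != dev)
		p = &cb->next;
	if (!cb)
		return -ENOENT;
	*p = cb->next;
	free(cb);
	return 0;
}
```

A second bind for a device that already has a registered callback is refused until the first one is unbound, which is how the model represents a second subsystem being unable to offload on the same device.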