| // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) |
| /* Copyright (C) 2017-2018 Netronome Systems, Inc. */ |
| |
| #include <linux/skbuff.h> |
| #include <net/devlink.h> |
| #include <net/pkt_cls.h> |
| |
| #include "cmsg.h" |
| #include "main.h" |
| #include "../nfpcore/nfp_cpp.h" |
| #include "../nfpcore/nfp_nsp.h" |
| #include "../nfp_app.h" |
| #include "../nfp_main.h" |
| #include "../nfp_net.h" |
| #include "../nfp_port.h" |
| |
| #define NFP_FLOWER_SUPPORTED_TCPFLAGS \ |
| (TCPHDR_FIN | TCPHDR_SYN | TCPHDR_RST | \ |
| TCPHDR_PSH | TCPHDR_URG) |
| |
| #define NFP_FLOWER_SUPPORTED_CTLFLAGS \ |
| (FLOW_DIS_IS_FRAGMENT | \ |
| FLOW_DIS_FIRST_FRAG) |
| |
| #define NFP_FLOWER_WHITELIST_DISSECTOR \ |
| (BIT(FLOW_DISSECTOR_KEY_CONTROL) | \ |
| BIT(FLOW_DISSECTOR_KEY_BASIC) | \ |
| BIT(FLOW_DISSECTOR_KEY_IPV4_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_IPV6_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_TCP) | \ |
| BIT(FLOW_DISSECTOR_KEY_PORTS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_VLAN) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_PORTS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_OPTS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IP) | \ |
| BIT(FLOW_DISSECTOR_KEY_MPLS) | \ |
| BIT(FLOW_DISSECTOR_KEY_IP)) |
| |
| #define NFP_FLOWER_WHITELIST_TUN_DISSECTOR \ |
| (BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_OPTS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_PORTS) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IP)) |
| |
| #define NFP_FLOWER_WHITELIST_TUN_DISSECTOR_R \ |
| (BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS)) |
| |
| #define NFP_FLOWER_WHITELIST_TUN_DISSECTOR_V6_R \ |
| (BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \ |
| BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS)) |
| |
| #define NFP_FLOWER_MERGE_FIELDS \ |
| (NFP_FLOWER_LAYER_PORT | \ |
| NFP_FLOWER_LAYER_MAC | \ |
| NFP_FLOWER_LAYER_TP | \ |
| NFP_FLOWER_LAYER_IPV4 | \ |
| NFP_FLOWER_LAYER_IPV6) |
| |
| #define NFP_FLOWER_PRE_TUN_RULE_FIELDS \ |
| (NFP_FLOWER_LAYER_PORT | \ |
| NFP_FLOWER_LAYER_MAC | \ |
| NFP_FLOWER_LAYER_IPV4 | \ |
| NFP_FLOWER_LAYER_IPV6) |
| |
| struct nfp_flower_merge_check { |
| union { |
| struct { |
| __be16 tci; |
| struct nfp_flower_mac_mpls l2; |
| struct nfp_flower_tp_ports l4; |
| union { |
| struct nfp_flower_ipv4 ipv4; |
| struct nfp_flower_ipv6 ipv6; |
| }; |
| }; |
| unsigned long vals[8]; |
| }; |
| }; |
| |
| static int |
| nfp_flower_xmit_flow(struct nfp_app *app, struct nfp_fl_payload *nfp_flow, |
| u8 mtype) |
| { |
| u32 meta_len, key_len, mask_len, act_len, tot_len; |
| struct sk_buff *skb; |
| unsigned char *msg; |
| |
| meta_len = sizeof(struct nfp_fl_rule_metadata); |
| key_len = nfp_flow->meta.key_len; |
| mask_len = nfp_flow->meta.mask_len; |
| act_len = nfp_flow->meta.act_len; |
| |
| tot_len = meta_len + key_len + mask_len + act_len; |
| |
| /* Convert to long words as firmware expects |
| * lengths in units of NFP_FL_LW_SIZ. |
| */ |
| nfp_flow->meta.key_len >>= NFP_FL_LW_SIZ; |
| nfp_flow->meta.mask_len >>= NFP_FL_LW_SIZ; |
| nfp_flow->meta.act_len >>= NFP_FL_LW_SIZ; |
| |
| skb = nfp_flower_cmsg_alloc(app, tot_len, mtype, GFP_KERNEL); |
| if (!skb) |
| return -ENOMEM; |
| |
| msg = nfp_flower_cmsg_get_data(skb); |
| memcpy(msg, &nfp_flow->meta, meta_len); |
| memcpy(&msg[meta_len], nfp_flow->unmasked_data, key_len); |
| memcpy(&msg[meta_len + key_len], nfp_flow->mask_data, mask_len); |
| memcpy(&msg[meta_len + key_len + mask_len], |
| nfp_flow->action_data, act_len); |
| |
| /* Convert back to bytes as software expects |
| * lengths in units of bytes. |
| */ |
| nfp_flow->meta.key_len <<= NFP_FL_LW_SIZ; |
| nfp_flow->meta.mask_len <<= NFP_FL_LW_SIZ; |
| nfp_flow->meta.act_len <<= NFP_FL_LW_SIZ; |
| |
| nfp_ctrl_tx(app->ctrl, skb); |
| |
| return 0; |
| } |
| |
| static bool nfp_flower_check_higher_than_mac(struct flow_cls_offload *f) |
| { |
| struct flow_rule *rule = flow_cls_offload_flow_rule(f); |
| |
| return flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS) || |
| flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV6_ADDRS) || |
| flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_PORTS) || |
| flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ICMP); |
| } |
| |
| static bool nfp_flower_check_higher_than_l3(struct flow_cls_offload *f) |
| { |
| struct flow_rule *rule = flow_cls_offload_flow_rule(f); |
| |
| return flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_PORTS) || |
| flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ICMP); |
| } |
| |
| static int |
| nfp_flower_calc_opt_layer(struct flow_dissector_key_enc_opts *enc_opts, |
| u32 *key_layer_two, int *key_size, bool ipv6, |
| struct netlink_ext_ack *extack) |
| { |
| if (enc_opts->len > NFP_FL_MAX_GENEVE_OPT_KEY || |
| (ipv6 && enc_opts->len > NFP_FL_MAX_GENEVE_OPT_KEY_V6)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: geneve options exceed maximum length"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (enc_opts->len > 0) { |
| *key_layer_two |= NFP_FLOWER_LAYER2_GENEVE_OP; |
| *key_size += sizeof(struct nfp_flower_geneve_options); |
| } |
| |
| return 0; |
| } |
| |
| static int |
| nfp_flower_calc_udp_tun_layer(struct flow_dissector_key_ports *enc_ports, |
| struct flow_dissector_key_enc_opts *enc_op, |
| u32 *key_layer_two, u8 *key_layer, int *key_size, |
| struct nfp_flower_priv *priv, |
| enum nfp_flower_tun_type *tun_type, bool ipv6, |
| struct netlink_ext_ack *extack) |
| { |
| int err; |
| |
| switch (enc_ports->dst) { |
| case htons(IANA_VXLAN_UDP_PORT): |
| *tun_type = NFP_FL_TUNNEL_VXLAN; |
| *key_layer |= NFP_FLOWER_LAYER_VXLAN; |
| |
| if (ipv6) { |
| *key_layer |= NFP_FLOWER_LAYER_EXT_META; |
| *key_size += sizeof(struct nfp_flower_ext_meta); |
| *key_layer_two |= NFP_FLOWER_LAYER2_TUN_IPV6; |
| *key_size += sizeof(struct nfp_flower_ipv6_udp_tun); |
| } else { |
| *key_size += sizeof(struct nfp_flower_ipv4_udp_tun); |
| } |
| |
| if (enc_op) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: encap options not supported on vxlan tunnels"); |
| return -EOPNOTSUPP; |
| } |
| break; |
| case htons(GENEVE_UDP_PORT): |
| if (!(priv->flower_ext_feats & NFP_FL_FEATS_GENEVE)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support geneve offload"); |
| return -EOPNOTSUPP; |
| } |
| *tun_type = NFP_FL_TUNNEL_GENEVE; |
| *key_layer |= NFP_FLOWER_LAYER_EXT_META; |
| *key_size += sizeof(struct nfp_flower_ext_meta); |
| *key_layer_two |= NFP_FLOWER_LAYER2_GENEVE; |
| |
| if (ipv6) { |
| *key_layer_two |= NFP_FLOWER_LAYER2_TUN_IPV6; |
| *key_size += sizeof(struct nfp_flower_ipv6_udp_tun); |
| } else { |
| *key_size += sizeof(struct nfp_flower_ipv4_udp_tun); |
| } |
| |
| if (!enc_op) |
| break; |
| if (!(priv->flower_ext_feats & NFP_FL_FEATS_GENEVE_OPT)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support geneve option offload"); |
| return -EOPNOTSUPP; |
| } |
| err = nfp_flower_calc_opt_layer(enc_op, key_layer_two, key_size, |
| ipv6, extack); |
| if (err) |
| return err; |
| break; |
| default: |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: tunnel type unknown"); |
| return -EOPNOTSUPP; |
| } |
| |
| return 0; |
| } |
| |
| static int |
| nfp_flower_calculate_key_layers(struct nfp_app *app, |
| struct net_device *netdev, |
| struct nfp_fl_key_ls *ret_key_ls, |
| struct flow_cls_offload *flow, |
| enum nfp_flower_tun_type *tun_type, |
| struct netlink_ext_ack *extack) |
| { |
| struct flow_rule *rule = flow_cls_offload_flow_rule(flow); |
| struct flow_dissector *dissector = rule->match.dissector; |
| struct flow_match_basic basic = { NULL, NULL}; |
| struct nfp_flower_priv *priv = app->priv; |
| u32 key_layer_two; |
| u8 key_layer; |
| int key_size; |
| int err; |
| |
| if (dissector->used_keys & ~NFP_FLOWER_WHITELIST_DISSECTOR) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match not supported"); |
| return -EOPNOTSUPP; |
| } |
| |
| /* If any tun dissector is used then the required set must be used. */ |
| if (dissector->used_keys & NFP_FLOWER_WHITELIST_TUN_DISSECTOR && |
| (dissector->used_keys & NFP_FLOWER_WHITELIST_TUN_DISSECTOR_V6_R) |
| != NFP_FLOWER_WHITELIST_TUN_DISSECTOR_V6_R && |
| (dissector->used_keys & NFP_FLOWER_WHITELIST_TUN_DISSECTOR_R) |
| != NFP_FLOWER_WHITELIST_TUN_DISSECTOR_R) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: tunnel match not supported"); |
| return -EOPNOTSUPP; |
| } |
| |
| key_layer_two = 0; |
| key_layer = NFP_FLOWER_LAYER_PORT; |
| key_size = sizeof(struct nfp_flower_meta_tci) + |
| sizeof(struct nfp_flower_in_port); |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS) || |
| flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_MPLS)) { |
| key_layer |= NFP_FLOWER_LAYER_MAC; |
| key_size += sizeof(struct nfp_flower_mac_mpls); |
| } |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_VLAN)) { |
| struct flow_match_vlan vlan; |
| |
| flow_rule_match_vlan(rule, &vlan); |
| if (!(priv->flower_ext_feats & NFP_FL_FEATS_VLAN_PCP) && |
| vlan.key->vlan_priority) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support VLAN PCP offload"); |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_CONTROL)) { |
| struct flow_match_enc_opts enc_op = { NULL, NULL }; |
| struct flow_match_ipv4_addrs ipv4_addrs; |
| struct flow_match_ipv6_addrs ipv6_addrs; |
| struct flow_match_control enc_ctl; |
| struct flow_match_ports enc_ports; |
| bool ipv6_tun = false; |
| |
| flow_rule_match_enc_control(rule, &enc_ctl); |
| |
| if (enc_ctl.mask->addr_type != 0xffff) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: wildcarded protocols on tunnels are not supported"); |
| return -EOPNOTSUPP; |
| } |
| |
| ipv6_tun = enc_ctl.key->addr_type == |
| FLOW_DISSECTOR_KEY_IPV6_ADDRS; |
| if (ipv6_tun && |
| !(priv->flower_ext_feats & NFP_FL_FEATS_IPV6_TUN)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: firmware does not support IPv6 tunnels"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (!ipv6_tun && |
| enc_ctl.key->addr_type != FLOW_DISSECTOR_KEY_IPV4_ADDRS) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: tunnel address type not IPv4 or IPv6"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (ipv6_tun) { |
| flow_rule_match_enc_ipv6_addrs(rule, &ipv6_addrs); |
| if (memchr_inv(&ipv6_addrs.mask->dst, 0xff, |
| sizeof(ipv6_addrs.mask->dst))) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: only an exact match IPv6 destination address is supported"); |
| return -EOPNOTSUPP; |
| } |
| } else { |
| flow_rule_match_enc_ipv4_addrs(rule, &ipv4_addrs); |
| if (ipv4_addrs.mask->dst != cpu_to_be32(~0)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: only an exact match IPv4 destination address is supported"); |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_OPTS)) |
| flow_rule_match_enc_opts(rule, &enc_op); |
| |
| if (!flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_PORTS)) { |
| /* check if GRE, which has no enc_ports */ |
| if (!netif_is_gretap(netdev)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: an exact match on L4 destination port is required for non-GRE tunnels"); |
| return -EOPNOTSUPP; |
| } |
| |
| *tun_type = NFP_FL_TUNNEL_GRE; |
| key_layer |= NFP_FLOWER_LAYER_EXT_META; |
| key_size += sizeof(struct nfp_flower_ext_meta); |
| key_layer_two |= NFP_FLOWER_LAYER2_GRE; |
| |
| if (ipv6_tun) { |
| key_layer_two |= NFP_FLOWER_LAYER2_TUN_IPV6; |
| key_size += |
| sizeof(struct nfp_flower_ipv6_udp_tun); |
| } else { |
| key_size += |
| sizeof(struct nfp_flower_ipv4_udp_tun); |
| } |
| |
| if (enc_op.key) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: encap options not supported on GRE tunnels"); |
| return -EOPNOTSUPP; |
| } |
| } else { |
| flow_rule_match_enc_ports(rule, &enc_ports); |
| if (enc_ports.mask->dst != cpu_to_be16(~0)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: only an exact match L4 destination port is supported"); |
| return -EOPNOTSUPP; |
| } |
| |
| err = nfp_flower_calc_udp_tun_layer(enc_ports.key, |
| enc_op.key, |
| &key_layer_two, |
| &key_layer, |
| &key_size, priv, |
| tun_type, ipv6_tun, |
| extack); |
| if (err) |
| return err; |
| |
| /* Ensure the ingress netdev matches the expected |
| * tun type. |
| */ |
| if (!nfp_fl_netdev_is_tunnel_type(netdev, *tun_type)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: ingress netdev does not match the expected tunnel type"); |
| return -EOPNOTSUPP; |
| } |
| } |
| } |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_BASIC)) |
| flow_rule_match_basic(rule, &basic); |
| |
| if (basic.mask && basic.mask->n_proto) { |
| /* Ethernet type is present in the key. */ |
| switch (basic.key->n_proto) { |
| case cpu_to_be16(ETH_P_IP): |
| key_layer |= NFP_FLOWER_LAYER_IPV4; |
| key_size += sizeof(struct nfp_flower_ipv4); |
| break; |
| |
| case cpu_to_be16(ETH_P_IPV6): |
| key_layer |= NFP_FLOWER_LAYER_IPV6; |
| key_size += sizeof(struct nfp_flower_ipv6); |
| break; |
| |
| /* Currently we do not offload ARP |
| * because we rely on it to get to the host. |
| */ |
| case cpu_to_be16(ETH_P_ARP): |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: ARP not supported"); |
| return -EOPNOTSUPP; |
| |
| case cpu_to_be16(ETH_P_MPLS_UC): |
| case cpu_to_be16(ETH_P_MPLS_MC): |
| if (!(key_layer & NFP_FLOWER_LAYER_MAC)) { |
| key_layer |= NFP_FLOWER_LAYER_MAC; |
| key_size += sizeof(struct nfp_flower_mac_mpls); |
| } |
| break; |
| |
| /* Will be included in layer 2. */ |
| case cpu_to_be16(ETH_P_8021Q): |
| break; |
| |
| default: |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on given EtherType is not supported"); |
| return -EOPNOTSUPP; |
| } |
| } else if (nfp_flower_check_higher_than_mac(flow)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: cannot match above L2 without specified EtherType"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (basic.mask && basic.mask->ip_proto) { |
| switch (basic.key->ip_proto) { |
| case IPPROTO_TCP: |
| case IPPROTO_UDP: |
| case IPPROTO_SCTP: |
| case IPPROTO_ICMP: |
| case IPPROTO_ICMPV6: |
| key_layer |= NFP_FLOWER_LAYER_TP; |
| key_size += sizeof(struct nfp_flower_tp_ports); |
| break; |
| } |
| } |
| |
| if (!(key_layer & NFP_FLOWER_LAYER_TP) && |
| nfp_flower_check_higher_than_l3(flow)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: cannot match on L4 information without specified IP protocol type"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_TCP)) { |
| struct flow_match_tcp tcp; |
| u32 tcp_flags; |
| |
| flow_rule_match_tcp(rule, &tcp); |
| tcp_flags = be16_to_cpu(tcp.key->flags); |
| |
| if (tcp_flags & ~NFP_FLOWER_SUPPORTED_TCPFLAGS) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: no match support for selected TCP flags"); |
| return -EOPNOTSUPP; |
| } |
| |
| /* We only support PSH and URG flags when either |
| * FIN, SYN or RST is present as well. |
| */ |
| if ((tcp_flags & (TCPHDR_PSH | TCPHDR_URG)) && |
| !(tcp_flags & (TCPHDR_FIN | TCPHDR_SYN | TCPHDR_RST))) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: PSH and URG is only supported when used with FIN, SYN or RST"); |
| return -EOPNOTSUPP; |
| } |
| |
| /* We need to store TCP flags in the either the IPv4 or IPv6 key |
| * space, thus we need to ensure we include a IPv4/IPv6 key |
| * layer if we have not done so already. |
| */ |
| if (!basic.key) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on TCP flags requires a match on L3 protocol"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (!(key_layer & NFP_FLOWER_LAYER_IPV4) && |
| !(key_layer & NFP_FLOWER_LAYER_IPV6)) { |
| switch (basic.key->n_proto) { |
| case cpu_to_be16(ETH_P_IP): |
| key_layer |= NFP_FLOWER_LAYER_IPV4; |
| key_size += sizeof(struct nfp_flower_ipv4); |
| break; |
| |
| case cpu_to_be16(ETH_P_IPV6): |
| key_layer |= NFP_FLOWER_LAYER_IPV6; |
| key_size += sizeof(struct nfp_flower_ipv6); |
| break; |
| |
| default: |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on TCP flags requires a match on IPv4/IPv6"); |
| return -EOPNOTSUPP; |
| } |
| } |
| } |
| |
| if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) { |
| struct flow_match_control ctl; |
| |
| flow_rule_match_control(rule, &ctl); |
| if (ctl.key->flags & ~NFP_FLOWER_SUPPORTED_CTLFLAGS) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on unknown control flag"); |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| ret_key_ls->key_layer = key_layer; |
| ret_key_ls->key_layer_two = key_layer_two; |
| ret_key_ls->key_size = key_size; |
| |
| return 0; |
| } |
| |
| static struct nfp_fl_payload * |
| nfp_flower_allocate_new(struct nfp_fl_key_ls *key_layer) |
| { |
| struct nfp_fl_payload *flow_pay; |
| |
| flow_pay = kmalloc(sizeof(*flow_pay), GFP_KERNEL); |
| if (!flow_pay) |
| return NULL; |
| |
| flow_pay->meta.key_len = key_layer->key_size; |
| flow_pay->unmasked_data = kmalloc(key_layer->key_size, GFP_KERNEL); |
| if (!flow_pay->unmasked_data) |
| goto err_free_flow; |
| |
| flow_pay->meta.mask_len = key_layer->key_size; |
| flow_pay->mask_data = kmalloc(key_layer->key_size, GFP_KERNEL); |
| if (!flow_pay->mask_data) |
| goto err_free_unmasked; |
| |
| flow_pay->action_data = kmalloc(NFP_FL_MAX_A_SIZ, GFP_KERNEL); |
| if (!flow_pay->action_data) |
| goto err_free_mask; |
| |
| flow_pay->nfp_tun_ipv4_addr = 0; |
| flow_pay->nfp_tun_ipv6 = NULL; |
| flow_pay->meta.flags = 0; |
| INIT_LIST_HEAD(&flow_pay->linked_flows); |
| flow_pay->in_hw = false; |
| flow_pay->pre_tun_rule.dev = NULL; |
| |
| return flow_pay; |
| |
| err_free_mask: |
| kfree(flow_pay->mask_data); |
| err_free_unmasked: |
| kfree(flow_pay->unmasked_data); |
| err_free_flow: |
| kfree(flow_pay); |
| return NULL; |
| } |
| |
| static int |
| nfp_flower_update_merge_with_actions(struct nfp_fl_payload *flow, |
| struct nfp_flower_merge_check *merge, |
| u8 *last_act_id, int *act_out) |
| { |
| struct nfp_fl_set_ipv6_tc_hl_fl *ipv6_tc_hl_fl; |
| struct nfp_fl_set_ip4_ttl_tos *ipv4_ttl_tos; |
| struct nfp_fl_set_ip4_addrs *ipv4_add; |
| struct nfp_fl_set_ipv6_addr *ipv6_add; |
| struct nfp_fl_push_vlan *push_vlan; |
| struct nfp_fl_pre_tunnel *pre_tun; |
| struct nfp_fl_set_tport *tport; |
| struct nfp_fl_set_eth *eth; |
| struct nfp_fl_act_head *a; |
| unsigned int act_off = 0; |
| bool ipv6_tun = false; |
| u8 act_id = 0; |
| u8 *ports; |
| int i; |
| |
| while (act_off < flow->meta.act_len) { |
| a = (struct nfp_fl_act_head *)&flow->action_data[act_off]; |
| act_id = a->jump_id; |
| |
| switch (act_id) { |
| case NFP_FL_ACTION_OPCODE_OUTPUT: |
| if (act_out) |
| (*act_out)++; |
| break; |
| case NFP_FL_ACTION_OPCODE_PUSH_VLAN: |
| push_vlan = (struct nfp_fl_push_vlan *)a; |
| if (push_vlan->vlan_tci) |
| merge->tci = cpu_to_be16(0xffff); |
| break; |
| case NFP_FL_ACTION_OPCODE_POP_VLAN: |
| merge->tci = cpu_to_be16(0); |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_TUNNEL: |
| /* New tunnel header means l2 to l4 can be matched. */ |
| eth_broadcast_addr(&merge->l2.mac_dst[0]); |
| eth_broadcast_addr(&merge->l2.mac_src[0]); |
| memset(&merge->l4, 0xff, |
| sizeof(struct nfp_flower_tp_ports)); |
| if (ipv6_tun) |
| memset(&merge->ipv6, 0xff, |
| sizeof(struct nfp_flower_ipv6)); |
| else |
| memset(&merge->ipv4, 0xff, |
| sizeof(struct nfp_flower_ipv4)); |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_ETHERNET: |
| eth = (struct nfp_fl_set_eth *)a; |
| for (i = 0; i < ETH_ALEN; i++) |
| merge->l2.mac_dst[i] |= eth->eth_addr_mask[i]; |
| for (i = 0; i < ETH_ALEN; i++) |
| merge->l2.mac_src[i] |= |
| eth->eth_addr_mask[ETH_ALEN + i]; |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_IPV4_ADDRS: |
| ipv4_add = (struct nfp_fl_set_ip4_addrs *)a; |
| merge->ipv4.ipv4_src |= ipv4_add->ipv4_src_mask; |
| merge->ipv4.ipv4_dst |= ipv4_add->ipv4_dst_mask; |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_IPV4_TTL_TOS: |
| ipv4_ttl_tos = (struct nfp_fl_set_ip4_ttl_tos *)a; |
| merge->ipv4.ip_ext.ttl |= ipv4_ttl_tos->ipv4_ttl_mask; |
| merge->ipv4.ip_ext.tos |= ipv4_ttl_tos->ipv4_tos_mask; |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_IPV6_SRC: |
| ipv6_add = (struct nfp_fl_set_ipv6_addr *)a; |
| for (i = 0; i < 4; i++) |
| merge->ipv6.ipv6_src.in6_u.u6_addr32[i] |= |
| ipv6_add->ipv6[i].mask; |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_IPV6_DST: |
| ipv6_add = (struct nfp_fl_set_ipv6_addr *)a; |
| for (i = 0; i < 4; i++) |
| merge->ipv6.ipv6_dst.in6_u.u6_addr32[i] |= |
| ipv6_add->ipv6[i].mask; |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_IPV6_TC_HL_FL: |
| ipv6_tc_hl_fl = (struct nfp_fl_set_ipv6_tc_hl_fl *)a; |
| merge->ipv6.ip_ext.ttl |= |
| ipv6_tc_hl_fl->ipv6_hop_limit_mask; |
| merge->ipv6.ip_ext.tos |= ipv6_tc_hl_fl->ipv6_tc_mask; |
| merge->ipv6.ipv6_flow_label_exthdr |= |
| ipv6_tc_hl_fl->ipv6_label_mask; |
| break; |
| case NFP_FL_ACTION_OPCODE_SET_UDP: |
| case NFP_FL_ACTION_OPCODE_SET_TCP: |
| tport = (struct nfp_fl_set_tport *)a; |
| ports = (u8 *)&merge->l4.port_src; |
| for (i = 0; i < 4; i++) |
| ports[i] |= tport->tp_port_mask[i]; |
| break; |
| case NFP_FL_ACTION_OPCODE_PRE_TUNNEL: |
| pre_tun = (struct nfp_fl_pre_tunnel *)a; |
| ipv6_tun = be16_to_cpu(pre_tun->flags) & |
| NFP_FL_PRE_TUN_IPV6; |
| break; |
| case NFP_FL_ACTION_OPCODE_PRE_LAG: |
| case NFP_FL_ACTION_OPCODE_PUSH_GENEVE: |
| break; |
| default: |
| return -EOPNOTSUPP; |
| } |
| |
| act_off += a->len_lw << NFP_FL_LW_SIZ; |
| } |
| |
| if (last_act_id) |
| *last_act_id = act_id; |
| |
| return 0; |
| } |
| |
| static int |
| nfp_flower_populate_merge_match(struct nfp_fl_payload *flow, |
| struct nfp_flower_merge_check *merge, |
| bool extra_fields) |
| { |
| struct nfp_flower_meta_tci *meta_tci; |
| u8 *mask = flow->mask_data; |
| u8 key_layer, match_size; |
| |
| memset(merge, 0, sizeof(struct nfp_flower_merge_check)); |
| |
| meta_tci = (struct nfp_flower_meta_tci *)mask; |
| key_layer = meta_tci->nfp_flow_key_layer; |
| |
| if (key_layer & ~NFP_FLOWER_MERGE_FIELDS && !extra_fields) |
| return -EOPNOTSUPP; |
| |
| merge->tci = meta_tci->tci; |
| mask += sizeof(struct nfp_flower_meta_tci); |
| |
| if (key_layer & NFP_FLOWER_LAYER_EXT_META) |
| mask += sizeof(struct nfp_flower_ext_meta); |
| |
| mask += sizeof(struct nfp_flower_in_port); |
| |
| if (key_layer & NFP_FLOWER_LAYER_MAC) { |
| match_size = sizeof(struct nfp_flower_mac_mpls); |
| memcpy(&merge->l2, mask, match_size); |
| mask += match_size; |
| } |
| |
| if (key_layer & NFP_FLOWER_LAYER_TP) { |
| match_size = sizeof(struct nfp_flower_tp_ports); |
| memcpy(&merge->l4, mask, match_size); |
| mask += match_size; |
| } |
| |
| if (key_layer & NFP_FLOWER_LAYER_IPV4) { |
| match_size = sizeof(struct nfp_flower_ipv4); |
| memcpy(&merge->ipv4, mask, match_size); |
| } |
| |
| if (key_layer & NFP_FLOWER_LAYER_IPV6) { |
| match_size = sizeof(struct nfp_flower_ipv6); |
| memcpy(&merge->ipv6, mask, match_size); |
| } |
| |
| return 0; |
| } |
| |
| static int |
| nfp_flower_can_merge(struct nfp_fl_payload *sub_flow1, |
| struct nfp_fl_payload *sub_flow2) |
| { |
| /* Two flows can be merged if sub_flow2 only matches on bits that are |
| * either matched by sub_flow1 or set by a sub_flow1 action. This |
| * ensures that every packet that hits sub_flow1 and recirculates is |
| * guaranteed to hit sub_flow2. |
| */ |
| struct nfp_flower_merge_check sub_flow1_merge, sub_flow2_merge; |
| int err, act_out = 0; |
| u8 last_act_id = 0; |
| |
| err = nfp_flower_populate_merge_match(sub_flow1, &sub_flow1_merge, |
| true); |
| if (err) |
| return err; |
| |
| err = nfp_flower_populate_merge_match(sub_flow2, &sub_flow2_merge, |
| false); |
| if (err) |
| return err; |
| |
| err = nfp_flower_update_merge_with_actions(sub_flow1, &sub_flow1_merge, |
| &last_act_id, &act_out); |
| if (err) |
| return err; |
| |
| /* Must only be 1 output action and it must be the last in sequence. */ |
| if (act_out != 1 || last_act_id != NFP_FL_ACTION_OPCODE_OUTPUT) |
| return -EOPNOTSUPP; |
| |
| /* Reject merge if sub_flow2 matches on something that is not matched |
| * on or set in an action by sub_flow1. |
| */ |
| err = bitmap_andnot(sub_flow2_merge.vals, sub_flow2_merge.vals, |
| sub_flow1_merge.vals, |
| sizeof(struct nfp_flower_merge_check) * 8); |
| if (err) |
| return -EINVAL; |
| |
| return 0; |
| } |
| |
| static unsigned int |
| nfp_flower_copy_pre_actions(char *act_dst, char *act_src, int len, |
| bool *tunnel_act) |
| { |
| unsigned int act_off = 0, act_len; |
| struct nfp_fl_act_head *a; |
| u8 act_id = 0; |
| |
| while (act_off < len) { |
| a = (struct nfp_fl_act_head *)&act_src[act_off]; |
| act_len = a->len_lw << NFP_FL_LW_SIZ; |
| act_id = a->jump_id; |
| |
| switch (act_id) { |
| case NFP_FL_ACTION_OPCODE_PRE_TUNNEL: |
| if (tunnel_act) |
| *tunnel_act = true; |
| /* fall through */ |
| case NFP_FL_ACTION_OPCODE_PRE_LAG: |
| memcpy(act_dst + act_off, act_src + act_off, act_len); |
| break; |
| default: |
| return act_off; |
| } |
| |
| act_off += act_len; |
| } |
| |
| return act_off; |
| } |
| |
| static int |
| nfp_fl_verify_post_tun_acts(char *acts, int len, struct nfp_fl_push_vlan **vlan) |
| { |
| struct nfp_fl_act_head *a; |
| unsigned int act_off = 0; |
| |
| while (act_off < len) { |
| a = (struct nfp_fl_act_head *)&acts[act_off]; |
| |
| if (a->jump_id == NFP_FL_ACTION_OPCODE_PUSH_VLAN && !act_off) |
| *vlan = (struct nfp_fl_push_vlan *)a; |
| else if (a->jump_id != NFP_FL_ACTION_OPCODE_OUTPUT) |
| return -EOPNOTSUPP; |
| |
| act_off += a->len_lw << NFP_FL_LW_SIZ; |
| } |
| |
| /* Ensure any VLAN push also has an egress action. */ |
| if (*vlan && act_off <= sizeof(struct nfp_fl_push_vlan)) |
| return -EOPNOTSUPP; |
| |
| return 0; |
| } |
| |
| static int |
| nfp_fl_push_vlan_after_tun(char *acts, int len, struct nfp_fl_push_vlan *vlan) |
| { |
| struct nfp_fl_set_tun *tun; |
| struct nfp_fl_act_head *a; |
| unsigned int act_off = 0; |
| |
| while (act_off < len) { |
| a = (struct nfp_fl_act_head *)&acts[act_off]; |
| |
| if (a->jump_id == NFP_FL_ACTION_OPCODE_SET_TUNNEL) { |
| tun = (struct nfp_fl_set_tun *)a; |
| tun->outer_vlan_tpid = vlan->vlan_tpid; |
| tun->outer_vlan_tci = vlan->vlan_tci; |
| |
| return 0; |
| } |
| |
| act_off += a->len_lw << NFP_FL_LW_SIZ; |
| } |
| |
| /* Return error if no tunnel action is found. */ |
| return -EOPNOTSUPP; |
| } |
| |
| static int |
| nfp_flower_merge_action(struct nfp_fl_payload *sub_flow1, |
| struct nfp_fl_payload *sub_flow2, |
| struct nfp_fl_payload *merge_flow) |
| { |
| unsigned int sub1_act_len, sub2_act_len, pre_off1, pre_off2; |
| struct nfp_fl_push_vlan *post_tun_push_vlan = NULL; |
| bool tunnel_act = false; |
| char *merge_act; |
| int err; |
| |
| /* The last action of sub_flow1 must be output - do not merge this. */ |
| sub1_act_len = sub_flow1->meta.act_len - sizeof(struct nfp_fl_output); |
| sub2_act_len = sub_flow2->meta.act_len; |
| |
| if (!sub2_act_len) |
| return -EINVAL; |
| |
| if (sub1_act_len + sub2_act_len > NFP_FL_MAX_A_SIZ) |
| return -EINVAL; |
| |
| /* A shortcut can only be applied if there is a single action. */ |
| if (sub1_act_len) |
| merge_flow->meta.shortcut = cpu_to_be32(NFP_FL_SC_ACT_NULL); |
| else |
| merge_flow->meta.shortcut = sub_flow2->meta.shortcut; |
| |
| merge_flow->meta.act_len = sub1_act_len + sub2_act_len; |
| merge_act = merge_flow->action_data; |
| |
| /* Copy any pre-actions to the start of merge flow action list. */ |
| pre_off1 = nfp_flower_copy_pre_actions(merge_act, |
| sub_flow1->action_data, |
| sub1_act_len, &tunnel_act); |
| merge_act += pre_off1; |
| sub1_act_len -= pre_off1; |
| pre_off2 = nfp_flower_copy_pre_actions(merge_act, |
| sub_flow2->action_data, |
| sub2_act_len, NULL); |
| merge_act += pre_off2; |
| sub2_act_len -= pre_off2; |
| |
| /* FW does a tunnel push when egressing, therefore, if sub_flow 1 pushes |
| * a tunnel, there are restrictions on what sub_flow 2 actions lead to a |
| * valid merge. |
| */ |
| if (tunnel_act) { |
| char *post_tun_acts = &sub_flow2->action_data[pre_off2]; |
| |
| err = nfp_fl_verify_post_tun_acts(post_tun_acts, sub2_act_len, |
| &post_tun_push_vlan); |
| if (err) |
| return err; |
| |
| if (post_tun_push_vlan) { |
| pre_off2 += sizeof(*post_tun_push_vlan); |
| sub2_act_len -= sizeof(*post_tun_push_vlan); |
| } |
| } |
| |
| /* Copy remaining actions from sub_flows 1 and 2. */ |
| memcpy(merge_act, sub_flow1->action_data + pre_off1, sub1_act_len); |
| |
| if (post_tun_push_vlan) { |
| /* Update tunnel action in merge to include VLAN push. */ |
| err = nfp_fl_push_vlan_after_tun(merge_act, sub1_act_len, |
| post_tun_push_vlan); |
| if (err) |
| return err; |
| |
| merge_flow->meta.act_len -= sizeof(*post_tun_push_vlan); |
| } |
| |
| merge_act += sub1_act_len; |
| memcpy(merge_act, sub_flow2->action_data + pre_off2, sub2_act_len); |
| |
| return 0; |
| } |
| |
| /* Flow link code should only be accessed under RTNL. */ |
| static void nfp_flower_unlink_flow(struct nfp_fl_payload_link *link) |
| { |
| list_del(&link->merge_flow.list); |
| list_del(&link->sub_flow.list); |
| kfree(link); |
| } |
| |
| static void nfp_flower_unlink_flows(struct nfp_fl_payload *merge_flow, |
| struct nfp_fl_payload *sub_flow) |
| { |
| struct nfp_fl_payload_link *link; |
| |
| list_for_each_entry(link, &merge_flow->linked_flows, merge_flow.list) |
| if (link->sub_flow.flow == sub_flow) { |
| nfp_flower_unlink_flow(link); |
| return; |
| } |
| } |
| |
| static int nfp_flower_link_flows(struct nfp_fl_payload *merge_flow, |
| struct nfp_fl_payload *sub_flow) |
| { |
| struct nfp_fl_payload_link *link; |
| |
| link = kmalloc(sizeof(*link), GFP_KERNEL); |
| if (!link) |
| return -ENOMEM; |
| |
| link->merge_flow.flow = merge_flow; |
| list_add_tail(&link->merge_flow.list, &merge_flow->linked_flows); |
| link->sub_flow.flow = sub_flow; |
| list_add_tail(&link->sub_flow.list, &sub_flow->linked_flows); |
| |
| return 0; |
| } |
| |
| /** |
| * nfp_flower_merge_offloaded_flows() - Merge 2 existing flows to single flow. |
| * @app: Pointer to the APP handle |
| * @sub_flow1: Initial flow matched to produce merge hint |
| * @sub_flow2: Post recirculation flow matched in merge hint |
| * |
| * Combines 2 flows (if valid) to a single flow, removing the initial from hw |
| * and offloading the new, merged flow. |
| * |
| * Return: negative value on error, 0 in success. |
| */ |
| int nfp_flower_merge_offloaded_flows(struct nfp_app *app, |
| struct nfp_fl_payload *sub_flow1, |
| struct nfp_fl_payload *sub_flow2) |
| { |
| struct flow_cls_offload merge_tc_off; |
| struct nfp_flower_priv *priv = app->priv; |
| struct netlink_ext_ack *extack = NULL; |
| struct nfp_fl_payload *merge_flow; |
| struct nfp_fl_key_ls merge_key_ls; |
| int err; |
| |
| ASSERT_RTNL(); |
| |
| extack = merge_tc_off.common.extack; |
| if (sub_flow1 == sub_flow2 || |
| nfp_flower_is_merge_flow(sub_flow1) || |
| nfp_flower_is_merge_flow(sub_flow2)) |
| return -EINVAL; |
| |
| err = nfp_flower_can_merge(sub_flow1, sub_flow2); |
| if (err) |
| return err; |
| |
| merge_key_ls.key_size = sub_flow1->meta.key_len; |
| |
| merge_flow = nfp_flower_allocate_new(&merge_key_ls); |
| if (!merge_flow) |
| return -ENOMEM; |
| |
| merge_flow->tc_flower_cookie = (unsigned long)merge_flow; |
| merge_flow->ingress_dev = sub_flow1->ingress_dev; |
| |
| memcpy(merge_flow->unmasked_data, sub_flow1->unmasked_data, |
| sub_flow1->meta.key_len); |
| memcpy(merge_flow->mask_data, sub_flow1->mask_data, |
| sub_flow1->meta.mask_len); |
| |
| err = nfp_flower_merge_action(sub_flow1, sub_flow2, merge_flow); |
| if (err) |
| goto err_destroy_merge_flow; |
| |
| err = nfp_flower_link_flows(merge_flow, sub_flow1); |
| if (err) |
| goto err_destroy_merge_flow; |
| |
| err = nfp_flower_link_flows(merge_flow, sub_flow2); |
| if (err) |
| goto err_unlink_sub_flow1; |
| |
| merge_tc_off.cookie = merge_flow->tc_flower_cookie; |
| err = nfp_compile_flow_metadata(app, &merge_tc_off, merge_flow, |
| merge_flow->ingress_dev, extack); |
| if (err) |
| goto err_unlink_sub_flow2; |
| |
| err = rhashtable_insert_fast(&priv->flow_table, &merge_flow->fl_node, |
| nfp_flower_table_params); |
| if (err) |
| goto err_release_metadata; |
| |
| err = nfp_flower_xmit_flow(app, merge_flow, |
| NFP_FLOWER_CMSG_TYPE_FLOW_MOD); |
| if (err) |
| goto err_remove_rhash; |
| |
| merge_flow->in_hw = true; |
| sub_flow1->in_hw = false; |
| |
| return 0; |
| |
| err_remove_rhash: |
| WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table, |
| &merge_flow->fl_node, |
| nfp_flower_table_params)); |
| err_release_metadata: |
| nfp_modify_flow_metadata(app, merge_flow); |
| err_unlink_sub_flow2: |
| nfp_flower_unlink_flows(merge_flow, sub_flow2); |
| err_unlink_sub_flow1: |
| nfp_flower_unlink_flows(merge_flow, sub_flow1); |
| err_destroy_merge_flow: |
| kfree(merge_flow->action_data); |
| kfree(merge_flow->mask_data); |
| kfree(merge_flow->unmasked_data); |
| kfree(merge_flow); |
| return err; |
| } |
| |
| /** |
| * nfp_flower_validate_pre_tun_rule() |
| * @app: Pointer to the APP handle |
| * @flow: Pointer to NFP flow representation of rule |
| * @extack: Netlink extended ACK report |
| * |
| * Verifies the flow as a pre-tunnel rule. |
| * |
| * Return: negative value on error, 0 if verified. |
| */ |
| static int |
| nfp_flower_validate_pre_tun_rule(struct nfp_app *app, |
| struct nfp_fl_payload *flow, |
| struct netlink_ext_ack *extack) |
| { |
| struct nfp_flower_meta_tci *meta_tci; |
| struct nfp_flower_mac_mpls *mac; |
| struct nfp_fl_act_head *act; |
| u8 *mask = flow->mask_data; |
| bool vlan = false; |
| int act_offset; |
| u8 key_layer; |
| |
| meta_tci = (struct nfp_flower_meta_tci *)flow->unmasked_data; |
| if (meta_tci->tci & cpu_to_be16(NFP_FLOWER_MASK_VLAN_PRESENT)) { |
| u16 vlan_tci = be16_to_cpu(meta_tci->tci); |
| |
| vlan_tci &= ~NFP_FLOWER_MASK_VLAN_PRESENT; |
| flow->pre_tun_rule.vlan_tci = cpu_to_be16(vlan_tci); |
| vlan = true; |
| } else { |
| flow->pre_tun_rule.vlan_tci = cpu_to_be16(0xffff); |
| } |
| |
| key_layer = meta_tci->nfp_flow_key_layer; |
| if (key_layer & ~NFP_FLOWER_PRE_TUN_RULE_FIELDS) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: too many match fields"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (!(key_layer & NFP_FLOWER_LAYER_MAC)) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: MAC fields match required"); |
| return -EOPNOTSUPP; |
| } |
| |
| /* Skip fields known to exist. */ |
| mask += sizeof(struct nfp_flower_meta_tci); |
| mask += sizeof(struct nfp_flower_in_port); |
| |
| /* Ensure destination MAC address is fully matched. */ |
| mac = (struct nfp_flower_mac_mpls *)mask; |
| if (!is_broadcast_ether_addr(&mac->mac_dst[0])) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: dest MAC field must not be masked"); |
| return -EOPNOTSUPP; |
| } |
| |
| if (key_layer & NFP_FLOWER_LAYER_IPV4 || |
| key_layer & NFP_FLOWER_LAYER_IPV6) { |
| /* Flags and proto fields have same offset in IPv4 and IPv6. */ |
| int ip_flags = offsetof(struct nfp_flower_ipv4, ip_ext.flags); |
| int ip_proto = offsetof(struct nfp_flower_ipv4, ip_ext.proto); |
| int size; |
| int i; |
| |
| size = key_layer & NFP_FLOWER_LAYER_IPV4 ? |
| sizeof(struct nfp_flower_ipv4) : |
| sizeof(struct nfp_flower_ipv6); |
| |
| mask += sizeof(struct nfp_flower_mac_mpls); |
| |
| /* Ensure proto and flags are the only IP layer fields. */ |
| for (i = 0; i < size; i++) |
| if (mask[i] && i != ip_flags && i != ip_proto) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: only flags and proto can be matched in ip header"); |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| /* Action must be a single egress or pop_vlan and egress. */ |
| act_offset = 0; |
| act = (struct nfp_fl_act_head *)&flow->action_data[act_offset]; |
| if (vlan) { |
| if (act->jump_id != NFP_FL_ACTION_OPCODE_POP_VLAN) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: match on VLAN must have VLAN pop as first action"); |
| return -EOPNOTSUPP; |
| } |
| |
| act_offset += act->len_lw << NFP_FL_LW_SIZ; |
| act = (struct nfp_fl_act_head *)&flow->action_data[act_offset]; |
| } |
| |
| if (act->jump_id != NFP_FL_ACTION_OPCODE_OUTPUT) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: non egress action detected where egress was expected"); |
| return -EOPNOTSUPP; |
| } |
| |
| act_offset += act->len_lw << NFP_FL_LW_SIZ; |
| |
| /* Ensure there are no more actions after egress. */ |
| if (act_offset != flow->meta.act_len) { |
| NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: egress is not the last action"); |
| return -EOPNOTSUPP; |
| } |
| |
| return 0; |
| } |
| |
| /** |
| * nfp_flower_add_offload() - Adds a new flow to hardware. |
| * @app: Pointer to the APP handle |
| * @netdev: netdev structure. |
| * @flow: TC flower classifier offload structure. |
| * |
| * Adds a new flow to the repeated hash structure and action payload. |
| * |
| * Return: negative value on error, 0 if configured successfully. |
| */ |
| static int |
| nfp_flower_add_offload(struct nfp_app *app, struct net_device *netdev, |
| struct flow_cls_offload *flow) |
| { |
| enum nfp_flower_tun_type tun_type = NFP_FL_TUNNEL_NONE; |
| struct nfp_flower_priv *priv = app->priv; |
| struct netlink_ext_ack *extack = NULL; |
| struct nfp_fl_payload *flow_pay; |
| struct nfp_fl_key_ls *key_layer; |
| struct nfp_port *port = NULL; |
| int err; |
| |
| extack = flow->common.extack; |
| if (nfp_netdev_is_nfp_repr(netdev)) |
| port = nfp_port_from_netdev(netdev); |
| |
| key_layer = kmalloc(sizeof(*key_layer), GFP_KERNEL); |
| if (!key_layer) |
| return -ENOMEM; |
| |
| err = nfp_flower_calculate_key_layers(app, netdev, key_layer, flow, |
| &tun_type, extack); |
| if (err) |
| goto err_free_key_ls; |
| |
| flow_pay = nfp_flower_allocate_new(key_layer); |
| if (!flow_pay) { |
| err = -ENOMEM; |
| goto err_free_key_ls; |
| } |
| |
| err = nfp_flower_compile_flow_match(app, flow, key_layer, netdev, |
| flow_pay, tun_type, extack); |
| if (err) |
| goto err_destroy_flow; |
| |
| err = nfp_flower_compile_action(app, flow, netdev, flow_pay, extack); |
| if (err) |
| goto err_destroy_flow; |
| |
| if (flow_pay->pre_tun_rule.dev) { |
| err = nfp_flower_validate_pre_tun_rule(app, flow_pay, extack); |
| if (err) |
| goto err_destroy_flow; |
| } |
| |
| err = nfp_compile_flow_metadata(app, flow, flow_pay, netdev, extack); |
| if (err) |
| goto err_destroy_flow; |
| |
| flow_pay->tc_flower_cookie = flow->cookie; |
| err = rhashtable_insert_fast(&priv->flow_table, &flow_pay->fl_node, |
| nfp_flower_table_params); |
| if (err) { |
| NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot insert flow into tables for offloads"); |
| goto err_release_metadata; |
| } |
| |
| if (flow_pay->pre_tun_rule.dev) |
| err = nfp_flower_xmit_pre_tun_flow(app, flow_pay); |
| else |
| err = nfp_flower_xmit_flow(app, flow_pay, |
| NFP_FLOWER_CMSG_TYPE_FLOW_ADD); |
| if (err) |
| goto err_remove_rhash; |
| |
| if (port) |
| port->tc_offload_cnt++; |
| |
| flow_pay->in_hw = true; |
| |
| /* Deallocate flow payload when flower rule has been destroyed. */ |
| kfree(key_layer); |
| |
| return 0; |
| |
| err_remove_rhash: |
| WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table, |
| &flow_pay->fl_node, |
| nfp_flower_table_params)); |
| err_release_metadata: |
| nfp_modify_flow_metadata(app, flow_pay); |
| err_destroy_flow: |
| if (flow_pay->nfp_tun_ipv6) |
| nfp_tunnel_put_ipv6_off(app, flow_pay->nfp_tun_ipv6); |
| kfree(flow_pay->action_data); |
| kfree(flow_pay->mask_data); |
| kfree(flow_pay->unmasked_data); |
| kfree(flow_pay); |
| err_free_key_ls: |
| kfree(key_layer); |
| return err; |
| } |
| |
| static void |
| nfp_flower_remove_merge_flow(struct nfp_app *app, |
| struct nfp_fl_payload *del_sub_flow, |
| struct nfp_fl_payload *merge_flow) |
| { |
| struct nfp_flower_priv *priv = app->priv; |
| struct nfp_fl_payload_link *link, *temp; |
| struct nfp_fl_payload *origin; |
| bool mod = false; |
| int err; |
| |
| link = list_first_entry(&merge_flow->linked_flows, |
| struct nfp_fl_payload_link, merge_flow.list); |
| origin = link->sub_flow.flow; |
| |
| /* Re-add rule the merge had overwritten if it has not been deleted. */ |
| if (origin != del_sub_flow) |
| mod = true; |
| |
| err = nfp_modify_flow_metadata(app, merge_flow); |
| if (err) { |
| nfp_flower_cmsg_warn(app, "Metadata fail for merge flow delete.\n"); |
| goto err_free_links; |
| } |
| |
| if (!mod) { |
| err = nfp_flower_xmit_flow(app, merge_flow, |
| NFP_FLOWER_CMSG_TYPE_FLOW_DEL); |
| if (err) { |
| nfp_flower_cmsg_warn(app, "Failed to delete merged flow.\n"); |
| goto err_free_links; |
| } |
| } else { |
| __nfp_modify_flow_metadata(priv, origin); |
| err = nfp_flower_xmit_flow(app, origin, |
| NFP_FLOWER_CMSG_TYPE_FLOW_MOD); |
| if (err) |
| nfp_flower_cmsg_warn(app, "Failed to revert merge flow.\n"); |
| origin->in_hw = true; |
| } |
| |
| err_free_links: |
| /* Clean any links connected with the merged flow. */ |
| list_for_each_entry_safe(link, temp, &merge_flow->linked_flows, |
| merge_flow.list) |
| nfp_flower_unlink_flow(link); |
| |
| kfree(merge_flow->action_data); |
| kfree(merge_flow->mask_data); |
| kfree(merge_flow->unmasked_data); |
| WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table, |
| &merge_flow->fl_node, |
| nfp_flower_table_params)); |
| kfree_rcu(merge_flow, rcu); |
| } |
| |
| static void |
| nfp_flower_del_linked_merge_flows(struct nfp_app *app, |
| struct nfp_fl_payload *sub_flow) |
| { |
| struct nfp_fl_payload_link *link, *temp; |
| |
| /* Remove any merge flow formed from the deleted sub_flow. */ |
| list_for_each_entry_safe(link, temp, &sub_flow->linked_flows, |
| sub_flow.list) |
| nfp_flower_remove_merge_flow(app, sub_flow, |
| link->merge_flow.flow); |
| } |
| |
| /** |
| * nfp_flower_del_offload() - Removes a flow from hardware. |
| * @app: Pointer to the APP handle |
| * @netdev: netdev structure. |
| * @flow: TC flower classifier offload structure |
| * |
| * Removes a flow from the repeated hash structure and clears the |
| * action payload. Any flows merged from this are also deleted. |
| * |
| * Return: negative value on error, 0 if removed successfully. |
| */ |
| static int |
| nfp_flower_del_offload(struct nfp_app *app, struct net_device *netdev, |
| struct flow_cls_offload *flow) |
| { |
| struct nfp_flower_priv *priv = app->priv; |
| struct netlink_ext_ack *extack = NULL; |
| struct nfp_fl_payload *nfp_flow; |
| struct nfp_port *port = NULL; |
| int err; |
| |
| extack = flow->common.extack; |
| if (nfp_netdev_is_nfp_repr(netdev)) |
| port = nfp_port_from_netdev(netdev); |
| |
| nfp_flow = nfp_flower_search_fl_table(app, flow->cookie, netdev); |
| if (!nfp_flow) { |
| NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot remove flow that does not exist"); |
| return -ENOENT; |
| } |
| |
| err = nfp_modify_flow_metadata(app, nfp_flow); |
| if (err) |
| goto err_free_merge_flow; |
| |
| if (nfp_flow->nfp_tun_ipv4_addr) |
| nfp_tunnel_del_ipv4_off(app, nfp_flow->nfp_tun_ipv4_addr); |
| |
| if (nfp_flow->nfp_tun_ipv6) |
| nfp_tunnel_put_ipv6_off(app, nfp_flow->nfp_tun_ipv6); |
| |
| if (!nfp_flow->in_hw) { |
| err = 0; |
| goto err_free_merge_flow; |
| } |
| |
| if (nfp_flow->pre_tun_rule.dev) |
| err = nfp_flower_xmit_pre_tun_del_flow(app, nfp_flow); |
| else |
| err = nfp_flower_xmit_flow(app, nfp_flow, |
| NFP_FLOWER_CMSG_TYPE_FLOW_DEL); |
| /* Fall through on error. */ |
| |
| err_free_merge_flow: |
| nfp_flower_del_linked_merge_flows(app, nfp_flow); |
| if (port) |
| port->tc_offload_cnt--; |
| kfree(nfp_flow->action_data); |
| kfree(nfp_flow->mask_data); |
| kfree(nfp_flow->unmasked_data); |
| WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table, |
| &nfp_flow->fl_node, |
| nfp_flower_table_params)); |
| kfree_rcu(nfp_flow, rcu); |
| return err; |
| } |
| |
| static void |
| __nfp_flower_update_merge_stats(struct nfp_app *app, |
| struct nfp_fl_payload *merge_flow) |
| { |
| struct nfp_flower_priv *priv = app->priv; |
| struct nfp_fl_payload_link *link; |
| struct nfp_fl_payload *sub_flow; |
| u64 pkts, bytes, used; |
| u32 ctx_id; |
| |
| ctx_id = be32_to_cpu(merge_flow->meta.host_ctx_id); |
| pkts = priv->stats[ctx_id].pkts; |
| /* Do not cycle subflows if no stats to distribute. */ |
| if (!pkts) |
| return; |
| bytes = priv->stats[ctx_id].bytes; |
| used = priv->stats[ctx_id].used; |
| |
| /* Reset stats for the merge flow. */ |
| priv->stats[ctx_id].pkts = 0; |
| priv->stats[ctx_id].bytes = 0; |
| |
| /* The merge flow has received stats updates from firmware. |
| * Distribute these stats to all subflows that form the merge. |
| * The stats will collected from TC via the subflows. |
| */ |
| list_for_each_entry(link, &merge_flow->linked_flows, merge_flow.list) { |
| sub_flow = link->sub_flow.flow; |
| ctx_id = be32_to_cpu(sub_flow->meta.host_ctx_id); |
| priv->stats[ctx_id].pkts += pkts; |
| priv->stats[ctx_id].bytes += bytes; |
| priv->stats[ctx_id].used = max_t(u64, used, |
| priv->stats[ctx_id].used); |
| } |
| } |
| |
| static void |
| nfp_flower_update_merge_stats(struct nfp_app *app, |
| struct nfp_fl_payload *sub_flow) |
| { |
| struct nfp_fl_payload_link *link; |
| |
| /* Get merge flows that the subflow forms to distribute their stats. */ |
| list_for_each_entry(link, &sub_flow->linked_flows, sub_flow.list) |
| __nfp_flower_update_merge_stats(app, link->merge_flow.flow); |
| } |
| |
| /** |
| * nfp_flower_get_stats() - Populates flow stats obtained from hardware. |
| * @app: Pointer to the APP handle |
| * @netdev: Netdev structure. |
| * @flow: TC flower classifier offload structure |
| * |
| * Populates a flow statistics structure which which corresponds to a |
| * specific flow. |
| * |
| * Return: negative value on error, 0 if stats populated successfully. |
| */ |
| static int |
| nfp_flower_get_stats(struct nfp_app *app, struct net_device *netdev, |
| struct flow_cls_offload *flow) |
| { |
| struct nfp_flower_priv *priv = app->priv; |
| struct netlink_ext_ack *extack = NULL; |
| struct nfp_fl_payload *nfp_flow; |
| u32 ctx_id; |
| |
| extack = flow->common.extack; |
| nfp_flow = nfp_flower_search_fl_table(app, flow->cookie, netdev); |
| if (!nfp_flow) { |
| NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot dump stats for flow that does not exist"); |
| return -EINVAL; |
| } |
| |
| ctx_id = be32_to_cpu(nfp_flow->meta.host_ctx_id); |
| |
| spin_lock_bh(&priv->stats_lock); |
| /* If request is for a sub_flow, update stats from merged flows. */ |
| if (!list_empty(&nfp_flow->linked_flows)) |
| nfp_flower_update_merge_stats(app, nfp_flow); |
| |
| flow_stats_update(&flow->stats, priv->stats[ctx_id].bytes, |
| priv->stats[ctx_id].pkts, priv->stats[ctx_id].used, |
| FLOW_ACTION_HW_STATS_DELAYED); |
| |
| priv->stats[ctx_id].pkts = 0; |
| priv->stats[ctx_id].bytes = 0; |
| spin_unlock_bh(&priv->stats_lock); |
| |
| return 0; |
| } |
| |
| static int |
| nfp_flower_repr_offload(struct nfp_app *app, struct net_device *netdev, |
| struct flow_cls_offload *flower) |
| { |
| if (!eth_proto_is_802_3(flower->common.protocol)) |
| return -EOPNOTSUPP; |
| |
| switch (flower->command) { |
| case FLOW_CLS_REPLACE: |
| return nfp_flower_add_offload(app, netdev, flower); |
| case FLOW_CLS_DESTROY: |
| return nfp_flower_del_offload(app, netdev, flower); |
| case FLOW_CLS_STATS: |
| return nfp_flower_get_stats(app, netdev, flower); |
| default: |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| static int nfp_flower_setup_tc_block_cb(enum tc_setup_type type, |
| void *type_data, void *cb_priv) |
| { |
| struct nfp_repr *repr = cb_priv; |
| |
| if (!tc_cls_can_offload_and_chain0(repr->netdev, type_data)) |
| return -EOPNOTSUPP; |
| |
| switch (type) { |
| case TC_SETUP_CLSFLOWER: |
| return nfp_flower_repr_offload(repr->app, repr->netdev, |
| type_data); |
| case TC_SETUP_CLSMATCHALL: |
| return nfp_flower_setup_qos_offload(repr->app, repr->netdev, |
| type_data); |
| default: |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| static LIST_HEAD(nfp_block_cb_list); |
| |
| static int nfp_flower_setup_tc_block(struct net_device *netdev, |
| struct flow_block_offload *f) |
| { |
| struct nfp_repr *repr = netdev_priv(netdev); |
| struct nfp_flower_repr_priv *repr_priv; |
| struct flow_block_cb *block_cb; |
| |
| if (f->binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS) |
| return -EOPNOTSUPP; |
| |
| repr_priv = repr->app_priv; |
| repr_priv->block_shared = f->block_shared; |
| f->driver_block_list = &nfp_block_cb_list; |
| |
| switch (f->command) { |
| case FLOW_BLOCK_BIND: |
| if (flow_block_cb_is_busy(nfp_flower_setup_tc_block_cb, repr, |
| &nfp_block_cb_list)) |
| return -EBUSY; |
| |
| block_cb = flow_block_cb_alloc(nfp_flower_setup_tc_block_cb, |
| repr, repr, NULL); |
| if (IS_ERR(block_cb)) |
| return PTR_ERR(block_cb); |
| |
| flow_block_cb_add(block_cb, f); |
| list_add_tail(&block_cb->driver_list, &nfp_block_cb_list); |
| return 0; |
| case FLOW_BLOCK_UNBIND: |
| block_cb = flow_block_cb_lookup(f->block, |
| nfp_flower_setup_tc_block_cb, |
| repr); |
| if (!block_cb) |
| return -ENOENT; |
| |
| flow_block_cb_remove(block_cb, f); |
| list_del(&block_cb->driver_list); |
| return 0; |
| default: |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| int nfp_flower_setup_tc(struct nfp_app *app, struct net_device *netdev, |
| enum tc_setup_type type, void *type_data) |
| { |
| switch (type) { |
| case TC_SETUP_BLOCK: |
| return nfp_flower_setup_tc_block(netdev, type_data); |
| default: |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| struct nfp_flower_indr_block_cb_priv { |
| struct net_device *netdev; |
| struct nfp_app *app; |
| struct list_head list; |
| }; |
| |
| static struct nfp_flower_indr_block_cb_priv * |
| nfp_flower_indr_block_cb_priv_lookup(struct nfp_app *app, |
| struct net_device *netdev) |
| { |
| struct nfp_flower_indr_block_cb_priv *cb_priv; |
| struct nfp_flower_priv *priv = app->priv; |
| |
| /* All callback list access should be protected by RTNL. */ |
| ASSERT_RTNL(); |
| |
| list_for_each_entry(cb_priv, &priv->indr_block_cb_priv, list) |
| if (cb_priv->netdev == netdev) |
| return cb_priv; |
| |
| return NULL; |
| } |
| |
| static int nfp_flower_setup_indr_block_cb(enum tc_setup_type type, |
| void *type_data, void *cb_priv) |
| { |
| struct nfp_flower_indr_block_cb_priv *priv = cb_priv; |
| struct flow_cls_offload *flower = type_data; |
| |
| if (flower->common.chain_index) |
| return -EOPNOTSUPP; |
| |
| switch (type) { |
| case TC_SETUP_CLSFLOWER: |
| return nfp_flower_repr_offload(priv->app, priv->netdev, |
| type_data); |
| default: |
| return -EOPNOTSUPP; |
| } |
| } |
| |
| void nfp_flower_setup_indr_tc_release(void *cb_priv) |
| { |
| struct nfp_flower_indr_block_cb_priv *priv = cb_priv; |
| |
| list_del(&priv->list); |
| kfree(priv); |
| } |
| |
| static int |
| nfp_flower_setup_indr_tc_block(struct net_device *netdev, struct nfp_app *app, |
| struct flow_block_offload *f, void *data, |
| void (*cleanup)(struct flow_block_cb *block_cb)) |
| { |
| struct nfp_flower_indr_block_cb_priv *cb_priv; |
| struct nfp_flower_priv *priv = app->priv; |
| struct flow_block_cb *block_cb; |
| |
| if ((f->binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS && |
| !nfp_flower_internal_port_can_offload(app, netdev)) || |
| (f->binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_EGRESS && |
| nfp_flower_internal_port_can_offload(app, netdev))) |
| return -EOPNOTSUPP; |
| |
| switch (f->command) { |
| case FLOW_BLOCK_BIND: |
| cb_priv = nfp_flower_indr_block_cb_priv_lookup(app, netdev); |
| if (cb_priv && |
| flow_block_cb_is_busy(nfp_flower_setup_indr_block_cb, |
| cb_priv, |
| &nfp_block_cb_list)) |
| return -EBUSY; |
| |
| cb_priv = kmalloc(sizeof(*cb_priv), GFP_KERNEL); |
| if (!cb_priv) |
| return -ENOMEM; |
| |
| cb_priv->netdev = netdev; |
| cb_priv->app = app; |
| list_add(&cb_priv->list, &priv->indr_block_cb_priv); |
| |
| block_cb = flow_indr_block_cb_alloc(nfp_flower_setup_indr_block_cb, |
| cb_priv, cb_priv, |
| nfp_flower_setup_indr_tc_release, |
| f, netdev, data, app, cleanup); |
| if (IS_ERR(block_cb)) { |
| list_del(&cb_priv->list); |
| kfree(cb_priv); |
| return PTR_ERR(block_cb); |
| } |
| |
| flow_block_cb_add(block_cb, f); |
| list_add_tail(&block_cb->driver_list, &nfp_block_cb_list); |
| return 0; |
| case FLOW_BLOCK_UNBIND: |
| cb_priv = nfp_flower_indr_block_cb_priv_lookup(app, netdev); |
| if (!cb_priv) |
| return -ENOENT; |
| |
| block_cb = flow_block_cb_lookup(f->block, |
| nfp_flower_setup_indr_block_cb, |
| cb_priv); |
| if (!block_cb) |
| return -ENOENT; |
| |
| flow_indr_block_cb_remove(block_cb, f); |
| list_del(&block_cb->driver_list); |
| return 0; |
| default: |
| return -EOPNOTSUPP; |
| } |
| return 0; |
| } |
| |
| int |
| nfp_flower_indr_setup_tc_cb(struct net_device *netdev, void *cb_priv, |
| enum tc_setup_type type, void *type_data, |
| void *data, |
| void (*cleanup)(struct flow_block_cb *block_cb)) |
| { |
| if (!nfp_fl_is_netdev_to_offload(netdev)) |
| return -EOPNOTSUPP; |
| |
| switch (type) { |
| case TC_SETUP_BLOCK: |
| return nfp_flower_setup_indr_tc_block(netdev, cb_priv, |
| type_data, data, cleanup); |
| default: |
| return -EOPNOTSUPP; |
| } |
| } |