#
0c7fe3b3 |
|
10-Oct-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: support offloading ct(nat) action in RHS rules If an IP address and/or L4 port for NAPT is available from a CT match, the MAE will perform the edits; if no CT lookup has been performed for this packet, the CT lookup did not return a match, or the matched CT entry did not include NAPT, the action will have no effect. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
e4470561 |
|
02-Oct-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: support TC rules which require OR-AR-CT-AR flow When a foreign LHS rule (TC rule from a tunnel netdev which requests conntrack lookup) matches on inner headers or enc_key_id, these matches cannot be performed by the Outer Rule table, as the keys are only available after the tunnel type has been identified (by the OR lookup) and the rest of the headers parsed accordingly. Offload such rules with an Action Rule, using the LOOKUP_CONTROL section of the AR response to specify the conntrack and/or recirculation actions, combined with an Outer Rule which performs only the usual Encap Match duties. This processing flow, as it requires two AR lookups per packet, is less performant than OR-CT-AR, so only use it where necessary. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
ec1dc6c8 |
|
02-Oct-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: support TC left-hand-side rules on foreign netdevs Allow a tunnel netdevice (such as a vxlan) to offload conntrack lookups, in much the same way as efx netdevs. To ensure this rule does not overlap with other tunnel rules on the same sip,dip,dport tuple, register a pseudo encap match of a new type (EFX_TC_EM_PSEUDO_OR), which unlike PSEUDO_MASK may only be referenced once (because an actual Outer Rule in hardware exists, although its fw_id is not recorded in the encap match entry). Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
66f72887 |
|
23-Aug-2023 |
Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> |
sfc: add decrement ttl by offloading set ipv4 ttl actions Offload pedit set ipv4 ttl field, where the ttl field has already been matched and the new value is one less, by translating it to a decrement. Co-developed-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
439c4be9 |
|
23-Aug-2023 |
Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> |
sfc: introduce ethernet pedit set action infrastructure Introduce the initial ethernet pedit set action infrastructure in preparation for adding mac src and dst pedit action offloads. Co-developed-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
01ad088f |
|
07-Aug-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: offload left-hand side rules for conntrack Handle the (comparatively) simple case of a -trk rule on an efx netdev (i.e. not a tunnel decap rule) with ct and goto chain actions. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
1dfc29be |
|
07-Aug-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: conntrack state matches in TC rules Parse ct_state trk/est, mark and zone out of flower keys, and plumb them through to the hardware, performing some minor translations. Nothing can actually hit them yet as we're not offloading any DO_CT actions. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
29416025 |
|
07-Aug-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: handle non-zero chain_index on TC rules Map it to an 8-bit recirc_id for use by the hardware. Currently nothing in the driver is offloading 'goto chain' actions, so these rules cannot yet be hit. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
1909387f |
|
07-Aug-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: offload conntrack flow entries (match only) from CT zones No handling yet for FLOW_ACTION_MANGLE (NAT or NAPT) actions. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
c3bb5c6a |
|
07-Aug-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: functions to register for conntrack zone offload Bind a stub callback to the netfilter flow table. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
3bf969e8 |
|
07-Aug-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add MAE table machinery for conntrack table Access to the connection tracking table in EF100 hardware is through a "generic" table mechanism, whereby a firmware call at probe time gives the driver a description of the field widths and offsets, so that the driver can then construct key and response bitstrings at runtime. Probe the NIC for this information and populate the needed metadata into a new meta_ct field of struct efx_tc_state. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
9a14f2e3 |
|
21-Jun-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: keep alive neighbour entries while a TC encap action is using them When processing counter updates, if any action set using the newly incremented counter includes an encap action, prod the corresponding neighbouring entry to indicate to the neighbour cache that the entry is still in use and passing traffic. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Link: https://lore.kernel.org/r/20230621121504.17004-1-edward.cree@amd.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
7e5e7d80 |
|
08-Jun-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: neighbour lookup for TC encap action offload For each neighbour we're interested in, create a struct efx_neigh_binder object which has a list of all the encap_actions using it. When we receive a neighbouring update (through the netevent notifier), find the corresponding efx_neigh_binder and update all its users. Since the actual generation of encap headers is still only a stub, the resulting rules still get left on fallback actions. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
b4da4235 |
|
08-Jun-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: some plumbing towards TC encap action offload Create software objects to manage the metadata for encap actions that can be attached to TC rules. However, since we don't yet have the neighbouring information (needed to generate the Ethernet header), all rules with encap actions are marked as "unready" and thus insert the fallback action into hardware rather than actually offloading the encapsulation action. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
e16ca7fb |
|
08-Jun-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add fallback action-set-lists for TC offload When offloading a TC encap action, the action information for the hardware might not be "ready": if there's currently no neighbour entry available for the destination address, we can't construct the Ethernet header to prepend to the packet. In this case, we still offload the flow rule, but with its action-set-list ID pointing at a "fallback" action which simply delivers the packet to its default destination (as though no flow rule had matched), thus allowing software TC to handle it. Later, when we receive a neighbouring update that allows us to construct the encap header, the rule will become "ready" and we will update its action-set-list ID in hardware to point at the actual offloaded actions. This patch sets up these fallback ASLs, but does not yet use them. Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
b6583d5e |
|
11-May-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: support TC decap rules matching on enc_src_port Allow efx_tc_encap_match entries to include a udp_sport and a udp_sport_mask. As with enc_ip_tos, use pseudos to enforce that all encap matches within a given <src_ip,dst_ip,udp_dport> tuple have the same udp_sport_mask. Note that since we use a single layer of pseudos for both fields, two matches that differ in (say) udp_sport value aren't permitted to have different ip_tos_mask, even though this would technically be safe. Current userland TC does not support setting enc_src_port; this patch was tested with an iproute2 patched to support it. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
3c9561c0 |
|
11-May-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: support TC decap rules matching on enc_ip_tos Allow efx_tc_encap_match entries to include an ip_tos and ip_tos_mask. To avoid partially-overlapping Outer Rules (which can lead to undefined behaviour in the hardware), store extra "pseudo" entries in our encap_match hashtable, which are used to enforce that all Outer Rule entries within a given <src_ip,dst_ip,udp_dport> tuple (or IPv6 equivalent) have the same ip_tos_mask. The "direct" encap_match entry takes a reference on the "pseudo", allowing it to be destroyed when all "direct" entries using it are removed. efx_tc_em_pseudo_type is an enum rather than just a bool because in future an additional pseudo-type will be added to support Conntrack offload. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
56beb35d |
|
11-May-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: populate enc_ip_tos matches in MAE outer rules Currently tc.c will block them before they get here, but following patch will change that. Use the extack message from efx_mae_check_encap_match_caps() instead of writing a new one, since there's now more being fed in than just an IP version. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
17654d84 |
|
27-Mar-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add offloading of 'foreign' TC (decap) rules A 'foreign' rule is one for which the net_dev is not the sfc netdevice or any of its representors. The driver registers indirect flow blocks for tunnel netdevs so that it can offload decap rules. For example: tc filter add dev vxlan0 parent ffff: protocol ipv4 flower \ enc_src_ip 10.1.0.2 enc_dst_ip 10.1.0.1 \ enc_key_id 1000 enc_dst_port 4789 \ action tunnel_key unset \ action mirred egress redirect dev $REPRESENTOR When notified of a rule like this, register an encap match on the IP and dport tuple (creating an Outer Rule table entry) and insert an MAE action rule to perform the decapsulation and deliver to the representee. Moved efx_tc_delete_rule() below efx_tc_flower_release_encap_match() to avoid the need for a forward declaration. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
746224cd |
|
27-Mar-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add code to register and unregister encap matches Add a hashtable to detect duplicate and conflicting matches. If match is not a duplicate, call MAE functions to add/remove it from OR table. Calling code not added yet, so mark the new functions as unused. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
2245eb00 |
|
27-Mar-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add functions to insert encap matches into the MAE An encap match corresponds to an entry in the exact-match Outer Rule table; the lookup response includes the encap type (protocol) allowing the hardware to continue parsing into the inner headers. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
b9d5c9b7 |
|
27-Mar-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add notion of match on enc keys to MAE machinery Extend the MAE caps check to validate that the hardware supports these outer-header matches where used by the driver. Extend efx_mae_populate_match_criteria() to fill in the outer rule ID and VNI match fields. Nothing yet populates these match fields, nor creates outer rules. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
05ccd8d8 |
|
09-Mar-2023 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: support offloading TC VLAN push/pop actions to the MAE EF100 can pop and/or push up to two VLAN tags. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230309115904.56442-1-edward.cree@amd.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
2e0f1eb0 |
|
14-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: attach an MAE counter to TC actions that need it The only actions that expect stats (that sfc HW supports) are gact shot (drop), mirred redirect and mirred mirror. Since these are 'deliverish' actions that end an action-set, we only require at most one counter per action-set. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
19a0c989 |
|
14-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add hashtables for MAE counters and counter ID mappings Nothing populates them yet. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
25730d8b |
|
14-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add extra RX channel to receive MAE counter updates on ef100 Currently there is no counter-allocating machinery to connect the resulting counter update values to; that will be added in a subsequent patch. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
e5731274 |
|
14-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add ef100 MAE counter support functions Start and stop MAE counter streaming, and grant credits. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
5d1d24da |
|
03-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add Layer 4 matches to ef100 TC offload Support matching on UDP/TCP source and destination ports and TCP flags, with masking if supported by the hardware. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
5ca7ef29 |
|
03-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add Layer 3 flag matches to ef100 TC offload Support matching on ip_frag and ip_firstfrag. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
c178dff3 |
|
03-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add Layer 3 matches to ef100 TC offload Support matching on IP protocol, Type of Service, Time To Live, source and destination addresses, with masking if supported by the hardware. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
6d1c604d |
|
03-Nov-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add Layer 2 matches to ef100 TC offload Support matching on EtherType, VLANs and ethernet source/destination addresses, with masking if supported by the hardware. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
ad1c80d5 |
|
18-Oct-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: use formatted extacks instead of efx_tc_err() Since we can now get a formatted message back to the user with NL_SET_ERR_MSG_FMT_MOD(), there's no need for our special logging. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
d902e1a7 |
|
26-Sep-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: bare bones TC offload on EF100 This is the absolute minimum viable TC implementation to get traffic to VFs and allow them to be tested; it supports no match fields besides ingress port, no actions besides mirred and drop, and no stats. Example usage: tc filter add dev $PF parent ffff: flower skip_sw \ action mirred egress mirror dev $VFREP tc filter add dev $VFREP parent ffff: flower skip_sw \ action mirred egress redirect dev $PF gives a VF unfiltered access to the network out the physical port ($PF acts here as a physical port representor). More matches, actions, and counters will be added in subsequent patches. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
7ce3e235 |
|
26-Sep-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: interrogate MAE capabilities at probe time Different versions of EF100 firmware and FPGA bitstreams support different matching capabilities in the Match-Action Engine. Probe for these at start of day; subsequent patches will validate TC offload requests against the reported capabilities. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
f54a28a2 |
|
26-Sep-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: add a hashtable for offloaded TC rules Nothing inserts into this table yet, but we have code to remove rules on FLOW_CLS_DESTROY or at driver teardown time, in both cases also attempting to remove the corresponding hardware rules. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
7c9d266d |
|
26-Sep-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: optional logging of TC offload errors TC offload support will involve complex limitations on what matches and actions a rule can do, in some cases potentially depending on rules already offloaded. So add an ethtool private flag "log-tc-errors" which controls reporting the reasons for un-offloadable TC rules at NETIF_INFO. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
9dc0cad2 |
|
26-Sep-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: bind blocks for TC offload on EF100 Bind direct blocks for the MAE-admin PF and each VF representor. Currently these connect to a stub efx_tc_flower() that only returns -EOPNOTSUPP; subsequent patches will implement flower offloads to the Match-Action Engine. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
e37f3b15 |
|
28-Jul-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: use a dynamic m-port for representor RX and set it promisc Representors do not want to be subject to the PF's Ethernet address filters, since traffic from VFs will typically have a destination either elsewhere on the link segment or on an overlay network. So, create a dynamic m-port with promiscuous and all-multicast filters, and set it as the egress port of representor default rules. Since the m-port is an alias of the calling PF's own m-port, traffic will still be delivered to the PF's RXQs, but it will be subject to the VNRX filter rules installed on the dynamic m-port (specified by the v-port ID field of the filter spec). Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
67ab160e |
|
28-Jul-2022 |
Edward Cree <ecree.xilinx@gmail.com> |
sfc: insert default MAE rules to connect VFs to representors Default rules are low-priority switching rules which the hardware uses in the absence of higher-priority rules. Each representor requires a corresponding rule matching traffic from its representee VF and delivering to the PF (where a check on INGRESS_MPORT in __ef100_rx_packet() will direct it to the representor). No rule is required in the reverse direction, because representor TX uses a TX override descriptor to bypass the MAE and deliver directly to the VF. Since inserting any rule into the MAE disables the firmware's own default rules, also insert a pair of rules to connect the PF to the physical network port and vice-versa. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|