[PATCH net-next 0/6] netfilter flowtable hardware offload

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, paulb@mellanox.com,
	ozsh@mellanox.com, majd@mellanox.com, saeedm@mellanox.com
Subject: [PATCH net-next 0/6] netfilter flowtable hardware offload
Date: Tue, 12 Nov 2019 00:29:50 +0100	[thread overview]
Message-ID: <20191111232956.24898-1-pablo@netfilter.org> (raw)

Hi,

The following patchset adds hardware offload support for the flowtable
infrastructure [1]. This infrastructure provides a fast datapath for
the classic Linux forwarding path that users can enable through policy,
eg.

 table inet x {
      flowtable f {
               hook ingress priority 10 devices = { eth0, eth1 }
	       flags offload
      }
      chain y {
               type filter hook forward priority 0; policy accept;
               ip protocol tcp flow offload @f
      }
 }

This example above enables the fastpath for TCP traffic between devices
eth0 and eth1. Users can turn on the hardware offload through the
'offload' flag from the flowtable definition. If this new flag is not
specified, the software flowtable datapath is used.

This patchset is composed of 4 preparation patches:

#1 Move pointer to conntrack object to the flow_offload structure.
#2 Remove useless union from the flow_offload structure.
#3 Remove superfluous flow_offload_entry structure.
#4 Detach routing information from the flow_offload object to leave
   room to extend this infrastructure, eg. accelerate bridge forwarding.

And 2 patches to add the hardware offload control and data planes:

#5 Add the netlink control plane and the interface to set up the flowtable
   hardware offload. This includes a new NFTA_FLOWTABLE_FLAGS netlink
   attribute to convey the optional NF_FLOWTABLE_HW_OFFLOAD flag.
#6 Add the hardware offload datapath: This code uses the flow_offload
   API available at net/core/flow_offload.h to represent the flow
   through two flow_rule objects to configure an exact 5-tuple matching
   on each direction plus the corresponding forwarding actions, that is,
   the MAC address, NAT and checksum updates; and port redirection in
   order to configure the hardware datapath. This patch only supports
   for IPv4 support and statistics collection for flow aging as an initial
   step.

This patchset introduces a new flow_block callback type that needs to be
set up to configure the flowtable hardware offload.

The first client of this infrastructure follows up after this batch.
I would like to thank Mellanox for developing the first upstream driver
to use this infrastructure.

Please, apply.

[1] Documentation/networking/nf_flowtable.txt

Pablo Neira Ayuso (6):
  netfilter: nf_flow_table: move conntrack object to struct flow_offload
  netfilter: nf_flow_table: remove union from flow_offload structure
  netfilter: nf_flowtable: remove flow_offload_entry structure
  netfilter: nf_flow_table: detach routing information from flow description
  netfilter: nf_tables: add flowtable offload control plane
  netfilter: nf_flow_table: hardware offload support

 include/linux/netdevice.h                |   1 +
 include/net/netfilter/nf_flow_table.h    |  60 ++-
 include/uapi/linux/netfilter/nf_tables.h |   2 +
 net/ipv4/netfilter/nf_flow_table_ipv4.c  |   2 +
 net/ipv6/netfilter/nf_flow_table_ipv6.c  |   2 +
 net/netfilter/Makefile                   |   3 +-
 net/netfilter/nf_flow_table_core.c       | 173 ++++---
 net/netfilter/nf_flow_table_inet.c       |   2 +
 net/netfilter/nf_flow_table_offload.c    | 758 +++++++++++++++++++++++++++++++
 net/netfilter/nf_tables_api.c            |  21 +-
 net/netfilter/nft_flow_offload.c         |   5 +-
 11 files changed, 955 insertions(+), 74 deletions(-)
 create mode 100644 net/netfilter/nf_flow_table_offload.c

-- 
2.11.0