tc.c 93 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /****************************************************************************
  3. * Driver for Solarflare network controllers and boards
  4. * Copyright 2019 Solarflare Communications Inc.
  5. * Copyright 2020-2022 Xilinx Inc.
  6. *
  7. * This program is free software; you can redistribute it and/or modify it
  8. * under the terms of the GNU General Public License version 2 as published
  9. * by the Free Software Foundation, incorporated herein by reference.
  10. */
  11. #include <net/pkt_cls.h>
  12. #include <net/vxlan.h>
  13. #include <net/geneve.h>
  14. #include <net/tc_act/tc_ct.h>
  15. #include "tc.h"
  16. #include "tc_bindings.h"
  17. #include "tc_encap_actions.h"
  18. #include "tc_conntrack.h"
  19. #include "mae.h"
  20. #include "ef100_rep.h"
  21. #include "efx.h"
  22. enum efx_encap_type efx_tc_indr_netdev_type(struct net_device *net_dev)
  23. {
  24. if (netif_is_vxlan(net_dev))
  25. return EFX_ENCAP_TYPE_VXLAN;
  26. if (netif_is_geneve(net_dev))
  27. return EFX_ENCAP_TYPE_GENEVE;
  28. return EFX_ENCAP_TYPE_NONE;
  29. }
  30. #define EFX_TC_HDR_TYPE_TTL_MASK ((u32)0xff)
  31. /* Hoplimit is stored in the most significant byte in the pedit ipv6 header action */
  32. #define EFX_TC_HDR_TYPE_HLIMIT_MASK ~((u32)0xff000000)
  33. #define EFX_EFV_PF NULL
  34. /* Look up the representor information (efv) for a device.
  35. * May return NULL for the PF (us), or an error pointer for a device that
  36. * isn't supported as a TC offload endpoint
  37. */
  38. struct efx_rep *efx_tc_flower_lookup_efv(struct efx_nic *efx,
  39. struct net_device *dev)
  40. {
  41. struct efx_rep *efv;
  42. if (!dev)
  43. return ERR_PTR(-EOPNOTSUPP);
  44. /* Is it us (the PF)? */
  45. if (dev == efx->net_dev)
  46. return EFX_EFV_PF;
  47. /* Is it an efx vfrep at all? */
  48. if (dev->netdev_ops != &efx_ef100_rep_netdev_ops)
  49. return ERR_PTR(-EOPNOTSUPP);
  50. /* Is it ours? We don't support TC rules that include another
  51. * EF100's netdevices (not even on another port of the same NIC).
  52. */
  53. efv = netdev_priv(dev);
  54. if (efv->parent != efx)
  55. return ERR_PTR(-EOPNOTSUPP);
  56. return efv;
  57. }
  58. /* Convert a driver-internal vport ID into an internal device (PF or VF) */
  59. static s64 efx_tc_flower_internal_mport(struct efx_nic *efx, struct efx_rep *efv)
  60. {
  61. u32 mport;
  62. if (IS_ERR(efv))
  63. return PTR_ERR(efv);
  64. if (!efv) /* device is PF (us) */
  65. efx_mae_mport_uplink(efx, &mport);
  66. else /* device is repr */
  67. efx_mae_mport_mport(efx, efv->mport, &mport);
  68. return mport;
  69. }
  70. /* Convert a driver-internal vport ID into an external device (wire or VF) */
  71. s64 efx_tc_flower_external_mport(struct efx_nic *efx, struct efx_rep *efv)
  72. {
  73. u32 mport;
  74. if (IS_ERR(efv))
  75. return PTR_ERR(efv);
  76. if (!efv) /* device is PF (us) */
  77. efx_mae_mport_wire(efx, &mport);
  78. else /* device is repr */
  79. efx_mae_mport_mport(efx, efv->mport, &mport);
  80. return mport;
  81. }
  82. static const struct rhashtable_params efx_tc_mac_ht_params = {
  83. .key_len = offsetofend(struct efx_tc_mac_pedit_action, h_addr),
  84. .key_offset = 0,
  85. .head_offset = offsetof(struct efx_tc_mac_pedit_action, linkage),
  86. };
  87. static const struct rhashtable_params efx_tc_encap_match_ht_params = {
  88. .key_len = offsetof(struct efx_tc_encap_match, linkage),
  89. .key_offset = 0,
  90. .head_offset = offsetof(struct efx_tc_encap_match, linkage),
  91. };
  92. static const struct rhashtable_params efx_tc_match_action_ht_params = {
  93. .key_len = sizeof(unsigned long),
  94. .key_offset = offsetof(struct efx_tc_flow_rule, cookie),
  95. .head_offset = offsetof(struct efx_tc_flow_rule, linkage),
  96. };
  97. static const struct rhashtable_params efx_tc_lhs_rule_ht_params = {
  98. .key_len = sizeof(unsigned long),
  99. .key_offset = offsetof(struct efx_tc_lhs_rule, cookie),
  100. .head_offset = offsetof(struct efx_tc_lhs_rule, linkage),
  101. };
  102. static const struct rhashtable_params efx_tc_recirc_ht_params = {
  103. .key_len = offsetof(struct efx_tc_recirc_id, linkage),
  104. .key_offset = 0,
  105. .head_offset = offsetof(struct efx_tc_recirc_id, linkage),
  106. };
  107. static struct efx_tc_mac_pedit_action *efx_tc_flower_get_mac(struct efx_nic *efx,
  108. unsigned char h_addr[ETH_ALEN],
  109. struct netlink_ext_ack *extack)
  110. {
  111. struct efx_tc_mac_pedit_action *ped, *old;
  112. int rc;
  113. ped = kzalloc_obj(*ped, GFP_USER);
  114. if (!ped)
  115. return ERR_PTR(-ENOMEM);
  116. memcpy(ped->h_addr, h_addr, ETH_ALEN);
  117. old = rhashtable_lookup_get_insert_fast(&efx->tc->mac_ht,
  118. &ped->linkage,
  119. efx_tc_mac_ht_params);
  120. if (old) {
  121. /* don't need our new entry */
  122. kfree(ped);
  123. if (IS_ERR(old)) /* oh dear, it's actually an error */
  124. return ERR_CAST(old);
  125. if (!refcount_inc_not_zero(&old->ref))
  126. return ERR_PTR(-EAGAIN);
  127. /* existing entry found, ref taken */
  128. return old;
  129. }
  130. rc = efx_mae_allocate_pedit_mac(efx, ped);
  131. if (rc < 0) {
  132. NL_SET_ERR_MSG_MOD(extack, "Failed to store pedit MAC address in hw");
  133. goto out_remove;
  134. }
  135. /* ref and return */
  136. refcount_set(&ped->ref, 1);
  137. return ped;
  138. out_remove:
  139. rhashtable_remove_fast(&efx->tc->mac_ht, &ped->linkage,
  140. efx_tc_mac_ht_params);
  141. kfree(ped);
  142. return ERR_PTR(rc);
  143. }
  144. static void efx_tc_flower_put_mac(struct efx_nic *efx,
  145. struct efx_tc_mac_pedit_action *ped)
  146. {
  147. if (!refcount_dec_and_test(&ped->ref))
  148. return; /* still in use */
  149. rhashtable_remove_fast(&efx->tc->mac_ht, &ped->linkage,
  150. efx_tc_mac_ht_params);
  151. efx_mae_free_pedit_mac(efx, ped);
  152. kfree(ped);
  153. }
  154. static void efx_tc_free_action_set(struct efx_nic *efx,
  155. struct efx_tc_action_set *act, bool in_hw)
  156. {
  157. /* Failure paths calling this on the 'cursor' action set in_hw=false,
  158. * because if the alloc had succeeded we'd've put it in acts.list and
  159. * not still have it in act.
  160. */
  161. if (in_hw) {
  162. efx_mae_free_action_set(efx, act->fw_id);
  163. /* in_hw is true iff we are on an acts.list; make sure to
  164. * remove ourselves from that list before we are freed.
  165. */
  166. list_del(&act->list);
  167. }
  168. if (act->count) {
  169. spin_lock_bh(&act->count->cnt->lock);
  170. if (!list_empty(&act->count_user))
  171. list_del(&act->count_user);
  172. spin_unlock_bh(&act->count->cnt->lock);
  173. efx_tc_flower_put_counter_index(efx, act->count);
  174. }
  175. if (act->encap_md) {
  176. list_del(&act->encap_user);
  177. efx_tc_flower_release_encap_md(efx, act->encap_md);
  178. }
  179. if (act->src_mac)
  180. efx_tc_flower_put_mac(efx, act->src_mac);
  181. if (act->dst_mac)
  182. efx_tc_flower_put_mac(efx, act->dst_mac);
  183. kfree(act);
  184. }
  185. static void efx_tc_free_action_set_list(struct efx_nic *efx,
  186. struct efx_tc_action_set_list *acts,
  187. bool in_hw)
  188. {
  189. struct efx_tc_action_set *act, *next;
  190. /* Failure paths set in_hw=false, because usually the acts didn't get
  191. * to efx_mae_alloc_action_set_list(); if they did, the failure tree
  192. * has a separate efx_mae_free_action_set_list() before calling us.
  193. */
  194. if (in_hw)
  195. efx_mae_free_action_set_list(efx, acts);
  196. /* Any act that's on the list will be in_hw even if the list isn't */
  197. list_for_each_entry_safe(act, next, &acts->list, list)
  198. efx_tc_free_action_set(efx, act, true);
  199. /* Don't kfree, as acts is embedded inside a struct efx_tc_flow_rule */
  200. }
  201. /* Boilerplate for the simple 'copy a field' cases */
  202. #define _MAP_KEY_AND_MASK(_name, _type, _tcget, _tcfield, _field) \
  203. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_##_name)) { \
  204. struct flow_match_##_type fm; \
  205. \
  206. flow_rule_match_##_tcget(rule, &fm); \
  207. match->value._field = fm.key->_tcfield; \
  208. match->mask._field = fm.mask->_tcfield; \
  209. }
  210. #define MAP_KEY_AND_MASK(_name, _type, _tcfield, _field) \
  211. _MAP_KEY_AND_MASK(_name, _type, _type, _tcfield, _field)
  212. #define MAP_ENC_KEY_AND_MASK(_name, _type, _tcget, _tcfield, _field) \
  213. _MAP_KEY_AND_MASK(ENC_##_name, _type, _tcget, _tcfield, _field)
  214. static int efx_tc_flower_parse_match(struct efx_nic *efx,
  215. struct flow_rule *rule,
  216. struct efx_tc_match *match,
  217. struct netlink_ext_ack *extack)
  218. {
  219. struct flow_dissector *dissector = rule->match.dissector;
  220. unsigned char ipv = 0;
  221. /* Owing to internal TC infelicities, the IPV6_ADDRS key might be set
  222. * even on IPv4 filters; so rather than relying on dissector->used_keys
  223. * we check the addr_type in the CONTROL key. If we don't find it (or
  224. * it's masked, which should never happen), we treat both IPV4_ADDRS
  225. * and IPV6_ADDRS as absent.
  226. */
  227. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) {
  228. struct flow_match_control fm;
  229. flow_rule_match_control(rule, &fm);
  230. if (IS_ALL_ONES(fm.mask->addr_type))
  231. switch (fm.key->addr_type) {
  232. case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
  233. ipv = 4;
  234. break;
  235. case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
  236. ipv = 6;
  237. break;
  238. default:
  239. break;
  240. }
  241. if (fm.mask->flags & FLOW_DIS_IS_FRAGMENT) {
  242. match->value.ip_frag = fm.key->flags & FLOW_DIS_IS_FRAGMENT;
  243. match->mask.ip_frag = true;
  244. }
  245. if (fm.mask->flags & FLOW_DIS_FIRST_FRAG) {
  246. match->value.ip_firstfrag = fm.key->flags & FLOW_DIS_FIRST_FRAG;
  247. match->mask.ip_firstfrag = true;
  248. }
  249. if (!flow_rule_is_supp_control_flags(FLOW_DIS_IS_FRAGMENT |
  250. FLOW_DIS_FIRST_FRAG,
  251. fm.mask->flags, extack))
  252. return -EOPNOTSUPP;
  253. }
  254. if (dissector->used_keys &
  255. ~(BIT_ULL(FLOW_DISSECTOR_KEY_CONTROL) |
  256. BIT_ULL(FLOW_DISSECTOR_KEY_BASIC) |
  257. BIT_ULL(FLOW_DISSECTOR_KEY_ETH_ADDRS) |
  258. BIT_ULL(FLOW_DISSECTOR_KEY_VLAN) |
  259. BIT_ULL(FLOW_DISSECTOR_KEY_CVLAN) |
  260. BIT_ULL(FLOW_DISSECTOR_KEY_IPV4_ADDRS) |
  261. BIT_ULL(FLOW_DISSECTOR_KEY_IPV6_ADDRS) |
  262. BIT_ULL(FLOW_DISSECTOR_KEY_PORTS) |
  263. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_KEYID) |
  264. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) |
  265. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) |
  266. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_IP) |
  267. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_PORTS) |
  268. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_CONTROL) |
  269. BIT_ULL(FLOW_DISSECTOR_KEY_CT) |
  270. BIT_ULL(FLOW_DISSECTOR_KEY_TCP) |
  271. BIT_ULL(FLOW_DISSECTOR_KEY_IP))) {
  272. NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported flower keys %#llx",
  273. dissector->used_keys);
  274. return -EOPNOTSUPP;
  275. }
  276. MAP_KEY_AND_MASK(BASIC, basic, n_proto, eth_proto);
  277. /* Make sure we're IP if any L3/L4 keys used. */
  278. if (!IS_ALL_ONES(match->mask.eth_proto) ||
  279. !(match->value.eth_proto == htons(ETH_P_IP) ||
  280. match->value.eth_proto == htons(ETH_P_IPV6)))
  281. if (dissector->used_keys &
  282. (BIT_ULL(FLOW_DISSECTOR_KEY_IPV4_ADDRS) |
  283. BIT_ULL(FLOW_DISSECTOR_KEY_IPV6_ADDRS) |
  284. BIT_ULL(FLOW_DISSECTOR_KEY_PORTS) |
  285. BIT_ULL(FLOW_DISSECTOR_KEY_IP) |
  286. BIT_ULL(FLOW_DISSECTOR_KEY_TCP))) {
  287. NL_SET_ERR_MSG_FMT_MOD(extack,
  288. "L3/L4 flower keys %#llx require protocol ipv[46]",
  289. dissector->used_keys);
  290. return -EINVAL;
  291. }
  292. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_VLAN)) {
  293. struct flow_match_vlan fm;
  294. flow_rule_match_vlan(rule, &fm);
  295. if (fm.mask->vlan_id || fm.mask->vlan_priority || fm.mask->vlan_tpid) {
  296. match->value.vlan_proto[0] = fm.key->vlan_tpid;
  297. match->mask.vlan_proto[0] = fm.mask->vlan_tpid;
  298. match->value.vlan_tci[0] = cpu_to_be16(fm.key->vlan_priority << 13 |
  299. fm.key->vlan_id);
  300. match->mask.vlan_tci[0] = cpu_to_be16(fm.mask->vlan_priority << 13 |
  301. fm.mask->vlan_id);
  302. }
  303. }
  304. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CVLAN)) {
  305. struct flow_match_vlan fm;
  306. flow_rule_match_cvlan(rule, &fm);
  307. if (fm.mask->vlan_id || fm.mask->vlan_priority || fm.mask->vlan_tpid) {
  308. match->value.vlan_proto[1] = fm.key->vlan_tpid;
  309. match->mask.vlan_proto[1] = fm.mask->vlan_tpid;
  310. match->value.vlan_tci[1] = cpu_to_be16(fm.key->vlan_priority << 13 |
  311. fm.key->vlan_id);
  312. match->mask.vlan_tci[1] = cpu_to_be16(fm.mask->vlan_priority << 13 |
  313. fm.mask->vlan_id);
  314. }
  315. }
  316. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
  317. struct flow_match_eth_addrs fm;
  318. flow_rule_match_eth_addrs(rule, &fm);
  319. ether_addr_copy(match->value.eth_saddr, fm.key->src);
  320. ether_addr_copy(match->value.eth_daddr, fm.key->dst);
  321. ether_addr_copy(match->mask.eth_saddr, fm.mask->src);
  322. ether_addr_copy(match->mask.eth_daddr, fm.mask->dst);
  323. }
  324. MAP_KEY_AND_MASK(BASIC, basic, ip_proto, ip_proto);
  325. /* Make sure we're TCP/UDP if any L4 keys used. */
  326. if ((match->value.ip_proto != IPPROTO_UDP &&
  327. match->value.ip_proto != IPPROTO_TCP) || !IS_ALL_ONES(match->mask.ip_proto))
  328. if (dissector->used_keys &
  329. (BIT_ULL(FLOW_DISSECTOR_KEY_PORTS) |
  330. BIT_ULL(FLOW_DISSECTOR_KEY_TCP))) {
  331. NL_SET_ERR_MSG_FMT_MOD(extack,
  332. "L4 flower keys %#llx require ipproto udp or tcp",
  333. dissector->used_keys);
  334. return -EINVAL;
  335. }
  336. MAP_KEY_AND_MASK(IP, ip, tos, ip_tos);
  337. MAP_KEY_AND_MASK(IP, ip, ttl, ip_ttl);
  338. if (ipv == 4) {
  339. MAP_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, src, src_ip);
  340. MAP_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, dst, dst_ip);
  341. }
  342. #ifdef CONFIG_IPV6
  343. else if (ipv == 6) {
  344. MAP_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, src, src_ip6);
  345. MAP_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, dst, dst_ip6);
  346. }
  347. #endif
  348. MAP_KEY_AND_MASK(PORTS, ports, src, l4_sport);
  349. MAP_KEY_AND_MASK(PORTS, ports, dst, l4_dport);
  350. MAP_KEY_AND_MASK(TCP, tcp, flags, tcp_flags);
  351. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_CONTROL)) {
  352. struct flow_match_control fm;
  353. flow_rule_match_enc_control(rule, &fm);
  354. if (flow_rule_has_enc_control_flags(fm.mask->flags, extack))
  355. return -EOPNOTSUPP;
  356. if (!IS_ALL_ONES(fm.mask->addr_type)) {
  357. NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported enc addr_type mask %u (key %u)",
  358. fm.mask->addr_type,
  359. fm.key->addr_type);
  360. return -EOPNOTSUPP;
  361. }
  362. switch (fm.key->addr_type) {
  363. case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
  364. MAP_ENC_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, enc_ipv4_addrs,
  365. src, enc_src_ip);
  366. MAP_ENC_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, enc_ipv4_addrs,
  367. dst, enc_dst_ip);
  368. break;
  369. #ifdef CONFIG_IPV6
  370. case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
  371. MAP_ENC_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, enc_ipv6_addrs,
  372. src, enc_src_ip6);
  373. MAP_ENC_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, enc_ipv6_addrs,
  374. dst, enc_dst_ip6);
  375. break;
  376. #endif
  377. default:
  378. NL_SET_ERR_MSG_FMT_MOD(extack,
  379. "Unsupported enc addr_type %u (supported are IPv4, IPv6)",
  380. fm.key->addr_type);
  381. return -EOPNOTSUPP;
  382. }
  383. MAP_ENC_KEY_AND_MASK(IP, ip, enc_ip, tos, enc_ip_tos);
  384. MAP_ENC_KEY_AND_MASK(IP, ip, enc_ip, ttl, enc_ip_ttl);
  385. MAP_ENC_KEY_AND_MASK(PORTS, ports, enc_ports, src, enc_sport);
  386. MAP_ENC_KEY_AND_MASK(PORTS, ports, enc_ports, dst, enc_dport);
  387. MAP_ENC_KEY_AND_MASK(KEYID, enc_keyid, enc_keyid, keyid, enc_keyid);
  388. } else if (dissector->used_keys &
  389. (BIT_ULL(FLOW_DISSECTOR_KEY_ENC_KEYID) |
  390. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) |
  391. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) |
  392. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_IP) |
  393. BIT_ULL(FLOW_DISSECTOR_KEY_ENC_PORTS))) {
  394. NL_SET_ERR_MSG_FMT_MOD(extack,
  395. "Flower enc keys require enc_control (keys: %#llx)",
  396. dissector->used_keys);
  397. return -EOPNOTSUPP;
  398. }
  399. if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CT)) {
  400. struct flow_match_ct fm;
  401. flow_rule_match_ct(rule, &fm);
  402. match->value.ct_state_trk = !!(fm.key->ct_state & TCA_FLOWER_KEY_CT_FLAGS_TRACKED);
  403. match->mask.ct_state_trk = !!(fm.mask->ct_state & TCA_FLOWER_KEY_CT_FLAGS_TRACKED);
  404. match->value.ct_state_est = !!(fm.key->ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED);
  405. match->mask.ct_state_est = !!(fm.mask->ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED);
  406. if (fm.mask->ct_state & ~(TCA_FLOWER_KEY_CT_FLAGS_TRACKED |
  407. TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED)) {
  408. NL_SET_ERR_MSG_FMT_MOD(extack,
  409. "Unsupported ct_state match %#x",
  410. fm.mask->ct_state);
  411. return -EOPNOTSUPP;
  412. }
  413. match->value.ct_mark = fm.key->ct_mark;
  414. match->mask.ct_mark = fm.mask->ct_mark;
  415. match->value.ct_zone = fm.key->ct_zone;
  416. match->mask.ct_zone = fm.mask->ct_zone;
  417. if (memchr_inv(fm.mask->ct_labels, 0, sizeof(fm.mask->ct_labels))) {
  418. NL_SET_ERR_MSG_MOD(extack, "Matching on ct_label not supported");
  419. return -EOPNOTSUPP;
  420. }
  421. }
  422. return 0;
  423. }
  424. static void efx_tc_flower_release_encap_match(struct efx_nic *efx,
  425. struct efx_tc_encap_match *encap)
  426. {
  427. int rc;
  428. if (!refcount_dec_and_test(&encap->ref))
  429. return; /* still in use */
  430. if (encap->type == EFX_TC_EM_DIRECT) {
  431. rc = efx_mae_unregister_encap_match(efx, encap);
  432. if (rc)
  433. /* Display message but carry on and remove entry from our
  434. * SW tables, because there's not much we can do about it.
  435. */
  436. netif_err(efx, drv, efx->net_dev,
  437. "Failed to release encap match %#x, rc %d\n",
  438. encap->fw_id, rc);
  439. }
  440. rhashtable_remove_fast(&efx->tc->encap_match_ht, &encap->linkage,
  441. efx_tc_encap_match_ht_params);
  442. if (encap->pseudo)
  443. efx_tc_flower_release_encap_match(efx, encap->pseudo);
  444. kfree(encap);
  445. }
  446. static int efx_tc_flower_record_encap_match(struct efx_nic *efx,
  447. struct efx_tc_match *match,
  448. enum efx_encap_type type,
  449. enum efx_tc_em_pseudo_type em_type,
  450. u8 child_ip_tos_mask,
  451. __be16 child_udp_sport_mask,
  452. struct netlink_ext_ack *extack)
  453. {
  454. struct efx_tc_encap_match *encap, *old, *pseudo = NULL;
  455. bool ipv6 = false;
  456. int rc;
  457. /* We require that the socket-defining fields (IP addrs and UDP dest
  458. * port) are present and exact-match. Other fields may only be used
  459. * if the field-set (and any masks) are the same for all encap
  460. * matches on the same <sip,dip,dport> tuple; this is enforced by
  461. * pseudo encap matches.
  462. */
  463. if (match->mask.enc_dst_ip | match->mask.enc_src_ip) {
  464. if (!IS_ALL_ONES(match->mask.enc_dst_ip)) {
  465. NL_SET_ERR_MSG_MOD(extack,
  466. "Egress encap match is not exact on dst IP address");
  467. return -EOPNOTSUPP;
  468. }
  469. if (!IS_ALL_ONES(match->mask.enc_src_ip)) {
  470. NL_SET_ERR_MSG_MOD(extack,
  471. "Egress encap match is not exact on src IP address");
  472. return -EOPNOTSUPP;
  473. }
  474. #ifdef CONFIG_IPV6
  475. if (!ipv6_addr_any(&match->mask.enc_dst_ip6) ||
  476. !ipv6_addr_any(&match->mask.enc_src_ip6)) {
  477. NL_SET_ERR_MSG_MOD(extack,
  478. "Egress encap match on both IPv4 and IPv6, don't understand");
  479. return -EOPNOTSUPP;
  480. }
  481. } else {
  482. ipv6 = true;
  483. if (!efx_ipv6_addr_all_ones(&match->mask.enc_dst_ip6)) {
  484. NL_SET_ERR_MSG_MOD(extack,
  485. "Egress encap match is not exact on dst IP address");
  486. return -EOPNOTSUPP;
  487. }
  488. if (!efx_ipv6_addr_all_ones(&match->mask.enc_src_ip6)) {
  489. NL_SET_ERR_MSG_MOD(extack,
  490. "Egress encap match is not exact on src IP address");
  491. return -EOPNOTSUPP;
  492. }
  493. #endif
  494. }
  495. if (!IS_ALL_ONES(match->mask.enc_dport)) {
  496. NL_SET_ERR_MSG_MOD(extack, "Egress encap match is not exact on dst UDP port");
  497. return -EOPNOTSUPP;
  498. }
  499. if (match->mask.enc_sport || match->mask.enc_ip_tos) {
  500. struct efx_tc_match pmatch = *match;
  501. if (em_type == EFX_TC_EM_PSEUDO_MASK) { /* can't happen */
  502. NL_SET_ERR_MSG_MOD(extack, "Bad recursion in egress encap match handler");
  503. return -EOPNOTSUPP;
  504. }
  505. pmatch.value.enc_ip_tos = 0;
  506. pmatch.mask.enc_ip_tos = 0;
  507. pmatch.value.enc_sport = 0;
  508. pmatch.mask.enc_sport = 0;
  509. rc = efx_tc_flower_record_encap_match(efx, &pmatch, type,
  510. EFX_TC_EM_PSEUDO_MASK,
  511. match->mask.enc_ip_tos,
  512. match->mask.enc_sport,
  513. extack);
  514. if (rc)
  515. return rc;
  516. pseudo = pmatch.encap;
  517. }
  518. if (match->mask.enc_ip_ttl) {
  519. NL_SET_ERR_MSG_MOD(extack, "Egress encap match on IP TTL not supported");
  520. rc = -EOPNOTSUPP;
  521. goto fail_pseudo;
  522. }
  523. rc = efx_mae_check_encap_match_caps(efx, ipv6, match->mask.enc_ip_tos,
  524. match->mask.enc_sport, extack);
  525. if (rc)
  526. goto fail_pseudo;
  527. encap = kzalloc_obj(*encap, GFP_USER);
  528. if (!encap) {
  529. rc = -ENOMEM;
  530. goto fail_pseudo;
  531. }
  532. encap->src_ip = match->value.enc_src_ip;
  533. encap->dst_ip = match->value.enc_dst_ip;
  534. #ifdef CONFIG_IPV6
  535. encap->src_ip6 = match->value.enc_src_ip6;
  536. encap->dst_ip6 = match->value.enc_dst_ip6;
  537. #endif
  538. encap->udp_dport = match->value.enc_dport;
  539. encap->tun_type = type;
  540. encap->ip_tos = match->value.enc_ip_tos;
  541. encap->ip_tos_mask = match->mask.enc_ip_tos;
  542. encap->child_ip_tos_mask = child_ip_tos_mask;
  543. encap->udp_sport = match->value.enc_sport;
  544. encap->udp_sport_mask = match->mask.enc_sport;
  545. encap->child_udp_sport_mask = child_udp_sport_mask;
  546. encap->type = em_type;
  547. encap->pseudo = pseudo;
  548. old = rhashtable_lookup_get_insert_fast(&efx->tc->encap_match_ht,
  549. &encap->linkage,
  550. efx_tc_encap_match_ht_params);
  551. if (old) {
  552. /* don't need our new entry */
  553. kfree(encap);
  554. if (pseudo) /* don't need our new pseudo either */
  555. efx_tc_flower_release_encap_match(efx, pseudo);
  556. if (IS_ERR(old)) /* oh dear, it's actually an error */
  557. return PTR_ERR(old);
  558. /* check old and new em_types are compatible */
  559. switch (old->type) {
  560. case EFX_TC_EM_DIRECT:
  561. /* old EM is in hardware, so mustn't overlap with a
  562. * pseudo, but may be shared with another direct EM
  563. */
  564. if (em_type == EFX_TC_EM_DIRECT)
  565. break;
  566. NL_SET_ERR_MSG_MOD(extack, "Pseudo encap match conflicts with existing direct entry");
  567. return -EEXIST;
  568. case EFX_TC_EM_PSEUDO_MASK:
  569. /* old EM is protecting a ToS- or src port-qualified
  570. * filter, so may only be shared with another pseudo
  571. * for the same ToS and src port masks.
  572. */
  573. if (em_type != EFX_TC_EM_PSEUDO_MASK) {
  574. NL_SET_ERR_MSG_FMT_MOD(extack,
  575. "%s encap match conflicts with existing pseudo(MASK) entry",
  576. em_type ? "Pseudo" : "Direct");
  577. return -EEXIST;
  578. }
  579. if (child_ip_tos_mask != old->child_ip_tos_mask) {
  580. NL_SET_ERR_MSG_FMT_MOD(extack,
  581. "Pseudo encap match for TOS mask %#04x conflicts with existing mask %#04x",
  582. child_ip_tos_mask,
  583. old->child_ip_tos_mask);
  584. return -EEXIST;
  585. }
  586. if (child_udp_sport_mask != old->child_udp_sport_mask) {
  587. NL_SET_ERR_MSG_FMT_MOD(extack,
  588. "Pseudo encap match for UDP src port mask %#x conflicts with existing mask %#x",
  589. child_udp_sport_mask,
  590. old->child_udp_sport_mask);
  591. return -EEXIST;
  592. }
  593. break;
  594. case EFX_TC_EM_PSEUDO_OR:
  595. /* old EM corresponds to an OR that has to be unique
  596. * (it must not overlap with any other OR, whether
  597. * direct-EM or pseudo).
  598. */
  599. NL_SET_ERR_MSG_FMT_MOD(extack,
  600. "%s encap match conflicts with existing pseudo(OR) entry",
  601. em_type ? "Pseudo" : "Direct");
  602. return -EEXIST;
  603. default: /* Unrecognised pseudo-type. Just say no */
  604. NL_SET_ERR_MSG_FMT_MOD(extack,
  605. "%s encap match conflicts with existing pseudo(%d) entry",
  606. em_type ? "Pseudo" : "Direct",
  607. old->type);
  608. return -EEXIST;
  609. }
  610. /* check old and new tun_types are compatible */
  611. if (old->tun_type != type) {
  612. NL_SET_ERR_MSG_FMT_MOD(extack,
  613. "Egress encap match with conflicting tun_type %u != %u",
  614. old->tun_type, type);
  615. return -EEXIST;
  616. }
  617. if (!refcount_inc_not_zero(&old->ref))
  618. return -EAGAIN;
  619. /* existing entry found */
  620. encap = old;
  621. } else {
  622. if (em_type == EFX_TC_EM_DIRECT) {
  623. rc = efx_mae_register_encap_match(efx, encap);
  624. if (rc) {
  625. NL_SET_ERR_MSG_MOD(extack, "Failed to record egress encap match in HW");
  626. goto fail;
  627. }
  628. }
  629. refcount_set(&encap->ref, 1);
  630. }
  631. match->encap = encap;
  632. return 0;
  633. fail:
  634. rhashtable_remove_fast(&efx->tc->encap_match_ht, &encap->linkage,
  635. efx_tc_encap_match_ht_params);
  636. kfree(encap);
  637. fail_pseudo:
  638. if (pseudo)
  639. efx_tc_flower_release_encap_match(efx, pseudo);
  640. return rc;
  641. }
  642. static struct efx_tc_recirc_id *efx_tc_get_recirc_id(struct efx_nic *efx,
  643. u32 chain_index,
  644. struct net_device *net_dev)
  645. {
  646. struct efx_tc_recirc_id *rid, *old;
  647. int rc;
  648. rid = kzalloc_obj(*rid, GFP_USER);
  649. if (!rid)
  650. return ERR_PTR(-ENOMEM);
  651. rid->chain_index = chain_index;
  652. /* We don't take a reference here, because it's implied - if there's
  653. * a rule on the net_dev that's been offloaded to us, then the net_dev
  654. * can't go away until the rule has been deoffloaded.
  655. */
  656. rid->net_dev = net_dev;
  657. old = rhashtable_lookup_get_insert_fast(&efx->tc->recirc_ht,
  658. &rid->linkage,
  659. efx_tc_recirc_ht_params);
  660. if (old) {
  661. /* don't need our new entry */
  662. kfree(rid);
  663. if (IS_ERR(old)) /* oh dear, it's actually an error */
  664. return ERR_CAST(old);
  665. if (!refcount_inc_not_zero(&old->ref))
  666. return ERR_PTR(-EAGAIN);
  667. /* existing entry found */
  668. rid = old;
  669. } else {
  670. rc = ida_alloc_range(&efx->tc->recirc_ida, 1, U8_MAX, GFP_USER);
  671. if (rc < 0) {
  672. rhashtable_remove_fast(&efx->tc->recirc_ht,
  673. &rid->linkage,
  674. efx_tc_recirc_ht_params);
  675. kfree(rid);
  676. return ERR_PTR(rc);
  677. }
  678. rid->fw_id = rc;
  679. refcount_set(&rid->ref, 1);
  680. }
  681. return rid;
  682. }
  683. static void efx_tc_put_recirc_id(struct efx_nic *efx, struct efx_tc_recirc_id *rid)
  684. {
  685. if (!refcount_dec_and_test(&rid->ref))
  686. return; /* still in use */
  687. rhashtable_remove_fast(&efx->tc->recirc_ht, &rid->linkage,
  688. efx_tc_recirc_ht_params);
  689. ida_free(&efx->tc->recirc_ida, rid->fw_id);
  690. kfree(rid);
  691. }
  692. static void efx_tc_delete_rule(struct efx_nic *efx, struct efx_tc_flow_rule *rule)
  693. {
  694. efx_mae_delete_rule(efx, rule->fw_id);
  695. /* Release entries in subsidiary tables */
  696. efx_tc_free_action_set_list(efx, &rule->acts, true);
  697. if (rule->match.rid)
  698. efx_tc_put_recirc_id(efx, rule->match.rid);
  699. if (rule->match.encap)
  700. efx_tc_flower_release_encap_match(efx, rule->match.encap);
  701. rule->fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL;
  702. }
  703. static const char *efx_tc_encap_type_name(enum efx_encap_type typ)
  704. {
  705. switch (typ) {
  706. case EFX_ENCAP_TYPE_NONE:
  707. return "none";
  708. case EFX_ENCAP_TYPE_VXLAN:
  709. return "vxlan";
  710. case EFX_ENCAP_TYPE_GENEVE:
  711. return "geneve";
  712. default:
  713. pr_warn_once("Unknown efx_encap_type %d encountered\n", typ);
  714. return "unknown";
  715. }
  716. }
  717. /* For details of action order constraints refer to SF-123102-TC-1§12.6.1 */
  718. enum efx_tc_action_order {
  719. EFX_TC_AO_DECAP,
  720. EFX_TC_AO_DEC_TTL,
  721. EFX_TC_AO_PEDIT_MAC_ADDRS,
  722. EFX_TC_AO_VLAN_POP,
  723. EFX_TC_AO_VLAN_PUSH,
  724. EFX_TC_AO_COUNT,
  725. EFX_TC_AO_ENCAP,
  726. EFX_TC_AO_DELIVER
  727. };
  728. /* Determine whether we can add @new action without violating order */
  729. static bool efx_tc_flower_action_order_ok(const struct efx_tc_action_set *act,
  730. enum efx_tc_action_order new)
  731. {
  732. switch (new) {
  733. case EFX_TC_AO_DECAP:
  734. if (act->decap)
  735. return false;
  736. /* PEDIT_MAC_ADDRS must not happen before DECAP, though it
  737. * can wait until much later
  738. */
  739. if (act->dst_mac || act->src_mac)
  740. return false;
  741. /* Decrementing ttl must not happen before DECAP */
  742. if (act->do_ttl_dec)
  743. return false;
  744. fallthrough;
  745. case EFX_TC_AO_VLAN_POP:
  746. if (act->vlan_pop >= 2)
  747. return false;
  748. /* If we've already pushed a VLAN, we can't then pop it;
  749. * the hardware would instead try to pop an existing VLAN
  750. * before pushing the new one.
  751. */
  752. if (act->vlan_push)
  753. return false;
  754. fallthrough;
  755. case EFX_TC_AO_VLAN_PUSH:
  756. if (act->vlan_push >= 2)
  757. return false;
  758. fallthrough;
  759. case EFX_TC_AO_COUNT:
  760. if (act->count)
  761. return false;
  762. fallthrough;
  763. case EFX_TC_AO_PEDIT_MAC_ADDRS:
  764. case EFX_TC_AO_ENCAP:
  765. if (act->encap_md)
  766. return false;
  767. fallthrough;
  768. case EFX_TC_AO_DELIVER:
  769. return !act->deliver;
  770. case EFX_TC_AO_DEC_TTL:
  771. if (act->encap_md)
  772. return false;
  773. return !act->do_ttl_dec;
  774. default:
  775. /* Bad caller. Whatever they wanted to do, say they can't. */
  776. WARN_ON_ONCE(1);
  777. return false;
  778. }
  779. }
  780. /**
  781. * DOC: TC conntrack sequences
  782. *
  783. * The MAE hardware can handle at most two rounds of action rule matching,
  784. * consequently we support conntrack through the notion of a "left-hand side
  785. * rule". This is a rule which typically contains only the actions "ct" and
  786. * "goto chain N", and corresponds to one or more "right-hand side rules" in
  787. * chain N, which typically match on +trk+est, and may perform ct(nat) actions.
  788. * RHS rules go in the Action Rule table as normal but with a nonzero recirc_id
  789. * (the hardware equivalent of chain_index), while LHS rules may go in either
  790. * the Action Rule or the Outer Rule table, the latter being preferred for
  791. * performance reasons, and set both DO_CT and a recirc_id in their response.
  792. *
  793. * Besides the RHS rules, there are often also similar rules matching on
  794. * +trk+new which perform the ct(commit) action. These are not offloaded.
  795. */
  796. static bool efx_tc_rule_is_lhs_rule(struct flow_rule *fr,
  797. struct efx_tc_match *match)
  798. {
  799. const struct flow_action_entry *fa;
  800. int i;
  801. flow_action_for_each(i, fa, &fr->action) {
  802. switch (fa->id) {
  803. case FLOW_ACTION_GOTO:
  804. return true;
  805. case FLOW_ACTION_CT:
  806. /* If rule is -trk, or doesn't mention trk at all, then
  807. * a CT action implies a conntrack lookup (hence it's an
  808. * LHS rule). If rule is +trk, then a CT action could
  809. * just be ct(nat) or even ct(commit) (though the latter
  810. * can't be offloaded).
  811. */
  812. if (!match->mask.ct_state_trk || !match->value.ct_state_trk)
  813. return true;
  814. break;
  815. default:
  816. break;
  817. }
  818. }
  819. return false;
  820. }
  821. /* A foreign LHS rule has matches on enc_ keys at the TC layer (including an
  822. * implied match on enc_ip_proto UDP). Translate these into non-enc_ keys,
  823. * so that we can use the same MAE machinery as local LHS rules (and so that
  824. * the lhs_rules entries have uniform semantics). It may seem odd to do it
  825. * this way round, given that the corresponding fields in the MAE MCDIs are
  826. * all ENC_, but (a) we don't have enc_L2 or enc_ip_proto in struct
  827. * efx_tc_match_fields and (b) semantically an LHS rule doesn't have inner
  828. * fields so it's just matching on *the* header rather than the outer header.
  829. * Make sure that the non-enc_ keys were not already being matched on, as that
  830. * would imply a rule that needed a triple lookup. (Hardware can do that,
  831. * with OR-AR-CT-AR, but it halves packet rate so we avoid it where possible;
  832. * see efx_tc_flower_flhs_needs_ar().)
  833. */
  834. static int efx_tc_flower_translate_flhs_match(struct efx_tc_match *match)
  835. {
  836. int rc = 0;
  837. #define COPY_MASK_AND_VALUE(_key, _ekey) ({ \
  838. if (match->mask._key) { \
  839. rc = -EOPNOTSUPP; \
  840. } else { \
  841. match->mask._key = match->mask._ekey; \
  842. match->mask._ekey = 0; \
  843. match->value._key = match->value._ekey; \
  844. match->value._ekey = 0; \
  845. } \
  846. rc; \
  847. })
  848. #define COPY_FROM_ENC(_key) COPY_MASK_AND_VALUE(_key, enc_##_key)
  849. if (match->mask.ip_proto)
  850. return -EOPNOTSUPP;
  851. match->mask.ip_proto = ~0;
  852. match->value.ip_proto = IPPROTO_UDP;
  853. if (COPY_FROM_ENC(src_ip) || COPY_FROM_ENC(dst_ip))
  854. return rc;
  855. #ifdef CONFIG_IPV6
  856. if (!ipv6_addr_any(&match->mask.src_ip6))
  857. return -EOPNOTSUPP;
  858. match->mask.src_ip6 = match->mask.enc_src_ip6;
  859. memset(&match->mask.enc_src_ip6, 0, sizeof(struct in6_addr));
  860. if (!ipv6_addr_any(&match->mask.dst_ip6))
  861. return -EOPNOTSUPP;
  862. match->mask.dst_ip6 = match->mask.enc_dst_ip6;
  863. memset(&match->mask.enc_dst_ip6, 0, sizeof(struct in6_addr));
  864. #endif
  865. if (COPY_FROM_ENC(ip_tos) || COPY_FROM_ENC(ip_ttl))
  866. return rc;
  867. /* should really copy enc_ip_frag but we don't have that in
  868. * parse_match yet
  869. */
  870. if (COPY_MASK_AND_VALUE(l4_sport, enc_sport) ||
  871. COPY_MASK_AND_VALUE(l4_dport, enc_dport))
  872. return rc;
  873. return 0;
  874. #undef COPY_FROM_ENC
  875. #undef COPY_MASK_AND_VALUE
  876. }
  877. /* If a foreign LHS rule wants to match on keys that are only available after
  878. * encap header identification and parsing, then it can't be done in the Outer
  879. * Rule lookup, because that lookup determines the encap type used to parse
  880. * beyond the outer headers. Thus, such rules must use the OR-AR-CT-AR lookup
  881. * sequence, with an EM (struct efx_tc_encap_match) in the OR step.
  882. * Return true iff the passed match requires this.
  883. */
  884. static bool efx_tc_flower_flhs_needs_ar(struct efx_tc_match *match)
  885. {
  886. /* matches on inner-header keys can't be done in OR */
  887. return match->mask.eth_proto ||
  888. match->mask.vlan_tci[0] || match->mask.vlan_tci[1] ||
  889. match->mask.vlan_proto[0] || match->mask.vlan_proto[1] ||
  890. memchr_inv(match->mask.eth_saddr, 0, ETH_ALEN) ||
  891. memchr_inv(match->mask.eth_daddr, 0, ETH_ALEN) ||
  892. match->mask.ip_proto ||
  893. match->mask.ip_tos || match->mask.ip_ttl ||
  894. match->mask.src_ip || match->mask.dst_ip ||
  895. #ifdef CONFIG_IPV6
  896. !ipv6_addr_any(&match->mask.src_ip6) ||
  897. !ipv6_addr_any(&match->mask.dst_ip6) ||
  898. #endif
  899. match->mask.ip_frag || match->mask.ip_firstfrag ||
  900. match->mask.l4_sport || match->mask.l4_dport ||
  901. match->mask.tcp_flags ||
  902. /* nor can VNI */
  903. match->mask.enc_keyid;
  904. }
  905. static int efx_tc_flower_handle_lhs_actions(struct efx_nic *efx,
  906. struct flow_cls_offload *tc,
  907. struct flow_rule *fr,
  908. struct net_device *net_dev,
  909. struct efx_tc_lhs_rule *rule)
  910. {
  911. struct netlink_ext_ack *extack = tc->common.extack;
  912. struct efx_tc_lhs_action *act = &rule->lhs_act;
  913. const struct flow_action_entry *fa;
  914. enum efx_tc_counter_type ctype;
  915. bool pipe = true;
  916. int i;
  917. ctype = rule->is_ar ? EFX_TC_COUNTER_TYPE_AR : EFX_TC_COUNTER_TYPE_OR;
  918. flow_action_for_each(i, fa, &fr->action) {
  919. struct efx_tc_ct_zone *ct_zone;
  920. struct efx_tc_recirc_id *rid;
  921. if (!pipe) {
  922. /* more actions after a non-pipe action */
  923. NL_SET_ERR_MSG_MOD(extack, "Action follows non-pipe action");
  924. return -EINVAL;
  925. }
  926. switch (fa->id) {
  927. case FLOW_ACTION_GOTO:
  928. if (!fa->chain_index) {
  929. NL_SET_ERR_MSG_MOD(extack, "Can't goto chain 0, no looping in hw");
  930. return -EOPNOTSUPP;
  931. }
  932. rid = efx_tc_get_recirc_id(efx, fa->chain_index,
  933. net_dev);
  934. if (IS_ERR(rid)) {
  935. NL_SET_ERR_MSG_MOD(extack, "Failed to allocate a hardware recirculation ID for this chain_index");
  936. return PTR_ERR(rid);
  937. }
  938. act->rid = rid;
  939. if (fa->hw_stats) {
  940. struct efx_tc_counter_index *cnt;
  941. if (!(fa->hw_stats & FLOW_ACTION_HW_STATS_DELAYED)) {
  942. NL_SET_ERR_MSG_FMT_MOD(extack,
  943. "hw_stats_type %u not supported (only 'delayed')",
  944. fa->hw_stats);
  945. return -EOPNOTSUPP;
  946. }
  947. cnt = efx_tc_flower_get_counter_index(efx, tc->cookie,
  948. ctype);
  949. if (IS_ERR(cnt)) {
  950. NL_SET_ERR_MSG_MOD(extack, "Failed to obtain a counter");
  951. return PTR_ERR(cnt);
  952. }
  953. WARN_ON(act->count); /* can't happen */
  954. act->count = cnt;
  955. }
  956. pipe = false;
  957. break;
  958. case FLOW_ACTION_CT:
  959. if (act->zone) {
  960. NL_SET_ERR_MSG_MOD(extack, "Can't offload multiple ct actions");
  961. return -EOPNOTSUPP;
  962. }
  963. if (fa->ct.action & (TCA_CT_ACT_COMMIT |
  964. TCA_CT_ACT_FORCE)) {
  965. NL_SET_ERR_MSG_MOD(extack, "Can't offload ct commit/force");
  966. return -EOPNOTSUPP;
  967. }
  968. if (fa->ct.action & TCA_CT_ACT_CLEAR) {
  969. NL_SET_ERR_MSG_MOD(extack, "Can't clear ct in LHS rule");
  970. return -EOPNOTSUPP;
  971. }
  972. if (fa->ct.action & (TCA_CT_ACT_NAT |
  973. TCA_CT_ACT_NAT_SRC |
  974. TCA_CT_ACT_NAT_DST)) {
  975. NL_SET_ERR_MSG_MOD(extack, "Can't perform NAT in LHS rule - packet isn't conntracked yet");
  976. return -EOPNOTSUPP;
  977. }
  978. if (fa->ct.action) {
  979. NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled ct.action %u for LHS rule",
  980. fa->ct.action);
  981. return -EOPNOTSUPP;
  982. }
  983. ct_zone = efx_tc_ct_register_zone(efx, fa->ct.zone,
  984. fa->ct.flow_table);
  985. if (IS_ERR(ct_zone)) {
  986. NL_SET_ERR_MSG_MOD(extack, "Failed to register for CT updates");
  987. return PTR_ERR(ct_zone);
  988. }
  989. act->zone = ct_zone;
  990. break;
  991. default:
  992. NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled action %u for LHS rule",
  993. fa->id);
  994. return -EOPNOTSUPP;
  995. }
  996. }
  997. if (pipe) {
  998. NL_SET_ERR_MSG_MOD(extack, "Missing goto chain in LHS rule");
  999. return -EOPNOTSUPP;
  1000. }
  1001. return 0;
  1002. }
  1003. static void efx_tc_flower_release_lhs_actions(struct efx_nic *efx,
  1004. struct efx_tc_lhs_action *act)
  1005. {
  1006. if (act->rid)
  1007. efx_tc_put_recirc_id(efx, act->rid);
  1008. if (act->zone)
  1009. efx_tc_ct_unregister_zone(efx, act->zone);
  1010. if (act->count)
  1011. efx_tc_flower_put_counter_index(efx, act->count);
  1012. }
  1013. /**
  1014. * struct efx_tc_mangler_state - accumulates 32-bit pedits into fields
  1015. *
  1016. * @dst_mac_32: dst_mac[0:3] has been populated
  1017. * @dst_mac_16: dst_mac[4:5] has been populated
  1018. * @src_mac_16: src_mac[0:1] has been populated
  1019. * @src_mac_32: src_mac[2:5] has been populated
  1020. * @dst_mac: h_dest field of ethhdr
  1021. * @src_mac: h_source field of ethhdr
  1022. *
  1023. * Since FLOW_ACTION_MANGLE comes in 32-bit chunks that do not
  1024. * necessarily equate to whole fields of the packet header, this
  1025. * structure is used to hold the cumulative effect of the partial
  1026. * field pedits that have been processed so far.
  1027. */
  1028. struct efx_tc_mangler_state {
  1029. u8 dst_mac_32:1; /* eth->h_dest[0:3] */
  1030. u8 dst_mac_16:1; /* eth->h_dest[4:5] */
  1031. u8 src_mac_16:1; /* eth->h_source[0:1] */
  1032. u8 src_mac_32:1; /* eth->h_source[2:5] */
  1033. unsigned char dst_mac[ETH_ALEN];
  1034. unsigned char src_mac[ETH_ALEN];
  1035. };
  1036. /** efx_tc_complete_mac_mangle() - pull complete field pedits out of @mung
  1037. * @efx: NIC we're installing a flow rule on
  1038. * @act: action set (cursor) to update
  1039. * @mung: accumulated partial mangles
  1040. * @extack: netlink extended ack for reporting errors
  1041. *
  1042. * Check @mung to find any combinations of partial mangles that can be
  1043. * combined into a complete packet field edit, add that edit to @act,
  1044. * and consume the partial mangles from @mung.
  1045. */
  1046. static int efx_tc_complete_mac_mangle(struct efx_nic *efx,
  1047. struct efx_tc_action_set *act,
  1048. struct efx_tc_mangler_state *mung,
  1049. struct netlink_ext_ack *extack)
  1050. {
  1051. struct efx_tc_mac_pedit_action *ped;
  1052. if (mung->dst_mac_32 && mung->dst_mac_16) {
  1053. ped = efx_tc_flower_get_mac(efx, mung->dst_mac, extack);
  1054. if (IS_ERR(ped))
  1055. return PTR_ERR(ped);
  1056. /* Check that we have not already populated dst_mac */
  1057. if (act->dst_mac)
  1058. efx_tc_flower_put_mac(efx, act->dst_mac);
  1059. act->dst_mac = ped;
  1060. /* consume the incomplete state */
  1061. mung->dst_mac_32 = 0;
  1062. mung->dst_mac_16 = 0;
  1063. }
  1064. if (mung->src_mac_16 && mung->src_mac_32) {
  1065. ped = efx_tc_flower_get_mac(efx, mung->src_mac, extack);
  1066. if (IS_ERR(ped))
  1067. return PTR_ERR(ped);
  1068. /* Check that we have not already populated src_mac */
  1069. if (act->src_mac)
  1070. efx_tc_flower_put_mac(efx, act->src_mac);
  1071. act->src_mac = ped;
  1072. /* consume the incomplete state */
  1073. mung->src_mac_32 = 0;
  1074. mung->src_mac_16 = 0;
  1075. }
  1076. return 0;
  1077. }
  1078. static int efx_tc_pedit_add(struct efx_nic *efx, struct efx_tc_action_set *act,
  1079. const struct flow_action_entry *fa,
  1080. struct netlink_ext_ack *extack)
  1081. {
  1082. switch (fa->mangle.htype) {
  1083. case FLOW_ACT_MANGLE_HDR_TYPE_IP4:
  1084. switch (fa->mangle.offset) {
  1085. case offsetof(struct iphdr, ttl):
  1086. /* check that pedit applies to ttl only */
  1087. if (fa->mangle.mask != ~EFX_TC_HDR_TYPE_TTL_MASK)
  1088. break;
  1089. /* Adding 0xff is equivalent to decrementing the ttl.
  1090. * Other added values are not supported.
  1091. */
  1092. if ((fa->mangle.val & EFX_TC_HDR_TYPE_TTL_MASK) != U8_MAX)
  1093. break;
  1094. /* check that we do not decrement ttl twice */
  1095. if (!efx_tc_flower_action_order_ok(act,
  1096. EFX_TC_AO_DEC_TTL)) {
  1097. NL_SET_ERR_MSG_MOD(extack, "multiple dec ttl are not supported");
  1098. return -EOPNOTSUPP;
  1099. }
  1100. act->do_ttl_dec = 1;
  1101. return 0;
  1102. default:
  1103. break;
  1104. }
  1105. break;
  1106. case FLOW_ACT_MANGLE_HDR_TYPE_IP6:
  1107. switch (fa->mangle.offset) {
  1108. case round_down(offsetof(struct ipv6hdr, hop_limit), 4):
  1109. /* check that pedit applies to hoplimit only */
  1110. if (fa->mangle.mask != EFX_TC_HDR_TYPE_HLIMIT_MASK)
  1111. break;
  1112. /* Adding 0xff is equivalent to decrementing the hoplimit.
  1113. * Other added values are not supported.
  1114. */
  1115. if ((fa->mangle.val >> 24) != U8_MAX)
  1116. break;
  1117. /* check that we do not decrement hoplimit twice */
  1118. if (!efx_tc_flower_action_order_ok(act,
  1119. EFX_TC_AO_DEC_TTL)) {
  1120. NL_SET_ERR_MSG_MOD(extack, "multiple dec ttl are not supported");
  1121. return -EOPNOTSUPP;
  1122. }
  1123. act->do_ttl_dec = 1;
  1124. return 0;
  1125. default:
  1126. break;
  1127. }
  1128. break;
  1129. default:
  1130. break;
  1131. }
  1132. NL_SET_ERR_MSG_FMT_MOD(extack,
  1133. "ttl add action type %x %x %x/%x is not supported",
  1134. fa->mangle.htype, fa->mangle.offset,
  1135. fa->mangle.val, fa->mangle.mask);
  1136. return -EOPNOTSUPP;
  1137. }
  1138. /**
  1139. * efx_tc_mangle() - handle a single 32-bit (or less) pedit
  1140. * @efx: NIC we're installing a flow rule on
  1141. * @act: action set (cursor) to update
  1142. * @fa: FLOW_ACTION_MANGLE action metadata
  1143. * @mung: accumulator for partial mangles
  1144. * @extack: netlink extended ack for reporting errors
  1145. * @match: original match used along with the mangle action
  1146. *
  1147. * Identify the fields written by a FLOW_ACTION_MANGLE, and record
  1148. * the partial mangle state in @mung. If this mangle completes an
  1149. * earlier partial mangle, consume and apply to @act by calling
  1150. * efx_tc_complete_mac_mangle().
  1151. */
  1152. static int efx_tc_mangle(struct efx_nic *efx, struct efx_tc_action_set *act,
  1153. const struct flow_action_entry *fa,
  1154. struct efx_tc_mangler_state *mung,
  1155. struct netlink_ext_ack *extack,
  1156. struct efx_tc_match *match)
  1157. {
  1158. __le32 mac32;
  1159. __le16 mac16;
  1160. u8 tr_ttl;
  1161. switch (fa->mangle.htype) {
  1162. case FLOW_ACT_MANGLE_HDR_TYPE_ETH:
  1163. BUILD_BUG_ON(offsetof(struct ethhdr, h_dest) != 0);
  1164. BUILD_BUG_ON(offsetof(struct ethhdr, h_source) != 6);
  1165. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_PEDIT_MAC_ADDRS)) {
  1166. NL_SET_ERR_MSG_MOD(extack,
  1167. "Pedit mangle mac action violates action order");
  1168. return -EOPNOTSUPP;
  1169. }
  1170. switch (fa->mangle.offset) {
  1171. case 0:
  1172. if (fa->mangle.mask) {
  1173. NL_SET_ERR_MSG_FMT_MOD(extack,
  1174. "mask (%#x) of eth.dst32 mangle is not supported",
  1175. fa->mangle.mask);
  1176. return -EOPNOTSUPP;
  1177. }
  1178. /* Ethernet address is little-endian */
  1179. mac32 = cpu_to_le32(fa->mangle.val);
  1180. memcpy(mung->dst_mac, &mac32, sizeof(mac32));
  1181. mung->dst_mac_32 = 1;
  1182. return efx_tc_complete_mac_mangle(efx, act, mung, extack);
  1183. case 4:
  1184. if (fa->mangle.mask == 0xffff) {
  1185. mac16 = cpu_to_le16(fa->mangle.val >> 16);
  1186. memcpy(mung->src_mac, &mac16, sizeof(mac16));
  1187. mung->src_mac_16 = 1;
  1188. } else if (fa->mangle.mask == 0xffff0000) {
  1189. mac16 = cpu_to_le16((u16)fa->mangle.val);
  1190. memcpy(mung->dst_mac + 4, &mac16, sizeof(mac16));
  1191. mung->dst_mac_16 = 1;
  1192. } else {
  1193. NL_SET_ERR_MSG_FMT_MOD(extack,
  1194. "mask (%#x) of eth+4 mangle is not high or low 16b",
  1195. fa->mangle.mask);
  1196. return -EOPNOTSUPP;
  1197. }
  1198. return efx_tc_complete_mac_mangle(efx, act, mung, extack);
  1199. case 8:
  1200. if (fa->mangle.mask) {
  1201. NL_SET_ERR_MSG_FMT_MOD(extack,
  1202. "mask (%#x) of eth.src32 mangle is not supported",
  1203. fa->mangle.mask);
  1204. return -EOPNOTSUPP;
  1205. }
  1206. mac32 = cpu_to_le32(fa->mangle.val);
  1207. memcpy(mung->src_mac + 2, &mac32, sizeof(mac32));
  1208. mung->src_mac_32 = 1;
  1209. return efx_tc_complete_mac_mangle(efx, act, mung, extack);
  1210. default:
  1211. NL_SET_ERR_MSG_FMT_MOD(extack, "mangle eth+%u %x/%x is not supported",
  1212. fa->mangle.offset, fa->mangle.val, fa->mangle.mask);
  1213. return -EOPNOTSUPP;
  1214. }
  1215. break;
  1216. case FLOW_ACT_MANGLE_HDR_TYPE_IP4:
  1217. switch (fa->mangle.offset) {
  1218. case offsetof(struct iphdr, ttl):
  1219. /* we currently only support pedit IP4 when it applies
  1220. * to TTL and then only when it can be achieved with a
  1221. * decrement ttl action
  1222. */
  1223. /* check that pedit applies to ttl only */
  1224. if (fa->mangle.mask != ~EFX_TC_HDR_TYPE_TTL_MASK) {
  1225. NL_SET_ERR_MSG_FMT_MOD(extack,
  1226. "mask (%#x) out of range, only support mangle action on ipv4.ttl",
  1227. fa->mangle.mask);
  1228. return -EOPNOTSUPP;
  1229. }
  1230. /* we can only convert to a dec ttl when we have an
  1231. * exact match on the ttl field
  1232. */
  1233. if (match->mask.ip_ttl != U8_MAX) {
  1234. NL_SET_ERR_MSG_FMT_MOD(extack,
  1235. "only support mangle ttl when we have an exact match, current mask (%#x)",
  1236. match->mask.ip_ttl);
  1237. return -EOPNOTSUPP;
  1238. }
  1239. /* check that we don't try to decrement 0, which equates
  1240. * to setting the ttl to 0xff
  1241. */
  1242. if (match->value.ip_ttl == 0) {
  1243. NL_SET_ERR_MSG_MOD(extack,
  1244. "decrement ttl past 0 is not supported");
  1245. return -EOPNOTSUPP;
  1246. }
  1247. /* check that we do not decrement ttl twice */
  1248. if (!efx_tc_flower_action_order_ok(act,
  1249. EFX_TC_AO_DEC_TTL)) {
  1250. NL_SET_ERR_MSG_MOD(extack,
  1251. "multiple dec ttl is not supported");
  1252. return -EOPNOTSUPP;
  1253. }
  1254. /* check pedit can be achieved with decrement action */
  1255. tr_ttl = match->value.ip_ttl - 1;
  1256. if ((fa->mangle.val & EFX_TC_HDR_TYPE_TTL_MASK) == tr_ttl) {
  1257. act->do_ttl_dec = 1;
  1258. return 0;
  1259. }
  1260. fallthrough;
  1261. default:
  1262. NL_SET_ERR_MSG_FMT_MOD(extack,
  1263. "only support mangle on the ttl field (offset is %u)",
  1264. fa->mangle.offset);
  1265. return -EOPNOTSUPP;
  1266. }
  1267. break;
  1268. case FLOW_ACT_MANGLE_HDR_TYPE_IP6:
  1269. switch (fa->mangle.offset) {
  1270. case round_down(offsetof(struct ipv6hdr, hop_limit), 4):
  1271. /* we currently only support pedit IP6 when it applies
  1272. * to the hoplimit and then only when it can be achieved
  1273. * with a decrement hoplimit action
  1274. */
  1275. /* check that pedit applies to ttl only */
  1276. if (fa->mangle.mask != EFX_TC_HDR_TYPE_HLIMIT_MASK) {
  1277. NL_SET_ERR_MSG_FMT_MOD(extack,
  1278. "mask (%#x) out of range, only support mangle action on ipv6.hop_limit",
  1279. fa->mangle.mask);
  1280. return -EOPNOTSUPP;
  1281. }
  1282. /* we can only convert to a dec ttl when we have an
  1283. * exact match on the ttl field
  1284. */
  1285. if (match->mask.ip_ttl != U8_MAX) {
  1286. NL_SET_ERR_MSG_FMT_MOD(extack,
  1287. "only support hop_limit when we have an exact match, current mask (%#x)",
  1288. match->mask.ip_ttl);
  1289. return -EOPNOTSUPP;
  1290. }
  1291. /* check that we don't try to decrement 0, which equates
  1292. * to setting the ttl to 0xff
  1293. */
  1294. if (match->value.ip_ttl == 0) {
  1295. NL_SET_ERR_MSG_MOD(extack,
  1296. "decrementing hop_limit past 0 is not supported");
  1297. return -EOPNOTSUPP;
  1298. }
  1299. /* check that we do not decrement hoplimit twice */
  1300. if (!efx_tc_flower_action_order_ok(act,
  1301. EFX_TC_AO_DEC_TTL)) {
  1302. NL_SET_ERR_MSG_MOD(extack,
  1303. "multiple dec ttl is not supported");
  1304. return -EOPNOTSUPP;
  1305. }
  1306. /* check pedit can be achieved with decrement action */
  1307. tr_ttl = match->value.ip_ttl - 1;
  1308. if ((fa->mangle.val >> 24) == tr_ttl) {
  1309. act->do_ttl_dec = 1;
  1310. return 0;
  1311. }
  1312. fallthrough;
  1313. default:
  1314. NL_SET_ERR_MSG_FMT_MOD(extack,
  1315. "only support mangle on the hop_limit field");
  1316. return -EOPNOTSUPP;
  1317. }
  1318. default:
  1319. NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled mangle htype %u for action rule",
  1320. fa->mangle.htype);
  1321. return -EOPNOTSUPP;
  1322. }
  1323. return 0;
  1324. }
  1325. /**
  1326. * efx_tc_incomplete_mangle() - check for leftover partial pedits
  1327. * @mung: accumulator for partial mangles
  1328. * @extack: netlink extended ack for reporting errors
  1329. *
  1330. * Since the MAE can only overwrite whole fields, any partial
  1331. * field mangle left over on reaching packet delivery (mirred or
  1332. * end of TC actions) cannot be offloaded. Check for any such
  1333. * and reject them with -%EOPNOTSUPP.
  1334. */
  1335. static int efx_tc_incomplete_mangle(struct efx_tc_mangler_state *mung,
  1336. struct netlink_ext_ack *extack)
  1337. {
  1338. if (mung->dst_mac_32 || mung->dst_mac_16) {
  1339. NL_SET_ERR_MSG_MOD(extack, "Incomplete pedit of destination MAC address");
  1340. return -EOPNOTSUPP;
  1341. }
  1342. if (mung->src_mac_16 || mung->src_mac_32) {
  1343. NL_SET_ERR_MSG_MOD(extack, "Incomplete pedit of source MAC address");
  1344. return -EOPNOTSUPP;
  1345. }
  1346. return 0;
  1347. }
  1348. static int efx_tc_flower_replace_foreign_lhs_ar(struct efx_nic *efx,
  1349. struct flow_cls_offload *tc,
  1350. struct flow_rule *fr,
  1351. struct efx_tc_match *match,
  1352. struct net_device *net_dev)
  1353. {
  1354. struct netlink_ext_ack *extack = tc->common.extack;
  1355. struct efx_tc_lhs_rule *rule, *old;
  1356. enum efx_encap_type type;
  1357. int rc;
  1358. type = efx_tc_indr_netdev_type(net_dev);
  1359. if (type == EFX_ENCAP_TYPE_NONE) {
  1360. NL_SET_ERR_MSG_MOD(extack, "Egress encap match on unsupported tunnel device");
  1361. return -EOPNOTSUPP;
  1362. }
  1363. rc = efx_mae_check_encap_type_supported(efx, type);
  1364. if (rc) {
  1365. NL_SET_ERR_MSG_FMT_MOD(extack,
  1366. "Firmware reports no support for %s encap match",
  1367. efx_tc_encap_type_name(type));
  1368. return rc;
  1369. }
  1370. /* This is an Action Rule, so it needs a separate Encap Match in the
  1371. * Outer Rule table. Insert that now.
  1372. */
  1373. rc = efx_tc_flower_record_encap_match(efx, match, type,
  1374. EFX_TC_EM_DIRECT, 0, 0, extack);
  1375. if (rc)
  1376. return rc;
  1377. match->mask.recirc_id = 0xff;
  1378. if (match->mask.ct_state_trk && match->value.ct_state_trk) {
  1379. NL_SET_ERR_MSG_MOD(extack, "LHS rule can never match +trk");
  1380. rc = -EOPNOTSUPP;
  1381. goto release_encap_match;
  1382. }
  1383. /* LHS rules are always -trk, so we don't need to match on that */
  1384. match->mask.ct_state_trk = 0;
  1385. match->value.ct_state_trk = 0;
  1386. /* We must inhibit match on TCP SYN/FIN/RST, so that SW can see
  1387. * the packet and update the conntrack table.
  1388. * Outer Rules will do that with CT_TCP_FLAGS_INHIBIT, but Action
  1389. * Rules don't have that; instead they support matching on
  1390. * TCP_SYN_FIN_RST (aka TCP_INTERESTING_FLAGS), so use that.
  1391. * This is only strictly needed if there will be a DO_CT action,
  1392. * which we don't know yet, but typically there will be and it's
  1393. * simpler not to bother checking here.
  1394. */
  1395. match->mask.tcp_syn_fin_rst = true;
  1396. rc = efx_mae_match_check_caps(efx, &match->mask, extack);
  1397. if (rc)
  1398. goto release_encap_match;
  1399. rule = kzalloc_obj(*rule, GFP_USER);
  1400. if (!rule) {
  1401. rc = -ENOMEM;
  1402. goto release_encap_match;
  1403. }
  1404. rule->cookie = tc->cookie;
  1405. rule->is_ar = true;
  1406. old = rhashtable_lookup_get_insert_fast(&efx->tc->lhs_rule_ht,
  1407. &rule->linkage,
  1408. efx_tc_lhs_rule_ht_params);
  1409. if (old) {
  1410. netif_dbg(efx, drv, efx->net_dev,
  1411. "Already offloaded rule (cookie %lx)\n", tc->cookie);
  1412. rc = -EEXIST;
  1413. NL_SET_ERR_MSG_MOD(extack, "Rule already offloaded");
  1414. goto release;
  1415. }
  1416. /* Parse actions */
  1417. rc = efx_tc_flower_handle_lhs_actions(efx, tc, fr, net_dev, rule);
  1418. if (rc)
  1419. goto release;
  1420. rule->match = *match;
  1421. rule->lhs_act.tun_type = type;
  1422. rc = efx_mae_insert_lhs_rule(efx, rule, EFX_TC_PRIO_TC);
  1423. if (rc) {
  1424. NL_SET_ERR_MSG_MOD(extack, "Failed to insert rule in hw");
  1425. goto release;
  1426. }
  1427. netif_dbg(efx, drv, efx->net_dev,
  1428. "Successfully parsed lhs rule (cookie %lx)\n",
  1429. tc->cookie);
  1430. return 0;
  1431. release:
  1432. efx_tc_flower_release_lhs_actions(efx, &rule->lhs_act);
  1433. if (!old)
  1434. rhashtable_remove_fast(&efx->tc->lhs_rule_ht, &rule->linkage,
  1435. efx_tc_lhs_rule_ht_params);
  1436. kfree(rule);
  1437. release_encap_match:
  1438. if (match->encap)
  1439. efx_tc_flower_release_encap_match(efx, match->encap);
  1440. return rc;
  1441. }
  1442. static int efx_tc_flower_replace_foreign_lhs(struct efx_nic *efx,
  1443. struct flow_cls_offload *tc,
  1444. struct flow_rule *fr,
  1445. struct efx_tc_match *match,
  1446. struct net_device *net_dev)
  1447. {
  1448. struct netlink_ext_ack *extack = tc->common.extack;
  1449. struct efx_tc_lhs_rule *rule, *old;
  1450. enum efx_encap_type type;
  1451. int rc;
  1452. if (tc->common.chain_index) {
  1453. NL_SET_ERR_MSG_MOD(extack, "LHS rule only allowed in chain 0");
  1454. return -EOPNOTSUPP;
  1455. }
  1456. if (!efx_tc_match_is_encap(&match->mask)) {
  1457. /* This is not a tunnel decap rule, ignore it */
  1458. netif_dbg(efx, drv, efx->net_dev, "Ignoring foreign LHS filter without encap match\n");
  1459. return -EOPNOTSUPP;
  1460. }
  1461. if (efx_tc_flower_flhs_needs_ar(match))
  1462. return efx_tc_flower_replace_foreign_lhs_ar(efx, tc, fr, match,
  1463. net_dev);
  1464. type = efx_tc_indr_netdev_type(net_dev);
  1465. if (type == EFX_ENCAP_TYPE_NONE) {
  1466. NL_SET_ERR_MSG_MOD(extack, "Egress encap match on unsupported tunnel device");
  1467. return -EOPNOTSUPP;
  1468. }
  1469. rc = efx_mae_check_encap_type_supported(efx, type);
  1470. if (rc) {
  1471. NL_SET_ERR_MSG_FMT_MOD(extack,
  1472. "Firmware reports no support for %s encap match",
  1473. efx_tc_encap_type_name(type));
  1474. return rc;
  1475. }
  1476. /* Reserve the outer tuple with a pseudo Encap Match */
  1477. rc = efx_tc_flower_record_encap_match(efx, match, type,
  1478. EFX_TC_EM_PSEUDO_OR, 0, 0,
  1479. extack);
  1480. if (rc)
  1481. return rc;
  1482. if (match->mask.ct_state_trk && match->value.ct_state_trk) {
  1483. NL_SET_ERR_MSG_MOD(extack, "LHS rule can never match +trk");
  1484. rc = -EOPNOTSUPP;
  1485. goto release_encap_match;
  1486. }
  1487. /* LHS rules are always -trk, so we don't need to match on that */
  1488. match->mask.ct_state_trk = 0;
  1489. match->value.ct_state_trk = 0;
  1490. rc = efx_tc_flower_translate_flhs_match(match);
  1491. if (rc) {
  1492. NL_SET_ERR_MSG_MOD(extack, "LHS rule cannot match on inner fields");
  1493. goto release_encap_match;
  1494. }
  1495. rc = efx_mae_match_check_caps_lhs(efx, &match->mask, extack);
  1496. if (rc)
  1497. goto release_encap_match;
  1498. rule = kzalloc_obj(*rule, GFP_USER);
  1499. if (!rule) {
  1500. rc = -ENOMEM;
  1501. goto release_encap_match;
  1502. }
  1503. rule->cookie = tc->cookie;
  1504. old = rhashtable_lookup_get_insert_fast(&efx->tc->lhs_rule_ht,
  1505. &rule->linkage,
  1506. efx_tc_lhs_rule_ht_params);
  1507. if (old) {
  1508. netif_dbg(efx, drv, efx->net_dev,
  1509. "Already offloaded rule (cookie %lx)\n", tc->cookie);
  1510. rc = -EEXIST;
  1511. NL_SET_ERR_MSG_MOD(extack, "Rule already offloaded");
  1512. goto release;
  1513. }
  1514. /* Parse actions */
  1515. rc = efx_tc_flower_handle_lhs_actions(efx, tc, fr, net_dev, rule);
  1516. if (rc)
  1517. goto release;
  1518. rule->match = *match;
  1519. rule->lhs_act.tun_type = type;
  1520. rc = efx_mae_insert_lhs_rule(efx, rule, EFX_TC_PRIO_TC);
  1521. if (rc) {
  1522. NL_SET_ERR_MSG_MOD(extack, "Failed to insert rule in hw");
  1523. goto release;
  1524. }
  1525. netif_dbg(efx, drv, efx->net_dev,
  1526. "Successfully parsed lhs rule (cookie %lx)\n",
  1527. tc->cookie);
  1528. return 0;
  1529. release:
  1530. efx_tc_flower_release_lhs_actions(efx, &rule->lhs_act);
  1531. if (!old)
  1532. rhashtable_remove_fast(&efx->tc->lhs_rule_ht, &rule->linkage,
  1533. efx_tc_lhs_rule_ht_params);
  1534. kfree(rule);
  1535. release_encap_match:
  1536. if (match->encap)
  1537. efx_tc_flower_release_encap_match(efx, match->encap);
  1538. return rc;
  1539. }
  1540. static int efx_tc_flower_replace_foreign(struct efx_nic *efx,
  1541. struct net_device *net_dev,
  1542. struct flow_cls_offload *tc)
  1543. {
  1544. struct flow_rule *fr = flow_cls_offload_flow_rule(tc);
  1545. struct netlink_ext_ack *extack = tc->common.extack;
  1546. struct efx_tc_flow_rule *rule = NULL, *old = NULL;
  1547. struct efx_tc_action_set *act = NULL;
  1548. bool found = false, uplinked = false;
  1549. const struct flow_action_entry *fa;
  1550. struct efx_tc_match match;
  1551. struct efx_rep *to_efv;
  1552. s64 rc;
  1553. int i;
  1554. /* Parse match */
  1555. memset(&match, 0, sizeof(match));
  1556. rc = efx_tc_flower_parse_match(efx, fr, &match, extack);
  1557. if (rc)
  1558. return rc;
  1559. /* The rule as given to us doesn't specify a source netdevice.
  1560. * But, determining whether packets from a VF should match it is
  1561. * complicated, so leave those to the software slowpath: qualify
  1562. * the filter with source m-port == wire.
  1563. */
  1564. rc = efx_tc_flower_external_mport(efx, EFX_EFV_PF);
  1565. if (rc < 0) {
  1566. NL_SET_ERR_MSG_MOD(extack, "Failed to identify ingress m-port for foreign filter");
  1567. return rc;
  1568. }
  1569. match.value.ingress_port = rc;
  1570. match.mask.ingress_port = ~0;
  1571. if (efx_tc_rule_is_lhs_rule(fr, &match))
  1572. return efx_tc_flower_replace_foreign_lhs(efx, tc, fr, &match,
  1573. net_dev);
  1574. if (tc->common.chain_index) {
  1575. struct efx_tc_recirc_id *rid;
  1576. rid = efx_tc_get_recirc_id(efx, tc->common.chain_index, net_dev);
  1577. if (IS_ERR(rid)) {
  1578. NL_SET_ERR_MSG_FMT_MOD(extack,
  1579. "Failed to allocate a hardware recirculation ID for chain_index %u",
  1580. tc->common.chain_index);
  1581. return PTR_ERR(rid);
  1582. }
  1583. match.rid = rid;
  1584. match.value.recirc_id = rid->fw_id;
  1585. }
  1586. match.mask.recirc_id = 0xff;
  1587. /* AR table can't match on DO_CT (+trk). But a commonly used pattern is
  1588. * +trk+est, which is strictly implied by +est, so rewrite it to that.
  1589. */
  1590. if (match.mask.ct_state_trk && match.value.ct_state_trk &&
  1591. match.mask.ct_state_est && match.value.ct_state_est)
  1592. match.mask.ct_state_trk = 0;
  1593. /* Thanks to CT_TCP_FLAGS_INHIBIT, packets with interesting flags could
  1594. * match +trk-est (CT_HIT=0) despite being on an established connection.
  1595. * So make -est imply -tcp_syn_fin_rst match to ensure these packets
  1596. * still hit the software path.
  1597. */
  1598. if (match.mask.ct_state_est && !match.value.ct_state_est) {
  1599. if (match.value.tcp_syn_fin_rst) {
  1600. /* Can't offload this combination */
  1601. NL_SET_ERR_MSG_MOD(extack, "TCP flags and -est conflict for offload");
  1602. rc = -EOPNOTSUPP;
  1603. goto release;
  1604. }
  1605. match.mask.tcp_syn_fin_rst = true;
  1606. }
  1607. flow_action_for_each(i, fa, &fr->action) {
  1608. switch (fa->id) {
  1609. case FLOW_ACTION_REDIRECT:
  1610. case FLOW_ACTION_MIRRED: /* mirred means mirror here */
  1611. to_efv = efx_tc_flower_lookup_efv(efx, fa->dev);
  1612. if (IS_ERR(to_efv))
  1613. continue;
  1614. found = true;
  1615. break;
  1616. default:
  1617. break;
  1618. }
  1619. }
  1620. if (!found) { /* We don't care. */
  1621. netif_dbg(efx, drv, efx->net_dev,
  1622. "Ignoring foreign filter that doesn't egdev us\n");
  1623. rc = -EOPNOTSUPP;
  1624. goto release;
  1625. }
  1626. rc = efx_mae_match_check_caps(efx, &match.mask, extack);
  1627. if (rc)
  1628. goto release;
  1629. if (efx_tc_match_is_encap(&match.mask)) {
  1630. enum efx_encap_type type;
  1631. type = efx_tc_indr_netdev_type(net_dev);
  1632. if (type == EFX_ENCAP_TYPE_NONE) {
  1633. NL_SET_ERR_MSG_MOD(extack,
  1634. "Egress encap match on unsupported tunnel device");
  1635. rc = -EOPNOTSUPP;
  1636. goto release;
  1637. }
  1638. rc = efx_mae_check_encap_type_supported(efx, type);
  1639. if (rc) {
  1640. NL_SET_ERR_MSG_FMT_MOD(extack,
  1641. "Firmware reports no support for %s encap match",
  1642. efx_tc_encap_type_name(type));
  1643. goto release;
  1644. }
  1645. rc = efx_tc_flower_record_encap_match(efx, &match, type,
  1646. EFX_TC_EM_DIRECT, 0, 0,
  1647. extack);
  1648. if (rc)
  1649. goto release;
  1650. } else if (!tc->common.chain_index) {
  1651. /* This is not a tunnel decap rule, ignore it */
  1652. netif_dbg(efx, drv, efx->net_dev,
  1653. "Ignoring foreign filter without encap match\n");
  1654. rc = -EOPNOTSUPP;
  1655. goto release;
  1656. }
  1657. rule = kzalloc_obj(*rule, GFP_USER);
  1658. if (!rule) {
  1659. rc = -ENOMEM;
  1660. goto release;
  1661. }
  1662. INIT_LIST_HEAD(&rule->acts.list);
  1663. rule->cookie = tc->cookie;
  1664. old = rhashtable_lookup_get_insert_fast(&efx->tc->match_action_ht,
  1665. &rule->linkage,
  1666. efx_tc_match_action_ht_params);
  1667. if (IS_ERR(old)) {
  1668. rc = PTR_ERR(old);
  1669. goto release;
  1670. } else if (old) {
  1671. netif_dbg(efx, drv, efx->net_dev,
  1672. "Ignoring already-offloaded rule (cookie %lx)\n",
  1673. tc->cookie);
  1674. rc = -EEXIST;
  1675. goto release;
  1676. }
  1677. act = kzalloc_obj(*act, GFP_USER);
  1678. if (!act) {
  1679. rc = -ENOMEM;
  1680. goto release;
  1681. }
  1682. /* Parse actions. For foreign rules we only support decap & redirect.
  1683. * See corresponding code in efx_tc_flower_replace() for theory of
  1684. * operation & how 'act' cursor is used.
  1685. */
  1686. flow_action_for_each(i, fa, &fr->action) {
  1687. struct efx_tc_action_set save;
  1688. switch (fa->id) {
  1689. case FLOW_ACTION_REDIRECT:
  1690. case FLOW_ACTION_MIRRED:
  1691. /* See corresponding code in efx_tc_flower_replace() for
  1692. * long explanations of what's going on here.
  1693. */
  1694. save = *act;
  1695. if (fa->hw_stats) {
  1696. struct efx_tc_counter_index *ctr;
  1697. if (!(fa->hw_stats & FLOW_ACTION_HW_STATS_DELAYED)) {
  1698. NL_SET_ERR_MSG_FMT_MOD(extack,
  1699. "hw_stats_type %u not supported (only 'delayed')",
  1700. fa->hw_stats);
  1701. rc = -EOPNOTSUPP;
  1702. goto release;
  1703. }
  1704. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_COUNT)) {
  1705. NL_SET_ERR_MSG_MOD(extack, "Count action violates action order (can't happen)");
  1706. rc = -EOPNOTSUPP;
  1707. goto release;
  1708. }
  1709. ctr = efx_tc_flower_get_counter_index(efx,
  1710. tc->cookie,
  1711. EFX_TC_COUNTER_TYPE_AR);
  1712. if (IS_ERR(ctr)) {
  1713. rc = PTR_ERR(ctr);
  1714. NL_SET_ERR_MSG_MOD(extack, "Failed to obtain a counter");
  1715. goto release;
  1716. }
  1717. act->count = ctr;
  1718. INIT_LIST_HEAD(&act->count_user);
  1719. }
  1720. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_DELIVER)) {
  1721. /* can't happen */
  1722. rc = -EOPNOTSUPP;
  1723. NL_SET_ERR_MSG_MOD(extack,
  1724. "Deliver action violates action order (can't happen)");
  1725. goto release;
  1726. }
  1727. to_efv = efx_tc_flower_lookup_efv(efx, fa->dev);
  1728. /* PF implies egdev is us, in which case we really
  1729. * want to deliver to the uplink (because this is an
  1730. * ingress filter). If we don't recognise the egdev
  1731. * at all, then we'd better trap so SW can handle it.
  1732. */
  1733. if (IS_ERR(to_efv))
  1734. to_efv = EFX_EFV_PF;
  1735. if (to_efv == EFX_EFV_PF) {
  1736. if (uplinked)
  1737. break;
  1738. uplinked = true;
  1739. }
  1740. rc = efx_tc_flower_internal_mport(efx, to_efv);
  1741. if (rc < 0) {
  1742. NL_SET_ERR_MSG_MOD(extack, "Failed to identify egress m-port");
  1743. goto release;
  1744. }
  1745. act->dest_mport = rc;
  1746. act->deliver = 1;
  1747. rc = efx_mae_alloc_action_set(efx, act);
  1748. if (rc) {
  1749. NL_SET_ERR_MSG_MOD(extack,
  1750. "Failed to write action set to hw (mirred)");
  1751. goto release;
  1752. }
  1753. list_add_tail(&act->list, &rule->acts.list);
  1754. act = NULL;
  1755. if (fa->id == FLOW_ACTION_REDIRECT)
  1756. break; /* end of the line */
  1757. /* Mirror, so continue on with saved act */
  1758. act = kzalloc_obj(*act, GFP_USER);
  1759. if (!act) {
  1760. rc = -ENOMEM;
  1761. goto release;
  1762. }
  1763. *act = save;
  1764. break;
  1765. case FLOW_ACTION_TUNNEL_DECAP:
  1766. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_DECAP)) {
  1767. rc = -EINVAL;
  1768. NL_SET_ERR_MSG_MOD(extack, "Decap action violates action order");
  1769. goto release;
  1770. }
  1771. act->decap = 1;
  1772. /* If we previously delivered/trapped to uplink, now
  1773. * that we've decapped we'll want another copy if we
  1774. * try to deliver/trap to uplink again.
  1775. */
  1776. uplinked = false;
  1777. break;
  1778. default:
  1779. NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled action %u",
  1780. fa->id);
  1781. rc = -EOPNOTSUPP;
  1782. goto release;
  1783. }
  1784. }
  1785. if (act) {
  1786. if (!uplinked) {
  1787. /* Not shot/redirected, so deliver to default dest (which is
  1788. * the uplink, as this is an ingress filter)
  1789. */
  1790. efx_mae_mport_uplink(efx, &act->dest_mport);
  1791. act->deliver = 1;
  1792. }
  1793. rc = efx_mae_alloc_action_set(efx, act);
  1794. if (rc) {
  1795. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (deliver)");
  1796. goto release;
  1797. }
  1798. list_add_tail(&act->list, &rule->acts.list);
  1799. act = NULL; /* Prevent double-free in error path */
  1800. }
  1801. rule->match = match;
  1802. netif_dbg(efx, drv, efx->net_dev,
  1803. "Successfully parsed foreign filter (cookie %lx)\n",
  1804. tc->cookie);
  1805. rc = efx_mae_alloc_action_set_list(efx, &rule->acts);
  1806. if (rc) {
  1807. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set list to hw");
  1808. goto release;
  1809. }
  1810. rc = efx_mae_insert_rule(efx, &rule->match, EFX_TC_PRIO_TC,
  1811. rule->acts.fw_id, &rule->fw_id);
  1812. if (rc) {
  1813. NL_SET_ERR_MSG_MOD(extack, "Failed to insert rule in hw");
  1814. goto release_acts;
  1815. }
  1816. return 0;
  1817. release_acts:
  1818. efx_mae_free_action_set_list(efx, &rule->acts);
  1819. release:
  1820. /* We failed to insert the rule, so free up any entries we created in
  1821. * subsidiary tables.
  1822. */
  1823. if (match.rid)
  1824. efx_tc_put_recirc_id(efx, match.rid);
  1825. if (act)
  1826. efx_tc_free_action_set(efx, act, false);
  1827. if (rule) {
  1828. if (!old)
  1829. rhashtable_remove_fast(&efx->tc->match_action_ht,
  1830. &rule->linkage,
  1831. efx_tc_match_action_ht_params);
  1832. efx_tc_free_action_set_list(efx, &rule->acts, false);
  1833. }
  1834. kfree(rule);
  1835. if (match.encap)
  1836. efx_tc_flower_release_encap_match(efx, match.encap);
  1837. return rc;
  1838. }
  1839. static int efx_tc_flower_replace_lhs(struct efx_nic *efx,
  1840. struct flow_cls_offload *tc,
  1841. struct flow_rule *fr,
  1842. struct efx_tc_match *match,
  1843. struct efx_rep *efv,
  1844. struct net_device *net_dev)
  1845. {
  1846. struct netlink_ext_ack *extack = tc->common.extack;
  1847. struct efx_tc_lhs_rule *rule, *old;
  1848. int rc;
  1849. if (tc->common.chain_index) {
  1850. NL_SET_ERR_MSG_MOD(extack, "LHS rule only allowed in chain 0");
  1851. return -EOPNOTSUPP;
  1852. }
  1853. if (match->mask.ct_state_trk && match->value.ct_state_trk) {
  1854. NL_SET_ERR_MSG_MOD(extack, "LHS rule can never match +trk");
  1855. return -EOPNOTSUPP;
  1856. }
  1857. /* LHS rules are always -trk, so we don't need to match on that */
  1858. match->mask.ct_state_trk = 0;
  1859. match->value.ct_state_trk = 0;
  1860. rc = efx_mae_match_check_caps_lhs(efx, &match->mask, extack);
  1861. if (rc)
  1862. return rc;
  1863. rule = kzalloc_obj(*rule, GFP_USER);
  1864. if (!rule)
  1865. return -ENOMEM;
  1866. rule->cookie = tc->cookie;
  1867. old = rhashtable_lookup_get_insert_fast(&efx->tc->lhs_rule_ht,
  1868. &rule->linkage,
  1869. efx_tc_lhs_rule_ht_params);
  1870. if (IS_ERR(old)) {
  1871. rc = PTR_ERR(old);
  1872. goto release;
  1873. } else if (old) {
  1874. netif_dbg(efx, drv, efx->net_dev,
  1875. "Already offloaded rule (cookie %lx)\n", tc->cookie);
  1876. rc = -EEXIST;
  1877. NL_SET_ERR_MSG_MOD(extack, "Rule already offloaded");
  1878. goto release;
  1879. }
  1880. /* Parse actions */
  1881. /* See note in efx_tc_flower_replace() regarding passed net_dev
  1882. * (used for efx_tc_get_recirc_id()).
  1883. */
  1884. rc = efx_tc_flower_handle_lhs_actions(efx, tc, fr, efx->net_dev, rule);
  1885. if (rc)
  1886. goto release;
  1887. rule->match = *match;
  1888. rc = efx_mae_insert_lhs_rule(efx, rule, EFX_TC_PRIO_TC);
  1889. if (rc) {
  1890. NL_SET_ERR_MSG_MOD(extack, "Failed to insert rule in hw");
  1891. goto release;
  1892. }
  1893. netif_dbg(efx, drv, efx->net_dev,
  1894. "Successfully parsed lhs rule (cookie %lx)\n",
  1895. tc->cookie);
  1896. return 0;
  1897. release:
  1898. efx_tc_flower_release_lhs_actions(efx, &rule->lhs_act);
  1899. if (!old)
  1900. rhashtable_remove_fast(&efx->tc->lhs_rule_ht, &rule->linkage,
  1901. efx_tc_lhs_rule_ht_params);
  1902. kfree(rule);
  1903. return rc;
  1904. }
  1905. static int efx_tc_flower_replace(struct efx_nic *efx,
  1906. struct net_device *net_dev,
  1907. struct flow_cls_offload *tc,
  1908. struct efx_rep *efv)
  1909. {
  1910. struct flow_rule *fr = flow_cls_offload_flow_rule(tc);
  1911. struct netlink_ext_ack *extack = tc->common.extack;
  1912. const struct ip_tunnel_info *encap_info = NULL;
  1913. struct efx_tc_flow_rule *rule = NULL, *old;
  1914. struct efx_tc_mangler_state mung = {};
  1915. struct efx_tc_action_set *act = NULL;
  1916. const struct flow_action_entry *fa;
  1917. struct efx_rep *from_efv, *to_efv;
  1918. struct efx_tc_match match;
  1919. u32 acts_id;
  1920. s64 rc;
  1921. int i;
  1922. if (!tc_can_offload_extack(efx->net_dev, extack))
  1923. return -EOPNOTSUPP;
  1924. if (WARN_ON(!efx->tc))
  1925. return -ENETDOWN;
  1926. if (WARN_ON(!efx->tc->up))
  1927. return -ENETDOWN;
  1928. from_efv = efx_tc_flower_lookup_efv(efx, net_dev);
  1929. if (IS_ERR(from_efv)) {
  1930. /* Not from our PF or representors, so probably a tunnel dev */
  1931. return efx_tc_flower_replace_foreign(efx, net_dev, tc);
  1932. }
  1933. if (efv != from_efv) {
  1934. /* can't happen */
  1935. NL_SET_ERR_MSG_FMT_MOD(extack, "for %s efv is %snull but from_efv is %snull (can't happen)",
  1936. netdev_name(net_dev), efv ? "non-" : "",
  1937. from_efv ? "non-" : "");
  1938. return -EINVAL;
  1939. }
  1940. /* Parse match */
  1941. memset(&match, 0, sizeof(match));
  1942. rc = efx_tc_flower_external_mport(efx, from_efv);
  1943. if (rc < 0) {
  1944. NL_SET_ERR_MSG_MOD(extack, "Failed to identify ingress m-port");
  1945. return rc;
  1946. }
  1947. match.value.ingress_port = rc;
  1948. match.mask.ingress_port = ~0;
  1949. rc = efx_tc_flower_parse_match(efx, fr, &match, extack);
  1950. if (rc)
  1951. return rc;
  1952. if (efx_tc_match_is_encap(&match.mask)) {
  1953. NL_SET_ERR_MSG_MOD(extack, "Ingress enc_key matches not supported");
  1954. return -EOPNOTSUPP;
  1955. }
  1956. if (efx_tc_rule_is_lhs_rule(fr, &match))
  1957. return efx_tc_flower_replace_lhs(efx, tc, fr, &match, efv,
  1958. net_dev);
  1959. /* chain_index 0 is always recirc_id 0 (and does not appear in recirc_ht).
  1960. * Conveniently, match.rid == NULL and match.value.recirc_id == 0 owing
  1961. * to the initial memset(), so we don't need to do anything in that case.
  1962. */
  1963. if (tc->common.chain_index) {
  1964. struct efx_tc_recirc_id *rid;
  1965. /* Note regarding passed net_dev:
  1966. * VFreps and PF can share chain namespace, as they have
  1967. * distinct ingress_mports. So we don't need to burn an
  1968. * extra recirc_id if both use the same chain_index.
  1969. * (Strictly speaking, we could give each VFrep its own
  1970. * recirc_id namespace that doesn't take IDs away from the
  1971. * PF, but that would require a bunch of additional IDAs -
  1972. * one for each representor - and that's not likely to be
  1973. * the main cause of recirc_id exhaustion anyway.)
  1974. */
  1975. rid = efx_tc_get_recirc_id(efx, tc->common.chain_index,
  1976. efx->net_dev);
  1977. if (IS_ERR(rid)) {
  1978. NL_SET_ERR_MSG_FMT_MOD(extack,
  1979. "Failed to allocate a hardware recirculation ID for chain_index %u",
  1980. tc->common.chain_index);
  1981. return PTR_ERR(rid);
  1982. }
  1983. match.rid = rid;
  1984. match.value.recirc_id = rid->fw_id;
  1985. }
  1986. match.mask.recirc_id = 0xff;
  1987. /* AR table can't match on DO_CT (+trk). But a commonly used pattern is
  1988. * +trk+est, which is strictly implied by +est, so rewrite it to that.
  1989. */
  1990. if (match.mask.ct_state_trk && match.value.ct_state_trk &&
  1991. match.mask.ct_state_est && match.value.ct_state_est)
  1992. match.mask.ct_state_trk = 0;
  1993. /* Thanks to CT_TCP_FLAGS_INHIBIT, packets with interesting flags could
  1994. * match +trk-est (CT_HIT=0) despite being on an established connection.
  1995. * So make -est imply -tcp_syn_fin_rst match to ensure these packets
  1996. * still hit the software path.
  1997. */
  1998. if (match.mask.ct_state_est && !match.value.ct_state_est) {
  1999. if (match.value.tcp_syn_fin_rst) {
  2000. /* Can't offload this combination */
  2001. rc = -EOPNOTSUPP;
  2002. goto release;
  2003. }
  2004. match.mask.tcp_syn_fin_rst = true;
  2005. }
  2006. rc = efx_mae_match_check_caps(efx, &match.mask, extack);
  2007. if (rc)
  2008. goto release;
  2009. rule = kzalloc_obj(*rule, GFP_USER);
  2010. if (!rule) {
  2011. rc = -ENOMEM;
  2012. goto release;
  2013. }
  2014. INIT_LIST_HEAD(&rule->acts.list);
  2015. rule->cookie = tc->cookie;
  2016. old = rhashtable_lookup_get_insert_fast(&efx->tc->match_action_ht,
  2017. &rule->linkage,
  2018. efx_tc_match_action_ht_params);
  2019. if (IS_ERR(old)) {
  2020. rc = PTR_ERR(old);
  2021. goto release;
  2022. } else if (old) {
  2023. netif_dbg(efx, drv, efx->net_dev,
  2024. "Already offloaded rule (cookie %lx)\n", tc->cookie);
  2025. NL_SET_ERR_MSG_MOD(extack, "Rule already offloaded");
  2026. rc = -EEXIST;
  2027. goto release;
  2028. }
  2029. /* Parse actions */
  2030. act = kzalloc_obj(*act, GFP_USER);
  2031. if (!act) {
  2032. rc = -ENOMEM;
  2033. goto release;
  2034. }
  2035. /**
  2036. * DOC: TC action translation
  2037. *
  2038. * Actions in TC are sequential and cumulative, with delivery actions
  2039. * potentially anywhere in the order. The EF100 MAE, however, takes
  2040. * an 'action set list' consisting of 'action sets', each of which is
  2041. * applied to the _original_ packet, and consists of a set of optional
  2042. * actions in a fixed order with delivery at the end.
  2043. * To translate between these two models, we maintain a 'cursor', @act,
  2044. * which describes the cumulative effect of all the packet-mutating
  2045. * actions encountered so far; on handling a delivery (mirred or drop)
  2046. * action, once the action-set has been inserted into hardware, we
  2047. * append @act to the action-set list (@rule->acts); if this is a pipe
  2048. * action (mirred mirror) we then allocate a new @act with a copy of
  2049. * the cursor state _before_ the delivery action, otherwise we set @act
  2050. * to %NULL.
  2051. * This ensures that every allocated action-set is either attached to
  2052. * @rule->acts or pointed to by @act (and never both), and that only
  2053. * those action-sets in @rule->acts exist in hardware. Consequently,
  2054. * in the failure path, @act only needs to be freed in memory, whereas
  2055. * for @rule->acts we remove each action-set from hardware before
  2056. * freeing it (efx_tc_free_action_set_list()), even if the action-set
  2057. * list itself is not in hardware.
  2058. */
  2059. flow_action_for_each(i, fa, &fr->action) {
  2060. struct efx_tc_action_set save;
  2061. u16 tci;
  2062. if (!act) {
  2063. /* more actions after a non-pipe action */
  2064. NL_SET_ERR_MSG_MOD(extack, "Action follows non-pipe action");
  2065. rc = -EINVAL;
  2066. goto release;
  2067. }
  2068. if ((fa->id == FLOW_ACTION_REDIRECT ||
  2069. fa->id == FLOW_ACTION_MIRRED ||
  2070. fa->id == FLOW_ACTION_DROP) && fa->hw_stats) {
  2071. struct efx_tc_counter_index *ctr;
  2072. /* Currently the only actions that want stats are
  2073. * mirred and gact (ok, shot, trap, goto-chain), which
  2074. * means we want stats just before delivery. Also,
  2075. * note that tunnel_key set shouldn't change the length
  2076. * — it's only the subsequent mirred that does that,
  2077. * and the stats are taken _before_ the mirred action
  2078. * happens.
  2079. */
  2080. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_COUNT)) {
  2081. /* All supported actions that count either steal
  2082. * (gact shot, mirred redirect) or clone act
  2083. * (mirred mirror), so we should never get two
  2084. * count actions on one action_set.
  2085. */
  2086. NL_SET_ERR_MSG_MOD(extack, "Count-action conflict (can't happen)");
  2087. rc = -EOPNOTSUPP;
  2088. goto release;
  2089. }
  2090. if (!(fa->hw_stats & FLOW_ACTION_HW_STATS_DELAYED)) {
  2091. NL_SET_ERR_MSG_FMT_MOD(extack, "hw_stats_type %u not supported (only 'delayed')",
  2092. fa->hw_stats);
  2093. rc = -EOPNOTSUPP;
  2094. goto release;
  2095. }
  2096. ctr = efx_tc_flower_get_counter_index(efx, tc->cookie,
  2097. EFX_TC_COUNTER_TYPE_AR);
  2098. if (IS_ERR(ctr)) {
  2099. rc = PTR_ERR(ctr);
  2100. NL_SET_ERR_MSG_MOD(extack, "Failed to obtain a counter");
  2101. goto release;
  2102. }
  2103. act->count = ctr;
  2104. INIT_LIST_HEAD(&act->count_user);
  2105. }
  2106. switch (fa->id) {
  2107. case FLOW_ACTION_DROP:
  2108. rc = efx_mae_alloc_action_set(efx, act);
  2109. if (rc) {
  2110. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (drop)");
  2111. goto release;
  2112. }
  2113. list_add_tail(&act->list, &rule->acts.list);
  2114. act = NULL; /* end of the line */
  2115. break;
  2116. case FLOW_ACTION_REDIRECT:
  2117. case FLOW_ACTION_MIRRED:
  2118. save = *act;
  2119. if (encap_info) {
  2120. struct efx_tc_encap_action *encap;
  2121. if (!efx_tc_flower_action_order_ok(act,
  2122. EFX_TC_AO_ENCAP)) {
  2123. rc = -EOPNOTSUPP;
  2124. NL_SET_ERR_MSG_MOD(extack, "Encap action violates action order");
  2125. goto release;
  2126. }
  2127. encap = efx_tc_flower_create_encap_md(
  2128. efx, encap_info, fa->dev, extack);
  2129. if (IS_ERR_OR_NULL(encap)) {
  2130. rc = PTR_ERR(encap);
  2131. if (!rc)
  2132. rc = -EIO; /* arbitrary */
  2133. goto release;
  2134. }
  2135. act->encap_md = encap;
  2136. list_add_tail(&act->encap_user, &encap->users);
  2137. act->dest_mport = encap->dest_mport;
  2138. act->deliver = 1;
  2139. if (act->count && !WARN_ON(!act->count->cnt)) {
  2140. /* This counter is used by an encap
  2141. * action, which needs a reference back
  2142. * so it can prod neighbouring whenever
  2143. * traffic is seen.
  2144. */
  2145. spin_lock_bh(&act->count->cnt->lock);
  2146. list_add_tail(&act->count_user,
  2147. &act->count->cnt->users);
  2148. spin_unlock_bh(&act->count->cnt->lock);
  2149. }
  2150. rc = efx_mae_alloc_action_set(efx, act);
  2151. if (rc) {
  2152. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (encap)");
  2153. goto release;
  2154. }
  2155. list_add_tail(&act->list, &rule->acts.list);
  2156. act->user = &rule->acts;
  2157. act = NULL;
  2158. if (fa->id == FLOW_ACTION_REDIRECT)
  2159. break; /* end of the line */
  2160. /* Mirror, so continue on with saved act */
  2161. save.count = NULL;
  2162. act = kzalloc_obj(*act, GFP_USER);
  2163. if (!act) {
  2164. rc = -ENOMEM;
  2165. goto release;
  2166. }
  2167. *act = save;
  2168. break;
  2169. }
  2170. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_DELIVER)) {
  2171. /* can't happen */
  2172. rc = -EOPNOTSUPP;
  2173. NL_SET_ERR_MSG_MOD(extack, "Deliver action violates action order (can't happen)");
  2174. goto release;
  2175. }
  2176. to_efv = efx_tc_flower_lookup_efv(efx, fa->dev);
  2177. if (IS_ERR(to_efv)) {
  2178. NL_SET_ERR_MSG_MOD(extack, "Mirred egress device not on switch");
  2179. rc = PTR_ERR(to_efv);
  2180. goto release;
  2181. }
  2182. rc = efx_tc_flower_external_mport(efx, to_efv);
  2183. if (rc < 0) {
  2184. NL_SET_ERR_MSG_MOD(extack, "Failed to identify egress m-port");
  2185. goto release;
  2186. }
  2187. act->dest_mport = rc;
  2188. act->deliver = 1;
  2189. rc = efx_mae_alloc_action_set(efx, act);
  2190. if (rc) {
  2191. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (mirred)");
  2192. goto release;
  2193. }
  2194. list_add_tail(&act->list, &rule->acts.list);
  2195. act = NULL;
  2196. if (fa->id == FLOW_ACTION_REDIRECT)
  2197. break; /* end of the line */
  2198. /* Mirror, so continue on with saved act */
  2199. save.count = NULL;
  2200. act = kzalloc_obj(*act, GFP_USER);
  2201. if (!act) {
  2202. rc = -ENOMEM;
  2203. goto release;
  2204. }
  2205. *act = save;
  2206. break;
  2207. case FLOW_ACTION_VLAN_POP:
  2208. if (act->vlan_push) {
  2209. act->vlan_push--;
  2210. } else if (efx_tc_flower_action_order_ok(act, EFX_TC_AO_VLAN_POP)) {
  2211. act->vlan_pop++;
  2212. } else {
  2213. NL_SET_ERR_MSG_MOD(extack,
  2214. "More than two VLAN pops, or action order violated");
  2215. rc = -EINVAL;
  2216. goto release;
  2217. }
  2218. break;
  2219. case FLOW_ACTION_VLAN_PUSH:
  2220. if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_VLAN_PUSH)) {
  2221. rc = -EINVAL;
  2222. NL_SET_ERR_MSG_MOD(extack,
  2223. "More than two VLAN pushes, or action order violated");
  2224. goto release;
  2225. }
  2226. tci = fa->vlan.vid & VLAN_VID_MASK;
  2227. tci |= fa->vlan.prio << VLAN_PRIO_SHIFT;
  2228. act->vlan_tci[act->vlan_push] = cpu_to_be16(tci);
  2229. act->vlan_proto[act->vlan_push] = fa->vlan.proto;
  2230. act->vlan_push++;
  2231. break;
  2232. case FLOW_ACTION_ADD:
  2233. rc = efx_tc_pedit_add(efx, act, fa, extack);
  2234. if (rc < 0)
  2235. goto release;
  2236. break;
  2237. case FLOW_ACTION_MANGLE:
  2238. rc = efx_tc_mangle(efx, act, fa, &mung, extack, &match);
  2239. if (rc < 0)
  2240. goto release;
  2241. break;
  2242. case FLOW_ACTION_TUNNEL_ENCAP:
  2243. if (encap_info) {
  2244. /* Can't specify encap multiple times.
  2245. * If you want to overwrite an existing
  2246. * encap_info, use an intervening
  2247. * FLOW_ACTION_TUNNEL_DECAP to clear it.
  2248. */
  2249. NL_SET_ERR_MSG_MOD(extack, "Tunnel key set when already set");
  2250. rc = -EINVAL;
  2251. goto release;
  2252. }
  2253. if (!fa->tunnel) {
  2254. NL_SET_ERR_MSG_MOD(extack, "Tunnel key set is missing key");
  2255. rc = -EOPNOTSUPP;
  2256. goto release;
  2257. }
  2258. encap_info = fa->tunnel;
  2259. break;
  2260. case FLOW_ACTION_TUNNEL_DECAP:
  2261. if (encap_info) {
  2262. encap_info = NULL;
  2263. break;
  2264. }
  2265. /* Since we don't support enc_key matches on ingress
  2266. * (and if we did there'd be no tunnel-device to give
  2267. * us a type), we can't offload a decap that's not
  2268. * just undoing a previous encap action.
  2269. */
  2270. NL_SET_ERR_MSG_MOD(extack, "Cannot offload tunnel decap action without tunnel device");
  2271. rc = -EOPNOTSUPP;
  2272. goto release;
  2273. case FLOW_ACTION_CT:
  2274. if (fa->ct.action != TCA_CT_ACT_NAT) {
  2275. rc = -EOPNOTSUPP;
  2276. NL_SET_ERR_MSG_FMT_MOD(extack, "Can only offload CT 'nat' action in RHS rules, not %d", fa->ct.action);
  2277. goto release;
  2278. }
  2279. act->do_nat = 1;
  2280. break;
  2281. default:
  2282. NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled action %u",
  2283. fa->id);
  2284. rc = -EOPNOTSUPP;
  2285. goto release;
  2286. }
  2287. }
  2288. rc = efx_tc_incomplete_mangle(&mung, extack);
  2289. if (rc < 0)
  2290. goto release;
  2291. if (act) {
  2292. /* Not shot/redirected, so deliver to default dest */
  2293. if (from_efv == EFX_EFV_PF)
  2294. /* Rule applies to traffic from the wire,
  2295. * and default dest is thus the PF
  2296. */
  2297. efx_mae_mport_uplink(efx, &act->dest_mport);
  2298. else
  2299. /* Representor, so rule applies to traffic from
  2300. * representee, and default dest is thus the rep.
  2301. * All reps use the same mport for delivery
  2302. */
  2303. efx_mae_mport_mport(efx, efx->tc->reps_mport_id,
  2304. &act->dest_mport);
  2305. act->deliver = 1;
  2306. rc = efx_mae_alloc_action_set(efx, act);
  2307. if (rc) {
  2308. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (deliver)");
  2309. goto release;
  2310. }
  2311. list_add_tail(&act->list, &rule->acts.list);
  2312. act = NULL; /* Prevent double-free in error path */
  2313. }
  2314. netif_dbg(efx, drv, efx->net_dev,
  2315. "Successfully parsed filter (cookie %lx)\n",
  2316. tc->cookie);
  2317. rule->match = match;
  2318. rc = efx_mae_alloc_action_set_list(efx, &rule->acts);
  2319. if (rc) {
  2320. NL_SET_ERR_MSG_MOD(extack, "Failed to write action set list to hw");
  2321. goto release;
  2322. }
  2323. if (from_efv == EFX_EFV_PF)
  2324. /* PF netdev, so rule applies to traffic from wire */
  2325. rule->fallback = &efx->tc->facts.pf;
  2326. else
  2327. /* repdev, so rule applies to traffic from representee */
  2328. rule->fallback = &efx->tc->facts.reps;
  2329. if (!efx_tc_check_ready(efx, rule)) {
  2330. netif_dbg(efx, drv, efx->net_dev, "action not ready for hw\n");
  2331. acts_id = rule->fallback->fw_id;
  2332. } else {
  2333. netif_dbg(efx, drv, efx->net_dev, "ready for hw\n");
  2334. acts_id = rule->acts.fw_id;
  2335. }
  2336. rc = efx_mae_insert_rule(efx, &rule->match, EFX_TC_PRIO_TC,
  2337. acts_id, &rule->fw_id);
  2338. if (rc) {
  2339. NL_SET_ERR_MSG_MOD(extack, "Failed to insert rule in hw");
  2340. goto release_acts;
  2341. }
  2342. return 0;
  2343. release_acts:
  2344. efx_mae_free_action_set_list(efx, &rule->acts);
  2345. release:
  2346. /* We failed to insert the rule, so free up any entries we created in
  2347. * subsidiary tables.
  2348. */
  2349. if (match.rid)
  2350. efx_tc_put_recirc_id(efx, match.rid);
  2351. if (act)
  2352. efx_tc_free_action_set(efx, act, false);
  2353. if (rule) {
  2354. if (!old)
  2355. rhashtable_remove_fast(&efx->tc->match_action_ht,
  2356. &rule->linkage,
  2357. efx_tc_match_action_ht_params);
  2358. efx_tc_free_action_set_list(efx, &rule->acts, false);
  2359. }
  2360. kfree(rule);
  2361. return rc;
  2362. }
  2363. static int efx_tc_flower_destroy(struct efx_nic *efx,
  2364. struct net_device *net_dev,
  2365. struct flow_cls_offload *tc)
  2366. {
  2367. struct netlink_ext_ack *extack = tc->common.extack;
  2368. struct efx_tc_lhs_rule *lhs_rule;
  2369. struct efx_tc_flow_rule *rule;
  2370. lhs_rule = rhashtable_lookup_fast(&efx->tc->lhs_rule_ht, &tc->cookie,
  2371. efx_tc_lhs_rule_ht_params);
  2372. if (lhs_rule) {
  2373. /* Remove it from HW */
  2374. efx_mae_remove_lhs_rule(efx, lhs_rule);
  2375. /* Delete it from SW */
  2376. efx_tc_flower_release_lhs_actions(efx, &lhs_rule->lhs_act);
  2377. rhashtable_remove_fast(&efx->tc->lhs_rule_ht, &lhs_rule->linkage,
  2378. efx_tc_lhs_rule_ht_params);
  2379. if (lhs_rule->match.encap)
  2380. efx_tc_flower_release_encap_match(efx, lhs_rule->match.encap);
  2381. netif_dbg(efx, drv, efx->net_dev, "Removed (lhs) filter %lx\n",
  2382. lhs_rule->cookie);
  2383. kfree(lhs_rule);
  2384. return 0;
  2385. }
  2386. rule = rhashtable_lookup_fast(&efx->tc->match_action_ht, &tc->cookie,
  2387. efx_tc_match_action_ht_params);
  2388. if (!rule) {
  2389. /* Only log a message if we're the ingress device. Otherwise
  2390. * it's a foreign filter and we might just not have been
  2391. * interested (e.g. we might not have been the egress device
  2392. * either).
  2393. */
  2394. if (!IS_ERR(efx_tc_flower_lookup_efv(efx, net_dev)))
  2395. netif_warn(efx, drv, efx->net_dev,
  2396. "Filter %lx not found to remove\n", tc->cookie);
  2397. NL_SET_ERR_MSG_MOD(extack, "Flow cookie not found in offloaded rules");
  2398. return -ENOENT;
  2399. }
  2400. /* Remove it from HW */
  2401. efx_tc_delete_rule(efx, rule);
  2402. /* Delete it from SW */
  2403. rhashtable_remove_fast(&efx->tc->match_action_ht, &rule->linkage,
  2404. efx_tc_match_action_ht_params);
  2405. netif_dbg(efx, drv, efx->net_dev, "Removed filter %lx\n", rule->cookie);
  2406. kfree(rule);
  2407. return 0;
  2408. }
  2409. static int efx_tc_flower_stats(struct efx_nic *efx, struct net_device *net_dev,
  2410. struct flow_cls_offload *tc)
  2411. {
  2412. struct netlink_ext_ack *extack = tc->common.extack;
  2413. struct efx_tc_counter_index *ctr;
  2414. struct efx_tc_counter *cnt;
  2415. u64 packets, bytes;
  2416. ctr = efx_tc_flower_find_counter_index(efx, tc->cookie);
  2417. if (!ctr) {
  2418. /* See comment in efx_tc_flower_destroy() */
  2419. if (!IS_ERR(efx_tc_flower_lookup_efv(efx, net_dev)))
  2420. if (net_ratelimit())
  2421. netif_warn(efx, drv, efx->net_dev,
  2422. "Filter %lx not found for stats\n",
  2423. tc->cookie);
  2424. NL_SET_ERR_MSG_MOD(extack, "Flow cookie not found in offloaded rules");
  2425. return -ENOENT;
  2426. }
  2427. if (WARN_ON(!ctr->cnt)) /* can't happen */
  2428. return -EIO;
  2429. cnt = ctr->cnt;
  2430. spin_lock_bh(&cnt->lock);
  2431. /* Report only new pkts/bytes since last time TC asked */
  2432. packets = cnt->packets;
  2433. bytes = cnt->bytes;
  2434. flow_stats_update(&tc->stats, bytes - cnt->old_bytes,
  2435. packets - cnt->old_packets, 0, cnt->touched,
  2436. FLOW_ACTION_HW_STATS_DELAYED);
  2437. cnt->old_packets = packets;
  2438. cnt->old_bytes = bytes;
  2439. spin_unlock_bh(&cnt->lock);
  2440. return 0;
  2441. }
  2442. int efx_tc_flower(struct efx_nic *efx, struct net_device *net_dev,
  2443. struct flow_cls_offload *tc, struct efx_rep *efv)
  2444. {
  2445. int rc;
  2446. if (!efx->tc)
  2447. return -EOPNOTSUPP;
  2448. mutex_lock(&efx->tc->mutex);
  2449. switch (tc->command) {
  2450. case FLOW_CLS_REPLACE:
  2451. rc = efx_tc_flower_replace(efx, net_dev, tc, efv);
  2452. break;
  2453. case FLOW_CLS_DESTROY:
  2454. rc = efx_tc_flower_destroy(efx, net_dev, tc);
  2455. break;
  2456. case FLOW_CLS_STATS:
  2457. rc = efx_tc_flower_stats(efx, net_dev, tc);
  2458. break;
  2459. default:
  2460. rc = -EOPNOTSUPP;
  2461. break;
  2462. }
  2463. mutex_unlock(&efx->tc->mutex);
  2464. return rc;
  2465. }
  2466. static int efx_tc_configure_default_rule(struct efx_nic *efx, u32 ing_port,
  2467. u32 eg_port, struct efx_tc_flow_rule *rule)
  2468. {
  2469. struct efx_tc_action_set_list *acts = &rule->acts;
  2470. struct efx_tc_match *match = &rule->match;
  2471. struct efx_tc_action_set *act;
  2472. int rc;
  2473. match->value.ingress_port = ing_port;
  2474. match->mask.ingress_port = ~0;
  2475. act = kzalloc_obj(*act);
  2476. if (!act)
  2477. return -ENOMEM;
  2478. act->deliver = 1;
  2479. act->dest_mport = eg_port;
  2480. rc = efx_mae_alloc_action_set(efx, act);
  2481. if (rc)
  2482. goto fail1;
  2483. EFX_WARN_ON_PARANOID(!list_empty(&acts->list));
  2484. list_add_tail(&act->list, &acts->list);
  2485. rc = efx_mae_alloc_action_set_list(efx, acts);
  2486. if (rc)
  2487. goto fail2;
  2488. rc = efx_mae_insert_rule(efx, match, EFX_TC_PRIO_DFLT,
  2489. acts->fw_id, &rule->fw_id);
  2490. if (rc)
  2491. goto fail3;
  2492. return 0;
  2493. fail3:
  2494. efx_mae_free_action_set_list(efx, acts);
  2495. fail2:
  2496. list_del(&act->list);
  2497. efx_mae_free_action_set(efx, act->fw_id);
  2498. fail1:
  2499. kfree(act);
  2500. return rc;
  2501. }
  2502. static int efx_tc_configure_default_rule_pf(struct efx_nic *efx)
  2503. {
  2504. struct efx_tc_flow_rule *rule = &efx->tc->dflt.pf;
  2505. u32 ing_port, eg_port;
  2506. efx_mae_mport_uplink(efx, &ing_port);
  2507. efx_mae_mport_wire(efx, &eg_port);
  2508. return efx_tc_configure_default_rule(efx, ing_port, eg_port, rule);
  2509. }
  2510. static int efx_tc_configure_default_rule_wire(struct efx_nic *efx)
  2511. {
  2512. struct efx_tc_flow_rule *rule = &efx->tc->dflt.wire;
  2513. u32 ing_port, eg_port;
  2514. efx_mae_mport_wire(efx, &ing_port);
  2515. efx_mae_mport_uplink(efx, &eg_port);
  2516. return efx_tc_configure_default_rule(efx, ing_port, eg_port, rule);
  2517. }
  2518. int efx_tc_configure_default_rule_rep(struct efx_rep *efv)
  2519. {
  2520. struct efx_tc_flow_rule *rule = &efv->dflt;
  2521. struct efx_nic *efx = efv->parent;
  2522. u32 ing_port, eg_port;
  2523. efx_mae_mport_mport(efx, efv->mport, &ing_port);
  2524. efx_mae_mport_mport(efx, efx->tc->reps_mport_id, &eg_port);
  2525. return efx_tc_configure_default_rule(efx, ing_port, eg_port, rule);
  2526. }
  2527. void efx_tc_deconfigure_default_rule(struct efx_nic *efx,
  2528. struct efx_tc_flow_rule *rule)
  2529. {
  2530. if (rule->fw_id != MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL)
  2531. efx_tc_delete_rule(efx, rule);
  2532. rule->fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL;
  2533. }
  2534. static int efx_tc_configure_fallback_acts(struct efx_nic *efx, u32 eg_port,
  2535. struct efx_tc_action_set_list *acts)
  2536. {
  2537. struct efx_tc_action_set *act;
  2538. int rc;
  2539. act = kzalloc_obj(*act);
  2540. if (!act)
  2541. return -ENOMEM;
  2542. act->deliver = 1;
  2543. act->dest_mport = eg_port;
  2544. rc = efx_mae_alloc_action_set(efx, act);
  2545. if (rc)
  2546. goto fail1;
  2547. EFX_WARN_ON_PARANOID(!list_empty(&acts->list));
  2548. list_add_tail(&act->list, &acts->list);
  2549. rc = efx_mae_alloc_action_set_list(efx, acts);
  2550. if (rc)
  2551. goto fail2;
  2552. return 0;
  2553. fail2:
  2554. list_del(&act->list);
  2555. efx_mae_free_action_set(efx, act->fw_id);
  2556. fail1:
  2557. kfree(act);
  2558. return rc;
  2559. }
  2560. static int efx_tc_configure_fallback_acts_pf(struct efx_nic *efx)
  2561. {
  2562. struct efx_tc_action_set_list *acts = &efx->tc->facts.pf;
  2563. u32 eg_port;
  2564. efx_mae_mport_uplink(efx, &eg_port);
  2565. return efx_tc_configure_fallback_acts(efx, eg_port, acts);
  2566. }
  2567. static int efx_tc_configure_fallback_acts_reps(struct efx_nic *efx)
  2568. {
  2569. struct efx_tc_action_set_list *acts = &efx->tc->facts.reps;
  2570. u32 eg_port;
  2571. efx_mae_mport_mport(efx, efx->tc->reps_mport_id, &eg_port);
  2572. return efx_tc_configure_fallback_acts(efx, eg_port, acts);
  2573. }
  2574. static void efx_tc_deconfigure_fallback_acts(struct efx_nic *efx,
  2575. struct efx_tc_action_set_list *acts)
  2576. {
  2577. efx_tc_free_action_set_list(efx, acts, true);
  2578. }
  2579. static int efx_tc_configure_rep_mport(struct efx_nic *efx)
  2580. {
  2581. u32 rep_mport_label;
  2582. int rc;
  2583. rc = efx_mae_allocate_mport(efx, &efx->tc->reps_mport_id, &rep_mport_label);
  2584. if (rc)
  2585. return rc;
  2586. pci_dbg(efx->pci_dev, "created rep mport 0x%08x (0x%04x)\n",
  2587. efx->tc->reps_mport_id, rep_mport_label);
  2588. /* Use mport *selector* as vport ID */
  2589. efx_mae_mport_mport(efx, efx->tc->reps_mport_id,
  2590. &efx->tc->reps_mport_vport_id);
  2591. return 0;
  2592. }
  2593. static void efx_tc_deconfigure_rep_mport(struct efx_nic *efx)
  2594. {
  2595. efx_mae_free_mport(efx, efx->tc->reps_mport_id);
  2596. efx->tc->reps_mport_id = MAE_MPORT_SELECTOR_NULL;
  2597. }
  2598. int efx_tc_insert_rep_filters(struct efx_nic *efx)
  2599. {
  2600. struct efx_filter_spec promisc, allmulti;
  2601. int rc;
  2602. if (efx->type->is_vf)
  2603. return 0;
  2604. if (!efx->tc)
  2605. return 0;
  2606. efx_filter_init_rx(&promisc, EFX_FILTER_PRI_REQUIRED, 0, 0);
  2607. efx_filter_set_uc_def(&promisc);
  2608. efx_filter_set_vport_id(&promisc, efx->tc->reps_mport_vport_id);
  2609. rc = efx_filter_insert_filter(efx, &promisc, false);
  2610. if (rc < 0)
  2611. return rc;
  2612. efx->tc->reps_filter_uc = rc;
  2613. efx_filter_init_rx(&allmulti, EFX_FILTER_PRI_REQUIRED, 0, 0);
  2614. efx_filter_set_mc_def(&allmulti);
  2615. efx_filter_set_vport_id(&allmulti, efx->tc->reps_mport_vport_id);
  2616. rc = efx_filter_insert_filter(efx, &allmulti, false);
  2617. if (rc < 0)
  2618. return rc;
  2619. efx->tc->reps_filter_mc = rc;
  2620. return 0;
  2621. }
  2622. void efx_tc_remove_rep_filters(struct efx_nic *efx)
  2623. {
  2624. if (efx->type->is_vf)
  2625. return;
  2626. if (!efx->tc)
  2627. return;
  2628. if (efx->tc->reps_filter_mc >= 0)
  2629. efx_filter_remove_id_safe(efx, EFX_FILTER_PRI_REQUIRED, efx->tc->reps_filter_mc);
  2630. efx->tc->reps_filter_mc = -1;
  2631. if (efx->tc->reps_filter_uc >= 0)
  2632. efx_filter_remove_id_safe(efx, EFX_FILTER_PRI_REQUIRED, efx->tc->reps_filter_uc);
  2633. efx->tc->reps_filter_uc = -1;
  2634. }
  2635. int efx_init_tc(struct efx_nic *efx)
  2636. {
  2637. int rc;
  2638. rc = efx_mae_get_caps(efx, efx->tc->caps);
  2639. if (rc)
  2640. return rc;
  2641. if (efx->tc->caps->match_field_count > MAE_NUM_FIELDS)
  2642. /* Firmware supports some match fields the driver doesn't know
  2643. * about. Not fatal, unless any of those fields are required
  2644. * (MAE_FIELD_SUPPORTED_MATCH_ALWAYS) but if so we don't know.
  2645. */
  2646. netif_warn(efx, probe, efx->net_dev,
  2647. "FW reports additional match fields %u\n",
  2648. efx->tc->caps->match_field_count);
  2649. if (efx->tc->caps->action_prios < EFX_TC_PRIO__NUM) {
  2650. netif_err(efx, probe, efx->net_dev,
  2651. "Too few action prios supported (have %u, need %u)\n",
  2652. efx->tc->caps->action_prios, EFX_TC_PRIO__NUM);
  2653. return -EIO;
  2654. }
  2655. rc = efx_tc_configure_default_rule_pf(efx);
  2656. if (rc)
  2657. return rc;
  2658. rc = efx_tc_configure_default_rule_wire(efx);
  2659. if (rc)
  2660. return rc;
  2661. rc = efx_tc_configure_rep_mport(efx);
  2662. if (rc)
  2663. return rc;
  2664. rc = efx_tc_configure_fallback_acts_pf(efx);
  2665. if (rc)
  2666. return rc;
  2667. rc = efx_tc_configure_fallback_acts_reps(efx);
  2668. if (rc)
  2669. return rc;
  2670. rc = efx_mae_get_tables(efx);
  2671. if (rc)
  2672. return rc;
  2673. rc = flow_indr_dev_register(efx_tc_indr_setup_cb, efx);
  2674. if (rc)
  2675. goto out_free;
  2676. efx->tc->up = true;
  2677. return 0;
  2678. out_free:
  2679. efx_mae_free_tables(efx);
  2680. return rc;
  2681. }
  2682. void efx_fini_tc(struct efx_nic *efx)
  2683. {
  2684. /* We can get called even if efx_init_struct_tc() failed */
  2685. if (!efx->tc)
  2686. return;
  2687. if (efx->tc->up)
  2688. flow_indr_dev_unregister(efx_tc_indr_setup_cb, efx, efx_tc_block_unbind);
  2689. efx_tc_deconfigure_rep_mport(efx);
  2690. efx_tc_deconfigure_default_rule(efx, &efx->tc->dflt.pf);
  2691. efx_tc_deconfigure_default_rule(efx, &efx->tc->dflt.wire);
  2692. efx_tc_deconfigure_fallback_acts(efx, &efx->tc->facts.pf);
  2693. efx_tc_deconfigure_fallback_acts(efx, &efx->tc->facts.reps);
  2694. efx->tc->up = false;
  2695. efx_mae_free_tables(efx);
  2696. }
  2697. /* At teardown time, all TC filter rules (and thus all resources they created)
  2698. * should already have been removed. If we find any in our hashtables, make a
  2699. * cursory attempt to clean up the software side.
  2700. */
  2701. static void efx_tc_encap_match_free(void *ptr, void *__unused)
  2702. {
  2703. struct efx_tc_encap_match *encap = ptr;
  2704. WARN_ON(refcount_read(&encap->ref));
  2705. kfree(encap);
  2706. }
  2707. static void efx_tc_recirc_free(void *ptr, void *arg)
  2708. {
  2709. struct efx_tc_recirc_id *rid = ptr;
  2710. struct efx_nic *efx = arg;
  2711. WARN_ON(refcount_read(&rid->ref));
  2712. ida_free(&efx->tc->recirc_ida, rid->fw_id);
  2713. kfree(rid);
  2714. }
  2715. static void efx_tc_lhs_free(void *ptr, void *arg)
  2716. {
  2717. struct efx_tc_lhs_rule *rule = ptr;
  2718. struct efx_nic *efx = arg;
  2719. netif_err(efx, drv, efx->net_dev,
  2720. "tc lhs_rule %lx still present at teardown, removing\n",
  2721. rule->cookie);
  2722. if (rule->lhs_act.zone)
  2723. efx_tc_ct_unregister_zone(efx, rule->lhs_act.zone);
  2724. if (rule->lhs_act.count)
  2725. efx_tc_flower_put_counter_index(efx, rule->lhs_act.count);
  2726. efx_mae_remove_lhs_rule(efx, rule);
  2727. kfree(rule);
  2728. }
  2729. static void efx_tc_mac_free(void *ptr, void *__unused)
  2730. {
  2731. struct efx_tc_mac_pedit_action *ped = ptr;
  2732. WARN_ON(refcount_read(&ped->ref));
  2733. kfree(ped);
  2734. }
  2735. static void efx_tc_flow_free(void *ptr, void *arg)
  2736. {
  2737. struct efx_tc_flow_rule *rule = ptr;
  2738. struct efx_nic *efx = arg;
  2739. netif_err(efx, drv, efx->net_dev,
  2740. "tc rule %lx still present at teardown, removing\n",
  2741. rule->cookie);
  2742. /* Also releases entries in subsidiary tables */
  2743. efx_tc_delete_rule(efx, rule);
  2744. kfree(rule);
  2745. }
  2746. int efx_init_struct_tc(struct efx_nic *efx)
  2747. {
  2748. int rc;
  2749. if (efx->type->is_vf)
  2750. return 0;
  2751. efx->tc = kzalloc_obj(*efx->tc);
  2752. if (!efx->tc)
  2753. return -ENOMEM;
  2754. efx->tc->caps = kzalloc_obj(struct mae_caps);
  2755. if (!efx->tc->caps) {
  2756. rc = -ENOMEM;
  2757. goto fail_alloc_caps;
  2758. }
  2759. INIT_LIST_HEAD(&efx->tc->block_list);
  2760. mutex_init(&efx->tc->mutex);
  2761. init_waitqueue_head(&efx->tc->flush_wq);
  2762. rc = efx_tc_init_encap_actions(efx);
  2763. if (rc < 0)
  2764. goto fail_encap_actions;
  2765. rc = efx_tc_init_counters(efx);
  2766. if (rc < 0)
  2767. goto fail_counters;
  2768. rc = rhashtable_init(&efx->tc->mac_ht, &efx_tc_mac_ht_params);
  2769. if (rc < 0)
  2770. goto fail_mac_ht;
  2771. rc = rhashtable_init(&efx->tc->encap_match_ht, &efx_tc_encap_match_ht_params);
  2772. if (rc < 0)
  2773. goto fail_encap_match_ht;
  2774. rc = rhashtable_init(&efx->tc->match_action_ht, &efx_tc_match_action_ht_params);
  2775. if (rc < 0)
  2776. goto fail_match_action_ht;
  2777. rc = rhashtable_init(&efx->tc->lhs_rule_ht, &efx_tc_lhs_rule_ht_params);
  2778. if (rc < 0)
  2779. goto fail_lhs_rule_ht;
  2780. rc = efx_tc_init_conntrack(efx);
  2781. if (rc < 0)
  2782. goto fail_conntrack;
  2783. rc = rhashtable_init(&efx->tc->recirc_ht, &efx_tc_recirc_ht_params);
  2784. if (rc < 0)
  2785. goto fail_recirc_ht;
  2786. ida_init(&efx->tc->recirc_ida);
  2787. efx->tc->reps_filter_uc = -1;
  2788. efx->tc->reps_filter_mc = -1;
  2789. INIT_LIST_HEAD(&efx->tc->dflt.pf.acts.list);
  2790. efx->tc->dflt.pf.fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL;
  2791. INIT_LIST_HEAD(&efx->tc->dflt.wire.acts.list);
  2792. efx->tc->dflt.wire.fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL;
  2793. INIT_LIST_HEAD(&efx->tc->facts.pf.list);
  2794. efx->tc->facts.pf.fw_id = MC_CMD_MAE_ACTION_SET_ALLOC_OUT_ACTION_SET_ID_NULL;
  2795. INIT_LIST_HEAD(&efx->tc->facts.reps.list);
  2796. efx->tc->facts.reps.fw_id = MC_CMD_MAE_ACTION_SET_ALLOC_OUT_ACTION_SET_ID_NULL;
  2797. efx->extra_channel_type[EFX_EXTRA_CHANNEL_TC] = &efx_tc_channel_type;
  2798. return 0;
  2799. fail_recirc_ht:
  2800. efx_tc_destroy_conntrack(efx);
  2801. fail_conntrack:
  2802. rhashtable_destroy(&efx->tc->lhs_rule_ht);
  2803. fail_lhs_rule_ht:
  2804. rhashtable_destroy(&efx->tc->match_action_ht);
  2805. fail_match_action_ht:
  2806. rhashtable_destroy(&efx->tc->encap_match_ht);
  2807. fail_encap_match_ht:
  2808. rhashtable_destroy(&efx->tc->mac_ht);
  2809. fail_mac_ht:
  2810. efx_tc_destroy_counters(efx);
  2811. fail_counters:
  2812. efx_tc_destroy_encap_actions(efx);
  2813. fail_encap_actions:
  2814. mutex_destroy(&efx->tc->mutex);
  2815. kfree(efx->tc->caps);
  2816. fail_alloc_caps:
  2817. kfree(efx->tc);
  2818. efx->tc = NULL;
  2819. return rc;
  2820. }
  2821. void efx_fini_struct_tc(struct efx_nic *efx)
  2822. {
  2823. if (!efx->tc)
  2824. return;
  2825. mutex_lock(&efx->tc->mutex);
  2826. EFX_WARN_ON_PARANOID(efx->tc->dflt.pf.fw_id !=
  2827. MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL);
  2828. EFX_WARN_ON_PARANOID(efx->tc->dflt.wire.fw_id !=
  2829. MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL);
  2830. EFX_WARN_ON_PARANOID(efx->tc->facts.pf.fw_id !=
  2831. MC_CMD_MAE_ACTION_SET_LIST_ALLOC_OUT_ACTION_SET_LIST_ID_NULL);
  2832. EFX_WARN_ON_PARANOID(efx->tc->facts.reps.fw_id !=
  2833. MC_CMD_MAE_ACTION_SET_LIST_ALLOC_OUT_ACTION_SET_LIST_ID_NULL);
  2834. rhashtable_free_and_destroy(&efx->tc->lhs_rule_ht, efx_tc_lhs_free, efx);
  2835. rhashtable_free_and_destroy(&efx->tc->match_action_ht, efx_tc_flow_free,
  2836. efx);
  2837. rhashtable_free_and_destroy(&efx->tc->encap_match_ht,
  2838. efx_tc_encap_match_free, NULL);
  2839. efx_tc_fini_conntrack(efx);
  2840. rhashtable_free_and_destroy(&efx->tc->recirc_ht, efx_tc_recirc_free, efx);
  2841. WARN_ON(!ida_is_empty(&efx->tc->recirc_ida));
  2842. ida_destroy(&efx->tc->recirc_ida);
  2843. rhashtable_free_and_destroy(&efx->tc->mac_ht, efx_tc_mac_free, NULL);
  2844. efx_tc_fini_counters(efx);
  2845. efx_tc_fini_encap_actions(efx);
  2846. mutex_unlock(&efx->tc->mutex);
  2847. mutex_destroy(&efx->tc->mutex);
  2848. kfree(efx->tc->caps);
  2849. kfree(efx->tc);
  2850. efx->tc = NULL;
  2851. }