// SPDX-License-Identifier: GPL-2.0-only /**************************************************************************** * Driver for Solarflare network controllers and boards * Copyright 2019 Solarflare Communications Inc. * Copyright 2020-2022 Xilinx Inc. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 as published * by the Free Software Foundation, incorporated herein by reference.
*/
enum efx_encap_type efx_tc_indr_netdev_type(struct net_device *net_dev)
{ if (netif_is_vxlan(net_dev)) return EFX_ENCAP_TYPE_VXLAN; if (netif_is_geneve(net_dev)) return EFX_ENCAP_TYPE_GENEVE;
return EFX_ENCAP_TYPE_NONE;
}
#define EFX_TC_HDR_TYPE_TTL_MASK ((u32)0xff) /* Hoplimit is stored in the most significant byte in the pedit ipv6 header action */ #define EFX_TC_HDR_TYPE_HLIMIT_MASK ~((u32)0xff000000) #define EFX_EFV_PF NULL /* Look up the representor information (efv) for a device. * May return NULL for the PF (us), or an error pointer for a device that * isn't supported as a TC offload endpoint
*/ struct efx_rep *efx_tc_flower_lookup_efv(struct efx_nic *efx, struct net_device *dev)
{ struct efx_rep *efv;
if (!dev) return ERR_PTR(-EOPNOTSUPP); /* Is it us (the PF)? */ if (dev == efx->net_dev) return EFX_EFV_PF; /* Is it an efx vfrep at all? */ if (dev->netdev_ops != &efx_ef100_rep_netdev_ops) return ERR_PTR(-EOPNOTSUPP); /* Is it ours? We don't support TC rules that include another * EF100's netdevices (not even on another port of the same NIC).
*/
efv = netdev_priv(dev); if (efv->parent != efx) return ERR_PTR(-EOPNOTSUPP); return efv;
}
/* Convert a driver-internal vport ID into an internal device (PF or VF) */ static s64 efx_tc_flower_internal_mport(struct efx_nic *efx, struct efx_rep *efv)
{
u32 mport;
if (IS_ERR(efv)) return PTR_ERR(efv); if (!efv) /* device is PF (us) */
efx_mae_mport_uplink(efx, &mport); else/* device is repr */
efx_mae_mport_mport(efx, efv->mport, &mport); return mport;
}
/* Convert a driver-internal vport ID into an external device (wire or VF) */
s64 efx_tc_flower_external_mport(struct efx_nic *efx, struct efx_rep *efv)
{
u32 mport;
if (IS_ERR(efv)) return PTR_ERR(efv); if (!efv) /* device is PF (us) */
efx_mae_mport_wire(efx, &mport); else/* device is repr */
efx_mae_mport_mport(efx, efv->mport, &mport); return mport;
}
staticvoid efx_tc_flower_put_mac(struct efx_nic *efx, struct efx_tc_mac_pedit_action *ped)
{ if (!refcount_dec_and_test(&ped->ref)) return; /* still in use */
rhashtable_remove_fast(&efx->tc->mac_ht, &ped->linkage,
efx_tc_mac_ht_params);
efx_mae_free_pedit_mac(efx, ped);
kfree(ped);
}
staticvoid efx_tc_free_action_set(struct efx_nic *efx, struct efx_tc_action_set *act, bool in_hw)
{ /* Failure paths calling this on the 'cursor' action set in_hw=false, * because if the alloc had succeeded we'd've put it in acts.list and * not still have it in act.
*/ if (in_hw) {
efx_mae_free_action_set(efx, act->fw_id); /* in_hw is true iff we are on an acts.list; make sure to * remove ourselves from that list before we are freed.
*/
list_del(&act->list);
} if (act->count) {
spin_lock_bh(&act->count->cnt->lock); if (!list_empty(&act->count_user))
list_del(&act->count_user);
spin_unlock_bh(&act->count->cnt->lock);
efx_tc_flower_put_counter_index(efx, act->count);
} if (act->encap_md) {
list_del(&act->encap_user);
efx_tc_flower_release_encap_md(efx, act->encap_md);
} if (act->src_mac)
efx_tc_flower_put_mac(efx, act->src_mac); if (act->dst_mac)
efx_tc_flower_put_mac(efx, act->dst_mac);
kfree(act);
}
/* Failure paths set in_hw=false, because usually the acts didn't get * to efx_mae_alloc_action_set_list(); if they did, the failure tree * has a separate efx_mae_free_action_set_list() before calling us.
*/ if (in_hw)
efx_mae_free_action_set_list(efx, acts); /* Any act that's on the list will be in_hw even if the list isn't */
list_for_each_entry_safe(act, next, &acts->list, list)
efx_tc_free_action_set(efx, act, true); /* Don't kfree, as acts is embedded inside a struct efx_tc_flow_rule */
}
/* Owing to internal TC infelicities, the IPV6_ADDRS key might be set * even on IPv4 filters; so rather than relying on dissector->used_keys * we check the addr_type in the CONTROL key. If we don't find it (or * it's masked, which should never happen), we treat both IPV4_ADDRS * and IPV6_ADDRS as absent.
*/ if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) { struct flow_match_control fm;
flow_rule_match_control(rule, &fm); if (IS_ALL_ONES(fm.mask->addr_type)) switch (fm.key->addr_type) { case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
ipv = 4; break; case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
ipv = 6; break; default: break;
}
if (memchr_inv(fm.mask->ct_labels, 0, sizeof(fm.mask->ct_labels))) {
NL_SET_ERR_MSG_MOD(extack, "Matching on ct_label not supported"); return -EOPNOTSUPP;
}
}
return 0;
}
staticvoid efx_tc_flower_release_encap_match(struct efx_nic *efx, struct efx_tc_encap_match *encap)
{ int rc;
if (!refcount_dec_and_test(&encap->ref)) return; /* still in use */
if (encap->type == EFX_TC_EM_DIRECT) {
rc = efx_mae_unregister_encap_match(efx, encap); if (rc) /* Display message but carry on and remove entry from our * SW tables, because there's not much we can do about it.
*/
netif_err(efx, drv, efx->net_dev, "Failed to release encap match %#x, rc %d\n",
encap->fw_id, rc);
}
rhashtable_remove_fast(&efx->tc->encap_match_ht, &encap->linkage,
efx_tc_encap_match_ht_params); if (encap->pseudo)
efx_tc_flower_release_encap_match(efx, encap->pseudo);
kfree(encap);
}
/* We require that the socket-defining fields (IP addrs and UDP dest * port) are present and exact-match. Other fields may only be used * if the field-set (and any masks) are the same for all encap * matches on the same <sip,dip,dport> tuple; this is enforced by * pseudo encap matches.
*/ if (match->mask.enc_dst_ip | match->mask.enc_src_ip) { if (!IS_ALL_ONES(match->mask.enc_dst_ip)) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match is not exact on dst IP address"); return -EOPNOTSUPP;
} if (!IS_ALL_ONES(match->mask.enc_src_ip)) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match is not exact on src IP address"); return -EOPNOTSUPP;
} #ifdef CONFIG_IPV6 if (!ipv6_addr_any(&match->mask.enc_dst_ip6) ||
!ipv6_addr_any(&match->mask.enc_src_ip6)) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match on both IPv4 and IPv6, don't understand"); return -EOPNOTSUPP;
}
} else {
ipv6 = true; if (!efx_ipv6_addr_all_ones(&match->mask.enc_dst_ip6)) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match is not exact on dst IP address"); return -EOPNOTSUPP;
} if (!efx_ipv6_addr_all_ones(&match->mask.enc_src_ip6)) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match is not exact on src IP address"); return -EOPNOTSUPP;
} #endif
} if (!IS_ALL_ONES(match->mask.enc_dport)) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match is not exact on dst UDP port"); return -EOPNOTSUPP;
} if (match->mask.enc_sport || match->mask.enc_ip_tos) { struct efx_tc_match pmatch = *match;
if (em_type == EFX_TC_EM_PSEUDO_MASK) { /* can't happen */
NL_SET_ERR_MSG_MOD(extack, "Bad recursion in egress encap match handler"); return -EOPNOTSUPP;
}
pmatch.value.enc_ip_tos = 0;
pmatch.mask.enc_ip_tos = 0;
pmatch.value.enc_sport = 0;
pmatch.mask.enc_sport = 0;
rc = efx_tc_flower_record_encap_match(efx, &pmatch, type,
EFX_TC_EM_PSEUDO_MASK,
match->mask.enc_ip_tos,
match->mask.enc_sport,
extack); if (rc) return rc;
pseudo = pmatch.encap;
} if (match->mask.enc_ip_ttl) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match on IP TTL not supported");
rc = -EOPNOTSUPP; goto fail_pseudo;
}
encap = kzalloc(sizeof(*encap), GFP_USER); if (!encap) {
rc = -ENOMEM; goto fail_pseudo;
}
encap->src_ip = match->value.enc_src_ip;
encap->dst_ip = match->value.enc_dst_ip; #ifdef CONFIG_IPV6
encap->src_ip6 = match->value.enc_src_ip6;
encap->dst_ip6 = match->value.enc_dst_ip6; #endif
encap->udp_dport = match->value.enc_dport;
encap->tun_type = type;
encap->ip_tos = match->value.enc_ip_tos;
encap->ip_tos_mask = match->mask.enc_ip_tos;
encap->child_ip_tos_mask = child_ip_tos_mask;
encap->udp_sport = match->value.enc_sport;
encap->udp_sport_mask = match->mask.enc_sport;
encap->child_udp_sport_mask = child_udp_sport_mask;
encap->type = em_type;
encap->pseudo = pseudo;
old = rhashtable_lookup_get_insert_fast(&efx->tc->encap_match_ht,
&encap->linkage,
efx_tc_encap_match_ht_params); if (old) { /* don't need our new entry */
kfree(encap); if (pseudo) /* don't need our new pseudo either */
efx_tc_flower_release_encap_match(efx, pseudo); if (IS_ERR(old)) /* oh dear, it's actually an error */ return PTR_ERR(old); /* check old and new em_types are compatible */ switch (old->type) { case EFX_TC_EM_DIRECT: /* old EM is in hardware, so mustn't overlap with a * pseudo, but may be shared with another direct EM
*/ if (em_type == EFX_TC_EM_DIRECT) break;
NL_SET_ERR_MSG_MOD(extack, "Pseudo encap match conflicts with existing direct entry"); return -EEXIST; case EFX_TC_EM_PSEUDO_MASK: /* old EM is protecting a ToS- or src port-qualified * filter, so may only be shared with another pseudo * for the same ToS and src port masks.
*/ if (em_type != EFX_TC_EM_PSEUDO_MASK) {
NL_SET_ERR_MSG_FMT_MOD(extack, "%s encap match conflicts with existing pseudo(MASK) entry",
em_type ? "Pseudo" : "Direct"); return -EEXIST;
} if (child_ip_tos_mask != old->child_ip_tos_mask) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Pseudo encap match for TOS mask %#04x conflicts with existing mask %#04x",
child_ip_tos_mask,
old->child_ip_tos_mask); return -EEXIST;
} if (child_udp_sport_mask != old->child_udp_sport_mask) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Pseudo encap match for UDP src port mask %#x conflicts with existing mask %#x",
child_udp_sport_mask,
old->child_udp_sport_mask); return -EEXIST;
} break; case EFX_TC_EM_PSEUDO_OR: /* old EM corresponds to an OR that has to be unique * (it must not overlap with any other OR, whether * direct-EM or pseudo).
*/
NL_SET_ERR_MSG_FMT_MOD(extack, "%s encap match conflicts with existing pseudo(OR) entry",
em_type ? "Pseudo" : "Direct"); return -EEXIST; default: /* Unrecognised pseudo-type. Just say no */
NL_SET_ERR_MSG_FMT_MOD(extack, "%s encap match conflicts with existing pseudo(%d) entry",
em_type ? "Pseudo" : "Direct",
old->type); return -EEXIST;
} /* check old and new tun_types are compatible */ if (old->tun_type != type) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Egress encap match with conflicting tun_type %u != %u",
old->tun_type, type); return -EEXIST;
} if (!refcount_inc_not_zero(&old->ref)) return -EAGAIN; /* existing entry found */
encap = old;
} else { if (em_type == EFX_TC_EM_DIRECT) {
rc = efx_mae_register_encap_match(efx, encap); if (rc) {
NL_SET_ERR_MSG_MOD(extack, "Failed to record egress encap match in HW"); goto fail;
}
}
refcount_set(&encap->ref, 1);
}
match->encap = encap; return 0;
fail:
rhashtable_remove_fast(&efx->tc->encap_match_ht, &encap->linkage,
efx_tc_encap_match_ht_params);
kfree(encap);
fail_pseudo: if (pseudo)
efx_tc_flower_release_encap_match(efx, pseudo); return rc;
}
rid = kzalloc(sizeof(*rid), GFP_USER); if (!rid) return ERR_PTR(-ENOMEM);
rid->chain_index = chain_index; /* We don't take a reference here, because it's implied - if there's * a rule on the net_dev that's been offloaded to us, then the net_dev * can't go away until the rule has been deoffloaded.
*/
rid->net_dev = net_dev;
old = rhashtable_lookup_get_insert_fast(&efx->tc->recirc_ht,
&rid->linkage,
efx_tc_recirc_ht_params); if (old) { /* don't need our new entry */
kfree(rid); if (IS_ERR(old)) /* oh dear, it's actually an error */ return ERR_CAST(old); if (!refcount_inc_not_zero(&old->ref)) return ERR_PTR(-EAGAIN); /* existing entry found */
rid = old;
} else {
rc = ida_alloc_range(&efx->tc->recirc_ida, 1, U8_MAX, GFP_USER); if (rc < 0) {
rhashtable_remove_fast(&efx->tc->recirc_ht,
&rid->linkage,
efx_tc_recirc_ht_params);
kfree(rid); return ERR_PTR(rc);
}
rid->fw_id = rc;
refcount_set(&rid->ref, 1);
} return rid;
}
staticvoid efx_tc_put_recirc_id(struct efx_nic *efx, struct efx_tc_recirc_id *rid)
{ if (!refcount_dec_and_test(&rid->ref)) return; /* still in use */
rhashtable_remove_fast(&efx->tc->recirc_ht, &rid->linkage,
efx_tc_recirc_ht_params);
ida_free(&efx->tc->recirc_ida, rid->fw_id);
kfree(rid);
}
/* Release entries in subsidiary tables */
efx_tc_free_action_set_list(efx, &rule->acts, true); if (rule->match.rid)
efx_tc_put_recirc_id(efx, rule->match.rid); if (rule->match.encap)
efx_tc_flower_release_encap_match(efx, rule->match.encap);
rule->fw_id = MC_CMD_MAE_ACTION_RULE_INSERT_OUT_ACTION_RULE_ID_NULL;
}
staticconstchar *efx_tc_encap_type_name(enum efx_encap_type typ)
{ switch (typ) { case EFX_ENCAP_TYPE_NONE: return"none"; case EFX_ENCAP_TYPE_VXLAN: return"vxlan"; case EFX_ENCAP_TYPE_GENEVE: return"geneve"; default:
pr_warn_once("Unknown efx_encap_type %d encountered\n", typ); return"unknown";
}
}
/* For details of action order constraints refer to SF-123102-TC-1§12.6.1 */ enum efx_tc_action_order {
EFX_TC_AO_DECAP,
EFX_TC_AO_DEC_TTL,
EFX_TC_AO_PEDIT_MAC_ADDRS,
EFX_TC_AO_VLAN_POP,
EFX_TC_AO_VLAN_PUSH,
EFX_TC_AO_COUNT,
EFX_TC_AO_ENCAP,
EFX_TC_AO_DELIVER
}; /* Determine whether we can add @new action without violating order */ staticbool efx_tc_flower_action_order_ok(conststruct efx_tc_action_set *act, enum efx_tc_action_order new)
{ switch (new) { case EFX_TC_AO_DECAP: if (act->decap) returnfalse; /* PEDIT_MAC_ADDRS must not happen before DECAP, though it * can wait until much later
*/ if (act->dst_mac || act->src_mac) returnfalse;
/* Decrementing ttl must not happen before DECAP */ if (act->do_ttl_dec) returnfalse;
fallthrough; case EFX_TC_AO_VLAN_POP: if (act->vlan_pop >= 2) returnfalse; /* If we've already pushed a VLAN, we can't then pop it; * the hardware would instead try to pop an existing VLAN * before pushing the new one.
*/ if (act->vlan_push) returnfalse;
fallthrough; case EFX_TC_AO_VLAN_PUSH: if (act->vlan_push >= 2) returnfalse;
fallthrough; case EFX_TC_AO_COUNT: if (act->count) returnfalse;
fallthrough; case EFX_TC_AO_PEDIT_MAC_ADDRS: case EFX_TC_AO_ENCAP: if (act->encap_md) returnfalse;
fallthrough; case EFX_TC_AO_DELIVER: return !act->deliver; case EFX_TC_AO_DEC_TTL: if (act->encap_md) returnfalse; return !act->do_ttl_dec; default: /* Bad caller. Whatever they wanted to do, say they can't. */
WARN_ON_ONCE(1); returnfalse;
}
}
/** * DOC: TC conntrack sequences * * The MAE hardware can handle at most two rounds of action rule matching, * consequently we support conntrack through the notion of a "left-hand side * rule". This is a rule which typically contains only the actions "ct" and * "goto chain N", and corresponds to one or more "right-hand side rules" in * chain N, which typically match on +trk+est, and may perform ct(nat) actions. * RHS rules go in the Action Rule table as normal but with a nonzero recirc_id * (the hardware equivalent of chain_index), while LHS rules may go in either * the Action Rule or the Outer Rule table, the latter being preferred for * performance reasons, and set both DO_CT and a recirc_id in their response. * * Besides the RHS rules, there are often also similar rules matching on * +trk+new which perform the ct(commit) action. These are not offloaded.
*/
flow_action_for_each(i, fa, &fr->action) { switch (fa->id) { case FLOW_ACTION_GOTO: returntrue; case FLOW_ACTION_CT: /* If rule is -trk, or doesn't mention trk at all, then * a CT action implies a conntrack lookup (hence it's an * LHS rule). If rule is +trk, then a CT action could * just be ct(nat) or even ct(commit) (though the latter * can't be offloaded).
*/ if (!match->mask.ct_state_trk || !match->value.ct_state_trk) returntrue; break; default: break;
}
} returnfalse;
}
/* A foreign LHS rule has matches on enc_ keys at the TC layer (including an * implied match on enc_ip_proto UDP). Translate these into non-enc_ keys, * so that we can use the same MAE machinery as local LHS rules (and so that * the lhs_rules entries have uniform semantics). It may seem odd to do it * this way round, given that the corresponding fields in the MAE MCDIs are * all ENC_, but (a) we don't have enc_L2 or enc_ip_proto in struct * efx_tc_match_fields and (b) semantically an LHS rule doesn't have inner * fields so it's just matching on *the* header rather than the outer header. * Make sure that the non-enc_ keys were not already being matched on, as that * would imply a rule that needed a triple lookup. (Hardware can do that, * with OR-AR-CT-AR, but it halves packet rate so we avoid it where possible; * see efx_tc_flower_flhs_needs_ar().)
*/ staticint efx_tc_flower_translate_flhs_match(struct efx_tc_match *match)
{ int rc = 0;
#define COPY_MASK_AND_VALUE(_key, _ekey) ({ \ if (match->mask._key) { \
rc = -EOPNOTSUPP; \
} else { \
match->mask._key = match->mask._ekey; \
match->mask._ekey = 0; \
match->value._key = match->value._ekey; \
match->value._ekey = 0; \
} \
rc; \
}) #define COPY_FROM_ENC(_key) COPY_MASK_AND_VALUE(_key, enc_##_key) if (match->mask.ip_proto) return -EOPNOTSUPP;
match->mask.ip_proto = ~0;
match->value.ip_proto = IPPROTO_UDP; if (COPY_FROM_ENC(src_ip) || COPY_FROM_ENC(dst_ip)) return rc; #ifdef CONFIG_IPV6 if (!ipv6_addr_any(&match->mask.src_ip6)) return -EOPNOTSUPP;
match->mask.src_ip6 = match->mask.enc_src_ip6;
memset(&match->mask.enc_src_ip6, 0, sizeof(struct in6_addr)); if (!ipv6_addr_any(&match->mask.dst_ip6)) return -EOPNOTSUPP;
match->mask.dst_ip6 = match->mask.enc_dst_ip6;
memset(&match->mask.enc_dst_ip6, 0, sizeof(struct in6_addr)); #endif if (COPY_FROM_ENC(ip_tos) || COPY_FROM_ENC(ip_ttl)) return rc; /* should really copy enc_ip_frag but we don't have that in * parse_match yet
*/ if (COPY_MASK_AND_VALUE(l4_sport, enc_sport) ||
COPY_MASK_AND_VALUE(l4_dport, enc_dport)) return rc; return 0; #undef COPY_FROM_ENC #undef COPY_MASK_AND_VALUE
}
/* If a foreign LHS rule wants to match on keys that are only available after * encap header identification and parsing, then it can't be done in the Outer * Rule lookup, because that lookup determines the encap type used to parse * beyond the outer headers. Thus, such rules must use the OR-AR-CT-AR lookup * sequence, with an EM (struct efx_tc_encap_match) in the OR step. * Return true iff the passed match requires this.
*/ staticbool efx_tc_flower_flhs_needs_ar(struct efx_tc_match *match)
{ /* matches on inner-header keys can't be done in OR */ return match->mask.eth_proto ||
match->mask.vlan_tci[0] || match->mask.vlan_tci[1] ||
match->mask.vlan_proto[0] || match->mask.vlan_proto[1] ||
memchr_inv(match->mask.eth_saddr, 0, ETH_ALEN) ||
memchr_inv(match->mask.eth_daddr, 0, ETH_ALEN) ||
match->mask.ip_proto ||
match->mask.ip_tos || match->mask.ip_ttl ||
match->mask.src_ip || match->mask.dst_ip || #ifdef CONFIG_IPV6
!ipv6_addr_any(&match->mask.src_ip6) ||
!ipv6_addr_any(&match->mask.dst_ip6) || #endif
match->mask.ip_frag || match->mask.ip_firstfrag ||
match->mask.l4_sport || match->mask.l4_dport ||
match->mask.tcp_flags || /* nor can VNI */
match->mask.enc_keyid;
}
if (!pipe) { /* more actions after a non-pipe action */
NL_SET_ERR_MSG_MOD(extack, "Action follows non-pipe action"); return -EINVAL;
} switch (fa->id) { case FLOW_ACTION_GOTO: if (!fa->chain_index) {
NL_SET_ERR_MSG_MOD(extack, "Can't goto chain 0, no looping in hw"); return -EOPNOTSUPP;
}
rid = efx_tc_get_recirc_id(efx, fa->chain_index,
net_dev); if (IS_ERR(rid)) {
NL_SET_ERR_MSG_MOD(extack, "Failed to allocate a hardware recirculation ID for this chain_index"); return PTR_ERR(rid);
}
act->rid = rid; if (fa->hw_stats) { struct efx_tc_counter_index *cnt;
if (!(fa->hw_stats & FLOW_ACTION_HW_STATS_DELAYED)) {
NL_SET_ERR_MSG_FMT_MOD(extack, "hw_stats_type %u not supported (only 'delayed')",
fa->hw_stats); return -EOPNOTSUPP;
}
cnt = efx_tc_flower_get_counter_index(efx, tc->cookie,
ctype); if (IS_ERR(cnt)) {
NL_SET_ERR_MSG_MOD(extack, "Failed to obtain a counter"); return PTR_ERR(cnt);
}
WARN_ON(act->count); /* can't happen */
act->count = cnt;
}
pipe = false; break; case FLOW_ACTION_CT: if (act->zone) {
NL_SET_ERR_MSG_MOD(extack, "Can't offload multiple ct actions"); return -EOPNOTSUPP;
} if (fa->ct.action & (TCA_CT_ACT_COMMIT |
TCA_CT_ACT_FORCE)) {
NL_SET_ERR_MSG_MOD(extack, "Can't offload ct commit/force"); return -EOPNOTSUPP;
} if (fa->ct.action & TCA_CT_ACT_CLEAR) {
NL_SET_ERR_MSG_MOD(extack, "Can't clear ct in LHS rule"); return -EOPNOTSUPP;
} if (fa->ct.action & (TCA_CT_ACT_NAT |
TCA_CT_ACT_NAT_SRC |
TCA_CT_ACT_NAT_DST)) {
NL_SET_ERR_MSG_MOD(extack, "Can't perform NAT in LHS rule - packet isn't conntracked yet"); return -EOPNOTSUPP;
} if (fa->ct.action) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled ct.action %u for LHS rule",
fa->ct.action); return -EOPNOTSUPP;
}
ct_zone = efx_tc_ct_register_zone(efx, fa->ct.zone,
fa->ct.flow_table); if (IS_ERR(ct_zone)) {
NL_SET_ERR_MSG_MOD(extack, "Failed to register for CT updates"); return PTR_ERR(ct_zone);
}
act->zone = ct_zone; break; default:
NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled action %u for LHS rule",
fa->id); return -EOPNOTSUPP;
}
}
if (pipe) {
NL_SET_ERR_MSG_MOD(extack, "Missing goto chain in LHS rule"); return -EOPNOTSUPP;
} return 0;
}
staticvoid efx_tc_flower_release_lhs_actions(struct efx_nic *efx, struct efx_tc_lhs_action *act)
{ if (act->rid)
efx_tc_put_recirc_id(efx, act->rid); if (act->zone)
efx_tc_ct_unregister_zone(efx, act->zone); if (act->count)
efx_tc_flower_put_counter_index(efx, act->count);
}
/** * struct efx_tc_mangler_state - accumulates 32-bit pedits into fields * * @dst_mac_32: dst_mac[0:3] has been populated * @dst_mac_16: dst_mac[4:5] has been populated * @src_mac_16: src_mac[0:1] has been populated * @src_mac_32: src_mac[2:5] has been populated * @dst_mac: h_dest field of ethhdr * @src_mac: h_source field of ethhdr * * Since FLOW_ACTION_MANGLE comes in 32-bit chunks that do not * necessarily equate to whole fields of the packet header, this * structure is used to hold the cumulative effect of the partial * field pedits that have been processed so far.
*/ struct efx_tc_mangler_state {
u8 dst_mac_32:1; /* eth->h_dest[0:3] */
u8 dst_mac_16:1; /* eth->h_dest[4:5] */
u8 src_mac_16:1; /* eth->h_source[0:1] */
u8 src_mac_32:1; /* eth->h_source[2:5] */ unsignedchar dst_mac[ETH_ALEN]; unsignedchar src_mac[ETH_ALEN];
};
/** efx_tc_complete_mac_mangle() - pull complete field pedits out of @mung * @efx: NIC we're installing a flow rule on * @act: action set (cursor) to update * @mung: accumulated partial mangles * @extack: netlink extended ack for reporting errors * * Check @mung to find any combinations of partial mangles that can be * combined into a complete packet field edit, add that edit to @act, * and consume the partial mangles from @mung.
*/
if (mung->dst_mac_32 && mung->dst_mac_16) {
ped = efx_tc_flower_get_mac(efx, mung->dst_mac, extack); if (IS_ERR(ped)) return PTR_ERR(ped);
/* Check that we have not already populated dst_mac */ if (act->dst_mac)
efx_tc_flower_put_mac(efx, act->dst_mac);
act->dst_mac = ped;
/* consume the incomplete state */
mung->dst_mac_32 = 0;
mung->dst_mac_16 = 0;
} if (mung->src_mac_16 && mung->src_mac_32) {
ped = efx_tc_flower_get_mac(efx, mung->src_mac, extack); if (IS_ERR(ped)) return PTR_ERR(ped);
/* Check that we have not already populated src_mac */ if (act->src_mac)
efx_tc_flower_put_mac(efx, act->src_mac);
act->src_mac = ped;
/* consume the incomplete state */
mung->src_mac_32 = 0;
mung->src_mac_16 = 0;
} return 0;
}
staticint efx_tc_pedit_add(struct efx_nic *efx, struct efx_tc_action_set *act, conststruct flow_action_entry *fa, struct netlink_ext_ack *extack)
{ switch (fa->mangle.htype) { case FLOW_ACT_MANGLE_HDR_TYPE_IP4: switch (fa->mangle.offset) { case offsetof(struct iphdr, ttl): /* check that pedit applies to ttl only */ if (fa->mangle.mask != ~EFX_TC_HDR_TYPE_TTL_MASK) break;
/* Adding 0xff is equivalent to decrementing the ttl. * Other added values are not supported.
*/ if ((fa->mangle.val & EFX_TC_HDR_TYPE_TTL_MASK) != U8_MAX) break;
/* check that we do not decrement ttl twice */ if (!efx_tc_flower_action_order_ok(act,
EFX_TC_AO_DEC_TTL)) {
NL_SET_ERR_MSG_MOD(extack, "multiple dec ttl are not supported"); return -EOPNOTSUPP;
}
act->do_ttl_dec = 1; return 0; default: break;
} break; case FLOW_ACT_MANGLE_HDR_TYPE_IP6: switch (fa->mangle.offset) { case round_down(offsetof(struct ipv6hdr, hop_limit), 4): /* check that pedit applies to hoplimit only */ if (fa->mangle.mask != EFX_TC_HDR_TYPE_HLIMIT_MASK) break;
/* Adding 0xff is equivalent to decrementing the hoplimit. * Other added values are not supported.
*/ if ((fa->mangle.val >> 24) != U8_MAX) break;
/* check that we do not decrement hoplimit twice */ if (!efx_tc_flower_action_order_ok(act,
EFX_TC_AO_DEC_TTL)) {
NL_SET_ERR_MSG_MOD(extack, "multiple dec ttl are not supported"); return -EOPNOTSUPP;
}
act->do_ttl_dec = 1; return 0; default: break;
} break; default: break;
}
NL_SET_ERR_MSG_FMT_MOD(extack, "ttl add action type %x %x %x/%x is not supported",
fa->mangle.htype, fa->mangle.offset,
fa->mangle.val, fa->mangle.mask); return -EOPNOTSUPP;
}
/** * efx_tc_mangle() - handle a single 32-bit (or less) pedit * @efx: NIC we're installing a flow rule on * @act: action set (cursor) to update * @fa: FLOW_ACTION_MANGLE action metadata * @mung: accumulator for partial mangles * @extack: netlink extended ack for reporting errors * @match: original match used along with the mangle action * * Identify the fields written by a FLOW_ACTION_MANGLE, and record * the partial mangle state in @mung. If this mangle completes an * earlier partial mangle, consume and apply to @act by calling * efx_tc_complete_mac_mangle().
*/
switch (fa->mangle.htype) { case FLOW_ACT_MANGLE_HDR_TYPE_ETH:
BUILD_BUG_ON(offsetof(struct ethhdr, h_dest) != 0);
BUILD_BUG_ON(offsetof(struct ethhdr, h_source) != 6); if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_PEDIT_MAC_ADDRS)) {
NL_SET_ERR_MSG_MOD(extack, "Pedit mangle mac action violates action order"); return -EOPNOTSUPP;
} switch (fa->mangle.offset) { case 0: if (fa->mangle.mask) {
NL_SET_ERR_MSG_FMT_MOD(extack, "mask (%#x) of eth.dst32 mangle is not supported",
fa->mangle.mask); return -EOPNOTSUPP;
} /* Ethernet address is little-endian */
mac32 = cpu_to_le32(fa->mangle.val);
memcpy(mung->dst_mac, &mac32, sizeof(mac32));
mung->dst_mac_32 = 1; return efx_tc_complete_mac_mangle(efx, act, mung, extack); case 4: if (fa->mangle.mask == 0xffff) {
mac16 = cpu_to_le16(fa->mangle.val >> 16);
memcpy(mung->src_mac, &mac16, sizeof(mac16));
mung->src_mac_16 = 1;
} elseif (fa->mangle.mask == 0xffff0000) {
mac16 = cpu_to_le16((u16)fa->mangle.val);
memcpy(mung->dst_mac + 4, &mac16, sizeof(mac16));
mung->dst_mac_16 = 1;
} else {
NL_SET_ERR_MSG_FMT_MOD(extack, "mask (%#x) of eth+4 mangle is not high or low 16b",
fa->mangle.mask); return -EOPNOTSUPP;
} return efx_tc_complete_mac_mangle(efx, act, mung, extack); case 8: if (fa->mangle.mask) {
NL_SET_ERR_MSG_FMT_MOD(extack, "mask (%#x) of eth.src32 mangle is not supported",
fa->mangle.mask); return -EOPNOTSUPP;
}
mac32 = cpu_to_le32(fa->mangle.val);
memcpy(mung->src_mac + 2, &mac32, sizeof(mac32));
mung->src_mac_32 = 1; return efx_tc_complete_mac_mangle(efx, act, mung, extack); default:
NL_SET_ERR_MSG_FMT_MOD(extack, "mangle eth+%u %x/%x is not supported",
fa->mangle.offset, fa->mangle.val, fa->mangle.mask); return -EOPNOTSUPP;
} break; case FLOW_ACT_MANGLE_HDR_TYPE_IP4: switch (fa->mangle.offset) { case offsetof(struct iphdr, ttl): /* we currently only support pedit IP4 when it applies * to TTL and then only when it can be achieved with a * decrement ttl action
*/
/* check that pedit applies to ttl only */ if (fa->mangle.mask != ~EFX_TC_HDR_TYPE_TTL_MASK) {
NL_SET_ERR_MSG_FMT_MOD(extack, "mask (%#x) out of range, only support mangle action on ipv4.ttl",
fa->mangle.mask); return -EOPNOTSUPP;
}
/* we can only convert to a dec ttl when we have an * exact match on the ttl field
*/ if (match->mask.ip_ttl != U8_MAX) {
NL_SET_ERR_MSG_FMT_MOD(extack, "only support mangle ttl when we have an exact match, current mask (%#x)",
match->mask.ip_ttl); return -EOPNOTSUPP;
}
/* check that we don't try to decrement 0, which equates * to setting the ttl to 0xff
*/ if (match->value.ip_ttl == 0) {
NL_SET_ERR_MSG_MOD(extack, "decrement ttl past 0 is not supported"); return -EOPNOTSUPP;
}
/* check that we do not decrement ttl twice */ if (!efx_tc_flower_action_order_ok(act,
EFX_TC_AO_DEC_TTL)) {
NL_SET_ERR_MSG_MOD(extack, "multiple dec ttl is not supported"); return -EOPNOTSUPP;
}
/* check pedit can be achieved with decrement action */
tr_ttl = match->value.ip_ttl - 1; if ((fa->mangle.val & EFX_TC_HDR_TYPE_TTL_MASK) == tr_ttl) {
act->do_ttl_dec = 1; return 0;
}
fallthrough; default:
NL_SET_ERR_MSG_FMT_MOD(extack, "only support mangle on the ttl field (offset is %u)",
fa->mangle.offset); return -EOPNOTSUPP;
} break; case FLOW_ACT_MANGLE_HDR_TYPE_IP6: switch (fa->mangle.offset) { case round_down(offsetof(struct ipv6hdr, hop_limit), 4): /* we currently only support pedit IP6 when it applies * to the hoplimit and then only when it can be achieved * with a decrement hoplimit action
*/
/* check that pedit applies to ttl only */ if (fa->mangle.mask != EFX_TC_HDR_TYPE_HLIMIT_MASK) {
NL_SET_ERR_MSG_FMT_MOD(extack, "mask (%#x) out of range, only support mangle action on ipv6.hop_limit",
fa->mangle.mask);
return -EOPNOTSUPP;
}
/* we can only convert to a dec ttl when we have an * exact match on the ttl field
*/ if (match->mask.ip_ttl != U8_MAX) {
NL_SET_ERR_MSG_FMT_MOD(extack, "only support hop_limit when we have an exact match, current mask (%#x)",
match->mask.ip_ttl); return -EOPNOTSUPP;
}
/* check that we don't try to decrement 0, which equates * to setting the ttl to 0xff
*/ if (match->value.ip_ttl == 0) {
NL_SET_ERR_MSG_MOD(extack, "decrementing hop_limit past 0 is not supported"); return -EOPNOTSUPP;
}
/* check that we do not decrement hoplimit twice */ if (!efx_tc_flower_action_order_ok(act,
EFX_TC_AO_DEC_TTL)) {
NL_SET_ERR_MSG_MOD(extack, "multiple dec ttl is not supported"); return -EOPNOTSUPP;
}
/* check pedit can be achieved with decrement action */
tr_ttl = match->value.ip_ttl - 1; if ((fa->mangle.val >> 24) == tr_ttl) {
act->do_ttl_dec = 1; return 0;
}
fallthrough; default:
NL_SET_ERR_MSG_FMT_MOD(extack, "only support mangle on the hop_limit field"); return -EOPNOTSUPP;
} default:
NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled mangle htype %u for action rule",
fa->mangle.htype); return -EOPNOTSUPP;
} return 0;
}
/** * efx_tc_incomplete_mangle() - check for leftover partial pedits * @mung: accumulator for partial mangles * @extack: netlink extended ack for reporting errors * * Since the MAE can only overwrite whole fields, any partial * field mangle left over on reaching packet delivery (mirred or * end of TC actions) cannot be offloaded. Check for any such * and reject them with -%EOPNOTSUPP.
*/
staticint efx_tc_incomplete_mangle(struct efx_tc_mangler_state *mung, struct netlink_ext_ack *extack)
{ if (mung->dst_mac_32 || mung->dst_mac_16) {
NL_SET_ERR_MSG_MOD(extack, "Incomplete pedit of destination MAC address"); return -EOPNOTSUPP;
} if (mung->src_mac_16 || mung->src_mac_32) {
NL_SET_ERR_MSG_MOD(extack, "Incomplete pedit of source MAC address"); return -EOPNOTSUPP;
} return 0;
}
type = efx_tc_indr_netdev_type(net_dev); if (type == EFX_ENCAP_TYPE_NONE) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match on unsupported tunnel device"); return -EOPNOTSUPP;
}
rc = efx_mae_check_encap_type_supported(efx, type); if (rc) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Firmware reports no support for %s encap match",
efx_tc_encap_type_name(type)); return rc;
} /* This is an Action Rule, so it needs a separate Encap Match in the * Outer Rule table. Insert that now.
*/
rc = efx_tc_flower_record_encap_match(efx, match, type,
EFX_TC_EM_DIRECT, 0, 0, extack); if (rc) return rc;
match->mask.recirc_id = 0xff; if (match->mask.ct_state_trk && match->value.ct_state_trk) {
NL_SET_ERR_MSG_MOD(extack, "LHS rule can never match +trk");
rc = -EOPNOTSUPP; goto release_encap_match;
} /* LHS rules are always -trk, so we don't need to match on that */
match->mask.ct_state_trk = 0;
match->value.ct_state_trk = 0; /* We must inhibit match on TCP SYN/FIN/RST, so that SW can see * the packet and update the conntrack table. * Outer Rules will do that with CT_TCP_FLAGS_INHIBIT, but Action * Rules don't have that; instead they support matching on * TCP_SYN_FIN_RST (aka TCP_INTERESTING_FLAGS), so use that. * This is only strictly needed if there will be a DO_CT action, * which we don't know yet, but typically there will be and it's * simpler not to bother checking here.
*/
match->mask.tcp_syn_fin_rst = true;
rc = efx_mae_match_check_caps(efx, &match->mask, extack); if (rc) goto release_encap_match;
if (tc->common.chain_index) {
NL_SET_ERR_MSG_MOD(extack, "LHS rule only allowed in chain 0"); return -EOPNOTSUPP;
}
if (!efx_tc_match_is_encap(&match->mask)) { /* This is not a tunnel decap rule, ignore it */
netif_dbg(efx, drv, efx->net_dev, "Ignoring foreign LHS filter without encap match\n"); return -EOPNOTSUPP;
}
if (efx_tc_flower_flhs_needs_ar(match)) return efx_tc_flower_replace_foreign_lhs_ar(efx, tc, fr, match,
net_dev);
type = efx_tc_indr_netdev_type(net_dev); if (type == EFX_ENCAP_TYPE_NONE) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match on unsupported tunnel device"); return -EOPNOTSUPP;
}
rc = efx_mae_check_encap_type_supported(efx, type); if (rc) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Firmware reports no support for %s encap match",
efx_tc_encap_type_name(type)); return rc;
} /* Reserve the outer tuple with a pseudo Encap Match */
rc = efx_tc_flower_record_encap_match(efx, match, type,
EFX_TC_EM_PSEUDO_OR, 0, 0,
extack); if (rc) return rc;
if (match->mask.ct_state_trk && match->value.ct_state_trk) {
NL_SET_ERR_MSG_MOD(extack, "LHS rule can never match +trk");
rc = -EOPNOTSUPP; goto release_encap_match;
} /* LHS rules are always -trk, so we don't need to match on that */
match->mask.ct_state_trk = 0;
match->value.ct_state_trk = 0;
rc = efx_tc_flower_translate_flhs_match(match); if (rc) {
NL_SET_ERR_MSG_MOD(extack, "LHS rule cannot match on inner fields"); goto release_encap_match;
}
rc = efx_mae_match_check_caps_lhs(efx, &match->mask, extack); if (rc) goto release_encap_match;
/* Parse match */
memset(&match, 0, sizeof(match));
rc = efx_tc_flower_parse_match(efx, fr, &match, extack); if (rc) return rc; /* The rule as given to us doesn't specify a source netdevice. * But, determining whether packets from a VF should match it is * complicated, so leave those to the software slowpath: qualify * the filter with source m-port == wire.
*/
rc = efx_tc_flower_external_mport(efx, EFX_EFV_PF); if (rc < 0) {
NL_SET_ERR_MSG_MOD(extack, "Failed to identify ingress m-port for foreign filter"); return rc;
}
match.value.ingress_port = rc;
match.mask.ingress_port = ~0;
if (efx_tc_rule_is_lhs_rule(fr, &match)) return efx_tc_flower_replace_foreign_lhs(efx, tc, fr, &match,
net_dev);
if (tc->common.chain_index) { struct efx_tc_recirc_id *rid;
rid = efx_tc_get_recirc_id(efx, tc->common.chain_index, net_dev); if (IS_ERR(rid)) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Failed to allocate a hardware recirculation ID for chain_index %u",
tc->common.chain_index); return PTR_ERR(rid);
}
match.rid = rid;
match.value.recirc_id = rid->fw_id;
}
match.mask.recirc_id = 0xff;
/* AR table can't match on DO_CT (+trk). But a commonly used pattern is * +trk+est, which is strictly implied by +est, so rewrite it to that.
*/ if (match.mask.ct_state_trk && match.value.ct_state_trk &&
match.mask.ct_state_est && match.value.ct_state_est)
match.mask.ct_state_trk = 0; /* Thanks to CT_TCP_FLAGS_INHIBIT, packets with interesting flags could * match +trk-est (CT_HIT=0) despite being on an established connection. * So make -est imply -tcp_syn_fin_rst match to ensure these packets * still hit the software path.
*/ if (match.mask.ct_state_est && !match.value.ct_state_est) { if (match.value.tcp_syn_fin_rst) { /* Can't offload this combination */
NL_SET_ERR_MSG_MOD(extack, "TCP flags and -est conflict for offload");
rc = -EOPNOTSUPP; goto release;
}
match.mask.tcp_syn_fin_rst = true;
}
flow_action_for_each(i, fa, &fr->action) { switch (fa->id) { case FLOW_ACTION_REDIRECT: case FLOW_ACTION_MIRRED: /* mirred means mirror here */
to_efv = efx_tc_flower_lookup_efv(efx, fa->dev); if (IS_ERR(to_efv)) continue;
found = true; break; default: break;
}
} if (!found) { /* We don't care. */
netif_dbg(efx, drv, efx->net_dev, "Ignoring foreign filter that doesn't egdev us\n");
rc = -EOPNOTSUPP; goto release;
}
rc = efx_mae_match_check_caps(efx, &match.mask, extack); if (rc) goto release;
if (efx_tc_match_is_encap(&match.mask)) { enum efx_encap_type type;
type = efx_tc_indr_netdev_type(net_dev); if (type == EFX_ENCAP_TYPE_NONE) {
NL_SET_ERR_MSG_MOD(extack, "Egress encap match on unsupported tunnel device");
rc = -EOPNOTSUPP; goto release;
}
rc = efx_mae_check_encap_type_supported(efx, type); if (rc) {
NL_SET_ERR_MSG_FMT_MOD(extack, "Firmware reports no support for %s encap match",
efx_tc_encap_type_name(type)); goto release;
}
rc = efx_tc_flower_record_encap_match(efx, &match, type,
EFX_TC_EM_DIRECT, 0, 0,
extack); if (rc) goto release;
} elseif (!tc->common.chain_index) { /* This is not a tunnel decap rule, ignore it */
netif_dbg(efx, drv, efx->net_dev, "Ignoring foreign filter without encap match\n");
rc = -EOPNOTSUPP; goto release;
}
/* Parse actions. For foreign rules we only support decap & redirect. * See corresponding code in efx_tc_flower_replace() for theory of * operation & how 'act' cursor is used.
*/
flow_action_for_each(i, fa, &fr->action) { struct efx_tc_action_set save;
switch (fa->id) { case FLOW_ACTION_REDIRECT: case FLOW_ACTION_MIRRED: /* See corresponding code in efx_tc_flower_replace() for * long explanations of what's going on here.
*/
save = *act; if (fa->hw_stats) { struct efx_tc_counter_index *ctr;
if (!(fa->hw_stats & FLOW_ACTION_HW_STATS_DELAYED)) {
NL_SET_ERR_MSG_FMT_MOD(extack, "hw_stats_type %u not supported (only 'delayed')",
fa->hw_stats);
rc = -EOPNOTSUPP; goto release;
} if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_COUNT)) {
NL_SET_ERR_MSG_MOD(extack, "Count action violates action order (can't happen)");
rc = -EOPNOTSUPP; goto release;
}
ctr = efx_tc_flower_get_counter_index(efx,
tc->cookie,
EFX_TC_COUNTER_TYPE_AR); if (IS_ERR(ctr)) {
rc = PTR_ERR(ctr);
NL_SET_ERR_MSG_MOD(extack, "Failed to obtain a counter"); goto release;
}
act->count = ctr;
INIT_LIST_HEAD(&act->count_user);
}
if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_DELIVER)) { /* can't happen */
rc = -EOPNOTSUPP;
NL_SET_ERR_MSG_MOD(extack, "Deliver action violates action order (can't happen)"); goto release;
}
to_efv = efx_tc_flower_lookup_efv(efx, fa->dev); /* PF implies egdev is us, in which case we really * want to deliver to the uplink (because this is an * ingress filter). If we don't recognise the egdev * at all, then we'd better trap so SW can handle it.
*/ if (IS_ERR(to_efv))
to_efv = EFX_EFV_PF; if (to_efv == EFX_EFV_PF) { if (uplinked) break;
uplinked = true;
}
rc = efx_tc_flower_internal_mport(efx, to_efv); if (rc < 0) {
NL_SET_ERR_MSG_MOD(extack, "Failed to identify egress m-port"); goto release;
}
act->dest_mport = rc;
act->deliver = 1;
rc = efx_mae_alloc_action_set(efx, act); if (rc) {
NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (mirred)"); goto release;
}
list_add_tail(&act->list, &rule->acts.list);
act = NULL; if (fa->id == FLOW_ACTION_REDIRECT) break; /* end of the line */ /* Mirror, so continue on with saved act */
act = kzalloc(sizeof(*act), GFP_USER); if (!act) {
rc = -ENOMEM; goto release;
}
*act = save; break; case FLOW_ACTION_TUNNEL_DECAP: if (!efx_tc_flower_action_order_ok(act, EFX_TC_AO_DECAP)) {
rc = -EINVAL;
NL_SET_ERR_MSG_MOD(extack, "Decap action violates action order"); goto release;
}
act->decap = 1; /* If we previously delivered/trapped to uplink, now * that we've decapped we'll want another copy if we * try to deliver/trap to uplink again.
*/
uplinked = false; break; default:
NL_SET_ERR_MSG_FMT_MOD(extack, "Unhandled action %u",
fa->id);
rc = -EOPNOTSUPP; goto release;
}
}
if (act) { if (!uplinked) { /* Not shot/redirected, so deliver to default dest (which is * the uplink, as this is an ingress filter)
*/
efx_mae_mport_uplink(efx, &act->dest_mport);
act->deliver = 1;
}
rc = efx_mae_alloc_action_set(efx, act); if (rc) {
NL_SET_ERR_MSG_MOD(extack, "Failed to write action set to hw (deliver)"); goto release;
}
list_add_tail(&act->list, &rule->acts.list);
act = NULL; /* Prevent double-free in error path */
}
rc = efx_mae_alloc_action_set_list(efx, &rule->acts); if (rc) {
NL_SET_ERR_MSG_MOD(extack, "Failed to write action set list to hw"); goto release;
}
rc = efx_mae_insert_rule(efx, &rule->match, EFX_TC_PRIO_TC,
rule->acts.fw_id, &rule->fw_id); if (rc) {
NL_SET_ERR_MSG_MOD(extack, "Failed to insert rule in hw"); goto release_acts;
} return 0;
release_acts:
efx_mae_free_action_set_list(efx, &rule->acts);
release: /* We failed to insert the rule, so free up any entries we created in * subsidiary tables.
*/ if (match.rid)
efx_tc_put_recirc_id(efx, match.rid); if (act)
efx_tc_free_action_set(efx, act, false); if (rule) { if (!old)
rhashtable_remove_fast(&efx->tc->match_action_ht,
&rule->linkage,
efx_tc_match_action_ht_params);
efx_tc_free_action_set_list(efx, &rule->acts, false);
}
kfree(rule); if (match.encap)
efx_tc_flower_release_encap_match(efx, match.encap); return rc;
}
if (tc->common.chain_index) {
NL_SET_ERR_MSG_MOD(extack, "LHS rule only allowed in chain 0"); return -EOPNOTSUPP;
}
if (match->mask.ct_state_trk && match->value.ct_state_trk) {
NL_SET_ERR_MSG_MOD(extack, "LHS rule can never match +trk"); return -EOPNOTSUPP;
} /* LHS rules are always -trk, so we don't need to match on that */
match->mask.ct_state_trk = 0;
match->value.ct_state_trk = 0;
rc = efx_mae_match_check_caps_lhs(efx, &match->mask, extack); if (rc) return rc;
if (!tc_can_offload_extack(efx->net_dev, extack)) return -EOPNOTSUPP; if (WARN_ON(!efx->tc)) return -ENETDOWN; if (WARN_ON(!efx->tc->up)) return -ENETDOWN;
from_efv = efx_tc_flower_lookup_efv(efx, net_dev); if (IS_ERR(from_efv)) { /* Not from our PF or representors, so probably a tunnel dev */ return efx_tc_flower_replace_foreign(efx, net_dev, tc);
}
if (efv != from_efv) { /* can't happen */
NL_SET_ERR_MSG_FMT_MOD(extack, "for %s efv is %snull but from_efv is %snull (can't happen)",
--> --------------------
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
