Index: sys/dev/mlx5/mlx5_en/en.h
===================================================================
--- sys/dev/mlx5/mlx5_en/en.h
+++ sys/dev/mlx5/mlx5_en/en.h
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -838,6 +839,7 @@
 struct mlx5e_clbr_point clbr_points[2];
 u_int clbr_gen;
+ struct pfil_head *pfil;
 struct mlx5e_channel channel[];
 };
Index: sys/dev/mlx5/mlx5_en/mlx5_en_main.c
===================================================================
--- sys/dev/mlx5/mlx5_en/mlx5_en_main.c
+++ sys/dev/mlx5/mlx5_en/mlx5_en_main.c
@@ -3664,6 +3664,7 @@
 struct sysctl_oid_list *child;
 int ncv = mdev->priv.eq_table.num_comp_vectors;
 char unit[16];
+ struct pfil_head_args pa;
 int err;
 int i;
 u32 eth_proto_cap;
@@ -3898,6 +3899,12 @@
 callout_init(&priv->tstmp_clbr, CALLOUT_DIRECT);
 mlx5e_reset_calibration_callout(priv);
+ pa.pa_version = PFIL_VERSION;
+ pa.pa_flags = PFIL_IN;
+ pa.pa_type = PFIL_TYPE_ETHERNET;
+ pa.pa_headname = ifp->if_xname;
+ priv->pfil = pfil_head_register(&pa);
+
 return (priv);
 #ifdef RATELIMIT
@@ -3940,6 +3947,12 @@
 /* XXX wait a bit to allow IOCTL handlers to complete */
 pause("W", hz);
+ /* deregister pfil */
+ if (priv->pfil != NULL) {
+ pfil_head_unregister(priv->pfil);
+ priv->pfil = NULL;
+ }
+
 #ifdef RATELIMIT
 /*
 * The kernel can have reference(s) via the m_snd_tag's into
Index: sys/dev/mlx5/mlx5_en/mlx5_en_rx.c
===================================================================
--- sys/dev/mlx5/mlx5_en/mlx5_en_rx.c
+++ sys/dev/mlx5/mlx5_en/mlx5_en_rx.c
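Review bot: `pa` is declared on the stack without an initializer in the @@ -3664 hunk, and only four of its members are assigned before `pfil_head_register(&pa)` in the @@ -3898 hunk, so any member of `struct pfil_head_args` not listed here (its definition is not visible in this diff) would reach the pfil layer as stack garbage. Zeroing it first with `memset(&pa, 0, sizeof(pa));` keeps the call safe if the structure ever grows. `pa.pa_headname` points into `ifp->if_xname`; if pfil keeps that pointer rather than copying the string, the head must be unregistered before the ifnet is freed, which deserves a one-line comment at the registration. The enclosing function starts and ends outside both hunks.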
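Review bot: The unregister added in the @@ -3940 hunk must run only after the receive path can no longer execute, because the new code in mlx5_en_rx.c dereferences `rq->channel->priv->pfil` on each completion it handles, with no lock or reference visible; if a channel is still polling at this point, the head could be released underneath it. The hunk does not show where the channels are closed relative to `pause("W", hz)`, so the ordering should be confirmed and recorded in the comment, for example `/* RX channels are closed by now; nothing can reference the pfil head any more */`. The function body continues outside the hunk.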
@@ -462,6 +462,21 @@
 rq->stats.wqe_err++;
 goto wq_ll_pop;
 }
+ if (PFIL_HOOKED_IN(rq->channel->priv->pfil)) {
+ int rv;
+
+ rv = pfil_run_hooks(rq->channel->priv->pfil,
+ rq->mbuf[wqe_counter].data, rq->ifp,
+ byte_cnt | PFIL_MEMPTR | PFIL_IN, NULL);
+
+ KASSERT(rv != PFIL_REALLOCED,
+ ("Filter did something we don't support yet"));
+
+ if (rv != PFIL_PASS) {
+ rq->stats.packets++;
+ goto wq_ll_pop;
+ }
+ }
 if ((MHLEN - MLX5E_NET_IP_ALIGN) >= byte_cnt &&
 (mb = m_gethdr(M_NOWAIT, MT_DATA)) != NULL) {
 #if (MLX5E_MAX_RX_SEGS != 1)
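Review bot: `KASSERT(rv != PFIL_REALLOCED, ...)` is compiled out of kernels built without INVARIANTS, so on a production kernel a filter returning PFIL_REALLOCED falls into the `rv != PFIL_PASS` branch and the frame is silently recycled; whatever mbuf the filter allocated for it is presumably never picked up or freed. Handle that value explicitly instead of asserting, either by taking over the filter's mbuf (the pfil API has `pfil_mem2mbuf()` for this, as far as I recall) or by freeing it and counting a drop. Separately, the hook is given `byte_cnt` as the length of the buffer at `rq->mbuf[wqe_counter].data`, while the trailing context `#if (MLX5E_MAX_RX_SEGS != 1)` suggests a frame may span several receive segments; if so, the length should be clamped to the first segment so a filter cannot read past it. Filter drops also bump only `rq->stats.packets`, which makes them indistinguishable from delivered frames in the counters. The enclosing function starts and ends outside the hunk.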