diff --git a/sys/dev/mlx5/mlx5_accel/ipsec.h b/sys/dev/mlx5/mlx5_accel/ipsec.h
index 95742c4099f1..361b9f72d873 100644
--- a/sys/dev/mlx5/mlx5_accel/ipsec.h
+++ b/sys/dev/mlx5/mlx5_accel/ipsec.h
@@ -1,278 +1,280 @@ /*- * Copyright (c) 2023 NVIDIA corporation & affiliates. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* */ #ifndef __MLX5_ACCEL_IPSEC_H__ #define __MLX5_ACCEL_IPSEC_H__ #include #include #include #include #include #include #define MLX5E_IPSEC_SADB_RX_BITS 10 #define MLX5_IPSEC_METADATA_MARKER(ipsec_metadata) ((ipsec_metadata >> 31) & 0x1) #define VLAN_NONE 0xfff struct mlx5e_priv; struct mlx5e_tx_wqe; struct mlx5e_ipsec_tx; struct mlx5e_ipsec_rx; +struct mlx5e_ipsec_rx_ip_type; struct aes_gcm_keymat { u64 seq_iv; u32 salt; u32 icv_len; u32 key_len; u32 aes_key[256 / 32]; }; struct mlx5e_ipsec_priv_bothdir { struct mlx5e_ipsec_sa_entry *priv_in; struct mlx5e_ipsec_sa_entry *priv_out; }; struct mlx5e_ipsec_work { struct work_struct work; struct mlx5e_ipsec_sa_entry *sa_entry; void *data; }; struct mlx5e_ipsec_dwork { struct delayed_work dwork; struct mlx5e_ipsec_sa_entry *sa_entry; struct mlx5e_ipsec_priv_bothdir *pb; }; struct mlx5e_ipsec_aso { u8 __aligned(64) ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]; dma_addr_t dma_addr; struct mlx5_aso *aso; /* Protect ASO WQ access, as it is global to whole IPsec */ spinlock_t lock; }; struct mlx5_replay_esn { u32 replay_window; u32 esn; u32 esn_msb; u8 overlap : 1; u8 trigger : 1; }; struct mlx5_accel_esp_xfrm_attrs { u32 spi; struct aes_gcm_keymat aes_gcm; union { __be32 a4; __be32 a6[4]; } saddr; union { __be32 a4; __be32 a6[4]; } daddr; u8 dir : 2; u8 encap : 1; u8 drop : 1; u8 family; struct mlx5_replay_esn replay_esn; u32 authsize; u32 reqid; u16 sport; u16 dport; }; enum mlx5_ipsec_cap { MLX5_IPSEC_CAP_CRYPTO = 1 << 0, MLX5_IPSEC_CAP_ESN = 1 << 1, MLX5_IPSEC_CAP_PACKET_OFFLOAD = 1 << 2, MLX5_IPSEC_CAP_ROCE = 1 << 3, MLX5_IPSEC_CAP_PRIO = 1 << 4, MLX5_IPSEC_CAP_TUNNEL = 1 << 5, MLX5_IPSEC_CAP_ESPINUDP = 1 << 6, }; struct mlx5e_ipsec { struct mlx5_core_dev *mdev; struct workqueue_struct *wq; struct mlx5e_ipsec_tx *tx; struct mlx5e_ipsec_rx *rx_ipv4; struct mlx5e_ipsec_rx *rx_ipv6; + struct mlx5e_ipsec_rx_ip_type *rx_ip_type; struct mlx5e_ipsec_aso *aso; u32 pdn; u32 mkey; }; struct mlx5e_ipsec_rule { struct mlx5_flow_handle *rule; 
struct mlx5_flow_handle *kspi_rule; struct mlx5_flow_handle *reqid_rule; struct mlx5_flow_handle *vid_zero_rule; struct mlx5_modify_hdr *modify_hdr; struct mlx5_pkt_reformat *pkt_reformat; struct mlx5_fc *fc; }; struct mlx5e_ipsec_esn_state { u32 esn; u32 esn_msb; u8 overlap: 1; }; struct mlx5e_ipsec_sa_entry { struct secasvar *savp; if_t ifp; if_t ifpo; struct mlx5e_ipsec *ipsec; struct mlx5_accel_esp_xfrm_attrs attrs; struct mlx5e_ipsec_rule ipsec_rule; struct mlx5e_ipsec_dwork *dwork; struct mlx5e_ipsec_work *work; u32 ipsec_obj_id; u32 enc_key_id; u16 kspi; /* Stack allocated unique SA identifier */ struct mlx5e_ipsec_esn_state esn_state; u16 vid; }; struct upspec { u16 dport; u16 sport; u8 proto; }; struct mlx5_accel_pol_xfrm_attrs { union { __be32 a4; __be32 a6[4]; } saddr; union { __be32 a4; __be32 a6[4]; } daddr; struct upspec upspec; u8 family; u8 action; u8 dir : 2; u32 reqid; u32 prio; u16 vid; }; struct mlx5e_ipsec_pol_entry { struct secpolicy *sp; struct mlx5e_ipsec *ipsec; struct mlx5e_ipsec_rule ipsec_rule; struct mlx5_accel_pol_xfrm_attrs attrs; }; /* This function doesn't really belong here, but let's put it here for now */ void mlx5_object_change_event(struct mlx5_core_dev *dev, struct mlx5_eqe *eqe); int mlx5e_ipsec_init(struct mlx5e_priv *priv); void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv); int mlx5e_ipsec_aso_init(struct mlx5e_ipsec *ipsec); void mlx5e_ipsec_aso_cleanup(struct mlx5e_ipsec *ipsec); int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry); void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry); u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev); static inline struct mlx5_core_dev * mlx5e_ipsec_sa2dev(struct mlx5e_ipsec_sa_entry *sa_entry) { return sa_entry->ipsec->mdev; } static inline struct mlx5_core_dev * mlx5e_ipsec_pol2dev(struct mlx5e_ipsec_pol_entry *pol_entry) { return pol_entry->ipsec->mdev; } void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry, struct 
mlx5_accel_esp_xfrm_attrs *attrs, u8 dir); int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec); void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec); int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry); void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry); void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry); struct ipsec_accel_out_tag; void mlx5e_accel_ipsec_handle_tx_wqe(struct mbuf *mb, struct mlx5e_tx_wqe *wqe, struct ipsec_accel_out_tag *tag); int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry); void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry); static inline int mlx5e_accel_ipsec_get_metadata(unsigned int id) { return MLX5_ETH_WQE_FT_META_IPSEC << 23 | id; } static inline void mlx5e_accel_ipsec_handle_tx(struct mbuf *mb, struct mlx5e_tx_wqe *wqe) { struct ipsec_accel_out_tag *tag; tag = (struct ipsec_accel_out_tag *)m_tag_find(mb, PACKET_TAG_IPSEC_ACCEL_OUT, NULL); if (tag != NULL) mlx5e_accel_ipsec_handle_tx_wqe(mb, wqe, tag); } void mlx5e_accel_ipsec_fs_rx_tables_destroy(struct mlx5e_priv *priv); int mlx5e_accel_ipsec_fs_rx_tables_create(struct mlx5e_priv *priv); void mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy(struct mlx5e_priv *priv); int mlx5e_accel_ipsec_fs_rx_catchall_rules(struct mlx5e_priv *priv); int mlx5_accel_ipsec_rx_tag_add(if_t ifp, struct mlx5e_rq_mbuf *mr); void mlx5e_accel_ipsec_handle_rx_cqe(struct mbuf *mb, struct mlx5_cqe64 *cqe, struct mlx5e_rq_mbuf *mr); static inline int mlx5e_accel_ipsec_flow(struct mlx5_cqe64 *cqe) { return MLX5_IPSEC_METADATA_MARKER(be32_to_cpu(cqe->ft_metadata)); } static inline void mlx5e_accel_ipsec_handle_rx(struct mbuf *mb, struct mlx5_cqe64 *cqe, struct mlx5e_rq_mbuf *mr) { u32 ipsec_meta_data = be32_to_cpu(cqe->ft_metadata); if (MLX5_IPSEC_METADATA_MARKER(ipsec_meta_data)) mlx5e_accel_ipsec_handle_rx_cqe(mb, cqe, mr); } #endif /* __MLX5_ACCEL_IPSEC_H__ */ 
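Review bot: The new `rx_ip_type` member of `struct mlx5e_ipsec` carries no comment, and its type is only forward-declared in this header, so a reader here cannot tell what the object is or which code owns its lifetime. Judging from the definition added in mlx5_ipsec_fs.c (a flow table plus `ipv4_rule`, `ipv6_rule` and a `miss` entry), it looks like an RX table that dispatches on IP version ahead of `rx_ipv4`/`rx_ipv6`. A one-line comment on the member, for example `/* RX IP-version dispatch table, see mlx5_ipsec_fs.c */`, would record that. It would also help to say where the pointer is allocated and freed and whether it may be NULL. The init and cleanup paths are not part of this hunk, so that wording should be confirmed against them.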
diff --git a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
index f7950bf61269..fb9ca94278db 100644
--- a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
+++ b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
@@ -1,2137 +1,2270 @@ /*- * Copyright (c) 2023 NVIDIA corporation & affiliates. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* */ #include "opt_ipsec.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * TX tables are organized differently for Ethernet and for RoCE: * * +=========+ * Ethernet Tx | SA KSPI | match * --------------------->|Flowtable|----->+ + * | |\ | / \ * +=========+ | | / \ +=========+ +=========+ * miss | | / \ | Status | | | * DROP<--------+ |---->|Encrypt|------>|Flowtable|---->| TX NS | * | \ / | | | | * | \ / +=========+ +=========+ * +=========+ +=========+ | \ / | * RoCE | Policy | match|SA ReqId |match| + | * Tx |Flowtable|----->|Flowtable|---->+ | * ---->|IP header| |ReqId+IP | | * | | | header |--------------------------------+ * +=========+ +=========+ miss | * | | * | miss | * +------------------------------------------------------- * * +=========+ * | RDMA | * |Flowtable| * | | * Rx Tables and rules: +=========+ * + / * +=========+ +=========+ / \ +=========+ +=========+ /match * | Policy | | SA | / \ | Status | | RoCE |/ * ---->|Flowtable| match|Flowtable| match / \ |Flowtable|----->|Flowtable| * |IP header|----->|IP header|----->|Decrypt|----->| | | Roce V2 | * | | |+ESP+SPI | \ / | | | UDP port|\ * +=========+ +=========+ \ / +=========+ +=========+ \miss * | | \ / \ * | | + +=========+ * | miss | miss | Ethernet| * +--------------->---------------------------------------------------->| RX NS | * | | * +=========+ * */ #define NUM_IPSEC_FTE BIT(15) #define IPSEC_TUNNEL_DEFAULT_TTL 0x40 struct mlx5e_ipsec_fc { struct mlx5_fc *cnt; struct mlx5_fc *drop; }; struct mlx5e_ipsec_ft { struct mutex mutex; /* Protect changes to this struct */ struct mlx5_flow_table *pol; struct mlx5_flow_table *sa_kspi; struct mlx5_flow_table *sa; struct mlx5_flow_table *status; u32 refcnt; }; struct mlx5e_ipsec_tx_roce { struct mlx5_flow_group *g; struct mlx5_flow_table *ft; struct mlx5_flow_handle *rule; struct mlx5_flow_namespace *ns; }; struct mlx5e_ipsec_miss { struct 
mlx5_flow_group *group; struct mlx5_flow_handle *rule; }; struct mlx5e_ipsec_tx { struct mlx5e_ipsec_ft ft; struct mlx5e_ipsec_miss pol; struct mlx5e_ipsec_miss kspi_miss; struct mlx5e_ipsec_rule status; struct mlx5e_ipsec_rule kspi_bypass_rule; /*rule for IPSEC bypass*/ struct mlx5_flow_namespace *ns; struct mlx5e_ipsec_fc *fc; struct mlx5_fs_chains *chains; struct mlx5e_ipsec_tx_roce roce; }; struct mlx5e_ipsec_rx_roce { struct mlx5_flow_group *g; struct mlx5_flow_table *ft; struct mlx5_flow_handle *rule; struct mlx5e_ipsec_miss roce_miss; struct mlx5_flow_table *ft_rdma; struct mlx5_flow_namespace *ns_rdma; }; +struct mlx5e_ipsec_rx_ip_type { + struct mlx5_flow_table *ft; + struct mlx5_flow_namespace *ns; + struct mlx5_flow_handle *ipv4_rule; + struct mlx5_flow_handle *ipv6_rule; + struct mlx5e_ipsec_miss miss; +}; + struct mlx5e_ipsec_rx { struct mlx5e_ipsec_ft ft; struct mlx5e_ipsec_miss pol; struct mlx5e_ipsec_miss sa; struct mlx5e_ipsec_rule status; struct mlx5_flow_namespace *ns; struct mlx5e_ipsec_fc *fc; struct mlx5_fs_chains *chains; struct mlx5e_ipsec_rx_roce roce; }; static void setup_fte_reg_a_with_tag(struct mlx5_flow_spec *spec, u16 kspi); static void setup_fte_reg_a_no_tag(struct mlx5_flow_spec *spec); static void setup_fte_no_frags(struct mlx5_flow_spec *spec) { /* Non fragmented */ spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.frag); MLX5_SET(fte_match_param, spec->match_value, outer_headers.frag, 0); } static void setup_fte_esp(struct mlx5_flow_spec *spec) { /* ESP header */ spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_protocol); MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_protocol, IPPROTO_ESP); } static void setup_fte_spi(struct mlx5_flow_spec *spec, u32 spi, bool encap) { /* SPI number */ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS; if (encap) { 
MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters.inner_esp_spi); MLX5_SET(fte_match_param, spec->match_value, misc_parameters.inner_esp_spi, spi); } else { MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters.outer_esp_spi); MLX5_SET(fte_match_param, spec->match_value, misc_parameters.outer_esp_spi, spi); } } static void setup_fte_vid(struct mlx5_flow_spec *spec, u16 vid) { /* virtual lan tag */ spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.cvlan_tag); MLX5_SET(fte_match_param, spec->match_value, outer_headers.cvlan_tag, 1); MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.first_vid); MLX5_SET(fte_match_param, spec->match_value, outer_headers.first_vid, vid); } static void clear_fte_vid(struct mlx5_flow_spec *spec) { MLX5_SET(fte_match_param, spec->match_criteria, outer_headers.cvlan_tag, 0); MLX5_SET(fte_match_param, spec->match_value, outer_headers.cvlan_tag, 0); MLX5_SET(fte_match_param, spec->match_criteria, outer_headers.first_vid, 0); MLX5_SET(fte_match_param, spec->match_value, outer_headers.first_vid, 0); } static void setup_fte_no_vid(struct mlx5_flow_spec *spec) { MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.cvlan_tag); MLX5_SET(fte_match_param, spec->match_value, outer_headers.cvlan_tag, 0); } static struct mlx5_fs_chains * ipsec_chains_create(struct mlx5_core_dev *mdev, struct mlx5_flow_table *miss_ft, enum mlx5_flow_namespace_type ns, int base_prio, int base_level, struct mlx5_flow_table **root_ft) { struct mlx5_chains_attr attr = {}; struct mlx5_fs_chains *chains; struct mlx5_flow_table *ft; int err; attr.flags = MLX5_CHAINS_AND_PRIOS_SUPPORTED | MLX5_CHAINS_IGNORE_FLOW_LEVEL_SUPPORTED; attr.max_grp_num = 2; attr.default_ft = miss_ft; attr.ns = ns; attr.fs_base_prio = base_prio; attr.fs_base_level = base_level; chains = mlx5_chains_create(mdev, &attr); if (IS_ERR(chains)) return 
chains; /* Create chain 0, prio 1, level 0 to connect chains to prev in fs_core */ ft = mlx5_chains_get_table(chains, 0, 1, 0); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_chains_get; } *root_ft = ft; return chains; err_chains_get: mlx5_chains_destroy(chains); return ERR_PTR(err); } static void ipsec_chains_destroy(struct mlx5_fs_chains *chains) { mlx5_chains_put_table(chains, 0, 1, 0); mlx5_chains_destroy(chains); } static struct mlx5_flow_table * ipsec_chains_get_table(struct mlx5_fs_chains *chains, u32 prio) { return mlx5_chains_get_table(chains, 0, prio + 1, 0); } static void ipsec_chains_put_table(struct mlx5_fs_chains *chains, u32 prio) { mlx5_chains_put_table(chains, 0, prio + 1, 0); } static struct mlx5_flow_table *ipsec_rx_ft_create(struct mlx5_flow_namespace *ns, int level, int prio, int max_num_groups) { struct mlx5_flow_table_attr ft_attr = {}; ft_attr.max_fte = NUM_IPSEC_FTE; ft_attr.level = level; ft_attr.prio = prio; ft_attr.autogroup.max_num_groups = max_num_groups; ft_attr.autogroup.num_reserved_entries = 1; return mlx5_create_auto_grouped_flow_table(ns, &ft_attr); } static int ipsec_miss_create(struct mlx5_core_dev *mdev, struct mlx5_flow_table *ft, struct mlx5e_ipsec_miss *miss, struct mlx5_flow_destination *dest) { int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); struct mlx5_flow_act flow_act = {}; struct mlx5_flow_spec *spec; u32 *flow_group_in; int err = 0; flow_group_in = kvzalloc(inlen, GFP_KERNEL); spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!flow_group_in || !spec) { err = -ENOMEM; goto out; } /* Create miss_group */ MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, ft->max_fte - 1); MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, ft->max_fte - 1); miss->group = mlx5_create_flow_group(ft, flow_group_in); if (IS_ERR(miss->group)) { err = PTR_ERR(miss->group); mlx5_core_err(mdev, "fail to create IPsec miss_group err=%d\n", err); goto out; } if (dest) flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; 
else flow_act.action = MLX5_FLOW_CONTEXT_ACTION_DROP; /* Create miss rule */ miss->rule = mlx5_add_flow_rules(ft, NULL, &flow_act, dest, 1); if (IS_ERR(miss->rule)) { mlx5_destroy_flow_group(miss->group); err = PTR_ERR(miss->rule); mlx5_core_err(mdev, "fail to create IPsec miss_rule err=%d\n", err); goto out; } out: kvfree(flow_group_in); kvfree(spec); return err; } static int setup_modify_header(struct mlx5_core_dev *mdev, u32 val, u8 dir, struct mlx5_flow_act *flow_act) { u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] = {}; enum mlx5_flow_namespace_type ns_type; struct mlx5_modify_hdr *modify_hdr; MLX5_SET(set_action_in, action, action_type, MLX5_ACTION_TYPE_SET); switch (dir) { case IPSEC_DIR_INBOUND: MLX5_SET(set_action_in, action, field, MLX5_ACTION_IN_FIELD_METADATA_REG_B); ns_type = MLX5_FLOW_NAMESPACE_KERNEL; break; case IPSEC_DIR_OUTBOUND: MLX5_SET(set_action_in, action, field, MLX5_ACTION_IN_FIELD_METADATA_REG_C_0); ns_type = MLX5_FLOW_NAMESPACE_EGRESS; break; default: return -EINVAL; } MLX5_SET(set_action_in, action, data, val); MLX5_SET(set_action_in, action, offset, 0); MLX5_SET(set_action_in, action, length, 32); modify_hdr = mlx5_modify_header_alloc(mdev, ns_type, 1, action); if (IS_ERR(modify_hdr)) { mlx5_core_err(mdev, "Failed to allocate modify_header %ld\n", PTR_ERR(modify_hdr)); return PTR_ERR(modify_hdr); } flow_act->modify_hdr = modify_hdr; flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_MOD_HDR; return 0; } static int setup_pkt_transport_reformat(struct mlx5_accel_esp_xfrm_attrs *attrs, struct mlx5_pkt_reformat_params *reformat_params) { struct udphdr *udphdr; size_t bfflen = 16; char *reformatbf; __be32 spi; void *hdr; if (attrs->family == AF_INET) { if (attrs->encap) reformat_params->type = MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_UDPV4; else reformat_params->type = MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_IPV4; } else { if (attrs->encap) reformat_params->type = MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_UDPV6; else 
reformat_params->type = MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_IPV6; } if (attrs->encap) bfflen += sizeof(*udphdr); reformatbf = kzalloc(bfflen, GFP_KERNEL); if (!reformatbf) return -ENOMEM; hdr = reformatbf; if (attrs->encap) { udphdr = (struct udphdr *)reformatbf; udphdr->uh_sport = attrs->sport; udphdr->uh_dport = attrs->dport; hdr += sizeof(*udphdr); } /* convert to network format */ spi = htonl(attrs->spi); memcpy(hdr, &spi, 4); reformat_params->param_0 = attrs->authsize; reformat_params->size = bfflen; reformat_params->data = reformatbf; return 0; } static int setup_pkt_reformat(struct mlx5_core_dev *mdev, struct mlx5_accel_esp_xfrm_attrs *attrs, struct mlx5_flow_act *flow_act) { enum mlx5_flow_namespace_type ns_type = MLX5_FLOW_NAMESPACE_EGRESS; struct mlx5_pkt_reformat_params reformat_params = {}; struct mlx5_pkt_reformat *pkt_reformat; int ret; if (attrs->dir == IPSEC_DIR_INBOUND) { if (attrs->encap) reformat_params.type = MLX5_REFORMAT_TYPE_DEL_ESP_TRANSPORT_OVER_UDP; else reformat_params.type = MLX5_REFORMAT_TYPE_DEL_ESP_TRANSPORT; ns_type = MLX5_FLOW_NAMESPACE_KERNEL; goto cmd; } ret = setup_pkt_transport_reformat(attrs, &reformat_params); if (ret) return ret; cmd: pkt_reformat = mlx5_packet_reformat_alloc(mdev, &reformat_params, ns_type); if (reformat_params.data) kfree(reformat_params.data); if (IS_ERR(pkt_reformat)) return PTR_ERR(pkt_reformat); flow_act->pkt_reformat = pkt_reformat; flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; return 0; } static void setup_fte_addr4(struct mlx5_flow_spec *spec, __be32 *saddr, __be32 *daddr) { spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_version); MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_version, 4); memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value, outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4), saddr, 4); memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value, 
outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4), daddr, 4); MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4); MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4); } static void setup_fte_addr6(struct mlx5_flow_spec *spec, __be32 *saddr, __be32 *daddr) { spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_version); MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_version, 6); memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value, outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), saddr, 16); memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value, outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), daddr, 16); memset(MLX5_ADDR_OF(fte_match_param, spec->match_criteria, outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), 0xff, 16); memset(MLX5_ADDR_OF(fte_match_param, spec->match_criteria, outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), 0xff, 16); } +static void +setup_fte_ip_version(struct mlx5_flow_spec *spec, u8 family) +{ + spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; + + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_version); + MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_version, + family == AF_INET ? 4 : 6); +} + static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry) { struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule; struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); struct mlx5e_ipsec *ipsec = sa_entry->ipsec; struct mlx5_flow_destination dest[2] = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; struct mlx5e_ipsec_rx *rx; struct mlx5_fc *counter; int err; rx = (attrs->family == AF_INET) ? 
ipsec->rx_ipv4 : ipsec->rx_ipv6; spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) return -ENOMEM; if (!attrs->drop) { err = setup_modify_header(mdev, sa_entry->kspi | BIT(31), IPSEC_DIR_INBOUND, &flow_act); if (err) goto err_mod_header; } err = setup_pkt_reformat(mdev, attrs, &flow_act); if (err) goto err_pkt_reformat; counter = mlx5_fc_create(mdev, false); if (IS_ERR(counter)) { err = PTR_ERR(counter); goto err_add_cnt; } flow_act.crypto.type = MLX5_FLOW_CONTEXT_ENCRYPT_DECRYPT_TYPE_IPSEC; flow_act.crypto.op = MLX5_FLOW_ACT_CRYPTO_OP_DECRYPT; flow_act.crypto.obj_id = sa_entry->ipsec_obj_id; flow_act.flags |= FLOW_ACT_NO_APPEND; flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_CRYPTO_DECRYPT | MLX5_FLOW_CONTEXT_ACTION_COUNT; if (attrs->drop) flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP; else flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest[0].ft = rx->ft.status; dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; dest[1].counter_id = mlx5_fc_id(counter); if (attrs->family == AF_INET) setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4); else setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6); if (!attrs->encap) setup_fte_esp(spec); setup_fte_spi(spec, attrs->spi, attrs->encap); setup_fte_no_frags(spec); if (sa_entry->vid != VLAN_NONE) setup_fte_vid(spec, sa_entry->vid); else setup_fte_no_vid(spec); rule = mlx5_add_flow_rules(rx->ft.sa, spec, &flow_act, dest, 2); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add RX ipsec rule err=%d\n", err); goto err_add_flow; } ipsec_rule->rule = rule; /* Add another rule for zero vid */ if (sa_entry->vid == VLAN_NONE) { clear_fte_vid(spec); setup_fte_vid(spec, 0); rule = mlx5_add_flow_rules(rx->ft.sa, spec, &flow_act, dest, 2); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add RX ipsec zero vid rule err=%d\n", err); goto err_add_flow; } ipsec_rule->vid_zero_rule = rule; } kvfree(spec); ipsec_rule->fc = 
counter; ipsec_rule->modify_hdr = flow_act.modify_hdr; ipsec_rule->pkt_reformat = flow_act.pkt_reformat; return 0; err_add_flow: mlx5_fc_destroy(mdev, counter); if (ipsec_rule->rule != NULL) mlx5_del_flow_rules(&ipsec_rule->rule); err_add_cnt: mlx5_packet_reformat_dealloc(mdev, flow_act.pkt_reformat); err_pkt_reformat: if (flow_act.modify_hdr != NULL) mlx5_modify_header_dealloc(mdev, flow_act.modify_hdr); err_mod_header: kvfree(spec); return err; } static struct mlx5_flow_table *ipsec_tx_ft_create(struct mlx5_flow_namespace *ns, int level, int prio, int max_num_groups) { struct mlx5_flow_table_attr ft_attr = {}; ft_attr.autogroup.num_reserved_entries = 1; ft_attr.autogroup.max_num_groups = max_num_groups; ft_attr.max_fte = NUM_IPSEC_FTE; ft_attr.level = level; ft_attr.prio = prio; return mlx5_create_auto_grouped_flow_table(ns, &ft_attr); } static int ipsec_counter_rule_tx(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx) { struct mlx5_flow_destination dest = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_handle *fte; int err; /* create fte */ flow_act.action = MLX5_FLOW_CONTEXT_ACTION_COUNT | MLX5_FLOW_CONTEXT_ACTION_ALLOW; dest.type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; dest.counter_id = mlx5_fc_id(tx->fc->cnt); fte = mlx5_add_flow_rules(tx->ft.status, NULL, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(fte)) { err = PTR_ERR(fte); mlx5_core_err(mdev, "Fail to add ipsec tx counter rule err=%d\n", err); goto err_rule; } tx->status.rule = fte; return 0; err_rule: return err; } static void tx_destroy_roce(struct mlx5e_ipsec_tx *tx) { if (!tx->roce.ft) return; mlx5_del_flow_rules(&tx->roce.rule); mlx5_destroy_flow_group(tx->roce.g); mlx5_destroy_flow_table(tx->roce.ft); tx->roce.ft = NULL; } /* IPsec TX flow steering */ static void tx_destroy(struct mlx5e_ipsec_tx *tx) { tx_destroy_roce(tx); if (tx->chains) { ipsec_chains_destroy(tx->chains); } else { mlx5_del_flow_rules(&tx->pol.rule); mlx5_destroy_flow_group(tx->pol.group); 
mlx5_destroy_flow_table(tx->ft.pol); } mlx5_destroy_flow_table(tx->ft.sa); mlx5_del_flow_rules(&tx->kspi_miss.rule); mlx5_destroy_flow_group(tx->kspi_miss.group); mlx5_del_flow_rules(&tx->kspi_bypass_rule.rule); mlx5_del_flow_rules(&tx->kspi_bypass_rule.kspi_rule); mlx5_destroy_flow_table(tx->ft.sa_kspi); mlx5_del_flow_rules(&tx->status.rule); mlx5_destroy_flow_table(tx->ft.status); } static int ipsec_tx_roce_rule_setup(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx) { struct mlx5_flow_destination dst = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_handle *rule; int err = 0; flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; dst.type = MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE; dst.ft = tx->ft.pol; rule = mlx5_add_flow_rules(tx->roce.ft, NULL, &flow_act, &dst, 1); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Fail to add TX roce ipsec rule err=%d\n", err); goto out; } tx->roce.rule = rule; out: return err; } static int ipsec_tx_create_roce(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx) { struct mlx5_flow_table_attr ft_attr = {}; struct mlx5_flow_table *ft; struct mlx5_flow_group *g; int ix = 0; int err; u32 *in; if (!tx->roce.ns) return -EOPNOTSUPP; in = kvzalloc(MLX5_ST_SZ_BYTES(create_flow_group_in), GFP_KERNEL); if (!in) return -ENOMEM; ft_attr.max_fte = 1; ft = mlx5_create_flow_table(tx->roce.ns, &ft_attr); if (IS_ERR(ft)) { err = PTR_ERR(ft); mlx5_core_err(mdev, "Fail to create ipsec tx roce ft err=%d\n", err); goto fail_table; } tx->roce.ft = ft; MLX5_SET_CFG(in, start_flow_index, ix); ix += 1; MLX5_SET_CFG(in, end_flow_index, ix - 1); g = mlx5_create_flow_group(ft, in); if (IS_ERR(g)) { err = PTR_ERR(g); mlx5_core_err(mdev, "Fail to create ipsec tx roce group err=%d\n", err); goto fail_group; } tx->roce.g = g; err = ipsec_tx_roce_rule_setup(mdev, tx); if (err) { mlx5_core_err(mdev, "Fail to create RoCE IPsec tx rules err=%d\n", err); goto fail_rule; } kvfree(in); return 0; fail_rule: 
mlx5_destroy_flow_group(tx->roce.g); fail_group: mlx5_destroy_flow_table(tx->roce.ft); tx->roce.ft = NULL; fail_table: kvfree(in); return err; } /* * Setting a rule in KSPI table for values that should bypass IPSEC. * * mdev - mlx5 core device * tx - IPSEC TX * return - 0 for success errno for failure */ static int tx_create_kspi_bypass_rules(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx) { struct mlx5_flow_destination dest = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_act flow_act_kspi = {}; struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; int err; spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) return -ENOMEM; dest.ft = tx->ft.status; dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; flow_act_kspi.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; setup_fte_reg_a_with_tag(spec, IPSEC_ACCEL_DRV_SPI_BYPASS); rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, &flow_act_kspi, &dest, 1); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Fail to add ipsec kspi bypass rule err=%d\n", err); goto err_add_kspi_rule; } tx->kspi_bypass_rule.kspi_rule = rule; /* set the rule for packets withoiut ipsec tag. 
*/ flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; memset(spec, 0, sizeof(*spec)); setup_fte_reg_a_no_tag(spec); rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, &flow_act, &dest, 1); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Fail to add ipsec kspi bypass rule err=%d\n", err); goto err_add_rule; } tx->kspi_bypass_rule.rule = rule; kvfree(spec); return 0; err_add_rule: mlx5_del_flow_rules(&tx->kspi_bypass_rule.kspi_rule); err_add_kspi_rule: kvfree(spec); return err; } static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx) { struct mlx5_flow_destination dest = {}; struct mlx5_flow_table *ft; int err; /* * Tx flow is different for ethernet traffic then for RoCE packets * For Ethernet packets we start in SA KSPI table that matches KSPI of SA rule * to the KSPI in the packet metadata * For RoCE traffic we start in Policy table, then move to SA table * which matches either reqid of the SA rule to reqid reported by policy table * or ip header fields of SA to the packet IP header fields. * Tables are ordered by their level so we set kspi * with level 0 to have it first one for ethernet traffic. 
* For RoCE the RoCE TX table direct the packets to policy table explicitly */ ft = ipsec_tx_ft_create(tx->ns, 0, 0, 4); if (IS_ERR(ft)) return PTR_ERR(ft); tx->ft.sa_kspi = ft; ft = ipsec_tx_ft_create(tx->ns, 2, 0, 4); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_reqid_ft; } tx->ft.sa = ft; if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO) { tx->chains = ipsec_chains_create( mdev, tx->ft.sa, MLX5_FLOW_NAMESPACE_EGRESS_IPSEC, 0, 1, &tx->ft.pol); if (IS_ERR(tx->chains)) { err = PTR_ERR(tx->chains); goto err_pol_ft; } } else { ft = ipsec_tx_ft_create(tx->ns, 1, 0, 2); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_pol_ft; } tx->ft.pol = ft; dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest.ft = tx->ft.sa; err = ipsec_miss_create(mdev, tx->ft.pol, &tx->pol, &dest); if (err) goto err_pol_miss; } ft = ipsec_tx_ft_create(tx->ns, 2, 0, 1); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_status_ft; } tx->ft.status = ft; /* set miss rule for kspi table with drop action*/ err = ipsec_miss_create(mdev, tx->ft.sa_kspi, &tx->kspi_miss, NULL); if (err) goto err_kspi_miss; err = tx_create_kspi_bypass_rules(mdev, tx); if (err) goto err_kspi_rule; err = ipsec_counter_rule_tx(mdev, tx); if (err) goto err_status_rule; err = ipsec_tx_create_roce(mdev, tx); if (err) goto err_counter_rule; return 0; err_counter_rule: mlx5_del_flow_rules(&tx->status.rule); err_status_rule: mlx5_del_flow_rules(&tx->kspi_bypass_rule.rule); mlx5_del_flow_rules(&tx->kspi_bypass_rule.kspi_rule); err_kspi_rule: mlx5_destroy_flow_table(tx->ft.status); err_status_ft: if (tx->chains) { ipsec_chains_destroy(tx->chains); } else { mlx5_del_flow_rules(&tx->pol.rule); mlx5_destroy_flow_group(tx->pol.group); } err_pol_miss: if (!tx->chains) mlx5_destroy_flow_table(tx->ft.pol); err_pol_ft: mlx5_del_flow_rules(&tx->kspi_miss.rule); mlx5_destroy_flow_group(tx->kspi_miss.group); err_kspi_miss: mlx5_destroy_flow_table(tx->ft.sa); err_reqid_ft: mlx5_destroy_flow_table(tx->ft.sa_kspi); return err; } static int 
tx_get(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_tx *tx) { int err; if (tx->ft.refcnt) goto skip; err = tx_create(mdev, tx); if (err) return err; skip: tx->ft.refcnt++; return 0; } static void tx_put(struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_tx *tx) { if (--tx->ft.refcnt) return; tx_destroy(tx); } static struct mlx5e_ipsec_tx *tx_ft_get(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec) { struct mlx5e_ipsec_tx *tx = ipsec->tx; int err; mutex_lock(&tx->ft.mutex); err = tx_get(mdev, ipsec, tx); mutex_unlock(&tx->ft.mutex); if (err) return ERR_PTR(err); return tx; } static struct mlx5_flow_table *tx_ft_get_policy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, u32 prio) { struct mlx5e_ipsec_tx *tx = ipsec->tx; struct mlx5_flow_table *ft; int err; mutex_lock(&tx->ft.mutex); err = tx_get(mdev, ipsec, tx); if (err) goto err_get; ft = tx->chains ? ipsec_chains_get_table(tx->chains, prio) : tx->ft.pol; if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_get_ft; } mutex_unlock(&tx->ft.mutex); return ft; err_get_ft: tx_put(ipsec, tx); err_get: mutex_unlock(&tx->ft.mutex); return ERR_PTR(err); } static void tx_ft_put_policy(struct mlx5e_ipsec *ipsec, u32 prio) { struct mlx5e_ipsec_tx *tx = ipsec->tx; mutex_lock(&tx->ft.mutex); if (tx->chains) ipsec_chains_put_table(tx->chains, prio); tx_put(ipsec, tx); mutex_unlock(&tx->ft.mutex); } static void tx_ft_put(struct mlx5e_ipsec *ipsec) { struct mlx5e_ipsec_tx *tx = ipsec->tx; mutex_lock(&tx->ft.mutex); tx_put(ipsec, tx); mutex_unlock(&tx->ft.mutex); } static void setup_fte_reg_a_with_tag(struct mlx5_flow_spec *spec, u16 kspi) { /* Add IPsec indicator in metadata_reg_a. 
*/ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters_2.metadata_reg_a); MLX5_SET(fte_match_param, spec->match_value, misc_parameters_2.metadata_reg_a, MLX5_ETH_WQE_FT_META_IPSEC << 23 | kspi); } static void setup_fte_reg_a_no_tag(struct mlx5_flow_spec *spec) { /* Add IPsec indicator in metadata_reg_a. */ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2; MLX5_SET(fte_match_param, spec->match_criteria, misc_parameters_2.metadata_reg_a, MLX5_ETH_WQE_FT_META_IPSEC << 23); MLX5_SET(fte_match_param, spec->match_value, misc_parameters_2.metadata_reg_a, 0); } static void setup_fte_reg_c0(struct mlx5_flow_spec *spec, u32 reqid) { /* Pass policy check before choosing this SA */ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters_2.metadata_reg_c_0); MLX5_SET(fte_match_param, spec->match_value, misc_parameters_2.metadata_reg_c_0, reqid); } static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec) { switch (upspec->proto) { case IPPROTO_UDP: if (upspec->dport) { MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport); MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport); } if (upspec->sport) { MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport); MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->sport); } break; case IPPROTO_TCP: if (upspec->dport) { MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, tcp_dport); MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, tcp_dport, upspec->dport); } if (upspec->sport) { MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, tcp_sport); MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, tcp_dport, upspec->sport); } break; default: return; } spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; 
MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol); MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto); } static int tx_add_kspi_rule(struct mlx5e_ipsec_sa_entry *sa_entry, struct mlx5e_ipsec_tx *tx, struct mlx5_flow_act *flow_act, struct mlx5_flow_destination *dest, int num_dest) { struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule; struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; int err; spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) return -ENOMEM; setup_fte_no_frags(spec); setup_fte_reg_a_with_tag(spec, sa_entry->kspi); rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, flow_act, dest, num_dest); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add TX ipsec kspi rule err=%d\n", err); goto err_add_kspi_flow; } ipsec_rule->kspi_rule = rule; kvfree(spec); return 0; err_add_kspi_flow: kvfree(spec); return err; } static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry, struct mlx5e_ipsec_tx *tx, struct mlx5_flow_act *flow_act, struct mlx5_flow_destination *dest, int num_dest) { struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule; struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; int err; spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) return -ENOMEM; flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL; if(attrs->reqid) { setup_fte_no_frags(spec); setup_fte_reg_c0(spec, attrs->reqid); rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add TX ipsec reqid rule err=%d\n", err); goto err_add_reqid_rule; } ipsec_rule->reqid_rule = rule; memset(spec, 0, sizeof(*spec)); } if (attrs->family == AF_INET) setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4); else 
setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6); setup_fte_no_frags(spec); rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add TX ipsec ip rule err=%d\n", err); goto err_add_ip_rule; } ipsec_rule->rule = rule; kvfree(spec); return 0; err_add_ip_rule: mlx5_del_flow_rules(&ipsec_rule->reqid_rule); err_add_reqid_rule: kvfree(spec); return err; } static int tx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry) { struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule; struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); struct mlx5e_ipsec *ipsec = sa_entry->ipsec; struct mlx5_flow_destination dest[2] = {}; struct mlx5_flow_act flow_act = {}; struct mlx5e_ipsec_tx *tx; struct mlx5_fc *counter; int err; tx = tx_ft_get(mdev, ipsec); if (IS_ERR(tx)) return PTR_ERR(tx); err = setup_pkt_reformat(mdev, attrs, &flow_act); if (err) goto err_pkt_reformat; counter = mlx5_fc_create(mdev, false); if (IS_ERR(counter)) { err = PTR_ERR(counter); goto err_add_cnt; } flow_act.crypto.type = MLX5_FLOW_CONTEXT_ENCRYPT_DECRYPT_TYPE_IPSEC; flow_act.crypto.obj_id = sa_entry->ipsec_obj_id; flow_act.flags |= FLOW_ACT_NO_APPEND; flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_CRYPTO_ENCRYPT | MLX5_FLOW_CONTEXT_ACTION_COUNT; if (attrs->drop) flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP; else flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; dest[0].ft = tx->ft.status; dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; dest[1].counter_id = mlx5_fc_id(counter); err = tx_add_kspi_rule(sa_entry, tx, &flow_act, dest, 2); if (err) { goto err_add_kspi_rule; } err = tx_add_reqid_ip_rules(sa_entry, tx, &flow_act, dest, 2); if (err) { goto err_add_reqid_ip_rule; } ipsec_rule->fc = counter; ipsec_rule->pkt_reformat = flow_act.pkt_reformat; return 0; err_add_reqid_ip_rule: 
mlx5_del_flow_rules(&ipsec_rule->kspi_rule); err_add_kspi_rule: mlx5_fc_destroy(mdev, counter); err_add_cnt: if (flow_act.pkt_reformat) mlx5_packet_reformat_dealloc(mdev, flow_act.pkt_reformat); err_pkt_reformat: tx_ft_put(ipsec); return err; } static int tx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry) { struct mlx5_accel_pol_xfrm_attrs *attrs = &pol_entry->attrs; struct mlx5_core_dev *mdev = mlx5e_ipsec_pol2dev(pol_entry); struct mlx5e_ipsec_tx *tx = pol_entry->ipsec->tx; struct mlx5_flow_destination dest[2] = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; struct mlx5_flow_table *ft; int err, dstn = 0; ft = tx_ft_get_policy(mdev, pol_entry->ipsec, attrs->prio); if (IS_ERR(ft)) return PTR_ERR(ft); spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) { err = -ENOMEM; goto err_alloc; } if (attrs->family == AF_INET) setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4); else setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6); setup_fte_no_frags(spec); setup_fte_upper_proto_match(spec, &attrs->upspec); switch (attrs->action) { case IPSEC_POLICY_IPSEC: flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; err = setup_modify_header(mdev, attrs->reqid, IPSEC_DIR_OUTBOUND, &flow_act); if (err) goto err_mod_header; break; case IPSEC_POLICY_DISCARD: flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP | MLX5_FLOW_CONTEXT_ACTION_COUNT; dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; dest[dstn].counter_id = mlx5_fc_id(tx->fc->drop); dstn++; break; default: err = -EINVAL; goto err_mod_header; } flow_act.flags |= FLOW_ACT_NO_APPEND; dest[dstn].ft = tx->ft.sa; dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dstn++; rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add TX ipsec rule err=%d\n", err); goto err_action; } kvfree(spec); pol_entry->ipsec_rule.rule = rule; pol_entry->ipsec_rule.modify_hdr = flow_act.modify_hdr; 
return 0; err_action: if (flow_act.modify_hdr) mlx5_modify_header_dealloc(mdev, flow_act.modify_hdr); err_mod_header: kvfree(spec); err_alloc: tx_ft_put_policy(pol_entry->ipsec, attrs->prio); return err; } static int rx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry) { struct mlx5_accel_pol_xfrm_attrs *attrs = &pol_entry->attrs; struct mlx5_core_dev *mdev = mlx5e_ipsec_pol2dev(pol_entry); struct mlx5e_ipsec *ipsec = pol_entry->ipsec; struct mlx5_flow_destination dest[2]; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; struct mlx5_flow_table *ft; struct mlx5e_ipsec_rx *rx; int err, dstn = 0; rx = (attrs->family == AF_INET) ? ipsec->rx_ipv4 : ipsec->rx_ipv6; ft = rx->chains ? ipsec_chains_get_table(rx->chains, attrs->prio) : rx->ft.pol; if (IS_ERR(ft)) return PTR_ERR(ft); spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) { err = -ENOMEM; goto err_alloc; } switch (attrs->action) { case IPSEC_POLICY_IPSEC: flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; break; case IPSEC_POLICY_DISCARD: flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP | MLX5_FLOW_CONTEXT_ACTION_COUNT; dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; dest[dstn].counter_id = mlx5_fc_id(rx->fc->drop); dstn++; break; default: err = -EINVAL; goto err_action; } flow_act.flags |= FLOW_ACT_NO_APPEND; dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest[dstn].ft = rx->ft.sa; dstn++; if (attrs->family == AF_INET) setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4); else setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6); setup_fte_no_frags(spec); setup_fte_upper_proto_match(spec, &attrs->upspec); if (attrs->vid != VLAN_NONE) setup_fte_vid(spec, attrs->vid); else setup_fte_no_vid(spec); rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Failed to add RX IPsec policy rule err=%d\n", err); goto err_action; } pol_entry->ipsec_rule.rule = rule; /* Add also 
rule for zero vid */ if (attrs->vid == VLAN_NONE) { clear_fte_vid(spec); setup_fte_vid(spec, 0); rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Failed to add RX IPsec policy rule err=%d\n", err); goto err_action; } pol_entry->ipsec_rule.vid_zero_rule = rule; } kvfree(spec); return 0; err_action: if (pol_entry->ipsec_rule.rule != NULL) mlx5_del_flow_rules(&pol_entry->ipsec_rule.rule); kvfree(spec); err_alloc: if (rx->chains != NULL) ipsec_chains_put_table(rx->chains, attrs->prio); return err; } static void ipsec_fs_destroy_counters(struct mlx5e_ipsec *ipsec) { struct mlx5e_ipsec_rx *rx_ipv4 = ipsec->rx_ipv4; struct mlx5_core_dev *mdev = ipsec->mdev; struct mlx5e_ipsec_tx *tx = ipsec->tx; mlx5_fc_destroy(mdev, rx_ipv4->fc->drop); mlx5_fc_destroy(mdev, rx_ipv4->fc->cnt); kfree(rx_ipv4->fc); mlx5_fc_destroy(mdev, tx->fc->drop); mlx5_fc_destroy(mdev, tx->fc->cnt); kfree(tx->fc); } static int ipsec_fs_init_counters(struct mlx5e_ipsec *ipsec) { struct mlx5e_ipsec_rx *rx_ipv4 = ipsec->rx_ipv4; struct mlx5e_ipsec_rx *rx_ipv6 = ipsec->rx_ipv6; struct mlx5_core_dev *mdev = ipsec->mdev; struct mlx5e_ipsec_tx *tx = ipsec->tx; struct mlx5e_ipsec_fc *fc; struct mlx5_fc *counter; int err; fc = kzalloc(sizeof(*tx->fc), GFP_KERNEL); if (!fc) return -ENOMEM; tx->fc = fc; counter = mlx5_fc_create(mdev, false); if (IS_ERR(counter)) { err = PTR_ERR(counter); goto err_tx_fc_alloc; } fc->cnt = counter; counter = mlx5_fc_create(mdev, false); if (IS_ERR(counter)) { err = PTR_ERR(counter); goto err_tx_fc_cnt; } fc->drop = counter; fc = kzalloc(sizeof(*tx->fc), GFP_KERNEL); if (!fc) { err = -ENOMEM; goto err_tx_fc_drop; } /* Both IPv4 and IPv6 point to same flow counters struct. 
*/ rx_ipv4->fc = fc; rx_ipv6->fc = fc; counter = mlx5_fc_create(mdev, false); if (IS_ERR(counter)) { err = PTR_ERR(counter); goto err_rx_fc_alloc; } fc->cnt = counter; counter = mlx5_fc_create(mdev, false); if (IS_ERR(counter)) { err = PTR_ERR(counter); goto err_rx_fc_cnt; } fc->drop = counter; return 0; err_rx_fc_cnt: mlx5_fc_destroy(mdev, rx_ipv4->fc->cnt); err_rx_fc_alloc: kfree(rx_ipv4->fc); err_tx_fc_drop: mlx5_fc_destroy(mdev, tx->fc->drop); err_tx_fc_cnt: mlx5_fc_destroy(mdev, tx->fc->cnt); err_tx_fc_alloc: kfree(tx->fc); return err; } static int ipsec_status_rule(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx, struct mlx5_flow_destination *dest) { u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_modify_hdr *modify_hdr; struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; int err; spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) return -ENOMEM; /* Action to copy 7 bit ipsec_syndrome to regB[24:30] */ MLX5_SET(copy_action_in, action, action_type, MLX5_ACTION_TYPE_COPY); MLX5_SET(copy_action_in, action, src_field, MLX5_ACTION_IN_FIELD_IPSEC_SYNDROME); MLX5_SET(copy_action_in, action, src_offset, 0); MLX5_SET(copy_action_in, action, length, 7); MLX5_SET(copy_action_in, action, dst_field, MLX5_ACTION_IN_FIELD_METADATA_REG_B); MLX5_SET(copy_action_in, action, dst_offset, 24); modify_hdr = mlx5_modify_header_alloc(mdev, MLX5_FLOW_NAMESPACE_KERNEL, 1, action); if (IS_ERR(modify_hdr)) { err = PTR_ERR(modify_hdr); mlx5_core_err(mdev, "fail to alloc ipsec copy modify_header_id err=%d\n", err); goto out_spec; } /* create fte */ flow_act.action = MLX5_FLOW_CONTEXT_ACTION_MOD_HDR | MLX5_FLOW_CONTEXT_ACTION_FWD_DEST | MLX5_FLOW_CONTEXT_ACTION_COUNT; flow_act.modify_hdr = modify_hdr; rule = mlx5_add_flow_rules(rx->ft.status, spec, &flow_act, dest, 2); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "fail to add ipsec rx err copy rule err=%d\n", err); goto out; } kvfree(spec); 
rx->status.rule = rule; rx->status.modify_hdr = modify_hdr; return 0; out: mlx5_modify_header_dealloc(mdev, modify_hdr); out_spec: kvfree(spec); return err; } static void ipsec_fs_rx_roce_rules_destroy(struct mlx5e_ipsec_rx_roce *rx_roce) { if (!rx_roce->ns_rdma) return; mlx5_del_flow_rules(&rx_roce->roce_miss.rule); mlx5_del_flow_rules(&rx_roce->rule); mlx5_destroy_flow_group(rx_roce->roce_miss.group); mlx5_destroy_flow_group(rx_roce->g); } static void ipsec_fs_rx_catchall_rules_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx) { mutex_lock(&rx->ft.mutex); mlx5_del_flow_rules(&rx->sa.rule); mlx5_destroy_flow_group(rx->sa.group); if (rx->chains == NULL) { mlx5_del_flow_rules(&rx->pol.rule); mlx5_destroy_flow_group(rx->pol.group); } mlx5_del_flow_rules(&rx->status.rule); mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr); ipsec_fs_rx_roce_rules_destroy(&rx->roce); mutex_unlock(&rx->ft.mutex); } static void ipsec_fs_rx_roce_table_destroy(struct mlx5e_ipsec_rx_roce *rx_roce) { if (!rx_roce->ns_rdma) return; mlx5_destroy_flow_table(rx_roce->ft_rdma); mlx5_destroy_flow_table(rx_roce->ft); } +static void +ipsec_fs_rx_ip_type_catchall_rule_destroy(struct mlx5e_ipsec_rx_ip_type* rx_ip_type) +{ + mlx5_del_flow_rules(&rx_ip_type->ipv4_rule); + mlx5_del_flow_rules(&rx_ip_type->ipv6_rule); + mlx5_del_flow_rules(&rx_ip_type->miss.rule); + mlx5_destroy_flow_group(rx_ip_type->miss.group); + rx_ip_type->miss.group = NULL; +} + static void ipsec_fs_rx_table_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx) { - mutex_lock(&rx->ft.mutex); if (rx->chains) { ipsec_chains_destroy(rx->chains); } else { mlx5_del_flow_rules(&rx->pol.rule); mlx5_destroy_flow_table(rx->ft.pol); } mlx5_destroy_flow_table(rx->ft.sa); mlx5_destroy_flow_table(rx->ft.status); ipsec_fs_rx_roce_table_destroy(&rx->roce); - mutex_unlock(&rx->ft.mutex); } static void ipsec_roce_setup_udp_dport(struct mlx5_flow_spec *spec, u16 dport) { spec->match_criteria_enable |= 
MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_protocol); MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_protocol, IPPROTO_UDP); MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.udp_dport); MLX5_SET(fte_match_param, spec->match_value, outer_headers.udp_dport, dport); } static int ipsec_roce_rx_rule_setup(struct mlx5_flow_destination *default_dst, struct mlx5e_ipsec_rx_roce *roce, struct mlx5_core_dev *mdev) { struct mlx5_flow_destination dst = {}; struct mlx5_flow_act flow_act = {}; struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; int err = 0; spec = kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) return -ENOMEM; ipsec_roce_setup_udp_dport(spec, ROCE_V2_UDP_DPORT); //flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;//not needed it is added in command dst.type = MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE; dst.ft = roce->ft_rdma; flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; rule = mlx5_add_flow_rules(roce->ft, spec, &flow_act, &dst, 1); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Fail to add RX roce ipsec rule err=%d\n", err); goto fail_add_rule; } roce->rule = rule; rule = mlx5_add_flow_rules(roce->ft, NULL, &flow_act, default_dst, 1); if (IS_ERR(rule)) { err = PTR_ERR(rule); mlx5_core_err(mdev, "Fail to add RX roce ipsec miss rule err=%d\n", err); goto fail_add_default_rule; } roce->roce_miss.rule = rule; kvfree(spec); return 0; fail_add_default_rule: mlx5_del_flow_rules(&roce->rule); fail_add_rule: kvfree(spec); return err; } static int ipsec_roce_rx_rules(struct mlx5e_ipsec_rx *rx, struct mlx5_flow_destination *defdst, struct mlx5_core_dev *mdev) { int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); struct mlx5_flow_group *g; void *outer_headers_c; u32 *in; int err = 0; int ix = 0; u8 *mc; if (!rx->roce.ns_rdma) return 0; in = kvzalloc(inlen, GFP_KERNEL); if (!in) return -ENOMEM; mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); 
outer_headers_c = MLX5_ADDR_OF(fte_match_param, mc, outer_headers); MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, outer_headers_c, ip_protocol); MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, outer_headers_c, udp_dport); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_CFG(in, start_flow_index, ix); ix += 1; MLX5_SET_CFG(in, end_flow_index, ix - 1); g = mlx5_create_flow_group(rx->roce.ft, in); if (IS_ERR(g)) { err = PTR_ERR(g); mlx5_core_err(mdev, "Fail to create ipsec rx roce group at nic err=%d\n", err); goto fail_group; } rx->roce.g = g; memset(in, 0, MLX5_ST_SZ_BYTES(create_flow_group_in)); MLX5_SET_CFG(in, start_flow_index, ix); ix += 1; MLX5_SET_CFG(in, end_flow_index, ix - 1); g = mlx5_create_flow_group(rx->roce.ft, in); if (IS_ERR(g)) { err = PTR_ERR(g); mlx5_core_err(mdev, "Fail to create ipsec rx roce miss group at nic err=%d\n", err); goto fail_mgroup; } rx->roce.roce_miss.group = g; err = ipsec_roce_rx_rule_setup(defdst, &rx->roce, mdev); if (err) goto fail_setup_rule; kvfree(in); return 0; fail_setup_rule: mlx5_destroy_flow_group(rx->roce.roce_miss.group); fail_mgroup: mlx5_destroy_flow_group(rx->roce.g); fail_group: kvfree(in); return err; } static int ipsec_fs_rx_catchall_rules(struct mlx5e_priv *priv, struct mlx5e_ipsec_rx *rx, struct mlx5_flow_destination *defdst) { struct mlx5_core_dev *mdev = priv->mdev; struct mlx5_flow_destination dest[2] = {}; int err = 0; mutex_lock(&rx->ft.mutex); /* IPsec RoCE RX rules */ err = ipsec_roce_rx_rules(rx, defdst, mdev); if (err) goto out; /* IPsec Rx IP Status table rule */ dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; if (rx->roce.ft) dest[0].ft = rx->roce.ft; else dest[0].ft = priv->fts.vlan.t; dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; dest[1].counter_id = mlx5_fc_id(rx->fc->cnt); err = ipsec_status_rule(mdev, rx, dest); if (err) goto err_roce_rules_destroy; if (!rx->chains) { /* IPsec Rx IP policy default miss rule */ err = ipsec_miss_create(mdev, rx->ft.pol, &rx->pol, defdst); 
if (err) goto err_status_rule_destroy; } /* FIXME: This is workaround to current design * which installs SA on firt packet. So we need to forward this * packet to the stack. It doesn't work with RoCE and eswitch traffic, */ err = ipsec_miss_create(mdev, rx->ft.sa, &rx->sa, defdst); if (err) goto err_status_sa_rule_destroy; mutex_unlock(&rx->ft.mutex); return 0; err_status_sa_rule_destroy: if (!rx->chains) { mlx5_del_flow_rules(&rx->pol.rule); mlx5_destroy_flow_group(rx->pol.group); } err_status_rule_destroy: mlx5_del_flow_rules(&rx->status.rule); mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr); err_roce_rules_destroy: ipsec_fs_rx_roce_rules_destroy(&rx->roce); out: mutex_unlock(&rx->ft.mutex); return err; } static int ipsec_fs_rx_roce_tables_create(struct mlx5e_ipsec_rx *rx, int rx_init_level, int rdma_init_level) { struct mlx5_flow_table_attr ft_attr = {}; struct mlx5_flow_table *ft; int err = 0; if (!rx->roce.ns_rdma) return 0; ft_attr.max_fte = 2; ft_attr.level = rx_init_level; ft = mlx5_create_flow_table(rx->ns, &ft_attr); if (IS_ERR(ft)) { err = PTR_ERR(ft); return err; } rx->roce.ft = ft; ft_attr.max_fte = 0; ft_attr.level = rdma_init_level; ft = mlx5_create_flow_table(rx->roce.ns_rdma, &ft_attr); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto out; } rx->roce.ft_rdma = ft; return 0; out: mlx5_destroy_flow_table(rx->roce.ft); rx->roce.ft = NULL; return err; } +static int +ipsec_fs_rx_ip_type_catchall_rules_create(struct mlx5e_priv *priv, + struct mlx5_flow_destination *defdst) +{ + struct mlx5_core_dev *mdev = priv->mdev; + struct mlx5e_ipsec *ipsec = priv->ipsec; + struct mlx5_flow_destination dst = {}; + struct mlx5_flow_act flow_act = {}; + struct mlx5_flow_handle *rule; + struct mlx5_flow_spec *spec; + int err = 0; + + spec = kvzalloc(sizeof(*spec), GFP_KERNEL); + if (!spec) { + return -ENOMEM; + } + dst.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; + flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; + + /* Set rule for ipv4 packets */ + dst.ft = 
ipsec->rx_ipv4->ft.pol; + setup_fte_ip_version(spec, AF_INET); + rule = mlx5_add_flow_rules(ipsec->rx_ip_type->ft, spec, &flow_act, &dst, 1); + if (IS_ERR(rule)) { + err = PTR_ERR(rule); + mlx5_core_err(mdev, "Failed to add ipv4 rule to ip_type table err=%d\n", + err); + goto out; + } + ipsec->rx_ip_type->ipv4_rule = rule; + + /* Set rule for ipv6 packets */ + dst.ft = ipsec->rx_ipv6->ft.pol; + setup_fte_ip_version(spec, AF_INET6); + rule = mlx5_add_flow_rules(ipsec->rx_ip_type->ft, spec, &flow_act, &dst, 1); + if (IS_ERR(rule)) { + err = PTR_ERR(rule); + mlx5_core_err(mdev, "Failed to add ipv6 rule to ip_type table err=%d\n", + err); + goto fail_add_ipv6_rule; + } + ipsec->rx_ip_type->ipv6_rule = rule; + + /* set miss rule */ + err = ipsec_miss_create(mdev, ipsec->rx_ip_type->ft, &ipsec->rx_ip_type->miss, defdst); + if (err) { + mlx5_core_err(mdev, "Failed to add miss rule to ip_type table err=%d\n", + err); + goto fail_miss_rule; + } + + goto out; + +fail_miss_rule: + mlx5_del_flow_rules(&ipsec->rx_ip_type->ipv6_rule); +fail_add_ipv6_rule: + mlx5_del_flow_rules(&ipsec->rx_ip_type->ipv4_rule); +out: + kvfree(spec); + return err; +} + +static int +ipsec_fs_rx_ip_type_table_create(struct mlx5e_priv *priv, + int level) +{ + struct mlx5e_ipsec *ipsec = priv->ipsec; + struct mlx5_flow_table *ft; + int err = 0; + + /* Create rx ip type table */ + ft = ipsec_rx_ft_create(ipsec->rx_ip_type->ns, level, 0, 1); + if (IS_ERR(ft)) { + err = PTR_ERR(ft); + goto out; + } + ipsec->rx_ip_type->ft = ft; + + priv->fts.ipsec_ft = priv->ipsec->rx_ip_type->ft; + +out: + return err; +} + static int ipsec_fs_rx_table_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx, int rx_init_level, int rdma_init_level) { struct mlx5_flow_namespace *ns = rx->ns; struct mlx5_flow_table *ft; int err = 0; mutex_lock(&rx->ft.mutex); /* IPsec Rx IP SA table create */ ft = ipsec_rx_ft_create(ns, rx_init_level + 1, 0, 1); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto out; } rx->ft.sa = ft; /* IPsec Rx 
IP Status table create */ ft = ipsec_rx_ft_create(ns, rx_init_level + 2, 0, 1); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_sa_table_destroy; } rx->ft.status = ft; if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO) { rx->chains = ipsec_chains_create(mdev, rx->ft.sa, MLX5_FLOW_NAMESPACE_KERNEL, 0, rx_init_level, &rx->ft.pol); if (IS_ERR(rx->chains)) { err = PTR_ERR(rx->chains); goto err_status_table_destroy; } } else { ft = ipsec_rx_ft_create(ns, rx_init_level, 0, 1); if (IS_ERR(ft)) { err = PTR_ERR(ft); goto err_status_table_destroy; } rx->ft.pol = ft; } /* IPsec RoCE RX tables create*/ err = ipsec_fs_rx_roce_tables_create(rx, rx_init_level + 3, rdma_init_level); if (err) goto err_pol_table_destroy; goto out; err_pol_table_destroy: mlx5_destroy_flow_table(rx->ft.pol); err_status_table_destroy: mlx5_destroy_flow_table(rx->ft.status); err_sa_table_destroy: mlx5_destroy_flow_table(rx->ft.sa); out: mutex_unlock(&rx->ft.mutex); return err; } #define NIC_RDMA_BOTH_DIRS_CAPS (MLX5_FT_NIC_RX_2_NIC_RX_RDMA | MLX5_FT_NIC_TX_RDMA_2_NIC_TX) static void mlx5e_accel_ipsec_fs_init_roce(struct mlx5e_ipsec *ipsec) { struct mlx5_core_dev *mdev = ipsec->mdev; struct mlx5_flow_namespace *ns; if ((MLX5_CAP_GEN_2(ipsec->mdev, flow_table_type_2_type) & NIC_RDMA_BOTH_DIRS_CAPS) != NIC_RDMA_BOTH_DIRS_CAPS) { mlx5_core_dbg(mdev, "Failed to init roce ns, capabilities not supported\n"); return; } ns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_RDMA_RX_IPSEC); if (!ns) { mlx5_core_err(mdev, "Failed to init roce rx ns\n"); return; } ipsec->rx_ipv4->roce.ns_rdma = ns; ipsec->rx_ipv6->roce.ns_rdma = ns; ns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_RDMA_TX_IPSEC); if (!ns) { ipsec->rx_ipv4->roce.ns_rdma = NULL; ipsec->rx_ipv6->roce.ns_rdma = NULL; mlx5_core_err(mdev, "Failed to init roce tx ns\n"); return; } ipsec->tx->roce.ns = ns; } int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry) { if (sa_entry->attrs.dir == IPSEC_DIR_OUTBOUND) 
return tx_add_rule(sa_entry); return rx_add_rule(sa_entry); } void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry) { struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule; struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); mlx5_del_flow_rules(&ipsec_rule->rule); mlx5_del_flow_rules(&ipsec_rule->kspi_rule); if (ipsec_rule->vid_zero_rule != NULL) mlx5_del_flow_rules(&ipsec_rule->vid_zero_rule); if (ipsec_rule->reqid_rule != NULL) mlx5_del_flow_rules(&ipsec_rule->reqid_rule); mlx5_fc_destroy(mdev, ipsec_rule->fc); mlx5_packet_reformat_dealloc(mdev, ipsec_rule->pkt_reformat); if (sa_entry->attrs.dir == IPSEC_DIR_OUTBOUND) { tx_ft_put(sa_entry->ipsec); return; } if (ipsec_rule->modify_hdr != NULL) mlx5_modify_header_dealloc(mdev, ipsec_rule->modify_hdr); } int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry) { if (pol_entry->attrs.dir == IPSEC_DIR_OUTBOUND) return tx_add_policy(pol_entry); return rx_add_policy(pol_entry); } void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry) { struct mlx5e_ipsec_rule *ipsec_rule = &pol_entry->ipsec_rule; struct mlx5_core_dev *mdev = mlx5e_ipsec_pol2dev(pol_entry); mlx5_del_flow_rules(&ipsec_rule->rule); if (ipsec_rule->vid_zero_rule != NULL) mlx5_del_flow_rules(&ipsec_rule->vid_zero_rule); if (pol_entry->attrs.dir == IPSEC_DIR_INBOUND) { struct mlx5e_ipsec_rx *rx; rx = (pol_entry->attrs.family == AF_INET) ? 
pol_entry->ipsec->rx_ipv4 : pol_entry->ipsec->rx_ipv6; if (rx->chains) ipsec_chains_put_table(rx->chains, pol_entry->attrs.prio); return; } if (ipsec_rule->modify_hdr) mlx5_modify_header_dealloc(mdev, ipsec_rule->modify_hdr); tx_ft_put_policy(pol_entry->ipsec, pol_entry->attrs.prio); } void mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy(struct mlx5e_priv *priv) { /* Check if IPsec supported */ if (!priv->ipsec) return; + ipsec_fs_rx_ip_type_catchall_rule_destroy(priv->ipsec->rx_ip_type); ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv4); ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6); } int mlx5e_accel_ipsec_fs_rx_catchall_rules(struct mlx5e_priv *priv) { struct mlx5e_ipsec *ipsec = priv->ipsec; struct mlx5_flow_destination dest = {}; int err = 0; /* Check if IPsec supported */ if (!ipsec) return 0; dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest.ft = priv->fts.vlan.t; err = ipsec_fs_rx_catchall_rules(priv, ipsec->rx_ipv6, &dest); if (err) goto out; err = ipsec_fs_rx_catchall_rules(priv, ipsec->rx_ipv4, &dest); if (err) ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6); + + err = ipsec_fs_rx_ip_type_catchall_rules_create(priv, &dest); + if (err) { + ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6); + ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv4); + } + out: return err; } void mlx5e_accel_ipsec_fs_rx_tables_destroy(struct mlx5e_priv *priv) { struct mlx5_core_dev *mdev = priv->mdev; struct mlx5e_ipsec *ipsec = priv->ipsec; /* Check if IPsec supported */ if (!ipsec) return; + mlx5_destroy_flow_table(ipsec->rx_ip_type->ft); ipsec_fs_rx_table_destroy(mdev, ipsec->rx_ipv6); ipsec_fs_rx_table_destroy(mdev, ipsec->rx_ipv4); } int mlx5e_accel_ipsec_fs_rx_tables_create(struct mlx5e_priv *priv) { struct mlx5e_ipsec *ipsec = priv->ipsec; int err = 0; /* Check if IPsec supported */ if (!ipsec) return 0; - err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv4, 0, 
0); + err = ipsec_fs_rx_ip_type_table_create(priv, 0); if (err) - goto out; + return err; - err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv6, 4, 1); - if (err) { - ipsec_fs_rx_table_destroy(priv->mdev, ipsec->rx_ipv4); - goto out; - } + err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv4, 1, 0); + if (err) + goto err_ipv4_table; - priv->fts.ipsec_ft = priv->ipsec->rx_ipv4->ft.pol; -out: + err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv6, 5, 1); + if (err) + goto err_ipv6_table; + + return 0; + +err_ipv6_table: + ipsec_fs_rx_table_destroy(priv->mdev, ipsec->rx_ipv4); +err_ipv4_table: + mlx5_destroy_flow_table(ipsec->rx_ip_type->ft); return err; } void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec) { WARN_ON(ipsec->tx->ft.refcnt); mutex_destroy(&ipsec->rx_ipv6->ft.mutex); mutex_destroy(&ipsec->rx_ipv4->ft.mutex); mutex_destroy(&ipsec->tx->ft.mutex); ipsec_fs_destroy_counters(ipsec); + kfree(ipsec->rx_ip_type); kfree(ipsec->rx_ipv6); kfree(ipsec->rx_ipv4); kfree(ipsec->tx); } int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec) { struct mlx5_flow_namespace *tns, *rns; int err = -ENOMEM; tns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_EGRESS_IPSEC); if (!tns) return -EOPNOTSUPP; rns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_KERNEL); if (!rns) return -EOPNOTSUPP; ipsec->tx = kzalloc(sizeof(*ipsec->tx), GFP_KERNEL); if (!ipsec->tx) return -ENOMEM; + ipsec->rx_ip_type = kzalloc(sizeof(*ipsec->rx_ip_type), GFP_KERNEL); + if (!ipsec->rx_ip_type) + goto err_tx; + ipsec->rx_ipv4 = kzalloc(sizeof(*ipsec->rx_ipv4), GFP_KERNEL); if (!ipsec->rx_ipv4) - goto err_tx; + goto err_ip_type; ipsec->rx_ipv6 = kzalloc(sizeof(*ipsec->rx_ipv6), GFP_KERNEL); if (!ipsec->rx_ipv6) goto err_rx_ipv4; err = ipsec_fs_init_counters(ipsec); if (err) goto err_rx_ipv6; ipsec->tx->ns = tns; mutex_init(&ipsec->tx->ft.mutex); + ipsec->rx_ip_type->ns = rns; ipsec->rx_ipv4->ns = rns; ipsec->rx_ipv6->ns = rns; 
mutex_init(&ipsec->rx_ipv4->ft.mutex); mutex_init(&ipsec->rx_ipv6->ft.mutex); mlx5e_accel_ipsec_fs_init_roce(ipsec); return 0; err_rx_ipv6: kfree(ipsec->rx_ipv6); err_rx_ipv4: kfree(ipsec->rx_ipv4); +err_ip_type: + kfree(ipsec->rx_ip_type); err_tx: kfree(ipsec->tx); return err; } void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry) { struct mlx5e_ipsec_sa_entry sa_entry_shadow = {}; int err; memcpy(&sa_entry_shadow, sa_entry, sizeof(*sa_entry)); memset(&sa_entry_shadow.ipsec_rule, 0x00, sizeof(sa_entry->ipsec_rule)); err = mlx5e_accel_ipsec_fs_add_rule(&sa_entry_shadow); if (err) return; mlx5e_accel_ipsec_fs_del_rule(sa_entry); memcpy(sa_entry, &sa_entry_shadow, sizeof(*sa_entry)); }
diff --git a/sys/dev/mlx5/mlx5_en/mlx5_en_flow_table.c b/sys/dev/mlx5/mlx5_en/mlx5_en_flow_table.c
index f8be5b9e881c..6e24395b5577 100644
--- a/sys/dev/mlx5/mlx5_en/mlx5_en_flow_table.c
+++ b/sys/dev/mlx5/mlx5_en/mlx5_en_flow_table.c
@@ -1,2297 +1,2297 @@ /*- * Copyright (c) 2015-2021 Mellanox Technologies. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "opt_rss.h" #include "opt_ratelimit.h" #include #include #include #include #include #include /* * The flow tables with rules define the packet processing on receive. 
* Currently the following structure is set up to handle different * offloads like TLS RX offload, VLAN decapsulation, packet * classification, RSS hashing, VxLAN checksum offloading: * * +=========+ +=========+ +=================+ * |TCP/IPv4 | |TCP/IPv4 | |TCP/IPv4 Match | * |Flowtable|------>| |----->|Outer Proto Match|=====> TLS TIR n * | | |Catch-all|\ | | * +=========+ +=========+| +=================+ * | * +------------------------+ * V * +=========+ +=========+ +=================+ * |TCP/IPv6 | |TCP/IPv6 | |TCP/IPv6 Match | * |Flowtable|------>| |----->|Outer Proto Match|=====> TLS TIR n * | | |Catch-all|\ | | * +=========+ +=========+| +=================+ * | * +------------------------+ * V * +=========+ +=========+ +=================+ * |VLAN ft: | |VxLAN | |VxLAN Main | * |CTAG/STAG|------>| VNI|----->|Inner Proto Match|=====> Inner TIR n * |VID/noVID|/ |Catch-all|\ | | * +=========+ +=========+| +=================+ * | * | * | * v * +=================+ * |Main | * |Outer Proto Match|=====> TIR n * | | * +=================+ * * The path through flow rules directs each packet into an appropriate TIR, * according to the: * - VLAN encapsulation * - Outer protocol * - Presence of inner protocol */ #define MLX5_SET_CFG(p, f, v) MLX5_SET(create_flow_group_in, p, f, v) enum { MLX5E_FULLMATCH = 0, MLX5E_ALLMULTI = 1, MLX5E_PROMISC = 2, }; enum { MLX5E_UC = 0, MLX5E_MC_IPV4 = 1, MLX5E_MC_IPV6 = 2, MLX5E_MC_OTHER = 3, }; enum { MLX5E_ACTION_NONE = 0, MLX5E_ACTION_ADD = 1, MLX5E_ACTION_DEL = 2, }; struct mlx5e_eth_addr_hash_node { LIST_ENTRY(mlx5e_eth_addr_hash_node) hlist; u8 action; u32 mpfs_index; struct mlx5e_eth_addr_info ai; }; static void mlx5e_del_all_vlan_rules(struct mlx5e_priv *); static inline int mlx5e_hash_eth_addr(const u8 * addr) { return (addr[5]); } static bool mlx5e_add_eth_addr_to_hash(struct mlx5e_eth_addr_hash_head *hash, struct mlx5e_eth_addr_hash_node *hn_new) { struct mlx5e_eth_addr_hash_node *hn; u32 ix = 
mlx5e_hash_eth_addr(hn_new->ai.addr); LIST_FOREACH(hn, &hash[ix], hlist) { if (bcmp(hn->ai.addr, hn_new->ai.addr, ETHER_ADDR_LEN) == 0) { if (hn->action == MLX5E_ACTION_DEL) hn->action = MLX5E_ACTION_NONE; free(hn_new, M_MLX5EN); return (false); } } LIST_INSERT_HEAD(&hash[ix], hn_new, hlist); return (true); } static void mlx5e_del_eth_addr_from_hash(struct mlx5e_eth_addr_hash_node *hn) { LIST_REMOVE(hn, hlist); free(hn, M_MLX5EN); } static void mlx5e_del_eth_addr_from_flow_table(struct mlx5e_priv *priv, struct mlx5e_eth_addr_info *ai) { mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV6_IPSEC_ESP]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV4_IPSEC_ESP]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV6_IPSEC_AH]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV4_IPSEC_AH]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV6_TCP]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV4_TCP]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV6_UDP]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV4_UDP]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV6]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_IPV4]); mlx5_del_flow_rules(&ai->ft_rule[MLX5E_TT_ANY]); } static int mlx5e_get_eth_addr_type(const u8 * addr) { if (ETHER_IS_MULTICAST(addr) == 0) return (MLX5E_UC); if ((addr[0] == 0x01) && (addr[1] == 0x00) && (addr[2] == 0x5e) && !(addr[3] & 0x80)) return (MLX5E_MC_IPV4); if ((addr[0] == 0x33) && (addr[1] == 0x33)) return (MLX5E_MC_IPV6); return (MLX5E_MC_OTHER); } static u32 mlx5e_get_tt_vec(struct mlx5e_eth_addr_info *ai, int type) { int eth_addr_type; u32 ret; switch (type) { case MLX5E_FULLMATCH: eth_addr_type = mlx5e_get_eth_addr_type(ai->addr); switch (eth_addr_type) { case MLX5E_UC: ret = (1 << MLX5E_TT_IPV4_TCP) | (1 << MLX5E_TT_IPV6_TCP) | (1 << MLX5E_TT_IPV4_UDP) | (1 << MLX5E_TT_IPV6_UDP) | (1 << MLX5E_TT_IPV4) | (1 << MLX5E_TT_IPV6) | (1 << MLX5E_TT_ANY) | 0; break; case MLX5E_MC_IPV4: ret = (1 << MLX5E_TT_IPV4_UDP) | (1 << MLX5E_TT_IPV4) | 0; break; case MLX5E_MC_IPV6: ret = (1 << 
MLX5E_TT_IPV6_UDP) | (1 << MLX5E_TT_IPV6) | 0; break; default: ret = (1 << MLX5E_TT_ANY) | 0; break; } break; case MLX5E_ALLMULTI: ret = (1 << MLX5E_TT_IPV4_UDP) | (1 << MLX5E_TT_IPV6_UDP) | (1 << MLX5E_TT_IPV4) | (1 << MLX5E_TT_IPV6) | (1 << MLX5E_TT_ANY) | 0; break; default: /* MLX5E_PROMISC */ ret = (1 << MLX5E_TT_IPV4_TCP) | (1 << MLX5E_TT_IPV6_TCP) | (1 << MLX5E_TT_IPV4_UDP) | (1 << MLX5E_TT_IPV6_UDP) | (1 << MLX5E_TT_IPV4) | (1 << MLX5E_TT_IPV6) | (1 << MLX5E_TT_ANY) | 0; break; } return (ret); } static int mlx5e_add_eth_addr_rule_sub(struct mlx5e_priv *priv, struct mlx5e_eth_addr_info *ai, int type, struct mlx5_flow_spec *spec) { struct mlx5_flow_destination dest = {}; u8 mc_enable = 0; struct mlx5_flow_handle **rule_p; struct mlx5_flow_table *ft = priv->fts.main.t; u8 *mc_dmac = MLX5_ADDR_OF(fte_match_param, spec->match_criteria, outer_headers.dmac_47_16); u8 *mv_dmac = MLX5_ADDR_OF(fte_match_param, spec->match_value, outer_headers.dmac_47_16); u32 *tirn = priv->tirn; u32 tt_vec; int err = 0; struct mlx5_flow_act flow_act = { .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, }; u8 *mc; u8 *mv; mv = (u8 *)spec->match_value; mc = (u8 *)spec->match_criteria; spec->flow_context.flow_tag = MLX5_FS_ETH_FLOW_TAG; spec->flow_context.flags = FLOW_CONTEXT_HAS_TAG; dest.type = MLX5_FLOW_DESTINATION_TYPE_TIR; switch (type) { case MLX5E_FULLMATCH: mc_enable = MLX5_MATCH_OUTER_HEADERS; memset(mc_dmac, 0xff, ETH_ALEN); ether_addr_copy(mv_dmac, ai->addr); break; case MLX5E_ALLMULTI: mc_enable = MLX5_MATCH_OUTER_HEADERS; mc_dmac[0] = 0x01; mv_dmac[0] = 0x01; break; case MLX5E_PROMISC: break; default: break; } tt_vec = mlx5e_get_tt_vec(ai, type); spec->match_criteria_enable = mc_enable; if (tt_vec & BIT(MLX5E_TT_ANY)) { rule_p = &ai->ft_rule[MLX5E_TT_ANY]; dest.tir_num = tirn[MLX5E_TT_ANY]; *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } mc_enable = MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, mc, 
outer_headers.ethertype); spec->match_criteria_enable = mc_enable; if (tt_vec & BIT(MLX5E_TT_IPV4)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV4]; dest.tir_num = tirn[MLX5E_TT_IPV4]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } if (tt_vec & BIT(MLX5E_TT_IPV6)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV6]; dest.tir_num = tirn[MLX5E_TT_IPV6]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); MLX5_SET(fte_match_param, mv, outer_headers.ip_protocol, IPPROTO_UDP); if (tt_vec & BIT(MLX5E_TT_IPV4_UDP)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV4_UDP]; dest.tir_num = tirn[MLX5E_TT_IPV4_UDP]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } if (tt_vec & BIT(MLX5E_TT_IPV6_UDP)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV6_UDP]; dest.tir_num = tirn[MLX5E_TT_IPV6_UDP]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } MLX5_SET(fte_match_param, mv, outer_headers.ip_protocol, IPPROTO_TCP); if (tt_vec & BIT(MLX5E_TT_IPV4_TCP)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV4_TCP]; dest.tir_num = tirn[MLX5E_TT_IPV4_TCP]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } if (tt_vec & BIT(MLX5E_TT_IPV6_TCP)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV6_TCP]; dest.tir_num = tirn[MLX5E_TT_IPV6_TCP]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, 
&flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } MLX5_SET(fte_match_param, mv, outer_headers.ip_protocol, IPPROTO_AH); if (tt_vec & BIT(MLX5E_TT_IPV4_IPSEC_AH)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV4_IPSEC_AH]; dest.tir_num = tirn[MLX5E_TT_IPV4_IPSEC_AH]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } if (tt_vec & BIT(MLX5E_TT_IPV6_IPSEC_AH)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV6_IPSEC_AH]; dest.tir_num = tirn[MLX5E_TT_IPV6_IPSEC_AH]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } MLX5_SET(fte_match_param, mv, outer_headers.ip_protocol, IPPROTO_ESP); if (tt_vec & BIT(MLX5E_TT_IPV4_IPSEC_ESP)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV4_IPSEC_ESP]; dest.tir_num = tirn[MLX5E_TT_IPV4_IPSEC_ESP]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } if (tt_vec & BIT(MLX5E_TT_IPV6_IPSEC_ESP)) { rule_p = &ai->ft_rule[MLX5E_TT_IPV6_IPSEC_ESP]; dest.tir_num = tirn[MLX5E_TT_IPV6_IPSEC_ESP]; MLX5_SET(fte_match_param, mv, outer_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; } return 0; err_del_ai: err = PTR_ERR(*rule_p); *rule_p = NULL; mlx5e_del_eth_addr_from_flow_table(priv, ai); return err; } static int mlx5e_add_eth_addr_rule(struct mlx5e_priv *priv, struct mlx5e_eth_addr_info *ai, int type) { struct mlx5_flow_spec *spec; int err = 0; spec = mlx5_vzalloc(sizeof(*spec)); if (!spec) { mlx5_en_err(priv->ifp, "alloc failed\n"); err = -ENOMEM; goto add_eth_addr_rule_out; } err = mlx5e_add_eth_addr_rule_sub(priv, ai, type, spec); add_eth_addr_rule_out: kvfree(spec); return (err); } 
static void mlx5e_del_main_vxlan_rules(struct mlx5e_priv *priv) { mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_IPSEC_ESP]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_IPSEC_ESP]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_IPSEC_AH]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_IPSEC_AH]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_TCP]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_TCP]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_UDP]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_UDP]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV6]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_IPV4]); mlx5_del_flow_rules(&priv->fts.main_vxlan_rule[MLX5E_TT_ANY]); } static int mlx5e_add_main_vxlan_rules_sub(struct mlx5e_priv *priv, struct mlx5_flow_spec *spec) { struct mlx5_flow_destination dest = {}; struct mlx5_flow_handle **rule_p; struct mlx5_flow_table *ft = priv->fts.main_vxlan.t; u32 *tirn = priv->tirn_inner_vxlan; struct mlx5_flow_act flow_act = { .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, }; int err = 0; u8 *mc; u8 *mv; spec->flow_context.flags = FLOW_CONTEXT_HAS_TAG; spec->flow_context.flow_tag = MLX5_FS_ETH_FLOW_TAG; mc = (u8 *)spec->match_criteria; mv = (u8 *)spec->match_value; dest.type = MLX5_FLOW_DESTINATION_TYPE_TIR; spec->match_criteria_enable = MLX5_MATCH_INNER_HEADERS; MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ethertype); rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV4]; dest.tir_num = tirn[MLX5E_TT_IPV4]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV6]; dest.tir_num = tirn[MLX5E_TT_IPV6]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, 
&flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ip_protocol); MLX5_SET(fte_match_param, mv, inner_headers.ip_protocol, IPPROTO_UDP); rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_UDP]; dest.tir_num = tirn[MLX5E_TT_IPV4_UDP]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_UDP]; dest.tir_num = tirn[MLX5E_TT_IPV6_UDP]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; MLX5_SET(fte_match_param, mv, inner_headers.ip_protocol, IPPROTO_TCP); rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_TCP]; dest.tir_num = tirn[MLX5E_TT_IPV4_TCP]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_TCP]; dest.tir_num = tirn[MLX5E_TT_IPV6_TCP]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; MLX5_SET(fte_match_param, mv, inner_headers.ip_protocol, IPPROTO_AH); rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_IPSEC_AH]; dest.tir_num = tirn[MLX5E_TT_IPV4_IPSEC_AH]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_IPSEC_AH]; dest.tir_num = tirn[MLX5E_TT_IPV6_IPSEC_AH]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) 
goto err_del_ai; MLX5_SET(fte_match_param, mv, inner_headers.ip_protocol, IPPROTO_ESP); rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV4_IPSEC_ESP]; dest.tir_num = tirn[MLX5E_TT_IPV4_IPSEC_ESP]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IP); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_IPV6_IPSEC_ESP]; dest.tir_num = tirn[MLX5E_TT_IPV6_IPSEC_ESP]; MLX5_SET(fte_match_param, mv, inner_headers.ethertype, ETHERTYPE_IPV6); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; spec->match_criteria_enable = 0; memset(mv, 0, MLX5_ST_SZ_BYTES(fte_match_param)); memset(mc, 0, MLX5_ST_SZ_BYTES(fte_match_param)); rule_p = &priv->fts.main_vxlan_rule[MLX5E_TT_ANY]; dest.tir_num = tirn[MLX5E_TT_ANY]; *rule_p = mlx5_add_flow_rules(ft, NULL, &flow_act, &dest, 1); if (IS_ERR_OR_NULL(*rule_p)) goto err_del_ai; return (0); err_del_ai: err = PTR_ERR(*rule_p); *rule_p = NULL; mlx5e_del_main_vxlan_rules(priv); return (err); } static int mlx5e_add_main_vxlan_rules(struct mlx5e_priv *priv) { struct mlx5_flow_spec *spec; int err = 0; spec = mlx5_vzalloc(sizeof(*spec)); if (!spec) { mlx5_en_err(priv->ifp, "alloc failed\n"); err = -ENOMEM; goto add_main_vxlan_rules_out; } err = mlx5e_add_main_vxlan_rules_sub(priv, spec); add_main_vxlan_rules_out: kvfree(spec); return (err); } static int mlx5e_vport_context_update_vlans(struct mlx5e_priv *priv) { if_t ifp = priv->ifp; int max_list_size; int list_size; u16 *vlans; int vlan; int err; int i; list_size = 0; for_each_set_bit(vlan, priv->vlan.active_vlans, VLAN_N_VID) list_size++; max_list_size = 1 << MLX5_CAP_GEN(priv->mdev, log_max_vlan_list); if (list_size > max_list_size) { mlx5_en_err(ifp, "ifnet vlans list size (%d) > (%d) max vport list size, some vlans will be dropped\n", list_size, max_list_size); list_size = max_list_size; } vlans = kcalloc(list_size, 
sizeof(*vlans), GFP_KERNEL); if (!vlans) return -ENOMEM; i = 0; for_each_set_bit(vlan, priv->vlan.active_vlans, VLAN_N_VID) { if (i >= list_size) break; vlans[i++] = vlan; } err = mlx5_modify_nic_vport_vlans(priv->mdev, vlans, list_size); if (err) mlx5_en_err(ifp, "Failed to modify vport vlans list err(%d)\n", err); kfree(vlans); return err; } enum mlx5e_vlan_rule_type { MLX5E_VLAN_RULE_TYPE_UNTAGGED, MLX5E_VLAN_RULE_TYPE_ANY_CTAG_VID, MLX5E_VLAN_RULE_TYPE_ANY_STAG_VID, MLX5E_VLAN_RULE_TYPE_MATCH_VID, }; static int mlx5e_add_vlan_rule_sub(struct mlx5e_priv *priv, enum mlx5e_vlan_rule_type rule_type, u16 vid, struct mlx5_flow_spec *spec) { struct mlx5_flow_table *ft = priv->fts.vlan.t; struct mlx5_flow_destination dest = {}; struct mlx5_flow_handle **rule_p; int err = 0; struct mlx5_flow_act flow_act = { .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, }; u8 *mv; u8 *mc; mv = (u8 *)spec->match_value; mc = (u8 *)spec->match_criteria; spec->flow_context.flow_tag = MLX5_FS_ETH_FLOW_TAG; spec->flow_context.flags = FLOW_CONTEXT_HAS_TAG; dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest.ft = priv->fts.vxlan.t; spec->match_criteria_enable = MLX5_MATCH_OUTER_HEADERS; switch (rule_type) { case MLX5E_VLAN_RULE_TYPE_UNTAGGED: rule_p = &priv->vlan.untagged_ft_rule; MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.cvlan_tag); break; case MLX5E_VLAN_RULE_TYPE_ANY_CTAG_VID: rule_p = &priv->vlan.any_cvlan_ft_rule; MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.cvlan_tag); MLX5_SET(fte_match_param, mv, outer_headers.cvlan_tag, 1); break; case MLX5E_VLAN_RULE_TYPE_ANY_STAG_VID: rule_p = &priv->vlan.any_svlan_ft_rule; MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.svlan_tag); MLX5_SET(fte_match_param, mv, outer_headers.svlan_tag, 1); break; default: /* MLX5E_VLAN_RULE_TYPE_MATCH_VID */ rule_p = &priv->vlan.active_vlans_ft_rule[vid]; MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.cvlan_tag); MLX5_SET(fte_match_param, mv, outer_headers.cvlan_tag, 1); 
MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.first_vid); MLX5_SET(fte_match_param, mv, outer_headers.first_vid, vid); mlx5e_vport_context_update_vlans(priv); break; } *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR(*rule_p)) { err = PTR_ERR(*rule_p); *rule_p = NULL; mlx5_en_err(priv->ifp, "add rule failed\n"); } return (err); } static int mlx5e_add_vlan_rule(struct mlx5e_priv *priv, enum mlx5e_vlan_rule_type rule_type, u16 vid) { struct mlx5_flow_spec *spec; int err = 0; spec = mlx5_vzalloc(sizeof(*spec)); if (!spec) { mlx5_en_err(priv->ifp, "alloc failed\n"); err = -ENOMEM; goto add_vlan_rule_out; } err = mlx5e_add_vlan_rule_sub(priv, rule_type, vid, spec); add_vlan_rule_out: kvfree(spec); return (err); } static void mlx5e_del_vlan_rule(struct mlx5e_priv *priv, enum mlx5e_vlan_rule_type rule_type, u16 vid) { switch (rule_type) { case MLX5E_VLAN_RULE_TYPE_UNTAGGED: mlx5_del_flow_rules(&priv->vlan.untagged_ft_rule); break; case MLX5E_VLAN_RULE_TYPE_ANY_CTAG_VID: mlx5_del_flow_rules(&priv->vlan.any_cvlan_ft_rule); break; case MLX5E_VLAN_RULE_TYPE_ANY_STAG_VID: mlx5_del_flow_rules(&priv->vlan.any_svlan_ft_rule); break; case MLX5E_VLAN_RULE_TYPE_MATCH_VID: mlx5_del_flow_rules(&priv->vlan.active_vlans_ft_rule[vid]); mlx5e_vport_context_update_vlans(priv); break; default: break; } } static void mlx5e_del_any_vid_rules(struct mlx5e_priv *priv) { mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_ANY_CTAG_VID, 0); mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_ANY_STAG_VID, 0); } static int mlx5e_add_any_vid_rules(struct mlx5e_priv *priv) { int err; err = mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_ANY_CTAG_VID, 0); if (err) return (err); err = mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_ANY_STAG_VID, 0); if (err) mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_ANY_CTAG_VID, 0); return (err); } void mlx5e_enable_vlan_filter(struct mlx5e_priv *priv) { if (priv->vlan.filter_disabled) { priv->vlan.filter_disabled = false; if 
(if_getflags(priv->ifp) & IFF_PROMISC) return; if (test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_del_any_vid_rules(priv); } } void mlx5e_disable_vlan_filter(struct mlx5e_priv *priv) { if (!priv->vlan.filter_disabled) { priv->vlan.filter_disabled = true; if (if_getflags(priv->ifp) & IFF_PROMISC) return; if (test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_add_any_vid_rules(priv); } } void mlx5e_vlan_rx_add_vid(void *arg, if_t ifp, u16 vid) { struct mlx5e_priv *priv = arg; if (ifp != priv->ifp) return; PRIV_LOCK(priv); if (!test_and_set_bit(vid, priv->vlan.active_vlans) && test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_VID, vid); PRIV_UNLOCK(priv); } void mlx5e_vlan_rx_kill_vid(void *arg, if_t ifp, u16 vid) { struct mlx5e_priv *priv = arg; if (ifp != priv->ifp) return; PRIV_LOCK(priv); clear_bit(vid, priv->vlan.active_vlans); if (test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_VID, vid); PRIV_UNLOCK(priv); } static int mlx5e_add_all_vlan_rules(struct mlx5e_priv *priv) { int err; int i; set_bit(0, priv->vlan.active_vlans); for_each_set_bit(i, priv->vlan.active_vlans, VLAN_N_VID) { err = mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_VID, i); if (err) goto error; } err = mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_UNTAGGED, 0); if (err) goto error; if (priv->vlan.filter_disabled) { err = mlx5e_add_any_vid_rules(priv); if (err) goto error; } return (0); error: mlx5e_del_all_vlan_rules(priv); return (err); } static void mlx5e_del_all_vlan_rules(struct mlx5e_priv *priv) { int i; if (priv->vlan.filter_disabled) mlx5e_del_any_vid_rules(priv); mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_UNTAGGED, 0); for_each_set_bit(i, priv->vlan.active_vlans, VLAN_N_VID) mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_VID, i); clear_bit(0, priv->vlan.active_vlans); } #define mlx5e_for_each_hash_node(hn, tmp, hash, i) \ for (i = 0; 
i < MLX5E_ETH_ADDR_HASH_SIZE; i++) \ LIST_FOREACH_SAFE(hn, &(hash)[i], hlist, tmp) static void mlx5e_execute_action(struct mlx5e_priv *priv, struct mlx5e_eth_addr_hash_node *hn) { switch (hn->action) { case MLX5E_ACTION_ADD: mlx5e_add_eth_addr_rule(priv, &hn->ai, MLX5E_FULLMATCH); hn->action = MLX5E_ACTION_NONE; break; case MLX5E_ACTION_DEL: mlx5e_del_eth_addr_from_flow_table(priv, &hn->ai); if (hn->mpfs_index != -1U) mlx5_mpfs_del_mac(priv->mdev, hn->mpfs_index); mlx5e_del_eth_addr_from_hash(hn); break; default: break; } } static struct mlx5e_eth_addr_hash_node * mlx5e_move_hn(struct mlx5e_eth_addr_hash_head *fh, struct mlx5e_eth_addr_hash_head *uh) { struct mlx5e_eth_addr_hash_node *hn; hn = LIST_FIRST(fh); if (hn != NULL) { LIST_REMOVE(hn, hlist); LIST_INSERT_HEAD(uh, hn, hlist); } return (hn); } static struct mlx5e_eth_addr_hash_node * mlx5e_remove_hn(struct mlx5e_eth_addr_hash_head *fh) { struct mlx5e_eth_addr_hash_node *hn; hn = LIST_FIRST(fh); if (hn != NULL) LIST_REMOVE(hn, hlist); return (hn); } struct mlx5e_copy_addr_ctx { struct mlx5e_eth_addr_hash_head *free; struct mlx5e_eth_addr_hash_head *fill; bool success; }; static u_int mlx5e_copy_addr(void *arg, struct sockaddr_dl *sdl, u_int cnt) { struct mlx5e_copy_addr_ctx *ctx = arg; struct mlx5e_eth_addr_hash_node *hn; hn = mlx5e_move_hn(ctx->free, ctx->fill); if (hn == NULL) { ctx->success = false; return (0); } ether_addr_copy(hn->ai.addr, LLADDR(sdl)); return (1); } static void mlx5e_sync_ifp_addr(struct mlx5e_priv *priv) { struct mlx5e_copy_addr_ctx ctx; struct mlx5e_eth_addr_hash_head head_free; struct mlx5e_eth_addr_hash_head head_uc; struct mlx5e_eth_addr_hash_head head_mc; struct mlx5e_eth_addr_hash_node *hn; if_t ifp = priv->ifp; size_t x; size_t num; PRIV_ASSERT_LOCKED(priv); retry: LIST_INIT(&head_free); LIST_INIT(&head_uc); LIST_INIT(&head_mc); num = 1 + if_lladdr_count(ifp) + if_llmaddr_count(ifp); /* allocate place holders */ for (x = 0; x != num; x++) { hn = malloc(sizeof(*hn), M_MLX5EN, 
M_WAITOK | M_ZERO); hn->action = MLX5E_ACTION_ADD; hn->mpfs_index = -1U; LIST_INSERT_HEAD(&head_free, hn, hlist); } hn = mlx5e_move_hn(&head_free, &head_uc); MPASS(hn != NULL); ether_addr_copy(hn->ai.addr, if_getlladdr(ifp)); ctx.free = &head_free; ctx.fill = &head_uc; ctx.success = true; if_foreach_lladdr(ifp, mlx5e_copy_addr, &ctx); if (ctx.success == false) goto cleanup; ctx.fill = &head_mc; if_foreach_llmaddr(ifp, mlx5e_copy_addr, &ctx); if (ctx.success == false) goto cleanup; /* insert L2 unicast addresses into hash list */ while ((hn = mlx5e_remove_hn(&head_uc)) != NULL) { if (mlx5e_add_eth_addr_to_hash(priv->eth_addr.if_uc, hn) == 0) continue; if (hn->mpfs_index == -1U) mlx5_mpfs_add_mac(priv->mdev, &hn->mpfs_index, hn->ai.addr, 0, 0); } /* insert L2 multicast addresses into hash list */ while ((hn = mlx5e_remove_hn(&head_mc)) != NULL) { if (mlx5e_add_eth_addr_to_hash(priv->eth_addr.if_mc, hn) == 0) continue; } cleanup: while ((hn = mlx5e_remove_hn(&head_uc)) != NULL) free(hn, M_MLX5EN); while ((hn = mlx5e_remove_hn(&head_mc)) != NULL) free(hn, M_MLX5EN); while ((hn = mlx5e_remove_hn(&head_free)) != NULL) free(hn, M_MLX5EN); if (ctx.success == false) goto retry; } static void mlx5e_fill_addr_array(struct mlx5e_priv *priv, int list_type, u8 addr_array[][ETH_ALEN], int size) { bool is_uc = (list_type == MLX5_NIC_VPORT_LIST_TYPE_UC); if_t ifp = priv->ifp; struct mlx5e_eth_addr_hash_node *hn; struct mlx5e_eth_addr_hash_head *addr_list; struct mlx5e_eth_addr_hash_node *tmp; int i = 0; int hi; addr_list = is_uc ? 
priv->eth_addr.if_uc : priv->eth_addr.if_mc; if (is_uc) /* Make sure our own address is pushed first */ ether_addr_copy(addr_array[i++], if_getlladdr(ifp)); else if (priv->eth_addr.broadcast_enabled) ether_addr_copy(addr_array[i++], if_getbroadcastaddr(ifp)); mlx5e_for_each_hash_node(hn, tmp, addr_list, hi) { if (ether_addr_equal(if_getlladdr(ifp), hn->ai.addr)) continue; if (i >= size) break; ether_addr_copy(addr_array[i++], hn->ai.addr); } } static void mlx5e_vport_context_update_addr_list(struct mlx5e_priv *priv, int list_type) { bool is_uc = (list_type == MLX5_NIC_VPORT_LIST_TYPE_UC); struct mlx5e_eth_addr_hash_node *hn; u8 (*addr_array)[ETH_ALEN] = NULL; struct mlx5e_eth_addr_hash_head *addr_list; struct mlx5e_eth_addr_hash_node *tmp; int max_size; int size; int err; int hi; size = is_uc ? 0 : (priv->eth_addr.broadcast_enabled ? 1 : 0); max_size = is_uc ? 1 << MLX5_CAP_GEN(priv->mdev, log_max_current_uc_list) : 1 << MLX5_CAP_GEN(priv->mdev, log_max_current_mc_list); addr_list = is_uc ? priv->eth_addr.if_uc : priv->eth_addr.if_mc; mlx5e_for_each_hash_node(hn, tmp, addr_list, hi) size++; if (size > max_size) { mlx5_en_err(priv->ifp, "ifp %s list size (%d) > (%d) max vport list size, some addresses will be dropped\n", is_uc ? "UC" : "MC", size, max_size); size = max_size; } if (size) { addr_array = kcalloc(size, ETH_ALEN, GFP_KERNEL); if (!addr_array) { err = -ENOMEM; goto out; } mlx5e_fill_addr_array(priv, list_type, addr_array, size); } err = mlx5_modify_nic_vport_mac_list(priv->mdev, list_type, addr_array, size); out: if (err) mlx5_en_err(priv->ifp, "Failed to modify vport %s list err(%d)\n", is_uc ? 
"UC" : "MC", err); kfree(addr_array); } static void mlx5e_vport_context_update(struct mlx5e_priv *priv) { struct mlx5e_eth_addr_db *ea = &priv->eth_addr; mlx5e_vport_context_update_addr_list(priv, MLX5_NIC_VPORT_LIST_TYPE_UC); mlx5e_vport_context_update_addr_list(priv, MLX5_NIC_VPORT_LIST_TYPE_MC); mlx5_modify_nic_vport_promisc(priv->mdev, 0, ea->allmulti_enabled, ea->promisc_enabled); } static void mlx5e_apply_ifp_addr(struct mlx5e_priv *priv) { struct mlx5e_eth_addr_hash_node *hn; struct mlx5e_eth_addr_hash_node *tmp; int i; mlx5e_for_each_hash_node(hn, tmp, priv->eth_addr.if_uc, i) mlx5e_execute_action(priv, hn); mlx5e_for_each_hash_node(hn, tmp, priv->eth_addr.if_mc, i) mlx5e_execute_action(priv, hn); } static void mlx5e_handle_ifp_addr(struct mlx5e_priv *priv, bool rx_mode_enable) { struct mlx5e_eth_addr_hash_node *hn; struct mlx5e_eth_addr_hash_node *tmp; int i; mlx5e_for_each_hash_node(hn, tmp, priv->eth_addr.if_uc, i) hn->action = MLX5E_ACTION_DEL; mlx5e_for_each_hash_node(hn, tmp, priv->eth_addr.if_mc, i) hn->action = MLX5E_ACTION_DEL; if (rx_mode_enable) mlx5e_sync_ifp_addr(priv); mlx5e_apply_ifp_addr(priv); } static void mlx5e_set_rx_mode_core(struct mlx5e_priv *priv, bool rx_mode_enable) { struct mlx5e_eth_addr_db *ea = &priv->eth_addr; if_t ndev = priv->ifp; int ndev_flags = if_getflags(ndev); bool promisc_enabled = rx_mode_enable && (ndev_flags & IFF_PROMISC); bool allmulti_enabled = rx_mode_enable && (ndev_flags & IFF_ALLMULTI); bool broadcast_enabled = rx_mode_enable; bool enable_promisc = !ea->promisc_enabled && promisc_enabled; bool disable_promisc = ea->promisc_enabled && !promisc_enabled; bool enable_allmulti = !ea->allmulti_enabled && allmulti_enabled; bool disable_allmulti = ea->allmulti_enabled && !allmulti_enabled; bool enable_broadcast = !ea->broadcast_enabled && broadcast_enabled; bool disable_broadcast = ea->broadcast_enabled && !broadcast_enabled; /* update broadcast address */ ether_addr_copy(priv->eth_addr.broadcast.addr, 
if_getbroadcastaddr(priv->ifp)); if (enable_promisc) { mlx5e_add_eth_addr_rule(priv, &ea->promisc, MLX5E_PROMISC); if (!priv->vlan.filter_disabled) mlx5e_add_any_vid_rules(priv); } if (enable_allmulti) mlx5e_add_eth_addr_rule(priv, &ea->allmulti, MLX5E_ALLMULTI); if (enable_broadcast) mlx5e_add_eth_addr_rule(priv, &ea->broadcast, MLX5E_FULLMATCH); mlx5e_handle_ifp_addr(priv, rx_mode_enable); if (disable_broadcast) mlx5e_del_eth_addr_from_flow_table(priv, &ea->broadcast); if (disable_allmulti) mlx5e_del_eth_addr_from_flow_table(priv, &ea->allmulti); if (disable_promisc) { if (!priv->vlan.filter_disabled) mlx5e_del_any_vid_rules(priv); mlx5e_del_eth_addr_from_flow_table(priv, &ea->promisc); } ea->promisc_enabled = promisc_enabled; ea->allmulti_enabled = allmulti_enabled; ea->broadcast_enabled = broadcast_enabled; mlx5e_vport_context_update(priv); } void mlx5e_set_rx_mode_work(struct work_struct *work) { struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv, set_rx_mode_work); PRIV_LOCK(priv); if (test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_set_rx_mode_core(priv, true); PRIV_UNLOCK(priv); } static void mlx5e_destroy_groups(struct mlx5e_flow_table *ft) { int i; for (i = ft->num_groups - 1; i >= 0; i--) { if (!IS_ERR_OR_NULL(ft->g[i])) mlx5_destroy_flow_group(ft->g[i]); ft->g[i] = NULL; } ft->num_groups = 0; } static void mlx5e_destroy_flow_table(struct mlx5e_flow_table *ft) { mlx5e_destroy_groups(ft); kfree(ft->g); mlx5_destroy_flow_table(ft->t); ft->t = NULL; } #define MLX5E_NUM_MAIN_GROUPS 10 #define MLX5E_MAIN_GROUP0_SIZE BIT(4) #define MLX5E_MAIN_GROUP1_SIZE BIT(3) #define MLX5E_MAIN_GROUP2_SIZE BIT(1) #define MLX5E_MAIN_GROUP3_SIZE BIT(0) #define MLX5E_MAIN_GROUP4_SIZE BIT(14) #define MLX5E_MAIN_GROUP5_SIZE BIT(13) #define MLX5E_MAIN_GROUP6_SIZE BIT(11) #define MLX5E_MAIN_GROUP7_SIZE BIT(2) #define MLX5E_MAIN_GROUP8_SIZE BIT(1) #define MLX5E_MAIN_GROUP9_SIZE BIT(0) #define MLX5E_MAIN_TABLE_SIZE (MLX5E_MAIN_GROUP0_SIZE +\ 
MLX5E_MAIN_GROUP1_SIZE +\ MLX5E_MAIN_GROUP2_SIZE +\ MLX5E_MAIN_GROUP3_SIZE +\ MLX5E_MAIN_GROUP4_SIZE +\ MLX5E_MAIN_GROUP5_SIZE +\ MLX5E_MAIN_GROUP6_SIZE +\ MLX5E_MAIN_GROUP7_SIZE +\ MLX5E_MAIN_GROUP8_SIZE +\ MLX5E_MAIN_GROUP9_SIZE +\ 0) static int mlx5e_create_main_groups_sub(struct mlx5e_flow_table *ft, u32 *in, int inlen) { u8 *mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); u8 *dmac = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria.outer_headers.dmac_47_16); int err; int ix = 0; /* Tunnel rules need to be first in this list of groups */ /* Start tunnel rules */ memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.udp_dport); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP0_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; /* End Tunnel Rules */ memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP1_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP2_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; 
ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP3_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); memset(dmac, 0xff, ETH_ALEN); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP4_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); memset(dmac, 0xff, ETH_ALEN); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP5_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); memset(dmac, 0xff, ETH_ALEN); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP6_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); dmac[0] = 0x01; MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP7_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if 
(IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); dmac[0] = 0x01; MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP8_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); dmac[0] = 0x01; MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_GROUP9_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; return (0); err_destory_groups: err = PTR_ERR(ft->g[ft->num_groups]); ft->g[ft->num_groups] = NULL; mlx5e_destroy_groups(ft); return (err); } static int mlx5e_create_main_groups(struct mlx5e_flow_table *ft) { u32 *in; int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); int err; in = mlx5_vzalloc(inlen); if (!in) return (-ENOMEM); err = mlx5e_create_main_groups_sub(ft, in, inlen); kvfree(in); return (err); } #define MLX5E_MAIN_VXLAN_GROUP0_SIZE BIT(3) #define MLX5E_MAIN_VXLAN_GROUP1_SIZE BIT(3) #define MLX5E_MAIN_VXLAN_GROUP2_SIZE BIT(0) static int mlx5e_create_main_vxlan_groups_sub(struct mlx5e_flow_table *ft, u32 *in, int inlen) { u8 *mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); int err; int ix = 0; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_INNER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ip_protocol); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_VXLAN_GROUP0_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if 
(IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_INNER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ethertype); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_VXLAN_GROUP1_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_MAIN_VXLAN_GROUP2_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; return (0); err_destory_groups: err = PTR_ERR(ft->g[ft->num_groups]); ft->g[ft->num_groups] = NULL; mlx5e_destroy_groups(ft); return (err); } static int mlx5e_create_main_vxlan_groups(struct mlx5e_flow_table *ft) { u32 *in; int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); int err; in = mlx5_vzalloc(inlen); if (!in) return (-ENOMEM); err = mlx5e_create_main_vxlan_groups_sub(ft, in, inlen); kvfree(in); return (err); } static int mlx5e_create_main_flow_table(struct mlx5e_priv *priv, bool inner_vxlan) { struct mlx5e_flow_table *ft = inner_vxlan ? &priv->fts.main_vxlan : &priv->fts.main; struct mlx5_flow_table_attr ft_attr = {}; int err; ft->num_groups = 0; ft_attr.max_fte = MLX5E_MAIN_TABLE_SIZE; if (priv->ipsec) ft_attr.level = inner_vxlan ? 10 : 12; else ft_attr.level = inner_vxlan ? 2 : 4; ft->t = mlx5_create_flow_table(priv->fts.ns, &ft_attr); if (IS_ERR(ft->t)) { err = PTR_ERR(ft->t); ft->t = NULL; return (err); } ft->g = kcalloc(MLX5E_NUM_MAIN_GROUPS, sizeof(*ft->g), GFP_KERNEL); if (!ft->g) { err = -ENOMEM; goto err_destroy_main_flow_table; } err = inner_vxlan ? 
mlx5e_create_main_vxlan_groups(ft) : mlx5e_create_main_groups(ft); if (err) goto err_free_g; return (0); err_free_g: kfree(ft->g); err_destroy_main_flow_table: mlx5_destroy_flow_table(ft->t); ft->t = NULL; return (err); } static void mlx5e_destroy_main_flow_table(struct mlx5e_priv *priv) { mlx5e_destroy_flow_table(&priv->fts.main); } static void mlx5e_destroy_main_vxlan_flow_table(struct mlx5e_priv *priv) { mlx5e_destroy_flow_table(&priv->fts.main_vxlan); } #define MLX5E_NUM_VLAN_GROUPS 3 #define MLX5E_VLAN_GROUP0_SIZE BIT(12) #define MLX5E_VLAN_GROUP1_SIZE BIT(1) #define MLX5E_VLAN_GROUP2_SIZE BIT(0) #define MLX5E_VLAN_TABLE_SIZE (MLX5E_VLAN_GROUP0_SIZE +\ MLX5E_VLAN_GROUP1_SIZE +\ MLX5E_VLAN_GROUP2_SIZE +\ 0) static int mlx5e_create_vlan_groups_sub(struct mlx5e_flow_table *ft, u32 *in, int inlen) { int err; int ix = 0; u8 *mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.cvlan_tag); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.first_vid); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_VLAN_GROUP0_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.cvlan_tag); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_VLAN_GROUP1_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.svlan_tag); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_VLAN_GROUP2_SIZE; 
MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; return (0); err_destory_groups: err = PTR_ERR(ft->g[ft->num_groups]); ft->g[ft->num_groups] = NULL; mlx5e_destroy_groups(ft); return (err); } static int mlx5e_create_vlan_groups(struct mlx5e_flow_table *ft) { u32 *in; int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); int err; in = mlx5_vzalloc(inlen); if (!in) return (-ENOMEM); err = mlx5e_create_vlan_groups_sub(ft, in, inlen); kvfree(in); return (err); } static int mlx5e_create_vlan_flow_table(struct mlx5e_priv *priv) { struct mlx5e_flow_table *ft = &priv->fts.vlan; struct mlx5_flow_table_attr ft_attr = {}; int err; ft->num_groups = 0; ft_attr.max_fte = MLX5E_VLAN_TABLE_SIZE;
- ft_attr.level = (priv->ipsec) ? 8 : 0;
+ ft_attr.level = (priv->ipsec) ? 9 : 0;
 ft->t = mlx5_create_flow_table(priv->fts.ns, &ft_attr); if (IS_ERR(ft->t)) { err = PTR_ERR(ft->t); ft->t = NULL; return (err); } ft->g = kcalloc(MLX5E_NUM_VLAN_GROUPS, sizeof(*ft->g), GFP_KERNEL); if (!ft->g) { err = -ENOMEM; goto err_destroy_vlan_flow_table; } err = mlx5e_create_vlan_groups(ft); if (err) goto err_free_g; return (0); err_free_g: kfree(ft->g); err_destroy_vlan_flow_table: mlx5_destroy_flow_table(ft->t); ft->t = NULL; return (err); } static void mlx5e_destroy_vlan_flow_table(struct mlx5e_priv *priv) { mlx5e_destroy_flow_table(&priv->fts.vlan); } static int mlx5e_add_vxlan_rule_sub(struct mlx5e_priv *priv, struct mlx5_flow_spec *spec, struct mlx5e_vxlan_db_el *el) { struct mlx5_flow_table *ft = priv->fts.vxlan.t; struct mlx5_flow_destination dest = {}; struct mlx5_flow_handle **rule_p; int err = 0; struct mlx5_flow_act flow_act = { .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, }; u8 *mc; u8 *mv; mv = (u8 *)spec->match_value; mc = (u8 *)spec->match_criteria; spec->flow_context.flow_tag = MLX5_FS_ETH_FLOW_TAG; spec->flow_context.flags = FLOW_CONTEXT_HAS_TAG; dest.type =
MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest.ft = priv->fts.main_vxlan.t; spec->match_criteria_enable = MLX5_MATCH_OUTER_HEADERS; rule_p = &el->vxlan_ft_rule; MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET(fte_match_param, mv, outer_headers.ethertype, el->proto); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); MLX5_SET(fte_match_param, mv, outer_headers.ip_protocol, IPPROTO_UDP); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.udp_dport); MLX5_SET(fte_match_param, mv, outer_headers.udp_dport, el->port); *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR(*rule_p)) { err = PTR_ERR(*rule_p); *rule_p = NULL; mlx5_en_err(priv->ifp, "add rule failed\n"); } return (err); } static struct mlx5e_vxlan_db_el * mlx5e_vxlan_find_db_el(struct mlx5e_priv *priv, u_int proto, u_int port) { struct mlx5e_vxlan_db_el *el; TAILQ_FOREACH(el, &priv->vxlan.head, link) { if (el->proto == proto && el->port == port) return (el); } return (NULL); } static struct mlx5e_vxlan_db_el * mlx5e_vxlan_alloc_db_el(struct mlx5e_priv *priv, u_int proto, u_int port) { struct mlx5e_vxlan_db_el *el; el = mlx5_vzalloc(sizeof(*el)); el->refcount = 1; el->proto = proto; el->port = port; el->vxlan_ft_rule = NULL; return (el); } static int mlx5e_vxlan_family_to_proto(sa_family_t family, u_int *proto) { switch (family) { case AF_INET: *proto = ETHERTYPE_IP; return (0); case AF_INET6: *proto = ETHERTYPE_IPV6; return (0); default: return (-EINVAL); } } static int mlx5e_add_vxlan_rule_from_db(struct mlx5e_priv *priv, struct mlx5e_vxlan_db_el *el) { struct mlx5_flow_spec *spec; int err; spec = mlx5_vzalloc(sizeof(*spec)); if (!spec) { mlx5_en_err(priv->ifp, "alloc failed\n"); err = -ENOMEM; goto add_vxlan_rule_out; } err = mlx5e_add_vxlan_rule_sub(priv, spec, el); add_vxlan_rule_out: kvfree(spec); return (err); } static int mlx5e_add_vxlan_rule(struct mlx5e_priv *priv, sa_family_t family, u_int port) { struct mlx5e_vxlan_db_el *el; u_int proto; int 
err; err = mlx5e_vxlan_family_to_proto(family, &proto); if (err != 0) return (err); el = mlx5e_vxlan_find_db_el(priv, proto, port); if (el != NULL) { el->refcount++; if (el->installed) return (0); } el = mlx5e_vxlan_alloc_db_el(priv, proto, port); if ((if_getcapenable(priv->ifp) & IFCAP_VXLAN_HWCSUM) != 0) { err = mlx5e_add_vxlan_rule_from_db(priv, el); if (err == 0) el->installed = true; } if (err == 0) TAILQ_INSERT_TAIL(&priv->vxlan.head, el, link); else kvfree(el); return (err); } static int mlx5e_add_vxlan_catchall_rule_sub(struct mlx5e_priv *priv, struct mlx5_flow_spec *spec) { struct mlx5_flow_table *ft = priv->fts.vxlan.t; struct mlx5_flow_destination dest = {}; struct mlx5_flow_handle **rule_p; int err = 0; struct mlx5_flow_act flow_act = { .action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST, }; spec->flow_context.flow_tag = MLX5_FS_ETH_FLOW_TAG; spec->flow_context.flags = FLOW_CONTEXT_HAS_TAG; dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest.ft = priv->fts.main.t; rule_p = &priv->fts.vxlan_catchall_ft_rule; *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); if (IS_ERR(*rule_p)) { err = PTR_ERR(*rule_p); *rule_p = NULL; mlx5_en_err(priv->ifp, "add rule failed\n"); } return (err); } static int mlx5e_add_vxlan_catchall_rule(struct mlx5e_priv *priv) { struct mlx5_flow_spec *spec; int err; spec = mlx5_vzalloc(sizeof(*spec)); if (!spec) { mlx5_en_err(priv->ifp, "alloc failed\n"); err = -ENOMEM; goto add_vxlan_rule_out; } err = mlx5e_add_vxlan_catchall_rule_sub(priv, spec); add_vxlan_rule_out: kvfree(spec); return (err); } int mlx5e_add_all_vxlan_rules(struct mlx5e_priv *priv) { struct mlx5e_vxlan_db_el *el; int err; err = 0; TAILQ_FOREACH(el, &priv->vxlan.head, link) { if (el->installed) continue; err = mlx5e_add_vxlan_rule_from_db(priv, el); if (err != 0) break; el->installed = true; } return (err); } static int mlx5e_del_vxlan_rule(struct mlx5e_priv *priv, sa_family_t family, u_int port) { struct mlx5e_vxlan_db_el *el; u_int proto; int err; err = 
mlx5e_vxlan_family_to_proto(family, &proto); if (err != 0) return (err); el = mlx5e_vxlan_find_db_el(priv, proto, port); if (el == NULL) return (0); if (el->refcount > 1) { el->refcount--; return (0); } if (el->installed) mlx5_del_flow_rules(&el->vxlan_ft_rule); TAILQ_REMOVE(&priv->vxlan.head, el, link); kvfree(el); return (0); } void mlx5e_del_all_vxlan_rules(struct mlx5e_priv *priv) { struct mlx5e_vxlan_db_el *el; TAILQ_FOREACH(el, &priv->vxlan.head, link) { if (!el->installed) continue; mlx5_del_flow_rules(&el->vxlan_ft_rule); el->installed = false; } } static void mlx5e_del_vxlan_catchall_rule(struct mlx5e_priv *priv) { mlx5_del_flow_rules(&priv->fts.vxlan_catchall_ft_rule); } void mlx5e_vxlan_start(void *arg, if_t ifp __unused, sa_family_t family, u_int port) { struct mlx5e_priv *priv = arg; int err; PRIV_LOCK(priv); err = mlx5_vxlan_udp_port_add(priv->mdev, port); if (err == 0 && test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_add_vxlan_rule(priv, family, port); PRIV_UNLOCK(priv); } void mlx5e_vxlan_stop(void *arg, if_t ifp __unused, sa_family_t family, u_int port) { struct mlx5e_priv *priv = arg; PRIV_LOCK(priv); if (test_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state)) mlx5e_del_vxlan_rule(priv, family, port); (void)mlx5_vxlan_udp_port_delete(priv->mdev, port); PRIV_UNLOCK(priv); } #define MLX5E_VXLAN_GROUP0_SIZE BIT(3) /* XXXKIB */ #define MLX5E_VXLAN_GROUP1_SIZE BIT(0) #define MLX5E_NUM_VXLAN_GROUPS BIT(1) #define MLX5E_VXLAN_TABLE_SIZE \ (MLX5E_VXLAN_GROUP0_SIZE + MLX5E_VXLAN_GROUP1_SIZE) static int mlx5e_create_vxlan_groups_sub(struct mlx5e_flow_table *ft, u32 *in, int inlen) { int err; int ix = 0; u8 *mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.udp_dport); 
MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_VXLAN_GROUP0_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_VXLAN_GROUP1_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; return (0); err_destory_groups: err = PTR_ERR(ft->g[ft->num_groups]); ft->g[ft->num_groups] = NULL; mlx5e_destroy_groups(ft); return (err); } static int mlx5e_create_vxlan_groups(struct mlx5e_flow_table *ft) { u32 *in; int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); int err; in = mlx5_vzalloc(inlen); if (!in) return (-ENOMEM); err = mlx5e_create_vxlan_groups_sub(ft, in, inlen); kvfree(in); return (err); } static int mlx5e_create_vxlan_flow_table(struct mlx5e_priv *priv) { struct mlx5e_flow_table *ft = &priv->fts.vxlan; struct mlx5_flow_table_attr ft_attr = {}; int err; ft->num_groups = 0; ft_attr.max_fte = MLX5E_VXLAN_TABLE_SIZE;
- ft_attr.level = (priv->ipsec) ? 9 : 1;
+ ft_attr.level = (priv->ipsec) ? 10 : 1;
 ft->t = mlx5_create_flow_table(priv->fts.ns, &ft_attr); if (IS_ERR(ft->t)) { err = PTR_ERR(ft->t); ft->t = NULL; return (err); } ft->g = kcalloc(MLX5E_NUM_VXLAN_GROUPS, sizeof(*ft->g), GFP_KERNEL); if (!ft->g) { err = -ENOMEM; goto err_destroy_vxlan_flow_table; } err = mlx5e_create_vxlan_groups(ft); if (err) goto err_free_g; TAILQ_INIT(&priv->vxlan.head); return (0); err_free_g: kfree(ft->g); err_destroy_vxlan_flow_table: mlx5_destroy_flow_table(ft->t); ft->t = NULL; return (err); } #define MLX5E_NUM_INNER_RSS_GROUPS 3 #define MLX5E_INNER_RSS_GROUP0_SIZE BIT(3) #define MLX5E_INNER_RSS_GROUP1_SIZE BIT(1) #define MLX5E_INNER_RSS_GROUP2_SIZE BIT(0) #define MLX5E_INNER_RSS_TABLE_SIZE (MLX5E_INNER_RSS_GROUP0_SIZE +\ MLX5E_INNER_RSS_GROUP1_SIZE +\ MLX5E_INNER_RSS_GROUP2_SIZE +\ 0) static int mlx5e_create_inner_rss_groups_sub(struct mlx5e_flow_table *ft, u32 *in, int inlen) { u8 *mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); int err; int ix = 0; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_INNER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ethertype); MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ip_protocol); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_INNER_RSS_GROUP0_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_INNER_HEADERS); MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ethertype); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_INNER_RSS_GROUP1_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1); ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; memset(in, 0, inlen); MLX5_SET_CFG(in, start_flow_index, ix); ix += MLX5E_INNER_RSS_GROUP2_SIZE; MLX5_SET_CFG(in, end_flow_index, ix - 1);
ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in); if (IS_ERR(ft->g[ft->num_groups])) goto err_destory_groups; ft->num_groups++; return (0); err_destory_groups: err = PTR_ERR(ft->g[ft->num_groups]); ft->g[ft->num_groups] = NULL; mlx5e_destroy_groups(ft); return (err); } static int mlx5e_create_inner_rss_groups(struct mlx5e_flow_table *ft) { u32 *in; int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); int err; in = mlx5_vzalloc(inlen); if (!in) return (-ENOMEM); err = mlx5e_create_inner_rss_groups_sub(ft, in, inlen); kvfree(in); return (err); } static int mlx5e_create_inner_rss_flow_table(struct mlx5e_priv *priv) { struct mlx5e_flow_table *ft = &priv->fts.inner_rss; struct mlx5_flow_table_attr ft_attr = {}; int err; ft->num_groups = 0; ft_attr.max_fte = MLX5E_INNER_RSS_TABLE_SIZE; ft_attr.level = (priv->ipsec) ? 11 : 3; ft->t = mlx5_create_flow_table(priv->fts.ns, &ft_attr); if (IS_ERR(ft->t)) { err = PTR_ERR(ft->t); ft->t = NULL; return (err); } ft->g = kcalloc(MLX5E_NUM_INNER_RSS_GROUPS, sizeof(*ft->g), GFP_KERNEL); if (!ft->g) { err = -ENOMEM; goto err_destroy_inner_rss_flow_table; } err = mlx5e_create_inner_rss_groups(ft); if (err) goto err_free_g; return (0); err_free_g: kfree(ft->g); err_destroy_inner_rss_flow_table: mlx5_destroy_flow_table(ft->t); ft->t = NULL; return (err); } static void mlx5e_destroy_inner_rss_flow_table(struct mlx5e_priv *priv) { mlx5e_destroy_flow_table(&priv->fts.inner_rss); } static void mlx5e_destroy_vxlan_flow_table(struct mlx5e_priv *priv) { mlx5e_destroy_flow_table(&priv->fts.vxlan); } int mlx5e_open_flow_tables(struct mlx5e_priv *priv) { int err; /* setup namespace pointer */ priv->fts.ns = mlx5_get_flow_namespace( priv->mdev, MLX5_FLOW_NAMESPACE_KERNEL); err = mlx5e_accel_ipsec_fs_rx_tables_create(priv); if (err) return err; err = mlx5e_create_vlan_flow_table(priv); if (err) goto err_destroy_ipsec_flow_table; err = mlx5e_create_vxlan_flow_table(priv); if (err) goto err_destroy_vlan_flow_table; err = 
mlx5e_create_main_flow_table(priv, true); if (err) goto err_destroy_vxlan_flow_table; err = mlx5e_create_inner_rss_flow_table(priv); if (err) goto err_destroy_main_flow_table_true; err = mlx5e_create_main_flow_table(priv, false); if (err) goto err_destroy_inner_rss_flow_table; err = mlx5e_add_vxlan_catchall_rule(priv); if (err) goto err_destroy_main_flow_table_false; err = mlx5e_accel_ipsec_fs_rx_catchall_rules(priv); if (err) goto err_destroy_vxlan_catchall_rule; err = mlx5e_accel_fs_tcp_create(priv); if (err) goto err_destroy_ipsec_catchall_rules; return (0); err_destroy_ipsec_catchall_rules: mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy(priv); err_destroy_vxlan_catchall_rule: mlx5e_del_vxlan_catchall_rule(priv); err_destroy_main_flow_table_false: mlx5e_destroy_main_flow_table(priv); err_destroy_inner_rss_flow_table: mlx5e_destroy_inner_rss_flow_table(priv); err_destroy_main_flow_table_true: mlx5e_destroy_main_vxlan_flow_table(priv); err_destroy_vxlan_flow_table: mlx5e_destroy_vxlan_flow_table(priv); err_destroy_vlan_flow_table: mlx5e_destroy_vlan_flow_table(priv); err_destroy_ipsec_flow_table: mlx5e_accel_ipsec_fs_rx_tables_destroy(priv); return (err); } void mlx5e_close_flow_tables(struct mlx5e_priv *priv) { mlx5e_accel_fs_tcp_destroy(priv); mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy(priv); mlx5e_del_vxlan_catchall_rule(priv); mlx5e_destroy_main_flow_table(priv); mlx5e_destroy_inner_rss_flow_table(priv); mlx5e_destroy_main_vxlan_flow_table(priv); mlx5e_destroy_vxlan_flow_table(priv); mlx5e_destroy_vlan_flow_table(priv); mlx5e_accel_ipsec_fs_rx_tables_destroy(priv); } int mlx5e_open_flow_rules(struct mlx5e_priv *priv) { int err; err = mlx5e_add_all_vlan_rules(priv); if (err) return (err); err = mlx5e_add_main_vxlan_rules(priv); if (err) goto err_del_all_vlan_rules; err = mlx5e_add_all_vxlan_rules(priv); if (err) goto err_del_main_vxlan_rules; mlx5e_set_rx_mode_core(priv, true); set_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state); return (0); 
err_del_main_vxlan_rules: mlx5e_del_main_vxlan_rules(priv); err_del_all_vlan_rules: mlx5e_del_all_vlan_rules(priv); return (err); } void mlx5e_close_flow_rules(struct mlx5e_priv *priv) { clear_bit(MLX5E_STATE_FLOW_RULES_READY, &priv->state); mlx5e_set_rx_mode_core(priv, false); mlx5e_del_all_vxlan_rules(priv); mlx5e_del_main_vxlan_rules(priv); mlx5e_del_all_vlan_rules(priv); }