Merge branch 'netfilter-flowtable-hardware-offload'
Pablo Neira Ayuso says:
====================
netfilter flowtable hardware offload
The following patchset adds hardware offload support for the flowtable
infrastructure [1]. This infrastructure provides a fast datapath for
the classic Linux forwarding path that users can enable through policy,
eg.
table inet x {
flowtable f {
hook ingress priority 10 devices = { eth0, eth1 }
flags offload
}
chain y {
type filter hook forward priority 0; policy accept;
ip protocol tcp flow offload @f
}
}
This example above enables the fastpath for TCP traffic between devices
eth0 and eth1. Users can turn on the hardware offload through the
'offload' flag from the flowtable definition. If this new flag is not
specified, the software flowtable datapath is used.
This patchset is composed of 4 preparation patches:
room to extend this infrastructure, eg. accelerate bridge forwarding.
And 2 patches to add the hardware offload control and data planes:
hardware offload. This includes a new NFTA_FLOWTABLE_FLAGS netlink
attribute to convey the optional NF_FLOWTABLE_HW_OFFLOAD flag.
API available at net/core/flow_offload.h to represent the flow
through two flow_rule objects to configure an exact 5-tuple matching
on each direction plus the corresponding forwarding actions, that is,
the MAC address, NAT and checksum updates; and port redirection in
order to configure the hardware datapath. This patch only supports
for IPv4 support and statistics collection for flow aging as an initial
step.
This patchset introduces a new flow_block callback type that needs to be
set up to configure the flowtable hardware offload.
The first client of this infrastructure follows up after this batch.
I would like to thank Mellanox for developing the first upstream driver
to use this infrastructure.
[1] Documentation/networking/nf_flowtable.txt
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
projects / linux.git / commit