1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (C) 2017-2018 Netronome Systems, Inc. */
3 
4 #include <linux/skbuff.h>
5 #include <net/devlink.h>
6 #include <net/pkt_cls.h>
7 
8 #include "cmsg.h"
9 #include "main.h"
10 #include "conntrack.h"
11 #include "../nfpcore/nfp_cpp.h"
12 #include "../nfpcore/nfp_nsp.h"
13 #include "../nfp_app.h"
14 #include "../nfp_main.h"
15 #include "../nfp_net.h"
16 #include "../nfp_port.h"
17 
18 #define NFP_FLOWER_SUPPORTED_TCPFLAGS \
19 	(TCPHDR_FIN | TCPHDR_SYN | TCPHDR_RST | \
20 	 TCPHDR_PSH | TCPHDR_URG)
21 
22 #define NFP_FLOWER_SUPPORTED_CTLFLAGS \
23 	(FLOW_DIS_IS_FRAGMENT | \
24 	 FLOW_DIS_FIRST_FRAG)
25 
26 #define NFP_FLOWER_WHITELIST_DISSECTOR \
27 	(BIT(FLOW_DISSECTOR_KEY_CONTROL) | \
28 	 BIT(FLOW_DISSECTOR_KEY_BASIC) | \
29 	 BIT(FLOW_DISSECTOR_KEY_IPV4_ADDRS) | \
30 	 BIT(FLOW_DISSECTOR_KEY_IPV6_ADDRS) | \
31 	 BIT(FLOW_DISSECTOR_KEY_TCP) | \
32 	 BIT(FLOW_DISSECTOR_KEY_PORTS) | \
33 	 BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
34 	 BIT(FLOW_DISSECTOR_KEY_VLAN) | \
35 	 BIT(FLOW_DISSECTOR_KEY_CVLAN) | \
36 	 BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
37 	 BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
38 	 BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \
39 	 BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \
40 	 BIT(FLOW_DISSECTOR_KEY_ENC_PORTS) | \
41 	 BIT(FLOW_DISSECTOR_KEY_ENC_OPTS) | \
42 	 BIT(FLOW_DISSECTOR_KEY_ENC_IP) | \
43 	 BIT(FLOW_DISSECTOR_KEY_MPLS) | \
44 	 BIT(FLOW_DISSECTOR_KEY_CT) | \
45 	 BIT(FLOW_DISSECTOR_KEY_META) | \
46 	 BIT(FLOW_DISSECTOR_KEY_IP))
47 
48 #define NFP_FLOWER_WHITELIST_TUN_DISSECTOR \
49 	(BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \
50 	 BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
51 	 BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
52 	 BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \
53 	 BIT(FLOW_DISSECTOR_KEY_ENC_OPTS) | \
54 	 BIT(FLOW_DISSECTOR_KEY_ENC_PORTS) | \
55 	 BIT(FLOW_DISSECTOR_KEY_ENC_IP))
56 
57 #define NFP_FLOWER_WHITELIST_TUN_DISSECTOR_R \
58 	(BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \
59 	 BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS))
60 
61 #define NFP_FLOWER_WHITELIST_TUN_DISSECTOR_V6_R \
62 	(BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) | \
63 	 BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS))
64 
65 #define NFP_FLOWER_MERGE_FIELDS \
66 	(NFP_FLOWER_LAYER_PORT | \
67 	 NFP_FLOWER_LAYER_MAC | \
68 	 NFP_FLOWER_LAYER_TP | \
69 	 NFP_FLOWER_LAYER_IPV4 | \
70 	 NFP_FLOWER_LAYER_IPV6)
71 
72 #define NFP_FLOWER_PRE_TUN_RULE_FIELDS \
73 	(NFP_FLOWER_LAYER_EXT_META | \
74 	 NFP_FLOWER_LAYER_PORT | \
75 	 NFP_FLOWER_LAYER_MAC | \
76 	 NFP_FLOWER_LAYER_IPV4 | \
77 	 NFP_FLOWER_LAYER_IPV6)
78 
79 struct nfp_flower_merge_check {
80 	union {
81 		struct {
82 			__be16 tci;
83 			struct nfp_flower_mac_mpls l2;
84 			struct nfp_flower_tp_ports l4;
85 			union {
86 				struct nfp_flower_ipv4 ipv4;
87 				struct nfp_flower_ipv6 ipv6;
88 			};
89 		};
90 		unsigned long vals[8];
91 	};
92 };
93 
94 int
95 nfp_flower_xmit_flow(struct nfp_app *app, struct nfp_fl_payload *nfp_flow,
96 		     u8 mtype)
97 {
98 	u32 meta_len, key_len, mask_len, act_len, tot_len;
99 	struct sk_buff *skb;
100 	unsigned char *msg;
101 
102 	meta_len =  sizeof(struct nfp_fl_rule_metadata);
103 	key_len = nfp_flow->meta.key_len;
104 	mask_len = nfp_flow->meta.mask_len;
105 	act_len = nfp_flow->meta.act_len;
106 
107 	tot_len = meta_len + key_len + mask_len + act_len;
108 
109 	/* Convert to long words as firmware expects
110 	 * lengths in units of NFP_FL_LW_SIZ.
111 	 */
112 	nfp_flow->meta.key_len >>= NFP_FL_LW_SIZ;
113 	nfp_flow->meta.mask_len >>= NFP_FL_LW_SIZ;
114 	nfp_flow->meta.act_len >>= NFP_FL_LW_SIZ;
115 
116 	skb = nfp_flower_cmsg_alloc(app, tot_len, mtype, GFP_KERNEL);
117 	if (!skb)
118 		return -ENOMEM;
119 
120 	msg = nfp_flower_cmsg_get_data(skb);
121 	memcpy(msg, &nfp_flow->meta, meta_len);
122 	memcpy(&msg[meta_len], nfp_flow->unmasked_data, key_len);
123 	memcpy(&msg[meta_len + key_len], nfp_flow->mask_data, mask_len);
124 	memcpy(&msg[meta_len + key_len + mask_len],
125 	       nfp_flow->action_data, act_len);
126 
127 	/* Convert back to bytes as software expects
128 	 * lengths in units of bytes.
129 	 */
130 	nfp_flow->meta.key_len <<= NFP_FL_LW_SIZ;
131 	nfp_flow->meta.mask_len <<= NFP_FL_LW_SIZ;
132 	nfp_flow->meta.act_len <<= NFP_FL_LW_SIZ;
133 
134 	nfp_ctrl_tx(app->ctrl, skb);
135 
136 	return 0;
137 }
138 
139 static bool nfp_flower_check_higher_than_mac(struct flow_rule *rule)
140 {
141 	return flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS) ||
142 	       flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV6_ADDRS) ||
143 	       flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_PORTS) ||
144 	       flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ICMP);
145 }
146 
147 static bool nfp_flower_check_higher_than_l3(struct flow_rule *rule)
148 {
149 	return flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_PORTS) ||
150 	       flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ICMP);
151 }
152 
153 static int
154 nfp_flower_calc_opt_layer(struct flow_dissector_key_enc_opts *enc_opts,
155 			  u32 *key_layer_two, int *key_size, bool ipv6,
156 			  struct netlink_ext_ack *extack)
157 {
158 	if (enc_opts->len > NFP_FL_MAX_GENEVE_OPT_KEY ||
159 	    (ipv6 && enc_opts->len > NFP_FL_MAX_GENEVE_OPT_KEY_V6)) {
160 		NL_SET_ERR_MSG_MOD(extack, "unsupported offload: geneve options exceed maximum length");
161 		return -EOPNOTSUPP;
162 	}
163 
164 	if (enc_opts->len > 0) {
165 		*key_layer_two |= NFP_FLOWER_LAYER2_GENEVE_OP;
166 		*key_size += sizeof(struct nfp_flower_geneve_options);
167 	}
168 
169 	return 0;
170 }
171 
172 static int
173 nfp_flower_calc_udp_tun_layer(struct flow_dissector_key_ports *enc_ports,
174 			      struct flow_dissector_key_enc_opts *enc_op,
175 			      u32 *key_layer_two, u8 *key_layer, int *key_size,
176 			      struct nfp_flower_priv *priv,
177 			      enum nfp_flower_tun_type *tun_type, bool ipv6,
178 			      struct netlink_ext_ack *extack)
179 {
180 	int err;
181 
182 	switch (enc_ports->dst) {
183 	case htons(IANA_VXLAN_UDP_PORT):
184 		*tun_type = NFP_FL_TUNNEL_VXLAN;
185 		*key_layer |= NFP_FLOWER_LAYER_VXLAN;
186 
187 		if (ipv6) {
188 			*key_layer |= NFP_FLOWER_LAYER_EXT_META;
189 			*key_size += sizeof(struct nfp_flower_ext_meta);
190 			*key_layer_two |= NFP_FLOWER_LAYER2_TUN_IPV6;
191 			*key_size += sizeof(struct nfp_flower_ipv6_udp_tun);
192 		} else {
193 			*key_size += sizeof(struct nfp_flower_ipv4_udp_tun);
194 		}
195 
196 		if (enc_op) {
197 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: encap options not supported on vxlan tunnels");
198 			return -EOPNOTSUPP;
199 		}
200 		break;
201 	case htons(GENEVE_UDP_PORT):
202 		if (!(priv->flower_ext_feats & NFP_FL_FEATS_GENEVE)) {
203 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support geneve offload");
204 			return -EOPNOTSUPP;
205 		}
206 		*tun_type = NFP_FL_TUNNEL_GENEVE;
207 		*key_layer |= NFP_FLOWER_LAYER_EXT_META;
208 		*key_size += sizeof(struct nfp_flower_ext_meta);
209 		*key_layer_two |= NFP_FLOWER_LAYER2_GENEVE;
210 
211 		if (ipv6) {
212 			*key_layer_two |= NFP_FLOWER_LAYER2_TUN_IPV6;
213 			*key_size += sizeof(struct nfp_flower_ipv6_udp_tun);
214 		} else {
215 			*key_size += sizeof(struct nfp_flower_ipv4_udp_tun);
216 		}
217 
218 		if (!enc_op)
219 			break;
220 		if (!(priv->flower_ext_feats & NFP_FL_FEATS_GENEVE_OPT)) {
221 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support geneve option offload");
222 			return -EOPNOTSUPP;
223 		}
224 		err = nfp_flower_calc_opt_layer(enc_op, key_layer_two, key_size,
225 						ipv6, extack);
226 		if (err)
227 			return err;
228 		break;
229 	default:
230 		NL_SET_ERR_MSG_MOD(extack, "unsupported offload: tunnel type unknown");
231 		return -EOPNOTSUPP;
232 	}
233 
234 	return 0;
235 }
236 
237 int
238 nfp_flower_calculate_key_layers(struct nfp_app *app,
239 				struct net_device *netdev,
240 				struct nfp_fl_key_ls *ret_key_ls,
241 				struct flow_rule *rule,
242 				enum nfp_flower_tun_type *tun_type,
243 				struct netlink_ext_ack *extack)
244 {
245 	struct flow_dissector *dissector = rule->match.dissector;
246 	struct flow_match_basic basic = { NULL, NULL};
247 	struct nfp_flower_priv *priv = app->priv;
248 	u32 key_layer_two;
249 	u8 key_layer;
250 	int key_size;
251 	int err;
252 
253 	if (dissector->used_keys & ~NFP_FLOWER_WHITELIST_DISSECTOR) {
254 		NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match not supported");
255 		return -EOPNOTSUPP;
256 	}
257 
258 	/* If any tun dissector is used then the required set must be used. */
259 	if (dissector->used_keys & NFP_FLOWER_WHITELIST_TUN_DISSECTOR &&
260 	    (dissector->used_keys & NFP_FLOWER_WHITELIST_TUN_DISSECTOR_V6_R)
261 	    != NFP_FLOWER_WHITELIST_TUN_DISSECTOR_V6_R &&
262 	    (dissector->used_keys & NFP_FLOWER_WHITELIST_TUN_DISSECTOR_R)
263 	    != NFP_FLOWER_WHITELIST_TUN_DISSECTOR_R) {
264 		NL_SET_ERR_MSG_MOD(extack, "unsupported offload: tunnel match not supported");
265 		return -EOPNOTSUPP;
266 	}
267 
268 	key_layer_two = 0;
269 	key_layer = NFP_FLOWER_LAYER_PORT;
270 	key_size = sizeof(struct nfp_flower_meta_tci) +
271 		   sizeof(struct nfp_flower_in_port);
272 
273 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS) ||
274 	    flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_MPLS)) {
275 		key_layer |= NFP_FLOWER_LAYER_MAC;
276 		key_size += sizeof(struct nfp_flower_mac_mpls);
277 	}
278 
279 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_VLAN)) {
280 		struct flow_match_vlan vlan;
281 
282 		flow_rule_match_vlan(rule, &vlan);
283 		if (!(priv->flower_ext_feats & NFP_FL_FEATS_VLAN_PCP) &&
284 		    vlan.key->vlan_priority) {
285 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support VLAN PCP offload");
286 			return -EOPNOTSUPP;
287 		}
288 		if (priv->flower_ext_feats & NFP_FL_FEATS_VLAN_QINQ &&
289 		    !(key_layer_two & NFP_FLOWER_LAYER2_QINQ)) {
290 			key_layer |= NFP_FLOWER_LAYER_EXT_META;
291 			key_size += sizeof(struct nfp_flower_ext_meta);
292 			key_size += sizeof(struct nfp_flower_vlan);
293 			key_layer_two |= NFP_FLOWER_LAYER2_QINQ;
294 		}
295 	}
296 
297 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CVLAN)) {
298 		struct flow_match_vlan cvlan;
299 
300 		if (!(priv->flower_ext_feats & NFP_FL_FEATS_VLAN_QINQ)) {
301 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support VLAN QinQ offload");
302 			return -EOPNOTSUPP;
303 		}
304 
305 		flow_rule_match_vlan(rule, &cvlan);
306 		if (!(key_layer_two & NFP_FLOWER_LAYER2_QINQ)) {
307 			key_layer |= NFP_FLOWER_LAYER_EXT_META;
308 			key_size += sizeof(struct nfp_flower_ext_meta);
309 			key_size += sizeof(struct nfp_flower_vlan);
310 			key_layer_two |= NFP_FLOWER_LAYER2_QINQ;
311 		}
312 	}
313 
314 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_CONTROL)) {
315 		struct flow_match_enc_opts enc_op = { NULL, NULL };
316 		struct flow_match_ipv4_addrs ipv4_addrs;
317 		struct flow_match_ipv6_addrs ipv6_addrs;
318 		struct flow_match_control enc_ctl;
319 		struct flow_match_ports enc_ports;
320 		bool ipv6_tun = false;
321 
322 		flow_rule_match_enc_control(rule, &enc_ctl);
323 
324 		if (enc_ctl.mask->addr_type != 0xffff) {
325 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: wildcarded protocols on tunnels are not supported");
326 			return -EOPNOTSUPP;
327 		}
328 
329 		ipv6_tun = enc_ctl.key->addr_type ==
330 				FLOW_DISSECTOR_KEY_IPV6_ADDRS;
331 		if (ipv6_tun &&
332 		    !(priv->flower_ext_feats & NFP_FL_FEATS_IPV6_TUN)) {
333 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: firmware does not support IPv6 tunnels");
334 			return -EOPNOTSUPP;
335 		}
336 
337 		if (!ipv6_tun &&
338 		    enc_ctl.key->addr_type != FLOW_DISSECTOR_KEY_IPV4_ADDRS) {
339 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: tunnel address type not IPv4 or IPv6");
340 			return -EOPNOTSUPP;
341 		}
342 
343 		if (ipv6_tun) {
344 			flow_rule_match_enc_ipv6_addrs(rule, &ipv6_addrs);
345 			if (memchr_inv(&ipv6_addrs.mask->dst, 0xff,
346 				       sizeof(ipv6_addrs.mask->dst))) {
347 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: only an exact match IPv6 destination address is supported");
348 				return -EOPNOTSUPP;
349 			}
350 		} else {
351 			flow_rule_match_enc_ipv4_addrs(rule, &ipv4_addrs);
352 			if (ipv4_addrs.mask->dst != cpu_to_be32(~0)) {
353 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: only an exact match IPv4 destination address is supported");
354 				return -EOPNOTSUPP;
355 			}
356 		}
357 
358 		if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_OPTS))
359 			flow_rule_match_enc_opts(rule, &enc_op);
360 
361 		if (!flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_PORTS)) {
362 			/* check if GRE, which has no enc_ports */
363 			if (!netif_is_gretap(netdev) && !netif_is_ip6gretap(netdev)) {
364 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: an exact match on L4 destination port is required for non-GRE tunnels");
365 				return -EOPNOTSUPP;
366 			}
367 
368 			*tun_type = NFP_FL_TUNNEL_GRE;
369 			key_layer |= NFP_FLOWER_LAYER_EXT_META;
370 			key_size += sizeof(struct nfp_flower_ext_meta);
371 			key_layer_two |= NFP_FLOWER_LAYER2_GRE;
372 
373 			if (ipv6_tun) {
374 				key_layer_two |= NFP_FLOWER_LAYER2_TUN_IPV6;
375 				key_size +=
376 					sizeof(struct nfp_flower_ipv6_udp_tun);
377 			} else {
378 				key_size +=
379 					sizeof(struct nfp_flower_ipv4_udp_tun);
380 			}
381 
382 			if (enc_op.key) {
383 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: encap options not supported on GRE tunnels");
384 				return -EOPNOTSUPP;
385 			}
386 		} else {
387 			flow_rule_match_enc_ports(rule, &enc_ports);
388 			if (enc_ports.mask->dst != cpu_to_be16(~0)) {
389 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: only an exact match L4 destination port is supported");
390 				return -EOPNOTSUPP;
391 			}
392 
393 			err = nfp_flower_calc_udp_tun_layer(enc_ports.key,
394 							    enc_op.key,
395 							    &key_layer_two,
396 							    &key_layer,
397 							    &key_size, priv,
398 							    tun_type, ipv6_tun,
399 							    extack);
400 			if (err)
401 				return err;
402 
403 			/* Ensure the ingress netdev matches the expected
404 			 * tun type.
405 			 */
406 			if (!nfp_fl_netdev_is_tunnel_type(netdev, *tun_type)) {
407 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: ingress netdev does not match the expected tunnel type");
408 				return -EOPNOTSUPP;
409 			}
410 		}
411 	}
412 
413 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_BASIC))
414 		flow_rule_match_basic(rule, &basic);
415 
416 	if (basic.mask && basic.mask->n_proto) {
417 		/* Ethernet type is present in the key. */
418 		switch (basic.key->n_proto) {
419 		case cpu_to_be16(ETH_P_IP):
420 			key_layer |= NFP_FLOWER_LAYER_IPV4;
421 			key_size += sizeof(struct nfp_flower_ipv4);
422 			break;
423 
424 		case cpu_to_be16(ETH_P_IPV6):
425 			key_layer |= NFP_FLOWER_LAYER_IPV6;
426 			key_size += sizeof(struct nfp_flower_ipv6);
427 			break;
428 
429 		/* Currently we do not offload ARP
430 		 * because we rely on it to get to the host.
431 		 */
432 		case cpu_to_be16(ETH_P_ARP):
433 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: ARP not supported");
434 			return -EOPNOTSUPP;
435 
436 		case cpu_to_be16(ETH_P_MPLS_UC):
437 		case cpu_to_be16(ETH_P_MPLS_MC):
438 			if (!(key_layer & NFP_FLOWER_LAYER_MAC)) {
439 				key_layer |= NFP_FLOWER_LAYER_MAC;
440 				key_size += sizeof(struct nfp_flower_mac_mpls);
441 			}
442 			break;
443 
444 		/* Will be included in layer 2. */
445 		case cpu_to_be16(ETH_P_8021Q):
446 			break;
447 
448 		default:
449 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on given EtherType is not supported");
450 			return -EOPNOTSUPP;
451 		}
452 	} else if (nfp_flower_check_higher_than_mac(rule)) {
453 		NL_SET_ERR_MSG_MOD(extack, "unsupported offload: cannot match above L2 without specified EtherType");
454 		return -EOPNOTSUPP;
455 	}
456 
457 	if (basic.mask && basic.mask->ip_proto) {
458 		switch (basic.key->ip_proto) {
459 		case IPPROTO_TCP:
460 		case IPPROTO_UDP:
461 		case IPPROTO_SCTP:
462 		case IPPROTO_ICMP:
463 		case IPPROTO_ICMPV6:
464 			key_layer |= NFP_FLOWER_LAYER_TP;
465 			key_size += sizeof(struct nfp_flower_tp_ports);
466 			break;
467 		}
468 	}
469 
470 	if (!(key_layer & NFP_FLOWER_LAYER_TP) &&
471 	    nfp_flower_check_higher_than_l3(rule)) {
472 		NL_SET_ERR_MSG_MOD(extack, "unsupported offload: cannot match on L4 information without specified IP protocol type");
473 		return -EOPNOTSUPP;
474 	}
475 
476 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_TCP)) {
477 		struct flow_match_tcp tcp;
478 		u32 tcp_flags;
479 
480 		flow_rule_match_tcp(rule, &tcp);
481 		tcp_flags = be16_to_cpu(tcp.key->flags);
482 
483 		if (tcp_flags & ~NFP_FLOWER_SUPPORTED_TCPFLAGS) {
484 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: no match support for selected TCP flags");
485 			return -EOPNOTSUPP;
486 		}
487 
488 		/* We only support PSH and URG flags when either
489 		 * FIN, SYN or RST is present as well.
490 		 */
491 		if ((tcp_flags & (TCPHDR_PSH | TCPHDR_URG)) &&
492 		    !(tcp_flags & (TCPHDR_FIN | TCPHDR_SYN | TCPHDR_RST))) {
493 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: PSH and URG is only supported when used with FIN, SYN or RST");
494 			return -EOPNOTSUPP;
495 		}
496 
497 		/* We need to store TCP flags in the either the IPv4 or IPv6 key
498 		 * space, thus we need to ensure we include a IPv4/IPv6 key
499 		 * layer if we have not done so already.
500 		 */
501 		if (!basic.key) {
502 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on TCP flags requires a match on L3 protocol");
503 			return -EOPNOTSUPP;
504 		}
505 
506 		if (!(key_layer & NFP_FLOWER_LAYER_IPV4) &&
507 		    !(key_layer & NFP_FLOWER_LAYER_IPV6)) {
508 			switch (basic.key->n_proto) {
509 			case cpu_to_be16(ETH_P_IP):
510 				key_layer |= NFP_FLOWER_LAYER_IPV4;
511 				key_size += sizeof(struct nfp_flower_ipv4);
512 				break;
513 
514 			case cpu_to_be16(ETH_P_IPV6):
515 					key_layer |= NFP_FLOWER_LAYER_IPV6;
516 				key_size += sizeof(struct nfp_flower_ipv6);
517 				break;
518 
519 			default:
520 				NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on TCP flags requires a match on IPv4/IPv6");
521 				return -EOPNOTSUPP;
522 			}
523 		}
524 	}
525 
526 	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) {
527 		struct flow_match_control ctl;
528 
529 		flow_rule_match_control(rule, &ctl);
530 		if (ctl.key->flags & ~NFP_FLOWER_SUPPORTED_CTLFLAGS) {
531 			NL_SET_ERR_MSG_MOD(extack, "unsupported offload: match on unknown control flag");
532 			return -EOPNOTSUPP;
533 		}
534 	}
535 
536 	ret_key_ls->key_layer = key_layer;
537 	ret_key_ls->key_layer_two = key_layer_two;
538 	ret_key_ls->key_size = key_size;
539 
540 	return 0;
541 }
542 
543 struct nfp_fl_payload *
544 nfp_flower_allocate_new(struct nfp_fl_key_ls *key_layer)
545 {
546 	struct nfp_fl_payload *flow_pay;
547 
548 	flow_pay = kmalloc(sizeof(*flow_pay), GFP_KERNEL);
549 	if (!flow_pay)
550 		return NULL;
551 
552 	flow_pay->meta.key_len = key_layer->key_size;
553 	flow_pay->unmasked_data = kmalloc(key_layer->key_size, GFP_KERNEL);
554 	if (!flow_pay->unmasked_data)
555 		goto err_free_flow;
556 
557 	flow_pay->meta.mask_len = key_layer->key_size;
558 	flow_pay->mask_data = kmalloc(key_layer->key_size, GFP_KERNEL);
559 	if (!flow_pay->mask_data)
560 		goto err_free_unmasked;
561 
562 	flow_pay->action_data = kmalloc(NFP_FL_MAX_A_SIZ, GFP_KERNEL);
563 	if (!flow_pay->action_data)
564 		goto err_free_mask;
565 
566 	flow_pay->nfp_tun_ipv4_addr = 0;
567 	flow_pay->nfp_tun_ipv6 = NULL;
568 	flow_pay->meta.flags = 0;
569 	INIT_LIST_HEAD(&flow_pay->linked_flows);
570 	flow_pay->in_hw = false;
571 	flow_pay->pre_tun_rule.dev = NULL;
572 
573 	return flow_pay;
574 
575 err_free_mask:
576 	kfree(flow_pay->mask_data);
577 err_free_unmasked:
578 	kfree(flow_pay->unmasked_data);
579 err_free_flow:
580 	kfree(flow_pay);
581 	return NULL;
582 }
583 
584 static int
585 nfp_flower_update_merge_with_actions(struct nfp_fl_payload *flow,
586 				     struct nfp_flower_merge_check *merge,
587 				     u8 *last_act_id, int *act_out)
588 {
589 	struct nfp_fl_set_ipv6_tc_hl_fl *ipv6_tc_hl_fl;
590 	struct nfp_fl_set_ip4_ttl_tos *ipv4_ttl_tos;
591 	struct nfp_fl_set_ip4_addrs *ipv4_add;
592 	struct nfp_fl_set_ipv6_addr *ipv6_add;
593 	struct nfp_fl_push_vlan *push_vlan;
594 	struct nfp_fl_pre_tunnel *pre_tun;
595 	struct nfp_fl_set_tport *tport;
596 	struct nfp_fl_set_eth *eth;
597 	struct nfp_fl_act_head *a;
598 	unsigned int act_off = 0;
599 	bool ipv6_tun = false;
600 	u8 act_id = 0;
601 	u8 *ports;
602 	int i;
603 
604 	while (act_off < flow->meta.act_len) {
605 		a = (struct nfp_fl_act_head *)&flow->action_data[act_off];
606 		act_id = a->jump_id;
607 
608 		switch (act_id) {
609 		case NFP_FL_ACTION_OPCODE_OUTPUT:
610 			if (act_out)
611 				(*act_out)++;
612 			break;
613 		case NFP_FL_ACTION_OPCODE_PUSH_VLAN:
614 			push_vlan = (struct nfp_fl_push_vlan *)a;
615 			if (push_vlan->vlan_tci)
616 				merge->tci = cpu_to_be16(0xffff);
617 			break;
618 		case NFP_FL_ACTION_OPCODE_POP_VLAN:
619 			merge->tci = cpu_to_be16(0);
620 			break;
621 		case NFP_FL_ACTION_OPCODE_SET_TUNNEL:
622 			/* New tunnel header means l2 to l4 can be matched. */
623 			eth_broadcast_addr(&merge->l2.mac_dst[0]);
624 			eth_broadcast_addr(&merge->l2.mac_src[0]);
625 			memset(&merge->l4, 0xff,
626 			       sizeof(struct nfp_flower_tp_ports));
627 			if (ipv6_tun)
628 				memset(&merge->ipv6, 0xff,
629 				       sizeof(struct nfp_flower_ipv6));
630 			else
631 				memset(&merge->ipv4, 0xff,
632 				       sizeof(struct nfp_flower_ipv4));
633 			break;
634 		case NFP_FL_ACTION_OPCODE_SET_ETHERNET:
635 			eth = (struct nfp_fl_set_eth *)a;
636 			for (i = 0; i < ETH_ALEN; i++)
637 				merge->l2.mac_dst[i] |= eth->eth_addr_mask[i];
638 			for (i = 0; i < ETH_ALEN; i++)
639 				merge->l2.mac_src[i] |=
640 					eth->eth_addr_mask[ETH_ALEN + i];
641 			break;
642 		case NFP_FL_ACTION_OPCODE_SET_IPV4_ADDRS:
643 			ipv4_add = (struct nfp_fl_set_ip4_addrs *)a;
644 			merge->ipv4.ipv4_src |= ipv4_add->ipv4_src_mask;
645 			merge->ipv4.ipv4_dst |= ipv4_add->ipv4_dst_mask;
646 			break;
647 		case NFP_FL_ACTION_OPCODE_SET_IPV4_TTL_TOS:
648 			ipv4_ttl_tos = (struct nfp_fl_set_ip4_ttl_tos *)a;
649 			merge->ipv4.ip_ext.ttl |= ipv4_ttl_tos->ipv4_ttl_mask;
650 			merge->ipv4.ip_ext.tos |= ipv4_ttl_tos->ipv4_tos_mask;
651 			break;
652 		case NFP_FL_ACTION_OPCODE_SET_IPV6_SRC:
653 			ipv6_add = (struct nfp_fl_set_ipv6_addr *)a;
654 			for (i = 0; i < 4; i++)
655 				merge->ipv6.ipv6_src.in6_u.u6_addr32[i] |=
656 					ipv6_add->ipv6[i].mask;
657 			break;
658 		case NFP_FL_ACTION_OPCODE_SET_IPV6_DST:
659 			ipv6_add = (struct nfp_fl_set_ipv6_addr *)a;
660 			for (i = 0; i < 4; i++)
661 				merge->ipv6.ipv6_dst.in6_u.u6_addr32[i] |=
662 					ipv6_add->ipv6[i].mask;
663 			break;
664 		case NFP_FL_ACTION_OPCODE_SET_IPV6_TC_HL_FL:
665 			ipv6_tc_hl_fl = (struct nfp_fl_set_ipv6_tc_hl_fl *)a;
666 			merge->ipv6.ip_ext.ttl |=
667 				ipv6_tc_hl_fl->ipv6_hop_limit_mask;
668 			merge->ipv6.ip_ext.tos |= ipv6_tc_hl_fl->ipv6_tc_mask;
669 			merge->ipv6.ipv6_flow_label_exthdr |=
670 				ipv6_tc_hl_fl->ipv6_label_mask;
671 			break;
672 		case NFP_FL_ACTION_OPCODE_SET_UDP:
673 		case NFP_FL_ACTION_OPCODE_SET_TCP:
674 			tport = (struct nfp_fl_set_tport *)a;
675 			ports = (u8 *)&merge->l4.port_src;
676 			for (i = 0; i < 4; i++)
677 				ports[i] |= tport->tp_port_mask[i];
678 			break;
679 		case NFP_FL_ACTION_OPCODE_PRE_TUNNEL:
680 			pre_tun = (struct nfp_fl_pre_tunnel *)a;
681 			ipv6_tun = be16_to_cpu(pre_tun->flags) &
682 					NFP_FL_PRE_TUN_IPV6;
683 			break;
684 		case NFP_FL_ACTION_OPCODE_PRE_LAG:
685 		case NFP_FL_ACTION_OPCODE_PUSH_GENEVE:
686 			break;
687 		default:
688 			return -EOPNOTSUPP;
689 		}
690 
691 		act_off += a->len_lw << NFP_FL_LW_SIZ;
692 	}
693 
694 	if (last_act_id)
695 		*last_act_id = act_id;
696 
697 	return 0;
698 }
699 
700 static int
701 nfp_flower_populate_merge_match(struct nfp_fl_payload *flow,
702 				struct nfp_flower_merge_check *merge,
703 				bool extra_fields)
704 {
705 	struct nfp_flower_meta_tci *meta_tci;
706 	u8 *mask = flow->mask_data;
707 	u8 key_layer, match_size;
708 
709 	memset(merge, 0, sizeof(struct nfp_flower_merge_check));
710 
711 	meta_tci = (struct nfp_flower_meta_tci *)mask;
712 	key_layer = meta_tci->nfp_flow_key_layer;
713 
714 	if (key_layer & ~NFP_FLOWER_MERGE_FIELDS && !extra_fields)
715 		return -EOPNOTSUPP;
716 
717 	merge->tci = meta_tci->tci;
718 	mask += sizeof(struct nfp_flower_meta_tci);
719 
720 	if (key_layer & NFP_FLOWER_LAYER_EXT_META)
721 		mask += sizeof(struct nfp_flower_ext_meta);
722 
723 	mask += sizeof(struct nfp_flower_in_port);
724 
725 	if (key_layer & NFP_FLOWER_LAYER_MAC) {
726 		match_size = sizeof(struct nfp_flower_mac_mpls);
727 		memcpy(&merge->l2, mask, match_size);
728 		mask += match_size;
729 	}
730 
731 	if (key_layer & NFP_FLOWER_LAYER_TP) {
732 		match_size = sizeof(struct nfp_flower_tp_ports);
733 		memcpy(&merge->l4, mask, match_size);
734 		mask += match_size;
735 	}
736 
737 	if (key_layer & NFP_FLOWER_LAYER_IPV4) {
738 		match_size = sizeof(struct nfp_flower_ipv4);
739 		memcpy(&merge->ipv4, mask, match_size);
740 	}
741 
742 	if (key_layer & NFP_FLOWER_LAYER_IPV6) {
743 		match_size = sizeof(struct nfp_flower_ipv6);
744 		memcpy(&merge->ipv6, mask, match_size);
745 	}
746 
747 	return 0;
748 }
749 
750 static int
751 nfp_flower_can_merge(struct nfp_fl_payload *sub_flow1,
752 		     struct nfp_fl_payload *sub_flow2)
753 {
754 	/* Two flows can be merged if sub_flow2 only matches on bits that are
755 	 * either matched by sub_flow1 or set by a sub_flow1 action. This
756 	 * ensures that every packet that hits sub_flow1 and recirculates is
757 	 * guaranteed to hit sub_flow2.
758 	 */
759 	struct nfp_flower_merge_check sub_flow1_merge, sub_flow2_merge;
760 	int err, act_out = 0;
761 	u8 last_act_id = 0;
762 
763 	err = nfp_flower_populate_merge_match(sub_flow1, &sub_flow1_merge,
764 					      true);
765 	if (err)
766 		return err;
767 
768 	err = nfp_flower_populate_merge_match(sub_flow2, &sub_flow2_merge,
769 					      false);
770 	if (err)
771 		return err;
772 
773 	err = nfp_flower_update_merge_with_actions(sub_flow1, &sub_flow1_merge,
774 						   &last_act_id, &act_out);
775 	if (err)
776 		return err;
777 
778 	/* Must only be 1 output action and it must be the last in sequence. */
779 	if (act_out != 1 || last_act_id != NFP_FL_ACTION_OPCODE_OUTPUT)
780 		return -EOPNOTSUPP;
781 
782 	/* Reject merge if sub_flow2 matches on something that is not matched
783 	 * on or set in an action by sub_flow1.
784 	 */
785 	err = bitmap_andnot(sub_flow2_merge.vals, sub_flow2_merge.vals,
786 			    sub_flow1_merge.vals,
787 			    sizeof(struct nfp_flower_merge_check) * 8);
788 	if (err)
789 		return -EINVAL;
790 
791 	return 0;
792 }
793 
794 static unsigned int
795 nfp_flower_copy_pre_actions(char *act_dst, char *act_src, int len,
796 			    bool *tunnel_act)
797 {
798 	unsigned int act_off = 0, act_len;
799 	struct nfp_fl_act_head *a;
800 	u8 act_id = 0;
801 
802 	while (act_off < len) {
803 		a = (struct nfp_fl_act_head *)&act_src[act_off];
804 		act_len = a->len_lw << NFP_FL_LW_SIZ;
805 		act_id = a->jump_id;
806 
807 		switch (act_id) {
808 		case NFP_FL_ACTION_OPCODE_PRE_TUNNEL:
809 			if (tunnel_act)
810 				*tunnel_act = true;
811 			fallthrough;
812 		case NFP_FL_ACTION_OPCODE_PRE_LAG:
813 			memcpy(act_dst + act_off, act_src + act_off, act_len);
814 			break;
815 		default:
816 			return act_off;
817 		}
818 
819 		act_off += act_len;
820 	}
821 
822 	return act_off;
823 }
824 
825 static int
826 nfp_fl_verify_post_tun_acts(char *acts, int len, struct nfp_fl_push_vlan **vlan)
827 {
828 	struct nfp_fl_act_head *a;
829 	unsigned int act_off = 0;
830 
831 	while (act_off < len) {
832 		a = (struct nfp_fl_act_head *)&acts[act_off];
833 
834 		if (a->jump_id == NFP_FL_ACTION_OPCODE_PUSH_VLAN && !act_off)
835 			*vlan = (struct nfp_fl_push_vlan *)a;
836 		else if (a->jump_id != NFP_FL_ACTION_OPCODE_OUTPUT)
837 			return -EOPNOTSUPP;
838 
839 		act_off += a->len_lw << NFP_FL_LW_SIZ;
840 	}
841 
842 	/* Ensure any VLAN push also has an egress action. */
843 	if (*vlan && act_off <= sizeof(struct nfp_fl_push_vlan))
844 		return -EOPNOTSUPP;
845 
846 	return 0;
847 }
848 
849 static int
850 nfp_fl_push_vlan_after_tun(char *acts, int len, struct nfp_fl_push_vlan *vlan)
851 {
852 	struct nfp_fl_set_tun *tun;
853 	struct nfp_fl_act_head *a;
854 	unsigned int act_off = 0;
855 
856 	while (act_off < len) {
857 		a = (struct nfp_fl_act_head *)&acts[act_off];
858 
859 		if (a->jump_id == NFP_FL_ACTION_OPCODE_SET_TUNNEL) {
860 			tun = (struct nfp_fl_set_tun *)a;
861 			tun->outer_vlan_tpid = vlan->vlan_tpid;
862 			tun->outer_vlan_tci = vlan->vlan_tci;
863 
864 			return 0;
865 		}
866 
867 		act_off += a->len_lw << NFP_FL_LW_SIZ;
868 	}
869 
870 	/* Return error if no tunnel action is found. */
871 	return -EOPNOTSUPP;
872 }
873 
874 static int
875 nfp_flower_merge_action(struct nfp_fl_payload *sub_flow1,
876 			struct nfp_fl_payload *sub_flow2,
877 			struct nfp_fl_payload *merge_flow)
878 {
879 	unsigned int sub1_act_len, sub2_act_len, pre_off1, pre_off2;
880 	struct nfp_fl_push_vlan *post_tun_push_vlan = NULL;
881 	bool tunnel_act = false;
882 	char *merge_act;
883 	int err;
884 
885 	/* The last action of sub_flow1 must be output - do not merge this. */
886 	sub1_act_len = sub_flow1->meta.act_len - sizeof(struct nfp_fl_output);
887 	sub2_act_len = sub_flow2->meta.act_len;
888 
889 	if (!sub2_act_len)
890 		return -EINVAL;
891 
892 	if (sub1_act_len + sub2_act_len > NFP_FL_MAX_A_SIZ)
893 		return -EINVAL;
894 
895 	/* A shortcut can only be applied if there is a single action. */
896 	if (sub1_act_len)
897 		merge_flow->meta.shortcut = cpu_to_be32(NFP_FL_SC_ACT_NULL);
898 	else
899 		merge_flow->meta.shortcut = sub_flow2->meta.shortcut;
900 
901 	merge_flow->meta.act_len = sub1_act_len + sub2_act_len;
902 	merge_act = merge_flow->action_data;
903 
904 	/* Copy any pre-actions to the start of merge flow action list. */
905 	pre_off1 = nfp_flower_copy_pre_actions(merge_act,
906 					       sub_flow1->action_data,
907 					       sub1_act_len, &tunnel_act);
908 	merge_act += pre_off1;
909 	sub1_act_len -= pre_off1;
910 	pre_off2 = nfp_flower_copy_pre_actions(merge_act,
911 					       sub_flow2->action_data,
912 					       sub2_act_len, NULL);
913 	merge_act += pre_off2;
914 	sub2_act_len -= pre_off2;
915 
916 	/* FW does a tunnel push when egressing, therefore, if sub_flow 1 pushes
917 	 * a tunnel, there are restrictions on what sub_flow 2 actions lead to a
918 	 * valid merge.
919 	 */
920 	if (tunnel_act) {
921 		char *post_tun_acts = &sub_flow2->action_data[pre_off2];
922 
923 		err = nfp_fl_verify_post_tun_acts(post_tun_acts, sub2_act_len,
924 						  &post_tun_push_vlan);
925 		if (err)
926 			return err;
927 
928 		if (post_tun_push_vlan) {
929 			pre_off2 += sizeof(*post_tun_push_vlan);
930 			sub2_act_len -= sizeof(*post_tun_push_vlan);
931 		}
932 	}
933 
934 	/* Copy remaining actions from sub_flows 1 and 2. */
935 	memcpy(merge_act, sub_flow1->action_data + pre_off1, sub1_act_len);
936 
937 	if (post_tun_push_vlan) {
938 		/* Update tunnel action in merge to include VLAN push. */
939 		err = nfp_fl_push_vlan_after_tun(merge_act, sub1_act_len,
940 						 post_tun_push_vlan);
941 		if (err)
942 			return err;
943 
944 		merge_flow->meta.act_len -= sizeof(*post_tun_push_vlan);
945 	}
946 
947 	merge_act += sub1_act_len;
948 	memcpy(merge_act, sub_flow2->action_data + pre_off2, sub2_act_len);
949 
950 	return 0;
951 }
952 
953 /* Flow link code should only be accessed under RTNL. */
954 static void nfp_flower_unlink_flow(struct nfp_fl_payload_link *link)
955 {
956 	list_del(&link->merge_flow.list);
957 	list_del(&link->sub_flow.list);
958 	kfree(link);
959 }
960 
961 static void nfp_flower_unlink_flows(struct nfp_fl_payload *merge_flow,
962 				    struct nfp_fl_payload *sub_flow)
963 {
964 	struct nfp_fl_payload_link *link;
965 
966 	list_for_each_entry(link, &merge_flow->linked_flows, merge_flow.list)
967 		if (link->sub_flow.flow == sub_flow) {
968 			nfp_flower_unlink_flow(link);
969 			return;
970 		}
971 }
972 
973 static int nfp_flower_link_flows(struct nfp_fl_payload *merge_flow,
974 				 struct nfp_fl_payload *sub_flow)
975 {
976 	struct nfp_fl_payload_link *link;
977 
978 	link = kmalloc(sizeof(*link), GFP_KERNEL);
979 	if (!link)
980 		return -ENOMEM;
981 
982 	link->merge_flow.flow = merge_flow;
983 	list_add_tail(&link->merge_flow.list, &merge_flow->linked_flows);
984 	link->sub_flow.flow = sub_flow;
985 	list_add_tail(&link->sub_flow.list, &sub_flow->linked_flows);
986 
987 	return 0;
988 }
989 
990 /**
991  * nfp_flower_merge_offloaded_flows() - Merge 2 existing flows to single flow.
992  * @app:	Pointer to the APP handle
993  * @sub_flow1:	Initial flow matched to produce merge hint
994  * @sub_flow2:	Post recirculation flow matched in merge hint
995  *
996  * Combines 2 flows (if valid) to a single flow, removing the initial from hw
997  * and offloading the new, merged flow.
998  *
999  * Return: negative value on error, 0 in success.
1000  */
1001 int nfp_flower_merge_offloaded_flows(struct nfp_app *app,
1002 				     struct nfp_fl_payload *sub_flow1,
1003 				     struct nfp_fl_payload *sub_flow2)
1004 {
1005 	struct nfp_flower_priv *priv = app->priv;
1006 	struct nfp_fl_payload *merge_flow;
1007 	struct nfp_fl_key_ls merge_key_ls;
1008 	struct nfp_merge_info *merge_info;
1009 	u64 parent_ctx = 0;
1010 	int err;
1011 
1012 	ASSERT_RTNL();
1013 
1014 	if (sub_flow1 == sub_flow2 ||
1015 	    nfp_flower_is_merge_flow(sub_flow1) ||
1016 	    nfp_flower_is_merge_flow(sub_flow2))
1017 		return -EINVAL;
1018 
1019 	/* check if the two flows are already merged */
1020 	parent_ctx = (u64)(be32_to_cpu(sub_flow1->meta.host_ctx_id)) << 32;
1021 	parent_ctx |= (u64)(be32_to_cpu(sub_flow2->meta.host_ctx_id));
1022 	if (rhashtable_lookup_fast(&priv->merge_table,
1023 				   &parent_ctx, merge_table_params)) {
1024 		nfp_flower_cmsg_warn(app, "The two flows are already merged.\n");
1025 		return 0;
1026 	}
1027 
1028 	err = nfp_flower_can_merge(sub_flow1, sub_flow2);
1029 	if (err)
1030 		return err;
1031 
1032 	merge_key_ls.key_size = sub_flow1->meta.key_len;
1033 
1034 	merge_flow = nfp_flower_allocate_new(&merge_key_ls);
1035 	if (!merge_flow)
1036 		return -ENOMEM;
1037 
1038 	merge_flow->tc_flower_cookie = (unsigned long)merge_flow;
1039 	merge_flow->ingress_dev = sub_flow1->ingress_dev;
1040 
1041 	memcpy(merge_flow->unmasked_data, sub_flow1->unmasked_data,
1042 	       sub_flow1->meta.key_len);
1043 	memcpy(merge_flow->mask_data, sub_flow1->mask_data,
1044 	       sub_flow1->meta.mask_len);
1045 
1046 	err = nfp_flower_merge_action(sub_flow1, sub_flow2, merge_flow);
1047 	if (err)
1048 		goto err_destroy_merge_flow;
1049 
1050 	err = nfp_flower_link_flows(merge_flow, sub_flow1);
1051 	if (err)
1052 		goto err_destroy_merge_flow;
1053 
1054 	err = nfp_flower_link_flows(merge_flow, sub_flow2);
1055 	if (err)
1056 		goto err_unlink_sub_flow1;
1057 
1058 	err = nfp_compile_flow_metadata(app, merge_flow->tc_flower_cookie, merge_flow,
1059 					merge_flow->ingress_dev, NULL);
1060 	if (err)
1061 		goto err_unlink_sub_flow2;
1062 
1063 	err = rhashtable_insert_fast(&priv->flow_table, &merge_flow->fl_node,
1064 				     nfp_flower_table_params);
1065 	if (err)
1066 		goto err_release_metadata;
1067 
1068 	merge_info = kmalloc(sizeof(*merge_info), GFP_KERNEL);
1069 	if (!merge_info) {
1070 		err = -ENOMEM;
1071 		goto err_remove_rhash;
1072 	}
1073 	merge_info->parent_ctx = parent_ctx;
1074 	err = rhashtable_insert_fast(&priv->merge_table, &merge_info->ht_node,
1075 				     merge_table_params);
1076 	if (err)
1077 		goto err_destroy_merge_info;
1078 
1079 	err = nfp_flower_xmit_flow(app, merge_flow,
1080 				   NFP_FLOWER_CMSG_TYPE_FLOW_MOD);
1081 	if (err)
1082 		goto err_remove_merge_info;
1083 
1084 	merge_flow->in_hw = true;
1085 	sub_flow1->in_hw = false;
1086 
1087 	return 0;
1088 
1089 err_remove_merge_info:
1090 	WARN_ON_ONCE(rhashtable_remove_fast(&priv->merge_table,
1091 					    &merge_info->ht_node,
1092 					    merge_table_params));
1093 err_destroy_merge_info:
1094 	kfree(merge_info);
1095 err_remove_rhash:
1096 	WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table,
1097 					    &merge_flow->fl_node,
1098 					    nfp_flower_table_params));
1099 err_release_metadata:
1100 	nfp_modify_flow_metadata(app, merge_flow);
1101 err_unlink_sub_flow2:
1102 	nfp_flower_unlink_flows(merge_flow, sub_flow2);
1103 err_unlink_sub_flow1:
1104 	nfp_flower_unlink_flows(merge_flow, sub_flow1);
1105 err_destroy_merge_flow:
1106 	kfree(merge_flow->action_data);
1107 	kfree(merge_flow->mask_data);
1108 	kfree(merge_flow->unmasked_data);
1109 	kfree(merge_flow);
1110 	return err;
1111 }
1112 
1113 /**
1114  * nfp_flower_validate_pre_tun_rule()
1115  * @app:	Pointer to the APP handle
1116  * @flow:	Pointer to NFP flow representation of rule
1117  * @key_ls:	Pointer to NFP key layers structure
1118  * @extack:	Netlink extended ACK report
1119  *
1120  * Verifies the flow as a pre-tunnel rule.
1121  *
1122  * Return: negative value on error, 0 if verified.
1123  */
1124 static int
1125 nfp_flower_validate_pre_tun_rule(struct nfp_app *app,
1126 				 struct nfp_fl_payload *flow,
1127 				 struct nfp_fl_key_ls *key_ls,
1128 				 struct netlink_ext_ack *extack)
1129 {
1130 	struct nfp_flower_priv *priv = app->priv;
1131 	struct nfp_flower_meta_tci *meta_tci;
1132 	struct nfp_flower_mac_mpls *mac;
1133 	u8 *ext = flow->unmasked_data;
1134 	struct nfp_fl_act_head *act;
1135 	u8 *mask = flow->mask_data;
1136 	bool vlan = false;
1137 	int act_offset;
1138 	u8 key_layer;
1139 
1140 	meta_tci = (struct nfp_flower_meta_tci *)flow->unmasked_data;
1141 	key_layer = key_ls->key_layer;
1142 	if (!(priv->flower_ext_feats & NFP_FL_FEATS_VLAN_QINQ)) {
1143 		if (meta_tci->tci & cpu_to_be16(NFP_FLOWER_MASK_VLAN_PRESENT)) {
1144 			u16 vlan_tci = be16_to_cpu(meta_tci->tci);
1145 
1146 			vlan_tci &= ~NFP_FLOWER_MASK_VLAN_PRESENT;
1147 			flow->pre_tun_rule.vlan_tci = cpu_to_be16(vlan_tci);
1148 			vlan = true;
1149 		} else {
1150 			flow->pre_tun_rule.vlan_tci = cpu_to_be16(0xffff);
1151 		}
1152 	}
1153 
1154 	if (key_layer & ~NFP_FLOWER_PRE_TUN_RULE_FIELDS) {
1155 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: too many match fields");
1156 		return -EOPNOTSUPP;
1157 	} else if (key_ls->key_layer_two & ~NFP_FLOWER_LAYER2_QINQ) {
1158 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: non-vlan in extended match fields");
1159 		return -EOPNOTSUPP;
1160 	}
1161 
1162 	if (!(key_layer & NFP_FLOWER_LAYER_MAC)) {
1163 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: MAC fields match required");
1164 		return -EOPNOTSUPP;
1165 	}
1166 
1167 	if (!(key_layer & NFP_FLOWER_LAYER_IPV4) &&
1168 	    !(key_layer & NFP_FLOWER_LAYER_IPV6)) {
1169 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: match on ipv4/ipv6 eth_type must be present");
1170 		return -EOPNOTSUPP;
1171 	}
1172 
1173 	if (key_layer & NFP_FLOWER_LAYER_IPV6)
1174 		flow->pre_tun_rule.is_ipv6 = true;
1175 	else
1176 		flow->pre_tun_rule.is_ipv6 = false;
1177 
1178 	/* Skip fields known to exist. */
1179 	mask += sizeof(struct nfp_flower_meta_tci);
1180 	ext += sizeof(struct nfp_flower_meta_tci);
1181 	if (key_ls->key_layer_two) {
1182 		mask += sizeof(struct nfp_flower_ext_meta);
1183 		ext += sizeof(struct nfp_flower_ext_meta);
1184 	}
1185 	mask += sizeof(struct nfp_flower_in_port);
1186 	ext += sizeof(struct nfp_flower_in_port);
1187 
1188 	/* Ensure destination MAC address is fully matched. */
1189 	mac = (struct nfp_flower_mac_mpls *)mask;
1190 	if (!is_broadcast_ether_addr(&mac->mac_dst[0])) {
1191 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: dest MAC field must not be masked");
1192 		return -EOPNOTSUPP;
1193 	}
1194 
1195 	/* Ensure source MAC address is fully matched. This is only needed
1196 	 * for firmware with the DECAP_V2 feature enabled. Don't do this
1197 	 * for firmware without this feature to keep old behaviour.
1198 	 */
1199 	if (priv->flower_ext_feats & NFP_FL_FEATS_DECAP_V2) {
1200 		mac = (struct nfp_flower_mac_mpls *)mask;
1201 		if (!is_broadcast_ether_addr(&mac->mac_src[0])) {
1202 			NL_SET_ERR_MSG_MOD(extack,
1203 					   "unsupported pre-tunnel rule: source MAC field must not be masked");
1204 			return -EOPNOTSUPP;
1205 		}
1206 	}
1207 
1208 	if (mac->mpls_lse) {
1209 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: MPLS not supported");
1210 		return -EOPNOTSUPP;
1211 	}
1212 
1213 	/* Ensure destination MAC address matches pre_tun_dev. */
1214 	mac = (struct nfp_flower_mac_mpls *)ext;
1215 	if (memcmp(&mac->mac_dst[0], flow->pre_tun_rule.dev->dev_addr, 6)) {
1216 		NL_SET_ERR_MSG_MOD(extack,
1217 				   "unsupported pre-tunnel rule: dest MAC must match output dev MAC");
1218 		return -EOPNOTSUPP;
1219 	}
1220 
1221 	/* Save mac addresses in pre_tun_rule entry for later use */
1222 	memcpy(&flow->pre_tun_rule.loc_mac, &mac->mac_dst[0], ETH_ALEN);
1223 	memcpy(&flow->pre_tun_rule.rem_mac, &mac->mac_src[0], ETH_ALEN);
1224 
1225 	mask += sizeof(struct nfp_flower_mac_mpls);
1226 	ext += sizeof(struct nfp_flower_mac_mpls);
1227 	if (key_layer & NFP_FLOWER_LAYER_IPV4 ||
1228 	    key_layer & NFP_FLOWER_LAYER_IPV6) {
1229 		/* Flags and proto fields have same offset in IPv4 and IPv6. */
1230 		int ip_flags = offsetof(struct nfp_flower_ipv4, ip_ext.flags);
1231 		int ip_proto = offsetof(struct nfp_flower_ipv4, ip_ext.proto);
1232 		int size;
1233 		int i;
1234 
1235 		size = key_layer & NFP_FLOWER_LAYER_IPV4 ?
1236 			sizeof(struct nfp_flower_ipv4) :
1237 			sizeof(struct nfp_flower_ipv6);
1238 
1239 
1240 		/* Ensure proto and flags are the only IP layer fields. */
1241 		for (i = 0; i < size; i++)
1242 			if (mask[i] && i != ip_flags && i != ip_proto) {
1243 				NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: only flags and proto can be matched in ip header");
1244 				return -EOPNOTSUPP;
1245 			}
1246 		ext += size;
1247 		mask += size;
1248 	}
1249 
1250 	if ((priv->flower_ext_feats & NFP_FL_FEATS_VLAN_QINQ)) {
1251 		if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_QINQ) {
1252 			struct nfp_flower_vlan *vlan_tags;
1253 			u16 vlan_tpid;
1254 			u16 vlan_tci;
1255 
1256 			vlan_tags = (struct nfp_flower_vlan *)ext;
1257 
1258 			vlan_tci = be16_to_cpu(vlan_tags->outer_tci);
1259 			vlan_tpid = be16_to_cpu(vlan_tags->outer_tpid);
1260 
1261 			vlan_tci &= ~NFP_FLOWER_MASK_VLAN_PRESENT;
1262 			flow->pre_tun_rule.vlan_tci = cpu_to_be16(vlan_tci);
1263 			flow->pre_tun_rule.vlan_tpid = cpu_to_be16(vlan_tpid);
1264 			vlan = true;
1265 		} else {
1266 			flow->pre_tun_rule.vlan_tci = cpu_to_be16(0xffff);
1267 			flow->pre_tun_rule.vlan_tpid = cpu_to_be16(0xffff);
1268 		}
1269 	}
1270 
1271 	/* Action must be a single egress or pop_vlan and egress. */
1272 	act_offset = 0;
1273 	act = (struct nfp_fl_act_head *)&flow->action_data[act_offset];
1274 	if (vlan) {
1275 		if (act->jump_id != NFP_FL_ACTION_OPCODE_POP_VLAN) {
1276 			NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: match on VLAN must have VLAN pop as first action");
1277 			return -EOPNOTSUPP;
1278 		}
1279 
1280 		act_offset += act->len_lw << NFP_FL_LW_SIZ;
1281 		act = (struct nfp_fl_act_head *)&flow->action_data[act_offset];
1282 	}
1283 
1284 	if (act->jump_id != NFP_FL_ACTION_OPCODE_OUTPUT) {
1285 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: non egress action detected where egress was expected");
1286 		return -EOPNOTSUPP;
1287 	}
1288 
1289 	act_offset += act->len_lw << NFP_FL_LW_SIZ;
1290 
1291 	/* Ensure there are no more actions after egress. */
1292 	if (act_offset != flow->meta.act_len) {
1293 		NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: egress is not the last action");
1294 		return -EOPNOTSUPP;
1295 	}
1296 
1297 	return 0;
1298 }
1299 
1300 static bool offload_pre_check(struct flow_cls_offload *flow)
1301 {
1302 	struct flow_rule *rule = flow_cls_offload_flow_rule(flow);
1303 	struct flow_dissector *dissector = rule->match.dissector;
1304 
1305 	if (dissector->used_keys & BIT(FLOW_DISSECTOR_KEY_CT))
1306 		return false;
1307 
1308 	if (flow->common.chain_index)
1309 		return false;
1310 
1311 	return true;
1312 }
1313 
1314 /**
1315  * nfp_flower_add_offload() - Adds a new flow to hardware.
1316  * @app:	Pointer to the APP handle
1317  * @netdev:	netdev structure.
1318  * @flow:	TC flower classifier offload structure.
1319  *
1320  * Adds a new flow to the repeated hash structure and action payload.
1321  *
1322  * Return: negative value on error, 0 if configured successfully.
1323  */
1324 static int
1325 nfp_flower_add_offload(struct nfp_app *app, struct net_device *netdev,
1326 		       struct flow_cls_offload *flow)
1327 {
1328 	struct flow_rule *rule = flow_cls_offload_flow_rule(flow);
1329 	enum nfp_flower_tun_type tun_type = NFP_FL_TUNNEL_NONE;
1330 	struct nfp_flower_priv *priv = app->priv;
1331 	struct netlink_ext_ack *extack = NULL;
1332 	struct nfp_fl_payload *flow_pay;
1333 	struct nfp_fl_key_ls *key_layer;
1334 	struct nfp_port *port = NULL;
1335 	int err;
1336 
1337 	extack = flow->common.extack;
1338 	if (nfp_netdev_is_nfp_repr(netdev))
1339 		port = nfp_port_from_netdev(netdev);
1340 
1341 	if (is_pre_ct_flow(flow))
1342 		return nfp_fl_ct_handle_pre_ct(priv, netdev, flow, extack);
1343 
1344 	if (is_post_ct_flow(flow))
1345 		return nfp_fl_ct_handle_post_ct(priv, netdev, flow, extack);
1346 
1347 	if (!offload_pre_check(flow))
1348 		return -EOPNOTSUPP;
1349 
1350 	key_layer = kmalloc(sizeof(*key_layer), GFP_KERNEL);
1351 	if (!key_layer)
1352 		return -ENOMEM;
1353 
1354 	err = nfp_flower_calculate_key_layers(app, netdev, key_layer, rule,
1355 					      &tun_type, extack);
1356 	if (err)
1357 		goto err_free_key_ls;
1358 
1359 	flow_pay = nfp_flower_allocate_new(key_layer);
1360 	if (!flow_pay) {
1361 		err = -ENOMEM;
1362 		goto err_free_key_ls;
1363 	}
1364 
1365 	err = nfp_flower_compile_flow_match(app, rule, key_layer, netdev,
1366 					    flow_pay, tun_type, extack);
1367 	if (err)
1368 		goto err_destroy_flow;
1369 
1370 	err = nfp_flower_compile_action(app, rule, netdev, flow_pay, extack);
1371 	if (err)
1372 		goto err_destroy_flow;
1373 
1374 	if (flow_pay->pre_tun_rule.dev) {
1375 		err = nfp_flower_validate_pre_tun_rule(app, flow_pay, key_layer, extack);
1376 		if (err)
1377 			goto err_destroy_flow;
1378 	}
1379 
1380 	err = nfp_compile_flow_metadata(app, flow->cookie, flow_pay, netdev, extack);
1381 	if (err)
1382 		goto err_destroy_flow;
1383 
1384 	flow_pay->tc_flower_cookie = flow->cookie;
1385 	err = rhashtable_insert_fast(&priv->flow_table, &flow_pay->fl_node,
1386 				     nfp_flower_table_params);
1387 	if (err) {
1388 		NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot insert flow into tables for offloads");
1389 		goto err_release_metadata;
1390 	}
1391 
1392 	if (flow_pay->pre_tun_rule.dev) {
1393 		if (priv->flower_ext_feats & NFP_FL_FEATS_DECAP_V2) {
1394 			struct nfp_predt_entry *predt;
1395 
1396 			predt = kzalloc(sizeof(*predt), GFP_KERNEL);
1397 			if (!predt) {
1398 				err = -ENOMEM;
1399 				goto err_remove_rhash;
1400 			}
1401 			predt->flow_pay = flow_pay;
1402 			INIT_LIST_HEAD(&predt->nn_list);
1403 			spin_lock_bh(&priv->predt_lock);
1404 			list_add(&predt->list_head, &priv->predt_list);
1405 			flow_pay->pre_tun_rule.predt = predt;
1406 			nfp_tun_link_and_update_nn_entries(app, predt);
1407 			spin_unlock_bh(&priv->predt_lock);
1408 		} else {
1409 			err = nfp_flower_xmit_pre_tun_flow(app, flow_pay);
1410 		}
1411 	} else {
1412 		err = nfp_flower_xmit_flow(app, flow_pay,
1413 					   NFP_FLOWER_CMSG_TYPE_FLOW_ADD);
1414 	}
1415 
1416 	if (err)
1417 		goto err_remove_rhash;
1418 
1419 	if (port)
1420 		port->tc_offload_cnt++;
1421 
1422 	flow_pay->in_hw = true;
1423 
1424 	/* Deallocate flow payload when flower rule has been destroyed. */
1425 	kfree(key_layer);
1426 
1427 	return 0;
1428 
1429 err_remove_rhash:
1430 	WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table,
1431 					    &flow_pay->fl_node,
1432 					    nfp_flower_table_params));
1433 err_release_metadata:
1434 	nfp_modify_flow_metadata(app, flow_pay);
1435 err_destroy_flow:
1436 	if (flow_pay->nfp_tun_ipv6)
1437 		nfp_tunnel_put_ipv6_off(app, flow_pay->nfp_tun_ipv6);
1438 	kfree(flow_pay->action_data);
1439 	kfree(flow_pay->mask_data);
1440 	kfree(flow_pay->unmasked_data);
1441 	kfree(flow_pay);
1442 err_free_key_ls:
1443 	kfree(key_layer);
1444 	return err;
1445 }
1446 
1447 static void
1448 nfp_flower_remove_merge_flow(struct nfp_app *app,
1449 			     struct nfp_fl_payload *del_sub_flow,
1450 			     struct nfp_fl_payload *merge_flow)
1451 {
1452 	struct nfp_flower_priv *priv = app->priv;
1453 	struct nfp_fl_payload_link *link, *temp;
1454 	struct nfp_merge_info *merge_info;
1455 	struct nfp_fl_payload *origin;
1456 	u64 parent_ctx = 0;
1457 	bool mod = false;
1458 	int err;
1459 
1460 	link = list_first_entry(&merge_flow->linked_flows,
1461 				struct nfp_fl_payload_link, merge_flow.list);
1462 	origin = link->sub_flow.flow;
1463 
1464 	/* Re-add rule the merge had overwritten if it has not been deleted. */
1465 	if (origin != del_sub_flow)
1466 		mod = true;
1467 
1468 	err = nfp_modify_flow_metadata(app, merge_flow);
1469 	if (err) {
1470 		nfp_flower_cmsg_warn(app, "Metadata fail for merge flow delete.\n");
1471 		goto err_free_links;
1472 	}
1473 
1474 	if (!mod) {
1475 		err = nfp_flower_xmit_flow(app, merge_flow,
1476 					   NFP_FLOWER_CMSG_TYPE_FLOW_DEL);
1477 		if (err) {
1478 			nfp_flower_cmsg_warn(app, "Failed to delete merged flow.\n");
1479 			goto err_free_links;
1480 		}
1481 	} else {
1482 		__nfp_modify_flow_metadata(priv, origin);
1483 		err = nfp_flower_xmit_flow(app, origin,
1484 					   NFP_FLOWER_CMSG_TYPE_FLOW_MOD);
1485 		if (err)
1486 			nfp_flower_cmsg_warn(app, "Failed to revert merge flow.\n");
1487 		origin->in_hw = true;
1488 	}
1489 
1490 err_free_links:
1491 	/* Clean any links connected with the merged flow. */
1492 	list_for_each_entry_safe(link, temp, &merge_flow->linked_flows,
1493 				 merge_flow.list) {
1494 		u32 ctx_id = be32_to_cpu(link->sub_flow.flow->meta.host_ctx_id);
1495 
1496 		parent_ctx = (parent_ctx << 32) | (u64)(ctx_id);
1497 		nfp_flower_unlink_flow(link);
1498 	}
1499 
1500 	merge_info = rhashtable_lookup_fast(&priv->merge_table,
1501 					    &parent_ctx,
1502 					    merge_table_params);
1503 	if (merge_info) {
1504 		WARN_ON_ONCE(rhashtable_remove_fast(&priv->merge_table,
1505 						    &merge_info->ht_node,
1506 						    merge_table_params));
1507 		kfree(merge_info);
1508 	}
1509 
1510 	kfree(merge_flow->action_data);
1511 	kfree(merge_flow->mask_data);
1512 	kfree(merge_flow->unmasked_data);
1513 	WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table,
1514 					    &merge_flow->fl_node,
1515 					    nfp_flower_table_params));
1516 	kfree_rcu(merge_flow, rcu);
1517 }
1518 
1519 void
1520 nfp_flower_del_linked_merge_flows(struct nfp_app *app,
1521 				  struct nfp_fl_payload *sub_flow)
1522 {
1523 	struct nfp_fl_payload_link *link, *temp;
1524 
1525 	/* Remove any merge flow formed from the deleted sub_flow. */
1526 	list_for_each_entry_safe(link, temp, &sub_flow->linked_flows,
1527 				 sub_flow.list)
1528 		nfp_flower_remove_merge_flow(app, sub_flow,
1529 					     link->merge_flow.flow);
1530 }
1531 
1532 /**
1533  * nfp_flower_del_offload() - Removes a flow from hardware.
1534  * @app:	Pointer to the APP handle
1535  * @netdev:	netdev structure.
1536  * @flow:	TC flower classifier offload structure
1537  *
1538  * Removes a flow from the repeated hash structure and clears the
1539  * action payload. Any flows merged from this are also deleted.
1540  *
1541  * Return: negative value on error, 0 if removed successfully.
1542  */
1543 static int
1544 nfp_flower_del_offload(struct nfp_app *app, struct net_device *netdev,
1545 		       struct flow_cls_offload *flow)
1546 {
1547 	struct nfp_flower_priv *priv = app->priv;
1548 	struct nfp_fl_ct_map_entry *ct_map_ent;
1549 	struct netlink_ext_ack *extack = NULL;
1550 	struct nfp_fl_payload *nfp_flow;
1551 	struct nfp_port *port = NULL;
1552 	int err;
1553 
1554 	extack = flow->common.extack;
1555 	if (nfp_netdev_is_nfp_repr(netdev))
1556 		port = nfp_port_from_netdev(netdev);
1557 
1558 	/* Check ct_map_table */
1559 	ct_map_ent = rhashtable_lookup_fast(&priv->ct_map_table, &flow->cookie,
1560 					    nfp_ct_map_params);
1561 	if (ct_map_ent) {
1562 		err = nfp_fl_ct_del_flow(ct_map_ent);
1563 		return err;
1564 	}
1565 
1566 	nfp_flow = nfp_flower_search_fl_table(app, flow->cookie, netdev);
1567 	if (!nfp_flow) {
1568 		NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot remove flow that does not exist");
1569 		return -ENOENT;
1570 	}
1571 
1572 	err = nfp_modify_flow_metadata(app, nfp_flow);
1573 	if (err)
1574 		goto err_free_merge_flow;
1575 
1576 	if (nfp_flow->nfp_tun_ipv4_addr)
1577 		nfp_tunnel_del_ipv4_off(app, nfp_flow->nfp_tun_ipv4_addr);
1578 
1579 	if (nfp_flow->nfp_tun_ipv6)
1580 		nfp_tunnel_put_ipv6_off(app, nfp_flow->nfp_tun_ipv6);
1581 
1582 	if (!nfp_flow->in_hw) {
1583 		err = 0;
1584 		goto err_free_merge_flow;
1585 	}
1586 
1587 	if (nfp_flow->pre_tun_rule.dev) {
1588 		if (priv->flower_ext_feats & NFP_FL_FEATS_DECAP_V2) {
1589 			struct nfp_predt_entry *predt;
1590 
1591 			predt = nfp_flow->pre_tun_rule.predt;
1592 			if (predt) {
1593 				spin_lock_bh(&priv->predt_lock);
1594 				nfp_tun_unlink_and_update_nn_entries(app, predt);
1595 				list_del(&predt->list_head);
1596 				spin_unlock_bh(&priv->predt_lock);
1597 				kfree(predt);
1598 			}
1599 		} else {
1600 			err = nfp_flower_xmit_pre_tun_del_flow(app, nfp_flow);
1601 		}
1602 	} else {
1603 		err = nfp_flower_xmit_flow(app, nfp_flow,
1604 					   NFP_FLOWER_CMSG_TYPE_FLOW_DEL);
1605 	}
1606 	/* Fall through on error. */
1607 
1608 err_free_merge_flow:
1609 	nfp_flower_del_linked_merge_flows(app, nfp_flow);
1610 	if (port)
1611 		port->tc_offload_cnt--;
1612 	kfree(nfp_flow->action_data);
1613 	kfree(nfp_flow->mask_data);
1614 	kfree(nfp_flow->unmasked_data);
1615 	WARN_ON_ONCE(rhashtable_remove_fast(&priv->flow_table,
1616 					    &nfp_flow->fl_node,
1617 					    nfp_flower_table_params));
1618 	kfree_rcu(nfp_flow, rcu);
1619 	return err;
1620 }
1621 
1622 static void
1623 __nfp_flower_update_merge_stats(struct nfp_app *app,
1624 				struct nfp_fl_payload *merge_flow)
1625 {
1626 	struct nfp_flower_priv *priv = app->priv;
1627 	struct nfp_fl_payload_link *link;
1628 	struct nfp_fl_payload *sub_flow;
1629 	u64 pkts, bytes, used;
1630 	u32 ctx_id;
1631 
1632 	ctx_id = be32_to_cpu(merge_flow->meta.host_ctx_id);
1633 	pkts = priv->stats[ctx_id].pkts;
1634 	/* Do not cycle subflows if no stats to distribute. */
1635 	if (!pkts)
1636 		return;
1637 	bytes = priv->stats[ctx_id].bytes;
1638 	used = priv->stats[ctx_id].used;
1639 
1640 	/* Reset stats for the merge flow. */
1641 	priv->stats[ctx_id].pkts = 0;
1642 	priv->stats[ctx_id].bytes = 0;
1643 
1644 	/* The merge flow has received stats updates from firmware.
1645 	 * Distribute these stats to all subflows that form the merge.
1646 	 * The stats will collected from TC via the subflows.
1647 	 */
1648 	list_for_each_entry(link, &merge_flow->linked_flows, merge_flow.list) {
1649 		sub_flow = link->sub_flow.flow;
1650 		ctx_id = be32_to_cpu(sub_flow->meta.host_ctx_id);
1651 		priv->stats[ctx_id].pkts += pkts;
1652 		priv->stats[ctx_id].bytes += bytes;
1653 		priv->stats[ctx_id].used = max_t(u64, used,
1654 						 priv->stats[ctx_id].used);
1655 	}
1656 }
1657 
1658 void
1659 nfp_flower_update_merge_stats(struct nfp_app *app,
1660 			      struct nfp_fl_payload *sub_flow)
1661 {
1662 	struct nfp_fl_payload_link *link;
1663 
1664 	/* Get merge flows that the subflow forms to distribute their stats. */
1665 	list_for_each_entry(link, &sub_flow->linked_flows, sub_flow.list)
1666 		__nfp_flower_update_merge_stats(app, link->merge_flow.flow);
1667 }
1668 
1669 /**
1670  * nfp_flower_get_stats() - Populates flow stats obtained from hardware.
1671  * @app:	Pointer to the APP handle
1672  * @netdev:	Netdev structure.
1673  * @flow:	TC flower classifier offload structure
1674  *
1675  * Populates a flow statistics structure which which corresponds to a
1676  * specific flow.
1677  *
1678  * Return: negative value on error, 0 if stats populated successfully.
1679  */
1680 static int
1681 nfp_flower_get_stats(struct nfp_app *app, struct net_device *netdev,
1682 		     struct flow_cls_offload *flow)
1683 {
1684 	struct nfp_flower_priv *priv = app->priv;
1685 	struct nfp_fl_ct_map_entry *ct_map_ent;
1686 	struct netlink_ext_ack *extack = NULL;
1687 	struct nfp_fl_payload *nfp_flow;
1688 	u32 ctx_id;
1689 
1690 	/* Check ct_map table first */
1691 	ct_map_ent = rhashtable_lookup_fast(&priv->ct_map_table, &flow->cookie,
1692 					    nfp_ct_map_params);
1693 	if (ct_map_ent)
1694 		return nfp_fl_ct_stats(flow, ct_map_ent);
1695 
1696 	extack = flow->common.extack;
1697 	nfp_flow = nfp_flower_search_fl_table(app, flow->cookie, netdev);
1698 	if (!nfp_flow) {
1699 		NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot dump stats for flow that does not exist");
1700 		return -EINVAL;
1701 	}
1702 
1703 	ctx_id = be32_to_cpu(nfp_flow->meta.host_ctx_id);
1704 
1705 	spin_lock_bh(&priv->stats_lock);
1706 	/* If request is for a sub_flow, update stats from merged flows. */
1707 	if (!list_empty(&nfp_flow->linked_flows))
1708 		nfp_flower_update_merge_stats(app, nfp_flow);
1709 
1710 	flow_stats_update(&flow->stats, priv->stats[ctx_id].bytes,
1711 			  priv->stats[ctx_id].pkts, 0, priv->stats[ctx_id].used,
1712 			  FLOW_ACTION_HW_STATS_DELAYED);
1713 
1714 	priv->stats[ctx_id].pkts = 0;
1715 	priv->stats[ctx_id].bytes = 0;
1716 	spin_unlock_bh(&priv->stats_lock);
1717 
1718 	return 0;
1719 }
1720 
1721 static int
1722 nfp_flower_repr_offload(struct nfp_app *app, struct net_device *netdev,
1723 			struct flow_cls_offload *flower)
1724 {
1725 	if (!eth_proto_is_802_3(flower->common.protocol))
1726 		return -EOPNOTSUPP;
1727 
1728 	switch (flower->command) {
1729 	case FLOW_CLS_REPLACE:
1730 		return nfp_flower_add_offload(app, netdev, flower);
1731 	case FLOW_CLS_DESTROY:
1732 		return nfp_flower_del_offload(app, netdev, flower);
1733 	case FLOW_CLS_STATS:
1734 		return nfp_flower_get_stats(app, netdev, flower);
1735 	default:
1736 		return -EOPNOTSUPP;
1737 	}
1738 }
1739 
1740 static int nfp_flower_setup_tc_block_cb(enum tc_setup_type type,
1741 					void *type_data, void *cb_priv)
1742 {
1743 	struct flow_cls_common_offload *common = type_data;
1744 	struct nfp_repr *repr = cb_priv;
1745 
1746 	if (!tc_can_offload_extack(repr->netdev, common->extack))
1747 		return -EOPNOTSUPP;
1748 
1749 	switch (type) {
1750 	case TC_SETUP_CLSFLOWER:
1751 		return nfp_flower_repr_offload(repr->app, repr->netdev,
1752 					       type_data);
1753 	case TC_SETUP_CLSMATCHALL:
1754 		return nfp_flower_setup_qos_offload(repr->app, repr->netdev,
1755 						    type_data);
1756 	default:
1757 		return -EOPNOTSUPP;
1758 	}
1759 }
1760 
1761 static LIST_HEAD(nfp_block_cb_list);
1762 
1763 static int nfp_flower_setup_tc_block(struct net_device *netdev,
1764 				     struct flow_block_offload *f)
1765 {
1766 	struct nfp_repr *repr = netdev_priv(netdev);
1767 	struct nfp_flower_repr_priv *repr_priv;
1768 	struct flow_block_cb *block_cb;
1769 
1770 	if (f->binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS)
1771 		return -EOPNOTSUPP;
1772 
1773 	repr_priv = repr->app_priv;
1774 	repr_priv->block_shared = f->block_shared;
1775 	f->driver_block_list = &nfp_block_cb_list;
1776 
1777 	switch (f->command) {
1778 	case FLOW_BLOCK_BIND:
1779 		if (flow_block_cb_is_busy(nfp_flower_setup_tc_block_cb, repr,
1780 					  &nfp_block_cb_list))
1781 			return -EBUSY;
1782 
1783 		block_cb = flow_block_cb_alloc(nfp_flower_setup_tc_block_cb,
1784 					       repr, repr, NULL);
1785 		if (IS_ERR(block_cb))
1786 			return PTR_ERR(block_cb);
1787 
1788 		flow_block_cb_add(block_cb, f);
1789 		list_add_tail(&block_cb->driver_list, &nfp_block_cb_list);
1790 		return 0;
1791 	case FLOW_BLOCK_UNBIND:
1792 		block_cb = flow_block_cb_lookup(f->block,
1793 						nfp_flower_setup_tc_block_cb,
1794 						repr);
1795 		if (!block_cb)
1796 			return -ENOENT;
1797 
1798 		flow_block_cb_remove(block_cb, f);
1799 		list_del(&block_cb->driver_list);
1800 		return 0;
1801 	default:
1802 		return -EOPNOTSUPP;
1803 	}
1804 }
1805 
1806 int nfp_flower_setup_tc(struct nfp_app *app, struct net_device *netdev,
1807 			enum tc_setup_type type, void *type_data)
1808 {
1809 	switch (type) {
1810 	case TC_SETUP_BLOCK:
1811 		return nfp_flower_setup_tc_block(netdev, type_data);
1812 	default:
1813 		return -EOPNOTSUPP;
1814 	}
1815 }
1816 
1817 struct nfp_flower_indr_block_cb_priv {
1818 	struct net_device *netdev;
1819 	struct nfp_app *app;
1820 	struct list_head list;
1821 };
1822 
1823 static struct nfp_flower_indr_block_cb_priv *
1824 nfp_flower_indr_block_cb_priv_lookup(struct nfp_app *app,
1825 				     struct net_device *netdev)
1826 {
1827 	struct nfp_flower_indr_block_cb_priv *cb_priv;
1828 	struct nfp_flower_priv *priv = app->priv;
1829 
1830 	list_for_each_entry(cb_priv, &priv->indr_block_cb_priv, list)
1831 		if (cb_priv->netdev == netdev)
1832 			return cb_priv;
1833 
1834 	return NULL;
1835 }
1836 
1837 static int nfp_flower_setup_indr_block_cb(enum tc_setup_type type,
1838 					  void *type_data, void *cb_priv)
1839 {
1840 	struct nfp_flower_indr_block_cb_priv *priv = cb_priv;
1841 
1842 	switch (type) {
1843 	case TC_SETUP_CLSFLOWER:
1844 		return nfp_flower_repr_offload(priv->app, priv->netdev,
1845 					       type_data);
1846 	default:
1847 		return -EOPNOTSUPP;
1848 	}
1849 }
1850 
1851 void nfp_flower_setup_indr_tc_release(void *cb_priv)
1852 {
1853 	struct nfp_flower_indr_block_cb_priv *priv = cb_priv;
1854 
1855 	list_del(&priv->list);
1856 	kfree(priv);
1857 }
1858 
1859 static int
1860 nfp_flower_setup_indr_tc_block(struct net_device *netdev, struct Qdisc *sch, struct nfp_app *app,
1861 			       struct flow_block_offload *f, void *data,
1862 			       void (*cleanup)(struct flow_block_cb *block_cb))
1863 {
1864 	struct nfp_flower_indr_block_cb_priv *cb_priv;
1865 	struct nfp_flower_priv *priv = app->priv;
1866 	struct flow_block_cb *block_cb;
1867 
1868 	if ((f->binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS &&
1869 	     !nfp_flower_internal_port_can_offload(app, netdev)) ||
1870 	    (f->binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_EGRESS &&
1871 	     nfp_flower_internal_port_can_offload(app, netdev)))
1872 		return -EOPNOTSUPP;
1873 
1874 	switch (f->command) {
1875 	case FLOW_BLOCK_BIND:
1876 		cb_priv = nfp_flower_indr_block_cb_priv_lookup(app, netdev);
1877 		if (cb_priv &&
1878 		    flow_block_cb_is_busy(nfp_flower_setup_indr_block_cb,
1879 					  cb_priv,
1880 					  &nfp_block_cb_list))
1881 			return -EBUSY;
1882 
1883 		cb_priv = kmalloc(sizeof(*cb_priv), GFP_KERNEL);
1884 		if (!cb_priv)
1885 			return -ENOMEM;
1886 
1887 		cb_priv->netdev = netdev;
1888 		cb_priv->app = app;
1889 		list_add(&cb_priv->list, &priv->indr_block_cb_priv);
1890 
1891 		block_cb = flow_indr_block_cb_alloc(nfp_flower_setup_indr_block_cb,
1892 						    cb_priv, cb_priv,
1893 						    nfp_flower_setup_indr_tc_release,
1894 						    f, netdev, sch, data, app, cleanup);
1895 		if (IS_ERR(block_cb)) {
1896 			list_del(&cb_priv->list);
1897 			kfree(cb_priv);
1898 			return PTR_ERR(block_cb);
1899 		}
1900 
1901 		flow_block_cb_add(block_cb, f);
1902 		list_add_tail(&block_cb->driver_list, &nfp_block_cb_list);
1903 		return 0;
1904 	case FLOW_BLOCK_UNBIND:
1905 		cb_priv = nfp_flower_indr_block_cb_priv_lookup(app, netdev);
1906 		if (!cb_priv)
1907 			return -ENOENT;
1908 
1909 		block_cb = flow_block_cb_lookup(f->block,
1910 						nfp_flower_setup_indr_block_cb,
1911 						cb_priv);
1912 		if (!block_cb)
1913 			return -ENOENT;
1914 
1915 		flow_indr_block_cb_remove(block_cb, f);
1916 		list_del(&block_cb->driver_list);
1917 		return 0;
1918 	default:
1919 		return -EOPNOTSUPP;
1920 	}
1921 	return 0;
1922 }
1923 
1924 static int
1925 nfp_setup_tc_no_dev(struct nfp_app *app, enum tc_setup_type type, void *data)
1926 {
1927 	if (!data)
1928 		return -EOPNOTSUPP;
1929 
1930 	switch (type) {
1931 	case TC_SETUP_ACT:
1932 		return nfp_setup_tc_act_offload(app, data);
1933 	default:
1934 		return -EOPNOTSUPP;
1935 	}
1936 }
1937 
1938 int
1939 nfp_flower_indr_setup_tc_cb(struct net_device *netdev, struct Qdisc *sch, void *cb_priv,
1940 			    enum tc_setup_type type, void *type_data,
1941 			    void *data,
1942 			    void (*cleanup)(struct flow_block_cb *block_cb))
1943 {
1944 	if (!netdev)
1945 		return nfp_setup_tc_no_dev(cb_priv, type, data);
1946 
1947 	if (!nfp_fl_is_netdev_to_offload(netdev))
1948 		return -EOPNOTSUPP;
1949 
1950 	switch (type) {
1951 	case TC_SETUP_BLOCK:
1952 		return nfp_flower_setup_indr_tc_block(netdev, sch, cb_priv,
1953 						      type_data, data, cleanup);
1954 	default:
1955 		return -EOPNOTSUPP;
1956 	}
1957 }
1958