This patchset has been applied to dev-queue, however there were a lot of potential issues reported by sashiko [1] that I'm currently addressing. In my opinion a lot of them are valid, so I'm planning to submit v3 soon.

[1] https://sashiko.dev/#/patchset/20260409120003.2719-1-marcin.szycik%40linux.intel.com

On 09/04/2026 13:59, Marcin Szycik wrote:
> E8xx hardware provides a Ternary Classifier block for implementing
> functions such as ACL (Access Control List). In this series it's simply
> referred to as "ACL".
>
> Implement ACL filtering. This expands support of network flow classification
> rules for the ethtool ntuple command. ACL filtering allows for an ip or port
> field's optional mask to be specified.
>
> Example filters:
> ethtool -N eth0 flow-type tcp4 dst-port 8880 m 0x00ff action 10
> ethtool -N eth0 flow-type tcp4 src-ip 192.168.0.55 m 0.0.0.255 action -1
>
> This is a resurrection of an old series from 2020 [1] with several
> improvements, but the fundamental logic unchanged. v1 was almost pulled
> in, but ultimately it was decided to drop it [2] because of unresolved
> issues. One issue was too many defensive NULL checks. Second issue is
> about inconsistency when using multiple input sets. Both are addressed
> in this patchset.
>
> More about the second issue:
>
> From [3]:
>> I would argue that you need to have some sort of logic that basically
>> checks to see if you are going to hit the input set issue and falls
>> back and applies the ACL rules. Otherwise you are significantly
>> hampering the usefulness of this filter type. It doesn't make sense
>> that dropping a field will cause a rule to fail to be added, but
>> masking a single bit in some field will make it valid. It would make
>> it a nightmare to use from the user point of view as the rules come
>> across as arbitrary.
>
> Flow Director (FD) has a hardware limitation where all filters for the same
> packet type must use identical input sets. Previously, attempting to add the
> second filter would fail.
>
> Patch 10 adds automatic fallback to ACL block when FD cannot accommodate a
> filter due to input set conflicts, which resolves this inconsistency.
>
> v2:
> * Rebase. Notable conflicts were the removal of ice_status and the addition of
>   libie (which affected AdminQ communication)
> * Reduce the number of defensive NULL checks
> * Use = {} instead of memset for definitions
> * Use kzalloc_obj() instead of plain kzalloc()
> * Move from devm_ to plain allocation for objects that don't require it
> * Move iterator declaration to loop start
> * Move some defines out of structs
> * Fix kdoc (except untouched ice_ethtool_fdir.c functions)
> * Adjust style (err for return variable, spacing, rewrite some comments,
> * commit messages)
> * Remove overly verbose comments
> * Add patches 5, 6, 9 and 10
> * More changes listed in patches (if applicable)
>
> [1]
> https://lore.kernel.org/intel-wired-lan/[email protected]
> [2]
> https://lore.kernel.org/netdev/[email protected]/#t
> [3]
> https://lore.kernel.org/netdev/cakgt0ucxd5-gvewwadbl04er2o++rx_oekuv3e0ryquegfk...@mail.gmail.com
>
> Lukasz Czapnik (1):
>   ice: use ACL for ntuple rules that conflict with FDir
>
> Marcin Szycik (3):
>   Revert "ice: remove unused ice_flow_entry fields"
>   ice: use plain alloc/dealloc for ice_ntuple_fltr
>   ice: re-introduce ice_dealloc_flow_entry() helper
>
> Real Valiquette (5):
>   ice: initialize ACL table
>   ice: initialize ACL scenario
>   ice: create flow profile
>   ice: create ACL entry
>   ice: program ACL entry
>
> Tony Nguyen (1):
>   ice: rename shared Flow Director functions and structs
>
>  drivers/net/ethernet/intel/ice/Makefile       |    5 +-
>  drivers/net/ethernet/intel/ice/ice.h          |   21 +-
>  drivers/net/ethernet/intel/ice/ice_acl.h      |  170 +++
>  drivers/net/ethernet/intel/ice/ice_acl_main.h |    9 +
>  .../net/ethernet/intel/ice/ice_adminq_cmd.h   |  391 +++++-
>  drivers/net/ethernet/intel/ice/ice_arfs.h     |    2 +-
>  drivers/net/ethernet/intel/ice/ice_fdir.h     |   18 +-
>  .../net/ethernet/intel/ice/ice_flex_pipe.h    |    2 +
>  drivers/net/ethernet/intel/ice/ice_flow.h     |   39 +-
>  .../net/ethernet/intel/ice/ice_lan_tx_rx.h    |    3 +
>  drivers/net/ethernet/intel/ice/ice_type.h     |    5 +
>  drivers/net/ethernet/intel/ice/ice_acl.c      |  486 +++++++
>  drivers/net/ethernet/intel/ice/ice_acl_ctrl.c | 1111 +++++++++++++++
>  drivers/net/ethernet/intel/ice/ice_acl_main.c |  293 ++++
>  drivers/net/ethernet/intel/ice/ice_arfs.c     |    8 +-
>  drivers/net/ethernet/intel/ice/ice_ethtool.c  |    8 +-
>  ...ce_ethtool_fdir.c => ice_ethtool_ntuple.c} |  641 ++++++---
>  drivers/net/ethernet/intel/ice/ice_fdir.c     |   30 +-
>  .../net/ethernet/intel/ice/ice_flex_pipe.c    |   11 +-
>  drivers/net/ethernet/intel/ice/ice_flow.c     | 1208 ++++++++++++++++-
>  drivers/net/ethernet/intel/ice/ice_lib.c      |   10 +-
>  drivers/net/ethernet/intel/ice/ice_main.c     |   91 +-
>  drivers/net/ethernet/intel/ice/virt/fdir.c    |   32 +-
>  23 files changed, 4344 insertions(+), 250 deletions(-)
>  create mode 100644 drivers/net/ethernet/intel/ice/ice_acl.h
>  create mode 100644 drivers/net/ethernet/intel/ice/ice_acl_main.h
>  create mode 100644 drivers/net/ethernet/intel/ice/ice_acl.c
>  create mode 100644 drivers/net/ethernet/intel/ice/ice_acl_ctrl.c
>  create mode 100644 drivers/net/ethernet/intel/ice/ice_acl_main.c
>  rename drivers/net/ethernet/intel/ice/{ice_ethtool_fdir.c => ice_ethtool_ntuple.c} (79%)
>
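
The Flow Director input-set limitation and the ACL fallback described in the quoted cover letter, as a simplified model added here (it is not code from the patchset or the ice driver). It assumes exact-match rules are tried on Flow Director first and partially masked rules always need ACL; all names and the mask convention are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not ice driver code; every name here is hypothetical. */
enum engine { ENG_FD, ENG_ACL };
enum { FLOW_TCP4, FLOW_UDP4, FLOW_MAX };
enum { F_SRC_IP, F_DST_IP, F_SRC_PORT, F_DST_PORT, F_MAX };

struct rule {
	int flow;             /* packet type, e.g. FLOW_TCP4 */
	uint32_t care[F_MAX]; /* model convention: set bit = bit is compared */
};

static const uint32_t full[F_MAX] = { 0xffffffffu, 0xffffffffu, 0xffffu, 0xffffu };

/* Flow Director state: one input set (bitmap of fields) per packet type. */
static unsigned int fd_input_set[FLOW_MAX];

static enum engine place_rule(const struct rule *r)
{
	unsigned int set = 0;
	int partial = 0;

	for (int f = 0; f < F_MAX; f++) {
		if (!r->care[f])
			continue;            /* field not used by this rule */
		set |= 1u << f;
		if (r->care[f] != full[f])
			partial = 1;         /* needs a ternary match */
	}
	if (partial)
		return ENG_ACL;
	if (!fd_input_set[r->flow])
		fd_input_set[r->flow] = set; /* first rule fixes the input set */
	if (fd_input_set[r->flow] == set)
		return ENG_FD;
	return ENG_ACL; /* input set conflict: fall back instead of failing */
}

int main(void)
{
	/* Constructed sample rules for one packet type. */
	struct rule a = { FLOW_TCP4, { [F_DST_PORT] = 0xffffu } };
	struct rule b = { FLOW_TCP4, { [F_SRC_IP] = 0xffffffffu } };
	struct rule c = { FLOW_TCP4, { [F_DST_PORT] = 0xff00u } };
	int ea = place_rule(&a), eb = place_rule(&b), ec = place_rule(&c);
	printf("a=%d b=%d c=%d (0=FD, 1=ACL)\n", ea, eb, ec);
	return 0;
}
```

In this model a rule is never rejected for its input set: an exact-match rule that conflicts with the set already fixed for its packet type lands on ACL, the same place a partially masked rule goes.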
