Using PNICs to perform firewall operations

US12585489B2 · US · B2

Patent metadata
Publication number: US-12585489-B2
Application number: US-202318229633-A
Country: US
Kind code: B2
Filing date: Aug 2, 2023
Priority date: Jul 25, 2023
Publication date: Mar 24, 2026
Grant date: Mar 24, 2026

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a flow-cache second firewall of the PNIC. The method configures, on the PNIC, the flow-cache second firewall to process a first set of flows based on a first set of actions determined by the first firewall, and to offload processing of a second set of flows to an embedded hardware switch of the PNIC. The method configures, on the PNIC, the embedded hardware switch to process the second set of flows based on a second set of actions determined by the first firewall.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer, the method comprising: configuring on the PNIC having an embedded hardware switch: a first firewall (i) to determine actions to perform on data message flows associated with the set of VMs, (ii) to offload processing of the data message flows to a flow-cache second firewall of the PNIC, and (iii) to indicate, for each data message flow, whether or not the processing thereof can be further offloaded to the embedded hardware switch; the flow-cache second firewall (i) to process a first set of data message flows based on a first set of actions determined by the first firewall, and (ii) to offload processing of a second set of data message flows to the embedded hardware switch of the PNIC based on indications by the first firewall that the processing of each of the data message flows in the second set can be offloaded to the embedded hardware switch; and the embedded hardware switch to process the second set of data message flows based on a second set of actions determined by the first firewall.

2. The method of claim 1, wherein configuring the first firewall to determine the actions to perform on the data message flows comprises configuring the first firewall to determine the actions using at least a first data message of each data message flow.

3. The method of claim 2, wherein configuring the first firewall to determine the actions further comprises configuring the first firewall to determine the actions also using a set of firewall rules.

4. The method of claim 3, wherein the set of firewall rules is provided to the first firewall by a network administrator.

5. The method of claim 2, wherein the actions comprise at least one of (i) allowing the data message flow, (ii) dropping the data message flow, and (iii) blocking the data message flow.

6. The method of claim 5, wherein the actions further comprise at least one of (i) an intrusion detection system (IDS) service, (ii) a network address translation (NAT) service, (iii) a load balancing service, and (iv) a deep packet inspection (DPI) service.

7. The method of claim 1 further comprising, before the first and second sets of data message flows are offloaded to the flow-cache second firewall and the embedded hardware switch, configuring the embedded hardware switch to receive the data message flows and provide the data message flows to the first firewall.

8. The method of claim 7, wherein the embedded hardware switch receives the data message flows from at least one of the set of VMs and a set of one or more external servers.

9. The method of claim 7, wherein the embedded hardware switch provides the data message flows to the first firewall by providing the data message flows to the flow-cache second firewall to provide to the first firewall.

10. The method of claim 9 further comprising, after the first and second sets of data message flows are offloaded to the flow-cache second firewall and the embedded hardware switch, configuring the embedded hardware switch to receive the first set of data message flows and provide the first set of data message flows to the flow-cache second firewall for processing.

11. The method of claim 1, wherein configuring the first firewall to offload processing of the data message flows to the flow-cache second firewall comprises configuring the first firewall (i) to generate a first set of flow records for the first set of data message flows and a second set of flow records for the second set of data message flows, and (ii) to provide the first and second sets of flow records to the flow-cache second firewall.

12. The method of claim 11, wherein each flow record for each data message flow comprises a flow identifier (ID) identifying the data message flow and a set of one or more actions to perform on data messages of the data message flow.

13. The method of claim 12, wherein the flow ID is at least one of a source network address, a destination network address, a source port, a destination port, a protocol of the data message flow, a virtual local area network (VLAN) ID, and a virtual network identifier (VNI).

14. The method of claim 11, wherein configuring the flow-cache second firewall to process the first set of data message flows comprises configuring the flow-cache second firewall to process the first set of data message flows according to the first set of flow records.

15. The method of claim 11, wherein configuring the flow-cache second firewall to offload processing of the second set of data message flows comprises configuring the flow-cache second firewall to provide the second set of flow records to the embedded hardware switch.

16. The method of claim 1 further comprising: configuring, on the PNIC, a physical network port to connect the embedded hardware switch to a set of one or more external servers through a network; and configuring, on the host computer, a set of one or more virtual network interface cards (VNICs) to connect the set of VMs to the PNIC.

17. The method of claim 16, wherein each VNIC connects to a different virtual function of the PNIC via a Peripheral Component Interconnect Express (PCIe) fabric.

18. The method of claim 16 further comprising configuring, on the PNIC, a set of one or more ports to connect the embedded hardware switch to the flow-cache second firewall.

19. The method of claim 18 further comprising configuring, on the PNIC, a virtual distributed switch (VDS) to connect the first firewall to the physical network port through the embedded hardware switch, wherein the VDS connects to a port of the set of ports to connect the first firewall to the physical network port through the embedded hardware switch.

20. A non-transitory machine readable medium storing a program for execution by at least one processing unit for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer, the program comprising sets of instructions for: configuring on the PNIC having an embedded hardware switch: a first firewall (i) to determine actions to perform on data message flows associated with the set of VMs, (ii) to offload processing of the data message flows to a flow-cache second firewall of the PNIC, and (iii) to indicate, for each data message flow, whether or not the processing thereof can be further offloaded to the embedded hardware switch; the flow-cache second firewall (i) to process a first set of data message flows based on a first set of actions determined by the first firewall, and (ii) to offload processing of a second set of data message flows to the embedded hardware switch of the PNIC based on indications by the first firewall that the processing of each of the data message flows in the second set can be offloaded to the embedded hardware switch; and the embedded hardware switch to process the second set of data message flows based on a second set of actions determined by the first firewall.
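The abstract and claims 1, 7-15 describe a three-tier pipeline: the first firewall evaluates rules on the first data message of a flow and emits a flow record (flow ID plus actions, and a flag saying whether the hardware switch may take the flow), the flow-cache second firewall applies those records and pushes the flagged ones into the embedded hardware switch, and the switch handles everything it has a record for. The following Python model is an added example, not code from the patent or from VMware. Everything beyond the claim text is an assumption made for the example: the rule format, default-deny on no match, the choice that only stateless allow/drop verdicts are hardware-eligible (the claims leave the eligibility criterion to the first firewall), the class and function names, and the constructed traffic in `demo()`.

```python
"""Software model of the first firewall / flow-cache firewall / hardware switch offload
chain from the claims.  Added illustration only, not the patent's or VMware's code; rule
format, default-deny and the hardware-eligibility test are assumptions made here."""
from dataclasses import dataclass

# Flow key fields from claim 13: 5-tuple plus VLAN ID and VNI.  Keeping the overlay
# identifiers in the key means two tenants reusing the same private addresses can
# never match each other's cached flow records.
FIELDS = ("src", "dst", "sport", "dport", "proto", "vlan", "vni")
HW_OFFLOADABLE = {"allow", "drop"}        # assumption: stateless verdicts only


@dataclass
class Rule:
    match: dict        # subset of FIELDS; an absent field is a wildcard
    actions: list      # e.g. ["allow"], ["drop"], ["allow", "dpi"]


@dataclass
class FlowRecord:
    key: tuple
    actions: list
    hw_ok: bool        # claim 1(iii): may the hardware switch take this flow over?


@dataclass
class Packet:
    key: tuple         # values ordered as in FIELDS


class FirstFirewall:
    """Slow path: full rule lookup on the first data message of a flow (claims 2-6, 11)."""
    def __init__(self, rules):
        self.rules = rules
        self.evaluations = 0

    def classify(self, pkt):
        self.evaluations += 1
        for rule in self.rules:
            if all(rule.match[f] == pkt.key[FIELDS.index(f)] for f in rule.match):
                actions = list(rule.actions)
                break
        else:
            actions = ["drop"]                       # assumption: default deny
        hw_ok = all(a in HW_OFFLOADABLE for a in actions)
        return FlowRecord(pkt.key, actions, hw_ok)


class HardwareSwitch:
    """Fast path: exact-match flow table; unknown flows are punted upward (claims 7-10)."""
    def __init__(self):
        self.table = {}
        self.hits = 0

    def process(self, pkt):
        rec = self.table.get(pkt.key)
        if rec is None:
            return None
        self.hits += 1
        return rec.actions


class FlowCacheFirewall:
    """Middle tier: applies flow records, pushes hw-eligible ones down (claims 14-15)."""
    def __init__(self, first_fw, hw):
        self.first_fw, self.hw = first_fw, hw
        self.cache = {}
        self.hits = 0

    def process(self, pkt):
        rec = self.cache.get(pkt.key)
        if rec is None:
            rec = self.first_fw.classify(pkt)        # miss: ask the first firewall
            self.cache[pkt.key] = rec
            if rec.hw_ok:
                self.hw.table[pkt.key] = rec         # the "second set" of flow records
        else:
            self.hits += 1
        return rec.actions

    def invalidate(self):
        """Flush both tiers on a rule change; a stale hardware entry would otherwise keep
        applying the old verdict.  Not described in the claims; added for the example."""
        self.cache.clear()
        self.hw.table.clear()


class Pnic:
    def __init__(self, rules):
        self.hw = HardwareSwitch()
        self.first_fw = FirstFirewall(rules)
        self.flow_cache = FlowCacheFirewall(self.first_fw, self.hw)

    def receive(self, pkt):
        """Ingress from a VF or the physical port (claim 8): lowest tier with a record wins."""
        actions = self.hw.process(pkt)
        return actions if actions is not None else self.flow_cache.process(pkt)


def demo():
    """Constructed traffic: three flows from tenant VNI 5001, each sent three times, then
    one packet from tenant VNI 5002 whose 5-tuple is identical to the allowed HTTPS flow."""
    rules = [Rule({"dst": "10.0.0.5", "dport": 443, "proto": "tcp", "vni": 5001}, ["allow"]),
             Rule({"dst": "10.0.0.5", "dport": 80, "proto": "tcp", "vni": 5001}, ["allow", "dpi"])]
    pnic = Pnic(rules)
    https = Packet(("192.0.2.10", "10.0.0.5", 40000, 443, "tcp", 100, 5001))
    http = Packet(("192.0.2.10", "10.0.0.5", 40001, 80, "tcp", 100, 5001))
    ssh = Packet(("192.0.2.10", "10.0.0.5", 40002, 22, "tcp", 100, 5001))
    other_tenant = Packet(("192.0.2.10", "10.0.0.5", 40000, 443, "tcp", 100, 5002))
    verdicts = {}
    for _ in range(3):
        for name, pkt in (("https", https), ("http", http), ("ssh", ssh)):
            verdicts[name] = pkt and pnic.receive(pkt)
    verdicts["other_tenant"] = pnic.receive(other_tenant)
    return pnic, verdicts
```

Running `demo()` shows the division of labour the claims describe: the first firewall is consulted exactly once per distinct flow (four evaluations for nine packets plus the cross-tenant one), the HTTPS and SSH verdicts are served from the hardware table from the second packet on, and the HTTP flow, whose record carries a DPI action, stays in the flow cache because that service cannot be expressed as a hardware verdict. Two checks a practitioner should keep in mind when evaluating an implementation of this architecture: the flow key must include the VNI or VLAN ID, otherwise the other tenant's packet would hit the cached "allow" record instead of being evaluated and dropped, and a rule change must invalidate records in both the flow cache and the hardware table, since neither tier re-consults the rules once a record exists.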

Assignees

VMware LLC

Inventors

Classifications

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Rule management · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Distributed architectures, e.g. distributed firewalls · CPC title

  • by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12585489B2 cover?
Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a f…
Who is the assignee on this patent?
VMware LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/0218. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 24, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).