Migrating virtual machines while performing middlebox service operations at a PNIC

The invention claimed is: 1 . A method for migrating virtual machines (VMs) from a first host computer to a second host computer, the first host computer connected to a physical network interface card (PNIC) that performs middlebox service operations for data message flows associated with the VMs, the method comprising: at the PNIC: receiving a notification that a particular VM is to be migrated from the first host computer to the second host computer; configuring an embedded hardware switch of the PNIC to forward a set of data message flows associated with the particular VM to a firewall of the PNIC, wherein the embedded hardware switch was initially programmed to process the set of data message flows instead of the firewall; synchronizing flow cache information regarding the set of data message flows from a first flow record table of the embedded hardware switch to a second flow record table of the firewall; and processing the set of data message flows at the firewall until the particular VM is migrated to the second host computer. 2 . The method of claim 1 , wherein receiving the notification comprises receiving the notification at the embedded hardware switch. 3 . The method of claim 2 , wherein the notification is received from the particular VM. 4 . The method of claim 3 , wherein the notification is received from the particular VM through a virtual network interface card (VNIC) of the particular VM that connects to a virtual function (VF) of the PNIC. 5 . The method of claim 4 , wherein the VF is a virtualized peripheral component interconnect express (PCIe) function exposed as an interface of the PNIC. 6 . The method of claim 5 , wherein the VF is associated with a physical interface of the PNIC. 7 . The method of claim 1 , wherein configuring the embedded hardware switch comprises configuring the embedded hardware switch to forward the set of data message flows to the firewall without processing the set of data message flows. 8 . The method of claim 1 , wherein synchronizing the flow cache information comprises extracting, for each data message flow in the set of data message flows, a flow record from the first flow record table and storing the flow record in the second flow record table. 9 . The method of claim 8 , wherein each flow record for each data message flow comprises a flow identifier (ID) identifying the data message flow and a set of one or more actions to perform on data messages of the data message flow. 10 . The method of claim 9 , wherein the flow ID is at least one of a source network address, a destination network address, a source port, a destination port, a protocol of the data message flow, a virtual local area network (VLAN) ID, and a virtual network identifier (VNI). 11 . The method of claim 9 , wherein each set of actions for each data message flow comprises one of (i) allowing the data message flow, (ii) dropping the data message flow, or (iii) blocking the data message flow. 12 . The method of claim 11 , wherein at least one set of actions for at least one data message flow comprises performing at least one middlebox service operation on the data message flow. 13 . The method of claim 12 , wherein the at least one middlebox service operation is at least one of (i) an intrusion detection system (IDS) service, (ii) a network address translation (NAT) service, (iii) a load balancing service, and (iv) a deep packet inspection (DPI) service. 14 . The method of claim 8 , wherein, after the extracting, the first flow record table no longer stores the flow records for the set of data message flows such that the embedded hardware switch is no longer able to process the set of data message flows. 15 . The method of claim 1 further comprising, while processing the set of data message flows at the firewall, providing the flow cache information and a set of firewall rules associated with the set of data message flows to the second host computer to migrate the particular VM to the second host computer. 16 . The method of claim 15 , wherein providing the flow cache information and the set of firewall rules to the second host computer comprises providing the flow cache information and the set of firewall rules from the firewall to the embedded hardware switch to provide to the second host computer. 17 . The method of claim 1 , wherein: the firewall is a first firewall, the receiving, configuring, synchronizing, and processing are performed by a flow-cache second firewall of the PNIC, and processing the set of data message flows at the first firewall comprises providing the set of data messages to the first firewall for processing. 18 . The method of claim 1 , wherein the notification is a first notification, the method further comprising: receiving a second notification that migration of the particular VM to the second host computer has failed; and after receiving the second notification, reconfiguring the embedded hardware switch to process the set of data message flows without providing the set of data message flows to the firewall. 19 . The method of claim 18 , wherein reconfiguring the embedded hardware switch comprises providing the flow cache information a second time to the embedded hardware switch to store in the first flow record table. 20 . A non-transitory machine readable medium storing a program for execution by at least one processing unit for migrating virtual machines (VMs) from a first host computer to a second host computer, the first host computer connected to a physical network interface card (PNIC) that performs middlebox service operations for data message flows associated with the VMs, the program comprising sets of instructions for: at the PNIC: receiving a notification that a particular VM is to be migrated from the first host computer to the second host computer; configuring an embedded hardware switch of the PNIC to forward a set of data message flows associated with the particular VM to a firewall of the PNIC, wherein the embedded hardware switch was initially programmed to process the set of data message flows instead of the firewall; synchronizing flow cache information regarding the set of data message flows from a first flow record table of the embedded hardware switch to a second flow record table of the firewall; and processing the set of data message flows at the firewall until the particular VM is migrated to the second host computer.