Date: Tue, 28 Jan 2025 10:47:27 -0800
From: Stephen Hemminger
To: Sid ali cherrati
Cc: users@dpdk.org
Subject: Re: DPDK Flow Filtering Not Working as Expected
Message-ID: <20250128104727.0a1cb988@hermes.local>

On Tue, 28 Jan 2025 17:54:40 +0100
Sid ali cherrati wrote:

> Dear DPDK Team,
>
> I am attempting to use DPDK's rte_flow API to filter incoming packets at
> the hardware level. My goal is to drop all packets except those with a
> specific IP address and UDP port.
>
> I have implemented the following flow filtering rule in my code:
> int flow_filtering(uint16_t port_id, uint32_t ip_addr, uint16_t udp_port) {
>     struct rte_flow_error error;
>     struct rte_flow_attr attr;
>     struct rte_flow_item pattern[4]; // 4 to include END
>     struct rte_flow_action action[2];
>     struct rte_flow *flow;
>
>     // Fill in the rule attributes
>     memset(&attr, 0, sizeof(struct rte_flow_attr));
>     attr.ingress = 1; // Rule for incoming traffic
>     attr.priority = 1000; // High priority so that this rule is applied first
>
>     // Define the match pattern (IP + UDP)
>     memset(pattern, 0, sizeof(pattern));
>
>     pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
>
>     // IPv4 pattern
>     pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
>     pattern[1].spec = &(struct rte_flow_item_ipv4){
>         .hdr = {
>             .dst_addr = RTE_BE32(ip_addr), // Destination IP address
>         }
>     };
>     pattern[1].mask = &(struct rte_flow_item_ipv4){
>         .hdr = {
>             .dst_addr = RTE_BE32(0xFFFFFFFF), // Mask for the IP address
>         }
>     };
>
>     // UDP pattern
>     pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
>     pattern[2].spec = &(struct rte_flow_item_udp){
>         .hdr = {
>             .dst_port = RTE_BE16(udp_port), // Destination port
>         }
>     };
>     pattern[2].mask = &(struct rte_flow_item_udp){
>         .hdr = {
>             .dst_port = RTE_BE16(0xFFFF), // Mask for the port
>         }
>     };
>
>     // End of the pattern
>     pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
>
>     // Define the action (accept the packet)
>     memset(action, 0, sizeof(action));
>
>     // Send to queue RX_ID
>     action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
>     action[0].conf = &(struct rte_flow_action_queue){
>         .index = RX_ID, // Send the packets to queue RX_ID
>     };
>
>     // End of the action list
>     action[1].type = RTE_FLOW_ACTION_TYPE_END;
>
>     // Create the filtering rule
>     flow = rte_flow_create(port_id, &attr, pattern, action, &error);
>     if (flow == NULL) {
>         printf("Erreur lors de la création de la règle de filtrage : %s\n",
>                error.message);
>         return -1;
>     }
>
>     // Print a success message
>     printf(
>         "Règle de filtrage créee avec succès pour l'IP %u.%u.%u.%u et le port %u\n",
>         (ip_addr >> 24) & 0xFF,
>         (ip_addr >> 16) & 0xFF,
>         (ip_addr >> 8) & 0xFF,
>         ip_addr & 0xFF,
>         udp_port
>     );
>
>     return 0;
> }
>
> However, despite this configuration, I continue to receive packets with
> other IP addresses and ports that do not match the specified filter.
>
> Could you provide any insights into why the filtering isn't working as
> expected? Any advice on ensuring the rule is properly applied at the
> hardware level would be greatly appreciated.
>
> Thank you for your assistance.
>
> Best regards,
>
> Ali

You need to add a wildcard flow filter (i.e. match all) with a drop action.
The default when there are no matches to any flow is to process the packet
as normal using default queues.
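
The behaviour described in the reply, as an added example that is not part of the original thread and is not DPDK code: a small C model of flow classification in which an unmatched packet goes to the default queues until a match-all drop rule is installed behind the queue rule. The rule table, the sample address 192.168.1.10 and port 5000, the priorities 0 and 1, and all function names are constructed for illustration; in rte_flow the second rule would be a pattern with no spec or mask and an RTE_FLOW_ACTION_TYPE_DROP action.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of NIC flow classification (constructed for illustration,
 * not DPDK code). As in rte_flow, a lower priority value wins. */
enum verdict { DEFAULT_QUEUES, TO_QUEUE, DROPPED };

struct pkt { uint32_t dst_ip; uint16_t dst_port; };

struct rule {
    uint32_t priority;        /* 0 = highest, like rte_flow_attr.priority */
    uint32_t ip, ip_mask;     /* a mask of 0 makes the field a wildcard */
    uint16_t port, port_mask;
    enum verdict action;
};

static int matches(const struct rule *r, const struct pkt *p)
{
    return ((p->dst_ip ^ r->ip) & r->ip_mask) == 0 &&
           ((p->dst_port ^ r->port) & r->port_mask) == 0;
}

/* Pick the matching rule with the lowest priority value. With no match the
 * packet falls through to normal processing on the default queues. */
enum verdict classify(const struct rule *rules, size_t n, const struct pkt *p)
{
    const struct rule *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (matches(&rules[i], p) && (!best || rules[i].priority < best->priority))
            best = &rules[i];
    return best ? best->action : DEFAULT_QUEUES;
}

/* Constructed sample values: 192.168.1.10, UDP port 5000. */
#define SAMPLE_IP   0xC0A8010Au
#define SAMPLE_PORT 5000

/* Rule 0 is modelled on the queue rule from the question; rule 1 is the
 * match-all drop rule, given a larger priority value so rule 0 still wins. */
static const struct rule table[] = {
    { 0, SAMPLE_IP, 0xFFFFFFFFu, SAMPLE_PORT, 0xFFFF, TO_QUEUE },
    { 1, 0, 0, 0, 0, DROPPED },
};

/* Verdict for a packet when only the first n_rules entries are installed. */
enum verdict verdict_for(size_t n_rules, uint32_t ip, uint16_t port)
{
    struct pkt p = { ip, port };
    return classify(table, n_rules, &p);
}
```

With one rule installed, a packet for another address is still delivered through the default queues; with both installed it is dropped, while the selected flow keeps reaching its queue.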