From: Sid ali cherrati
Date: Mon, 3 Feb 2025 14:51:46 +0100
Subject: Re: DPDK Flow Filtering Not Working as Expected
To: Dmitry Kozlyuk
Cc: users@dpdk.org
References: <20250128214616.3f9324de@sovereign>
In-Reply-To: <20250128214616.3f9324de@sovereign>
List-Id: DPDK usage discussions

Hello Dmitry,

I followed your suggestions, and this is what I came up with:

#include "../include/flow.h"
#include <stdio.h>
#include <string.h>
#include <rte_flow.h>

int flow_filtering(uint16_t port_id, uint32_t ip_addr, uint16_t udp_port) {
    struct rte_flow_error error;
    struct rte_flow_attr attr = { .ingress = 1, .priority = 0 };
    struct rte_flow_item pattern[4];
    struct rte_flow_action action[2];
    struct rte_flow *flow;

    // Define the Ethernet pattern
    memset(pattern, 0, sizeof(pattern));
    pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
    // Define the IPv4 pattern
    struct rte_flow_item_ipv4 ipv4_spec = { .hdr.dst_addr = RTE_BE32(ip_addr) };
    struct rte_flow_item_ipv4 ipv4_mask = { .hdr.dst_addr = RTE_BE32(0xFFFFFFFF) };
    pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
    pattern[1].spec = &ipv4_spec;
    pattern[1].mask = &ipv4_mask;

    // Define the UDP pattern
    struct rte_flow_item_udp udp_spec = { .hdr.dst_port = RTE_BE16(udp_port) };
    struct rte_flow_item_udp udp_mask = { .hdr.dst_port = RTE_BE16(0xFFFF) };
    pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
    pattern[2].spec = &udp_spec;
    pattern[2].mask = &udp_mask;

    // End the pattern
    pattern[3].type = RTE_FLOW_ITEM_TYPE_END;

    // Define the action
    action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
    struct rte_flow_action_queue queue_action = { .index = 0 };
    action[0].conf = &queue_action;
    action[1].type = RTE_FLOW_ACTION_TYPE_END;

    // Create the flow rule
    flow = rte_flow_create(port_id, &attr, pattern, action, &error);
    if (!flow) {
        printf("Erreur lors de la création de la règle de flux : %s\n", error.message);
        return -1;
    }

    // rte_flow_isolate(port_id, 1, &error);

    printf("Règle de flux créée avec succès pour IP %u.%u.%u.%u et port UDP %u\n",
           (ip_addr >> 24) & 0xFF, (ip_addr >> 16) & 0xFF,
           (ip_addr >> 8) & 0xFF, ip_addr & 0xFF, udp_port);

    return 0;
}

int create_drop_all_rule(uint16_t port_id) {
    struct rte_flow_attr attr = { .ingress = 1, .priority = 1};
    struct rte_flow_item pattern[2];
    struct rte_flow_action actions[2];
    struct rte_flow *flow;
    struct rte_flow_error error;

    pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
    pattern[1].type = RTE_FLOW_ITEM_TYPE_END;

    actions[0].type = RTE_FLOW_ACTION_TYPE_DROP;
    actions[1].type = RTE_FLOW_ACTION_TYPE_END;

    if (!rte_flow_validate(port_id, &attr, pattern, actions, &error)){
        flow = rte_flow_create(port_id, &attr, pattern, actions, &error);
    }

    if(flow != 0){
        printf("Filed to create drop flow filter \n");
        return -1;
    }

    printf("Default drop rule created successfully.\n");
    return 0;
}

#include "../include/port.h"
#include "../include/flow.h"
#include <stdio.h>
#include <rte_eal.h>
#include <rte_mbuf.h>
#include <rte_ethdev.h>
#include <rte_ether.h>
#include <rte_ip.h>
#include <rte_cycles.h>
#include <arpa/inet.h>

#define MAX_PKT_BURST 32

int main(int argc, char **argv) {
    struct rte_mempool *mbuf_pool;
    int ret;

    // Initialize the EAL
    ret = rte_eal_init(argc, argv);
    if (ret < 0) {
        rte_exit(EXIT_FAILURE, "Erreur lors de l'initialisation de l'EAL\n");
    }

    // Create the mbuf pool
    mbuf_pool = rte_pktmbuf_pool_create("MBUF_POOL", NUM_MBUFS, MBUF_CACHE_SIZE, 0,
                                        RTE_MBUF_DEFAULT_BUF_SIZE, rte_socket_id());
    if (!mbuf_pool) {
        rte_exit(EXIT_FAILURE, "Impossible de créer le pool de mbufs\n");
    }

    if (port_init(PORT_ID, mbuf_pool) != 0) {
        rte_exit(EXIT_FAILURE, "Erreur initialisation port\n");
    }

    // Create the main rule
    uint32_t ip_addr = RTE_IPV4(10, 81, 16, 111);
    uint16_t udp_port = 1234;

    if (flow_filtering(PORT_ID, ip_addr, udp_port) != 0) {
        rte_exit(EXIT_FAILURE, "Erreur création règle principale\n");
    }

    // Create the drop-all rule
    if (create_drop_all_rule(PORT_ID) != 0) {
        rte_exit(EXIT_FAILURE, "Erreur création règle drop-all\n");
    }

    printf("Traitement des paquets...\n");
    struct rte_mbuf *bufs[MAX_PKT_BURST];

    while (1) {
        // Receive a burst of packets from RX queue 0
        const uint16_t nb_rx = rte_eth_rx_burst(PORT_ID, 0, bufs, MAX_PKT_BURST);
        if (nb_rx > 0) {
            printf("Reçu %u paquet(s)\n", nb_rx);
            for (uint16_t i = 0; i < nb_rx; i++) {
                // Print the packet size
                printf("Paquet %u : taille = %u octets\n",
                       i, rte_pktmbuf_pkt_len(bufs[i]));

                // Process the packet to print the source and destination addresses
                struct rte_ether_hdr *eth_hdr;
                eth_hdr = rte_pktmbuf_mtod(bufs[i], struct rte_ether_hdr *);

                // Check that the packet is IPv4
                if (rte_be_to_cpu_16(eth_hdr->ether_type) == RTE_ETHER_TYPE_IPV4) {
                    struct rte_ipv4_hdr *ip_hdr;
                    ip_hdr = (struct rte_ipv4_hdr *)(eth_hdr + 1);

                    // Read the source and destination addresses; they stay in
                    // network byte order because inet_ntop() expects that
                    uint32_t src_ip = ip_hdr->src_addr;
                    uint32_t dst_ip = ip_hdr->dst_addr;
                    // Convert the addresses to readable strings
                    char src_str[INET_ADDRSTRLEN];
                    char dst_str[INET_ADDRSTRLEN];
                    inet_ntop(AF_INET, &src_ip, src_str, INET_ADDRSTRLEN);
                    inet_ntop(AF_INET, &dst_ip, dst_str, INET_ADDRSTRLEN);

                    printf("Adresse source : %s\n", src_str);
                    printf("Adresse destination : %s\n", dst_str);
                } else {
                    printf("Paquet non IPv4, impossible d'extraire les adresses\n");
                }

                // Free the mbuf once processing is done
                rte_pktmbuf_free(bufs[i]);
            }
        }
        // Short pause to avoid excessive CPU usage
        rte_delay_us_block(100);
    }

    // Cleanup
    port_cleanup(PORT_ID);
    return 0;
}

The issue is that when I implement this, I get an error on the drop filter: "Failed to create rule." Do you have any idea why this might be happening?

Thank you for your time.

Best regards,
Ali

On Tue, 28 Jan 2025 at 19:46, Dmitry Kozlyuk wrote:

> Hi Ali,
>
> 2025-01-28 17:54 (UTC+0100), Sid ali cherrati:
> > I am attempting to use DPDK's rte_flow API to filter incoming packets at
> > the hardware level. My goal is to drop all packets except those with a
> > specific IP address and UDP port.
> >
> > I have implemented the following flow filtering rule in my code:
> > [...]
> > However, despite this configuration, I continue to receive packets with
> > other IP addresses and ports that do not match the specified filter.
>
> Packets that do not match the rule pattern are processed as usual.
> If without the rule queue RX_ID could receive any packet,
> it will also receive them after the rule is created.
> You need another rule with lower priority (BTW, 0 is the highest one)
> that matches all packets and drops them or steers to other queues.
> If you want your DPDK app to only process packets matching the rule
> and to leave all other traffic for the OS to process,
> flow isolated mode may be what you're looking for:
>
> https://doc.dpdk.org/guides/prog_guide/ethdev/flow_offload.html#flow-isolated-mode
>
> > Could you provide any insights into why the filtering isn't working as
> > expected? Any advice on ensuring the rule is properly applied at the
> > hardware level would be greatly appreciated.
>
> The usual way to check that the rule is matched
> is to add a counter to the rule and check if it increases.
> I suggest using testpmd for playing with flow rules:
>
> https://doc.dpdk.org/guides/testpmd_app_ug/testpmd_funcs.html#flow-rules-management
>
> There was also a useful talk about HW rules debugging on DPDK Summit:
>
> https://dpdksummit2024.sched.com/event/1iAtU/debug-functional-and-performance-issues-in-rteflow-dariusz-sosnowski-nvidia-corp

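The point made in the quoted reply (packets matching no rule are processed as usual, so a lower-priority catch-all rule is needed, and a counter shows whether a rule is hit) as a small software model. This is an added example, not code from the thread and not DPDK's rte_flow API: `struct rule`, `classify()`, `delivered()` and the sample packets are constructed for illustration, and the model assumes priority 0 is the highest, as stated in the reply.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model only: hypothetical types, not DPDK's rte_flow API. */
enum verdict { PASS_DEFAULT, TO_QUEUE, DROPPED };
struct pkt { uint32_t dst_ip; uint16_t dst_port; };
struct rule {
    uint32_t priority;            /* 0 is the highest priority */
    uint32_t dst_ip, ip_mask;     /* host byte order; mask 0 matches any address */
    uint16_t dst_port, port_mask; /* mask 0 matches any port */
    enum verdict action;
    uint64_t hits;                /* stands in for a counter attached to the rule */
};
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
/* The match rule from the thread: 10.81.16.111, UDP port 1234, priority 0. */
#define WANTED { 0, IP4(10, 81, 16, 111), 0xFFFFFFFF, 1234, 0xFFFF, TO_QUEUE, 0 }

/* Apply the highest-priority matching rule. A packet that matches no rule
 * is delivered as usual, which is why one QUEUE rule alone filters nothing. */
enum verdict classify(struct rule *rules, size_t n, struct pkt p)
{
    struct rule *best = NULL;
    for (size_t i = 0; i < n; i++) {
        struct rule *r = &rules[i];
        if ((p.dst_ip & r->ip_mask) != (r->dst_ip & r->ip_mask)) continue;
        if ((p.dst_port & r->port_mask) != (r->dst_port & r->port_mask)) continue;
        if (best == NULL || r->priority < best->priority) best = r;
    }
    if (best == NULL) return PASS_DEFAULT;
    best->hits++;
    return best->action;
}

/* Constructed sample traffic: one wanted packet, three unwanted ones. */
static const struct pkt sample[] = {
    { IP4(10, 81, 16, 111), 1234 }, /* wanted */
    { IP4(10, 81, 16, 111), 53 },   /* right address, wrong port */
    { IP4(10, 81, 16, 7), 1234 },   /* wrong address, right port */
    { IP4(192, 168, 1, 1), 80 },
};

/* Number of sample packets that still reach the application. */
unsigned delivered(struct rule *rules, size_t n)
{
    unsigned count = 0;
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        if (classify(rules, n, sample[i]) != DROPPED) count++;
    return count;
}

struct rule match_only[] = { WANTED };
/* Catch-all drop rule at priority 1, listed first: table order does not matter. */
struct rule match_and_drop[] = { { 1, 0, 0, 0, 0, DROPPED, 0 }, WANTED };

int main(void)
{
    printf("match rule only: %u of 4 delivered\n", delivered(match_only, 1));
    printf("with drop-all:   %u of 4 delivered\n", delivered(match_and_drop, 2));
    return 0;
}
```

After a run, the `hits` field of each rule plays the role of the counter check: a match rule whose counter stays at zero is not being hit by the traffic.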