DPDK Flow Filtering Not Working as Expected

[Sid ali cherrati <scherrati1@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2770 bytes --]

Dear DPDK Team,

I am attempting to use DPDK's rte_flow API to filter incoming packets at
the hardware level. My goal is to drop all packets except those with a
specific IP address and UDP port.

I have implemented the following flow filtering rule in my code:
int flow_filtering(uint16_t port_id, uint32_t ip_addr, uint16_t udp_port) {
struct rte_flow_error error;
struct rte_flow_attr attr;
struct rte_flow_item pattern[4]; // 4 pour inclure END
struct rte_flow_action action[2];
struct rte_flow *flow;

// Remplir l'attribut de la règle
memset(&attr, 0, sizeof(struct rte_flow_attr));
attr.ingress = 1; // Règle pour le trafic entrant
attr.priority = 1000; // Priorité haute pour que cette règle soit appliquée
en premier

// Définir le motif de filtrage (IP + UDP)
memset(pattern, 0, sizeof(pattern));

pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;

// Motif IPv4
pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
pattern[1].spec = &(struct rte_flow_item_ipv4){
.hdr = {
.dst_addr = RTE_BE32(ip_addr), // Adresse IP de destination
}
};
pattern[1].mask = &(struct rte_flow_item_ipv4){
.hdr = {
.dst_addr = RTE_BE32(0xFFFFFFFF), // Masque pour l'adresse IP
}
};

// Motif UDP
pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
pattern[2].spec = &(struct rte_flow_item_udp){
.hdr = {
.dst_port = RTE_BE16(udp_port), // Port de destination
}
};
pattern[2].mask = &(struct rte_flow_item_udp){
.hdr = {
.dst_port = RTE_BE16(0xFFFF), // Masque pour le port
}
};

// Fin du motif
pattern[3].type = RTE_FLOW_ITEM_TYPE_END;

// Définir l'action (accepter le paquet)
memset(action, 0, sizeof(action));

// Envoyer à la file RX_ID
action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
action[0].conf = &(struct rte_flow_action_queue){
.index = RX_ID, // Envoyer les paquets à la file RX_ID
};

// Fin de la liste d'actions
action[1].type = RTE_FLOW_ACTION_TYPE_END;

// Créer la règle de filtrage
flow = rte_flow_create(port_id, &attr, pattern, action, &error);
if (flow == NULL) {
printf("Erreur lors de la création de la règle de filtrage : %s\n", error.
message);
return -1;
}

// Afficher un message de succès
printf(
"Règle de filtrage créee avec succès pour l'IP %u.%u.%u.%u et le port %u\n",
(ip_addr >> 24) & 0xFF,
(ip_addr >> 16) & 0xFF,
(ip_addr >> 8) & 0xFF,
ip_addr & 0xFF,
udp_port
);

return 0;
}

However, despite this configuration, I continue to receive packets with
other IP addresses and ports that do not match the specified filter.

Could you provide any insights into why the filtering isn't working as
expected? Any advice on ensuring the rule is properly applied at the
hardware level would be greatly appreciated.

Thank you for your assistance.

Best regards,

Ali

[-- Attachment #2: Type: text/html, Size: 24550 bytes --]