Dear DPDK Team,

I am attempting to use DPDK's rte_flow API to filter incoming packets at the hardware level. My goal is to drop all packets except those with a specific IP address and UDP port.

I have implemented the following flow filtering rule in my code:

int flow_filtering(uint16_t port_id, uint32_t ip_addr, uint16_t udp_port) {
    struct rte_flow_error error;
    struct rte_flow_attr attr;
    struct rte_flow_item pattern[4]; // 4 pour inclure END
    struct rte_flow_action action[2];
    struct rte_flow *flow;

    // Remplir l'attribut de la règle
    memset(&attr, 0, sizeof(struct rte_flow_attr));
    attr.ingress = 1; // Règle pour le trafic entrant
    attr.priority = 1000; // Priorité haute pour que cette règle soit appliquée en premier

    // Définir le motif de filtrage (IP + UDP)
    memset(pattern, 0, sizeof(pattern));

    pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;

    // Motif IPv4
    pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
    pattern[1].spec = &(struct rte_flow_item_ipv4){
        .hdr = {
            .dst_addr = RTE_BE32(ip_addr), // Adresse IP de destination
        }
    };
    
    pattern[1].mask = &(struct rte_flow_item_ipv4){
        .hdr = {
            .dst_addr = RTE_BE32(0xFFFFFFFF), // Masque pour l'adresse IP
        }
    };

    // Motif UDP
    pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
    pattern[2].spec = &(struct rte_flow_item_udp){
        .hdr = {
            .dst_port = RTE_BE16(udp_port), // Port de destination
        }
    };
    pattern[2].mask = &(struct rte_flow_item_udp){
        .hdr = {
            .dst_port = RTE_BE16(0xFFFF), // Masque pour le port
        }
    };

    // Fin du motif
    pattern[3].type = RTE_FLOW_ITEM_TYPE_END;

    // Définir l'action (accepter le paquet)
    memset(action, 0, sizeof(action));

    // Envoyer à la file RX_ID
    action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
    action[0].conf = &(struct rte_flow_action_queue){
        .index = RX_ID, // Envoyer les paquets à la file RX_ID
    };

    // Fin de la liste d'actions
    action[1].type = RTE_FLOW_ACTION_TYPE_END;

    // Créer la règle de filtrage
    flow = rte_flow_create(port_id, &attr, pattern, action, &error);
    if (flow == NULL) {
        printf("Erreur lors de la création de la règle de filtrage : %s\n", error.message);
        return -1;
    }

    // Afficher un message de succès
    printf(
        "Règle de filtrage créee avec succès pour l'IP %u.%u.%u.%u et le port %u\n",
        (ip_addr >> 24) & 0xFF,
        (ip_addr >> 16) & 0xFF,
        (ip_addr >> 8) & 0xFF,
        ip_addr & 0xFF,
        udp_port
    );

    return 0;
}

However, despite this configuration, I continue to receive packets with other IP addresses and ports that do not match the specified filter.

Could you provide any insights into why the filtering isn't working as expected? Any advice on ensuring the rule is properly applied at the hardware level would be greatly appreciated.

Thank you for your assistance.

Best regards,

Ali