19. ICE DCF ACL filter

19.1. Description

Support CPF to program ACL rules that control packets to VFs. Currently, only the “drop” action is supported.

  1. Deny packets according to IPV4 SRC/DST subnet
  2. Deny packets according to L4 (UDP/TCP/SCTP) SRC/DST PORT
  3. Deny packets according to IPV4 SRC/DST, TCP/UDP/SCTP SRC/DST PORT
  4. Deny packets according to ETH SRC/DST MAC, IPV4 SRC/DST, TCP/UDP/SCTP SRC/DST PORT

Note: Each NIC has 16 TCAM blocks. Because TCAM resources are limited, a 2-port card can support denying packets according to ETH SRC/DST MAC, but a 4-port card can’t.

19.2. Prerequisites

  1. Hardware: Intel® Ethernet 800 Series: E810-XXVDA4/E810-CQ

  2. Software:

    dpdk: http://dpdk.org/git/dpdk
    scapy: http://www.secdev.org/projects/scapy/

  3. Support ice pkg:

    os default/comms/wireless
    
  4. Compile DPDK:

    CC=gcc meson -Denable_kmods=True -Dlibdir=lib  --default-library=static x86_64-native-linuxapp-gcc
    ninja -C x86_64-native-linuxapp-gcc
    
  5. Get the pci device id of DUT, for example:

    ./usertools/dpdk-devbind.py -s
    
    0000:86:00.0 'Device 1593' if=enp134s0f0 drv=ice unused=vfio-pci
    0000:86:00.1 'Device 1593' if=enp134s0f1 drv=ice unused=vfio-pci
    
  6. Generate 2 VFs on PF0:

    echo 2 > /sys/bus/pci/devices/0000:86:00.0/sriov_numvfs
    
    ./usertools/dpdk-devbind.py -s
    0000:86:01.0 'Ethernet Adaptive Virtual Function 1889' if=enp134s1 drv=iavf unused=vfio-pci
    0000:86:01.1 'Ethernet Adaptive Virtual Function 1889' if=enp134s1f1 drv=iavf unused=vfio-pci
    
  7. Set VF0 as trust:

    ip link set enp134s0f0 vf 0 trust on
    

    Set VF1 MAC address:

    ip link set enp134s0f0 vf 1 mac 00:01:23:45:67:89
    
  8. Bind VFs to dpdk driver:

    modprobe vfio-pci
    ./usertools/dpdk-devbind.py -b vfio-pci 0000:86:01.0 0000:86:01.1
    
  9. Launch dpdk on VF0, and VF0 request DCF mode:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf -n 4 -a 0000:86:01.0,cap=dcf --file-prefix=vf0 --log-level="ice,7" -- -i
    testpmd> set fwd mac
    testpmd> set verbose 1
    testpmd> start
    testpmd> show port info all
    

    Check that the VF0 driver is net_ice_dcf. The MAC address is 42:52:CC:FD:CC:BB.

  10. Launch dpdk on VF1:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf0 -n 4 -a 86:01.1 --file-prefix=vf1 -- -i
    testpmd> set fwd rxonly
    testpmd> set verbose 1
    testpmd> start
    testpmd> show port info all
    
    Check that the VF1 driver is net_iavf. The MAC address is 00:01:23:45:67:89.

    Or launch one testpmd on VF0 and VF1:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf -n 4 -a 0000:86:01.0,cap=dcf,representor=vf[1] -a 86:01.1 --file-prefix=vf0 --log-level="ice,7" -- -i

19.3. Common steps of basic cases

  1. create a rule successfully.
  2. send matched packets, check that the packets are dropped by VF1.
  3. send unmatched packets, check that the packets are received by VF1.
  4. delete the rule.
  5. send matched packets again, check that all the packets are received by VF1.

19.4. Test Case 1: pattern IPV4

19.4.1. Subcase 1: src mac(only 2ports NIC support)

  1. rule:

    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask 00:ff:ff:ff:ff:ff / ipv4 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="01:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="02:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="ff:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="01:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:66:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:66:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:66", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:32:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="01:11:22:33:44:66", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    

19.4.2. Subcase 2: dst mac(only 2ports NIC support)

On the Rx side, the ACL filter follows the switch filter in the pipeline. So we need to set the switch filter first, to switch some packets whose dst MAC address is not VF1’s MAC address. Then the ACL filter can filter the packets by dst MAC address.

  1. rule:

    flow create 0 ingress pattern eth dst is 00:11:22:33:44:55 / ipv4 / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 00:11:22:33:44:66 / ipv4 / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 00:11:22:33:66:55 / ipv4 / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:00 / ipv4 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:02:00:00:00:01", dst="00:11:22:33:44:55")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:02:00:00:00:01", dst="00:11:22:33:44:66")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:02:00:00:00:01", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:02:00:00:00:01", dst="00:11:22:33:66:55")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

Note: only delete ACL rule in step 4:

    flow destroy 0 rule 3

19.4.3. Subcase 3: src ipv4

  1. rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.158", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.255", dst="192.168.0.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.255", dst="192.168.0.2")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.255", dst="192.168.0.2")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    

19.4.4. Subcase 4: dst ipv4

  1. rule:

    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.0 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.0")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.158")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.255")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.255")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.255")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    

19.4.5. Subcase 5: src ipv4 + dst ipv4

  1. rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.255", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.158", dst="192.168.255.2")/UDP()/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.1.2")/TCP()/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.1.2")/SCTP()/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.1.2")/ICMP()/Raw(load='X'*30)], iface="enp216s0f0")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.3")/TCP()/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.3")/SCTP()/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.3")/ICMP()/Raw(load='X'*30)], iface="enp216s0f0")
    

19.4.6. Subcase 6: src mac + dst mac + src ipv4 + dst ipv4(only 2port NIC support)

  1. rule:

    flow create 0 ingress pattern eth dst is 33:00:00:00:00:01 / ipv4 / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 33:00:00:00:00:02 / ipv4 / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 33:00:00:00:00:03 / ipv4 / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 33:00:00:00:00:02 dst mask ff:ff:ff:ff:ff:fe \
    / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:1b", dst="33:00:00:00:00:02")/IP(src="192.168.0.255", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:00", dst="33:00:00:00:00:03")/IP(src="192.168.0.158", dst="192.168.255.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:ff", dst="33:00:00:00:00:02")/IP(src="192.168.0.0", dst="192.168.1.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:ff", dst="33:00:00:00:00:02")/IP(src="192.168.0.0", dst="192.168.1.2")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:ff", dst="33:00:00:00:00:02")/IP(src="192.168.0.0", dst="192.168.1.2")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:66:55", dst="33:00:00:00:00:02")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="33:00:00:00:00:01")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="33:00:00:00:00:02")/IP(src="192.168.1.1", dst="192.168.0.2")/TCP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="33:00:00:00:00:02")/IP(src="192.168.0.1", dst="192.168.0.3")/SCTP()/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="33:00:00:00:00:02")/IP(src="192.168.0.1", dst="192.168.0.3")/ICMP()/Raw(load='X'*30)], iface="enp134s0f1")
    

Note: only delete ACL rule in step 4:

    flow destroy 0 rule 3

19.5. Test Case 2: pattern IPV4_TCP

19.5.1. Subcase 1: src mac(only 2ports NIC support)

  1. rule:

    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:fe / ipv4 / tcp / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:54", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:57", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IPv6()/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

19.5.2. Subcase 2: dst mac(only 2ports NIC support)

On the Rx side, the ACL filter follows the switch filter in the pipeline. So we need to set the switch filter first, to switch some packets whose dst MAC address is not VF1’s MAC address. Then the ACL filter can filter the packets by dst MAC address.

  1. rule:

    flow create 0 ingress pattern eth dst is 00:11:22:33:44:55 / ipv4 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 00:11:22:33:44:66 / ipv4 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 00:11:22:33:66:55 / ipv4 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:00 / ipv4 / tcp / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:02:00:00:00:01", dst="00:11:22:33:44:55")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:02:00:00:00:01", dst="00:11:22:33:44:66")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:02:00:00:00:01", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:02:00:00:00:01", dst="00:11:22:33:66:55")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    

Note: only delete ACL rule in step 4:

    flow destroy 0 rule 3

19.5.3. Subcase 3: src ipv4

  1. rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.254 / tcp / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

19.5.4. Subcase 4: dst ipv4

  1. rule:

    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.243 / tcp / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.14")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.3")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/SCTP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

19.5.5. Subcase 5: src port

  1. rule:

    flow create 0 ingress pattern eth / ipv4 / tcp src spec 8010 src mask 65520 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP()/TCP(sport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP()/TCP(sport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IPv6()/TCP(sport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP()/SCTP(sport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    

19.5.6. Subcase 6: dst port

  1. rule:

    flow create 0 ingress pattern eth / ipv4 / tcp dst spec 8010 dst mask 65520 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP()/TCP(dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP()/TCP(dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP()/UDP(dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IPv6()/TCP(dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    

19.5.7. Subcase 7: src ip + dst ip + src port + dst port

  1. rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 \
    / tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.2", dst="192.168.255.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp216s0f0")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.3")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=7985,dport=8018)/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8012,dport=7985)/Raw(load='X'*30)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/UDP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp216s0f0")
    

19.5.8. Subcase 8: src mac + dst mac + src ip + dst ip + src port + dst port(only 2ports NIC support)

  1. rule:

    flow create 0 ingress pattern eth dst is 00:01:23:45:67:89 / ipv4 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 5E:8E:8B:4D:89:06 / ipv4 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth dst is 5E:8E:8B:4D:90:05 / ipv4 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 00:01:23:45:67:89 dst mask ff:ff:ff:ff:00:ff \
    / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 \
    / tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
    
  2. matched packets:

    sendp([Ether(src="00:11:22:33:44:66", dst="00:01:23:45:66:89")/IP(src="192.168.0.2", dst="192.168.255.2")/TCP(sport=8012,dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    
  3. unmatched packets:

    sendp([Ether(src="00:11:22:33:66:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:90")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.2")/TCP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.3")/TCP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=7985,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/TCP(sport=8010,dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    

Note: only delete ACL rule in step 4:

    flow destroy 0 rule 3
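Every spec/mask rule in Test Cases 1 and 2 reduces to one check per field: (packet & mask) == (spec & mask), including the non-contiguous masks such as 255.255.255.243 and 255.255.0.255. The sketch below is an added example, not part of the DPDK test plan or testpmd: it parses three rule lines copied from the subcases above and replays packets from the same subcases as plain dictionaries (no scapy, no NIC). `parse_pattern`, `matches`, `verdicts` and `pkt` are hypothetical helper names, and "pass" assumes the switch stage delivers the packet to VF1.

```python
import ipaddress

def mac(value):
    """MAC string -> 48-bit integer."""
    return int(value.replace(":", ""), 16)

def ip4(value):
    """Dotted IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(value))

# Pattern item -> (field converter, all-ones mask used by "is" and as default).
LAYERS = {
    "eth": (mac, (1 << 48) - 1),
    "ipv4": (ip4, (1 << 32) - 1),
    "tcp": (int, 0xFFFF),
    "udp": (int, 0xFFFF),
    "sctp": (int, 0xFFFF),
}

def parse_pattern(rule):
    """Return {layer: {field: (spec, mask)}} for one 'flow create' line."""
    pattern = rule.split(" pattern ", 1)[1].split(" / end actions ", 1)[0]
    parsed = {}
    for item in pattern.split(" / "):
        layer, *args = item.split()
        conv, full = LAYERS[layer]
        fields = {}
        # Arguments come in triples: <field> <is|spec|mask> <value>.
        for field, kind, value in zip(args[0::3], args[1::3], args[2::3]):
            spec, mask = fields.get(field, (0, full))
            if kind == "is":
                spec, mask = conv(value), full
            elif kind == "spec":
                spec = conv(value)
            elif kind == "mask":
                mask = conv(value)
            else:
                raise ValueError(f"unsupported keyword {kind!r} in {item!r}")
            fields[field] = (spec, mask)
        parsed[layer] = fields
    return parsed

def matches(parsed, packet):
    """True when the packet carries every layer in the pattern and every
    constrained field agrees with the spec on the masked bits."""
    for layer, fields in parsed.items():
        if layer not in packet:          # e.g. a UDP packet against a tcp item
            return False
        conv, _ = LAYERS[layer]
        for field, (spec, mask) in fields.items():
            if (conv(packet[layer][field]) & mask) != (spec & mask):
                return False
    return True

def verdicts(rule, packets):
    parsed = parse_pattern(rule)
    return ["drop" if matches(parsed, p) else "pass" for p in packets]

def pkt(l4=None, smac="00:11:22:33:44:55", dmac="00:01:23:45:67:89",
        sip="192.168.0.1", dip="192.168.0.2", sport=8012, dport=8018):
    """Dictionary stand-in for the scapy packets used in the subcases."""
    p = {"eth": {"src": smac, "dst": dmac}, "ipv4": {"src": sip, "dst": dip}}
    if l4:
        p[l4] = {"src": sport, "dst": dport}
    return p

# Rules copied from Test Case 1 Subcase 1, Test Case 2 Subcase 4 and Subcase 7.
RULE_SRC_MAC = ("flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 "
                "src mask 00:ff:ff:ff:ff:ff / ipv4 / end actions drop / end")
RULE_DST_IP = ("flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 "
               "dst mask 255.255.255.243 / tcp / end actions drop / end")
RULE_5TUPLE = ("flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 "
               "src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 "
               "/ tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 "
               "/ end actions drop / end")

# Packets taken from the matched/unmatched lists of the same subcases.
PKTS_SRC_MAC = [pkt(), pkt("udp", smac="01:11:22:33:44:55"),
                pkt("sctp", smac="ff:11:22:33:44:55"),
                pkt(smac="00:11:22:33:66:55"), pkt("tcp", smac="00:11:22:33:44:66")]
PKTS_DST_IP = [pkt("tcp", dip="192.168.0.14"), pkt("tcp", dip="192.168.0.3"),
               pkt("sctp"), pkt()]
PKTS_5TUPLE = [pkt("tcp", sip="192.168.0.2", dip="192.168.255.2"),
               pkt("tcp", sip="192.168.1.1"), pkt("tcp", dip="192.168.0.3"),
               pkt("tcp", sport=7985), pkt("tcp", dport=7985), pkt("udp")]

if __name__ == "__main__":
    for name, rule, pkts in (("src mac", RULE_SRC_MAC, PKTS_SRC_MAC),
                             ("dst ipv4", RULE_DST_IP, PKTS_DST_IP),
                             ("5-tuple", RULE_5TUPLE, PKTS_5TUPLE)):
        print(name, verdicts(rule, pkts))
```
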

19.6. Test Case 3: pattern IPV4_UDP

The rules and packets in this test case are similar to “Test case 2: pattern IPV4_TCP”; just change some parts of the rules and packets:

rule:
change tcp to udp.
packets:
if the packet’s L4 layer is UDP, change it to TCP; if the packet’s L4 layer is TCP, change it to UDP;

19.6.1. Subcase 1: src mac(only 2ports NIC support)

19.6.2. Subcase 2: dst mac(only 2ports NIC support)

19.6.3. Subcase 3: src ipv4

19.6.4. Subcase 4: dst ipv4

19.6.5. Subcase 5: src port

19.6.6. Subcase 6: dst port

19.6.7. Subcase 7: src ip + dst ip + src port + dst port

19.6.8. Subcase 8: src mac + src ip + dst ip + src port + dst port(only 2ports NIC support)

19.7. Test Case 4: pattern IPV4_SCTP

The rules and packets in this test case are similar to “Test case 2: pattern IPV4_TCP”; just change some parts of the rules and packets:

rule:
change tcp to sctp.
packets:
if the packet’s L4 layer is TCP, change it to SCTP; if the packet’s L4 layer is SCTP, change it to UDP;

19.7.1. Subcase 1: src mac(only 2ports NIC support)

19.7.2. Subcase 2: dst mac(only 2ports NIC support)

Note: switch rules don’t support the SCTP packet type, so there are some differences from the UDP/TCP case.

19.7.3. Subcase 3: src ipv4

19.7.4. Subcase 4: dst ipv4

19.7.5. Subcase 5: src port

19.7.6. Subcase 6: dst port

19.7.7. Subcase 7: src ip + dst ip + src port + dst port

19.7.8. Subcase 8: src mac + src ip + dst ip + src port + dst port(only 2ports NIC support)

Note: switch rules don’t support the SCTP packet type, so there are some differences from the UDP/TCP case.

19.8. Test Case 5: max entry number

Note: the default entry number is now 256. Creating an IPv4 rule generates 4 entries: ipv4, ipv4-udp, ipv4-tcp, ipv4-sctp. So we can create at most 64 IPv4 rules, while we can create at most 256 ipv4-udp/ipv4-tcp/ipv4-sctp rules.

  1. launch DPDK on VF0, request DCF mode:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xc -n 4 -a 86:01.0,cap=dcf -- -i --port-topology=loop
    

    Launch dpdk on VF1:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf0 -n 4 -a 86:01.1 --file-prefix=vf1 -- -i
    
  2. create a full mask rule, it’s created as a switch rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.255 / udp / end actions drop / end
    
  3. create 256 ipv4-udp ACL rules:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.0 src mask 255.254.255.255 / udp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.254.255.255 / udp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.2 src mask 255.254.255.255 / udp / end actions drop / end
    ......
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.255 src mask 255.254.255.255 / udp / end actions drop / end
    

    all the rules can be created successfully as ACL rules.

  4. list the rules, there are rule 0-256 listed.

  5. send packet1:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.255", dst="192.168.100.2")/UDP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check the packet is dropped. stop the forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 1             RX-total: 1
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------
    
  6. create one more rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.0 src mask 255.254.255.255 / udp / end actions drop / end
    

    the rule is created as a switch rule.

  7. send packet2:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.0", dst="192.168.100.2")/UDP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check the packet can’t be received by VF1. stop the forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 0             RX-total: 0
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------
    
  8. delete the rule 256 and 257:

    flow destroy 0 rule 256
    flow destroy 0 rule 257
    

    list the rules:

    flow list 0
    

    there are rule 0-255 listed.

  9. create the rule in step 6 again, check the rule can be created as an ACL rule successfully. list the rules, there are rule 0-256 listed.

  10. send packet2 again, check the packet is dropped. stop the forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 1             RX-total: 1
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------

19.9. Test Case 6: max entry number ipv4-other

  1. launch DPDK on VF0, request DCF mode:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xc -n 4 -a 86:01.0,cap=dcf -- -i --port-topology=loop
    

    Launch dpdk on VF1:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf0 -n 4 -a 86:01.1 --file-prefix=vf1 -- -i
    
  2. create a full mask rule, it’s created as a switch rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.255 / end actions drop / end
    
  3. create 64 ipv4-other ACL rules:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.1 src mask 255.255.0.255 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.2 src mask 255.255.0.255 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.3 src mask 255.255.0.255 / end actions drop / end
     ......
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.64 src mask 255.255.0.255 / end actions drop / end
    

    all the rules can be created successfully as ACL rules.

  4. list the rules, there are rule 0-64 listed.

  5. send packet1:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.64", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

    check the packet is dropped. stop the forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 1             RX-total: 1
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------
    
  6. create one more rule:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.2 src mask 255.255.0.255 / udp / end actions drop / end
    

    check that the rule can’t be created as an ACL rule; it’s created as a switch rule.

  7. send packet2:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.2", dst="192.168.1.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

    check the packet can’t be received by vf1. stop forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 0             RX-total: 0
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------
    
  8. delete the rule 64 and 65:

    flow destroy 0 rule 64
    flow destroy 0 rule 65
    

    list the rules:

    flow list 0
    

    there are rule 0-63 listed.

  9. create the rule in step 6 again, check the rule can be created as an ACL rule successfully. list the rules, there are rule 0-64 listed.

  10. send packet2 again, check the packet is dropped. stop the forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 1             RX-total: 1
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------

19.10. Test Case 7: max entry number combined patterns

  1. launch DPDK on VF0, request DCF mode:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xc -n 4 -a 86:01.0,cap=dcf -- -i --port-topology=loop
    

    Launch dpdk on VF1:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf0 -n 4 -a 86:01.1 --file-prefix=vf1 -- -i
    
  2. create 32 ipv4-other ACL rules:

    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.0 dst mask 255.255.0.255 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.0.255 / end actions drop / end
    ......
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.30 src mask 255.255.0.255 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.31 src mask 255.255.0.255 / end actions drop / end
    

    all the rules can be created successfully as ACL rules.

  3. create 128 ipv4-udp ACL rules:

    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.0 dst mask 255.255.0.255 / udp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.0.255 / udp / end actions drop / end
    ......
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.126 src mask 255.255.0.255 / udp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.127 src mask 255.255.0.255 / udp / end actions drop / end
    

    all the rules can be created successfully as ACL rules.

  4. list the rules; rules 0-159 are listed.

  5. create one more ACL rule. it fails as an ACL rule and is created as a switch rule instead:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.2.255 src mask 255.255.255.254 / udp / end actions drop / end
    
  6. delete one ACL rule, then create the rule from step 5 again; it is now created as an ACL rule successfully.

  7. delete the switch rule, send packet1:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.2.255", dst="192.168.0.2")/UDP(sport=8010,dport=8017)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check the packet is dropped. stop the forward:

    ---------------------- Forward statistics for port 1  ----------------------
    RX-packets: 0              RX-dropped: 1             RX-total: 1
    TX-packets: 0              TX-dropped: 0             TX-total: 0
    ----------------------------------------------------------------------------
    
  8. delete all the rules, check the packet is received by vf1.

19.11. Test Case 8: negative case

Note: a 4 ports NIC doesn’t support the eth input set. A rule with an eth input set can be created successfully, but it does not take effect on a 4 ports NIC.

  1. create an ACL rule without spec or mask:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src mask 255.255.255.0 / end actions drop / end
    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 / ipv4 / tcp / end actions drop / end
    flow create 0 ingress pattern eth src mask ff:ff:ff:ff:ff:00 / ipv4 / tcp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp src spec 8010 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp src mask 65520 / end actions drop / end
    

    check that the rules cannot be created.

  2. create an ACL rule with all “0” mask:

    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.1 dst mask 0.0.0.0 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp dst spec 8010 dst mask 0 / end actions drop / end
    flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask 00:00:00:00:00:00 / ipv4 / tcp / end actions drop / end
    

    check that the rules cannot be created.

  3. create ACL rules that combine a “0” mask with a non-“0” mask:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 0.0.0.0 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 0 / end actions drop / end
    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 00:11:22:33:44:66 dst mask 00:00:00:00:00:00 / ipv4 / tcp / end actions drop / end
    

    check the rules are created successfully. send matched packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.1",dst="192.168.1.2")/("X"*480)], iface="enp216s0f0")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1",dst="192.168.0.2")/TCP(sport=8012,dport=23)/("X"*480)], iface="enp216s0f0")
    sendp([Ether(src="00:11:22:33:44:55",dst="00:01:23:45:67:89")/IP(src="192.168.1.1",dst="192.168.0.2")/TCP(sport=22,dport=23)/("X"*480)], iface="enp216s0f0")
    

    check the packets are dropped by port 1.

Note: the last rule and the last packet can only be tested on a 2 ports NIC.

  4. create rules with inconsistent spec and mask:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 dst mask 255.255.255.0 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp src spec 8010 dst mask 65520 / end actions drop / end
    

    check the rules are created successfully. send matched packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1",dst="0.0.0.0")/("X"*480)], iface="enp216s0f0")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.1",dst="192.168.0.2")/TCP(sport=22,dport=0)/("X"*480)], iface="enp216s0f0")
    

    check the packets are dropped by port 1.

  5. create ACL rules with full mask, for 4 ports NIC:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.255 dst spec 192.168.0.2 dst mask 255.255.255.255 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.1 src mask 255.255.255.255 dst spec 192.168.1.2 dst mask 255.255.255.255 \
    / tcp src spec 8010 src mask 65535 dst spec 8017 dst mask 65535 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.2.1 src mask 255.255.255.255 dst spec 192.168.2.2 dst mask 255.255.255.0 \
    / udp src spec 8010 src mask 65520 dst spec 8017 dst mask 65535 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.2.1 src mask 255.255.255.255 dst spec 192.168.2.2 dst mask 255.255.255.255 \
    / sctp src spec 8012 src mask 65535 dst spec 8018 dst mask 65535 / end actions drop / end
    

    for 2 ports NIC:

    / ipv4 src spec 192.168.0.1 src mask 255.255.255.255 dst spec 192.168.0.2 dst mask 255.255.255.255 / end actions drop / end
    flow create 0 ingress pattern eth src spec 00:01:23:45:67:89 src mask ff:ff:ff:ff:ff:ff dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:ff \
    / ipv4 src spec 192.168.1.1 src mask 255.255.255.255 dst spec 192.168.1.2 dst mask 255.255.255.255 \
    / tcp src spec 8010 src mask 65535 dst spec 8017 dst mask 65535 / end actions drop / end
    flow create 0 ingress pattern eth src spec 00:01:23:45:67:89 src mask ff:ff:ff:ff:ff:ff dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:ff \
    / ipv4 src spec 192.168.2.1 src mask 255.255.255.255 dst spec 192.168.2.2 dst mask 255.255.255.0 \
    / udp src spec 8010 src mask 65520 dst spec 8017 dst mask 65535 / end actions drop / end
    flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:ff dst spec 00:01:23:45:67:89 dst mask ff:ff:ff:ff:ff:ff \
    / ipv4 src spec 192.168.2.1 src mask 255.255.255.255 dst spec 192.168.2.2 dst mask 255.255.255.255 \
    / sctp src spec 8012 src mask 65535 dst spec 8018 dst mask 65535 / end actions drop / end
    

    check that the rules are created successfully, but only as switch rules.

19.12. Test Case 9: multirules with different pattern or input set

  1. create rule 0:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 / end actions drop / end
    
  2. send packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.3.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.3", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.3.3", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.3.3", dst="192.168.1.2")/UDP(sport=8012, dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check packet 1 is dropped, packets 2-5 are not dropped.

  3. create rule 1, same inputset field, same spec, different mask:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.0.255 / end actions drop / end
    
  4. send the same packets, check packet 1 is dropped by rule 0, packet 2 is dropped by rule 1. packets 3-5 are not dropped.

  5. create rule 2, same inputset field, different spec, same mask:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.1 src mask 255.255.255.0 / end actions drop / end
    
  6. send the same packets, check packet 1 is dropped by rule 0, packet 2 is dropped by rule 1, packet 3 is dropped by rule 2. packets 4-5 are not dropped.

  7. create rule 3, same pattern, different input set field:

    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.1 dst mask 255.255.255.0 / end actions drop / end
    
  8. send the same packets, check packet 1 is dropped by rule 0, packet 2 is dropped by rule 1, packet 3 is dropped by rule 2, packet 4 is dropped by rule 3. packet 5 is not dropped.

  9. create rule 4, different pattern, same input set field:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.2.3 src mask 255.255.0.255 / udp / end actions drop / end
    
  10. send the same packets, check packet 1 is dropped by rule 0, packet 2 is dropped by rule 1, packet 3 is dropped by rule 2, packet 4 is dropped by rule 3, packet 5 is dropped by rule 4.
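
The per-step expectations of Test Case 9 can be derived from the rule strings themselves. The following Python model is an added example, not part of the DPDK test plan or the DTS suite; the names parse_rule, packet, matches, dropped_by and stage_table are hypothetical. It assumes that an omitted spec or mask is 0, that a pattern with no L4 item only matches packets without an L4 header, and that a drop is attributed to the lowest-numbered matching rule.

```python
import re
from ipaddress import IPv4Address


def parse_rule(cmd):
    """Parse a testpmd 'flow create' pattern into (l4, {(item, field): [spec, mask]}).
    Model assumption: an omitted spec or mask stays 0, which agrees with the
    "inconsistent spec and mask" packets in Test Case 8."""
    pattern = re.search(r"pattern (.*?) / end actions", cmd).group(1)
    l4, fields = None, {}
    for item in pattern.split(" / "):
        name, *tokens = item.split()
        if name in ("tcp", "udp", "sctp"):
            l4 = name
        # Triples: <field> spec|mask <value>; "is" or a MAC value raises ValueError (not modelled).
        for field, kind, value in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
            slot = ("spec", "mask").index(kind)
            number = int(IPv4Address(value)) if name == "ipv4" else int(value)
            fields.setdefault((name, field), [0, 0])[slot] = number
    return l4, fields


def packet(src, dst, l4=None, sport=0, dport=0):
    """Constructed stand-in for a Scapy packet from the page (L3/L4 fields only)."""
    pkt = {"l4": l4, ("ipv4", "src"): int(IPv4Address(src)), ("ipv4", "dst"): int(IPv4Address(dst))}
    if l4:
        pkt[(l4, "src")], pkt[(l4, "dst")] = sport, dport
    return pkt


def matches(rule, pkt):
    """Ternary match: only the bits set in each mask are compared."""
    l4, fields = rule
    # Assumption: a pattern with no L4 item only matches packets without TCP/UDP/SCTP.
    if pkt["l4"] != l4:
        return False
    return all((pkt[key] & mask) == (spec & mask) for key, (spec, mask) in fields.items())


def dropped_by(rules, pkt):
    """Lowest-numbered rule that matches pkt, or None when the packet is forwarded."""
    return next((i for i, rule in enumerate(rules) if matches(rule, pkt)), None)


def stage_table(cmds, packets):
    """Row n holds the expected result for every packet once rules 0..n exist."""
    rules = [parse_rule(cmd) for cmd in cmds]
    return [[dropped_by(rules[:n + 1], pkt) for pkt in packets] for n in range(len(rules))]


TC9_RULES = [
    "flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 / end actions drop / end",
    "flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.0.255 / end actions drop / end",
    "flow create 0 ingress pattern eth / ipv4 src spec 192.168.1.1 src mask 255.255.255.0 / end actions drop / end",
    "flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.1 dst mask 255.255.255.0 / end actions drop / end",
    "flow create 0 ingress pattern eth / ipv4 src spec 192.168.2.3 src mask 255.255.0.255 / udp / end actions drop / end",
]
TC9_PACKETS = [
    packet("192.168.0.3", "192.168.0.2"),
    packet("192.168.3.1", "192.168.0.2"),
    packet("192.168.1.3", "192.168.0.2"),
    packet("192.168.3.3", "192.168.0.2"),
    packet("192.168.3.3", "192.168.1.2", "udp", 8012, 8018),
]

if __name__ == "__main__":
    for n, row in enumerate(stage_table(TC9_RULES, TC9_PACKETS)):
        print(f"rules 0-{n}:", row)
```

Each row lists, per packet, the index of the rule that drops it, or None when the packet is forwarded.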

19.13. Test Case 10: multirules with all patterns

  1. create multirules with different pattern or input set:

    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.0 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp src spec 8010 src mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / tcp dst spec 8017 dst mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.254 / tcp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.254 / tcp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / udp src spec 8017 src mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / udp dst spec 8010 dst mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.254.255 / udp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.254.255 / udp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / udp src spec 8017 src mask 65520 dst spec 8010 dst mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.254 / sctp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.254 / sctp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / sctp src spec 8010 src mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 / sctp dst spec 8010 dst mask 65520 / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / sctp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
    

    check all the rules can be created successfully.

  2. send ipv4-pay packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.0.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/Raw(load='X'*30)], iface="enp134s0f1")
    

    check ipv4-pay packets 1-3 are dropped, packet 4 is not dropped.

  3. send ipv4-tcp packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/TCP(sport=8012, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/TCP(sport=7985, dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.1.2")/TCP(sport=7984, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.3")/TCP(sport=7984, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.1.2")/TCP(sport=8012, dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/TCP(sport=8018, dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check ipv4-tcp packets 1-5 are dropped, packet 6 is not dropped.

  4. send ipv4-udp packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/UDP(sport=8017, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/UDP(sport=7985, dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.3")/UDP(sport=7984, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.1.2")/UDP(sport=7984, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.1.2")/UDP(sport=8018, dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.0", dst="192.168.0.3")/UDP(sport=8012, dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check ipv4-udp packets 1-6 are dropped.

  5. send ipv4-sctp packets:

    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/SCTP(sport=8012, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.1.2")/SCTP(sport=7985, dport=8012)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.3")/SCTP(sport=7984, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.1", dst="192.168.1.2")/SCTP(sport=7984, dport=7985)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.0.3", dst="192.168.1.2")/SCTP(sport=8012, dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    sendp([Ether(dst="00:01:23:45:67:89")/IP(src="192.168.1.0", dst="192.168.1.3")/SCTP(sport=8017, dport=8018)/Raw(load='X'*30)], iface="enp134s0f1")
    

    check ipv4-sctp packets 1-5 are dropped, packet 6 is not dropped.

19.14. Test Case 11: switch/acl/fdir/rss rules combination

  1. launch testpmd:

    ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xc -n 4 -a 86:01.0,cap=dcf -a 86:01.1 --log-level="ice,7" -- -i --port-topology=loop --rxq=4 --txq=4
    
  2. create rules:

    flow create 0 ingress pattern eth / ipv4 src is 192.168.0.1 dst is 192.168.0.20 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth / ipv4 src is 192.168.0.2 dst is 192.168.0.20 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth / ipv4 src is 192.168.0.3 dst is 192.168.0.20 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth / ipv4 src is 192.168.0.4 dst is 192.168.0.20 / tcp / end actions represented_port ethdev_port_id 1 / end
    flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.2 src mask 255.255.255.254 / tcp / end actions drop / end
    flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.21 dst mask 255.255.0.255 / tcp / end actions drop / end
    flow create 2 ingress pattern eth / ipv4 src is 192.168.0.1 dst is 192.168.0.20 / tcp src is 22 dst is 23 / end actions queue index 3 / mark / end
    flow create 2 ingress pattern eth / ipv4 src is 192.168.0.2 dst is 192.168.0.20 / tcp src is 22 dst is 23 / end actions queue index 3 / mark / end
    flow create 2 ingress pattern eth / ipv4 src is 192.168.1.1 dst is 192.168.0.20 / tcp src is 22 dst is 23 / end actions queue index 3 / mark / end
    
  3. check the rule list:

    testpmd> flow list 0
    ID      Group   Prio    Attr    Rule
    0       0       0       i--     ETH IPV4 TCP => VF
    1       0       0       i--     ETH IPV4 TCP => VF
    2       0       0       i--     ETH IPV4 TCP => VF
    3       0       0       i--     ETH IPV4 TCP => VF
    4       0       0       i--     ETH IPV4 TCP => DROP
    5       0       0       i--     ETH IPV4 TCP => DROP
    testpmd> flow list 2
    ID      Group   Prio    Attr    Rule
    0       0       0       i--     ETH IPV4 TCP => QUEUE MARK
    1       0       0       i--     ETH IPV4 TCP => QUEUE MARK
    2       0       0       i--     ETH IPV4 TCP => QUEUE MARK
    
  4. send packets:

    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.1", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.1", dst="192.168.0.20")/TCP(sport=32,dport=33)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.2", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.3", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.4", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.1.1", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:89")/IP(src="192.168.1.1", dst="192.168.0.21")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    
  5. check packet 1 is received by port 2 and redirected to queue 3 with FDIR matched ID=0x0. packet 2 is received by port 2 and distributed by RSS without mark ID. packet 3 is dropped by port 2. packet 4 is dropped by port 2. packet 5 is received by port 2 and distributed by RSS without mark ID. packet 6 is received by neither port 0 nor port 2. packet 7 is received by port 2 and redirected to queue 3 with FDIR matched ID=0x0. packet 8 is dropped by port 2.

  6. delete rule ID 4 from port 0 and list the rules:

    testpmd> flow destroy 0 rule 4
    Flow rule #4 destroyed
    testpmd> flow list 0
    ID      Group   Prio    Attr    Rule
    0       0       0       i--     ETH IPV4 TCP => VF
    1       0       0       i--     ETH IPV4 TCP => VF
    2       0       0       i--     ETH IPV4 TCP => VF
    3       0       0       i--     ETH IPV4 TCP => VF
    5       0       0       i--     ETH IPV4 TCP => DROP
    
  7. send packets:

    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.2", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    sendp(Ether(src="00:11:22:33:44:55", dst="00:01:23:45:67:88")/IP(src="192.168.0.3", dst="192.168.0.20")/TCP(sport=22,dport=23)/Raw(load="x"*30), iface="enp216s0f0")
    
  8. check packet 1 is received by port 2 and redirected to queue 3 with FDIR matched ID=0x0. packet 2 is received by port 2 and distributed by RSS without mark ID.