20. ICE DCF DISABLE ACL engine

20.1. Description

Support disabling DCF ACL engine via devarg “acl=off” in cmdline, aiming to shorten the DCF startup time. After disabling the ACL engine, some of the rules supported by the ACL engine will be created by the Switch engine and others will failed to be created, as shown in the following table.

Pattern	Input Set	ACL	Switch
IPv4	[Source MAC]	success	fail
	[Dest MAC]	success	success
	[Source IP]	success	success
	[Dest IP]	success	success
	[Source IP],[Dest IP]	success	success
	[Source MAC],[Dest MAC],[Source IP],[Dest IP]	success	fail
IPv4_TCP	[Source MAC]	success	fail
	[Dest MAC]	success	success
	[Source IP]	success	success
	[Dest IP]	success	success
	[Source port]	success	success
	[Dest port]	success	success
	[Source IP],[Dest IP],[Source port],[Dest port]	success	success
	[Source MAC],[Dest MAC],[Source IP],[Dest IP],[Source port],[Dest port]	success	fail
IPv4_UDP	[Source MAC]	success	fail
	[Dest MAC]	success	success
	[Source IP]	success	success
	[Dest IP]	success	success
	[Source port]	success	success
	[Dest port]	success	success
	[Source IP],[Dest IP],[Source port],[Dest port]	success	success
	[Source MAC],[Dest MAC],[Source IP],[Dest IP],[Source port],[Dest port]	success	fail
IPv4_SCTP	all input sets	success	fail

20.2. Prerequisites

20.2.1. Topology

dut_port_0 <—> tester_port_0

dut_port_1 <—> tester_port_1

20.2.2. Hardware

Supported NICs: Intel® Ethernet 800 Series: E810-CQDA2/E810-2CQDA2/E810-XXVDA4 etc.

20.2.3. Software

dpdk: http://dpdk.org/git/dpdk

scapy: http://www.secdev.org/projects/scapy/

20.2.4. General set up

1. Compile DPDK:

   CC=gcc meson -Denable_kmods=True -Dlibdir=lib  --default-library=static x86_64-native-linuxapp-gcc
   ninja -C x86_64-native-linuxapp-gcc
   

2. Get the pci device id of DUT, for example:

   ./usertools/dpdk-devbind.py -s
   
   0000:17:00.0 'Ethernet Controller E810-C for QSFP 1592' if=ens9 drv=ice unused=vfio-pci
   

3. Generate 2 VFs on PF0:

   echo 2 > /sys/bus/pci/devices/0000:17:00.0/sriov_numvfs
   
   ./usertools/dpdk-devbind.py -s
   0000:17:01.0 'Ethernet Adaptive Virtual Function 1889' drv=vfio-pci unused=iavf
   0000:17:01.1 'Ethernet Adaptive Virtual Function 1889' drv=vfio-pci unused=iavf
   

4. Set VF0 as trust and set VF1 mac address:

   ip link set ens9 vf 0 trust on
   ip link set ens9 vf 1 mac 00:01:23:45:67:89
   

5. Bind VFs to dpdk driver:

   modprobe vfio-pci
   ./usertools/dpdk-devbind.py -b=vfio-pci 0000:17:01.0 0000:17:01.1
   

6. Launch testpmd on VF0, VF0 request DCF mode and add parameter “acl=off” to disable the ACL engine:

   ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf -n 4 -a 0000:17:01.0,cap=dcf,acl=off -a 0000:17:01.1 --log-level="ice,7" -- -i
   
   Notice that when launching testpmd, the application prints "ice_flow_init():Engine 4 disabled"
   
   Quit testpmd::
   
   testpmd> quit
   
   Check that when quitting testpmd, the application prints "ice_flow_uninit():Engine 4 disabled skip it"
   

20.3. Test Case

20.3.1. Test Case 1: Compare startup time

It takes too much time to enable the ACL engine when launching testpmd, so the startup time should be shortened after disabling ACL.

20.3.1.1. test steps

1. Disable ACL, execute command and record the time “start_time_disable_acl”:

   echo quit | time ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf -n 4 -a 0000:17:01.0,cap=dcf,acl=off -a 0000:17:01.1 --log-level="ice,7" -- -i
   

2. Enable ACL, execute command and record the time “start_time_enable_acl”:

   echo quit | time ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf -n 4 -a 0000:17:01.0,cap=dcf -a 0000:17:01.1 --log-level="ice,7" -- -i
   

3. Repeat step 1~2 for at least 6 times to get the average time of “start_time_disable_acl” and “start_time_enable_acl”.

20.3.1.2. expected result

Check that the average startup time with “acl=off” is shorter than that without “acl=off”.

20.3.2. Test Case 2: disable ACL engine

Add “–log-level=’ice,7’” when launching testpmd, it will print the detailed information when creating one rule. “Succeeded to create (4) flow” means the rule was created by the ACL engine, “Succeeded to create (2) flow” means it was created by the Switch engine. Therefore, when creating ACL rules after disabling the ACL engine, the ACL engine will fail to create any of these rules, but some of them can be successfully created by the switch engine.

20.3.2.1. test steps

1. Launch testpmd:

   ./x86_64-native-linuxapp-gcc/app/dpdk-testpmd -c 0xf -n 4 -a 0000:17:01.0,cap=dcf,acl=off -a 0000:17:01.1 --log-level="ice,7" -- -i
   

2. Create ACL rules on port 0:

   Switch supported rules::
   
   ipv4:
       flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:ff / ipv4 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.0 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / end actions drop / end
   ipv4_tcp:
       flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:00 / ipv4 / tcp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.254 / tcp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.243 / tcp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 / tcp src spec 8010 src mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 / tcp dst spec 8010 dst mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
   ipv4_udp:
       flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:00 / ipv4 / udp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.254 / udp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.243 / udp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 / udp src spec 8010 src mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 / udp dst spec 8010 dst mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / udp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
   
   Switch not supported rules::
   
   ipv4:
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask 00:ff:ff:ff:ff:ff / ipv4 / end actions drop / end
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 33:00:00:00:00:02 dst mask ff:ff:ff:ff:ff:fe / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / end actions drop / end
   ipv4_tcp:
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:fe / ipv4 / tcp / end actions drop / end
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 00:01:23:45:67:89 dst mask ff:ff:ff:ff:00:ff / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / tcp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
   ipv4_udp:
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:fe / ipv4 / udp / end actions drop / end
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 00:01:23:45:67:89 dst mask ff:ff:ff:ff:00:ff / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / udp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
   ipv4_sctp:
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:fe / ipv4 / sctp / end actions drop / end
       flow create 0 ingress pattern eth dst spec 00:11:22:33:44:55 dst mask ff:ff:ff:ff:ff:00 / ipv4 / sctp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.254 / sctp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 dst spec 192.168.0.2 dst mask 255.255.255.243 / sctp / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 / sctp src spec 8010 src mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 / sctp dst spec 8010 dst mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / sctp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
       flow create 0 ingress pattern eth src spec 00:11:22:33:44:55 src mask ff:ff:ff:ff:ff:00 dst spec 00:01:23:45:67:89 dst mask ff:ff:ff:ff:00:ff / ipv4 src spec 192.168.0.1 src mask 255.255.255.0 dst spec 192.168.0.2 dst mask 255.255.0.255 / sctp src spec 8010 src mask 65520 dst spec 8017 dst mask 65520 / end actions drop / end
   

20.3.2.2. expected result

Check that Switch support rules will be created:

ice_flow_create(): Succeeded to create (2) flow

Switch not support rules will be created failed:

ice_flow_create(): Failed to create flow
port_flow_complain(): Caught PMD error type 10 (item specification): cause: 0x7ffd63133730,Invalid input set: Invalid argument

Both outputs mean that the ACL engine has been disabled.