DOCA_FLOW_PIPE_ACL and ICMP

We are working on a DOCA_FLOW application and working with ACL pipes (DOCA_FLOW_PIPE_ACL) under DOCA 2.0.2. We find that we cannot add flow entries for matching IPv4 ICMP traffic. Flow additions are rejected with “Unsupported Protocol” errors if flow L4 type is set to DOCA_FLOW_L4_TYPE_EXT_ICMP. We CAN match TCP and UDP traffic successfully so I believe we are using ACL pipes correctly overall.

How might one match ICMP traffic in an ACL type pipe?

@xiaofengl - perhaps you can check this; it seems like something you might know.

Thanks!
-J

I recall the DOCA Flow API did not support ICMP header matching in older versions.

But I checked the latest API, and it already has it.

https://docs.nvidia.com/doca/sdk/flow-programming-guide/index.html#doca-flow-header-format

```
struct doca_flow_header_format {
	struct doca_flow_header_eth eth;
	uint16_t l2_valid_headers;
	struct doca_flow_header_eth_vlan eth_vlan[DOCA_FLOW_VLAN_MAX];
	enum doca_flow_l3_type l3_type;
	union {
		struct doca_flow_header_ip4 ip4;
		struct doca_flow_header_ip6 ip6;
	};
	enum doca_flow_l4_type_ext l4_type_ext;
	union {
		struct doca_flow_header_icmp icmp;
		struct doca_flow_header_udp udp;
		struct doca_flow_header_tcp tcp;
	};
};
```

https://docs.nvidia.com/doca/sdk/flow-programming-guide/index.html#doca-flow-match

@Xiaofengl

Yep, this is what we are trying to use. Unfortunately it returns error.

Do you have access to enterprise support tickets? If so, can you take a look at my case 00603711 which has an attached code sample. I wonder if you might have thoughts on this…

-J

I have a short review,

result = add_acl_specific_entry(

		DOCA_FLOW_L4_TYPE_EXT_ICMP,  // jfitz

DOCA_FLOW_L4_TYPE_EXT_ICMP, may not define on runtime.

We do have ICMP match API,

doca\libs\doca_flow\doca_flow_net.h

```
enum doca_flow_l4_type_ext {
	DOCA_FLOW_L4_TYPE_EXT_NONE = 0,
	/**< l4 ext type is not set */
	DOCA_FLOW_L4_TYPE_EXT_TCP,
	/**< l4 ext type is tcp */
	DOCA_FLOW_L4_TYPE_EXT_UDP,
	/**< l4 ext type is udp */
	DOCA_FLOW_L4_TYPE_EXT_ICMP,
	/**< l4 ext type is icmp */
	DOCA_FLOW_L4_TYPE_EXT_ICMP6,
	/**< l4 ext type is icmp6 */
};
```

Where do you run doca_flow (host/dpu)? You need to check whether the 2.0.2 runtime libs are installed properly.

I am on vacation at the moment.

I see 00603711 is handled by James Tau; he could check that to help you.

@xiaofengl

Thank you for looking at this. To clarify, your comment

“DOCA_FLOW_L4_TYPE_EXT_ICMP, may not define on runtime.”

Does it mean the L4 type is not allowed in individual match entries and can only be specified in the pipe config (the doca_flow_pipe_create() call)? In other words, this field must be constant for the whole pipe?

If so, this probably explains my issue. So, if I need to filter some ICMP, TCP, and UDP, then the best approach is to chain three pipes, one for each L4, using fwd_miss on each one to reach the next?

I will try it today in my lab.

Also, you asked whether we run DOCA 2.0.2 on host or dpu. The answer is we run on the DPU. For testing, we compile code on the DPU directly and run it there via SSH.

Thank you for replying even on your holiday; I really appreciate the help. I just got back from holiday myself, yesterday.

-J
