[URL Filtering App] It shows the failure when executing 'commit database' command

Infrastructure & Networking DOCA Enterprise Networking
1

Hi,

I’m able to execute the URL filtering application. However, the application showed the failure and was aborted when executing ‘commit database’ command. I seek for the assistance about this failure. Detail is described as follows.

  • Able to execute the URL filtering application

    $ sudo /opt/mellanox/doca/examples/url_filter/bin/doca_url_filter -a 0000:03:00.0,class=regex -a
    auxiliary:mlx5_core.sf.3,sft_en=1 -a auxiliary:mlx5_core.sf.4,sft_en=1 -c3 – -p
    EAL: Detected 8 lcore(s)
    EAL: Detected 1 NUMA nodes
    EAL: Detected shared linkage of DPDK
    EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
    EAL: Selected IOVA mode ‘PA’
    EAL: No available hugepages reported in hugepages-32768kB
    EAL: No available hugepages reported in hugepages-64kB
    EAL: No available hugepages reported in hugepages-1048576kB
    EAL: Probing VFIO support…
    EAL: VFIO support initialized
    EAL: Device is not NUMA-aware, defaulting socket to 0
    EAL: Probe PCI driver: mlx5_pci (15b3:a2d6) device: 0000:03:00.0 (socket 0)
    EAL: No legacy callbacks, legacy socket not created
    Temporary WARN - Destination table level lower than Source
    [01:49:52:893055][DOCA][I][DWRKR]: 1 cores are used as DPI workers
    URL FILTER>>

  • Create an empty database and the http filter signature

    URL FILTER>> create database
    URL FILTER>> filter http test www.slashdot.org

    The command ‘filter http test www.slashdot.org’ will create the following signature in /tmp/signature.txt. (The following command is executed in another terminal)

    $ cat /tmp/signature.txt
    drop tcp any any → any any (msg:“test”; flow:to_server; pcre:“/www.slashdot.org/I”; sid:1;)
    drop tcp any any → any any (msg:“test”; flow:to_server; tls.sni; pcre:“/www.slashdot.org/”; sid:2;)

  • Execute ‘commit database’ command. The application showed the failure and was aborted.

    URL FILTER>> commit database /tmp/signature.txt
    /tmp/265053/signatures.rules
    rules file is /tmp/265053/signatures.rules
    Info: Setting target hardware version to v5.7…done
    Info: Setting virtual prefix mode to 0…done
    Info: Setting prefix capacity to 32K…done
    Info: Setting compiler objective value to 5…done
    Info: Setting number of threads for compilation to 1…done
    Info: Reading ruleset…done
    Info: Detected 2 rules
    Info: Enabling global single-line mode…done
    Info: Setting maximum TPE data width to 4…done
    Info: Scanning rules…[==============================]…done
    Info: Analising possible prefix usage…[==============================]…done
    Info: Mapping prefixes, phase 1…[==============================]…done
    Info: Mapping prefixes, phase 2…[==============================]…done
    Info: Running rules analysis…[==============================]…done
    Info: Optimizing memory map…[==============================]…done
    Info: Analyzing memory map…[==============================]…done
    Info: Calculating thread instructions…[==============================]…done
    Info: Beginning to write memory map for ROF2…done
    Info: PPE total 1-byte prefix usage: 0/256 (0%)
    Info: PPE total 2-byte prefix usage: 0/2048 (0%)
    Info: PPE total 3-byte prefix usage: 0/2048 (0%)
    Info: PPE total 4-byte prefix usage: 1/32768 (0.00305176%)
    Info: TPE instruction RAM TCM partition usage: 2048/2048 (100%)
    Info: TPE instruction RAM external memory partition usage: 6218/13M (0.045615%)
    Info: TPE class RAM usage: 2/256 (0.78125%)
    Info: Estimated threads/byte: 5.183e-10
    Info: Finalizing memory map for ROF2…done
    Info: Storing ROF2 data…done
    Info: Number of rules compiled = 2/2
    Info: Writing ROF2 file to /tmp/265053/rof/signatures_compiled.rof2
    Info: Writing binary ROF2 file to /tmp/265053/rof/signatures_compiled.rof2.binary…done
    mlx5_regex: Rules program failed 22
    mlx5_regex: Failed to program rxp rules.
    [02:25:01:105139][DOCA][E][UFLTR::Core]: Loading DPI signature failed

    $

[My configuration steps]

  • Create a scalable function interface

    $ sudo /opt/mellanox/iproute2/sbin/mlxdevm port add pci/0000:03:00.0 flavour pcisf pfnum 0 sfnum 4
    pci/0000:03:00.0/294928: type eth netdev eth0 flavour pcisf controller 0 pfnum 0 sfnum 4
    function:
    hw_addr 02:71:0e:09:0e:2c state inactive opstate detached roce true max_uc_macs 128 trust off
    $ sudo /opt/mellanox/iproute2/sbin/mlxdevm port function set pci/0000:03:00.0/294928 hw_addr
    02:25:f2:8d:a2:4c trust on state active
    $ sudo sh -c ‘echo mlx5_core.sf.3 > /sys/bus/auxiliary/drivers/mlx5_core.sf_cfg/unbind’
    $ sudo sh -c ‘echo mlx5_core.sf.3 > /sys/bus/auxiliary/drivers/mlx5_core.sf/bind’

  • Create another scalable function interface

    $ sudo /opt/mellanox/iproute2/sbin/mlxdevm port add pci/0000:03:00.0 flavour pcisf pfnum 0 sfnum 5
    pci/0000:03:00.0/294929: type eth netdev eth0 flavour pcisf controller 0 pfnum 0 sfnum 5
    function:
    hw_addr 00:00:00:00:00:00 state inactive opstate detached roce true max_uc_macs 128 trust off
    $ sudo /opt/mellanox/iproute2/sbin/mlxdevm port function set pci/0000:03:00.0/294929 hw_addr 02:25:f2:8d:a2:5c trust on state active
    $ sudo sh -c ‘echo mlx5_core.sf.4 > /sys/bus/auxiliary/drivers/mlx5_core.sf_cfg/unbind’
    $ sudo sh -c ‘echo mlx5_core.sf.4 > /sys/bus/auxiliary/drivers/mlx5_core.sf/bind’

  • List scalable function ports

    $ sudo mlnx-sf --action show
    SF Index: pci/0000:03:00.0/294928
    Parent PCI dev: 0000:03:00.0
    Representor netdev: en3f0pf0sf4
    Function HWADDR: 02:25:f2:8d:a2:4c
    Auxiliary device: mlx5_core.sf.3
    netdev: enp3s0f0s4
    RDMA dev: mlx5_3

    SF Index: pci/0000:03:00.0/294929
    Parent PCI dev: 0000:03:00.0
    Representor netdev: en3f0pf0sf5
    Function HWADDR: 02:25:f2:8d:a2:5c
    Auxiliary device: mlx5_core.sf.4
    netdev: enp3s0f0s5
    RDMA dev: mlx5_4

  • OVS configuration
    $ sudo ovs-vsctl add-br ovsbr1
    $ sudo ovs-vsctl add-br ovsbr2
    $ sudo ovs-vsctl add-port ovsbr1 pf0hpf
    $ sudo ovs-vsctl add-port ovsbr1 en3f0pf0sf4
    $ sudo ovs-vsctl add-port ovsbr2 p0
    $ sudo ovs-vsctl add-port ovsbr2 en3f0pf0sf5

  • Show OVS info

    $ sudo ovs-vsctl show
    cd52839a-d5f5-4987-bec0-b7ed3678502f
    Bridge ovsbr1
    Port pf0hpf
    Interface pf0hpf
    Port ovsbr1
    Interface ovsbr1
    type: internal
    Port en3f0pf0sf4
    Interface en3f0pf0sf4
    Bridge ovsbr2
    Port ovsbr2
    Interface ovsbr2
    type: internal
    Port p0
    Interface p0
    Port en3f0pf0sf5
    Interface en3f0pf0sf5
    ovs_version: “2.14.1”

  • Activate all interfaces (ovsbr1, pf0hpf, en3f0pf0sf4, ovsbr2, p0, en3f0pf0sf5) by executing “ifconfig network_interface up”.

  • Start the ‘mlx-regex.service’ if it is not started.

  • $ sudo sh -c ‘echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages’

  • Run URL filtering application

Thanks.

2

I meet the similar problem today,and I just wanna test the regex
I config the regex followed by the doc, and the result shows below

systemctl status mlx-regex
mlx-regex.service - Regex daemon for BlueField 2
Loaded: loaded (/etc/systemd/system/mlx-regex.service; enabled; vendor preset:enabled)
Active: active (running) since Sun 2022-04-03 08:59:49 UTC; 8s ago
Main PID: 60802 (mlx-regex)
Tasks: 1 (limit: 19077)
Memory: 528.0K
CGroup: /system.slice/mlx-regex.service
└─60802 /usr/bin/mlx-regex

then I create the datebase

# Create a simple rules file, with a single rule “hello\s+world”
echo “1,/hello\s+world/” > test.rules
# Compile the rules file. All output files will be prefixed by “rof/synthetic”
rxpc -f test.rules -o hello

finally I start the dpdk regex test app

opt/mellanox/dpdk/bin/dpdk-test-regex -a 03:00.1,class=regex -- --rules hello.rof2 --data test.dat

and it shows like below

EAL: Detected 8 lcore(s)
EAL: Detected 1 NUMA nodes
EAL: Detected shared linkage of DPDK
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: No available hugepages reported in hugepages-32768kB
EAL: No available hugepages reported in hugepages-64kB
EAL: No available hugepages reported in hugepages-1048576kB
EAL: Probing VFIO support...
EAL: VFIO support initialized
EAL:   Device is not NUMA-aware, defaulting socket to 0
EAL: Probe PCI driver: mlx5_pci (15b3:a2d6) device: 0000:03:00.0 (socket 0)
EAL: No legacy callbacks, legacy socket not created
:: initializing dev: 0
mlx5_regex: Rules program failed 22
mlx5_regex: Failed to program rxp rules.
mlx5_regex: Failed to program rxp rules.
Error, can't configure device 0.
EAL: Error - exiting with code: 1
  Cause: init port failed

It return error code 22, I don’t konw what’s this mean

3

I have the same problem and i solved , the regex engine was inactive

systemctl status mlx-regex
systemctl start mlx-regex
4

The URL filtering app needs a ruleset that is compiled by the doca_dpi_compiler not rxpc

The doca_dpi_compiler accepts rules in suricata format, then invokes rxpc to compile the regular expression part of the rule, but the rules need to be in the json format the the doca_dpi_compiler outputs.