virtio-comment

Summary:
========
This series improves virtio net receive packet steering to forward/steer
packets to specific RQ.

This basic functionality will enable Linux ethtool steering, Accelerated
receive flow steering (ARFS) as starting point, and more use cases in
future.

Problem statement:
==================
Currently packet allow/drop interface has few limitations.

1. Driver cannot add or delete an individual entry for mac and vlan.
2. Driver cannot select mac+vlan combination for which
to allow/drop packet.
3. Driver cannot not set other commonly used packet match fields
such as IP header fields, TCP, UDP, SCP header fields.
4. Driver cannot steer specific packets based on the match
fields to specific receiveq.
5. Driver do not have multiple or dedicated virtqueues to
perform flow filter requests in accelerated manner in
the device.

Solution:
=========
Flow filter as generic framework to overcome above limitations.

Overview:
=========
A flow filter defines the flow based on one or more match fields
of the packet, defines an action like drop/forward to RQ.

The flow filters are organized in flow filter groups so that they
can be ordered when multiple applications wants to use it.

Flow filters requests can be transported via control vq or dedicated
flow filter virtqueue so that it does not get intermixed with other
slow operations of cvq.

Flow filter requirements addressed by this series is worked by virtio community at

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179

This series utilizes enhancements proposed in [2] and [3].
It uses updated control vq command format from [3].
It uses new _DYNAMIC feature to create queues when needed and
saves guest and device resources.

[1] https://lists.oasis-open.org/archives/virtio-comment/202308/msg00263.html
[2] https://lists.oasis-open.org/archives/virtio-comment/202309/msg00236.html
[3] https://lists.oasis-open.org/archives/virtio-comment/202309/msg00227.html

Patch summary:
==============
patch-1 adds theory of operation description for flow filter
patch-2 adds device capabilities cvq commands
patch-3 adds group add/delete commands
patch-4 adds transport set command
patch-5 adds packet match fields and values
patch-6 adds flow filter requests to transport via vq
patch-7 adds device and driver requirements

Please review.

Changelog:
==========
v0->v1:
- addressed comments from Satananda
- added device requirement to return non zero value in fields_bmap
- added device requirement to not repeat filter type in response
- added driver requirement to order filter match field as it
appears in the packet
- added device requirement to fail group delete command on existing
flow entries
- added mask field in the type to indicate supported mask by device
and also in later patch to use it to indicate mask on adding
flow filter. As a result removed the mask_supported capability
field

Parav Pandit (7):
virtio-net: Add theory of operation for flow filter
virtio-net: Add flow filter capabilities read commands
virtio-net: Add flow filter group life cycle commands
virtio-net: Add flow filter transport set command
virtio-net: Add flow filter match values
virtio-net: Add flow filter requests
virtio-net: Add flow filter device and driver requirements

device-types/net/description.tex | 687 ++++++++++++++++++++++++++++++-
1 file changed, 686 insertions(+), 1 deletion(-)

--
2.34.1

Currently packet allow/drop interface has few limitations.

1. Driver can either select which MAC and VLANs to consider
for allowing/dropping packets, here, the driver has a
limitation that driver needs to supply full mac
table for each type. Driver cannot add or delete an
individual entry.

2. Driver cannot select mac+vlan combination for which
to allow/drop packet.

3. Driver cannot not set other commonly used packet match fields
such as IP header fields, TCP, UDP, SCP header fields.

4. Driver cannot steer specific packets based on the match
fields to specific receiveq.

5. Driver do not have multiple or dedicated virtqueues to
perform flow filter requests in accelerated manner in
the device.

Flow filter as generic framework overcome above limitations.

As starting point it is useful to support at least two use cases.
a. ARFS
b. ethtool ntuple steering

In future it can be further extended for usecases such as
switching device, connection tracking or may be more.

The flow filter has following properties.

1. It is an extendible object that driver can add or delete.
2. It belongs to a flow filter group (group has priority).
3. Each flow filter is identified using a unique identifier(id),
has priority, match fields, destination(rq) and action(allow/drop).
4. Flow filter has optionally mask too.

This patch adds theory of operation for flow filter functionality.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>
---
device-types/net/description.tex | 114 ++++++++++++++++++++++++++++++-
1 file changed, 113 insertions(+), 1 deletion(-)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 76585b0..c9a8c52 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -10,7 +10,9 @@ \section{Network Device}\label{sec:Device Types / Network Device}
removes these packets from the transmit virtqueue and sends them to
the link. The device may have a control virtqueue. The driver
uses the control virtqueue to dynamically manipulate various
-features of the initialized device.
+features of the initialized device. The device may have flow filter
+virtqueues. The driver uses flow filter virtqueues to steer specific
+receive packets to a specific destination such as specified receiveq.

\subsection{Device ID}\label{sec:Device Types / Network Device / Device ID}

@@ -33,6 +35,9 @@ \subsection{Virtqueues}\label{sec:Device Types / Network Device / Virtqueues}
controlq is optional; it only exists if VIRTIO_NET_F_CTRL_VQ is
negotiated.

+The flow filter virtqueues are optional; it may exists only if VIRTIO_NET_F_FLOW_FILTER
+is negotiated and if the device reports such capability.
+
\subsection{Feature bits}\label{sec:Device Types / Network Device / Feature bits}

\begin{description}
@@ -119,6 +124,8 @@ \subsection{Feature bits}\label{sec:Device Types / Network Device / Feature bits
device with the same MAC address.

\item[VIRTIO_NET_F_SPEED_DUPLEX(63)] Device reports speed and duplex.
+
+\item[VIRTIO_NET_F_FLOW_FILTER(64)] Device supports flow filter requests.
\end{description}

\subsubsection{Feature bit requirements}\label{sec:Device Types / Network Device / Feature bits / Feature bit requirements}
@@ -150,6 +157,7 @@ \subsubsection{Feature bit requirements}\label{sec:Device Types / Network Device
\item[VIRTIO_NET_F_RSS] Requires VIRTIO_NET_F_CTRL_VQ.
\item[VIRTIO_NET_F_VQ_NOTF_COAL] Requires VIRTIO_NET_F_CTRL_VQ.
\item[VIRTIO_NET_F_HASH_TUNNEL] Requires VIRTIO_NET_F_CTRL_VQ along with VIRTIO_NET_F_RSS or VIRTIO_NET_F_HASH_REPORT.
+\item[VIRTIO_NET_F_FLOW_FILTER] Requires VIRTIO_NET_F_CTRL_VQ.
\end{description}

\subsubsection{Legacy Interface: Feature bits}\label{sec:Device Types / Network Device / Feature bits / Legacy Interface: Feature bits}
@@ -1141,6 +1149,110 @@ \subsubsection{Processing of Incoming Packets}\label{sec:Device Types / Network
#define VIRTIO_NET_HASH_REPORT_UDPv6_EX 9
\end{lstlisting}

+\subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Operation / Flow Filter}
+
+To forward a received packet to a specific receiveq or to drop the packet based
+on one ore more fields of the packet, the device supports flow filter
+functionality. The flow filter can match the packet for a flow, take an action
+such as forward the packet to the specific receiveq or drop the packet.
+For example, the driver can request the device to forward received packets
+which matches to a specific source and destination IP addresses and
+TCP ports to a specific receiveq.
+
+Each flow filter consists of one or more match fields, a flow filter priority,
+a flow filter identifier, an action to forward a packet to the destination
+or to drop the packet. Each flow filter is independent of each other.
+The driver can add, replace and delete a flow filter in the device using
+a flow filter request.
+
+The device indicates the flow filter capabilities to the driver, which
+includes various maximum device limits, supported transports and
+supported packet match fields. The driver enables the transport for flow
+filter requests using a control virtqueue command.
+
+The device support transporting flow filter requests on either the control
+virtqueue or on the flow filter virtqueues or on both. However, device
+supports enabling flow filter request only on one type of virtqueue
+at a time, i.e. either control virtqueue or flow filter virtqueues.
+Once the driver sets the flow filter request transport in the device,
+the driver can send flow filter request using the enabled transport.
+
+The flow filters are grouped using a flow filter group. Each flow filter
+group has a priority. The device first applies the flow filters of the highest
+priority group to the received packet. If there is no match for the
+flow filters of such a group for the packet, the flow filters of the next
+priority group are applied, until there is a match for the packet from such
+a group or the last group has reached.
+
+The flow filter group can have one or more flow filters. Within a flow
+filter group, a packet may find match to multiple flow filters. In such
+scenario, a flow filter with the highested priority is applied first to the
+packet, if there is no match, the next higher priority flow filter is applied.
+
+The match fields also optionally consist of a match mask. When a mask is
+specified for the flow filter, first the packet fields are masked before
+matching with the fields of the flow filter.
+
+\paragraph{Flow Filter Virtqueue}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Flow Filter Virtqueue}
+
+The flow filter virtqueues are dedicated virtqueues which transport the
+flow filter requests. The driver adds flow filter request to the flow
+filter virtqueue, the device removes such a request from the virtqueue
+and executes it, when the request completes by the device, the device
+updates the result of it to the driver.
+
+The flow filter virtqueues are optional. The device may choose to support
+flow filters requests either on the control virtqueue or on the flow filter
+virtqueues or both.
+
+If the VIRTIO_F_RING_DYNAMIC is negotiated, the driver can create the
+flow filters virtqueues after the driver has finished the device
+initialization.
+
+The device can support one or more flow filter virtqueues. The driver
+can choose one to up to supported number of virtqueues to send requests.
+
+If the VIRTIO_F_RING_DYNAMIC is not negotiated, the flow filters
+virtqueues must be created during device initialization phase.
+
+\paragraph{Packet Processing Order}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Packet Processing Order}
+
+Whichever filtering and steering functionality is enabled, they are
+applied in the following order to for the received packet:
+
+\begin{itemize}
+\item apply device configuration done using control virtqueue commands
+ VIRTIO_NET_CTRL_RX, VIRTIO_NET_CTRL_MAC and VIRTIO_NET_CTRL_VLAN.
+\item apply flow filter configuration done using flow filter requests.
+\item apply device configuration done using command
+ VIRTIO_NET_CTRL_MQ_RSS_CONFIG.
+\end{itemize}
+
+While processing a received packet, at any stage if the packet is dropped,
+the next level of processing is omitted.
+
+When a flow filter is matched for the packet, it also stops the processing
+of the packet for next stage.
+
+Few examples are:
+\begin{itemize}
+\item If the packet is dropped by the flow filter configuration, RSS
+ configuration is not applied to such a packet.
+\item If the packet is forwarded to a specific receiveq using flow filters,
+ RSS configuration is not applied to such a packet due to a match on the
+ flow filter request.
+\item If the packet is dropped due to VIRTIO_NET_CTRL_MAC configuration,
+ flow filters or RSS configuration is not applied to such a packet.
+\item If the packet does not find any match in any of the flow filter groups,
+ next level RSS device configuration is applied if its exists.
+\item If there are three flow filter groups configured as group_A, group_B
+ and group_C with respective priorties as 4, 5, and 6; flow filters of
+ group_C is applied first having highest group priority, if there is a match,
+ flow filters of group_B and group_A are skipped; if there is no match for
+ the flow filters in group_C, the flow filters of next level group_B are applied.
+\end{itemize}
+
+\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Setting Promiscuous Mode}%old label for latexdiff
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
--
2.34.1

? 2023/10/7 ??1:14, Parav Pandit ??:
> Currently packet allow/drop interface has few limitations.

s/few limitations/a few limitations

>
> 1. Driver can either select which MAC and VLANs to consider
> for allowing/dropping packets, here, the driver has a
> limitation that driver needs to supply full mac
> table for each type. Driver cannot add or delete an
> individual entry.
>
> 2. Driver cannot select mac+vlan combination for which
> to allow/drop packet.
>
> 3. Driver cannot not set other commonly used packet match fields

Remove 'not'.

> such as IP header fields, TCP, UDP, SCP header fields.
>
> 4. Driver cannot steer specific packets based on the match
> fields to specific receiveq.
>
> 5. Driver do not have multiple or dedicated virtqueues to
> perform flow filter requests in accelerated manner in
> the device.
>
> Flow filter as generic framework overcome above limitations.

'as a generic framework overcomes'

>
> As starting point it is useful to support at least two use cases.
> a. ARFS
> b. ethtool ntuple steering
>
> In future it can be further extended for usecases such as
> switching device, connection tracking or may be more.
>
> The flow filter has following properties.
>
> 1. It is an extendible object that driver can add or delete.
> 2. It belongs to a flow filter group (group has priority).
> 3. Each flow filter is identified using a unique identifier(id),
> has priority, match fields, destination(rq) and action(allow/drop).
> 4. Flow filter has optionally mask too.
>
> This patch adds theory of operation for flow filter functionality.
>
> Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
> Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
> Signed-off-by: Parav Pandit <parav@nvidia.com>
> ---
> device-types/net/description.tex | 114 ++++++++++++++++++++++++++++++-
> 1 file changed, 113 insertions(+), 1 deletion(-)
>
> diff --git a/device-types/net/description.tex b/device-types/net/description.tex
> index 76585b0..c9a8c52 100644
> --- a/device-types/net/description.tex
> +++ b/device-types/net/description.tex
> @@ -10,7 +10,9 @@ \section{Network Device}\label{sec:Device Types / Network Device}
> removes these packets from the transmit virtqueue and sends them to
> the link. The device may have a control virtqueue. The driver
> uses the control virtqueue to dynamically manipulate various
> -features of the initialized device.
> +features of the initialized device. The device may have flow filter
> +virtqueues. The driver uses flow filter virtqueues to steer specific
> +receive packets to a specific destination such as specified receiveq.
>
> \subsection{Device ID}\label{sec:Device Types / Network Device / Device ID}
>
> @@ -33,6 +35,9 @@ \subsection{Virtqueues}\label{sec:Device Types / Network Device / Virtqueues}
> controlq is optional; it only exists if VIRTIO_NET_F_CTRL_VQ is
> negotiated.
>
> +The flow filter virtqueues are optional; it may exists only if VIRTIO_NET_F_FLOW_FILTER
> +is negotiated and if the device reports such capability.
> +
> \subsection{Feature bits}\label{sec:Device Types / Network Device / Feature bits}
>
> \begin{description}
> @@ -119,6 +124,8 @@ \subsection{Feature bits}\label{sec:Device Types / Network Device / Feature bits
> device with the same MAC address.
>
> \item[VIRTIO_NET_F_SPEED_DUPLEX(63)] Device reports speed and duplex.
> +
> +\item[VIRTIO_NET_F_FLOW_FILTER(64)] Device supports flow filter requests.
> \end{description}
>
> \subsubsection{Feature bit requirements}\label{sec:Device Types / Network Device / Feature bits / Feature bit requirements}
> @@ -150,6 +157,7 @@ \subsubsection{Feature bit requirements}\label{sec:Device Types / Network Device
> \item[VIRTIO_NET_F_RSS] Requires VIRTIO_NET_F_CTRL_VQ.
> \item[VIRTIO_NET_F_VQ_NOTF_COAL] Requires VIRTIO_NET_F_CTRL_VQ.
> \item[VIRTIO_NET_F_HASH_TUNNEL] Requires VIRTIO_NET_F_CTRL_VQ along with VIRTIO_NET_F_RSS or VIRTIO_NET_F_HASH_REPORT.
> +\item[VIRTIO_NET_F_FLOW_FILTER] Requires VIRTIO_NET_F_CTRL_VQ.
> \end{description}
>
> \subsubsection{Legacy Interface: Feature bits}\label{sec:Device Types / Network Device / Feature bits / Legacy Interface: Feature bits}
> @@ -1141,6 +1149,110 @@ \subsubsection{Processing of Incoming Packets}\label{sec:Device Types / Network
> #define VIRTIO_NET_HASH_REPORT_UDPv6_EX 9
> \end{lstlisting}
>
> +\subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Operation / Flow Filter}
> +
> +To forward a received packet to a specific receiveq or to drop the packet based
> +on one ore more fields of the packet, the device supports flow filter

s/one ore more/one or more

> +functionality. The flow filter can match the packet for a flow, take an action
> +such as forward the packet to the specific receiveq or drop the packet.
> +For example, the driver can request the device to forward received packets
> +which matches to a specific source and destination IP addresses and

s/which matches/which match

> +TCP ports to a specific receiveq.
> +
> +Each flow filter consists of one or more match fields, a flow filter priority,
> +a flow filter identifier, an action to forward a packet to the destination
> +or to drop the packet. Each flow filter is independent of each other.
> +The driver can add, replace and delete a flow filter in the device using
> +a flow filter request.
> +
> +The device indicates the flow filter capabilities to the driver, which
> +includes various maximum device limits, supported transports and

s/includes/include

> +supported packet match fields. The driver enables the transport for flow
> +filter requests using a control virtqueue command.
> +
> +The device support transporting flow filter requests on either the control

s/support/supports

> +virtqueue or on the flow filter virtqueues or on both. However, device
> +supports enabling flow filter request only on one type of virtqueue
> +at a time, i.e. either control virtqueue or flow filter virtqueues.
> +Once the driver sets the flow filter request transport in the device,
> +the driver can send flow filter request using the enabled transport.
> +
> +The flow filters are grouped using a flow filter group. Each flow filter
> +group has a priority. The device first applies the flow filters of the highest
> +priority group to the received packet. If there is no match for the
> +flow filters of such a group for the packet, the flow filters of the next
> +priority group are applied, until there is a match for the packet from such
> +a group or the last group has reached.
> +
> +The flow filter group can have one or more flow filters. Within a flow
> +filter group, a packet may find match to multiple flow filters. In such

s/find match/find a match

> +scenario, a flow filter with the highested priority is applied first to the

s/highested/highest

> +packet, if there is no match, the next higher priority flow filter is applied.
> +
> +The match fields also optionally consist of a match mask. When a mask is
> +specified for the flow filter, first the packet fields are masked before
> +matching with the fields of the flow filter.
> +
> +\paragraph{Flow Filter Virtqueue}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Flow Filter Virtqueue}
> +
> +The flow filter virtqueues are dedicated virtqueues which transport the
> +flow filter requests. The driver adds flow filter request to the flow
> +filter virtqueue, the device removes such a request from the virtqueue
> +and executes it, when the request completes by the device, the device

s/request completes/request is completed

> +updates the result of it to the driver.
> +
> +The flow filter virtqueues are optional. The device may choose to support
> +flow filters requests either on the control virtqueue or on the flow filter
> +virtqueues or both.
> +
> +If the VIRTIO_F_RING_DYNAMIC is negotiated, the driver can create the
> +flow filters virtqueues after the driver has finished the device
> +initialization.
> +
> +The device can support one or more flow filter virtqueues. The driver
> +can choose one to up to supported number of virtqueues to send requests.
> +
> +If the VIRTIO_F_RING_DYNAMIC is not negotiated, the flow filters
> +virtqueues must be created during device initialization phase.
> +
> +\paragraph{Packet Processing Order}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Packet Processing Order}
> +
> +Whichever filtering and steering functionality is enabled, they are
> +applied in the following order to for the received packet:

Remove 'to'.

> +
> +\begin{itemize}
> +\item apply device configuration done using control virtqueue commands
> + VIRTIO_NET_CTRL_RX, VIRTIO_NET_CTRL_MAC and VIRTIO_NET_CTRL_VLAN.
> +\item apply flow filter configuration done using flow filter requests.
> +\item apply device configuration done using command
> + VIRTIO_NET_CTRL_MQ_RSS_CONFIG.
> +\end{itemize}
> +
> +While processing a received packet, at any stage if the packet is dropped,
> +the next level of processing is omitted.
> +
> +When a flow filter is matched for the packet, it also stops the processing
> +of the packet for next stage.
> +
> +Few examples are:
> +\begin{itemize}
> +\item If the packet is dropped by the flow filter configuration, RSS
> + configuration is not applied to such a packet.
> +\item If the packet is forwarded to a specific receiveq using flow filters,
> + RSS configuration is not applied to such a packet due to a match on the
> + flow filter request.
> +\item If the packet is dropped due to VIRTIO_NET_CTRL_MAC configuration,
> + flow filters or RSS configuration is not applied to such a packet.
> +\item If the packet does not find any match in any of the flow filter groups,
> + next level RSS device configuration is applied if its exists.
> +\item If there are three flow filter groups configured as group_A, group_B
> + and group_C with respective priorties as 4, 5, and 6; flow filters of

s/priorties/priorities

Thanks!

> + group_C is applied first having highest group priority, if there is a match,
> + flow filters of group_B and group_A are skipped; if there is no match for
> + the flow filters in group_C, the flow filters of next level group_B are applied.
> +\end{itemize}
> +
> +\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Setting Promiscuous Mode}%old label for latexdiff
> \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}
>
> The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is

> From: Heng Qi <hengqi@linux.alibaba.com>
> Sent: Thursday, October 19, 2023 12:40 PM
>
> ? 2023/10/7 ??1:14, Parav Pandit ??:
> > Currently packet allow/drop interface has few limitations.
>
> s/few limitations/a few limitations
>
> >
> > 1. Driver can either select which MAC and VLANs to consider for
> > allowing/dropping packets, here, the driver has a limitation that
> > driver needs to supply full mac table for each type. Driver cannot add
> > or delete an individual entry.
> >
> > 2. Driver cannot select mac+vlan combination for which to allow/drop
> > packet.
> >
> > 3. Driver cannot not set other commonly used packet match fields
>
> Remove 'not'.
I think 'not' is fine, as driver cannot set it today. Above lists our current limitations.

For rest of the comments below. I will fix them.

The device responds flow filter capabilities using two commands.
One command indicates generic flow filter device limits such as
number of flow filters, number of flow filter groups, support or
multiple transports etc.

The second command indicates supported match types, and fields
of the packet.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>

---
changelog:
v0->v1:
- added mask field in the type to indicate supported mask by device
and also in later patch to use it to indicate mask on adding
flow filter. As a result removed the mask_supported capability
field
---
device-types/net/description.tex | 194 ++++++++++++++++++++++++++++++-
1 file changed, 192 insertions(+), 2 deletions(-)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index c9a8c52..19f6c60 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1168,7 +1168,11 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
The device indicates the flow filter capabilities to the driver, which
includes various maximum device limits, supported transports and
supported packet match fields. The driver enables the transport for flow
-filter requests using a control virtqueue command.
+filter requests using a control virtqueue command. These control virtqueue
+commands are:
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
+and
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Match Capabilities Get}.

The device support transporting flow filter requests on either the control
virtqueue or on the flow filter virtqueues or on both. However, device
@@ -1252,7 +1256,116 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
the flow filters in group_C, the flow filters of next level group_B are applied.
\end{itemize}

-\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Setting Promiscuous Mode}%old label for latexdiff
+\paragraph{Match Types and Fields}\label{sec:Device Types / Network Device / Device Operation / Flow Filter / Match Types and Fields}
+
+\begin{lstlisting}
+struct virtio_net_ff_match_type {
+ le16 type;
+ le16 mask;
+ le32 reserved;
+ le64 fields_bmap;
+};
+\end{lstlisting}
+
+The \field{type} corresponds to following table:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Type & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_ETH_HDR & Ethernet header of the packet \\
+\hline
+1 & VIRTIO_NET_FF_IPV4_HDR & IPv4 header of the packet \\
+\hline
+2 & VIRTIO_NET_FF_IPV6_HDR & IPv6 header of the packet \\
+\hline
+3 & VIRTIO_NET_FF_TCP_HDR & TCP header of the packet \\
+\hline
+4 & VIRTIO_NET_FF_UDP_HDR & UDP header of the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+When the \field{mask} is set, for the specific \field{type}, the device
+supports masking packet content with the supplied mask of the flow filter
+before comparing the resulting value with the flow filter match fields.
+
+For the \field{type} of VIRTIO_NET_FF_ETH_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_DST_MAC & Destination MAC address in the packet \\
+\hline
+1 & VIRTIO_NET_FF_SRC_MAC & Source MAC address in the packet \\
+\hline
+2 & VIRTIO_NET_FF_ETHER_TYPE & Ether type in the packet \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_IPV4 & Source IPV4 address in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_IPV4 & Destination IPV4 address in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_IPV6_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_IPV6 & Source IPV6 address in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_IPV6 & Destination IPV6 address in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_TCP_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_TCP_PORT & Source TCP port in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_TCP_PORT & Destination TCP port in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_UDP_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_UDP_PORT & Source UDP port in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_UDP_PORT & Destination UDP port in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
@@ -1917,6 +2030,83 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi

Upon reset, a device MUST initialize all coalescing parameters to 0.

+\paragraph{Flow Filter}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter}
+
+If the VIRTIO_NET_F_FLOW_FILTERS feature is negotiated, the driver can
+send commands VIRTIO_NET_CTRL_FF_CAP_GET and
+VIRTIO_NET_CTRL_FF_MATCH_CAP_GET to query the flow filter
+capabilities of the device.
+
+\begin{lstlisting}
+#define VIRTIO_NET_CTRL_FF 7
+ #define VIRTIO_NET_CTRL_FF_CAP_GET 0
+ #define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
+\end{lstlisting}
+
+\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
+
+The command VIRTIO_NET_CTRL_FF_CAP_GET provides the flow filter device capabilities.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_caps {
+ le16 max_vqs;
+ le16 start_vq_index;
+ le16 max_match_fields;
+ le16 max_groups; /* valid group id = max_groups - 1 */
+ le32 max_ff_per_group;
+ le32 max_ff; /* max flow_id in add/del
+ * = max_ff - 1.
+ */
+ u8 max_flow_priorities_per_group;
+ u8 cvq_supports_ff_req;
+};
+\end{lstlisting}
+
+The \field{max_vqs} indicates total number of flow filter virtqueues supported
+by the device starting from virtqueue index \field{start_vq_index}. When the
+device do not support flow filter requests over flow filter virtqueues,
+\field{max_vqs} is zero. When \field{max_vqs} is non zero, the driver can enable
+maximum of \field{max_vqs} number of flow filter virtqueues starting from
+virtqueue index \field{start_vq_index}.
+
+The \field{max_groups} indicates total number of flow filter groups supported
+by the device whose group identifier can be any value in the range from 0 to
+\field{max_groups - 1}. The flow filter group can have any priority in range
+of 0 to \field{max_groups - 1}.
+
+The \field{max_ff_per_group} indicates maximum number of
+flow filter per flow filter group which can be added by the driver.
+
+The \field{max_ff} indicates maximum number of flow filters across
+all the flow groups which can be added by the driver.
+
+The \field{max_ff_priorities_per_group} indicates maximum priority value
+of a flow filter within a group. A flow filter within a group can have any
+priority in range of zero to \field{max_ff_priorities_per_group - 1}.
+
+The \field{max_match_fields} indicates maximum number of fields of the packet
+which can be matched by the device for a flow filter.
+
+When the \field{cvq_supports_ff_req} is set, the device supports
+flow filter requests using a control virtqueue. The device may support flow
+filter requests on control virtqueue or using flow filter virtqueues or both.
+
+\subparagraph{Flow Filter Match Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Match Capabilities Get}
+
+The command VIRTIO_NET_CTRL_FF_MATCH_CAP_GET indicates which fields
+from the packet can be matched.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_match_types {
+ le32 num_entries;
+ struct virtio_net_ff_match_type types[];
+};
+\end{lstlisting}
+
+The \field{num_entries} indicates the length of an array \field{types}.
+Each array entry of \field{types} represents supported match fields of
+the packet by the device.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Hi Parav

> +For the \field{type} of VIRTIO_NET_FF_ETH_HDR, header fields
> +are represented by a bitmap in \field{fields_bmap} are following:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Bit & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_DST_MAC & Destination MAC address in the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_SRC_MAC & Source MAC address in the packet \\
> +\hline
> +2 & VIRTIO_NET_FF_ETHER_TYPE & Ether type in the packet \\
> +\hline
> +\end{tabular}
How about vlan ? if a filter selects ETHER_TYPE as vlan (0x8100),
How to then match the vlanid ? I believe I mentioned this in
last series as well.

Regards
Satananda

? 2023/10/7 ??1:14, Parav Pandit ??:
> The device responds flow filter capabilities using two commands.
> One command indicates generic flow filter device limits such as
> number of flow filters, number of flow filter groups, support or
> multiple transports etc.
>
> The second command indicates supported match types, and fields
> of the packet.
>
> Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
> Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
> Signed-off-by: Parav Pandit <parav@nvidia.com>
>
> ---
> changelog:
> v0->v1:
> - added mask field in the type to indicate supported mask by device
> and also in later patch to use it to indicate mask on adding
> flow filter. As a result removed the mask_supported capability
> field
> ---
> device-types/net/description.tex | 194 ++++++++++++++++++++++++++++++-
> 1 file changed, 192 insertions(+), 2 deletions(-)
>
> diff --git a/device-types/net/description.tex b/device-types/net/description.tex
> index c9a8c52..19f6c60 100644
> --- a/device-types/net/description.tex
> +++ b/device-types/net/description.tex
> @@ -1168,7 +1168,11 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
> The device indicates the flow filter capabilities to the driver, which
> includes various maximum device limits, supported transports and
> supported packet match fields. The driver enables the transport for flow
> -filter requests using a control virtqueue command.
> +filter requests using a control virtqueue command. These control virtqueue
> +commands are:
> +\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
> +and
> +\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Match Capabilities Get}.
>
> The device support transporting flow filter requests on either the control
> virtqueue or on the flow filter virtqueues or on both. However, device
> @@ -1252,7 +1256,116 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
> the flow filters in group_C, the flow filters of next level group_B are applied.
> \end{itemize}
>
> -\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Setting Promiscuous Mode}%old label for latexdiff
> +\paragraph{Match Types and Fields}\label{sec:Device Types / Network Device / Device Operation / Flow Filter / Match Types and Fields}
> +
> +\begin{lstlisting}
> +struct virtio_net_ff_match_type {
> + le16 type;
> + le16 mask;
> + le32 reserved;
> + le64 fields_bmap;
> +};
> +\end{lstlisting}
> +
> +The \field{type} corresponds to following table:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Type & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_ETH_HDR & Ethernet header of the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_IPV4_HDR & IPv4 header of the packet \\
> +\hline
> +2 & VIRTIO_NET_FF_IPV6_HDR & IPv6 header of the packet \\
> +\hline
> +3 & VIRTIO_NET_FF_TCP_HDR & TCP header of the packet \\
> +\hline
> +4 & VIRTIO_NET_FF_UDP_HDR & UDP header of the packet \\
> +\hline
> +other & - & reserved \\
> +\hline
> +\end{tabular}
> +
> +When the \field{mask} is set, for the specific \field{type}, the device
> +supports masking packet content with the supplied mask of the flow filter
> +before comparing the resulting value with the flow filter match fields.
> +
> +For the \field{type} of VIRTIO_NET_FF_ETH_HDR, header fields
> +are represented by a bitmap in \field{fields_bmap} are following:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Bit & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_DST_MAC & Destination MAC address in the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_SRC_MAC & Source MAC address in the packet \\
> +\hline
> +2 & VIRTIO_NET_FF_ETHER_TYPE & Ether type in the packet \\
> +\hline
> +\end{tabular}
> +
> +For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, header fields
> +are represented by a bitmap in \field{fields_bmap} are following:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Bit & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_SRC_IPV4 & Source IPV4 address in the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_DST_IPV4 & Destination IPV4 address in the packet \\
> +\hline
> +other & - & reserved \\
> +\hline
> +\end{tabular}
> +
> +For the \field{type} of VIRTIO_NET_FF_IPV6_HDR, header fields
> +are represented by a bitmap in \field{fields_bmap} are following:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Bit & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_SRC_IPV6 & Source IPV6 address in the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_DST_IPV6 & Destination IPV6 address in the packet \\
> +\hline
> +other & - & reserved \\
> +\hline
> +\end{tabular}
> +
> +For the \field{type} of VIRTIO_NET_FF_TCP_HDR, header fields
> +are represented by a bitmap in \field{fields_bmap} are following:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Bit & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_SRC_TCP_PORT & Source TCP port in the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_DST_TCP_PORT & Destination TCP port in the packet \\
> +\hline
> +other & - & reserved \\
> +\hline
> +\end{tabular}
> +
> +For the \field{type} of VIRTIO_NET_FF_UDP_HDR, header fields
> +are represented by a bitmap in \field{fields_bmap} are following:
> +
> +\begin{tabular}{|l|l|l|}
> +\hline
> +Bit & Name & Description \\
> +\hline \hline
> +0 & VIRTIO_NET_FF_SRC_UDP_PORT & Source UDP port in the packet \\
> +\hline
> +1 & VIRTIO_NET_FF_DST_UDP_PORT & Destination UDP port in the packet \\
> +\hline
> +other & - & reserved \\
> +\hline
> +\end{tabular}
> +
> \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}
>
> The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
> @@ -1917,6 +2030,83 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
>
> Upon reset, a device MUST initialize all coalescing parameters to 0.
>
> +\paragraph{Flow Filter}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter}
> +
> +If the VIRTIO_NET_F_FLOW_FILTERS feature is negotiated, the driver can
> +send commands VIRTIO_NET_CTRL_FF_CAP_GET and
> +VIRTIO_NET_CTRL_FF_MATCH_CAP_GET to query the flow filter
> +capabilities of the device.
> +
> +\begin{lstlisting}
> +#define VIRTIO_NET_CTRL_FF 7
> + #define VIRTIO_NET_CTRL_FF_CAP_GET 0
> + #define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
> +\end{lstlisting}
> +
> +\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
> +
> +The command VIRTIO_NET_CTRL_FF_CAP_GET provides the flow filter device capabilities.
> +
> +\begin{lstlisting}
> +struct virtio_net_ctrl_ff_caps {
> + le16 max_vqs;
> + le16 start_vq_index;
> + le16 max_match_fields;
> + le16 max_groups; /* valid group id = max_groups - 1 */
> + le32 max_ff_per_group;
> + le32 max_ff; /* max flow_id in add/del
> + * = max_ff - 1.
> + */
> + u8 max_flow_priorities_per_group;
> + u8 cvq_supports_ff_req;
> +};
> +\end{lstlisting}
> +
> +The \field{max_vqs} indicates total number of flow filter virtqueues supported
> +by the device starting from virtqueue index \field{start_vq_index}. When the
> +device do not support flow filter requests over flow filter virtqueues,

s/do not/does not

Thanks!

> +\field{max_vqs} is zero. When \field{max_vqs} is non zero, the driver can enable
> +maximum of \field{max_vqs} number of flow filter virtqueues starting from
> +virtqueue index \field{start_vq_index}.
> +
> +The \field{max_groups} indicates total number of flow filter groups supported
> +by the device whose group identifier can be any value in the range from 0 to
> +\field{max_groups - 1}. The flow filter group can have any priority in range
> +of 0 to \field{max_groups - 1}.
> +
> +The \field{max_ff_per_group} indicates maximum number of
> +flow filter per flow filter group which can be added by the driver.
> +
> +The \field{max_ff} indicates maximum number of flow filters across
> +all the flow groups which can be added by the driver.
> +
> +The \field{max_ff_priorities_per_group} indicates maximum priority value
> +of a flow filter within a group. A flow filter within a group can have any
> +priority in range of zero to \field{max_ff_priorities_per_group - 1}.
> +
> +The \field{max_match_fields} indicates maximum number of fields of the packet
> +which can be matched by the device for a flow filter.
> +
> +When the \field{cvq_supports_ff_req} is set, the device supports
> +flow filter requests using a control virtqueue. The device may support flow
> +filter requests on control virtqueue or using flow filter virtqueues or both.
> +
> +\subparagraph{Flow Filter Match Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Match Capabilities Get}
> +
> +The command VIRTIO_NET_CTRL_FF_MATCH_CAP_GET indicates which fields
> +from the packet can be matched.
> +
> +\begin{lstlisting}
> +struct virtio_net_ctrl_ff_match_types {
> + le32 num_entries;
> + struct virtio_net_ff_match_type types[];
> +};
> +\end{lstlisting}
> +
> +The \field{num_entries} indicates the length of an array \field{types}.
> +Each array entry of \field{types} represents supported match fields of
> +the packet by the device.
> +
> \subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
> Types / Network Device / Legacy Interface: Framing Requirements}
>

> From: Heng Qi <hengqi@linux.alibaba.com>
> Sent: Thursday, October 19, 2023 12:43 PM
> > +The \field{max_vqs} indicates total number of flow filter virtqueues
> > +supported by the device starting from virtqueue index
> > +\field{start_vq_index}. When the device do not support flow filter
> > +requests over flow filter virtqueues,
>
> s/do not/does not
Fixing it. Thanks.

All the flow filters are managed in the flow filter group. The
device can have one or more flow filter groups. Each flow filter
group has its own priority. The group priority which
defines the packet processing order in the flow filter domain.

Add commands to add and delete the flow filter group.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
---
device-types/net/description.tex | 33 ++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 19f6c60..c7306b6 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1192,6 +1192,11 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
filter group, a packet may find match to multiple flow filters. In such
scenario, a flow filter with the highested priority is applied first to the
packet, if there is no match, the next higher priority flow filter is applied.
+The driver adds and deletes the flow filter group using a control
+virtqueue commands \ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Add}
+and
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Delete}
+respectively.

The match fields also optionally consist of a match mask. When a mask is
specified for the flow filter, first the packet fields are masked before
@@ -2041,6 +2046,8 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
#define VIRTIO_NET_CTRL_FF 7
#define VIRTIO_NET_CTRL_FF_CAP_GET 0
#define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
+ #define VIRTIO_NET_CTRL_FF_GROUP_ADD 2
+ #define VIRTIO_NET_CTRL_FF_GROUP_DEL 3
\end{lstlisting}

\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
@@ -2107,6 +2114,32 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
Each array entry of \field{types} represents supported match fields of
the packet by the device.

+\subparagraph{Flow Filter Group Add}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Add}
+
+The command VIRTIO_NET_CTRL_FF_GROUP_ADD adds a new flow filter
+group with the supplied group identifier \field{id} with assigned
+priority \field{priority}.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_group_add {
+ le16 priority; /* higher the value, higher priority */
+ le16 id;
+};
+\end{lstlisting}
+
+\subparagraph{Flow Filter Group Delete}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Delete}
+
+The command VIRTIO_NET_CTRL_FF_GROUP_DEL deletes the
+flow filter group that has been previously added using command
+VIRTIO_NET_CTRL_FF_GROUP_ADD. Flow filter group is
+identified using a group identifier \field{id}.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_group_del {
+ le16 id;
+};
+\end{lstlisting}
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Flow filter requests can be either sent using a control virtqueue
or using one or more flow filter virtqueues.
The driver can choose one of the transport based on device capability.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
---
device-types/net/description.tex | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index c7306b6..17d4f15 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1180,6 +1180,8 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
at a time, i.e. either control virtqueue or flow filter virtqueues.
Once the driver sets the flow filter request transport in the device,
the driver can send flow filter request using the enabled transport.
+The driver selects the flow filter transport using control vq command
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Transport Mode Set}.

The flow filters are grouped using a flow filter group. Each flow filter
group has a priority. The device first applies the flow filters of the highest
@@ -2048,6 +2050,7 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
#define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
#define VIRTIO_NET_CTRL_FF_GROUP_ADD 2
#define VIRTIO_NET_CTRL_FF_GROUP_DEL 3
+ #define VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET 4
\end{lstlisting}

\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
@@ -2140,6 +2143,25 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
};
\end{lstlisting}

+\subparagraph{Flow Filter Transport Mode Set}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Transport Mode Set}
+
+The command VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET sets the
+transport mode for flow filter requests in the device.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_transport_set {
+ u8 mode;
+};
+
+#define VIRTIO_NET_FF_TRANSPORT_CVQ 0
+#define VIRTIO_NET_FF_TRANSPORT_FFVQ 1
+\end{lstlisting}
+
+The \field{mode} when set to 0, it indicates the driver will use
+control virtqueue for transporting flow filters requests; when the
+\field{mode} is set to 1, it indicates that the driver will use
+flow filter virtqueue(s) for transporting flow filter requests.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Define flow filter match values for the defined types.

Currently it covers the most common filter types and value
of Ethernet header, IP addresses, TCP and UDP ports.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>
---
changelog:
v0->v1:
- added mask flag to the type
---
device-types/net/description.tex | 79 ++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 17d4f15..19d1655 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1272,6 +1272,10 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
le32 reserved;
le64 fields_bmap;
};
+
+struct virtio_net_ff_match_value {
+ u8 value[];
+};
\end{lstlisting}

The \field{type} corresponds to following table:
@@ -1298,6 +1302,10 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
supports masking packet content with the supplied mask of the flow filter
before comparing the resulting value with the flow filter match fields.

+For each of the \field{type}, a corresponding bitmap for the
+\field{fields_bmap} and the \field{struct virtio_net_ff_match_value}
+is defined as following:
+
For the \field{type} of VIRTIO_NET_FF_ETH_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1313,6 +1321,21 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_ETH_HDR, the match
+entry \field{struct virtio_net_ff_match_value} is in following format:
+
+\begin{lstlisting}
+struct virtio_net_ff_match_eth_hdr {
+ u8 dmac[6];
+ u8 smac[6];
+ le16 ether_type;
+};
+\end{lstlisting}
+
+The \field{dmac} is valid when VIRTIO_NET_FF_DST_MAC is set.
+The \field{smac} is valid when VIRTIO_NET_FF_SRC_MAC is set.
+The \field{ether_type} is valid when VIRTIO_NET_FF_ETHER_TYPE is set.
+
For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1328,6 +1351,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, match entry
+\field{struct virtio_net_ff_match_value} is in following format:
+
+\begin{lstlisting}
+struct virtio_net_ff_match_ipv4_hdr {
+ le32 reserved[3];
+ le32 sip;
+ le32 dip;
+};
+\end{lstlisting}
+
+The \field{sip} is valid when VIRTIO_NET_FF_SRC_IPV4 is set.
+The \field{dip} is valid when VIRTIO_NET_FF_DST_IPV4 is set.
+
For the \field{type} of VIRTIO_NET_FF_IPV6_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1343,6 +1380,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, match entry
+\field{struct virtio_net_ff_match_value} is in following format:
+
+\begin{lstlisting}
+struct virtio_net_ff_match_ipv6_hdr {
+ le32 reserved[2];
+ u8 sip[16];
+ u8 dip[16];
+};
+\end{lstlisting}
+
+The \field{sip} is valid when VIRTIO_NET_FF_SRC_IPV6 is set.
+The \field{dip} is valid when VIRTIO_NET_FF_DST_IPV6 is set.
+
For the \field{type} of VIRTIO_NET_FF_TCP_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1358,6 +1409,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_TCP_HDR, match entry
+\field{struct virtio_net_ff_match_value} is in following format:
+
+\begin{lstlisting}
+struct virtio_ndr_ff_match_tcp_hdr {
+ le16 sport;
+ le16 dport;
+ le32 reserved[4];
+};
+\end{lstlisting}
+
+The \field{sport} is valid when VIRTIO_NET_FF_SRC_TCP_PORT is set.
+This \field{dport} is valid when VIRTIO_NET_FF_DST_TCP_PORT is set.
+
For the \field{type} of VIRTIO_NET_FF_UDP_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1373,6 +1438,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_UDP_HDR, match entry
+\field{struct virtio_net_ff_match_value} is in following format:
+
+\begin{lstlisting}
+struct virtio_ndr_ff_match_udp_hdr {
+ le16 sport;
+ le16 dport;
+ le32 reserved;
+};
+\end{lstlisting}
+
+The \field{sport} is valid when VIRTIO_NET_FF_SRC_UDP_PORT is set.
+This \field{dport} is valid when VIRTIO_NET_FF_DST_UDP_PORT is set.
+
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
--
2.34.1

Define generic flow filter add and delete requests and its transport
using a control virtqueue command and flow filter virtqueue(s).

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>

---
changelog:
v0->v1:
- reworded add flow request text to consider optional mask
- replaced respond with set
---
device-types/net/description.tex | 123 +++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 19d1655..cf2836d 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1452,6 +1452,104 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
The \field{sport} is valid when VIRTIO_NET_FF_SRC_UDP_PORT is set.
This \field{dport} is valid when VIRTIO_NET_FF_DST_UDP_PORT is set.

+\paragraph{Flow Filter Request}
+\label{sec:Device Types / Network Device / Device Operation / Flow Filter / Flow Filter Request}
+
+Two flow filter requests are supported by the device.
+
+\begin{itemize}
+\item Add or replace a flow filter using a request \field{struct virtio_net_ff_add}.
+
+\item Delete an existing flow filter using a request \field{struct virtio_net_ff_del}.
+
+\end{itemize}
+
+\begin{lstlisting}
+struct virtio_net_ff_match_field {
+ struct virtio_net_ff_match_type type;
+ struct virtio_net_ff_match_value value;
+ struct virtio_net_ff_match_value mask; /* optional, only exists if mask in type is set to 1. */
+};
+
+struct virtio_net_ff_match_fields {
+ le32 num_entries;
+ struct virtio_net_ff_match_field match_entries[];
+};
+
+#define VIRTIO_NET_FF_DEST_RQ 0
+
+struct virtio_net_ff_dest {
+ u8 dest_type;
+ u8 reserved[3];
+ union {
+ le16 vq_index;
+ le32 reserved1;
+ };
+};
+
+struct virtio_net_ff_action {
+ u8 action;
+ u8 reserved[7];
+};
+
+#define VIRTIO_NET_FF_ACTION_DROP 0
+#define VIRTIO_NET_FF_ACTION_FORWARD 1
+
+struct virtio_net_ff_add {
+ u8 op;
+ u8 priority; /* higher the value, higher priority */
+ u16 group_id;
+ le32 id;
+ struct virtio_net_ff_match_fields match;
+ struct virtio_net_ff_dest dest;
+ struct virtio_net_ff_action action;
+};
+
+struct virtio_net_ff_del {
+ u8 op;
+ u8 padding[3];
+ le32 id;
+};
+
+#define VIRTIO_NET_FF_REQ__ADD 0
+#define VIRTIO_NET_FF_REQ__DEL 1
+
+struct virtio_net_ff_req_result {
+ le16 status;
+};
+
+#define VIRTIO_NET_FF_RESULT_OK 0
+#define VIRTIO_NET_FF_RESULT_ERR 1
+
+struct virtio_net_ff_req {
+ /* Device-readable part */
+ union {
+ struct virtio_net_ff_add add;
+ struct virtio_net_ff_del del;
+ };
+ /* Device-writable part */
+ struct virtio_net_ff_req_result result;
+};
+\end{lstlisting}
+
+When the flow filter request is sent using a flow filter virtqueue,
+the descriptors points to \field{struct virtio_net_ff_req}.
+
+In the field \field{match_entries}, for each of the array entry the
+field \field{value} and \field{type} are in the format described in
+\ref{sec:Device Types / Network Device / Device Operation / Flow Filter / Match Types and Fields}.
+
+When the device completes the request, \field{status} is updated
+by the device; when the request is successful, \field{status} is
+set to VIRTIO_NET_FF_RESULT_OK, on error, \field{status} is
+set to VIRTIO_NET_FF_RESULT_ERR.
+
+When the driver sets the \field{mask} to 1 in
+\field{struct virtio_net_ff_match_type}, the \field{mask} is present in
+\field{struct virtio_net_ff_match_field}. When the mask is present in
+the flow filter, for the match \field{type}, the mask is applied first to the
+packet fields before comparing the match result.
+
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
@@ -2130,6 +2228,7 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
#define VIRTIO_NET_CTRL_FF_GROUP_ADD 2
#define VIRTIO_NET_CTRL_FF_GROUP_DEL 3
#define VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET 4
+ #define VIRTIO_NET_CTRL_FF_REQ 5
\end{lstlisting}

\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
@@ -2241,6 +2340,30 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
\field{mode} is set to 1, it indicates that the driver will use
flow filter virtqueue(s) for transporting flow filter requests.

+\subparagraph{Flow Filter Requests}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Requests}
+
+When the driver has successfully set flow filter transport mode as control
+virtqueue using command VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET, the
+flow filter requests are transported using command
+VIRTIO_NET_CTRL_FF_REQ over a control virtqueue.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_req {
+ union {
+ struct virtio_net_ff_add add;
+ struct virtio_net_ff_del del;
+ };
+};
+
+\end{lstlisting}
+
+The \field{command-specific-data} is in format of
+\field{struct virtio_net_ctrl_ff_req}.
+
+When the flow filter request command is successful, the
+\field{command-specific-result} is in format of
+\field{struct virtio_net_ff_req_result}.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Hi Parav

> +#define VIRTIO_NET_FF_DEST_RQ 0
> +
> +struct virtio_net_ff_dest {
> + u8 dest_type;
> + u8 reserved[3];
> + union {
> + le16 vq_index;
> + le32 reserved1;
> + };
> +};
> +
> +struct virtio_net_ff_action {
> + u8 action;
> + u8 reserved[7];
> +};
> +
> +#define VIRTIO_NET_FF_ACTION_DROP 0
> +#define VIRTIO_NET_FF_ACTION_FORWARD 1
> +
> +struct virtio_net_ff_add {
> + u8 op;
> + u8 priority; /* higher the value, higher priority */
> + u16 group_id;
> + le32 id;
> + struct virtio_net_ff_match_fields match;
> + struct virtio_net_ff_dest dest;
> + struct virtio_net_ff_action action;
> +};
I think virtio_net_ff_dest and virtio_net_ff_action can be combined.
In fact, dest is only valid if action is forward. So, the additional
fields in virtio_net_ff_dest can be added to virtio_net_ff_action in
a union and only interpreted if action type is forward.
Also we would need support for multiple actions in future(tc flower)
so we may need to have an array of actions. Similar to
https://elixir.bootlin.com/linux/latest/source/include/net/flow_offload.h#L328

Regards
Satananda

The flow filter functionality consists of the following
four components.
Add driver and device requirements for it.

1. Device capabilities query for commands VIRTIO_NET_CTRL_FF_CAP_GET,
VIRTIO_NET_CTRL_FF_MATCH_CAP_GET.
2. Flow filter group operation commands VIRTIO_NET_CTRL_FF_GROUP_ADD
and VIRTIO_NET_CTRL_FF_GROUP_DEL.
3. Flow filter transport mode set command
VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET.
4. Flow filter requests using command VIRTIO_NET_CTRL_FF_REQ and
the structure virtio_net_ff_op for the flow filter virtqueue.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
---
changelog:
v0->v1:
- addressed comments from Satananda
- added device requirement to return non zero value in fields_bmap
- added device requirement to not repeat filter type in response
- added driver requirement to order filter match field as it
appears in the packet
- added device requirement to fail group delete command on existing
flow entries
---
device-types/net/description.tex | 126 +++++++++++++++++++++++++++++++
1 file changed, 126 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index cf2836d..1a3ce63 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -2364,6 +2364,132 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
\field{command-specific-result} is in format of
\field{struct virtio_net_ff_req_result}.

+\devicenormative{\subparagraph}{Flow Filter}{Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter}
+
+When the VIRTIO_NET_F_FLOW_FILTER is negotiated, the device MUST support
+VIRTIO_NET_CTRL_FF_CAP_GET, VIRTIO_NET_CTRL_FF_MATCH_CAP_GET, VIRTIO_NET_CTRL_FF_GROUP_ADD,
+VIRTIO_NET_CTRL_FF_GROUP_DEL, VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET and
+VIRTIO_NET_CTRL_FF_REQ commands.
+
+When the VIRTIO_NET_F_FLOW_FILTER is not negotiated, the device MUST respond
+with error VIRTIO_NET_ERR for
+VIRTIO_NET_CTRL_FF_CAP_GET, VIRTIO_NET_CTRL_FF_MATCH_CAP_GET, VIRTIO_NET_CTRL_FF_GROUP_ADD,
+VIRTIO_NET_CTRL_FF_GROUP_DEL, VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET and
+VIRTIO_NET_CTRL_FF_REQ commands.
+
+When the command VIRTIO_NET_CTRL_FF_CAP_GET completes successfully, the device
+MUST set either \field{max_vqs} to be non zero or set
+\field{cvq_supports_ff_ops} to 1; the device MUST set non zero value for fields
+\field{max_groups}, \field{max_ff_per_group}, \field{max_ff},
+\field{max_match_fields} and \field{max_flow_priorities_per_group}.
+
+When the command VIRTIO_NET_CTRL_FF_MATCH_CAP_GET completes successfully,
+\begin{itemize}
+\item the device MUST set non zero value for fields \field{num_entries}, \field{fields_bmap}
+and set corresponding number of valid entries.
+\item the device MUST NOT repeat \field{type} in the \field{types}.
+\end{itemize}
+
+The device MUST set VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_GROUP_ADD if there are existing flow filters for the
+supplied group \field{id} or for the supplied \field{priority}.
+
+The device MUST set VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_GROUP_DEL if the group identified with \field{id}
+does not exist in the device.
+
+The device MUST set VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_GROUP_DEL if the group identified with \field{id}
+has one or more flow filters present in the group.
+
+If there are active flow filters already added in the device, the device
+MUST respond VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET.
+
+The device MUST respond VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET when \field{mode} is set to
+VIRTIO_NET_FF_TRANSPORT_CVQ and \field{cvq_supports_ff_ops} is set to zero;
+or when \field{mode} is set to VIRTIO_NET_FF_TRANSPORT_FFVQ and
+\field{max_vqs} is zero.
+
+The device MUST fail the operation VIRTIO_NET_FF_OP_ADD if the
+\field{match} contains duplicate \field{type}.
+
+The device MUST fail the operation VIRTIO_NET_FF_OP_DEL if the
+requested flow filter of identifier \field{id} do not exist in the
+the device.
+
+The device MUST fail the operation VIRTIO_NET_FF_OP_ADD if the
+\field{vq_index} in the \field{dest} is outside of the range.
+
+When the flow filter forwards the packet to the \field{vq_index} and
+if the receiveq is reset, the device MUST drop such packets.
+
+When the flow filter \field{action} is VIRTIO_NET_FF_ACTION_DROP,
+the device MUST ignore fields of \field{struct virtio_net_ff_dest}.
+
+When the driver has added multiple flow filters with same \field{priority}
+and for a packet if multiple flow filters MAY match such that it MAY result
+in different \field{action} or different \field{dest}, the device
+MAY apply any of the matching flow filters.
+
+The device MUST follow received packet processing ordering chain as following:
+
+The device SHOULD set \field{device_status} to DEVICE_NEEDS_RESET when
+the driver has not set the flow filter transport mode to
+VIRTIO_NET_FF_TRANSPORT_FFVQ and if the driver enables the flow filter
+virtqueue.
+
+\begin{itemize}
+\item Device configuration done using control virtqueue commands VIRTIO_NET_CTRL_RX,
+ VIRTIO_NET_CTRL_MAC and VIRTIO_NET_CTRL_VLAN.
+\item Flow filters programmed using flow filters functionality.
+\item Device configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
+\end{itemize}
+
+When the device drops the packet due to the configuration done using the control
+virtqueue commands VIRTIO_NET_CTRL_RX or VIRTIO_NET_CTRL_MAC or VIRTIO_NET_CTRL_VLAN,
+the device MUST stop processing this packet for flow filters processing.
+
+When the device matches the flow filter for the packet and if the match is successful,
+the filter processing chain MUST stop, i.e. next level of processing MUST not be done.
+
+When the device matches the flow filter for the packet and if no match entry is found
+for the packet, the receive packet processing continues to next level, i.e. to apply
+configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
+
+The device MUST support enabling \field{max_vqs} number of flow filters
+virtqueues after device initializaton phase if VIRTIO_F_RING_DYNAMIC
+feature is negotiated.
+
+When \field{max_vqs} is non zero, the device MUST report \field{start_vq_index},
+such that it does not overlap with any other virtqueues indices.
+
+\drivernormative{\subparagraph}{Flow Filters}{Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filters}
+
+The driver MUST NOT change the flow filters transport mode using
+VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET when the device has flow filters
+added.
+
+The driver MUST NOT set transport mode of VIRTIO_NET_FF_TRANSPORT_CVQ
+if \field{cvq_supports_ff_ops} is set to zero.
+
+The driver MUST NOT set transport mode of VIRTIO_NET_FF_TRANSPORT_FFVQ
+if \field{max_vqs} is set to zero in the command response of
+VIRTIO_NET_CTRL_FF_CAP_GET.
+
+The driver MUST NOT send any flow filters specific commands having class code
+of VIRTIO_NET_CTRL_FF when VIRTIO_NET_F_FLOW_FILTER is not negotiated.
+
+The driver SHOULD NOT add multiple flow filters with same \field{priority}
+in a flow filter group, with overlapping match values.
+
+The driver SHOULD use different priority for different flow filters
+if multiple of the flow filters MAY match for a packet.
+
+The driver SHOULD set the \field{type} in \field{match_entries} as that of
+the order appears in the packet.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Hi Parav

> +When the device matches the flow filter for the packet and if no match
> entry is found
> +for the packet, the receive packet processing continues to next level,
> i.e. to apply
> +configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
Did you mean to say that the device has flow filters configured but
no match is found for a packet? I think the following line is confusing
"When the device matches the flow filter for the packet and if no match entry is found"

Regards
Satananda

? 2023/10/7 ??1:14, Parav Pandit ??:
> The flow filter functionality consists of the following
> four components.
> Add driver and device requirements for it.
>
> 1. Device capabilities query for commands VIRTIO_NET_CTRL_FF_CAP_GET,
> VIRTIO_NET_CTRL_FF_MATCH_CAP_GET.
> 2. Flow filter group operation commands VIRTIO_NET_CTRL_FF_GROUP_ADD
> and VIRTIO_NET_CTRL_FF_GROUP_DEL.
> 3. Flow filter transport mode set command
> VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET.
> 4. Flow filter requests using command VIRTIO_NET_CTRL_FF_REQ and
> the structure virtio_net_ff_op for the flow filter virtqueue.
>
> Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
> Signed-off-by: Parav Pandit <parav@nvidia.com>
> Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
> ---
> changelog:
> v0->v1:
> - addressed comments from Satananda
> - added device requirement to return non zero value in fields_bmap
> - added device requirement to not repeat filter type in response
> - added driver requirement to order filter match field as it
> appears in the packet
> - added device requirement to fail group delete command on existing
> flow entries
> ---
> device-types/net/description.tex | 126 +++++++++++++++++++++++++++++++
> 1 file changed, 126 insertions(+)
>
> diff --git a/device-types/net/description.tex b/device-types/net/description.tex
> index cf2836d..1a3ce63 100644
> --- a/device-types/net/description.tex
> +++ b/device-types/net/description.tex
> @@ -2364,6 +2364,132 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
> \field{command-specific-result} is in format of
> \field{struct virtio_net_ff_req_result}.
>
> +\devicenormative{\subparagraph}{Flow Filter}{Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter}
> +
> +When the VIRTIO_NET_F_FLOW_FILTER is negotiated, the device MUST support
> +VIRTIO_NET_CTRL_FF_CAP_GET, VIRTIO_NET_CTRL_FF_MATCH_CAP_GET, VIRTIO_NET_CTRL_FF_GROUP_ADD,
> +VIRTIO_NET_CTRL_FF_GROUP_DEL, VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET and
> +VIRTIO_NET_CTRL_FF_REQ commands.
> +
> +When the VIRTIO_NET_F_FLOW_FILTER is not negotiated, the device MUST respond
> +with error VIRTIO_NET_ERR for
> +VIRTIO_NET_CTRL_FF_CAP_GET, VIRTIO_NET_CTRL_FF_MATCH_CAP_GET, VIRTIO_NET_CTRL_FF_GROUP_ADD,
> +VIRTIO_NET_CTRL_FF_GROUP_DEL, VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET and
> +VIRTIO_NET_CTRL_FF_REQ commands.
> +
> +When the command VIRTIO_NET_CTRL_FF_CAP_GET completes successfully, the device
> +MUST set either \field{max_vqs} to be non zero or set
> +\field{cvq_supports_ff_ops} to 1; the device MUST set non zero value for fields
> +\field{max_groups}, \field{max_ff_per_group}, \field{max_ff},
> +\field{max_match_fields} and \field{max_flow_priorities_per_group}.
> +
> +When the command VIRTIO_NET_CTRL_FF_MATCH_CAP_GET completes successfully,
> +\begin{itemize}
> +\item the device MUST set non zero value for fields \field{num_entries}, \field{fields_bmap}
> +and set corresponding number of valid entries.
> +\item the device MUST NOT repeat \field{type} in the \field{types}.
> +\end{itemize}
> +
> +The device MUST set VIRTIO_NET_ERROR for the command
> +VIRTIO_NET_CTRL_FF_GROUP_ADD if there are existing flow filters for the
> +supplied group \field{id} or for the supplied \field{priority}.
> +
> +The device MUST set VIRTIO_NET_ERROR for the command
> +VIRTIO_NET_CTRL_FF_GROUP_DEL if the group identified with \field{id}
> +does not exist in the device.
> +
> +The device MUST set VIRTIO_NET_ERROR for the command
> +VIRTIO_NET_CTRL_FF_GROUP_DEL if the group identified with \field{id}
> +has one or more flow filters present in the group.
> +
> +If there are active flow filters already added in the device, the device
> +MUST respond VIRTIO_NET_ERROR for the command
> +VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET.
> +
> +The device MUST respond VIRTIO_NET_ERROR for the command
> +VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET when \field{mode} is set to
> +VIRTIO_NET_FF_TRANSPORT_CVQ and \field{cvq_supports_ff_ops} is set to zero;
> +or when \field{mode} is set to VIRTIO_NET_FF_TRANSPORT_FFVQ and
> +\field{max_vqs} is zero.
> +
> +The device MUST fail the operation VIRTIO_NET_FF_OP_ADD if the
> +\field{match} contains duplicate \field{type}.
> +
> +The device MUST fail the operation VIRTIO_NET_FF_OP_DEL if the
> +requested flow filter of identifier \field{id} do not exist in the
> +the device.
> +
> +The device MUST fail the operation VIRTIO_NET_FF_OP_ADD if the
> +\field{vq_index} in the \field{dest} is outside of the range.
> +
> +When the flow filter forwards the packet to the \field{vq_index} and
> +if the receiveq is reset, the device MUST drop such packets.
> +
> +When the flow filter \field{action} is VIRTIO_NET_FF_ACTION_DROP,
> +the device MUST ignore fields of \field{struct virtio_net_ff_dest}.
> +
> +When the driver has added multiple flow filters with same \field{priority}
> +and for a packet if multiple flow filters MAY match such that it MAY result
> +in different \field{action} or different \field{dest}, the device
> +MAY apply any of the matching flow filters.
> +
> +The device MUST follow received packet processing ordering chain as following:
> +
> +The device SHOULD set \field{device_status} to DEVICE_NEEDS_RESET when
> +the driver has not set the flow filter transport mode to
> +VIRTIO_NET_FF_TRANSPORT_FFVQ and if the driver enables the flow filter
> +virtqueue.
> +
> +\begin{itemize}
> +\item Device configuration done using control virtqueue commands VIRTIO_NET_CTRL_RX,
> + VIRTIO_NET_CTRL_MAC and VIRTIO_NET_CTRL_VLAN.
> +\item Flow filters programmed using flow filters functionality.
> +\item Device configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
> +\end{itemize}
> +
> +When the device drops the packet due to the configuration done using the control
> +virtqueue commands VIRTIO_NET_CTRL_RX or VIRTIO_NET_CTRL_MAC or VIRTIO_NET_CTRL_VLAN,
> +the device MUST stop processing this packet for flow filters processing.
> +
> +When the device matches the flow filter for the packet and if the match is successful,
> +the filter processing chain MUST stop, i.e. next level of processing MUST not be done.
> +
> +When the device matches the flow filter for the packet and if no match entry is found
> +for the packet, the receive packet processing continues to next level, i.e. to apply
> +configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
> +
> +The device MUST support enabling \field{max_vqs} number of flow filters
> +virtqueues after device initializaton phase if VIRTIO_F_RING_DYNAMIC

s/initializaton/initialization

Thanks!

> +feature is negotiated.
> +
> +When \field{max_vqs} is non zero, the device MUST report \field{start_vq_index},
> +such that it does not overlap with any other virtqueues indices.
> +
> +\drivernormative{\subparagraph}{Flow Filters}{Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filters}
> +
> +The driver MUST NOT change the flow filters transport mode using
> +VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET when the device has flow filters
> +added.
> +
> +The driver MUST NOT set transport mode of VIRTIO_NET_FF_TRANSPORT_CVQ
> +if \field{cvq_supports_ff_ops} is set to zero.
> +
> +The driver MUST NOT set transport mode of VIRTIO_NET_FF_TRANSPORT_FFVQ
> +if \field{max_vqs} is set to zero in the command response of
> +VIRTIO_NET_CTRL_FF_CAP_GET.
> +
> +The driver MUST NOT send any flow filters specific commands having class code
> +of VIRTIO_NET_CTRL_FF when VIRTIO_NET_F_FLOW_FILTER is not negotiated.
> +
> +The driver SHOULD NOT add multiple flow filters with same \field{priority}
> +in a flow filter group, with overlapping match values.
> +
> +The driver SHOULD use different priority for different flow filters
> +if multiple of the flow filters MAY match for a packet.
> +
> +The driver SHOULD set the \field{type} in \field{match_entries} as that of
> +the order appears in the packet.
> +
> \subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
> Types / Network Device / Legacy Interface: Framing Requirements}
>

Hi Parav.

Please fix some minor typos in the next version. More below.

Thanks!

? 2023/10/7 ??1:14, Parav Pandit ??:
> Summary:
> ========
> This series improves virtio net receive packet steering to forward/steer
> packets to specific RQ.
>
> This basic functionality will enable Linux ethtool steering, Accelerated
> receive flow steering (ARFS) as starting point, and more use cases in
> future.
>
> Problem statement:
> ==================
> Currently packet allow/drop interface has few limitations.

s/has few limitations/has a few limitations/

>
> 1. Driver cannot add or delete an individual entry for mac and vlan.
> 2. Driver cannot select mac+vlan combination for which
> to allow/drop packet.

s/packet/packets

> 3. Driver cannot not set other commonly used packet match fields

Remove 'not'.

> such as IP header fields, TCP, UDP, SCP header fields.
> 4. Driver cannot steer specific packets based on the match
> fields to specific receiveq.
> 5. Driver do not have multiple or dedicated virtqueues to
> perform flow filter requests in accelerated manner in

in an accelerated manner

> the device.
>
> Solution:
> =========
> Flow filter as generic framework to overcome above limitations.

as a generic framework

>
> Overview:
> =========
> A flow filter defines the flow based on one or more match fields
> of the packet, defines an action like drop/forward to RQ.
>
> The flow filters are organized in flow filter groups so that they
> can be ordered when multiple applications wants to use it.

s/wants/want

>
> Flow filters requests can be transported via control vq or dedicated
> flow filter virtqueue so that it does not get intermixed with other
> slow operations of cvq.
>
> Flow filter requirements addressed by this series is worked by virtio community at
>
> Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
>
> This series utilizes enhancements proposed in [2] and [3].
> It uses updated control vq command format from [3].
> It uses new _DYNAMIC feature to create queues when needed and
> saves guest and device resources.
>
> [1] https://lists.oasis-open.org/archives/virtio-comment/202308/msg00263.html
> [2] https://lists.oasis-open.org/archives/virtio-comment/202309/msg00236.html
> [3] https://lists.oasis-open.org/archives/virtio-comment/202309/msg00227.html
>
> Patch summary:
> ==============
> patch-1 adds theory of operation description for flow filter
> patch-2 adds device capabilities cvq commands
> patch-3 adds group add/delete commands
> patch-4 adds transport set command
> patch-5 adds packet match fields and values
> patch-6 adds flow filter requests to transport via vq
> patch-7 adds device and driver requirements
>
> Please review.
>
> Changelog:
> ==========
> v0->v1:
> - addressed comments from Satananda
> - added device requirement to return non zero value in fields_bmap
> - added device requirement to not repeat filter type in response
> - added driver requirement to order filter match field as it
> appears in the packet
> - added device requirement to fail group delete command on existing
> flow entries
> - added mask field in the type to indicate supported mask by device
> and also in later patch to use it to indicate mask on adding
> flow filter. As a result removed the mask_supported capability
> field
>
> Parav Pandit (7):
> virtio-net: Add theory of operation for flow filter
> virtio-net: Add flow filter capabilities read commands
> virtio-net: Add flow filter group life cycle commands
> virtio-net: Add flow filter transport set command
> virtio-net: Add flow filter match values
> virtio-net: Add flow filter requests
> virtio-net: Add flow filter device and driver requirements
>
> device-types/net/description.tex | 687 ++++++++++++++++++++++++++++++-
> 1 file changed, 686 insertions(+), 1 deletion(-)
>