virtio-comment

Summary:
========
This series improves virtio net receive packet steering to forward/steer
packets to specific RQ.

This basic functionality will enable Linux ethtool steering, Accelerated
receive flow steering (ARFS) as starting point, and more use cases in
future.

Problem statement:
==================
Currently packet allow/drop interface has few limitations.

1. Driver cannot add or delete an individual entry for mac and vlan.
2. Driver cannot select mac+vlan combination for which
to allow/drop packet.
3. Driver cannot not set other commonly used packet match fields
such as IP header fields, TCP, UDP, SCP header fields.
4. Driver cannot steer specific packets based on the match
fields to specific receiveq.
5. Driver do not have multiple or dedicated virtqueues to
perform flow filter requests in accelerated manner in
the device.

Solution:
=========
Flow filter as a generic framework to overcome above limitations.

Overview:
=========
A flow filter defines the flow based on one or more match fields
of the packet, defines an action like drop/forward to RQ.

The flow filters are organized in flow filter groups so that their
processing can be ordered when multiple applications wants to use it.

Flow filters requests can be transported via control vq or dedicated
flow filter virtqueue so that it does not get intermixed with other
slow operations of cvq.

Flow filter requirements addressed by this series is worked by virtio
community at [1].

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179

This series utilizes enhancements proposed in [2] and [3].
It uses updated control vq command format from [3].
It uses new _DYNAMIC feature to create queues when needed and
saves guest and device resources.

[1] https://lists.oasis-open.org/archives/virtio-comment/202308/msg00263.html
[2] https://lists.oasis-open.org/archives/virtio-comment/202310/msg00183.html
[3] https://lists.oasis-open.org/archives/virtio-comment/202310/msg00047.html

Patch summary:
==============
patch-1 adds theory of operation description for flow filter
patch-2 adds device capabilities cvq commands
patch-3 adds group add/delete commands
patch-4 adds transport set command
patch-5 adds flow filter match key, action and requests to transport via vq
patch-6 adds device and driver requirements

Please review.

Changelog:
==========
v1->v2:
- addressed comments from Satananda
- squashed with match fields definition patch of v1
- added length to the flexible array definition struct to benefit
from future runtime length bound checkers listed in
https://people.kernel.org/kees/bounded-flexible-arrays-in-c
- renamed value to key
- addressed comments from Satananda
- merged destination and action to one struct
- added vlan type match field
- kept space for types between l2, l3, l4 header match types
- renamed mask to mask_supported with shorter width
- made more fields reserved for future
- addressed comments from Heng
- grammar correction
- added field to indicate supported number of actions per flow
filter match entry
- added missing documentation for max_flow_priorities_per_group
- fixed comments from Heng
- grammar corrections
- spelling corrections
- fixed spelling from initializaton to initialization
- added more requirements for multiple actions

v0->v1:
- addressed comments from Satananda
- added device requirement to return non zero value in fields_bmap
- added device requirement to not repeat filter type in response
- added driver requirement to order filter match field as it
appears in the packet
- added device requirement to fail group delete command on existing
flow entries
- added mask field in the type to indicate supported mask by device
and also in later patch to use it to indicate mask on adding
flow filter. As a result removed the mask_supported capability
field

Parav Pandit (6):
virtio-net: Add theory of operation for flow filter
virtio-net: Add flow filter capabilities read commands
virtio-net: Add flow filter group life cycle commands
virtio-net: Add flow filter transport set command
virtio-net: Add flow filter match entry, action and requests
virtio-net: Add flow filter device and driver requirements

device-types/net/description.tex | 730 ++++++++++++++++++++++++++++++-
1 file changed, 729 insertions(+), 1 deletion(-)

--
2.34.1

Currently packet allow/drop interface has following limitations.

1. Driver can either select which MAC and VLANs to consider
for allowing/dropping packets, here, the driver has a
limitation that driver needs to supply full mac
table or full vlan table for each type. Driver cannot add or
delete an individual entry.

2. Driver cannot select mac+vlan combination for which
to allow/drop packet.

3. Driver cannot not set other commonly used packet match fields
such as IP header fields, TCP, UDP, SCP header fields.

4. Driver cannot steer specific packets based on the match
fields to specific receiveq.

5. Driver do not have multiple or dedicated virtqueues to
perform flow filter requests in accelerated manner in
the device.

Flow filter as a generic framework overcome above limitations.

As starting point it is useful to support at least two use cases.
a. ARFS
b. ethtool ntuple steering

In future it can be further extended for usecases such as
switching device, connection tracking or may be more.

The flow filter has following properties.

1. It is an extendible object that driver can add or delete.
2. It belongs to a flow filter group (group has priority).
3. Each flow filter is identified using a unique identifier(id),
has priority, match fields, destination(rq) and action(allow/drop).
4. Flow filter has optionally mask too.

This patch adds theory of operation for flow filter functionality.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>

---
changelog:
v1->v2:
- fixed comments from Heng
- grammar corrections
- spelling corrections
---
device-types/net/description.tex | 116 ++++++++++++++++++++++++++++++-
1 file changed, 115 insertions(+), 1 deletion(-)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 76585b0..b7adfb8 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -10,7 +10,9 @@ \section{Network Device}\label{sec:Device Types / Network Device}
removes these packets from the transmit virtqueue and sends them to
the link. The device may have a control virtqueue. The driver
uses the control virtqueue to dynamically manipulate various
-features of the initialized device.
+features of the initialized device. The device may have flow filter
+virtqueues. The driver uses flow filter virtqueues to steer specific
+receive packets to a specific destination such as specified receiveq.

\subsection{Device ID}\label{sec:Device Types / Network Device / Device ID}

@@ -33,6 +35,9 @@ \subsection{Virtqueues}\label{sec:Device Types / Network Device / Virtqueues}
controlq is optional; it only exists if VIRTIO_NET_F_CTRL_VQ is
negotiated.

+The flow filter virtqueues are optional; it may exists only if VIRTIO_NET_F_FLOW_FILTER
+is negotiated and if the device reports such capability.
+
\subsection{Feature bits}\label{sec:Device Types / Network Device / Feature bits}

\begin{description}
@@ -119,6 +124,8 @@ \subsection{Feature bits}\label{sec:Device Types / Network Device / Feature bits
device with the same MAC address.

\item[VIRTIO_NET_F_SPEED_DUPLEX(63)] Device reports speed and duplex.
+
+\item[VIRTIO_NET_F_FLOW_FILTER(64)] Device supports flow filter requests.
\end{description}

\subsubsection{Feature bit requirements}\label{sec:Device Types / Network Device / Feature bits / Feature bit requirements}
@@ -150,6 +157,7 @@ \subsubsection{Feature bit requirements}\label{sec:Device Types / Network Device
\item[VIRTIO_NET_F_RSS] Requires VIRTIO_NET_F_CTRL_VQ.
\item[VIRTIO_NET_F_VQ_NOTF_COAL] Requires VIRTIO_NET_F_CTRL_VQ.
\item[VIRTIO_NET_F_HASH_TUNNEL] Requires VIRTIO_NET_F_CTRL_VQ along with VIRTIO_NET_F_RSS or VIRTIO_NET_F_HASH_REPORT.
+\item[VIRTIO_NET_F_FLOW_FILTER] Requires VIRTIO_NET_F_CTRL_VQ.
\end{description}

\subsubsection{Legacy Interface: Feature bits}\label{sec:Device Types / Network Device / Feature bits / Legacy Interface: Feature bits}
@@ -1141,6 +1149,112 @@ \subsubsection{Processing of Incoming Packets}\label{sec:Device Types / Network
#define VIRTIO_NET_HASH_REPORT_UDPv6_EX 9
\end{lstlisting}

+\subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Operation / Flow Filter}
+
+To forward a received packet to a specific receiveq or to drop the packet based
+on one or more fields of the packet, the device supports flow filter
+functionality. The flow filter can match the packet for a flow, take an action
+such as forward the packet to the specific receiveq or drop the packet.
+For example, the driver can request the device to forward received packets
+which match to a specific source and destination IP addresses and
+TCP ports to a specific receiveq.
+
+Each flow filter consists of one or more match key, a flow filter priority,
+a flow filter identifier, an action to forward a packet to the destination
+or to drop the packet.
+
+The match fields also optionally consist of a match mask. When a mask is
+specified for the flow filter, first the packet fields are masked before
+matching with the fields of the flow filter.
+
+Each flow filter is independent of each other. The driver can add, replace
+and delete a flow filter in the device using a flow filter request.
+
+The device indicates the flow filter capabilities to the driver. These
+capabilities include various maximum device limits, supported transports and
+supported packet match fields. The driver enables the transport for flow
+filter requests using a control virtqueue command.
+
+The device supports transporting flow filter requests on either the control
+virtqueue or on the flow filter virtqueues or on both. However, device
+supports enabling flow filter request only on one type of virtqueue
+at a time, i.e. either control virtqueue or flow filter virtqueues.
+Once the driver sets the flow filter request transport in the device,
+the driver can send flow filter request using the enabled transport.
+
+The flow filters are grouped using a flow filter group. Each flow filter
+group has a priority. The device first applies the flow filters of the highest
+priority group to the received packet. If there is no match for the
+flow filters of such a group for the packet, the flow filters of the next
+priority group are applied, until there is a match for the packet from such
+a group or the last group has reached.
+
+The flow filter group can have one or more flow filters. Within a flow
+filter group, a packet may find a match to multiple flow filters. In such
+scenario, a flow filter with the highest priority is applied first to the
+packet, if there is no match, the next higher priority flow filter is applied.
+
+\paragraph{Flow Filter Virtqueue}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Flow Filter Virtqueue}
+
+The flow filter virtqueues are dedicated virtqueues which transport the
+flow filter requests. The driver adds flow filter request to the flow
+filter virtqueue, the device removes such a request from the virtqueue
+and executes it, when the request is completed by the device, the device
+updates the result of it to the driver.
+
+The flow filter virtqueues are optional. The device may choose to support
+flow filters requests either on the control virtqueue or on the flow filter
+virtqueues or both.
+
+If the VIRTIO_F_RING_DYNAMIC is negotiated, the driver can create the
+flow filter virtqueues after the driver has finished the device
+initialization.
+
+The device can support one or more flow filter virtqueues. The driver
+can choose one to up to supported number of virtqueues to send
+flow filter requests.
+
+If the VIRTIO_F_RING_DYNAMIC is not negotiated, the flow filter
+virtqueues must be created during device initialization phase.
+
+\paragraph{Packet Processing Order}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Packet Processing Order}
+
+Whichever filtering and steering functionality is enabled, they are
+applied in the following order for the received packet:
+
+\begin{itemize}
+\item apply device configuration done using control virtqueue commands
+ VIRTIO_NET_CTRL_RX, VIRTIO_NET_CTRL_MAC and VIRTIO_NET_CTRL_VLAN.
+\item apply flow filter configuration done using flow filter requests.
+\item apply device configuration done using command
+ VIRTIO_NET_CTRL_MQ_RSS_CONFIG.
+\end{itemize}
+
+While processing a received packet, at any stage if the packet is dropped,
+the next level of processing is omitted.
+
+When a flow filter is matched for the packet, it also stops the processing
+of the packet for next stage.
+
+Few examples are:
+\begin{itemize}
+\item If the packet is dropped by the flow filter configuration, RSS
+ configuration is not applied to such a packet.
+\item If the packet is forwarded to a specific receiveq using flow filters,
+ RSS configuration is not applied to such a packet due to a match on the
+ flow filter request.
+\item If the packet is dropped due to VIRTIO_NET_CTRL_MAC configuration,
+ flow filters or RSS configuration is not applied to such a packet.
+\item If the packet does not find any match in any of the flow filter groups,
+ next level RSS device configuration is applied if its exists.
+\item If there are three flow filter groups configured as group_A, group_B
+ and group_C with respective priorities as 4, 5, and 6; flow filters of
+ group_C is applied first having highest group priority, if there is a match,
+ flow filters of group_B and group_A are skipped; if there is no match for
+ the flow filters in group_C, the flow filters of next level group_B are applied.
+\end{itemize}
+
+\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Setting Promiscuous Mode}%old label for latexdiff
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
--
2.34.1

The device responds flow filter capabilities using two commands.
One command indicates generic flow filter device limits such as
number of flow filters, number of flow filter groups, support or
multiple transports etc.

The second command indicates supported match types, and fields
of the packet.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>

---
changelog:
v1->v2:
- addressed comments from Satananda
- added vlan type match field
- kept space for types between l2, l3, l4 header match types
- renamed mask to mask_supported with shorter width
- made more fields reserved for future
- addressed comments from Heng
- grammar correction
- added field to indicate supported number of actions per flow
filter match entry
- added missing documentation for max_flow_priorities_per_group
v0->v1:
- added mask field in the type to indicate supported mask by device
and also in later patch to use it to indicate mask on adding
flow filter. As a result removed the mask_supported capability
field
---
device-types/net/description.tex | 220 ++++++++++++++++++++++++++++++-
1 file changed, 218 insertions(+), 2 deletions(-)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index b7adfb8..b94daed 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1173,7 +1173,11 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
The device indicates the flow filter capabilities to the driver. These
capabilities include various maximum device limits, supported transports and
supported packet match fields. The driver enables the transport for flow
-filter requests using a control virtqueue command.
+filter requests using a control virtqueue command. These control virtqueue
+commands are:
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
+and
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Match Capabilities Get}.

The device supports transporting flow filter requests on either the control
virtqueue or on the flow filter virtqueues or on both. However, device
@@ -1181,6 +1185,8 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
at a time, i.e. either control virtqueue or flow filter virtqueues.
Once the driver sets the flow filter request transport in the device,
the driver can send flow filter request using the enabled transport.
+The driver enables the transport for flow filter requests using a control
+virtqueue command.

The flow filters are grouped using a flow filter group. Each flow filter
group has a priority. The device first applies the flow filters of the highest
@@ -1254,7 +1260,136 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
the flow filters in group_C, the flow filters of next level group_B are applied.
\end{itemize}

-\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Setting Promiscuous Mode}%old label for latexdiff
+\paragraph{Match Types and Fields}\label{sec:Device Types / Network Device / Device Operation / Flow Filter / Match Types and Fields}
+
+\begin{lstlisting}
+struct virtio_net_ff_match_type_cap {
+ le16 type;
+ u8 mask_supported;
+ u8 reserved[5];
+ le64 fields_bmap;
+};
+\end{lstlisting}
+
+The \field{type} corresponds to following table:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Type & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_ETH_HDR & Ethernet header of the packet \\
+\hline
+0x1 & VIRTIO_NET_FF_VLAN_TAG_HDR & VLAN tag of the packet \\
+\hline
+0x200 & VIRTIO_NET_FF_IPV4_HDR & IPv4 header of the packet \\
+\hline
+0x300 & VIRTIO_NET_FF_IPV6_HDR & IPv6 header of the packet \\
+\hline
+0x400 & VIRTIO_NET_FF_TCP_HDR & TCP header of the packet \\
+\hline
+0x500 & VIRTIO_NET_FF_UDP_HDR & UDP header of the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+When the \field{mask_supported} is set, for the specific \field{type}, the
+device can perform masking packet fields with the mask supplied in the flow
+filter match entry.
+
+For each \field{type} the \field{fields_bmap} indicates supported fields
+of the packet header which can be matched.
+
+For the \field{type} of VIRTIO_NET_FF_ETH_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_DST_MAC & Destination MAC address in the packet \\
+\hline
+1 & VIRTIO_NET_FF_SRC_MAC & Source MAC address in the packet \\
+\hline
+2 & VIRTIO_NET_FF_ETHER_TYPE & Ether type in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_VLAN_TAG_HDR, VLAN tag fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_VLAN_TAG_TCI & Vlan tag TCI 16-bit field \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_IPV4 & Source IPV4 address in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_IPV4 & Destination IPV4 address in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_IPV6_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_IPV6 & Source IPV6 address in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_IPV6 & Destination IPV6 address in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_TCP_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_TCP_PORT & Source TCP port in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_TCP_PORT & Destination TCP port in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
+For the \field{type} of VIRTIO_NET_FF_UDP_HDR, header fields
+are represented by a bitmap in \field{fields_bmap} are following:
+
+\begin{tabular}{|l|l|l|}
+\hline
+Bit & Name & Description \\
+\hline \hline
+0 & VIRTIO_NET_FF_SRC_UDP_PORT & Source UDP port in the packet \\
+\hline
+1 & VIRTIO_NET_FF_DST_UDP_PORT & Destination UDP port in the packet \\
+\hline
+other & - & reserved \\
+\hline
+\end{tabular}
+
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
@@ -1919,6 +2054,87 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi

Upon reset, a device MUST initialize all coalescing parameters to 0.

+\paragraph{Flow Filter}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter}
+
+If the VIRTIO_NET_F_FLOW_FILTERS feature is negotiated, the driver can
+send commands VIRTIO_NET_CTRL_FF_CAP_GET and
+VIRTIO_NET_CTRL_FF_MATCH_CAP_GET to query the flow filter
+capabilities of the device.
+
+\begin{lstlisting}
+#define VIRTIO_NET_CTRL_FF 7
+ #define VIRTIO_NET_CTRL_FF_CAP_GET 0
+ #define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
+\end{lstlisting}
+
+\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
+
+The command VIRTIO_NET_CTRL_FF_CAP_GET provides the flow filter device capabilities.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_caps {
+ le16 max_vqs;
+ le16 start_vq_index;
+ le16 max_match_fields;
+ le16 max_groups; /* valid group id = max_groups - 1 */
+ le32 max_ff_per_group;
+ le32 max_ff; /* max flow_id in add/del = max_ff - 1 */
+ le16 max_actions;
+ u8 max_flow_priorities_per_group;
+ u8 cvq_supports_ff_req;
+};
+\end{lstlisting}
+
+The \field{max_vqs} indicates total number of flow filter virtqueues supported
+by the device. When the device does not support flow filter requests over flow
+filter virtqueues, \field{max_vqs} is zero. When \field{max_vqs} is non zero,
+the driver can enable maximum of \field{max_vqs} number of flow filter
+virtqueues starting from virtqueue index \field{start_vq_index}.
+
+The \field{max_groups} indicates total number of flow filter groups supported
+by the device whose group identifier can be any value in the range from 0 to
+\field{max_groups - 1}. The flow filter group can have any priority in range
+of 0 to \field{max_groups - 1}.
+
+The \field{max_ff_per_group} indicates maximum number of
+flow filter per flow filter group which can be added by the driver.
+
+The \field{max_ff} indicates maximum number of flow filters across
+all the flow groups which can be added by the driver.
+
+The \field{max_ff_priorities_per_group} indicates maximum priority value
+of a flow filter within a group. A flow filter within a group can have any
+priority in range of zero to \field{max_ff_priorities_per_group - 1}.
+
+The \field{max_match_fields} indicates maximum number of fields of the packet
+which can be matched by the device for a flow filter.
+
+The \field{max_actions} indicates maximum number of actions for a flow filter
+match entry can be supplied by the driver.
+
+The \field{max_flow_priorities_per_group} indicates maximum number of
+priorities supported by the device per flow filter group.
+
+When the \field{cvq_supports_ff_req} is set, the device supports
+flow filter requests using a control virtqueue. The device may support flow
+filter requests on control virtqueue or using flow filter virtqueues or both.
+
+\subparagraph{Flow Filter Match Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Match Capabilities Get}
+
+The command VIRTIO_NET_CTRL_FF_MATCH_CAP_GET indicates which fields
+from the packet can be matched.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_match_types {
+ le32 num_entries;
+ struct virtio_net_ff_match_type_cap types[];
+};
+\end{lstlisting}
+
+The \field{num_entries} indicates the length of an array \field{types}.
+Each array entry of \field{types} represents supported match fields of
+the packet by the device.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

All the flow filters are managed in the flow filter group. The
device can have one or more flow filter groups. Each flow filter
group has its own priority. The group priority which
defines the packet processing order in the flow filter domain.

Add commands to add and delete the flow filter group.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
---
device-types/net/description.tex | 33 ++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index b94daed..9087d36 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1199,6 +1199,11 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
filter group, a packet may find a match to multiple flow filters. In such
scenario, a flow filter with the highest priority is applied first to the
packet, if there is no match, the next higher priority flow filter is applied.
+The driver adds and deletes the flow filter group using a control
+virtqueue commands \ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Add}
+and
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Delete}
+respectively.

\paragraph{Flow Filter Virtqueue}\label{sec:sec:Device Types / Network Device / Device Operation / Flow Filter / Flow Filter Virtqueue}

@@ -2065,6 +2070,8 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
#define VIRTIO_NET_CTRL_FF 7
#define VIRTIO_NET_CTRL_FF_CAP_GET 0
#define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
+ #define VIRTIO_NET_CTRL_FF_GROUP_ADD 2
+ #define VIRTIO_NET_CTRL_FF_GROUP_DEL 3
\end{lstlisting}

\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
@@ -2135,6 +2142,32 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
Each array entry of \field{types} represents supported match fields of
the packet by the device.

+\subparagraph{Flow Filter Group Add}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Add}
+
+The command VIRTIO_NET_CTRL_FF_GROUP_ADD adds a new flow filter
+group with the supplied group identifier \field{id} with assigned
+priority \field{priority}.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_group_add {
+ le16 priority; /* higher the value, higher priority */
+ le16 id;
+};
+\end{lstlisting}
+
+\subparagraph{Flow Filter Group Delete}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Group Delete}
+
+The command VIRTIO_NET_CTRL_FF_GROUP_DEL deletes the
+flow filter group that has been previously added using command
+VIRTIO_NET_CTRL_FF_GROUP_ADD. Flow filter group is
+identified using a group identifier \field{id}.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_group_del {
+ le16 id;
+};
+\end{lstlisting}
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Flow filter requests can be either sent using a control virtqueue
or using one or more flow filter virtqueues.
The driver can choose one of the transport based on device capability.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
---
device-types/net/description.tex | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 9087d36..5ed095a 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1186,7 +1186,8 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
Once the driver sets the flow filter request transport in the device,
the driver can send flow filter request using the enabled transport.
The driver enables the transport for flow filter requests using a control
-virtqueue command.
+virtqueue command
+\ref{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Transport Mode Set}.

The flow filters are grouped using a flow filter group. Each flow filter
group has a priority. The device first applies the flow filters of the highest
@@ -2072,6 +2073,7 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
#define VIRTIO_NET_CTRL_FF_MATCH_CAP_GET 1
#define VIRTIO_NET_CTRL_FF_GROUP_ADD 2
#define VIRTIO_NET_CTRL_FF_GROUP_DEL 3
+ #define VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET 4
\end{lstlisting}

\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
@@ -2168,6 +2170,25 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
};
\end{lstlisting}

+\subparagraph{Flow Filter Transport Mode Set}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Transport Mode Set}
+
+The command VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET sets the
+transport mode for flow filter requests in the device.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_transport_set {
+ u8 mode;
+};
+
+#define VIRTIO_NET_FF_TRANSPORT_CVQ 0
+#define VIRTIO_NET_FF_TRANSPORT_FFVQ 1
+\end{lstlisting}
+
+The \field{mode} when set to 0, it indicates the driver will use
+control virtqueue for transporting flow filters requests; when the
+\field{mode} is set to 1, it indicates that the driver will use
+flow filter virtqueue(s) for transporting flow filter requests.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

Define flow filter match key for the defined types.

Currently it covers the most common filter types and value
of Ethernet header, IP addresses, TCP and UDP ports.

Define generic flow filter add and delete requests and its transport
using a control virtqueue command and flow filter virtqueue(s).

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>

---
changelog:
v1->v2:
- squashed with match fields definition patch of v1
- added length to the flexible array definition struct to benefit
from future runtime length bound checkers listed in
https://people.kernel.org/kees/bounded-flexible-arrays-in-c
- renamed value to key
- addressed comments from Satananda
- merged destination and action to one struct
v0->v1:
- reworded add flow request text to consider optional mask
- replaced respond with set
- added mask flag to the type
---
device-types/net/description.tex | 209 +++++++++++++++++++++++++++++++
1 file changed, 209 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index 5ed095a..ba7026e 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -1277,6 +1277,50 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
};
\end{lstlisting}

+\begin{lstlisting}
+struct virtio_ff_match_entry {
+ le16 type;
+ u8 mask_present;
+ u8 key_mask_len; /* sum of length of fields key and mask */
+ le64 fields_bmap;
+ u8 key[];
+ u8 mask[]; /* optional, only present when mask_present is set to 1 */
+};
+
+struct virtio_ff_match {
+ u8 num_entries; /* indicates number of valid entries */
+ u8 reserved[7];
+ struct virtio_ff_match_entry entries[];
+};
+
+#define VIRTIO_NET_FF_DEST_TYPE_RQ 0
+
+struct virtio_ff_action_forward {
+ u8 dest_type;
+ u8 reserved[3];
+ union {
+ le16 vq_index;
+ le32 reserved1;
+ };
+};
+
+#define VIRTIO_NET_FF_ACTION_DROP 0
+#define VIRTIO_NET_FF_ACTION_FORWARD 1
+
+struct virtio_ff_action_entry {
+ u8 action;
+ u8 len; /* indicates the length of value in bytes */
+ u8 value[];
+};
+
+struct virtio_ff_action {
+ u8 num_entries; /* indicates number of valid entries */
+ u8 reserved[7];
+ struct virtio_ff_action_entry entries[];
+};
+
+\end{lstlisting}
+
The \field{type} corresponds to following table:

\begin{tabular}{|l|l|l|}
@@ -1323,6 +1367,21 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_ETH_HDR, the match entry
+\field{key} and \field{mask} are in following format:
+
+\begin{lstlisting}
+struct virtio_net_ff_match_eth_hdr {
+ u8 dmac[6];
+ u8 smac[6];
+ le16 ether_type;
+};
+\end{lstlisting}
+
+The \field{dmac} is valid when VIRTIO_NET_FF_DST_MAC is set.
+The \field{smac} is valid when VIRTIO_NET_FF_SRC_MAC is set.
+The \field{ether_type} is valid when VIRTIO_NET_FF_ETHER_TYPE is set.
+
For the \field{type} of VIRTIO_NET_FF_VLAN_TAG_HDR, VLAN tag fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1351,6 +1410,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, match entry
+\field{key} and \field{mask} are in following format:
+
+\begin{lstlisting}
+struct virtio_net_ff_match_ipv4_hdr {
+ le32 reserved[3];
+ le32 sip;
+ le32 dip;
+};
+\end{lstlisting}
+
+The \field{sip} is valid when VIRTIO_NET_FF_SRC_IPV4 is set.
+The \field{dip} is valid when VIRTIO_NET_FF_DST_IPV4 is set.
+
For the \field{type} of VIRTIO_NET_FF_IPV6_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1366,6 +1439,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_IPV4_HDR, match entry
+\field{key} and \field{mask} are in following format:
+
+\begin{lstlisting}
+struct virtio_net_ff_match_ipv6_hdr {
+ le32 reserved[2];
+ u8 sip[16];
+ u8 dip[16];
+};
+\end{lstlisting}
+
+The \field{sip} is valid when VIRTIO_NET_FF_SRC_IPV6 is set.
+The \field{dip} is valid when VIRTIO_NET_FF_DST_IPV6 is set.
+
For the \field{type} of VIRTIO_NET_FF_TCP_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1381,6 +1468,20 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_TCP_HDR, match entry
+\field{key} and \field{mask} are in following format:
+
+\begin{lstlisting}
+struct virtio_ndr_ff_match_tcp_hdr {
+ le16 sport;
+ le16 dport;
+ le32 reserved[4];
+};
+\end{lstlisting}
+
+The \field{sport} is valid when VIRTIO_NET_FF_SRC_TCP_PORT is set.
+This \field{dport} is valid when VIRTIO_NET_FF_DST_TCP_PORT is set.
+
For the \field{type} of VIRTIO_NET_FF_UDP_HDR, header fields
are represented by a bitmap in \field{fields_bmap} are following:

@@ -1396,6 +1497,89 @@ \subsubsection{Flow Filter}\label{sec:Device Types / Network Device / Device Ope
\hline
\end{tabular}

+For the \field{type} of VIRTIO_NET_FF_UDP_HDR, match entry
+\field{key} and \field{mask} are in following format:
+
+\begin{lstlisting}
+struct virtio_ndr_ff_match_udp_hdr {
+ le16 sport;
+ le16 dport;
+ le32 reserved;
+};
+\end{lstlisting}
+
+The \field{sport} is valid when VIRTIO_NET_FF_SRC_UDP_PORT is set.
+This \field{dport} is valid when VIRTIO_NET_FF_DST_UDP_PORT is set.
+
+\paragraph{Flow Filter Request}
+\label{sec:Device Types / Network Device / Device Operation / Flow Filter / Flow Filter Request}
+
+Two flow filter requests are supported by the device.
+
+\begin{itemize}
+\item Add or replace a flow filter using a request \field{struct virtio_net_ff_add}.
+
+\item Delete an existing flow filter using a request \field{struct virtio_net_ff_del}.
+
+\end{itemize}
+
+\begin{lstlisting}
+#define VIRTIO_NET_FF_OP_ADD 0
+#define VIRTIO_NET_FF_OP_DEL 1
+
+struct virtio_net_ff_add {
+ u8 op; /* VIRTIO_NET_FF_REQ_OP_ADD */
+ u8 priority; /* higher the value, higher priority */
+ u16 group_id;
+ le32 id;
+ struct virtio_ff_match match;
+ struct virtio_ff_action action;
+};
+
+struct virtio_net_ff_del {
+ u8 op; /* VIRTIO_NET_FF_REQ_OP_DEL */
+ u8 reserved[3];
+ le32 id;
+};
+
+struct virtio_net_ff_result {
+ le16 status;
+};
+
+#define VIRTIO_NET_FF_RESULT_OK 0
+#define VIRTIO_NET_FF_RESULT_ERR 1
+
+struct virtio_net_ff_req {
+ /* Device-readable part */
+ union {
+ struct virtio_net_ff_add add;
+ struct virtio_net_ff_del del;
+ };
+ /* Device-writable part */
+ struct virtio_net_ff_result result;
+};
+\end{lstlisting}
+
+When the flow filter request is sent using a flow filter virtqueue,
+the descriptors points to \field{struct virtio_net_ff_req}.
+
+When adding a flow filter entry using request \field{struct virtio_net_ff_add},
+the \field{match.match_entries} indidates number of valid array entries \field{match.entries}.
+for each of the array entry the
+For each of the valid entry in \field{match.entries}, the field \field{type}
+and \field{key} are in the format described in
+\ref{sec:Device Types / Network Device / Device Operation / Flow Filter / Match Types and Fields}.
+When the \field{mask_present} is set, the field \field{mask} is present and it has
+exact same format as \field{key}.
+
+The field \field{key_mask_len} represents the total length of fields
+\field{key} and \field{mask}.
+
+When the device completes the request, \field{status} is updated
+by the device; when the request is successful, \field{status} is
+set to VIRTIO_NET_FF_RESULT_OK, on error, \field{status} is
+set to VIRTIO_NET_FF_RESULT_ERR.
+
\subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue}

The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is
@@ -2074,6 +2258,7 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
#define VIRTIO_NET_CTRL_FF_GROUP_ADD 2
#define VIRTIO_NET_CTRL_FF_GROUP_DEL 3
#define VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET 4
+ #define VIRTIO_NET_CTRL_FF_REQ 5
\end{lstlisting}

\subparagraph{Flow Filter Capabilities Get}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Capabilities Get}
@@ -2189,6 +2374,30 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
\field{mode} is set to 1, it indicates that the driver will use
flow filter virtqueue(s) for transporting flow filter requests.

+\subparagraph{Flow Filter Requests}\label{sec:Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter / Flow Filter Requests}
+
+When the driver has successfully set flow filter transport mode as control
+virtqueue using command VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET, the
+flow filter requests are transported using command
+VIRTIO_NET_CTRL_FF_REQ over a control virtqueue.
+
+\begin{lstlisting}
+struct virtio_net_ctrl_ff_req {
+ union {
+ struct virtio_net_ff_add add;
+ struct virtio_net_ff_del del;
+ };
+};
+
+\end{lstlisting}
+
+The \field{command-specific-data} is in format of
+\field{struct virtio_net_ctrl_ff_req}.
+
+When the flow filter request command is successful, the
+\field{command-specific-result} is in format of
+\field{struct virtio_net_ff_result}.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

The flow filter functionality consists of the following
four components.
Add driver and device requirements for it.

1. Device capabilities query for commands VIRTIO_NET_CTRL_FF_CAP_GET,
VIRTIO_NET_CTRL_FF_MATCH_CAP_GET.
2. Flow filter group operation commands VIRTIO_NET_CTRL_FF_GROUP_ADD
and VIRTIO_NET_CTRL_FF_GROUP_DEL.
3. Flow filter transport mode set command
VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET.
4. Flow filter requests using command VIRTIO_NET_CTRL_FF_REQ and
the structure virtio_net_ff_op for the flow filter virtqueue.

Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
---
changelog:
v1->v2:
- fixed comments from Heng
- fixed spelling from initializaton to initialization
- added more requirements for multiple actions
v0->v1:
- addressed comments from Satananda
- added device requirement to return non zero value in fields_bmap
- added device requirement to not repeat filter type in response
- added driver requirement to order filter match field as it
appears in the packet
- added device requirement to fail group delete command on existing
flow entries
---
device-types/net/description.tex | 135 +++++++++++++++++++++++++++++++
1 file changed, 135 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index ba7026e..e9aff9d 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -2398,6 +2398,141 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Network Device / Devi
\field{command-specific-result} is in format of
\field{struct virtio_net_ff_result}.

+\devicenormative{\subparagraph}{Flow Filter}{Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filter}
+
+When the VIRTIO_NET_F_FLOW_FILTER is negotiated, the device MUST support
+VIRTIO_NET_CTRL_FF_CAP_GET, VIRTIO_NET_CTRL_FF_MATCH_CAP_GET, VIRTIO_NET_CTRL_FF_GROUP_ADD,
+VIRTIO_NET_CTRL_FF_GROUP_DEL, VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET and
+VIRTIO_NET_CTRL_FF_REQ commands.
+
+When the VIRTIO_NET_F_FLOW_FILTER is not negotiated, the device MUST respond
+with error VIRTIO_NET_ERR for
+VIRTIO_NET_CTRL_FF_CAP_GET, VIRTIO_NET_CTRL_FF_MATCH_CAP_GET, VIRTIO_NET_CTRL_FF_GROUP_ADD,
+VIRTIO_NET_CTRL_FF_GROUP_DEL, VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET and
+VIRTIO_NET_CTRL_FF_REQ commands.
+
+When the command VIRTIO_NET_CTRL_FF_CAP_GET completes successfully, the device
+MUST set either \field{max_vqs} to be non zero or set
+\field{cvq_supports_ff_ops} to 1; the device MUST set non zero value for fields
+\field{max_groups}, \field{max_ff_per_group}, \field{max_ff},
+\field{max_match_fields}, \field{max_flow_priorities_per_group} and
+\field{max_actions}.
+
+When the command VIRTIO_NET_CTRL_FF_MATCH_CAP_GET completes successfully,
+\begin{itemize}
+\item the device MUST set non zero value for fields \field{num_entries}, \field{fields_bmap}
+and set corresponding number of valid entries.
+\item the device MUST NOT repeat \field{type} in the \field{types}.
+\end{itemize}
+
+The device MUST set VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_GROUP_ADD if there are existing flow filters for the
+supplied group \field{id} or for the supplied \field{priority}.
+
+The device MUST set VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_GROUP_DEL if the group identified with \field{id}
+does not exist in the device.
+
+The device MUST set VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_GROUP_DEL if the group identified with \field{id}
+has one or more flow filters present in the group.
+
+If there are active flow filters already added in the device, the device
+MUST respond VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET.
+
+The device MUST respond VIRTIO_NET_ERROR for the command
+VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET when \field{mode} is set to
+VIRTIO_NET_FF_TRANSPORT_CVQ and \field{cvq_supports_ff_ops} is set to zero;
+or when \field{mode} is set to VIRTIO_NET_FF_TRANSPORT_FFVQ and
+\field{max_vqs} is zero.
+
+The device MUST fail the operation VIRTIO_NET_FF_OP_ADD if the
+\field{match} contains duplicate \field{type}.
+
+The device MUST fail the operation VIRTIO_NET_FF_OP_DEL if the
+requested flow filter of identifier \field{id} do not exist in the
+the device.
+
+The device MUST fail the operation VIRTIO_NET_FF_OP_ADD if the
+\field{vq_index} in the \field{dest} is outside of the range.
+
+When the flow filter forwards the packet to the \field{vq_index} and
+if the receiveq is reset, the device MUST drop such packets.
+
+When the flow filter \field{action} is VIRTIO_NET_FF_ACTION_DROP,
+the device MUST ignore rest of the fields of
+\field{struct virtio_flow_action_entry}.
+
+When the driver has added multiple flow filters with same \field{priority}
+and for a packet if multiple flow filters MAY match such that it MAY result
+in different \field{action} or different \field{dest}, the device
+MAY apply any of the matching flow filters.
+
+The device MUST follow received packet processing ordering chain as following:
+
+The device SHOULD set \field{device_status} to DEVICE_NEEDS_RESET when
+the driver has not set the flow filter transport mode to
+VIRTIO_NET_FF_TRANSPORT_FFVQ and if the driver enables the flow filter
+virtqueue.
+
+The device MUST apply the actions of \field{struct virtio_flow_action} in same
+order as it is supplied by the driver when \field{num_entries} is greater than 1.
+
+\begin{itemize}
+\item Device configuration done using control virtqueue commands VIRTIO_NET_CTRL_RX,
+ VIRTIO_NET_CTRL_MAC and VIRTIO_NET_CTRL_VLAN.
+\item Flow filters programmed using flow filters functionality.
+\item Device configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
+\end{itemize}
+
+When the device drops the packet due to the configuration done using the control
+virtqueue commands VIRTIO_NET_CTRL_RX or VIRTIO_NET_CTRL_MAC or VIRTIO_NET_CTRL_VLAN,
+the device MUST stop processing this packet for flow filters processing.
+
+When the device matches the flow filter for the packet and if the match is successful,
+the filter processing chain MUST stop, i.e. next level of processing MUST not be done.
+
+When the device perform flow filter match operations and if the operation
+result did not have any match, the receive packet processing continues to next level,
+i.e. to apply configuration done using VIRTIO_NET_CTRL_MQ_RSS_CONFIG command.
+
+The device MUST support enabling \field{max_vqs} number of flow filters
+virtqueues after device initialization phase if VIRTIO_F_RING_DYNAMIC
+feature is negotiated.
+
+When \field{max_vqs} is non zero, the device MUST report \field{start_vq_index},
+such that it does not overlap with any other virtqueues indices.
+
+\drivernormative{\subparagraph}{Flow Filters}{Device Types / Network Device / Device Operation / Control Virtqueue / Flow Filters}
+
+The driver MUST NOT change the flow filters transport mode using
+VIRTIO_NET_CTRL_FF_TRANSPORT_MODE_SET when the device has flow filters
+added.
+
+The driver MUST NOT set transport mode of VIRTIO_NET_FF_TRANSPORT_CVQ
+if \field{cvq_supports_ff_ops} is set to zero.
+
+The driver MUST NOT set transport mode of VIRTIO_NET_FF_TRANSPORT_FFVQ
+if \field{max_vqs} is set to zero in the command response of
+VIRTIO_NET_CTRL_FF_CAP_GET.
+
+The driver MUST NOT send any flow filters specific commands having class code
+of VIRTIO_NET_CTRL_FF when VIRTIO_NET_F_FLOW_FILTER is not negotiated.
+
+The driver SHOULD NOT add multiple flow filters with same \field{priority}
+in a flow filter group, with overlapping match values.
+
+The driver SHOULD use different priority for different flow filters
+if multiple of the flow filters MAY match for a packet.
+
+The driver SHOULD set the \field{type} in \field{match_entries} as that of
+the order appears in the packet.
+
+The driver MUST NOT set \field{num_entries} in \field{struct virtio_ff_action}
+to more than \field{max_actions} supplied by the device in the
+\field{virtio_net_ctrl_ff_caps}.
+
\subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
Types / Network Device / Legacy Interface: Framing Requirements}

--
2.34.1

> From: Parav Pandit <parav@nvidia.com>
> Sent: Friday, October 20, 2023 6:03 PM
> To: virtio-comment@lists.oasis-open.org; mst@redhat.com;
> cohuck@redhat.com
> Cc: sburla@marvell.com; Shahaf Shuler <shahafs@nvidia.com>; si-
> wei.liu@oracle.com; xuanzhuo@linux.alibaba.com; Parav Pandit
> <parav@nvidia.com>
> Subject: [PATCH v2 0/6] virtio-net: Support flow filter for receive packets
>
> Summary:
> ========
> This series improves virtio net receive packet steering to forward/steer packets
> to specific RQ.
>
> This basic functionality will enable Linux ethtool steering, Accelerated receive
> flow steering (ARFS) as starting point, and more use cases in future.
>
> Problem statement:
> ==================
> Currently packet allow/drop interface has few limitations.
>
> 1. Driver cannot add or delete an individual entry for mac and vlan.
> 2. Driver cannot select mac+vlan combination for which
> to allow/drop packet.
> 3. Driver cannot not set other commonly used packet match fields
> such as IP header fields, TCP, UDP, SCP header fields.
> 4. Driver cannot steer specific packets based on the match
> fields to specific receiveq.
> 5. Driver do not have multiple or dedicated virtqueues to
> perform flow filter requests in accelerated manner in
> the device.
>
> Solution:
> =========
> Flow filter as a generic framework to overcome above limitations.
>
> Overview:
> =========
> A flow filter defines the flow based on one or more match fields of the packet,
> defines an action like drop/forward to RQ.
>
> The flow filters are organized in flow filter groups so that their processing can be
> ordered when multiple applications wants to use it.
>
> Flow filters requests can be transported via control vq or dedicated flow filter
> virtqueue so that it does not get intermixed with other slow operations of cvq.
>
> Flow filter requirements addressed by this series is worked by virtio community
> at [1].
>
> Fixes: https://github.com/oasis-tcs/virtio-spec/issues/179
>
> This series utilizes enhancements proposed in [2] and [3].
> It uses updated control vq command format from [3].
> It uses new _DYNAMIC feature to create queues when needed and saves guest
> and device resources.
>
> [1] https://lists.oasis-open.org/archives/virtio-
> comment/202308/msg00263.html
> [2] https://lists.oasis-open.org/archives/virtio-
> comment/202310/msg00183.html
> [3] https://lists.oasis-open.org/archives/virtio-
> comment/202310/msg00047.html

I will rebase this series without depending on [2] which was abusing the init time register for dynamic things.
Please hold your review in the text around dynamic flow filter vqs until v3 of this series.