]> git.proxmox.com Git - ceph.git/blame - ceph/src/spdk/dpdk/doc/guides/prog_guide/switch_representation.rst
projects / ceph.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
update source to Ceph Pacific 16.2.2
[ceph.git] / ceph / src / spdk / dpdk / doc / guides / prog_guide / switch_representation.rst
CommitLineData
11fdf7f2
TL		 1.. SPDX-License-Identifier: BSD-3-Clause
2 Copyright(c) 2018 6WIND S.A.
3
4.. _switch_representation:
5
6Switch Representation within DPDK Applications
7==============================================
8
9.. contents:: :local:
10
11Introduction
12------------
13
14Network adapters with multiple physical ports and/or SR-IOV capabilities
15usually support the offload of traffic steering rules between their virtual
16functions (VFs), physical functions (PFs) and ports.
17
18Like for standard Ethernet switches, this involves a combination of
19automatic MAC learning and manual configuration. For most purposes it is
20managed by the host system and fully transparent to users and applications.
21
22On the other hand, applications typically found on hypervisors that process
23layer 2 (L2) traffic (such as OVS) need to steer traffic themselves
24according on their own criteria.
25
26Without a standard software interface to manage traffic steering rules
27between VFs, PFs and the various physical ports of a given device,
28applications cannot take advantage of these offloads; software processing is
29mandatory even for traffic which ends up re-injected into the device it
30originates from.
31
32This document describes how such steering rules can be configured through
33the DPDK flow API (**rte_flow**), with emphasis on the SR-IOV use case
34(PF/VF steering) using a single physical port for clarity, however the same
35logic applies to any number of ports without necessarily involving SR-IOV.
36
37Port Representors
38-----------------
39
40In many cases, traffic steering rules cannot be determined in advance;
41applications usually have to process a bit of traffic in software before
42thinking about offloading specific flows to hardware.
43
44Applications therefore need the ability to receive and inject traffic to
45various device endpoints (other VFs, PFs or physical ports) before
46connecting them together. Device drivers must provide means to hook the
47"other end" of these endpoints and to refer them when configuring flow
48rules.
49
50This role is left to so-called "port representors" (also known as "VF
51representors" in the specific context of VFs), which are to DPDK what the
52Ethernet switch device driver model (**switchdev**) [1]_ is to Linux, and
53which can be thought as a software "patch panel" front-end for applications.
54
55- DPDK port representors are implemented as additional virtual Ethernet
56 device (**ethdev**) instances, spawned on an as needed basis through
57 configuration parameters passed to the driver of the underlying
58 device using devargs.
59
60::
61
62 -w pci:dbdf,representor=0
63 -w pci:dbdf,representor=[0-3]
64 -w pci:dbdf,representor=[0,5-11]
65
66- As virtual devices, they may be more limited than their physical
67 counterparts, for instance by exposing only a subset of device
68 configuration callbacks and/or by not necessarily having Rx/Tx capability.
69
70- Among other things, they can be used to assign MAC addresses to the
71 resource they represent.
72
73- Applications can tell port representors apart from other physical of virtual
74 port by checking the dev_flags field within their device information
75 structure for the RTE_ETH_DEV_REPRESENTOR bit-field.
76
77.. code-block:: c
78
79 struct rte_eth_dev_info {
80 ...
81 uint32_t dev_flags; /**< Device flags */
82 ...
83 };
84
85- The device or group relationship of ports can be discovered using the
86 switch ``domain_id`` field within the devices switch information structure. By
87 default the switch ``domain_id`` of a port will be
88 ``RTE_ETH_DEV_SWITCH_DOMAIN_ID_INVALID`` to indicate that the port doesn't
89 support the concept of a switch domain, but ports which do support the concept
90 will be allocated a unique switch ``domain_id``, ports within the same switch
91 domain will share the same ``domain_id``. The switch ``port_id`` is used to
92 specify the port_id in terms of the switch, so in the case of SR-IOV devices
93 the switch ``port_id`` would represent the virtual function identifier of the
94 port.
95
96.. code-block:: c
97
98 /**
99 * Ethernet device associated switch information
100 */
101 struct rte_eth_switch_info {
102 const char *name; /**< switch name */
103 uint16_t domain_id; /**< switch domain id */
104 uint16_t port_id; /**< switch port id */
105 };
106
107
108.. [1] `Ethernet switch device driver model (switchdev)
109 <https://www.kernel.org/doc/Documentation/networking/switchdev.txt>`_
110
111Basic SR-IOV
112------------
113
114"Basic" in the sense that it is not managed by applications, which
115nonetheless expect traffic to flow between the various endpoints and the
116outside as if everything was linked by an Ethernet hub.
117
118The following diagram pictures a setup involving a device with one PF, two
119VFs and one shared physical port
120
121::
122
123 .-------------. .-------------. .-------------.
124 | hypervisor | | VM 1 | | VM 2 |
125 | application | | application | | application |
126 `--+----------' `----------+--' `--+----------'
127 | | |
128 .-----+-----. | |
129 | port_id 3 | | |
130 `-----+-----' | |
131 | | |
132 .-+--. .---+--. .--+---.
133 | PF | | VF 1 | | VF 2 |
134 `-+--' `---+--' `--+---'
135 | | |
136 `---------. .-----------------------' |
137 | | .-------------------------'
138 | | |
139 .--+-----+-----+--.
140 | interconnection |
141 `--------+--------'
142 |
143 .----+-----.
144 | physical |
145 | port 0 |
146 `----------'
147
148- A DPDK application running on the hypervisor owns the PF device, which is
149 arbitrarily assigned port index 3.
150
151- Both VFs are assigned to VMs and used by unknown applications; they may be
152 DPDK-based or anything else.
153
154- Interconnection is not necessarily done through a true Ethernet switch and
155 may not even exist as a separate entity. The role of this block is to show
156 that something brings PF, VFs and physical ports together and enables
157 communication between them, with a number of built-in restrictions.
158
159Subsequent sections in this document describe means for DPDK applications
160running on the hypervisor to freely assign specific flows between PF, VFs
161and physical ports based on traffic properties, by managing this
162interconnection.
163
164Controlled SR-IOV
165-----------------
166
167Initialization
168~~~~~~~~~~~~~~
169
170When a DPDK application gets assigned a PF device and is deliberately not
171started in `basic SR-IOV`_ mode, any traffic coming from physical ports is
172received by PF according to default rules, while VFs remain isolated.
173
174::
175
176 .-------------. .-------------. .-------------.
177 | hypervisor | | VM 1 | | VM 2 |
178 | application | | application | | application |
179 `--+----------' `----------+--' `--+----------'
180 | | |
181 .-----+-----. | |
182 | port_id 3 | | |
183 `-----+-----' | |
184 | | |
185 .-+--. .---+--. .--+---.
186 | PF | | VF 1 | | VF 2 |
187 `-+--' `------' `------'
188 |
189 `-----.
190 |
191 .--+----------------------.
192 | managed interconnection |
193 `------------+------------'
194 |
195 .----+-----.
196 | physical |
197 | port 0 |
198 `----------'
199
200In this mode, interconnection must be configured by the application to
201enable VF communication, for instance by explicitly directing traffic with a
202given destination MAC address to VF 1 and allowing that with the same source
203MAC address to come out of it.
204
205For this to work, hypervisor applications need a way to refer to either VF 1
206or VF 2 in addition to the PF. This is addressed by `VF representors`_.
207
208VF Representors
209~~~~~~~~~~~~~~~
210
211VF representors are virtual but standard DPDK network devices (albeit with
212limited capabilities) created by PMDs when managing a PF device.
213
214Since they represent VF instances used by other applications, configuring
215them (e.g. assigning a MAC address or setting up promiscuous mode) affects
216interconnection accordingly. If supported, they may also be used as two-way
217communication ports with VFs (assuming **switchdev** topology)
218
219
220::
221
222 .-------------. .-------------. .-------------.
223 | hypervisor | | VM 1 | | VM 2 |
224 | application | | application | | application |
225 `--+---+---+--' `----------+--' `--+----------'
226 | | | | |
227 | | `-------------------. | |
228 | `---------. | | |
229 | | | | |
230 .-----+-----. .-----+-----. .-----+-----. | |
231 | port_id 3 | | port_id 4 | | port_id 5 | | |
232 `-----+-----' `-----+-----' `-----+-----' | |
233 | | | | |
234 .-+--. .-----+-----. .-----+-----. .---+--. .--+---.
235 | PF | | VF 1 rep. | | VF 2 rep. | | VF 1 | | VF 2 |
236 `-+--' `-----+-----' `-----+-----' `---+--' `--+---'
237 | | | | |
238 | | .---------' | |
239 `-----. | | .-----------------' |
240 | | | | .---------------------'
241 | | | | |
242 .--+-------+---+---+---+--.
243 | managed interconnection |
244 `------------+------------'
245 |
246 .----+-----.
247 | physical |
248 | port 0 |
249 `----------'
250
251- VF representors are assigned arbitrary port indices 4 and 5 in the
252 hypervisor application and are respectively associated with VF 1 and VF 2.
253
254- They can't be dissociated; even if VF 1 and VF 2 were not connected,
255 representors could still be used for configuration.
256
257- In this context, port index 3 can be thought as a representor for physical
258 port 0.
259
260As previously described, the "interconnection" block represents a logical
261concept. Interconnection occurs when hardware configuration enables traffic
262flows from one place to another (e.g. physical port 0 to VF 1) according to
263some criteria.
264
265This is discussed in more detail in `traffic steering`_.
266
267Traffic Steering
268~~~~~~~~~~~~~~~~
269
270In the following diagram, each meaningful traffic origin or endpoint as seen
271by the hypervisor application is tagged with a unique letter from A to F.
272
273::
274
275 .-------------. .-------------. .-------------.
276 | hypervisor | | VM 1 | | VM 2 |
277 | application | | application | | application |
278 `--+---+---+--' `----------+--' `--+----------'
279 | | | | |
280 | | `-------------------. | |
281 | `---------. | | |
282 | | | | |
283 .----(A)----. .----(B)----. .----(C)----. | |
284 | port_id 3 | | port_id 4 | | port_id 5 | | |
285 `-----+-----' `-----+-----' `-----+-----' | |
286 | | | | |
287 .-+--. .-----+-----. .-----+-----. .---+--. .--+---.
288 | PF | | VF 1 rep. | | VF 2 rep. | | VF 1 | | VF 2 |
289 `-+--' `-----+-----' `-----+-----' `--(D)-' `-(E)--'
290 | | | | |
291 | | .---------' | |
292 `-----. | | .-----------------' |
293 | | | | .---------------------'
294 | | | | |
295 .--+-------+---+---+---+--.
296 | managed interconnection |
297 `------------+------------'
298 |
299 .---(F)----.
300 | physical |
301 | port 0 |
302 `----------'
303
304- **A**: PF device.
305- **B**: port representor for VF 1.
306- **C**: port representor for VF 2.
307- **D**: VF 1 proper.
308- **E**: VF 2 proper.
309- **F**: physical port.
310
311Although uncommon, some devices do not enforce a one to one mapping between
312PF and physical ports. For instance, by default all ports of **mlx4**
313adapters are available to all their PF/VF instances, in which case
314additional ports appear next to **F** in the above diagram.
315
316Assuming no interconnection is provided by default in this mode, setting up
317a `basic SR-IOV`_ configuration involving physical port 0 could be broken
318down as:
319
320PF:
321
322- **A to F**: let everything through.
323- **F to A**: PF MAC as destination.
324
325VF 1:
326
327- **A to D**, **E to D** and **F to D**: VF 1 MAC as destination.
328- **D to A**: VF 1 MAC as source and PF MAC as destination.
329- **D to E**: VF 1 MAC as source and VF 2 MAC as destination.
330- **D to F**: VF 1 MAC as source.
331
332VF 2:
333
334- **A to E**, **D to E** and **F to E**: VF 2 MAC as destination.
335- **E to A**: VF 2 MAC as source and PF MAC as destination.
336- **E to D**: VF 2 MAC as source and VF 1 MAC as destination.
337- **E to F**: VF 2 MAC as source.
338
339Devices may additionally support advanced matching criteria such as
340IPv4/IPv6 addresses or TCP/UDP ports.
341
342The combination of matching criteria with target endpoints fits well with
343**rte_flow** [6]_, which expresses flow rules as combinations of patterns
344and actions.
345
346Enhancing **rte_flow** with the ability to make flow rules match and target
347these endpoints provides a standard interface to manage their
348interconnection without introducing new concepts and whole new API to
349implement them. This is described in `flow API (rte_flow)`_.
350
f67539c2 351.. [6] :doc:`Generic flow API (rte_flow) <rte_flow>`
11fdf7f2
TL		 352
353Flow API (rte_flow)
354-------------------
355
356Extensions
357~~~~~~~~~~
358
359Compared to creating a brand new dedicated interface, **rte_flow** was
360deemed flexible enough to manage representor traffic only with minor
361extensions:
362
363- Using physical ports, PF, VF or port representors as targets.
364
365- Affecting traffic that is not necessarily addressed to the DPDK port ID a
366 flow rule is associated with (e.g. forcing VF traffic redirection to PF).
367
368For advanced uses:
369
370- Rule-based packet counters.
371
372- The ability to combine several identical actions for traffic duplication
373 (e.g. VF representor in addition to a physical port).
374
375- Dedicated actions for traffic encapsulation / decapsulation before
376 reaching an endpoint.
377
378Traffic Direction
379~~~~~~~~~~~~~~~~~
380
381From an application standpoint, "ingress" and "egress" flow rule attributes
382apply to the DPDK port ID they are associated with. They select a traffic
383direction for matching patterns, but have no impact on actions.
384
385When matching traffic coming from or going to a different place than the
386immediate port ID a flow rule is associated with, these attributes keep
387their meaning while applying to the chosen origin, as highlighted by the
388following diagram
389
390::
391
392 .-------------. .-------------. .-------------.
393 | hypervisor | | VM 1 | | VM 2 |
394 | application | | application | | application |
395 `--+---+---+--' `----------+--' `--+----------'
396 | | | | |
397 | | `-------------------. | |
398 | `---------. | | |
399 | ^ | ^ | ^ | |
400 | | ingress | | ingress | | ingress | |
401 | | egress | | egress | | egress | |
402 | v | v | v | |
403 .----(A)----. .----(B)----. .----(C)----. | |
404 | port_id 3 | | port_id 4 | | port_id 5 | | |
405 `-----+-----' `-----+-----' `-----+-----' | |
406 | | | | |
407 .-+--. .-----+-----. .-----+-----. .---+--. .--+---.
408 | PF | | VF 1 rep. | | VF 2 rep. | | VF 1 | | VF 2 |
409 `-+--' `-----+-----' `-----+-----' `--(D)-' `-(E)--'
410 | | | ^ | | ^
411 | | | egress | | | | egress
412 | | | ingress | | | | ingress
413 | | .---------' v | | v
414 `-----. | | .-----------------' |
415 | | | | .---------------------'
416 | | | | |
417 .--+-------+---+---+---+--.
418 | managed interconnection |
419 `------------+------------'
420 ^ |
421 ingress | |
422 egress | |
423 v |
424 .---(F)----.
425 | physical |
426 | port 0 |
427 `----------'
428
429Ingress and egress are defined as relative to the application creating the
430flow rule.
431
432For instance, matching traffic sent by VM 2 would be done through an ingress
433flow rule on VF 2 (**E**). Likewise for incoming traffic on physical port
434(**F**). This also applies to **C** and **A** respectively.
435
436Transferring Traffic
437~~~~~~~~~~~~~~~~~~~~
438
439Without Port Representors
440^^^^^^^^^^^^^^^^^^^^^^^^^
441
442`Traffic direction`_ describes how an application could match traffic coming
443from or going to a specific place reachable from a DPDK port ID. This makes
444sense when the traffic in question is normally seen (i.e. sent or received)
445by the application creating the flow rule (e.g. as in "redirect all traffic
446coming from VF 1 to local queue 6").
447
448However this does not force such traffic to take a specific route. Creating
449a flow rule on **A** matching traffic coming from **D** is only meaningful
450if it can be received by **A** in the first place, otherwise doing so simply
451has no effect.
452
453A new flow rule attribute named "transfer" is necessary for that. Combining
454it with "ingress" or "egress" and a specific origin requests a flow rule to
455be applied at the lowest level
456
457::
458
459 ingress only : ingress + transfer
460 :
461 .-------------. .-------------. : .-------------. .-------------.
462 | hypervisor | | VM 1 | : | hypervisor | | VM 1 |
463 | application | | application | : | application | | application |
464 `------+------' `--+----------' : `------+------' `--+----------'
465 | | | traffic : | | | traffic
466 .----(A)----. | v : .----(A)----. | v
467 | port_id 3 | | : | port_id 3 | |
468 `-----+-----' | : `-----+-----' |
469 | | : | ^ |
470 | | : | | traffic |
471 .-+--. .---+--. : .-+--. .---+--.
472 | PF | | VF 1 | : | PF | | VF 1 |
473 `-+--' `--(D)-' : `-+--' `--(D)-'
474 | | | traffic : | ^ | | traffic
475 | | v : | | traffic | v
476 .--+-----------+--. : .--+-----------+--.
477 | interconnection | : | interconnection |
478 `--------+--------' : `--------+--------'
479 | | traffic : |
480 | v : |
481 .---(F)----. : .---(F)----.
482 | physical | : | physical |
483 | port 0 | : | port 0 |
484 `----------' : `----------'
485
486With "ingress" only, traffic is matched on **A** thus still goes to physical
487port **F** by default
488
489
490::
491
492 testpmd> flow create 3 ingress pattern vf id is 1 / end
493 actions queue index 6 / end
494
495With "ingress + transfer", traffic is matched on **D** and is therefore
496successfully assigned to queue 6 on **A**
497
498
499::
500
501 testpmd> flow create 3 ingress transfer pattern vf id is 1 / end
502 actions queue index 6 / end
503
504
505With Port Representors
506^^^^^^^^^^^^^^^^^^^^^^
507
508When port representors exist, implicit flow rules with the "transfer"
509attribute (described in `without port representors`_) are be assumed to
510exist between them and their represented resources. These may be immutable.
511
512In this case, traffic is received by default through the representor and
513neither the "transfer" attribute nor traffic origin in flow rule patterns
514are necessary. They simply have to be created on the representor port
515directly and may target a different representor as described in `PORT_ID
516action`_.
517
518Implicit traffic flow with port representor
519
520::
521
522 .-------------. .-------------.
523 | hypervisor | | VM 1 |
524 | application | | application |
525 `--+-------+--' `----------+--'
526 | | ^ | | traffic
527 | | | traffic | v
528 | `-----. |
529 | | |
530 .----(A)----. .----(B)----. |
531 | port_id 3 | | port_id 4 | |
532 `-----+-----' `-----+-----' |
533 | | |
534 .-+--. .-----+-----. .---+--.
535 | PF | | VF 1 rep. | | VF 1 |
536 `-+--' `-----+-----' `--(D)-'
537 | | |
538 .--|-------------|-----------|--.
539 | | | | |
540 | | `-----------' |
541 | | <-- traffic |
542 `--|----------------------------'
543 |
544 .---(F)----.
545 | physical |
546 | port 0 |
547 `----------'
548
549Pattern Items And Actions
550~~~~~~~~~~~~~~~~~~~~~~~~~
551
552PORT Pattern Item
553^^^^^^^^^^^^^^^^^
554
555Matches traffic originating from (ingress) or going to (egress) a physical
556port of the underlying device.
557
558Using this pattern item without specifying a port index matches the physical
559port associated with the current DPDK port ID by default. As described in
560`traffic steering`_, specifying it should be rarely needed.
561
562- Matches **F** in `traffic steering`_.
563
564PORT Action
565^^^^^^^^^^^
566
567Directs matching traffic to a given physical port index.
568
569- Targets **F** in `traffic steering`_.
570
571PORT_ID Pattern Item
572^^^^^^^^^^^^^^^^^^^^
573
574Matches traffic originating from (ingress) or going to (egress) a given DPDK
575port ID.
576
577Normally only supported if the port ID in question is known by the
578underlying PMD and related to the device the flow rule is created against.
579
580This must not be confused with the `PORT pattern item`_ which refers to the
581physical port of a device. ``PORT_ID`` refers to a ``struct rte_eth_dev``
582object on the application side (also known as "port representor" depending
583on the kind of underlying device).
584
585- Matches **A**, **B** or **C** in `traffic steering`_.
586
587PORT_ID Action
588^^^^^^^^^^^^^^
589
590Directs matching traffic to a given DPDK port ID.
591
592Same restrictions as `PORT_ID pattern item`_.
593
594- Targets **A**, **B** or **C** in `traffic steering`_.
595
596PF Pattern Item
597^^^^^^^^^^^^^^^
598
599Matches traffic originating from (ingress) or going to (egress) the physical
600function of the current device.
601
602If supported, should work even if the physical function is not managed by
603the application and thus not associated with a DPDK port ID. Its behavior is
604otherwise similar to `PORT_ID pattern item`_ using PF port ID.
605
606- Matches **A** in `traffic steering`_.
607
608PF Action
609^^^^^^^^^
610
611Directs matching traffic to the physical function of the current device.
612
613Same restrictions as `PF pattern item`_.
614
615- Targets **A** in `traffic steering`_.
616
617VF Pattern Item
618^^^^^^^^^^^^^^^
619
620Matches traffic originating from (ingress) or going to (egress) a given
621virtual function of the current device.
622
623If supported, should work even if the virtual function is not managed by
624the application and thus not associated with a DPDK port ID. Its behavior is
625otherwise similar to `PORT_ID pattern item`_ using VF port ID.
626
627Note this pattern item does not match VF representors traffic which, as
628separate entities, should be addressed through their own port IDs.
629
630- Matches **D** or **E** in `traffic steering`_.
631
632VF Action
633^^^^^^^^^
634
635Directs matching traffic to a given virtual function of the current device.
636
637Same restrictions as `VF pattern item`_.
638
639- Targets **D** or **E** in `traffic steering`_.
640
641\*_ENCAP actions
642^^^^^^^^^^^^^^^^
643
644These actions are named according to the protocol they encapsulate traffic
645with (e.g. ``VXLAN_ENCAP``) and using specific parameters (e.g. VNI for
646VXLAN).
647
648While they modify traffic and can be used multiple times (order matters),
649unlike `PORT_ID action`_ and friends, they have no impact on steering.
650
651As described in `actions order and repetition`_ this means they are useless
652if used alone in an action list, the resulting traffic gets dropped unless
653combined with either ``PASSTHRU`` or other endpoint-targeting actions.
654
655\*_DECAP actions
656^^^^^^^^^^^^^^^^
657
658They perform the reverse of `\*_ENCAP actions`_ by popping protocol headers
659from traffic instead of pushing them. They can be used multiple times as
660well.
661
662Note that using these actions on non-matching traffic results in undefined
663behavior. It is recommended to match the protocol headers to decapsulate on
664the pattern side of a flow rule in order to use these actions or otherwise
665make sure only matching traffic goes through.
666
667Actions Order and Repetition
668~~~~~~~~~~~~~~~~~~~~~~~~~~~~
669
670Flow rules are currently restricted to at most a single action of each
671supported type, performed in an unpredictable order (or all at once). To
672repeat actions in a predictable fashion, applications have to make rules
673pass-through and use priority levels.
674
675It's now clear that PMD support for chaining multiple non-terminating flow
676rules of varying priority levels is prohibitively difficult to implement
677compared to simply allowing multiple identical actions performed in a
678defined order by a single flow rule.
679
680- This change is required to support protocol encapsulation offloads and the
681 ability to perform them multiple times (e.g. VLAN then VXLAN).
682
683- It makes the ``DUP`` action redundant since multiple ``QUEUE`` actions can
684 be combined for duplication.
685
686- The (non-)terminating property of actions must be discarded. Instead, flow
687 rules themselves must be considered terminating by default (i.e. dropping
688 traffic if there is no specific target) unless a ``PASSTHRU`` action is
689 also specified.
690
691Switching Examples
692------------------
693
694This section provides practical examples based on the established testpmd
695flow command syntax [2]_, in the context described in `traffic steering`_
696
697::
698
699 .-------------. .-------------. .-------------.
700 | hypervisor | | VM 1 | | VM 2 |
701 | application | | application | | application |
702 `--+---+---+--' `----------+--' `--+----------'
703 | | | | |
704 | | `-------------------. | |
705 | `---------. | | |
706 | | | | |
707 .----(A)----. .----(B)----. .----(C)----. | |
708 | port_id 3 | | port_id 4 | | port_id 5 | | |
709 `-----+-----' `-----+-----' `-----+-----' | |
710 | | | | |
711 .-+--. .-----+-----. .-----+-----. .---+--. .--+---.
712 | PF | | VF 1 rep. | | VF 2 rep. | | VF 1 | | VF 2 |
713 `-+--' `-----+-----' `-----+-----' `--(D)-' `-(E)--'
714 | | | | |
715 | | .---------' | |
716 `-----. | | .-----------------' |
717 | | | | .---------------------'
718 | | | | |
719 .--|-------|---|---|---|--.
720 | | | `---|---' |
721 | | `-------' |
722 | `---------. |
723 `------------|------------'
724 |
725 .---(F)----.
726 | physical |
727 | port 0 |
728 `----------'
729
730By default, PF (**A**) can communicate with the physical port it is
731associated with (**F**), while VF 1 (**D**) and VF 2 (**E**) are isolated
732and restricted to communicate with the hypervisor application through their
733respective representors (**B** and **C**) if supported.
734
735Examples in subsequent sections apply to hypervisor applications only and
736are based on port representors **A**, **B** and **C**.
737
f67539c2 738.. [2] :ref:`Flow syntax <testpmd_rte_flow>`
11fdf7f2
TL		 739
740Associating VF 1 with Physical Port 0
741~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
742
743Assign all port traffic (**F**) to VF 1 (**D**) indiscriminately through
744their representors
745
746::
747
748 flow create 3 ingress pattern / end actions port_id id 4 / end
749 flow create 4 ingress pattern / end actions port_id id 3 / end
750
751More practical example with MAC address restrictions
752
753::
754
755 flow create 3 ingress
756 pattern eth dst is {VF 1 MAC} / end
757 actions port_id id 4 / end
758
759::
760
761 flow create 4 ingress
762 pattern eth src is {VF 1 MAC} / end
763 actions port_id id 3 / end
764
765
766Sharing Broadcasts
767~~~~~~~~~~~~~~~~~~
768
769From outside to PF and VFs
770
771::
772
773 flow create 3 ingress
774 pattern eth dst is ff:ff:ff:ff:ff:ff / end
775 actions port_id id 3 / port_id id 4 / port_id id 5 / end
776
777Note ``port_id id 3`` is necessary otherwise only VFs would receive matching
778traffic.
779
780From PF to outside and VFs
781
782::
783
784 flow create 3 egress
785 pattern eth dst is ff:ff:ff:ff:ff:ff / end
786 actions port / port_id id 4 / port_id id 5 / end
787
788From VFs to outside and PF
789
790::
791
792 flow create 4 ingress
793 pattern eth dst is ff:ff:ff:ff:ff:ff src is {VF 1 MAC} / end
794 actions port_id id 3 / port_id id 5 / end
795
796 flow create 5 ingress
797 pattern eth dst is ff:ff:ff:ff:ff:ff src is {VF 2 MAC} / end
798 actions port_id id 4 / port_id id 4 / end
799
800Similar ``33:33:*`` rules based on known MAC addresses should be added for
801IPv6 traffic.
802
803Encapsulating VF 2 Traffic in VXLAN
804~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
805
806Assuming pass-through flow rules are supported
807
808::
809
810 flow create 5 ingress
811 pattern eth / end
812 actions vxlan_encap vni 42 / passthru / end
813
814::
815
816 flow create 5 egress
817 pattern vxlan vni is 42 / end
818 actions vxlan_decap / passthru / end
819
820Here ``passthru`` is needed since as described in `actions order and
821repetition`_, flow rules are otherwise terminating; if supported, a rule
822without a target endpoint will drop traffic.
823
824Without pass-through support, ingress encapsulation on the destination
825endpoint might not be supported and action list must provide one
826
827::
828
829 flow create 5 ingress
830 pattern eth src is {VF 2 MAC} / end
831 actions vxlan_encap vni 42 / port_id id 3 / end
832
833 flow create 3 ingress
834 pattern vxlan vni is 42 / end
835 actions vxlan_decap / port_id id 5 / end
Ceph