Configuring udf flow
Abstract
The goal is to be able to add flows which utilize the udf (User defined filter) function of the hardware.
Because the hardware cannot parse the L3 protocol of an MPLS packet, we cannot match both MPLS labels and transport layer ports with normal flows. The udf function makes this possible: it allows us to match 4 bytes of content at a given offset from the L2 header or the L3 header. The L2 header refers to the MAC header of the frame, and the L3 header refers to the first MPLS label of an MPLS frame or the IP header of a non-MPLS frame (in other words, the header next to the inner VLAN tag).
Due to hardware limitations, we only support 4 udf fields. The maximum number of udf flows is subject to the same limit as normal TCAM flows.
Note:
Only untagged packets can be matched when udf fields based on L2 and L3 are configured at the same time.
Example 1
Send IP packets with dl_dst 22:22:22:22:22:22, dl_src 22:11:11:11:11:11, tag 1000.
And we want to match this tag.
Step 1: Create a new bridge named br0
admin@PicOS-OVS$ovs-vsctl add-br br0 -- set bridge br0 datapath_type=pica8
Step 2: Add ports to br0
admin@PicOS-OVS$ovs-vsctl add-port br0 te-1/1/1 vlan_mode=trunk tag=1 -- set Interface te-1/1/1 type=pica8
admin@PicOS-OVS$ovs-vsctl add-port br0 te-1/1/2 vlan_mode=trunk tag=1 -- set Interface te-1/1/2 type=pica8
Step 3: Configure udf and add flow
ovs-vsctl set-udf-mode "udf0(l2,offset=12,length=4)"
ovs-ofctl add-flow br0 table=250,in_port=1,udf0=0x810003E8/0x0000ffff,actions=2
Step 4: Check table
admin@PicOS-OVS$ovs-vsctl show-udf-mode
udf mode is udf0(l2,offset=12,length=4)
admin@PicOS-OVS$
admin@PicOS-OVS$ovs-ofctl dump-flows br-vi
OFPST_FLOW reply (OF1.4) (xid=0x2):
 cookie=0x0, duration=25.315s, table=250, n_packets=n/a, n_bytes=0, in_port=4,udf0=0x3e8/0xffff actions=output:5
admin@PicOS-OVS$
admin@PicOS-OVS$ovs-appctl pica/dump-flows
#1 udf permanent recirc_id=0,in_port=4,udf0=0x3e8/0xffff, actions:5
#0 normal permanent priority=0,recirc_id=0, actions:drop
Total 2 flows in HW.
admin@PicOS-OVS$
Example 2
Send IP packets with dl_dst 22:22:22:22:22:22, dl_src 22:11:11:11:11:11, ip_src=192.168.200.100, ip_dst=192.168.100.100, tp_src=2002, tp_dst=3003, mpls_label=666.
And we want to match mpls_label and tp_src:
Step 1: Create a new bridge named br0
admin@PicOS-OVS$ovs-vsctl add-br br0 -- set bridge br0 datapath_type=pica8
Step 2: Add ports to br0
admin@PicOS-OVS$ovs-vsctl add-port br0 te-1/1/1 vlan_mode=trunk tag=1 -- set Interface te-1/1/1 type=pica8
admin@PicOS-OVS$ovs-vsctl add-port br0 te-1/1/2 vlan_mode=trunk tag=1 -- set Interface te-1/1/2 type=pica8
Step 3: Configure udf and add flow
ovs-vsctl set-udf-mode "udf0(l3,offset=0,length=4), udf1(l3,offset=24,length=2)"
ovs-ofctl add-flow br0 table=250,in_port=1,udf0=0x0029a140/0xfffff000,udf1=0x07d2,actions=2
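How the Step 3 values follow from the packet in Example 2, as an added example (not PicOS or Pica8 code): it packs the MPLS entry, IPv4 and TCP headers and reads the bytes at the two L3 offsets. The helper names, the TTL of 64 and the ihl parameter are assumptions made for illustration.

```python
import struct

def mpls_entry(label, tc=0, bottom=1, ttl=64):
    """One 4-byte MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)

def ipv4_header(src, dst, proto=6, ihl=5):
    """Minimal IPv4 header, checksum left 0; ihl > 5 appends zeroed option words."""
    addr = lambda s: bytes(int(p) for p in s.split("."))
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 0, 0, 0,
                        64, proto, 0, addr(src), addr(dst))
    return fixed + bytes(4 * (ihl - 5))

def example2_l3(ihl=5):
    """Constructed bytes from the L3 base onward, using Example 2's field values."""
    tcp = struct.pack("!HH", 2002, 3003) + bytes(16)   # tp_src, tp_dst, rest zeroed
    return (mpls_entry(666)
            + ipv4_header("192.168.200.100", "192.168.100.100", ihl=ihl) + tcp)

def udf_value(l3_bytes, offset, length):
    """The bytes a udf field (l3, offset, length) is compared against, as an int."""
    return int.from_bytes(l3_bytes[offset:offset + length], "big")

def flow_hits(l3_bytes):
    """Apply Step 3's match: udf0=0x0029a140/0xfffff000 and udf1=0x07d2."""
    udf0 = udf_value(l3_bytes, 0, 4)
    udf1 = udf_value(l3_bytes, 24, 2)
    return (udf0 & 0xfffff000) == (0x0029a140 & 0xfffff000) and udf1 == 0x07d2

if __name__ == "__main__":
    pkt = example2_l3()
    print(hex(udf_value(pkt, 0, 4)), hex(udf_value(pkt, 24, 2)), flow_hits(pkt))
    # Same packet with one 4-byte IP option word: tp_src moves to L3 offset 28.
    print(flow_hits(example2_l3(ihl=6)))
```

Offset 24 is one 4-byte MPLS label plus a 20-byte IP header, so udf1 only lines up with tp_src for that exact header layout; with IP options or a deeper label stack the same field compares different bytes.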
Note:
1. The offset must be aligned on 4 bytes and be less than or equal to 124; the length must be less than or equal to 4.
2. (base, offset, length) defines one field of udf. Base refers to L2 or L3. Due to hardware limitations, we only support 4 fields of udf, but the maximum number of udf flows is subject to the same limit as normal TCAM flows. L2 fields must be placed before L3 fields, and fields must be in ascending order of offset without overlapping each other.
3. In the udf table, we can only use the udf match format. We cannot use both OXM (OpenFlow Extensible Match) and udf format in the same flow.
4. Flows in other tables cannot use the goto action with a udf table, and udf tables do not support the goto action either. Udf tables support the output and drop actions, and from version 2.6.4 udf actions also support set_queue, meter and normal.
5. All udf flows will have higher priority than all the other TCAM flows.
6. Adding udf flows returns an error when there are already arp or mpls flows in hardware; likewise, adding arp or mpls flows returns an error when there are already udf flows in the hardware table.
7. When adding udf flows, table=250 is needed in the match field.
8. Users cannot enable udf mode and match mode at the same time.
UDF L4
From PicOS 2.8.0, PicOS supports UDF offsets from L4. The L4 header refers to the L4 protocol ports, such as tcp or udp.
For example:
Send packets with:
dl_dst=22:22:22:22:22:22,dl_src=22:11:11:11:11:11,dl_vlan=199,nw_dst=1.1.1.1,nw_src=2.2.2.2,udp,udp_src=1234,udp_dst=5678
And we will match udp source port and destination port with udf.
Configure udf:
admin@PicOS-OVS$ovs-vsctl set-udf-mode "udf0(l4,offset=0,length=4)"
Add flow.
admin@PicOS-OVS$ovs-ofctl add-flow br0 in_port=1,table=250,udf0=0x04d2162e,actions=2
Macro UDF
From PicOS 2.8.0, a new format for adding udf flow entries is supported. Instead of configuring udf with (base, offset, length) as before, users can now configure it with udf fields.
1) Show all udf fields.
admin@PicOS-OVS$ovs-vsctl show-udf-field
Udf support fields:
Match field                      layer   Offset   Length
------------------------------------------------------------
dl_type                          l2      12       2
vlan_inner                       l2      16       4
mpls_outermost                   l3      0        4
ip_src                           l3      12       4
ip_dst                           l3      16       4
l2gre_key                        l3      24       4
l2gre_ip_src_high                l3      52       4
l2gre_ip_src_low_dst_high        l3      56       4
l2gre_ip_dst_low                 l3      60       2
l2gre_ip_src_high_tag            l3      56       4
l2gre_ip_src_low_dst_high_tag    l3      60       4
l2gre_ip_dst_low_tag             l3      64       2
l4_port                          l4      0        4
vxlan_vni                        l4      12       3
vxlan_ip_src_high                l4      40       4
vxlan_ip_src_low_dst_high        l4      44       4
vxlan_ip_dst_low                 l4      48       2
vxlan_ip_src_high_tag            l4      44       4
vxlan_ip_src_low_dst_high_tag    l4      48       4
vxlan_ip_dst_low_tag             l4      52       2
admin@PicOS-OVS$
2) Configure macro udf.
admin@PicOS-OVS$ovs-vsctl set-macro-udf dl_type,ip_src,ip_dst
The match field can be any field in show-udf-field.
3) Show udf mode.
admin@PicOS-OVS$ovs-vsctl show-udf-mode
or:
admin@PicOS-OVS$ovs-vsctl show-macro-udf
For example:
We will match vxlan vni for sending vxlan packets with vni=1122867.
1) Configure macro udf.
admin@PicOS-OVS$ovs-vsctl set-macro-udf vxlan_vni
admin@PicOS-OVS$
admin@PicOS-OVS$ovs-vsctl show-udf-mode
udf mode is udf0(l4,offset=12,length=3)
admin@PicOS-OVS$ovs-vsctl show-macro-udf
macro udf mode is vxlan_vni : udf0(l4,offset=12,length=3)
admin@PicOS-OVS$
2) Add flow to match vni.
admin@PicOS-OVS$ovs-ofctl add-flow br0 table=250,udf0=0x112233,actions=3
1. l4 cannot work with l2/l3.
2. If you want to configure l2 and l3 udf at the same time, the matched packets must be untagged packets.
3. Macro udf cannot match the tag value of packets that have one tag.
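A pre-flight check for a set-udf-mode string against the rules stated in notes 1 and 2 of the earlier Note list and note 1 directly above, as an added example (not PicOS or Pica8 code). The function name and messages are assumptions, as is the lower length bound of 1; only the l2/l3/l4 form is parsed.

```python
import re

# Assumption: only the l2/l3/l4 form shown on this page is parsed, not the
# TD3 "base=N" form. Text that does not look like a field is ignored.
FIELD = re.compile(r"udf\d\((l[234]),offset=(\d+),length=(\d+)\)")

def check_udf_mode(spec):
    """Return the rule violations in a set-udf-mode string (empty list = OK)."""
    fields = [(m[1], int(m[2]), int(m[3]))
              for m in FIELD.finditer(spec.replace(" ", ""))]
    if not fields:
        return ["no udf field recognised"]
    problems = []
    if len(fields) > 4:
        problems.append("more than 4 udf fields")
    for base, off, length in fields:
        if off % 4 or off > 124:
            problems.append(f"{base} offset {off}: must be 4-byte aligned and <= 124")
        if not 1 <= length <= 4:         # lower bound of 1 is an assumption
            problems.append(f"{base} offset {off}: length {length} is not 1..4")
    bases = {base for base, _, _ in fields}
    if "l4" in bases and len(bases) > 1:
        problems.append("l4 cannot be combined with l2/l3")
    for (b1, o1, n1), (b2, o2, _) in zip(fields, fields[1:]):
        if b1 > b2:                      # "l3" sorts after "l2"
            problems.append(f"{b2} field listed after {b1} field")
        elif b1 == b2 and o2 < o1 + n1:
            problems.append(f"{b1} offset {o2} overlaps or precedes offset {o1}")
    return problems

if __name__ == "__main__":
    for spec in ('udf0(l2,offset=12,length=4)',
                 'udf0(l3,offset=0,length=4), udf1(l3,offset=24,length=2)',
                 'udf0(l3,offset=0,length=4),udf1(l2,offset=14,length=4)'):
        print(spec, "->", check_udf_mode(spec) or "OK")
```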
UDF on TD3
There are three commands you can use to show and set udf.
On trident3 platforms, using "ovs-vsctl show-udf-base" will show udf_v2 base types.
root@PICOS-OVS:~# ovs-vsctl show-udf-base
Users can set the udf mode with the command ovs-vsctl set-udf-mode "udf0(base=2,offset=0,length=2)". TD3 supports 10 base ids. Use the descriptions of each base id above to set the udf mode you need.
Copyright © 2024 Pica8 Inc. All Rights Reserved.