Mailing List Archive

PF_RING Intel 82599ES hardware filters
Hello,

I'm trying to set up hardware filtering on an Intel X520 board. I wanted to
check how many filters I could set on this board so I started from the
example pfcount_82599.c file and added a loop to add filters sequentially.
The function pfring_add_hw_rule fails after ~ 8K filters.

On the PF_RING packets filtering page (
https://www.ntop.org/products/packet-capture/pf_ring/hardware-packet-filtering/),
the FAQ mentions that 32K filters are supported:

Q. How many filters a 82599-based card typically supports?
A. You can have up to 32K hardware filters.

I checked the Intel 82599 data sheet and the chapter "Flow Director
Filters" mentions both a limit of ~8K filters (the one I seem to hit) and
~32K filters:

The 82599 support two types of filtering modes (static setting by the
FDIRCTRL.PerfectMatch bit):
• Perfect match filters — The hardware checks a match between the masked
fields of the received packets and the programmed filters. Masked fields
should be programmed as zeros in the filter context. The 82599 support up
to 8 K - 2 perfect match filters.
• Signature filters — The hardware checks a match between a hash-based
signature of the masked fields of the received packet. The 82599 supports
up to 32 K - 2 signature filters.

Do you know if there is a way to have access to these ~ 32K filters through
PF_RING?

Best Regards,
Raphael
Re: PF_RING Intel 82599ES hardware filters [ In reply to ]
Hi Raphael
please note that it is possible to use both filters types using the pfring_add_hw_rule() API,
just set hw_filtering_rule.rule_family_type to intel_82599_five_tuple_rule or
intel_82599_perfect_filter_rule and set the corresponding struct
(intel_82599_five_tuple_filter_hw_rule / struct intel_82599_perfect_filter_hw_rule)
Please see the sample code at
https://github.com/ntop/PF_RING/blob/dev/userland/examples/pfcount_82599.c <https://github.com/ntop/PF_RING/blob/dev/userland/examples/pfcount_82599.c>

Alfredo

> On 16 Aug 2018, at 16:22, Raphael Benedet <raphael.benedet@netaxis.be> wrote:
>
> Hello,
>
> I'm trying to set up hardware filtering on an Intel X520 board. I wanted to check how many filters I could set on this board so I started from the example pfcount_82599.c file and added a loop to add filters sequentially. The function pfring_add_hw_rule fails after ~ 8K filters.
>
> On the PF_RING packets filtering page (https://www.ntop.org/products/packet-capture/pf_ring/hardware-packet-filtering/ <https://www.ntop.org/products/packet-capture/pf_ring/hardware-packet-filtering/>), the FAQ mentions that 32K filters are supported:
>
> Q. How many filters a 82599-based card typically supports?
> A. You can have up to 32K hardware filters.
>
> I checked the Intel 82599 data sheet and the chapter "Flow Director Filters" mentions both a limit of ~8K filters (the one I seem to hit) and ~32K filters:
>
> The 82599 support two types of filtering modes (static setting by the FDIRCTRL.PerfectMatch bit):
> • Perfect match filters — The hardware checks a match between the masked fields of the received packets and the programmed filters. Masked fields should be programmed as zeros in the filter context. The 82599 support up to 8 K - 2 perfect match filters.
> • Signature filters — The hardware checks a match between a hash-based signature of the masked fields of the received packet. The 82599 supports up to 32 K - 2 signature filters.
>
> Do you know if there is a way to have access to these ~ 32K filters through PF_RING?
>
> Best Regards,
> Raphael
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: PF_RING Intel 82599ES hardware filters [ In reply to ]
Hi Alfredo,

pfring_add_hw_rule() is already the function I use. I modified the code of
pfcount_82599.c to add rules of type intel_82599_perfect_filter_rule in a
loop:
int i;
for (i = 10000; i < 40000; i++) {
memset(&rule, 0, sizeof(rule)), rule.rule_family_type =
intel_82599_perfect_filter_rule;
rule.rule_id = rule_id++, perfect_rule->queue_id = -1,
perfect_rule->proto = 17,
perfect_rule->d_port = i;
rc = pfring_add_hw_rule(pd, &rule);
if(rc != 0) {
printf("pfring_add_hw_rule(%d) failed [rc=%d]: did you enable the
FlowDirector (ethtool -K ethX ntuple on)\n", rule.rule_id, rc);
break;
}
}

And pfring_add_hw_rule fails after 8190 rules insertions.

When using 5-tuple rules (intel_82599_five_tuple_rule), pfring_add_hw_rule
fails after 128 rules. This is in-line with the Intel 82599 data sheet (
https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/82599-10-gbe-controller-datasheet.pdf,
page 292).

So, I'm wondering which code to use to be able to insert the 32K filters
you mention in the FAQ?

Best Regards,
Raphael



On Thu, Aug 16, 2018 at 4:35 PM, Alfredo Cardigliano <cardigliano@ntop.org>
wrote:

> Hi Raphael
> please note that it is possible to use both filters types using the
> pfring_add_hw_rule() API,
> just set hw_filtering_rule.rule_family_type to
> intel_82599_five_tuple_rule or
> intel_82599_perfect_filter_rule and set the corresponding struct
> (intel_82599_five_tuple_filter_hw_rule / struct
> intel_82599_perfect_filter_hw_rule)
> Please see the sample code at
> https://github.com/ntop/PF_RING/blob/dev/userland/examples/pfcount_82599.c
>
> Alfredo
>
> On 16 Aug 2018, at 16:22, Raphael Benedet <raphael.benedet@netaxis.be>
> wrote:
>
> Hello,
>
> I'm trying to set up hardware filtering on an Intel X520 board. I wanted
> to check how many filters I could set on this board so I started from the
> example pfcount_82599.c file and added a loop to add filters sequentially.
> The function pfring_add_hw_rule fails after ~ 8K filters.
>
> On the PF_RING packets filtering page (https://www.ntop.org/
> products/packet-capture/pf_ring/hardware-packet-filtering/), the FAQ
> mentions that 32K filters are supported:
>
> Q. How many filters a 82599-based card typically supports?
> A. You can have up to 32K hardware filters.
>
> I checked the Intel 82599 data sheet and the chapter "Flow Director
> Filters" mentions both a limit of ~8K filters (the one I seem to hit) and
> ~32K filters:
>
> The 82599 support two types of filtering modes (static setting by the
> FDIRCTRL.PerfectMatch bit):
> • Perfect match filters — The hardware checks a match between the masked
> fields of the received packets and the programmed filters. Masked fields
> should be programmed as zeros in the filter context. The 82599 support up
> to 8 K - 2 perfect match filters.
> • Signature filters — The hardware checks a match between a hash-based
> signature of the masked fields of the received packet. The 82599 supports
> up to 32 K - 2 signature filters.
>
> Do you know if there is a way to have access to these ~ 32K filters
> through PF_RING?
>
> Best Regards,
> Raphael
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
Re: PF_RING Intel 82599ES hardware filters [ In reply to ]
Hi Raphael
I double checked and it actually seems that there is some confusion with the FAQ,
pf_ring currently supports perfect filters (8K-2) and 5-tuple filters (128), I will fix the
FAQ to clarify this. Thank you for reporting.

Best Regards
Alfredo

> On 16 Aug 2018, at 17:03, Raphael Benedet <raphael.benedet@netaxis.be> wrote:
>
> Hi Alfredo,
>
> pfring_add_hw_rule() is already the function I use. I modified the code of pfcount_82599.c to add rules of type intel_82599_perfect_filter_rule in a loop:
> int i;
> for (i = 10000; i < 40000; i++) {
> memset(&rule, 0, sizeof(rule)), rule.rule_family_type = intel_82599_perfect_filter_rule;
> rule.rule_id = rule_id++, perfect_rule->queue_id = -1, perfect_rule->proto = 17,
> perfect_rule->d_port = i;
> rc = pfring_add_hw_rule(pd, &rule);
> if(rc != 0) {
> printf("pfring_add_hw_rule(%d) failed [rc=%d]: did you enable the FlowDirector (ethtool -K ethX ntuple on)\n", rule.rule_id, rc);
> break;
> }
> }
>
> And pfring_add_hw_rule fails after 8190 rules insertions.
>
> When using 5-tuple rules (intel_82599_five_tuple_rule), pfring_add_hw_rule fails after 128 rules. This is in-line with the Intel 82599 data sheet (https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/82599-10-gbe-controller-datasheet.pdf <https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/82599-10-gbe-controller-datasheet.pdf>, page 292).
>
> So, I'm wondering which code to use to be able to insert the 32K filters you mention in the FAQ?
>
> Best Regards,
> Raphael
>
>
>
> On Thu, Aug 16, 2018 at 4:35 PM, Alfredo Cardigliano <cardigliano@ntop.org <mailto:cardigliano@ntop.org>> wrote:
> Hi Raphael
> please note that it is possible to use both filters types using the pfring_add_hw_rule() API,
> just set hw_filtering_rule.rule_family_type to intel_82599_five_tuple_rule or
> intel_82599_perfect_filter_rule and set the corresponding struct
> (intel_82599_five_tuple_filter_hw_rule / struct intel_82599_perfect_filter_hw_rule)
> Please see the sample code at
> https://github.com/ntop/PF_RING/blob/dev/userland/examples/pfcount_82599.c <https://github.com/ntop/PF_RING/blob/dev/userland/examples/pfcount_82599.c>
>
> Alfredo
>
>> On 16 Aug 2018, at 16:22, Raphael Benedet <raphael.benedet@netaxis.be <mailto:raphael.benedet@netaxis.be>> wrote:
>>
>> Hello,
>>
>> I'm trying to set up hardware filtering on an Intel X520 board. I wanted to check how many filters I could set on this board so I started from the example pfcount_82599.c file and added a loop to add filters sequentially. The function pfring_add_hw_rule fails after ~ 8K filters.
>>
>> On the PF_RING packets filtering page (https://www.ntop.org/products/packet-capture/pf_ring/hardware-packet-filtering/ <https://www.ntop.org/products/packet-capture/pf_ring/hardware-packet-filtering/>), the FAQ mentions that 32K filters are supported:
>>
>> Q. How many filters a 82599-based card typically supports?
>> A. You can have up to 32K hardware filters.
>>
>> I checked the Intel 82599 data sheet and the chapter "Flow Director Filters" mentions both a limit of ~8K filters (the one I seem to hit) and ~32K filters:
>>
>> The 82599 support two types of filtering modes (static setting by the FDIRCTRL.PerfectMatch bit):
>> • Perfect match filters — The hardware checks a match between the masked fields of the received packets and the programmed filters. Masked fields should be programmed as zeros in the filter context. The 82599 support up to 8 K - 2 perfect match filters.
>> • Signature filters — The hardware checks a match between a hash-based signature of the masked fields of the received packet. The 82599 supports up to 32 K - 2 signature filters.
>>
>> Do you know if there is a way to have access to these ~ 32K filters through PF_RING?
>>
>> Best Regards,
>> Raphael
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it <mailto:Ntop-misc@listgateway.unipi.it>
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc <http://listgateway.unipi.it/mailman/listinfo/ntop-misc>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it <mailto:Ntop-misc@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc <http://listgateway.unipi.it/mailman/listinfo/ntop-misc>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc