+ flow_director_filter (port_id) mode IP (add|del|update) \
+ flow (ipv4-sctp|ipv6-sctp) \
+ src (src_ip_address) (src_port) \
+ dst (dst_ip_address) (dst_port) \
+ tos (tos_value) ttl (ttl_value) \
+ tag (verification_tag) vlan (vlan_value) \
+ flexbytes (flexbytes_value) (drop|fwd) \
+ pf|vf(vf_id) queue (queue_id) fd_id (fd_id_value)
+
+ flow_director_filter (port_id) mode IP (add|del|update) flow l2_payload \
+ ether (ethertype) flexbytes (flexbytes_value) \
+ (drop|fwd) pf|vf(vf_id) queue (queue_id)
+ fd_id (fd_id_value)
+
+ flow_director_filter (port_id) mode MAC-VLAN (add|del|update) \
+ mac (mac_address) vlan (vlan_value) \
+ flexbytes (flexbytes_value) (drop|fwd) \
+ queue (queue_id) fd_id (fd_id_value)
+
+ flow_director_filter (port_id) mode Tunnel (add|del|update) \
+ mac (mac_address) vlan (vlan_value) \
+ tunnel (NVGRE|VxLAN) tunnel-id (tunnel_id_value) \
+ flexbytes (flexbytes_value) (drop|fwd) \
+ queue (queue_id) fd_id (fd_id_value)
+
+ flow_director_filter (port_id) mode raw (add|del|update) flow (flow_id) \
+ (drop|fwd) queue (queue_id) fd_id (fd_id_value) \
+ packet (packet file name)
+
+For example, to add an ipv4-udp flow type filter::
+
+ testpmd> flow_director_filter 0 mode IP add flow ipv4-udp src 2.2.2.3 32 \
+ dst 2.2.2.5 33 tos 2 ttl 40 vlan 0x1 flexbytes (0x88,0x48) \
+ fwd pf queue 1 fd_id 1
+
+For example, add an ipv4-other flow type filter::
+
+ testpmd> flow_director_filter 0 mode IP add flow ipv4-other src 2.2.2.3 \
+ dst 2.2.2.5 tos 2 proto 20 ttl 40 vlan 0x1 \
+ flexbytes (0x88,0x48) fwd pf queue 1 fd_id 1
+
+flush_flow_director
+~~~~~~~~~~~~~~~~~~~
+
+Flush all flow director filters on a device::
+
+ testpmd> flush_flow_director (port_id)
+
+Example, to flush all flow director filter on port 0::
+
+ testpmd> flush_flow_director 0
+
+flow_director_mask
+~~~~~~~~~~~~~~~~~~
+
+Set flow director's input masks::
+
+ flow_director_mask (port_id) mode IP vlan (vlan_value) \
+ src_mask (ipv4_src) (ipv6_src) (src_port) \
+ dst_mask (ipv4_dst) (ipv6_dst) (dst_port)
+
+ flow_director_mask (port_id) mode MAC-VLAN vlan (vlan_value)
+
+ flow_director_mask (port_id) mode Tunnel vlan (vlan_value) \
+ mac (mac_value) tunnel-type (tunnel_type_value) \
+ tunnel-id (tunnel_id_value)
+
+Example, to set flow director mask on port 0::
+
+ testpmd> flow_director_mask 0 mode IP vlan 0xefff \
+ src_mask 255.255.255.255 \
+ FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0xFFFF \
+ dst_mask 255.255.255.255 \
+ FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0xFFFF
+
+flow_director_flex_mask
+~~~~~~~~~~~~~~~~~~~~~~~
+
+set masks of flow director's flexible payload based on certain flow type::
+
+ testpmd> flow_director_flex_mask (port_id) \
+ flow (none|ipv4-other|ipv4-frag|ipv4-tcp|ipv4-udp|ipv4-sctp| \
+ ipv6-other|ipv6-frag|ipv6-tcp|ipv6-udp|ipv6-sctp| \
+ l2_payload|all) (mask)
+
+Example, to set flow director's flex mask for all flow type on port 0::
+
+ testpmd> flow_director_flex_mask 0 flow all \
+ (0xff,0xff,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
+
+
+flow_director_flex_payload
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Configure flexible payload selection::
+
+ flow_director_flex_payload (port_id) (raw|l2|l3|l4) (config)
+
+For example, to select the first 16 bytes from the offset 4 (bytes) of packet's payload as flexible payload::
+
+ testpmd> flow_director_flex_payload 0 l4 \
+ (4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19)
+
+get_sym_hash_ena_per_port
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Get symmetric hash enable configuration per port::
+
+ get_sym_hash_ena_per_port (port_id)
+
+For example, to get symmetric hash enable configuration of port 1::
+
+ testpmd> get_sym_hash_ena_per_port 1
+
+set_sym_hash_ena_per_port
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Set symmetric hash enable configuration per port to enable or disable::
+
+ set_sym_hash_ena_per_port (port_id) (enable|disable)
+
+For example, to set symmetric hash enable configuration of port 1 to enable::
+
+ testpmd> set_sym_hash_ena_per_port 1 enable
+
+get_hash_global_config
+~~~~~~~~~~~~~~~~~~~~~~
+
+Get the global configurations of hash filters::
+
+ get_hash_global_config (port_id)
+
+For example, to get the global configurations of hash filters of port 1::
+
+ testpmd> get_hash_global_config 1
+
+set_hash_global_config
+~~~~~~~~~~~~~~~~~~~~~~
+
+Set the global configurations of hash filters::
+
+ set_hash_global_config (port_id) (toeplitz|simple_xor|default) \
+ (ipv4|ipv4-frag|ipv4-tcp|ipv4-udp|ipv4-sctp|ipv4-other|ipv6|ipv6-frag| \
+ ipv6-tcp|ipv6-udp|ipv6-sctp|ipv6-other|l2_payload|<flow_id>) \
+ (enable|disable)
+
+For example, to enable simple_xor for flow type of ipv6 on port 2::
+
+ testpmd> set_hash_global_config 2 simple_xor ipv6 enable
+
+set_hash_input_set
+~~~~~~~~~~~~~~~~~~
+
+Set the input set for hash::
+
+ set_hash_input_set (port_id) (ipv4-frag|ipv4-tcp|ipv4-udp|ipv4-sctp| \
+ ipv4-other|ipv6-frag|ipv6-tcp|ipv6-udp|ipv6-sctp|ipv6-other| \
+ l2_payload|<flow_id>) (ovlan|ivlan|src-ipv4|dst-ipv4|src-ipv6|dst-ipv6| \
+ ipv4-tos|ipv4-proto|ipv6-tc|ipv6-next-header|udp-src-port|udp-dst-port| \
+ tcp-src-port|tcp-dst-port|sctp-src-port|sctp-dst-port|sctp-veri-tag| \
+ udp-key|gre-key|fld-1st|fld-2nd|fld-3rd|fld-4th|fld-5th|fld-6th|fld-7th| \
+ fld-8th|none) (select|add)
+
+For example, to add source IP to hash input set for flow type of ipv4-udp on port 0::
+
+ testpmd> set_hash_input_set 0 ipv4-udp src-ipv4 add
+
+set_fdir_input_set
+~~~~~~~~~~~~~~~~~~
+
+The Flow Director filters can match the different fields for different type of packet, i.e. specific input set
+on per flow type and the flexible payload. This command can be used to change input set for each flow type.
+
+Set the input set for flow director::
+
+ set_fdir_input_set (port_id) (ipv4-frag|ipv4-tcp|ipv4-udp|ipv4-sctp| \
+ ipv4-other|ipv6|ipv6-frag|ipv6-tcp|ipv6-udp|ipv6-sctp|ipv6-other| \
+ l2_payload|<flow_id>) (ivlan|ethertype|src-ipv4|dst-ipv4|src-ipv6|dst-ipv6| \
+ ipv4-tos|ipv4-proto|ipv4-ttl|ipv6-tc|ipv6-next-header|ipv6-hop-limits| \
+ tudp-src-port|udp-dst-port|cp-src-port|tcp-dst-port|sctp-src-port| \
+ sctp-dst-port|sctp-veri-tag|none) (select|add)
+
+For example to add source IP to FD input set for flow type of ipv4-udp on port 0::
+
+ testpmd> set_fdir_input_set 0 ipv4-udp src-ipv4 add
+
+global_config
+~~~~~~~~~~~~~
+
+Set different GRE key length for input set::
+
+ global_config (port_id) gre-key-len (number in bytes)
+
+For example to set GRE key length for input set to 4 bytes on port 0::
+
+ testpmd> global_config 0 gre-key-len 4
+
+
+.. _testpmd_rte_flow:
+
+Flow rules management
+---------------------
+
+Control of the generic flow API (*rte_flow*) is fully exposed through the
+``flow`` command (validation, creation, destruction, queries and operation
+modes).
+
+Considering *rte_flow* overlaps with all `Filter Functions`_, using both
+features simultaneously may cause undefined side-effects and is therefore
+not recommended.
+
+``flow`` syntax
+~~~~~~~~~~~~~~~
+
+Because the ``flow`` command uses dynamic tokens to handle the large number
+of possible flow rules combinations, its behavior differs slightly from
+other commands, in particular:
+
+- Pressing *?* or the *<tab>* key displays contextual help for the current
+ token, not that of the entire command.
+
+- Optional and repeated parameters are supported (provided they are listed
+ in the contextual help).
+
+The first parameter stands for the operation mode. Possible operations and
+their general syntax are described below. They are covered in detail in the
+following sections.
+
+- Check whether a flow rule can be created::
+
+ flow validate {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+- Create a flow rule::
+
+ flow create {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+- Destroy specific flow rules::
+
+ flow destroy {port_id} rule {rule_id} [...]
+
+- Destroy all flow rules::
+
+ flow flush {port_id}
+
+- Query an existing flow rule::
+
+ flow query {port_id} {rule_id} {action}
+
+- List existing flow rules sorted by priority, filtered by group
+ identifiers::
+
+ flow list {port_id} [group {group_id}] [...]
+
+- Restrict ingress traffic to the defined flow rules::
+
+ flow isolate {port_id} {boolean}
+
+Validating flow rules
+~~~~~~~~~~~~~~~~~~~~~
+
+``flow validate`` reports whether a flow rule would be accepted by the
+underlying device in its current state but stops short of creating it. It is
+bound to ``rte_flow_validate()``::
+
+ flow validate {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+If successful, it will show::
+
+ Flow rule validated
+
+Otherwise it will show an error message of the form::
+
+ Caught error type [...] ([...]): [...]
+
+This command uses the same parameters as ``flow create``, their format is
+described in `Creating flow rules`_.
+
+Check whether redirecting any Ethernet packet received on port 0 to RX queue
+index 6 is supported::
+
+ testpmd> flow validate 0 ingress pattern eth / end
+ actions queue index 6 / end
+ Flow rule validated
+ testpmd>
+
+Port 0 does not support TCPv6 rules::
+
+ testpmd> flow validate 0 ingress pattern eth / ipv6 / tcp / end
+ actions drop / end
+ Caught error type 9 (specific pattern item): Invalid argument
+ testpmd>
+
+Creating flow rules
+~~~~~~~~~~~~~~~~~~~
+
+``flow create`` validates and creates the specified flow rule. It is bound
+to ``rte_flow_create()``::
+
+ flow create {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+If successful, it will return a flow rule ID usable with other commands::
+
+ Flow rule #[...] created
+
+Otherwise it will show an error message of the form::
+
+ Caught error type [...] ([...]): [...]
+
+Parameters describe in the following order:
+
+- Attributes (*group*, *priority*, *ingress*, *egress*, *transfer* tokens).
+- A matching pattern, starting with the *pattern* token and terminated by an
+ *end* pattern item.
+- Actions, starting with the *actions* token and terminated by an *end*
+ action.
+
+These translate directly to *rte_flow* objects provided as-is to the
+underlying functions.
+
+The shortest valid definition only comprises mandatory tokens::
+
+ testpmd> flow create 0 pattern end actions end
+
+Note that PMDs may refuse rules that essentially do nothing such as this
+one.
+
+**All unspecified object values are automatically initialized to 0.**
+
+Attributes
+^^^^^^^^^^
+
+These tokens affect flow rule attributes (``struct rte_flow_attr``) and are
+specified before the ``pattern`` token.
+
+- ``group {group id}``: priority group.
+- ``priority {level}``: priority level within group.
+- ``ingress``: rule applies to ingress traffic.
+- ``egress``: rule applies to egress traffic.
+- ``transfer``: apply rule directly to endpoints found in pattern.
+
+Each instance of an attribute specified several times overrides the previous
+value as shown below (group 4 is used)::
+
+ testpmd> flow create 0 group 42 group 24 group 4 [...]
+
+Note that once enabled, ``ingress`` and ``egress`` cannot be disabled.
+
+While not specifying a direction is an error, some rules may allow both
+simultaneously.
+
+Most rules affect RX therefore contain the ``ingress`` token::
+
+ testpmd> flow create 0 ingress pattern [...]
+
+Matching pattern
+^^^^^^^^^^^^^^^^
+
+A matching pattern starts after the ``pattern`` token. It is made of pattern
+items and is terminated by a mandatory ``end`` item.
+
+Items are named after their type (*RTE_FLOW_ITEM_TYPE_* from ``enum
+rte_flow_item_type``).
+
+The ``/`` token is used as a separator between pattern items as shown
+below::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end [...]
+
+Note that protocol items like these must be stacked from lowest to highest
+layer to make sense. For instance, the following rule is either invalid or
+unlikely to match any packet::
+
+ testpmd> flow create 0 ingress pattern eth / udp / ipv4 / end [...]
+
+More information on these restrictions can be found in the *rte_flow*
+documentation.
+
+Several items support additional specification structures, for example
+``ipv4`` allows specifying source and destination addresses as follows::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 src is 10.1.1.1
+ dst is 10.2.0.0 / end [...]
+
+This rule matches all IPv4 traffic with the specified properties.
+
+In this example, ``src`` and ``dst`` are field names of the underlying
+``struct rte_flow_item_ipv4`` object. All item properties can be specified
+in a similar fashion.
+
+The ``is`` token means that the subsequent value must be matched exactly,
+and assigns ``spec`` and ``mask`` fields in ``struct rte_flow_item``
+accordingly. Possible assignment tokens are:
+
+- ``is``: match value perfectly (with full bit-mask).
+- ``spec``: match value according to configured bit-mask.
+- ``last``: specify upper bound to establish a range.
+- ``mask``: specify bit-mask with relevant bits set to one.
+- ``prefix``: generate bit-mask from a prefix length.
+
+These yield identical results::
+
+ ipv4 src is 10.1.1.1
+
+::
+
+ ipv4 src spec 10.1.1.1 src mask 255.255.255.255
+
+::
+
+ ipv4 src spec 10.1.1.1 src prefix 32
+
+::
+
+ ipv4 src is 10.1.1.1 src last 10.1.1.1 # range with a single value
+
+::
+
+ ipv4 src is 10.1.1.1 src last 0 # 0 disables range
+
+Inclusive ranges can be defined with ``last``::
+
+ ipv4 src is 10.1.1.1 src last 10.2.3.4 # 10.1.1.1 to 10.2.3.4
+
+Note that ``mask`` affects both ``spec`` and ``last``::
+
+ ipv4 src is 10.1.1.1 src last 10.2.3.4 src mask 255.255.0.0
+ # matches 10.1.0.0 to 10.2.255.255
+
+Properties can be modified multiple times::
+
+ ipv4 src is 10.1.1.1 src is 10.1.2.3 src is 10.2.3.4 # matches 10.2.3.4
+
+::
+
+ ipv4 src is 10.1.1.1 src prefix 24 src prefix 16 # matches 10.1.0.0/16
+
+Pattern items
+^^^^^^^^^^^^^
+
+This section lists supported pattern items and their attributes, if any.
+
+- ``end``: end list of pattern items.
+
+- ``void``: no-op pattern item.
+
+- ``invert``: perform actions when pattern does not match.
+
+- ``any``: match any protocol for the current layer.
+
+ - ``num {unsigned}``: number of layers covered.
+
+- ``pf``: match traffic from/to the physical function.
+
+- ``vf``: match traffic from/to a virtual function ID.
+
+ - ``id {unsigned}``: VF ID.
+
+- ``phy_port``: match traffic from/to a specific physical port.
+
+ - ``index {unsigned}``: physical port index.
+
+- ``port_id``: match traffic from/to a given DPDK port ID.
+
+ - ``id {unsigned}``: DPDK port ID.
+
+- ``mark``: match value set in previously matched flow rule using the mark action.
+
+ - ``id {unsigned}``: arbitrary integer value.
+
+- ``raw``: match an arbitrary byte string.
+
+ - ``relative {boolean}``: look for pattern after the previous item.
+ - ``search {boolean}``: search pattern from offset (see also limit).
+ - ``offset {integer}``: absolute or relative offset for pattern.
+ - ``limit {unsigned}``: search area limit for start of pattern.
+ - ``pattern {string}``: byte string to look for.
+
+- ``eth``: match Ethernet header.
+
+ - ``dst {MAC-48}``: destination MAC.
+ - ``src {MAC-48}``: source MAC.
+ - ``type {unsigned}``: EtherType or TPID.
+
+- ``vlan``: match 802.1Q/ad VLAN tag.
+
+ - ``tci {unsigned}``: tag control information.
+ - ``pcp {unsigned}``: priority code point.
+ - ``dei {unsigned}``: drop eligible indicator.
+ - ``vid {unsigned}``: VLAN identifier.
+ - ``inner_type {unsigned}``: inner EtherType or TPID.
+
+- ``ipv4``: match IPv4 header.
+
+ - ``tos {unsigned}``: type of service.
+ - ``ttl {unsigned}``: time to live.
+ - ``proto {unsigned}``: next protocol ID.
+ - ``src {ipv4 address}``: source address.
+ - ``dst {ipv4 address}``: destination address.
+
+- ``ipv6``: match IPv6 header.
+
+ - ``tc {unsigned}``: traffic class.
+ - ``flow {unsigned}``: flow label.
+ - ``proto {unsigned}``: protocol (next header).
+ - ``hop {unsigned}``: hop limit.
+ - ``src {ipv6 address}``: source address.
+ - ``dst {ipv6 address}``: destination address.
+
+- ``icmp``: match ICMP header.
+
+ - ``type {unsigned}``: ICMP packet type.
+ - ``code {unsigned}``: ICMP packet code.
+
+- ``udp``: match UDP header.
+
+ - ``src {unsigned}``: UDP source port.
+ - ``dst {unsigned}``: UDP destination port.
+
+- ``tcp``: match TCP header.
+
+ - ``src {unsigned}``: TCP source port.
+ - ``dst {unsigned}``: TCP destination port.
+
+- ``sctp``: match SCTP header.
+
+ - ``src {unsigned}``: SCTP source port.
+ - ``dst {unsigned}``: SCTP destination port.
+ - ``tag {unsigned}``: validation tag.
+ - ``cksum {unsigned}``: checksum.
+
+- ``vxlan``: match VXLAN header.
+
+ - ``vni {unsigned}``: VXLAN identifier.
+
+- ``e_tag``: match IEEE 802.1BR E-Tag header.
+
+ - ``grp_ecid_b {unsigned}``: GRP and E-CID base.
+
+- ``nvgre``: match NVGRE header.
+
+ - ``tni {unsigned}``: virtual subnet ID.
+
+- ``mpls``: match MPLS header.
+
+ - ``label {unsigned}``: MPLS label.
+
+- ``gre``: match GRE header.
+
+ - ``protocol {unsigned}``: protocol type.
+
+- ``fuzzy``: fuzzy pattern match, expect faster than default.
+
+ - ``thresh {unsigned}``: accuracy threshold.
+
+- ``gtp``, ``gtpc``, ``gtpu``: match GTPv1 header.
+
+ - ``teid {unsigned}``: tunnel endpoint identifier.
+
+- ``geneve``: match GENEVE header.
+
+ - ``vni {unsigned}``: virtual network identifier.
+ - ``protocol {unsigned}``: protocol type.
+
+- ``vxlan-gpe``: match VXLAN-GPE header.
+
+ - ``vni {unsigned}``: VXLAN-GPE identifier.
+
+- ``arp_eth_ipv4``: match ARP header for Ethernet/IPv4.
+
+ - ``sha {MAC-48}``: sender hardware address.
+ - ``spa {ipv4 address}``: sender IPv4 address.
+ - ``tha {MAC-48}``: target hardware address.
+ - ``tpa {ipv4 address}``: target IPv4 address.
+
+- ``ipv6_ext``: match presence of any IPv6 extension header.
+
+ - ``next_hdr {unsigned}``: next header.
+
+- ``icmp6``: match any ICMPv6 header.
+
+ - ``type {unsigned}``: ICMPv6 type.
+ - ``code {unsigned}``: ICMPv6 code.
+
+- ``icmp6_nd_ns``: match ICMPv6 neighbor discovery solicitation.
+
+ - ``target_addr {ipv6 address}``: target address.
+
+- ``icmp6_nd_na``: match ICMPv6 neighbor discovery advertisement.
+
+ - ``target_addr {ipv6 address}``: target address.
+
+- ``icmp6_nd_opt``: match presence of any ICMPv6 neighbor discovery option.
+
+ - ``type {unsigned}``: ND option type.
+
+- ``icmp6_nd_opt_sla_eth``: match ICMPv6 neighbor discovery source Ethernet
+ link-layer address option.
+
+ - ``sla {MAC-48}``: source Ethernet LLA.
+
+- ``icmp6_nd_opt_sla_eth``: match ICMPv6 neighbor discovery target Ethernet
+ link-layer address option.
+
+ - ``tla {MAC-48}``: target Ethernet LLA.
+
+Actions list
+^^^^^^^^^^^^
+
+A list of actions starts after the ``actions`` token in the same fashion as
+`Matching pattern`_; actions are separated by ``/`` tokens and the list is
+terminated by a mandatory ``end`` action.
+
+Actions are named after their type (*RTE_FLOW_ACTION_TYPE_* from ``enum
+rte_flow_action_type``).
+
+Dropping all incoming UDPv4 packets can be expressed as follows::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end
+ actions drop / end
+
+Several actions have configurable properties which must be specified when
+there is no valid default value. For example, ``queue`` requires a target
+queue index.
+
+This rule redirects incoming UDPv4 traffic to queue index 6::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end
+ actions queue index 6 / end
+
+While this one could be rejected by PMDs (unspecified queue index)::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end
+ actions queue / end
+
+As defined by *rte_flow*, the list is not ordered, all actions of a given
+rule are performed simultaneously. These are equivalent::