
Chain Support

Esti Lederer edited this page Aug 25, 2022 · 11 revisions

By default, when a tc filter (rule) is added and the chain parameter is omitted, tc assumes that chain 0 is the default chain used by the user. Chain 0 is also the only chain that is processed by the ACL by default.

To process rules in another chain, set the goto action of the filter in chain 0. For example:

tc filter add dev sw1p1 ingress chain 0 flower skip_sw action goto chain 1

To insert a filter into a specific chain, use the chain parameter of tc filter. Use the following command:

tc filter add dev <DEV> {ingress | egress} chain <CHAIN-INDEX> flower [MATCH(es)] action <ACTION>

Where CHAIN-INDEX can be 0, 1, or 2 for ingress; only CHAIN-INDEX 0 is supported for egress.

A chain, if not created by the user, is created implicitly when a filter is added. Similarly, after the last filter is removed from the chain, it is destroyed. To explicitly create and destroy chains, use the following commands:

tc chain add dev <DEV> {ingress | egress} chain <CHAIN-INDEX>
tc chain del dev <DEV> {ingress | egress} chain <CHAIN-INDEX>

To show a list of tc chains, use the following command:

tc chain show dev <DEV> {ingress | egress}

Example. Create/show/destroy:

tc chain add dev sw1p1 ingress chain 1
tc chain show dev sw1p1 ingress
tc chain del dev sw1p1 ingress chain 1

Assumptions and limitations

  • Only the flower filter supports chaining.
  • Up to 3 chains are supported (chain index 0, 1, and 2) on ingress, and only 1 chain (chain index 0) on egress.
  • goto action is supported only on ingress.
  • Only forward goto chaining is supported. Setting a backward goto chain raises an error.
  • Setting a goto action on an unsupported chain sets the rule to be processed without modification. The packet will be processed by the next pipeline engines. No error is raised by the tc tool.
  • goto does not support multiple actions.
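
A pre-flight check for the chain and goto limits listed above, as an added example that is not part of the original wiki or the driver; `lint_tc_filter` is a hypothetical helper and the sample lines are constructed. It is most useful for the unsupported-chain case, which tc accepts without raising an error.

```bash
# Added example: lint a "tc filter add" line against the chain limits on this
# page before it is applied. lint_tc_filter is a hypothetical helper name.
lint_tc_filter() {
    local dir="" chain=0 target="" prev="" pprev="" actions=0 max w
    for w in $1; do   # intentional word splitting of the command line
        case "$w" in
            ingress|egress) dir=$w ;;
            action) actions=$((actions + 1)) ;;
        esac
        if [ "$prev" = chain ]; then
            # "goto chain N" is the jump target; otherwise it is the filter's chain.
            if [ "$pprev" = goto ]; then target=$w; else chain=$w; fi
        fi
        pprev=$prev; prev=$w
    done
    case "$dir" in
        ingress) max=2 ;;
        egress)  max=0 ;;
        *) echo "error: no ingress/egress direction"; return 1 ;;
    esac
    case "$chain$target" in
        *[!0-9]*) echo "error: chain index is not a number"; return 1 ;;
    esac
    if [ "$chain" -gt "$max" ]; then
        echo "error: chain $chain is not supported on $dir"; return 1
    fi
    if [ -z "$target" ]; then echo "ok: chain $chain, no goto"; return 0; fi
    if [ "$dir" = egress ]; then
        echo "error: goto is supported only on ingress"; return 1
    fi
    if [ "$actions" -gt 1 ]; then   # assumption: each action has its own keyword
        echo "error: goto cannot be combined with other actions"; return 1
    fi
    if [ "$target" -gt 2 ]; then    # tc itself raises no error for this case
        echo "error: goto chain $target is unsupported, tc will not report it"; return 1
    fi
    if [ "$target" -le "$chain" ]; then
        echo "error: goto chain $target from chain $chain is not forward"; return 1
    fi
    echo "ok: chain $chain -> chain $target"
}
# Constructed sample lines (sw1p1 is the device name used on this page).
while IFS= read -r line; do
    printf '%s\n  => %s\n' "$line" "$(lint_tc_filter "$line")"
done <<'EOF'
tc filter add dev sw1p1 ingress chain 0 flower skip_sw action goto chain 1
tc filter add dev sw1p1 ingress chain 1 flower skip_sw action goto chain 5
tc filter add dev sw1p1 ingress chain 2 flower skip_sw action goto chain 1
EOF
```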

Chain Template Support

Whenever a chain is created (implicit chain 0, or other), the driver allocates enough memory for all possible supported match keys in the filters on that chain. If a filter does not use all of those matches, some of the memory is wasted. To use TCAM memory more efficiently, use the tc chain template feature. This feature is useful if you know in advance which keys you need on a given chain. For example, you might only need to match on a destination IP address.

Chain templates enable you to specify the shape that filters on this chain are going to have. The driver can use this information to configure the hardware optimally to support the requested matching keys. To configure templates in the chain, you must explicitly create a chain with a template. The configuration looks like this:

tc chain add dev <DEV> {ingress | egress}  chain <CHAIN-INDEX> flower <MATCH-TEMPLATE>

Where, MATCH-TEMPLATE is the match list in this chain. The format is the same as specifying matches when adding the filters. Action is not required for this operation.

For example, to create a chain with a Source IP match with mask 16, use this command:

tc chain add dev <DEV> ingress proto ip chain 1 flower src_ip 1.1.0.0/16

In this example, only flower filters with a Source IP match are allowed. Filters that do not match the template are rejected by the kernel. To show and delete the chain, use the commands described in the previous section.

More examples:

tc chain add dev sw1p1 ingress chain 0 proto ip flower src_ip 1.1.1.1/32 dst_ip 2.0.0.0/8
tc chain add dev sw1p1 ingress chain 1 proto ip flower ip_proto udp src_port 150-200
tc chain add dev sw1p1 ingress chain 2 flower src_mac 00:11:22:33:44:55

Assumptions and limitations

Assumptions and limitations from the previous section apply to templates as well.

  • If the Switchdev driver fails to create a chain template, the command itself does not fail (kernel limitation). However, adding a hardware rule to that chain is rejected by the kernel and an error is returned.
  • The maximum number of different chain templates is 6 per chain. However, one template is reserved for NAT (this template uses the 20B key format) and is created in chain 1. So, you can create 6 templates in chain 0, 5 templates in chain 1, and 6 templates in chain 2 (17 different templates in total).
  • Different chain templates are templates that have different match criteria, where those criteria do not fit into any existing template. See the next section for information on how templates are allocated.

Chain Template Reuse

As described in the chain limitations, it is possible to create 17 unique chain templates. This does not mean that only 17 chains are allowed on the system. When a user creates a chain template, the Switchdev driver tries to reuse an existing template or allocate a new one, based on the following algorithm:

Chain Template Reuse Algorithm

NOTE: in case of an error the error message is not returned to the user.