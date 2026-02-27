config switch bool Configures whether DOCA Flow runs in VNF ( false ) or switch ( true ) mode Copy Copied! "switch" : true

esp-header-offload string Decap and encap offloading: both , encap , decap , or none . Default is both (offloading both encap and decap). Copy Copied! "esp-header-offload" : "none"

sw-sn-inc-enable bool Increments sequence number of ESP in software if set to true . Default is false. Note Available only if esp_header_offload is decap or none . Copy Copied! "sw-sn-inc-enable" : true

sw-antireplay-enable bool Enables the anti-replay mechanism in software if set to true . Default is false. Note: Available only if esp_header_offload is encap or none . Note: The window size is 64, ESN is not supported, and a non-zero sn_initial is supported. Example: "sw-antireplay-enable" : true

sn-initial uint Initial sequence number for ESP header. Used also when sw_antireplay_enable is true. Default is 0. Copy Copied! "sn-initial" : 0

debug bool Sets a debug counter for all entries when true . Default is false . This parameter can also be passed on the CLI; it is treated as true if it is set in either the configuration file or the CLI. Example: "debug" : false

fwd-bad-syndrome string How to forward packets that have a bad syndrome: drop , RSS . Default is drop . Note: Only available in debug mode. Example: "fwd-bad-syndrome" : "drop"

perf-measurements string Possible values: none , insertion-rate , bandwidth , both . Default is none . insertion-rate – print the total time it took to add the entries

bandwidth – optimize the pipe to improve pps for IPv6 Copy Copied! "perf-measurements" : "both"

vxlan-encap bool When true , perform VXLAN encap after encryption and VXLAN decap before decryption. Default is false . Example: "vxlan-encap" : false

vni uint When vxlan-encap is true, use this vni value in the VXLAN tunnel. Copy Copied! "vni" : 5

marker-encap bool When true , add an extra non-ESP marker of 8 bytes. Default is false . Copy Copied! "marker-encap" : false

icv-length int ICV length value: 8 , 12 , or 16 . Default is 16 . Copy Copied! "icv-length" : 12

encrypt_rules ip-version int Source and destination IP version. Possible values: 4 , 6 . Optional; default is 4 . Copy Copied! "ip-version" : 6

src-ip string Source IP to match Copy Copied! "src-ip" : "1.2.3.4"

dst-ip string Destination IP to match Copy Copied! "dst-ip" : "101:101:101:101:101:101:101:101"

protocol string L4 protocol: TCP or UDP Copy Copied! "protocol"

src-port int Source port to match

dst-port int Destination port to match Copy Copied! "dst-port" : 55

encap-ip-version int Encap IP version: 4 or 6 . Optional; default is 4 . Copy Copied! "ip-version" : 4

encap-dst-ip string Encap destination IP Note Mandatory for tunnel mode only. Copy Copied! "encap-dst-ip" : "1.1.1.1"

spi int SPI integer to set in the ESP header Copy Copied! "spi" : 5

key string Key for creating the SA (in hex format) Copy Copied! "key" : "112233445566778899aabbccdd"

key-type int Key size: 128 or 256 . Optional; default is 256 . Copy Copied! "key-type" : 128

iv string Initial vector (IV) for creating the SA (in hex format). Optional; default is an IV of zero bytes. Copy Copied! "iv" : "0102030405060708"

salt int Salt value for creating the SA. Default is 6 . Example: "salt" : 1212

lifetime-threshold int Set IPsec lifetime threshold. Ignored if sw-sn-inc-enable is true. Default is 0. Copy Copied! "lifetime-threshold" : 1000000

esn_en bool Enables extended sequence number. Default is false . Copy Copied! "esn_en" : true

decrypt_rules ip-version int Destination IP version: 4 or 6 . Optional; default is 4 . Copy Copied! "ip-version" : 6

dst-ip string Destination IP to match Copy Copied! "dst-ip" : "1122:3344:5566:7788:99aa:bbcc:ddee:ff00"

inner-ip-version int Inner IP version: 4 or 6 . Optional; default is 4 . Note Mandatory for tunnel mode only. Copy Copied! "inner-ip-version" : 4

spi int SPI to match in the ESP header Copy Copied! "spi" : 5

key string Key for creating the SA (in hex format) Copy Copied! "key" : "112233445566778899aabbccdd"

key-type int Key size: 128 or 256 . Optional; default is 256 . Copy Copied! "key-type" : 128

iv string Initial vector (IV) for creating the SA (in hex format). Optional; default is an IV of zero bytes. Copy Copied! "iv" : "0102030405060708"

salt int Salt value for creating the SA. Default is 6 . Copy Copied! "salt" : 1212

lifetime-threshold int Set IPsec lifetime threshold. Ignored if sw-antireplay-enable is true. Default is 0. Copy Copied! "lifetime-threshold" : 1000000