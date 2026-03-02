The application is based on two major components that work together to define and manage the forwarding state:

A DPL program loaded onto the DPL Runtime Service:

gateway_shm.p4 Collapse Source Copy Copied! #include <doca_model.p4> #include <doca_headers.p4> #include <doca_externs.p4> #include <doca_parser.p4> const bit< 32 > DECAP_TABLE_SIZE = 32768 ; const bit< 32 > ENCAP_TABLE_SIZE = 32768 ; const bit< 32 > WIRE_PORT = 32w0; struct headers_t { NV_FIXED_HEADERS } parser packet_parser(packet_in packet, out headers_t headers) { NV_FIXED_PARSER(packet, headers) } /** * This control performs the overlay policy including L2 encap with VxLAN */ control overlay_encap( inout headers_t headers, in nv_standard_metadata_t std_meta, inout nv_empty_metadata_t user_meta, inout nv_empty_metadata_t pkt_out_meta ) { NvDirectCounter(NvCounterType.PACKETS_AND_BYTES) encap_counter; action deny() { encap_counter.count(); nv_drop(); } action to_port(nv_logical_port_t port) { encap_counter.count(); nv_send_to_port(port); } action vxlan_v4_encap(nv_mac_addr_t underlay_src_mac, nv_mac_addr_t underlay_dst_mac, nv_ipv4_addr_t underlay_sip, nv_ipv4_addr_t underlay_dip, bit< 24 > vni, nv_logical_port_t port) { nv_set_vxlan_v4_underlay(headers, underlay_dst_mac, underlay_src_mac, underlay_sip, underlay_dip, vni); encap_counter.count(); nv_send_to_port(port); } table encap_v4_table { key = { headers.ipv4.dst_addr : exact; } actions = { vxlan_v4_encap; to_port; deny; } size = ENCAP_TABLE_SIZE; default_action = deny; direct_counter = encap_counter; nv_high_update_rate = true ; } apply { if (headers.ipv4.isValid()) { encap_v4_table.apply(); } } } /** * This control is for packets from wire to host (RX) * and includes policy for L2 decap */ control underlay_decap( inout headers_t headers, in nv_standard_metadata_t std_meta, inout nv_empty_metadata_t user_meta, inout nv_empty_metadata_t pkt_out_meta ) { NvDirectCounter(NvCounterType.PACKETS_AND_BYTES) decap_counter; action deny() { decap_counter.count(); nv_drop(); } action decap() { decap_counter.count(); nv_l2_decap(headers); } action to_port(nv_logical_port_t port) { nv_send_to_port(port); } action decap_to_port(nv_logical_port_t port) { decap(); to_port(port); } table decap_v4_table { key = { headers.vxlan.vni : exact; } actions = { decap; to_port; decap_to_port; deny; NoAction; } size = DECAP_TABLE_SIZE; direct_counter = decap_counter; default_action = NoAction; nv_high_update_rate = true ; } apply { if (headers.vxlan.isValid()) { decap_v4_table.apply(); } } } control gateway( inout headers_t headers, in nv_standard_metadata_t std_meta, inout nv_empty_metadata_t user_meta, inout nv_empty_metadata_t pkt_out_meta ) { overlay_encap() over; underlay_decap() under; table direction_table { key = { std_meta.ingress_port : exact; } actions = { NoAction; } default_action = NoAction; const entries = { (WIRE_PORT) : NoAction(); } } apply { if (direction_table.apply().hit) { under.apply(headers, std_meta, user_meta, pkt_out_meta); } else { over.apply(headers, std_meta, user_meta, pkt_out_meta); } } } NvDocaPipeline( packet_parser(), gateway() ) main;

This P4 application implements a basic VXLAN termination and origination function for IPv4 traffic. Its primary goal is to differentiate between incoming packets from the underlay network (Rx/Decapsulation) and packets originating from a host (Tx/Encapsulation), applying the necessary L2 overlay policies in each direction.

The program logic is separated into three distinct Control Blocks: gateway , underlay_decap , and overlay_encap .

gateway : Responsible for directing packets into the relevant control block ( underlay_decap or overlay_encap ) by matching on the ingress port.

underlay_decap : Responsible for L2 decapsulation of packets from wire to host (Rx) .

overlay_encap : Responsible for the overlay policy, including L2 VXLAN encapsulation of packets from host to wire (Tx) .

Table Name Control Block Match Field Actions Purpose direction_table gateway ingress_port NoAction (default) Determines the processing direction (Rx or Tx) decap_v4_table underlay_decap VxLAN.vni decap , to_port , decap_to_port , deny , NoAction (default) Core policy table for decapsulation; identifies the tenant context encap_v4_table overlay_encap IPv4.dst_addr vxlan_v4_encap , to_port , deny (default) Core policy table for encapsulation; determines the tunnel endpoint and VNI

Counter Name Tied to Table Actions Tracked Function decap_counter decap_v4_table decap , deny Counts successfully decapsulated packets and denied packets encap_counter encap_v4_table vxlan_v4_encap , deny Counts successfully encapsulated packets and denied packets

A control application manages the daemon's HW steering rules from a JSON input file that describes the desired rules.

gateway.entries.json Collapse Source Copy Copied! { "doctype" : "gateway_shm.p4" , "tables" : { "encap_v4_table" : { "entries" : [ { "match" : { "headers.ipv4.dst_addr" : "6.6.6.4" }, "action" : "vxlan_v4_encap_encap_v4_table" , "params" : { "underlay_src_mac" : "3C:6D:66:11:11:11" , "underlay_dst_mac" : "ff:ff:ff:ff:ff:ff" , "underlay_sip" : "6.6.6.3" , "underlay_dip" : "6.6.6.2" , "vni" : "1" , "port" : "0" } }, { "match" : { "headers.ipv4.dst_addr" : "6.6.6.5" }, "action" : "vxlan_v4_encap_encap_v4_table" , "params" : { "underlay_src_mac" : "3C:6D:66:11:11:11" , "underlay_dst_mac" : "ff:ff:ff:ff:ff:ff" , "underlay_sip" : "6.6.6.3" , "underlay_dip" : "6.6.6.2" , "vni" : "1" , "port" : "0" } } ] }, "decap_v4_table" : { "entries" : [ { "match" : { "headers.vxlan.vni" : "1" }, "action" : "decap_to_port_decap_v4_table" , "params" : { "port" : "1" } }, { "match" : { "headers.vxlan.vni" : "2" }, "action" : "deny_decap_v4_table" } ] } } }



