Re: [E1000-devel] [Intel-wired-lan] i40e X722 RSS problem with NAT-Traversal IPsec packets

From: Lennart Sorensen
Date: Mon Jun 10 2019 - 15:06:09 EST

On Fri, Jun 07, 2019 at 10:08:31PM +0000, Fujinaka, Todd wrote:
> Just a quick update with the response I got and I'll make sure this is in our internal bug database.
> Here's what I got back, and it looks like you guys have tried this already:
> Have they tried these steps to configure RSS:
> RSS Hash Flow
> -------------
> Allows you to set the hash bytes per flow type and any combination of one or
> more options for Receive Side Scaling (RSS) hash byte configuration.
> #ethtool -N <dev> rx-flow-hash <type> <option>
> Where <type> is:
> tcp4 signifying TCP over IPv4
> udp4 signifying UDP over IPv4
> tcp6 signifying TCP over IPv6
> udp6 signifying UDP over IPv6
> And <option> is one or more of:
> s Hash on the IP source address of the rx packet.
> d Hash on the IP destination address of the rx packet.
> f Hash on bytes 0 and 1 of the Layer 4 header of the rx packet.
> n Hash on bytes 2 and 3 of the Layer 4 header of the rx packet.

With potentially 10000 ipsec connections, we don't even want to look at
creating manual flow entries. There isn't enough room for that. We just
wanted RSS to do its job the way it does on every other NIC in the past.
After years of using mostly intel NICs that just worked, this one has
been quite the surprise.

> Also, looks like the driver needs to be updated to latest version:
> >>> 1.1767.0 i40e 0000:3d:00.0: The driver for the device detected a
> >>> newer version of the NVM image than expected. Please install the
> >>> most recent version of the network driver.
> Out of tree:

Already tried with 4.19 kernel which is essentially identical to the
latest out of tree driver (I diffed them and found no functional
differences at all) and it didn't help. Well it was essentially identical
to the latest out of tree a few weeks ago. It seems there is now a
newer one with some changes although nothing in the list of changes
sound relevant.

We do not want to use the out of tree driver and even trying it out is
a lot of work. We used to use it in the past for some NIC types but
stopped due to the hassle of maintaining the integration. If any problems
exist in the in kernel driver we will patch it, but so far that does not
appear to be the problem. The tests we did so far indicate the firmware
isn't applying an RSS value to certain packet types. Even mapping every
RSS value to queue 7 still saw these packets arrive on queue 0 which
should of course be impossible if the firmware was working. Now if
there is anything in the out of tree driver that you think can explain
this problem, I will look at it and consider trying it, but so far I
see nothing that makes that worth the effort. It just doesn't look like
a driver problem. If someone has access to a S2600WFT board (or some
other C612 based board) it should be simple enough to try replaying
the captured packet and see what RSS queue it hits (with ATR disabled
of course).

The message is because we tried installing an NVM update to see if it
fixed anything, and it did not. We could put the old version back,
but since neither version works I didn't bother yet.

Len Sorensen