+
+set_hash_input_set
+~~~~~~~~~~~~~~~~~~
+
+Set the input set for hash::
+
+ set_hash_input_set (port_id) (ipv4-frag|ipv4-tcp|ipv4-udp|ipv4-sctp| \
+ ipv4-other|ipv6-frag|ipv6-tcp|ipv6-udp|ipv6-sctp|ipv6-other| \
+ l2_payload|<flow_id>) (ovlan|ivlan|src-ipv4|dst-ipv4|src-ipv6|dst-ipv6| \
+ ipv4-tos|ipv4-proto|ipv6-tc|ipv6-next-header|udp-src-port|udp-dst-port| \
+ tcp-src-port|tcp-dst-port|sctp-src-port|sctp-dst-port|sctp-veri-tag| \
+ udp-key|gre-key|fld-1st|fld-2nd|fld-3rd|fld-4th|fld-5th|fld-6th|fld-7th| \
+ fld-8th|none) (select|add)
+
+For example, to add source IP to hash input set for flow type of ipv4-udp on port 0::
+
+ testpmd> set_hash_input_set 0 ipv4-udp src-ipv4 add
+
+set_fdir_input_set
+~~~~~~~~~~~~~~~~~~
+
+The Flow Director filters can match the different fields for different type of packet, i.e. specific input set
+on per flow type and the flexible payload. This command can be used to change input set for each flow type.
+
+Set the input set for flow director::
+
+ set_fdir_input_set (port_id) (ipv4-frag|ipv4-tcp|ipv4-udp|ipv4-sctp| \
+ ipv4-other|ipv6|ipv6-frag|ipv6-tcp|ipv6-udp|ipv6-sctp|ipv6-other| \
+ l2_payload|<flow_id>) (ivlan|ethertype|src-ipv4|dst-ipv4|src-ipv6|dst-ipv6| \
+ ipv4-tos|ipv4-proto|ipv4-ttl|ipv6-tc|ipv6-next-header|ipv6-hop-limits| \
+ tudp-src-port|udp-dst-port|cp-src-port|tcp-dst-port|sctp-src-port| \
+ sctp-dst-port|sctp-veri-tag|none) (select|add)
+
+For example to add source IP to FD input set for flow type of ipv4-udp on port 0::
+
+ testpmd> set_fdir_input_set 0 ipv4-udp src-ipv4 add
+
+global_config
+~~~~~~~~~~~~~
+
+Set different GRE key length for input set::
+
+ global_config (port_id) gre-key-len (number in bytes)
+
+For example to set GRE key length for input set to 4 bytes on port 0::
+
+ testpmd> global_config 0 gre-key-len 4
+
+
+.. _testpmd_rte_flow:
+
+Flow rules management
+---------------------
+
+Control of the generic flow API (*rte_flow*) is fully exposed through the
+``flow`` command (validation, creation, destruction, queries and operation
+modes).
+
+Considering *rte_flow* overlaps with all `Filter Functions`_, using both
+features simultaneously may cause undefined side-effects and is therefore
+not recommended.
+
+``flow`` syntax
+~~~~~~~~~~~~~~~
+
+Because the ``flow`` command uses dynamic tokens to handle the large number
+of possible flow rules combinations, its behavior differs slightly from
+other commands, in particular:
+
+- Pressing *?* or the *<tab>* key displays contextual help for the current
+ token, not that of the entire command.
+
+- Optional and repeated parameters are supported (provided they are listed
+ in the contextual help).
+
+The first parameter stands for the operation mode. Possible operations and
+their general syntax are described below. They are covered in detail in the
+following sections.
+
+- Check whether a flow rule can be created::
+
+ flow validate {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+- Create a flow rule::
+
+ flow create {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+- Destroy specific flow rules::
+
+ flow destroy {port_id} rule {rule_id} [...]
+
+- Destroy all flow rules::
+
+ flow flush {port_id}
+
+- Query an existing flow rule::
+
+ flow query {port_id} {rule_id} {action}
+
+- List existing flow rules sorted by priority, filtered by group
+ identifiers::
+
+ flow list {port_id} [group {group_id}] [...]
+
+- Restrict ingress traffic to the defined flow rules::
+
+ flow isolate {port_id} {boolean}
+
+Validating flow rules
+~~~~~~~~~~~~~~~~~~~~~
+
+``flow validate`` reports whether a flow rule would be accepted by the
+underlying device in its current state but stops short of creating it. It is
+bound to ``rte_flow_validate()``::
+
+ flow validate {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+If successful, it will show::
+
+ Flow rule validated
+
+Otherwise it will show an error message of the form::
+
+ Caught error type [...] ([...]): [...]
+
+This command uses the same parameters as ``flow create``, their format is
+described in `Creating flow rules`_.
+
+Check whether redirecting any Ethernet packet received on port 0 to RX queue
+index 6 is supported::
+
+ testpmd> flow validate 0 ingress pattern eth / end
+ actions queue index 6 / end
+ Flow rule validated
+ testpmd>
+
+Port 0 does not support TCPv6 rules::
+
+ testpmd> flow validate 0 ingress pattern eth / ipv6 / tcp / end
+ actions drop / end
+ Caught error type 9 (specific pattern item): Invalid argument
+ testpmd>
+
+Creating flow rules
+~~~~~~~~~~~~~~~~~~~
+
+``flow create`` validates and creates the specified flow rule. It is bound
+to ``rte_flow_create()``::
+
+ flow create {port_id}
+ [group {group_id}] [priority {level}] [ingress] [egress] [transfer]
+ pattern {item} [/ {item} [...]] / end
+ actions {action} [/ {action} [...]] / end
+
+If successful, it will return a flow rule ID usable with other commands::
+
+ Flow rule #[...] created
+
+Otherwise it will show an error message of the form::
+
+ Caught error type [...] ([...]): [...]
+
+Parameters describe in the following order:
+
+- Attributes (*group*, *priority*, *ingress*, *egress*, *transfer* tokens).
+- A matching pattern, starting with the *pattern* token and terminated by an
+ *end* pattern item.
+- Actions, starting with the *actions* token and terminated by an *end*
+ action.
+
+These translate directly to *rte_flow* objects provided as-is to the
+underlying functions.
+
+The shortest valid definition only comprises mandatory tokens::
+
+ testpmd> flow create 0 pattern end actions end
+
+Note that PMDs may refuse rules that essentially do nothing such as this
+one.
+
+**All unspecified object values are automatically initialized to 0.**
+
+Attributes
+^^^^^^^^^^
+
+These tokens affect flow rule attributes (``struct rte_flow_attr``) and are
+specified before the ``pattern`` token.
+
+- ``group {group id}``: priority group.
+- ``priority {level}``: priority level within group.
+- ``ingress``: rule applies to ingress traffic.
+- ``egress``: rule applies to egress traffic.
+- ``transfer``: apply rule directly to endpoints found in pattern.
+
+Each instance of an attribute specified several times overrides the previous
+value as shown below (group 4 is used)::
+
+ testpmd> flow create 0 group 42 group 24 group 4 [...]
+
+Note that once enabled, ``ingress`` and ``egress`` cannot be disabled.
+
+While not specifying a direction is an error, some rules may allow both
+simultaneously.
+
+Most rules affect RX therefore contain the ``ingress`` token::
+
+ testpmd> flow create 0 ingress pattern [...]
+
+Matching pattern
+^^^^^^^^^^^^^^^^
+
+A matching pattern starts after the ``pattern`` token. It is made of pattern
+items and is terminated by a mandatory ``end`` item.
+
+Items are named after their type (*RTE_FLOW_ITEM_TYPE_* from ``enum
+rte_flow_item_type``).
+
+The ``/`` token is used as a separator between pattern items as shown
+below::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end [...]
+
+Note that protocol items like these must be stacked from lowest to highest
+layer to make sense. For instance, the following rule is either invalid or
+unlikely to match any packet::
+
+ testpmd> flow create 0 ingress pattern eth / udp / ipv4 / end [...]
+
+More information on these restrictions can be found in the *rte_flow*
+documentation.
+
+Several items support additional specification structures, for example
+``ipv4`` allows specifying source and destination addresses as follows::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 src is 10.1.1.1
+ dst is 10.2.0.0 / end [...]
+
+This rule matches all IPv4 traffic with the specified properties.
+
+In this example, ``src`` and ``dst`` are field names of the underlying
+``struct rte_flow_item_ipv4`` object. All item properties can be specified
+in a similar fashion.
+
+The ``is`` token means that the subsequent value must be matched exactly,
+and assigns ``spec`` and ``mask`` fields in ``struct rte_flow_item``
+accordingly. Possible assignment tokens are:
+
+- ``is``: match value perfectly (with full bit-mask).
+- ``spec``: match value according to configured bit-mask.
+- ``last``: specify upper bound to establish a range.
+- ``mask``: specify bit-mask with relevant bits set to one.
+- ``prefix``: generate bit-mask from a prefix length.
+
+These yield identical results::
+
+ ipv4 src is 10.1.1.1
+
+::
+
+ ipv4 src spec 10.1.1.1 src mask 255.255.255.255
+
+::
+
+ ipv4 src spec 10.1.1.1 src prefix 32
+
+::
+
+ ipv4 src is 10.1.1.1 src last 10.1.1.1 # range with a single value
+
+::
+
+ ipv4 src is 10.1.1.1 src last 0 # 0 disables range
+
+Inclusive ranges can be defined with ``last``::
+
+ ipv4 src is 10.1.1.1 src last 10.2.3.4 # 10.1.1.1 to 10.2.3.4
+
+Note that ``mask`` affects both ``spec`` and ``last``::
+
+ ipv4 src is 10.1.1.1 src last 10.2.3.4 src mask 255.255.0.0
+ # matches 10.1.0.0 to 10.2.255.255
+
+Properties can be modified multiple times::
+
+ ipv4 src is 10.1.1.1 src is 10.1.2.3 src is 10.2.3.4 # matches 10.2.3.4
+
+::
+
+ ipv4 src is 10.1.1.1 src prefix 24 src prefix 16 # matches 10.1.0.0/16
+
+Pattern items
+^^^^^^^^^^^^^
+
+This section lists supported pattern items and their attributes, if any.
+
+- ``end``: end list of pattern items.
+
+- ``void``: no-op pattern item.
+
+- ``invert``: perform actions when pattern does not match.
+
+- ``any``: match any protocol for the current layer.
+
+ - ``num {unsigned}``: number of layers covered.
+
+- ``pf``: match traffic from/to the physical function.
+
+- ``vf``: match traffic from/to a virtual function ID.
+
+ - ``id {unsigned}``: VF ID.
+
+- ``phy_port``: match traffic from/to a specific physical port.
+
+ - ``index {unsigned}``: physical port index.
+
+- ``port_id``: match traffic from/to a given DPDK port ID.
+
+ - ``id {unsigned}``: DPDK port ID.
+
+- ``mark``: match value set in previously matched flow rule using the mark action.
+
+ - ``id {unsigned}``: arbitrary integer value.
+
+- ``raw``: match an arbitrary byte string.
+
+ - ``relative {boolean}``: look for pattern after the previous item.
+ - ``search {boolean}``: search pattern from offset (see also limit).
+ - ``offset {integer}``: absolute or relative offset for pattern.
+ - ``limit {unsigned}``: search area limit for start of pattern.
+ - ``pattern {string}``: byte string to look for.
+
+- ``eth``: match Ethernet header.
+
+ - ``dst {MAC-48}``: destination MAC.
+ - ``src {MAC-48}``: source MAC.
+ - ``type {unsigned}``: EtherType or TPID.
+
+- ``vlan``: match 802.1Q/ad VLAN tag.
+
+ - ``tci {unsigned}``: tag control information.
+ - ``pcp {unsigned}``: priority code point.
+ - ``dei {unsigned}``: drop eligible indicator.
+ - ``vid {unsigned}``: VLAN identifier.
+ - ``inner_type {unsigned}``: inner EtherType or TPID.
+
+- ``ipv4``: match IPv4 header.
+
+ - ``tos {unsigned}``: type of service.
+ - ``ttl {unsigned}``: time to live.
+ - ``proto {unsigned}``: next protocol ID.
+ - ``src {ipv4 address}``: source address.
+ - ``dst {ipv4 address}``: destination address.
+
+- ``ipv6``: match IPv6 header.
+
+ - ``tc {unsigned}``: traffic class.
+ - ``flow {unsigned}``: flow label.
+ - ``proto {unsigned}``: protocol (next header).
+ - ``hop {unsigned}``: hop limit.
+ - ``src {ipv6 address}``: source address.
+ - ``dst {ipv6 address}``: destination address.
+
+- ``icmp``: match ICMP header.
+
+ - ``type {unsigned}``: ICMP packet type.
+ - ``code {unsigned}``: ICMP packet code.
+
+- ``udp``: match UDP header.
+
+ - ``src {unsigned}``: UDP source port.
+ - ``dst {unsigned}``: UDP destination port.
+
+- ``tcp``: match TCP header.
+
+ - ``src {unsigned}``: TCP source port.
+ - ``dst {unsigned}``: TCP destination port.
+
+- ``sctp``: match SCTP header.
+
+ - ``src {unsigned}``: SCTP source port.
+ - ``dst {unsigned}``: SCTP destination port.
+ - ``tag {unsigned}``: validation tag.
+ - ``cksum {unsigned}``: checksum.
+
+- ``vxlan``: match VXLAN header.
+
+ - ``vni {unsigned}``: VXLAN identifier.
+
+- ``e_tag``: match IEEE 802.1BR E-Tag header.
+
+ - ``grp_ecid_b {unsigned}``: GRP and E-CID base.
+
+- ``nvgre``: match NVGRE header.
+
+ - ``tni {unsigned}``: virtual subnet ID.
+
+- ``mpls``: match MPLS header.
+
+ - ``label {unsigned}``: MPLS label.
+
+- ``gre``: match GRE header.
+
+ - ``protocol {unsigned}``: protocol type.
+
+- ``fuzzy``: fuzzy pattern match, expect faster than default.
+
+ - ``thresh {unsigned}``: accuracy threshold.
+
+- ``gtp``, ``gtpc``, ``gtpu``: match GTPv1 header.
+
+ - ``teid {unsigned}``: tunnel endpoint identifier.
+
+- ``geneve``: match GENEVE header.
+
+ - ``vni {unsigned}``: virtual network identifier.
+ - ``protocol {unsigned}``: protocol type.
+
+- ``vxlan-gpe``: match VXLAN-GPE header.
+
+ - ``vni {unsigned}``: VXLAN-GPE identifier.
+
+- ``arp_eth_ipv4``: match ARP header for Ethernet/IPv4.
+
+ - ``sha {MAC-48}``: sender hardware address.
+ - ``spa {ipv4 address}``: sender IPv4 address.
+ - ``tha {MAC-48}``: target hardware address.
+ - ``tpa {ipv4 address}``: target IPv4 address.
+
+- ``ipv6_ext``: match presence of any IPv6 extension header.
+
+ - ``next_hdr {unsigned}``: next header.
+
+- ``icmp6``: match any ICMPv6 header.
+
+ - ``type {unsigned}``: ICMPv6 type.
+ - ``code {unsigned}``: ICMPv6 code.
+
+- ``icmp6_nd_ns``: match ICMPv6 neighbor discovery solicitation.
+
+ - ``target_addr {ipv6 address}``: target address.
+
+- ``icmp6_nd_na``: match ICMPv6 neighbor discovery advertisement.
+
+ - ``target_addr {ipv6 address}``: target address.
+
+- ``icmp6_nd_opt``: match presence of any ICMPv6 neighbor discovery option.
+
+ - ``type {unsigned}``: ND option type.
+
+- ``icmp6_nd_opt_sla_eth``: match ICMPv6 neighbor discovery source Ethernet
+ link-layer address option.
+
+ - ``sla {MAC-48}``: source Ethernet LLA.
+
+- ``icmp6_nd_opt_sla_eth``: match ICMPv6 neighbor discovery target Ethernet
+ link-layer address option.
+
+ - ``tla {MAC-48}``: target Ethernet LLA.
+
+Actions list
+^^^^^^^^^^^^
+
+A list of actions starts after the ``actions`` token in the same fashion as
+`Matching pattern`_; actions are separated by ``/`` tokens and the list is
+terminated by a mandatory ``end`` action.
+
+Actions are named after their type (*RTE_FLOW_ACTION_TYPE_* from ``enum
+rte_flow_action_type``).
+
+Dropping all incoming UDPv4 packets can be expressed as follows::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end
+ actions drop / end
+
+Several actions have configurable properties which must be specified when
+there is no valid default value. For example, ``queue`` requires a target
+queue index.
+
+This rule redirects incoming UDPv4 traffic to queue index 6::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end
+ actions queue index 6 / end
+
+While this one could be rejected by PMDs (unspecified queue index)::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / udp / end
+ actions queue / end
+
+As defined by *rte_flow*, the list is not ordered, all actions of a given
+rule are performed simultaneously. These are equivalent::
+
+ queue index 6 / void / mark id 42 / end
+
+::
+
+ void / mark id 42 / queue index 6 / end
+
+All actions in a list should have different types, otherwise only the last
+action of a given type is taken into account::
+
+ queue index 4 / queue index 5 / queue index 6 / end # will use queue 6
+
+::
+
+ drop / drop / drop / end # drop is performed only once
+
+::
+
+ mark id 42 / queue index 3 / mark id 24 / end # mark will be 24
+
+Considering they are performed simultaneously, opposite and overlapping
+actions can sometimes be combined when the end result is unambiguous::
+
+ drop / queue index 6 / end # drop has no effect
+
+::
+
+ queue index 6 / rss queues 6 7 8 / end # queue has no effect
+
+::
+
+ drop / passthru / end # drop has no effect
+
+Note that PMDs may still refuse such combinations.
+
+Actions
+^^^^^^^
+
+This section lists supported actions and their attributes, if any.
+
+- ``end``: end list of actions.
+
+- ``void``: no-op action.
+
+- ``passthru``: let subsequent rule process matched packets.
+
+- ``jump``: redirect traffic to group on device.
+
+ - ``group {unsigned}``: group to redirect to.
+
+- ``mark``: attach 32 bit value to packets.
+
+ - ``id {unsigned}``: 32 bit value to return with packets.
+
+- ``flag``: flag packets.
+
+- ``queue``: assign packets to a given queue index.
+
+ - ``index {unsigned}``: queue index to use.
+
+- ``drop``: drop packets (note: passthru has priority).
+
+- ``count``: enable counters for this rule.
+
+- ``rss``: spread packets among several queues.
+
+ - ``func {hash function}``: RSS hash function to apply, allowed tokens are
+ the same as `set_hash_global_config`_.
+
+ - ``level {unsigned}``: encapsulation level for ``types``.
+
+ - ``types [{RSS hash type} [...]] end``: specific RSS hash types, allowed
+ tokens are the same as `set_hash_input_set`_, except that an empty list
+ does not disable RSS but instead requests unspecified "best-effort"
+ settings.
+
+ - ``key {string}``: RSS hash key, overrides ``key_len``.
+
+ - ``key_len {unsigned}``: RSS hash key length in bytes, can be used in
+ conjunction with ``key`` to pad or truncate it.
+
+ - ``queues [{unsigned} [...]] end``: queue indices to use.
+
+- ``pf``: direct traffic to physical function.
+
+- ``vf``: direct traffic to a virtual function ID.
+
+ - ``original {boolean}``: use original VF ID if possible.
+ - ``id {unsigned}``: VF ID.
+
+- ``phy_port``: direct packets to physical port index.
+
+ - ``original {boolean}``: use original port index if possible.
+ - ``index {unsigned}``: physical port index.
+
+- ``port_id``: direct matching traffic to a given DPDK port ID.
+
+ - ``original {boolean}``: use original DPDK port ID if possible.
+ - ``id {unsigned}``: DPDK port ID.
+
+- ``of_set_mpls_ttl``: OpenFlow's ``OFPAT_SET_MPLS_TTL``.
+
+ - ``mpls_ttl``: MPLS TTL.
+
+- ``of_dec_mpls_ttl``: OpenFlow's ``OFPAT_DEC_MPLS_TTL``.
+
+- ``of_set_nw_ttl``: OpenFlow's ``OFPAT_SET_NW_TTL``.
+
+ - ``nw_ttl``: IP TTL.
+
+- ``of_dec_nw_ttl``: OpenFlow's ``OFPAT_DEC_NW_TTL``.
+
+- ``of_copy_ttl_out``: OpenFlow's ``OFPAT_COPY_TTL_OUT``.
+
+- ``of_copy_ttl_in``: OpenFlow's ``OFPAT_COPY_TTL_IN``.
+
+- ``of_pop_vlan``: OpenFlow's ``OFPAT_POP_VLAN``.
+
+- ``of_push_vlan``: OpenFlow's ``OFPAT_PUSH_VLAN``.
+
+ - ``ethertype``: Ethertype.
+
+- ``of_set_vlan_vid``: OpenFlow's ``OFPAT_SET_VLAN_VID``.
+
+ - ``vlan_vid``: VLAN id.
+
+- ``of_set_vlan_pcp``: OpenFlow's ``OFPAT_SET_VLAN_PCP``.
+
+ - ``vlan_pcp``: VLAN priority.
+
+- ``of_pop_mpls``: OpenFlow's ``OFPAT_POP_MPLS``.
+
+ - ``ethertype``: Ethertype.
+
+- ``of_push_mpls``: OpenFlow's ``OFPAT_PUSH_MPLS``.
+
+ - ``ethertype``: Ethertype.
+
+Destroying flow rules
+~~~~~~~~~~~~~~~~~~~~~
+
+``flow destroy`` destroys one or more rules from their rule ID (as returned
+by ``flow create``), this command calls ``rte_flow_destroy()`` as many
+times as necessary::
+
+ flow destroy {port_id} rule {rule_id} [...]
+
+If successful, it will show::
+
+ Flow rule #[...] destroyed
+
+It does not report anything for rule IDs that do not exist. The usual error
+message is shown when a rule cannot be destroyed::
+
+ Caught error type [...] ([...]): [...]
+
+``flow flush`` destroys all rules on a device and does not take extra
+arguments. It is bound to ``rte_flow_flush()``::
+
+ flow flush {port_id}
+
+Any errors are reported as above.
+
+Creating several rules and destroying them::
+
+ testpmd> flow create 0 ingress pattern eth / ipv6 / end
+ actions queue index 2 / end
+ Flow rule #0 created
+ testpmd> flow create 0 ingress pattern eth / ipv4 / end
+ actions queue index 3 / end
+ Flow rule #1 created
+ testpmd> flow destroy 0 rule 0 rule 1
+ Flow rule #1 destroyed
+ Flow rule #0 destroyed
+ testpmd>
+
+The same result can be achieved using ``flow flush``::
+
+ testpmd> flow create 0 ingress pattern eth / ipv6 / end
+ actions queue index 2 / end
+ Flow rule #0 created
+ testpmd> flow create 0 ingress pattern eth / ipv4 / end
+ actions queue index 3 / end
+ Flow rule #1 created
+ testpmd> flow flush 0
+ testpmd>
+
+Non-existent rule IDs are ignored::
+
+ testpmd> flow create 0 ingress pattern eth / ipv6 / end
+ actions queue index 2 / end
+ Flow rule #0 created
+ testpmd> flow create 0 ingress pattern eth / ipv4 / end
+ actions queue index 3 / end
+ Flow rule #1 created
+ testpmd> flow destroy 0 rule 42 rule 10 rule 2
+ testpmd>
+ testpmd> flow destroy 0 rule 0
+ Flow rule #0 destroyed
+ testpmd>
+
+Querying flow rules
+~~~~~~~~~~~~~~~~~~~
+
+``flow query`` queries a specific action of a flow rule having that
+ability. Such actions collect information that can be reported using this
+command. It is bound to ``rte_flow_query()``::
+
+ flow query {port_id} {rule_id} {action}
+
+If successful, it will display either the retrieved data for known actions
+or the following message::
+
+ Cannot display result for action type [...] ([...])
+
+Otherwise, it will complain either that the rule does not exist or that some
+error occurred::
+
+ Flow rule #[...] not found
+
+::
+
+ Caught error type [...] ([...]): [...]
+
+Currently only the ``count`` action is supported. This action reports the
+number of packets that hit the flow rule and the total number of bytes. Its
+output has the following format::
+
+ count:
+ hits_set: [...] # whether "hits" contains a valid value
+ bytes_set: [...] # whether "bytes" contains a valid value
+ hits: [...] # number of packets
+ bytes: [...] # number of bytes
+
+Querying counters for TCPv6 packets redirected to queue 6::
+
+ testpmd> flow create 0 ingress pattern eth / ipv6 / tcp / end
+ actions queue index 6 / count / end
+ Flow rule #4 created
+ testpmd> flow query 0 4 count
+ count:
+ hits_set: 1
+ bytes_set: 0
+ hits: 386446
+ bytes: 0
+ testpmd>
+
+Listing flow rules
+~~~~~~~~~~~~~~~~~~
+
+``flow list`` lists existing flow rules sorted by priority and optionally
+filtered by group identifiers::
+
+ flow list {port_id} [group {group_id}] [...]
+
+This command only fails with the following message if the device does not
+exist::
+
+ Invalid port [...]
+
+Output consists of a header line followed by a short description of each
+flow rule, one per line. There is no output at all when no flow rules are
+configured on the device::
+
+ ID Group Prio Attr Rule
+ [...] [...] [...] [...] [...]
+
+``Attr`` column flags:
+
+- ``i`` for ``ingress``.
+- ``e`` for ``egress``.
+
+Creating several flow rules and listing them::
+
+ testpmd> flow create 0 ingress pattern eth / ipv4 / end
+ actions queue index 6 / end
+ Flow rule #0 created
+ testpmd> flow create 0 ingress pattern eth / ipv6 / end
+ actions queue index 2 / end
+ Flow rule #1 created
+ testpmd> flow create 0 priority 5 ingress pattern eth / ipv4 / udp / end
+ actions rss queues 6 7 8 end / end
+ Flow rule #2 created
+ testpmd> flow list 0
+ ID Group Prio Attr Rule
+ 0 0 0 i- ETH IPV4 => QUEUE
+ 1 0 0 i- ETH IPV6 => QUEUE
+ 2 0 5 i- ETH IPV4 UDP => RSS
+ testpmd>
+
+Rules are sorted by priority (i.e. group ID first, then priority level)::
+
+ testpmd> flow list 1
+ ID Group Prio Attr Rule
+ 0 0 0 i- ETH => COUNT
+ 6 0 500 i- ETH IPV6 TCP => DROP COUNT
+ 5 0 1000 i- ETH IPV6 ICMP => QUEUE
+ 1 24 0 i- ETH IPV4 UDP => QUEUE
+ 4 24 10 i- ETH IPV4 TCP => DROP
+ 3 24 20 i- ETH IPV4 => DROP
+ 2 24 42 i- ETH IPV4 UDP => QUEUE
+ 7 63 0 i- ETH IPV6 UDP VXLAN => MARK QUEUE
+ testpmd>
+
+Output can be limited to specific groups::
+
+ testpmd> flow list 1 group 0 group 63
+ ID Group Prio Attr Rule
+ 0 0 0 i- ETH => COUNT
+ 6 0 500 i- ETH IPV6 TCP => DROP COUNT
+ 5 0 1000 i- ETH IPV6 ICMP => QUEUE
+ 7 63 0 i- ETH IPV6 UDP VXLAN => MARK QUEUE
+ testpmd>
+
+Toggling isolated mode
+~~~~~~~~~~~~~~~~~~~~~~
+
+``flow isolate`` can be used to tell the underlying PMD that ingress traffic
+must only be injected from the defined flow rules; that no default traffic
+is expected outside those rules and the driver is free to assign more
+resources to handle them. It is bound to ``rte_flow_isolate()``::
+
+ flow isolate {port_id} {boolean}
+
+If successful, enabling or disabling isolated mode shows either::
+
+ Ingress traffic on port [...]
+ is now restricted to the defined flow rules
+
+Or::
+
+ Ingress traffic on port [...]
+ is not restricted anymore to the defined flow rules
+
+Otherwise, in case of error::
+
+ Caught error type [...] ([...]): [...]
+
+Mainly due to its side effects, PMDs supporting this mode may not have the
+ability to toggle it more than once without reinitializing affected ports
+first (e.g. by exiting testpmd).
+
+Enabling isolated mode::
+
+ testpmd> flow isolate 0 true
+ Ingress traffic on port 0 is now restricted to the defined flow rules
+ testpmd>
+
+Disabling isolated mode::
+
+ testpmd> flow isolate 0 false
+ Ingress traffic on port 0 is not restricted anymore to the defined flow rules
+ testpmd>
+
+Sample QinQ flow rules
+~~~~~~~~~~~~~~~~~~~~~~
+
+Before creating QinQ rule(s) the following commands should be issued to enable QinQ::
+
+ testpmd> port stop 0
+ testpmd> vlan set qinq on 0
+
+The above command sets the inner and outer TPID's to 0x8100.
+
+To change the TPID's the following commands should be used::
+
+ testpmd> vlan set outer tpid 0xa100 0
+ testpmd> vlan set inner tpid 0x9100 0
+ testpmd> port start 0
+
+Validate and create a QinQ rule on port 0 to steer traffic to a VF queue in a VM.
+
+::
+
+ testpmd> flow validate 0 ingress pattern eth / vlan tci is 123 /
+ vlan tci is 456 / end actions vf id 1 / queue index 0 / end
+ Flow rule #0 validated
+
+ testpmd> flow create 0 ingress pattern eth / vlan tci is 4 /
+ vlan tci is 456 / end actions vf id 123 / queue index 0 / end
+ Flow rule #0 created
+
+ testpmd> flow list 0
+ ID Group Prio Attr Rule
+ 0 0 0 i- ETH VLAN VLAN=>VF QUEUE
+
+Validate and create a QinQ rule on port 0 to steer traffic to a queue on the host.
+
+::
+
+ testpmd> flow validate 0 ingress pattern eth / vlan tci is 321 /
+ vlan tci is 654 / end actions pf / queue index 0 / end
+ Flow rule #1 validated
+
+ testpmd> flow create 0 ingress pattern eth / vlan tci is 321 /
+ vlan tci is 654 / end actions pf / queue index 1 / end
+ Flow rule #1 created
+
+ testpmd> flow list 0
+ ID Group Prio Attr Rule
+ 0 0 0 i- ETH VLAN VLAN=>VF QUEUE
+ 1 0 0 i- ETH VLAN VLAN=>PF QUEUE
+
+BPF Functions
+--------------
+
+The following sections show functions to load/unload eBPF based filters.
+
+bpf-load
+~~~~~~~~
+
+Load an eBPF program as a callback for partciular RX/TX queue::
+
+ testpmd> bpf-load rx|tx (portid) (queueid) (load-flags) (bpf-prog-filename)
+
+The available load-flags are:
+
+* ``J``: use JIT generated native code, otherwise BPF interpreter will be used.
+
+* ``M``: assume input parameter is a pointer to rte_mbuf, otherwise assume it is a pointer to first segment's data.
+
+* ``-``: none.
+
+.. note::
+
+ You'll need clang v3.7 or above to build bpf program you'd like to load
+
+For example:
+
+.. code-block:: console
+
+ cd test/bpf
+ clang -O2 -target bpf -c t1.c
+
+Then to load (and JIT compile) t1.o at RX queue 0, port 1::
+
+.. code-block:: console
+
+ testpmd> bpf-load rx 1 0 J ./dpdk.org/test/bpf/t1.o
+
+To load (not JITed) t1.o at TX queue 0, port 0::
+
+.. code-block:: console
+
+ testpmd> bpf-load tx 0 0 - ./dpdk.org/test/bpf/t1.o
+
+bpf-unload
+~~~~~~~~~~
+
+Unload previously loaded eBPF program for partciular RX/TX queue::
+
+ testpmd> bpf-unload rx|tx (portid) (queueid)
+
+For example to unload BPF filter from TX queue 0, port 0:
+
+.. code-block:: console
+
+ testpmd> bpf-load tx 0 0 - ./dpdk.org/test/bpf/t1.o