From: Maayan Kashani <mkashani@nvidia.com>
To: <dev@dpdk.org>
Cc: <mkashani@nvidia.com>, <dsosnowski@nvidia.com>,
	<rasland@nvidia.com>,
	Viacheslav Ovsiienko <viacheslavo@nvidia.com>, <stable@dpdk.org>,
	Matan Azrad <matan@nvidia.com>, Bing Zhao <bingz@nvidia.com>,
	Ori Kam <orika@nvidia.com>,  Suanming Mou <suanmingm@nvidia.com>,
	Raja Zidane <rzidane@nvidia.com>
Subject: [PATCH v2 3/3] net/mlx5: fix ESP header match after UDP for group 0
Date: Tue, 9 Sep 2025 09:28:53 +0300	[thread overview]
Message-ID: <20250909062853.60592-3-mkashani@nvidia.com> (raw)
In-Reply-To: <20250909062853.60592-1-mkashani@nvidia.com>

From: Viacheslav Ovsiienko <viacheslavo@nvidia.com>

The ESP item translation routine always forced the match
on IP next protocol to be 50 (ESP). This prevented
matching ESP packets over UDP.

The patch checks if UDP header is expected, and also forces
match on UDP destination port 4500 if it is not set
by the caller yet.

Fixes: 18ca4a4ec73a ("net/mlx5: support ESP SPI match and RSS hash")
Cc: stable@dpdk.org

Signed-off-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>
Acked-by: Matan Azrad <matan@nvidia.com>
---
 drivers/net/mlx5/linux/mlx5_flow_os.c |  6 -----
 drivers/net/mlx5/mlx5_flow.h          |  3 +++
 drivers/net/mlx5/mlx5_flow_dv.c       | 34 ++++++++++++++++-----------
 3 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/drivers/net/mlx5/linux/mlx5_flow_os.c b/drivers/net/mlx5/linux/mlx5_flow_os.c
index 777125e9a87..f5eee46e44b 100644
--- a/drivers/net/mlx5/linux/mlx5_flow_os.c
+++ b/drivers/net/mlx5/linux/mlx5_flow_os.c
@@ -25,8 +25,6 @@ mlx5_flow_os_validate_item_esp(const struct rte_eth_dev *dev,
 	const int tunnel = !!(item_flags & MLX5_FLOW_LAYER_TUNNEL);
 	const uint64_t l3m = tunnel ? MLX5_FLOW_LAYER_INNER_L3 :
 				      MLX5_FLOW_LAYER_OUTER_L3;
-	const uint64_t l4m = tunnel ? MLX5_FLOW_LAYER_INNER_L4 :
-				      MLX5_FLOW_LAYER_OUTER_L4;
 	static const struct rte_flow_item_esp mlx5_flow_item_esp_mask = {
 		.hdr = {
 			.spi = RTE_BE32(0xffffffff),
@@ -41,10 +39,6 @@ mlx5_flow_os_validate_item_esp(const struct rte_eth_dev *dev,
 						  RTE_FLOW_ERROR_TYPE_ITEM,
 						  item, "L3 is mandatory to filter on L4");
 	}
-	if (item_flags & l4m)
-		return rte_flow_error_set(error, EINVAL,
-					  RTE_FLOW_ERROR_TYPE_ITEM, item,
-					  "multiple L4 layers not supported");
 	if (target_protocol != 0xff && target_protocol != IPPROTO_ESP)
 		return rte_flow_error_set(error, EINVAL,
 					  RTE_FLOW_ERROR_TYPE_ITEM, item,
diff --git a/drivers/net/mlx5/mlx5_flow.h b/drivers/net/mlx5/mlx5_flow.h
index 367dacc2779..ff617060549 100644
--- a/drivers/net/mlx5/mlx5_flow.h
+++ b/drivers/net/mlx5/mlx5_flow.h
@@ -489,6 +489,9 @@ struct mlx5_mirror {
 /* UDP port numbers for GENEVE. */
 #define MLX5_UDP_PORT_GENEVE 6081
 
+/* UDP port numbers for ESP. */
+#define MLX5_UDP_PORT_ESP 4500
+
 /* Lowest priority indicator. */
 #define MLX5_FLOW_LOWEST_PRIO_INDICATOR ((uint32_t)-1)
 
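Review bot: The comment on `MLX5_UDP_PORT_ESP` does not say which kind of ESP traffic uses this port, and "port numbers" is plural for a single value. 4500 is the NAT-traversal port for UDP-encapsulated ESP (RFC 3948), and IKE messages use the same port, so a rule that relies on this default without an SPI match would presumably also catch IKE traffic. I would word it as `/* UDP destination port for UDP-encapsulated ESP (NAT-T, RFC 3948); shared with IKE. */`.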
diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index 18d0d293770..bcce1597e2d 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -9713,29 +9713,35 @@ flow_dv_translate_item_tcp(void *key, const struct rte_flow_item *item,
  */
 static void
 flow_dv_translate_item_esp(void *key, const struct rte_flow_item *item,
-			   int inner, uint32_t key_type)
+			   int inner, uint32_t key_type, uint64_t item_flags)
 {
 	const struct rte_flow_item_esp *esp_m;
 	const struct rte_flow_item_esp *esp_v;
 	void *headers_v;
 	char *spi_v;
+	bool over_udp = item_flags & (inner ? MLX5_FLOW_LAYER_INNER_L4_UDP :
+					      MLX5_FLOW_LAYER_OUTER_L4_UDP);
 
 	headers_v = inner ? MLX5_ADDR_OF(fte_match_param, key, inner_headers) :
-		MLX5_ADDR_OF(fte_match_param, key, outer_headers);
-	if (key_type & MLX5_SET_MATCHER_M)
-		MLX5_SET(fte_match_set_lyr_2_4, headers_v,
-			 ip_protocol, 0xff);
-	else
-		MLX5_SET(fte_match_set_lyr_2_4, headers_v,
-			 ip_protocol, IPPROTO_ESP);
+			    MLX5_ADDR_OF(fte_match_param, key, outer_headers);
+	if (key_type & MLX5_SET_MATCHER_M) {
+		MLX5_SET(fte_match_set_lyr_2_4, headers_v, ip_protocol, 0xff);
+		if (over_udp && !MLX5_GET16(fte_match_set_lyr_2_4, headers_v, udp_dport))
+			MLX5_SET(fte_match_set_lyr_2_4, headers_v, udp_dport, 0xFFFF);
+	} else {
+		if (!over_udp)
+			MLX5_SET(fte_match_set_lyr_2_4, headers_v, ip_protocol, IPPROTO_ESP);
+		else
+			if (!MLX5_GET16(fte_match_set_lyr_2_4, headers_v, udp_dport))
+				MLX5_SET(fte_match_set_lyr_2_4, headers_v, udp_dport,
+					 MLX5_UDP_PORT_ESP);
+	}
 	if (MLX5_ITEM_VALID(item, key_type))
 		return;
-	MLX5_ITEM_UPDATE(item, key_type, esp_v, esp_m,
-			 &rte_flow_item_esp_mask);
+	MLX5_ITEM_UPDATE(item, key_type, esp_v, esp_m, &rte_flow_item_esp_mask);
 	headers_v = MLX5_ADDR_OF(fte_match_param, key, misc_parameters);
-	spi_v = inner ? MLX5_ADDR_OF(fte_match_set_misc, headers_v,
-				inner_esp_spi) : MLX5_ADDR_OF(fte_match_set_misc
-				, headers_v, outer_esp_spi);
+	spi_v = inner ? MLX5_ADDR_OF(fte_match_set_misc, headers_v, inner_esp_spi) :
+			MLX5_ADDR_OF(fte_match_set_misc, headers_v, outer_esp_spi);
 	*(uint32_t *)spi_v = esp_m->hdr.spi & esp_v->hdr.spi;
 }
 
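Review bot: `over_udp` only separates UDP from everything else, while this same patch drops the "multiple L4 layers not supported" rejection from mlx5_flow_os_validate_item_esp() entirely, so an ESP item placed after a non-UDP L4 item such as TCP now seems to pass validation and land in the `!over_udp` branch. There the value key gets `ip_protocol` set to IPPROTO_ESP on top of whatever the earlier L4 item programmed, which yields a rule that does not match what the application described. Keeping the validator check but exempting UDP, i.e. rejecting when `item_flags & l4m` is set and the inner/outer `MLX5_FLOW_LAYER_*_L4_UDP` bit is not, would close that gap. Separately, the doc comment that ends at the top of this hunk starts outside it and probably needs an `item_flags` entry such as `@param[in] item_flags Layers parsed before this item; used to detect ESP over UDP.`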
@@ -14224,7 +14230,7 @@ flow_dv_translate_items(struct rte_eth_dev *dev,
 
 	switch (item_type) {
 	case RTE_FLOW_ITEM_TYPE_ESP:
-		flow_dv_translate_item_esp(key, items, tunnel, key_type);
+		flow_dv_translate_item_esp(key, items, tunnel, key_type, wks->item_flags);
 		wks->priority = MLX5_PRIORITY_MAP_L4;
 		last_item = MLX5_FLOW_ITEM_ESP;
 		break;
-- 
2.21.0

