Hi Dariusz, I have tested the following example and it is working fine. Can we add this example to documentation (either in https://doc.dpdk.org/guides/testpmd_app_ug/testpmd_funcs.html or mlx5 or somewhere else) ? On Mon, Aug 11, 2025 at 8:17 PM Dariusz Sosnowski wrote: > > [1]: Full conntrack example, testpmd commands: > > # Initial conntrack action configuration: original direction, state > SYN_RECV, liberal mode and enabled > set conntrack com peer 0 is_orig 1 enable 1 live 0 sack 0 cack 0 last_dir > 0 liberal 1 state 0 max_ack_win 0 r_lim 5 last_win 510 last_seq 2000 > last_ack 101 last_end 101 last_index 0x2 > set conntrack orig scale 0xf fin 0 acked 1 unack_data 0 sent_end 101 > reply_end 65535 max_win 0 max_ack 0 > set conntrack rply scale 0xf fin 0 acked 1 unack_data 0 sent_end 2001 > reply_end 65535 max_win 0 max_ack 101 > flow indirect_action 0 create ingress action conntrack / end > > # Create a rule for original direction > flow create 0 group 3 ingress pattern eth / ipv4 src is 1.2.3.4 dst is > 5.6.7.8 / tcp src is 40000 dst is 50000 / end actions indirect 0 / jump > group 5 / end > > # Update conntrack action - now rule will created for reply direction > set conntrack com peer 0 is_orig 0 enable 1 live 0 sack 0 cack 0 last_dir > 0 liberal 1 state 0 max_ack_win 0 r_lim 5 last_win 510 last_seq 2000 > last_ack 101 last_end 101 last_index 0x2 > flow indirect_action 0 update 0 action conntrack_update dir / end > > # Create a rule for reply direction > flow create 0 group 3 ingress pattern eth / ipv4 src is 5.6.7.8 dst is > 1.2.3.4 / tcp src is 50000 dst is 40000 / end actions indirect 0 / jump > group 5 / end > > # Create group 0 rule for TCP traffic > flow create 0 ingress pattern eth / ipv4 / tcp / end actions jump group 3 > / end > > # Match valid packets, mark and send to queue 0 > flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 1 / > end actions mark id 0x111 / queue index 0 / end > # Match valid packets which change connection state > flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 3 / > end actions mark id 0x333 / queue index 0 / end > > set verbose 1 > set fwd rxonly > start > > Example packets to send after all flow rules are created: > > # ACK in handshake: transition SYN_RECV->ESTABLISHED; logged as "FDIR > matched ID=0x333" > pkt = (Ether() / IP(src='1.2.3.4', dst='5.6.7.8') / TCP(sport=40000, > dport=50000, flags='A', seq=101, ack=2001)) > > # some data from original direction; logged as "FDIR matched ID=0x111" > pkt = (Ether() / IP(src='1.2.3.4', dst='5.6.7.8') / TCP(sport=40000, > dport=50000, flags='A', seq=101, ack=2001) / Raw(load=b'a' * 100)) > > # ack from reply direction; logged as "FDIR matched ID=0x111" > pkt = (Ether() / IP(src='5.6.7.8', dst='1.2.3.4') / TCP(sport=50000, > dport=40000, flags='A', seq=2001, ack=201)) > > # fin from original direction; logged as "FDIR matched ID=0x333" > pkt = (Ether() / IP(src='1.2.3.4', dst='5.6.7.8') / TCP(sport=40000, > dport=50000, flags='F', seq=201, ack=2001)) > > # ack from reply direction; logged as "FDIR matched ID=0x333" > pkt = (Ether() / IP(src='5.6.7.8', dst='1.2.3.4') / TCP(sport=50000, > dport=40000, flags='A', seq=2001, ack=202)) > > # fin from reply direction; logged as "FDIR matched ID=0x333" > pkt = (Ether() / IP(src='5.6.7.8', dst='1.2.3.4') / TCP(sport=50000, > dport=40000, flags='F', seq=2001, ack=202)) > > # ack from original direction; logged as "FDIR matched ID=0x333" > pkt = (Ether() / IP(src='1.2.3.4', dst='5.6.7.8') / TCP(sport=40000, > dport=50000, flags='A', seq=201, ack=2002)) > Best Regards, Khadem