* [PATCH] net/mlx5: fix connection tracking state item validation
@ 2025-08-05 13:23 Khadem Ullah
2025-08-05 14:44 ` Ivan Malov
0 siblings, 1 reply; 4+ messages in thread
From: Khadem Ullah @ 2025-08-05 13:23 UTC (permalink / raw)
To: Dariusz Sosnowski, Viacheslav Ovsiienko, Bing Zhao, Ori Kam,
Suanming Mou, Matan Azrad
Cc: dev, stable, Khadem Ullah
This patch validate a connection tracking state when matching
'conntrack is' in rte_flow rules. The conntract possible CT states
are SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK and
TIME_WAIT. Therefore the maximum possible value to match on
in rte_flow is TIME_WAIT but mlx5 allowed matching on any values.
This patch validate the CT state item.
Fixes: aca19061e4b9 ('net/mlx5: validate connection tracking item')
Cc: stable@dpdk.org
Signed-off-by: Khadem Ullah <14pwcse1224@uetpeshawar.edu.pk>
---
drivers/net/mlx5/mlx5_flow_dv.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index 7b9e5018b8..750385cd42 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -3290,6 +3290,11 @@ mlx5_flow_dv_validate_item_aso_ct(struct rte_eth_dev *dev,
NULL,
"Conflict status bits");
}
+ if (spec->flags > RTE_FLOW_CONNTRACK_STATE_TIME_WAIT)
+ return rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ NULL,
+ "Invalid CT state matching \n");
/* State change also needs to be considered. */
*item_flags |= MLX5_FLOW_LAYER_ASO_CT;
return 0;
--
2.43.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] net/mlx5: fix connection tracking state item validation
2025-08-05 13:23 [PATCH] net/mlx5: fix connection tracking state item validation Khadem Ullah
@ 2025-08-05 14:44 ` Ivan Malov
2025-08-06 8:51 ` Khadem Ullah
0 siblings, 1 reply; 4+ messages in thread
From: Ivan Malov @ 2025-08-05 14:44 UTC (permalink / raw)
To: Khadem Ullah
Cc: Dariusz Sosnowski, Viacheslav Ovsiienko, Bing Zhao, Ori Kam,
Suanming Mou, Matan Azrad, dev, stable
Hi,
On Tue, 5 Aug 2025, Khadem Ullah wrote:
> This patch validate a connection tracking state when matching
> 'conntrack is' in rte_flow rules. The conntract possible CT states
> are SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK and
> TIME_WAIT. Therefore the maximum possible value to match on
> in rte_flow is TIME_WAIT but mlx5 allowed matching on any values.
>
> This patch validate the CT state item.
> Fixes: aca19061e4b9 ('net/mlx5: validate connection tracking item')
> Cc: stable@dpdk.org
>
> Signed-off-by: Khadem Ullah <14pwcse1224@uetpeshawar.edu.pk>
> ---
> drivers/net/mlx5/mlx5_flow_dv.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
> index 7b9e5018b8..750385cd42 100644
> --- a/drivers/net/mlx5/mlx5_flow_dv.c
> +++ b/drivers/net/mlx5/mlx5_flow_dv.c
> @@ -3290,6 +3290,11 @@ mlx5_flow_dv_validate_item_aso_ct(struct rte_eth_dev *dev,
> NULL,
> "Conflict status bits");
> }
> + if (spec->flags > RTE_FLOW_CONNTRACK_STATE_TIME_WAIT)
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> + NULL,
> + "Invalid CT state matching \n");
It might be better to enclose the multi-line block in brackets.
Also, is it correct to treat 'flags' like enum 'RTE_FLOW_CONNTRACK_STATE'?
I thought it was following 'RTE_FLOW_CONNTRACK_PKT_STATE' flags instead [1].
[1] https://doc.dpdk.org/api-25.07/rte__flow_8h.html#a7a41946aa03ebca8c432279604265b51
Or am I missing something?
Thank you.
> /* State change also needs to be considered. */
> *item_flags |= MLX5_FLOW_LAYER_ASO_CT;
> return 0;
> --
> 2.43.0
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] net/mlx5: fix connection tracking state item validation
2025-08-05 14:44 ` Ivan Malov
@ 2025-08-06 8:51 ` Khadem Ullah
2025-08-08 7:47 ` Dariusz Sosnowski
0 siblings, 1 reply; 4+ messages in thread
From: Khadem Ullah @ 2025-08-06 8:51 UTC (permalink / raw)
To: ivan.malov
Cc: dsosnowski, viacheslavo, bingz, orika, suanmingm, matan, dev, stable
Hi Ivan,
The multi-line block was not closed in brackets due to coding style.
Spec provides values to match (e.g. a given IPv4 address) in rte_flow rules.
Incase of the flowing rte_flow rule, spec provides in
mlx5_flow_dv_validate_item_aso_ct the conntrack state to be validated.
The following is a valid rule and it should be offloaded.
flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 1 / end actions queue index 5 / end
and the following is an invalid rule which should be rejected, as there is no conntract state corresponds to 10.
flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 10 / end actions queue index 5 / end
Please check https://doc.dpdk.org/guides-24.07/prog_guide/rte_flow.html#pattern-item
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] net/mlx5: fix connection tracking state item validation
2025-08-06 8:51 ` Khadem Ullah
@ 2025-08-08 7:47 ` Dariusz Sosnowski
0 siblings, 0 replies; 4+ messages in thread
From: Dariusz Sosnowski @ 2025-08-08 7:47 UTC (permalink / raw)
To: Khadem Ullah
Cc: ivan.malov, viacheslavo, bingz, orika, suanmingm, matan, dev, stable
On Wed, Aug 06, 2025 at 04:51:42AM -0400, Khadem Ullah wrote:
> Hi Ivan,
>
> The multi-line block was not closed in brackets due to coding style.
>
> Spec provides values to match (e.g. a given IPv4 address) in rte_flow rules.
> Incase of the flowing rte_flow rule, spec provides in
> mlx5_flow_dv_validate_item_aso_ct the conntrack state to be validated.
>
> The following is a valid rule and it should be offloaded.
>
> flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 1 / end actions queue index 5 / end
>
> and the following is an invalid rule which should be rejected, as there is no conntract state corresponds to 10.
> flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 10 / end actions queue index 5 / end
>
> Please check https://doc.dpdk.org/guides-24.07/prog_guide/rte_flow.html#pattern-item
I think there might have been a misunderstanding about states
relevant for conntrack flow items and actions.
What Ivan has mentioned regarding RTE_FLOW_CONNTRACK_PKT_STATE_* flags
is correct.
- rte_flow_conntrack_state enum denotes possible TCP connection states
(SYN_RECV, ESTABLISHED, TIME_WAIT, etc.).
These are used during creation/querying of the conntrack flow action object
to initialize/inspect the TCP connection state machine in the HW.
From flow API perspective, it is relevant only for the conntrack action:
https://doc.dpdk.org/api/structrte__flow__action__conntrack.html
- rte_flow_item_conntrack flow item is used to match packets based on
how they interact with HW TCP state machine.
After conntrack action is executed in the HW on the packet,
application can match that packet based on the result of connection
tracking e.g., match correct TCP packets which are in current TCP
window or match packets which change TCP connection state.
As noted in API docs - https://doc.dpdk.org/api/structrte__flow__item__conntrack.html -
this item takes a bitmap of RTE_FLOW_CONNTRACK_PKT_STATE_* bits.
For example match can be on RTE_FLOW_CONNTRACK_PKT_STATE_VALID | RTE_FLOW_CONNTRACK_PKT_STATE_CHANGED
meaning, "match valid TCP packets which change TCP connection state".
Because of the above, the proposed change to validate item's flags
against variants of rte_flow_conntrack_state enum is incorrect.
Best regards,
Dariusz Sosnowski
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-08-08 7:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-08-05 13:23 [PATCH] net/mlx5: fix connection tracking state item validation Khadem Ullah
2025-08-05 14:44 ` Ivan Malov
2025-08-06 8:51 ` Khadem Ullah
2025-08-08 7:47 ` Dariusz Sosnowski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).