From: Khadem Ullah <14pwcse1224@uetpeshawar.edu.pk>
To: dsosnowski@nvidia.com, ivan.malov@arknetworks.am
Cc: viacheslavo@nvidia.com, bingz@nvidia.com, orika@nvidia.com,
suanmingm@nvidia.com, matan@nvidia.com, dev@dpdk.org,
stable@dpdk.org
Subject: Re: [PATCH] net/mlx5: fix connection tracking state item validation
Date: Mon, 11 Aug 2025 02:21:49 -0400 [thread overview]
Message-ID: <20250811062149.2489151-1-14pwcse1224@uetpeshawar.edu.pk> (raw)
In-Reply-To: <20250808074738.2nqgorlqzzyf2jid@ds-vm-debian.local>
Hi Dariusz Sosnowski,
According to documentation, conntrack item matches a conntrack
state after conntrack action. Your statement is also correct
"match valid TCP packets which change TCP connection state",
it means in this case also we are matching TCP connection state.
Please check CONNTRACK item in Generic flow API (rte_flow)
16.2.6.47. Item: CONNTRACK
Matches a conntrack state after conntrack action.
flags: conntrack packet state flags.
Default mask matches all state bits.
https://doc.dpdk.org/guides-24.07/prog_guide/rte_flow.html
E.g. I have performed the following experiemtns on connect-x6-Dx for clarification
(provding only the relevent information).
conntract state can be verified for liberal mode.
In liberal mode, the Seq/ACK/Win check will be ignored (forget about act/seq)
and only the state change will be tracked.
Test 1 : Starting state machine from State 0
flow indirect_action 0 create ingress action conntrack / end
flow create 0 ingress pattern eth / ipv4 / tcp / end actions jump group 3 / end
flow create 0 group 3 ingress pattern eth / ipv4 / tcp / end actions indirect 0 / jump group 5 / end
flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 1 / end actions queue index 1 / end
flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 2 / end actions queue index 2 / end
set fwd rxonly
start
set verbose 3
The following packets will be forwared to queue 1, it means the state machine is now in established state (state 1).
sendp(Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10), iface="",count=1)
sendp(Ether(dst="bb:cc:dd:ee:ff:22",src="aa:bb:cc:dd:ee:ff")/IP(src="150.1.10.10")/TCP(ack=265,seq=265,dport=5555,flags=0x18), iface="",count=1)
FIN packet Terminate the connection; the following packets will be forwarded to queue 2:
pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x01)
pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10)
pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x01)
pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10)
This will be again forwarded it to queue 1:
pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10)
So, according to my understanding(from rte_flow and various experiments),
conntrack item ('conntract is') matches the state of the connection tracking
state machine in hardware
and forward it to the relevent queue.
In any case, I think only a range of values for "conntract is" to be allowed.
Best Regards,
Khadem
next prev parent reply other threads:[~2025-08-11 6:22 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-05 13:23 Khadem Ullah
2025-08-05 14:44 ` Ivan Malov
2025-08-06 8:51 ` Khadem Ullah
2025-08-08 7:47 ` Dariusz Sosnowski
2025-08-11 6:21 ` Khadem Ullah [this message]
2025-08-11 15:15 ` Dariusz Sosnowski
2025-08-11 16:27 ` Khadem Ullah
2025-08-11 17:18 ` Dariusz Sosnowski
2025-08-12 9:51 ` Dariusz Sosnowski
2025-08-12 12:50 ` Khadem Ullah
2025-08-12 12:46 ` [PATCH v2] " Khadem Ullah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250811062149.2489151-1-14pwcse1224@uetpeshawar.edu.pk \
--to=14pwcse1224@uetpeshawar.edu.pk \
--cc=bingz@nvidia.com \
--cc=dev@dpdk.org \
--cc=dsosnowski@nvidia.com \
--cc=ivan.malov@arknetworks.am \
--cc=matan@nvidia.com \
--cc=orika@nvidia.com \
--cc=stable@dpdk.org \
--cc=suanmingm@nvidia.com \
--cc=viacheslavo@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).