From: Khadem Ullah <14pwcse1224@uetpeshawar.edu.pk>
To: dsosnowski@nvidia.com, ivan.malov@arknetworks.am
Cc: viacheslavo@nvidia.com, bingz@nvidia.com, orika@nvidia.com, suanmingm@nvidia.com, matan@nvidia.com, dev@dpdk.org, stable@dpdk.org
Subject: Re: [PATCH] net/mlx5: fix connection tracking state item validation
Date: Mon, 11 Aug 2025 02:21:49 -0400
Message-ID: <20250811062149.2489151-1-14pwcse1224@uetpeshawar.edu.pk>
In-Reply-To: <20250808074738.2nqgorlqzzyf2jid@ds-vm-debian.local>
References: <20250808074738.2nqgorlqzzyf2jid@ds-vm-debian.local>

Hi Dariusz Sosnowski,

According to the documentation, the conntrack item matches a conntrack state after the conntrack action. Your statement is also correct, "match valid TCP packets which change TCP connection state"; it means that in this case also we are matching the TCP connection state.

Please check the CONNTRACK item in Generic flow API (rte_flow):

    16.2.6.47. Item: CONNTRACK
    Matches a conntrack state after conntrack action.
    flags: conntrack packet state flags.
    Default mask matches all state bits.

    https://doc.dpdk.org/guides-24.07/prog_guide/rte_flow.html

E.g. I have performed the following experiments on ConnectX-6 Dx for clarification (providing only the relevant information). The conntrack state can be verified for liberal mode. In liberal mode, the Seq/ACK/Win check will be ignored (forget about act/seq) and only the state change will be tracked.

Test 1: Starting state machine from State 0

    flow indirect_action 0 create ingress action conntrack / end
    flow create 0 ingress pattern eth / ipv4 / tcp / end actions jump group 3 / end
    flow create 0 group 3 ingress pattern eth / ipv4 / tcp / end actions indirect 0 / jump group 5 / end
    flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 1 / end actions queue index 1 / end
    flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 2 / end actions queue index 2 / end
    set fwd rxonly
    start
    set verbose 3

The following packets will be forwarded to queue 1; it means the state machine is now in established state (state 1).

    sendp(Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10), iface="",count=1)
    sendp(Ether(dst="bb:cc:dd:ee:ff:22",src="aa:bb:cc:dd:ee:ff")/IP(src="150.1.10.10")/TCP(ack=265,seq=265,dport=5555,flags=0x18), iface="",count=1)

FIN packet: terminate the connection; the following packets will be forwarded to queue 2:

    pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x01)
    pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10)
    pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x01)
    pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10)

This will again be forwarded to queue 1:

    pkt=Ether()/IP()/TCP(ack=265,seq=265,dport=5555,flags=0x10)

So, according to my understanding (from rte_flow and various experiments), the conntrack item ('conntrack is') matches the state of the connection tracking state machine in hardware and forwards it to the relevant queue. In any case, I think only a range of values for "conntrack is" should be allowed.

Best Regards,
Khadem
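
Added example, not part of the message above and not code from the mlx5 driver: one way a driver could restrict the value accepted by "conntrack is" to a defined range, rejecting any flags word whose effective bits (spec AND mask) fall outside the defined conntrack packet state flags. The CT_PKT_STATE_* constants are local copies of the RTE_FLOW_CONNTRACK_PKT_STATE_* bits in rte_flow.h so the block builds without DPDK; struct ct_item and ct_item_validate() are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local copies of RTE_FLOW_CONNTRACK_PKT_STATE_* (rte_flow.h). */
#define CT_PKT_STATE_VALID    (UINT32_C(1) << 0)
#define CT_PKT_STATE_CHANGED  (UINT32_C(1) << 1)
#define CT_PKT_STATE_INVALID  (UINT32_C(1) << 2)
#define CT_PKT_STATE_DISABLED (UINT32_C(1) << 3)
#define CT_PKT_STATE_BAD      (UINT32_C(1) << 4)
#define CT_PKT_STATE_ALL (CT_PKT_STATE_VALID | CT_PKT_STATE_CHANGED | \
                          CT_PKT_STATE_INVALID | CT_PKT_STATE_DISABLED | \
                          CT_PKT_STATE_BAD)

/* Hypothetical stand-in for struct rte_flow_item_conntrack (one flags word). */
struct ct_item {
    uint32_t flags;
};

/*
 * Hypothetical validator. Returns 0 when the item can be accepted and
 * -EINVAL when it asks to match on a bit with no defined meaning.
 * A NULL mask means the default mask, which matches all state bits.
 */
int ct_item_validate(const struct ct_item *spec, const struct ct_item *mask)
{
    uint32_t m = mask != NULL ? mask->flags : UINT32_MAX;

    if (spec == NULL)
        return 0;               /* no spec: nothing to range-check */
    if ((spec->flags & m) & ~CT_PKT_STATE_ALL)
        return -EINVAL;         /* undefined state bit requested */
    return 0;
}

int main(void)
{
    /* Constructed sample values, as they would follow "conntrack is". */
    const uint32_t samples[] = { 1, 2, 3, 32, 0xffffffff };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ct_item spec = { .flags = samples[i] };
        printf("conntrack is %u -> %d\n", (unsigned)samples[i],
               ct_item_validate(&spec, NULL));
    }
    return 0;
}
```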