From: Dariusz Sosnowski <dsosnowski@nvidia.com>
To: Khadem Ullah <14pwcse1224@uetpeshawar.edu.pk>
Cc: <ivan.malov@arknetworks.am>, <viacheslavo@nvidia.com>,
<bingz@nvidia.com>, <orika@nvidia.com>, <suanmingm@nvidia.com>,
<matan@nvidia.com>, <dev@dpdk.org>, <stable@dpdk.org>
Subject: Re: [PATCH] net/mlx5: fix connection tracking state item validation
Date: Mon, 11 Aug 2025 19:18:34 +0200 [thread overview]
Message-ID: <20250811171834.fcyhsgkssyai5uho@ds-vm-debian.local> (raw)
In-Reply-To: <CA++2-x5voCjMDXcO_jJw6vrmvtDzfPaAArABeAT9TGcVzXtoZA@mail.gmail.com>
On Mon, Aug 11, 2025 at 09:27:06PM +0500, Khadem Ullah wrote:
> Thank you for providing these details. Sure, I will go through it (will
> performed the experiment) and come back to you.
> I totally agree that the documentation about connection tracking should be
> improved.
>
>
> On Mon, Aug 11, 2025 at 8:17 PM Dariusz Sosnowski <dsosnowski@nvidia.com>
> wrote:
>
> >
> > > Are these the only testpmd commands you execute?
> >
> > No, as I mentioned earlier, I have provided only relevant information. I
> had added something similar commands as yours,
> the following was missing from my configurations.
>
> set conntrack com peer 1 is_orig 1 enable 1 live 1 sack 1 cack 0 last_dir 0
> liberal 1 state 0 max_ack_win 7
> r_lim 3 last_win 510 last_seq 65535 last_ack 65537 last_end 65545
> last_index 0x8
>
> set conntrack orig scale 7 fin 1 acked 1 unack_data 0 sent_end 65545
> reply_end 65535 max_win 28960 max_ack 2632987379
> set conntrack rply scale 7 fin 0 acked 1 unack_data 0 sent_end 65545
> reply_end 65535 max_win 65280 max_ack 2532480967
>
> . > 3 conntrack item deals with RTE_FLOW_CONNTRACK_PKT_STATE_* bitmap
>
> > In your example, "conntrack is 1" specification sets flags to 1.
> > This means, "match packets with RTE_FLOW_CONNTRACK_PKT_STATE_VALID"
> >and not "connection in RTE_FLOW_CONNTRACK_STATE_ESTABLISHED".
>
> > The same goes for "conntrack is 2". It specifies match on
> > RTE_FLOW_CONNTRACK_PKT_STATE_CHANGED, not on
> >R TE_FLOW_CONNTRACK_STATE_FIN_WAIT or any other state.
> >
> > Because it is a bitmap, conntrack item can specify a combination of
> >P KT_STATE flags. For example, "conntrack is 3" would mean matching
> >a packet with RTE_FLOW_CONNTRACK_PKT_STATE_VALID and
> >RTE_FLOW_CONNTRACK_PKT_STATE_CHANGED flags set.
>
> Can this RTE_FLOW_CONNTRACK_PKT_STATE_* bitmap be represented with a
> specific valid range ?
> for example, we can say, 'conntrack is' valid for 1 to 8, or any other
> range. As, currently user can specify
> any value e.g., 1000 and it allows it.
Since conntrack item flags is a bitmap, then any combination of RTE_FLOW_CONNTRACK_PKT_STATE_*
flags is a valid value to match on.
The validation could be done as follows:
flags_all = (RTE_FLOW_CONNTRACK_PKT_STATE_VALID |
RTE_FLOW_CONNTRACK_PKT_STATE_CHANGED |
RTE_FLOW_CONNTRACK_PKT_STATE_INVALID |
RTE_FLOW_CONNTRACK_PKT_STATE_DISABLED |
RTE_FLOW_CONNTRACK_PKT_STATE_BAD)
if spec->flags & ~flags_all:
reject
Regarding validation itself, if this is added, please make sure of the following:
- In mlx5_flow_dv_validate_item_aso_ct() - check for spec->flags should be
inside if clause for `!mlx5_hws_active()`. This is to make sure that
validation is done only in synchronous flow API.
- Asynchronous flow API has a separate validation, which can be enabled
at build time.
This can be added to a switch case in flow_hw_validate_rule_pattern().
>
> Thanks again!
> Best regards,
> Khadem
next prev parent reply other threads:[~2025-08-11 17:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-05 13:23 Khadem Ullah
2025-08-05 14:44 ` Ivan Malov
2025-08-06 8:51 ` Khadem Ullah
2025-08-08 7:47 ` Dariusz Sosnowski
2025-08-11 6:21 ` Khadem Ullah
2025-08-11 15:15 ` Dariusz Sosnowski
2025-08-11 16:27 ` Khadem Ullah
2025-08-11 17:18 ` Dariusz Sosnowski [this message]
2025-08-12 9:51 ` Dariusz Sosnowski
2025-08-12 12:50 ` Khadem Ullah
2025-08-12 12:46 ` [PATCH v2] " Khadem Ullah
2025-08-13 14:16 ` Dariusz Sosnowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250811171834.fcyhsgkssyai5uho@ds-vm-debian.local \
--to=dsosnowski@nvidia.com \
--cc=14pwcse1224@uetpeshawar.edu.pk \
--cc=bingz@nvidia.com \
--cc=dev@dpdk.org \
--cc=ivan.malov@arknetworks.am \
--cc=matan@nvidia.com \
--cc=orika@nvidia.com \
--cc=stable@dpdk.org \
--cc=suanmingm@nvidia.com \
--cc=viacheslavo@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).