From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B34C748B4C for ; Wed, 19 Nov 2025 11:29:06 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8C83940262; Wed, 19 Nov 2025 11:29:06 +0100 (CET) Received: from MW6PR02CU001.outbound.protection.outlook.com (mail-westus2azon11012001.outbound.protection.outlook.com [52.101.48.1]) by mails.dpdk.org (Postfix) with ESMTP id D9AA740262 for ; Wed, 19 Nov 2025 11:29:04 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=PXhXz2ho7w4T2V4qIuFxDmdFh726O82mHfJJYfApXwbQrs9pxqZ2DN2FmYpHkOaA58lU/8yOhZlJq2RFbpFLS9jne2Nkc5eIqxHsqu1MtDwAT6tq+o0OqXB5w3FqGnx0F2m3g0+PyOrkq6ATiGgcN+8MkbN3ie+WWFE2wmuu3q8dRTv++5blAT6fc6xfvkEs2C7JUh6phz5bZmfdP5BLR3dea5uxf6V6KWnYN5ifP844+cN+j+pbjmuRTnMNgiWNpQfhGC0ELmxg3wI1Qe9p77RWfyq/RZc453EMuidMgW/59UZPw+Rd+ml5gvbWOA8GEdh5KV3XOc0J7xxQ5Y1eAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xFju5S/WMuFQMBpo+/X96fJ/b8lTxTf6aAch19I5hGA=; b=jxw9saIcyYxUYPhoQVzMDrZr9qy3uB/vL8OW/S8lXEBP8M8KntrrsuSmz9Rllo3tT0WGVmOwrejDCvef5Sh7tqrcPtvBNLSVoDwIxEiqiitaiGC1yAF4T6ibOtC6VrE/0hMingj2yC68Xs5L5lScp22++obrQ000Ir4NhdLlZzk0O6h1yyqJqRl6L7JUayj84D1TiN+PQ3X7ROCKPvNFM1LKnYcmF7/7xqi1aaeKfkB5+m+0YnZiCZia12tTAvu/m3R1aLIaqRD9k6PIHxc8uTDqq6R4fvMio60J9eyPlV90i2FVq7cp/mCqLgu6OdLGHR6EspHJi269j91dh7BzAg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=dpdk.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xFju5S/WMuFQMBpo+/X96fJ/b8lTxTf6aAch19I5hGA=; b=IN3aoPKfhSEiKFDknjnBieRrvSRjN3eCbOEv+86Lor3NeSb7Rry8gpeAADBQd12gTaS5hqsUmxgeGxmT6oGbgoIsQus7EYwhF9DjcXyeHYjoK516BG/80ncoak+vhTPcfU7DTmiYOO9kjvDEjDz3Ce+OOm1m7BokclF6J1nCzvd3+Yj3k0H7qIofMQ4haZSTRiq/1Ra0e97f2iQwMaCzNZRJ3iT63VNDkrX6NWbHUujDXMu86jIv6Zc+fgNUs/dAhp5CUtyooqptrSoj0T1RZ89+cKwcNFOZsbGMxUNaaLfNj13lT7bszwOXXeg6U3GDLH82/yjCYEtV1DDcTUPf4Q== Received: from DM6PR08CA0027.namprd08.prod.outlook.com (2603:10b6:5:80::40) by BY5PR12MB4067.namprd12.prod.outlook.com (2603:10b6:a03:212::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.10; Wed, 19 Nov 2025 10:28:57 +0000 Received: from CY4PEPF0000EDD2.namprd03.prod.outlook.com (2603:10b6:5:80:cafe::a6) by DM6PR08CA0027.outlook.office365.com (2603:10b6:5:80::40) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9343.10 via Frontend Transport; Wed, 19 Nov 2025 10:28:57 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by CY4PEPF0000EDD2.mail.protection.outlook.com (10.167.241.198) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.9 via Frontend Transport; Wed, 19 Nov 2025 10:28:57 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 19 Nov 2025 02:28:42 -0800 Received: from nvidia.com (10.126.230.35) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 19 Nov 2025 02:28:38 -0800 From: Junfeng Guo To: CC: , , , , , , , Subject: [PATCH] net/mlx5: fix IP tunnel detection for IPIP and IPv6 ENCAP Date: Wed, 19 Nov 2025 12:28:12 +0200 Message-ID: <20251119102812.44075-1-junfengg@nvidia.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.126.230.35] X-ClientProxiedBy: rnnvmail202.nvidia.com (10.129.68.7) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CY4PEPF0000EDD2:EE_|BY5PR12MB4067:EE_ X-MS-Office365-Filtering-Correlation-Id: cbbc66e6-8ed2-4135-8ede-08de27567248 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|376014|82310400026|1800799024|36860700013|7053199007; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?YiHryw7L335bceYFlNK66kwJn1RA2HUbLzjS8vnJOxjZOKnaqeEEpUTPP4Dl?= =?us-ascii?Q?sPB5aBmu309cxDCMFZ//zgSlNXbB6cNwSy61pTkNPAaGttOZjXRpB4kfGDqV?= =?us-ascii?Q?dLGTzOlqUOKoVj7p8V5nJus3oE46FoCglcWwxDLcH7HZ995pyum53Rel+cbw?= =?us-ascii?Q?z5XoguHTVXzejFH/nX40LmY3STKBy1FU926kD69oAjhFHk8P/WkNnbavLKsu?= =?us-ascii?Q?OMZqDTjrjRE2T12uXiM6DxERsBUWdOyYDon7eo4u/14ins/QFuBjTotrSGvv?= =?us-ascii?Q?JycFfF66wZUw5+s+bNDIO0uRrtYo4Lx2UAAPyC9O6oiTH/4rnu9+3KC1FO//?= =?us-ascii?Q?WKmSwKog5g7G5SzppJkb41nhgHYje0lW3rOoURcqUKw42sqvLFVdw3lVihzx?= =?us-ascii?Q?w6WfRb4PzJ4OT4fNH9c/av+2jWgvK9X0t6MsOURuJo5rB55FAs/7pQBerVvs?= =?us-ascii?Q?m6sM+lyWsVAgov5oIyqB5NuIVW6OH+Jy4v1bEn259KG+Lg8TKFmlBLJBvKCI?= =?us-ascii?Q?Raax38GEwNF7vgB3ShM11FoOPG/sP38UFp5h23W1QFAIeLrXi3WJellVuFof?= =?us-ascii?Q?v3uJPXh9CQzV97vboDM5gvYRosxC/cC2tCfL0wblDzjfMfASE7mfiUXPtAIr?= =?us-ascii?Q?PSUOF8uGehJlu2EZ0T4C1gKOowZ4DD2WGNrEkDOAvyi4i8yEWyW8+e2cYtsU?= =?us-ascii?Q?AHp1Ni0sHpWmzqudmS8SUmCHfVACs5Nvqq4I1q3hIbPuT+3pyYug7Ybf7ZiE?= =?us-ascii?Q?/has+izAJqUhLLGExPGiqi5avWI6YmsJtAVPiFBfpvDr8AA2mH/gVSxKVCTR?= =?us-ascii?Q?dKdMWz5xtRTZ4k2Gd/a80mHjRkutQ+rQWOOApPUGYz+aFGJAnT36XQ++t2q9?= =?us-ascii?Q?ncOap6DmzKoPmRfSD2jQ1/ur0GU66I7N92Cz7xN2s2jrd66rldCR5p51My7X?= =?us-ascii?Q?duYgi1jSwYVGDX4HvTVPcz5569txowa2EIs8ilIJd2vDx8SpaiNBrDc1b5sl?= =?us-ascii?Q?TqC6LvSJM5I9m2ZKt367Yd/oydpWTA8FY6o9tpf7r7foWIn3ym0tiU4cLJe4?= =?us-ascii?Q?0GfWwAaqUrcrgMdNaGZgjJ6wedmDyYGYMClZ5acRnpf/Ck3ll6Abs0vz/iPU?= =?us-ascii?Q?5bA/Xh3Zpg5jF/i+Mt/4PUTtO0QjJ/lVOXjHM0n9zRW3m5inQ/xPc1QkJL+O?= =?us-ascii?Q?fPJ8dOxWaK6Y/6E4IJ+AaTNk5MH5XRj4HAvmhJTVt2Y/+k3znCmOWx3qgIBa?= =?us-ascii?Q?OdYRa/nW0cTL5AcNJ63zVFco1eXPecTOc1td9wLf43jiu3s3vkNfEbp5LHs8?= =?us-ascii?Q?okpy3inWkkzN691dytxDcTjbexAiI41cORMLg6RMkzgw4TM+XgX6oXar+h51?= =?us-ascii?Q?q7ZZCRkqJaYLCTKDxBMKSYXgPECjtTERJT0UK/BbfYArA5+OrGDjl3C0lMXd?= =?us-ascii?Q?FFad+oG4gahsvDGXCTmzl8FBHT2lNZkTQdhd6axxgk3+OGHP/QdJ8CBwj2Ha?= =?us-ascii?Q?KC7+L0+ehTKzTXUhqOj4KnqfMVia2aD7+O8c2ln5fS9UsOcpeqJNRLNi/f+z?= =?us-ascii?Q?NGwT/5sIv/N8Yzuc4K4=3D?= X-Forefront-Antispam-Report: CIP:216.228.117.161; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:dc6edge2.nvidia.com; CAT:NONE; SFS:(13230040)(376014)(82310400026)(1800799024)(36860700013)(7053199007); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Nov 2025 10:28:57.0282 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: cbbc66e6-8ed2-4135-8ede-08de27567248 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.117.161]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EDD2.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR12MB4067 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org The HWS (Hardware Steering) IP tunnel detection implementation was not recognizing IPIP tunnel types based on the next protocol value in the outer IP header as specified by RFC 2003 (IP-in-IP) and RFC 2473 (IPv6 Encapsulation). The issue was that the code treated all combinations of [IPv4|6] / [IPv4|6] as IPIP tunnels, setting MLX5_FLOW_LAYER_IPIP flag regardless of the actual protocol. While this happened to work for simple cases due to the fallback classification, it violated RFC compliance and could cause issues with protocol validation. The fix adds RFC-compliant tunnel detection by 1. Checking the protocol field (IPPROTO_IPIP=4 or IPPROTO_IPV6=41) in the outer IP header to determine tunnel type 2. Adding protocol mismatch validation to ensure outer protocol matches inner header type 3. Correctly setting MLX5_FLOW_LAYER_IPV6_ENCAP for IPv6 encapsulation The expected tunnel patterns are now: - [ipv4 | ipv6] proto is 4 / ipv4 -> MLX5_FLOW_LAYER_IPIP - [ipv4 | ipv6] proto is 41 / ipv6 -> MLX5_FLOW_LAYER_IPV6_ENCAP For cases without protocol specification, fallback classification based on inner header type is still supported. Fixes: f66c7c3ab983 ("net/mlx5/hws: recognize IP-in-IP tunnel in definer layer") Fixes: 4b7044562f59 ("net/mlx5: support IP-in-IP tunnel for all combinations") Cc: stable@dpdk.org Signed-off-by: Junfeng Guo --- drivers/net/mlx5/hws/mlx5dr_definer.c | 4 +- drivers/net/mlx5/mlx5_flow.c | 5 - drivers/net/mlx5/mlx5_flow_hw.c | 162 ++++++++++++++++++++++---- 3 files changed, 143 insertions(+), 28 deletions(-) diff --git a/drivers/net/mlx5/hws/mlx5dr_definer.c b/drivers/net/mlx5/hws/mlx5dr_definer.c index afa70bf793..03d2794367 100644 --- a/drivers/net/mlx5/hws/mlx5dr_definer.c +++ b/drivers/net/mlx5/hws/mlx5dr_definer.c @@ -3381,6 +3381,7 @@ mlx5dr_definer_conv_items_to_hl(struct mlx5dr_context *ctx, if (cd.last_item == RTE_FLOW_ITEM_TYPE_IPV4 || cd.last_item == RTE_FLOW_ITEM_TYPE_IPV6) { cd.tunnel = true; + /* [IPv4 | IPv6] / IPv4: IPIP */ item_flags |= MLX5_FLOW_LAYER_IPIP; } ret = mlx5dr_definer_conv_item_ipv4(&cd, items, i); @@ -3391,7 +3392,8 @@ mlx5dr_definer_conv_items_to_hl(struct mlx5dr_context *ctx, if (cd.last_item == RTE_FLOW_ITEM_TYPE_IPV4 || cd.last_item == RTE_FLOW_ITEM_TYPE_IPV6) { cd.tunnel = true; - item_flags |= MLX5_FLOW_LAYER_IPIP; + /* [IPv4 | IPv6] / IPv6: IPV6_ENCAP */ + item_flags |= MLX5_FLOW_LAYER_IPV6_ENCAP; } ret = mlx5dr_definer_conv_item_ipv6(&cd, items, i); item_flags |= cd.tunnel ? MLX5_FLOW_LAYER_INNER_L3_IPV6 : diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c index 2c48f1b01b..0821c93a9a 100644 --- a/drivers/net/mlx5/mlx5_flow.c +++ b/drivers/net/mlx5/mlx5_flow.c @@ -2892,11 +2892,6 @@ mlx5_flow_validate_item_ipv4(const struct rte_eth_dev *dev, "multiple tunnel " "not supported"); } - if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) - return rte_flow_error_set(error, EINVAL, - RTE_FLOW_ERROR_TYPE_ITEM, item, - "wrong tunnel type - IPv6 specified " - "but IPv4 item provided"); if (item_flags & l3m) return rte_flow_error_set(error, ENOTSUP, RTE_FLOW_ERROR_TYPE_ITEM, item, diff --git a/drivers/net/mlx5/mlx5_flow_hw.c b/drivers/net/mlx5/mlx5_flow_hw.c index c41b99746f..75ac3bce28 100644 --- a/drivers/net/mlx5/mlx5_flow_hw.c +++ b/drivers/net/mlx5/mlx5_flow_hw.c @@ -8384,23 +8384,132 @@ mlx5_hw_validate_item_nsh(struct rte_eth_dev *dev, return mlx5_flow_validate_item_nsh(dev, item, error); } -static bool -mlx5_hw_flow_tunnel_ip_check(uint64_t last_item, uint64_t *item_flags) +static inline uint8_t +mlx5_hw_flow_get_next_protocol(const struct rte_flow_item *item) +{ + if (!item || !item->spec) + return 0xff; + + switch (item->type) { + case RTE_FLOW_ITEM_TYPE_IPV4: { + const struct rte_flow_item_ipv4 *spec = item->spec; + const struct rte_flow_item_ipv4 *mask = item->mask; + + /* If mask is NULL or next_proto_id field in mask is 0, + * then next_protocol in spec should not be read + */ + if (!mask || mask->hdr.next_proto_id == 0) + return 0xff; + + return spec->hdr.next_proto_id & mask->hdr.next_proto_id; + } + case RTE_FLOW_ITEM_TYPE_IPV6: { + const struct rte_flow_item_ipv6 *spec = item->spec; + const struct rte_flow_item_ipv6 *mask = item->mask; + + /* If mask is NULL or proto field in mask is 0, + * then proto in spec should not be read + */ + if (!mask || mask->hdr.proto == 0) + return 0xff; + + return spec->hdr.proto & mask->hdr.proto; + } + case RTE_FLOW_ITEM_TYPE_IPV6_FRAG_EXT: { + const struct rte_flow_item_ipv6_frag_ext *spec = item->spec; + const struct rte_flow_item_ipv6_frag_ext *mask = item->mask; + + /* If mask is NULL or next_header field in mask is 0, + * then next_header in spec should not be read + */ + if (!mask || mask->hdr.next_header == 0) + return 0xff; + + return spec->hdr.next_header & mask->hdr.next_header; + } + default: + return 0xff; + } +} + +static int +mlx5_hw_flow_tunnel_ip_check(uint64_t last_item, + const struct rte_flow_item *last_l3_item, + const struct rte_flow_item *item, + uint64_t *item_flags, + struct rte_flow_error *error) { - bool tunnel; + uint64_t tunnel_flag = 0; + uint8_t outer_protocol; + + /* IP tunnel detection - only single-level tunneling supported */ + if (last_l3_item && (last_item == MLX5_FLOW_LAYER_OUTER_L3_IPV4 || + last_item == MLX5_FLOW_LAYER_OUTER_L3_IPV6)) { + /* + * Tunnel type determination strategy: + * 1. If previous L3 item has protocol field specified, use it (RFC compliant) + * 2. Otherwise, fall back to inner header type (what's being encapsulated) + */ + outer_protocol = mlx5_hw_flow_get_next_protocol(last_l3_item); + + if (outer_protocol != 0xff) { + /* Proto field specified in outer hdr mask - use RFC-compliant detection */ + switch (outer_protocol) { + case IPPROTO_IPIP: /* 4 - IP-in-IP */ + /* Outer header indicates IPv4 payload */ + if (item->type == RTE_FLOW_ITEM_TYPE_IPV6) + return rte_flow_error_set(error, EINVAL, + RTE_FLOW_ERROR_TYPE_ITEM, item, + "protocol mismatch: outer proto is IPIP but inner is IPv6"); + tunnel_flag = MLX5_FLOW_LAYER_IPIP; + break; + case IPPROTO_IPV6: /* 41 - IPv6-in-IP */ + /* Outer header indicates IPv6 payload */ + if (item->type == RTE_FLOW_ITEM_TYPE_IPV4) + return rte_flow_error_set(error, EINVAL, + RTE_FLOW_ERROR_TYPE_ITEM, item, + "protocol mismatch: outer proto is IPV6 but inner is IPv4"); + tunnel_flag = MLX5_FLOW_LAYER_IPV6_ENCAP; + break; + default: + /* Unknown/unsupported protocol, fall back to inner header type */ + goto fallback_classification; + } + } else { +fallback_classification: + /* + * Protocol field not specified or unknown - classify based on + * what is being encapsulated (inner header type) + */ + if (item->type == RTE_FLOW_ITEM_TYPE_IPV4) + tunnel_flag = MLX5_FLOW_LAYER_IPIP; + else if (item->type == RTE_FLOW_ITEM_TYPE_IPV6) + tunnel_flag = MLX5_FLOW_LAYER_IPV6_ENCAP; + else + return 0; /* Not an IP item - shouldn't happen, but be defensive */ + } + + /* Check for unsupported nested tunneling after tunnel is detected */ + if (*item_flags & MLX5_FLOW_LAYER_TUNNEL) + return rte_flow_error_set(error, ENOTSUP, + RTE_FLOW_ERROR_TYPE_ITEM, item, + "multiple tunnel layers not supported"); + + *item_flags |= tunnel_flag; + return 1; /* Tunnel detected */ + } else if (last_item == MLX5_FLOW_ITEM_OUTER_IPV6_ROUTING_EXT) { + /* Special case: IPv6 routing extension header */ + /* Check for unsupported nested tunneling */ + if (*item_flags & MLX5_FLOW_LAYER_TUNNEL) + return rte_flow_error_set(error, ENOTSUP, + RTE_FLOW_ERROR_TYPE_ITEM, item, + "multiple tunnel layers not supported"); - if (last_item == MLX5_FLOW_LAYER_OUTER_L3_IPV4 || - last_item == MLX5_FLOW_LAYER_OUTER_L3_IPV6) { - tunnel = true; - *item_flags |= MLX5_FLOW_LAYER_IPIP; - } else if (last_item == MLX5_FLOW_LAYER_OUTER_L3_IPV6 || - last_item == MLX5_FLOW_ITEM_OUTER_IPV6_ROUTING_EXT) { - tunnel = true; *item_flags |= MLX5_FLOW_LAYER_IPV6_ENCAP; - } else { - tunnel = false; + return 1; /* Tunnel detected */ } - return tunnel; + + return 0; /* No tunnel */ } const struct rte_flow_item_ipv4 hws_nic_ipv4_mask = { @@ -8475,6 +8584,7 @@ __flow_hw_pattern_validate(struct rte_eth_dev *dev, struct rte_flow_error *error) { struct mlx5_priv *priv = dev->data->dev_private; + const struct rte_flow_item *last_l3_item = NULL; const struct rte_flow_item *item; const struct rte_flow_item *gtp_item = NULL; const struct rte_flow_item *gre_item = NULL; @@ -8677,21 +8787,28 @@ __flow_hw_pattern_validate(struct rte_eth_dev *dev, MLX5_FLOW_LAYER_OUTER_VLAN; break; case RTE_FLOW_ITEM_TYPE_IPV4: - tunnel |= mlx5_hw_flow_tunnel_ip_check(last_item, - item_flags); + ret = mlx5_hw_flow_tunnel_ip_check(last_item, last_l3_item, item, + item_flags, error); + if (ret < 0) + return ret; + tunnel |= (ret > 0); ret = mlx5_flow_dv_validate_item_ipv4(dev, item, - *item_flags, - last_item, 0, - &hws_nic_ipv4_mask, - error); + *item_flags, + last_item, 0, + &hws_nic_ipv4_mask, + error); if (ret) return ret; last_item = tunnel ? MLX5_FLOW_LAYER_INNER_L3_IPV4 : - MLX5_FLOW_LAYER_OUTER_L3_IPV4; + MLX5_FLOW_LAYER_OUTER_L3_IPV4; + last_l3_item = item; break; case RTE_FLOW_ITEM_TYPE_IPV6: - tunnel |= mlx5_hw_flow_tunnel_ip_check(last_item, - item_flags); + ret = mlx5_hw_flow_tunnel_ip_check(last_item, last_l3_item, item, + item_flags, error); + if (ret < 0) + return ret; + tunnel |= (ret > 0); ret = mlx5_flow_validate_item_ipv6(dev, item, *item_flags, last_item, 0, @@ -8701,6 +8818,7 @@ __flow_hw_pattern_validate(struct rte_eth_dev *dev, return ret; last_item = tunnel ? MLX5_FLOW_LAYER_INNER_L3_IPV6 : MLX5_FLOW_LAYER_OUTER_L3_IPV6; + last_l3_item = item; break; case RTE_FLOW_ITEM_TYPE_UDP: ret = mlx5_flow_validate_item_udp(dev, item, -- 2.43.0