[PATCH 24.11] net/mlx5/hws: fix ESP header match in strict mode

patches for DPDK stable branches
 help / color / mirror / Atom feed

* [PATCH 24.11] net/mlx5/hws: fix ESP header match in strict mode
@ 2025-11-12  7:35 Viacheslav Ovsiienko
  2025-11-12 12:15 ` Kevin Traynor
  0 siblings, 1 reply; 2+ messages in thread
From: Viacheslav Ovsiienko @ 2025-11-12  7:35 UTC (permalink / raw)
  To: stable; +Cc: ktraynor, bluca, Matan Azrad

[ upstream commit 4237d1efa6e3f7f18ba809aa2073640fb034ae8d ]

The pattern like "eth / ipv6 / esp / end" matched on any IPv6
packet in strict mode, because there was no implicit match on the
IP.proto forced.

This patch adds the implicit match on IP.proto with value 50 (ESP)
and adds implicit match on UDP.dport with value 4500 for the case
ESP over UDP.

Fixes: 81cf20a25abf ("net/mlx5/hws: support match on ESP item")
Cc: stable@dpdk.org

Signed-off-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>
Acked-by: Matan Azrad <matan@nvidia.com>
---
 drivers/net/mlx5/hws/mlx5dr_definer.c | 29 +++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/drivers/net/mlx5/hws/mlx5dr_definer.c b/drivers/net/mlx5/hws/mlx5dr_definer.c
index 4af24c788a..25d7f729c5 100644
--- a/drivers/net/mlx5/hws/mlx5dr_definer.c
+++ b/drivers/net/mlx5/hws/mlx5dr_definer.c
@@ -14,6 +14,7 @@
 #define UDP_VXLAN_PORT	4789
 #define UDP_VXLAN_GPE_PORT	4790
 #define UDP_GTPU_PORT	2152
+#define UDP_ESP_PORT	4500
 #define UDP_PORT_MPLS	6635
 #define UDP_GENEVE_PORT 6081
 #define UDP_ROCEV2_PORT	4791
@@ -230,6 +231,8 @@ struct mlx5dr_definer_conv_data {
 	X(SET_BE16,	nvgre_protocol,		v->protocol,		rte_flow_item_nvgre) \
 	X(SET_BE32P,	nvgre_dw1,		&v->tni[0],		rte_flow_item_nvgre) \
 	X(SET,		meter_color,		rte_col_2_mlx5_col(v->color),	rte_flow_item_meter_color) \
+	X(SET,		ipsec_protocol,		IPPROTO_ESP,		rte_flow_item_esp) \
+	X(SET,		ipsec_udp_port,		UDP_ESP_PORT,		rte_flow_item_esp) \
 	X(SET_BE32,     ipsec_spi,              v->hdr.spi,             rte_flow_item_esp) \
 	X(SET_BE32,     ipsec_sequence_number,  v->hdr.seq,             rte_flow_item_esp) \
 	X(SET,		ib_l4_udp_port,		UDP_ROCEV2_PORT,	rte_flow_item_ib_bth) \
@@ -2804,6 +2807,32 @@ mlx5dr_definer_conv_item_esp(struct mlx5dr_definer_conv_data *cd,
 	const struct rte_flow_item_esp *m = item->mask;
 	struct mlx5dr_definer_fc *fc;
 
+	/* To match on ESP we must match on ip_protocol and optionally on l4_dport */
+	if (!cd->relaxed) {
+		bool over_udp;
+
+		fc = &cd->fc[DR_CALC_FNAME(IP_PROTOCOL, false)];
+		over_udp = fc->tag_set == &mlx5dr_definer_udp_protocol_set;
+
+		if (over_udp) {
+			fc = &cd->fc[DR_CALC_FNAME(L4_DPORT, false)];
+			if (!fc->tag_set) {
+				fc->item_idx = item_idx;
+				fc->tag_mask_set = &mlx5dr_definer_ones_set;
+				fc->tag_set = &mlx5dr_definer_ipsec_udp_port_set;
+				DR_CALC_SET(fc, eth_l4, destination_port, false);
+			}
+		} else {
+			fc = &cd->fc[DR_CALC_FNAME(IP_PROTOCOL, false)];
+			if (!fc->tag_set) {
+				fc->item_idx = item_idx;
+				fc->tag_set = &mlx5dr_definer_ipsec_protocol_set;
+				fc->tag_mask_set = &mlx5dr_definer_ones_set;
+				DR_CALC_SET(fc, eth_l3, protocol_next_header, false);
+			}
+		}
+	}
+
 	if (!m)
 		return 0;
 	if (m->hdr.spi) {
-- 
2.34.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH 24.11] net/mlx5/hws: fix ESP header match in strict mode
  2025-11-12  7:35 [PATCH 24.11] net/mlx5/hws: fix ESP header match in strict mode Viacheslav Ovsiienko
@ 2025-11-12 12:15 ` Kevin Traynor
  0 siblings, 0 replies; 2+ messages in thread
From: Kevin Traynor @ 2025-11-12 12:15 UTC (permalink / raw)
  To: Viacheslav Ovsiienko, stable; +Cc: bluca, Matan Azrad

On 12/11/2025 07:35, Viacheslav Ovsiienko wrote:
> [ upstream commit 4237d1efa6e3f7f18ba809aa2073640fb034ae8d ]
> 

Hi Slava. I just noticed while checking this commit, there are two
commits of the same name, and as result I only sent a note about one
needing rebase.

f2f75ffe14 net/mlx5/hws: fix ESP header match in strict mode
https://git.dpdk.org/dpdk/commit/?id=f2f75ffe14
I sent this one in list of commits needing rebase, as the function did
not exist. Not sure if that's something you want to do or just drop.

4237d1efa6 net/mlx5/hws: fix ESP header match in strict mode
https://git.dpdk.org/dpdk/commit/?id=4237d1efa6
I missed to send this in the list needing rebase. It applied but not
building, so I needed to remove. I saw other commit of same name in list
of commits for rebase and assumed it was the same one. Now I have
backport I will apply.

thanks,
Kevin.

> The pattern like "eth / ipv6 / esp / end" matched on any IPv6
> packet in strict mode, because there was no implicit match on the
> IP.proto forced.
> 
> This patch adds the implicit match on IP.proto with value 50 (ESP)
> and adds implicit match on UDP.dport with value 4500 for the case
> ESP over UDP.
> 
> Fixes: 81cf20a25abf ("net/mlx5/hws: support match on ESP item")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>
> Acked-by: Matan Azrad <matan@nvidia.com>
> ---
>  drivers/net/mlx5/hws/mlx5dr_definer.c | 29 +++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/drivers/net/mlx5/hws/mlx5dr_definer.c b/drivers/net/mlx5/hws/mlx5dr_definer.c
> index 4af24c788a..25d7f729c5 100644
> --- a/drivers/net/mlx5/hws/mlx5dr_definer.c
> +++ b/drivers/net/mlx5/hws/mlx5dr_definer.c
> @@ -14,6 +14,7 @@
>  #define UDP_VXLAN_PORT	4789
>  #define UDP_VXLAN_GPE_PORT	4790
>  #define UDP_GTPU_PORT	2152
> +#define UDP_ESP_PORT	4500
>  #define UDP_PORT_MPLS	6635
>  #define UDP_GENEVE_PORT 6081
>  #define UDP_ROCEV2_PORT	4791
> @@ -230,6 +231,8 @@ struct mlx5dr_definer_conv_data {
>  	X(SET_BE16,	nvgre_protocol,		v->protocol,		rte_flow_item_nvgre) \
>  	X(SET_BE32P,	nvgre_dw1,		&v->tni[0],		rte_flow_item_nvgre) \
>  	X(SET,		meter_color,		rte_col_2_mlx5_col(v->color),	rte_flow_item_meter_color) \
> +	X(SET,		ipsec_protocol,		IPPROTO_ESP,		rte_flow_item_esp) \
> +	X(SET,		ipsec_udp_port,		UDP_ESP_PORT,		rte_flow_item_esp) \
>  	X(SET_BE32,     ipsec_spi,              v->hdr.spi,             rte_flow_item_esp) \
>  	X(SET_BE32,     ipsec_sequence_number,  v->hdr.seq,             rte_flow_item_esp) \
>  	X(SET,		ib_l4_udp_port,		UDP_ROCEV2_PORT,	rte_flow_item_ib_bth) \
> @@ -2804,6 +2807,32 @@ mlx5dr_definer_conv_item_esp(struct mlx5dr_definer_conv_data *cd,
>  	const struct rte_flow_item_esp *m = item->mask;
>  	struct mlx5dr_definer_fc *fc;
>  
> +	/* To match on ESP we must match on ip_protocol and optionally on l4_dport */
> +	if (!cd->relaxed) {
> +		bool over_udp;
> +
> +		fc = &cd->fc[DR_CALC_FNAME(IP_PROTOCOL, false)];
> +		over_udp = fc->tag_set == &mlx5dr_definer_udp_protocol_set;
> +
> +		if (over_udp) {
> +			fc = &cd->fc[DR_CALC_FNAME(L4_DPORT, false)];
> +			if (!fc->tag_set) {
> +				fc->item_idx = item_idx;
> +				fc->tag_mask_set = &mlx5dr_definer_ones_set;
> +				fc->tag_set = &mlx5dr_definer_ipsec_udp_port_set;
> +				DR_CALC_SET(fc, eth_l4, destination_port, false);
> +			}
> +		} else {
> +			fc = &cd->fc[DR_CALC_FNAME(IP_PROTOCOL, false)];
> +			if (!fc->tag_set) {
> +				fc->item_idx = item_idx;
> +				fc->tag_set = &mlx5dr_definer_ipsec_protocol_set;
> +				fc->tag_mask_set = &mlx5dr_definer_ones_set;
> +				DR_CALC_SET(fc, eth_l3, protocol_next_header, false);
> +			}
> +		}
> +	}
> +
>  	if (!m)
>  		return 0;
>  	if (m->hdr.spi) {


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-11-12 12:15 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-12  7:35 [PATCH 24.11] net/mlx5/hws: fix ESP header match in strict mode Viacheslav Ovsiienko
2025-11-12 12:15 ` Kevin Traynor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).