patch 'net/mlx5/hws: fix ESP header match in strict mode' has been queued to stable release 23.11.6

Shani Peretz shperetz at nvidia.com
Sun Dec 21 15:56:11 CET 2025 

Hi,

FYI, your patch has been queued to stable release 23.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/26/25. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/shanipr/dpdk-stable

This queued commit can be viewed at:
https://github.com/shanipr/dpdk-stable/commit/9b29d486fba5e060afa77b626dc169f9e8e68769

Thanks.

Shani

---
>From 9b29d486fba5e060afa77b626dc169f9e8e68769 Mon Sep 17 00:00:00 2001
From: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
Date: Mon, 4 Aug 2025 08:05:14 +0300
Subject: [PATCH] net/mlx5/hws: fix ESP header match in strict mode

[ upstream commit f2f75ffe14a521ee3000be2b5286ff3047f3958c ]

The pattern like "eth / ipv6 / esp / end" matched on any IPv6
packet in strict mode, because there was no impicit match on the
IP.proto forced.

This patch adds the implicit match on IP.proto with value 50 (ESP)
and adds implicit match on UDP.dport with value 4500 for the case
ESP over UDP.

Fixes: 18ca4a4ec73a ("net/mlx5: support ESP SPI match and RSS hash")

Signed-off-by: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
---
 drivers/net/mlx5/hws/mlx5dr_definer.c | 36 +++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mlx5/hws/mlx5dr_definer.c b/drivers/net/mlx5/hws/mlx5dr_definer.c
index 69a99d6785..51917f01a0 100644
--- a/drivers/net/mlx5/hws/mlx5dr_definer.c
+++ b/drivers/net/mlx5/hws/mlx5dr_definer.c
@@ -11,6 +11,7 @@
 #define UDP_GTPU_PORT   2152
 #define UDP_VXLAN_PORT  4789
 #define UDP_PORT_MPLS   6635
+#define UDP_ESP_PORT	4500
 #define UDP_ROCEV2_PORT	4791
 #define DR_FLOW_LAYER_TUNNEL_NO_MPLS (MLX5_FLOW_LAYER_TUNNEL & ~MLX5_FLOW_LAYER_MPLS)
 
@@ -183,6 +184,8 @@ struct mlx5dr_definer_conv_data {
 	X(SET_BE32,	gre_opt_seq,		v->sequence.sequence,	rte_flow_item_gre_opt) \
 	X(SET_BE16,	gre_opt_checksum,	v->checksum_rsvd.checksum,	rte_flow_item_gre_opt) \
 	X(SET,		meter_color,		rte_col_2_mlx5_col(v->color),	rte_flow_item_meter_color) \
+	X(SET,		ipsec_protocol,		IPPROTO_ESP,		rte_flow_item_esp) \
+	X(SET,		ipsec_udp_port,		UDP_ESP_PORT,		rte_flow_item_esp) \
 	X(SET_BE32,     ipsec_spi,              v->hdr.spi,             rte_flow_item_esp) \
 	X(SET_BE32,     ipsec_sequence_number,  v->hdr.seq,             rte_flow_item_esp) \
 	X(SET,		ib_l4_udp_port,		UDP_ROCEV2_PORT,	rte_flow_item_ib_bth) \
@@ -2118,7 +2121,9 @@ mlx5dr_definer_conv_item_meter_color(struct mlx5dr_definer_conv_data *cd,
 }
 
 static struct mlx5dr_definer_fc *
-mlx5dr_definer_get_flex_parser_fc(struct mlx5dr_definer_conv_data *cd, uint32_t byte_off)
+mlx5dr_definer_get_flex_parser_fc(struct mlx5dr_definer_conv_data *cd,
+				  uint32_t byte_off,
+				  int item_idx)
 {
 	uint32_t byte_off_fp7 = MLX5_BYTE_OFF(definer_hl, flex_parser.flex_parser_7);
 	uint32_t byte_off_fp0 = MLX5_BYTE_OFF(definer_hl, flex_parser.flex_parser_0);
@@ -2130,6 +2135,33 @@ mlx5dr_definer_get_flex_parser_fc(struct mlx5dr_definer_conv_data *cd, uint32_t
 		rte_errno = EINVAL;
 		return NULL;
 	}
+
+	/* To match on ESP we must match on ip_protocol and optionally on l4_dport */
+	if (!cd->relaxed) {
+		bool over_udp;
+
+		fc = &cd->fc[DR_CALC_FNAME(IP_PROTOCOL, false)];
+		over_udp = fc->tag_set == &mlx5dr_definer_udp_protocol_set;
+
+		if (over_udp) {
+			fc = &cd->fc[DR_CALC_FNAME(L4_DPORT, false)];
+			if (!fc->tag_set) {
+				fc->item_idx = item_idx;
+				fc->tag_mask_set = &mlx5dr_definer_ones_set;
+				fc->tag_set = &mlx5dr_definer_ipsec_udp_port_set;
+				DR_CALC_SET(fc, eth_l4, destination_port, false);
+			}
+		} else {
+			fc = &cd->fc[DR_CALC_FNAME(IP_PROTOCOL, false)];
+			if (!fc->tag_set) {
+				fc->item_idx = item_idx;
+				fc->tag_set = &mlx5dr_definer_ipsec_protocol_set;
+				fc->tag_mask_set = &mlx5dr_definer_ones_set;
+				DR_CALC_SET(fc, eth_l3, protocol_next_header, false);
+			}
+		}
+	}
+
 	idx = (byte_off_fp0 - byte_off) / (sizeof(uint32_t));
 	fname += (enum mlx5dr_definer_fname)idx;
 	fc = &cd->fc[fname];
@@ -2181,7 +2213,7 @@ mlx5dr_definer_conv_item_ipv6_routing_ext(struct mlx5dr_definer_conv_data *cd,
 
 	if (m->hdr.next_hdr || m->hdr.type || m->hdr.segments_left) {
 		byte_off = flow_hw_get_srh_flex_parser_byte_off_from_ctx(cd->ctx);
-		fc = mlx5dr_definer_get_flex_parser_fc(cd, byte_off);
+		fc = mlx5dr_definer_get_flex_parser_fc(cd, byte_off, item_idx);
 		if (!fc)
 			return rte_errno;
 
-- 
2.43.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2025-12-21 16:54:18.516529621 +0200
+++ 0023-net-mlx5-hws-fix-ESP-header-match-in-strict-mode.patch	2025-12-21 16:54:16.808067000 +0200
@@ -1 +1 @@
-From f2f75ffe14a521ee3000be2b5286ff3047f3958c Mon Sep 17 00:00:00 2001
+From 9b29d486fba5e060afa77b626dc169f9e8e68769 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit f2f75ffe14a521ee3000be2b5286ff3047f3958c ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -20,2 +21,2 @@
- drivers/net/mlx5/hws/mlx5dr_definer.c | 38 ++++++++++++++++++++++++---
- 1 file changed, 35 insertions(+), 3 deletions(-)
+ drivers/net/mlx5/hws/mlx5dr_definer.c | 36 +++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
@@ -24 +25 @@
-index 7464d95373..113feae291 100644
+index 69a99d6785..51917f01a0 100644
@@ -27,4 +28,4 @@
-@@ -14,6 +14,7 @@
- #define UDP_VXLAN_PORT	4789
- #define UDP_VXLAN_GPE_PORT	4790
- #define UDP_GTPU_PORT	2152
+@@ -11,6 +11,7 @@
+ #define UDP_GTPU_PORT   2152
+ #define UDP_VXLAN_PORT  4789
+ #define UDP_PORT_MPLS   6635
@@ -32,2 +32,0 @@
- #define UDP_PORT_MPLS	6635
- #define UDP_GENEVE_PORT 6081
@@ -35,3 +34,5 @@
-@@ -231,6 +232,8 @@ struct mlx5dr_definer_conv_data {
- 	X(SET_BE16,	nvgre_protocol,		v->protocol,		rte_flow_item_nvgre) \
- 	X(SET_BE32P,	nvgre_dw1,		&v->tni[0],		rte_flow_item_nvgre) \
+ #define DR_FLOW_LAYER_TUNNEL_NO_MPLS (MLX5_FLOW_LAYER_TUNNEL & ~MLX5_FLOW_LAYER_MPLS)
+ 
+@@ -183,6 +184,8 @@ struct mlx5dr_definer_conv_data {
+ 	X(SET_BE32,	gre_opt_seq,		v->sequence.sequence,	rte_flow_item_gre_opt) \
+ 	X(SET_BE16,	gre_opt_checksum,	v->checksum_rsvd.checksum,	rte_flow_item_gre_opt) \
@@ -44 +45 @@
-@@ -2481,7 +2484,9 @@ mlx5dr_definer_conv_item_meter_color(struct mlx5dr_definer_conv_data *cd,
+@@ -2118,7 +2121,9 @@ mlx5dr_definer_conv_item_meter_color(struct mlx5dr_definer_conv_data *cd,
@@ -55 +56 @@
-@@ -2493,6 +2498,33 @@ mlx5dr_definer_get_flex_parser_fc(struct mlx5dr_definer_conv_data *cd, uint32_t
+@@ -2130,6 +2135,33 @@ mlx5dr_definer_get_flex_parser_fc(struct mlx5dr_definer_conv_data *cd, uint32_t
@@ -89 +90 @@
-@@ -2544,7 +2576,7 @@ mlx5dr_definer_conv_item_ipv6_routing_ext(struct mlx5dr_definer_conv_data *cd,
+@@ -2181,7 +2213,7 @@ mlx5dr_definer_conv_item_ipv6_routing_ext(struct mlx5dr_definer_conv_data *cd,
@@ -95,9 +95,0 @@
- 		if (!fc)
- 			return rte_errno;
- 
-@@ -2666,7 +2698,7 @@ mlx5dr_definer_conv_item_ecpri(struct mlx5dr_definer_conv_data *cd,
- 		if (!mask)
- 			continue;
- 		mask = htobe32(mask);
--		fc = mlx5dr_definer_get_flex_parser_fc(cd, byte_off[i]);
-+		fc = mlx5dr_definer_get_flex_parser_fc(cd, byte_off[i], item_idx);

More information about the stable mailing list