[PATCH] net/mlx5: fix connection tracking state item validation

Dariusz Sosnowski dsosnowski at nvidia.com
Fri Aug 8 09:47:38 CEST 2025


On Wed, Aug 06, 2025 at 04:51:42AM -0400, Khadem Ullah wrote:
> Hi Ivan, 
> 
> The multi-line block was not closed in brackets due to coding style.
> 
> Spec provides values to match (e.g. a given IPv4 address) in rte_flow rules.
> In case of the following rte_flow rule, spec provides in
> mlx5_flow_dv_validate_item_aso_ct the conntrack state to be validated.
> 
> The following is a valid rule and it should be offloaded. 
> 
> flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 1 / end actions queue index 5 / end
> 
> and the following is an invalid rule which should be rejected, as there is no conntrack state that corresponds to 10.
> flow create 0 group 5 ingress pattern eth / ipv4 / tcp / conntrack is 10 / end actions queue index 5 / end
> 
> Please check https://doc.dpdk.org/guides-24.07/prog_guide/rte_flow.html#pattern-item

I think there might have been a misunderstanding about states
relevant for conntrack flow items and actions.
What Ivan has mentioned regarding RTE_FLOW_CONNTRACK_PKT_STATE_* flags
is correct.

- rte_flow_conntrack_state enum denotes possible TCP connection states
  (SYN_RECV, ESTABLISHED, TIME_WAIT, etc.).
  These are used during creation/querying of the conntrack flow action object
  to initialize/inspect the TCP connection state machine in the HW.
  From flow API perspective, it is relevant only for the conntrack action:
  https://doc.dpdk.org/api/structrte__flow__action__conntrack.html

- rte_flow_item_conntrack flow item is used to match packets based on
  how they interact with HW TCP state machine.
  After conntrack action is executed in the HW on the packet,
  application can match that packet based on the result of connection
  tracking e.g., match correct TCP packets which are in current TCP
  window or match packets which change TCP connection state.

  As noted in API docs - https://doc.dpdk.org/api/structrte__flow__item__conntrack.html -
  this item takes a bitmap of RTE_FLOW_CONNTRACK_PKT_STATE_* bits.
  For example match can be on RTE_FLOW_CONNTRACK_PKT_STATE_VALID | RTE_FLOW_CONNTRACK_PKT_STATE_CHANGED
  meaning, "match valid TCP packets which change TCP connection state".

Because of the above, the proposed change to validate item's flags
against variants of rte_flow_conntrack_state enum is incorrect.

Best regards,
Dariusz Sosnowski
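
An added example (not code from the mlx5 driver or from this thread) of the distinction drawn in the message above: the conntrack item's flags are a bitmap, so validating them means checking for undefined bits, while a range check against the TCP state enum misreads them. The `CT_*` names are local stand-ins that mirror the RTE_FLOW_CONNTRACK_PKT_STATE_* bit positions and the last rte_flow_conntrack_state value in DPDK's rte_flow.h; the bitmap check here only rejects undefined bits and does not model any driver-specific restrictions on combinations.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the RTE_FLOW_CONNTRACK_PKT_STATE_* bits in DPDK's
 * rte_flow.h, so the example builds without DPDK. */
#define CT_PKT_VALID    (UINT32_C(1) << 0)
#define CT_PKT_CHANGED  (UINT32_C(1) << 1)
#define CT_PKT_INVALID  (UINT32_C(1) << 2)
#define CT_PKT_DISABLED (UINT32_C(1) << 3)
#define CT_PKT_BAD      (UINT32_C(1) << 4)
#define CT_PKT_ALL      UINT32_C(0x1f)
/* Stand-in for the last rte_flow_conntrack_state value (TIME_WAIT). */
#define CT_TCP_STATE_LAST 5u

static const char *const ct_pkt_names[] = {
	"VALID", "CHANGED", "INVALID", "DISABLED", "BAD"
};

/* Bitmap check: every set bit must be a defined packet-state flag. */
int ct_flags_known(uint32_t flags) { return (flags & ~CT_PKT_ALL) == 0; }

/* The mistaken check: treats the bitmap as a TCP state enum value. */
int ct_flags_as_enum(uint32_t flags) { return flags <= CT_TCP_STATE_LAST; }

/* Write the names of the set, defined bits into buf, separated by '|'. */
const char *ct_flags_describe(uint32_t flags, char *buf, size_t len)
{
	size_t used = 0;
	if (len == 0)
		return buf;
	buf[0] = '\0';
	for (unsigned i = 0; i < 5; i++) {
		if (!(flags & (UINT32_C(1) << i)))
			continue;
		int n = snprintf(buf + used, len - used, "%s%s",
				 used ? "|" : "", ct_pkt_names[i]);
		if (n < 0 || (size_t)n >= len - used) {
			buf[used] = '\0'; /* name did not fit: drop it and stop */
			break;
		}
		used += (size_t)n;
	}
	return buf;
}

int main(void)
{
	/* Constructed samples; 10 is the value used in the quoted rule. */
	const uint32_t s[] = { CT_PKT_VALID | CT_PKT_CHANGED, 10, CT_PKT_BAD, 0x20 };
	char buf[64];
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("0x%02x bits=[%s] bitmap_ok=%d enum_check=%d\n", (unsigned)s[i],
		       ct_flags_describe(s[i], buf, sizeof(buf)),
		       ct_flags_known(s[i]), ct_flags_as_enum(s[i]));
	return 0;
}
```

With these definitions, 10 decodes to CHANGED|DISABLED and 16 to BAD: both consist only of defined bits, yet an enum range check rejects them, and it accepts 3 (VALID|CHANGED) only because that number happens to fall inside the enum's range.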

