patch 'net/mlx5: fix ESP header match after UDP for group 0' has been queued to stable release 24.11.4
    Kevin Traynor 
    ktraynor at redhat.com
       
    Fri Oct 31 15:33:27 CET 2025
    
    
  
Hi,
FYI, your patch has been queued to stable release 24.11.4
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/05/25. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/3e535a9e970c16871fec2a1ed175444fe7f99b29
Thanks.
Kevin
---
>From 3e535a9e970c16871fec2a1ed175444fe7f99b29 Mon Sep 17 00:00:00 2001
From: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
Date: Tue, 9 Sep 2025 09:28:53 +0300
Subject: [PATCH] net/mlx5: fix ESP header match after UDP for group 0
[ upstream commit ed8eb60c9b2c243b4098f59dc6d9a87ee0bbd4c8 ]
The ESP item translation routine always forced the match
on IP next protocol to be 50 (ESP). This prevented
matching ESP packets over UDP.
The patch checks if UDP header is expected, and also forces
match on UDP destination port 4500 if it is not set
by the caller yet.
Fixes: 18ca4a4ec73a ("net/mlx5: support ESP SPI match and RSS hash")
Signed-off-by: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
Acked-by: Matan Azrad <matan at nvidia.com>
---
 drivers/net/mlx5/linux/mlx5_flow_os.c |  6 -----
 drivers/net/mlx5/mlx5_flow.h          |  3 +++
 drivers/net/mlx5/mlx5_flow_dv.c       | 34 ++++++++++++++++-----------
 3 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/drivers/net/mlx5/linux/mlx5_flow_os.c b/drivers/net/mlx5/linux/mlx5_flow_os.c
index 777125e9a8..f5eee46e44 100644
--- a/drivers/net/mlx5/linux/mlx5_flow_os.c
+++ b/drivers/net/mlx5/linux/mlx5_flow_os.c
@@ -26,6 +26,4 @@ mlx5_flow_os_validate_item_esp(const struct rte_eth_dev *dev,
 	const uint64_t l3m = tunnel ? MLX5_FLOW_LAYER_INNER_L3 :
 				      MLX5_FLOW_LAYER_OUTER_L3;
-	const uint64_t l4m = tunnel ? MLX5_FLOW_LAYER_INNER_L4 :
-				      MLX5_FLOW_LAYER_OUTER_L4;
 	static const struct rte_flow_item_esp mlx5_flow_item_esp_mask = {
 		.hdr = {
@@ -42,8 +40,4 @@ mlx5_flow_os_validate_item_esp(const struct rte_eth_dev *dev,
 						  item, "L3 is mandatory to filter on L4");
 	}
-	if (item_flags & l4m)
-		return rte_flow_error_set(error, EINVAL,
-					  RTE_FLOW_ERROR_TYPE_ITEM, item,
-					  "multiple L4 layers not supported");
 	if (target_protocol != 0xff && target_protocol != IPPROTO_ESP)
 		return rte_flow_error_set(error, EINVAL,
diff --git a/drivers/net/mlx5/mlx5_flow.h b/drivers/net/mlx5/mlx5_flow.h
index ce33a4e425..1e60bc76dd 100644
--- a/drivers/net/mlx5/mlx5_flow.h
+++ b/drivers/net/mlx5/mlx5_flow.h
@@ -474,4 +474,7 @@ enum mlx5_feature_name {
 #define MLX5_UDP_PORT_GENEVE 6081
 
+/* UDP port numbers for ESP. */
+#define MLX5_UDP_PORT_ESP 4500
+
 /* Lowest priority indicator. */
 #define MLX5_FLOW_LOWEST_PRIO_INDICATOR ((uint32_t)-1)
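Review bot: The comment on `MLX5_UDP_PORT_ESP` does not say which encapsulation the port belongs to, and "port numbers" is plural for a single value. Suggest `/* UDP destination port for ESP-in-UDP encapsulation (IPsec NAT-T, RFC 3948). */`. It is also worth stating there that IKE messages use port 4500 as well once NAT traversal is in effect, so a destination-port match alone does not prove the payload is ESP. Rule authors who need that distinction should also match on the SPI.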
diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index c1ff6a2dae..1faae8ab32 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -9712,5 +9712,5 @@ flow_dv_translate_item_tcp(void *key, const struct rte_flow_item *item,
 static void
 flow_dv_translate_item_esp(void *key, const struct rte_flow_item *item,
-			   int inner, uint32_t key_type)
+			   int inner, uint32_t key_type, uint64_t item_flags)
 {
 	const struct rte_flow_item_esp *esp_m;
@@ -9718,21 +9718,27 @@ flow_dv_translate_item_esp(void *key, const struct rte_flow_item *item,
 	void *headers_v;
 	char *spi_v;
+	bool over_udp = item_flags & (inner ? MLX5_FLOW_LAYER_INNER_L4_UDP :
+					      MLX5_FLOW_LAYER_OUTER_L4_UDP);
 
 	headers_v = inner ? MLX5_ADDR_OF(fte_match_param, key, inner_headers) :
-		MLX5_ADDR_OF(fte_match_param, key, outer_headers);
-	if (key_type & MLX5_SET_MATCHER_M)
-		MLX5_SET(fte_match_set_lyr_2_4, headers_v,
-			 ip_protocol, 0xff);
-	else
-		MLX5_SET(fte_match_set_lyr_2_4, headers_v,
-			 ip_protocol, IPPROTO_ESP);
+			    MLX5_ADDR_OF(fte_match_param, key, outer_headers);
+	if (key_type & MLX5_SET_MATCHER_M) {
+		MLX5_SET(fte_match_set_lyr_2_4, headers_v, ip_protocol, 0xff);
+		if (over_udp && !MLX5_GET16(fte_match_set_lyr_2_4, headers_v, udp_dport))
+			MLX5_SET(fte_match_set_lyr_2_4, headers_v, udp_dport, 0xFFFF);
+	} else {
+		if (!over_udp)
+			MLX5_SET(fte_match_set_lyr_2_4, headers_v, ip_protocol, IPPROTO_ESP);
+		else
+			if (!MLX5_GET16(fte_match_set_lyr_2_4, headers_v, udp_dport))
+				MLX5_SET(fte_match_set_lyr_2_4, headers_v, udp_dport,
+					 MLX5_UDP_PORT_ESP);
+	}
 	if (MLX5_ITEM_VALID(item, key_type))
 		return;
-	MLX5_ITEM_UPDATE(item, key_type, esp_v, esp_m,
-			 &rte_flow_item_esp_mask);
+	MLX5_ITEM_UPDATE(item, key_type, esp_v, esp_m, &rte_flow_item_esp_mask);
 	headers_v = MLX5_ADDR_OF(fte_match_param, key, misc_parameters);
-	spi_v = inner ? MLX5_ADDR_OF(fte_match_set_misc, headers_v,
-				inner_esp_spi) : MLX5_ADDR_OF(fte_match_set_misc
-				, headers_v, outer_esp_spi);
+	spi_v = inner ? MLX5_ADDR_OF(fte_match_set_misc, headers_v, inner_esp_spi) :
+			MLX5_ADDR_OF(fte_match_set_misc, headers_v, outer_esp_spi);
 	*(uint32_t *)spi_v = esp_m->hdr.spi & esp_v->hdr.spi;
 }
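Review bot: The `if (!over_udp)` branch treats every pattern without a UDP layer as ESP directly over IP, but this commit also deletes the "multiple L4 layers not supported" check from mlx5_flow_os_validate_item_esp() without a narrower replacement. From the visible lines, a pattern with a different L4 item (TCP, for example) before ESP now appears to pass that validator and reach this branch, where `ip_protocol` is overwritten with `IPPROTO_ESP`; validators outside this patch may still reject it. Keeping the rejection for non-UDP L4 would preserve the old error, e.g. `if ((item_flags & l4m) && !(item_flags & (tunnel ? MLX5_FLOW_LAYER_INNER_L4_UDP : MLX5_FLOW_LAYER_OUTER_L4_UDP)))` in the validator. The function's signature sits in the preceding hunk, so the start of its body is not visible here.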
@@ -14211,5 +14217,5 @@ flow_dv_translate_items(struct rte_eth_dev *dev,
 	switch (item_type) {
 	case RTE_FLOW_ITEM_TYPE_ESP:
-		flow_dv_translate_item_esp(key, items, tunnel, key_type);
+		flow_dv_translate_item_esp(key, items, tunnel, key_type, wks->item_flags);
 		wks->priority = MLX5_PRIORITY_MAP_L4;
 		last_item = MLX5_FLOW_ITEM_ESP;
-- 
2.51.0
---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2025-10-31 13:53:54.826828910 +0000
+++ 0085-net-mlx5-fix-ESP-header-match-after-UDP-for-group-0.patch	2025-10-31 13:53:52.218523936 +0000
@@ -1 +1 @@
-From ed8eb60c9b2c243b4098f59dc6d9a87ee0bbd4c8 Mon Sep 17 00:00:00 2001
+From 3e535a9e970c16871fec2a1ed175444fe7f99b29 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit ed8eb60c9b2c243b4098f59dc6d9a87ee0bbd4c8 ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -46 +47 @@
-index 367dacc277..ff61706054 100644
+index ce33a4e425..1e60bc76dd 100644
@@ -49 +50 @@
-@@ -490,4 +490,7 @@ struct mlx5_mirror {
+@@ -474,4 +474,7 @@ enum mlx5_feature_name {
@@ -58 +59 @@
-index 18d0d29377..bcce1597e2 100644
+index c1ff6a2dae..1faae8ab32 100644
@@ -61 +62 @@
-@@ -9714,5 +9714,5 @@ flow_dv_translate_item_tcp(void *key, const struct rte_flow_item *item,
+@@ -9712,5 +9712,5 @@ flow_dv_translate_item_tcp(void *key, const struct rte_flow_item *item,
@@ -68 +69 @@
-@@ -9720,21 +9720,27 @@ flow_dv_translate_item_esp(void *key, const struct rte_flow_item *item,
+@@ -9718,21 +9718,27 @@ flow_dv_translate_item_esp(void *key, const struct rte_flow_item *item,
@@ -108 +109 @@
-@@ -14225,5 +14231,5 @@ flow_dv_translate_items(struct rte_eth_dev *dev,
+@@ -14211,5 +14217,5 @@ flow_dv_translate_items(struct rte_eth_dev *dev,
    
    