Re: [PATCH] net/mlx5: fix connection tracking state item validation

Tue, 05 Aug 2025 07:45:14 -0700 

Hi,

On Tue, 5 Aug 2025, Khadem Ullah wrote:


This patch validate a connection tracking state when matching
'conntrack is' in rte_flow rules. The conntract possible CT states
are SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK and
TIME_WAIT. Therefore the maximum possible value to match on
in rte_flow is TIME_WAIT but mlx5 allowed matching on any values.

This patch validate the CT state item.
Fixes: aca19061e4b9 ('net/mlx5: validate connection tracking item')
Cc: sta...@dpdk.org

Signed-off-by: Khadem Ullah <14pwcse1...@uetpeshawar.edu.pk>
---
drivers/net/mlx5/mlx5_flow_dv.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index 7b9e5018b8..750385cd42 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -3290,6 +3290,11 @@ mlx5_flow_dv_validate_item_aso_ct(struct rte_eth_dev 
*dev,
                                                  NULL,
                                                  "Conflict status bits");
        }
+       if (spec->flags > RTE_FLOW_CONNTRACK_STATE_TIME_WAIT)
+               return rte_flow_error_set(error, EINVAL,
+                                       RTE_FLOW_ERROR_TYPE_ITEM,
+                                       NULL,
+                                       "Invalid CT state matching \n");


It might be better to enclose the multi-line block in brackets.

Also, is it correct to treat 'flags' like enum 'RTE_FLOW_CONNTRACK_STATE'?
I thought it was following 'RTE_FLOW_CONNTRACK_PKT_STATE' flags instead [1].

[1] 
https://doc.dpdk.org/api-25.07/rte__flow_8h.html#a7a41946aa03ebca8c432279604265b51

Or am I missing something?

Thank you.


        /* State change also needs to be considered. */
        *item_flags |= MLX5_FLOW_LAYER_ASO_CT;
        return 0;
--
2.43.0

Reply via email to