When multi-tier ACLs are configured, "ovn-nbctl acl-list" does not display any tier information, making it difficult to see which tier each ACL belongs to without querying the database directly.
Display a "[tier N]" annotation for ACLs with non-zero tier values. Tier 0 is the default and is omitted to keep the output clean for users who do not use multi-tier ACLs. Reported-at: https://redhat.atlassian.net/browse/FDP-3585 Assisted-by: Claude Opus 4.6, OpenCode Signed-off-by: Ales Musil <[email protected]> --- tests/ovn-nbctl.at | 24 ++++++++++++++++++++++++ utilities/ovn-nbctl.c | 3 +++ 2 files changed, 27 insertions(+) diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 890d24dbf..6ce6a6729 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -3019,12 +3019,25 @@ check_column 3 nb:ACL tier priority=1001 check ovn-nbctl --tier=2 acl-add ls from-lport 1002 "ip" drop check_column 2 nb:ACL tier priority=1002 +check ovn-nbctl acl-add ls from-lport 999 "ip" allow +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl +from-lport 1002 (ip) drop [[tier 2]] +from-lport 1001 (ip) drop [[tier 3]] +from-lport 1000 (ip) drop [[tier 3]] +from-lport 999 (ip) allow +]) +check ovn-nbctl acl-del ls from-lport 999 "ip" + # Removing the tier 3 acls from ls should result in 1 ACL # remaining. check ovn-nbctl --tier=3 acl-del ls check_row_count nb:ACL 1 check_column 2 nb:ACL tier priority=1002 +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl +from-lport 1002 (ip) drop [[tier 2]] +]) + # Add two egress ACLs at tier 2. check ovn-nbctl --tier=2 acl-add ls to-lport 1000 "ip" drop check ovn-nbctl --tier=2 acl-add ls to-lport 1001 "ip" drop 
@@ -3072,12 +3085,23 @@ check_row_count nb:ACL 1 tier=1 check_row_count nb:ACL 1 tier=2 check_row_count nb:ACL 1 tier=3 +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl +from-lport 1000 (ip) drop [[tier 3]] +from-lport 1000 (ip) drop [[tier 2]] +from-lport 1000 (ip) drop [[tier 1]] +]) + # Specifying tier 1 should result in only one ACL being deleted. check ovn-nbctl --tier=1 acl-del ls from-lport 1000 "ip" check_row_count nb:ACL 2 check_row_count nb:ACL 1 tier=2 check_row_count nb:ACL 1 tier=3 +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl +from-lport 1000 (ip) drop [[tier 3]] +from-lport 1000 (ip) drop [[tier 2]] +]) + # Not specifying a tier should result in all ACLs being deleted. check ovn-nbctl acl-del ls from-lport 1000 "ip" check_row_count nb:ACL 0 diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 0900254c4..f9e983faa 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2783,6 +2783,9 @@ nbctl_acl_print(struct ctl_context *ctx, const struct nbrec_acl **acls, if (acl->label) { ds_put_format(&ctx->output, " label=%"PRId64, acl->label); } + if (acl->tier) { + ds_put_format(&ctx->output, " [tier %"PRId64"]", acl->tier); + } if (smap_get_bool(&acl->options, "apply-after-lb", false)) { ds_put_cstr(&ctx->output, " [after-lb]"); } -- 2.54.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
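Review bot: in the utilities/ovn-nbctl.c hunk, the new " [tier N]" token is emitted in nbctl_acl_print() between " label=" and " [after-lb]", which changes the acl-list line format, yet the diffstat touches only tests/ovn-nbctl.at and utilities/ovn-nbctl.c. Suggest documenting the annotation, including that tier 0 is omitted, in the acl-list description of the ovn-nbctl documentation, and noting the user-visible output change so that anyone parsing acl-list output for policy audits knows to expect the extra token.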
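Review bot: in the first tests/ovn-nbctl.at hunk (@@ -3019), every expected line ends with the tier annotation or has none, so nothing pins its position relative to the other annotations that the C change places around it. Suggest adding one acl-list check for an ACL that has a non-zero tier together with a label or the apply-after-lb option, so a later reordering of " label=", " [tier N]" and " [after-lb]" is caught by the test suite.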
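Review bot: in the second tests/ovn-nbctl.at hunk (@@ -3072), the expected output depends on three ACLs with the same direction, priority and match being listed as tier 3, tier 2, tier 1, and nothing in this patch establishes that order. If the acl-list sort does not use tier as a key, these checks can become order-dependent; suggest either confirming tier is part of the comparison and saying so in a test comment, or sorting the output before comparing.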
