Thanks Ales, looks good to me!

Acked-by: Mark Michelson <[email protected]>
On Wed, Jun 3, 2026 at 3:31 AM Ales Musil via dev <[email protected]> wrote: > > When multi-tier ACLs are configured, "ovn-nbctl acl-list" does > not display any tier information, making it difficult to see > which tier each ACL belongs to without querying the database > directly. > > Display a "[tier N]" annotation for ACLs with non-zero tier > values. Tier 0 is the default and is omitted to keep the > output clean for users who do not use multi-tier ACLs. > > Reported-at: https://redhat.atlassian.net/browse/FDP-3585 > Assisted-by: Claude Opus 4.6, OpenCode > Signed-off-by: Ales Musil <[email protected]> > --- > tests/ovn-nbctl.at | 24 ++++++++++++++++++++++++ > utilities/ovn-nbctl.c | 3 +++ > 2 files changed, 27 insertions(+) > > diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at > index 890d24dbf..6ce6a6729 100644 > --- a/tests/ovn-nbctl.at > +++ b/tests/ovn-nbctl.at > @@ -3019,12 +3019,25 @@ check_column 3 nb:ACL tier priority=1001 > check ovn-nbctl --tier=2 acl-add ls from-lport 1002 "ip" drop > check_column 2 nb:ACL tier priority=1002 > > +check ovn-nbctl acl-add ls from-lport 999 "ip" allow > +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl > +from-lport 1002 (ip) drop [[tier 2]] > +from-lport 1001 (ip) drop [[tier 3]] > +from-lport 1000 (ip) drop [[tier 3]] > +from-lport 999 (ip) allow > +]) > +check ovn-nbctl acl-del ls from-lport 999 "ip" > + > # Removing the tier 3 acls from ls should result in 1 ACL > # remaining. > check ovn-nbctl --tier=3 acl-del ls > check_row_count nb:ACL 1 > check_column 2 nb:ACL tier priority=1002 > > +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl > +from-lport 1002 (ip) drop [[tier 2]] > +]) > + > # Add two egress ACLs at tier 2. > check ovn-nbctl --tier=2 acl-add ls to-lport 1000 "ip" drop > check ovn-nbctl --tier=2 acl-add ls to-lport 1001 "ip" drop 
> @@ -3072,12 +3085,23 @@ check_row_count nb:ACL 1 tier=1 > check_row_count nb:ACL 1 tier=2 > check_row_count nb:ACL 1 tier=3 > > +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl > +from-lport 1000 (ip) drop [[tier 3]] > +from-lport 1000 (ip) drop [[tier 2]] > +from-lport 1000 (ip) drop [[tier 1]] > +]) > + > # Specifying tier 1 should result in only one ACL being deleted. > check ovn-nbctl --tier=1 acl-del ls from-lport 1000 "ip" > check_row_count nb:ACL 2 > check_row_count nb:ACL 1 tier=2 > check_row_count nb:ACL 1 tier=3 > > +AT_CHECK([ovn-nbctl acl-list ls], [0], [dnl > +from-lport 1000 (ip) drop [[tier 3]] > +from-lport 1000 (ip) drop [[tier 2]] > +]) > + > # Not specifying a tier should result in all ACLs being deleted. > check ovn-nbctl acl-del ls from-lport 1000 "ip" > check_row_count nb:ACL 0 > diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c > index 0900254c4..f9e983faa 100644 > --- a/utilities/ovn-nbctl.c > +++ b/utilities/ovn-nbctl.c > @@ -2783,6 +2783,9 @@ nbctl_acl_print(struct ctl_context *ctx, const struct > nbrec_acl **acls, > if (acl->label) { > ds_put_format(&ctx->output, " label=%"PRId64, acl->label); > } > + if (acl->tier) { > + ds_put_format(&ctx->output, " [tier %"PRId64"]", acl->tier); > + } > if (smap_get_bool(&acl->options, "apply-after-lb", false)) { > ds_put_cstr(&ctx->output, " [after-lb]"); > } > -- > 2.54.0 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
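Review bot: in the first tests/ovn-nbctl.at hunk (@@ -3019), the priority 999 ACL is added and then deleted only to show that a tier 0 ACL prints without an annotation, but nothing in the test says so. A one-line comment above `check ovn-nbctl acl-add ls from-lport 999 "ip" allow`, in the style of the existing "# Removing the tier 3 acls ..." comment, would make the intent clear to whoever edits this block next.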
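Review bot: in the second tests/ovn-nbctl.at hunk (@@ -3072), the expected output lists three ACLs that are identical in direction, priority and match and differ only in tier, in the fixed order tier 3, 2, 1 (and later tier 3, 2). That order is only stable if the acl-list sort breaks ties on tier. The comparator is not part of this patch, so please confirm it does; otherwise pipe the output through sort in these two AT_CHECK calls so the test cannot fail on ordering alone.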
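Review bot: in the utilities/ovn-nbctl.c hunk, the new " [tier N]" field changes the acl-list output format, yet the diffstat shows only the test file and ovn-nbctl.c being touched. Please document the annotation, including that tier 0 is omitted, in the acl-list description in the man page, and consider a release-notes entry, since scripts that parse this output (for example to audit which ACLs are in place) will now see an extra field between label= and [after-lb].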
