On 7/16/26 6:39 PM, Arpit Jain wrote:
> Hi Dumitru,

Hi Arpit,

> Thank you for reviewing and proposing changes. We can probably merge the 
> patch.
> 
> Will evaluate changes proposed and raise separate patch.
> 

There might be some misunderstanding.  I meant: I'd rather not merge the
v2 as is.  I'd like the things I identified today to be addressed first.

So normally that would require a v3.

But, as I tested the potential changes myself already if you were OK
with what I'm suggesting in the incremental diff in my previous patch,
we could've avoided a v3 if I just squashed my changes into your commit.

Let's keep it simpler and clear though.  Can you please post a v3
addressing my latest review comments?

Thanks again,
Dumitru

> Regards,
> Arpit Jain
> 
> From: Dumitru Ceara <[email protected]>
> Date: Thursday, 16 July 2026 at 9:40 PM
> To: Arpit Jain <[email protected]>; Lorenzo Bianconi 
> <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: Re: [ovs-dev] [PATCH ovn v2] northd: Gate priority-1 default-allow 
> on REG_ACL_TIER for tiered ACLs.
> 
> !-------------------------------------------------------------------|
>   CAUTION: External Email
> 
> |-------------------------------------------------------------------!
> 
> On 7/10/26 6:36 PM, Arpit Jain wrote:
>> Hi Dumitru,
>>
> 
> Hi Arpit,
>> Thanks for review. Part of this patch was indeed AI-assisted (Cursor with 
>> Opus 4.8), so an Assisted-by: tag would be appropriate.
>>
>> This is my first OVN patch, and I wasn't aware of the disclosure 
>> requirement. I'll make sure to include the tag in future submissions.
>>
> 
> No worries, thanks for the confirmation.  Looking forward to more
> submissions in the future!
> 
>> Regards,
>> Arpit
>>
>> From: Dumitru Ceara <[email protected]>
>> Date: Friday, 10 July 2026 at 1:09 PM
>> To: Lorenzo Bianconi <[email protected]>
>> Cc: [email protected] <[email protected]>; Arpit Jain 
>> <[email protected]>
>> Subject: Re: [ovs-dev] [PATCH ovn v2] northd: Gate priority-1 default-allow 
>> on REG_ACL_TIER for tiered ACLs.
>>
>> !-------------------------------------------------------------------|
>>   CAUTION: External Email
>>
>> |-------------------------------------------------------------------!
>>
>> On 7/3/26 5:57 PM, Lorenzo Bianconi via dev wrote:
>>>> For stateful ACLs, ovn-northd emits a priority-1 flow in the
>>>> ls_in_acl_eval / ls_out_acl_eval stages that re-allows an established
>>>> connection whose ct_mark.blocked bit is set:
>>>>
>>>>   match=(ip && ct.est && ct_mark.blocked == 1)
>>>>   action=(REGBIT_ACL_VERDICT_ALLOW = 1; next;)
>>>>
>>>> ct_mark.blocked is set when an established connection is denied by an
>>>> ACL.  This flow lets the connection resume, without being reset, once a
>>>> "drop"/"reject" ACL is replaced by an "allow"/"allow-related" ACL; the
>>>> connection is re-committed with ct_mark.blocked cleared in a later
>>>> stage.
>>>>
>>>> The flow is emitted with no REG_ACL_TIER match.  When ACLs are assigned
>>>> to tiers, ACL evaluation re-circulates through the same eval stage with
>>>> REG_ACL_TIER (reg8[30..31]) advancing from 0 up to the highest tier
>>>> configured on the switch: tier 0 is evaluated first and the next tier
>>>> is only reached while no verdict has been determined.  Since the
>>>> priority-1 flow carries no tier match, it is hit on the first pass at
>>>> tier 0, where it sets the allow verdict and runs "next;", ending
>>>> evaluation - so an ACL at a higher tier is never reached.
>>>>
>>>> For example, on a logical switch using tiered ACLs:
>>>>
>>>>   - an "allow-related" ACL establishes a TCP connection from a client;
>>>>   - that ACL is later removed and a tier-1 ACL is added that drops the
>>>>     same traffic (raising the switch's highest ingress tier to 1).
>>>>
>>>> The first packet after the change hits the tier-1 drop, which sets
>>>> ct_mark.blocked=1.  On the next packet the priority-1 flow matches at
>>>> tier 0, allows it and ends evaluation, so the tier-1 drop ACL is never
>>>> reached and the packet leaks; ct_mark.blocked is then cleared, the
>>>> following packet is dropped again and re-sets ct_mark.blocked, and the
>>>> cycle repeats - the connection alternates between leaking and being
>>>> dropped instead of being cleanly blocked.
>>>>
>>>> When no ACL is assigned a tier there is no eval loop, and a configured
>>>> "drop"/"reject" ACL is emitted at acl->priority + OVN_ACL_PRI_OFFSET,
>>>> far above priority 1, so it always wins over the priority-1 flow and
>>>> this case is unaffected.
>>>>
>>>> Gate the priority-1 flow on REG_ACL_TIER == highest-configured-tier for
>>>> the relevant stage (ingress pre-LB / egress) so that it only competes
>>>> once every tier has been evaluated.  When no tier is configured the
>>>> match is left unchanged, so the emitted flows and behaviour are
>>>> identical for existing setups.
>>>>
>>>> Signed-off-by: Arpit Jain <[email protected]>
>>>> Acked-by: Naveen Yerramneni <[email protected]>
>>>
>>> Acked-by: Lorenzo Bianconi <[email protected]>
>>>
>>>> ---
>>>> v2: Fix the expected logical flow output in the new ovn-northd
>>>>     test by dropping the stage-name column padding; that padding
>>>>     is normalized away by the test's filter, so v1 failed CI.
>>>>     No change to northd.c.
>>
>> Hi Arpit, Lorenzo,
>>
>> Thanks for the patch and review!
>>
>> Arpit, just double checking, were some of the contents of this patch
>> written with AI assistance?  That's no problem, we accept AI assisted
>> contributions, but that should be disclosed with an "Assisted-by:" tag.
>>
>> It's also possible that I'm wrong and this is completely written without
>> AI assistance.
>>
>> In any case, the change looks OK to me.  I have a minor comment below
>> but I can address that when merging the patch.
>>
>> I'll first wait for confirmation from you to see if I also need to
>> squash an "Assisted-by" tag into the commit message.
>>
>> Regards,
>> Dumitru
>>
>>>>
>>>>  northd/northd.c     | 21 ++++++++++++-
>>>>  tests/ovn-northd.at | 73 +++++++++++++++++++++++++++++++++++++++++++++
>>>>  2 files changed, 93 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/northd/northd.c b/northd/northd.c
>>>> index 7a7866d9a..0e791007b 100644
>>>> --- a/northd/northd.c
>>>> +++ b/northd/northd.c
>>>> @@ -8116,13 +8116,32 @@ build_acls(const struct ls_stateful_record 
>>>> *ls_stateful_rec,
>>>>           * We need to set ct_mark.blocked=0 to let the connection 
>>>> continue,
>>>>           * which will be done by ct_commit in the "stateful" stage.
>>>>           * Subsequent packets will hit the flow at priority 0 that just
>>>> -         * uses "next;". */
>>>> +         * uses "next;".
>>>> +         *
>>>> +         * When tiered ACLs are configured, this default-allow must only
>>>> +         * fire after the tier loop has reached the highest configured
>>>> +         * tier; otherwise a drop ACL at a higher tier would be bypassed
>>>> +         * for an already-blocked connection (it would short-circuit on
>>>> +         * the first tier-0 visit, set VERDICT_ALLOW, and skip the rest
>>>> +         * of the tier loop).  Gate the match on REG_ACL_TIER == max_tier
>>>> +         * so the rule only competes once every tier has been evaluated. 
>>>> */
>>>>          ds_clear(&match);
>>>>          ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
>>
>> While at it, we should also change this to ds_put_cstr().
>>
>>>> +        if (ls_stateful_rec->max_acl_tier.ingress_pre_lb) {
>>
>> It's annoying that this is conditional, REG_ACL_TIER == 0 should be just
>> fine if there's no other tiers.  However, the place where we initialize
>> REG_ACL_TIER = 0 is also conditional (already before this patch) so we'd
>> have to change that too.
>>
>> It's outside the scope of this patch so let's leave it as is for now.
>> I'll try to remember to follow up on this in the future.
>>
>>>> +            ds_put_format(&match, " && " REG_ACL_TIER " == %"PRIu64,
>>>> +                          ls_stateful_rec->max_acl_tier.ingress_pre_lb);
>>>> +        }
>>>>          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1,
>>>>                        ds_cstr(&match),
>>>>                        REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
>>>>                        lflow_ref);
>>>> +
>>>> +        ds_clear(&match);
>>>> +        ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
>>
>> ds_put_cstr().
>>
>>>> +        if (ls_stateful_rec->max_acl_tier.egress) {
>>>> +            ds_put_format(&match, " && " REG_ACL_TIER " == %"PRIu64,
>>>> +                          ls_stateful_rec->max_acl_tier.egress);
>>>> +        }
>>>>          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1,
>>>>                        ds_cstr(&match),
>>>>                        REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
>>>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
>>>> index 6c84311ed..a56be2a03 100644
>>>> --- a/tests/ovn-northd.at
>>>> +++ b/tests/ovn-northd.at
>>>> @@ -11449,6 +11449,79 @@ OVN_CLEANUP_NORTHD
>>>>  AT_CLEANUP
>>>>  ])
>>>>
>>>> +AT_SETUP([Tiered ACL default-allow fallback is gated by tier])
>>>> +AT_KEYWORDS([acl])
>>>> +
>>>> +dnl When tiered ACLs are in use, the priority-1 default-allow flow that
>>>> +dnl unblocks previously-blocked connections must not fire until the
>>>> +dnl tier loop reaches the highest configured tier; otherwise a drop ACL
>>>> +dnl at a higher tier would be bypassed for an already-blocked connection.
>>>> +
>>>> +ovn_start
>>>> +
>>>> +check ovn-nbctl ls-add ls
>>>> +check ovn-nbctl lsp-add ls lsp
> 
> A few things slipped through my previous review, sorry.
> 
> There's no --wait=sb sync here so checking the flows below might fail
> making the test flaky.
> 
>>>> +
>>>> +m4_define([UNBLOCK_FLOW], [ovn-sbctl lflow-list ls dnl
>>>> +  | grep -w $1 | grep 'ip && ct.est && ct_mark.blocked == 1' dnl
>>>> +  | ovn_strip_lflows | sed "s/\($1[[^)]]*\)/$1/"])
>>>> +
> 
> While this shortens the test a bit, I think I'd prefer the explicit
> checks as we do in other in other tests.
> 
>>>> +# Baseline: no ACLs => no stateful flows at all in acl_eval, so no
>>>> +# priority-1 default-allow either.
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [])
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [])
>>>> +
>>>> +# Add a stateful, untiered ACL on each direction. The priority-1
>>>> +# default-allow appears with no tier guard.
>>>> +check ovn-nbctl --wait=sb acl-add ls from-lport 1000 "tcp" allow-related
> 
> Nit: the first --wait=sb is not needed.
> 
>>>> +check ovn-nbctl --wait=sb acl-add ls to-lport   1000 "tcp" allow-related
>>>> +
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
>>>> +  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>> +])
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
>>>> +  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>> +])
>>>> +
>>>> +# Move both ACLs to tier 1. Each fallback flow should now be guarded
>>>> +# by REG_ACL_TIER == 1 so it only fires after the tier loop completes.
>>>> +in_uuid=$(ovn-nbctl --bare --columns _uuid find ACL direction=from-lport)
>>>> +out_uuid=$(ovn-nbctl --bare --columns _uuid find ACL direction=to-lport)
> 
> We should use fetch_column for both of these instead.
> 
>>>> +check ovn-nbctl --wait=sb set ACL $in_uuid tier=1
> 
> Nit: the first --wait=sb is not needed.
> 
>>>> +check ovn-nbctl --wait=sb set ACL $out_uuid tier=1
>>>> +
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
>>>> +  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; 
>>>> next;)
>>>> +])
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
>>>> +  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; 
>>>> next;)
>>>> +])
>>>> +
>>>> +# Move the ingress ACL to tier 3 while the egress ACL stays at tier 1.
>>>> +# The two stages should pick up their per-stage max independently.
>>>> +check ovn-nbctl --wait=sb set ACL $in_uuid tier=3
>>>> +
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
>>>> +  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1 && reg8[[30..31]] == 3), action=(reg8[[16]] = 1; 
>>>> next;)
>>>> +])
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
>>>> +  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; 
>>>> next;)
>>>> +])
>>>> +
>>>> +# Drop both ACLs back to tier 0; the tier guard should disappear.
>>>> +check ovn-nbctl --wait=sb set ACL $in_uuid tier=0
> 
> Nit: the first --wait=sb is not needed.
> 
>>>> +check ovn-nbctl --wait=sb set ACL $out_uuid tier=0
>>>> +
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
>>>> +  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>> +])
>>>> +AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
>>>> +  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
>>>> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>> +])
>>>> +
>>>> +OVN_CLEANUP_NORTHD
>>>> +AT_CLEANUP
>>>> +
>>>>  OVN_FOR_EACH_NORTHD_NO_HV([
>>>>  AT_SETUP([ACL "pass" logical flows])
>>>>  AT_KEYWORDS([acl])
>>>> --
>>>> 2.39.3
>>>>
> 
> To avoid a v3, I could go ahead and squash the following changes in.
> Just let me know if they look OK to you and I can merge the patch then.
> 
> Regards,
> Dumitru
> 
> diff --git a/northd/northd.c b/northd/northd.c
> index 0d87d75a43..1cc62eac52 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -8164,14 +8164,15 @@ build_acls(const struct ls_stateful_record 
> *ls_stateful_rec,
>           * uses "next;".
>           *
>           * When tiered ACLs are configured, this default-allow must only
> -         * fire after the tier loop has reached the highest configured
> +         * be hit after the tier loop has reached the highest configured
>           * tier; otherwise a drop ACL at a higher tier would be bypassed
>           * for an already-blocked connection (it would short-circuit on
>           * the first tier-0 visit, set VERDICT_ALLOW, and skip the rest
>           * of the tier loop).  Gate the match on REG_ACL_TIER == max_tier
> -         * so the rule only competes once every tier has been evaluated. */
> +         * so the rule can only be matched once every tier has been
> +         * evaluated. */
>          ds_clear(&match);
> -        ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
> +        ds_put_cstr(&match, "ip && ct.est && ct_mark.blocked == 1");
>          if (ls_stateful_rec->max_acl_tier.ingress_pre_lb) {
>              ds_put_format(&match, " && " REG_ACL_TIER " == %"PRIu64,
>                            ls_stateful_rec->max_acl_tier.ingress_pre_lb);
> @@ -8182,7 +8183,7 @@ build_acls(const struct ls_stateful_record 
> *ls_stateful_rec,
>                        lflow_ref);
> 
>          ds_clear(&match);
> -        ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
> +        ds_put_cstr(&match, "ip && ct.est && ct_mark.blocked == 1");
>          if (ls_stateful_rec->max_acl_tier.egress) {
>              ds_put_format(&match, " && " REG_ACL_TIER " == %"PRIu64,
>                            ls_stateful_rec->max_acl_tier.egress);
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 4a0a3c5ef2..4fb9a11146 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -11632,64 +11632,59 @@ dnl at a higher tier would be bypassed for an 
> already-blocked connection.
> 
>  ovn_start
> 
> -check ovn-nbctl ls-add ls
> -check ovn-nbctl lsp-add ls lsp
> -
> -m4_define([UNBLOCK_FLOW], [ovn-sbctl lflow-list ls dnl
> -  | grep -w $1 | grep 'ip && ct.est && ct_mark.blocked == 1' dnl
> -  | ovn_strip_lflows | sed "s/\($1[[^)]]*\)/$1/"])
> +check ovn-nbctl --wait=sb ls-add ls -- lsp-add ls lsp
> 
>  # Baseline: no ACLs => no stateful flows at all in acl_eval, so no
>  # priority-1 default-allow either.
> -AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [])
> -AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [])
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_in_acl_eval' | grep -q 'ip && 
> ct.est && ct_mark.blocked == 1'], [1])
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_out_acl_eval' | grep -q 'ip && 
> ct.est && ct_mark.blocked == 1'], [1])
> 
>  # Add a stateful, untiered ACL on each direction. The priority-1
>  # default-allow appears with no tier guard.
> -check ovn-nbctl --wait=sb acl-add ls from-lport 1000 "tcp" allow-related
> +check ovn-nbctl acl-add ls from-lport 1000 "tcp" allow-related
>  check ovn-nbctl --wait=sb acl-add ls to-lport   1000 "tcp" allow-related
> 
> -AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
> -  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_in_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>  ])
> -AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
> -  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_out_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>  ])
> 
>  # Move both ACLs to tier 1. Each fallback flow should now be guarded
> -# by REG_ACL_TIER == 1 so it only fires after the tier loop completes.
> -in_uuid=$(ovn-nbctl --bare --columns _uuid find ACL direction=from-lport)
> -out_uuid=$(ovn-nbctl --bare --columns _uuid find ACL direction=to-lport)
> -check ovn-nbctl --wait=sb set ACL $in_uuid tier=1
> +# by REG_ACL_TIER == 1 so it only matches after the tier loop completes.
> +in_uuid=$(fetch_column nb:ACL _uuid direction=from-lport)
> +out_uuid=$(fetch_column nb:ACL _uuid direction=to-lport)
> +check ovn-nbctl set ACL $in_uuid tier=1
>  check ovn-nbctl --wait=sb set ACL $out_uuid tier=1
> 
> -AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
> -  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_in_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; next;)
>  ])
> -AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
> -  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_out_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; next;)
>  ])
> 
>  # Move the ingress ACL to tier 3 while the egress ACL stays at tier 1.
>  # The two stages should pick up their per-stage max independently.
>  check ovn-nbctl --wait=sb set ACL $in_uuid tier=3
> 
> -AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
> -  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 3), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_in_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 3), action=(reg8[[16]] = 1; next;)
>  ])
> -AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
> -  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_out_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1 && reg8[[30..31]] == 1), action=(reg8[[16]] = 1; next;)
>  ])
> 
>  # Drop both ACLs back to tier 0; the tier guard should disappear.
> -check ovn-nbctl --wait=sb set ACL $in_uuid tier=0
> +check ovn-nbctl set ACL $in_uuid tier=0
>  check ovn-nbctl --wait=sb set ACL $out_uuid tier=0
> 
> -AT_CHECK([UNBLOCK_FLOW([ls_in_acl_eval])], [0], [dnl
> -  table=??(ls_in_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_in_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>  ])
> -AT_CHECK([UNBLOCK_FLOW([ls_out_acl_eval])], [0], [dnl
> -  table=??(ls_out_acl_eval), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> +AT_CHECK([ovn-sbctl lflow-list | grep 'ls_out_acl_eval' | grep 'ip && ct.est 
> && ct_mark.blocked == 1' | ovn_strip_lflows], [0], [dnl
> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>  ])
> 
>  OVN_CLEANUP_NORTHD
> 
> 

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to