The ACLs configured by the "ovn -- L2 Drop and Allow ACL w/ Stateful ACL" test were incorrect because they didn't enclose logical port names in quotes. This caused stateful ACLs to never be applied so the L2 drop rules were not properly tested.
ovn-controller was logging the following errors: lflow|WARN|error parsing match "reg0[8] == 1 && (inport == lp31 && ip)": Syntax error at `lp31' expecting constant. lflow|WARN|error parsing match "reg0[8] == 1 && (inport == lp31 && ip)": Syntax error at `lp31' expecting constant. lflow|WARN|error parsing match "reg0[8] == 1 && (inport == lp31 && ip)": Syntax error at `lp31' expecting constant. Fixes: 63640c0d1199 ("ovn-northd: ls_*_acl behavior not consistent for untracked flows") Signed-off-by: Dumitru Ceara <dce...@redhat.com> --- tests/ovn.at | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ovn.at b/tests/ovn.at index 8f88424..718b2ee 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -14096,7 +14096,7 @@ for sf in 0 1; do if test ${sf} = 1; then # Add a stateful rule and re-run the check to make sure the # drop rule is still effective.. - ovn-nbctl --wait=hv acl-add lsw0 from-lport 2000 "inport == lp31 && ip" allow-related + ovn-nbctl --wait=hv acl-add lsw0 from-lport 2000 'inport == "lp31" && ip' allow-related fi for is in 1 2 3; do s=${is}1 @@ -14135,7 +14135,7 @@ for sf in 0 1; do if test ${sf} = 1; then # Add a stateful rule and re-run the check to make sure the # allow rule is still effective.. - check ovn-nbctl --wait=hv acl-add lsw0 from-lport 2000 "inport == lp31 && ip" allow-related + check ovn-nbctl --wait=hv acl-add lsw0 from-lport 2000 'inport == "lp31" && ip' allow-related fi # dump information and flows with counters ovn-sbctl dump-flows -- list multicast_group > sbflows$sf -- 1.8.3.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
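Review bot: In the first hunk (@@ -14096), the corrected `ovn-nbctl --wait=hv acl-add lsw0 from-lport 2000 ...` line is still not prefixed with `check`, while the identical command in the second hunk is. Adding `check` here would make the two tests consistent and fail the test at this step if the command itself returns an error. Note that `check` alone would not have caught the original problem, since the unquoted match was only rejected later, when ovn-controller parsed the logical flow.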
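Review bot: In the second hunk (@@ -14135), the quoting fix is right, but nothing in the visible context would detect a regression of the same kind: the flows are dumped to `sbflows$sf` with no assertion shown on them, and the failure only appeared as an ovn-controller `lflow|WARN|error parsing match` line. Consider asserting after the stateful ACL is added that the ovn-controller log has no `error parsing match` warnings, or that the dumped flows contain the `inport == "lp31" && ip` match, so a malformed ACL match in this test fails it instead of silently skipping the stateful path the commit message says went untested.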