On Tue, Nov 15, 2022 at 5:31 PM Mark Michelson <[email protected]> wrote:
> Hi Ales, be sure to address the checkpatch errors that 0-day robot > reported. > > Other than that, I have just a couple of comments down below. > > Done in v3. > > On 11/4/22 04:18, Ales Musil wrote: > > In order to allow realted traffic use the > > s/realted/related/ > Done in v3. > > > new action ct_commit_nat, which ensures that > > the traffic is commited and NATted. In combination > > with match on ct.rel it allows the related traffic > > to go through with correct NAT being applied. > > > > Reported-at: https://bugzilla.redhat.com/2126083 > > Signed-off-by: Ales Musil <[email protected]> > > --- > > v2: Add e2e test case. > > --- > > northd/northd.c | 29 ++++-- > > northd/ovn-northd.8.xml | 19 +++- > > tests/ovn-northd.at | 208 +++++++++++++++++++++------------------- > > tests/ovn.at | 10 +- > > tests/system-ovn.at | 128 +++++++++++++++++++++++++ > > 5 files changed, 279 insertions(+), 115 deletions(-) > > > > diff --git a/northd/northd.c b/northd/northd.c > > index b7388afc5..e188e4f6a 100644 > > --- a/northd/northd.c > > +++ b/northd/northd.c > > @@ -6686,7 +6686,8 @@ build_acls(struct ovn_datapath *od, const struct > chassis_features *features, > > /* Ingress and Egress ACL Table (Priority 65535). > > * > > * Allow traffic that is related to an existing conntrack > entry that > > - * has not been marked for deletion (ct_mark.blocked). > > + * has not been marked for deletion (ct_mark.blocked). At the > same > > + * time apply NAT on this traffic. > > * > > * This is enforced at a higher priority than ACLs can be > defined. > > * > > @@ -6699,9 +6700,9 @@ build_acls(struct ovn_datapath *od, const struct > chassis_features *features, > > use_ct_inv_match ? " && !ct.inv" : "", > > ct_blocked_match); > > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, > > - ds_cstr(&match), "next;"); > > + ds_cstr(&match), "ct_commit_nat;"); > > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, > > - ds_cstr(&match), "next;"); > > + ds_cstr(&match), "ct_commit_nat;"); > > > > /* Ingress and Egress ACL Table (Priority 65532). > > * > > @@ -10006,16 +10007,16 @@ build_lrouter_nat_flows_for_lb(struct > ovn_lb_vip *lb_vip, > > int prio = 110; > > if (lb_vip->vip_port) { > > prio = 120; > > - new_match = xasprintf("ct.new && %s && %s && " > > + new_match = xasprintf("ct.new && !ct.rel && %s && %s && " > > REG_ORIG_TP_DPORT_ROUTER" == %d", > > ds_cstr(match), lb->proto, > lb_vip->vip_port); > > - est_match = xasprintf("ct.est && %s && %s && " > > + est_match = xasprintf("ct.est && !ct.rel && %s && %s && " > > REG_ORIG_TP_DPORT_ROUTER" == %d && %s == > 1", > > ds_cstr(match), lb->proto, > lb_vip->vip_port, > > ct_natted); > > } else { > > - new_match = xasprintf("ct.new && %s", ds_cstr(match)); > > - est_match = xasprintf("ct.est && %s && %s == 1", > > + new_match = xasprintf("ct.new && !ct.rel && %s", > ds_cstr(match)); > > + est_match = xasprintf("ct.est && !ct.rel && %s && %s == 1", > > ds_cstr(match), ct_natted); > > } > > > > @@ -13664,6 +13665,20 @@ build_lrouter_nat_defrag_and_lb(struct > ovn_datapath *od, struct hmap *lflows, > > ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;"); > > ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", > "next;"); > > > > + /* Ingress DNAT Table (Priority 50). > > + * > > + * Allow traffic that is related to an existing conntrack entry. > > + * At the same time apply NAT for this traffic. > > + * > > + * NOTE: This does not support related data sessions (eg, > > + * a dynamically negotiated FTP data channel), but will allow > > + * related traffic such as an ICMP Port Unreachable through > > + * that's generated from a non-listening UDP port. */ > > + if (od->has_lb_vip) { > > + ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 50, > > + "ct.rel && !ct.est && !ct.new", "ct_commit_nat;"); > > + } > > + > > /* If the router has load balancer or DNAT rules, re-circulate > every packet > > * through the DNAT zone so that packets that need to be unDNATed > in the > > * reverse direction get unDNATed. > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > index a70f2e678..175db6130 100644 > > --- a/northd/ovn-northd.8.xml > > +++ b/northd/ovn-northd.8.xml > > @@ -766,6 +766,8 @@ > > related to a committed flow in the connection tracker (e.g., an > > ICMP Port Unreachable from a non-listening UDP port), as long > > as the committed flow does not have > <code>ct_mark.blocked</code> set. > > + This flow also applies NAT to the related traffic so that ICMP > headers > > + and the inner packet have correct addresses. > > If ACL logging and logging of related packets is enabled, then > a > > companion priority-65533 flow will be installed that > accomplishes the > > same thing but also logs the traffic. > > @@ -3206,7 +3208,7 @@ icmp6 { > > Router with gateway port in <code>OVN_Northbound</code> > database that > > includes a L4 port <var>PORT</var> of protocol <var>P</var> > and IPv4 > > or IPv6 address <var>VIP</var>, a priority-120 flow that > matches on > > - <code>ct.new && ip && reg0 == <var>VIP</var> > > + <code>ct.new && !ct.rel && ip && reg0 > == <var>VIP</var> > > && <var>P</var> && reg9[16..31] == </code> > > <code><var>PORT</var></code> (<code>xxreg0 == > <var>VIP</var></code> > > in the IPv6 case) with an action of > > @@ -3238,7 +3240,7 @@ icmp6 { > > <code>OVN_Northbound</code> database that includes a L4 port > > <var>PORT</var> of protocol <var>P</var> and IPv4 or IPv6 > address > > <var>VIP</var>, a priority-120 flow that matches on > > - <code>ct.est && ip4 && reg0 == <var>VIP</var> > > + <code>ct.est && !ct.rel && ip4 && > reg0 == <var>VIP</var> > > && <var>P</var> && reg9[16..31] == </code> > > <code><var>PORT</var></code> (<code>ip6</code> and > > <code>xxreg0 == <var>VIP</var></code> in the IPv6 case) with > an > > @@ -3263,7 +3265,7 @@ icmp6 { > > For all the configured load balancing rules for a router in > > <code>OVN_Northbound</code> database that includes just an > IP address > > <var>VIP</var> to match on, a priority-110 flow that matches > on > > - <code>ct.new && ip4 && reg0 == > > + <code>ct.new && !ct.rel && ip4 && > reg0 == > > <var>VIP</var></code> (<code>ip6</code> and <code>xxreg0 == > > <var>VIP</var></code> in the IPv6 case) with an action of > > <code>ct_lb_mark(<var>args</var>)</code>, where > <var>args</var> contains > > @@ -3290,7 +3292,7 @@ icmp6 { > > For all the configured load balancing rules for a router in > > <code>OVN_Northbound</code> database that includes just an > IP address > > <var>VIP</var> to match on, a priority-110 flow that matches > on > > - <code>ct.est && ip4 && reg0 == > > + <code>ct.est && !ct.rel && ip4 && > reg0 == > > <var>VIP</var></code> (or <code>ip6</code> and > > <code>xxreg0 == <var>VIP</var></code>) with an action of > > <code>next;</code>. If the router is configured to force > SNAT any > > @@ -3317,6 +3319,15 @@ icmp6 { > > Please note using <code>--reject</code> option will disable > > empty_lb SB controller event for this load balancer. > > </li> > > + > > + <li> > > + <p> > > + For the related traffic, a priority 50 flow that matches > > + <code>ct.rel && !ct.est && !ct.new </code> > > + with an action of <code>ct_commit_nat;</code>, if the router > > + has load balancer assigned to it. > > + </p> > > + </li> > > </ul> > > > > <p>Ingress Table 6: DNAT on Gateway Routers</p> > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > > index 4f399eccb..654e55984 100644 > > --- a/tests/ovn-northd.at > > +++ b/tests/ovn-northd.at > > @@ -2348,7 +2348,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e > ls_in_acl_hint -e ls_out_acl_hint -e > > table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && > !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) > > table=4 (ls_out_acl ), priority=1 , match=(ip && > !ct.est), action=(reg0[[1]] = 1; next;) > > table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && > ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) > > @@ -2360,7 +2360,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e > ls_in_acl_hint -e ls_out_acl_hint -e > > table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && > !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) > > table=8 (ls_in_acl ), priority=1 , match=(ip && > !ct.est), action=(reg0[[1]] = 1; next;) > > table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > ]) > > @@ -2388,7 +2388,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e > ls_in_acl_hint -e ls_out_acl_hint -e > > table=4 (ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 > && (ip)), action=(reg0[[1]] = 1; next;) > > table=4 (ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 > && (ip)), action=(next;) > > table=4 (ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > > - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -2406,7 +2406,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e > ls_in_acl_hint -e ls_out_acl_hint -e > > table=8 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 > && (ip)), action=(reg0[[1]] = 1; next;) > > table=8 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 > && (ip)), action=(next;) > > table=8 (ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -3660,10 +3660,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | > sort], [0], [dnl > > @@ -3696,10 +3697,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | > sort], [0], [dnl > > @@ -3742,10 +3744,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | > sort], [0], [dnl > > @@ -3802,10 +3805,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | > sort], [0], [dnl > > @@ -3848,8 +3852,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > ]) > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | sort], > [0], [dnl > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.20 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.skip_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.20 && tcp && reg9[[16..31]] == 80), > action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.20 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.skip_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.20 && tcp && reg9[[16..31]] == 80), > action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080);) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -4224,14 +4228,14 @@ ovn-sbctl dump-flows sw0 > sw0flows > > AT_CAPTURE_FILE([sw0flows]) > > > > AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed > 's/table=./table=?/'], [0], [dnl > > - table=? (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=? (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=? (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=? (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > ]) > > > > AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed > 's/table=./table=?/'], [0], [dnl > > - table=? (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=? (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=? (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=? (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -4244,14 +4248,14 @@ ovn-sbctl dump-flows sw0 > sw0flows > > AT_CAPTURE_FILE([sw0flows]) > > > > AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed > 's/table=./table=?/'], [0], [dnl > > - table=? (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && ct_mark.blocked == 0), action=(next;) > > + table=? (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && ct_mark.blocked == 0), action=(ct_commit_nat;) > > table=? (ls_in_acl ), priority=65532, match=((ct.est && > ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=? (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = > 0; reg0[[10]] = 0; next;) > > table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > ]) > > > > AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed > 's/table=./table=?/'], [0], [dnl > > - table=? (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && ct_mark.blocked == 0), action=(next;) > > + table=? (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && ct_mark.blocked == 0), action=(ct_commit_nat;) > > table=? (ls_out_acl ), priority=65532, match=((ct.est && > ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=? (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(next;) > > table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -4268,14 +4272,14 @@ ovn-sbctl dump-flows sw0 > sw0flows > > AT_CAPTURE_FILE([sw0flows]) > > > > AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed > 's/table=./table=?/'], [0], [dnl > > - table=? (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=? (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=? (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=? (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > ]) > > > > AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed > 's/table=./table=?/'], [0], [dnl > > - table=? (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=? (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=? (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=? (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -5103,14 +5107,15 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst > == 172.168.0.20 && inport == "lr0-public" && > is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone(10.0.0.3);) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 172.168.0.200 && ct_mark.natted == 1 && > is_chassis_resident("cr-lr0-public")), action=(next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 172.168.0.200 && is_chassis_resident("cr-lr0-public")), > action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1 > && is_chassis_resident("cr-lr0-public")), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted > == 1 && is_chassis_resident("cr-lr0-public")), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted > == 1 && is_chassis_resident("cr-lr0-public")), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > is_chassis_resident("cr-lr0-public")), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:82,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:6062,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.200 && ct_mark.natted == 1 && > is_chassis_resident("cr-lr0-public")), action=(next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.200 && > is_chassis_resident("cr-lr0-public")), > action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > is_chassis_resident("cr-lr0-public")), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:82,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:6062,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -5172,14 +5177,15 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst > == 172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 172.168.0.200 && ct_mark.natted == 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 172.168.0.200), > action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted > == 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted > == 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.200), > action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > ct_mark.natted == 1), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > ct_mark.natted == 1), action=(next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -5233,14 +5239,15 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst > == 172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = > 1; ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -5297,16 +5304,17 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst > == 172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = > 1; ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -5374,18 +5382,19 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst > == 172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip6 > && xxreg0 == def0::2 && tcp && reg9[[16..31]] == 8000 && ct_mark.natted == > 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip6 > && xxreg0 == def0::2 && tcp && reg9[[16..31]] == 8000), > action=(flags.force_snat_for_lb = 1; > ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.200 && ct_mark.natted == 1), > action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = > 1; ct_lb_mark(backends=10.0.0.80,10.0.0.81);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip6 && xxreg0 == def0::2 && tcp && reg9[[16..31]] == 8000 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.10 && tcp && reg9[[16..31]] == 9082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp && reg9[[16..31]] == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82 > ,10.0.0.60:82);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip6 && xxreg0 == def0::2 && tcp && reg9[[16..31]] == 8000), > action=(flags.force_snat_for_lb = 1; > ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -5441,10 +5450,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], > [0], [dnl > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl > > table=6 (lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && tcp && reg9[[16..31]] == 60 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted > == 1), action=(flags.force_snat_for_lb = 1; next;) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && tcp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > - table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 > && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && tcp && reg9[[16..31]] == 60 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && > ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && tcp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062 > ,10.0.0.60:6062);) > > + table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed > 's/table=./table=?/' | sort], [0], [dnl > > @@ -6522,7 +6532,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed > 's/table=../table=??/' | sort], [0], > > table=??(ls_in_acl ), priority=2004 , match=(reg0[[10]] == > 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = > 1; }; /* drop */) > > table=??(ls_in_acl ), priority=2004 , match=(reg0[[9]] == 1 > && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) > > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=??(ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -6567,7 +6577,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed > 's/table=../table=??/' | sort], [0], > > table=??(ls_in_acl ), priority=1 , match=(ip && > !ct.est), action=(reg0[[1]] = 1; next;) > > table=??(ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=??(ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -6624,7 +6634,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed > 's/table=../table=??/' | sort], [0], > > table=??(ls_in_acl ), priority=2003 , match=(reg0[[7]] == 1 > && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) > > table=??(ls_in_acl ), priority=2003 , match=(reg0[[8]] == 1 > && (ip4 && icmp)), action=(next;) > > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=??(ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7055,7 +7065,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > > table=??(ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 > && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) > > table=??(ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 > && (ip4 && tcp)), action=(next;) > > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=??(ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7077,7 +7087,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > > table=??(ls_out_acl ), priority=1 , match=(ip && > !ct.est), action=(drop;) > > table=??(ls_out_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > > - table=??(ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=??(ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7178,7 +7188,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > > table=??(ls_in_acl ), priority=1 , match=(ip && > !ct.est), action=(drop;) > > table=??(ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=??(ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7202,7 +7212,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > > table=??(ls_out_acl ), priority=1 , match=(ip && > !ct.est), action=(drop;) > > table=??(ls_out_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > > - table=??(ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=??(ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7303,7 +7313,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > > table=??(ls_in_acl ), priority=1 , match=(ip && > !ct.est), action=(drop;) > > table=??(ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > > - table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=??(ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7327,7 +7337,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > > table=??(ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 > && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) > > table=??(ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 > && (ip4 && tcp)), action=(next;) > > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > > - table=??(ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=??(ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=??(ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=??(ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > > @@ -7648,8 +7658,8 @@ check ovn-nbctl > \ > > AS_BOX([No chassis registered - use ct_lb_mark and ct_mark.natted]) > > check ovn-nbctl --wait=sb sync > > AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 66.66.66.66 && ct_mark.natted == 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 66.66.66.66 && ct_mark.natted == 1), > action=(next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 66.66.66.66), > action=(ct_lb_mark(backends=42.42.42.2);) > > table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == > 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;) > > table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == > 1), action=(ct_lb_mark;) > > table=11(ls_in_lb ), priority=110 , match=(ct.new && > ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; > ct_lb_mark(backends=42.42.42.2);) > > @@ -7660,8 +7670,8 @@ AS_BOX([Chassis registered that doesn't support > ct_lb_mark - use ct_lb and ct_la > > check ovn-sbctl chassis-add hv geneve 127.0.0.1 > > check ovn-nbctl --wait=sb sync > > AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 66.66.66.66 && ct_label.natted == 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 66.66.66.66), action=(ct_lb(backends=42.42.42.2);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 66.66.66.66 && ct_label.natted == 1), > action=(next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 66.66.66.66), action=(ct_lb(backends=42.42.42.2);) > > table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == > 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;) > > table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == > 1), action=(ct_lb;) > > table=11(ls_in_lb ), priority=110 , match=(ct.new && > ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);) > > @@ -7672,8 +7682,8 @@ AS_BOX([Chassis upgrades and supports ct_lb_mark - > use ct_lb_mark and ct_mark.na > > check ovn-sbctl set chassis hv other_config:ct-no-masked-label=true > > check ovn-nbctl --wait=sb sync > > AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 > && reg0 == 66.66.66.66 && ct_mark.natted == 1), action=(next;) > > - table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 > && reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.est && > !ct.rel && ip4 && reg0 == 66.66.66.66 && ct_mark.natted == 1), > action=(next;) > > + table=6 (lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && reg0 == 66.66.66.66), > action=(ct_lb_mark(backends=42.42.42.2);) > > table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == > 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;) > > table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == > 1), action=(ct_lb_mark;) > > table=11(ls_in_lb ), priority=110 , match=(ct.new && > ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; > ct_lb_mark(backends=42.42.42.2);) > > @@ -7701,7 +7711,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep > 'ls.*acl.*blocked' ], [0], [dnl > > table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && > ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; > reg0[[10]] = 1; next;) > > table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && > ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) > > table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && > ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) > > - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > @@ -7709,7 +7719,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep > 'ls.*acl.*blocked' ], [0], [dnl > > table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && > ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; > reg0[[10]] = 1; next;) > > table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && > ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) > > table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && > ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) > > - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > @@ -7723,7 +7733,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep > 'ls.*acl.*blocked' ], [0], [dnl > > table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && > ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; > reg0[[10]] = 1; next;) > > table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && > ct_label.blocked == 1), action=(reg0[[9]] = 1; next;) > > table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && > ct_label.blocked == 0), action=(reg0[[10]] = 1; next;) > > - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;) > > + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), > action=(ct_commit_nat;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) > > table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_label.blocked == 1), action=(reg0[[1]] = 1; next;) > > @@ -7731,7 +7741,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep > 'ls.*acl.*blocked' ], [0], [dnl > > table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && > ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; > reg0[[10]] = 1; next;) > > table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && > ct_label.blocked == 1), action=(reg0[[9]] = 1; next;) > > table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && > ct_label.blocked == 0), action=(reg0[[10]] = 1; next;) > > - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;) > > + table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), > action=(ct_commit_nat;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), > action=(next;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) > > table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est > && ct_label.blocked == 1), action=(reg0[[1]] = 1; next;) > > @@ -7745,7 +7755,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep > 'ls.*acl.*blocked' ], [0], [dnl > > table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && > ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; > reg0[[10]] = 1; next;) > > table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && > ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) > > table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && > ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) > > - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) > > table=8 (ls_in_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > @@ -7753,7 +7763,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep > 'ls.*acl.*blocked' ], [0], [dnl > > table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && > ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; > reg0[[10]] = 1; next;) > > table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && > ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) > > table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && > ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) > > - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) > > + table=4 (ls_out_acl ), priority=65532, match=(!ct.est && > ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), > action=(ct_commit_nat;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.est && > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), > action=(next;) > > table=4 (ls_out_acl ), priority=65532, match=(ct.inv || > (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) > > table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est > && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) > > diff --git a/tests/ovn.at b/tests/ovn.at > > index 65edb7812..b9ac6d359 100644 > > --- a/tests/ovn.at > > +++ b/tests/ovn.at > > @@ -23669,7 +23669,7 @@ AT_CAPTURE_FILE([sbflows2]) > > OVS_WAIT_FOR_OUTPUT( > > [ovn-sbctl dump-flows > sbflows2 > > ovn-sbctl dump-flows lr0 | grep ct_lb_mark | grep priority=120 | > sed 's/table=..//'], 0, > > - [ (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && > reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) > > + [ (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && > ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) > > ]) > > > > # get the svc monitor mac. > > @@ -23711,8 +23711,8 @@ AT_CHECK( > > AT_CAPTURE_FILE([sbflows4]) > > ovn-sbctl dump-flows lr0 > sbflows4 > > AT_CHECK([grep lr_in_dnat sbflows4 | grep priority=120 | sed > 's/table=..//' | sort], [0], [dnl > > - (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 > == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1 && > is_chassis_resident("cr-lr0-public")), action=(next;) > > - (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 > == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > is_chassis_resident("cr-lr0-public")), action=(drop;) > > + (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && > ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted > == 1 && is_chassis_resident("cr-lr0-public")), action=(next;) > > + (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && > ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && > is_chassis_resident("cr-lr0-public")), action=(drop;) > > ]) > > > > # Delete sw0-p1 > > @@ -32405,7 +32405,7 @@ SNAT_ZONE_REG="NXM_NX_REG12[[0..15]]" > > > > lr0_dp_key=$(printf "%x" $(fetch_column Datapath_Binding tunnel_key > external_ids:name=lr0)) > > > > -dnat_zone=$(ovs-ofctl dump-flows br-int > table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep -o zone=.*, | cut -d '=' > -f 2) > > +dnat_zone=$(ovs-ofctl dump-flows br-int > table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep "nw_dst=172.16.0.2" | > grep -o zone=.*, | cut -d '=' -f 2) > > dnat_zone=${dnat_zone::-1} > > snat_zone=$(ovs-ofctl dump-flows br-int > table=$SNAT_TABLE,metadata=0x${lr0_dp_key} | grep priority=153 | grep -o > zone=.*, | cut -d '=' -f 2) > > snat_zone=${snat_zone::-1} > > @@ -32417,7 +32417,7 @@ check test "$snat_zone" = "$DNAT_ZONE_REG" > > > > check ovn-nbctl --wait=hv set logical_router lr0 > options:snat-ct-zone=666 > > > > -dnat_zone=$(ovs-ofctl dump-flows br-int > table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep -o zone=.*, | cut -d '=' > -f 2) > > +dnat_zone=$(ovs-ofctl dump-flows br-int > table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep "nw_dst=172.16.0.2" | > grep -o zone=.*, | cut -d '=' -f 2) > > dnat_zone=${dnat_zone::-1} > > snat_zone=$(ovs-ofctl dump-flows br-int > table=$SNAT_TABLE,metadata=0x${lr0_dp_key} | grep priority=153 | grep -o > zone=.*, | cut -d '=' -f 2) > > snat_zone=${snat_zone::-1} > > diff --git a/tests/system-ovn.at b/tests/system-ovn.at > > index 20c058415..bcaf765e4 100644 > > --- a/tests/system-ovn.at > > +++ b/tests/system-ovn.at > > @@ -8597,3 +8597,131 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query > port patch-.*/d > > /connection dropped.*/d"]) > > AT_CLEANUP > > ]) > > + > > +OVN_FOR_EACH_NORTHD([ > > +AT_SETUP([LB - ICMP related traffic]) > > + > > +CHECK_CONNTRACK() > > +CHECK_CONNTRACK_NAT() > > +ovn_start > > +OVS_TRAFFIC_VSWITCHD_START() > > +ADD_BR([br-int]) > > + > > +# Set external-ids in br-int needed for ovn-controller > > +ovs-vsctl \ > > + -- set Open_vSwitch . external-ids:system-id=hv1 \ > > + -- set Open_vSwitch . > external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ > > + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ > > + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ > > + -- set bridge br-int fail-mode=secure > other-config:disable-in-band=true > > +start_daemon ovn-controller > > + > > +# client -- ls0 -- lr -- ls1 -- server > > +check ovn-nbctl ls-add ls0 > > +check ovn-nbctl ls-add ls1 > > + > > +check ovn-nbctl lsp-add ls0 ls0-lr > > +check ovn-nbctl lsp-set-type ls0-lr router > > +check ovn-nbctl lsp-set-addresses ls0-lr 00:00:00:00:10:00 router > > +check ovn-nbctl lsp-set-options ls0-lr router-port=lr-ls0 > > + > > +check ovn-nbctl lsp-add ls1 ls1-lr > > +check ovn-nbctl lsp-set-type ls1-lr router > > +check ovn-nbctl lsp-set-addresses ls1-lr 00:00:00:00:20:00 router > > +check ovn-nbctl lsp-set-options ls1-lr router-port=lr-ls1 > > + > > +check ovn-nbctl lsp-add ls0 client > > +check ovn-nbctl lsp-set-addresses client "00:00:00:00:10:10 > 192.168.10.10" > > + > > +check ovn-nbctl lsp-add ls1 server > > +check ovn-nbctl lsp-set-addresses server "00:00:00:00:20:10 > 192.168.20.10" > > + > > +check ovn-nbctl lr-add lr > > +check ovn-nbctl lrp-add lr lr-ls0 00:00:00:00:10:00 192.168.10.1/24 > > +check ovn-nbctl lrp-add lr lr-ls1 00:00:00:00:20:00 192.168.20.1/24 > > + > > +check ovn-nbctl lrp-set-gateway-chassis lr-ls0 hv1 > > + > > +check ovn-nbctl lb-add lb0 192.168.20.20 192.168.20.10 > > + > > +ADD_NAMESPACES(client) > > +ADD_VETH(client, client, br-int, "192.168.10.10/24", > "00:00:00:00:10:10", \ > > + "192.168.10.1") > > +ADD_NAMESPACES(server) > > +ADD_VETH(server, server, br-int, "192.168.20.10/24", > "00:00:00:00:20:10", \ > > + "192.168.20.1") > > + > > +test_related_traffic() { > > + > > + check ovn-nbctl ls-lb-del ls0 > > + check ovn-nbctl lr-lb-del lr > > + > > + if [[ "$1" == "switch" ]]; then > > + check ovn-nbctl ls-lb-add ls0 lb0 > > + else > > + check ovn-nbctl lr-lb-add lr lb0 > > + fi > > + > > + NETNS_DAEMONIZE([client], [tcpdump -U -i client -w client.pcap], > [tcpdump0.pid]) > > + NETNS_DAEMONIZE([server], [tcpdump -U -i server -w server.pcap], > [tcpdump1.pid]) > > + > > + # Setup a dummy UDP listeners so we don't get "port unreachable". > > + NETNS_DAEMONIZE([client], [nc -l -u 1], [nc0.pid]) > > + NETNS_DAEMONIZE([server], [nc -l -u 2], [nc1.pid]) > > + sleep 1 > > + > > + # Send UDP client -> server > > + check ovs-ofctl packet-out br-int "in_port=ovs-client,\ > > > +packet=00000000100000000000101008004500001C000040000A11D162C0A80A0AC0A814140001000200080000,\ > > +actions=resubmit(,0)" > > + > > + # Send reply server -> client > > + check ovs-ofctl packet-out br-int "in_port=ovs-server,\ > > > +packet=00000000200000000000201008004500001C000040000A11D16CC0A8140AC0A80A0A0002000100080000,\ > > +actions=resubmit(,0)" > > + > > + # Send ICMP "need to frag" client -> server > > + check ovs-ofctl packet-out br-int "in_port=ovs-client,\ > > > +packet=000000001000000000001010080045000038011F0000FF011B37C0A80A0AC0A814140304F77800000578\ > > +4500001c000040000911d262c0a81414c0a80a0a0002000100080000,\ > > +actions=resubmit(,0)" > > + > > + # Wait for all packets to arrive > > + OVS_WAIT_UNTIL([test $(tcpdump -tvnnne "udp" -r client.pcap > 2>/dev/null | wc -l) -eq 2]) > > + OVS_WAIT_UNTIL([test $(tcpdump -tvnnne "udp" -r server.pcap > 2>/dev/null | wc -l) -eq 2]) > > + OVS_WAIT_UNTIL([test $(tcpdump -tvnnne "icmp" -r server.pcap > 2>/dev/null | wc -l) -eq 4]) > > + > > + kill $(cat tcpdump0.pid) > > + kill $(cat tcpdump1.pid) > > + > > + kill $(cat nc0.pid) > > + kill $(cat nc1.pid) > > + > > + # Check the ICMP packet > > + AT_CHECK([tcpdump -tvnnne "icmp" -r server.pcap 2>/dev/null | sed > 's/^\s*//'], [0], [dnl > > +00:00:00:00:20:00 > 00:00:00:00:20:10, ethertype IPv4 (0x0800), length > 70: (tos 0x0, ttl 254, id 287, offset 0, flags [[none]], proto ICMP (1), > length 56) > > +192.168.10.10 > 192.168.20.10: ICMP 192.168.10.10 unreachable - need > to frag (mtu 1400), length 36 > > +(tos 0x0, ttl 9, id 0, offset 0, flags [[DF]], proto UDP (17), length > 28) > > +192.168.20.10.2 > 192.168.10.10.1: UDP, length 0 > > +]) > > Using stdout from tcpdump seems a bit dangerous. It's possible to have > UI variations between versions of tcpdump and for the UI to vary between > distros. > > I think a better method would be to run the ovs-pcap utility against the > server.pcap file. This can turn the pcap data into raw hex packets. You > can then check the packets to determine whether the "need to frag" > packet you expect to be present is there. > Right, that makes sense. I've adjusted the test to be independent on the tcpdump human readable output. > > > +} > > + > > +test_related_traffic switch > > +test_related_traffic router > > + > > +OVS_APP_EXIT_AND_WAIT([ovn-controller]) > > + > > +as ovn-sb > > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > > + > > +as ovn-nb > > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > > + > > +as northd > > +OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE]) > > + > > +as > > +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d > > +/connection dropped.*/d"]) > > +AT_CLEANUP > > +]) > > Thanks, Ales -- Ales Musil Senior Software Engineer - OVN Core Red Hat EMEA <https://www.redhat.com> [email protected] IM: amusil <https://red.ht/sig> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
