On 3/7/23 09:27, Ales Musil wrote:
> On Mon, Mar 6, 2023 at 12:07 PM Xavier Simonart <[email protected]> wrote:
>
>> As commented in northd.c, we should not use ct() for router ports.
>> When there are no stateful_acl, this patch prevents sending packet to
>> conntrack for router ports.
>> The patch does this by issuing ct_clear in ls_out_pre_lb stage so that
>> hints are not set in ls_out_acl_hint and ls_out_acl stages.
>>
>> Note that ct_clear is not added for ingress for router ports as already
>> done for patch ports (no change by this patch on this aspect).
>>
>> Also, this patch does not change the behavior for ACLs such as
>> allow-related: packets are still sent to conntrack, even for router
>> ports. While this does not work if router ports are distributed,
>> allow-related ACLs work today on router ports when those ports are
>> handled on the same chassis for ingress and egress traffic. This patch
>> does not change that behavior.
>>
>> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2062431
>>
>> Signed-off-by: Xavier Simonart <[email protected]>
>>
>> ---
>> v2: - handled Dumitru's comments
>>     - handled Ales' comments
>>     - added change to xml documentation
>>     - do not do ct_clear for ingress as already done
>> ---
[...]
>>
>
> Looks good to me, thanks.
>
> Acked-by: Ales Musil <[email protected]>
>

Thanks, Xavier and Ales! I applied this to the main branch!

Regards,
Dumitru

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
