Re: [ovs-dev] [PATCH ovn v2] northd: Added svc_monitor_ipv4 in NB_Global options.

Mark Michelson Thu, 01 Feb 2024 19:15:18 -0800

Hi Priyankar,

I'm not sure I understand the purpose of this patch. Even without thispatch, you could configure whatever IP address you want in theip_port_mappings as the source address for the health checks. I don'tsee anything in the code that restricts the IP to be within the subnetof the backend IP address. And even if there is such a restriction, Idon't see anything in this patch that lifts that restriction.

The extra matches added in this patch (eth.dst == $svc_monitor_mac ||ip4.dst == $svc_monitor_ip4) don't make much sense to me either. WhenOVN sends a health check, the reply from the backend will have eth.dstset to the service monitor MAC address. Since the existing matches donot care what the destination IPv4 address is, the existing match shouldwork fine. If there was something in the code that was dropping packetsaddressed to IP addresses outside the subnet of the configured loadbalancer backends, this patch doesn't appear to be doing anything toprevent such droppage.

And finally, if I'm mistaken about my above two points, then my finalproblem with this patch is that it only adds support for IPv4. I noticedthat in the documentation for the Service_Monitor table in thesouthbound database, it claims that "Service monitoring for IPv6services is not supported." And the "src_ip" field is documented as"Source IPv4 address to use in the service monitor packet."Unfortunately, these are inaccurate. IPv6 service monitoring was addedas a feature about 3 months after the initial IPv4 service monitoringwas added. Unfortunately, it looks as though we did not update thedocumentation, and we need to get this fixed. However, the northboundload balancer health check documentation makes it clear that IPv6 issupported, and the code also has support for IPv6 in it. So if I'mincorrect in the first two paragraphs and this option is really needed,then it needs to support IPv6 as well.


Thanks,
Mark Michelson

On 1/8/24 08:00, Priyankar Jain wrote:

This commit adds a new optional svc_monitor_ipv4 config in the NB_Global
options column. This IP address can be used to send the packets to the
OVN controller bypassing most of the logical switches pipelines.

Usage: Currently Load balancer health check requires a source IP address
to be allocated from the subnets where backends are present.
This change removes that requirement and instead user can give one IP
address for the system and set it in NB_Global:options:svc_monitor_ipv4.
While configuring the health check for the load balancer user can
provide this same IP while specifying the ip-port mappings.

Signed-off-by: Priyankar Jain <[email protected]>
---

Changes since v1:
  - Fixed one testcase in ovn-northd.at

---
  northd/en-sync-sb.c     | 10 +++++
  northd/northd.c         | 34 +++++++++++++--
  northd/northd.h         |  1 +
  northd/ovn-northd.8.xml | 40 +++++++++++------
  tests/ovn-northd.at     | 96 ++++++++++++++++++++---------------------
  5 files changed, 116 insertions(+), 65 deletions(-)

diff --git a/northd/en-sync-sb.c b/northd/en-sync-sb.c
index 2ec3bf54f..95e9ead29 100644
--- a/northd/en-sync-sb.c
+++ b/northd/en-sync-sb.c
@@ -372,6 +372,16 @@ sync_addr_sets(struct ovsdb_idl_txn *ovnsb_txn,
      sync_addr_set(ovnsb_txn, "svc_monitor_mac", &svc, &sb_address_sets);
      sorted_array_destroy(&svc);

+ /* Service monitor IP. */

+    const char *svc_monitor_ip4 = northd_get_svc_monitor_ip4();
+    int num_addr = 0; /* Create empty address-set by default */
+    if (svc_monitor_ip4) {
+        num_addr = 1;
+    }
+    struct sorted_array ip_svc = sorted_array_create(&svc_monitor_ip4,
+                                                     num_addr, false);
+    sync_addr_set(ovnsb_txn, "svc_monitor_ip4", &ip_svc, &sb_address_sets);
+
      /* sync port group generated address sets first */
      const struct nbrec_port_group *nb_port_group;
      NBREC_PORT_GROUP_TABLE_FOR_EACH (nb_port_group,
diff --git a/northd/northd.c b/northd/northd.c
index db3cd272e..f6d35143a 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -82,6 +82,7 @@ static bool use_common_zone = false;
  static char svc_monitor_mac[ETH_ADDR_STRLEN + 1];
  static struct eth_addr svc_monitor_mac_ea;

+static char *svc_monitor_ip4 = NULL;

  /* If this option is 'true' northd will make use of ct.inv match fields.
   * Otherwise, it will avoid using it.  The default is true. */
  static bool use_ct_inv_match = true;
@@ -7197,7 +7198,8 @@ build_pre_acls(struct ovn_datapath *od,
      ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;");

ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,

-                  "eth.dst == $svc_monitor_mac", "next;");
+                  "eth.dst == $svc_monitor_mac || ip4.dst == $svc_monitor_ip4",
+                  "next;");

ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,

                    "eth.src == $svc_monitor_mac", "next;");
@@ -7370,7 +7372,8 @@ build_pre_lb(struct ovn_datapath *od, const struct shash 
*meter_groups,

/* Do not send service monitor packets to conntrack. */

      ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
-                  "eth.dst == $svc_monitor_mac", "next;");
+                  "eth.dst == $svc_monitor_mac || ip4.dst == $svc_monitor_ip4",
+                  "next;");
      ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
                    "eth.src == $svc_monitor_mac", "next;");

@@ -8238,7 +8241,7 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features,

          /* Add a 34000 priority flow to advance the service monitor reply
          * packets to skip applying ingress ACLs. */
          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 34000,
-                    "eth.dst == $svc_monitor_mac",
+                    "eth.dst == $svc_monitor_mac || ip4.dst == 
$svc_monitor_ip4",
                      REGBIT_ACL_VERDICT_ALLOW" = 1; next;");

/* Add a 34000 priority flow to advance the service monitor packets

@@ -10325,7 +10328,8 @@ build_lswitch_destination_lookup_bmcast(struct 
ovn_datapath *od,
      ovs_assert(od->nbs);

ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110,

-                      "eth.dst == $svc_monitor_mac && (tcp || icmp || icmp6)",
+                      "(eth.dst == $svc_monitor_mac || ip4.dst == 
$svc_monitor_ip4)"
+                      " && (tcp || icmp || icmp6)",
                        "handle_svc_check(inport);",
                        copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp,
                                       meter_groups));
@@ -17891,6 +17895,22 @@ ovnnb_db_run(struct northd_input *input_data,
          smap_replace(&options, "svc_monitor_mac", svc_monitor_mac);
      }

+ const char *monitor_ip4 = smap_get(&nb->options, "svc_monitor_ip4");

+    if (monitor_ip4) {
+        struct sockaddr_storage svc_mon_src_addr;
+        if (inet_parse_address(monitor_ip4, &svc_mon_src_addr)) {
+            struct ds src_ip_s = DS_EMPTY_INITIALIZER;
+            ss_format_address_nobracks(&svc_mon_src_addr, &src_ip_s);
+            svc_monitor_ip4 = ds_steal_cstr(&src_ip_s);
+        } else {
+            free(svc_monitor_ip4);
+            svc_monitor_ip4 = NULL;
+        }
+    } else {
+        free(svc_monitor_ip4);
+        svc_monitor_ip4 = NULL;
+    }
+
      char *max_tunid = xasprintf("%d",
          get_ovn_max_dp_key_local(input_data->sbrec_chassis_table));
      smap_replace(&options, "max_tunid", max_tunid);
@@ -18326,3 +18346,9 @@ northd_get_datapath_for_port(const struct hmap 
*ls_ports,

return op ? op->od : NULL;

  }
+
+const char *
+northd_get_svc_monitor_ip4(void)
+{
+    return svc_monitor_ip4;
+}
diff --git a/northd/northd.h b/northd/northd.h
index 5be7b5384..a69b96bda 100644
--- a/northd/northd.h
+++ b/northd/northd.h
@@ -374,4 +374,5 @@ bool check_sb_lb_duplicates(const struct 
sbrec_load_balancer_table *);
  void sync_pbs(struct ovsdb_idl_txn *, struct hmap *ls_ports);
  bool sync_pbs_for_northd_ls_changes(struct tracked_ls_changes *);

+const char *northd_get_svc_monitor_ip4(void);

  #endif /* NORTHD_H */
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 98cf7adb4..c121fbb4c 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -448,11 +448,14 @@

<p>

        This table also has a priority-110 flow with the match
-      <code>eth.dst == <var>E</var></code> for all logical switch
-      datapaths to move traffic to the next table. Where <var>E</var>
-      is the service monitor mac defined in the
+      <code>eth.dst == <var>E</var> || ip4.dst == <var>I</var></code> for all
+      logical switch datapaths to move traffic to the next table. Where
+      <var>E</var> is the service monitor mac defined in the
        <ref column="options:svc_monitor_mac" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
+      db="OVN_Northbound"/> table and <var>I</var> is the service monitor
+      IP defined in the <ref column="options:svc_monitor_ip4" table="NB_Global"
+      db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> table.
      </p>

@@ -515,11 +518,14 @@<p>

        This table also has a priority-110 flow with the match
-      <code>eth.dst == <var>E</var></code> for all logical switch
-      datapaths to move traffic to the next table. Where <var>E</var>
-      is the service monitor mac defined in the
+      <code>eth.dst == <var>E</var> || ip4.dst == <var>I</var></code> for all
+      logical switch datapaths to move traffic to the next table. Where
+      <var>E</var> is the service monitor mac defined in the
        <ref column="options:svc_monitor_mac" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
+      db="OVN_Northbound"/> table and <var>I</var> is the service monitor
+      IP defined in the <ref column="options:svc_monitor_ip4" table="NB_Global"
+      db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> table.
      </p>

@@ -820,12 +826,15 @@

      <ul>
        <li>
          A priority 34000 logical flow is added for each logical switch 
datapath
-        with the match <code>eth.dst = <var>E</var></code> to allow the service
-        monitor reply packet destined to <code>ovn-controller</code>
-        that sets the allow bit, where <var>E</var> is the
-        service monitor mac defined in the
+        with the match <code>eth.dst = <var>E</var> || ip4.dst == <var>I</var>
+        </code> to allow the service monitor reply packet destined to
+        <code>ovn-controller</code> that sets the allow bit, where <var>E</var>
+        is the service monitor mac defined in the
          <ref column="options:svc_monitor_mac" table="NB_Global"
          db="OVN_Northbound"/> column of <ref table="NB_Global"
+        db="OVN_Northbound"/> table and <var>I</var> is the service monitor IP
+        defined in the <ref column="options:svc_monitor_ip4" table="NB_Global"
+        db="OVN_Northbound"/> column of <ref table="NB_Global"
          db="OVN_Northbound"/> table.
        </li>
      </ul>
@@ -1883,11 +1892,16 @@ output;
      <ul>
        <li>
          A priority-110 flow with the match
-        <code>eth.src == <var>E</var></code> for all logical switch
-        datapaths and applies the action <code>handle_svc_check(inport)</code>.
-        Where <var>E</var> is the service monitor mac defined in the
+        <code>eth.src == <var>E</var> || ip4.dst == <var>I</var></code> for
+        all logical switch datapaths and applies the action
+        <code>handle_svc_check(inport)</code>. Where <var>E</var> is the
+        service monitor mac defined in the
          <ref column="options:svc_monitor_mac" table="NB_Global"
          db="OVN_Northbound"/> column of <ref table="NB_Global"
+        db="OVN_Northbound"/> table and <var>I</var> is the
+        service monitor IP defined in the
+        <ref column="options:svc_monitor_ip4" table="NB_Global"
+        db="OVN_Northbound"/> column of <ref table="NB_Global"
          db="OVN_Northbound"/> table.
        </li>

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at

index 34bd25de7..dcb2e514c 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2611,7 +2611,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e 
ls_in_acl_hint -e ls_out_acl_hint -e
    table=8 (ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
    table=8 (ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
    table=8 (ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
-  table=8 (ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=8 (ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=8 (ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=8 (ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=8 (ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -4318,7 +4318,7 @@ check_stateful_flows() {
      AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort | sed 
's/table=./table=?/'], [0], [dnl
    table=? (ls_in_pre_lb       ), priority=0    , match=(1), action=(next;)
    table=? (ls_in_pre_lb       ), priority=100  , match=(ip), 
action=(reg0[[2]] = 1; next;)
-  table=? (ls_in_pre_lb       ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=? (ls_in_pre_lb       ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=? (ls_in_pre_lb       ), priority=110  , match=(eth.mcast), 
action=(next;)
    table=? (ls_in_pre_lb       ), priority=110  , match=(ip && inport == 
"sw0-lr0"), action=(next;)
    table=? (ls_in_pre_lb       ), priority=110  , match=(nd || nd_rs || nd_ra 
|| mldv1 || mldv2), action=(next;)
@@ -4388,7 +4388,7 @@ AT_CAPTURE_FILE([sw0flows])

AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort | sed 's/table=./table=?/'], [0], [dnl

    table=? (ls_in_pre_lb       ), priority=0    , match=(1), action=(next;)
-  table=? (ls_in_pre_lb       ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=? (ls_in_pre_lb       ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=? (ls_in_pre_lb       ), priority=110  , match=(eth.mcast), 
action=(next;)
    table=? (ls_in_pre_lb       ), priority=110  , match=(ip && inport == 
"sw0-lr0"), action=(next;)
    table=? (ls_in_pre_lb       ), priority=110  , match=(nd || nd_rs || nd_ra 
|| mldv1 || mldv2), action=(next;)
@@ -5079,7 +5079,7 @@ check ovn-nbctl --wait=sb sync
  ovn-sbctl lflow-list ls1 > ls1_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:01), 
action=(outport = "ls1-ro1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:02), 
action=(outport = "vm1"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5091,7 +5091,7 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 
's/table=../table=??/' | sort],
  ovn-sbctl lflow-list ls2 > ls2_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls2_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:02:01), 
action=(outport = "ls2-ro2"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:02:02), 
action=(outport = "vm2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5111,7 +5111,7 @@ check ovn-nbctl --wait=sb lr-nat-add ro2 snat 20.0.0.200 
192.168.2.200/30
  ovn-sbctl lflow-list ls1 > ls1_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:01), 
action=(outport = "ls1-ro1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:02), 
action=(outport = "vm1"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5125,7 +5125,7 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 
's/table=../table=??/' | sort],
  ovn-sbctl lflow-list ls2 > ls2_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls2_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:02:01), 
action=(outport = "ls2-ro2"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:02:02), 
action=(outport = "vm2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5147,7 +5147,7 @@ check ovn-nbctl --wait=sb lr-nat-add ro2 snat 40.0.0.200 
192.168.2.148/30
  ovn-sbctl lflow-list ls1 > ls1_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:01), 
action=(outport = "ls1-ro1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:02), 
action=(outport = "vm1"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5163,7 +5163,7 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 
's/table=../table=??/' | sort],
  ovn-sbctl lflow-list ls2 > ls2_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls2_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:02:01), 
action=(outport = "ls2-ro2"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:02:02), 
action=(outport = "vm2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5184,7 +5184,7 @@ ovn-nbctl --wait=sb lr-lb-add ro1 lb1
  ovn-sbctl lflow-list ls1 > ls1_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:01), 
action=(outport = "ls1-ro1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:02), 
action=(outport = "vm1"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5204,7 +5204,7 @@ ovn-nbctl --wait=sb lb-add lb1 192.168.4.100:80 
10.0.0.10:80
  ovn-sbctl lflow-list ls1 > ls1_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:01), 
action=(outport = "ls1-ro1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:02), 
action=(outport = "vm1"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -5230,7 +5230,7 @@ ovn-nbctl --wait=sb lrp-set-gateway-chassis ro1-ls1 
chassis-1 30
  ovn-sbctl lflow-list ls1 > ls1_lflows
  AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed 's/table=../table=??/' | 
sort], [0], [dnl
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:01), 
action=(outport = "ls1-ro1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:02), 
action=(outport = "vm1"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -7172,7 +7172,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | sed 's/table=.
    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 
&& ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; 
next;)
    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 
&& ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -7227,7 +7227,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | sed 's/table=.
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -7282,7 +7282,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | sed 's/table=.
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -7573,7 +7573,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_eval     ), priority=65535, match=(1), action=(next;)
    table=??(ls_in_acl_hint     ), priority=65535, match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65535, match=(1), action=(next;)
@@ -7598,7 +7598,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_eval     ), priority=65535, match=(1), action=(next;)
    table=??(ls_in_acl_hint     ), priority=65535, match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65535, match=(1), action=(next;)
@@ -7623,7 +7623,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_eval     ), priority=65535, match=(1), action=(next;)
    table=??(ls_in_acl_hint     ), priority=65535, match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65535, match=(1), action=(next;)
@@ -7656,11 +7656,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=((ip4 && tcp)), 
action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7693,11 +7693,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=((ip4 && tcp)), 
action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7730,11 +7730,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=((ip4 && tcp)), 
action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7771,7 +7771,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -7786,7 +7786,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_in_pre_acl      ), priority=110  , match=(eth.mcast), 
action=(next;)
    table=??(ls_in_pre_acl      ), priority=110  , match=(nd || nd_rs || nd_ra || mldv1 || 
mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7840,11 +7840,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7877,11 +7877,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7914,11 +7914,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -7955,7 +7955,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -7970,7 +7970,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_in_pre_acl      ), priority=110  , match=(eth.mcast), 
action=(next;)
    table=??(ls_in_pre_acl      ), priority=110  , match=(nd || nd_rs || nd_ra || mldv1 || 
mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -8023,11 +8023,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -8060,11 +8060,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -8097,11 +8097,11 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs 
|| mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[16]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;)
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -8137,7 +8137,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl 
&& ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
@@ -8152,7 +8152,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
sed 's/table=../table=??/
    table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
-  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac), action=(next;)
+  table=??(ls_in_pre_acl      ), priority=110  , match=(eth.dst == 
$svc_monitor_mac || ip4.dst == $svc_monitor_ip4), action=(next;)
    table=??(ls_in_pre_acl      ), priority=110  , match=(eth.mcast), 
action=(next;)
    table=??(ls_in_pre_acl      ), priority=110  , match=(nd || nd_rs || nd_ra || mldv1 || 
mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
    table=??(ls_out_acl_action  ), priority=0    , match=(1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
@@ -8324,7 +8324,7 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
    table=??(ls_out_apply_port_sec), priority=0    , match=(1), action=(output;)
    table=??(ls_out_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
    table=??(ls_in_l2_unknown   ), priority=0    , match=(1), action=(output;)
    table=??(ls_in_l2_unknown   ), priority=50   , match=(outport == "none"), 
action=(drop;)
@@ -8349,7 +8349,7 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
    table=??(ls_out_apply_port_sec), priority=0    , match=(1), action=(output;)
    table=??(ls_out_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), 
action=(outport = "sw0p1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:02), 
action=(outport = "sw0p2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -8375,7 +8375,7 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
    table=??(ls_out_apply_port_sec), priority=0    , match=(1), action=(output;)
    table=??(ls_out_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), 
action=(outport = "sw0p1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:02), 
action=(outport = "sw0p2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -8402,7 +8402,7 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
    table=??(ls_out_apply_port_sec), priority=0    , match=(1), action=(output;)
    table=??(ls_out_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 
00:00:00:00:00:01), action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:02), 
action=(outport = "sw0p2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -8430,7 +8430,7 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
    table=??(ls_out_apply_port_sec), priority=110  , match=(outport == "localnetport" && 
inport == "sw0p2"), action=(set_queue(10); output;)
    table=??(ls_out_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 
00:00:00:00:00:01), action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:02), 
action=(outport = "sw0p2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)
@@ -8462,7 +8462,7 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
    table=??(ls_out_apply_port_sec), priority=110  , match=(outport == "localnetport" && 
inport == "sw0p2"), action=(set_queue(10); output;)
    table=??(ls_out_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
    table=??(ls_in_l2_lkup      ), priority=0    , match=(1), action=(outport = 
get_fdb(eth.dst); next;)
-  table=??(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac 
&& (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
+  table=??(ls_in_l2_lkup      ), priority=110  , match=((eth.dst == $svc_monitor_mac 
|| ip4.dst == $svc_monitor_ip4) && (tcp || icmp || icmp6)), 
action=(handle_svc_check(inport);)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), 
action=(outport = "sw0p1"; output;)
    table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:02), 
action=(outport = "sw0p2"; output;)
    table=??(ls_in_l2_lkup      ), priority=70   , match=(eth.mcast), action=(outport = 
"_MC_flood"; output;)


_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH ovn v2] northd: Added svc_monitor_ipv4 in NB_Global options.

Reply via email to